directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: rev 56284 - in incubator/directory/eve/trunk/jndi-provider/src: java/org/apache/eve/db java/org/apache/eve/jndi/ibs test/org/apache/eve/jndi test/org/apache/eve/jndi/ibs
Date Mon, 01 Nov 2004 21:36:41 GMT
Author: akarasulu
Date: Mon Nov  1 13:36:40 2004
New Revision: 56284

Added:
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java
Modified:
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Log:
Changes ...

 o found and fixed bug in ResultFilteringEnumeration where
   we were not skipping entries whose filters rejected them
 o relative path names are a PITA for now we'll do without it
   it was causing bugs in the filter service on the list hook
 o AuthorizationFilter was not checking to block access to
   the admin user account.  We made sure it does.
 o added many more tests for list only
 o created another test case base class that initializes a 
   non-admin user context on ou=system so we can test auth
   rules as akarasulu
   
Todos ...

 o still have to test authorization rules on search invocations
   before we can close all tests



Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
Mon Nov  1 13:36:40 2004
@@ -252,8 +252,13 @@
             {
                 accepted = ( ( SearchResultFilter ) filters.get( 0 ) )
                         .accept( ctx, tmp, searchControls );
-                this.prefetched = tmp;
-                return;
+                if ( accepted )
+                {
+                    this.prefetched = tmp;
+                    return;
+                }
+
+                continue;
             }
 
             // apply all filters shorting their application on result denials

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
Mon Nov  1 13:36:40 2004
@@ -29,10 +29,7 @@
 import org.apache.eve.db.SearchResultFilter;
 import org.apache.eve.db.DbSearchResult;
 import org.apache.eve.exception.EveNoPermissionException;
-import org.apache.eve.jndi.BaseInterceptor;
-import org.apache.eve.jndi.Invocation;
-import org.apache.eve.jndi.InvocationStateEnum;
-import org.apache.eve.jndi.EveContext;
+import org.apache.eve.jndi.*;
 import org.apache.ldap.common.name.NameComponentNormalizer;
 import org.apache.ldap.common.name.DnParser;
 
@@ -252,6 +249,7 @@
                 throws NamingException
         {
             Name dn;
+
             synchronized( dnParser )
             {
                 dn = dnParser.parse( result.getName() );
@@ -262,6 +260,10 @@
             {
                 return false;
             }
+            else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+            {
+                return false;
+            }
 
             return true;
         }
@@ -288,6 +290,13 @@
                 String msg = "Access to user account " + dn + " not permitted";
                 msg += " for user " + principalDn + ".  Only the admin can";
                 msg += " access user account information";
+                throw new EveNoPermissionException( msg );
+            }
+            else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+            {
+                String msg = "Access to admin account " + dn + " not permitted";
+                msg += " for user " + principalDn + ".  Only the admin can";
+                msg += " access admin account information";
                 throw new EveNoPermissionException( msg );
             }
         }

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
Mon Nov  1 13:36:40 2004
@@ -35,7 +35,6 @@
 import org.apache.eve.jndi.InvocationStateEnum;
 
 import org.apache.ldap.common.filter.ExprNode;
-import org.apache.ldap.common.name.LdapName;
 
 
 /**
@@ -113,10 +112,7 @@
                                            SearchControls controls )
                             throws NamingException
                     {
-                        String rdn = new LdapName( result.getName() ).getRdn();
-                        result.setName( rdn );
-                        result.setObject( ctx.lookup( rdn ) );
-                        result.setRelative( true );
+                        result.setName( result.getName() );
                         return FilterServiceImpl.this.accept( ctx, result, controls );
                     }
                 } );

Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
Mon Nov  1 13:36:40 2004
@@ -35,7 +35,7 @@
  * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
  * @version $Rev$
  */
-public class AbstractJndiTest extends TestCase
+public abstract class AbstractJndiTest extends TestCase
 {
     /** the context root for the system partition */
     protected LdapContext sysRoot;

Added: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java
==============================================================================
--- (empty file)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java
Mon Nov  1 13:36:40 2004
@@ -0,0 +1,62 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.eve.jndi;
+
+
+import java.util.Hashtable;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+
+/**
+ * Adds extra code to perform operations as another user besides the admin user.
+ *
+ * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public abstract class AbstractMultiUserJndiTest extends AbstractJndiTest
+{
+    protected EveLdapContext sysRootAsNonAdminUser;
+
+
+    /**
+     * Set's up a context for an authenticated non-root user.
+     *
+     * @see AbstractJndiTest#setUp()
+     */
+    protected void setUp() throws Exception
+    {
+        // bring the system up
+        super.setUp();
+
+        // authenticate as akarasulu
+        Hashtable env = new Hashtable( );
+        env.put( Context.PROVIDER_URL, "ou=system" );
+        env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.eve.jndi.EveContextFactory"
);
+        env.put( Context.SECURITY_PRINCIPAL, "uid=akarasulu,ou=users,ou=system" );
+        env.put( Context.SECURITY_CREDENTIALS, "test" );
+        InitialContext ictx = new InitialContext( env );
+        sysRootAsNonAdminUser = ( EveLdapContext ) ictx.lookup( "" );
+    }
+
+
+    protected void tearDown() throws Exception
+    {
+        super.tearDown();
+        sysRootAsNonAdminUser = null;
+    }
+}

Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
Mon Nov  1 13:36:40 2004
@@ -17,26 +17,78 @@
 package org.apache.eve.jndi;
 
 
+import java.util.HashSet;
 import javax.naming.NamingException;
 import javax.naming.NamingEnumeration;
 import javax.naming.NameClassPair;
 
 
 /**
- * Document this class.
+ * Tests our ability to list elements as the admin user and as a non admin user
+ * on security sensitive values.  We do not return results or name class pairs
+ * for user accounts if the user is not the admin.
  *
  * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
  * @version $Rev$
  */
-public class ListTest extends AbstractJndiTest
+public class ListTest extends AbstractMultiUserJndiTest
 {
-    public void testList() throws NamingException
+    public void testListSystemAsAdmin() throws NamingException
     {
+        HashSet set = new HashSet();
         NamingEnumeration list = sysRoot.list( "" );
         while ( list.hasMore() )
         {
             NameClassPair ncp = ( NameClassPair ) list.next();
-            System.out.println( ncp );
+            set.add( ncp.getName() );
         }
+
+        assertTrue( set.contains( "uid=admin,ou=system" ) );
+        assertTrue( set.contains( "ou=users,ou=system" ) );
+        assertTrue( set.contains( "ou=groups,ou=system" ) );
+    }
+
+
+    public void testListSystemAsNonAdmin() throws NamingException
+    {
+        HashSet set = new HashSet();
+        NamingEnumeration list = sysRootAsNonAdminUser.list( "" );
+        while ( list.hasMore() )
+        {
+            NameClassPair ncp = ( NameClassPair ) list.next();
+            set.add( ncp.getName() );
+        }
+
+        assertFalse( set.contains( "uid=admin,ou=system" ) );
+        assertTrue( set.contains( "ou=users,ou=system" ) );
+        assertTrue( set.contains( "ou=groups,ou=system" ) );
+    }
+
+
+    public void testListUsersAsAdmin() throws NamingException
+    {
+        HashSet set = new HashSet();
+        NamingEnumeration list = sysRoot.list( "ou=users" );
+        while ( list.hasMore() )
+        {
+            NameClassPair ncp = ( NameClassPair ) list.next();
+            set.add( ncp.getName() );
+        }
+
+        assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+    }
+
+
+    public void testListUsersAsNonAdmin() throws NamingException
+    {
+        HashSet set = new HashSet();
+        NamingEnumeration list = sysRootAsNonAdminUser.list( "ou=users" );
+        while ( list.hasMore() )
+        {
+            NameClassPair ncp = ( NameClassPair ) list.next();
+            set.add( ncp.getName() );
+        }
+
+        assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
     }
 }

Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Mon Nov  1 13:36:40 2004
@@ -17,15 +17,11 @@
 package org.apache.eve.jndi.ibs;
 
 
-import java.util.Hashtable;
-import javax.naming.Context;
-import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.Attributes;
 
-import org.apache.eve.jndi.EveLdapContext;
-import org.apache.eve.jndi.AbstractJndiTest;
+import org.apache.eve.jndi.AbstractMultiUserJndiTest;
 import org.apache.eve.exception.EveNoPermissionException;
 import org.apache.ldap.common.message.LockableAttributesImpl;
 
@@ -37,39 +33,8 @@
  * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
  * @version $Rev$
  */
-public class AuthorizationServiceTest extends AbstractJndiTest
+public class AuthorizationServiceTest extends AbstractMultiUserJndiTest
 {
-    EveLdapContext sysRootAsNonRootUser;
-
-
-    /**
-     * Set's up a context for an authenticated non-root user.
-     *
-     * @see AbstractJndiTest#setUp()
-     */
-    protected void setUp() throws Exception
-    {
-        // bring the system up
-        super.setUp();
-
-        // authenticate as akarasulu
-        Hashtable env = new Hashtable( );
-        env.put( Context.PROVIDER_URL, "ou=system" );
-        env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.eve.jndi.EveContextFactory"
);
-        env.put( Context.SECURITY_PRINCIPAL, "uid=akarasulu,ou=users,ou=system" );
-        env.put( Context.SECURITY_CREDENTIALS, "test" );
-        InitialContext ictx = new InitialContext( env );
-        sysRootAsNonRootUser = ( EveLdapContext ) ictx.lookup( "" );
-    }
-
-
-    protected void tearDown() throws Exception
-    {
-        super.tearDown();
-        sysRootAsNonRootUser = null;
-    }
-
-
     /**
      * Makes sure the admin cannot delete the admin account.
      *
@@ -98,8 +63,8 @@
     {
         try
         {
-            sysRootAsNonRootUser.destroySubcontext( "uid=admin" );
-            fail( sysRootAsNonRootUser.getPrincipal().getDn()
+            sysRootAsNonAdminUser.destroySubcontext( "uid=admin" );
+            fail( sysRootAsNonAdminUser.getPrincipal().getDn()
                     + " should not be able to delete his account" );
         }
         catch ( EveNoPermissionException e )
@@ -137,7 +102,7 @@
     {
         try
         {
-            sysRootAsNonRootUser.rename( "uid=admin", "uid=alex" );
+            sysRootAsNonAdminUser.rename( "uid=admin", "uid=alex" );
             fail( "admin should not be able to rename his account" );
         }
         catch ( EveNoPermissionException e )
@@ -172,9 +137,9 @@
 
         try
         {
-            sysRootAsNonRootUser.modifyAttributes( "uid=admin",
+            sysRootAsNonAdminUser.modifyAttributes( "uid=admin",
                     DirContext.REPLACE_ATTRIBUTE, attributes );
-            fail( sysRootAsNonRootUser.getPrincipal().getDn() +
+            fail( sysRootAsNonAdminUser.getPrincipal().getDn() +
                     " should not be able to modify attributes on admin" );
         } catch( Exception e ) { }
     }

Mime
View raw message