directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: rev 56320 - in incubator/directory/eve/trunk/jndi-provider/src: java/org/apache/eve/jndi/ibs test/org/apache/eve/jndi/ibs
Date Tue, 02 Nov 2004 01:51:57 GMT
Author: akarasulu
Date: Mon Nov  1 17:51:56 2004
New Revision: 56320

Modified:
   incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
   incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Log:
last changes which get minimal authorization requirements working

Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
Mon Nov  1 17:51:56 2004
@@ -46,6 +46,8 @@
     private static final Name ADMIN_DN = SystemPartition.getAdminDn();
     /** the base distinguished {@link Name} for all users */
     private static final Name USER_BASE_DN = SystemPartition.getUsersBaseDn();
+    /** the base distinguished {@link Name} for all groups */
+    private static final Name GROUP_BASE_DN = SystemPartition.getGroupsBaseDn();
 
     /** the name parser used by this service */
     private final DnParser dnParser;
@@ -107,6 +109,15 @@
                 msg += name + ". Only the admin can delete user accounts.";
                 throw new EveNoPermissionException( msg );
             }
+
+            if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN )
+                    && ! principalDn.equals( ADMIN_DN ) )
+            {
+                String msg = "User " + principalDn;
+                msg += " does not have permission to delete the group entry: ";
+                msg += name + ". Only the admin can delete groups.";
+                throw new EveNoPermissionException( msg );
+            }
         }
     }
 
@@ -165,21 +176,32 @@
         {
             Name principalDn = getPrincipal( invocation ).getDn();
 
-            if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) && ! principalDn.equals(
ADMIN_DN ) )
+            if ( ! principalDn.equals( ADMIN_DN ) )
             {
-                String msg = "User " + principalDn;
-                msg += " does not have permission to modify the admin account.";
-                throw new EveNoPermissionException( msg );
-            }
-
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
-            {
-                String msg = "User " + principalDn;
-                msg += " does not have permission to modify the account of the";
-                msg += " user " + dn + ".\nEven the owner of an account cannot";
-                msg += " modify it.\nUser accounts can only be modified by the";
-                msg += " administrator.";
-                throw new EveNoPermissionException( msg );
+                if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) )
+                {
+                    String msg = "User " + principalDn;
+                    msg += " does not have permission to modify the admin account.";
+                    throw new EveNoPermissionException( msg );
+                }
+
+                if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn;
+                    msg += " does not have permission to modify the account of the";
+                    msg += " user " + dn + ".\nEven the owner of an account cannot";
+                    msg += " modify it.\nUser accounts can only be modified by the";
+                    msg += " administrator.";
+                    throw new EveNoPermissionException( msg );
+                }
+
+                if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn;
+                    msg += " does not have permission to modify the group entry ";
+                    msg += dn + ".\nGroups can only be modified by the admin.";
+                    throw new EveNoPermissionException( msg );
+                }
             }
         }
     }
@@ -239,6 +261,14 @@
                 msg += " rename user accounts.";
                 throw new EveNoPermissionException( msg );
             }
+
+            if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) && !
principalDn.equals( ADMIN_DN ) )
+            {
+                String msg = "User " + principalDn;
+                msg += " does not have permission to move or rename the group entry ";
+                msg += dn + ".\nGroups can only be moved or renamed by the admin.";
+                throw new EveNoPermissionException( msg );
+            }
         }
     }
     
@@ -256,13 +286,21 @@
             }
 
             Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
-            {
-                return false;
-            }
-            else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+            if ( ! principalDn.equals( ADMIN_DN ) )
             {
-                return false;
+                if ( dn.size() > 2  )
+                {
+                    if ( dn.startsWith( USER_BASE_DN ) || dn.startsWith( GROUP_BASE_DN )
)
+                    {
+                        return false;
+                    }
+                }
+
+                if ( dn.equals( ADMIN_DN ) )
+                {
+                    return false;
+                }
+
             }
 
             return true;
@@ -285,19 +323,33 @@
         private void filter( LdapContext ctx, Name dn ) throws NamingException
         {
             Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && ! principalDn.equals(
ADMIN_DN ) )
-            {
-                String msg = "Access to user account '" + dn + "' not permitted";
-                msg += " for user '" + principalDn + "'.  Only the admin can";
-                msg += " access user account information";
-                throw new EveNoPermissionException( msg );
-            }
-            else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+
+
+            if ( ! principalDn.equals( ADMIN_DN ) )
             {
-                String msg = "Access to admin account not permitted for user '";
-                msg += principalDn + "'.  Only the admin can";
-                msg += " access admin account information";
-                throw new EveNoPermissionException( msg );
+                if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+                {
+                    String msg = "Access to user account '" + dn + "' not permitted";
+                    msg += " for user '" + principalDn + "'.  Only the admin can";
+                    msg += " access user account information";
+                    throw new EveNoPermissionException( msg );
+                }
+
+                if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+                {
+                    String msg = "Access to group '" + dn + "' not permitted";
+                    msg += " for user '" + principalDn + "'.  Only the admin can";
+                    msg += " access group information";
+                    throw new EveNoPermissionException( msg );
+                }
+
+                if ( dn.equals( ADMIN_DN ) )
+                {
+                    String msg = "Access to admin account not permitted for user '";
+                    msg += principalDn + "'.  Only the admin can";
+                    msg += " access admin account information";
+                    throw new EveNoPermissionException( msg );
+                }
             }
         }
     }

Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
(original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Mon Nov  1 17:51:56 2004
@@ -17,12 +17,16 @@
 package org.apache.eve.jndi.ibs;
 
 
+import java.util.HashSet;
 import javax.naming.NamingException;
+import javax.naming.NamingEnumeration;
 import javax.naming.directory.DirContext;
 import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchControls;
 
 import org.apache.eve.jndi.AbstractMultiUserJndiTest;
 import org.apache.eve.exception.EveNoPermissionException;
+import org.apache.eve.db.DbSearchResult;
 import org.apache.ldap.common.message.LockableAttributesImpl;
 
 
@@ -142,5 +146,60 @@
             fail( sysRootAsNonAdminUser.getPrincipal().getDn() +
                     " should not be able to modify attributes on admin" );
         } catch( Exception e ) { }
+    }
+
+
+    /**
+     * Makes sure the admin can see all entries we know of on a subtree search.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testSearchSubtreeByAdmin() throws NamingException
+    {
+        SearchControls controls = new SearchControls();
+        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+
+        HashSet set = new HashSet();
+        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );
+        while ( list.hasMore() )
+        {
+            DbSearchResult result = ( DbSearchResult ) list.next();
+            set.add( result.getName() );
+        }
+
+        assertTrue( set.contains( "ou=system" ) );
+        assertTrue( set.contains( "ou=groups,ou=system" ) );
+        assertTrue( set.contains( "cn=administrators,ou=groups,ou=system" ) );
+        assertTrue( set.contains( "ou=users,ou=system" ) );
+        assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+        assertTrue( set.contains( "uid=admin,ou=system" ) );
+    }
+
+
+    /**
+     * Makes sure the admin can see all entries we know of on a subtree search.
+     *
+     * @throws NamingException if there are problems
+     */
+    public void testSearchSubtreeByNonAdmin() throws NamingException
+    {
+        SearchControls controls = new SearchControls();
+        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+
+        HashSet set = new HashSet();
+        NamingEnumeration list = sysRootAsNonAdminUser.search( "",
+                "(objectClass=*)", controls );
+        while ( list.hasMore() )
+        {
+            DbSearchResult result = ( DbSearchResult ) list.next();
+            set.add( result.getName() );
+        }
+
+        assertTrue( set.contains( "ou=system" ) );
+        assertTrue( set.contains( "ou=groups,ou=system" ) );
+        assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
+        assertTrue( set.contains( "ou=users,ou=system" ) );
+        assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+        assertFalse( set.contains( "uid=admin,ou=system" ) );
     }
 }

Mime
View raw message