From akaras...@apache.org
Subject svn commit: r320969 - in /directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz: AbstractAuthorizationTest.java AddAuthorizationTest.java DeleteAuthorizationTest.java
Date Fri, 14 Oct 2005 01:55:52 GMT
Author: akarasulu
Date: Thu Oct 13 18:55:49 2005
New Revision: 320969

URL: http://svn.apache.org/viewcvs?rev=320969&view=rev
Log:
changes ...

 o added new test case for delete ACI functionality
 o fixed a bug or two in the Add authz tests
 o documented better the utility methods within the AbstractAuthorizationTest


Added:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java
  (with props)
Modified:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java?rev=320969&r1=320968&r2=320969&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
Thu Oct 13 18:55:49 2005
@@ -36,6 +36,10 @@
  */
 public abstract class AbstractAuthorizationTest extends AbstractNonAdminTestCase
 {
+    /**
+     * Creates an abstract authorization test case which enables the
+     * authorization subsystem of the server.
+     */
     public AbstractAuthorizationTest()
     {
         super();
@@ -48,13 +52,28 @@
     // -----------------------------------------------------------------------
 
 
-    public DirContext getAdminContext() throws NamingException
+    /**
+     * Gets a context at ou=system as the admin user.
+     *
+     * @return the admin context at ou=system
+     * @throws NamingException if there are problems creating the context
+     */
+    public DirContext getContextAsAdmin() throws NamingException
     {
-        return getAdminContext( "ou=system" );
+        return getContextAsAdmin( "ou=system" );
     }
 
 
-    public DirContext getAdminContext( String dn ) throws NamingException
+    /**
+     * Gets a context at some dn within the directory as the admin user.
+     * Should be a dn of an entry under ou=system since no other partitions
+     * are enabled.
+     *
+     * @param dn the DN of the context to get
+     * @return the context for the DN as the admin user
+     * @throws NamingException if is a problem initializing or getting the context
+     */
+    public DirContext getContextAsAdmin( String dn ) throws NamingException
     {
         Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
         env.put( DirContext.PROVIDER_URL, dn );
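Review bot: Several of the new Javadoc comments carry typos that will end up in the generated API docs: `@throws NamingException if is a problem initializing or getting the context` is missing "there"; the createGroup doc in the next hunk says `ou=groups,ou=sytem`; the createUser doc says `RDN attriubte`; and the three-argument getContextAs doc says `if the does not exist`. The two-argument getContextAsAdmin(String dn) body continues past the end of this hunk, so its environment setup beyond the PROVIDER_URL line was not reviewed here.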
@@ -65,9 +84,19 @@
     }
 
 
+    /**
+     * Creates a group using the groupOfUniqueNames objectClass under the
+     * ou=groups,ou=sytem container with an initial member.
+     *
+     * @param cn the common name of the group used as the RDN attribute
+     * @param firstMemberDn the DN of the first member of this group
+     * @return the distinguished name of the group entry
+     * @throws NamingException if there are problems creating the new group like
+     * it exists already
+     */
     public Name createGroup( String cn, String firstMemberDn ) throws NamingException
     {
-        DirContext adminCtx = getAdminContext();
+        DirContext adminCtx = getContextAsAdmin();
         Attributes group = new BasicAttributes( "cn", cn, true );
         Attribute objectClass = new BasicAttribute( "objectClass" );
         group.put( objectClass );
@@ -79,9 +108,19 @@
     }
 
 
+    /**
+     * Creates a simple user as an inetOrgPerson under the ou=users,ou=system
+     * container.  The user's RDN attribute is the uid argument.  This argument
+     * is also used as the value of the two MUST attributes: sn and cn.
+     *
+     * @param uid the value of the RDN attriubte (uid), the sn and cn attributes
+     * @param password the password to use to create the user
+     * @return the dn of the newly created user entry
+     * @throws NamingException if there are problems creating the user entry
+     */
     public Name createUser( String uid, String password ) throws NamingException
     {
-        DirContext adminCtx = getAdminContext();
+        DirContext adminCtx = getContextAsAdmin();
         Attributes user = new BasicAttributes( "uid", uid, true );
         user.put( "userPassword", password );
         Attribute objectClass = new BasicAttribute( "objectClass" );
@@ -97,9 +136,17 @@
     }
 
 
+    /**
+     * Adds an existing user under ou=users,ou=system to an existing group under the
+     * ou=groups,ou=system container.
+     *
+     * @param userUid the uid of the user to add to the group
+     * @param groupCn the cn of the group to add the user to
+     * @throws NamingException if the group does not exist
+     */
     public void addUserToGroup( String userUid, String groupCn ) throws NamingException
     {
-        DirContext adminCtx = getAdminContext();
+        DirContext adminCtx = getContextAsAdmin();
         Attributes changes = new BasicAttributes( "uniqueMember",
                 "uid="+userUid+",ou=users,ou=system", true );
         adminCtx.modifyAttributes( "cn="+groupCn+",ou=groups",
@@ -107,13 +154,30 @@
     }
 
 
-    public DirContext getUserContext( Name user, String password ) throws NamingException
+    /**
+     * Gets the context at ou=system as a specific user.
+     *
+     * @param user the DN of the user to get the context as
+     * @param password the password of the user
+     * @return the context as the user
+     * @throws NamingException if the user does not exist or authx fails
+     */
+    public DirContext getContextAs( Name user, String password ) throws NamingException
     {
-        return getUserContext( user, password, "ou=system" );
+        return getContextAs( user, password, "ou=system" );
     }
 
 
-    public DirContext getUserContext( Name user, String password, String dn ) throws NamingException
+    /**
+     * Gets the context at any DN under ou=system as a specific user.
+     *
+     * @param user the DN of the user to get the context as
+     * @param password the password of the user
+     * @param dn the distinguished name of the entry to get the context for
+     * @return the context representing the entry at the dn as a specific user
+     * @throws NamingException if the does not exist or authx fails
+     */
+    public DirContext getContextAs( Name user, String password, String dn ) throws NamingException
     {
         Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
         env.put( DirContext.PROVIDER_URL, dn );
@@ -134,7 +198,7 @@
      */
     public void createAccessControlSubentry( String cn, String aciItem ) throws NamingException
     {
-        DirContext adminCtx = getAdminContext();
+        DirContext adminCtx = getContextAsAdmin();
 
         // modify ou=system to be an AP for an A/C AA if it is not already
         Attributes ap = adminCtx.getAttributes( "" );

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java?rev=320969&r1=320968&r2=320969&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
Thu Oct 13 18:55:49 2005
@@ -48,7 +48,6 @@
      */
     public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws
NamingException
     {
-        // try an add operation which should fail without any ACI
         Attributes testEntry = new BasicAttributes( "ou", "testou", true );
         Attribute objectClass = new BasicAttribute( "objectClass" );
         testEntry.put( objectClass );
@@ -58,11 +57,11 @@
         try
         {
             LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
-            DirContext userContext = getUserContext( userName, "billyd" );
+            DirContext userContext = getContextAs( userName, password );
             userContext.createSubcontext( entryRdn, testEntry );
 
             // delete the newly created context as the admin user
-            DirContext adminContext = getAdminContext();
+            DirContext adminContext = getContextAsAdmin();
             adminContext.destroySubcontext( entryRdn );
 
             return true;

Added: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java?rev=320969&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java
(added)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java
Thu Oct 13 18:55:49 2005
@@ -0,0 +1,206 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.ldap.server.authz;
+
+
+import org.apache.ldap.common.exception.LdapNoPermissionException;
+import org.apache.ldap.common.name.LdapName;
+
+import javax.naming.NamingException;
+import javax.naming.directory.*;
+
+
+/**
+ * Tests whether or not authorization rules for entry deletion works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class DeleteAuthorizationTest extends AbstractAuthorizationTest
+{
+    /**
+     * Checks if a simple entry (organizationalUnit) can be deleted from the DIT at an
+     * RDN relative to ou=system by a specific non-admin user.  The entry is first
+     * created using the admin account which can do anything without limitations.
+     * After creating the entry as the admin an attempt is made to delete it as the
+     * specified user.
+     *
+     * If a permission exception is encountered it is caught and false is returned,
+     * otherwise true is returned when the entry is created.  The entry is deleted by the
+     * admin user after a delete failure to make sure the entry is deleted if subsequent
+     * calls are made to this method: the admin account is used to delete this test entry
+     * so permissions to delete are not required to delete it by the specified user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry creation then deletion
is tested
+     * @return true if the entry can be created by the user at the specified location, false
otherwise
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanDeleteEntryAs( String uid, String password, String entryRdn )
throws NamingException
+    {
+        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+
+        DirContext adminContext = getContextAsAdmin();
+        try
+        {
+            // create the entry as the admin
+            LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            // delete the newly created context as the user
+            DirContext userContext = getContextAs( userName, password );
+            userContext.destroySubcontext( entryRdn );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            adminContext.destroySubcontext( entryRdn );
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantDeleteAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // Gives grantRemove perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } },
" +
+                "userPermissions { { " +
+                "protectedItems {entry}, " +
+                "grantsAndDenials { grantRemove } } } } }" );
+
+        // see if we can now delete that test entry which we could not before
+        // delete op should still fail since billd is not in the admin group
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try a delete operation which should succeed with ACI and group membership change
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantDeleteByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to delete an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry}, " +
+                "grantsAndDenials { grantRemove } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantDeleteBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to delte an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry}, " +
+                "grantsAndDenials { grantRemove } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testGrantDeleteAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry}, " +
+                "grantsAndDenials { grantRemove } } } } }" );
+
+        // see if we can now delete that test entry which we could not before
+        // should work now with billyd now that all users are authorized
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+}
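Review bot: checkCanDeleteEntryAs only removes the admin-created test entry when the user's delete fails with LdapNoPermissionException; if getContextAs cannot bind or destroySubcontext throws any other NamingException, the entry is left behind and the next call's createSubcontext fails with an unrelated "already exists" error instead of the permission result the test is asserting, so the cleanup belongs in a finally guarded by a deleted flag, with the admin createSubcontext moved ahead of the try so a set-up failure is not mistaken for a permission denial. The method's Javadoc still describes the add case: `@return true if the entry can be created by the user` should read "deleted", as should "true is returned when the entry is created". The subentry names and identificationTags (`administratorAdd`, `addAci`, `billydAdd`, `billyAddBySubtree`, `anybodyAdd`) and the comment "enables anyone to add an entry" were copied from AddAuthorizationTest; renaming them to the delete equivalents keeps ACI-related server log output attributable to this test.
```java
    public boolean checkCanDeleteEntryAs( String uid, String password, String entryRdn )
throws NamingException
    {
        // … unchanged: testEntry construction …

        // create the entry as the admin outside the try so a set-up failure propagates as an error
        DirContext adminContext = getContextAsAdmin();
        adminContext.createSubcontext( entryRdn, testEntry );

        boolean deleted = false;
        try
        {
            // delete the newly created context as the user
            LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
            DirContext userContext = getContextAs( userName, password );
            userContext.destroySubcontext( entryRdn );
            deleted = true;
            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            return false;
        }
        finally
        {
            // clean up as admin on every failure path so the next call can re-create the entry
            if ( !deleted )
            {
                adminContext.destroySubcontext( entryRdn );
            }
        }
    }
```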

Propchange: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/DeleteAuthorizationTest.java
------------------------------------------------------------------------------
    svn:eol-style = native


