directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r326744 - in /directory/apacheds/trunk: core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java plugin/project.xml shared/project.xml
Date Wed, 19 Oct 2005 23:07:29 GMT
Author: akarasulu
Date: Wed Oct 19 16:07:22 2005
New Revision: 326744

URL: http://svn.apache.org/viewcvs?rev=326744&view=rev
Log:
changes ...

 o updated deps in plugin and shared subprojects to right versions of jars
 o added test case to test subentryACI with search
 o added test case to test entryACI with search
 o added and tested combination of grants with denials
 o added and tested combinations of precedence in ACI
 o found and fixed bug where lookup of subentry ACI attribute was failing to
   return since subentryACI is operational

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
    directory/apacheds/trunk/plugin/project.xml
    directory/apacheds/trunk/shared/project.xml

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
Wed Oct 19 16:07:22 2005
@@ -219,7 +219,8 @@
         // will contain the subentryACI attributes that effect subentries
         Name parentDn = ( Name ) dn.clone();
         parentDn.remove( dn.size() - 1 );
-        Attributes administrativeEntry = proxy.lookup( parentDn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS
);
+        Attributes administrativeEntry = proxy.lookup( parentDn, new String[] { SUBENTRYACI_ATTR
},
+                DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
         Attribute subentryAci = administrativeEntry.get( SUBENTRYACI_ATTR );
 
         if ( subentryAci == null )

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
Wed Oct 19 16:07:22 2005
@@ -669,7 +669,7 @@
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
-        // we should also see the entry we are about to deny access to
+        // we should NOT see the entry we are about to deny access to
         assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
         assertNull( results.get( "ou=tests,ou=system" ) );
 
@@ -679,24 +679,147 @@
     }
 
 
-//    public boolean checkSubentryAccessAs( String username, String password, Name rdn )
-//
-//
-//    public void testSubentryAccess() throws NamingException
-//    {
-//        // create the non-admin user
-//        createUser( "billyd", "billyd" );
-//
-//        // now add a subentry that enables anyone to search below ou=system
-//        createAccessControlSubentry( "anybodySearch", "{ " +
-//                "identificationTag \"searchAci\", " +
-//                "precedence 14, " +
-//                "authenticationLevel none, " +
-//                "itemOrUserFirst userFirst: { " +
-//                "userClasses { allUsers }, " +
-//                "userPermissions { { " +
-//                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-//                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
-//
-//    }
+    /**
+     * Adds a perscriptiveACI to allow search, tests for success, then adds entryACI
+     * to deny read, browse and returnDN to a specific entry and checks to make sure
+     * that entry cannot be accessed via search as a specific user.  Here the
+     * precidence of the ACI is put to the test.
+     *
+     * @throws NamingException if the test is broken
+     */
+    public void testPerscriptiveGrantWithEntryDenialWithPrecidence() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // now add an entryACI denies browse, read and returnDN to a specific entry
+        String aci = "{ " +
+                "identificationTag \"denyAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+
+        // try a search operation which should fail without any prescriptive ACI
+        SearchControls cons = new SearchControls();
+        cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
+        LdapName rdn = new LdapName( "ou=tests" );
+        assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+
+        // now add a subentry that enables anyone to search below ou=system
+        createAccessControlSubentry( "anybodySearch", "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 15, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // see if we can now search the tree which we could not before
+        // should work with billyd now that all users are authorized
+        // we should also see the entry we are about to deny access to
+        // we see it because the precidence of the grant is greater
+        // than the precedence of the denial
+        assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 10 ) );
+        assertNotNull( results.get( "ou=tests,ou=system" ) );
+
+        // now add an entryACI denies browse, read and returnDN to a specific entry
+        // but this time the precedence will be higher than that of the grant
+        aci = "{ " +
+                "identificationTag \"denyAci\", " +
+                "precedence 16, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+
+        // see if we can now search the tree which we could not before
+        // should work with billyd now that all users are authorized
+        // we should NOT see the entry we are about to deny access to
+        // we do NOT see it because the precidence of the grant is less
+        // than the precedence of the denial - so the denial wins
+        assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+        assertNull( results.get( "ou=tests,ou=system" ) );
+    }
+
+
+    /**
+     * Performs an object level search on the specified subentry relative to ou=system as
a specific user.
+     *
+     * @param uid the uid RDN attribute value of the user to perform the search as
+     * @param password the password of the user
+     * @param rdn the relative name to the subentry under the ou=system AP
+     * @return the single search result if access is allowed or null
+     * @throws NamingException if the search fails w/ exception other than no permission
+     */
+    private SearchResult checkCanSearhSubentryAs( String uid, String password, Name rdn )
throws NamingException
+    {
+        DirContext userCtx = getContextAs( new LdapName( "uid="+uid+",ou=users,ou=system"
), password );
+        SearchControls cons = new SearchControls();
+        cons.setSearchScope( SearchControls.OBJECT_SCOPE );
+        SearchResult result = null;
+        NamingEnumeration list = null;
+
+        try
+        {
+            list = userCtx.search( rdn, "(objectClass=*)", cons );
+            if ( list.hasMore() )
+            {
+                result = ( SearchResult ) list.next();
+                list.close();
+                return result;
+            }
+        }
+        catch ( LdapNoPermissionException e )
+        {
+        }
+        finally
+        {
+            if ( list != null ) { list.close(); }
+        }
+
+        return result;
+    }
+
+
+    public void testSubentryAccess() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // now add a subentry that enables anyone to search below ou=system
+        createAccessControlSubentry( "anybodySearch", "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // check and see if we can access the subentry now
+        assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapName( "cn=anybodySearch"
) ) );
+
+        // now add a denial to prevent all users except the admin from accessing the subentry
+        addSubentryACI( "{ " +
+                "identificationTag \"searchAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+
+        // now we should not be able to access the subentry with a search
+        assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapName( "cn=anybodySearch"
) ) );
+    }
 }

Modified: directory/apacheds/trunk/plugin/project.xml
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/plugin/project.xml?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/plugin/project.xml (original)
+++ directory/apacheds/trunk/plugin/project.xml Wed Oct 19 16:07:22 2005
@@ -46,12 +46,12 @@
     <dependency>
       <groupId>directory-shared</groupId>
       <artifactId>ldap-common</artifactId>
-      <version>0.9.2</version>
+      <version>0.9.3-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>directory</groupId>
       <artifactId>apacheds-shared</artifactId>
-      <version>0.9.2</version>
+      <version>0.9.3-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>velocity</groupId>

Modified: directory/apacheds/trunk/shared/project.xml
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/shared/project.xml?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/shared/project.xml (original)
+++ directory/apacheds/trunk/shared/project.xml Wed Oct 19 16:07:22 2005
@@ -16,7 +16,7 @@
     <dependency>
       <groupId>directory-shared</groupId>
       <artifactId>ldap-common</artifactId>
-      <version>0.9.2</version>
+      <version>0.9.3-SNAPSHOT</version>
     </dependency>
   </dependencies>
 



Mime
View raw message