directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r796556 - in /directory/apacheds/trunk: core/src/main/java/org/apache/directory/server/core/authn/ server-integ/src/test/java/org/apache/directory/server/operations/bind/
Date Tue, 21 Jul 2009 22:04:02 GMT
Author: elecharny
Date: Tue Jul 21 22:04:02 2009
New Revision: 796556

URL: http://svn.apache.org/viewvc?rev=796556&view=rev
Log:
Fix for DIRSERVER-1383 : A user can still read therootDSE even if not bound (ie doing a simple
search), but anonymous access are forbidden if the allowAnonymousAccess is set to false.

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
    directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authn/AnonymousAuthenticator.java
Tue Jul 21 22:04:02 2009
@@ -50,12 +50,8 @@
      */
     public LdapPrincipal authenticate( BindOperationContext opContext ) throws NamingException
     {
-        // We only allow Anonymous binds if the service allows them _or_
-        // if the user wants to bind on the rootDSE
-        // TODO : Fix this ASAP !!! This is a backdoor, we should not allow
-        // a user to get in as anonymous simply because the bind request DN
-        // is empty !
-        if ( getDirectoryService().isAllowAnonymousAccess() || opContext.getDn().isEmpty()
)
+        // We only allow Anonymous binds if the service allows them
+        if ( getDirectoryService().isAllowAnonymousAccess() )
         {
             return LdapPrincipal.ANONYMOUS;
         }

Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
(original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/MiscBindIT.java
Tue Jul 21 22:04:02 2009
@@ -39,6 +39,13 @@
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.InitialLdapContext;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPUrl;
+
 import org.apache.directory.server.core.DefaultDirectoryService;
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.integ.IntegrationUtils;
@@ -190,44 +197,28 @@
         env.put( Context.SECURITY_AUTHENTICATION, "none" );
         env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
 
-        boolean connected = false;
-        while ( !connected )
-        {
-            try
-            {
-                ic = new InitialDirContext( env );
-                connected = true;
-            }
-            catch ( Exception e )
-            {
-                // We should not get here
-                fail();
-            }
-        }
-
-        ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
-        
         try
         {
-            ic.search( "", "(objectClass=*)", new SearchControls() );
-            fail( "If anonymous binds are disabled we should never get here!" );
+            ic = new InitialDirContext( env );
+            fail();
         }
-        catch ( NoPermissionException e )
+        catch ( Exception e )
         {
+            // We should get here
         }
 
-        Attributes attrs = new BasicAttributes( true );
-        Attribute oc = new BasicAttribute( "objectClass" );
-        attrs.put( oc );
-        oc.add( "top" );
-        oc.add( "organizationalUnit" );
-
         try
         {
-            ic.createSubcontext( "ou=blah", attrs );
+            // Use the netscape API as JNDI cannot be used to do a search without
+            // first binding.
+            LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "ou=system", new
String[]{"vendorName"}, 0, "(ObjectClass=*)" );
+            LDAPSearchResults results = LDAPConnection.search( url );
+
+            fail();
         }
-        catch ( NoPermissionException e )
+        catch ( LDAPException e )
         {
+            // Expected result
         }
     }
 

Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
(original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SaslBindIT.java
Tue Jul 21 22:04:02 2009
@@ -30,7 +30,6 @@
 import javax.naming.Context;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
-import javax.naming.NoPermissionException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.DirContext;
@@ -299,40 +298,6 @@
 
 
      /**
-      * Tests to make sure binds below the RootDSE require authentication.
-      */
-     @Test
-     public void testAnonymousBelowRootDSE()
-     {
-         ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
-         
-         try
-         {
-             Hashtable<String, String> env = new Hashtable<String, String>();
-             env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"
);
-             env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapServer.getPort() );
-
-             DirContext context = new InitialDirContext( env );
-
-             String[] attrIDs =
-                 { "vendorName" };
-
-             context.getAttributes( "dc=example,dc=com", attrIDs );
-
-             fail( "Should not have gotten here." );
-         }
-         catch ( NoPermissionException npe )
-         {
-             assertTrue( npe.getMessage().contains( "error code 50" ) );
-         }
-         catch ( NamingException ne )
-         {
-             fail( "Should not have gotten here" );
-         }
-     }
-
-
-     /**
       * Tests to make sure CRAM-MD5 binds below the RootDSE work.
       */
      @Test

Modified: directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java?rev=796556&r1=796555&r2=796556&view=diff
==============================================================================
--- directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java
(original)
+++ directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/bind/SimpleBindIT.java
Tue Jul 21 22:04:02 2009
@@ -34,12 +34,21 @@
 import javax.naming.directory.DirContext;
 import javax.naming.directory.InitialDirContext;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPSearchResult;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPUrl;
+
 import org.apache.directory.server.core.integ.Level;
 import org.apache.directory.server.core.integ.annotations.ApplyLdifs;
 import org.apache.directory.server.core.integ.annotations.CleanupLevel;
 import org.apache.directory.server.integ.SiRunner;
 import org.apache.directory.server.ldap.LdapServer;
 
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredConnection;
 import static org.junit.Assert.fail;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.assertEquals;
@@ -47,6 +56,9 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredConnection;
+import static org.apache.directory.server.integ.ServerIntegrationUtils.getWiredContextThrowOnRefferal;
+
 
 /**
  * An {@link AbstractServerTest} testing SIMPLE authentication.
@@ -262,37 +274,62 @@
         try
         {
             ctx = new InitialDirContext(env);
+            fail();
         }
         catch ( NamingException ne )
         {
-            fail();
+            // Expected, as the server forbid anonymous access
         }
         
-        // We should be anonymous here. 
         // Check that we can read the rootDSE
         try
         {
-            Attributes attrs = ctx.getAttributes( "", attrIDs );
-            
-            assertNotNull( attrs );
-            assertEquals( "Apache Software Foundation", attrs.get( "vendorName" ).get() );
+            // Use the netscape API as JNDI cannot be used to do a search without
+            // first binding.
+            LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "", new String[]{"vendorName"},
0, "(ObjectClass=*)" );
+            LDAPSearchResults results = LDAPConnection.search( url );
+
+            if ( results.hasMoreElements() ) 
+            {
+                LDAPEntry entry = results.next();
+
+                LDAPAttribute vendorName = entry.getAttribute( "vendorName" );
+
+                if ( vendorName != null )
+                {
+                    assertEquals( "Apache Software Foundation", vendorName.getStringValueArray()[0]
);
+                }
+                else
+                {
+                    fail();
+                }
+            }
+            else
+            {
+                fail();
+            }
         }
-        catch ( NamingException ne )
+        catch ( LDAPException e )
         {
-            fail();
+            e.printStackTrace();
+            fail( "Should not have caught exception." );
         }
 
         // Check that we cannot read another entry being anonymous
         try
         {
-            Attributes attrs = ctx.getAttributes( "uid=admin,ou=system", attrIDs );
-            
-            assertNotNull( attrs );
-            assertEquals( 0, attrs.size() );
-            fail( "Should not be able to read the root DSE" );
+            // Use the netscape API as JNDI cannot be used to do a search without
+            // first binding.
+            LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), 
+                "uid=admin,ou=system", attrIDs, 0, "(ObjectClass=*)" );
+            LDAPSearchResults results = LDAPConnection.search( url );
+
+            fail();
         }
-        catch ( NamingException ne )
+        catch ( LDAPException e )
         {
+            // Expected
+            assertTrue( true);
         }
         
         ldapServer.getDirectoryService().setAllowAnonymousAccess( oldValue );
@@ -364,34 +401,40 @@
      * The configuration for this test case MUST disable anonymous access.
      */
     @Test
-    public void testAnonymousRootDSE()
+    public void testAnonymousRootDSESearch()
     {
+        
         boolean oldValue = ldapServer.getDirectoryService().isAllowAnonymousAccess();
         ldapServer.getDirectoryService().setAllowAnonymousAccess( false );
 
         try
         {
-            Hashtable<String, String> env = new Hashtable<String, String>();
-            env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"
);
-            env.put( Context.PROVIDER_URL, "ldap://localhost:" + ldapServer.getPort() );
-
-            DirContext context = new InitialDirContext( env );
+            // Use the netscape API as JNDI cannot be used to do a search without
+            // first binding.
+            LDAPUrl url = new LDAPUrl( "localhost", ldapServer.getPort(), "", new String[]{"vendorName"},
0, "(ObjectClass=*)" );
+            LDAPSearchResults results = LDAPConnection.search( url );
 
-            String[] attrIDs =
-                { "vendorName" };
-
-            Attributes attrs = context.getAttributes( "", attrIDs );
+            if ( results.hasMoreElements() ) 
+            {
+                LDAPEntry entry = results.next();
 
-            String vendorName = null;
+                LDAPAttribute vendorName = entry.getAttribute( "vendorName" );
 
-            if ( attrs.get( "vendorName" ) != null )
+                if ( vendorName != null )
+                {
+                    assertEquals( "Apache Software Foundation", vendorName.getStringValueArray()[0]
);
+                }
+                else
+                {
+                    fail();
+                }
+            }
+            else
             {
-                vendorName = ( String ) attrs.get( "vendorName" ).get();
+                fail();
             }
-
-            assertEquals( "Apache Software Foundation", vendorName );
         }
-        catch ( NamingException e )
+        catch ( LDAPException e )
         {
             e.printStackTrace();
             fail( "Should not have caught exception." );



Mime
View raw message