directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r1060006 - in /directory/apacheds/trunk: core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
Date Mon, 17 Jan 2011 17:24:04 GMT
Author: elecharny
Date: Mon Jan 17 17:24:04 2011
New Revision: 1060006

URL: http://svn.apache.org/viewvc?rev=1060006&view=rev
Log:
Fixed https://issues.apache.org/jira/browse/DIRSERVER-1419

Modified:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java?rev=1060006&r1=1060005&r2=1060006&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
(original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
Mon Jan 17 17:24:04 2011
@@ -159,10 +159,22 @@ import org.junit.runner.RunWith;
         "objectClass: person",
         "cn: C",
         "sn: entry-C",
+        "",
+        // An entry used to create a User session
+        "dn: cn=testUser,ou=system",
+        "objectClass: top",
+        "objectClass: person",
+        "cn: testUser",
+        "sn: test User",
+        "userpassword: test",
         "" })
 public class SubentryServiceIT extends AbstractLdapTestUnit
 {
 
+    // The shared LDAP user connection
+    protected static LdapConnection userConnection;
+
+
     public Attributes getTestEntry( String cn )
     {
         Attributes subentry = new BasicAttributes( true );
@@ -843,7 +855,6 @@ public class SubentryServiceIT extends A
 
 
     @Test
-    @Ignore
     public void testSubentryModifyRdn() throws Exception
     {
         LdapContext sysRoot = getSystemContext( service );
@@ -1262,4 +1273,25 @@ public class SubentryServiceIT extends A
         assertEquals( 1, entries.size() );
         assertNotNull( entries.get( "cn=testsubentry,ou=system" ) );
     }
+
+
+    @Test
+    public void testUserInjectAccessControlSubentries() throws Exception
+    {
+        userConnection = IntegrationUtils.getConnectionAs( service, "cn=testUser,ou=system",
"test" );
+
+        Entry sap = LdifUtils.createEntry(
+            "ou=dummy,ou=system",
+            "objectClass: organizationalUnit",
+            "objectClass: top",
+            "ou: dummy",
+            "accessControlSubentries: ou=system" );
+
+        // It should fail
+        AddResponse response = userConnection.add( sap );
+
+        assertEquals( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, response.getLdapResult().getResultCode()
);
+
+        userConnection.close();
+    }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java?rev=1060006&r1=1060005&r2=1060006&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
Mon Jan 17 17:24:04 2011
@@ -154,6 +154,32 @@ public class OperationalAttributeInterce
 
 
     /**
+     * Check if we have to add an operational attribute, or if the admin has injected one
+     */
+    private boolean checkAddOperationalAttribute( boolean isAdmin, Entry entry, String attribute
) throws LdapException
+    {
+        if ( entry.containsAttribute( attribute ) )
+        {
+            if ( !isAdmin )
+            {
+                // Wrong !
+                String message = I18n.err( I18n.ERR_30, attribute );
+                LOG.error( message );
+                throw new LdapNoPermissionException( message );
+            }
+            else
+            {
+                return true;
+            }
+        }
+        else
+        {
+            return false;
+        }
+    }
+
+
+    /**
      * Adds extra operational attributes to the entry before it is added.
      * 
      * We add those attributes :
@@ -173,66 +199,43 @@ public class OperationalAttributeInterce
         boolean isAdmin = addContext.getSession().getAuthenticatedPrincipal().getName().equals(
             ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
 
-        if ( entry.containsAttribute( SchemaConstants.ENTRY_UUID_AT ) )
-        {
-            if ( !isAdmin )
-            {
-                // Wrong !
-                String message = I18n.err( I18n.ERR_30, SchemaConstants.ENTRY_UUID_AT );
-                LOG.error( message );
-                throw new LdapNoPermissionException( message );
-            }
-        }
-        else
+        // The EntryUUID attribute
+        if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ENTRY_UUID_AT
) )
         {
             entry.put( SchemaConstants.ENTRY_UUID_AT, UUID.randomUUID().toString() );
         }
 
-        if ( entry.containsAttribute( SchemaConstants.ENTRY_CSN_AT ) )
-        {
-            if ( !isAdmin )
-            {
-                // Wrong !
-                String message = I18n.err( I18n.ERR_30, SchemaConstants.ENTRY_CSN_AT );
-                LOG.error( message );
-                throw new LdapNoPermissionException( message );
-            }
-        }
-        else
+        // The EntryCSN attribute
+        if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ENTRY_CSN_AT
) )
         {
             entry.put( SchemaConstants.ENTRY_CSN_AT, service.getCSN().toString() );
         }
 
-        if ( entry.containsAttribute( SchemaConstants.CREATORS_NAME_AT ) )
-        {
-            if ( !isAdmin )
-            {
-                // Wrong !
-                String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATORS_NAME_AT
);
-                LOG.error( message );
-                throw new LdapNoPermissionException( message );
-            }
-        }
-        else
+        // The CreatorsName attribute
+        if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.CREATORS_NAME_AT
) )
         {
             entry.put( SchemaConstants.CREATORS_NAME_AT, principal );
         }
 
-        if ( entry.containsAttribute( SchemaConstants.CREATE_TIMESTAMP_AT ) )
-        {
-            if ( !isAdmin )
-            {
-                // Wrong !
-                String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATE_TIMESTAMP_AT
);
-                LOG.error( message );
-                throw new LdapNoPermissionException( message );
-            }
-        }
-        else
+        // The CreateTimeStamp attribute
+        if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.CREATE_TIMESTAMP_AT
) )
         {
             entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime()
);
         }
 
+        // Now, check that the user does not add operational attributes
+        // The accessControlSubentries attribute
+        checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT
);
+
+        // The CollectiveAttributeSubentries attribute
+        checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.COLLECTIVE_ATTRIBUTE_SUBENTRIES_AT
);
+
+        // The TriggerExecutionSubentries attribute
+        checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.TRIGGER_EXECUTION_SUBENTRIES_AT
);
+
+        // The SubSchemaSybentry attribute
+        checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.SUBSCHEMA_SUBENTRY_AT
);
+
         nextInterceptor.add( addContext );
     }
 



Mime
View raw message