Posted to commits@directory.apache.org by el...@apache.org on 2011/01/17 18:24:04 UTC
svn commit: r1060006 - in /directory/apacheds/trunk:
core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
Author: elecharny
Date: Mon Jan 17 17:24:04 2011
New Revision: 1060006
URL: http://svn.apache.org/viewvc?rev=1060006&view=rev
Log:
Fixed https://issues.apache.org/jira/browse/DIRSERVER-1419
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java?rev=1060006&r1=1060005&r2=1060006&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/subtree/SubentryServiceIT.java Mon Jan 17 17:24:04 2011
@@ -159,10 +159,22 @@ import org.junit.runner.RunWith;
"objectClass: person",
"cn: C",
"sn: entry-C",
+ "",
+ // An entry used to create a User session
+ "dn: cn=testUser,ou=system",
+ "objectClass: top",
+ "objectClass: person",
+ "cn: testUser",
+ "sn: test User",
+ "userpassword: test",
"" })
public class SubentryServiceIT extends AbstractLdapTestUnit
{
+ // The shared LDAP user connection
+ protected static LdapConnection userConnection;
+
+
public Attributes getTestEntry( String cn )
{
Attributes subentry = new BasicAttributes( true );
@@ -843,7 +855,6 @@ public class SubentryServiceIT extends A
@Test
- @Ignore
public void testSubentryModifyRdn() throws Exception
{
LdapContext sysRoot = getSystemContext( service );
@@ -1262,4 +1273,25 @@ public class SubentryServiceIT extends A
assertEquals( 1, entries.size() );
assertNotNull( entries.get( "cn=testsubentry,ou=system" ) );
}
+
+
+ @Test
+ public void testUserInjectAccessControlSubentries() throws Exception
+ {
+ userConnection = IntegrationUtils.getConnectionAs( service, "cn=testUser,ou=system", "test" );
+
+ Entry sap = LdifUtils.createEntry(
+ "ou=dummy,ou=system",
+ "objectClass: organizationalUnit",
+ "objectClass: top",
+ "ou: dummy",
+ "accessControlSubentries: ou=system" );
+
+ // It should fail
+ AddResponse response = userConnection.add( sap );
+
+ assertEquals( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, response.getLdapResult().getResultCode() );
+
+ userConnection.close();
+ }
}
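Review bot: `userConnection.close()` on the last line of the new test is skipped whenever the `assertEquals` just above it fails, so a failing run leaves the bound connection open for the rest of the suite; the close belongs in a `finally`. The `protected static LdapConnection userConnection` field added in the first hunk of this file is only ever assigned by this test, so it can be a local of the method instead of shared static state that other tests or subclasses could observe half-open. Since the test checks only the result code, it may also be worth asserting afterwards that `ou=dummy,ou=system` does not exist, which pins the behaviour the commit is meant to enforce rather than just the error returned.
```java
LdapConnection userConnection = IntegrationUtils.getConnectionAs( service, "cn=testUser,ou=system", "test" );

try
{
    // … unchanged: build the ou=dummy entry carrying accessControlSubentries and add it …
    assertEquals( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, response.getLdapResult().getResultCode() );
}
finally
{
    userConnection.close();
}
```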
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java?rev=1060006&r1=1060005&r2=1060006&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java Mon Jan 17 17:24:04 2011
@@ -154,6 +154,32 @@ public class OperationalAttributeInterce
/**
+ * Check if we have to add an operational attribute, or if the admin has injected one
+ */
+ private boolean checkAddOperationalAttribute( boolean isAdmin, Entry entry, String attribute ) throws LdapException
+ {
+ if ( entry.containsAttribute( attribute ) )
+ {
+ if ( !isAdmin )
+ {
+ // Wrong !
+ String message = I18n.err( I18n.ERR_30, attribute );
+ LOG.error( message );
+ throw new LdapNoPermissionException( message );
+ }
+ else
+ {
+ return true;
+ }
+ }
+ else
+ {
+ return false;
+ }
+ }
+
+
+ /**
* Adds extra operational attributes to the entry before it is added.
*
* We add those attributes :
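Review bot: The Javadoc on `checkAddOperationalAttribute` says what is checked but not what the returned boolean means, which matters because the add path branches on it while the later subentry checks discard it. Suggest a Javadoc stating that it returns `true` when `entry` already carries `attribute` and the caller is the admin (the supplied value is kept), `false` when the attribute is absent (the caller is expected to generate it), and that it throws `LdapNoPermissionException` when a non-admin supplied the attribute, with `@param isAdmin`, `@param entry`, `@param attribute`, `@return` and `@throws` tags. The `// Wrong !` comment could say what is wrong, e.g. `// Only the admin may supply operational attributes on add`.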
@@ -173,66 +199,43 @@ public class OperationalAttributeInterce
boolean isAdmin = addContext.getSession().getAuthenticatedPrincipal().getName().equals(
ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
- if ( entry.containsAttribute( SchemaConstants.ENTRY_UUID_AT ) )
- {
- if ( !isAdmin )
- {
- // Wrong !
- String message = I18n.err( I18n.ERR_30, SchemaConstants.ENTRY_UUID_AT );
- LOG.error( message );
- throw new LdapNoPermissionException( message );
- }
- }
- else
+ // The EntryUUID attribute
+ if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ENTRY_UUID_AT ) )
{
entry.put( SchemaConstants.ENTRY_UUID_AT, UUID.randomUUID().toString() );
}
- if ( entry.containsAttribute( SchemaConstants.ENTRY_CSN_AT ) )
- {
- if ( !isAdmin )
- {
- // Wrong !
- String message = I18n.err( I18n.ERR_30, SchemaConstants.ENTRY_CSN_AT );
- LOG.error( message );
- throw new LdapNoPermissionException( message );
- }
- }
- else
+ // The EntryCSN attribute
+ if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ENTRY_CSN_AT ) )
{
entry.put( SchemaConstants.ENTRY_CSN_AT, service.getCSN().toString() );
}
- if ( entry.containsAttribute( SchemaConstants.CREATORS_NAME_AT ) )
- {
- if ( !isAdmin )
- {
- // Wrong !
- String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATORS_NAME_AT );
- LOG.error( message );
- throw new LdapNoPermissionException( message );
- }
- }
- else
+ // The CreatorsName attribute
+ if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.CREATORS_NAME_AT ) )
{
entry.put( SchemaConstants.CREATORS_NAME_AT, principal );
}
- if ( entry.containsAttribute( SchemaConstants.CREATE_TIMESTAMP_AT ) )
- {
- if ( !isAdmin )
- {
- // Wrong !
- String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATE_TIMESTAMP_AT );
- LOG.error( message );
- throw new LdapNoPermissionException( message );
- }
- }
- else
+ // The CreateTimeStamp attribute
+ if ( !checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.CREATE_TIMESTAMP_AT ) )
{
entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime() );
}
+ // Now, check that the user does not add operational attributes
+ // The accessControlSubentries attribute
+ checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
+
+ // The CollectiveAttributeSubentries attribute
+ checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.COLLECTIVE_ATTRIBUTE_SUBENTRIES_AT );
+
+ // The TriggerExecutionSubentries attribute
+ checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.TRIGGER_EXECUTION_SUBENTRIES_AT );
+
+ // The SubSchemaSybentry attribute
+ checkAddOperationalAttribute( isAdmin, entry, SchemaConstants.SUBSCHEMA_SUBENTRY_AT );
+
nextInterceptor.add( addContext );
}
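Review bot: The new rejection of user-supplied `accessControlSubentries`, `collectiveAttributeSubentries`, `triggerExecutionSubentries` and `subschemaSubentry` applies only to the add path (the enclosing method is `add`, and its start lies outside this hunk); whether the modify path of this interceptor applies the same rule is not visible here, and the added test exercises add only, so a matching check and test on modify would be needed for the restriction to hold across both operations. The checks also rely on `entry.containsAttribute( ... )` recognising the attribute in whatever form the client used (OID or alias rather than the canonical name); presumably the entry is schema-aware and normalises, but that is worth confirming, since the test supplies only the canonical name. Minor: the comment before the last check reads `// The SubSchemaSybentry attribute` and should be `// The SubschemaSubentry attribute`.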