Posted to commits@directory.apache.org by ak...@apache.org on 2004/11/01 22:36:41 UTC
svn commit: rev 56284 - in incubator/directory/eve/trunk/jndi-provider/src: java/org/apache/eve/db java/org/apache/eve/jndi/ibs test/org/apache/eve/jndi test/org/apache/eve/jndi/ibs
Author: akarasulu
Date: Mon Nov 1 13:36:40 2004
New Revision: 56284
Added:
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java
Modified:
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Log:
Changes ...
o found and fixed bug in ResultFilteringEnumeration where
we were not skipping entries whose filters rejected them
o relative path names are a pain; for now we'll do without them,
since they were causing bugs in the filter service on the list hook
o AuthorizationFilter was not checking to block access to
the admin user account. We made sure it does.
o added many more tests for list only
o created another test case base class that initializes a
non-admin user context on ou=system so we can test auth
rules as akarasulu
Todos ...
o still have to test authorization rules on search invocations
before we can close all tests
Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/db/ResultFilteringEnumeration.java Mon Nov 1 13:36:40 2004
@@ -252,8 +252,13 @@
{
accepted = ( ( SearchResultFilter ) filters.get( 0 ) )
.accept( ctx, tmp, searchControls );
- this.prefetched = tmp;
- return;
+ if ( accepted )
+ {
+ this.prefetched = tmp;
+ return;
+ }
+
+ continue;
}
// apply all filters shorting their application on result denials
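Review bot: The single-filter branch edited here now repeats the accept-or-skip decision that the general multi-filter loop below it (introduced by the comment on the last hunk line) also has to make, and that duplicated enforcement path is exactly where the bug being fixed lived. The enclosing method and the loop around this code start outside the hunk, so I cannot see how `accepted` and `tmp` are reset per iteration, but the safer shape is to drop the one-filter fast path altogether and let the general loop handle a single-element filter list, so result filtering has one enforcement point. If the fast path is kept for performance, add `// fast path for a single filter; must mirror the rejection semantics of the general loop below` above it so the two are kept in step.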
Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java Mon Nov 1 13:36:40 2004
@@ -29,10 +29,7 @@
import org.apache.eve.db.SearchResultFilter;
import org.apache.eve.db.DbSearchResult;
import org.apache.eve.exception.EveNoPermissionException;
-import org.apache.eve.jndi.BaseInterceptor;
-import org.apache.eve.jndi.Invocation;
-import org.apache.eve.jndi.InvocationStateEnum;
-import org.apache.eve.jndi.EveContext;
+import org.apache.eve.jndi.*;
import org.apache.ldap.common.name.NameComponentNormalizer;
import org.apache.ldap.common.name.DnParser;
@@ -252,6 +249,7 @@
throws NamingException
{
Name dn;
+
synchronized( dnParser )
{
dn = dnParser.parse( result.getName() );
@@ -262,6 +260,10 @@
{
return false;
}
+ else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+ {
+ return false;
+ }
return true;
}
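Review bot: The added branch is another hard-coded deny layered on a default-allow (`return true` on the last hunk line), so any entry not named by one of these branches is visible to every authenticated principal; that is the pre-existing design, but a comment should say so, e.g. `// NOTE: deny-list only; anything not matched above is returned to any authenticated principal`. The comparison `dn.equals( ADMIN_DN )` is on a `Name` produced by `dnParser.parse( result.getName() )`, so it is only as case- and whitespace-insensitive as that parser's normalizer makes it; it is worth confirming that `ADMIN_DN` and `principalDn` were built through the same normalizing path, otherwise a differently-cased spelling of the admin DN would not be caught. The enclosing method starts outside the hunk.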
@@ -288,6 +290,13 @@
String msg = "Access to user account " + dn + " not permitted";
msg += " for user " + principalDn + ". Only the admin can";
msg += " access user account information";
+ throw new EveNoPermissionException( msg );
+ }
+ else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN ) )
+ {
+ String msg = "Access to admin account " + dn + " not permitted";
+ msg += " for user " + principalDn + ". Only the admin can";
+ msg += " access admin account information";
throw new EveNoPermissionException( msg );
}
}
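Review bot: The predicate `dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN )` added here is the same one added to the filter method earlier in this file, so the two enforcement points can now drift apart independently. Factor it into one helper both call, e.g. `private boolean isNonAdminTouchingAdmin( Name dn, Name principalDn )` returning `dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN );`, and use it in both places. The enclosing method starts outside the hunk.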
Modified: incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/FilterServiceImpl.java Mon Nov 1 13:36:40 2004
@@ -35,7 +35,6 @@
import org.apache.eve.jndi.InvocationStateEnum;
import org.apache.ldap.common.filter.ExprNode;
-import org.apache.ldap.common.name.LdapName;
/**
@@ -113,10 +112,7 @@
SearchControls controls )
throws NamingException
{
- String rdn = new LdapName( result.getName() ).getRdn();
- result.setName( rdn );
- result.setObject( ctx.lookup( rdn ) );
- result.setRelative( true );
+ result.setName( result.getName() );
return FilterServiceImpl.this.accept( ctx, result, controls );
}
} );
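Review bot: `result.setName( result.getName() )` on the new side is a no-op and should either be deleted or replaced by a comment explaining why the absolute name is now deliberately left as-is, e.g. `// names are kept absolute; relative RDN conversion was removed because it broke filtering on the list hook`. Dropping the old `setObject( ctx.lookup( rdn ) )` and `setRelative( true )` also means the result's object and relative flag now stay whatever the database layer set them to, which callers of this filter may or may not expect; I cannot see them from here, so that deserves a confirming comment too. The enclosing anonymous-class method starts outside the hunk.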
Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractJndiTest.java Mon Nov 1 13:36:40 2004
@@ -35,7 +35,7 @@
* @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
-public class AbstractJndiTest extends TestCase
+public abstract class AbstractJndiTest extends TestCase
{
/** the context root for the system partition */
protected LdapContext sysRoot;
Added: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java
==============================================================================
--- (empty file)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/AbstractMultiUserJndiTest.java Mon Nov 1 13:36:40 2004
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.eve.jndi;
+
+
+import java.util.Hashtable;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+
+
+/**
+ * Adds extra code to perform operations as another user besides the admin user.
+ *
+ * @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public abstract class AbstractMultiUserJndiTest extends AbstractJndiTest
+{
+ protected EveLdapContext sysRootAsNonAdminUser;
+
+
+ /**
+ * Set's up a context for an authenticated non-root user.
+ *
+ * @see AbstractJndiTest#setUp()
+ */
+ protected void setUp() throws Exception
+ {
+ // bring the system up
+ super.setUp();
+
+ // authenticate as akarasulu
+ Hashtable env = new Hashtable( );
+ env.put( Context.PROVIDER_URL, "ou=system" );
+ env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.eve.jndi.EveContextFactory" );
+ env.put( Context.SECURITY_PRINCIPAL, "uid=akarasulu,ou=users,ou=system" );
+ env.put( Context.SECURITY_CREDENTIALS, "test" );
+ InitialContext ictx = new InitialContext( env );
+ sysRootAsNonAdminUser = ( EveLdapContext ) ictx.lookup( "" );
+ }
+
+
+ protected void tearDown() throws Exception
+ {
+ super.tearDown();
+ sysRootAsNonAdminUser = null;
+ }
+}
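Review bot: `tearDown` nulls `sysRootAsNonAdminUser` but never closes it, so every test in a subclass leaks the non-admin JNDI context (and whatever session state the provider keeps for it); close it before tearing the system down, i.e. `if ( sysRootAsNonAdminUser != null ) { sysRootAsNonAdminUser.close(); }` ahead of `super.tearDown();`. The `InitialContext ictx` created in `setUp` is likewise dropped without `close()`. Minor: the Javadoc "Set's up a context" should read "Sets up a context".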
Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ListTest.java Mon Nov 1 13:36:40 2004
@@ -17,26 +17,78 @@
package org.apache.eve.jndi;
+import java.util.HashSet;
import javax.naming.NamingException;
import javax.naming.NamingEnumeration;
import javax.naming.NameClassPair;
/**
- * Document this class.
+ * Tests our ability to list elements as the admin user and as a non admin user
+ * on security sensitive values. We do not return results or name class pairs
+ * for user accounts if the user is not the admin.
*
* @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
-public class ListTest extends AbstractJndiTest
+public class ListTest extends AbstractMultiUserJndiTest
{
- public void testList() throws NamingException
+ public void testListSystemAsAdmin() throws NamingException
{
+ HashSet set = new HashSet();
NamingEnumeration list = sysRoot.list( "" );
while ( list.hasMore() )
{
NameClassPair ncp = ( NameClassPair ) list.next();
- System.out.println( ncp );
+ set.add( ncp.getName() );
}
+
+ assertTrue( set.contains( "uid=admin,ou=system" ) );
+ assertTrue( set.contains( "ou=users,ou=system" ) );
+ assertTrue( set.contains( "ou=groups,ou=system" ) );
+ }
+
+
+ public void testListSystemAsNonAdmin() throws NamingException
+ {
+ HashSet set = new HashSet();
+ NamingEnumeration list = sysRootAsNonAdminUser.list( "" );
+ while ( list.hasMore() )
+ {
+ NameClassPair ncp = ( NameClassPair ) list.next();
+ set.add( ncp.getName() );
+ }
+
+ assertFalse( set.contains( "uid=admin,ou=system" ) );
+ assertTrue( set.contains( "ou=users,ou=system" ) );
+ assertTrue( set.contains( "ou=groups,ou=system" ) );
+ }
+
+
+ public void testListUsersAsAdmin() throws NamingException
+ {
+ HashSet set = new HashSet();
+ NamingEnumeration list = sysRoot.list( "ou=users" );
+ while ( list.hasMore() )
+ {
+ NameClassPair ncp = ( NameClassPair ) list.next();
+ set.add( ncp.getName() );
+ }
+
+ assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+ }
+
+
+ public void testListUsersAsNonAdmin() throws NamingException
+ {
+ HashSet set = new HashSet();
+ NamingEnumeration list = sysRootAsNonAdminUser.list( "ou=users" );
+ while ( list.hasMore() )
+ {
+ NameClassPair ncp = ( NameClassPair ) list.next();
+ set.add( ncp.getName() );
+ }
+
+ assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
}
}
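Review bot: `testListUsersAsNonAdmin` has only a negative assertion, so it also passes when the listing returns nothing at all or when authorization is not consulted because the list failed silently; pair it with a positive expectation (whatever non-sensitive entry the fixture guarantees under `ou=users`, or at least a size check) so the test fails for the right reason. Separately, the four tests repeat the same enumerate-into-a-set loop; a small helper keeps each test to its assertions.
```java
    // Collects the names returned by ctx.list( name ) so each test is just its assertions.
    private static HashSet listNames( javax.naming.Context ctx, String name ) throws NamingException
    {
        HashSet set = new HashSet();
        NamingEnumeration list = ctx.list( name );
        while ( list.hasMore() )
        {
            NameClassPair ncp = ( NameClassPair ) list.next();
            set.add( ncp.getName() );
        }
        return set;
    }

    public void testListUsersAsNonAdmin() throws NamingException
    {
        HashSet set = listNames( sysRootAsNonAdminUser, "ou=users" );
        assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
        // TODO: also assert a positive expectation so an empty or failed listing cannot pass
    }
    // … unchanged: the other three tests, rewritten the same way …
```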
Modified: incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
==============================================================================
--- incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java (original)
+++ incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java Mon Nov 1 13:36:40 2004
@@ -17,15 +17,11 @@
package org.apache.eve.jndi.ibs;
-import java.util.Hashtable;
-import javax.naming.Context;
-import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.Attributes;
-import org.apache.eve.jndi.EveLdapContext;
-import org.apache.eve.jndi.AbstractJndiTest;
+import org.apache.eve.jndi.AbstractMultiUserJndiTest;
import org.apache.eve.exception.EveNoPermissionException;
import org.apache.ldap.common.message.LockableAttributesImpl;
@@ -37,39 +33,8 @@
* @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
-public class AuthorizationServiceTest extends AbstractJndiTest
+public class AuthorizationServiceTest extends AbstractMultiUserJndiTest
{
- EveLdapContext sysRootAsNonRootUser;
-
-
- /**
- * Set's up a context for an authenticated non-root user.
- *
- * @see AbstractJndiTest#setUp()
- */
- protected void setUp() throws Exception
- {
- // bring the system up
- super.setUp();
-
- // authenticate as akarasulu
- Hashtable env = new Hashtable( );
- env.put( Context.PROVIDER_URL, "ou=system" );
- env.put( Context.INITIAL_CONTEXT_FACTORY, "org.apache.eve.jndi.EveContextFactory" );
- env.put( Context.SECURITY_PRINCIPAL, "uid=akarasulu,ou=users,ou=system" );
- env.put( Context.SECURITY_CREDENTIALS, "test" );
- InitialContext ictx = new InitialContext( env );
- sysRootAsNonRootUser = ( EveLdapContext ) ictx.lookup( "" );
- }
-
-
- protected void tearDown() throws Exception
- {
- super.tearDown();
- sysRootAsNonRootUser = null;
- }
-
-
/**
* Makes sure the admin cannot delete the admin account.
*
@@ -98,8 +63,8 @@
{
try
{
- sysRootAsNonRootUser.destroySubcontext( "uid=admin" );
- fail( sysRootAsNonRootUser.getPrincipal().getDn()
+ sysRootAsNonAdminUser.destroySubcontext( "uid=admin" );
+ fail( sysRootAsNonAdminUser.getPrincipal().getDn()
+ " should not be able to delete his account" );
}
catch ( EveNoPermissionException e )
@@ -137,7 +102,7 @@
{
try
{
- sysRootAsNonRootUser.rename( "uid=admin", "uid=alex" );
+ sysRootAsNonAdminUser.rename( "uid=admin", "uid=alex" );
fail( "admin should not be able to rename his account" );
}
catch ( EveNoPermissionException e )
@@ -172,9 +137,9 @@
try
{
- sysRootAsNonRootUser.modifyAttributes( "uid=admin",
+ sysRootAsNonAdminUser.modifyAttributes( "uid=admin",
DirContext.REPLACE_ATTRIBUTE, attributes );
- fail( sysRootAsNonRootUser.getPrincipal().getDn() +
+ fail( sysRootAsNonAdminUser.getPrincipal().getDn() +
" should not be able to modify attributes on admin" );
} catch( Exception e ) { }
}
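Review bot: The renamed `modifyAttributes` call on the new side is still guarded by `catch( Exception e ) { }`, so this test passes for any failure at all (a `NamingException` from a bad name, a `ClassCastException`, anything) rather than only for the authorization denial it is meant to prove. The sibling tests in this file catch `EveNoPermissionException` specifically; change this one to `catch ( EveNoPermissionException e ) { }` so an unrelated error surfaces instead of being mistaken for a passing authorization check. The enclosing test method starts outside the hunk.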