Posted to commits@directory.apache.org by ka...@apache.org on 2010/03/17 15:41:35 UTC
svn commit: r924314 [3/3] - in /directory/apacheds/trunk/core-integ: ./
src/main/java/org/apache/directory/server/core/integ/
src/test/java/org/apache/directory/server/core/authz/
src/test/java/org/apache/directory/server/core/suites/
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=924314&r1=924313&r2=924314&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Wed Mar 17 14:41:34 2010
@@ -27,35 +27,33 @@ import static org.apache.directory.serve
import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
-import static org.apache.directory.server.core.integ.IntegrationUtils.getSystemContext;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getAdminConnection;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getConnectionAs;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
import java.util.HashMap;
import java.util.Map;
-import javax.naming.Name;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.BasicAttribute;
-import javax.naming.directory.BasicAttributes;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.SearchControls;
-import javax.naming.directory.SearchResult;
-import javax.naming.ldap.LdapContext;
-
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.message.SearchResponse;
+import org.apache.directory.ldap.client.api.message.SearchResultEntry;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.shared.ldap.exception.LdapNoSuchObjectException;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.server.core.integ.IntegrationUtils;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.cursor.Cursor;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.client.DefaultClientEntry;
+import org.apache.directory.shared.ldap.filter.SearchScope;
import org.apache.directory.shared.ldap.name.DN;
+import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -68,23 +66,36 @@ import org.junit.runner.RunWith;
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
-@RunWith ( FrameworkRunner.class )
+@RunWith(FrameworkRunner.class)
+//@CreateDS( enableAccessControl=true, name="SearchAuthorizationIT" )
+//@CreateLdapServer(
+// transports =
+// {
+// @CreateTransport( protocol = "LDAP" )
+// }
+//)
public class SearchAuthorizationIT extends AbstractLdapTestUnit
{
@Before
public void setService()
{
- AutzIntegUtils.service = service;
+ AutzIntegUtils.ldapServer = ldapServer;
+ }
+
+ @After
+ public void closeConnections()
+ {
+ IntegrationUtils.closeConections();
}
/**
- * The search results of tests are added to this map via put (<String, SearchResult>)
+ * The search results of tests are added to this map via put (<String, Entry>)
* the map is also cleared before each search test. This allows further inspections
* of the results for more specific test cases.
*/
- private Map<String, SearchResult> results = new HashMap<String, SearchResult>();
+ private Map<String, Entry> results = new HashMap<String, Entry>();
/**
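Review bot: The `@CreateDS`/`@CreateLdapServer` annotations that the new `setService()` depends on are left commented out (the block above the class declaration), so `ldapServer` is only supplied when this class runs under `AuthzISuite`, which gains that annotation in the second file of this commit; run standalone, `AutzIntegUtils.ldapServer = ldapServer;` presumably assigns null and every connection-based helper fails later with an unrelated error. Either restore the annotations or record the dependency in the class javadoc, e.g. `// Relies on the @CreateDS/@CreateLdapServer configuration of AuthzISuite; not runnable standalone`. While the block stays commented out, the `CreateDS`, `CreateLdapServer` and `CreateTransport` imports added in the first hunk are unused and should go.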
@@ -94,39 +105,42 @@ public class SearchAuthorizationIT exten
* @param count the number of entries to produce
* @return an array of entries with length = count
*/
- private Attributes[] getTestNodes( final int count )
+ private Entry[] getTestNodes( final int count )
{
- Attributes[] attributes = new Attributes[count];
+ Entry[] attributes = new DefaultClientEntry[count];
for ( int ii = 0; ii < count; ii++ )
{
- attributes[ii] = new BasicAttributes( true );
- Attribute oc = new BasicAttribute( "objectClass" );
- oc.add( "top" );
- oc.add( "organizationalUnit" );
- attributes[ii].put( oc );
- Attribute ou = new BasicAttribute( "ou" );
- ou.add( String.valueOf( ii ) );
- ou.add( "testEntry" );
- attributes[ii].put( ou );
- attributes[ii].put( "telephoneNumber", String.valueOf( count ) );
+ try
+ {
+ attributes[ii] = new DefaultClientEntry();
+ attributes[ii].add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ attributes[ii].add( SchemaConstants.OU_AT, String.valueOf( ii ) );
+ attributes[ii].add( SchemaConstants.OU_AT, "testEntry" );
+ attributes[ii].add( "telephoneNumber", String.valueOf( count ) );
+ }
+ catch ( Exception e )
+ {
+ e.printStackTrace();
+ }
}
return attributes;
}
- private void recursivelyAddSearchData( Name parent, Attributes[] children, final long sizeLimit, long[] count )
+ private void recursivelyAddSearchData( DN parent, Entry[] children, final long sizeLimit, long[] count )
throws Exception
{
- Name[] childRdns = new Name[children.length];
-
+ DN[] childRdns = new DN[children.length];
+
for ( int i = 0; ( i < children.length ) && ( count[0] < sizeLimit ); i++ )
{
- Name childRdn = new DN();
+ DN childRdn = new DN();
childRdn.addAll( parent );
childRdn.add( "ou=" + i );
childRdns[i] = childRdn;
- getSystemContext( service ).createSubcontext( childRdn, children[i] );
+ children[i].setDn( childRdn );
+ getAdminConnection().add( children[i] );
count[0]++;
}
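Review bot: `getTestNodes()` now swallows any failure from `add(...)` with `e.printStackTrace()`, so a half-populated entry is still returned and the problem surfaces later as a confusing add failure or, worse, as a wrong result count in one of the authorization checks that compare against `resultSetSz`. Every caller already declares `throws Exception`, so the try/catch can simply be dropped and the signature become `private Entry[] getTestNodes( final int count ) throws Exception`. Note also that the rewrite no longer adds the explicit `top` objectClass value the old `BasicAttribute` did; whether the server fills in the superclass automatically cannot be confirmed from this diff. `recursivelyAddSearchData()` continues past the end of this hunk.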
@@ -152,16 +166,20 @@ public class SearchAuthorizationIT exten
* @param branchingFactor how to brach the data
* @param sizelimit the amount of entries
* @return the immediate child node created under parent which contains the subtree
- * @throws NamingException on error
+ * @throws Exception on error
*/
- private Name addSearchData( Name parent, int branchingFactor, long sizelimit ) throws Exception
+ private DN addSearchData( DN parent, int branchingFactor, long sizelimit ) throws Exception
{
- parent = ( Name ) parent.clone();
- parent.add( "ou=tests" );
- getSystemContext( service ).createSubcontext( parent, getTestNodes( 1 )[0] );
- recursivelyAddSearchData( parent, getTestNodes( branchingFactor ), sizelimit, new long[]
+ DN base = new DN( "ou=tests," + parent.getName() );
+ Entry entry = getTestNodes( 1 )[0];
+ entry.add( SchemaConstants.OU_AT, "tests" );
+ entry.setDn( base );
+
+ getAdminConnection().add( entry );
+
+ recursivelyAddSearchData( base, getTestNodes( branchingFactor ), sizelimit, new long[]
{ 1 } );
- return parent;
+ return base;
}
@@ -169,21 +187,22 @@ public class SearchAuthorizationIT exten
* Recursively deletes all entries including the base specified.
*
* @param rdn the relative dn from ou=system of the entry to delete recursively
- * @throws NamingException if there are problems deleting entries
+ * @throws Exception if there are problems deleting entries
*/
- private void recursivelyDelete( Name rdn ) throws Exception
+ private void recursivelyDelete( DN rdn ) throws Exception
{
- LdapContext sysRoot = getSystemContext( service );
- NamingEnumeration<SearchResult> results = sysRoot.search( rdn, "(objectClass=*)", new SearchControls() );
-
- while ( results.hasMore() )
- {
- SearchResult result = results.next();
- Name childRdn = new DN( result.getName() );
- childRdn.remove( 0 );
+ LdapConnection sysRoot = getAdminConnection();
+ Cursor<SearchResponse> results = sysRoot.search( rdn.getName(), "(objectClass=*)", SearchScope.ONELEVEL, "*" );
+
+ while ( results.next() )
+ {
+ SearchResultEntry result = ( SearchResultEntry ) results.get();
+ DN childRdn = result.getEntry().getDn();
recursivelyDelete( childRdn );
}
- sysRoot.destroySubcontext( rdn );
+
+ results.close();
+ sysRoot.delete( rdn );
}
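Review bot: `results.close()` in `recursivelyDelete()` is only reached on the normal path; if the recursive call or `results.get()` throws mid-iteration the cursor is leaked and the admin connection keeps an open search for the rest of the test run. Wrapping the loop in try/finally keeps the close unconditional and leaves the delete of `rdn` outside it, as now.
```java
        LdapConnection sysRoot = getAdminConnection();
        Cursor<SearchResponse> results = sysRoot.search( rdn.getName(), "(objectClass=*)", SearchScope.ONELEVEL, "*" );

        try
        {
            // … unchanged: while ( results.next() ) { … recursivelyDelete( childRdn ); } …
        }
        finally
        {
            results.close();
        }

        sysRoot.delete( rdn );
```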
@@ -194,11 +213,11 @@ public class SearchAuthorizationIT exten
* @param uid the uid RDN attribute value for the user under ou=users,ou=system
* @param password the password of the user
* @return true if the search succeeds as expected, false otherwise
- * @throws NamingException if there are problems conducting the search
+ * @throws Exception if there are problems conducting the search
*/
private boolean checkCanSearchAs( String uid, String password ) throws Exception
{
- return checkCanSearchAs( uid, password, "(objectClass=*)", null, 3 );
+ return checkCanSearchAs( uid, password, "(objectClass=*)", SearchScope.ONELEVEL, 3 );
}
@@ -211,11 +230,11 @@ public class SearchAuthorizationIT exten
* @param password the password of the user
* @param resultSetSz the expected size of the results
* @return true if the search succeeds as expected, false otherwise
- * @throws NamingException if there are problems conducting the search
+ * @throws Exception if there are problems conducting the search
*/
private boolean checkCanSearchAs( String uid, String password, int resultSetSz ) throws Exception
{
- return checkCanSearchAs( uid, password, "(objectClass=*)", null, resultSetSz );
+ return checkCanSearchAs( uid, password, "(objectClass=*)", SearchScope.ONELEVEL, resultSetSz );
}
@@ -226,15 +245,15 @@ public class SearchAuthorizationIT exten
*
* @param uid the uid RDN attribute value for the user under ou=users,ou=system
* @param password the password of the user
- * @param cons search controls
+ * @param scope search controls
* @param resultSetSz the expected size of the results
* @return true if the search succeeds as expected, false otherwise
- * @throws NamingException if there are problems conducting the search
+ * @throws Exception if there are problems conducting the search
*/
- private boolean checkCanSearchAs( String uid, String password, SearchControls cons, int resultSetSz )
+ private boolean checkCanSearchAs( String uid, String password, SearchScope scope, int resultSetSz )
throws Exception
{
- return checkCanSearchAs( uid, password, "(objectClass=*)", cons, resultSetSz );
+ return checkCanSearchAs( uid, password, "(objectClass=*)", scope, resultSetSz );
}
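Review bot: The javadoc for this overload was only half updated: the parameter was renamed to `scope` but the description still reads `@param scope search controls`, which should be `@param scope the search scope`, matching the wording used in the five-argument overload below. The same stale wording appears in `checkSearchAsWithEntryACI()`'s javadoc (`@param scope the search controls`), where `@param dn the rdn` is also out of date now that callers pass an absolute DN such as `ou=system`; `@param dn the DN under which the ou=tests subtree is created` describes what the new code does.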
@@ -245,44 +264,34 @@ public class SearchAuthorizationIT exten
* @param uid the uid RDN attribute value for the user under ou=users,ou=system
* @param password the password of the user
* @param filter the search filter to use
- * @param cons search controls
+ * @param scope search scope
* @param resultSetSz the expected size of the results
* @return true if the search succeeds as expected, false otherwise
- * @throws NamingException if there are problems conducting the search
+ * @throws Exception if there are problems conducting the search
*/
- private boolean checkCanSearchAs( String uid, String password, String filter, SearchControls cons, int resultSetSz )
+ private boolean checkCanSearchAs( String uid, String password, String filter, SearchScope scope, int resultSetSz )
throws Exception
{
- if ( cons == null )
- {
- cons = new SearchControls();
- }
- Name base = addSearchData( new DN(), 3, 10 );
- Name userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
- try
- {
- results.clear();
- DirContext userCtx = getContextAs( userDn, password );
- NamingEnumeration<SearchResult> list = userCtx.search( base, filter, cons );
- int counter = 0;
-
- while ( list.hasMore() )
- {
- SearchResult result = list.next();
- results.put( result.getName(), result );
- counter++;
- }
- return counter == resultSetSz;
- }
- catch ( LdapNoPermissionException e )
- {
- return false;
- }
- finally
+ DN base = addSearchData( new DN( "ou=system" ), 3, 10 );
+ DN userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
+ results.clear();
+ LdapConnection userCtx = getConnectionAs( userDn, password );
+ Cursor<SearchResponse> cursor = userCtx.search( base.getName(), filter, scope, "*" );
+ int counter = 0;
+
+ while ( cursor.next() )
{
- recursivelyDelete( base );
+ Entry result = ( ( SearchResultEntry ) cursor.get() ).getEntry();
+ results.put( result.getDn().getName(), result );
+ counter++;
}
+
+ cursor.close();
+
+ recursivelyDelete( base );
+
+ return counter == resultSetSz;
}
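Review bot: The rewrite of `checkCanSearchAs()` drops the `finally` that guaranteed `recursivelyDelete( base )`, so any exception between `addSearchData()` and the delete leaves `ou=tests,ou=system` behind and the next test that calls `addSearchData()` fails on an already-existing entry rather than on its own assertion; `cursor.close()` is likewise skipped on the exception path. The catch of `LdapNoPermissionException` that mapped a denied search to `false` is gone too; if the client API reports a denied search by throwing rather than by returning an empty cursor (not visible from this diff), the helper now propagates instead of returning `false`, which changes what the `assertFalse` callers actually test. The same structure should be applied to `checkSearchAsWithEntryACI()` in the next hunk.
```java
        DN base = addSearchData( new DN( "ou=system" ), 3, 10 );
        DN userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
        results.clear();
        int counter = 0;

        try
        {
            LdapConnection userCtx = getConnectionAs( userDn, password );
            Cursor<SearchResponse> cursor = userCtx.search( base.getName(), filter, scope, "*" );

            try
            {
                // … unchanged: while ( cursor.next() ) { put each Entry into results; counter++; } …
            }
            finally
            {
                cursor.close();
            }
        }
        finally
        {
            // always remove the test subtree so a later addSearchData() does not collide with it
            recursivelyDelete( base );
        }

        return counter == resultSetSz;
```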
@@ -292,47 +301,35 @@ public class SearchAuthorizationIT exten
*
* @param uid the uid RDN attribute value for the user under ou=users,ou=system
* @param password the password of the user
- * @param cons the search controls
- * @param rdn the rdn
+ * @param scope the search controls
+ * @param dn the rdn
* @param aci the aci
* @param resultSetSz the result sz
* @return true if the search succeeds as expected, false otherwise
- * @throws NamingException if there are problems conducting the search
+ * @throws Exception if there are problems conducting the search
*/
- private boolean checkSearchAsWithEntryACI( String uid, String password, SearchControls cons, Name rdn, String aci,
+ private boolean checkSearchAsWithEntryACI( String uid, String password, SearchScope scope, DN dn, String aci,
int resultSetSz ) throws Exception
{
- if ( cons == null )
- {
- cons = new SearchControls();
- }
+ DN base = addSearchData( dn, 3, 10 );
+ addEntryACI( base, aci );
+ DN userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
+
+ results.clear();
+ LdapConnection userCtx = getConnectionAs( userDn, password );
+ Cursor<SearchResponse> cursor = userCtx.search( base.getName(), "(objectClass=*)", scope, "*" );
+ int counter = 0;
- Name base = addSearchData( new DN(), 3, 10 );
- addEntryACI( rdn, aci );
- Name userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
- try
- {
- results.clear();
- DirContext userCtx = getContextAs( userDn, password );
- NamingEnumeration<SearchResult> list = userCtx.search( base, "(objectClass=*)", cons );
- int counter = 0;
-
- while ( list.hasMore() )
- {
- SearchResult result = list.next();
- results.put( result.getName(), result );
- counter++;
- }
- return counter == resultSetSz;
- }
- catch ( LdapNoPermissionException e )
+ while ( cursor.next() )
{
- return false;
- }
- finally
- {
- recursivelyDelete( base );
+ Entry result = ( ( SearchResultEntry ) cursor.get() ).getEntry();
+ results.put( result.getDn().getName(), result );
+ counter++;
}
+
+ recursivelyDelete( base );
+
+ return counter == resultSetSz;
}
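Review bot: Unlike `checkCanSearchAs()`, this rewrite of `checkSearchAsWithEntryACI()` never closes `cursor` at all, not even on the happy path, so every call leaks an open search on the user connection until `closeConections()` runs in `@After`. At minimum add `cursor.close();` after the loop; better, use the try/finally layout proposed for `checkCanSearchAs()` so both the close and `recursivelyDelete( base )` run when the search throws.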
@@ -340,36 +337,30 @@ public class SearchAuthorizationIT exten
* Checks to see that the addSearchData() and the recursiveDelete()
* functions in this test work properly.
*
- * @throws NamingException if there is a problem with the implementation of
+ * @throws Exception if there is a problem with the implementation of
* these utility functions
*/
@Test
public void testAddSearchData() throws Exception
{
- LdapContext sysRoot = getSystemContext( service );
- Name base = addSearchData( new DN(), 3, 10 );
- SearchControls controls = new SearchControls();
- controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
- NamingEnumeration<SearchResult> results = sysRoot.search( base, "(objectClass=*)", controls );
+ LdapConnection connection = getAdminConnection();
+ DN base = addSearchData( new DN( "ou=system" ), 3, 10 );
+
+ Cursor<SearchResponse> results = connection
+ .search( base.getName(), "(objectClass=*)", SearchScope.SUBTREE, "+" );
int counter = 0;
-
- while ( results.hasMore() )
+
+ while ( results.next() )
{
- results.next();
+ results.get();
counter++;
}
assertEquals( 10, counter );
recursivelyDelete( base );
//noinspection EmptyCatchBlock
- try
- {
- sysRoot.lookup( base );
- fail();
- }
- catch ( LdapNoSuchObjectException e )
- {
- }
+ SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( base.getName() );
+ assertNull( entry );
}
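Review bot: In `testAddSearchData()` the new local `Cursor<SearchResponse> results` shadows the `Map<String, Entry> results` field, and it is never closed; renaming it and closing it after the loop avoids both, e.g. `Cursor<SearchResponse> cursor = connection.search( base.getName(), "(objectClass=*)", SearchScope.SUBTREE, "+" );` with `cursor.close();` after the count. The `//noinspection EmptyCatchBlock` line is now stale since the catch block it suppressed was removed. The final `assertNull( entry )` assumes `lookup()` returns null for a missing entry rather than throwing as the old JNDI lookup did; that cannot be confirmed from this diff and is worth a short comment on the assertion.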
@@ -380,7 +371,7 @@ public class SearchAuthorizationIT exten
/**
* Checks to make sure group membership based userClass works for add operations.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantAdministrators() throws Exception
@@ -414,7 +405,7 @@ public class SearchAuthorizationIT exten
/**
* Checks to make sure name based userClass works for search operations.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantSearchByName() throws Exception
@@ -441,7 +432,7 @@ public class SearchAuthorizationIT exten
* Checks to make sure name based userClass works for search operations
* when we vary the case of the DN.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantSearchByNameUserDnCase() throws Exception
@@ -467,7 +458,7 @@ public class SearchAuthorizationIT exten
/**
* Checks to make sure subtree based userClass works for search operations.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantSearchBySubtree() throws Exception
@@ -493,7 +484,7 @@ public class SearchAuthorizationIT exten
/**
* Checks to make sure <b>allUsers</b> userClass works for search operations.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantSearchAllUsers() throws Exception
@@ -524,7 +515,7 @@ public class SearchAuthorizationIT exten
* Checks to make sure search does not return entries not assigned the
* perscriptiveACI and that it does not fail with an exception.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testSelectiveGrantsAllUsers() throws Exception
@@ -533,9 +524,7 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// try an add operation which should fail without any ACI
- SearchControls cons = new SearchControls();
- cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
- assertFalse( checkCanSearchAs( "billyd", "billyd", cons, 4 ) );
+ assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// now add a subentry that enables anyone to add an entry below ou=system
// down two more rdns for DNs of a max size of 3
@@ -547,7 +536,7 @@ public class SearchAuthorizationIT exten
// see if we can now add that test entry which we could not before
// should work now with billyd now that all users are authorized
- assertTrue( checkCanSearchAs( "billyd", "billyd", cons, 4 ) );
+ assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
}
@@ -555,7 +544,7 @@ public class SearchAuthorizationIT exten
* Checks to make sure attributeTypes are not present when permissions are
* not given for reading them and their values.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testHidingAttributes() throws Exception
@@ -564,9 +553,7 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// try an add operation which should fail without any ACI
- SearchControls cons = new SearchControls();
- cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
- assertFalse( checkCanSearchAs( "billyd", "billyd", cons, 4 ) );
+ assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. It only grants access to
@@ -578,12 +565,12 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
// see if we can now add that search and find 4 entries
- assertTrue( checkCanSearchAs( "billyd", "billyd", cons, 4 ) );
+ assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// check to make sure the telephoneNumber attribute is not present in results
- for ( SearchResult result : results.values() )
+ for ( Entry result : results.values() )
{
- assertNull( result.getAttributes().get( "telephoneNumber" ) );
+ assertNull( result.get( "telephoneNumber" ) );
}
// delete the subentry to test more general rule's inclusion of telephoneNumber
@@ -599,12 +586,12 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
// again we should find four entries
- assertTrue( checkCanSearchAs( "billyd", "billyd", cons, 4 ) );
+ assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// check now to make sure the telephoneNumber attribute is present in results
- for ( SearchResult result : results.values() )
+ for ( Entry result : results.values() )
{
- assertNotNull( result.getAttributes().get( "telephoneNumber" ) );
+ assertNotNull( result.get( "telephoneNumber" ) );
}
}
@@ -613,7 +600,7 @@ public class SearchAuthorizationIT exten
* Checks to make sure specific attribute values are not present when
* read permission is denied.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testHidingAttributeValues() throws Exception
@@ -644,9 +631,9 @@ public class SearchAuthorizationIT exten
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
// check to make sure the ou attribute value "testEntry" is not present in results
- for ( SearchResult result : results.values() )
+ for ( Entry result : results.values() )
{
- assertFalse( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
+ assertFalse( result.get( "ou" ).contains( "testEntry" ) );
}
// delete the subentry to test more general rule's inclusion of all values
@@ -665,9 +652,9 @@ public class SearchAuthorizationIT exten
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
// check now to make sure the telephoneNumber attribute is present in results
- for ( SearchResult result : results.values() )
+ for ( Entry result : results.values() )
{
- assertTrue( result.getAttributes().get( "ou" ).contains( "testEntry" ) );
+ assertTrue( result.get( "ou" ).contains( "testEntry" ) );
}
}
@@ -677,7 +664,7 @@ public class SearchAuthorizationIT exten
* to deny read, browse and returnDN to a specific entry and checks to make sure
* that entry cannot be accessed via search as a specific user.
*
- * @throws NamingException if the test is broken
+ * @throws Exception if the test is broken
*/
@Test
public void testPerscriptiveGrantWithEntryDenial() throws Exception
@@ -692,10 +679,9 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
// try a search operation which should fail without any prescriptive ACI
- SearchControls cons = new SearchControls();
- cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
- DN rdn = new DN( "ou=tests" );
- assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+ DN testsDn = new DN( "ou=system" );
+
+ assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
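Review bot: The new local is named `testsDn` but holds `ou=system`, which is the parent under which `addSearchData()` creates `ou=tests`; the name suggests the entry the ACI is attached to, which is misleading when reading the `assertNull( results.get( "ou=tests,ou=system" ) )` checks that follow. `DN parentDn = new DN( "ou=system" );` says what it is. The same rename applies to the identical declaration in `testPerscriptiveGrantWithEntryDenialWithPrecidence()` later in this file.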
@@ -706,11 +692,11 @@ public class SearchAuthorizationIT exten
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
// we should NOT see the entry we are about to deny access to
- assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+ assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
assertNull( results.get( "ou=tests,ou=system" ) );
// try without the entry ACI .. just perscriptive and see ou=tests,ou=system
- assertTrue( checkCanSearchAs( "billyd", "billyd", cons, 10 ) );
+ assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 10 ) );
assertNotNull( results.get( "ou=tests,ou=system" ) );
}
@@ -721,7 +707,7 @@ public class SearchAuthorizationIT exten
* that entry cannot be accessed via search as a specific user. Here the
* precidence of the ACI is put to the test.
*
- * @throws NamingException if the test is broken
+ * @throws Exception if the test is broken
*/
@Test
public void testPerscriptiveGrantWithEntryDenialWithPrecidence() throws Exception
@@ -736,10 +722,9 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
// try a search operation which should fail without any prescriptive ACI
- SearchControls cons = new SearchControls();
- cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
- DN rdn = new DN( "ou=tests" );
- assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+ DN testsDn = new DN( "ou=system" );
+
+ assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 15, "
@@ -752,7 +737,7 @@ public class SearchAuthorizationIT exten
// we should also see the entry we are about to deny access to
// we see it because the precidence of the grant is greater
// than the precedence of the denial
- assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 10 ) );
+ assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 10 ) );
assertNotNull( results.get( "ou=tests,ou=system" ) );
// now add an entryACI denies browse, read and returnDN to a specific entry
@@ -767,7 +752,7 @@ public class SearchAuthorizationIT exten
// we should NOT see the entry we are about to deny access to
// we do NOT see it because the precidence of the grant is less
// than the precedence of the denial - so the denial wins
- assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+ assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
assertNull( results.get( "ou=tests,ou=system" ) );
}
@@ -777,41 +762,24 @@ public class SearchAuthorizationIT exten
*
* @param uid the uid RDN attribute value of the user to perform the search as
* @param password the password of the user
- * @param rdn the relative name to the subentry under the ou=system AP
+ * @param dn the relative name to the subentry under the ou=system AP
* @return the single search result if access is allowed or null
- * @throws NamingException if the search fails w/ exception other than no permission
+ * @throws Exception if the search fails w/ exception other than no permission
*/
- private SearchResult checkCanSearhSubentryAs( String uid, String password, Name rdn ) throws Exception
+ private SearchResultEntry checkCanSearhSubentryAs( String uid, String password, DN dn ) throws Exception
{
- DirContext userCtx = getContextAs( new DN( "uid=" + uid + ",ou=users,ou=system" ), password );
- SearchControls cons = new SearchControls();
- cons.setSearchScope( SearchControls.OBJECT_SCOPE );
- SearchResult result = null;
- NamingEnumeration<SearchResult> list = null;
+ LdapConnection userCtx = getConnectionAs( new DN( "uid=" + uid + ",ou=users,ou=system" ), password );
+ SearchResultEntry result = null;
+ Cursor<SearchResponse> list = null;
- //noinspection EmptyCatchBlock
- try
+ list = userCtx.search( dn.getName(), "(objectClass=*)", SearchScope.OBJECT, "*" );
+ if ( list.next() )
{
- list = userCtx.search( rdn, "(objectClass=*)", cons );
- if ( list.hasMore() )
- {
- result = list.next();
- list.close();
- return result;
- }
- }
- catch ( LdapNoPermissionException e )
- {
- return null;
- }
- finally
- {
- if ( list != null )
- {
- list.close();
- }
+ result = ( SearchResultEntry ) list.get();
}
+ list.close();
+
return result;
}
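Review bot: The javadoc of `checkCanSearhSubentryAs()` still promises `null` when access is denied and `@throws Exception` only for failures "other than no permission", but the `LdapNoPermissionException` catch that implemented that contract was removed; whether the client API surfaces a denied base-object search as an empty cursor or as an exception is not visible here, and the three `assertNull` callers depend on the answer. Either restore an equivalent catch or rewrite the javadoc to match the new behavior, and update `@param dn the relative name to the subentry under the ou=system AP` since callers now pass the full DN. The cursor is also leaked if `next()` or `get()` throws, and `list` is declared as `null` only to be assigned on the next statement.
```java
        LdapConnection userCtx = getConnectionAs( new DN( "uid=" + uid + ",ou=users,ou=system" ), password );
        SearchResultEntry result = null;
        Cursor<SearchResponse> list = userCtx.search( dn.getName(), "(objectClass=*)", SearchScope.OBJECT, "*" );

        try
        {
            // … unchanged: if ( list.next() ) { result = ( SearchResultEntry ) list.get(); } …
        }
        finally
        {
            list.close();
        }

        return result;
```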
@@ -829,7 +797,7 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
// check and see if we can access the subentry now
- assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch" ) ) );
+ assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
addSubentryACI( "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
@@ -838,7 +806,7 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
// now we should not be able to access the subentry with a search
- assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch" ) ) );
+ assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
}
@@ -857,18 +825,11 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
// get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system
- DirContext userCtx = getContextAs( new DN( "uid=billyd,ou=users,ou=system" ), "billyd" );
- try
- {
- userCtx.lookup( "cn=blah,ou=groups" );
- }
- catch ( NamingException e )
- {
- Name matched = e.getResolvedName();
+ LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd" );
- // we should not see ou=groups,ou=system for the remaining name
- assertEquals( matched.toString(), "ou=system" );
- }
+ // we should not see ou=groups,ou=system for the remaining name
+ SearchResultEntry entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" );
+ assertNull( entry );
// now delete and replace subentry with one that does not excluse ou=groups,ou=system
deleteAccessControlSubentry( "selectiveDiscloseOnError" );
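Review bot: This lookup and the one after the subentry is replaced (next hunk) now both assert only `assertNull( entry )`, so the test passes identically whether or not the server discloses `ou=groups,ou=system` as the matched name; the `grantDiscloseOnError` behavior the test exists to verify is no longer checked, and a regression in matchedDN disclosure would go unnoticed. The old assertions distinguished the two phases by `e.getResolvedName()` being `"ou=system"` first and `"ou=groups,ou=system"` second. If the client API exposes the matchedDN of the noSuchObject response (not visible from this diff), assert on that in both places; otherwise mark both assertions with `// TODO: matchedDN is not asserted, discloseOnError is not actually verified here` so the gap is visible. The enclosing test method begins before this hunk.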
@@ -879,50 +840,43 @@ public class SearchAuthorizationIT exten
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
// now try a lookup of a non-existant entry under ou=groups,ou=system again
- try
- {
- userCtx.lookup( "cn=blah,ou=groups" );
- }
- catch ( NamingException e )
- {
- Name matched = e.getResolvedName();
-
- // we should not see ou=groups,ou=system for the remaining name
- assertEquals( matched.toString(), "ou=groups,ou=system" );
- }
+ entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" );
+ assertNull( entry );
}
-
+
+
@Test
public void testUserClassParentOfEntry() throws Exception
{
// create the non-admin user
createUser( "billyd", "billyd" );
-
+
// create an entry subordinate to the user
- DirContext billydCtx = AutzIntegUtils.getContextAsAdmin("uid=billyd,ou=users,ou=system");
- Attributes phoneBook = new BasicAttributes( "ou", "phoneBook", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- phoneBook.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
- billydCtx.createSubcontext( "ou=phoneBook", phoneBook );
+ Entry phoneBook = new DefaultClientEntry( new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) );
+ phoneBook.add( SchemaConstants.OU_AT, "phoneBook" );
+ phoneBook.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+
+ getAdminConnection().add( phoneBook );
// now add a subentry that enables anyone to search below their own entries
- createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { allUsers }, " + "userPermissions { { "
+ + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
// check and see if we can access the subentry now
- assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users" ) ) );
+ assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN(
+ "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
- addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
+ + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, "
+ + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
// now we should not be able to access the subentry with a search
- assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users" ) ) );
+ assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
}
}
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/suites/AuthzISuite.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/suites/AuthzISuite.java?rev=924314&r1=924313&r2=924314&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/suites/AuthzISuite.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/suites/AuthzISuite.java Wed Mar 17 14:41:34 2010
@@ -19,6 +19,8 @@
package org.apache.directory.server.core.suites;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.authz.AddAuthorizationIT;
import org.apache.directory.server.core.authz.AdministratorsGroupIT;
@@ -44,6 +46,12 @@ import org.junit.runners.Suite;
*/
@RunWith ( FrameworkSuite.class )
@CreateDS( enableAccessControl=true, name="AuthzISuite" )
+@CreateLdapServer(
+ transports =
+ {
+ @CreateTransport( protocol = "LDAP" )
+ }
+)
@Suite.SuiteClasses ( {
AddAuthorizationIT.class,
AuthorizationServiceAsAdminIT.class,