Posted to commits@directory.apache.org by ak...@apache.org on 2005/10/13 23:23:33 UTC
svn commit: r320926 - in
/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz:
AbstractAuthorizationTest.java AddAuthorizationTest.java
AuthorizationServiceAsNonAdminTest.java
Author: akarasulu
Date: Thu Oct 13 14:23:27 2005
New Revision: 320926
URL: http://svn.apache.org/viewcvs?rev=320926&view=rev
Log:
organizing unit tests for ACI: added base class and cleaned up add operation tests
Added:
directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java (with props)
directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java (with props)
Modified:
directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java
Added: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java?rev=320926&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java (added)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java Thu Oct 13 14:23:27 2005
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.ldap.server.authz;
+
+
+import org.apache.ldap.server.AbstractNonAdminTestCase;
+import org.apache.ldap.server.subtree.SubentryService;
+import org.apache.ldap.common.name.LdapName;
+
+import javax.naming.directory.*;
+import javax.naming.NamingException;
+import javax.naming.Name;
+import java.util.Hashtable;
+
+
+/**
+ * A base class used for authorization tests. It has some extra utility methods
+ * added to it which are required by all authorization tests.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public abstract class AbstractAuthorizationTest extends AbstractNonAdminTestCase
+{
+ public AbstractAuthorizationTest()
+ {
+ super();
+ super.configuration.setAccessControlEnabled( true );
+ }
+
+
+ // -----------------------------------------------------------------------
+ // Utility methods used by subclasses
+ // -----------------------------------------------------------------------
+
+
+ public DirContext getAdminContext() throws NamingException
+ {
+ return getAdminContext( "ou=system" );
+ }
+
+
+ public DirContext getAdminContext( String dn ) throws NamingException
+ {
+ Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
+ env.put( DirContext.PROVIDER_URL, dn );
+ env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+ env.put( DirContext.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
+ env.put( DirContext.SECURITY_CREDENTIALS, "secret" );
+ return new InitialDirContext( env );
+ }
+
+
+ public Name createGroup( String cn, String firstMemberDn ) throws NamingException
+ {
+ DirContext adminCtx = getAdminContext();
+ Attributes group = new BasicAttributes( "cn", cn, true );
+ Attribute objectClass = new BasicAttribute( "objectClass" );
+ group.put( objectClass );
+ objectClass.add( "top" );
+ objectClass.add( "groupOfUniqueNames" );
+ group.put( "uniqueMember", firstMemberDn );
+ adminCtx.createSubcontext( "cn="+cn+",ou=groups", group );
+ return new LdapName( "cn="+cn+",ou=groups,ou=system" );
+ }
+
+
+ public Name createUser( String uid, String password ) throws NamingException
+ {
+ DirContext adminCtx = getAdminContext();
+ Attributes user = new BasicAttributes( "uid", uid, true );
+ user.put( "userPassword", password );
+ Attribute objectClass = new BasicAttribute( "objectClass" );
+ user.put( objectClass );
+ objectClass.add( "top" );
+ objectClass.add( "person" );
+ objectClass.add( "organizationalPerson" );
+ objectClass.add( "inetOrgPerson" );
+ user.put( "sn", uid );
+ user.put( "cn", uid );
+ adminCtx.createSubcontext( "uid="+uid+",ou=users", user );
+ return new LdapName( "uid="+uid+",ou=users,ou=system" );
+ }
+
+
+ public void addUserToGroup( String userUid, String groupCn ) throws NamingException
+ {
+ DirContext adminCtx = getAdminContext();
+ Attributes changes = new BasicAttributes( "uniqueMember",
+ "uid="+userUid+",ou=users,ou=system", true );
+ adminCtx.modifyAttributes( "cn="+groupCn+",ou=groups",
+ DirContext.ADD_ATTRIBUTE, changes );
+ }
+
+
+ public DirContext getUserContext( Name user, String password ) throws NamingException
+ {
+ return getUserContext( user, password, "ou=system" );
+ }
+
+
+ public DirContext getUserContext( Name user, String password, String dn ) throws NamingException
+ {
+ Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
+ env.put( DirContext.PROVIDER_URL, dn );
+ env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+ env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
+ env.put( DirContext.SECURITY_CREDENTIALS, password );
+ return new InitialDirContext( env );
+ }
+
+
+ /**
+ * Creates an access control subentry under ou=system whose subtree covers
+ * the entire naming context.
+ *
+ * @param cn the common name and rdn for the subentry
+ * @param aciItem the prescriptive ACI attribute value
+ * @throws NamingException if there is a problem creating the subentry
+ */
+ public void createAccessControlSubentry( String cn, String aciItem ) throws NamingException
+ {
+ DirContext adminCtx = getAdminContext();
+
+ // modify ou=system to be an AP for an A/C AA if it is not already
+ Attributes ap = adminCtx.getAttributes( "" );
+ Attribute administrativeRole = ap.get( "administrativeRole" );
+ if ( administrativeRole == null || ! administrativeRole.contains( SubentryService.AC_AREA ) )
+ {
+ Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA, true );
+ adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
+ }
+
+ // now add the A/C subentry below ou=system
+ Attributes subentry = new BasicAttributes( "cn", cn, true );
+ Attribute objectClass = new BasicAttribute( "objectClass" );
+ subentry.put( objectClass );
+ objectClass.add( "top" );
+ objectClass.add( "subentry" );
+ objectClass.add( "accessControlSubentry" );
+ subentry.put( "subtreeSpecification", "{}" );
+ subentry.put( "prescriptiveACI", aciItem );
+ adminCtx.createSubcontext( "cn=" + cn, subentry );
+ }
+}
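Review bot: The admin contexts this base class obtains are never closed: `createGroup`, `createUser`, `addUserToGroup` and `createAccessControlSubentry` each call `getAdminContext()`, perform one operation and drop the `InitialDirContext`, so every fixture call presumably leaves a bound context open for the rest of the test run (JNDI expects the caller to close what it creates). Keeping the interface unchanged, each body can become `DirContext adminCtx = getAdminContext(); try { ... } finally { adminCtx.close(); }`. Only `createAccessControlSubentry` carries Javadoc; the other public helpers need it too — the `getAdminContext`/`getUserContext` overloads should state that `dn` is used as the `PROVIDER_URL` the returned context is rooted at and which principal they bind as, and `createGroup`/`createUser` should state that they bind as admin, where the entry is created relative to `ou=system`, and that the returned `Name` is the entry's full DN. Worth a hedged comment as well is that `cn`/`uid` are concatenated unescaped into the RDN strings, so these helpers only work for values that need no DN escaping.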
Propchange: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java?rev=320926&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java (added)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java Thu Oct 13 14:23:27 2005
@@ -0,0 +1,200 @@
+/*
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.apache.ldap.server.authz;
+
+
+import org.apache.ldap.common.exception.LdapNoPermissionException;
+import org.apache.ldap.common.name.LdapName;
+
+import javax.naming.NamingException;
+import javax.naming.directory.*;
+
+
+/**
+ * Tests whether or not authorization around entry addition works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class AddAuthorizationTest extends AbstractAuthorizationTest
+{
+ /**
+ * Checks if a simple entry (organizationalUnit) can be added to the DIT at an
+ * RDN relative to ou=system by a specific non-admin user. If a permission exception
+ * is encountered it is caught and false is returned, otherwise true is returned
+ * when the entry is created. The entry is deleted after being created just in case
+ * subsequent calls to this method do not fail: the admin account is used to delete
+ * this test entry so permissions to delete are not required to delete it by the user.
+ *
+ * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+ * @param password the password of this user
+ * @param entryRdn the relative DN, relative to ou=system where entry creation is tested
+ * @return true if the entry can be created by the user at the specified location, false otherwise
+ * @throws NamingException if there are problems conducting the test
+ */
+ public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws NamingException
+ {
+ // try an add operation which should fail without any ACI
+ Attributes testEntry = new BasicAttributes( "ou", "testou", true );
+ Attribute objectClass = new BasicAttribute( "objectClass" );
+ testEntry.put( objectClass );
+ objectClass.add( "top" );
+ objectClass.add( "organizationalUnit" );
+
+ try
+ {
+ LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ DirContext userContext = getUserContext( userName, "billyd" );
+ userContext.createSubcontext( entryRdn, testEntry );
+
+ // delete the newly created context as the admin user
+ DirContext adminContext = getAdminContext();
+ adminContext.destroySubcontext( entryRdn );
+
+ return true;
+ }
+ catch ( LdapNoPermissionException e )
+ {
+ return false;
+ }
+ }
+
+
+ /**
+ * Checks to make sure group membership based userClass works for add operations.
+ *
+ * @throws NamingException if the test encounters an error
+ */
+ public void testGrantAddAdministrators() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // Gives grantAdd perm to all users in the Administrators group for
+ // entries and all attribute types and values
+ createAccessControlSubentry( "administratorAdd", "{ " +
+ "identificationTag \"addAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantAdd } } } } }" );
+
+ // see if we can now add that test entry which we could not before
+ // add op should still fail since billd is not in the admin group
+ assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // now add billyd to the Administrator group and try again
+ addUserToGroup( "billyd", "Administrators" );
+
+ // try an add operation which should succeed with ACI and group membership change
+ assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+ }
+
+
+ /**
+ * Checks to make sure name based userClass works for add operations.
+ *
+ * @throws NamingException if the test encounters an error
+ */
+ public void testGrantAddByName() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // now add a subentry that enables user billyd to add an entry below ou=system
+ createAccessControlSubentry( "billydAdd", "{ " +
+ "identificationTag \"addAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantAdd } } } } }" );
+
+ // should work now that billyd is authorized by name
+ assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+ }
+
+
+ /**
+ * Checks to make sure subtree based userClass works for add operations.
+ *
+ * @throws NamingException if the test encounters an error
+ */
+ public void testGrantAddBySubtree() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // now add a subentry that enables user billyd to add an entry below ou=system
+ createAccessControlSubentry( "billyAddBySubtree", "{ " +
+ "identificationTag \"addAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantAdd } } } } }" );
+
+ // should work now that billyd is authorized by the subtree userClass
+ assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+ }
+
+
+ /**
+ * Checks to make sure <b>allUsers</b> userClass works for add operations.
+ *
+ * @throws NamingException if the test encounters an error
+ */
+ public void testGrantAddAllUsers() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // now add a subentry that enables anyone to add an entry below ou=system
+ createAccessControlSubentry( "anybodyAdd", "{ " +
+ "identificationTag \"addAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantAdd } } } } }" );
+
+ // see if we can now add that test entry which we could not before
+ // should work now with billyd now that all users are authorized
+ assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+ }
+}
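Review bot: `checkCanAddEntryAs` ignores its `password` parameter — the line `DirContext userContext = getUserContext( userName, "billyd" );` binds with a hard-coded credential, so the helper only works for the billyd fixture and a caller passing any other password would be exercising a different bind than the one it asked for; change it to `DirContext userContext = getUserContext( userName, password );`. The leading comment `// try an add operation which should fail without any ACI` was copied from the test bodies and no longer describes this helper; `// build the organizationalUnit test entry the user will attempt to add` would. The Javadoc should also note that if the user's `createSubcontext` succeeds but the admin `destroySubcontext` throws, the test entry is left in place and later calls against the same `entryRdn` will presumably fail for a reason other than permissions.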
Propchange: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java?rev=320926&r1=320925&r2=320926&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java (original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java Thu Oct 13 14:23:27 2005
@@ -41,13 +41,6 @@
*/
public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
{
- public AuthorizationServiceAsNonAdminTest()
- {
- super();
- super.configuration.setAccessControlEnabled( true );
- }
-
-
/**
* Makes sure a non-admin user cannot delete the admin account.
*
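Review bot: Removing this constructor leaves `AuthorizationServiceAsNonAdminTest` with no call to `setAccessControlEnabled( true )`: the context line above still declares `extends AbstractNonAdminTestCase`, not the new `AbstractAuthorizationTest` that now carries that call, so unless the base case enables access control itself the tests remaining in this file presumably run with access control disabled. Either change the declaration to `public class AuthorizationServiceAsNonAdminTest extends AbstractAuthorizationTest` or keep the constructor here. The class body continues past this hunk.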
@@ -127,265 +120,5 @@
assertTrue( set.contains( "ou=users,ou=system" ) );
assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
assertFalse( set.contains( "uid=admin,ou=system" ) );
- }
-
-
- private DirContext getAdminContext() throws NamingException
- {
- Hashtable env = ( Hashtable ) ( ( Hashtable ) sysRoot.getEnvironment() ).clone();
- env.put( DirContext.PROVIDER_URL, "ou=system" );
- env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
- env.put( DirContext.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
- env.put( DirContext.SECURITY_CREDENTIALS, "secret" );
- return new InitialDirContext( env );
- }
-
-
- public void testGrantAddAllUsers() throws NamingException
- {
- DirContext adminCtx = getAdminContext();
-
- // modify ou=system to be an AP for an A/C AA
- Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA, true );
- adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
- // try an add operation which should fail without any ACI
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
-
- try
- {
- sysRoot.createSubcontext( "ou=testou", testEntry );
- fail( "should never get here due to a permission exception" );
- }
- catch ( LdapNoPermissionException e ) {}
-
- // now add a subentry that enables anyone to add an entry below ou=system
- Attributes subentry = new BasicAttributes( "cn", "anybodyAdd", true );
- objectClass = new BasicAttribute( "objectClass" );
- subentry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "subentry" );
- objectClass.add( "accessControlSubentry" );
- subentry.put( "subtreeSpecification", "{}" );
- subentry.put( "prescriptiveACI", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantAdd } } } } }" );
- adminCtx.createSubcontext( "cn=anybodyAdd", subentry );
-
- // see if we can now add that test entry which we could not before
- testEntry = new BasicAttributes( "ou", "testou", true );
- objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
- sysRoot.createSubcontext( "ou=testou", testEntry );
- }
-
-
- public Name createTestUser( String uid ) throws NamingException
- {
- DirContext adminCtx = getAdminContext();
-
- Attributes testUser = new BasicAttributes( "uid", uid, true );
- testUser.put( "userPassword", uid );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testUser.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "person" );
- objectClass.add( "organizationalPerson" );
- objectClass.add( "inetOrgPerson" );
-
- adminCtx.createSubcontext( "uid="+uid+",ou=users", testUser );
- return new LdapName( "uid="+uid+",ou=users,ou=system" );
- }
-
-
- public void addUserToGroup( String userUid, String groupCn ) throws NamingException
- {
- DirContext adminCtx = getAdminContext();
- Attributes changes = new BasicAttributes( "uniqueMember", "uid="+userUid+",ou=users,ou=system", true );
- adminCtx.modifyAttributes( "cn="+groupCn+",ou=groups", DirContext.ADD_ATTRIBUTE, changes );
- }
-
-
- public DirContext getUserContext( Name user, String password ) throws NamingException
- {
- Hashtable env = ( Hashtable ) ( ( Hashtable ) sysRoot.getEnvironment() ).clone();
- env.put( DirContext.PROVIDER_URL, "ou=system" );
- env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
- env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
- env.put( DirContext.SECURITY_CREDENTIALS, password );
- return new InitialDirContext( env );
- }
-
-
- public void testGrantAddAdministrators() throws NamingException
- {
- DirContext adminCtx = getAdminContext();
-
- // modify ou=system to be an AP for an A/C AA
- Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA, true );
- adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
- Name userName = createTestUser( "billyd" );
-
- // try an add operation which should fail without any ACI
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
-
- try
- {
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- fail( "should never get here due to a permission exception" );
- }
- catch ( LdapNoPermissionException e ) {}
-
- // now add a subentry that enables users in the admin group to add an entry below ou=system
- Attributes subentry = new BasicAttributes( "cn", "administratorAdd", true );
- objectClass = new BasicAttribute( "objectClass" );
- subentry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "subentry" );
- objectClass.add( "accessControlSubentry" );
- subentry.put( "subtreeSpecification", "{}" );
- subentry.put( "prescriptiveACI", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantAdd } } } } }" );
- adminCtx.createSubcontext( "cn=administratorAdd", subentry );
-
- // see if we can now add that test entry which we could not before
- // add op should still fail since akarasulu is not in the admin group
- try
- {
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- fail( "should never get here due to a permission exception" );
- }
- catch ( LdapNoPermissionException e ) {}
-
- // now add akarasulu to the Administrator group and try again
- addUserToGroup( "billyd", "Administrators" );
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- }
-
-
- public void testGrantAddByName() throws NamingException
- {
- DirContext adminCtx = getAdminContext();
-
- // modify ou=system to be an AP for an A/C AA
- Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA, true );
- adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
- Name userName = createTestUser( "billyd" );
-
- // try an add operation which should fail without any ACI
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
-
- try
- {
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- fail( "should never get here due to a permission exception" );
- }
- catch ( LdapNoPermissionException e ) {}
-
- // now add a subentry that enables user billyd to add an entry below ou=system
- Attributes subentry = new BasicAttributes( "cn", "billydAdd", true );
- objectClass = new BasicAttribute( "objectClass" );
- subentry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "subentry" );
- objectClass.add( "accessControlSubentry" );
- subentry.put( "subtreeSpecification", "{}" );
- subentry.put( "prescriptiveACI", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantAdd } } } } }" );
- adminCtx.createSubcontext( "cn=billydAdd", subentry );
-
- // should work now that billyd is authorized
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- }
-
-
- public void testGrantAddBySubtree() throws NamingException
- {
- DirContext adminCtx = getAdminContext();
-
- // modify ou=system to be an AP for an A/C AA
- Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA, true );
- adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
- Name userName = createTestUser( "billyd" );
-
- // try an add operation which should fail without any ACI
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
-
- try
- {
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
- fail( "should never get here due to a permission exception" );
- }
- catch ( LdapNoPermissionException e ) {}
-
- // now add a subentry that enables user billyd to add an entry below ou=system
- Attributes subentry = new BasicAttributes( "cn", "billydAdd", true );
- objectClass = new BasicAttribute( "objectClass" );
- subentry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "subentry" );
- objectClass.add( "accessControlSubentry" );
- subentry.put( "subtreeSpecification", "{}" );
- subentry.put( "prescriptiveACI", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantAdd } } } } }" );
- adminCtx.createSubcontext( "cn=billydAdd", subentry );
-
- // should work now that billyd is authorized
- DirContext userContext = getUserContext( userName, "billyd" );
- userContext.createSubcontext( "ou=testou", testEntry );
}
}