Posted to commits@directory.apache.org by ak...@apache.org on 2005/10/20 01:07:29 UTC
svn commit: r326744 - in /directory/apacheds/trunk:
core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
plugin/project.xml shared/project.xml
Author: akarasulu
Date: Wed Oct 19 16:07:22 2005
New Revision: 326744
URL: http://svn.apache.org/viewcvs?rev=326744&view=rev
Log:
changes ...
o updated deps in plugin and shared subprojects to right versions of jars
o added test case to test subentryACI with search
o added test case to test entryACI with search
o added and tested combination of grants with denials
o added and tested combinations of precedence in ACI
o found and fixed bug where lookup of the subentry ACI attribute was failing to
return it, since subentryACI is an operational attribute
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
directory/apacheds/trunk/plugin/project.xml
directory/apacheds/trunk/shared/project.xml
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java Wed Oct 19 16:07:22 2005
@@ -219,7 +219,8 @@
// will contain the subentryACI attributes that effect subentries
Name parentDn = ( Name ) dn.clone();
parentDn.remove( dn.size() - 1 );
- Attributes administrativeEntry = proxy.lookup( parentDn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
+ Attributes administrativeEntry = proxy.lookup( parentDn, new String[] { SUBENTRYACI_ATTR },
+ DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
Attribute subentryAci = administrativeEntry.get( SUBENTRYACI_ATTR );
if ( subentryAci == null )
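Review bot: The new two-argument lookup on the `+` lines requests `SUBENTRYACI_ATTR` by name, but nothing in the code records why, so a later reader may collapse it back to the one-argument form that the commit log says silently dropped the attribute; add `// subentryACI is operational: request it by name or the lookup will not return it` above the call. The lookup result is dereferenced on the following line (`administrativeEntry.get( SUBENTRYACI_ATTR )`) with no null check; if `proxy.lookup` can return null for a missing parent, that path throws instead of yielding an empty subentry ACI set, and it is worth confirming which of the two is the intended behaviour for the access-control decision. The enclosing method starts and ends outside the hunk.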
Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java (original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/SearchAuthorizationTest.java Wed Oct 19 16:07:22 2005
@@ -669,7 +669,7 @@
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
- // we should also see the entry we are about to deny access to
+ // we should NOT see the entry we are about to deny access to
assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
assertNull( results.get( "ou=tests,ou=system" ) );
@@ -679,24 +679,147 @@
}
-// public boolean checkSubentryAccessAs( String username, String password, Name rdn )
-//
-//
-// public void testSubentryAccess() throws NamingException
-// {
-// // create the non-admin user
-// createUser( "billyd", "billyd" );
-//
-// // now add a subentry that enables anyone to search below ou=system
-// createAccessControlSubentry( "anybodySearch", "{ " +
-// "identificationTag \"searchAci\", " +
-// "precedence 14, " +
-// "authenticationLevel none, " +
-// "itemOrUserFirst userFirst: { " +
-// "userClasses { allUsers }, " +
-// "userPermissions { { " +
-// "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-// "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
-//
-// }
+ /**
+ * Adds a perscriptiveACI to allow search, tests for success, then adds entryACI
+ * to deny read, browse and returnDN to a specific entry and checks to make sure
+ * that entry cannot be accessed via search as a specific user. Here the
+ * precidence of the ACI is put to the test.
+ *
+ * @throws NamingException if the test is broken
+ */
+ public void testPerscriptiveGrantWithEntryDenialWithPrecidence() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // now add an entryACI denies browse, read and returnDN to a specific entry
+ String aci = "{ " +
+ "identificationTag \"denyAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+
+ // try a search operation which should fail without any prescriptive ACI
+ SearchControls cons = new SearchControls();
+ cons.setSearchScope( SearchControls.SUBTREE_SCOPE );
+ LdapName rdn = new LdapName( "ou=tests" );
+ assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+
+ // now add a subentry that enables anyone to search below ou=system
+ createAccessControlSubentry( "anybodySearch", "{ " +
+ "identificationTag \"searchAci\", " +
+ "precedence 15, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+ // see if we can now search the tree which we could not before
+ // should work with billyd now that all users are authorized
+ // we should also see the entry we are about to deny access to
+ // we see it because the precidence of the grant is greater
+ // than the precedence of the denial
+ assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 10 ) );
+ assertNotNull( results.get( "ou=tests,ou=system" ) );
+
+ // now add an entryACI denies browse, read and returnDN to a specific entry
+ // but this time the precedence will be higher than that of the grant
+ aci = "{ " +
+ "identificationTag \"denyAci\", " +
+ "precedence 16, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+
+ // see if we can now search the tree which we could not before
+ // should work with billyd now that all users are authorized
+ // we should NOT see the entry we are about to deny access to
+ // we do NOT see it because the precidence of the grant is less
+ // than the precedence of the denial - so the denial wins
+ assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", cons, rdn, aci, 9 ) );
+ assertNull( results.get( "ou=tests,ou=system" ) );
+ }
+
+
+ /**
+ * Performs an object level search on the specified subentry relative to ou=system as a specific user.
+ *
+ * @param uid the uid RDN attribute value of the user to perform the search as
+ * @param password the password of the user
+ * @param rdn the relative name to the subentry under the ou=system AP
+ * @return the single search result if access is allowed or null
+ * @throws NamingException if the search fails w/ exception other than no permission
+ */
+ private SearchResult checkCanSearhSubentryAs( String uid, String password, Name rdn ) throws NamingException
+ {
+ DirContext userCtx = getContextAs( new LdapName( "uid="+uid+",ou=users,ou=system" ), password );
+ SearchControls cons = new SearchControls();
+ cons.setSearchScope( SearchControls.OBJECT_SCOPE );
+ SearchResult result = null;
+ NamingEnumeration list = null;
+
+ try
+ {
+ list = userCtx.search( rdn, "(objectClass=*)", cons );
+ if ( list.hasMore() )
+ {
+ result = ( SearchResult ) list.next();
+ list.close();
+ return result;
+ }
+ }
+ catch ( LdapNoPermissionException e )
+ {
+ }
+ finally
+ {
+ if ( list != null ) { list.close(); }
+ }
+
+ return result;
+ }
+
+
+ public void testSubentryAccess() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // now add a subentry that enables anyone to search below ou=system
+ createAccessControlSubentry( "anybodySearch", "{ " +
+ "identificationTag \"searchAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+ // check and see if we can access the subentry now
+ assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapName( "cn=anybodySearch" ) ) );
+
+ // now add a denial to prevent all users except the admin from accessing the subentry
+ addSubentryACI( "{ " +
+ "identificationTag \"searchAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { allUsers }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+
+ // now we should not be able to access the subentry with a search
+ assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapName( "cn=anybodySearch" ) ) );
+ }
}
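Review bot: In `checkCanSearhSubentryAs` the enumeration is closed twice on the success path: `list.close()` inside the `if ( list.hasMore() )` block runs, and then `finally` calls `list.close()` on the same object again. Dropping the inner `list.close(); return result;` pair and letting `finally` perform the single close keeps the `result` assignment intact, since `result` is already returned after the `finally`. The empty `catch ( LdapNoPermissionException e )` is the intended "access denied means not visible" outcome, but it should say so, e.g. `// access denied is the expected negative outcome; leave result null`. The helper's name also carries a typo (`Searh`) that both call sites in `testSubentryAccess` repeat; `checkCanSearchSubentryAs` would match the Javadoc above it.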
Modified: directory/apacheds/trunk/plugin/project.xml
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/plugin/project.xml?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/plugin/project.xml (original)
+++ directory/apacheds/trunk/plugin/project.xml Wed Oct 19 16:07:22 2005
@@ -46,12 +46,12 @@
<dependency>
<groupId>directory-shared</groupId>
<artifactId>ldap-common</artifactId>
- <version>0.9.2</version>
+ <version>0.9.3-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>directory</groupId>
<artifactId>apacheds-shared</artifactId>
- <version>0.9.2</version>
+ <version>0.9.3-SNAPSHOT</version>
</dependency>
<dependency>
<groupId>velocity</groupId>
Modified: directory/apacheds/trunk/shared/project.xml
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/shared/project.xml?rev=326744&r1=326743&r2=326744&view=diff
==============================================================================
--- directory/apacheds/trunk/shared/project.xml (original)
+++ directory/apacheds/trunk/shared/project.xml Wed Oct 19 16:07:22 2005
@@ -16,7 +16,7 @@
<dependency>
<groupId>directory-shared</groupId>
<artifactId>ldap-common</artifactId>
- <version>0.9.2</version>
+ <version>0.9.3-SNAPSHOT</version>
</dependency>
</dependencies>