1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.directory.server.core.authz;
21
22
23 import org.apache.directory.server.core.jndi.ServerLdapContext;
24 import org.apache.directory.server.core.integ.CiRunner;
25 import org.apache.directory.server.core.integ.annotations.Factory;
26 import org.apache.directory.server.core.DirectoryService;
27 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
28 import org.apache.directory.shared.ldap.name.LdapDN;
29 import org.junit.runner.RunWith;
30
31 import javax.naming.directory.Attribute;
32 import javax.naming.directory.Attributes;
33 import javax.naming.directory.BasicAttribute;
34 import javax.naming.directory.BasicAttributes;
35 import javax.naming.directory.DirContext;
36 import static org.junit.Assert.assertTrue;
37 import static org.junit.Assert.assertFalse;
38 import org.junit.Test;
39 import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
40 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
41 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
42 import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
43 import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
44
45
46
47
48
49
50
51
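/**
 * Integration tests for the compare operation against the ACI subsystem.
 *
 * Each grant test follows the same shape: create user billyd, confirm the
 * compare is refused while no ACI covers him (which also shows that access
 * control is being enforced by the service the factory builds), install a
 * prescriptive ACI whose grants include {@code grantCompare}, and confirm the
 * compare is then allowed. Every ACI here uses {@code authenticationLevel none},
 * the lowest level, so any bound user satisfies it and only the userClasses
 * clause decides who the grant applies to.
 */
@RunWith ( CiRunner.class )
@Factory ( AutzIntegUtils.ServiceFactory.class )
public class CompareAuthorizationIT
{
    /** Directory service under test; expected to be injected by CiRunner before the tests run. */
    public static DirectoryService service;


    /**
     * Checks whether the given user is <em>permitted</em> to issue a compare
     * on the telephoneNumber attribute of a freshly created test entry.
     *
     * The entry is created as admin under ou=system, the compare is attempted
     * as the user, and the entry is removed again. Only the access decision
     * matters: the boolean result of the compare itself is deliberately
     * ignored, so a non-matching number still yields {@code true} when the
     * user holds grantCompare (testGrantCompareAdministrators relies on this).
     *
     * @param uid      uid of the user performing the compare (under ou=users,ou=system)
     * @param password that user's password, used to bind
     * @param entryRdn RDN of the test entry, created under ou=system and compared against
     * @param number   value compared against the entry's telephoneNumber
     * @return {@code true} if the server accepted the compare request,
     *         {@code false} if it refused it with LdapNoPermissionException
     * @throws Exception for any other failure (entry creation, bind, cleanup)
     */
    public boolean checkCanCompareTelephoneNumberAs( String uid, String password, String entryRdn, String number )
        throws Exception
    {
        // the entry every test compares against: an OU with a known telephoneNumber
        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        testEntry.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "organizationalUnit" );
        testEntry.put( "telephoneNumber", "867-5309" );

        DirContext adminContext = getContextAsAdmin();
        boolean entryCreated = false;

        try
        {
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            adminContext.createSubcontext( entryRdn, testEntry );
            entryCreated = true;

            // bind as the user under test and attempt the compare; the match
            // result is intentionally not inspected, only whether it was allowed
            DirContext userContext = getContextAs( userName, password );
            ServerLdapContext ctx = ( ServerLdapContext ) userContext.lookup( "" );
            ctx.compare( new LdapDN( entryRdn + ",ou=system" ), "telephoneNumber", number );

            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            // the ACI layer refused the compare
            return false;
        }
        finally
        {
            // only remove what was actually created, so a failed creation is not
            // masked by a second exception thrown from destroySubcontext
            if ( entryCreated )
            {
                adminContext.destroySubcontext( entryRdn );
            }
        }
    }


    /**
     * A userGroup ACI for cn=Administrators grants compare only once the user
     * is actually a member of that group.
     */
    @Test
    public void testGrantCompareAdministrators() throws Exception
    {
        createUser( "billyd", "billyd" );

        // no ACI covers billyd yet, so the compare must be refused
        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );

        createAccessControlSubentry( "administratorAdd",
            "{ identificationTag \"addAci\", " +
            " precedence 14, " +
            " authenticationLevel none, " +
            " itemOrUserFirst userFirst: { " +
            " userClasses { " +
            " userGroup { " +
            " \"cn=Administrators,ou=groups,ou=system\" " +
            " } " +
            " }, " +
            " userPermissions { " +
            " { " +
            " protectedItems { entry, allUserAttributeTypesAndValues }, " +
            " grantsAndDenials { grantCompare, grantRead, grantBrowse } " +
            " } " +
            " } " +
            " } " +
            "}" );

        // the ACI exists but billyd is not in the group: still refused
        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );

        addUserToGroup( "billyd", "Administrators" );

        // now allowed; the number does not match the entry's, which confirms the
        // helper reports the access decision rather than the compare result
        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "976-6969" ) );
    }


    /**
     * A name ACI naming billyd's DN directly grants him compare.
     */
    @Test
    public void testGrantCompareByName() throws Exception
    {
        createUser( "billyd", "billyd" );

        // refused before any ACI applies to billyd
        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );

        createAccessControlSubentry( "billydAdd",
            "{ " +
            " identificationTag \"addAci\", precedence 14, authenticationLevel none, itemOrUserFirst userFirst: " +
            " { " +
            " userClasses " +
            " { " +
            " name " +
            " { " +
            " \"uid=billyd,ou=users,ou=system\" " +
            " } " +
            " }, " +
            " userPermissions " +
            " { " +
            " { " +
            " protectedItems " +
            " {" +
            " entry, allUserAttributeTypesAndValues" +
            " }, " +
            " grantsAndDenials " +
            " { " +
            " grantCompare, grantRead, grantBrowse " +
            " } " +
            " } " +
            " } " +
            " } " +
            "}" );

        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
    }


    /**
     * A subtree ACI rooted at ou=users,ou=system grants compare to every user
     * entry beneath it, billyd included.
     */
    @Test
    public void testGrantCompareBySubtree() throws Exception
    {
        createUser( "billyd", "billyd" );

        // refused before any ACI applies to billyd
        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );

        createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
            + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );

        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
    }


    /**
     * An allUsers ACI grants compare to every user, so billyd needs no group
     * membership or explicit naming.
     */
    @Test
    public void testGrantCompareAllUsers() throws Exception
    {
        createUser( "billyd", "billyd" );

        // refused before any ACI applies to billyd
        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );

        createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
            + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );

        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
    }


    /**
     * Verifies that the admin can compare a plaintext value against an entry's
     * userPassword. A compare on userPassword tells the caller whether the
     * supplied value matches the stored one, i.e. it is a password check, so
     * the test also pins the negative case: a wrong value must compare false.
     * Without that assertion a compare that always answered true would pass.
     */
    @Test
    public void testPasswordCompare() throws Exception
    {
        DirContext adminCtx = getContextAsAdmin();
        Attributes user = new BasicAttributes( "uid", "bob", true );
        user.put( "userPassword", "bobspassword" );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        user.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "person" );
        objectClass.add( "organizationalPerson" );
        objectClass.add( "inetOrgPerson" );
        user.put( "sn", "bob" );
        user.put( "cn", "bob" );
        adminCtx.createSubcontext( "uid=bob,ou=users", user );

        LdapDN bobDn = new LdapDN( "uid=bob,ou=users,ou=system" );
        ServerLdapContext ctx = ( ServerLdapContext ) adminCtx.lookup( "" );
        assertTrue( ctx.compare( bobDn, "userPassword", "bobspassword" ) );
        // a non-matching value must not be accepted
        assertFalse( ctx.compare( bobDn, "userPassword", "notbobspassword" ) );
    }

}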