1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20 package org.apache.directory.server.core.authz;
21
22 import org.apache.directory.shared.ldap.name.LdapDN;
23
24
25 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
26 import org.apache.directory.server.core.integ.CiRunner;
27 import org.apache.directory.server.core.integ.annotations.Factory;
28 import org.apache.directory.server.core.DirectoryService;
29 import org.junit.runner.RunWith;
30
31 import javax.naming.directory.Attribute;
32 import javax.naming.directory.Attributes;
33 import javax.naming.directory.BasicAttribute;
34 import javax.naming.directory.BasicAttributes;
35 import javax.naming.directory.DirContext;
36
37 import static org.junit.Assert.assertTrue;
38 import static org.junit.Assert.assertFalse;
39 import org.junit.Test;
40 import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
41 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
42 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
43 import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
44 import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
45
46
47
48
49
50
51
52
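@RunWith ( CiRunner.class )
@Factory ( AutzIntegUtils.ServiceFactory.class )
/**
 * Integration tests for the authorization checks applied to LDAP delete operations.
 *
 * Every test follows the same shape: a fresh user is created, a delete attempt is made
 * before any ACI exists (and must be denied, i.e. deny-by-default), an access control
 * subentry granting remove rights is installed for some user class, and the delete is
 * retried (and must succeed once the user falls inside that class).
 */
public class DeleteAuthorizationIT
{
    /** Populated by the test runner through the {@link Factory}; this class does not read it directly. */
    public static DirectoryService service;


    /**
     * Builds the access control subentry body used by all tests in this class. The
     * permissions are identical everywhere - remove and browse on the protected entry,
     * precedence 14, no minimum authentication level - and only the userClasses clause
     * varies, so it is the single parameter.
     *
     * NOTE: the identificationTag is still "addAci" (apparently inherited from the add
     * tests); it is only a label and is kept unchanged so the subentries stay identical.
     *
     * @param userClasses the body of the ACI's userClasses clause, e.g. {@code allUsers}
     * @return the ACI string for createAccessControlSubentry
     */
    private static String removeAciFor( String userClasses )
    {
        return "{ identificationTag \"addAci\", precedence 14, authenticationLevel none, "
            + "itemOrUserFirst userFirst: { userClasses { " + userClasses + " }, "
            + "userPermissions { { protectedItems {entry}, grantsAndDenials { grantRemove, grantBrowse } } } } }";
    }


    /**
     * Checks whether the given user is allowed to delete an entry.
     *
     * The admin creates a throwaway organizationalUnit at entryRdn, then the user binds
     * and tries to destroy it. The method returns true when the delete goes through and
     * false when the server answers with LdapNoPermissionException. Any other exception
     * (failed bind, schema error, ...) is propagated so the test fails loudly rather than
     * being misreported as a permission decision.
     *
     * Whatever happens, the test entry is removed again by the admin if the user did not
     * delete it, and both contexts are closed - otherwise a single unexpected failure
     * would leave ou=testou behind and make every following test fail on
     * createSubcontext instead of on its real cause.
     *
     * @param uid      the uid of the user to bind as; assumed to be a literal, DN-safe
     *                 value since it is concatenated straight into the bind DN
     * @param password the user's password
     * @param entryRdn the RDN of the entry to create and then delete, relative to the
     *                 context root returned by the AutzIntegUtils helpers
     * @return true if the user could delete the entry, false if permission was denied
     * @throws Exception for any failure other than a permission denial
     */
    public boolean checkCanDeleteEntryAs( String uid, String password, String entryRdn ) throws Exception
    {
        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        testEntry.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "organizationalUnit" );

        DirContext adminContext = getContextAsAdmin();
        try
        {
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            adminContext.createSubcontext( entryRdn, testEntry );

            boolean deleted = false;
            try
            {
                DirContext userContext = getContextAs( userName, password );
                try
                {
                    userContext.destroySubcontext( entryRdn );
                    deleted = true;
                }
                finally
                {
                    userContext.close();
                }
            }
            catch ( LdapNoPermissionException e )
            {
                // The server refused the delete: this is the "denied" outcome, not an error.
            }
            finally
            {
                // Only the admin cleans up when the user did not delete the entry; doing it
                // unconditionally would throw on an already-removed entry.
                if ( !deleted )
                {
                    adminContext.destroySubcontext( entryRdn );
                }
            }

            return deleted;
        }
        finally
        {
            adminContext.close();
        }
    }


    /**
     * Grants remove rights to the Administrators group and verifies that a user only
     * gains them once actually added to that group - group membership, not the mere
     * existence of the ACI, is what must unlock the delete.
     */
    @Test
    public void testGrantDeleteAdministrators() throws Exception
    {
        createUser( "billyd", "billyd" );

        // deny-by-default: no ACI yet
        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "administratorAdd",
            removeAciFor( "userGroup { \"cn=Administrators,ou=groups,ou=system\" }" ) );

        // the ACI exists but billyd is not a member of the group it names
        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );

        addUserToGroup( "billyd", "Administrators" );

        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Grants remove rights to one user identified by DN (userClasses name) and verifies
     * the delete is denied before and allowed after the ACI is installed.
     */
    @Test
    public void testGrantDeleteByName() throws Exception
    {
        createUser( "billyd", "billyd" );

        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "billydAdd",
            removeAciFor( "name { \"uid=billyd,ou=users,ou=system\" }" ) );

        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Grants remove rights to every requester whose DN lies under ou=users,ou=system
     * (userClasses subtree). Note the grant is not tied to any particular account: any
     * user created under that base would get the same rights.
     */
    @Test
    public void testGrantDeleteBySubtree() throws Exception
    {
        createUser( "billyd", "billyd" );

        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "billyAddBySubtree",
            removeAciFor( "subtree { { base \"ou=users,ou=system\" } }" ) );

        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * Grants remove rights to allUsers. Combined with authenticationLevel none this ACI
     * as written would also match an anonymous requester; the test only exercises an
     * authenticated bind, so that wider exposure is not asserted here.
     */
    @Test
    public void testGrantDeleteAllUsers() throws Exception
    {
        createUser( "billyd", "billyd" );

        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );

        createAccessControlSubentry( "anybodyAdd", removeAciFor( "allUsers" ) );

        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
    }
}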