1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz;
21  
22  
23  import org.apache.directory.server.core.DirectoryService;
24  import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
25  import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
26  import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
27  import org.apache.directory.server.core.integ.CiRunner;
28  import org.apache.directory.server.core.integ.SetupMode;
29  import org.apache.directory.server.core.integ.annotations.*;
30  import static org.junit.Assert.assertTrue;
31  import static org.junit.Assert.assertFalse;
32  import static org.junit.Assert.fail;
33  
34  import org.junit.Test;
35  import org.junit.runner.RunWith;
36  
37  import javax.naming.Name;
38  import javax.naming.NamingException;
39  import javax.naming.NoPermissionException;
40  import javax.naming.directory.DirContext;
41  
42  
43  /**
44   * Some tests to make sure users in the cn=Administrators,ou=groups,ou=system 
45   * group behave as admin like users will full access rights.
46   * 
47   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
48   * @version $Rev$
49   */
@RunWith ( CiRunner.class )
@Mode ( SetupMode.PRISTINE )
/**
 * Integration tests checking that members of the
 * {@code cn=Administrators,ou=groups,ou=system} group are treated as
 * admin-like users with full access rights, both when authorization is
 * ACI based and when the default (non-ACI) authorization is in effect.
 *
 * Each test creates an ordinary user, shows that the user is denied, adds
 * the user to the Administrators group and shows that the same user is then
 * allowed.  Group membership is the only thing that changes between the two
 * checks: no ACI or other grant is added for the user individually.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev$
 */
public class AdministratorsGroupIT
{
    /**
     * The service under test.  Never assigned inside this class, so it is
     * presumably populated by the {@link CiRunner} before each test — confirm
     * against the runner if relying on it elsewhere.
     */
    public static DirectoryService service;

    /** Uid of the throw-away user each test creates. */
    private static final String TEST_UID = "billyd";

    /** Password of the throw-away user; only ever used against the test server. */
    private static final String TEST_PASSWORD = "s3kr3t";

    /** Name of the group that is expected to confer admin-like rights. */
    private static final String ADMIN_GROUP = "Administrators";

    /** Name of the admin group entry relative to the test context's base. */
    private static final String ADMIN_GROUP_NAME = "cn=Administrators,ou=groups";


    /**
     * Attempts to read the attributes of {@code cn=Administrators,ou=groups}
     * through the supplied context and reports whether the read was authorized.
     *
     * @param ctx a context bound as the user whose rights are being probed
     * @return {@code true} if the attributes were returned, {@code false} if the
     *         server refused with a {@link NoPermissionException}
     * @throws NamingException for any other directory error, which is deliberately
     *         not folded into the boolean result so unrelated failures stay visible
     */
    boolean canReadAdministrators( DirContext ctx ) throws NamingException
    {
        boolean readable;

        try
        {
            ctx.getAttributes( ADMIN_GROUP_NAME );
            readable = true;
        }
        catch ( NoPermissionException denied )
        {
            // an authorization refusal is the only outcome mapped to "not readable"
            readable = false;
        }

        return readable;
    }


    /**
     * Verifies, with ACI based authorization, that a freshly created user who is
     * not in the Administrators group cannot even obtain a context (browsing
     * ou=system is refused), and that after being added to the group the same
     * credentials yield a context that can read the admin group entry.  This
     * test does NOT use the DefaultAuthorizationInterceptor but the one based
     * on ACI.
     *
     * @throws Exception on failures
     */
    @Test
    @Factory ( AutzIntegUtils.ServiceFactory.class )
    public void testNonAdminReadAccessToGroups() throws Exception
    {
        Name billydDn = createUser( TEST_UID, TEST_PASSWORD );

        // With no ACI granting billyd anything, binding and browsing ou=system
        // must be refused outright; record whether the refusal happened.
        boolean browseDenied = false;

        try
        {
            getContextAs( billydDn, TEST_PASSWORD );
        }
        catch ( NoPermissionException expected )
        {
            browseDenied = true;
        }

        if ( !browseDenied )
        {
            fail( "Should not get here since we cannot browse ou=system" );
        }

        // Group membership is the sole change between the denied and the
        // allowed attempt: nothing is granted to billyd individually.
        addUserToGroup( TEST_UID, ADMIN_GROUP );

        // As an Administrators member billyd may now bind, browse ou=system
        // and read the admin group entry.
        DirContext ctx = getContextAs( billydDn, TEST_PASSWORD );
        assertTrue( canReadAdministrators( ctx ) );
    }


    /**
     * Same scenario as {@link #testNonAdminReadAccessToGroups()} but against the
     * default service, where ACI based access control is switched off.  Here a
     * non-member can obtain a context but is refused when reading the admin
     * group entry; after being added to the group the very same context is
     * allowed to read it.
     *
     * @throws Exception on failure
     */
    @Test
    @Factory ( AutzIntegUtils.DefaultServiceFactory.class )
    public void testDefaultNonAdminReadAccessToGroups() throws Exception
    {
        Name billydDn = createUser( TEST_UID, TEST_PASSWORD );

        // Pin the premise of this test: the ACI subsystem is off, so whatever
        // denies or allows billyd below is the default authorization path.
        assertFalse( service.isAccessControlEnabled() );

        DirContext ctx = getContextAs( billydDn, TEST_PASSWORD );

        // Not yet a member: the admin group entry must be hidden from billyd.
        assertFalse( canReadAdministrators( ctx ) );

        // Group membership is the sole change; nothing is granted individually.
        addUserToGroup( TEST_UID, ADMIN_GROUP );

        // The already-bound context is reused, so the decision is taken per
        // operation rather than fixed at bind time.
        assertTrue( canReadAdministrators( ctx ) );
    }
}