20 package org.apache.directory.server.core.authz;
21
22
23 import org.apache.directory.server.core.DirectoryService;
24 import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
25 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
26 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
27 import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
28 import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
29 import org.apache.directory.server.core.integ.CiRunner;
30 import org.apache.directory.server.core.integ.annotations.Factory;
31 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
32 import org.apache.directory.shared.ldap.name.LdapDN;
33 import static org.junit.Assert.assertFalse;
34 import static org.junit.Assert.assertTrue;
35 import org.junit.Test;
36 import org.junit.runner.RunWith;
37
38 import javax.naming.NamingException;
39 import javax.naming.directory.Attribute;
40 import javax.naming.directory.Attributes;
41 import javax.naming.directory.BasicAttribute;
42 import javax.naming.directory.BasicAttributes;
43 import javax.naming.directory.DirContext;
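@RunWith ( CiRunner.class )
@Factory ( AutzIntegUtils.ServiceFactory.class )
public class AddAuthorizationIT
{
    public static DirectoryService service;


    /**
     * Checks whether the user identified by {@code uid} may add an
     * organizationalUnit entry named {@code entryRdn}. The add is attempted
     * over a JNDI context bound as that user; if it succeeds the entry is
     * removed again as the admin, so every call starts from a directory that
     * does not contain the test entry. Both contexts are closed before
     * returning.
     *
     * @param uid the uid of the user under ou=users,ou=system to bind as
     * @param password the password to bind with
     * @param entryRdn the RDN of the entry to add, relative to the context
     *        root (the tests in this class pass {@code ou=testou})
     * @return true if the add was permitted, false if the server refused it
     *         with a {@link LdapNoPermissionException}
     * @throws Exception for any other failure, including a failed admin
     *         cleanup of an entry that was successfully added
     */
    public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws Exception
    {
        // the ou value is fixed to testou; callers pass entryRdn ou=testou so
        // that the RDN and the attribute agree
        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        testEntry.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "organizationalUnit" );

        DirContext userContext = null;
        boolean added = false;

        try
        {
            // uid is spliced into the DN without RDN value escaping; callers
            // only pass fixed test uids, so none is done here
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            userContext = getContextAs( userName, password );
            userContext.createSubcontext( entryRdn, testEntry );
            added = true;
        }
        catch ( LdapNoPermissionException e )
        {
            // the ACI engine refused the add: this is the negative result the
            // tests assert on, not an error
            return false;
        }
        finally
        {
            // always release the user's context, even when the add was refused
            if ( userContext != null )
            {
                userContext.close();
            }

            // remove the entry as admin whenever it was actually created, so a
            // later check fails on the ACI decision and not on "already bound"
            if ( added )
            {
                destroyAsAdmin( entryRdn );
            }
        }

        return true;
    }


    /**
     * Deletes {@code entryRdn} as the admin user, closing the admin context
     * afterwards even if the delete fails.
     *
     * @param entryRdn the RDN of the entry to delete, relative to the context
     *        root
     * @throws Exception if the admin context cannot be obtained or the delete
     *         fails
     */
    private static void destroyAsAdmin( String entryRdn ) throws Exception
    {
        DirContext adminContext = getContextAsAdmin();

        try
        {
            adminContext.destroySubcontext( entryRdn );
        }
        finally
        {
            adminContext.close();
        }
    }


    /**
     * Adds an access control subentry that grants add and browse on the entry
     * and all user attributes to the given ACI user class. Every test shares
     * the same identificationTag, precedence and authenticationLevel; only the
     * userClasses selector differs. {@code authenticationLevel none} sets no
     * minimum bind strength for the grant, so the tests exercise the
     * userClasses selector alone.
     *
     * @param subentryName the cn of the access control subentry to create
     * @param userClasses the body of the ACI userClasses clause, e.g.
     *        {@code allUsers} or {@code name { "uid=billyd,ou=users,ou=system" }}
     * @throws Exception if the subentry cannot be created
     */
    private static void createAddAci( String subentryName, String userClasses ) throws Exception
    {
        createAccessControlSubentry( subentryName, "{ " + "identificationTag \"addAci\", " + "precedence 14, "
            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
            + "userClasses { " + userClasses + " }, " + "userPermissions { { "
            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
            + "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
    }


    /**
     * A user gains add rights through group membership: the ACI grants add to
     * the Administrators group, so billyd is refused until added to that group.
     */
    @Test
    public void testGrantAddAdministrators() throws Exception
    {
        // create the non-admin user
        createUser( "billyd", "billyd" );

        // the add must be refused before any ACI grants it
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        // grant add to members of the Administrators group
        createAddAci( "administratorAdd", "userGroup { \"cn=Administrators,ou=groups,ou=system\" }" );

        // billyd is not yet a member, so the add is still refused
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        addUserToGroup( "billyd", "Administrators" );

        // now the group-based grant applies
        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * A user gains add rights through an ACI that names the user's DN directly.
     */
    @Test
    public void testGrantAddByName() throws Exception
    {
        // create the non-admin user
        createUser( "billyd", "billyd" );

        // the add must be refused before any ACI grants it
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        // grant add to billyd by DN
        createAddAci( "billydAdd", "name { \"uid=billyd,ou=users,ou=system\" }" );

        // the name-based grant applies
        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * A user gains add rights through an ACI whose subtree selector covers the
     * user's entry (ou=users,ou=system).
     */
    @Test
    public void testGrantAddBySubtree() throws Exception
    {
        // create the non-admin user
        createUser( "billyd", "billyd" );

        // the add must be refused before any ACI grants it
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        // grant add to every user under ou=users,ou=system
        createAddAci( "billyAddBySubtree", "subtree { { base \"ou=users,ou=system\" } }" );

        // billyd's entry lies within the subtree, so the grant applies
        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }


    /**
     * A user gains add rights through an ACI granting add to allUsers.
     */
    @Test
    public void testGrantAddAllUsers() throws Exception
    {
        // create the non-admin user
        createUser( "billyd", "billyd" );

        // the add must be refused before any ACI grants it
        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );

        // grant add to all users
        createAddAci( "anybodyAdd", "allUsers" );

        // the allUsers grant applies to billyd as well
        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
    }
}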