20 package org.apache.directory.server.core.authz;
21
22 import org.apache.directory.shared.ldap.name.LdapDN;
23
24
25 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
26 import org.apache.directory.server.core.integ.CiRunner;
27 import org.apache.directory.server.core.integ.annotations.Factory;
28 import org.apache.directory.server.core.DirectoryService;
29 import org.junit.runner.RunWith;
30
31 import javax.naming.directory.Attribute;
32 import javax.naming.directory.Attributes;
33 import javax.naming.directory.BasicAttribute;
34 import javax.naming.directory.BasicAttributes;
35 import javax.naming.directory.DirContext;
36
37 import static org.junit.Assert.assertTrue;
38 import static org.junit.Assert.assertFalse;
39 import org.junit.Test;
40
41 import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
42 import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteUser;
43 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
44 import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
45 import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
46 import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
47 import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
48 import static org.apache.directory.server.core.authz.AutzIntegUtils.removeUserFromGroup;
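/**
 * Integration tests for ACI-based authorization of entry rename and move
 * operations.
 *
 * Every scenario creates a throw-away user, proves the operation is denied
 * while no access control subentry exists, installs a subentry, and proves the
 * operation is then permitted. For group-based grants there is an extra step:
 * the subentry alone must still deny, and only adding the user to the group
 * must open the door.
 *
 * Three operation shapes are run against each user class:
 * <ul>
 *   <li>rename in place (same parent, new RDN) - needs Rename and Browse</li>
 *   <li>move to another parent with a new RDN - needs Export, Import, Rename
 *       and Browse</li>
 *   <li>move to another parent keeping the RDN - needs Export, Import and
 *       Browse</li>
 * </ul>
 * The permission sets above are what the assertions in this class establish;
 * they are not a statement of the full server policy. Note that no scenario
 * here checks that a move lacking only grantImport at the destination is
 * denied - the "separately" test only proves the positive combination.
 *
 * All ACIs use {@code authenticationLevel none}, i.e. no minimum bind strength
 * is demanded; the tests bind with a simple password, so the level is never
 * the deciding factor in these assertions.
 */
@RunWith ( CiRunner.class )
@Factory ( AutzIntegUtils.ServiceFactory.class )
public class MoveRenameAuthorizationIT
{
    /**
     * Directory service this test class runs against; presumably populated by
     * the runner. It is not read directly anywhere in this class.
     */
    public static DirectoryService service;

    /** Throw-away account every scenario creates and deletes again. */
    private static final String TEST_UID = "billyd";
    private static final String TEST_PASSWORD = "billyd";

    /** Group used by the group-membership scenarios, and its DN as named in the ACIs. */
    private static final String ADMIN_GROUP = "Administrators";
    private static final String ADMIN_GROUP_DN = "cn=" + ADMIN_GROUP + ",ou=groups,ou=system";

    /** Rename in place: same parent, new RDN. */
    private static final String RENAME_FROM = "ou=testou";
    private static final String RENAME_TO = "ou=newname";

    /** Move to another parent; once with a new RDN, once keeping it. */
    private static final String MOVE_FROM = "ou=testou,ou=users";
    private static final String MOVE_RENAME_TO = "ou=newname,ou=groups";
    private static final String MOVE_TO = "ou=testou,ou=groups";

    /** Permission sets the three shapes are asserted to require. */
    private static final String RENAME_GRANTS = "grantRename, grantBrowse";
    private static final String MOVE_RENAME_GRANTS = "grantExport, grantImport, grantRename, grantBrowse";
    private static final String MOVE_GRANTS = "grantExport, grantImport, grantBrowse";


    /**
     * Creates a test organizationalUnit entry as the admin, then tries to
     * rename/move it as the given user.
     *
     * The test entry is always removed again, whichever outcome occurs: on a
     * successful rename it is deleted under its new name, otherwise under the
     * name it was created with. Without that guarantee an unexpected exception
     * (bad credentials, schema violation, ...) would leave "ou=testou" behind
     * and make every later scenario fail at createSubcontext instead of at the
     * real cause.
     *
     * @param uid the uid of the user to bind as (under ou=users,ou=system)
     * @param password the password of that user
     * @param entryRdn the name, relative to the admin context, of the entry to create and rename
     * @param newRdn the name to rename/move it to
     * @return true if the user was allowed to perform the rename, false if the
     *         server answered with LdapNoPermissionException
     * @throws Exception any other failure, including failures of the cleanup itself
     */
    public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newRdn )
        throws Exception
    {
        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
        Attribute objectClass = new BasicAttribute( "objectClass" );
        testEntry.put( objectClass );
        objectClass.add( "top" );
        objectClass.add( "organizationalUnit" );

        DirContext adminContext = getContextAsAdmin();
        adminContext.createSubcontext( entryRdn, testEntry );

        // Where the entry currently lives; switched to newRdn only after a successful rename.
        String currentRdn = entryRdn;

        try
        {
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            DirContext userContext = getContextAs( userName, password );

            try
            {
                userContext.rename( entryRdn, newRdn );
            }
            finally
            {
                userContext.close();
            }

            currentRdn = newRdn;
            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            // The authorization decision under test: the user was denied.
            return false;
        }
        finally
        {
            try
            {
                adminContext.destroySubcontext( currentRdn );
            }
            finally
            {
                adminContext.close();
            }
        }
    }


    /**
     * Builds a userFirst ACI item that protects the whole entry for the given
     * user class and grants exactly the listed permissions.
     *
     * @param userClasses the body of the {@code userClasses { ... }} clause
     * @param grantsAndDenials the body of the {@code grantsAndDenials { ... }} clause
     * @return the ACI item string accepted by createAccessControlSubentry
     */
    private static String userFirstAci( String userClasses, String grantsAndDenials )
    {
        return "{ " + "identificationTag \"addAci\", " + "precedence 14, "
            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
            + "userClasses { " + userClasses + " }, " + "userPermissions { { "
            + "protectedItems {entry}, " + "grantsAndDenials { " + grantsAndDenials + " } } } } }";
    }


    /**
     * Runs one operation shape against an ACI that selects the test user
     * directly (by name, by subtree or as allUsers): denied without the
     * subentry, granted as soon as it exists.
     *
     * Cleanup is sequential, as in the original tests: a failed assertion
     * leaves the subentry and user in place.
     *
     * @param subentryName name of the access control subentry to create and delete
     * @param userClasses the userClasses clause body selecting the test user
     * @param grants the grantsAndDenials clause body
     * @param entryRdn the entry to create and rename
     * @param newRdn the target name
     */
    private void assertGrantedByUserClass( String subentryName, String userClasses, String grants,
        String entryRdn, String newRdn ) throws Exception
    {
        createUser( TEST_UID, TEST_PASSWORD );

        assertFalse( checkCanRenameAs( TEST_UID, TEST_PASSWORD, entryRdn, newRdn ) );

        createAccessControlSubentry( subentryName, userFirstAci( userClasses, grants ) );

        assertTrue( checkCanRenameAs( TEST_UID, TEST_PASSWORD, entryRdn, newRdn ) );

        deleteAccessControlSubentry( subentryName );
        deleteUser( TEST_UID );
    }


    /**
     * Runs one operation shape against an ACI granting to the Administrators
     * group: denied without the subentry, still denied with the subentry but
     * no membership, granted once the test user joins the group.
     *
     * @param subentryName name of the access control subentry to create and delete
     * @param grants the grantsAndDenials clause body
     * @param entryRdn the entry to create and rename
     * @param newRdn the target name
     */
    private void assertGrantedByAdministratorsGroup( String subentryName, String grants, String entryRdn,
        String newRdn ) throws Exception
    {
        createUser( TEST_UID, TEST_PASSWORD );

        assertFalse( checkCanRenameAs( TEST_UID, TEST_PASSWORD, entryRdn, newRdn ) );

        createAccessControlSubentry( subentryName,
            userFirstAci( "userGroup { \"" + ADMIN_GROUP_DN + "\" }", grants ) );

        // The subentry alone must not grant anything: membership is the deciding factor.
        assertFalse( checkCanRenameAs( TEST_UID, TEST_PASSWORD, entryRdn, newRdn ) );

        addUserToGroup( TEST_UID, ADMIN_GROUP );

        assertTrue( checkCanRenameAs( TEST_UID, TEST_PASSWORD, entryRdn, newRdn ) );

        removeUserFromGroup( TEST_UID, ADMIN_GROUP );
        deleteAccessControlSubentry( subentryName );
        deleteUser( TEST_UID );
    }


    /**
     * Grants via membership in the Administrators group: all three operation shapes.
     */
    @Test
    public void testGrantByAdministrators() throws Exception
    {
        assertGrantedByAdministratorsGroup( "grantRenameByAdmin", RENAME_GRANTS, RENAME_FROM, RENAME_TO );
        assertGrantedByAdministratorsGroup( "grantRenameMoveByAdmin", MOVE_RENAME_GRANTS, MOVE_FROM,
            MOVE_RENAME_TO );
        assertGrantedByAdministratorsGroup( "grantMoveByAdmin", MOVE_GRANTS, MOVE_FROM, MOVE_TO );
    }


    /**
     * Grants to the test user by DN: all three operation shapes.
     */
    @Test
    public void testGrantByName() throws Exception
    {
        String byName = "name { \"uid=" + TEST_UID + ",ou=users,ou=system\" }";

        assertGrantedByUserClass( "grantRenameByName", byName, RENAME_GRANTS, RENAME_FROM, RENAME_TO );
        assertGrantedByUserClass( "grantRenameMoveByName", byName, MOVE_RENAME_GRANTS, MOVE_FROM,
            MOVE_RENAME_TO );
        assertGrantedByUserClass( "grantMoveByName", byName, MOVE_GRANTS, MOVE_FROM, MOVE_TO );
    }


    /**
     * Grants to every user under ou=users,ou=system (the test user included): all three shapes.
     */
    @Test
    public void testGrantBySubtree() throws Exception
    {
        String bySubtree = "subtree { { base \"ou=users,ou=system\" } }";

        assertGrantedByUserClass( "grantRenameByTree", bySubtree, RENAME_GRANTS, RENAME_FROM, RENAME_TO );
        assertGrantedByUserClass( "grantRenameMoveByTree", bySubtree, MOVE_RENAME_GRANTS, MOVE_FROM,
            MOVE_RENAME_TO );
        assertGrantedByUserClass( "grantMoveByTree", bySubtree, MOVE_GRANTS, MOVE_FROM, MOVE_TO );
    }


    /**
     * Grants to allUsers, the widest user class: all three shapes. Combined
     * with {@code authenticationLevel none} this is as broad as an ACI gets,
     * which is intentional here - the point is that the test user is covered.
     */
    @Test
    public void testGrantByAnyuser() throws Exception
    {
        String anyUser = "allUsers";

        assertGrantedByUserClass( "grantRenameByAny", anyUser, RENAME_GRANTS, RENAME_FROM, RENAME_TO );
        assertGrantedByUserClass( "grantRenameMoveByAny", anyUser, MOVE_RENAME_GRANTS, MOVE_FROM,
            MOVE_RENAME_TO );
        assertGrantedByUserClass( "grantMoveByAny", anyUser, MOVE_GRANTS, MOVE_FROM, MOVE_TO );
    }


    /**
     * Checks that the rights needed for a move can come from separate
     * subentries scoped to different subtrees: Browse on the whole naming
     * context, Export (plus Rename) only under ou=users, Import only under
     * ou=groups. The move from ou=users to ou=groups must be allowed once the
     * user is an Administrator, i.e. the server has to combine the rights
     * applying at the source and at the destination.
     */
    @Test
    public void testExportAndImportSeperately() throws Exception
    {
        createUser( TEST_UID, TEST_PASSWORD );

        assertFalse( checkCanRenameAs( TEST_UID, TEST_PASSWORD, MOVE_FROM, MOVE_RENAME_TO ) );

        // Browse everywhere (empty subtree specification = whole naming context).
        createAccessControlSubentry(
            "grantBrowseForTheWholeNamingContext",
            "{ }",
            "{ " + "identificationTag \"browseACI\", "
                + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
                + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
                + "protectedItems { entry }, "
                + "grantsAndDenials { grantBrowse } } } } }" );

        // Export (and the rename of the RDN) only from the source subtree.
        createAccessControlSubentry(
            "grantExportFromASubtree",
            "{ base \"ou=users\" }",
            "{ " + "identificationTag \"exportACI\", "
                + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
                + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
                + "protectedItems { entry }, "
                + "grantsAndDenials { grantExport, grantRename } } } } }" );

        // Import only into the destination subtree.
        createAccessControlSubentry(
            "grantImportToASubtree",
            "{ base \"ou=groups\" }",
            "{ " + "identificationTag \"importACI\", "
                + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
                + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
                + "protectedItems { entry }, "
                + "grantsAndDenials { grantImport } } } } }" );

        // All three subentries exist, but the user is not yet a member of the group.
        assertFalse( checkCanRenameAs( TEST_UID, TEST_PASSWORD, MOVE_FROM, MOVE_RENAME_TO ) );

        addUserToGroup( TEST_UID, ADMIN_GROUP );

        assertTrue( checkCanRenameAs( TEST_UID, TEST_PASSWORD, MOVE_FROM, MOVE_RENAME_TO ) );

        removeUserFromGroup( TEST_UID, ADMIN_GROUP );
        deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
        deleteAccessControlSubentry( "grantExportFromASubtree" );
        deleteAccessControlSubentry( "grantImportToASubtree" );
        deleteUser( TEST_UID );
    }
}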