20 package org.apache.directory.server.core.authz;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.List;
27 import org.apache.directory.server.core.CoreSession;
28 import org.apache.directory.server.core.DirectoryService;
29 import org.apache.directory.server.core.authn.LdapPrincipal;
30 import org.apache.directory.server.core.entry.DefaultServerEntry;
31 import org.apache.directory.server.core.integ.CiRunner;
32 import static org.apache.directory.server.core.integ.IntegrationUtils.getUserAddLdif;
33 import org.apache.directory.server.core.integ.annotations.Factory;
34 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
35 import org.apache.directory.shared.ldap.entry.Entry;
36 import org.apache.directory.shared.ldap.entry.EntryAttribute;
37 import org.apache.directory.shared.ldap.entry.Modification;
38 import org.apache.directory.shared.ldap.entry.ModificationOperation;
39 import org.apache.directory.shared.ldap.entry.client.ClientModification;
40 import org.apache.directory.shared.ldap.entry.client.DefaultClientAttribute;
41 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
42 import org.apache.directory.shared.ldap.filter.ExprNode;
43 import org.apache.directory.shared.ldap.filter.FilterParser;
44 import org.apache.directory.shared.ldap.filter.SearchScope;
45 import org.apache.directory.shared.ldap.ldif.LdifEntry;
46 import org.apache.directory.shared.ldap.message.AliasDerefMode;
47 import org.apache.directory.shared.ldap.name.LdapDN;
48 import org.apache.directory.shared.ldap.name.Rdn;
50 import static org.junit.Assert.assertNotNull;
51 import static org.junit.Assert.fail;
52 import static org.junit.Assert.assertTrue;
53 import org.junit.Test;
54 import org.junit.runner.RunWith;
56 import javax.naming.NamingException;
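/**
 * Integration tests checking that the built-in administrator entry
 * ({@code uid=admin,ou=system}) is protected against delete, rename and
 * modify, and exercising a subtree search below {@code ou=system}.
 * Every test first adds the user entry returned by {@code getUserAddLdif()}
 * through the admin session; the {@link DirectoryService} is injected by
 * {@link CiRunner} using {@link AutzIntegUtils.ServiceFactory}.
 *
 * NOTE(review): despite the class name, only {@link #testModifyOnAdminByNonAdmin()}
 * authenticates as the non-admin user; the delete, rename and search tests
 * run on the admin session. Confirm against the authorization interceptor's
 * intended contract whether that is the coverage wanted here.
 */
@RunWith ( CiRunner.class )
@Factory ( AutzIntegUtils.ServiceFactory.class )
public class AuthorizationServiceAsNonAdminIT
{
    /** Directory service under test; assigned by the test runner before the tests execute. */
    public static DirectoryService service;

    /** DN of the protected administrator entry every test tries to tamper with. */
    private static final String ADMIN_DN = "uid=admin,ou=system";


    /**
     * Adds the test user from {@code getUserAddLdif()} through the admin session.
     * The modify test below assumes that entry is {@code uid=akarasulu,ou=users,ou=system}.
     *
     * @return the LDIF entry that was added, so callers can reuse its DN and attributes
     * @throws Exception if the add operation fails
     */
    private static LdifEntry addTestUser() throws Exception
    {
        LdifEntry akarasulu = getUserAddLdif();

        service.getAdminSession().add(
            new DefaultServerEntry( service.getRegistries(), akarasulu.getEntry() ) );

        return akarasulu;
    }


    /**
     * The admin entry must not be deletable, even through the admin session itself.
     *
     * @throws Exception on any unexpected directory error
     */
    @Test
    public void testNoDeleteOnAdminByNonAdmin() throws Exception
    {
        addTestUser();

        try
        {
            service.getAdminSession().delete( new LdapDN( ADMIN_DN ) );
            fail( "User 'admin' should not be able to delete his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // Expected: the authorization layer rejects the delete.
            assertNotNull( e );
        }
    }


    /**
     * The admin entry must not be renamable, even through the admin session itself.
     *
     * @throws Exception on any unexpected directory error
     */
    @Test
    public void testNoRdnChangesOnAdminByNonAdmin() throws Exception
    {
        addTestUser();

        try
        {
            service.getAdminSession().rename(
                new LdapDN( ADMIN_DN ),
                new Rdn( "uid=alex" ),
                false );
            fail( "admin should not be able to rename his account" );
        }
        catch ( LdapNoPermissionException e )
        {
            // Expected: the authorization layer rejects the rename.
            assertNotNull( e );
        }
    }


    /**
     * A non-admin user must not be able to replace attributes (here {@code userPassword})
     * on the admin entry. Only {@link LdapNoPermissionException} counts as success: the
     * former {@code catch ( Exception )} also masked unrelated failures (schema, session
     * or lookup errors) and so could not tell a denied operation from a broken one.
     *
     * @throws Exception on any unexpected directory error
     */
    @Test
    public void testModifyOnAdminByNonAdmin() throws Exception
    {
        LdifEntry akarasulu = addTestUser();

        // Sanity check: the admin session reads back the same userPassword bytes the LDIF carried.
        Entry readEntry = service.getAdminSession().lookup( akarasulu.getDn(), new String[]{ "userPassword"} );

        assertTrue( Arrays.equals( akarasulu.get( "userPassword" ).getBytes(),
            readEntry.get( "userPassword" ).getBytes() ) );

        EntryAttribute attribute = new DefaultClientAttribute( "userPassword", "replaced" );

        List<Modification> mods = new ArrayList<Modification>();
        mods.add( new ClientModification( ModificationOperation.REPLACE_ATTRIBUTE, attribute ) );

        // Open a session as the freshly added non-admin user; the DN is normalized before
        // it is wrapped in the principal.
        LdapDN userDn = new LdapDN( "uid=akarasulu,ou=users,ou=system" );
        userDn.normalize( service.getRegistries().getAttributeTypeRegistry().getNormalizerMapping() );
        LdapPrincipal principal = new LdapPrincipal( userDn, AuthenticationLevel.SIMPLE );
        CoreSession akarasuluSession = service.getSession( principal );

        try
        {
            akarasuluSession.modify( new LdapDN( ADMIN_DN ), mods );
            fail( "User 'uid=akarasulu,ou=users,ou=system' should not be able to modify attributes on admin" );
        }
        catch ( LdapNoPermissionException e )
        {
            // Expected: the authorization layer rejects the modify, consistent with the other tests.
            assertNotNull( e );
        }
    }


    /**
     * Runs a subtree search below {@code ou=system} on the admin session.
     *
     * NOTE(review): as written this test cannot fail on the permission path: there is no
     * {@code fail()} after the search and the search runs as admin, so it only proves that
     * the call does not blow up. Whether a denied search throws or silently filters results
     * is not established here; confirm against the interceptor before adding an assertion.
     * The cursor returned by {@code search} is also discarded without being closed.
     *
     * @throws Exception on any unexpected directory error
     */
    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        addTestUser();

        try
        {
            ExprNode filter = FilterParser.parse( "(objectClass=*)" );
            service.getAdminSession().search( new LdapDN( "ou=system" ), SearchScope.SUBTREE, filter , AliasDerefMode.DEREF_ALWAYS, null );
        }
        catch ( LdapNoPermissionException e )
        {
            assertNotNull( e );
        }
    }
}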