239N/A/*
239N/A * CDDL HEADER START
239N/A *
239N/A * The contents of this file are subject to the terms of the
239N/A * Common Development and Distribution License, Version 1.0 only
239N/A * (the "License"). You may not use this file except in compliance
239N/A * with the License.
239N/A *
239N/A * You can obtain a copy of the license at
239N/A * trunk/opends/resource/legal-notices/OpenDS.LICENSE
239N/A * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
239N/A * See the License for the specific language governing permissions
239N/A * and limitations under the License.
239N/A *
239N/A * When distributing Covered Code, include this CDDL HEADER in each
239N/A * file and include the License file at
239N/A * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
239N/A * add the following below this CDDL HEADER, with the fields enclosed
873N/A * by brackets "[]" replaced with your own identifying information:
239N/A * Portions Copyright [yyyy] [name of copyright owner]
239N/A *
239N/A * CDDL HEADER END
239N/A *
239N/A *
3232N/A * Copyright 2006-2008 Sun Microsystems, Inc.
239N/A */
239N/Apackage org.opends.server.extensions;
239N/A
239N/A
239N/A
239N/Aimport java.net.Socket;
239N/Aimport java.util.ArrayList;
2017N/Aimport java.util.List;
2017N/Aimport java.util.HashMap;
239N/Aimport java.util.concurrent.atomic.AtomicInteger;
239N/A
239N/Aimport org.testng.annotations.BeforeClass;
239N/Aimport org.testng.annotations.Test;
239N/A
239N/Aimport org.opends.server.TestCaseUtils;
2017N/Aimport org.opends.server.controls.ProxiedAuthV2Control;
239N/Aimport org.opends.server.core.AddOperation;
239N/Aimport org.opends.server.core.ExtendedOperation;
239N/Aimport org.opends.server.protocols.internal.InternalClientConnection;
2017N/Aimport org.opends.server.protocols.ldap.ExtendedRequestProtocolOp;
2017N/Aimport org.opends.server.protocols.ldap.ExtendedResponseProtocolOp;
239N/Aimport org.opends.server.protocols.ldap.LDAPMessage;
2017N/Aimport org.opends.server.protocols.ldap.LDAPResultCode;
239N/Aimport org.opends.server.protocols.ldap.UnbindRequestProtocolOp;
239N/Aimport org.opends.server.tools.LDAPAuthenticationHandler;
1924N/Aimport org.opends.server.tools.LDAPReader;
1924N/Aimport org.opends.server.tools.LDAPWriter;
4134N/Aimport org.opends.server.types.*;
239N/A
239N/Aimport static org.testng.Assert.*;
239N/A
239N/Aimport static org.opends.server.util.ServerConstants.*;
239N/A
239N/A
239N/A
239N/A/**
239N/A * A set of test cases for the "Who Am I?" extended operation.
239N/A */
239N/Apublic class WhoAmIExtendedOperationTestCase
239N/A extends ExtensionsTestCase
239N/A{
239N/A /**
239N/A * Ensures that the Directory Server is running.
239N/A *
239N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @BeforeClass()
239N/A public void startServer()
239N/A throws Exception
239N/A {
239N/A TestCaseUtils.startServer();
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an internal
239N/A * connection authenticated as a root user.
239N/A */
239N/A @Test()
239N/A public void testAsInternalRootUser()
239N/A {
239N/A InternalClientConnection conn =
239N/A InternalClientConnection.getRootConnection();
239N/A ExtendedOperation extOp =
239N/A conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
239N/A assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
239N/A assertNotNull(extOp.getResponseValue());
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an internal
239N/A * unauthenticated connection.
2105N/A *
2105N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @Test()
239N/A public void testAsInternalAnonymous()
2105N/A throws Exception
239N/A {
2105N/A InternalClientConnection conn = new InternalClientConnection(DN.nullDN());
239N/A ExtendedOperation extOp =
239N/A conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
239N/A assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
239N/A assertNotNull(extOp.getResponseValue());
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an internal
239N/A * connection authenticated as a normal user.
239N/A *
239N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @Test()
239N/A public void testAsInternalNormalUser()
239N/A throws Exception
239N/A {
239N/A TestCaseUtils.initializeTestBackend(true);
239N/A
239N/A Entry e = TestCaseUtils.makeEntry(
239N/A "dn: uid=test.user,o=test",
239N/A "objectClass: top",
239N/A "objectClass: person",
239N/A "objectClass: organizationalPerson",
239N/A "objectClass: inetOrgPerson",
239N/A "uid: test.user",
239N/A "givenName: Test",
239N/A "sn: User",
239N/A "cn: Test User",
239N/A "userPassword: password");
239N/A
239N/A InternalClientConnection conn =
239N/A InternalClientConnection.getRootConnection();
239N/A AddOperation addOp = conn.processAdd(e.getDN(), e.getObjectClasses(),
239N/A e.getUserAttributes(),
239N/A e.getOperationalAttributes());
239N/A assertEquals(addOp.getResultCode(), ResultCode.SUCCESS);
239N/A
239N/A
773N/A conn = new InternalClientConnection(new AuthenticationInfo(e, false));
239N/A ExtendedOperation extOp =
239N/A conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
239N/A assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
239N/A assertNotNull(extOp.getResponseValue());
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an LDAP connection
239N/A * authenticated as a root user.
239N/A *
239N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @Test()
239N/A public void testAsLDAPRootUser()
239N/A throws Exception
239N/A {
1118N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
1924N/A LDAPReader reader = new LDAPReader(s);
1924N/A LDAPWriter writer = new LDAPWriter(s);
239N/A
239N/A AtomicInteger nextMessageID = new AtomicInteger(1);
239N/A LDAPAuthenticationHandler authHandler =
239N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
239N/A nextMessageID);
4134N/A authHandler.doSimpleBind(3, ByteString.valueOf("cn=Directory Manager"),
4134N/A ByteString.valueOf("password"),
4134N/A new ArrayList<Control>(),
4134N/A new ArrayList<Control>());
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
239N/A assertNotNull(authzID);
239N/A
239N/A LDAPMessage unbindMessage = new LDAPMessage(nextMessageID.getAndIncrement(),
239N/A new UnbindRequestProtocolOp());
1924N/A writer.writeMessage(unbindMessage);
239N/A s.close();
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an unauthenticated
239N/A * LDAP connection.
239N/A *
239N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @Test()
239N/A public void testAsLDAPAnonymous()
239N/A throws Exception
239N/A {
1118N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
1924N/A LDAPReader reader = new LDAPReader(s);
1924N/A LDAPWriter writer = new LDAPWriter(s);
239N/A
239N/A AtomicInteger nextMessageID = new AtomicInteger(1);
239N/A LDAPAuthenticationHandler authHandler =
239N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
239N/A nextMessageID);
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
239N/A assertNull(authzID);
239N/A
239N/A LDAPMessage unbindMessage = new LDAPMessage(nextMessageID.getAndIncrement(),
239N/A new UnbindRequestProtocolOp());
1924N/A writer.writeMessage(unbindMessage);
239N/A s.close();
239N/A }
239N/A
239N/A
239N/A
239N/A /**
239N/A * Tests the use of the Who Am I? extended operation with an LDAP connection
239N/A * authenticated as a normal user.
239N/A *
239N/A * @throws Exception If an unexpected problem occurs.
239N/A */
239N/A @Test()
239N/A public void testAsLDAPNormalUser()
239N/A throws Exception
239N/A {
239N/A TestCaseUtils.initializeTestBackend(true);
239N/A
239N/A Entry e = TestCaseUtils.makeEntry(
239N/A "dn: uid=test.user,o=test",
239N/A "objectClass: top",
239N/A "objectClass: person",
239N/A "objectClass: organizationalPerson",
239N/A "objectClass: inetOrgPerson",
239N/A "uid: test.user",
239N/A "givenName: Test",
239N/A "sn: User",
239N/A "cn: Test User",
239N/A "userPassword: password");
239N/A
239N/A InternalClientConnection conn =
239N/A InternalClientConnection.getRootConnection();
239N/A AddOperation addOp = conn.processAdd(e.getDN(), e.getObjectClasses(),
239N/A e.getUserAttributes(),
239N/A e.getOperationalAttributes());
239N/A assertEquals(addOp.getResultCode(), ResultCode.SUCCESS);
239N/A
239N/A
1118N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
1924N/A LDAPReader reader = new LDAPReader(s);
1924N/A LDAPWriter writer = new LDAPWriter(s);
239N/A
239N/A AtomicInteger nextMessageID = new AtomicInteger(1);
239N/A LDAPAuthenticationHandler authHandler =
239N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
239N/A nextMessageID);
4134N/A authHandler.doSimpleBind(3, ByteString.valueOf("uid=test.user,o=test"),
4134N/A ByteString.valueOf("password"),
4134N/A new ArrayList<Control>(),
4134N/A new ArrayList<Control>());
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
239N/A assertNotNull(authzID);
239N/A
239N/A LDAPMessage unbindMessage = new LDAPMessage(nextMessageID.getAndIncrement(),
239N/A new UnbindRequestProtocolOp());
1924N/A writer.writeMessage(unbindMessage);
239N/A s.close();
239N/A }
2017N/A
2017N/A
2017N/A
2017N/A /**
2017N/A * Tests the use of the "Who Am I?" extended operation when used by a client
2017N/A * that has authenticated using a SASL mechanism and specified an alternate
2017N/A * authorization identity.
2017N/A *
2017N/A * @throws Exception If an unexpected problem occurs.
2017N/A */
2017N/A @Test()
2017N/A public void testWithAlternateSASLAuthzID()
2017N/A throws Exception
2017N/A {
2017N/A TestCaseUtils.initializeTestBackend(true);
2017N/A
2017N/A TestCaseUtils.addEntries(
2017N/A "dn: uid=test.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: test.user",
2017N/A "givenName: Test",
2017N/A "sn: User",
2017N/A "cn: Test User",
2017N/A "userPassword: password",
2017N/A "",
2017N/A "dn: uid=proxy.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: proxy.user",
2017N/A "givenName: Proxy",
2017N/A "sn: User",
2017N/A "cn: Proxy User",
2017N/A "userPassword: password",
2017N/A "ds-privilege-name: bypass-acl",
2017N/A "ds-privilege-name: proxied-auth");
2017N/A
2017N/A
2017N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
2017N/A LDAPReader reader = new LDAPReader(s);
2017N/A LDAPWriter writer = new LDAPWriter(s);
2017N/A
2017N/A
2017N/A // Bind as the proxy user with an alternate authorization identity, and use
2017N/A // the "Who Am I?" operation.
2017N/A AtomicInteger nextMessageID = new AtomicInteger(1);
2017N/A LDAPAuthenticationHandler authHandler =
2017N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
2017N/A nextMessageID);
2017N/A
2017N/A HashMap<String,List<String>> saslProperties =
2017N/A new HashMap<String,List<String>>(2);
2017N/A
2017N/A ArrayList<String> authIDList = new ArrayList<String>(1);
2017N/A authIDList.add("dn:uid=proxy.user,o=test");
2017N/A saslProperties.put("authID", authIDList);
2017N/A
2017N/A ArrayList<String> authzIDList = new ArrayList<String>(1);
2017N/A authzIDList.add("dn:uid=test.user,o=test");
2017N/A saslProperties.put("authzID", authzIDList);
2017N/A
4134N/A authHandler.doSASLPlain(ByteString.empty(),
4134N/A ByteString.valueOf("password"), saslProperties,
4134N/A new ArrayList<Control>(),
4134N/A new ArrayList<Control>());
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
2017N/A assertNotNull(authzID);
2017N/A assertEquals(authzID.toString(), "dn:uid=test.user,o=test");
2017N/A
2017N/A
2017N/A // Close the connection to the server.
2017N/A LDAPMessage unbindMessage = new LDAPMessage(nextMessageID.getAndIncrement(),
2017N/A new UnbindRequestProtocolOp());
2017N/A writer.writeMessage(unbindMessage);
2017N/A s.close();
2017N/A }
2017N/A
2017N/A
2017N/A
2017N/A /**
2017N/A * Tests the use of the Who Am I? extended operation in conjunction with the
2017N/A * proxied authorization control by an appropriately authorized user.
2017N/A *
2017N/A * @throws Exception If an unexpected problem occurs.
2017N/A */
2017N/A @Test()
2017N/A public void testWithAllowedProxiedAuthControl()
2017N/A throws Exception
2017N/A {
2017N/A TestCaseUtils.initializeTestBackend(true);
2017N/A
2017N/A TestCaseUtils.addEntries(
2017N/A "dn: uid=test.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: test.user",
2017N/A "givenName: Test",
2017N/A "sn: User",
2017N/A "cn: Test User",
2017N/A "userPassword: password",
2017N/A "",
2017N/A "dn: uid=proxy.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: proxy.user",
2017N/A "givenName: Proxy",
2017N/A "sn: User",
2017N/A "cn: Proxy User",
2017N/A "userPassword: password",
2017N/A "ds-privilege-name: bypass-acl",
2017N/A "ds-privilege-name: proxied-auth");
2017N/A
2017N/A
2017N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
2017N/A LDAPReader reader = new LDAPReader(s);
2017N/A LDAPWriter writer = new LDAPWriter(s);
2017N/A
2017N/A
2017N/A // Bind as the proxy user and use the "Who Am I?" operation, but without the
2017N/A // proxied auth control.
2017N/A AtomicInteger nextMessageID = new AtomicInteger(1);
2017N/A LDAPAuthenticationHandler authHandler =
2017N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
2017N/A nextMessageID);
4134N/A authHandler.doSimpleBind(3, ByteString.valueOf("uid=proxy.user,o=test"),
4134N/A ByteString.valueOf("password"),
4134N/A new ArrayList<Control>(),
4134N/A new ArrayList<Control>());
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
2017N/A assertNotNull(authzID);
2017N/A assertEquals(authzID.toString(), "dn:uid=proxy.user,o=test");
2017N/A
2017N/A
2017N/A // Use the "Who Am I?" operation again, this time with the proxy control.
2017N/A ExtendedRequestProtocolOp extendedRequest =
2017N/A new ExtendedRequestProtocolOp(OID_WHO_AM_I_REQUEST);
4134N/A ArrayList<Control> requestControls = new ArrayList<Control>(1);
4134N/A requestControls.add(new ProxiedAuthV2Control(
4134N/A ByteString.valueOf("dn:uid=test.user,o=test")));
2017N/A LDAPMessage message = new LDAPMessage(nextMessageID.getAndIncrement(),
2017N/A extendedRequest, requestControls);
2017N/A writer.writeMessage(message);
2017N/A
2017N/A message = reader.readMessage();
2017N/A ExtendedResponseProtocolOp extendedResponse =
2017N/A message.getExtendedResponseProtocolOp();
2017N/A assertEquals(extendedResponse.getResultCode(), LDAPResultCode.SUCCESS);
2017N/A authzID = extendedResponse.getValue();
2017N/A assertNotNull(authzID);
2017N/A assertEquals(authzID.toString(), "dn:uid=test.user,o=test");
2017N/A
2017N/A
2017N/A // Close the connection to the server.
2017N/A message = new LDAPMessage(nextMessageID.getAndIncrement(),
2017N/A new UnbindRequestProtocolOp());
2017N/A writer.writeMessage(message);
2017N/A s.close();
2017N/A }
2017N/A
2017N/A
2017N/A
2017N/A /**
2017N/A * Tests the use of the Who Am I? extended operation in conjunction with the
2017N/A * proxied authorization control by a user who doesn't have the rights to use
2017N/A * that control.
2017N/A *
2017N/A * @throws Exception If an unexpected problem occurs.
2017N/A */
2017N/A @Test()
2017N/A public void testWithDisallowedProxiedAuthControl()
2017N/A throws Exception
2017N/A {
2017N/A TestCaseUtils.initializeTestBackend(true);
2017N/A
2017N/A TestCaseUtils.addEntries(
2017N/A "dn: uid=test.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: test.user",
2017N/A "givenName: Test",
2017N/A "sn: User",
2017N/A "cn: Test User",
2017N/A "userPassword: password",
2017N/A "",
2017N/A "dn: uid=cantproxy.user,o=test",
2017N/A "objectClass: top",
2017N/A "objectClass: person",
2017N/A "objectClass: organizationalPerson",
2017N/A "objectClass: inetOrgPerson",
2017N/A "uid: proxy.user",
2017N/A "givenName: Cantproxy",
2017N/A "sn: User",
2017N/A "cn: Cantproxy User",
2017N/A "userPassword: password",
2017N/A "ds-privilege-name: bypass-acl");
2017N/A
2017N/A
2017N/A Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort());
2017N/A LDAPReader reader = new LDAPReader(s);
2017N/A LDAPWriter writer = new LDAPWriter(s);
2017N/A
2017N/A
2017N/A // Bind as the proxy user and use the "Who Am I?" operation, but without the
2017N/A // proxied auth control.
2017N/A AtomicInteger nextMessageID = new AtomicInteger(1);
2017N/A LDAPAuthenticationHandler authHandler =
2017N/A new LDAPAuthenticationHandler(reader, writer, "localhost",
2017N/A nextMessageID);
2017N/A authHandler.doSimpleBind(3,
4134N/A ByteString.valueOf("uid=cantproxy.user,o=test"),
4134N/A ByteString.valueOf("password"),
4134N/A new ArrayList<Control>(),
4134N/A new ArrayList<Control>());
4134N/A ByteString authzID = authHandler.requestAuthorizationIdentity();
2017N/A assertNotNull(authzID);
2017N/A assertEquals(authzID.toString(), "dn:uid=cantproxy.user,o=test");
2017N/A
2017N/A
2017N/A // Use the "Who Am I?" operation again, this time with the proxy control.
2017N/A ExtendedRequestProtocolOp extendedRequest =
2017N/A new ExtendedRequestProtocolOp(OID_WHO_AM_I_REQUEST);
4134N/A ArrayList<Control> requestControls = new ArrayList<Control>(1);
4134N/A requestControls.add(new ProxiedAuthV2Control(
4134N/A ByteString.valueOf("dn:uid=test.user,o=test")));
2017N/A LDAPMessage message = new LDAPMessage(nextMessageID.getAndIncrement(),
2017N/A extendedRequest, requestControls);
2017N/A writer.writeMessage(message);
2017N/A
2017N/A message = reader.readMessage();
2017N/A ExtendedResponseProtocolOp extendedResponse =
2017N/A message.getExtendedResponseProtocolOp();
2017N/A assertEquals(extendedResponse.getResultCode(),
2017N/A LDAPResultCode.AUTHORIZATION_DENIED);
2017N/A assertNull(extendedResponse.getValue());
2017N/A
2017N/A
2017N/A // Close the connection to the server.
2017N/A message = new LDAPMessage(nextMessageID.getAndIncrement(),
2017N/A new UnbindRequestProtocolOp());
2017N/A writer.writeMessage(message);
2017N/A s.close();
2017N/A }
239N/A}
239N/A