TargetControlTestCase.java revision ea1068c292e9b341af6d6b563cd8988a96be20a9
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions Copyright 2012-2015 ForgeRock AS.
*/
/**
* Unit test to test the targetcontrol ACI keyword.
*/
@SuppressWarnings("javadoc")
public class TargetControlTestCase extends AciTestCase {
/**
 * Adds the test entries under {@code o=test} that the test methods in this
 * class operate on. Presumably the once-per-class setup hook — confirm its
 * annotation in the full file, since none is visible here.
 *
 * @throws Exception If the entries cannot be added.
 */
public void setupClass() throws Exception {
addEntries("o=test");
}
/**
 * Intentionally empty: presumably overrides the superclass hook so that the
 * entries added in {@link #setupClass()} persist across the test methods
 * instead of being wiped after each one — confirm against
 * {@code AciTestCase}. NOTE(review): if this does override a superclass
 * method it should carry {@code @Override}.
 *
 * @throws Exception Never thrown by this implementation.
 */
public void clearBackend() throws Exception {
}
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: john.doe",
"givenName: John",
"sn: Doe",
"cn: John Doe",
"mail: john.doe@example.com",
"userPassword: password",
};
/** Valid targetcontrol statements. Not the complete ACI. */
return new Object[][] {
{"1.3.6.1.4.1.42.2.27.8.5.1"},
{"2.16.840.1.113730.3.4.18"},
{"*"},
};
}
/** Invalid targetcontrol statements (malformed OIDs: an empty component, a non-numeric component, an embedded wildcard, a comma separator, and a bare "+"). Not the complete ACI. */
return new Object[][] {
{"1.3.6.1.4.1.42.2.27..8.5.1"},
{"2.16.840.1.113730.3.XXX.18"},
{"2.16.840.1.113730.*.4.18"},
{"2.16.840,1.113730.3.4.18"},
{"+"},
};
}
private static final
"(version 3.0;acl \"aclRights access\";" +
"allow (all) " +
"userdn=\"ldap:///self\";)";
private static final
"(version 3.0;acl \"aclRights access\";" +
"allow (search, read) " +
"userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";
/** Disallow all controls with wild-card. */
private static final
"(version 3.0; acl \"control\";" +
/** Allow all controls with wild-card. */
private static final
"(version 3.0; acl \"control\";" +
/**
* People branch can do any control but geteffectiverights assertion control.
*/
private static final
OID_GET_EFFECTIVE_RIGHTS + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
/** Admin branch can only do geteffectiverights control. */
private static final
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
/**
* Allow either reportauthzID or passwordpolicy controls. Used in the bind
* tests.
*/
private static final
OID_PASSWORD_POLICY_CONTROL + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
/**
* Allow either no-op or passwordpolicy controls. Used in the extop tests.
*/
private static final
OID_PASSWORD_POLICY_CONTROL + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
/** Allow all to extended op. */
private static final
"(extop=\"" + "*" + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
/**
* Only allow access to the password policy control. Used to test that the
* targetattr rule does not erroneously grant access to other controls.
*/
private static final
"(targetattr != \"userpassword\")" +
"(version 3.0; acl \"control\";" +
"allow(all) userdn=\"ldap:///" + "anyone" + "\";)";
/**
* Test valid targetcontrol statements.
*
* @param statement The targetcontrol statement to attempt to decode.
* @throws AciException If an unexpected result happens.
*/
}
/**
* Test invalid targetcontrol statements.
*
* @param statement The targetcontrol statement to attempt to decode.
* @throws Exception If an unexpected result happens.
*/
try {
} catch (AciException e) {
throw e;
} catch (Exception e) {
"Invalid targetcontrol <" + statement +
"> threw wrong exception type.");
throw e;
}
throw new RuntimeException(
"Invalid targetcontrol <" + statement +
"> did not throw an exception.");
}
/**
* Test that a targetattr rule allowing access does not also grant access
* to a disallowed control.
*
* @throws Exception If an unexpected result is returned.
*/
@Test
public void testTargetattrSideEffect() throws Exception {
// This should fail because this ACI only allows access to the
// password policy control: a permissive targetattr rule must not widen
// control access.
// NOTE(review): the request statements are not visible in this listing —
// verify the expected access-denied result against the full file.
}
/**
* Test access to extended op controls (no-op and userPasswordPolicy).
*
* @throws Exception If an unexpected result is returned.
*/
@Test
public void testExtendOpControls() throws Exception {
// This pwd change should return no-op since the no-op control is
// specified and it is allowed for the authorization dn.
// This pwd change should fail even though the no-op is specified,
// since the no-op control is not allowed for this authorization dn.
// NOTE(review): the two password-change statements are not visible in
// this listing — verify the expected result codes against the full file.
}
/**
* Test access to bind controls (reportAuthzID and usePasswordPolicy).
*
* @throws Exception If an unexpected result is returned.
*/
@Test
public void testBindControl() throws Exception {
// The bind operation control access is based on the bind DN so this
// should succeed since both pwd policy and authzID control are allowed on
// the ou=people, o=test suffix.
// NOTE(review): the call statements that these argument lists belong to
// are not visible in this listing — confirm the expected result codes
// against the full file.
false, 0);
true, 0);
// This should succeed since both controls are not allowed for the
// ou=admins, o=test suffix, but both are critical.
// NOTE(review): the reasoning above reads as contradictory (controls
// disallowed and critical, yet the operation is expected to succeed);
// confirm the intended bind-time control evaluation semantics and reword.
true, 0);
}
/**
* Test target from global ACI level. Two global ACIs are added, one allowing
* all controls except geteffectiverights to the ou=people, o=test
* suffix. The other ACI only allows the geteffectiverights control on
* the ou=admin, o=test suffix. The comments in the method explain which
* operations and controls are attempted.
*
* @throws Exception If an unexpected result happens.
*/
@Test
public void testGlobalTargets() throws Exception {
// Succeeds because the geteffectiverights control is not allowed on
// ou=people, o=test, but it is non-critical, so it is ignored rather
// than rejected.
// NOTE(review): the call statements that these argument lists belong to
// are not visible in this listing — confirm the expected result codes
// against the full file.
false, false, 0);
// OK because the geteffectiverights control is allowed on
// ou=admin, o=test.
false, false, 0);
// Test add to ou=people, o=test with assertion control,
// should get protocol error since this control is allowed but the value
// is junk (so the request passed access control and failed later).
// Test add to ou=admin, o=test with assertion control, and critical;
// should get access denied since this control is not allowed.
}
/**
* Test wildcard access. First test "targetcontrol != *"
* expression. Should all be access denied. Remove that ACI and add
* "targetcontrol = *" expression. Use assertion control with bad filter,
* all should return protocol error (modify, add, delete, modifyDN). Search
* with geteffectiverights should succeed.
*
* @throws Exception If an unexpected result happens.
*/
@Test
public void testWildCard() throws Exception {
// NOTE(review): the request statements are not visible in this listing —
// confirm the expected result codes against the full file.
0 /* disallowed but non-critical */);
// Search with geteffectiverights control.
// For the following operations the assertion control carries a bad filter
// on purpose: a protocol error shows the ACI check passed (presumably
// evaluated before the control value is parsed), whereas access denied
// would mean the wildcard rule did not grant the control.
// Attempt modify. Protocol error means we passed access control.
// Attempt add. Protocol error means we passed access control.
// Attempt delete. Protocol error means we passed access control.
// Attempt modify DN. Protocol error means we passed access control.
}
}