/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
/** This class provides a set of test cases for the Directory Server JMX privilege subsystem. */
{
/**
* An array of boolean values that indicates whether config read operations
* should be successful for users in the corresponding slots of the connections array.
*/
private boolean[] successful;
/** The set of client connections that should be used when performing operations. */
/**
* Make sure that the server is running and that an appropriate set of
* structures are in place.
*
* @throws Exception If an unexpected problem occurs.
*/
@BeforeClass(alwaysRun = true)
{
super.setUp();
"dn: cn=Unprivileged Root,cn=Root DNs,cn=config",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"objectClass: ds-cfg-root-dn-user",
"cn: Unprivileged Root",
"givenName: Unprivileged",
"sn: Root",
"uid: unprivileged.root",
"userPassword: password",
"ds-privilege-name: config-read",
"ds-privilege-name: config-write",
"ds-privilege-name: password-reset",
"ds-privilege-name: update-schema",
"ds-privilege-name: ldif-import",
"ds-privilege-name: ldif-export",
"ds-privilege-name: backend-backup",
"ds-privilege-name: backend-restore",
"ds-privilege-name: unindexed-search",
"ds-privilege-name: -jmx-read",
"ds-privilege-name: -jmx-write",
"",
"dn: cn=Unprivileged JMX Root,cn=Root DNs,cn=config",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"objectClass: ds-cfg-root-dn-user",
"cn: Unprivileged Root",
"givenName: Unprivileged",
"sn: Root",
"uid: unprivileged.root",
"userPassword: password",
"",
"dn: cn=Proxy Root,cn=Root DNs,cn=config",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"objectClass: ds-cfg-root-dn-user",
"cn: Proxy Root",
"givenName: Proxy",
"sn: Root",
"uid: proxy.root",
"userPassword: password",
"ds-privilege-name: proxied-auth",
"ds-privilege-name: jmx-read",
"ds-privilege-name: jmx-write",
"",
"",
"dn: cn=Privileged User,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: Privileged User",
"givenName: Privileged",
"sn: User",
"uid: privileged.user",
"userPassword: password",
"ds-privilege-name: config-read",
"ds-privilege-name: config-write",
"ds-privilege-name: password-reset",
"ds-privilege-name: update-schema",
"ds-privilege-name: ldif-import",
"ds-privilege-name: ldif-export",
"ds-privilege-name: backend-backup",
"ds-privilege-name: backend-restore",
"ds-privilege-name: proxied-auth",
"ds-privilege-name: bypass-acl",
"ds-privilege-name: unindexed-search",
"ds-privilege-name: jmx-read",
"ds-privilege-name: jmx-write",
"ds-privilege-name: subentry-write",
"ds-pwp-password-policy-dn: cn=Clear UserPassword Policy," +
"cn=Password Policies,cn=config",
"",
"dn: cn=Unprivileged User,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: Unprivileged User",
"givenName: Unprivileged",
"sn: User",
"uid: unprivileged.user",
"ds-privilege-name: bypass-acl",
"userPassword: password",
"ds-pwp-password-policy-dn: cn=Clear UserPassword Policy," +
"cn=Password Policies,cn=config",
"",
"dn: cn=PWReset Target,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: PWReset Target",
"givenName: PWReset",
"sn: Target",
"uid: pwreset.target",
"userPassword: password");
TestCaseUtils.applyModifications(false,
"dn: o=test",
"changetype: modify",
"add: aci",
"aci: (version 3.0; acl \"Proxy Root\"; allow (proxy) " +
"userdn=\"ldap:///cn=Proxy Root,cn=Root DNs,cn=config\";)",
"aci: (version 3.0; acl \"Unprivileged Root\"; allow (proxy) " +
"userdn=\"ldap:///cn=Unprivileged Root,cn=Root DNs,cn=config\";)",
"aci: (version 3.0; acl \"Privileged User\"; allow (proxy) " +
"userdn=\"ldap:///cn=Privileged User,o=test\";)",
"aci: (targetattr=\"*\")(version 3.0; acl \"PWReset Target\"; " +
"allow (all) userdn=\"ldap:///cn=PWReset Target,o=test\";)");
// Build the array of connections we will use to perform the tests.
successList.add(false);
successList.add(false);
successList.add(true);
successList.add(false);
successList.add(true);
{
}
"dn: dc=unindexed,dc=jeb",
"objectClass: top",
"objectClass: domain",
"",
"dn: cn=test1 user,dc=unindexed,dc=jeb",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: test1 user",
"givenName: user",
"sn: test1",
"",
"dn: cn=test2 user,dc=unindexed,dc=jeb",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: test2 user",
"givenName: user",
"sn: test2"
);
}
/**
 * Creates a JMX client connection bound to the user identified by {@code userDN}.
 *
 * NOTE(review): the method body is not preserved in this listing, so the contract
 * below is inferred from the signature only — confirm against the original source.
 *
 * @param jmxCtx  The JMX connection handler the new connection is associated with.
 * @param userDN  The string DN of the user the connection should be authenticated as.
 * @param isRoot  Whether {@code userDN} denotes a root DN user (presumably selects the
 *                root-DN lookup path — confirm).
 * @return A new {@code JmxClientConnection} for that user.
 * @throws DirectoryException If the connection cannot be created.
 */
private JmxClientConnection newJmxClientConnection(JmxConnectionHandler jmxCtx, String userDN, boolean isRoot)
throws DirectoryException
{
}
/**
* Cleans up anything that might be left around after running the tests in this class.
*
* @throws Exception If an unexpected problem occurs.
*/
{
"cn=Unprivileged Root,cn=Root DNs,cn=config",
"cn=Unprivileged JMX Root,cn=Root DNs,cn=config",
"cn=Proxy Root,cn=Root DNs,cn=config",
"cn=Privileged User,o=test",
"cn=UnPrivileged User,o=test",
"cn=PWReset Target,o=test",
"cn=test1 user,dc=unindexed,dc=jeb",
"cn=test2 user,dc=unindexed,dc=jeb",
"dc=unindexed,dc=jeb");
{
connections[i].finalize();
connections[i] = null;
}
}
{
{
}
}
/**
* Retrieves a set of data that can be used for performing the tests. The
* arguments generated for each method will be:
* <OL>
* <LI>A client connection to use to perform the operation</LI>
* <LI>A flag indicating whether or not the operation should succeed</LI>
* </OL>
*
* @return A set of data that can be used for performing the tests.
*/
{
{
}
return returnArray;
}
/**
* Check that simple connections to the JMX service are
* accepted only if the JMX_READ privilege is set.
* @throws Exception If an unexpected problem occurs.
*/
{
// Try connection without JMX_READ privilege
// Expected result: failed
try
{
opendsConnector.close() ;
fail("User \"cn=Unprivileged JMX Root,cn=Root "+
"DNs,cn=config\" doesn't have JMX_READ privilege but he's able " +
"to connect, which is not the correct behavior");
}
catch (SecurityException e)
{
}
// Add JMX_READ privilege
// Try connection with JMX_READ privilege
// Expected result: success
try
{
opendsConnector.close() ;
}
catch (SecurityException e)
{
fail("User \"cn=Unprivileged JMX Root,cn=Root " +
"DNs,cn=config\" has JMX_READ privilege and he's NOT able " +
"to connect, which is NOT the correct behavior.");
}
// remove JMX_READ privilege
// Try connection without JMX_READ privilege
// Expected result: failed
try
{
opendsConnector.close() ;
fail("User \"cn=Unprivileged JMX Root,cn=Root "+
"DNs,cn=config\" doesn't have JMX_READ privilege but he's able " +
"to connect, which is not the correct behavior");
}
catch (SecurityException e)
{
}
}
/**
* Tests to ensure that search operations in the server configuration properly
* respect the JMX_READ privilege.
*
* @param conn The client connection to use to perform the search
* operation.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the JMX_READ privilege and therefore the
* search should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
{
if (hasPrivilege)
{
}
else
{
}
}
/**
* Tests to ensure that attempts to update the schema with an add schema file
* task will properly respect the UPDATE_SCHEMA privilege.
*
* @param conn The client connection to use to perform the schema
* update.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the UPDATE_SCHEMA privilege and therefore
* the schema update should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
public void testUpdateSchemaAddSchemaFile(JmxClientConnection conn, boolean hasPrivilege) throws Exception
{
// NOTE(review): most of this method body is not preserved in this listing; only the
// fragments below survive, so the comments describe those fragments, not the full test.
if (authNEntry == null)
{
// No authenticated entry available (authNEntry is presumably the connection's
// authenticated user entry — confirm); fall back to a literal placeholder identifier.
identifier = "null";
}
else
{
}
{
// LDIF header lines of the cn=schema subschema subentry that the add-schema-file
// task targets; the schema definition lines that followed are not preserved here.
"dn: cn=schema",
"objectClass: top",
"objectClass: ldapSubentry",
"objectClass: subschema",
};
{
{
}
}
}
/**
* Tests to ensure that the use of the Directory Server will properly respect
* the PROXIED_AUTH privilege for add, delete, modify and modify DN requests
* that contain the proxied auth v1 control.
*
* @param conn The client connection to use to perform the
* operation.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the PROXIED_AUTH privilege and therefore
* the operation should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
{
// We can't trust the value of hasPrivilege because root users don't get
// proxy privileges by default. So make the determination based on the
// privileges the user actually has.
"dn: cn=ProxyV1 Test,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: ProxyV1 Test",
"givenName: ProxyV1",
"sn: Test");
// Try to add the entry. If this fails with the proxy control, then add it
// with a root connection so we can do other things with it.
if (!hasProxyPrivilege)
{
}
// Try to modify the entry to add a description.
mods);
// Try to rename the entry.
// Try to delete the entry. If this fails, then delete it with a root
// connection so it gets cleaned up.
if (!hasProxyPrivilege)
{
}
}
/**
* Tests to ensure that the use of the Directory Server will properly respect
* the PROXIED_AUTH privilege for search and compare requests that contain the
* proxied auth v1 control.
*
* @param conn The client connection to use to perform the
* operation.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the PROXIED_AUTH privilege and therefore
* the operation should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
{
// We can't trust the value of hasPrivilege because root users don't get
// proxy privileges by default. So make the determination based on the
// privileges the user actually has.
// Test a compare operation against the PWReset Target user.
// Test a search operation against the PWReset Target user.
}
/**
* Tests to ensure that the use of the Directory Server will properly respect
* the PROXIED_AUTH privilege for add, delete, modify and modify DN requests
* that contain the proxied auth v2 control.
*
* @param conn The client connection to use to perform the
* operation.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the PROXIED_AUTH privilege and therefore
* the operation should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
{
// We can't trust the value of hasPrivilege because root users don't get
// proxy privileges by default. So make the determination based on the
// privileges the user actually has.
"dn: cn=ProxyV2 Test,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: ProxyV2 Test",
"givenName: ProxyV2",
"sn: Test");
// Try to add the entry. If this fails with the proxy control, then add it
// with a root connection so we can do other things with it.
if (!hasProxyPrivilege)
{
}
// Try to modify the entry to add a description.
mods);
// Try to rename the entry.
// Try to delete the entry. If this fails, then delete it with a root
// connection so it gets cleaned up.
if (!hasProxyPrivilege)
{
}
}
/**
* Tests to ensure that the use of the Directory Server will properly respect
* the PROXIED_AUTH privilege for search and compare requests that contain the
* proxied auth v2 control.
*
* @param conn The client connection to use to perform the
* operation.
* @param hasPrivilege Indicates whether the authenticated user is expected
* to have the PROXIED_AUTH privilege and therefore
* the operation should succeed.
*
* @throws Exception If an unexpected problem occurs.
*/
{
// We can't trust the value of hasPrivilege because root users don't get
// proxy privileges by default. So make the determination based on the
// privileges the user actually has.
// Test a compare operation against the PWReset Target user.
// Test a search operation against the PWReset Target user.
}
{
if (hasProxyPrivilege)
{
}
else
{
}
}
{
if (hasProxyPrivilege)
{
}
else
{
}
}
{
if (hasProxyPrivilege)
{
}
else
{
}
}
/**
* Tests the ability to update the set of privileges for a user on the fly
* and have them take effect immediately.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test
{
"dn: " + dnStr,
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"cn: Test User",
"givenName: Test",
"sn: User",
"userPassword: password");
// Make sure the user starts out without any privileges.
{
}
// Modify the user entry to add the JMX_READ privilege and verify that
// the client connection reflects that.
// Take the privilege away from the user and verify that it is recognized immediately.
}
/**
* Tests the ability to update the set of root privileges and have them take
* effect immediately for new root connections.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test
{
// Make sure that a root connection doesn't have the proxied auth privilege.
// Update the set of root privileges to include proxied auth.
// Get a new root connection and verify that it now has proxied auth.
// Update the set of root privileges to revoke proxied auth.
}
{
}
/**
 * Builds the modification list used by the tests for a single attribute change.
 *
 * NOTE(review): the method body is not preserved in this listing; the contract below
 * is inferred from the signature only — confirm against the original source.
 *
 * @param modType   The modification type to apply to the attribute.
 * @param attrName  The name of the attribute to modify.
 * @param attrValue The attribute value carried by the modification.
 * @return A mutable list holding the constructed modification(s).
 */
private ArrayList<Modification> newModifications(ModificationType modType, String attrName, String attrValue)
{
}
{
}
/**
 * Creates a JMX client connection bound to the user whose entry DN is {@code entryDN}.
 *
 * NOTE(review): the method body is not preserved in this listing; the contract below
 * is inferred from the signature only — confirm against the original source. A
 * {@code String}-based overload with an {@code isRoot} flag exists earlier in the file.
 *
 * @param jmxCtx  The JMX connection handler the new connection is associated with.
 * @param entryDN The DN of the user entry the connection should be authenticated as.
 * @return A new {@code JmxClientConnection} for that user.
 * @throws DirectoryException If the connection cannot be created.
 */
private JmxClientConnection newJmxClientConnection(JmxConnectionHandler jmxCtx, DN entryDN) throws DirectoryException
{
}
}