/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 * Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 * Copyright 2008-2010 Sun Microsystems, Inc.
 * Portions Copyright 2011-2015 ForgeRock AS
 */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpackage org.opends.server.protocols.jmx;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport java.io.BufferedWriter;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport java.io.File;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport java.io.FileWriter;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport java.util.ArrayList;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport java.util.HashMap;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.forgerock.i18n.LocalizableMessage;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.forgerock.opendj.ldap.ByteString;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.forgerock.opendj.ldap.ModificationType;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.forgerock.opendj.ldap.ResultCode;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.forgerock.opendj.ldap.SearchScope;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.TestCaseUtils;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.backends.task.Task;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.backends.task.TaskBackend;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.backends.task.TaskState;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.controls.ProxiedAuthV1Control;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.controls.ProxiedAuthV2Control;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.AddOperationBasis;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.CompareOperationBasis;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.DeleteOperation;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.DeleteOperationBasis;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.DirectoryServer;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.ModifyDNOperationBasis;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.ModifyOperation;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.ModifyOperationBasis;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.core.SchemaConfigManager;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.protocols.internal.InternalClientConnection;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.protocols.internal.InternalSearchOperation;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.protocols.internal.SearchRequest;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.opends.server.types.*;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.testng.annotations.AfterClass;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.testng.annotations.BeforeClass;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.testng.annotations.DataProvider;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport org.testng.annotations.Test;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport static org.opends.messages.ProtocolMessages.*;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport static org.opends.server.protocols.internal.InternalClientConnection.*;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport static org.opends.server.protocols.internal.Requests.*;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterimport static org.testng.Assert.*;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster/**
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * This class provides a set of test cases for the Directory Server JMX
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster * privilege subsystem.
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpublic class JmxPrivilegeTestCase extends JmxTestCase
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster{
  /**
   * Per-connection expectation flags, parallel to {@link #connections}: slot
   * {@code i} says whether operations issued through {@code connections[i]}
   * are expected to succeed.
   * <p>
   * Note that the values populated in {@link #setUp()} line up with which
   * account holds the {@code jmx-read} privilege, not {@code config-read}:
   * "Proxy Root" (jmx-read/jmx-write but no config-read) is marked as
   * expected to succeed, while "Unprivileged Root" (config-read, but
   * jmx-read/jmx-write explicitly removed) is marked as expected to fail.
   */
  private boolean[] successful;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
  /**
   * The JMX client connections used to perform the test operations, one per
   * identity built in {@link #setUp()}: anonymous, "Unprivileged Root",
   * "Proxy Root", "Unprivileged User" and "Privileged User", in that order.
   * Each entry is released (and nulled) by {@link #cleanUp()}.
   */
  private JmxClientConnection[] connections;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
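  /**
   * Makes sure the server is running and installs the fixtures the JMX
   * privilege tests rely on: three root DN accounts under cn=Root DNs (one
   * with its JMX privileges removed, one with no privileges listed at all,
   * and one that may proxy), a privileged and an unprivileged user under
   * o=test, a password-reset target, proxy ACIs on o=test, the
   * {@link #connections}/{@link #successful} arrays, and two entries in the
   * unindexed backend.
   *
   * @throws Exception If an unexpected problem occurs.
   */
  @BeforeClass(alwaysRun = true)
  @Override
  public void setUp() throws Exception
  {
    super.setUp();

    TestCaseUtils.enableBackend("unindexedRoot");
    TestCaseUtils.initializeTestBackend(true);
    TestCaseUtils.addEntries(
      // Root DN that keeps the ordinary administrative privileges but has
      // jmx-read/jmx-write taken away (a leading '-' removes a privilege the
      // account would otherwise hold; presumably the root DN defaults, so
      // confirm against the root DN privilege configuration).
      "dn: cn=Unprivileged Root,cn=Root DNs,cn=config",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "objectClass: ds-cfg-root-dn-user",
      "cn: Unprivileged Root",
      "givenName: Unprivileged",
      "sn: Root",
      "uid: unprivileged.root",
      "userPassword: password",
      "ds-privilege-name: config-read",
      "ds-privilege-name: config-write",
      "ds-privilege-name: password-reset",
      "ds-privilege-name: update-schema",
      "ds-privilege-name: ldif-import",
      "ds-privilege-name: ldif-export",
      "ds-privilege-name: backend-backup",
      "ds-privilege-name: backend-restore",
      "ds-privilege-name: unindexed-search",
      "ds-privilege-name: -jmx-read",
      "ds-privilege-name: -jmx-write",
      "",
      // Root DN with no privileges listed; used by simpleConnectJmxPrivilege
      // to check that a JMX connection without jmx-read is refused. The cn
      // and uid now match the RDN instead of duplicating the values of the
      // "Unprivileged Root" entry above.
      "dn: cn=Unprivileged JMX Root,cn=Root DNs,cn=config",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "objectClass: ds-cfg-root-dn-user",
      "cn: Unprivileged JMX Root",
      "givenName: Unprivileged",
      "sn: Root",
      "uid: unprivileged.jmx.root",
      "userPassword: password",
      "",
      // Root DN that may proxy and holds both JMX privileges, but no
      // config-read.
      "dn: cn=Proxy Root,cn=Root DNs,cn=config",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "objectClass: ds-cfg-root-dn-user",
      "cn: Proxy Root",
      "givenName: Proxy",
      "sn: Root",
      "uid: proxy.root",
      "userPassword: password",
      "ds-privilege-name: proxied-auth",
      "ds-privilege-name: jmx-read",
      "ds-privilege-name: jmx-write",
      "",
      "",
      // Regular user granted every privilege exercised by the tests. Both
      // o=test users are assigned a password policy whose name indicates
      // userPassword is stored in the clear: a test-only fixture, not a
      // configuration to copy.
      "dn: cn=Privileged User,o=test",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: Privileged User",
      "givenName: Privileged",
      "sn: User",
      "uid: privileged.user",
      "userPassword: password",
      "ds-privilege-name: config-read",
      "ds-privilege-name: config-write",
      "ds-privilege-name: password-reset",
      "ds-privilege-name: update-schema",
      "ds-privilege-name: ldif-import",
      "ds-privilege-name: ldif-export",
      "ds-privilege-name: backend-backup",
      "ds-privilege-name: backend-restore",
      "ds-privilege-name: proxied-auth",
      "ds-privilege-name: bypass-acl",
      "ds-privilege-name: unindexed-search",
      "ds-privilege-name: jmx-read",
      "ds-privilege-name: jmx-write",
      "ds-privilege-name: subentry-write",
      "ds-pwp-password-policy-dn: cn=Clear UserPassword Policy," +
           "cn=Password Policies,cn=config",
      "",
      // Regular user holding only bypass-acl: no JMX privilege, so its
      // connection is expected to be refused.
      "dn: cn=Unprivileged User,o=test",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: Unprivileged User",
      "givenName: Unprivileged",
      "sn: User",
      "uid: unprivileged.user",
      "ds-privilege-name: bypass-acl",
      "userPassword: password",
      "ds-pwp-password-policy-dn: cn=Clear UserPassword Policy," +
           "cn=Password Policies,cn=config",
      "",
      // Target account for the password-reset cases.
      "dn: cn=PWReset Target,o=test",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: PWReset Target",
      "givenName: PWReset",
      "sn: Target",
      "uid: pwreset.target",
      "userPassword: password");

    // ACIs on o=test: the three proxying identities get the proxy right over
    // the subtree, and PWReset Target gets (all) on every attribute there.
    // Deliberately permissive test wiring; nothing here is a production ACI.
    TestCaseUtils.applyModifications(false,
      "dn: o=test",
      "changetype: modify",
      "add: aci",
      "aci: (version 3.0; acl \"Proxy Root\"; allow (proxy) " +
           "userdn=\"ldap:///cn=Proxy Root,cn=Root DNs,cn=config\";)",
      "aci: (version 3.0; acl \"Unprivileged Root\"; allow (proxy) " +
           "userdn=\"ldap:///cn=Unprivileged Root,cn=Root DNs,cn=config\";)",
      "aci: (version 3.0; acl \"Privileged User\"; allow (proxy) " +
           "userdn=\"ldap:///cn=Privileged User,o=test\";)",
      "aci: (targetattr=\"*\")(version 3.0; acl \"PWReset Target\"; " +
           "allow (all) userdn=\"ldap:///cn=PWReset Target,o=test\";)");


    // Build the array of connections we will use to perform the tests. The
    // expectation flag tracks the jmx-read privilege: only "Proxy Root" and
    // "Privileged User" hold it.
    JmxConnectionHandler jmxCtx = getJmxConnectionHandler();
    ArrayList<JmxClientConnection> connList =
         new ArrayList<JmxClientConnection>();
    ArrayList<Boolean> successList = new ArrayList<Boolean>();

    // Anonymous connection: no identity, no privileges.
    connList.add(new JmxClientConnection(jmxCtx, new AuthenticationInfo()));
    successList.add(false);

    addUserConnection(jmxCtx, connList, successList,
        "cn=Unprivileged Root,cn=Root DNs,cn=config", true, false);
    addUserConnection(jmxCtx, connList, successList,
        "cn=Proxy Root,cn=Root DNs,cn=config", true, true);
    addUserConnection(jmxCtx, connList, successList,
        "cn=Unprivileged User,o=test", false, false);
    addUserConnection(jmxCtx, connList, successList,
        "cn=Privileged User,o=test", false, true);

    connections = connList.toArray(new JmxClientConnection[connList.size()]);
    successful = new boolean[connections.length];
    for (int i = 0; i < successful.length; i++)
    {
      successful[i] = successList.get(i);
    }

    // Two entries in the unindexed backend for the unindexed-search cases.
    TestCaseUtils.addEntries(
      "dn: dc=unindexed,dc=jeb",
      "objectClass: top",
      "objectClass: domain",
      "",
      "dn: cn=test1 user,dc=unindexed,dc=jeb",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: test1 user",
      "givenName: user",
      "sn: test1",
      "",
      "dn: cn=test2 user,dc=unindexed,dc=jeb",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: test2 user",
      "givenName: user",
      "sn: test2"
    );
  }



  /**
   * Looks up the fixture entry for {@code userDN}, opens a JMX client
   * connection authenticated as that entry and records the expected outcome.
   *
   * @param jmxCtx        The JMX connection handler the connection belongs to.
   * @param connList      Receives the new connection.
   * @param successList   Receives {@code expectSuccess}, in the same slot.
   * @param userDN        DN of an entry added earlier in {@link #setUp()}.
   * @param isRoot        Passed as the second argument of
   *                      {@link AuthenticationInfo}; {@code true} for the
   *                      cn=Root DNs accounts, {@code false} for o=test users.
   * @param expectSuccess Whether operations on this connection should succeed.
   * @throws Exception If the entry cannot be retrieved.
   */
  private static void addUserConnection(JmxConnectionHandler jmxCtx,
      ArrayList<JmxClientConnection> connList, ArrayList<Boolean> successList,
      String userDN, boolean isRoot, boolean expectSuccess) throws Exception
  {
    Entry userEntry = DirectoryServer.getEntry(DN.valueOf(userDN));
    // Fail here with the DN rather than later with an opaque NPE if the
    // fixture add silently did not produce the entry.
    assertNotNull(userEntry, "Fixture entry " + userDN + " was not found");
    AuthenticationInfo authInfo = new AuthenticationInfo(userEntry, isRoot);
    connList.add(new JmxClientConnection(jmxCtx, authInfo));
    successList.add(expectSuccess);
  }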
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
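  /**
   * Removes the fixture entries created by {@link #setUp()}, releases the
   * JMX client connections and disables the unindexed backend again.
   * <p>
   * The deletes are wrapped in try/finally so that one failed delete (which
   * is asserted, with the offending DN in the message) does not leave the
   * connections open or the {@code unindexedRoot} backend enabled for the
   * test classes that run afterwards.
   *
   * @throws Exception If an unexpected problem occurs.
   */
  @AfterClass
  public void cleanUp()
         throws Exception
  {
    // Children before parents: the two users under dc=unindexed,dc=jeb must
    // go before the domain entry itself. DN matching is case-insensitive, so
    // "cn=Unprivileged User" is spelled exactly as in setUp() for clarity.
    final String[] fixtureDNs =
    {
      "cn=Unprivileged Root,cn=Root DNs,cn=config",
      "cn=Unprivileged JMX Root,cn=Root DNs,cn=config",
      "cn=Proxy Root,cn=Root DNs,cn=config",
      "cn=Privileged User,o=test",
      "cn=Unprivileged User,o=test",
      "cn=PWReset Target,o=test",
      "cn=test1 user,dc=unindexed,dc=jeb",
      "cn=test2 user,dc=unindexed,dc=jeb",
      "dc=unindexed,dc=jeb"
    };

    try
    {
      InternalClientConnection conn =
           InternalClientConnection.getRootConnection();
      for (String dn : fixtureDNs)
      {
        DeleteOperation deleteOperation = conn.processDelete(DN.valueOf(dn));
        assertEquals(deleteOperation.getResultCode(), ResultCode.SUCCESS,
            "Failed to delete fixture entry " + dn);
      }
    }
    finally
    {
      // Release the connections even if a delete above failed. The explicit
      // finalize() call is kept from the original; JmxClientConnection's
      // override presumably tears the connection down (a dedicated
      // disconnect method would be clearer if one exists).
      if (connections != null)
      {
        for (int i = 0; i < connections.length; i++)
        {
          if (connections[i] != null)
          {
            connections[i].finalize();
            connections[i] = null;
          }
        }
      }
      TestCaseUtils.disableBackend("unindexedRoot");
    }
  }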
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
  /**
   * Supplies the {@code testdata} rows: one row per entry of
   * {@link #connections}, paired with the matching flag from
   * {@link #successful}. Each row holds:
   * <OL>
   *   <LI>A client connection to use to perform the operation</LI>
   *   <LI>A flag indicating whether or not the operation should succeed</LI>
   * </OL>
   *
   * @return A set of data that can be used for performing the tests.
   */
  @DataProvider(name = "testdata")
  public Object[][] getTestData()
  {
    final int rowCount = connections.length;
    Object[][] rows = new Object[rowCount][];
    for (int row = 0; row < rowCount; row++)
    {
      // The boolean is autoboxed into the Object slot, as before.
      rows[row] = new Object[] { connections[row], successful[row] };
    }
    return rows;
  }
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
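/**
 * Checks that a plain connection to the JMX service is accepted only while
 * the authenticating user holds the JMX_READ privilege.
 *
 * The test connects three times as "cn=Unprivileged JMX Root,cn=Root
 * DNs,cn=config": first without the privilege (must be refused with the
 * insufficient-privileges message), then after "jmx-read" has been added to
 * ds-privilege-name (must succeed), then after it has been removed again
 * (must be refused again). The privilege is revoked in a finally block so a
 * failing assertion cannot leave the user with JMX_READ for later tests.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(enabled = true)
public void simpleConnectJmxPrivilege() throws Exception
{
  int jmxPort = TestCaseUtils.getServerJmxPort();
  String user = "cn=Unprivileged JMX Root,cn=Root DNs,cn=config";
  String password = "password";

  HashMap<String, Object> env = new HashMap<String, Object>();
  env.put("jmx.remote.credentials", new String[] { user, password });
  // A check period of 0 turns off the JMX client's periodic connection
  // checker, which would otherwise run in the background during the test.
  env.put("jmx.remote.x.client.connection.check.period", 0);

  // Without JMX_READ the connection must be refused.
  assertJmxConnectionRejected(jmxPort, env, user);

  InternalClientConnection rootConnection = getRootConnection();
  DN userDN = DN.valueOf(user);

  // Grant JMX_READ; whatever happens next, take it away again afterwards.
  setJmxReadPrivilege(rootConnection, userDN, ModificationType.ADD);
  try
  {
    // With JMX_READ the connection must be accepted.
    assertJmxConnectionAccepted(jmxPort, env, user);
  }
  finally
  {
    setJmxReadPrivilege(rootConnection, userDN, ModificationType.DELETE);
  }

  // Once the privilege is gone the connection must be refused again.
  assertJmxConnectionRejected(jmxPort, env, user);
}

/**
 * Opens a JMX connection to the local server with the given environment and
 * closes it straight away.
 *
 * @param jmxPort The port of the server's JMX connection handler.
 * @param env The connector environment carrying the credentials.
 *
 * @throws SecurityException If the server refuses the connection.
 * @throws Exception If an unexpected problem occurs.
 */
private static void connectAndClose(int jmxPort, HashMap<String, Object> env)
    throws Exception
{
  OpendsJmxConnector connector = new OpendsJmxConnector("localhost", jmxPort, env);
  connector.connect();
  connector.close();
}

/**
 * Asserts that a JMX connection as the given user is refused with the
 * insufficient-privileges error message.
 *
 * @param jmxPort The port of the server's JMX connection handler.
 * @param env The connector environment carrying the credentials.
 * @param user The DN of the authenticating user, for the failure message.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private static void assertJmxConnectionRejected(int jmxPort,
    HashMap<String, Object> env, String user) throws Exception
{
  try
  {
    connectAndClose(jmxPort, env);
    fail("User \"" + user + "\" doesn't have JMX_READ privilege but he's able " +
        "to connect, which is not the correct behavior");
  }
  catch (SecurityException e)
  {
    // The refusal must be the privilege check, not some other security
    // failure that would also surface as a SecurityException.
    LocalizableMessage message = ERR_JMX_INSUFFICIENT_PRIVILEGES.get();
    assertEquals(e.getMessage(), message.toString());
  }
}

/**
 * Asserts that a JMX connection as the given user is accepted.
 *
 * @param jmxPort The port of the server's JMX connection handler.
 * @param env The connector environment carrying the credentials.
 * @param user The DN of the authenticating user, for the failure message.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private static void assertJmxConnectionAccepted(int jmxPort,
    HashMap<String, Object> env, String user) throws Exception
{
  try
  {
    connectAndClose(jmxPort, env);
  }
  catch (SecurityException e)
  {
    // Keep the server's exception as the cause so the refusal reason is
    // visible in the test report.
    fail("User \"" + user + "\" has JMX_READ privilege and he's NOT able " +
        "to connect, which is NOT the correct behavior.", e);
  }
}

/**
 * Adds or removes the "jmx-read" value of ds-privilege-name on a user entry
 * and asserts that the modification succeeded.
 *
 * @param rootConnection The root connection used to apply the change.
 * @param userDN The DN of the user entry to modify.
 * @param type Either ModificationType.ADD or ModificationType.DELETE.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private static void setJmxReadPrivilege(InternalClientConnection rootConnection,
    DN userDN, ModificationType type) throws Exception
{
  ArrayList<Modification> mods = new ArrayList<Modification>();
  mods.add(new Modification(type, Attributes.create("ds-privilege-name", "jmx-read")));
  ModifyOperation modifyOperation = rootConnection.processModify(userDN, mods);
  assertEquals(modifyOperation.getResultCode(), ResultCode.SUCCESS);
}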
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
/**
 * Tests that a base-object search of {@code cn=config} is allowed exactly
 * when the connection's user holds the JMX_READ privilege.
 *
 * @param conn The client connection used to issue the search.
 * @param hasPrivilege Whether the user is expected to hold JMX_READ, and
 * therefore whether the search is expected to succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testConfigReadSearch(JmxClientConnection conn, boolean hasPrivilege)
    throws Exception
{
  // The data provider's expectation must agree with what the connection
  // itself reports before the result code means anything.
  assertEquals(conn.hasPrivilege(Privilege.JMX_READ, null), hasPrivilege);

  ResultCode expectedCode = hasPrivilege
      ? ResultCode.SUCCESS
      : ResultCode.INSUFFICIENT_ACCESS_RIGHTS;

  SearchRequest configSearch =
      newSearchRequest(DN.valueOf("cn=config"), SearchScope.BASE_OBJECT);
  InternalSearchOperation result = conn.processSearch(configSearch);
  assertEquals(result.getResultCode(), expectedCode);
}
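/**
 * Tests to ensure that attempts to update the schema with an add schema file
 * task will properly respect the UPDATE_SCHEMA privilege.
 *
 * NOTE(review): as written, this method checks the JMX_WRITE privilege flag
 * and writes a schema file named after the authenticated user into the
 * server's schema directory; it does not schedule a task or assert on its
 * outcome, and it does not remove the file afterwards.
 *
 * @param conn The client connection to use to perform the schema
 * update.
 * @param hasPrivilege Indicates whether the authenticated user is expected
 * to have the UPDATE_SCHEMA privilege and therefore
 * the schema update should succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testUpdateSchemaAddSchemaFile(JmxClientConnection conn,
    boolean hasPrivilege) throws Exception
{
  assertEquals(conn.hasPrivilege(Privilege.JMX_WRITE, null), hasPrivilege);

  String schemaDirectory = SchemaConfigManager.getSchemaDirectoryPath();
  String identifier =
      schemaFileIdentifier(conn.getAuthenticationInfo().getAuthenticationEntry());

  // Locale.ROOT keeps the OID stable regardless of the JVM's default locale.
  String[] fileLines =
  {
    "dn: cn=schema",
    "objectClass: top",
    "objectClass: ldapSubentry",
    "objectClass: subschema",
    "attributeTypes: ( " + identifier.toLowerCase(java.util.Locale.ROOT) + "-oid " +
        "NAME '" + identifier + "' )"
  };

  File validFile = new File(schemaDirectory, "05-" + identifier + ".ldif");
  // FileWriter encodes with the platform default charset; that only matters
  // if the authenticated DN contains non-ASCII characters.
  BufferedWriter writer = new BufferedWriter(new FileWriter(validFile));
  try
  {
    for (String line : fileLines)
    {
      writer.write(line);
      writer.newLine();
    }
  }
  finally
  {
    // Close even when a write fails so the file handle is not leaked.
    writer.close();
  }
}

/**
 * Derives a file-name-safe identifier from an authentication entry.
 *
 * @param authNEntry The authentication entry of the connection, possibly
 * {@code null}.
 *
 * @return The literal string "null" when there is no entry, otherwise the
 * entry's DN with commas, spaces and '=' replaced by '-'.
 */
private static String schemaFileIdentifier(Entry authNEntry)
{
  if (authNEntry == null)
  {
    return "null";
  }
  // These characters would otherwise end up both in the file name and in
  // the attribute type NAME written into the file.
  return authNEntry.getName().toString()
      .replace(',', '-')
      .replace(' ', '-')
      .replace('=', '-');
}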
/**
 * Tests that add, modify, modify DN and delete requests carrying the proxied
 * auth v1 control are accepted only when the connection's user holds the
 * PROXIED_AUTH privilege.
 *
 * @param conn The client connection to use to perform the
 * operations.
 * @param hasPrivilege Indicates whether the authenticated user is expected
 * to have the PROXIED_AUTH privilege and therefore
 * the operations should succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testProxyAuthV1Write(JmxClientConnection conn, boolean hasPrivilege) throws Exception
{
  // Root users do not get proxy privileges by default, so the data
  // provider's flag cannot be trusted here; ask the connection instead.
  boolean hasProxyPrivilege = conn.hasPrivilege(Privilege.PROXIED_AUTH, null);
  ResultCode expected = hasProxyPrivilege
      ? ResultCode.SUCCESS
      : ResultCode.AUTHORIZATION_DENIED;

  Entry testEntry = TestCaseUtils.makeEntry(
      "dn: cn=ProxyV1 Test,o=test",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: ProxyV1 Test",
      "givenName: ProxyV1",
      "sn: Test");

  ArrayList<Control> controls = new ArrayList<Control>(1);
  controls.add(new ProxiedAuthV1Control(DN.valueOf("cn=PWReset Target,o=test")));

  // Add.
  AddOperationBasis addOp = new AddOperationBasis(conn, conn.nextOperationID(),
      conn.nextMessageID(), controls, testEntry.getName(),
      testEntry.getObjectClasses(), testEntry.getUserAttributes(),
      testEntry.getOperationalAttributes());
  addOp.run();
  assertEquals(addOp.getResultCode(), expected);
  if (!hasProxyPrivilege)
  {
    // The proxied add was refused, so create the entry as root for the
    // remaining steps.
    TestCaseUtils.addEntry(testEntry);
  }

  // Modify: replace the description.
  ArrayList<Modification> mods = new ArrayList<Modification>(1);
  mods.add(new Modification(ModificationType.REPLACE,
      Attributes.create("description", "foo")));
  ModifyOperationBasis modOp = new ModifyOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls,
      testEntry.getName(), mods);
  modOp.run();
  assertEquals(modOp.getResultCode(), expected);

  // Modify DN: rename the entry.
  ModifyDNOperationBasis modDnOp = new ModifyDNOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls,
      testEntry.getName(), RDN.decode("cn=Proxy V1 Test"), true, null);
  modDnOp.run();
  assertEquals(modDnOp.getResultCode(), expected);
  // Where the rename was refused the entry still lives under its old DN.
  DN currentDN = hasProxyPrivilege ? modDnOp.getNewDN() : testEntry.getName();

  // Delete.
  DeleteOperationBasis delOp = new DeleteOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls, currentDN);
  delOp.run();
  assertEquals(delOp.getResultCode(), expected);
  if (!hasProxyPrivilege)
  {
    // The proxied delete was refused; clean up as root.
    DeleteOperation rootDelete =
        InternalClientConnection.getRootConnection().processDelete(currentDN);
    assertEquals(rootDelete.getResultCode(), ResultCode.SUCCESS);
  }
}
/**
 * Tests that compare and search requests carrying the proxied auth v1
 * control are accepted only when the connection's user holds the
 * PROXIED_AUTH privilege.
 *
 * @param conn The client connection to use to perform the
 * operations.
 * @param hasPrivilege Indicates whether the authenticated user is expected
 * to have the PROXIED_AUTH privilege and therefore
 * the operations should succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testProxyAuthV1Read(JmxClientConnection conn, boolean hasPrivilege) throws Exception
{
  // Root users do not get proxy privileges by default, so the data
  // provider's flag cannot be trusted here; ask the connection instead.
  boolean hasProxyPrivilege = conn.hasPrivilege(Privilege.PROXIED_AUTH, null);

  DN targetDN = DN.valueOf("cn=PWReset Target,o=test");
  ArrayList<Control> controls = new ArrayList<Control>(1);
  controls.add(new ProxiedAuthV1Control(targetDN));

  // Compare cn against the PWReset Target user.
  CompareOperationBasis compareOp = new CompareOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls, targetDN,
      DirectoryServer.getAttributeType("cn", true),
      ByteString.valueOf("PWReset Target"));
  compareOp.run();
  assertEquals(compareOp.getResultCode(), hasProxyPrivilege
      ? ResultCode.COMPARE_TRUE
      : ResultCode.AUTHORIZATION_DENIED);

  // Base-object search of the PWReset Target user.
  SearchRequest request =
      newSearchRequest(targetDN, SearchScope.BASE_OBJECT).addControl(controls);
  InternalSearchOperation searchOp = new InternalSearchOperation(conn,
      conn.nextOperationID(), conn.nextMessageID(), request, null);
  searchOp.run();
  assertEquals(searchOp.getResultCode(), hasProxyPrivilege
      ? ResultCode.SUCCESS
      : ResultCode.AUTHORIZATION_DENIED);
}
/**
 * Tests that add, modify, modify DN and delete requests carrying the proxied
 * auth v2 control are accepted only when the connection's user holds the
 * PROXIED_AUTH privilege.
 *
 * @param conn The client connection to use to perform the
 * operations.
 * @param hasPrivilege Indicates whether the authenticated user is expected
 * to have the PROXIED_AUTH privilege and therefore
 * the operations should succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testProxyAuthV2Write(JmxClientConnection conn, boolean hasPrivilege) throws Exception
{
  // Root users do not get proxy privileges by default, so the data
  // provider's flag cannot be trusted here; ask the connection instead.
  boolean hasProxyPrivilege = conn.hasPrivilege(Privilege.PROXIED_AUTH, null);
  ResultCode expected = hasProxyPrivilege
      ? ResultCode.SUCCESS
      : ResultCode.AUTHORIZATION_DENIED;
  // Used in the assertion messages: a privileged user may not fail, an
  // unprivileged one may not succeed.
  String outcome = hasProxyPrivilege ? "failure" : "success";

  Entry testEntry = TestCaseUtils.makeEntry(
      "dn: cn=ProxyV2 Test,o=test",
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: ProxyV2 Test",
      "givenName: ProxyV2",
      "sn: Test");

  ArrayList<Control> controls = new ArrayList<Control>(1);
  controls.add(new ProxiedAuthV2Control(
      ByteString.valueOf("dn:cn=PWReset Target,o=test")));

  DN authDN = conn.getAuthenticationInfo().getAuthenticationDN();

  // Add.
  AddOperationBasis addOp = new AddOperationBasis(conn, conn.nextOperationID(),
      conn.nextMessageID(), controls, testEntry.getName(),
      testEntry.getObjectClasses(), testEntry.getUserAttributes(),
      testEntry.getOperationalAttributes());
  addOp.run();
  assertEquals(addOp.getResultCode(), expected,
      "Unexpected add " + outcome + " for user " + authDN);
  if (!hasProxyPrivilege)
  {
    // The proxied add was refused, so create the entry as root for the
    // remaining steps.
    TestCaseUtils.addEntry(testEntry);
  }

  // Modify: replace the description.
  ArrayList<Modification> mods = new ArrayList<Modification>(1);
  mods.add(new Modification(ModificationType.REPLACE,
      Attributes.create("description", "foo")));
  ModifyOperationBasis modOp = new ModifyOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls,
      testEntry.getName(), mods);
  modOp.run();
  assertEquals(modOp.getResultCode(), expected,
      "Unexpected mod " + outcome + " for user " + authDN);

  // Modify DN: rename the entry.
  ModifyDNOperationBasis modDnOp = new ModifyDNOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls,
      testEntry.getName(), RDN.decode("cn=Proxy V2 Test"), true, null);
  modDnOp.run();
  assertEquals(modDnOp.getResultCode(), expected,
      "Unexpected moddn " + outcome + " for user " + authDN);
  // Where the rename was refused the entry still lives under its old DN.
  DN currentDN = hasProxyPrivilege ? modDnOp.getNewDN() : testEntry.getName();

  // Delete.
  DeleteOperationBasis delOp = new DeleteOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls, currentDN);
  delOp.run();
  assertEquals(delOp.getResultCode(), expected,
      "Unexpected delete " + outcome + " for user " + authDN);
  if (!hasProxyPrivilege)
  {
    // The proxied delete was refused; clean up as root.
    DeleteOperation rootDelete =
        InternalClientConnection.getRootConnection().processDelete(currentDN);
    assertEquals(rootDelete.getResultCode(), ResultCode.SUCCESS);
  }
}
/**
 * Tests that compare and search requests carrying the proxied auth v2
 * control are accepted only when the connection's user holds the
 * PROXIED_AUTH privilege.
 *
 * @param conn The client connection to use to perform the
 * operations.
 * @param hasPrivilege Indicates whether the authenticated user is expected
 * to have the PROXIED_AUTH privilege and therefore
 * the operations should succeed.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test(dataProvider = "testdata")
public void testProxyAuthV2Read(JmxClientConnection conn, boolean hasPrivilege) throws Exception
{
  // Root users do not get proxy privileges by default, so the data
  // provider's flag cannot be trusted here; ask the connection instead.
  boolean hasProxyPrivilege = conn.hasPrivilege(Privilege.PROXIED_AUTH, null);

  DN targetDN = DN.valueOf("cn=PWReset Target,o=test");
  ArrayList<Control> controls = new ArrayList<Control>(1);
  // The v2 control carries the authorization identity as a "dn:" string.
  controls.add(new ProxiedAuthV2Control(ByteString.valueOf("dn:" + targetDN)));

  // Compare cn against the PWReset Target user.
  CompareOperationBasis compareOp = new CompareOperationBasis(conn,
      conn.nextOperationID(), conn.nextMessageID(), controls, targetDN,
      DirectoryServer.getAttributeType("cn", true),
      ByteString.valueOf("PWReset Target"));
  compareOp.run();
  assertEquals(compareOp.getResultCode(), hasProxyPrivilege
      ? ResultCode.COMPARE_TRUE
      : ResultCode.AUTHORIZATION_DENIED);

  // Base-object search of the PWReset Target user.
  SearchRequest request =
      newSearchRequest(targetDN, SearchScope.BASE_OBJECT).addControl(controls);
  InternalSearchOperation searchOp = new InternalSearchOperation(conn,
      conn.nextOperationID(), conn.nextMessageID(), request, null);
  searchOp.run();
  assertEquals(searchOp.getResultCode(), hasProxyPrivilege
      ? ResultCode.SUCCESS
      : ResultCode.AUTHORIZATION_DENIED);
}
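/**
 * Tests that a change to a user's ds-privilege-name values is reflected
 * immediately by an already-open JMX client connection for that user.
 *
 * The test user is created at the start and deleted in a finally block, so
 * a failing assertion cannot leave "cn=Test User,o=test" behind for later
 * tests.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test
public void testUpdateUserPrivileges() throws Exception
{
  InternalClientConnection rootConnection = getRootConnection();
  final String dnStr = "cn=Test User,o=test";
  final DN dn = DN.valueOf(dnStr);

  Entry testEntry = TestCaseUtils.addEntry(
      "dn: " + dnStr,
      "objectClass: top",
      "objectClass: person",
      "objectClass: organizationalPerson",
      "objectClass: inetOrgPerson",
      "cn: Test User",
      "givenName: Test",
      "sn: User",
      "userPassword: password");
  try
  {
    AuthenticationInfo authInfo = new AuthenticationInfo(testEntry, false);
    JmxConnectionHandler jmxCtx = getJmxConnectionHandler();
    JmxClientConnection testConnection = new JmxClientConnection(jmxCtx, authInfo);

    // A freshly created user must hold no privilege at all.
    for (Privilege p : Privilege.values())
    {
      assertFalse(testConnection.hasPrivilege(p, null),
          "new user unexpectedly holds privilege " + p);
    }

    // Grant JMX_READ and check that the existing connection sees it at once.
    ArrayList<Modification> mods = new ArrayList<Modification>();
    mods.add(new Modification(ModificationType.ADD,
        Attributes.create("ds-privilege-name", "jmx-read")));
    ModifyOperation modifyOperation = rootConnection.processModify(dn, mods);
    assertEquals(modifyOperation.getResultCode(), ResultCode.SUCCESS);
    assertTrue(testConnection.hasPrivilege(Privilege.JMX_READ, null));

    // Revoke it and check that the connection sees that immediately too.
    mods.clear();
    mods.add(new Modification(ModificationType.DELETE,
        Attributes.create("ds-privilege-name", "jmx-read")));
    modifyOperation = rootConnection.processModify(dn, mods);
    assertEquals(modifyOperation.getResultCode(), ResultCode.SUCCESS);
    assertFalse(testConnection.hasPrivilege(Privilege.JMX_READ, null));
  }
  finally
  {
    // Remove the test user even if an assertion above failed.
    DeleteOperation deleteOperation = rootConnection.processDelete(dn);
    assertEquals(deleteOperation.getResultCode(), ResultCode.SUCCESS);
  }
}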
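/**
 * Tests that a change to the default root privileges takes effect
 * immediately for root connections created after the change.
 *
 * The value "proxied-auth" is added to ds-cfg-default-root-privilege-name
 * on cn=Root DNs,cn=config and removed again in a finally block: if an
 * assertion failed while the value was present, every root user of this
 * server instance would otherwise keep PROXIED_AUTH for the rest of the
 * test run.
 *
 * @throws Exception If an unexpected problem occurs.
 */
@Test
public void testUpdateRootPrivileges() throws Exception
{
  DN unprivRootDN = DN.valueOf("cn=Unprivileged Root,cn=Root DNs,cn=config");
  JmxConnectionHandler jmxCtx = getJmxConnectionHandler();

  // A root connection must not start out with the proxied auth privilege.
  assertFalse(newRootJmxConnection(jmxCtx, unprivRootDN)
      .hasPrivilege(Privilege.PROXIED_AUTH, null));

  InternalClientConnection conn = getRootConnection();
  setDefaultRootProxiedAuth(conn, ModificationType.ADD);
  try
  {
    // A connection created after the change must see the new privilege.
    assertTrue(newRootJmxConnection(jmxCtx, unprivRootDN)
        .hasPrivilege(Privilege.PROXIED_AUTH, null));
  }
  finally
  {
    // Always revoke, so a failure above cannot leave root users with
    // PROXIED_AUTH.
    setDefaultRootProxiedAuth(conn, ModificationType.DELETE);
  }

  // A connection created after the revocation must no longer have it.
  assertFalse(newRootJmxConnection(jmxCtx, unprivRootDN)
      .hasPrivilege(Privilege.PROXIED_AUTH, null));
}

/**
 * Builds a new JMX client connection authenticated as the given root entry,
 * reading the entry from the server at call time so the connection reflects
 * the current configuration.
 *
 * @param jmxCtx The JMX connection handler the connection belongs to.
 * @param rootDN The DN of the root user entry.
 *
 * @return A new client connection for that root user.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private static JmxClientConnection newRootJmxConnection(
    JmxConnectionHandler jmxCtx, DN rootDN) throws Exception
{
  Entry rootEntry = DirectoryServer.getEntry(rootDN);
  AuthenticationInfo authInfo = new AuthenticationInfo(rootEntry, true);
  return new JmxClientConnection(jmxCtx, authInfo);
}

/**
 * Adds or removes the "proxied-auth" value of
 * ds-cfg-default-root-privilege-name on cn=Root DNs,cn=config and asserts
 * that the modification succeeded.
 *
 * @param conn The root connection used to apply the change.
 * @param type Either ModificationType.ADD or ModificationType.DELETE.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private static void setDefaultRootProxiedAuth(InternalClientConnection conn,
    ModificationType type) throws Exception
{
  ArrayList<Modification> mods = new ArrayList<Modification>();
  mods.add(new Modification(type,
      Attributes.create("ds-cfg-default-root-privilege-name", "proxied-auth")));
  ModifyOperation modifyOperation =
      conn.processModify(DN.valueOf("cn=Root DNs,cn=config"), mods);
  assertEquals(modifyOperation.getResultCode(), ResultCode.SUCCESS);
}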
/**
 * Retrieves the specified task from the task backend, waiting for it to be
 * scheduled and then for it to reach a done state before returning.
 *
 * Scheduling is awaited for up to 10 seconds and completion for up to a
 * further 20 seconds, polling every 10 ms; either timeout fails the test.
 *
 * @param taskEntryDN The DN of the entry for the task to retrieve.
 *
 * @return The requested task, in a done state.
 *
 * @throws Exception If an unexpected problem occurs.
 */
private Task getCompletedTask(DN taskEntryDN) throws Exception
{
  TaskBackend taskBackend =
      (TaskBackend) DirectoryServer.getBackend(DN.valueOf("cn=tasks"));

  // Wait for the task entry to show up in the backend.
  long scheduleDeadline = System.currentTimeMillis() + 10000L;
  Task task = taskBackend.getScheduledTask(taskEntryDN);
  while (task == null && System.currentTimeMillis() < scheduleDeadline)
  {
    Thread.sleep(10);
    task = taskBackend.getScheduledTask(taskEntryDN);
  }
  assertNotNull(task, "There is no such task " + taskEntryDN);

  // Wait for the task to finish running.
  long completionDeadline = System.currentTimeMillis() + 20000L;
  while (!TaskState.isDone(task.getTaskState())
      && System.currentTimeMillis() < completionDeadline)
  {
    Thread.sleep(10);
  }
  assertTrue(TaskState.isDone(task.getTaskState()),
      "Task " + taskEntryDN + " did not complete in a timely manner.");
  return task;
}
}