/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions copyright 2012 ForgeRock AS.
*/
/**
* Unit tests for the targetcontrol ACI keyword.
*/
addEntries("o=test");
}
}
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: john.doe",
"givenName: John",
"sn: Doe",
"cn: John Doe",
"mail: john.doe@example.com",
"userPassword: password",
};
//Valid targetcontrol statements. Not the complete ACI.
return new Object[][] {
{"1.3.6.1.4.1.42.2.27.8.5.1"},
{"2.16.840.1.113730.3.4.18"},
{"*"},
};
}
//Invalid targetcontrol statements. Not the complete ACI.
return new Object[][] {
{"1.3.6.1.4.1.42.2.27..8.5.1"},
{"2.16.840.1.113730.3.XXX.18"},
{"2.16.840.1.113730.*.4.18"},
{"2.16.840,1.113730.3.4.18"},
{"+"},
};
}
private static final
"(version 3.0;acl \"aclRights access\";" +
"allow (all) " +
"userdn=\"ldap:///self\";)";
private static final
"(version 3.0;acl \"aclRights access\";" +
"allow (search, read) " +
"userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";
//Disallow all controls with wild-card.
private static final
"(version 3.0; acl \"control\";" +
//Allow all controls with wild-card.
private static final
"(version 3.0; acl \"control\";" +
//People branch can do any control but geteffectiverights assertion control.
private static final
OID_GET_EFFECTIVE_RIGHTS + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
//Admin branch can only do geteffectiverights control.
private static final
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
//Allow either reportauthzID or passwordpolicy controls. Used in the
//bind tests.
private static final
OID_PASSWORD_POLICY_CONTROL + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
//Allow either no-op or passwordpolicy controls. Used in the
//ext op tests.
private static final
OID_PASSWORD_POLICY_CONTROL + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
//Allow all to extended op.
private static final
"(extop=\"" + "*" + "\")" +
"(version 3.0; acl \"control\";" +
"allow(read) userdn=\"ldap:///" + "anyone" + "\";)";
//Only allow access to the password policy control. Used to verify that the
//targetattr rule does not erroneously grant access to other controls.
private static final
"(targetattr != \"userpassword\")" +
"(version 3.0; acl \"control\";" +
"allow(all) userdn=\"ldap:///" + "anyone" + "\";)";
/**
* Test valid targetcontrol statements.
*
* @param statement The targetcontrol statement to attempt to decode.
* @throws AciException If an unexpected result happens.
*/
}
/**
* Test invalid targetcontrol statements.
*
* @param statement The targetcontrol statement to attempt to decode.
* @throws Exception If an unexpected result happens.
*/
try {
} catch (AciException e) {
throw e;
} catch (Exception e) {
"Invalid targetcontrol <" + statement +
"> threw wrong exception type.");
throw e;
}
throw new RuntimeException(
"Invalid targetcontrol <" + statement +
"> did not throw an exception.");
}
/**
* Test access to disallowed control based on a targetattr rule allowing
* access.
*
* @throws Exception If an unexpected result is returned.
*/
@Test()
//This should fail because this ACI only allows access to the
//password policy control.
}
/**
* Test access to extended op controls (no-op and userPasswordPolicy).
*
* @throws Exception If an unexpected result is returned.
*/
@Test()
//This pwd change should return no-op since the no-op control is
//specified and it is allowed for authorization dn.
//This pwd change should fail even though the no-op is specified,
//since the no-op control is not allowed for this authorization dn.
}
/**
* Test access to bind controls (reportAuthzID and usePasswordPolicy).
*
* @throws Exception If an unexpected result is returned.
*/
@Test()
//The bind operation control access is based on the bind DN so this
//should succeed since both pwd policy and authzID control are allowed on
//ou=people, o=test suffix.
false, 0);
true, 0);
//This should succeed since both controls are not allowed for the
//ou=admins, o=test suffix, but both are critical.
true, 0);
}
/**
* Test target from global ACI level. Two global ACIs are added, one allowing
* all controls except geteffectiverights to the ou=people, o=test
* suffix. The other ACI only allows the geteffectiverights control on
* the ou=admin, o=test suffix. Comments in the method explain in more detail
* which operations and controls are attempted.
*
* @throws Exception If an unexpected result happens.
*/
@Test()
//Succeeds because geteffectiverights control is not allowed on
//ou=people, o=test, but it is non-critical.
false, false, 0);
//Ok because geteffectiverights control is allowed on
//ou=admin, o=test
false, false, 0);
//Test add to ou=people, o=test with assertion control,
//should get protocol error since this control is allowed but value is
//junk.
//Test add to ou=admin, o=test with assertion control, and critical
//should get access denied since this control is not allowed.
}
/**
* Test wildcard access. First test "targetcontrol != *"
* expression. Should all be access denied. Remove that ACI and add
* "targetcontrol = *" expression. Use assertion control with bad filter,
* all should return protocol error (modify, add, delete, modifyDN). Search
* with geteffectiverights should succeed.
*
* @throws Exception If an unexpected result happens.
*/
@Test()
0 /* disallowed but non-critical */);
//Search with geteffectiverights control.
//Attempt modify. Protocol error means we passed access control.
//Attempt add. Protocol error means we passed access control.
//Attempt delete. Protocol error means we passed access control.
//Attempt modify DN. Protocol error means we passed access control.
}
}