GetEffectiveRightsTestCase.java revision 24d6db06810f2ea747f6dff60d483e4fca3aaa13
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 * Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 * Portions Copyright 2007 Sun Microsystems, Inc.
 */

0N/Apackage org.opends.server.authorization.dseecompat;
0N/A
0N/Aimport org.testng.annotations.BeforeClass;
0N/Aimport org.testng.annotations.Test;
0N/Aimport org.testng.annotations.BeforeMethod;
0N/Aimport org.testng.annotations.AfterClass;
0N/Aimport static org.opends.server.config.ConfigConstants.*;
0N/Aimport org.testng.Assert;
0N/Aimport org.opends.server.TestCaseUtils;
0N/Aimport static org.opends.server.util.ServerConstants.OID_GET_EFFECTIVE_RIGHTS;
0N/A
0N/Aimport java.util.HashMap;
0N/A
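/**
 * Unit tests for the Get Effective Rights control (OID_GET_EFFECTIVE_RIGHTS)
 * under the dseecompat ACI handler.
 *
 * Each test installs a small set of ACIs on {@code ou=People,o=test}, runs a
 * search that requests the {@code aclRights} operational attribute (either via
 * explicit authzid/attribute parameters or via the bare control OID) and
 * compares the returned entry-level or attribute-level rights string against
 * the expected value. The global ACIs are removed in {@link #setupClass()} so
 * that only the ACIs added by each test are in effect, and restored in
 * {@link #tearDown()}.
 */
public class GetEffectiveRightsTestCase extends AciTestCase {
  private static final String base="uid=user.3,ou=People,o=test";
  private static final String user1="uid=user.1,ou=People,o=test";
  private static final String superUser="uid=superuser,ou=admins,o=test";
  private static final String[] attrList={"pager", "fax"};
  private static final String[] memberAttrList={"member"};
  private static final String entryLevel = "aclRights;entryLevel";
  private static final String attributeLevel = "aclRights;attributeLevel;";

  //Various results for entryLevel searches.
  private static final
  String bypassRights = "add:1,delete:1,read:1,write:1,proxy:1";

  private static final
  String rRights = "add:0,delete:0,read:1,write:0,proxy:0";

  private static final
  String arRights = "add:1,delete:0,read:1,write:0,proxy:0";

  private static final
  String adrRights = "add:1,delete:1,read:1,write:0,proxy:0";

  private static final
  String adrwRights = "add:1,delete:1,read:1,write:1,proxy:0";

  private static final
  String allRights = "add:1,delete:1,read:1,write:1,proxy:1";

  //Results for attributeLevel searches
  private static final String srwMailAttrRights =
          "search:1,read:1,compare:0,write:1," +
          "selfwrite_add:0,selfwrite_delete:0,proxy:0";

  private static final String srDescrptionAttrRights =
          "search:1,read:1,compare:0,write:0," +
          "selfwrite_add:0,selfwrite_delete:0,proxy:0";

  //"write:?" is expected because the fax right is governed by a
  //targattrfilters ACI, whose outcome depends on the attribute value.
  private static final String srxFaxAttrRights =
          "search:1,read:1,compare:0,write:?," +
          "selfwrite_add:0,selfwrite_delete:0,proxy:0";

  private static final String srPagerAttrRights =
          "search:1,read:1,compare:0,write:0," +
          "selfwrite_add:0,selfwrite_delete:0,proxy:0";

  private static final String selfWriteAttrRights =
          "search:0,read:0,compare:0,write:0," +
          "selfwrite_add:1,selfwrite_delete:1,proxy:0";

  //ACI needed to allow anyone to use the Get Effective Rights control.
  private static final
  String controlACI = "(targetcontrol=\"" + OID_GET_EFFECTIVE_RIGHTS + "\")" +
          "(version 3.0; acl \"control\";" +
          "allow(read) userdn=\"ldap:///anyone\";)";

  //ACI needed to search/read the aclRights attribute.
  private static final
  String aclRightsAci = "(targetattr=\"aclRights\")" +
          "(version 3.0;acl \"aclRights access\";" +
          "allow (search, read) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  //General ACI superuser to search/read.
  private static final
  String readSearchAci = "(targetattr=\"*\")" +
          "(version 3.0;acl \"read/search access\";" +
          "allow (search, read) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  //General ACI for anonymous test.
  private static final
  String readSearchAnonAci = "(targetattr=\"*\")" +
          "(version 3.0;acl \"anonymous read/search access\";" +
          "allow (search, read) " +
          "userdn=\"ldap:///anyone\";)";

  //Test ACIs.
  private static final
  String addAci = "(version 3.0;acl \"add access\";" +
          "allow (add) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String delAci = "(version 3.0;acl \"delete access\";" +
          "allow (delete) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String writeAci = "(version 3.0;acl \"write access\";" +
          "allow (write) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String writeMailAci = "(targetattr=\"mail\")" +
          "(version 3.0;acl \"write mail access\";" +
          "allow (write) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String proxyAci = "(version 3.0;acl \"proxy access\";" +
          "allow (proxy) " +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String faxTargAttrAci =
          "(targattrfilters=\"add=fax:(fax=*), del=fax:(fax=*)\")" +
          "(version 3.0;acl \"allow write fax\";" +
          "allow (write)" +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String pagerTargAttrAci =
          "(targattrfilters=\"add=pager:(pager=*), del=pager:(pager=*)\")" +
          "(version 3.0;acl \"deny write pager\";" +
          "deny (write)" +
          "userdn=\"ldap:///uid=superuser,ou=admins,o=test\";)";

  private static final
  String selfWriteAci = "(targetattr=\"member\")" +
          "(version 3.0; acl \"selfwrite\"; allow(selfwrite)" + "" +
          "userdn=\"ldap:///uid=user.1,ou=People,o=test\";)";

  /**
   * Starts the server, strips the global ACIs so only test ACIs apply, and
   * loads the test entries under {@code o=test}.
   *
   * @throws Exception If the server cannot be started or the entries added.
   */
  @BeforeClass
  public void setupClass() throws Exception {
    TestCaseUtils.startServer();
    deleteAttrFromEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
    addEntries("o=test");
  }

  /**
   * Restores the default global ACIs removed in {@link #setupClass()}.
   * Runs even if a test failed so later test classes see the normal ACIs.
   *
   * @throws Exception If the global ACIs cannot be re-added.
   */
  @AfterClass(alwaysRun = true)
  public void tearDown() throws Exception {
    String aciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN,
            G_READ_ACI, G_SELF_MOD, G_SCHEMA, G_DSE, G_USER_OPS, G_CONTROL,
            E_EXTEND_OP);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
  }

  /**
   * Removes every aci value from {@code ou=People,o=test} so each test starts
   * from a clean ACI set.
   *
   * @throws Exception If the attribute cannot be deleted.
   */
  @BeforeMethod
  public void removeAcis() throws Exception {
    deleteAttrFromEntry("ou=People,o=test", "aci");
  }

  /**
   * Test entry level using the -g param and anonymous dn as the authzid.
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testAnonEntryLevelParams() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAnonAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    //"dn:" with no DN is the anonymous authzid.
    String userResults =
            LDAPSearchParams(DIR_MGR_DN, PWD, null, "dn:", null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, rRights);
  }

  /**
   * Test entry level using the -g param and superuser dn as the authzid.
   * ACIs granting add, delete, write and proxy are added one at a time and
   * the reported rights are expected to grow accordingly.
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testSuEntryLevelParams() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, rRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, arRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, adrRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, adrwRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, allRights);
  }

  /**
   * Test entry level using the control OID only (no authzid specified).
   * Should use the bound user (superuser) as the authzid.
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testSuEntryLevelCtrl() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, rRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", addAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, arRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", delAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, adrRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, adrwRights);

    aciLdif=makeAddLDIF("aci", "ou=People,o=test", proxyAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    userResults =
            LDAPSearchCtrl(superUser, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, allRights);
  }

  /**
   * Test entry level using the control OID only -- bound as a bypass user.
   * Should use the bound user (DIR_MGR) as the authzid, and report every
   * right as granted regardless of the ACIs present.
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testBypassEntryLevelCtrl() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchCtrl(DIR_MGR_DN, PWD, null, OID_GET_EFFECTIVE_RIGHTS,
                    base, filter, "aclRights");
    assertEntryLevel(userResults, bypassRights);
  }

  /**
   * Test attribute level using the -g param and superuser dn as the authzid.
   * The attributes used are mail and description. Mail should show write
   * access allowed, description should show write access not allowed.
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testSuAttrLevelParams() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, null,
                    base, filter, "aclRights mail description");
    Assert.assertFalse(userResults.equals(""), "empty search result");
    HashMap<String, String> attrMap=getAttrMap(userResults);
    checkAttributeLevel(attrMap, "mail", srwMailAttrRights);
    checkAttributeLevel(attrMap, "description", srDescrptionAttrRights);
  }

  /**
   * Test attribute level using the -g param and superuser dn as the authzid and
   * the -e option using pager and fax.
   * The attributes used are mail and description. Mail should show write
   * access allowed, description should show write access not allowed. Fax is
   * governed by a targattrfilters allow and should report write as undetermined
   * ("?"); pager is governed by a targattrfilters deny and should report write
   * as not allowed.
   *
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testSuAttrLevelParams2() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", writeMailAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", faxTargAttrAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", pagerTargAttrAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + superUser, attrList,
                    base, filter, "aclRights mail description");
    Assert.assertFalse(userResults.equals(""), "empty search result");
    HashMap<String, String> attrMap=getAttrMap(userResults);
    checkAttributeLevel(attrMap, "mail", srwMailAttrRights);
    checkAttributeLevel(attrMap, "description", srDescrptionAttrRights);
    checkAttributeLevel(attrMap, "fax", srxFaxAttrRights);
    checkAttributeLevel(attrMap, "pager", srPagerAttrRights);
  }

  /**
   * Test selfwrite attribute level using the -g param and user.1 dn as the
   * authzid and the -e option member.
   * The search is bound as superuser but evaluates rights for user.1, who is
   * granted selfwrite on member: selfwrite_add and selfwrite_delete should be
   * allowed and every other right on member not allowed.
   *
   * @throws Exception If the search result is empty or a right string
   * doesn't match the expected value.
   */
  @Test()
  public void testSuAttrLevelParams3() throws Exception {
    String aciLdif=makeAddLDIF("aci", "ou=People,o=test", aclRightsAci,
            controlACI);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", readSearchAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    aciLdif=makeAddLDIF("aci", "ou=People,o=test", selfWriteAci);
    LDIFModify(aciLdif, DIR_MGR_DN, PWD);
    String userResults =
            LDAPSearchParams(superUser, PWD, null, "dn: " + user1, memberAttrList,
                    base, filter, "aclRights");
    Assert.assertFalse(userResults.equals(""), "empty search result");
    HashMap<String, String> attrMap=getAttrMap(userResults);
    checkAttributeLevel(attrMap, "member", selfWriteAttrRights);
  }

  /**
   * Asserts that a search result is non-empty and that its entry-level rights
   * string equals the expected value.
   *
   * @param userResults  Raw LDIF text returned by the search.
   * @param reqRightsStr Expected entry-level rights string.
   * @throws Exception If the result is empty or the rights do not match.
   */
  private void assertEntryLevel(String userResults, String reqRightsStr)
          throws Exception {
    Assert.assertFalse(userResults.equals(""), "empty search result");
    HashMap<String, String> attrMap=getAttrMap(userResults);
    checkEntryLevel(attrMap, reqRightsStr);
  }

  /**
   * Checks the attribute-level rights reported for one attribute.
   * Uses assertEquals so a missing attribute fails with a readable message
   * (showing the key looked up) instead of a NullPointerException.
   *
   * @param attrMap      Attribute map built from the search result.
   * @param attr         Attribute whose rights are checked.
   * @param reqRightsStr Expected rights string for the attribute.
   * @throws Exception If the rights string is absent or does not match.
   */
  private void
  checkAttributeLevel(HashMap<String, String> attrMap, String attr,
                      String reqRightsStr) throws Exception {
    //Keys in the map are lower-cased attribute descriptions.
    String attrType=attributeLevel.toLowerCase() + attr;
    String retRightsStr=attrMap.get(attrType);
    Assert.assertEquals(retRightsStr, reqRightsStr,
            "rights for " + attrType);
  }

  /**
   * Checks the entry-level rights reported in the search result.
   * Uses assertEquals so a missing aclRights;entryLevel value fails with a
   * readable message instead of a NullPointerException.
   *
   * @param attrMap      Attribute map built from the search result.
   * @param reqRightsStr Expected entry-level rights string.
   * @throws Exception If the rights string is absent or does not match.
   */
  private void
  checkEntryLevel(HashMap<String, String> attrMap, String reqRightsStr)
          throws Exception {
    String key=entryLevel.toLowerCase();
    String retRightsStr=attrMap.get(key);
    Assert.assertEquals(retRightsStr, reqRightsStr, "rights for " + key);
  }
}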