Author: akarasulu
Date: Mon Nov 1 17:51:56 2004
New Revision: 56320
Modified:
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Log:
last changes which get minimal authorization requirements working
Modified:
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
==============================================================================
---
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
(original)
+++
incubator/directory/eve/trunk/jndi-provider/src/java/org/apache/eve/jndi/ibs/AuthorizationService.java
Mon Nov 1 17:51:56 2004
@@ -46,6 +46,8 @@
private static final Name ADMIN_DN = SystemPartition.getAdminDn();
/** the base distinguished [EMAIL PROTECTED] Name} for all users */
private static final Name USER_BASE_DN = SystemPartition.getUsersBaseDn();
+ /** the base distinguished [EMAIL PROTECTED] Name} for all groups */
+ private static final Name GROUP_BASE_DN =
SystemPartition.getGroupsBaseDn();
/** the name parser used by this service */
private final DnParser dnParser;
@@ -107,6 +109,15 @@
msg += name + ". Only the admin can delete user accounts.";
throw new EveNoPermissionException( msg );
}
+
+ if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN )
+ && ! principalDn.equals( ADMIN_DN ) )
+ {
+ String msg = "User " + principalDn;
+ msg += " does not have permission to delete the group entry: ";
+ msg += name + ". Only the admin can delete groups.";
+ throw new EveNoPermissionException( msg );
+ }
}
}
@@ -165,21 +176,32 @@
{
Name principalDn = getPrincipal( invocation ).getDn();
- if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) && !
principalDn.equals( ADMIN_DN ) )
+ if ( ! principalDn.equals( ADMIN_DN ) )
{
- String msg = "User " + principalDn;
- msg += " does not have permission to modify the admin
account.";
- throw new EveNoPermissionException( msg );
- }
-
- if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !
principalDn.equals( ADMIN_DN ) )
- {
- String msg = "User " + principalDn;
- msg += " does not have permission to modify the account of
the";
- msg += " user " + dn + ".\nEven the owner of an account
cannot";
- msg += " modify it.\nUser accounts can only be modified by
the";
- msg += " administrator.";
- throw new EveNoPermissionException( msg );
+ if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) )
+ {
+ String msg = "User " + principalDn;
+ msg += " does not have permission to modify the admin
account.";
+ throw new EveNoPermissionException( msg );
+ }
+
+ if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+ {
+ String msg = "User " + principalDn;
+ msg += " does not have permission to modify the account of
the";
+ msg += " user " + dn + ".\nEven the owner of an account
cannot";
+ msg += " modify it.\nUser accounts can only be modified by
the";
+ msg += " administrator.";
+ throw new EveNoPermissionException( msg );
+ }
+
+ if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+ {
+ String msg = "User " + principalDn;
+ msg += " does not have permission to modify the group
entry ";
+ msg += dn + ".\nGroups can only be modified by the admin.";
+ throw new EveNoPermissionException( msg );
+ }
}
}
}
@@ -239,6 +261,14 @@
msg += " rename user accounts.";
throw new EveNoPermissionException( msg );
}
+
+ if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) && !
principalDn.equals( ADMIN_DN ) )
+ {
+ String msg = "User " + principalDn;
+ msg += " does not have permission to move or rename the group
entry ";
+ msg += dn + ".\nGroups can only be moved or renamed by the
admin.";
+ throw new EveNoPermissionException( msg );
+ }
}
}
@@ -256,13 +286,21 @@
}
Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
- if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !
principalDn.equals( ADMIN_DN ) )
- {
- return false;
- }
- else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN
) )
+ if ( ! principalDn.equals( ADMIN_DN ) )
{
- return false;
+ if ( dn.size() > 2 )
+ {
+ if ( dn.startsWith( USER_BASE_DN ) || dn.startsWith(
GROUP_BASE_DN ) )
+ {
+ return false;
+ }
+ }
+
+ if ( dn.equals( ADMIN_DN ) )
+ {
+ return false;
+ }
+
}
return true;
@@ -285,19 +323,33 @@
private void filter( LdapContext ctx, Name dn ) throws NamingException
{
Name principalDn = ( ( EveContext ) ctx ).getPrincipal().getDn();
- if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !
principalDn.equals( ADMIN_DN ) )
- {
- String msg = "Access to user account '" + dn + "' not
permitted";
- msg += " for user '" + principalDn + "'. Only the admin can";
- msg += " access user account information";
- throw new EveNoPermissionException( msg );
- }
- else if ( dn.equals( ADMIN_DN ) && ! principalDn.equals( ADMIN_DN
) )
+
+
+ if ( ! principalDn.equals( ADMIN_DN ) )
{
- String msg = "Access to admin account not permitted for user
'";
- msg += principalDn + "'. Only the admin can";
- msg += " access admin account information";
- throw new EveNoPermissionException( msg );
+ if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+ {
+ String msg = "Access to user account '" + dn + "' not
permitted";
+ msg += " for user '" + principalDn + "'. Only the admin
can";
+ msg += " access user account information";
+ throw new EveNoPermissionException( msg );
+ }
+
+ if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+ {
+ String msg = "Access to group '" + dn + "' not permitted";
+ msg += " for user '" + principalDn + "'. Only the admin
can";
+ msg += " access group information";
+ throw new EveNoPermissionException( msg );
+ }
+
+ if ( dn.equals( ADMIN_DN ) )
+ {
+ String msg = "Access to admin account not permitted for
user '";
+ msg += principalDn + "'. Only the admin can";
+ msg += " access admin account information";
+ throw new EveNoPermissionException( msg );
+ }
}
}
}
Modified:
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
==============================================================================
---
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
(original)
+++
incubator/directory/eve/trunk/jndi-provider/src/test/org/apache/eve/jndi/ibs/AuthorizationServiceTest.java
Mon Nov 1 17:51:56 2004
@@ -17,12 +17,16 @@
package org.apache.eve.jndi.ibs;
+import java.util.HashSet;
import javax.naming.NamingException;
+import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.Attributes;
+import javax.naming.directory.SearchControls;
import org.apache.eve.jndi.AbstractMultiUserJndiTest;
import org.apache.eve.exception.EveNoPermissionException;
+import org.apache.eve.db.DbSearchResult;
import org.apache.ldap.common.message.LockableAttributesImpl;
@@ -142,5 +146,60 @@
fail( sysRootAsNonAdminUser.getPrincipal().getDn() +
" should not be able to modify attributes on admin" );
} catch( Exception e ) { }
+ }
+
+
+ /**
+ * Makes sure the admin can see all entries we know of on a subtree search.
+ *
+ * @throws NamingException if there are problems
+ */
+ public void testSearchSubtreeByAdmin() throws NamingException
+ {
+ SearchControls controls = new SearchControls();
+ controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+
+ HashSet set = new HashSet();
+ NamingEnumeration list = sysRoot.search( "", "(objectClass=*)",
controls );
+ while ( list.hasMore() )
+ {
+ DbSearchResult result = ( DbSearchResult ) list.next();
+ set.add( result.getName() );
+ }
+
+ assertTrue( set.contains( "ou=system" ) );
+ assertTrue( set.contains( "ou=groups,ou=system" ) );
+ assertTrue( set.contains( "cn=administrators,ou=groups,ou=system" ) );
+ assertTrue( set.contains( "ou=users,ou=system" ) );
+ assertTrue( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+ assertTrue( set.contains( "uid=admin,ou=system" ) );
+ }
+
+
+ /**
+ * Makes sure the admin can see all entries we know of on a subtree search.
+ *
+ * @throws NamingException if there are problems
+ */
+ public void testSearchSubtreeByNonAdmin() throws NamingException
+ {
+ SearchControls controls = new SearchControls();
+ controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+
+ HashSet set = new HashSet();
+ NamingEnumeration list = sysRootAsNonAdminUser.search( "",
+ "(objectClass=*)", controls );
+ while ( list.hasMore() )
+ {
+ DbSearchResult result = ( DbSearchResult ) list.next();
+ set.add( result.getName() );
+ }
+
+ assertTrue( set.contains( "ou=system" ) );
+ assertTrue( set.contains( "ou=groups,ou=system" ) );
+ assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
+ assertTrue( set.contains( "ou=users,ou=system" ) );
+ assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+ assertFalse( set.contains( "uid=admin,ou=system" ) );
}
}
