mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
@@ -73,7 +73,7 @@ * @param patterns List of dns patterns to match against. * @param type An enumeration representing the bind rule type. */ private DNS(LinkedList<String> patterns, EnumBindRuleType type) { DNS(LinkedList<String> patterns, EnumBindRuleType type) { this.patterns=patterns; this.type=type; } @@ -194,54 +194,36 @@ return matched.getRet(type, false); } /* * TODO Verify that a DNS pattern of "*" is valid by writing a unit * test. Probably isn't. * * TODO Evaluate if extending the wild-card matching to multiple name * components should be supported. Currently wild-cards are only permitted * in the leftmost field and the rest of the domain name components must * match. * * TODO Evaluate extending wild-card matching to non-complete name matching. * * Is it acceptable to have a DNS address of just "*" * (which presumably will match any system)? * * Is it acceptable for a wildcard to match multiple name components? For * example, is "*.example.com" supposed to be considered a match for * "host.east.example.com"? Similarly, would a pattern like * "www.*.example.com" match "www.newyork.east.example.com"? It doesn't * appear that the current implementation matches either of them. * * Is it acceptable for a wildcard to appear as anything other than a * complete name component? For example, if I have three web servers * "www1.example.com","www2.example.com", and "www3.example.com", then * can I use "www*.example.com"? It doesn't appear that the current * implementation allows that. Further, would "www*.example.com" match * cases like "www.example.com" or "www1.east.example.com"? */ /** * Checks an array containing the remote client's hostname against * patterns specified in the bind rule expression. Wild-cards are * only permitted in the leftmost field and the rest of the domain * name array components must match. * name array components must match. A single wild-card matches any * hostname. * @param remoteHostName Array containing components of the remote clients * hostname (split on "."). * @param pat An array containing the pattern specified in * the bind rule expression. The first array slot may be a wild-card "*". * @return True if the remote hostname matches the pattern. */ private boolean evalHostName(String[] remoteHostName, String[] pat) { if(remoteHostName.length != pat.length) boolean evalHostName(String[] remoteHostName, String[] pat) { boolean wildCard=pat[0].equals("*"); //Check if there is a single wild-card. if(pat.length == 1 && wildCard) return true; int remoteHnIndex=remoteHostName.length-pat.length; if(remoteHnIndex < 0) return false; for(int i=0;i<remoteHostName.length;i++) { if(!pat[i].equals("*")) { if(!pat[i].equalsIgnoreCase(remoteHostName[i])) int patternIndex=0; if(!wildCard) remoteHnIndex=0; else { patternIndex=1; remoteHnIndex++; } for(int i=remoteHnIndex ;i<remoteHostName.length;i++) if(!pat[patternIndex++].equalsIgnoreCase(remoteHostName[i])) return false; } } return true; } } opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -237,6 +237,7 @@ private static final String BIND_RULE_IP_NOT_MISC_AND_LOCALHOST = "ip!=\"72.5.124.61,127.0.0.1\""; private static final String BIND_RULE_DNS_LOCALHOST = "dns=\"localhost\""; private static final String BIND_RULE_DNS_NOT_LOCALHOST = "dns!=\"localhost\""; private static final String BIND_RULE_DNS_ALL= "dns=\"*\""; private static final String BIND_RULE_THIS_HOUR = getTimeOfDayRuleNextHour(); private static final String BIND_RULE_PREVIOUS_HOUR = getTimeOfDayRulePreviousHour(); @@ -465,6 +466,9 @@ private static final String ALLOW_ALL_TO_NON_DNS_LOCALHOST = buildAciValue("name", "allow all to non localhost", "targetattr", "*", "allow(all)", BIND_RULE_DNS_NOT_LOCALHOST); private static final String ALLOW_ALL_TO_DNS_ALL = buildAciValue("name", "allow all to dns all", "targetattr", "*", "allow(all)", BIND_RULE_DNS_ALL); private static final String DENY_ALL_TO_DNS_LOCALHOST = buildAciValue("name", "deny all to localhost", "targetattr", "*", "deny(all)", BIND_RULE_DNS_LOCALHOST); @@ -1142,6 +1146,10 @@ String GROUP1_GROUPDN_MODS = makeAddAciLdif(OU_LEAF_DN, ALLOW_SEARCH_TO_GROUP1_GROUPDN); //Aci to test dns="*". private static final String DNS_ALL_ACI = makeAddAciLdif(OU_LEAF_DN, ALLOW_ALL_TO_DNS_ALL); // ou=leaf,ou=inner,ou=acitest,dc=example,dc=com and everything under it private static final String LEAF_OU_FULL_LDIF__SEARCH_TESTS = LEAF_OU_LDIF__SEARCH_TESTS + @@ -1878,6 +1886,28 @@ } /** * Test ACI using dns="*" bind rule pattern. Search should succeed. * @throws Throwable If the search doesn't return any entries. */ @Test() public void testDNSWildCard() throws Throwable { SingleSearchParams userParam = new SingleSearchParams(LEVEL_1_USER_DN, "pa$$word", LEVEL_3_USER_DN, OBJECTCLASS_STAR, SCOPE_BASE, null, null, null); try { addEntries(BASIC_LDIF__GROUP_SEARCH_TESTS, DIR_MGR_DN, DIR_MGR_PW); modEntries(DNS_ALL_ACI, DIR_MGR_DN, DIR_MGR_PW); String userResults = ldapSearch(userParam.getLdapSearchArgs()); Assert.assertFalse(userResults.equals("")); } catch(Throwable e) { throw e; } } /** * Test group and role bind rule ACI keywords. Both groupdn and roledn keywords * funnel through the same code so the results should be the same. * @throws Throwable opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/DNSTestCase.java
New file @@ -0,0 +1,108 @@ /* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * trunk/opends/resource/legal-notices/OpenDS.LICENSE * or https://OpenDS.dev.java.net/OpenDS.LICENSE. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Portions Copyright 2007 Sun Microsystems, Inc. */ package org.opends.server.authorization.dseecompat; import org.testng.annotations.Test; import org.testng.annotations.DataProvider; import static org.testng.Assert.assertTrue; import static org.testng.Assert.assertFalse; public class DNSTestCase { private DNS dns=new DNS(null, null); @DataProvider(name = "wildCardMatch") public Object[][] wcMatchData() { return new Object[][] { { "foo.example.com", "*.com" }, { "foo.example.com", "*.example.com" }, { "very.long.dns.foo.example.com", "*.example.com" }, { "foo.example.com", "*" }, }; } @DataProvider(name = "nonWildCardMatch") public Object[][] nonWCMatchData() { return new Object[][] { { "foo.example.com", "foo.example.com" }, { "example.com", "example.com" }, { "com", "com" }, { "very.long.dns.example.com", "very.long.dns.example.com" }, }; } @DataProvider(name = "invalidMatch") public Object[][] invalidMatchData() { return new Object[][] { { "foo.example.com", "example.com" }, { "foo.example.com", "com" }, { "foo.example.com", "*.foo.com" }, { "foo.bar.com", "*.foo.bar.com" }, { "bar.com", "foo.bar.com" }, { "very.long.dns.example.com", "very.long.dns.test.com" }, }; } /** * Test wild-card match patterns. They all should succeed. * @param hostString The string representing a host name. * @param patString The pattern to evaluate with. */ @Test(dataProvider = "wildCardMatch") public void testWildCardMatch(String hostString, String patString) { String[] patArray = patString.split("\\.", -1); String[] hostArray = hostString.split("\\.", -1); assertTrue(dns.evalHostName(hostArray, patArray)); } /** * Test non wild-card match patterns. They all should succeed. * @param hostString The string representing a host name. * @param patString The pattern to evaluate with. */ @Test(dataProvider = "nonWildCardMatch") public void testNonWildCardMatch(String hostString, String patString) { String[] patArray = patString.split("\\.", -1); String[] hostArray = hostString.split("\\.", -1); assertTrue(dns.evalHostName(hostArray, patArray)); } /** * Test with various invalid patterns and hostname combinations. They all * should fail. * @param hostString The string representing a host name. * @param patString The pattern to evaluate with. */ @Test(dataProvider = "invalidMatch") public void testInvalidMatch(String hostString, String patString) { String[] patArray = patString.split("\\.", -1); String[] hostArray = hostString.split("\\.", -1); assertFalse(dns.evalHostName(hostArray, patArray)); } }
