From 43023ab6e36fbc7687df60fd2aa6e4a479ce632e Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Tue, 14 Aug 2007 16:32:26 +0000
Subject: [PATCH] Add ACI unit test for nested static groups.
---
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/NestedGroupDNTestCase.java | 172 +++++++++++++++++++++++++++++++++++++++++++
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java | 34 +++++++-
2 files changed, 202 insertions(+), 4 deletions(-)
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java
index 3240d8b..2985497 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTestCase.java
@@ -42,7 +42,7 @@
import java.util.HashMap;
import java.util.ArrayList;
-@Test(groups = { "precommit", "dseecompat" })
+@Test(groups = {"precommit", "dseecompat"})
public abstract class AciTestCase extends DirectoryServerTestCase {
public static final String DIR_MGR_DN = "cn=Directory Manager";
public static final String PWD = "password";
@@ -441,6 +441,32 @@
"cn: group",
"member: uid=user.3,ou=People," + suffix,
"",
+ "dn: ou=Nested Groups," + suffix,
+ "objectClass: top",
+ "objectClass: organizationalUnit",
+ "ou: Nested Groups",
+ "",
+ "dn: cn=group 1,ou=Nested Groups," + suffix,
+ "objectClass: top",
+ "objectClass: groupOfNames",
+ "cn: group 1",
+ "",
+ "dn: cn=group 2,ou=Nested Groups," + suffix,
+ "objectClass: top",
+ "objectClass: groupOfNames",
+ "cn: group 2",
+ "",
+ "dn: cn=group 3,ou=Nested Groups," + suffix,
+ "objectClass: top",
+ "objectClass: groupOfNames",
+ "cn: group 3",
+ "",
+ "dn: cn=group 4,ou=Nested Groups," + suffix,
+ "objectClass: top",
+ "objectClass: groupOfURLs",
+ "cn: group 4",
+ "memberURL: ldap:///ou=people,o=test??sub?(sn>=5)",
+ "",
"dn: uid=superuser,ou=admins," + suffix,
"objectClass: top",
"objectClass: person",
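Review bot: The `memberURL` for group 4 hard-codes `o=test` as its search base, while every other DN added in this hunk is built from `suffix`. If the enclosing method is ever called with a different suffix, the dynamic group would select members from a subtree other than the one these entries are loaded into, and a groupdn ACI test relying on it could pass or fail for the wrong reason. Consider `"memberURL: ldap:///ou=People," + suffix + "??sub?(sn>=5)",`. The string list and the method that owns it start and end outside the hunk, so how `suffix` is supplied is not visible here.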
@@ -500,7 +526,7 @@
"givenName: User 2",
"sn: 2",
"cn: User 2",
- "l: dallas",
+ "l: dallas",
"userPassword: password",
"",
"dn: uid=user.3,ou=People," + suffix,
@@ -512,7 +538,7 @@
"givenName: User 3",
"sn: 3",
"cn: User 3",
- "l: Austin",
+ "l: Austin",
"userPassword: password",
"ds-privilege-name: proxied-auth",
"",
@@ -525,7 +551,7 @@
"givenName: User 4",
"sn: 4",
"cn: User 4",
- "l: ft worth",
+ "l: ft worth",
"userPassword: password",
"",
"dn: uid=user.5,ou=People," + suffix,
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/NestedGroupDNTestCase.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/NestedGroupDNTestCase.java
new file mode 100644
index 0000000..69c5059
--- /dev/null
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/NestedGroupDNTestCase.java
@@ -0,0 +1,172 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ * add the following below this CDDL HEADER, with the fields enclosed
+ * by brackets "[]" replaced with your own identifying information:
+ * Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ *
+ * Portions Copyright 2007 Sun Microsystems, Inc.
+ */
+
+
+package org.opends.server.authorization.dseecompat;
+
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.Test;
+import org.testng.Assert;
+import org.opends.server.TestCaseUtils;
+import static org.opends.server.config.ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI;
+
+/**
+ * Test the groupdn keyword using nested groups.
+ */
+public class NestedGroupDNTestCase extends AciTestCase {
+
+ private static final String peopleBase="ou=People,o=test";
+ private static final String user5="uid=user.5,ou=People,o=test";
+ private static final String group1DN = "cn=group 1,ou=Nested Groups, o=test";
+ private static final String group2DN = "cn=group 2,ou=Nested Groups, o=test";
+ private static final String group3DN = "cn=group 3,ou=Nested Groups, o=test";
+ private static final String group4DN = "cn=group 4,ou=Nested Groups, o=test";
+
+ private static final
+ String groupAci = "(targetattr=\"*\")" +
+ "(version 3.0; acl \"group ACI\"; " +
+ "allow (all) " +
+ "groupdn=\"ldap:///" + group1DN + "\";)";
+
+ @BeforeClass
+ public void setupClass() throws Exception {
+ TestCaseUtils.startServer();
+ deleteAttrFromEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
+ addEntries("o=test");
+ }
+
+ @AfterClass
+ public void tearDown() throws Exception {
+ String aciLdif=makeAddLDIF(ATTR_AUTHZ_GLOBAL_ACI, ACCESS_HANDLER_DN,
+ G_READ_ACI, G_SELF_MOD, G_SCHEMA, G_DSE, G_USER_OPS, G_CONTROL,
+ E_EXTEND_OP);
+ LDIFModify(aciLdif, DIR_MGR_DN, PWD);
+ }
+
+
+ @BeforeMethod
+ public void clearBackend() throws Exception {
+ deleteAttrFromEntry(peopleBase, "aci");
+ deleteAttrFromEntry(group1DN, "member");
+ deleteAttrFromEntry(group2DN, "member");
+ deleteAttrFromEntry(group3DN, "member");
+ deleteAttrFromEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
+ }
+
+ /**
+ * Test access using static nested groups. Add a user to group3, add group3
+ * to group2 and group2 to group1.
+ *
+ * @throws Exception If an unexpected result is received.
+ */
+ @Test()
+ public void testNestedGroup() throws Exception {
+ String aciLdif=makeAddLDIF("aci", peopleBase, groupAci);
+ LDIFModify(aciLdif, DIR_MGR_DN, PWD);
+ String userResults =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ //Access to user5 should be denied, user5 is not in any groups.
+ Assert.assertTrue(userResults.equals(""));
+ //Add user5 to group1.
+ String member5Ldif=makeAddLDIF("member", group3DN, user5);
+ LDIFModify(member5Ldif, DIR_MGR_DN, PWD);
+ //Nest group1 in group2.
+ String group2Ldif=makeAddLDIF("member", group2DN, group3DN);
+ LDIFModify(group2Ldif, DIR_MGR_DN, PWD);
+ //Nest group2 in group1.
+ String group1Ldif=makeAddLDIF("member", group1DN, group2DN);
+ LDIFModify(group1Ldif, DIR_MGR_DN, PWD);
+ String userResults1 =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ //Results should be returned since user5 now has access.
+ Assert.assertFalse(userResults1.equals(""));
+ }
+
+
+ /**
+ * Test access using a dynamic nested group. Group 4 (dynamic) is nested
+ * in group1, group1 is nested in group2, group2 is nested in group1.
+ *
+ * @throws Exception If an unexpected result is returned.
+ */
+ @Test()
+ public void testNestedDynamicGroup() throws Exception {
+ String aciLdif=makeAddLDIF("aci", peopleBase, groupAci);
+ LDIFModify(aciLdif, DIR_MGR_DN, PWD);
+ String userResults =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ Assert.assertTrue(userResults.equals(""));
+ //Add group4 (dynamic) to group3.
+ String group3Ldif=makeAddLDIF("member", group3DN, group4DN);
+ LDIFModify(group3Ldif, DIR_MGR_DN, PWD);
+ String group2Ldif=makeAddLDIF("member", group2DN, group3DN);
+ LDIFModify(group2Ldif, DIR_MGR_DN, PWD);
+ String group1Ldif=makeAddLDIF("member", group1DN, group2DN);
+ LDIFModify(group1Ldif, DIR_MGR_DN, PWD);
+ String userResults1 =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ //Results should be returned, since user5 now has access because of
+ //nested group4.
+ Assert.assertFalse(userResults1.equals(""));
+ }
+
+
+ /**
+ * Test group access using a circular group definition. Group3 points back
+ * to group1.
+ *
+ * @throws Exception IKf an unexpected result is returned.
+ */
+ @Test()
+ public void testNestedCircularGroup() throws Exception {
+ String aciLdif=makeAddLDIF("aci", peopleBase, groupAci);
+ LDIFModify(aciLdif, DIR_MGR_DN, PWD);
+ String userResults =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ Assert.assertTrue(userResults.equals(""));
+ //Nest group1 in group3, creating circular nesting.
+ String group3Ldif=makeAddLDIF("member", group3DN, group1DN);
+ LDIFModify(group3Ldif, DIR_MGR_DN, PWD);
+ String group2Ldif=makeAddLDIF("member", group2DN, group3DN);
+ LDIFModify(group2Ldif, DIR_MGR_DN, PWD);
+ String group1Ldif=makeAddLDIF("member", group1DN, group2DN);
+ LDIFModify(group1Ldif, DIR_MGR_DN, PWD);
+ String userResults1 =
+ LDAPSearchParams(user5, PWD, null, null, null,
+ user5, filter, null);
+ //Results should not be returned because of circular condition.
+ Assert.assertTrue(userResults1.equals(""));
+ }
+
+}
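Review bot: The final assertion in testNestedCircularGroup holds whether or not the cycle is handled, because user5 is never made a member of group1, group2 or group3 in that test, so an empty result is also what any non-member would get. As written it mainly checks that evaluating the circular groupdn terminates. If the intent is to pin the access decision for a real member inside a cycle, add `LDIFModify(makeAddLDIF("member", group3DN, user5), DIR_MGR_DN, PWD);` before the second search and assert the outcome the handler is meant to give. Separately, the inline comments in testNestedGroup (`//Add user5 to group1.`, `//Nest group1 in group2.`) and the Javadoc of testNestedDynamicGroup do not match the code, which adds the member to group3, then nests group3 in group2 and group2 in group1. `IKf` in the last Javadoc is a typo for `If`.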
--
Gitblit v1.10.0