From dc31fed4c82c660e83a362e47663a3bc1cc87c8e Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Tue, 17 Apr 2007 21:15:25 +0000
Subject: [PATCH] Fix ACI dns bind rule keyword to be more compatible with dsee. Issue 462.
---
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java | 30 +++++++
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/DNSTestCase.java | 108 +++++++++++++++++++++++++++
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java | 60 +++++---------
3 files changed, 159 insertions(+), 39 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
index fa3e478..5f6dcab 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/DNS.java
@@ -73,7 +73,7 @@
* @param patterns List of dns patterns to match against.
* @param type An enumeration representing the bind rule type.
*/
- private DNS(LinkedList<String> patterns, EnumBindRuleType type) {
+ DNS(LinkedList<String> patterns, EnumBindRuleType type) {
this.patterns=patterns;
this.type=type;
}
@@ -194,54 +194,36 @@
return matched.getRet(type, false);
}
- /*
- * TODO Verify that a DNS pattern of "*" is valid by writing a unit
- * test. Probably isn't.
- *
- * TODO Evaluate if extending the wild-card matching to multiple name
- * components should be supported. Currently wild-cards are only permitted
- * in the leftmost field and the rest of the domain name components must
- * match.
- *
- * TODO Evaluate extending wild-card matching to non-complete name matching.
- *
- * Is it acceptable to have a DNS address of just "*"
- * (which presumably will match any system)?
- *
- * Is it acceptable for a wildcard to match multiple name components? For
- * example, is "*.example.com" supposed to be considered a match for
- * "host.east.example.com"? Similarly, would a pattern like
- * "www.*.example.com" match "www.newyork.east.example.com"? It doesn't
- * appear that the current implementation matches either of them.
- *
- * Is it acceptable for a wildcard to appear as anything other than a
- * complete name component? For example, if I have three web servers
- * "www1.example.com","www2.example.com", and "www3.example.com", then
- * can I use "www*.example.com"? It doesn't appear that the current
- * implementation allows that. Further, would "www*.example.com" match
- * cases like "www.example.com" or "www1.east.example.com"?
- */
/**
* Checks an array containing the remote client's hostname against
* patterns specified in the bind rule expression. Wild-cards are
* only permitted in the leftmost field and the rest of the domain
- * name array components must match.
+ * name array components must match. A single wild-card matches any
+ * hostname.
* @param remoteHostName Array containing components of the remote clients
* hostname (split on ".").
* @param pat An array containing the pattern specified in
* the bind rule expression. The first array slot may be a wild-card "*".
* @return True if the remote hostname matches the pattern.
*/
- private boolean evalHostName(String[] remoteHostName, String[] pat) {
- if(remoteHostName.length != pat.length)
- return false;
- for(int i=0;i<remoteHostName.length;i++)
- {
- if(!pat[i].equals("*")) {
- if(!pat[i].equalsIgnoreCase(remoteHostName[i]))
- return false;
- }
- }
+ boolean evalHostName(String[] remoteHostName, String[] pat) {
+ boolean wildCard=pat[0].equals("*");
+ //Check if there is a single wild-card.
+ if(pat.length == 1 && wildCard)
return true;
+ int remoteHnIndex=remoteHostName.length-pat.length;
+ if(remoteHnIndex < 0)
+ return false;
+ int patternIndex=0;
+ if(!wildCard)
+ remoteHnIndex=0;
+ else {
+ patternIndex=1;
+ remoteHnIndex++;
+ }
+ for(int i=remoteHnIndex ;i<remoteHostName.length;i++)
+ if(!pat[patternIndex++].equalsIgnoreCase(remoteHostName[i]))
+ return false;
+ return true;
}
}
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
index 5028fd7..d28050c 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -237,6 +237,7 @@
private static final String BIND_RULE_IP_NOT_MISC_AND_LOCALHOST = "ip!=\"72.5.124.61,127.0.0.1\"";
private static final String BIND_RULE_DNS_LOCALHOST = "dns=\"localhost\"";
private static final String BIND_RULE_DNS_NOT_LOCALHOST = "dns!=\"localhost\"";
+ private static final String BIND_RULE_DNS_ALL= "dns=\"*\"";
private static final String BIND_RULE_THIS_HOUR = getTimeOfDayRuleNextHour();
private static final String BIND_RULE_PREVIOUS_HOUR = getTimeOfDayRulePreviousHour();
@@ -465,6 +466,9 @@
private static final String ALLOW_ALL_TO_NON_DNS_LOCALHOST =
buildAciValue("name", "allow all to non localhost", "targetattr", "*", "allow(all)", BIND_RULE_DNS_NOT_LOCALHOST);
+ private static final String ALLOW_ALL_TO_DNS_ALL =
+ buildAciValue("name", "allow all to dns all", "targetattr", "*", "allow(all)", BIND_RULE_DNS_ALL);
+
private static final String DENY_ALL_TO_DNS_LOCALHOST =
buildAciValue("name", "deny all to localhost", "targetattr", "*", "deny(all)", BIND_RULE_DNS_LOCALHOST);
@@ -1142,6 +1146,10 @@
String GROUP1_GROUPDN_MODS = makeAddAciLdif(OU_LEAF_DN,
ALLOW_SEARCH_TO_GROUP1_GROUPDN);
+ //Aci to test dns="*".
+ private static final
+ String DNS_ALL_ACI = makeAddAciLdif(OU_LEAF_DN, ALLOW_ALL_TO_DNS_ALL);
+
// ou=leaf,ou=inner,ou=acitest,dc=example,dc=com and everything under it
private static final String LEAF_OU_FULL_LDIF__SEARCH_TESTS =
LEAF_OU_LDIF__SEARCH_TESTS +
@@ -1878,6 +1886,28 @@
}
/**
+ * Test ACI using dns="*" bind rule pattern. Search should succeed.
+ * @throws Throwable If the search doesn't return any entries.
+ */
+ @Test()
+ public void testDNSWildCard() throws Throwable {
+ SingleSearchParams userParam =
+ new SingleSearchParams(LEVEL_1_USER_DN,
+ "pa$$word", LEVEL_3_USER_DN,
+ OBJECTCLASS_STAR, SCOPE_BASE,
+ null, null, null);
+ try {
+ addEntries(BASIC_LDIF__GROUP_SEARCH_TESTS, DIR_MGR_DN, DIR_MGR_PW);
+ modEntries(DNS_ALL_ACI, DIR_MGR_DN, DIR_MGR_PW);
+ String userResults = ldapSearch(userParam.getLdapSearchArgs());
+ Assert.assertFalse(userResults.equals(""));
+ } catch(Throwable e) {
+ throw e;
+ }
+ }
+
+
+ /**
* Test group and role bind rule ACI keywords. Both groupdn and roledn keywords
* funnel through the same code so the results should be the same.
* @throws Throwable
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/DNSTestCase.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/DNSTestCase.java
new file mode 100644
index 0000000..871a812
--- /dev/null
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/DNSTestCase.java
@@ -0,0 +1,108 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE
+ * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at
+ * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
+ * add the following below this CDDL HEADER, with the fields enclosed
+ * by brackets "[]" replaced with your own identifying information:
+ * Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ *
+ *
+ * Portions Copyright 2007 Sun Microsystems, Inc.
+ */
+
+package org.opends.server.authorization.dseecompat;
+
+import org.testng.annotations.Test;
+import org.testng.annotations.DataProvider;
+import static org.testng.Assert.assertTrue;
+import static org.testng.Assert.assertFalse;
+
+public class DNSTestCase {
+
+ private DNS dns=new DNS(null, null);
+
+ @DataProvider(name = "wildCardMatch")
+ public Object[][] wcMatchData() {
+ return new Object[][] {
+ { "foo.example.com", "*.com" },
+ { "foo.example.com", "*.example.com" },
+ { "very.long.dns.foo.example.com", "*.example.com" },
+ { "foo.example.com", "*" },
+ };
+ }
+
+ @DataProvider(name = "nonWildCardMatch")
+ public Object[][] nonWCMatchData() {
+ return new Object[][] {
+ { "foo.example.com", "foo.example.com" },
+ { "example.com", "example.com" },
+ { "com", "com" },
+ { "very.long.dns.example.com", "very.long.dns.example.com" },
+ };
+ }
+
+ @DataProvider(name = "invalidMatch")
+ public Object[][] invalidMatchData() {
+ return new Object[][] {
+ { "foo.example.com", "example.com" },
+ { "foo.example.com", "com" },
+ { "foo.example.com", "*.foo.com" },
+ { "foo.bar.com", "*.foo.bar.com" },
+ { "bar.com", "foo.bar.com" },
+ { "very.long.dns.example.com", "very.long.dns.test.com" },
+ };
+ }
+
+
+ /**
+ * Test wild-card match patterns. They all should succeed.
+ * @param hostString The string representing a host name.
+ * @param patString The pattern to evaluate with.
+ */
+ @Test(dataProvider = "wildCardMatch")
+ public void testWildCardMatch(String hostString, String patString) {
+ String[] patArray = patString.split("\\.", -1);
+ String[] hostArray = hostString.split("\\.", -1);
+ assertTrue(dns.evalHostName(hostArray, patArray));
+ }
+
+ /**
+ * Test non wild-card match patterns. They all should succeed.
+ * @param hostString The string representing a host name.
+ * @param patString The pattern to evaluate with.
+ */
+ @Test(dataProvider = "nonWildCardMatch")
+ public void testNonWildCardMatch(String hostString, String patString) {
+ String[] patArray = patString.split("\\.", -1);
+ String[] hostArray = hostString.split("\\.", -1);
+ assertTrue(dns.evalHostName(hostArray, patArray));
+ }
+
+ /**
+ * Test with various invalid patterns and hostname combinations. They all
+ * should fail.
+ * @param hostString The string representing a host name.
+ * @param patString The pattern to evaluate with.
+ */
+ @Test(dataProvider = "invalidMatch")
+ public void testInvalidMatch(String hostString, String patString) {
+ String[] patArray = patString.split("\\.", -1);
+ String[] hostArray = hostString.split("\\.", -1);
+ assertFalse(dns.evalHostName(hostArray, patArray));
+ }
+}
--
Gitblit v1.10.0