/** * Tests the {@code getValidatedAuthorizationDN} method for a user that doesn't exist in the * directory data. * * @throws Exception If an unexpected problem occurs. */ @Test(expectedExceptions = {DirectoryException.class}) public void testGetValidatedAuthorizationNonExistingNormalUser() throws Exception { TestCaseUtils.initializeTestBackend(true); ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(DN.decode("uid=test,o=test")); proxyControl.getAuthorizationEntry(); }
/** * Tests the {@code getRawAuthorizationDN} and {@code setRawAuthorizationDN} methods. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testGetAndSetRawAuthorizationDN() throws Exception { ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(ByteString.valueOf("")); assertEquals(proxyControl.getRawAuthorizationDN(), ByteString.valueOf("")); proxyControl = new ProxiedAuthV1Control(ByteString.valueOf("uid=test,o=test")); assertEquals(proxyControl.getRawAuthorizationDN(), ByteString.valueOf("uid=test,o=test")); }
/** * Tests the {@code toString} methods. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testToString() throws Exception { // The default toString() calls the version that takes a string builder // argument, so we only need to use the default version to cover both cases. ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(ByteString.valueOf("uid=test,o=test")); proxyControl.toString(); proxyControl = new ProxiedAuthV1Control(DN.decode("uid=test,o=test")); proxyControl.toString(); }
/** * Tests the {@code decodeControl} method when the control value is a valid octet string that * contains an valid non-empty DN. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testDecodeControlValueNonEmptyDN() throws Exception { ByteStringBuilder bsb = new ByteStringBuilder(); ASN1Writer writer = ASN1.getWriter(bsb); writer.writeStartSequence(); writer.writeOctetString("uid=test,o=test"); writer.writeEndSequence(); LDAPControl c = new LDAPControl(OID_PROXIED_AUTH_V1, true, bsb.toByteString()); ProxiedAuthV1Control proxyControl = ProxiedAuthV1Control.DECODER.decode(c.isCritical(), c.getValue()); assertEquals(proxyControl.getAuthorizationDN(), DN.decode("uid=test,o=test")); }
/** * Tests the second constructor, which creates an instance of the control using a processed DN. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testConstructor2() throws Exception { // Try a DN of "null", which is not valid and will fail on the attempt to // create the control ProxiedAuthV1Control proxyControl; try { proxyControl = new ProxiedAuthV1Control((DN) null); throw new AssertionError( "Expected a failure when creating a proxied " + "auth V1 control with a null octet string."); } catch (Throwable t) { } // Try an empty DN, which is acceptable. proxyControl = new ProxiedAuthV1Control(DN.nullDN()); assertTrue(proxyControl.getOID().equals(OID_PROXIED_AUTH_V1)); assertTrue(proxyControl.isCritical()); assertTrue(proxyControl.getAuthorizationDN().isNullDN()); // Try a valid DN, which is acceptable. proxyControl = new ProxiedAuthV1Control(DN.decode("uid=test,o=test")); assertTrue(proxyControl.getOID().equals(OID_PROXIED_AUTH_V1)); assertTrue(proxyControl.isCritical()); assertEquals(proxyControl.getAuthorizationDN(), DN.decode("uid=test,o=test")); }
/** * Tests the {@code getValidatedAuthorizationDN} method for a normal user that exists in the * directory data and doesn't have any restrictions on its use. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testGetValidatedAuthorizationExistingNormalUser() throws Exception { TestCaseUtils.initializeTestBackend(true); TestCaseUtils.addEntry( "dn: uid=test,o=test", "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", "objectClass: inetOrgPerson", "uid: test", "givenName: Test", "sn: User", "cn: Test User"); ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(DN.decode("uid=test,o=test")); assertEquals(proxyControl.getAuthorizationEntry().getDN(), DN.decode("uid=test,o=test")); }
/** * Tests the {@code getValidatedAuthorizationDN} method for a disabled user. * * @throws Exception If an unexpected problem occurs. */ @Test(expectedExceptions = {DirectoryException.class}) public void testGetValidatedAuthorizationDisabledUser() throws Exception { TestCaseUtils.initializeTestBackend(true); TestCaseUtils.addEntry( "dn: uid=test,o=test", "objectClass: top", "objectClass: person", "objectClass: organizationalPerson", "objectClass: inetOrgPerson", "uid: test", "givenName: Test", "sn: User", "cn: Test User", "ds-pwp-account-disabled: true"); ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(DN.decode("uid=test,o=test")); proxyControl.getAuthorizationEntry(); }
/** * Handles any controls contained in the request. * * @throws DirectoryException If there is a problem with any of the request controls. */ private void handleRequestControls() throws DirectoryException { LocalBackendWorkflowElement.removeAllDisallowedControls(baseDN, this); List<Control> requestControls = getRequestControls(); if (requestControls != null && !requestControls.isEmpty()) { for (Control c : requestControls) { String oid = c.getOID(); if (OID_LDAP_ASSERTION.equals(oid)) { LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER); SearchFilter assertionFilter; try { assertionFilter = assertControl.getSearchFilter(); } catch (DirectoryException de) { if (debugEnabled()) { TRACER.debugCaught(DebugLogLevel.ERROR, de); } throw new DirectoryException( de.getResultCode(), ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de); } Entry entry; try { entry = DirectoryServer.getEntry(baseDN); } catch (DirectoryException de) { if (debugEnabled()) { TRACER.debugCaught(DebugLogLevel.ERROR, de); } throw new DirectoryException( de.getResultCode(), ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(de.getMessageObject())); } if (entry == null) { throw new DirectoryException( ResultCode.NO_SUCH_OBJECT, ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get()); } // Check if the current user has permission to make // this determination. if (!AccessControlConfigManager.getInstance() .getAccessControlHandler() .isAllowed(this, entry, assertionFilter)) { throw new DirectoryException( ResultCode.INSUFFICIENT_ACCESS_RIGHTS, ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid)); } try { if (!assertionFilter.matchesEntry(entry)) { throw new DirectoryException( ResultCode.ASSERTION_FAILED, ERR_SEARCH_ASSERTION_FAILED.get()); } } catch (DirectoryException de) { if (de.getResultCode() == ResultCode.ASSERTION_FAILED) { throw de; } if (debugEnabled()) { TRACER.debugCaught(DebugLogLevel.ERROR, de); } throw new DirectoryException( de.getResultCode(), ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de); } } else if (OID_PROXIED_AUTH_V1.equals(oid)) { // Log usage of legacy proxy authz V1 control. addAdditionalLogItem( AdditionalLogItem.keyOnly(getClass(), "obsoleteProxiedAuthzV1Control")); // The requester must have the PROXIED_AUTH privilege in order to be // able to use this control. if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) { throw new DirectoryException( ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get()); } ProxiedAuthV1Control proxyControl = getRequestControl(ProxiedAuthV1Control.DECODER); Entry authorizationEntry = proxyControl.getAuthorizationEntry(); setAuthorizationEntry(authorizationEntry); setProxiedAuthorizationDN(getDN(authorizationEntry)); } else if (OID_PROXIED_AUTH_V2.equals(oid)) { // The requester must have the PROXIED_AUTH privilege in order to be // able to use this control. if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) { throw new DirectoryException( ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get()); } ProxiedAuthV2Control proxyControl = getRequestControl(ProxiedAuthV2Control.DECODER); Entry authorizationEntry = proxyControl.getAuthorizationEntry(); setAuthorizationEntry(authorizationEntry); setProxiedAuthorizationDN(getDN(authorizationEntry)); } else if (OID_PERSISTENT_SEARCH.equals(oid)) { final PersistentSearchControl ctrl = getRequestControl(PersistentSearchControl.DECODER); persistentSearch = new PersistentSearch( this, ctrl.getChangeTypes(), ctrl.getChangesOnly(), ctrl.getReturnECs()); } else if (OID_LDAP_SUBENTRIES.equals(oid)) { SubentriesControl subentriesControl = getRequestControl(SubentriesControl.DECODER); setReturnSubentriesOnly(subentriesControl.getVisibility()); } else if (OID_LDUP_SUBENTRIES.equals(oid)) { // Support for legacy draft-ietf-ldup-subentry. addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(), "obsoleteSubentryControl")); setReturnSubentriesOnly(true); } else if (OID_MATCHED_VALUES.equals(oid)) { MatchedValuesControl matchedValuesControl = getRequestControl(MatchedValuesControl.DECODER); setMatchedValuesControl(matchedValuesControl); } else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid)) { setIncludeUsableControl(true); } else if (OID_REAL_ATTRS_ONLY.equals(oid)) { setRealAttributesOnly(true); } else if (OID_VIRTUAL_ATTRS_ONLY.equals(oid)) { setVirtualAttributesOnly(true); } else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid) && DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS)) { // Do nothing here and let AciHandler deal with it. } // NYI -- Add support for additional controls. else if (c.isCritical() && !backendSupportsControl(oid)) { throw new DirectoryException( ResultCode.UNAVAILABLE_CRITICAL_EXTENSION, ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid)); } } } }
/** * Tests the {@code getValidatedAuthorizationDN} method for the null DN. * * @throws Exception If an unexpected problem occurs. */ @Test() public void testGetValidatedAuthorizationDNNullDN() throws Exception { ProxiedAuthV1Control proxyControl = new ProxiedAuthV1Control(DN.nullDN()); assertNull(proxyControl.getAuthorizationEntry()); }