From 0823ca913540a010cf7a03b76e3bd72a19dbbb93 Mon Sep 17 00:00:00 2001
From: Adrian Damian <Adrian.Damian@nrc-cnrc.gc.ca>
Date: Thu, 11 Sep 2014 15:46:16 -0700
Subject: [PATCH] Fixed unit testing to work with the agreed ldap acis

---
 .../nrc/cadc/ac/server/ldap/LdapGroupDAO.java | 25 ++++++--------
 .../nrc/cadc/ac/server/ldap/LdapUserDAO.java  | 33 +++++++++++++++----
 .../nrc/cadc/ac/server/ldap/LdapDAOTest.java  |  2 +-
 .../cadc/ac/server/ldap/LdapGroupDAOTest.java |  8 ++---
 .../cadc/ac/server/ldap/LdapUserDAOTest.java  |  2 +-
 .../src/ca/nrc/cadc/ac/Group.java             |  4 +--
 6 files changed, 44 insertions(+), 30 deletions(-)

diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
index e1b8af7e..f15ba746 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAO.java
@@ -114,7 +114,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             "(groupdn = \"ldap:///<ACTUAL_GROUP>\");)";
     private static final String PUB_GROUP_ACI = "(targetattr = \"*\") " + 
             "(version 3.0;acl \"Group Public\";" + 
-            "allow (read,compare,search)userdn=\"ldap:///anyone\";)";
+            "allow (read,compare,search)userdn=\"ldap:///all\";)";
     
     private LdapUserDAO<T> userPersist;
 
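Review bot: Groups whose ACI was stored with the previous `ldap:///anyone` form will no longer be recognised as public, because the later branch `aci.equals(PUB_GROUP_ACI)` (visible in the Group Write hunk) is an exact string comparison against this constant. In Directory Server ACI syntax `ldap:///anyone` also covers anonymous binds while `ldap:///all` covers authenticated users only, so this is a narrowing of who may read public groups, not just a renaming; if that is intended, say so on the constant, e.g. `// "all" = any authenticated user; "anyone" would also include anonymous binds`. Existing entries written with the old form presumably need a migration or a comparison that accepts both.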
@@ -327,7 +327,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             Filter filter = Filter.createANDFilter(
                     Filter.createEqualityFilter("cn", groupID),
                     Filter.createNOTFilter(
-                        Filter.createEqualityFilter("nsaccountlock", "true")));
+                        Filter.createEqualityFilter("nsaccountlock", "TRUE")));
             
             SearchRequest searchRequest =  new SearchRequest(
                     config.getGroupsDN(), SearchScope.SUB, 
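Review bot: The change from `"true"` to `"TRUE"` has no comment, so the next reader is likely to "fix" it back. Presumably the attribute is Boolean-syntax and the directory only matches the canonical upper-case literal; record that on the filter line, e.g. `// nsaccountlock is Boolean syntax: the server matches only the canonical "TRUE"`. The enclosing method starts and ends outside this hunk.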
@@ -379,7 +379,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                             User<X500Principal> user;
                             try
                             {
-                                user = userPersist.getMember(memberDN);
+                                user = userPersist.getMember(memberDN, false);
                             }
                             catch (UserNotFoundException e)
                             {
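Review bot: `userPersist.getMember(memberDN, false)` now runs the member lookup without the proxied-authorization control, i.e. under the connection's own bind identity rather than as the calling subject, so the directory no longer evaluates the subject's access to the member user entries. That looks deliberate, but nothing at the call site records the reasoning or the assumption that access was already enforced on the group entry; add `// no proxied auth: member entries are read with the connection identity, not as the subject`. The enclosing getGroup body starts and ends outside this hunk.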
@@ -391,8 +391,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                         else if (memberDN.isDescendantOf(config.getGroupsDN(),
                                                          false))
                         {
-                            Group memberGroup = getGroup(memberDN);
-                            ldapGroup.getGroupMembers().add(memberGroup);
+                            ldapGroup.getGroupMembers().add(new Group(memberDN.getRDNString().replace("cn=", "")));
                         }
                         else
                         {
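Review bot: `memberDN.getRDNString().replace("cn=", "")` removes every occurrence of `cn=` in the RDN string and silently accepts an RDN whose attribute is not `cn` at all, so a member entry named by some other attribute would become a Group with that attribute's value as its name. Taking the value from the parsed RDN is both safer and clearer: `RDN rdn = memberDN.getRDN();` then guard with `if (rdn.hasAttribute("cn"))` and use `new Group(rdn.getAttributeValues()[0])`, otherwise fall through to the existing else branch. Note also that the nested group is now a bare name-only Group instead of the fully resolved one the removed `getGroup(memberDN)` returned, so callers that walked nested members or ACIs will now see empty collections; worth a comment if that is the intent. The enclosing method starts and ends outside this hunk.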
@@ -412,10 +411,10 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                             // TODO it's gotta be a better way to do this.
                             String grRead = aci.substring(
                                     aci.indexOf("ldap:///"));
-                            grRead = grRead.substring(grRead.indexOf("cn"),
-                                                      grRead.lastIndexOf('"'));
+                            grRead = grRead.substring(grRead.indexOf("cn=") + 3,
+                                                      grRead.indexOf(','));
 
-                            Group groupRead = getGroup(new DN(grRead));
+                            Group groupRead = new Group(grRead.trim());
                             ldapGroup.groupRead = groupRead;
                         }
                         else if (aci.contains("Group Write"))
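Review bot: The new index arithmetic is fragile for data that decides who may read the group: if the ACI value has no comma after the cn value, `grRead.indexOf(',')` returns -1 and `substring` throws StringIndexOutOfBoundsException (not an LDAPException, so the surrounding catch does not convert it), and if `"cn="` is absent, `indexOf` returns -1 and the +3 yields a silent garbage substring that is then used as the name of the group granted read access. The Group Write hunk has the same parsing, duplicated. I would move the parse into one helper that fails loudly when the reference is not well-formed, and call it from both branches; the enclosing getGroup body starts and ends outside this hunk.
```java
// … unchanged: branch on aci.contains("Group Read") …
Group groupRead = new Group(groupNameFromAci(aci));
ldapGroup.groupRead = groupRead;
// … unchanged: Group Write branch (same helper), public ACI branch …

// helper, declared outside getGroup
/**
 * Extracts the group name from the first {@code ldap:///cn=<name>,...}
 * reference in an ACI value.
 * @throws IllegalStateException if the ACI holds no such reference
 */
private static String groupNameFromAci(String aci)
{
    final String prefix = "ldap:///cn=";
    int start = aci.indexOf(prefix);
    if (start < 0)
    {
        throw new IllegalStateException("ACI has no group reference: " + aci);
    }
    start += prefix.length();
    int end = aci.indexOf(',', start);
    if (end < 0)
    {
        end = aci.indexOf('"', start);
    }
    if (end < 0)
    {
        throw new IllegalStateException("unterminated group reference in ACI: " + aci);
    }
    return aci.substring(start, end).trim();
}
```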
@@ -423,10 +422,10 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
                             // TODO it's gotta be a better way to do this.
                             String grWrite = aci.substring(
                                     aci.indexOf("ldap:///"));
-                            grWrite = grWrite.substring(grWrite.indexOf("cn"), 
-                                                    grWrite.lastIndexOf('"'));
+                            grWrite = grWrite.substring(grWrite.indexOf("cn=") + 3, 
+                                                    grWrite.indexOf(','));
 
-                            Group groupWrite = getGroup(new DN(grWrite));
+                            Group groupWrite = getGroup(grWrite.trim());
                             ldapGroup.groupWrite = groupWrite;
                         }
                         else if (aci.equals(PUB_GROUP_ACI))
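Review bot: The two ACI branches now resolve their group differently: Group Read builds `new Group(grRead.trim())` while Group Write calls `getGroup(grWrite.trim())`, which performs another directory search and, if `getGroup(String)` delegates to this method, recurses into the write group's own ACIs. Unless the asymmetry is intended, use the same construction for both, `Group groupWrite = new Group(grWrite.trim());`, and add a one-line comment on whichever form is kept explaining why. The substring parsing itself is raised on the Group Read hunk above. The enclosing method starts and ends outside this hunk.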
@@ -446,10 +445,6 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
             // access control
             throw new TransientException("Error getting the group", e1);
         }
-        catch (UserNotFoundException e2)
-        {
-            throw new RuntimeException("BUG - owner or member not found", e2);
-        }
     }
 
     /**
diff --git a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
index b4243307..b58ade6f 100755
--- a/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
+++ b/projects/cadcAccessControl-Server/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAO.java
@@ -129,7 +129,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
                     "Unsupported principal type " + userID.getClass());
         }
 
-        searchField = "(" + searchField + "=" + userID.getName() + ")";
+        searchField = "(&(objectclass=cadcaccount)(" + searchField + "=" + userID.getName() + "))";
 
         SearchResultEntry searchResult = null;
         try
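Review bot: The rewritten filter still concatenates `userID.getName()` straight into the LDAP filter string, so a principal name containing filter metacharacters (`*`, `(`, `)`, `\`) changes the query instead of being matched literally; the added `objectclass=cadcaccount` term does not prevent that. Build the filter with the SDK instead, as LdapGroupDAO already does in this patch: `Filter filter = Filter.createANDFilter(Filter.createEqualityFilter("objectclass", "cadcaccount"), Filter.createEqualityFilter(searchField, userID.getName()));` and pass `filter` to the `SearchRequest` constructor in the next hunk in place of the string. The enclosing method starts outside this hunk.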
@@ -137,7 +137,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
             SearchRequest searchRequest = new SearchRequest(config.getUsersDN(), 
                     SearchScope.SUB, searchField, 
                     new String[] {"cn", "entryid", "entrydn", "dn"});
-
+ 
             searchRequest.addControl(
                     new ProxiedAuthorizationV2RequestControl("dn:" + 
                             getSubjectDN().toNormalizedString()));
@@ -164,7 +164,7 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
                         searchResult.getAttributeValueAsInteger("entryid")));
 
         return user;
-    }
+    }   
 
     /**
      * Get all groups the user specified by userID belongs to.
@@ -335,11 +335,14 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
     /**
      * Returns a member user identified by the X500Principal only.
      * @param userDN
+     * @param bindAsSubject - true if Ldap commands executed as subject 
+     * (proxy authorization) or false if they are executed as the user
+     * in the connection.
      * @return
      * @throws UserNotFoundException
      * @throws LDAPException
      */
-    User<X500Principal> getMember(DN userDN)
+    User<X500Principal> getMember(DN userDN, boolean bindAsSubject)
         throws UserNotFoundException, LDAPException
     {
         Filter filter = 
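Review bot: The new `@param bindAsSubject` text describes the mechanism but not its consequence, and `@return` is still empty. I would say what a caller gives up when passing false, e.g. `@param bindAsSubject true to proxy the search as the calling subject so the directory enforces the subject's ACIs; false to search with the connection's own bind identity, which bypasses those ACIs and should be used only where access has already been checked`, and fill in `@return the user entry found at userDN`. The method body continues past this hunk.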
@@ -352,9 +355,12 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
                                   (String[]) this.attribType.values().toArray(
                                   new String[this.attribType.values().size()]));
         
-        searchRequest.addControl(
-                    new ProxiedAuthorizationV2RequestControl("dn:" + 
-                            getSubjectDN().toNormalizedString()));
+        if (bindAsSubject)
+        {
+        	searchRequest.addControl(
+        				new ProxiedAuthorizationV2RequestControl("dn:" + 
+        						getSubjectDN().toNormalizedString()));
+        }
         
         SearchResultEntry searchResult = 
                 getConnection().searchForEntry(searchRequest);
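Review bot: The three added lines inside the new `if (bindAsSubject)` block are indented with tabs while the rest of the file uses spaces, which shows up as misaligned code in any viewer with a different tab width; re-indent them to the four-space style of the surrounding lines. While there, a one-line comment on the `if` would save the reader a trip to the Javadoc: `// proxied authorization: the directory evaluates ACIs as the subject, not as the bind DN`. The enclosing method starts and ends outside this hunk.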
@@ -371,6 +377,19 @@ public class LdapUserDAO<T extends Principal> extends LdapDAO
 
         return user;
     }
+    
+    /**
+     * Returns a member user identified by the X500Principal only.
+     * @param userDN
+     * @return
+     * @throws UserNotFoundException
+     * @throws LDAPException
+     */
+    User<X500Principal> getMember(DN userDN)
+        throws UserNotFoundException, LDAPException
+    {
+        return getMember(userDN, true);
+    }
 
     DN getUserDN(User<? extends Principal> user)
         throws LDAPException, UserNotFoundException
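Review bot: The Javadoc on the new one-argument `getMember` is a copy of the two-argument version's and does not say which behaviour it selects, so a reader cannot tell from it that this overload proxies as the subject. Replace the copied block with a short delegation note, e.g. `/** Equivalent to {@code getMember(userDN, true)}: the search is proxied as the calling subject. */`, keeping the `@throws` lines.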
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java
index da506f72..9a2c2cad 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapDAOTest.java
@@ -87,7 +87,7 @@ public class LdapDAOTest
 {
     static String server = "mach275.cadc.dao.nrc.ca";
     static int port = 389;
-    static String adminDN = "uid=webproxy,ou=administrators,ou=topologymanagement,o=netscaperoot";
+    static String adminDN = "uid=webproxy,ou=WebProxy,ou=topologymanagement,o=netscaperoot";
     static String adminPW = "go4it";
     static String userBaseDN = "ou=Users,ou=ds,dc=canfartest,dc=net";
     static String groupBaseDN = "ou=Groups,ou=ds,dc=canfartest,dc=net";
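Review bot: The same administrative bind DN is now spelled three ways across the test classes: `ou=WebProxy` here, `ou=Webproxy` in LdapUserDAOTest and `ou=webproxy` in LdapGroupDAOTest. DN comparison is case-insensitive for these attributes so all three presumably bind, but the copies will drift again on the next change; define the server, DN and base DNs once (a shared test constant or a test resource) and reference them from all three classes. Keeping the bind password in source alongside them is an existing problem this hunk does not address, and the same shared resource would be the natural place to move it out of the committed code.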
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java
index f03f82a9..cdde99c2 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapGroupDAOTest.java
@@ -70,10 +70,10 @@ public class LdapGroupDAOTest
     static int port = 389;
     static String adminDN = "uid=webproxy,ou=webproxy,ou=topologymanagement,o=netscaperoot";
     static String adminPW = "go4it";
-//    static String userBaseDN = "ou=Users,ou=ds,dc=canfartest,dc=net";
-//    static String groupBaseDN = "ou=Groups,ou=ds,dc=canfartest,dc=net";
-    static String userBaseDN = "ou=Users,ou=ds,dc=canfar,dc=net";
-    static String groupBaseDN = "ou=Groups,ou=ds,dc=canfar,dc=net";
+    static String userBaseDN = "ou=Users,ou=ds,dc=canfartest,dc=net";
+    static String groupBaseDN = "ou=Groups,ou=ds,dc=canfartest,dc=net";
+    //static String userBaseDN = "ou=Users,ou=ds,dc=canfar,dc=net";
+    //static String groupBaseDN = "ou=Groups,ou=ds,dc=canfar,dc=net";
     
     static String daoTestDN1 = "cn=cadcdaotest1,ou=cadc,o=hia,c=ca";
     static String daoTestDN2 = "cn=cadcdaotest2,ou=cadc,o=hia,c=ca";
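Review bot: The hunk keeps the alternate `dc=canfar` base DNs as commented-out code, which is what the previous version did with the `dc=canfartest` pair; this is the same toggle moving back and forth by editing source. Delete the commented-out lines and make the base DN a test property with `canfartest` as the default, so switching environments does not require a commit.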
diff --git a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java
index 84ed2d88..a742fe5b 100644
--- a/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java
+++ b/projects/cadcAccessControl-Server/test/src/ca/nrc/cadc/ac/server/ldap/LdapUserDAOTest.java
@@ -94,7 +94,7 @@ public class LdapUserDAOTest
     
     static String server = "mach275.cadc.dao.nrc.ca";
     static int port = 389;
-    static String adminDN = "uid=webproxy,ou=administrators,ou=topologymanagement,o=netscaperoot";
+    static String adminDN = "uid=webproxy,ou=Webproxy,ou=topologymanagement,o=netscaperoot";
     static String adminPW = "go4it";
     static String userBaseDN = "ou=Users,ou=ds,dc=canfartest,dc=net";
     static String groupBaseDN = "ou=Groups,ou=ds,dc=canfartest,dc=net";
diff --git a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/Group.java b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/Group.java
index 3bb88cd4..f4e11a97 100644
--- a/projects/cadcAccessControl/src/ca/nrc/cadc/ac/Group.java
+++ b/projects/cadcAccessControl/src/ca/nrc/cadc/ac/Group.java
@@ -199,7 +199,7 @@ public class Group
     @Override
     public int hashCode()
     {
-        return 31 + groupID.hashCode();
+        return 31 + groupID.toLowerCase().hashCode();
     }
 
     /* (non-Javadoc)
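Review bot: `groupID.toLowerCase()` in hashCode folds case with the JVM default locale, while the new equals in the next hunk uses `equalsIgnoreCase`, which folds per character independently of locale; under a Turkish default locale, or for characters whose full lowercase mapping changes length, two groups can be equal yet hash differently, breaking the equals/hashCode contract for any HashSet or HashMap used in membership checks. Normalise both sides the same way: `return 31 + groupID.toLowerCase(Locale.ROOT).hashCode();` here and `if (!groupID.toLowerCase(Locale.ROOT).equals(other.groupID.toLowerCase(Locale.ROOT)))` in equals, importing `java.util.Locale`. A comment on hashCode explaining that group identity is case-insensitive to match the directory's cn matching would also help the next reader.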
@@ -221,7 +221,7 @@ public class Group
             return false;
         }
         Group other = (Group) obj;
-        if (!groupID.equals(other.groupID))
+        if (!groupID.equalsIgnoreCase(other.groupID))
         {
             return false;
         }
-- 
GitLab