/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2008 Sun Microsystems, Inc.
* Portions Copyright 2014-2015 ForgeRock AS
*/
package org.opends.server.extensions;
import java.net.Socket;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.TestCaseUtils;
import org.opends.server.controls.ProxiedAuthV2Control;
import org.opends.server.core.ExtendedOperation;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.ldap.ExtendedRequestProtocolOp;
import org.opends.server.protocols.ldap.ExtendedResponseProtocolOp;
import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.LDAPResultCode;
import org.opends.server.protocols.ldap.UnbindRequestProtocolOp;
import org.opends.server.tools.LDAPAuthenticationHandler;
import org.opends.server.tools.LDAPReader;
import org.opends.server.tools.LDAPWriter;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.Entry;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;
import static org.opends.server.util.CollectionUtils.*;
import static org.opends.server.util.ServerConstants.*;
import static org.testng.Assert.*;
/**
* A set of test cases for the "Who Am I?" extended operation.
*/
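public class WhoAmIExtendedOperationTestCase
       extends ExtensionsTestCase
{
  /** Password shared by every fixture user these tests add. */
  private static final String PASSWORD = "password";

  /** DN of the ordinary (unprivileged) fixture user. */
  private static final String TEST_USER_DN = "uid=test.user,o=test";

  /** Authorization ID the server is expected to report for the fixture user. */
  private static final String TEST_USER_AUTHZID = "dn:" + TEST_USER_DN;

  /**
   * Ensures that the Directory Server is running.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @BeforeClass
  public void startServer()
         throws Exception
  {
    TestCaseUtils.startServer();
  }

  /**
   * Adds an inetOrgPerson fixture entry {@code uid=<uid>,o=test} whose
   * {@code uid} attribute always matches its RDN, with password
   * {@link #PASSWORD} and the given {@code ds-privilege-name} values.
   *
   * @param  uid         The uid of the user, also used in the RDN.
   * @param  givenName   The given name; the cn is {@code givenName + " User"}.
   * @param  privileges  Privilege names to grant (may be empty).
   *
   * @return  The entry that was added.
   *
   * @throws  Exception  If the entry cannot be added.
   */
  private static Entry addUser(String uid, String givenName,
                               String... privileges)
          throws Exception
  {
    List<String> ldif = newArrayList(
        "dn: uid=" + uid + ",o=test",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "uid: " + uid,
        "givenName: " + givenName,
        "sn: User",
        "cn: " + givenName + " User",
        "userPassword: " + PASSWORD);
    for (String privilege : privileges)
    {
      ldif.add("ds-privilege-name: " + privilege);
    }
    return TestCaseUtils.addEntry(ldif.toArray(new String[ldif.size()]));
  }

  /**
   * Sends an unbind request on the given connection.
   *
   * @param  writer         The writer for the LDAP connection.
   * @param  nextMessageID  The message ID counter for the connection.
   *
   * @throws  Exception  If the request cannot be written.
   */
  private static void unbind(LDAPWriter writer, AtomicInteger nextMessageID)
          throws Exception
  {
    writer.writeMessage(new LDAPMessage(nextMessageID.getAndIncrement(),
                                        new UnbindRequestProtocolOp()));
  }

  /**
   * Sends a "Who Am I?" extended request carrying a proxied authorization v2
   * control for the given authorization ID and returns the server's response.
   *
   * @param  reader          The reader for the LDAP connection.
   * @param  writer          The writer for the LDAP connection.
   * @param  nextMessageID   The message ID counter for the connection.
   * @param  proxiedAuthzID  The authorization ID to place in the control.
   *
   * @return  The extended response returned by the server.
   *
   * @throws  Exception  If the exchange fails.
   */
  private static ExtendedResponseProtocolOp whoAmIWithProxiedAuth(
      LDAPReader reader, LDAPWriter writer, AtomicInteger nextMessageID,
      String proxiedAuthzID)
          throws Exception
  {
    ArrayList<Control> requestControls = new ArrayList<>(1);
    requestControls.add(new ProxiedAuthV2Control(
        ByteString.valueOfUtf8(proxiedAuthzID)));
    LDAPMessage message = new LDAPMessage(nextMessageID.getAndIncrement(),
        new ExtendedRequestProtocolOp(OID_WHO_AM_I_REQUEST), requestControls);
    writer.writeMessage(message);
    return reader.readMessage().getExtendedResponseProtocolOp();
  }

  /**
   * Tests the use of the Who Am I? extended operation with an internal
   * connection authenticated as a root user.
   */
  @Test
  public void testAsInternalRootUser()
  {
    InternalClientConnection conn =
         InternalClientConnection.getRootConnection();
    ExtendedOperation extOp =
         conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
    assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
    assertNotNull(extOp.getResponseValue());
    // The exact DN reported for the root user depends on the server's root
    // DN configuration, so only require that an authenticated ("dn:") identity
    // is reported rather than the anonymous (empty) one.
    assertTrue(extOp.getResponseValue().toString().startsWith("dn:"));
  }

  /**
   * Tests the use of the Who Am I? extended operation with an internal
   * unauthenticated connection.  An anonymous connection must not be reported
   * as any identity, so the response value must be empty.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testAsInternalAnonymous()
         throws Exception
  {
    InternalClientConnection conn = new InternalClientConnection(DN.rootDN());
    ExtendedOperation extOp =
         conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
    assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
    assertNotNull(extOp.getResponseValue());
    assertEquals(extOp.getResponseValue().toString(), "");
  }

  /**
   * Tests the use of the Who Am I? extended operation with an internal
   * connection authenticated as a normal user, and checks that the reported
   * identity is that user.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testAsInternalNormalUser()
         throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);
    Entry e = addUser("test.user", "Test");

    InternalClientConnection conn =
         new InternalClientConnection(new AuthenticationInfo(e, false));
    ExtendedOperation extOp =
         conn.processExtendedOperation(OID_WHO_AM_I_REQUEST, null);
    assertEquals(extOp.getResultCode(), ResultCode.SUCCESS);
    assertNotNull(extOp.getResponseValue());
    assertEquals(extOp.getResponseValue().toString(), TEST_USER_AUTHZID);
  }

  /**
   * Tests the use of the Who Am I? extended operation with an LDAP connection
   * authenticated as a root user.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testAsLDAPRootUser()
         throws Exception
  {
    // try-with-resources closes the socket even when an assertion fails.
    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      authHandler.doSimpleBind(3, ByteString.valueOfUtf8("cn=Directory Manager"),
                               ByteString.valueOfUtf8(PASSWORD),
                               new ArrayList<Control>(),
                               new ArrayList<Control>());

      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNotNull(authzID);
      // The DN the server reports for the root user is not necessarily the
      // bind DN used above, so only require a "dn:" (authenticated) identity.
      assertTrue(authzID.toString().startsWith("dn:"));

      unbind(writer, nextMessageID);
    }
  }

  /**
   * Tests the use of the Who Am I? extended operation with an unauthenticated
   * LDAP connection.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testAsLDAPAnonymous()
         throws Exception
  {
    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      // No bind: the handler reports no authorization identity at all for an
      // anonymous connection.
      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNull(authzID);

      unbind(writer, nextMessageID);
    }
  }

  /**
   * Tests the use of the Who Am I? extended operation with an LDAP connection
   * authenticated as a normal user, and checks that the reported identity is
   * that user.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testAsLDAPNormalUser()
         throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);
    addUser("test.user", "Test");

    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      authHandler.doSimpleBind(3, ByteString.valueOfUtf8(TEST_USER_DN),
                               ByteString.valueOfUtf8(PASSWORD),
                               new ArrayList<Control>(),
                               new ArrayList<Control>());

      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNotNull(authzID);
      assertEquals(authzID.toString(), TEST_USER_AUTHZID);

      unbind(writer, nextMessageID);
    }
  }

  /**
   * Tests the use of the "Who Am I?" extended operation when used by a client
   * that has authenticated using a SASL mechanism and specified an alternate
   * authorization identity.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testWithAlternateSASLAuthzID()
         throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);
    addUser("test.user", "Test");
    addUser("proxy.user", "Proxy", "bypass-acl", "proxied-auth");

    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);

      // Bind as the proxy user with an alternate authorization identity, and
      // use the "Who Am I?" operation.
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      HashMap<String,List<String>> saslProperties = new HashMap<>(2);
      saslProperties.put("authID", newArrayList("dn:uid=proxy.user,o=test"));
      saslProperties.put("authzID", newArrayList(TEST_USER_AUTHZID));

      authHandler.doSASLPlain(ByteString.empty(),
                              ByteString.valueOfUtf8(PASSWORD), saslProperties,
                              new ArrayList<Control>(),
                              new ArrayList<Control>());

      // The reported identity must be the requested authzID, not the authID.
      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNotNull(authzID);
      assertEquals(authzID.toString(), TEST_USER_AUTHZID);

      unbind(writer, nextMessageID);
    }
  }

  /**
   * Tests the use of the Who Am I? extended operation in conjunction with the
   * proxied authorization control by an appropriately authorized user.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testWithAllowedProxiedAuthControl()
         throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);
    addUser("test.user", "Test");
    addUser("proxy.user", "Proxy", "bypass-acl", "proxied-auth");

    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);

      // Bind as the proxy user and use the "Who Am I?" operation, but without
      // the proxied auth control.
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      authHandler.doSimpleBind(3, ByteString.valueOfUtf8("uid=proxy.user,o=test"),
                               ByteString.valueOfUtf8(PASSWORD),
                               new ArrayList<Control>(),
                               new ArrayList<Control>());

      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNotNull(authzID);
      assertEquals(authzID.toString(), "dn:uid=proxy.user,o=test");

      // Use the "Who Am I?" operation again, this time with the proxy control;
      // the reported identity must now be the proxied user.
      ExtendedResponseProtocolOp extendedResponse =
           whoAmIWithProxiedAuth(reader, writer, nextMessageID,
                                 TEST_USER_AUTHZID);
      assertEquals(extendedResponse.getResultCode(), LDAPResultCode.SUCCESS);

      authzID = extendedResponse.getValue();
      assertNotNull(authzID);
      assertEquals(authzID.toString(), TEST_USER_AUTHZID);

      unbind(writer, nextMessageID);
    }
  }

  /**
   * Tests the use of the Who Am I? extended operation in conjunction with the
   * proxied authorization control by a user who doesn't have the rights to use
   * that control.  The user holds bypass-acl but not proxied-auth, so this also
   * checks that bypass-acl alone does not permit impersonation.
   *
   * @throws  Exception  If an unexpected problem occurs.
   */
  @Test
  public void testWithDisallowedProxiedAuthControl()
         throws Exception
  {
    TestCaseUtils.initializeTestBackend(true);
    addUser("test.user", "Test");
    // Note: the uid attribute now matches the RDN (the original fixture gave
    // this entry "uid: proxy.user").
    addUser("cantproxy.user", "Cantproxy", "bypass-acl");

    try (Socket s = new Socket("127.0.0.1", TestCaseUtils.getServerLdapPort()))
    {
      LDAPReader reader = new LDAPReader(s);
      LDAPWriter writer = new LDAPWriter(s);

      // Bind as the unprivileged user and use the "Who Am I?" operation, but
      // without the proxied auth control.
      AtomicInteger nextMessageID = new AtomicInteger(1);
      LDAPAuthenticationHandler authHandler =
           new LDAPAuthenticationHandler(reader, writer, "localhost",
                                         nextMessageID);

      authHandler.doSimpleBind(3,
                               ByteString.valueOfUtf8("uid=cantproxy.user,o=test"),
                               ByteString.valueOfUtf8(PASSWORD),
                               new ArrayList<Control>(),
                               new ArrayList<Control>());

      ByteString authzID = authHandler.requestAuthorizationIdentity();
      assertNotNull(authzID);
      assertEquals(authzID.toString(), "dn:uid=cantproxy.user,o=test");

      // Use the "Who Am I?" operation again, this time with the proxy control.
      // The server must refuse, and must not leak any identity in the response.
      ExtendedResponseProtocolOp extendedResponse =
           whoAmIWithProxiedAuth(reader, writer, nextMessageID,
                                 TEST_USER_AUTHZID);
      assertEquals(extendedResponse.getResultCode(),
                   LDAPResultCode.AUTHORIZATION_DENIED);
      assertNull(extendedResponse.getValue());

      unbind(writer, nextMessageID);
    }
  }
}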