directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r320926 - in /directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz: AbstractAuthorizationTest.java AddAuthorizationTest.java AuthorizationServiceAsNonAdminTest.java
Date Thu, 13 Oct 2005 21:23:33 GMT
Author: akarasulu
Date: Thu Oct 13 14:23:27 2005
New Revision: 320926

URL: http://svn.apache.org/viewcvs?rev=320926&view=rev
Log:
organizing unit tests for ACI: added base class and cleaned up add operation tests

Added:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
  (with props)
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
  (with props)
Modified:
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java

Added: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java?rev=320926&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
(added)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
Thu Oct 13 14:23:27 2005
@@ -0,0 +1,159 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.ldap.server.authz;
+
+
+import org.apache.ldap.server.AbstractNonAdminTestCase;
+import org.apache.ldap.server.subtree.SubentryService;
+import org.apache.ldap.common.name.LdapName;
+
+import javax.naming.directory.*;
+import javax.naming.NamingException;
+import javax.naming.Name;
+import java.util.Hashtable;
+
+
+/**
+ * A base class used for authorization tests.  It has some extra utility methods
+ * added to it which are required by all authorization tests.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public abstract class AbstractAuthorizationTest extends AbstractNonAdminTestCase
+{
+    public AbstractAuthorizationTest()
+    {
+        super();
+        super.configuration.setAccessControlEnabled( true );
+    }
+
+
+    // -----------------------------------------------------------------------
+    // Utility methods used by subclasses
+    // -----------------------------------------------------------------------
+
+
+    public DirContext getAdminContext() throws NamingException
+    {
+        return getAdminContext( "ou=system" );
+    }
+
+
+    public DirContext getAdminContext( String dn ) throws NamingException
+    {
+        Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
+        env.put( DirContext.PROVIDER_URL, dn );
+        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+        env.put( DirContext.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
+        env.put( DirContext.SECURITY_CREDENTIALS, "secret" );
+        return new InitialDirContext( env );
+    }
+
+
+    public Name createGroup( String cn, String firstMemberDn ) throws NamingException
+    {
+        DirContext adminCtx = getAdminContext();
+        Attributes group = new BasicAttributes( "cn", cn, true );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        group.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "groupOfUniqueNames" );
+        group.put( "uniqueMember", firstMemberDn );
+        adminCtx.createSubcontext( "cn="+cn+",ou=groups", group );
+        return new LdapName( "cn="+cn+",ou=groups,ou=system" );
+    }
+
+
+    public Name createUser( String uid, String password ) throws NamingException
+    {
+        DirContext adminCtx = getAdminContext();
+        Attributes user = new BasicAttributes( "uid", uid, true );
+        user.put( "userPassword", password );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        user.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "person" );
+        objectClass.add( "organizationalPerson" );
+        objectClass.add( "inetOrgPerson" );
+        user.put( "sn", uid );
+        user.put( "cn", uid );
+        adminCtx.createSubcontext( "uid="+uid+",ou=users", user );
+        return new LdapName( "uid="+uid+",ou=users,ou=system" );
+    }
+
+
+    public void addUserToGroup( String userUid, String groupCn ) throws NamingException
+    {
+        DirContext adminCtx = getAdminContext();
+        Attributes changes = new BasicAttributes( "uniqueMember",
+                "uid="+userUid+",ou=users,ou=system", true );
+        adminCtx.modifyAttributes( "cn="+groupCn+",ou=groups",
+                DirContext.ADD_ATTRIBUTE, changes );
+    }
+
+
+    public DirContext getUserContext( Name user, String password ) throws NamingException
+    {
+        return getUserContext( user, password, "ou=system" );
+    }
+
+
+    public DirContext getUserContext( Name user, String password, String dn ) throws NamingException
+    {
+        Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
+        env.put( DirContext.PROVIDER_URL, dn );
+        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+        env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
+        env.put( DirContext.SECURITY_CREDENTIALS, password );
+        return new InitialDirContext( env );
+    }
+
+
+    /**
+     * Creates an access control subentry under ou=system whose subtree covers
+     * the entire naming context.
+     *
+     * @param cn the common name and rdn for the subentry
+     * @param aciItem the prescriptive ACI attribute value
+     * @throws NamingException if there is a problem creating the subentry
+     */
+    public void createAccessControlSubentry( String cn, String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getAdminContext();
+
+        // modify ou=system to be an AP for an A/C AA if it is not already
+        Attributes ap = adminCtx.getAttributes( "" );
+        Attribute administrativeRole = ap.get( "administrativeRole" );
+        if ( administrativeRole == null || ! administrativeRole.contains( SubentryService.AC_AREA
) )
+        {
+            Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA,
true );
+            adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
+        }
+
+        // now add the A/C subentry below ou=system
+        Attributes subentry = new BasicAttributes( "cn", cn, true );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        subentry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "subentry" );
+        objectClass.add( "accessControlSubentry" );
+        subentry.put( "subtreeSpecification", "{}" );
+        subentry.put( "prescriptiveACI", aciItem );
+        adminCtx.createSubcontext( "cn=" + cn, subentry );
+    }
+}

Propchange: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AbstractAuthorizationTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java?rev=320926&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
(added)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
Thu Oct 13 14:23:27 2005
@@ -0,0 +1,200 @@
+/*
+ *   Copyright 2004 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+package org.apache.ldap.server.authz;
+
+
+import org.apache.ldap.common.exception.LdapNoPermissionException;
+import org.apache.ldap.common.name.LdapName;
+
+import javax.naming.NamingException;
+import javax.naming.directory.*;
+
+
+/**
+ * Tests whether or not authorization around entry addition works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class AddAuthorizationTest extends AbstractAuthorizationTest
+{
+    /**
+     * Checks if a simple entry (organizationalUnit) can be added to the DIT at an
+     * RDN relative to ou=system by a specific non-admin user.  If a permission exception
+     * is encountered it is caught and false is returned, otherwise true is returned
+     * when the entry is created.  The entry is deleted after being created just in case
+     * subsequent calls to this method do not fail: the admin account is used to delete
+     * this test entry so permissions to delete are not required to delete it by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry creation is tested
+     * @return true if the entry can be created by the user at the specified location, false
otherwise
+     * @throws NamingException if there are problems conducting the test
+     */
+    public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws
NamingException
+    {
+        // try an add operation which should fail without any ACI
+        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+
+        try
+        {
+            LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+            DirContext userContext = getUserContext( userName, "billyd" );
+            userContext.createSubcontext( entryRdn, testEntry );
+
+            // delete the newly created context as the admin user
+            DirContext adminContext = getAdminContext();
+            adminContext.destroySubcontext( entryRdn );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    public void testGrantAddAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // Gives grantAdd perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } },
" +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantAdd } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // add op should still fail since billd is not in the admin group
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try an add operation which should succeed with ACI and group membership change
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    public void testGrantAddByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantAdd } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    public void testGrantAddBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantAdd } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    public void testGrantAddAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " +
+                "identificationTag \"addAci\", " +
+                "precedence 14, " +
+                "authenticationLevel none, " +
+                "itemOrUserFirst userFirst: { " +
+                "userClasses { allUsers }, " +
+                "userPermissions { { " +
+                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+                "grantsAndDenials { grantAdd } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // should work now with billyd now that all users are authorized
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+}

Propchange: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AddAuthorizationTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java?rev=320926&r1=320925&r2=320926&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java
(original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/AuthorizationServiceAsNonAdminTest.java
Thu Oct 13 14:23:27 2005
@@ -41,13 +41,6 @@
  */
 public class AuthorizationServiceAsNonAdminTest extends AbstractNonAdminTestCase
 {
-    public AuthorizationServiceAsNonAdminTest()
-    {
-        super();
-        super.configuration.setAccessControlEnabled( true );
-    }
-
-
     /**
      * Makes sure a non-admin user cannot delete the admin account.
      *
@@ -127,265 +120,5 @@
         assertTrue( set.contains( "ou=users,ou=system" ) );
         assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
         assertFalse( set.contains( "uid=admin,ou=system" ) );
-    }
-
-
-    private DirContext getAdminContext() throws NamingException
-    {
-        Hashtable env = ( Hashtable ) ( ( Hashtable ) sysRoot.getEnvironment() ).clone();
-        env.put( DirContext.PROVIDER_URL, "ou=system" );
-        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
-        env.put( DirContext.SECURITY_PRINCIPAL, "uid=admin,ou=system" );
-        env.put( DirContext.SECURITY_CREDENTIALS, "secret" );
-        return new InitialDirContext( env );
-    }
-
-
-    public void testGrantAddAllUsers() throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-
-        // modify ou=system to be an AP for an A/C AA
-        Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA,
true );
-        adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
-        // try an add operation which should fail without any ACI
-        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
-        Attribute objectClass = new BasicAttribute( "objectClass" );
-        testEntry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "organizationalUnit" );
-
-        try
-        {
-            sysRoot.createSubcontext( "ou=testou", testEntry );
-            fail( "should never get here due to a permission exception" );
-        }
-        catch ( LdapNoPermissionException e ) {}
-
-        // now add a subentry that enables anyone to add an entry below ou=system
-        Attributes subentry = new BasicAttributes( "cn", "anybodyAdd", true );
-        objectClass = new BasicAttribute( "objectClass" );
-        subentry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "subentry" );
-        objectClass.add( "accessControlSubentry" );
-        subentry.put( "subtreeSpecification", "{}" );
-        subentry.put( "prescriptiveACI", "{ " +
-                "identificationTag \"addAci\", " +
-                "precedence 14, " +
-                "authenticationLevel none, " +
-                "itemOrUserFirst userFirst: { " +
-                "userClasses { allUsers }, " +
-                "userPermissions { { " +
-                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-                "grantsAndDenials { grantAdd } } } } }" );
-        adminCtx.createSubcontext( "cn=anybodyAdd", subentry );
-
-        // see if we can now add that test entry which we could not before
-        testEntry = new BasicAttributes( "ou", "testou", true );
-        objectClass = new BasicAttribute( "objectClass" );
-        testEntry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "organizationalUnit" );
-        sysRoot.createSubcontext( "ou=testou", testEntry );
-    }
-
-
-    public Name createTestUser( String uid ) throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-
-        Attributes testUser = new BasicAttributes( "uid", uid, true );
-        testUser.put( "userPassword", uid );
-        Attribute objectClass = new BasicAttribute( "objectClass" );
-        testUser.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "person" );
-        objectClass.add( "organizationalPerson" );
-        objectClass.add( "inetOrgPerson" );
-
-        adminCtx.createSubcontext( "uid="+uid+",ou=users", testUser );
-        return new LdapName( "uid="+uid+",ou=users,ou=system" );
-    }
-
-
-    public void addUserToGroup( String userUid, String groupCn ) throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-        Attributes changes = new BasicAttributes( "uniqueMember", "uid="+userUid+",ou=users,ou=system",
true );
-        adminCtx.modifyAttributes( "cn="+groupCn+",ou=groups", DirContext.ADD_ATTRIBUTE,
changes );
-    }
-
-
-    public DirContext getUserContext( Name user, String password ) throws NamingException
-    {
-        Hashtable env = ( Hashtable ) ( ( Hashtable ) sysRoot.getEnvironment() ).clone();
-        env.put( DirContext.PROVIDER_URL, "ou=system" );
-        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
-        env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
-        env.put( DirContext.SECURITY_CREDENTIALS, password );
-        return new InitialDirContext( env );
-    }
-
-
-    public void testGrantAddAdministrators() throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-
-        // modify ou=system to be an AP for an A/C AA
-        Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA,
true );
-        adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
-        Name userName = createTestUser( "billyd" );
-
-        // try an add operation which should fail without any ACI
-        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
-        Attribute objectClass = new BasicAttribute( "objectClass" );
-        testEntry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "organizationalUnit" );
-
-        try
-        {
-            DirContext userContext = getUserContext( userName, "billyd" );
-            userContext.createSubcontext( "ou=testou", testEntry );
-            fail( "should never get here due to a permission exception" );
-        }
-        catch ( LdapNoPermissionException e ) {}
-
-        // now add a subentry that enables users in the admin group to add an entry below
ou=system
-        Attributes subentry = new BasicAttributes( "cn", "administratorAdd", true );
-        objectClass = new BasicAttribute( "objectClass" );
-        subentry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "subentry" );
-        objectClass.add( "accessControlSubentry" );
-        subentry.put( "subtreeSpecification", "{}" );
-        subentry.put( "prescriptiveACI", "{ " +
-                "identificationTag \"addAci\", " +
-                "precedence 14, " +
-                "authenticationLevel none, " +
-                "itemOrUserFirst userFirst: { " +
-                "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } },
" +
-                "userPermissions { { " +
-                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-                "grantsAndDenials { grantAdd } } } } }" );
-        adminCtx.createSubcontext( "cn=administratorAdd", subentry );
-
-        // see if we can now add that test entry which we could not before
-        // add op should still fail since akarasulu is not in the admin group
-        try
-        {
-            DirContext userContext = getUserContext( userName, "billyd" );
-            userContext.createSubcontext( "ou=testou", testEntry );
-            fail( "should never get here due to a permission exception" );
-        }
-        catch ( LdapNoPermissionException e ) {}
-
-        // now add akarasulu to the Administrator group and try again
-        addUserToGroup( "billyd", "Administrators" );
-        DirContext userContext = getUserContext( userName, "billyd" );
-        userContext.createSubcontext( "ou=testou", testEntry );
-    }
-
-
-    public void testGrantAddByName() throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-
-        // modify ou=system to be an AP for an A/C AA
-        Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA,
true );
-        adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
-        Name userName = createTestUser( "billyd" );
-
-        // try an add operation which should fail without any ACI
-        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
-        Attribute objectClass = new BasicAttribute( "objectClass" );
-        testEntry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "organizationalUnit" );
-
-        try
-        {
-            DirContext userContext = getUserContext( userName, "billyd" );
-            userContext.createSubcontext( "ou=testou", testEntry );
-            fail( "should never get here due to a permission exception" );
-        }
-        catch ( LdapNoPermissionException e ) {}
-
-        // now add a subentry that enables user billyd to add an entry below ou=system
-        Attributes subentry = new BasicAttributes( "cn", "billydAdd", true );
-        objectClass = new BasicAttribute( "objectClass" );
-        subentry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "subentry" );
-        objectClass.add( "accessControlSubentry" );
-        subentry.put( "subtreeSpecification", "{}" );
-        subentry.put( "prescriptiveACI", "{ " +
-                "identificationTag \"addAci\", " +
-                "precedence 14, " +
-                "authenticationLevel none, " +
-                "itemOrUserFirst userFirst: { " +
-                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
-                "userPermissions { { " +
-                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-                "grantsAndDenials { grantAdd } } } } }" );
-        adminCtx.createSubcontext( "cn=billydAdd", subentry );
-
-        // should work now that billyd is authorized
-        DirContext userContext = getUserContext( userName, "billyd" );
-        userContext.createSubcontext( "ou=testou", testEntry );
-    }
-
-
-    public void testGrantAddBySubtree() throws NamingException
-    {
-        DirContext adminCtx = getAdminContext();
-
-        // modify ou=system to be an AP for an A/C AA
-        Attributes changes = new BasicAttributes( "administrativeRole", SubentryService.AC_AREA,
true );
-        adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
-
-        Name userName = createTestUser( "billyd" );
-
-        // try an add operation which should fail without any ACI
-        Attributes testEntry = new BasicAttributes( "ou", "testou", true );
-        Attribute objectClass = new BasicAttribute( "objectClass" );
-        testEntry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "organizationalUnit" );
-
-        try
-        {
-            DirContext userContext = getUserContext( userName, "billyd" );
-            userContext.createSubcontext( "ou=testou", testEntry );
-            fail( "should never get here due to a permission exception" );
-        }
-        catch ( LdapNoPermissionException e ) {}
-
-        // now add a subentry that enables user billyd to add an entry below ou=system
-        Attributes subentry = new BasicAttributes( "cn", "billydAdd", true );
-        objectClass = new BasicAttribute( "objectClass" );
-        subentry.put( objectClass );
-        objectClass.add( "top" );
-        objectClass.add( "subentry" );
-        objectClass.add( "accessControlSubentry" );
-        subentry.put( "subtreeSpecification", "{}" );
-        subentry.put( "prescriptiveACI", "{ " +
-                "identificationTag \"addAci\", " +
-                "precedence 14, " +
-                "authenticationLevel none, " +
-                "itemOrUserFirst userFirst: { " +
-                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
-                "userPermissions { { " +
-                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-                "grantsAndDenials { grantAdd } } } } }" );
-        adminCtx.createSubcontext( "cn=billydAdd", subentry );
-
-        // should work now that billyd is authorized
-        DirContext userContext = getUserContext( userName, "billyd" );
-        userContext.createSubcontext( "ou=testou", testEntry );
     }
 }



Mime
View raw message