directory-commits mailing list archives

From ersi...@apache.org
Subject svn commit: r438396 - in /directory/branches/apacheds/1.0: core-unit/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/partition/
Date Wed, 30 Aug 2006 06:36:16 GMT
Author: ersiner
Date: Tue Aug 29 23:36:15 2006
New Revision: 438396

URL: http://svn.apache.org/viewvc?rev=438396&view=rev
Log:
Fix for http://issues.apache.org/jira/browse/DIRSERVER-724 and http://issues.apache.org/jira/browse/DIRSERVER-725.
Also fixed a few more bugs I found while I was debugging.

Modified:
    directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
    directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
    directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/partition/PartitionNexusProxy.java

Modified: directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java?rev=438396&r1=438395&r2=438396&view=diff
==============================================================================
--- directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
(original)
+++ directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
Tue Aug 29 23:36:15 2006
@@ -435,7 +435,6 @@
      *
      * @throws javax.naming.NamingException if the test encounters an error
      */
-    /*
     public void testExportAndImportSeperately() throws NamingException
     {
         // ----------------------------------------------------------------------------
@@ -500,5 +499,4 @@
         deleteAccessControlSubentry( "grantImportToASubtree" );
         deleteUser( "billyd" );
     }
-    */
 }

Modified: directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=438396&r1=438395&r2=438396&view=diff
==============================================================================
--- directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
(original)
+++ directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Tue Aug 29 23:36:15 2006
@@ -112,8 +112,7 @@
         set.add( MicroOperation.REMOVE );
         REPLACE_PERMS = Collections.unmodifiableCollection( set );
 
-        set = new HashSet( 3 );
-        set.add( MicroOperation.IMPORT );
+        set = new HashSet( 2 );
         set.add( MicroOperation.EXPORT );
         set.add( MicroOperation.RENAME );
         MOVERENAME_PERMS = Collections.unmodifiableCollection( set );
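Review bot: Nothing next to `MOVERENAME_PERMS` records why IMPORT is no longer part of it, which makes the set easy to "repair" back to three entries later. Elsewhere in this commit the IMPORT check is made on its own against `newName` with the destination's prescriptive ACI tuples, so a comment above the set would carry that reasoning, e.g. `// IMPORT is deliberately absent: it is checked separately against the destination (newName), not the source entry`. The static initializer continues outside the hunk.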
@@ -818,12 +817,32 @@
         engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
             null, MOVERENAME_PERMS, tuples, entry );
 
+        // Get the entry again without operational attributes
+        // because access control subentry operational attributes
+        // will not be valid at the new location.
+        // This will certainly be fixed by the SubentryService,
+        // but after this service.
+        Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS
);
+        // As the target entry does not exist yet and so
+        // its subentry operational attributes are not there,
+        // we need to construct an entry to represent it
+        // at least with minimal requirements which are object class
+        // and access control subentry operational attributes.
+        SubentryService subentryService = ( SubentryService ) chain.get( "subentryService"
);
+        Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry
);
+        NamingEnumeration attrList = importedEntry.getAll();
+        while ( attrList.hasMore() )
+        {
+            subentryAttrs.put( ( Attribute ) attrList.next() );
+        }
+        
         Collection destTuples = new HashSet();
-        addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
-        addEntryAciTuples( destTuples, entry );
-        addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
-            null, IMPORT_PERMS, tuples, entry );
+        // Import permission is only valid for prescriptive ACIs
+        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        // Evaluate the target context to see whether it
+        // allows an entry named newName to be imported as a subordinate.
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
newName, null,
+            null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         //        if ( deleteOldRn )
         //        {
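Review bot: In the `while ( attrList.hasMore() )` loop the source entry's attributes are `put` on top of `subentryAttrs`, so any attribute id present in both ends up with the source value rather than the one `getSubentryAttributes( newName, importedEntry )` computed for the destination. That is harmless only while the `LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS` lookup really returns no access control subentry attributes. Because `subentryAttrs` feeds the IMPORT permission check, it would be safer to let the computed values win: `Attribute attr = ( Attribute ) attrList.next();` followed by `if ( subentryAttrs.get( attr.getID() ) == null ) { subentryAttrs.put( attr ); }`. The same loop is added in the @@ -893 hunk, and `attrList` is never closed in either place. The enclosing method starts and ends outside the hunk.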
@@ -893,13 +912,33 @@
 
         engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
             null, EXPORT_PERMS, tuples, entry );
-
+        
+        // Get the entry again without operational attributes
+        // because access control subentry operational attributes
+        // will not be valid at the new location.
+        // This will certainly be fixed by the SubentryService,
+        // but after this service.
+        Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS
);
+        // As the target entry does not exist yet and so
+        // its subentry operational attributes are not there,
+        // we need to construct an entry to represent it
+        // at least with minimal requirements which are object class
+        // and access control subentry operational attributes.
+        SubentryService subentryService = ( SubentryService ) chain.get( "subentryService"
);
+        Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry
);
+        NamingEnumeration attrList = importedEntry.getAll();
+        while ( attrList.hasMore() )
+        {
+            subentryAttrs.put( ( Attribute ) attrList.next() );
+        }
+        
         Collection destTuples = new HashSet();
-        addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
-        addEntryAciTuples( destTuples, entry );
-        addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
-            null, IMPORT_PERMS, tuples, entry );
+        // Import permission is only valid for prescriptive ACIs
+        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        // Evaluate the target context to see whether it
+        // allows an entry named newName to be imported as a subordinate.
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
newName, null,
+            null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         next.move( oriChildName, newParentName );
         tupleCache.subentryRenamed( oriChildName, newName );
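Review bot: The lines from `Attributes importedEntry = proxy.lookup(` down to the `IMPORT_PERMS` call to `engine.checkPermission(` are a verbatim copy of the block added in the @@ -818 hunk. Two copies of an authorization check tend to drift apart, so a private helper taking `proxy`, `oriChildName` and `newName` and returning the merged destination attributes would keep the move and move-and-rename paths in step. The unchecked cast of `chain.get( "subentryService" )` could then be handled in one place, for instance by failing with a NamingException when the interceptor is not in the chain (what `chain.get` returns in that case is not visible here). The enclosing method starts outside the hunk.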

Modified: directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/partition/PartitionNexusProxy.java
URL: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/partition/PartitionNexusProxy.java?rev=438396&r1=438395&r2=438396&view=diff
==============================================================================
--- directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/partition/PartitionNexusProxy.java
(original)
+++ directory/branches/apacheds/1.0/core/src/main/java/org/apache/directory/server/core/partition/PartitionNexusProxy.java
Tue Aug 29 23:36:15 2006
@@ -67,6 +67,8 @@
     public static final Collection LOOKUP_BYPASS;
     /** safe to use set of bypass instructions to getMatchedDn */
     public static final Collection GETMATCHEDDN_BYPASS;
+    /** safe to use set of bypass instructions to lookup raw entries excluding operational
attributes */
+    public static final Collection LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS;
     /** Bypass String to use when ALL interceptors should be skipped */
     public static final String BYPASS_ALL = "*";
     /** Bypass String to use when ALL interceptors should be skipped */
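Review bot: The javadoc on `LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS` calls the set "safe to use" without saying under what conditions. The entries added to it in the static initializer (the @@ -106 hunk) include `authenticationService`, `authorizationService` and `defaultAuthorizationService`, so a lookup made with it is not access-checked. The comment should say so, e.g. `/** bypass set for internal lookups of an entry without operational attributes; skips authentication and authorization, so the result must not be handed to a client unchecked */`. The field is `public static final`, so the comment is the only thing that tells other callers about this constraint. It would also help to name the interceptor that is relied on to strip the operational attributes, since the set lists only what is skipped.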
@@ -106,6 +108,17 @@
         c.add( "referralService" );
         c.add( "eventService" );
         GETMATCHEDDN_BYPASS = Collections.unmodifiableCollection( c );
+        
+        c = new HashSet();
+        c.add( "normalizationService" );
+        c.add( "authenticationService" );
+        c.add( "authorizationService" );
+        c.add( "defaultAuthorizationService" );
+        c.add( "schemaService" );
+        c.add( "subentryService" );
+        c.add( "referralService" );
+        c.add( "eventService" );
+        LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS = Collections.unmodifiableCollection( c );
     }
 
 


