directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ersi...@apache.org
Subject svn commit: r438406 - in /directory/trunks/apacheds: core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Date Wed, 30 Aug 2006 07:09:50 GMT
Author: ersiner
Date: Wed Aug 30 00:09:49 2006
New Revision: 438406

URL: http://svn.apache.org/viewvc?rev=438406&view=rev
Log:
Fix for http://issues.apache.org/jira/browse/DIRSERVER-724 and http://issues.apache.org/jira/browse/DIRSERVER-725.
Also fixed a few more bugs I found while I was debugging.

Modified:
    directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
    directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java

Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java?rev=438406&r1=438405&r2=438406&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
(original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
Wed Aug 30 00:09:49 2006
@@ -65,7 +65,7 @@
             // create the new entry as the admin user
             adminContext.createSubcontext( entryRdn, testEntry );
 
-            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" ); 
             DirContext userContext = getContextAs( userName, password );
             userContext.rename( entryRdn, newRdn );
 
@@ -423,6 +423,80 @@
 
         // now let's cleanup
         deleteAccessControlSubentry( "grantMoveByAny" );
+        deleteUser( "billyd" );
+    }
+    
+    
+    /**
+     * FIXME: THIS TEST FAILS
+     * 
+     * Checks to make sure Export and Import permissions work correctly
+     * when they are defined on seperate contexts.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    public void testExportAndImportSeperately() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups"
) );
+
+        
+        // Gives grantBrowse perm to all users in the Administrators
+        // group for entries
+        // It's is needed just to read navigate the tree at root
+        createAccessControlSubentry(
+            "grantBrowseForTheWholeNamingContext",
+            "{ }",
+            "{ " + "identificationTag \"browseACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantBrowse } } } } }" );
+        
+        // Gives grantExport, grantRename perm to all users in the Administrators
+        // group for entries
+        createAccessControlSubentry(
+            "grantExportFromASubtree",
+            "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users"
}
+            "{ " + "identificationTag \"exportACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantExport, grantRename } } } } }" );
+        
+        // Gives grantImport perm to all users in the Administrators
+        // group for the target context
+        createAccessControlSubentry(
+            "grantImportToASubtree",
+            "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups"
}
+            "{ " + "identificationTag \"importACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantImport } } } } }" );
+
+        // see if we can move and rename the test entry which we could not before
+        // op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups"
) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try move w/ rdn change which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups"
) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
+        deleteAccessControlSubentry( "grantExportFromASubtree" );
+        deleteAccessControlSubentry( "grantImportToASubtree" );
         deleteUser( "billyd" );
     }
 }

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=438406&r1=438405&r2=438406&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
(original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Wed Aug 30 00:09:49 2006
@@ -112,8 +112,7 @@
         set.add( MicroOperation.REMOVE );
         REPLACE_PERMS = Collections.unmodifiableCollection( set );
 
-        set = new HashSet( 3 );
-        set.add( MicroOperation.IMPORT );
+        set = new HashSet( 2 );
         set.add( MicroOperation.EXPORT );
         set.add( MicroOperation.RENAME );
         MOVERENAME_PERMS = Collections.unmodifiableCollection( set );
@@ -818,12 +817,32 @@
         engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
             null, MOVERENAME_PERMS, tuples, entry );
 
+        // Get the entry again without operational attributes
+        // because access control subentry operational attributes
+        // will not be valid at the new location.
+        // This will certainly be fixed by the SubentryService,
+        // but after this service.
+        Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS
);
+        // As the target entry does not exist yet and so
+        // its subentry operational attributes are not there,
+        // we need to construct an entry to represent it
+        // at least with minimal requirements which are object class
+        // and access control subentry operational attributes.
+        SubentryService subentryService = ( SubentryService ) chain.get( "subentryService"
);
+        Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry
);
+        NamingEnumeration attrList = importedEntry.getAll();
+        while ( attrList.hasMore() )
+        {
+            subentryAttrs.put( ( Attribute ) attrList.next() );
+        }
+        
         Collection destTuples = new HashSet();
-        addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
-        addEntryAciTuples( destTuples, entry );
-        addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
-            null, IMPORT_PERMS, tuples, entry );
+        // Import permission is only valid for prescriptive ACIs
+        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        // Evaluate the target context to see whether it
+        // allows an entry named newName to be imported as a subordinate.
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
newName, null,
+            null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         //        if ( deleteOldRn )
         //        {
@@ -893,13 +912,33 @@
 
         engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
             null, EXPORT_PERMS, tuples, entry );
-
+        
+        // Get the entry again without operational attributes
+        // because access control subentry operational attributes
+        // will not be valid at the new location.
+        // This will certainly be fixed by the SubentryService,
+        // but after this service.
+        Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS
);
+        // As the target entry does not exist yet and so
+        // its subentry operational attributes are not there,
+        // we need to construct an entry to represent it
+        // at least with minimal requirements which are object class
+        // and access control subentry operational attributes.
+        SubentryService subentryService = ( SubentryService ) chain.get( "subentryService"
);
+        Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry
);
+        NamingEnumeration attrList = importedEntry.getAll();
+        while ( attrList.hasMore() )
+        {
+            subentryAttrs.put( ( Attribute ) attrList.next() );
+        }
+        
         Collection destTuples = new HashSet();
-        addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
-        addEntryAciTuples( destTuples, entry );
-        addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null,
-            null, IMPORT_PERMS, tuples, entry );
+        // Import permission is only valid for prescriptive ACIs
+        addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+        // Evaluate the target context to see whether it
+        // allows an entry named newName to be imported as a subordinate.
+        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
newName, null,
+            null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         next.move( oriChildName, newParentName );
         tupleCache.subentryRenamed( oriChildName, newName );



Mime
View raw message