directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From akaras...@apache.org
Subject svn commit: r439119 - in /directory/trunks/apacheds: core-unit/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/ core/src/main/java/org/apache/directory/server/core/authz/
Date Fri, 01 Sep 2006 00:38:33 GMT
Author: akarasulu
Date: Thu Aug 31 17:38:32 2006
New Revision: 439119

URL: http://svn.apache.org/viewvc?rev=439119&view=rev
Log:
Fix for DIRSERVER-617: Add ACI for Administrators group if not already present

Added:
    directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupTest.java
      - copied unchanged from r439118, directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupTest.java
Modified:
    directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
    directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
    directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
    directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
    directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
    directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java

Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java Thu Aug 31 17:38:32 2006
@@ -158,6 +158,25 @@
 
 
     /**
+     * Creates a simple groupOfUniqueNames under the ou=groups,ou=system
+     * container.  The admin user is always a member of this newly created 
+     * group.
+     */
+    public Name createGroup( String groupName ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes group = new BasicAttributes( true );
+        Attribute objectClass = new BasicAttribute( "objectClass" );
+        group.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "groupOfUniqueNames" );
+        group.put( "uniqueMember", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+        adminCtx.createSubcontext( "cn=" + groupName + ",ou=groups", group );
+        return new LdapDN( "cn=" + groupName + ",ou=groups,ou=system" );
+    }
+
+
+    /**
      * Adds an existing user under ou=users,ou=system to an existing group under the
      * ou=groups,ou=system container.
      *

Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java Thu Aug 31 17:38:32 2006
@@ -267,7 +267,7 @@
      *
      * @throws javax.naming.NamingException if the test encounters an error
      */
-    public void testGrantModifyByAdministrators() throws NamingException
+    public void testGrantModifyByTestGroup() throws NamingException
     {
         // ----------------------------------------------------------------------------------
         // Modify with Attribute Addition
@@ -279,15 +279,17 @@
 
         // create the non-admin user
         createUser( "billyd", "billyd" );
+        
+        createGroup( "TestGroup" );
 
         // try a modify operation which should fail without any ACI
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
 
@@ -295,8 +297,8 @@
         // add op should still fail since billd is not in the admin group
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
-        // now add billyd to the Administrator group and try again
-        addUserToGroup( "billyd", "Administrators" );
+        // now add billyd to the TestGroup group and try again
+        addUserToGroup( "billyd", "TestGroup" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -312,11 +314,11 @@
         // make sure we cannot remove the telephone number from the test entry
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
 
@@ -334,11 +336,11 @@
         // make sure we cannot remove the telephone number from the test entry
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
@@ -360,11 +362,11 @@
         // try a modify operation which should fail without any ACI
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
 
@@ -382,11 +384,11 @@
         // make sure we cannot remove the telephone number from the test entry
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
 
@@ -404,11 +406,11 @@
         // make sure we cannot remove the telephone number from the test entry
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
 
-        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
         createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
-            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
             + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
@@ -417,6 +419,7 @@
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
         deleteAccessControlSubentry( "administratorModifyReplace" );
     }
+
 
     //    /**
     //     * Checks to make sure name based userClass works for modify operations.

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/DefaultDirectoryService.java Thu Aug 31 17:38:32 2006
@@ -445,7 +445,7 @@
             attributes.put( "displayName", "Directory Superuser" );
             attributes.put( "cn", "system administrator" );
             attributes.put( "sn", "administrator" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
             attributes.put( "displayName", "Directory Superuser" );
 
@@ -472,7 +472,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "users" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( userDn, attributes );
@@ -496,7 +496,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "groups" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( groupDn, attributes );
@@ -520,8 +520,8 @@
             objectClass.add( "groupOfUniqueNames" );
             attributes.put( objectClass );
             attributes.put( "cn", "Administrators" );
-            attributes.put( "uniqueMember", PartitionNexus.ADMIN_PRINCIPAL );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "uniqueMember", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add(normName, attributes );
@@ -547,7 +547,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "configuration" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( configurationDn, attributes );
@@ -571,7 +571,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "partitions" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( partitionsDn, attributes );
@@ -595,7 +595,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "services" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( servicesDn, attributes );
@@ -619,7 +619,7 @@
             attributes.put( objectClass );
 
             attributes.put( "ou", "interceptors" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( interceptorsDn, attributes );
@@ -644,7 +644,7 @@
 
             attributes.put( "objectClass", "extensibleObject" );
             attributes.put( "prefNodeName", "sysPrefRoot" );
-            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL );
+            attributes.put( "creatorsName", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
             attributes.put( "createTimestamp", DateUtils.getGeneralizedTime() );
 
             partitionNexus.add( sysPrefRootDn, attributes );

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java Thu Aug 31 17:38:32 2006
@@ -34,7 +34,6 @@
 import org.apache.directory.server.core.invocation.InvocationStack;
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.jndi.ServerLdapContext;
-import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.server.core.partition.PartitionNexusProxy;
 import org.apache.directory.server.core.schema.AttributeTypeRegistry;
 import org.apache.directory.server.core.schema.ConcreteNameComponentNormalizer;
@@ -361,7 +360,7 @@
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Invocation invocation = InvocationStack.getInstance().peek();
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -371,7 +370,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toNormName().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.add( normName, entry );
             tupleCache.subentryAdded( normName.toNormName(), normName, entry );
@@ -389,7 +388,7 @@
         }
 
         // Assemble all the information required to make an access control decision
-        Set userGroups = groupCache.getGroups( userName.toNormName() );
+        Set userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection tuples = new HashSet();
 
         // Build the total collection of tuples to be considered for add rights
@@ -399,7 +398,7 @@
 
         // check if entry scope permission is granted
         PartitionNexusProxy proxy = invocation.getProxy();
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), normName, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), normName, null, null,
             ADD_PERMS, tuples, subentryAttrs );
 
         // now we must check if attribute type and value scope permission is granted
@@ -409,7 +408,7 @@
             Attribute attr = ( Attribute ) attributeList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), normName, attr
+                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), normName, attr
                     .getID(), attr.get( ii ), ADD_PERMS, tuples, entry );
             }
         }
@@ -431,7 +430,7 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -441,7 +440,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.delete( name );
             tupleCache.subentryDeleted( name, entry );
@@ -449,13 +448,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             REMOVE_PERMS, tuples, entry );
 
         next.delete( name );
@@ -471,7 +470,7 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -481,7 +480,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.modify( name, modOp, mods );
             tupleCache.subentryModified( name, modOp, mods, entry );
@@ -489,13 +488,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         NamingEnumeration attrList = mods.getAll();
@@ -518,7 +517,7 @@
             Attribute attr = ( Attribute ) attrList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, attr
+                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attr
                     .getID(), attr.get( ii ), perms, tuples, entry );
             }
         }
@@ -536,7 +535,7 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -546,7 +545,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.modify( name, mods );
             tupleCache.subentryModified( name, mods, entry );
@@ -554,13 +553,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         Collection perms = null;
@@ -582,7 +581,7 @@
             Attribute attr = mods[ii].getAttribute();
             for ( int jj = 0; jj < attr.size(); jj++ )
             {
-                engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, attr
+                engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attr
                     .getID(), attr.get( jj ), perms, tuples, entry );
             }
         }
@@ -599,22 +598,21 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
-        if ( userName.toNormName().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled
-            || name.toString().trim().equals( "" ) ) // no checks on the rootdse
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled || name.toString().trim().equals( "" ) ) // no checks on the rootdse
         {
             return next.hasEntry( name );
         }
 
-        Set userGroups = groupCache.getGroups( userName.toNormName() );
+        Set userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
         // check that we have browse access to the entry
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             BROWSE_PERMS, tuples, entry );
 
         return next.hasEntry( name );
@@ -679,7 +677,7 @@
         LdapDN principalDn = new LdapDN( principal.getName() );
         principalDn.normalize( attrRegistry.getNormalizerMapping() );
         
-        if ( principalDn.toNormName().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
         {
             return next.lookup( dn, attrIds );
         }
@@ -698,7 +696,7 @@
         LdapDN principalDn = (LdapDN)user.getJndiName();
         principalDn.normalize( attrRegistry.getNormalizerMapping() );
         
-        if ( principalDn.toString().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
         {
             return next.lookup( name );
         }
@@ -715,7 +713,7 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) name.clone();
         newName.remove( name.size() - 1 );
         newName.add( parseNormalized( newRn ).get( 0 ) );
@@ -728,7 +726,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.modifyRn( name, newRn, deleteOldRn );
             tupleCache.subentryRenamed( name, newName );
@@ -738,13 +736,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             RENAME_PERMS, tuples, entry );
 
         //        if ( deleteOldRn )
@@ -788,7 +786,7 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( newRn );
 
@@ -800,7 +798,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.move( oriChildName, newParentName, newRn, deleteOldRn );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -808,13 +806,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
             null, MOVERENAME_PERMS, tuples, entry );
 
         // Get the entry again without operational attributes
@@ -841,7 +839,7 @@
         addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         //        if ( deleteOldRn )
@@ -886,7 +884,7 @@
         LdapDN newName = ( LdapDN ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
         // bypass authz code if we are disabled
         if ( !enabled )
@@ -896,7 +894,7 @@
         }
 
         // bypass authz code but manage caches if operation is performed by the admin
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.move( oriChildName, newParentName );
             tupleCache.subentryRenamed( oriChildName, newName );
@@ -904,13 +902,13 @@
             return;
         }
 
-        Set userGroups = groupCache.getGroups( userName.toString() );
+        Set userGroups = groupCache.getGroups( principalDn.toString() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, oriChildName, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
             null, EXPORT_PERMS, tuples, entry );
         
         // Get the entry again without operational attributes
@@ -937,7 +935,7 @@
         addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
             null, IMPORT_PERMS, destTuples, subentryAttrs );
 
         next.move( oriChildName, newParentName );
@@ -954,7 +952,7 @@
         ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
         LdapPrincipal user = ctx.getPrincipal();
         NamingEnumeration e = next.list( base );
-        if ( user.getName().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
+        if ( isPrincipalAnAdministrator( user.getJndiName() ) || !enabled )
         {
             return e;
         }
@@ -974,8 +972,7 @@
 
         boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( base.toNormName() );
         boolean isRootDSELookup = base.size() == 0 && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE;
-        if ( principalDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled || 
-            isRootDSELookup || isSubschemaSubentryLookup )
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled || isRootDSELookup || isSubschemaSubentryLookup )
         {
             return e;
         }
@@ -983,6 +980,12 @@
         return new SearchResultFilteringEnumeration( e, searchCtls, invocation, authzFilter );
     }
 
+    
+    public final boolean isPrincipalAnAdministrator( LdapDN principalDn ) throws NamingException
+    {
+        return groupCache.isPrincipalAnAdministrator( principalDn );
+    }
+    
 
     public boolean compare( NextInterceptor next, LdapDN name, String oid, Object value ) throws NamingException
     {
@@ -991,22 +994,22 @@
         PartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS );
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
+        LdapDN principalDn = principal.getJndiName();
 
-        if ( userName.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
         {
             return next.compare( name, oid, value );
         }
 
-        Set userGroups = groupCache.getGroups( userName.toNormName() );
+        Set userGroups = groupCache.getGroups( principalDn.toNormName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( proxy, tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( proxy, tuples, name, entry );
 
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null, null,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
             READ_PERMS, tuples, entry );
-        engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, oid, value,
+        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
             COMPARE_PERMS, tuples, entry );
 
         return next.compare( name, oid, value );
@@ -1019,8 +1022,9 @@
         Invocation invocation = InvocationStack.getInstance().peek();
         PartitionNexusProxy proxy = invocation.getProxy();
         LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
-        LdapDN userName = principal.getJndiName();
-        if ( userName.toString().equalsIgnoreCase( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) || !enabled )
+        LdapDN principalDn = principal.getJndiName();
+        
+        if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
         {
             return next.getMatchedName( dn );
         }
@@ -1035,13 +1039,13 @@
         while ( matched.size() > 0 )
         {
             entry = proxy.lookup( matched, PartitionNexusProxy.GETMATCHEDDN_BYPASS );
-            Set userGroups = groupCache.getGroups( userName.toString() );
+            Set userGroups = groupCache.getGroups( principalDn.toString() );
             Collection tuples = new HashSet();
             addPerscriptiveAciTuples( proxy, tuples, matched, entry );
             addEntryAciTuples( tuples, entry );
             addSubentryAciTuples( proxy, tuples, matched, entry );
 
-            if ( engine.hasPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), matched, null,
+            if ( engine.hasPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
                 null, MATCHEDNAME_PERMS, tuples, entry ) )
             {
                 return matched;

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java Thu Aug 31 17:38:32 2006
@@ -20,12 +20,15 @@
 package org.apache.directory.server.core.authz;
 
 
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.NoPermissionException;
+import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.ModificationItem;
 import javax.naming.directory.SearchControls;
@@ -60,11 +63,6 @@
 public class DefaultAuthorizationService extends BaseInterceptor
 {
     /**
-     * the administrator's distinguished {@link Name}
-     */
-    private static LdapDN ADMIN_DN;
-
-    /**
      * the base distinguished {@link Name} for all users
      */
     private static LdapDN USER_BASE_DN;
@@ -77,13 +75,21 @@
     private static LdapDN GROUP_BASE_DN_NORMALIZED;
 
     /**
+     * the distinguished {@link Name} for the administrator group
+     */
+    private static LdapDN ADMIN_GROUP_DN;
+    private static LdapDN ADMIN_GROUP_DN_NORMALIZED;
+
+    /**
      * the name parser used by this service
      */
     private boolean enabled = true;
     
-    private Map oidsMap;
+    private Set administrators = new HashSet(2);
     
-
+    private Map normalizerMapping;
+    
+    private PartitionNexus nexus;
 
     /**
      * Creates a new instance.
@@ -95,21 +101,47 @@
 
     public void init( DirectoryServiceConfiguration factoryCfg, InterceptorConfiguration cfg ) throws NamingException
     {
-        oidsMap = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();
-        //dnParser = new DnParser( new ConcreteNameComponentNormalizer( atr ) );
+        nexus = factoryCfg.getPartitionNexus();
+        normalizerMapping = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();
 
         // disable this static module if basic access control mechanisms are enabled
         enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();
-        ADMIN_DN = PartitionNexus.getAdminName(); 
         
         USER_BASE_DN = PartitionNexus.getUsersBaseName();
-        USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, oidsMap );
+        USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, normalizerMapping );
         
         GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
-        GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, oidsMap );
+        GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, normalizerMapping );
+     
+        ADMIN_GROUP_DN = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
+        ADMIN_GROUP_DN_NORMALIZED = ( LdapDN ) ADMIN_GROUP_DN.clone();
+        ADMIN_GROUP_DN_NORMALIZED.normalize( normalizerMapping );
+        loadAdministrators();
+    }
+    
+    
+    private void loadAdministrators() throws NamingException
+    {
+        // read in the administrators and cache their normalized names
+        Set newAdministrators = new HashSet( 2 );
+        Attributes adminGroup = nexus.lookup( ADMIN_GROUP_DN_NORMALIZED );
+        
+        if ( adminGroup == null )
+        {
+            return;
+        }
+        
+        Attribute uniqueMember = adminGroup.get( "uniqueMember" );
+        for ( int ii = 0; ii < uniqueMember.size(); ii++ )
+        {
+            LdapDN memberDn = new LdapDN( ( String ) uniqueMember.get( ii ) );
+            memberDn.normalize( normalizerMapping );
+            newAdministrators.add( memberDn.toNormName() );
+        }
+        administrators = newAdministrators;
     }
 
-
+    
     // Note:
     //    Lookup, search and list operations need to be handled using a filter
     // and so we need access to the filter service.
@@ -122,7 +154,7 @@
             return;
         }
 
-        Name principalDn = getPrincipal().getJndiName();
+        LdapDN principalDn = getPrincipal().getJndiName();
 
         if ( name.toString().equals( "" ) )
         {
@@ -130,7 +162,13 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( name == ADMIN_DN || name.equals( ADMIN_DN ) )
+        if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+        {
+            String msg = "The Administrators group cannot be deleted!";
+            throw new LdapNoPermissionException( msg );
+        }
+
+        if ( isTheAdministrator( name ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the admin account.";
@@ -138,7 +176,7 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
+        if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the user account: ";
@@ -146,7 +184,7 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
+        if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the group entry: ";
@@ -157,6 +195,24 @@
         nextInterceptor.delete( name );
     }
 
+    
+    private final boolean isTheAdministrator( LdapDN normalizedDn )
+    {
+        return normalizedDn.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED || 
+             normalizedDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+    }
+    
+    
+    private final boolean isAnAdministrator( LdapDN normalizedDn ) throws NamingException
+    {
+        if ( isTheAdministrator( normalizedDn ) )
+        {
+            return true;
+        }
+        
+        return administrators.contains( normalizedDn.toNormName() );
+    }
+    
 
     /**
      * Note that we do nothing here. First because this is not an externally
@@ -186,6 +242,14 @@
         if ( enabled )
         {
             protectModifyAlterations( name );
+            nextInterceptor.modify( name, modOp, attrs );
+
+            // update administrators if we change administrators group
+            if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+            {
+                loadAdministrators();
+            }
+            return;
         }
 
         nextInterceptor.modify( name, modOp, attrs );
@@ -203,7 +267,16 @@
         if ( enabled )
         {
             protectModifyAlterations( name );
+            nextInterceptor.modify( name, items );
+
+            // update administrators if we change administrators group
+            if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+            {
+                loadAdministrators();
+            }
+            return;
         }
+        
         nextInterceptor.modify( name, items );
     }
 
@@ -218,8 +291,14 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( !principalDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( ! isAnAdministrator( principalDn ) )
         {
+            // allow self modifications 
+            if ( dn.toNormName().equals( getPrincipal().getJndiName().toNormName() ) )
+            {
+                return;
+            }
+            
             if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
@@ -228,7 +307,7 @@
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) )
+            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the account of the";
@@ -238,7 +317,7 @@
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) )
+            if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the group entry ";
@@ -247,8 +326,8 @@
             }
         }
     }
-
-
+    
+    
     // ------------------------------------------------------------------------
     // DN altering operations are a no no for any user entry.  Basically here
     // are the rules of conduct to follow:
@@ -290,7 +369,7 @@
     }
 
 
-    private void protectDnAlterations( Name dn ) throws LdapNoPermissionException
+    private void protectDnAlterations( LdapDN dn ) throws NamingException
     {
         LdapDN principalDn = getPrincipal().getJndiName();
 
@@ -300,7 +379,12 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn == ADMIN_DN || dn.equals( ADMIN_DN ) )
+        if ( dn.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+        {
+            throw new LdapNoPermissionException( "The Administrators group cannot be moved or renamed!" );
+        }
+        
+        if ( isTheAdministrator( dn ) )
         {
             String msg = "User '" + principalDn.getUpName();
             msg += "' does not have permission to move or rename the admin";
@@ -309,7 +393,7 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
+        if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User '" + principalDn;
             msg += "' does not have permission to move or rename the user";
@@ -318,7 +402,7 @@
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) && !principalDn.equals( ADMIN_DN ) )
+        if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to move or rename the group entry ";
@@ -358,9 +442,9 @@
     {
         LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
         LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
-        if ( !principalDn.equals( ADMIN_DN ) )
+        if ( !isAnAdministrator( principalDn ) )
         {
-            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN ) )
+            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN_NORMALIZED ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
@@ -374,7 +458,7 @@
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN ) )
+            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
@@ -388,7 +472,7 @@
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( normalizedDn.equals( ADMIN_DN ) )
+            if ( isTheAdministrator( normalizedDn ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
@@ -455,12 +539,10 @@
         LdapDN principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
         LdapDN dn;
         dn = new LdapDN( result.getName() );
-        dn.normalize( oidsMap );
+        dn.normalize( normalizerMapping );
 
-        boolean isAdmin = principalDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
-        
-        // Admin user gets full access to all entries
-        if ( isAdmin )
+        // Admin users gets full access to all entries
+        if ( isAnAdministrator( principalDn ) )
         {
             return true;
         }
@@ -486,7 +568,7 @@
         }
         
         // Non-admin users cannot read the admin entry
-        if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        if ( isTheAdministrator( dn ) )
         {
             return false;
         }

Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=439119&r1=439118&r2=439119&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Thu Aug 31 17:38:32 2006
@@ -71,16 +71,24 @@
      */
     private Map normalizerMap;
     
+    /** the normalized dn of the administrators group */
+    LdapDN administratorsGroupDn;
+    
     /**
      * Creates a static group cache.
      *
      * @param factoryCfg the context factory configuration for the server
      */
-    public GroupCache(DirectoryServiceConfiguration factoryCfg) throws NamingException
+    public GroupCache( DirectoryServiceConfiguration factoryCfg ) throws NamingException
     {
     	normalizerMap = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();
         this.nexus = factoryCfg.getPartitionNexus();
         this.env = ( Hashtable ) factoryCfg.getEnvironment().clone();
+        
+        // stuff for dealing with the admin group
+        administratorsGroupDn = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
+        administratorsGroupDn.normalize( normalizerMap );
+
         initialize();
     }
 
@@ -405,6 +413,31 @@
         }
     }
 
+    
+    /**
+     * An optimization.  By having this method here we can directly access the group
+     * membership information and lookup to see if the principalDn is contained within.
+     * 
+     * @param principalDn the normalized DN of the user to check if they are an admin
+     * @return true if the principal is an admin or the admin
+     */
+    public final boolean isPrincipalAnAdministrator( LdapDN principalDn )
+    {
+        if ( principalDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+        {
+            return true;
+        }
+        
+        Set members = ( Set ) groups.get( administratorsGroupDn.toNormName() );
+        if ( members == null )
+        {
+            log.warn( "What do you mean there is no administrators group? This is bad news." );
+            return false;
+        }
+        
+        return members.contains( principalDn.toNormName() );
+    }
+    
 
     /**
      * Gets the set of groups a user is a member of.  The groups are returned



Mime
View raw message