From ersi...@apache.org
Subject svn commit: r553786 - in /directory/apacheds/branches/1.0: core-unit/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/support/ cor...
Date Fri, 06 Jul 2007 08:21:01 GMT
Author: ersiner
Date: Fri Jul  6 01:21:00 2007
New Revision: 553786

URL: http://svn.apache.org/viewvc?view=rev&rev=553786
Log:
Fix for DIRSERVER-988 and DIRSERVER-989.

Modified:
    directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
    directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
    directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
    directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
    directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/branches/1.0/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java

Modified: directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
(original)
+++ directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
Fri Jul  6 01:21:00 2007
@@ -337,4 +337,18 @@
         Attributes changes = new LockableAttributesImpl( "subentryACI", aciItem, true );
         adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
     }
+
+
+    /**
+     * Replaces values of an prescriptiveACI attribute of a subentry subordinate
+     * to ou=system.
+     * @throws NamingException 
+     *
+     */
+    public void changePresciptiveACI( String cn, String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes changes = new LockableAttributesImpl( "prescriptiveACI", aciItem );
+        adminCtx.modifyAttributes( "cn=" + cn, DirContext.REPLACE_ATTRIBUTE, changes );
+    }
 }
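Review bot: `changePresciptiveACI` drops the first "r" of "prescriptive" and its Javadoc reads "an prescriptiveACI"; the attribute the helper writes is spelled `prescriptiveACI`, so `changePrescriptiveACI` keeps the helper findable by the attribute name (its one caller in ModifyAuthorizationITest needs the same rename). The Javadoc should also say what `cn` is, because the DN is built as `"cn=" + cn` with no RDN escaping: `@param cn the unescaped RDN value of an access control subentry directly under ou=system; RDN special characters are not escaped`. The preceding helper passes a third `true` argument to `LockableAttributesImpl` while this one does not; whether that flag matters for a REPLACE is not visible here and is worth a glance.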

Modified: directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
(original)
+++ directory/apacheds/branches/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
Fri Jul  6 01:21:00 2007
@@ -297,7 +297,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials
{ grantAdd } } " + "} } }" );
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}},
grantsAndDenials { grantAdd } } " + "} } }" );
 
         // see if we can now add that test entry which we could not before
         // add op should still fail since billd is not in the admin group
@@ -326,7 +326,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantRemove } } " + "} } }" );
+            + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantRemove } } " + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -348,7 +348,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantAdd, grantRemove } } "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
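Review bot: The rewritten protectedItems pairs `attributeType {registeredAddress}` with `allAttributeValues {telephoneNumber}`, unlike the other ACIs in this file, which name the same attribute in both items; the `grantAdd, grantRemove` and the surrounding test suggest the modification exercised here targets telephoneNumber. If the mismatch is deliberate, proving that value-level grants suffice while the attribute already exists and keeps at least one value, a one-line comment saying so would stop the next reader "fixing" it; otherwise it should read `attributeType {telephoneNumber}`. The enclosing test method starts outside the hunk.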
@@ -374,7 +374,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials
{ grantAdd } } " + "} } }" );
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}},
grantsAndDenials { grantAdd } } " + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE,
changes ) );
@@ -396,7 +396,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantRemove } } " + "} } }" );
+            + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantRemove } } " + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE,
changes ) );
@@ -418,7 +418,7 @@
             + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
             + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions
{ "
             + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } },
"
-            + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials
{ grantAdd, grantRemove } } "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}},
grantsAndDenials { grantAdd, grantRemove } } "
             + "} } }" );
 
         // try a modify operation which should succeed with ACI and group membership change
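Review bot: As in the earlier ACI with the same grants, `attributeType {registeredAddress}` is paired with `allAttributeValues {telephoneNumber}`, whereas every other ACI in the file names one attribute in both items. Either make it `attributeType {telephoneNumber}` or add a comment stating that the attribute-type grant is intentionally for a different attribute so the test shows value-level grants alone are enough for the operation under test. The enclosing test method starts outside the hunk.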
@@ -513,4 +513,34 @@
     //        // should work with billyd now that all users are authorized
     //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" )
);
     //    }
+
+
+    public void testPresciptiveACIModification() throws NamingException
+    {
+        
+        ModificationItemImpl[] mods = toItems( DirContext.ADD_ATTRIBUTE,
+            new LockableAttributesImpl( "registeredAddress", "100 Park Ave.", true ) );
+
+        createUser( "billyd", "billyd" );
+
+        createAccessControlSubentry( "modifyACI", "{ " + "identificationTag \"modifyAci\",
"
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
+            + "userClasses { allUsers }, " + "userPermissions { "
+            + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials
{ grantModify, grantBrowse, grantAdd, grantRemove } } } } }" );
+
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        mods = toItems( DirContext.REPLACE_ATTRIBUTE,
+            new LockableAttributesImpl( "registeredAddress", "200 Park Ave.", true ) );
+        
+        changePresciptiveACI( "modifyACI", "{ " + "identificationTag \"modifyAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst:
{ "
+            + "userClasses { allUsers }, " + "userPermissions { "
+            + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials
{ denyModify } } } } }" );
+
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        deleteAccessControlSubentry( "modifyACI" );
+        
+    }
 }
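Review bot: `deleteAccessControlSubentry( "modifyACI" )` only runs when both assertions pass; if the first `assertTrue` fails, a subentry granting `allUsers` modify, add and remove on the whole administrative area stays behind and can mask denials that later tests in this class expect (assuming the subentry persists between test methods, as the create/delete helpers suggest). Wrapping everything after `createAccessControlSubentry` in `try { … } finally { deleteAccessControlSubentry( "modifyACI" ); }` makes the cleanup unconditional. The method name also inherits the "Presciptive" misspelling of its helper; `testPrescriptiveACIModification` matches the attribute it exercises.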

Modified: directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
(original)
+++ directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Fri Jul  6 01:21:00 2007
@@ -490,7 +490,8 @@
         if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.modify( name, modOp, mods );
-            tupleCache.subentryModified( name, modOp, mods, entry );
+            Attributes modifiedEntry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS
);
+            tupleCache.subentryModified( name, modOp, mods, modifiedEntry );
             groupCache.groupModified( name, modOp, mods, entry );
             return;
         }
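Review bot: `groupCache.groupModified( name, modOp, mods, entry )` on the line after the changed ones still receives the pre-modification `entry`, while the tuple cache now gets the freshly read `modifiedEntry`; if groupModified rebuilds membership from the entry the way subentryModified rebuilds tuples (its implementation is not visible here), a member added to or removed from a group by this operation would not be reflected in later authorization decisions until the cache is rebuilt. Passing the same snapshot to both keeps the two caches consistent: `groupCache.groupModified( name, modOp, mods, modifiedEntry );`. The enclosing modify method starts outside the hunk.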
@@ -521,7 +522,36 @@
 
         while ( attrList.hasMore() )
         {
+
             Attribute attr = ( Attribute ) attrList.next();
+
+            switch ( modOp )
+            {
+                case ( DirContext.ADD_ATTRIBUTE  ):
+                    // If the attribute is being created with an initial value ...
+                    if ( entry.get( attr.getID() ) == null )
+                    {
+                        // ... we also need to check if adding the attribute is permitted
+                        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                            attr.getID(), null, perms, tuples, entry );
+                    }
+                    break;
+                case ( DirContext.REMOVE_ATTRIBUTE  ):
+                    Attribute entryAttr = entry.get( attr.getID() );
+                    if (  entryAttr != null )
+                    {
+                        // If there is only one value remaining in the attribute ...
+                        if ( entryAttr.size() == 1 )
+                        {
+                            // ... we also need to check if removing the attribute at all
is permitted
+                            engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                                attr.getID(), null, perms, tuples, entry );
+                        }
+                    }
+                    break;
+            }
+
+            
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
                 engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name, attr
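Review bot: The REMOVE_ATTRIBUTE branch asks for attribute-type permission only when `entryAttr.size() == 1`, so removing every value of a multi-valued attribute in one modification, or sending a remove with no values (which deletes the whole attribute under LDAP semantics, assuming the backend honours that), deletes the attribute with at most per-value checks — and with an empty value set the `for` loop below runs zero times, so nothing is checked at all. The condition is better phrased on what is requested than on what is present: the attribute disappears when `attr.size() == 0` or `attr.size() >= entryAttr.size()`. The `switch` also has no REPLACE_ATTRIBUTE case, so a replace that creates a missing attribute or replaces with an empty set (removing it) is never checked at attribute-type scope; a `default` with a comment would at least make that omission explicit. The enclosing modify method starts and ends outside the hunk.
```java
case ( DirContext.REMOVE_ATTRIBUTE  ):
    Attribute entryAttr = entry.get( attr.getID() );
    // An empty value set removes the whole attribute, and so does removing
    // every remaining value; both need permission on the attribute type itself.
    if ( entryAttr != null && ( attr.size() == 0 || attr.size() >= entryAttr.size() ) )
    {
        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
            attr.getID(), null, perms, tuples, entry );
    }
    break;
// … unchanged: ADD_ATTRIBUTE case and the per-value checks …
```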
@@ -530,7 +560,8 @@
         }
 
         next.modify( name, modOp, mods );
-        tupleCache.subentryModified( name, modOp, mods, entry );
+        Attributes modifiedEntry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS
);
+        tupleCache.subentryModified( name, modOp, mods, modifiedEntry );
         groupCache.groupModified( name, modOp, mods, entry );
     }
 
@@ -555,7 +586,8 @@
         if ( isPrincipalAnAdministrator( principalDn ) )
         {
             next.modify( name, mods );
-            tupleCache.subentryModified( name, mods, entry );
+            Attributes modifiedEntry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS
);
+            tupleCache.subentryModified( name, mods, modifiedEntry );
             groupCache.groupModified( name, mods, entry );
             return;
         }
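Review bot: The added `proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS )` runs for every administrator modify, including the vast majority that touch neither an access control subentry nor a group, doubling the entry reads on this path; the same unconditional lookup is added to the other three modify paths in this file. If the caches expose the test they use to ignore irrelevant entries (the early `return` at the top of `subentryModified` suggests such a check exists), the lookup could be gated on it so only subentry and group modifications pay for the re-read — to be confirmed against TupleCache and GroupCache. As in the single-op overload, `groupCache.groupModified` on the next line still receives the stale `entry` rather than `modifiedEntry`. The enclosing method starts outside the hunk.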
@@ -572,20 +604,43 @@
         Collection perms = null;
         for ( int ii = 0; ii < mods.length; ii++ )
         {
+
+            Attribute attr = mods[ii].getAttribute();            
+
             switch ( mods[ii].getModificationOp() )
             {
                 case ( DirContext.ADD_ATTRIBUTE  ):
                     perms = ADD_PERMS;
+                    // If the attribute is being created with an initial value ...
+                    if ( entry.get( attr.getID() ) == null )
+                    {
+                        // ... we also need to check if adding the attribute is permitted
+                        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                            attr.getID(), null, perms, tuples, entry );
+                    }
                     break;
+                    
                 case ( DirContext.REMOVE_ATTRIBUTE  ):
                     perms = REMOVE_PERMS;
+                    Attribute entryAttr = entry.get( attr.getID() );
+                    if (  entryAttr != null )
+                    {
+                        // If there is only one value remaining in the attribute ...
+                        if ( entryAttr.size() == 1 )
+                        {
+                            // ... we also need to check if removing the attribute at all
is permitted
+                            engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name,
+                                attr.getID(), null, perms, tuples, entry );
+                        }
+                    }
                     break;
+                    
                 case ( DirContext.REPLACE_ATTRIBUTE  ):
                     perms = REPLACE_PERMS;
                     break;
             }
 
-            Attribute attr = mods[ii].getAttribute();
+            
             for ( int jj = 0; jj < attr.size(); jj++ )
             {
                 engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(),
name, attr
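Review bot: The REPLACE_ATTRIBUTE case sets `perms` but adds no attribute-type check, so a replace that introduces an attribute the entry does not yet have, or a replace with an empty value set (which removes the attribute, assuming the backend follows LDAP semantics), is authorised only by the per-value loop below — and with an empty set that loop checks nothing. The REMOVE_ATTRIBUTE case has the same two gaps as the single-op overload: `entryAttr.size() == 1` misses a remove with no values and a remove of all remaining values of a multi-valued attribute. A minimal guard for replace is sketched below; whether REPLACE_PERMS is the right permission set for creating or deleting the type is not visible here and should be confirmed against the ACI engine. The enclosing modify method starts and ends outside the hunk.
```java
case ( DirContext.REPLACE_ATTRIBUTE  ):
    perms = REPLACE_PERMS;
    // Replacing into a missing attribute creates it; replacing with no values
    // removes it. Both affect the attribute type, not just its values.
    if ( entry.get( attr.getID() ) == null || attr.size() == 0 )
    {
        engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
            attr.getID(), null, perms, tuples, entry );
    }
    break;
// … unchanged: ADD_ATTRIBUTE and REMOVE_ATTRIBUTE cases, per-value checks …
```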
@@ -594,7 +649,8 @@
         }
 
         next.modify( name, mods );
-        tupleCache.subentryModified( name, mods, entry );
+        Attributes modifiedEntry = proxy.lookup( name, PartitionNexusProxy.LOOKUP_BYPASS
);
+        tupleCache.subentryModified( name, mods, modifiedEntry );
         groupCache.groupModified( name, mods, entry );
     }
 

Modified: directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
(original)
+++ directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
Fri Jul  6 01:21:00 2007
@@ -213,7 +213,7 @@
 
         tuples.remove( normName.toString() );
     }
-
+    
 
     public void subentryModified( LdapDN normName, ModificationItemImpl[] mods, Attributes
entry ) throws NamingException
     {
@@ -221,16 +221,16 @@
         {
             return;
         }
-
-        boolean isAciModified = false;
+        
         for ( int ii = 0; ii < mods.length; ii++ )
         {
-            isAciModified |= AttributeUtils.containsValueCaseIgnore( mods[ii].getAttribute(),
ACI_ATTR );
-        }
-        if ( isAciModified )
-        {
-            subentryDeleted( normName, entry );
-            subentryAdded( normName.getUpName(), normName, entry );
+            String attrID = mods[ii].getAttribute().getID();
+            if ( attrID.equalsIgnoreCase( ACI_ATTR ) )
+            {
+                subentryDeleted( normName, entry );
+                subentryAdded( normName.getUpName(), normName, entry );
+                continue;
+            }
         }
     }
 
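Review bot: Inside the new loop the `continue` is the last statement of the body and so does nothing, and because it is not a `break` the subentry's tuples are torn down and rebuilt once per modification item that names `prescriptiveACI` instead of once; `break`, or the dropped `isAciModified` flag with a single rebuild after the loop, keeps it to one rebuild. Matching on `getID().equalsIgnoreCase( ACI_ATTR )` also assumes the ID reaching this point is the plain attribute name: a modification naming the attribute by OID or with an option (`prescriptiveACI;binary`) would not match and the stale tuples would remain in force, unless an earlier interceptor already normalises attribute IDs — worth confirming. The method's signature lies in the preceding hunk.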

Modified: directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
(original)
+++ directory/apacheds/branches/1.0/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Fri Jul  6 01:21:00 2007
@@ -131,7 +131,7 @@
             }
             else if ( item instanceof ProtectedItem.AllAttributeValues )
             {
-                if ( scope != OperationScope.ATTRIBUTE_TYPE && scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE
)
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
                 {
                     continue;
                 }
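Review bot: Narrowing `AllAttributeValues` to the ATTRIBUTE_TYPE_AND_VALUE scope is a behaviour change for existing ACIs: a `protectedItems { allAttributeValues { x } }` grant that used to authorise adding or removing attribute x itself now only covers its values, and the attribute-type operation must be granted separately via `attributeType { x }`, which is exactly what every ACI in the updated tests had to gain. That matches the X.501 split between the two protected items as I read it, but nothing in the hunk records it; a comment on the branch, `// allAttributeValues governs only the values of the attribute; the attribute type itself is covered by ProtectedItem.AttributeType`, plus a release-note entry would spare deployers a surprise denial. The enclosing method starts and ends outside the hunk.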

Modified: directory/apacheds/branches/1.0/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/1.0/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java?view=diff&rev=553786&r1=553785&r2=553786
==============================================================================
--- directory/apacheds/branches/1.0/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
(original)
+++ directory/apacheds/branches/1.0/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
Fri Jul  6 01:21:00 2007
@@ -170,10 +170,10 @@
 
         tuples = getTuples( new ProtectedItem.AllAttributeValues( attrTypes ) );
 
-        Assert.assertEquals( 1, filterA.filter( tuples, OperationScope.ATTRIBUTE_TYPE, null,
null, USER_NAME, null,
+        Assert.assertEquals( 1, filterA.filter( tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE,
null, null, USER_NAME, null,
             null, null, "attrA", null, null, null ).size() );
 
-        Assert.assertEquals( 0, filterB.filter( tuples, OperationScope.ATTRIBUTE_TYPE, null,
null, USER_NAME, null,
+        Assert.assertEquals( 0, filterB.filter( tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE,
null, null, USER_NAME, null,
             null, null, "attrB", null, null, null ).size() );
     }
 
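Review bot: The assertions were switched from ATTRIBUTE_TYPE to ATTRIBUTE_TYPE_AND_VALUE scope rather than complemented, so the behaviour the filter change introduces — an `AllAttributeValues` item no longer matching at attribute-type scope — is asserted nowhere in this hunk. Keep the new positive assertion and add the negative one: `Assert.assertEquals( 0, filterA.filter( tuples, OperationScope.ATTRIBUTE_TYPE, null, null, USER_NAME, null, null, null, "attrA", null, null, null ).size() );`. The enclosing test method starts outside the hunk.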


