From akaras...@apache.org
Subject svn commit: r602318 [1/3] - in /directory/apacheds/branches/bigbang: core-integ/src/main/java/org/apache/directory/server/core/integ/state/ core-integ/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/...
Date Sat, 08 Dec 2007 04:52:19 GMT
Author: akarasulu
Date: Fri Dec  7 20:52:17 2007
New Revision: 602318

URL: http://svn.apache.org/viewvc?rev=602318&view=rev
Log:
converted all authorization tests to use the new framework and fixed bugs in framework

Added:
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/
      - copied from r601982, directory/apacheds/branches/bigbang/core-unit/src/test/java/org/apache/directory/server/core/authz/
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzISuite.java
      - copied, changed from r602007, directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/schema/SchemaISuite.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java   (with props)
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java   (with props)
Removed:
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AbstractAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationITest.java
Modified:
    directory/apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/state/StartedDirtyState.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java

Modified: directory/apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/state/StartedDirtyState.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/state/StartedDirtyState.java?rev=602318&r1=602317&r2=602318&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/state/StartedDirtyState.java (original)
+++ directory/apacheds/branches/bigbang/core-integ/src/main/java/org/apache/directory/server/core/integ/state/StartedDirtyState.java Fri Dec  7 20:52:17 2007
@@ -105,6 +105,7 @@
             {
                 context.getState().shutdown();
                 context.getState().cleanup();
+                context.getState().destroy();
             }
             catch ( Exception e )
             {
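Review bot: The added `context.getState().destroy();` only executes when both `shutdown()` and `cleanup()` before it complete, because all three calls sit under the same `catch ( Exception e )`; a failure in either earlier call skips destruction and, depending on what the catch body does, may leave the state allocated. If destroy() is meant to run regardless, moving it to a `finally` (or guarding each call separately) would make that explicit. The enclosing method begins and ends outside this hunk, so the catch body and any existing finally are not visible here.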

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,206 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DirectoryService;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+
+
+/**
+ * Tests whether or not authorization around entry addition works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class AddAuthorizationIT
+{
+    public static DirectoryService service;
+
+    
+    /**
+     * Checks if a simple entry (organizationalUnit) can be added to the DIT at an
+     * RDN relative to ou=system by a specific non-admin user.  If a permission exception
+     * is encountered it is caught and false is returned, otherwise true is returned
+     * when the entry is created.  The entry is deleted after being created just in case
+     * subsequent calls to this method do not fail: the admin account is used to delete
+     * this test entry so permissions to delete are not required to delete it by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry creation is tested
+     * @return true if the entry can be created by the user at the specified location, false otherwise
+     * @throws NamingException if there are problems conducting the test
+     */
+    public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws NamingException
+    {
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+
+        try
+        {
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            DirContext userContext = getContextAs( userName, password );
+            userContext.createSubcontext( entryRdn, testEntry );
+
+            // delete the newly created context as the admin user
+            DirContext adminContext = getContextAsAdmin();
+            adminContext.destroySubcontext( entryRdn );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantAddAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // Gives grantAdd perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // add op should still fail since billd is not in the admin group
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try an add operation which should succeed with ACI and group membership change
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantAddByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantAddBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to add an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for add operations.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantAddAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantAdd, grantBrowse } } } } }" );
+
+        // see if we can now add that test entry which we could not before
+        // should work now with billyd now that all users are authorized
+        assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+}
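Review bot: In `checkCanAddEntryAs` the `catch ( LdapNoPermissionException e )` also covers the admin cleanup, so if `destroySubcontext` as admin were refused the method would return `false` — read by every caller as "the user cannot add" — and the test entry would be left behind to break later calls on an already-existing `ou=testou`. Narrowing the try so that only the bind and the user's `createSubcontext` are inside it keeps the return value tied to the permission actually under test and lets a cleanup failure surface as a NamingException; `getContextAs` stays inside the try because, as `AdministratorsGroupIT.testNonAdminReadAccessToGroups` in this same commit expects, a bind without browse rights is itself refused. The two DirContexts obtained are never closed; the framework may release them, but a `close()` is cheap here.
```java
    public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws NamingException
    {
        // … unchanged: build testEntry (ou=testou, objectClass top/organizationalUnit) …

        try
        {
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            DirContext userContext = getContextAs( userName, password );
            userContext.createSubcontext( entryRdn, testEntry );
        }
        catch ( LdapNoPermissionException e )
        {
            // only the bind/add under test may fail for lack of permission
            return false;
        }

        // delete the newly created context as the admin user, outside the catch so a
        // refused delete surfaces as a NamingException rather than as a denied add
        DirContext adminContext = getContextAsAdmin();
        adminContext.destroySubcontext( entryRdn );
        return true;
    }
```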

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,127 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DirectoryService;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.SetupMode;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.integ.annotations.Mode;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.naming.Name;
+import javax.naming.NamingException;
+import javax.naming.NoPermissionException;
+import javax.naming.directory.DirContext;
+
+
+/**
+ * Some tests to make sure users in the cn=Administrators,ou=groups,ou=system 
+ * group behave as admin like users will full access rights.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+public class AdministratorsGroupIT
+{
+    public static DirectoryService service;
+
+
+    boolean canReadAdministrators( DirContext ctx ) throws NamingException
+    {
+        try
+        {
+            ctx.getAttributes( "cn=Administrators,ou=groups" );
+            return true;
+        }
+        catch ( NoPermissionException e )
+        {
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure a non-admin user which is not in the Administrators 
+     * group cannot access entries under ou=groups,ou=system.  Also check that 
+     * after adding that user to the group they see those groups.  This test 
+     * does NOT use the DefaultAuthorizationInterceptor but uses the one based on
+     * ACI.
+     * 
+     * @throws Exception on failures
+     */
+    @Test
+    public void testNonAdminReadAccessToGroups() throws Exception
+    {
+        Name billydDn = createUser( "billyd", "s3kr3t" );
+        
+        // this should fail with a no permission exception because we
+        // are not allowed to browse ou=system without an ACI 
+        try
+        {
+            getContextAs( billydDn, "s3kr3t" );
+            fail( "Should not get here since we cannot browse ou=system" );
+        }
+        catch( NoPermissionException e )
+        {
+        }
+        
+        // add billyd to administrators and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // billyd should now be able to read ou=system and the admin group
+        DirContext ctx = getContextAs( billydDn, "s3kr3t" );
+        assertTrue( canReadAdministrators( ctx ) );
+    }
+
+
+    /**
+     * Checks to make sure a non-admin user which is not in the Administrators
+     * group cannot access entries under ou=groups,ou=system.  Also check that
+     * after adding that user to the group they see those groups.
+     *
+     * @throws Exception on failure
+     */
+    @Test
+    @Factory ( AutzIntegUtils.DefaultServiceFactory.class )
+    @Mode ( SetupMode.PRISTINE )
+    public void testDefaultNonAdminReadAccessToGroups() throws Exception
+    {
+        Name billydDn = createUser( "billyd", "s3kr3t" );
+        assertFalse( service.isAccessControlEnabled() );
+        DirContext ctx = getContextAs( billydDn, "s3kr3t" );
+
+        // billyd should not be able to read the admin group
+        assertFalse( canReadAdministrators( ctx ) );
+
+        // add billyd to administrators and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // billyd should now be able to read the admin group
+        assertTrue( canReadAdministrators( ctx ) );
+
+        service.shutdown();
+    }
+}
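Review bot: The `catch( NoPermissionException e )` in `testNonAdminReadAccessToGroups` has an empty body, whereas the sibling tests added in this commit (`AuthorizationServiceAsAdminIT`) record the expected exception with `assertNotNull( e );`; doing the same here, or at least a comment such as `// expected: no browse right on ou=system until billyd joins Administrators`, would make the intent explicit. `canReadAdministrators` has no Javadoc; a one-liner such as `/** Returns true if ctx can read cn=Administrators,ou=groups, false when the read is refused with NoPermissionException. */` would document it. In `testDefaultNonAdminReadAccessToGroups` the `service.shutdown()` at the end only runs when every assertion passes; if the PRISTINE mode does not tear the service down on failure, wrapping the body in a `try`/`finally` would be safer.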

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AdministratorsGroupIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,140 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.integ.CiRunner;
+import static org.apache.directory.server.core.integ.IntegrationUtils.getSystemContext;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.util.ArrayUtils;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import java.util.HashSet;
+
+
+/**
+ * Tests the Authorization service to make sure it is enforcing policies
+ * correctly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class AuthorizationServiceAsAdminIT
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Makes sure the admin cannot delete the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testNoDeleteOnAdminByAdmin() throws NamingException
+    {
+        try
+        {
+            getSystemContext( service ).destroySubcontext( "uid=admin" );
+            fail( "admin should not be able to delete his account" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure the admin cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testNoRdnChangesOnAdminByAdmin() throws NamingException
+    {
+        try
+        {
+            getSystemContext( service ).rename( "uid=admin", "uid=alex" );
+            fail( "admin should not be able to rename his account" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure the admin cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testModifyOnAdminByAdmin() throws NamingException
+    {
+        LdapContext sysRoot = getSystemContext( service );
+        Attributes attributes = new AttributesImpl();
+        attributes.put( "userPassword", "replaced" );
+        sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );
+        Attributes newAttrs = sysRoot.getAttributes( "uid=admin" );
+        assertTrue( ArrayUtils.isEquals( "replaced".getBytes(), newAttrs.get( "userPassword" ).get() ) );
+    }
+
+
+    /**
+     * Makes sure the admin can see all entries we know of on a subtree search.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testSearchSubtreeByAdmin() throws NamingException
+    {
+        LdapContext sysRoot = getSystemContext( service );
+        SearchControls controls = new SearchControls();
+        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+        HashSet<String> set = new HashSet<String>();
+        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );
+
+        while ( list.hasMore() )
+        {
+            SearchResult result = ( SearchResult ) list.next();
+            set.add( result.getName() );
+        }
+
+        assertTrue( set.contains( "ou=system" ) );
+        assertTrue( set.contains( "ou=groups,ou=system" ) );
+        assertTrue( set.contains( "ou=users,ou=system" ) );
+        assertTrue( set.contains( "uid=admin,ou=system" ) );
+    }
+}
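Review bot: The Javadoc on `testModifyOnAdminByAdmin` says "Makes sure the admin cannot rename the admin account", but the test replaces `userPassword` and asserts the change took effect; it should read `Makes sure the admin can modify attributes on the admin account.` In the same test `"replaced".getBytes()` uses the platform default charset, so the comparison with the stored value depends on the JVM's locale settings; specifying the charset explicitly removes that dependency. The test also leaves the admin password set to `replaced` with no restore — presumably the framework's dirty-state handling rebuilds the service between tests, but that is worth confirming since later tests bind as admin. In `testSearchSubtreeByAdmin`, `NamingEnumeration list` is a raw type and is never closed; `NamingEnumeration<SearchResult>` would drop the cast at `( SearchResult ) list.next()`.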

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsAdminIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,165 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.integ.CiRunner;
+import static org.apache.directory.server.core.integ.IntegrationUtils.*;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.ldif.Entry;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.fail;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+import javax.naming.ldap.LdapContext;
+import java.util.HashSet;
+
+
+/**
+ * Tests the Authorization service to make sure it is enforcing policies
+ * correctly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class AuthorizationServiceAsNonAdminIT 
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Makes sure a non-admin user cannot delete the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testNoDeleteOnAdminByNonAdmin() throws NamingException
+    {
+        Entry akarasulu = getUserAddLdif();
+        getRootContext( service ).createSubcontext( akarasulu.getDn(), akarasulu.getAttributes() );
+
+        try
+        {
+            getContext( akarasulu.getDn(), service, "ou=system" ).destroySubcontext( "uid=admin" );
+            fail( "User 'admin' should not be able to delete his account" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure a non-admin user cannot rename the admin account.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testNoRdnChangesOnAdminByNonAdmin() throws NamingException
+    {
+        Entry akarasulu = getUserAddLdif();
+        getRootContext( service ).createSubcontext( akarasulu.getDn(), akarasulu.getAttributes() );
+        LdapContext sysRoot = getContext( akarasulu.getDn(), service, "ou=system" );
+
+        try
+        {
+            sysRoot.rename( "uid=admin", "uid=alex" );
+            fail( "admin should not be able to rename his account" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            assertNotNull( e );
+        }
+    }
+
+
+    /**
+     * Makes sure the a non-admin user cannot rename the admin account.
+     *
+     * @throws NamingException on error
+     */
+    @Test
+    public void testModifyOnAdminByNonAdmin() throws NamingException
+    {
+        Entry akarasulu = getUserAddLdif();
+        getRootContext( service ).createSubcontext( akarasulu.getDn(), akarasulu.getAttributes() );
+        LdapContext sysRoot = getContext( akarasulu.getDn(), service, "ou=system" );
+
+        Attributes attributes = new AttributesImpl();
+        attributes.put( "userPassword", "replaced" );
+
+        //noinspection EmptyCatchBlock
+        try
+        {
+            sysRoot.modifyAttributes( "uid=admin", DirContext.REPLACE_ATTRIBUTE, attributes );
+            fail( "User 'uid=admin,ou=system' should not be able to modify attributes on admin" );
+        }
+        catch ( Exception e )
+        {
+        }
+    }
+
+
+    /**
+     * Makes sure the admin can see all entries we know of on a subtree search.
+     *
+     * @throws NamingException if there are problems
+     */
+    @Test
+    public void testSearchSubtreeByNonAdmin() throws NamingException
+    {
+        Entry akarasulu = getUserAddLdif();
+        getRootContext( service ).createSubcontext( akarasulu.getDn(), akarasulu.getAttributes() );
+        LdapContext sysRoot = getContext( akarasulu.getDn(), service, "ou=system" );
+
+        SearchControls controls = new SearchControls();
+        controls.setSearchScope( SearchControls.SUBTREE_SCOPE );
+
+        //noinspection MismatchedQueryAndUpdateOfCollection
+        HashSet<String> set = new HashSet<String>();
+        NamingEnumeration list = sysRoot.search( "", "(objectClass=*)", controls );
+        while ( list.hasMore() )
+        {
+            SearchResult result = ( SearchResult ) list.next();
+            set.add( result.getName() );
+        }
+
+        // @todo this assertion fails now - is this the expected behavoir?
+//        assertTrue( set.contains( "ou=system" ) );
+//        assertTrue( set.contains( "ou=groups,ou=system" ) );
+//        assertFalse( set.contains( "cn=administrators,ou=groups,ou=system" ) );
+//        assertTrue( set.contains( "ou=users,ou=system" ) );
+//        assertFalse( set.contains( "uid=akarasulu,ou=users,ou=system" ) );
+//        assertFalse( set.contains( "uid=admin,ou=system" ) );
+    }
+}
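Review bot: `testModifyOnAdminByNonAdmin` catches `Exception` with an empty body, so the test passes whenever `modifyAttributes` throws for any reason — a bind failure, a bad DN, a schema violation — not only when the modification is refused, which for an authorization test is a false pass. Narrow it to the exception the other tests in this file expect, `catch ( LdapNoPermissionException e )` with `assertNotNull( e );` in the body, and note that the `fail(...)` message names `uid=admin,ou=system` although the caller here is the non-admin user from `getUserAddLdif()`. `testSearchSubtreeByNonAdmin` has every assertion commented out and so asserts nothing, while its Javadoc still describes the admin case ("Makes sure the admin can see all entries"); if the expected visibility for a non-admin is undecided, the test should assert at least what is known or be marked `@Ignore` with the open question, rather than run green with no check.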

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthorizationServiceAsNonAdminIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,136 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import junit.framework.Assert;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.DirectoryService;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+
+
+/**
+ * Tests whether or not authentication with authorization works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class AuthzAuthnIT
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks to make sure a user can authenticate with RootDSE as the
+     * provider URL without need of any access control permissions.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testAuthnWithRootDSE() throws NamingException
+    {
+        createUser( "billyd", "billyd" );
+
+        LdapDN userName = new LdapDN( "uid=billyd,ou=users,ou=system" ); 
+        try
+        {
+            // Authenticate to RootDSE
+            getContextAs( userName, "billyd", "" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            fail( "Authentication should not have failed." );
+        }
+    }
+    
+    
+    /**
+     * Checks to make sure a user cannot authenticate with a naming context
+     * as the provider URL if it does not have appropriate Browse permissions.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testAuthnFailsWithSystemPartition() throws NamingException
+    {
+        createUser( "billyd", "billyd" );
+        
+        LdapDN userName = new LdapDN( "uid=billyd,ou=users,ou=system" ); 
+        try
+        {
+            // Authenticate to "ou=system"
+            getContextAs( userName, "billyd", "ou=system" );
+            fail( "Authentication should have failed." );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            Assert.assertNotNull( e ); 
+        }
+    }
+    
+    
+    /**
+     * Checks to make sure a user can authenticate with a naming context
+     * as the provider URL if it has appropriate Browse permissions.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testAuthnPassesWithSystemPartition() throws NamingException
+    {
+        createUser( "billyd", "billyd" );
+        
+        // Create ACI with minimum level of required privileges:
+        // Only for user "uid=billyd,ou=users,ou=system"
+        // Only to The entry "ou=system"
+        // Only Browse permission
+        // Note: In order to read contents of the bound context
+        //       user will need appropriate Read permissions.
+        createAccessControlSubentry(
+            "grantBrowseForTheWholeNamingContext",
+            "{ maximum 0 }", // !!!!! Replace this with "{ minimum 1 }" for practicing !
+            "{ " + "identificationTag \"browseACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantBrowse } } } } }" );
+        
+        LdapDN userName = new LdapDN( "uid=billyd,ou=users,ou=system" ); 
+        try
+        {
+            // Authenticate to "ou=system"
+            getContextAs( userName, "billyd", "ou=system" );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            fail( "Authentication should not have failed." );
+        }
+    }
+}
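Review bot: `Assert.assertNotNull( e )` on the catch path of testAuthnFailsWithSystemPartition can never fail (a caught exception is never null) and is the only use of the JUnit 3 `junit.framework.Assert` import while the rest of the file statically imports `org.junit.Assert.*`; drop the import and replace the line with a comment such as `// expected: billyd has no Browse permission on ou=system`, or assert on something observable like `e.getMessage()` if the message is part of the contract. The inline note `// !!!!! Replace this with "{ minimum 1 }" for practicing !` on the `"{ maximum 0 }"` argument in testAuthnPassesWithSystemPartition reads as a leftover exercise prompt rather than documentation; replace it with a comment that states why this subtree specification is used, e.g. `// limits the grant to the ou=system entry itself, the least privilege needed to bind to it` (assuming that is the intended reading of the spec, which should be confirmed against the subentry semantics). Each test calls `createUser( "billyd", "billyd" )` and createUser throws if the entry exists, so the class appears to rely on a fresh service per test method; the class declares no `@Scope`, so that assumption is worth stating in the class Javadoc.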

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Copied: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzISuite.java (from r602007, directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/schema/SchemaISuite.java)
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzISuite.java?p2=directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzISuite.java&p1=directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/schema/SchemaISuite.java&r1=602007&r2=602318&rev=602318&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/schema/SchemaISuite.java (original)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzISuite.java Fri Dec  7 20:52:17 2007
@@ -16,13 +16,14 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.directory.server.core.schema;
+package org.apache.directory.server.core.authz;
 
 import org.apache.directory.server.core.integ.CiSuite;
 import org.apache.directory.server.core.integ.ServiceScope;
 import org.apache.directory.server.core.integ.SetupMode;
 import org.apache.directory.server.core.integ.annotations.Mode;
 import org.apache.directory.server.core.integ.annotations.Scope;
+import org.apache.directory.server.core.schema.*;
 import org.junit.runner.RunWith;
 import org.junit.Ignore;
 import org.junit.runners.Suite;
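Review bot: The added `import org.apache.directory.server.core.schema.*;` looks unused after the copy: the new `@Suite.SuiteClasses` list in the next hunk names only classes from the authz package this file now lives in, so nothing from the schema package is referenced. If it only survived from when the copied file still listed the schema suite classes, remove it; a wildcard import also hides which test classes the suite actually depends on, which matters for a suite whose correctness depends on class ordering.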
@@ -36,19 +37,21 @@
  */
 @RunWith ( CiSuite.class )
 @Suite.SuiteClasses ( {
-        MetaAttributeTypeHandlerIT.class,
-        MetaComparatorHandlerIT.class,
-        MetaMatchingRuleHandlerIT.class,
-        MetaNormalizerHandlerIT.class,
-        MetaObjectClassHandlerIT.class,
-        MetaSchemaHandlerIT.class,
-        MetaSyntaxCheckerHandlerIT.class,
-        MetaSyntaxHandlerIT.class,
-        ObjectClassCreateIT.class,
-        SchemaPersistenceIT.class,
-        SubschemaSubentryIT.class,
-        SchemaServiceIT.class
+        AddAuthorizationIT.class,
+        AuthorizationServiceAsAdminIT.class,
+        AuthorizationServiceAsNonAdminIT.class,
+        AuthzAuthnIT.class,
+        CompareAuthorizationIT.class,
+        DeleteAuthorizationIT.class,
+        GeneralAuthorizationIT.class,
+        ModifyAuthorizationIT.class,
+        MoveRenameAuthorizationIT.class,
+        SearchAuthorizationIT.class,
+        AdministratorsGroupIT.class     // make sure this always runs last since it leaves
+                                        // the default factory service running instead of
+                                        // one with 
         } )
-public class SchemaISuite
+@Scope ( ServiceScope.TESTSUITE )
+public class AuthzISuite
 {
-}
+}
\ No newline at end of file
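Review bot: The trailing comment on `AdministratorsGroupIT.class` is cut off mid-sentence (`// one with `), so the constraint it tries to record is lost; presumably it should end with something like `// one with access control enabled`, given that AutzIntegUtils.ServiceFactory enables access control and DefaultServiceFactory does not. With `@Scope ( ServiceScope.TESTSUITE )` the service instance is shared across every class in the list, so the "must run last" rule is a real ordering dependency and deserves a complete comment that tells the next maintainer to add new test classes above it, e.g. `// MUST stay last: it swaps in the DefaultServiceFactory (access control disabled) and leaves that service running for the rest of the suite`. The file also ends without a trailing newline (`\ No newline at end of file`).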

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,385 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DefaultDirectoryService;
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.integ.DirectoryServiceFactory;
+import static org.apache.directory.server.core.integ.IntegrationUtils.getSystemContext;
+import org.apache.directory.server.core.partition.PartitionNexus;
+import org.apache.directory.server.core.subtree.SubentryInterceptor;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+
+import javax.naming.Name;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.ldap.LdapContext;
+import java.util.Hashtable;
+
+
+/**
+ * Some extra utility methods added to it which are required by all
+ * authorization tests.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class AutzIntegUtils
+{
+    public static DirectoryService service;
+
+
+    public static class ServiceFactory implements DirectoryServiceFactory
+    {
+        public DirectoryService newInstance()
+        {
+            DefaultDirectoryService service = new DefaultDirectoryService();
+            service.setAccessControlEnabled( true );
+            service.getChangeLog().setEnabled( true );
+            AutzIntegUtils.service = service;
+            return service;
+        }
+    }
+
+
+    public static class DefaultServiceFactory implements DirectoryServiceFactory
+    {
+        public DirectoryService newInstance()
+        {
+            DefaultDirectoryService service = new DefaultDirectoryService();
+            service.setAccessControlEnabled( false );
+            service.getChangeLog().setEnabled( true );
+            AutzIntegUtils.service = service;
+            return service;
+        }
+    }
+
+
+    // -----------------------------------------------------------------------
+    // Utility methods used by subclasses
+    // -----------------------------------------------------------------------
+
+    /**
+     * Gets a context at ou=system as the admin user.
+     *
+     * @return the admin context at ou=system
+     * @throws NamingException if there are problems creating the context
+     */
+    public static DirContext getContextAsAdmin() throws NamingException
+    {
+        return getSystemContext( service );
+    }
+
+
+    /**
+     * Gets a context at some dn within the directory as the admin user.
+     * Should be a dn of an entry under ou=system since no other partitions
+     * are enabled.
+     *
+     * @param dn the DN of the context to get
+     * @return the context for the DN as the admin user
+     * @throws NamingException if is a problem initializing or getting the context
+     */
+    @SuppressWarnings("unchecked")
+    public static DirContext getContextAsAdmin( String dn ) throws NamingException
+    {
+        LdapContext sysRoot = getSystemContext( service );
+        Hashtable<String,Object> env = ( Hashtable<String,Object> ) sysRoot.getEnvironment().clone();
+        env.put( DirContext.PROVIDER_URL, dn );
+        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+        env.put( DirContext.SECURITY_PRINCIPAL, PartitionNexus.ADMIN_PRINCIPAL );
+        env.put( DirContext.SECURITY_CREDENTIALS, "secret" );
+        env.put( DirContext.INITIAL_CONTEXT_FACTORY, "org.apache.directory.server.core.jndi.CoreContextFactory" );
+        env.put( DirectoryService.JNDI_KEY, service );
+        return new InitialDirContext( env );
+    }
+
+
+    /**
+     * Creates a group using the groupOfUniqueNames objectClass under the
+     * ou=groups,ou=sytem container with an initial member.
+     *
+     * @param cn the common name of the group used as the RDN attribute
+     * @param firstMemberDn the DN of the first member of this group
+     * @return the distinguished name of the group entry
+     * @throws NamingException if there are problems creating the new group like
+     * it exists already
+     */
+    public static Name createGroup( String cn, String firstMemberDn ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes group = new AttributesImpl( "cn", cn, true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        group.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "groupOfUniqueNames" );
+        group.put( "uniqueMember", firstMemberDn );
+        adminCtx.createSubcontext( "cn=" + cn + ",ou=groups", group );
+        return new LdapDN( "cn=" + cn + ",ou=groups,ou=system" );
+    }
+
+
+    /**
+     * Deletes a user with a specific UID under ou=users,ou=system.
+     *
+     * @param uid the RDN value for the user to delete
+     * @throws NamingException if there are problems removing the user
+     * i.e. user does not exist
+     */
+    public static void deleteUser( String uid ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        adminCtx.destroySubcontext( "uid=" + uid + ",ou=users" );
+    }
+
+
+    /**
+     * Creates a simple user as an inetOrgPerson under the ou=users,ou=system
+     * container.  The user's RDN attribute is the uid argument.  This argument
+     * is also used as the value of the two MUST attributes: sn and cn.
+     *
+     * @param uid the value of the RDN attriubte (uid), the sn and cn attributes
+     * @param password the password to use to create the user
+     * @return the dn of the newly created user entry
+     * @throws NamingException if there are problems creating the user entry
+     */
+    public static Name createUser( String uid, String password ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes user = new AttributesImpl( "uid", uid, true );
+        user.put( "userPassword", password );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        user.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "person" );
+        objectClass.add( "organizationalPerson" );
+        objectClass.add( "inetOrgPerson" );
+        user.put( "sn", uid );
+        user.put( "cn", uid );
+        adminCtx.createSubcontext( "uid=" + uid + ",ou=users", user );
+        return new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+    }
+
+
+    /**
+     * Creates a simple groupOfUniqueNames under the ou=groups,ou=system
+     * container.  The admin user is always a member of this newly created 
+     * group.
+     *
+     * @param groupName the name of the cgroup to create
+     * @return the DN of the group as a Name object
+     * @throws NamingException if the group cannot be created
+     */
+    public static Name createGroup( String groupName ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes group = new AttributesImpl( true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        group.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "groupOfUniqueNames" );
+        group.put( "uniqueMember", PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
+        adminCtx.createSubcontext( "cn=" + groupName + ",ou=groups", group );
+        return new LdapDN( "cn=" + groupName + ",ou=groups,ou=system" );
+    }
+
+
+    /**
+     * Adds an existing user under ou=users,ou=system to an existing group under the
+     * ou=groups,ou=system container.
+     *
+     * @param userUid the uid of the user to add to the group
+     * @param groupCn the cn of the group to add the user to
+     * @throws NamingException if the group does not exist
+     */
+    public static void addUserToGroup( String userUid, String groupCn ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes changes = new AttributesImpl( "uniqueMember", "uid=" + userUid + ",ou=users,ou=system", true );
+        adminCtx.modifyAttributes( "cn=" + groupCn + ",ou=groups", DirContext.ADD_ATTRIBUTE, changes );
+    }
+
+
+    /**
+     * Removes a user from a group.
+     *
+     * @param userUid the RDN attribute value of the user to remove from the group
+     * @param groupCn the RDN attribute value of the group to have user removed from
+     * @throws NamingException if there are problems accessing the group
+     */
+    public static void removeUserFromGroup( String userUid, String groupCn ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes changes = new AttributesImpl( "uniqueMember", "uid=" + userUid + ",ou=users,ou=system", true );
+        adminCtx.modifyAttributes( "cn=" + groupCn + ",ou=groups", DirContext.REMOVE_ATTRIBUTE, changes );
+    }
+
+
+    /**
+     * Gets the context at ou=system as a specific user.
+     *
+     * @param user the DN of the user to get the context as
+     * @param password the password of the user
+     * @return the context as the user
+     * @throws NamingException if the user does not exist or authx fails
+     */
+    public static DirContext getContextAs( Name user, String password ) throws NamingException
+    {
+        return getContextAs( user, password, PartitionNexus.SYSTEM_PARTITION_SUFFIX );
+    }
+
+
+    /**
+     * Gets the context at any DN under ou=system as a specific user.
+     *
+     * @param user the DN of the user to get the context as
+     * @param password the password of the user
+     * @param dn the distinguished name of the entry to get the context for
+     * @return the context representing the entry at the dn as a specific user
+     * @throws NamingException if the does not exist or authx fails
+     */
+    @SuppressWarnings("unchecked")
+    public static DirContext getContextAs( Name user, String password, String dn ) throws NamingException
+    {
+        LdapContext sysRoot = getSystemContext( service );
+        Hashtable<String,Object> env = ( Hashtable<String,Object> ) sysRoot.getEnvironment().clone();
+        env.put( DirContext.PROVIDER_URL, dn );
+        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
+        env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
+        env.put( DirContext.SECURITY_CREDENTIALS, password );
+        env.put( DirContext.INITIAL_CONTEXT_FACTORY, "org.apache.directory.server.core.jndi.CoreContextFactory" );
+        env.put( DirectoryService.JNDI_KEY, service );
+        return new InitialDirContext( env );
+    }
+
+
+    public static void deleteAccessControlSubentry( String cn ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        adminCtx.destroySubcontext( "cn=" + cn );
+    }
+
+
+    /**
+     * Creates an access control subentry under ou=system whose subtree covers
+     * the entire naming context.
+     *
+     * @param cn the common name and rdn for the subentry
+     * @param aciItem the prescriptive ACI attribute value
+     * @throws NamingException if there is a problem creating the subentry
+     */
+    public static void createAccessControlSubentry( String cn, String aciItem ) throws NamingException
+    {
+        createAccessControlSubentry( cn, "{}", aciItem );
+    }
+
+
+    /**
+     * Creates an access control subentry under ou=system whose subtree covers
+     * the entire naming context.
+     *
+     * @param cn the common name and rdn for the subentry
+     * @param subtree the subtreeSpecification for the subentry
+     * @param aciItem the prescriptive ACI attribute value
+     * @throws NamingException if there is a problem creating the subentry
+     */
+    public static void createAccessControlSubentry( String cn, String subtree, String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+
+        // modify ou=system to be an AP for an A/C AA if it is not already
+        Attributes ap = adminCtx.getAttributes( "", new String[]
+            { "administrativeRole" } );
+        Attribute administrativeRole = ap.get( "administrativeRole" );
+        if ( administrativeRole == null || !administrativeRole.contains( SubentryInterceptor.AC_AREA ) )
+        {
+            Attributes changes = new AttributesImpl( "administrativeRole", SubentryInterceptor.AC_AREA, true );
+            adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
+        }
+
+        // now add the A/C subentry below ou=system
+        Attributes subentry = new AttributesImpl( "cn", cn, true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        subentry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( SchemaConstants.SUBENTRY_OC );
+        objectClass.add( "accessControlSubentry" );
+        subentry.put( "subtreeSpecification", subtree );
+        subentry.put( "prescriptiveACI", aciItem );
+        adminCtx.createSubcontext( "cn=" + cn, subentry );
+    }
+
+
+    /**
+     * Adds and entryACI attribute to an entry specified by a relative name
+     * with respect to ou=system
+     *
+     * @param rdn a name relative to ou=system
+     * @param aciItem the entryACI attribute value
+     * @throws NamingException if there is a problem adding the attribute
+     */
+    public static void addEntryACI( Name rdn, String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+
+        // modify the entry relative to ou=system to include the aciItem
+        Attributes changes = new AttributesImpl( "entryACI", aciItem, true );
+        adminCtx.modifyAttributes( rdn, DirContext.ADD_ATTRIBUTE, changes );
+    }
+
+
+    /**
+     * Adds and subentryACI attribute to ou=system
+     *
+     * @param aciItem the subentryACI attribute value
+     * @throws NamingException if there is a problem adding the attribute
+     */
+    public static void addSubentryACI( String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+
+        // modify the entry relative to ou=system to include the aciItem
+        Attributes changes = new AttributesImpl( "subentryACI", aciItem, true );
+        adminCtx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );
+    }
+    
+    
+    /**
+     * Replaces values of an prescriptiveACI attribute of a subentry subordinate
+     * to ou=system.
+     *
+     * @param cn the common name of the aci subentry
+     * @param aciItem the new value for the ACI item
+     * @throws NamingException if the modify fails
+     */
+    public static void changePresciptiveACI( String cn, String aciItem ) throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes changes = new AttributesImpl( "prescriptiveACI", aciItem );
+        adminCtx.modifyAttributes( "cn=" + cn, DirContext.REPLACE_ATTRIBUTE, changes );
+    }
+}
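Review bot: The Javadoc on the three-argument `createAccessControlSubentry( String cn, String subtree, String aciItem )` is a copy of the two-argument overload's and still says the subentry "covers the entire naming context", which is only true when the caller passes `"{}"`; reword it to `Creates an access control subentry under ou=system whose subtree specification is given by the caller.` and keep the "entire naming context" wording on the two-argument overload that hard-codes `"{}"`. `deleteAccessControlSubentry( String cn )` is the only public helper without Javadoc; add at least `/** Deletes the access control subentry cn=&lt;cn&gt; directly under ou=system as the admin user. @throws NamingException if the subentry does not exist or cannot be removed */`. The helpers build DNs by concatenation (`"uid=" + uid + ",ou=users"`, `"cn=" + cn + ",ou=groups"`, `"cn=" + cn`), so a uid or cn containing `,`, `+` or `=` would be parsed as extra RDN components rather than as the value; since these helpers take their values from test code this is a robustness rather than an exposure concern, but wrapping the value with `javax.naming.ldap.Rdn.escapeValue( uid )` would make them safe for arbitrary values. `changePresciptiveACI` is misspelled in a public method name; since it is new in this commit, renaming it to `changePrescriptiveACI` now avoids carrying the typo into callers.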

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,258 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.jndi.ServerLdapContext;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import static org.junit.Assert.*;
+import org.junit.Test;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+
+
+/**
+ * Tests whether or not authorization around entry compare operations work properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class CompareAuthorizationIT
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks if an attribute of a simple entry (an organizationalUnit's telephoneNumber)
+     * with an RDN relative to ou=system can be compared by a specific non-admin user.
+     * If a permission exception is encountered it is caught and false is returned,
+     * otherwise true is returned.  The entry is deleted after being created just in case
+     * subsequent calls to this method are made in the same test case: the admin account
+     * is used to add and delete this test entry so permissions to add and delete are not
+     * required to test the compare operation by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry is created
+     * for comparison test
+     * @param number the telephone number to compare to this one
+     * @return true if the entry's telephoneNumber can be compared by the user at the
+     * specified location, false otherwise.  A false compare result still returns
+     * true.
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanCompareTelephoneNumberAs( String uid, String password, String entryRdn, String number )
+        throws NamingException
+    {
+        // create the entry with the telephoneNumber attribute to compare
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+        testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+
+        DirContext adminContext = getContextAsAdmin();
+
+        try
+        {
+            // create the entry as admin
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            // compare the telephone numbers
+            DirContext userContext = getContextAs( userName, password );
+            ServerLdapContext ctx = ( ServerLdapContext ) userContext.lookup( "" );
+            ctx.compare( new LdapDN( entryRdn + ",ou=system" ), "telephoneNumber", number );
+
+            // don't return compare result which can be false but true since op was permitted
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+        finally
+        {
+            // let's clean up
+            adminContext.destroySubcontext( entryRdn );
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for compare operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantCompareAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a compare operation which should fail without any ACI
+        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+
+        // Gives grantCompare, and grantRead perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorAdd", 
+            "{ identificationTag \"addAci\", " +
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: { " +
+            "    userClasses { " +
+            "      userGroup { " +
+            "        \"cn=Administrators,ou=groups,ou=system\" " +
+            "      } " +
+            "    }, " + 
+            "    userPermissions { " +
+            "      { " +
+            "        protectedItems { entry, allUserAttributeTypesAndValues }, " +
+            "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
+
+        // see if we can now add that test entry which we could not before
+        // add op should still fail since billd is not in the admin group
+        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try an add operation which should succeed with ACI and group membership change
+        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "976-6969" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for compare operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantCompareByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an compare operation which should fail without any ACI
+        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+
+        // now add a subentry that enables user billyd to compare an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for compare operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantCompareBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a compare operation which should fail without any ACI
+        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+
+        // now add a subentry that enables user billyd to compare an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for compare operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantCompareAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+
+        // see if we can now compare that test entry's number which we could not before
+        // should work with billyd now that all users are authorized
+        assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    }
+
+
+    @Test
+    public void testPasswordCompare() throws NamingException
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes user = new AttributesImpl( "uid", "bob", true );
+        user.put( "userPassword", "bobspassword".getBytes() );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        user.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "person" );
+        objectClass.add( "organizationalPerson" );
+        objectClass.add( "inetOrgPerson" );
+        user.put( "sn", "bob" );
+        user.put( "cn", "bob" );
+        adminCtx.createSubcontext( "uid=bob,ou=users", user );
+
+        ServerLdapContext ctx = ( ServerLdapContext ) adminCtx.lookup( "" );
+        assertTrue( ctx.compare( new LdapDN( "uid=bob,ou=users,ou=system" ), "userPassword", "bobspassword" ) );
+    }
+
+}
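Review bot: `testPasswordCompare` creates `uid=bob,ou=users` as admin but never removes it, unlike the other tests in this file whose helper tears down its fixture in `finally`; if the framework does not revert the service between tests, a later test that creates the same entry will collide. Wrapping the compare in try/finally with `adminCtx.destroySubcontext( "uid=bob,ou=users" )` fixes that, and the method also deserves a one-line Javadoc (`/** Checks that the admin can compare a userPassword value stored on a user entry. */`). Separately, `"bobspassword".getBytes()` encodes with the platform default charset, so the stored bytes may differ from the `"bobspassword"` string passed to `compare` on a non-ASCII-safe platform; an explicit charset is safer. Several comments in `testGrantCompareAdministrators` and `testGrantCompareAllUsers` still say "add operation"/"add an entry" (copied from the add tests) where the code performs a compare, and the subentry names and `identificationTag "addAci"` were copied the same way.
```java
        adminCtx.createSubcontext( "uid=bob,ou=users", user );
        try
        {
            ServerLdapContext ctx = ( ServerLdapContext ) adminCtx.lookup( "" );
            assertTrue( ctx.compare( new LdapDN( "uid=bob,ou=users,ou=system" ), "userPassword", "bobspassword" ) );
        }
        finally
        {
            // remove the fixture so later tests creating uid=bob do not collide
            adminCtx.destroySubcontext( "uid=bob,ou=users" );
        }
```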

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,211 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+import org.apache.directory.shared.ldap.name.LdapDN;
+
+
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.DirectoryService;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+
+
+/**
+ * Tests whether or not authorization rules for entry deletion works properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class DeleteAuthorizationIT 
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks if a simple entry (organizationalUnit) can be deleted from the DIT at an
+     * RDN relative to ou=system by a specific non-admin user.  The entry is first
+     * created using the admin account which can do anything without limitations.
+     * After creating the entry as the admin an attempt is made to delete it as the
+     * specified user.
+     *
+     * If a permission exception is encountered it is caught and false is returned,
+     * otherwise true is returned when the entry is created.  The entry is deleted by the
+     * admin user after a delete failure to make sure the entry is deleted if subsequent
+     * calls are made to this method: the admin account is used to delete this test entry
+     * so permissions to delete are not required to delete it by the specified user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry creation then deletion is tested
+     * @return true if the entry can be created by the user at the specified location, false otherwise
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanDeleteEntryAs( String uid, String password, String entryRdn ) throws NamingException
+    {
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+
+        DirContext adminContext = getContextAsAdmin();
+        try
+        {
+            // create the entry as the admin
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            // delete the newly created context as the user
+            DirContext userContext = getContextAs( userName, password );
+            userContext.destroySubcontext( entryRdn );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            adminContext.destroySubcontext( entryRdn );
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantDeleteAdministrators() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // Gives grantRemove perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+
+        // see if we can now delete that test entry which we could not before
+        // delete op should still fail since billd is not in the admin group
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try a delete operation which should succeed with ACI and group membership change
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantDeleteByName() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to delete an entry below ou=system
+        createAccessControlSubentry( "billydAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantDeleteBySubtree() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables user billyd to delte an entry below ou=system
+        createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+
+
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for delete operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantDeleteAllUsers() throws NamingException
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a delete operation which should fail without any ACI
+        assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry}, "
+            + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+
+        // see if we can now delete that test entry which we could not before
+        // should work now with billyd now that all users are authorized
+        assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
+    }
+}
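Review bot: `checkCanDeleteEntryAs` only cleans up the admin-created entry in the `LdapNoPermissionException` branch; any other `NamingException` thrown by `getContextAs` or the user's `destroySubcontext` propagates and leaves `ou=testou` behind, so the next call in the same test fails on `createSubcontext` rather than on the permission being tested. A second catch for `NamingException` that removes the fixture (only if it was actually created) and rethrows keeps the helper self-cleaning; the `finally` used by the compare helper in this commit would not work here because a successful user delete already removed the entry. The Javadoc is also copied from the add helper: `@return true if the entry can be created by the user` and `otherwise true is returned when the entry is created` should read `deleted`.
```java
        DirContext adminContext = getContextAsAdmin();
        boolean created = false;
        try
        {
            // create the entry as the admin
            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            adminContext.createSubcontext( entryRdn, testEntry );
            created = true;

            // delete the newly created context as the user
            DirContext userContext = getContextAs( userName, password );
            userContext.destroySubcontext( entryRdn );

            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            adminContext.destroySubcontext( entryRdn );
            return false;
        }
        catch ( NamingException e )
        {
            // unexpected failure: still remove the fixture so later calls do not collide
            if ( created )
            {
                adminContext.destroySubcontext( entryRdn );
            }
            throw e;
        }
```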

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,73 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.server.core.DirectoryService;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+
+
+/**
+ * Tests various authorization functionality without any specific operation.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev: 494176 $
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class GeneralAuthorizationIT 
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks to make sure we cannot create a malformed ACI missing two
+     * last brackets.
+     *
+     * @throws NamingException if the test encounters an error
+     */
+    @Test
+    public void testFailureToAddBadACI() throws NamingException
+    {
+        // add a subentry with malformed ACI
+        try
+        {
+            createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+                + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+                + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+                + "grantsAndDenials { grantAdd, grantBrowse } } }" );
+            fail( "should never get here due to failure to add bad ACIItem" );
+        }
+        catch( LdapInvalidAttributeValueException e )
+        {
+            assertEquals( ResultCodeEnum.INVALID_ATTRIBUTE_SYNTAX, e.getResultCode() );
+        }
+    }
+}
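Review bot: `testFailureToAddBadACI` checks the result code of the rejected add but never verifies that the rejected `cn=anybodyAdd` subentry was not created anyway, which is the property that matters for an access-control test (a partially applied subentry would silently grant `grantAdd` to `allUsers`). After the catch, a lookup of `"cn=anybodyAdd"` through the admin context that expects `javax.naming.NameNotFoundException` would pin that down; it needs `getContextAsAdmin` added to the static import from `AutzIntegUtils`. The `@version $Rev: 494176 $` tag carries a stale revision copied from the original file; with `svn:keywords` now set it will be rewritten, but the bare `$Rev$` form used by the sibling files is cleaner.
```java
        catch( LdapInvalidAttributeValueException e )
        {
            assertEquals( ResultCodeEnum.INVALID_ATTRIBUTE_SYNTAX, e.getResultCode() );
        }

        // the rejected subentry must not exist in any form
        try
        {
            getContextAsAdmin().lookup( "cn=anybodyAdd" );
            fail( "malformed ACI must not leave a subentry behind" );
        }
        catch ( NameNotFoundException ignored )
        {
            // expected: nothing was created
        }
```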

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/GeneralAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native


