
From akaras...@apache.org
Subject svn commit: r602318 [2/3] - in /directory/apacheds/branches/bigbang: core-integ/src/main/java/org/apache/directory/server/core/integ/state/ core-integ/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/...
Date Sat, 08 Dec 2007 04:52:19 GMT
Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,624 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.message.ModificationItemImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.DirectoryService;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import javax.naming.NamingEnumeration;
+import javax.naming.Name;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+
+import java.util.List;
+import java.util.ArrayList;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+
+
+/**
+ * Tests whether or not authorization around entry modify operations work properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class ModifyAuthorizationIT
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks if an attribute of a simple entry (an organizationalUnit) with an RDN
+     * relative to ou=system can be modified by a specific non-admin user.  If a
+     * permission exception is encountered it is caught and false is returned,
+     * otherwise true is returned.  The entry is deleted after being created just in case
+     * subsequent calls to this method are made in the same test case: the admin account
+     * is used to add and delete this test entry so permissions to add and delete are not
+     * required to test the modify operation by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry is created
+     * for modification test
+     * @param mods the modifications to make to the entry
+     * @return true if the modifications can be made by the user at the specified location,
+     * false otherwise.
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanModifyAs( String uid, String password, String entryRdn, ModificationItemImpl[] mods )
+        throws NamingException
+    {
+        // create the entry with the telephoneNumber attribute to modify
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+        testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+
+        DirContext adminContext = getContextAsAdmin();
+
+        //noinspection EmptyCatchBlock
+        try
+        {
+            // create the entry as admin
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            // modify the entry as the user
+            DirContext userContext = getContextAs( userName, password );
+            userContext.modifyAttributes( entryRdn, mods );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+        }
+        finally
+        {
+            // let's clean up
+            adminContext.destroySubcontext( entryRdn );
+        }
+        
+        return false;
+    }
+
+
+    /**
+     * Checks if an attribute of a simple entry (an organizationalUnit) with an RDN
+     * relative to ou=system can be modified by a specific non-admin user.  If a
+     * permission exception is encountered it is caught and false is returned,
+     * otherwise true is returned.  The entry is deleted after being created just in case
+     * subsequent calls to this method are made in the same test case: the admin account
+     * is used to add and delete this test entry so permissions to add and delete are not
+     * required to test the modify operation by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry is created
+     * for modification test
+     * @param mods the attributes to modify in the entry
+     * @param modOp the modification operation to use for all attributes
+     * @return true if the modifications can be made by the user at the specified location,
+     * false otherwise.
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanModifyAs( String uid, String password, String entryRdn, int modOp, Attributes mods )
+        throws NamingException
+    {
+        // create the entry with the telephoneNumber attribute to modify
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+        testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+
+        DirContext adminContext = getContextAsAdmin();
+
+        try
+        {
+            // create the entry as admin
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            // modify the entry as the user
+            DirContext userContext = getContextAs( userName, password );
+            userContext.modifyAttributes( entryRdn, modOp, mods );
+
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+        finally
+        {
+            // let's clean up
+            adminContext.destroySubcontext( entryRdn );
+        }
+    }
+
+
+    /**
+     * Checks if a user can modify an attribute of their own entry.  Users are
+     * presumed to reside under ou=users,ou=system.  If a permission exception is
+     * encountered it is caught and false is returned, otherwise true is returned.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param mods the attributes to modify in the entry
+     * @param modOp the modification operation to use for all attributes
+     * @return true if the modifications can be made by the user his/her own entry,
+     * false otherwise.
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanSelfModify( String uid, String password, int modOp, Attributes mods ) throws NamingException
+    {
+        try
+        {
+            // modify the entry as the user
+            Name userEntry = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
+            userContext.modifyAttributes( "", modOp, mods );
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks if a user can modify an attribute of their own entry.  Users are
+     * presumed to reside under ou=users,ou=system.  If a permission exception is
+     * encountered it is caught and false is returned, otherwise true is returned.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param mods the attributes to modify in the entry
+     * @return true if the modifications can be made by the user his/her own entry,
+     * false otherwise.
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanSelfModify( String uid, String password, ModificationItemImpl[] mods ) throws NamingException
+    {
+        try
+        {
+            // modify the entry as the user
+            Name userEntry = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
+            userContext.modifyAttributes( "", mods );
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            return false;
+        }
+    }
+
+
+    /**
+     * Converts a set of attributes and a modification operation type into a MoficationItem array.
+     *
+     * @param modOp the modification operation to perform
+     * @param changes the modifications to the attribute
+     * @return the array of modification items represting the changes
+     * @throws NamingException if there are problems accessing attributes
+     */
+    private ModificationItemImpl[] toItems( int modOp, Attributes changes ) throws NamingException
+    {
+        List<ModificationItemImpl> mods = new ArrayList<ModificationItemImpl>();
+        NamingEnumeration<? extends Attribute> list = changes.getAll();
+        while ( list.hasMore() )
+        {
+            Attribute attr = list.next();
+            mods.add( new ModificationItemImpl( modOp, attr ) );
+        }
+        ModificationItemImpl[] modArray = new ModificationItemImpl[mods.size()];
+        return mods.toArray( modArray );
+    }
+
+
+    @Test
+    public void testSelfModification() throws NamingException
+    {
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Addition
+        // ----------------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // create the password modification
+        ModificationItemImpl[] mods = toItems( DirContext.REPLACE_ATTRIBUTE, new AttributesImpl( "userPassword",
+            "williams", true ) );
+
+        // try a modify operation which should fail without any ACI
+        assertFalse( checkCanSelfModify( "billyd", "billyd", mods ) );
+
+        // Gives grantModify, and grantRead perm to all users in the Administrators group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "selfModifyUserPassword", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { thisEntry }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } }, "
+            + "{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } "
+            + "} } }" );
+
+        // try a modify operation which should succeed with ACI
+        assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
+        deleteAccessControlSubentry( "selfModifyUserPassword" );
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for modify operations.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantModifyByTestGroup() throws NamingException
+    {
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Addition
+        // ----------------------------------------------------------------------------------
+
+        // create the add modifications
+        ModificationItemImpl[] mods = toItems( DirContext.ADD_ATTRIBUTE, new AttributesImpl( "registeredAddress",
+            "100 Park Ave.", true ) );
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+        
+        createGroup( "TestGroup" );
+
+        // try a modify operation which should fail without any ACI
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
+
+        // see if we can now add that test entry which we could not before
+        // add op should still fail since billd is not in the admin group
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // now add billyd to the TestGroup group and try again
+        addUserToGroup( "billyd", "TestGroup" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        deleteAccessControlSubentry( "administratorModifyAdd" );
+
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Removal
+        // ----------------------------------------------------------------------------------
+
+        // now let's test to see if we can perform a modify with a delete op
+        mods = toItems( DirContext.REMOVE_ATTRIBUTE, new AttributesImpl( "telephoneNumber", "867-5309", true ) );
+
+        // make sure we cannot remove the telephone number from the test entry
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        deleteAccessControlSubentry( "administratorModifyRemove" );
+
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Replace (requires both grantRemove and grantAdd on attrs)
+        // ----------------------------------------------------------------------------------
+
+        // now let's test to see if we can perform a modify with a delete op
+        mods = toItems( DirContext.REPLACE_ATTRIBUTE, new AttributesImpl( "telephoneNumber", "867-5309", true ) );
+
+        // make sure we cannot remove the telephone number from the test entry
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+            + "} } }" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        deleteAccessControlSubentry( "administratorModifyReplace" );
+
+        /* =================================================================================
+         *              DO IT ALL OVER AGAIN BUT USE THE OTHER MODIFY METHOD
+         * ================================================================================= */
+
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Addition
+        // ----------------------------------------------------------------------------------
+        // create the add modifications
+        Attributes changes = new AttributesImpl( "registeredAddress", "100 Park Ave.", true );
+
+        // try a modify operation which should fail without any ACI
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
+        deleteAccessControlSubentry( "administratorModifyAdd" );
+
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Removal
+        // ----------------------------------------------------------------------------------
+
+        // now let's test to see if we can perform a modify with a delete op
+        changes = new AttributesImpl( "telephoneNumber", "867-5309", true );
+
+        // make sure we cannot remove the telephone number from the test entry
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
+        deleteAccessControlSubentry( "administratorModifyRemove" );
+
+        // ----------------------------------------------------------------------------------
+        // Modify with Attribute Replace (requires both grantRemove and grantAdd on attrs)
+        // ----------------------------------------------------------------------------------
+
+        // now let's test to see if we can perform a modify with a delete op
+        changes = new AttributesImpl( "telephoneNumber", "867-5309", true );
+
+        // make sure we cannot remove the telephone number from the test entry
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
+
+        // Gives grantModify, and grantRead perm to all users in the TestGroup group for
+        // entries and all attribute types and values
+        createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
+            + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+            + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+            + "} } }" );
+
+        // try a modify operation which should succeed with ACI and group membership change
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
+        deleteAccessControlSubentry( "administratorModifyReplace" );
+    }
+
+
+    //    /**
+    //     * Checks to make sure name based userClass works for modify operations.
+    //     *
+    //     * @throws javax.naming.NamingException if the test encounters an error
+    //     */
+    //    public void testGrantModifyByName() throws NamingException
+    //    {
+    //        // create the non-admin user
+    //        createUser( "billyd", "billyd" );
+    //
+    //        // try an modify operation which should fail without any ACI
+    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //
+    //        // now add a subentry that enables user billyd to modify an entry below ou=system
+    //        createAccessControlSubentry( "billydAdd", "{ " +
+    //                "identificationTag \"addAci\", " +
+    //                "precedence 14, " +
+    //                "authenticationLevel none, " +
+    //                "itemOrUserFirst userFirst: { " +
+    //                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+    //                "userPermissions { { " +
+    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+    //
+    //        // should work now that billyd is authorized by name
+    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //    }
+    //
+    //
+    //    /**
+    //     * Checks to make sure subtree based userClass works for modify operations.
+    //     *
+    //     * @throws javax.naming.NamingException if the test encounters an error
+    //     */
+    //    public void testGrantModifyBySubtree() throws NamingException
+    //    {
+    //        // create the non-admin user
+    //        createUser( "billyd", "billyd" );
+    //
+    //        // try a modify operation which should fail without any ACI
+    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //
+    //        // now add a subentry that enables user billyd to modify an entry below ou=system
+    //        createAccessControlSubentry( "billyAddBySubtree", "{ " +
+    //                "identificationTag \"addAci\", " +
+    //                "precedence 14, " +
+    //                "authenticationLevel none, " +
+    //                "itemOrUserFirst userFirst: { " +
+    //                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+    //                "userPermissions { { " +
+    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+    //
+    //        // should work now that billyd is authorized by the subtree userClass
+    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //    }
+    //
+    //
+    //    /**
+    //     * Checks to make sure <b>allUsers</b> userClass works for modify operations.
+    //     *
+    //     * @throws javax.naming.NamingException if the test encounters an error
+    //     */
+    //    public void testGrantModifyAllUsers() throws NamingException
+    //    {
+    //        // create the non-admin user
+    //        createUser( "billyd", "billyd" );
+    //
+    //        // try an add operation which should fail without any ACI
+    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //
+    //        // now add a subentry that enables anyone to add an entry below ou=system
+    //        createAccessControlSubentry( "anybodyAdd", "{ " +
+    //                "identificationTag \"addAci\", " +
+    //                "precedence 14, " +
+    //                "authenticationLevel none, " +
+    //                "itemOrUserFirst userFirst: { " +
+    //                "userClasses { allUsers }, " +
+    //                "userPermissions { { " +
+    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+    //
+    //        // see if we can now modify that test entry's number which we could not before
+    //        // should work with billyd now that all users are authorized
+    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+    //    }
+    
+    
+    @Test
+    public void testPresciptiveACIModification() throws NamingException
+    {
+        
+        ModificationItemImpl[] mods = toItems( DirContext.ADD_ATTRIBUTE,
+            new AttributesImpl( "registeredAddress", "100 Park Ave.", true ) );
+
+        createUser( "billyd", "billyd" );
+
+        createAccessControlSubentry( "modifyACI", "{ " + "identificationTag \"modifyAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { allUsers }, " + "userPermissions { "
+            + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } } } } }" );
+
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        mods = toItems( DirContext.REPLACE_ATTRIBUTE,
+            new AttributesImpl( "registeredAddress", "200 Park Ave.", true ) );
+        
+        changePresciptiveACI( "modifyACI", "{ " + "identificationTag \"modifyAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { allUsers }, " + "userPermissions { "
+            + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { denyModify } } } } }" );
+
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        deleteAccessControlSubentry( "modifyACI" );
+        
+    }
+    
+
+    @Test
+    public void testMaxValueCountProtectedItem() throws NamingException
+    {
+        createUser( "billyd", "billyd" );
+        createAccessControlSubentry( "mvcACI",
+            " {" +
+                " identificationTag \"mvcACI\"," +
+                " precedence 10," +
+                " authenticationLevel simple," +
+                " itemOrUserFirst userFirst:" + 
+                " {" +
+                    " userClasses { allUsers }," +
+                    " userPermissions" + 
+                    " {" +
+                        " {" +
+                            " protectedItems { entry }," +
+                            " grantsAndDenials { grantModify, grantBrowse }" +
+                        " }" +
+                        " ," +
+                        " {" +
+                            " protectedItems" + 
+                            " {" +
+                                " attributeType { description }," +
+                                " allAttributeValues { description }," +
+                                " maxValueCount" + 
+                                " {" +
+                                    " { type description, maxCount 1 }" + 
+                                " }" +
+                            " }" +
+                            " ," +
+                            " grantsAndDenials" + 
+                            " {" +
+                                " grantRemove," +
+                                " grantAdd" +
+                            " }" +
+                        " }" +
+                     " }" +
+                " }" +
+            " }" );
+        
+        ModificationItemImpl[] mods = toItems( DirContext.ADD_ATTRIBUTE,
+            new AttributesImpl( "description", "description 1", true ) );
+        
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        AttributesImpl attrs = new AttributesImpl(true);
+        AttributeImpl attr = new AttributeImpl( "description" );
+        attr.add( "description 1" );
+        attr.add( "description 2" );
+        attrs.put( attr );
+        mods = toItems( DirContext.ADD_ATTRIBUTE, attrs );
+        
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+        
+        mods = toItems( DirContext.REPLACE_ATTRIBUTE, attrs );
+        
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+    }
+}
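Review bot: The two "Modify with Attribute Replace" subentries (`administratorModifyReplace`, in both the `ModificationItemImpl[]` path and the `modOp`/`Attributes` path) grant `attributeType {registeredAddress}, allAttributeValues {telephoneNumber}` while the operation being authorized is a REPLACE of `telephoneNumber`, so the `assertTrue` that follows only passes if the ACI engine authorizes a replace without attributeType permission on the attribute actually modified; this reads like a copy-paste from the add case and should be `{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } }` in both places so the test pins the contract the section header states ("requires both grantRemove and grantAdd on attrs"). If value-level permission alone is the intended rule for replace, that should be said in a comment rather than left as an accidental-looking mismatch, because an authorization test that passes with a broader-than-intended grant hides a real weakness. The comments above those subentries still say "Administrators group" and "billd is not in the admin group" although the userClass is `userGroup { "cn=TestGroup,ou=groups,ou=system" }`; updating them to name TestGroup avoids misreading what the negative assertion checks. Separately, the first `checkCanModifyAs` overload swallows `LdapNoPermissionException` in an empty catch and relies on the trailing `return false`, while the second returns from the catch; `catch ( LdapNoPermissionException e ) { return false; }` in both keeps the helpers symmetrical and makes the deny path explicit.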

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id

Added: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=602318&view=auto
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (added)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Fri Dec  7 20:52:17 2007
@@ -0,0 +1,523 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz;
+
+import org.apache.directory.shared.ldap.name.LdapDN;
+
+
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.server.core.DirectoryService;
+import org.junit.runner.RunWith;
+
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+
+import static org.junit.Assert.*;
+import org.junit.Test;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.*;
+
+
+/**
+ * Tests whether or not authorization around entry renames and moves work properly.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$
+ */
+@RunWith ( CiRunner.class )
+@Factory ( AutzIntegUtils.ServiceFactory.class )
+public class MoveRenameAuthorizationIT
+{
+    public static DirectoryService service;
+
+
+    /**
+     * Checks if a simple entry (organizationalUnit) can be renamed at an RDN relative
+     * to ou=system by a specific non-admin user.  If a permission exception
+     * is encountered it is caught and false is returned, otherwise true is returned
+     * when the entry is created.  The entry is deleted after being created just in case
+     * subsequent calls to this method do not fail: the admin account is used to delete
+     * this test entry so permissions to delete are not required to delete it by the user.
+     *
+     * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
+     * @param password the password of this user
+     * @param entryRdn the relative DN, relative to ou=system where entry renames are tested
+     * @param newRdn the new RDN for the entry under ou=system
+     * @return true if the entry can be renamed by the user at the specified location, false otherwise
+     * @throws javax.naming.NamingException if there are problems conducting the test
+     */
+    public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newRdn )
+        throws NamingException
+    {
+        Attributes testEntry = new AttributesImpl( "ou", "testou", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        testEntry.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+
+        DirContext adminContext = getContextAsAdmin();
+        try
+        {
+            // create the new entry as the admin user
+            adminContext.createSubcontext( entryRdn, testEntry );
+
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            DirContext userContext = getContextAs( userName, password );
+            userContext.rename( entryRdn, newRdn );
+
+            // delete the renamed context as the admin user
+            adminContext.destroySubcontext( newRdn );
+            return true;
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            // delete the original context as the admin user since rename
+            // of newly created test entry did not succeed
+            adminContext.destroySubcontext( entryRdn );
+            return false;
+        }
+    }
+
+
+    /**
+     * Checks to make sure group membership based userClass works for renames,
+     * moves and moves with renames.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantByAdministrators() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test simple RDN change: NO SUBTREE MOVEMENT!
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try the rename operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // Gives grantRename perm to all users in the Administrators group for entries
+        createAccessControlSubentry( "grantRenameByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+
+        // see if we can now rename that test entry which we could not before
+        // rename op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try a rename operation which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantRenameByAdmin" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // Gives grantRename, grantImport, grantExport perm to all users in the Administrators
+        // group for entries - browse is needed just to read navigate the tree at root
+        createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, "
+            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+
+        // see if we can move and rename the test entry which we could not before
+        // op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try move w/ rdn change which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantRenameMoveByAdmin" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move ONLY without any RDN changes.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try move operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // Gives grantImport, and grantExport perm to all users in the Administrators group for entries
+        createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+
+        // see if we can now move that test entry which we could not before
+        // op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try move operation which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantMoveByAdmin" );
+        deleteUser( "billyd" );
+    }
+
+
+    /**
+     * Checks to make sure name based userClass works for rename, move, and
+     * rename with move operation access controls.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantByName() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test simple RDN change: NO SUBTREE MOVEMENT!
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try the rename operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // Gives grantRename perm specifically to the billyd user
+        createAccessControlSubentry( "grantRenameByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+
+        // try a rename operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameByName" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // Gives grantRename, grantImport, grantExport perm to billyd user on entries
+        createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, "
+            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+
+        // try move w/ rdn change which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameMoveByName" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move ONLY without any RDN changes.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try move operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // Gives grantImport, and grantExport perm to billyd user for entries
+        createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+
+        // try move operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantMoveByName" );
+        deleteUser( "billyd" );
+    }
+
+
+    /**
+     * Checks to make sure subtree based userClass works for rename, move, and
+     * rename with move operation access controls.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantBySubtree() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test simple RDN change: NO SUBTREE MOVEMENT!
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try the rename operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // Gives grantRename perm for entries to those users selected by the subtree
+        createAccessControlSubentry( "grantRenameByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+
+        // try a rename operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameByTree" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // Gives grantRename, grantImport, grantExport for entries to users selected by subtree
+        createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry}, "
+            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+
+        // try move w/ rdn change which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameMoveByTree" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move ONLY without any RDN changes.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try move operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // Gives grantImport, and grantExport perm for entries to subtree selected users
+        createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+            + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+
+        // try move operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantMoveByTree" );
+        deleteUser( "billyd" );
+    }
+
+
+    /**
+     * Checks to make sure the <b>anyUser</b> userClass works for rename, move, and
+     * rename with move operation access controls.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testGrantByAnyuser() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test simple RDN change: NO SUBTREE MOVEMENT!
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try the rename operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // Gives grantRename perm for entries to any user
+        createAccessControlSubentry( "grantRenameByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry}, "
+            + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+
+        // try a rename operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameByAny" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // Gives grantRename, grantImport, grantExport for entries to any user
+        createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { allUsers }, " + "userPermissions { { " + "protectedItems {entry}, "
+            + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+
+        // try move w/ rdn change which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantRenameMoveByAny" );
+        deleteUser( "billyd" );
+
+        // ----------------------------------------------------------------------------
+        // Test move ONLY without any RDN changes.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try move operation which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // Gives grantImport, and grantExport perm for entries to any user
+        createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry}, "
+            + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+
+        // try move operation which should succeed with ACI
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+
+        // now let's cleanup
+        deleteAccessControlSubentry( "grantMoveByAny" );
+        deleteUser( "billyd" );
+    }
+    
+    
+    /**
+     * Checks to make sure Export and Import permissions work correctly
+     * when they are defined on seperate contexts.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    @Test
+    public void testExportAndImportSeperately() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        
+        // Gives grantBrowse perm to all users in the Administrators
+        // group for entries
+        // It's is needed just to read navigate the tree at root
+        createAccessControlSubentry(
+            "grantBrowseForTheWholeNamingContext",
+            "{ }",
+            "{ " + "identificationTag \"browseACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantBrowse } } } } }" );
+        
+        // Gives grantExport, grantRename perm to all users in the Administrators
+        // group for entries
+        createAccessControlSubentry(
+            "grantExportFromASubtree",
+            "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" }
+            "{ " + "identificationTag \"exportACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantExport, grantRename } } } } }" );
+        
+        // Gives grantImport perm to all users in the Administrators
+        // group for the target context
+        createAccessControlSubentry(
+            "grantImportToASubtree",
+            "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" }
+            "{ " + "identificationTag \"importACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantImport } } } } }" );
+
+        // see if we can move and rename the test entry which we could not before
+        // op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try move w/ rdn change which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
+        deleteAccessControlSubentry( "grantExportFromASubtree" );
+        deleteAccessControlSubentry( "grantImportToASubtree" );
+        deleteUser( "billyd" );
+    }
+}
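Review bot: checkCanRenameAs removes the test entry only on the success path and in `catch ( LdapNoPermissionException e )`; any other NamingException thrown by createSubcontext, getContextAs or rename propagates with `ou=testou` still bound under ou=system, so the next checkCanRenameAs call in the same test method fails at createSubcontext with a name-already-bound error instead of reporting an authorization verdict. Moving the admin-side destroySubcontext into a finally that deletes whichever name the entry is currently bound under closes that gap, and the user DirContext obtained from getContextAs should be closed there too rather than left open. The cleanup is what makes the assertFalse/assertTrue sequence in testGrantByAdministrators and the other tests meaningful, since each call presumes the previous one left no entry behind.

```java
    public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newRdn )
        throws NamingException
    {
        // … unchanged: build testEntry attributes …

        DirContext adminContext = getContextAsAdmin();
        String currentName = null;   // name the test entry is bound under right now; null until created
        DirContext userContext = null;
        try
        {
            // create the new entry as the admin user
            adminContext.createSubcontext( entryRdn, testEntry );
            currentName = entryRdn;

            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
            userContext = getContextAs( userName, password );
            userContext.rename( entryRdn, newRdn );
            currentName = newRdn;
            return true;
        }
        catch ( LdapNoPermissionException e )
        {
            return false;
        }
        finally
        {
            if ( userContext != null )
            {
                userContext.close();
            }
            // remove the test entry as the admin user however the rename ended
            if ( currentName != null )
            {
                adminContext.destroySubcontext( currentName );
            }
        }
    }
```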

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Fri Dec  7 20:52:17 2007
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id


