directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ersi...@apache.org
Subject svn commit: r681489 - in /directory: apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/ apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/ apacheds/branches/bigbang/core/...
Date Thu, 31 Jul 2008 21:00:50 GMT
Author: ersiner
Date: Thu Jul 31 14:00:49 2008
New Revision: 681489

URL: http://svn.apache.org/viewvc?rev=681489&view=rev
Log:
Fix for DIRSERVER-1204.
We can now control access to subordinate entries of a user's own entry.

Modified:
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
    directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
    directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
    directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
    directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g
    directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g
    directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
    directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java

Modified: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
(original)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
Thu Jul 31 14:00:49 2008
@@ -384,4 +384,11 @@
         Attributes changes = new AttributesImpl( "prescriptiveACI", aciItem );
         adminCtx.modifyAttributes( "cn=" + cn, DirContext.REPLACE_ATTRIBUTE, changes );
     }
+    
+    public static void addPrescriptiveACI( String cn, String aciItem ) throws Exception
+    {
+        DirContext adminCtx = getContextAsAdmin();
+        Attributes changes = new AttributesImpl( "prescriptiveACI", aciItem );
+        adminCtx.modifyAttributes( "cn=" + cn, DirContext.ADD_ATTRIBUTE, changes );
+    }
 }

Modified: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
(original)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
Thu Jul 31 14:00:49 2008
@@ -20,30 +20,24 @@
 package org.apache.directory.server.core.authz;
 
 
-import org.apache.directory.server.core.DirectoryService;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
 import static org.apache.directory.server.core.authz.AutzIntegUtils.addEntryACI;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.addPrescriptiveACI;
 import static org.apache.directory.server.core.authz.AutzIntegUtils.addSubentryACI;
-import org.apache.directory.server.core.integ.CiRunner;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
 import static org.apache.directory.server.core.integ.IntegrationUtils.getSystemContext;
-import org.apache.directory.server.core.integ.annotations.Factory;
-import org.apache.directory.shared.ldap.exception.LdapNameNotFoundException;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.message.AttributeImpl;
-import org.apache.directory.shared.ldap.message.AttributesImpl;
-import org.apache.directory.shared.ldap.name.LdapDN;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+
+import java.util.HashMap;
+import java.util.Map;
 
 import javax.naming.Name;
 import javax.naming.NamingEnumeration;
@@ -54,8 +48,17 @@
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapContext;
-import java.util.HashMap;
-import java.util.Map;
+
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapNameNotFoundException;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.junit.Test;
+import org.junit.runner.RunWith;
 
 
 /**
@@ -883,4 +886,38 @@
             assertEquals( matched.toString(), "ou=groups,ou=system" );
         }
     }
+    
+    @Test
+    public void testUserClassParentOfEntry() throws Exception
+    {
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+        
+        // create an entry subordinate to the user
+        DirContext billydCtx = AutzIntegUtils.getContextAsAdmin("uid=billyd,ou=users,ou=system");
+        Attributes phoneBook = new AttributesImpl( "ou", "phoneBook", true );
+        Attribute objectClass = new AttributeImpl( "objectClass" );
+        phoneBook.put( objectClass );
+        objectClass.add( "top" );
+        objectClass.add( "organizationalUnit" );
+        billydCtx.createSubcontext( "ou=phoneBook", phoneBook );
+
+        // now add a subentry that enables anyone to search below their own entries
+        createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag
\"searchAci\", " + "precedence 14, "
+            + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses
{ allUsers }, "
+            + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues},
"
+            + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+        // check and see if we can access the subentry now
+        assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapDN( "ou=phoneBook,uid=billyd,ou=users"
) ) );
+
+        // now add a denial to prevent all users except the admin from accessing the subentry
+        addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"anybodyDontSearchTheirSubordinates\",
" + "precedence 14, " + "authenticationLevel none, "
+            + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, " + "userPermissions
{ { "
+            + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+
+        // now we should not be able to access the subentry with a search
+        assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapDN( "ou=phoneBook,uid=billyd,ou=users"
) ) );
+    }
 }

Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
Thu Jul 31 14:00:49 2008
@@ -26,6 +26,7 @@
 import javax.naming.NamingException;
 
 import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
 import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.subtree.SubtreeEvaluator;
 import org.apache.directory.server.schema.registries.Registries;
@@ -36,6 +37,8 @@
 import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.name.LdapDN;
 import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
+import org.apache.directory.shared.ldap.util.DNUtils;
 
 
 /**
@@ -131,6 +134,13 @@
                     return true;
                 }
             }
+            else if ( userClass == UserClass.PARENT_OF_ENTRY )
+            {
+                if ( entryName.startsWith( userName ) )
+                {
+                    return true;
+                }
+            }
             else if ( userClass instanceof UserClass.Name )
             {
                 UserClass.Name nameUserClass = ( UserClass.Name ) userClass;

Modified: directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
(original)
+++ directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
Thu Jul 31 14:00:49 2008
@@ -109,6 +109,17 @@
         Assert.assertEquals( 0, filter.filter( null, tuples, OperationScope.ENTRY, null,
null, USER_NAME, null,
             AuthenticationLevel.NONE, new LdapDN( "ou=unrelated" ), null, null, null, null,
null ).size() );
     }
+    
+    
+    public void testParentOfEntry() throws Exception
+    {
+        Collection<ACITuple> tuples = getTuples( UserClass.PARENT_OF_ENTRY );
+
+        Assert.assertEquals( 1, filter.filter( null, tuples, OperationScope.ENTRY, null,
null, USER_NAME, null,
+            AuthenticationLevel.NONE, new LdapDN( "ou=phoneBook, ou=test, ou=users, ou=system"
), null, null, null, null, null ).size() );
+        Assert.assertEquals( 0, filter.filter( null, tuples, OperationScope.ENTRY, null,
null, USER_NAME, null,
+            AuthenticationLevel.NONE, new LdapDN( "ou=unrelated" ), null, null, null, null,
null ).size() );
+    }
 
 
     public void testName() throws Exception

Modified: directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g (original)
+++ directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g Thu Jul 31 14:00:49 2008
@@ -852,7 +852,8 @@
 }
     :
     allUsers
-    | thisEntry 
+    | thisEntry
+    | parentOfEntry
     | name
     | userGroup
     | subtree
@@ -880,6 +881,17 @@
     }
     ;
 
+parentOfEntry
+{
+    log.debug( "entered parentOfEntry()" );
+}
+    :
+    ID_parentOfEntry
+    {
+        userClassesMap.put( "parentOfEntry", UserClass.PARENT_OF_ENTRY );
+    }
+    ;
+
 name
 {
     log.debug( "entered name()" );
@@ -1369,6 +1381,7 @@
     ID_userPermissions = "userPermissions";
     ID_allUsers = "allUsers";
     ID_thisEntry = "thisEntry";
+    ID_parentOfEntry = "parentOfEntry";
     ID_subtree = "subtree";
     ID_name = "name";
     ID_userGroup = "userGroup";

Modified: directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g (original)
+++ directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g Thu Jul 31 14:00:49
2008
@@ -400,7 +400,8 @@
 userClass
     :
     allUsers
-    | thisEntry 
+    | thisEntry
+    | parentOfEntry
     | name
     | userGroup
     | subtree
@@ -416,6 +417,11 @@
     ID_thisEntry
     ;
 
+parentOfEntry
+    :
+    ID_parentOfEntry
+    ;
+
 name
     :
     ID_name ( SP )+ 
@@ -656,6 +662,7 @@
     ID_userPermissions = "userPermissions";
     ID_allUsers = "allUsers";
     ID_thisEntry = "thisEntry";
+    ID_parentOfEntry = "parentOfEntry";
     ID_subtree = "subtree";
     ID_name = "name";
     ID_userGroup = "userGroup";

Modified: directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
(original)
+++ directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
Thu Jul 31 14:00:49 2008
@@ -51,6 +51,11 @@
      * distinguished name of the ancestor.
      */
     public static final ThisEntry THIS_ENTRY = new ThisEntry();
+    
+    /**
+     * The user as parent (ancestor) of accessed entry.
+     */
+    public static final ParentOfEntry PARENT_OF_ENTRY = new ParentOfEntry();
 
 
     /**
@@ -101,7 +106,25 @@
             return "thisEntry";
         }
     }
-
+    
+    /**
+     * The user as parent (ancestor) of accessed entry.
+     */
+    public static class ParentOfEntry extends UserClass
+    {
+        private static final long serialVersionUID = 5247207736068086476L;
+        
+        private ParentOfEntry()
+        {
+        }
+        
+        public String toString()
+        {
+            return "parentOfEntry";
+        }
+        
+    }
+    
     /**
      * A base class for all user classes which has a set of DNs.
      */

Modified: directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java
(original)
+++ directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java
Thu Jul 31 14:00:49 2008
@@ -496,6 +496,19 @@
         }
     }
     
+    public void testUserClassParentOfEntry() throws Exception
+    {
+        String spec = "{ identificationTag \"id\"   , precedence 10, authenticationLevel
none  , "
+            + "itemOrUserFirst userFirst:  { userClasses {  parentOfEntry  , name { \"cn=ersin,ou=people\"
}, "
+            + "subtree {{ base \"ou=system\" }, { base \"ou=ORGANIZATIONUNIT\","
+            + "minimum  1, maximum   2 } } }  , "
+            + "userPermissions { { protectedItems{ entry  , attributeType { cn  , ou }  ,
attributeValue {x=y,m=n,k=l} , "
+            + "rangeOfValues (cn=ErsinEr) }  , grantsAndDenials { grantBrowse } } } }  }
  ";
+
+        ACIItem item = parser.parse( spec );
+        checkItemToString( spec, item );
+    }
+    
     
     /**
      * Test case for DIRSERVER-891



Mime
View raw message