directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r960058 - in /directory/apacheds/trunk: core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Date Fri, 02 Jul 2010 17:08:19 GMT
Author: elecharny
Date: Fri Jul  2 17:08:19 2010
New Revision: 960058

URL: http://svn.apache.org/viewvc?rev=960058&view=rev
Log:
o Added 3 tests which were commented due to some bad ACI
o Fixed a problem in the RelatedProtectedItemFilter

Modified:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=960058&r1=960057&r2=960058&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
(original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
Fri Jul  2 17:08:19 2010
@@ -581,92 +581,146 @@ public class ModifyAuthorizationIT exten
     }
 
 
-    //    /**
-    //     * Checks to make sure name based userClass works for modify operations.
-    //     *
-    //     * @throws javax.naming.Exception if the test encounters an error
-    //     */
-    //    public void testGrantModifyByName() throws Exception
-    //    {
-    //        // create the non-admin user
-    //        createUser( "billyd", "billyd" );
-    //
-    //        // try an modify operation which should fail without any ACI
-    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309"
) );
-    //
-    //        // now add a subentry that enables user billyd to modify an entry below ou=system
-    //        createAccessControlSubentry( "billydAdd", "{ " +
-    //                "identificationTag \"addAci\", " +
-    //                "precedence 14, " +
-    //                "authenticationLevel none, " +
-    //                "itemOrUserFirst userFirst: { " +
-    //                "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
-    //                "userPermissions { { " +
-    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }"
);
-    //
-    //        // should work now that billyd is authorized by name
-    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" )
);
-    //    }
-    //
-    //
-    //    /**
-    //     * Checks to make sure subtree based userClass works for modify operations.
-    //     *
-    //     * @throws javax.naming.Exception if the test encounters an error
-    //     */
-    //    public void testGrantModifyBySubtree() throws Exception
-    //    {
-    //        // create the non-admin user
-    //        createUser( "billyd", "billyd" );
-    //
-    //        // try a modify operation which should fail without any ACI
-    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309"
) );
-    //
-    //        // now add a subentry that enables user billyd to modify an entry below ou=system
-    //        createAccessControlSubentry( "billyAddBySubtree", "{ " +
-    //                "identificationTag \"addAci\", " +
-    //                "precedence 14, " +
-    //                "authenticationLevel none, " +
-    //                "itemOrUserFirst userFirst: { " +
-    //                "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
-    //                "userPermissions { { " +
-    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }"
);
-    //
-    //        // should work now that billyd is authorized by the subtree userClass
-    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" )
);
-    //    }
-    //
-    //
-    //    /**
-    //     * Checks to make sure <b>allUsers</b> userClass works for modify operations.
-    //     *
-    //     * @throws javax.naming.Exception if the test encounters an error
-    //     */
-    //    public void testGrantModifyAllUsers() throws Exception
-    //    {
-    //        // create the non-admin user
-    //        createUser( "billyd", "billyd" );
+    /**
+     * Checks to make sure name based userClass works for modify operations.
+     *
+     * @throws javax.naming.Exception if the test encounters an error
+     */
+    @Test
+    public void testGrantModifyByName() throws Exception
+    {
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
+            new DefaultEntryAttribute( "telephoneNumber", "012-3456" ) );
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an modify operation which should fail without any ACI
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // now add a subentry that enables user billyd to modify an entry below ou=system
+        createAccessControlSubentry( 
+            "billydAdd", 
+            "{ " +
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " +
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+            "      }, " +
+            "      { " +
+            "        protectedItems {allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
+
+        // should work now that billyd is authorized by name
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+    }
+    
+    
+    /**
+     * Checks to make sure subtree based userClass works for modify operations.
+     *
+     * @throws javax.naming.Exception if the test encounters an error
+     */
+    @Test
+    public void testGrantModifyBySubtree() throws Exception
+    {
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
+            new DefaultEntryAttribute( "telephoneNumber", "012-345678" ) );
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try a modify operation which should fail without any ACI
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // now add a subentry that enables user billyd to modify an entry below ou=system
+        createAccessControlSubentry( 
+            "billyAddBySubtree", 
+            "{ " +
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " +
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses " +
+            "    {" +
+            "      subtree { { base \"ou=users,ou=system\" } } " +
+            "    }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+            "      }, " +
+            "      { " +
+            "        protectedItems {allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
     //
-    //        // try an add operation which should fail without any ACI
-    //        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309"
) );
+        // should work now that billyd is authorized by the subtree userClass
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+    }
     //
-    //        // now add a subentry that enables anyone to add an entry below ou=system
-    //        createAccessControlSubentry( "anybodyAdd", "{ " +
-    //                "identificationTag \"addAci\", " +
-    //                "precedence 14, " +
-    //                "authenticationLevel none, " +
-    //                "itemOrUserFirst userFirst: { " +
-    //                "userClasses { allUsers }, " +
-    //                "userPermissions { { " +
-    //                "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-    //                "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }"
);
     //
-    //        // see if we can now modify that test entry's number which we could not before
-    //        // should work with billyd now that all users are authorized
-    //        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" )
);
-    //    }
+    /**
+     * Checks to make sure <b>allUsers</b> userClass works for modify operations.
+     *
+     * @throws javax.naming.Exception if the test encounters an error
+     */
+    @Test
+    public void testGrantModifyAllUsers() throws Exception
+    {
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
+            new DefaultEntryAttribute( "telephoneNumber", "001-012345" ) );
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an add operation which should fail without any ACI
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+        // now add a subentry that enables anyone to add an entry below ou=system
+        createAccessControlSubentry( 
+            "anybodyAdd", 
+            "{ " +
+            "  identificationTag \"addAci\", " +
+            "  precedence 14, " +
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " +
+            "  { " +
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " +
+            "        protectedItems {entry}, " +
+            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+            "      }, " +
+            "      { " +
+            "        protectedItems {allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
+
+        // see if we can now modify that test entry's number which we could not before
+        // should work with billyd now that all users are authorized
+        assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+    }
 
     @Test
     public void testPresciptiveACIModification() throws Exception

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=960058&r1=960057&r2=960058&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Fri Jul  2 17:08:19 2010
@@ -123,10 +123,12 @@ public class RelatedProtectedItemFilter 
         {
             if ( item == ProtectedItem.ENTRY )
             {
-                if ( scope == OperationScope.ENTRY )
+                if ( scope != OperationScope.ENTRY )
                 {
-                    return true;
+                    continue;
                 }
+                
+                return true;
             }
             else if ( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
             {



Mime
View raw message