Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 29613 invoked from network); 2 Jul 2010 12:24:29 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 2 Jul 2010 12:24:29 -0000 Received: (qmail 7474 invoked by uid 500); 2 Jul 2010 12:24:29 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 7420 invoked by uid 500); 2 Jul 2010 12:24:27 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 7412 invoked by uid 99); 2 Jul 2010 12:24:26 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Jul 2010 12:24:26 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Jul 2010 12:24:19 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 7CC412388993; Fri, 2 Jul 2010 12:22:54 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r959961 - in /directory/apacheds/trunk: core-integ/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/ Date: Fri, 02 Jul 2010 12:22:54 -0000 To: commits@directory.apache.org From: elecharny@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100702122254.7CC412388993@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: elecharny Date: Fri Jul 2 12:22:53 2010 New Revision: 959961 URL: http://svn.apache.org/viewvc?rev=959961&view=rev Log: o Minor refactoring in the ACI interceptor o Formated the ACI in tests Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Fri Jul 2 12:22:53 2010 @@ -196,10 +196,27 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); // Gives grantRename perm to all users in the Administrators group for entries - createAccessControlSubentry( "grantRenameByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameByAdmin", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can now rename that test entry which we could not before // rename op should still fail since billyd is not in the admin group @@ -228,11 +245,27 @@ public class MoveRenameAuthorizationIT e // Gives grantRename, grantImport, grantExport perm to all users in the Administrators // group for entries - browse is needed just to read navigate the tree at root - createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "identificationTag \"addAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " - + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameMoveByAdmin", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can move and rename the test entry which we could not before // op should still fail since billyd is not in the admin group @@ -260,10 +293,27 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); // Gives grantImport, and grantExport perm to all users in the Administrators group for entries - createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantMoveByAdmin", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can now move that test entry which we could not before // op should still fail since billyd is not in the admin group @@ -302,10 +352,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); // Gives grantRename perm specifically to the billyd user - createAccessControlSubentry( "grantRenameByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameByName", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try a rename operation which should succeed with ACI assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); @@ -325,11 +389,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) ); // Gives grantRename, grantImport, grantExport perm to billyd user on entries - createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " - + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameMoveByName", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move w/ rdn change which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) ); @@ -349,10 +426,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); // Gives grantImport, and grantExport perm to billyd user for entries - createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantMoveByName", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move operation which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); @@ -383,10 +474,27 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); // Gives grantRename perm for entries to those users selected by the subtree - createAccessControlSubentry( "grantRenameByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameByTree", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " subtree { { base \"ou=users,ou=system\" } } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try a rename operation which should succeed with ACI assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); @@ -406,11 +514,26 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) ); // Gives grantRename, grantImport, grantExport for entries to users selected by subtree - createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { " - + "protectedItems {entry}, " - + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameMoveByTree", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: { " + + " userClasses " + + " { " + + " subtree { { base \"ou=users,ou=system\" } } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move w/ rdn change which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) ); @@ -430,10 +553,27 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); // Gives grantImport, and grantExport perm for entries to subtree selected users - createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { " - + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantMoveByTree", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " subtree { { base \"ou=users,ou=system\" } } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move operation which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); @@ -464,10 +604,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); // Gives grantRename perm for entries to any user - createAccessControlSubentry( "grantRenameByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry}, " - + "grantsAndDenials { grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameByAny", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try a rename operation which should succeed with ACI assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) ); @@ -487,10 +641,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) ); // Gives grantRename, grantImport, grantExport for entries to any user - createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { allUsers }, " + "userPermissions { { " + "protectedItems {entry}, " - + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantRenameMoveByAny", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move w/ rdn change which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) ); @@ -510,10 +678,24 @@ public class MoveRenameAuthorizationIT e assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); // Gives grantImport, and grantExport perm for entries to any user - createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry}, " - + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" ); + createAccessControlSubentry( + "grantMoveByAny", + "{ " + + " identificationTag \"addAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry}, " + + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // try move operation which should succeed with ACI assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) ); @@ -550,33 +732,66 @@ public class MoveRenameAuthorizationIT e createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", - "{ " + "identificationTag \"browseACI\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems { entry }, " - + "grantsAndDenials { grantBrowse } } } } }" ); + "{ " + + " identificationTag \"browseACI\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems { entry }, " + + " grantsAndDenials { grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // Gives grantExport, grantRename perm to all users in the Administrators // group for entries createAccessControlSubentry( "grantExportFromASubtree", - "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" } - "{ " + "identificationTag \"exportACI\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems { entry }, " - + "grantsAndDenials { grantExport, grantRename } } } } }" ); + "{ base \"ou=users\" }", + "{ " + + " identificationTag \"exportACI\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems { entry }, " + + " grantsAndDenials { grantExport, grantRename } " + + " } " + + " } " + + " } " + + "}" ); // Gives grantImport perm to all users in the Administrators // group for the target context createAccessControlSubentry( "grantImportToASubtree", - "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" } - "{ " + "identificationTag \"importACI\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems { entry }, " - + "grantsAndDenials { grantImport } } } } }" ); + "{ base \"ou=groups\" }", + "{ " + + " identificationTag \"importACI\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems { entry }, " + + " grantsAndDenials { grantImport } " + + " } " + + " } " + + " } " + + "}" ); // see if we can move and rename the test entry which we could not before // op should still fail since billyd is not in the admin group Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Fri Jul 2 12:22:53 2010 @@ -103,24 +103,27 @@ public class SearchAuthorizationIT exten */ private Entry[] getTestNodes( final int count ) { - Entry[] attributes = new DefaultEntry[count]; - for ( int ii = 0; ii < count; ii++ ) + Entry[] entries = new DefaultEntry[count]; + + for ( int i = 0; i < count; i++ ) { + Entry entry = new DefaultEntry(); + try { - attributes[ii] = new DefaultEntry(); - attributes[ii].add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" ); - attributes[ii].add( SchemaConstants.OU_AT, String.valueOf( ii ) ); - attributes[ii].add( SchemaConstants.OU_AT, "testEntry" ); - attributes[ii].add( "telephoneNumber", String.valueOf( count ) ); + entry.add( "objectClass", "organizationalUnit" ); + entry.add( "ou", "testEntry", String.valueOf( i ) ); + entry.add( "telephoneNumber", String.valueOf( count ) ); } catch ( Exception e ) { e.printStackTrace(); } + + entries[i] = entry; } - return attributes; + return entries; } @@ -353,7 +356,7 @@ public class SearchAuthorizationIT exten assertEquals( 10, counter ); recursivelyDelete( base ); - //noinspection EmptyCatchBlock + SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( base.getName() ); assertNull( entry ); } @@ -374,25 +377,41 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); // Gives search perms to all users in the Administrators group for // entries and all attribute types and values - createAccessControlSubentry( "searchAdmin", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "searchAdmin", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); - // see if we can now add that test entry which we could not before - // add op should still fail since billd is not in the admin group + // see if we can now search that test entry which we could not before + // add or should still fail since billd is not in the admin group assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); // now add billyd to the Administrator group and try again addUserToGroup( "billyd", "Administrators" ); - // try an add operation which should succeed with ACI and group membership change + // try a search operation which should succeed with ACI and group membership change assertTrue( checkCanSearchAs( "billyd", "billyd" ) ); } @@ -408,15 +427,31 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); - // now add a subentry that enables user billyd to add an entry below ou=system - createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + // now add a subentry that enables user billyd to search an entry below ou=system + createAccessControlSubentry( + "billydSearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " name { \"uid=billyd,ou=users,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " }" + + " } " + + "}" ); // should work now that billyd is authorized by name assertTrue( checkCanSearchAs( "billyd", "billyd" ) ); @@ -435,15 +470,31 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "BillyD", "billyd" ) ); - // now add a subentry that enables user billyd to add an entry below ou=system - createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + // now add a subentry that enables user billyd to search an entry below ou=system + createAccessControlSubentry( + "billydSearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " name { \"uid=billyd,ou=users,ou=system\" } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // should work now that billyd is authorized by name assertTrue( checkCanSearchAs( "BillyD", "billyd" ) ); @@ -461,15 +512,34 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); - // now add a subentry that enables user billyd to add an entry below ou=system - createAccessControlSubentry( "billySearchBySubtree", "{ " + "identificationTag \"searchAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + // now add a subentry that enables user billyd to search an entry below ou=system + createAccessControlSubentry( + "billySearchBySubtree", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses " + + " { " + + " subtree " + + " { " + + " { base \"ou=users,ou=system\" } " + + " } " + + " }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // should work now that billyd is authorized by the subtree userClass assertTrue( checkCanSearchAs( "billyd", "billyd" ) ); @@ -487,14 +557,28 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an search operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); // now add a subentry that enables anyone to search an entry below ou=system - createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can now search that tree which we could not before // should work now with billyd now that all users are authorized @@ -518,18 +602,32 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) ); - // now add a subentry that enables anyone to add an entry below ou=system + // now add a subentry that enables anyone to search an entry below ou=system // down two more rdns for DNs of a max size of 3 - createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", "{ " + "identificationTag \"searchAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearch", + "{ maximum 2 }", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); - // see if we can now add that test entry which we could not before + // see if we can now search that test entry which we could not before // should work now with billyd now that all users are authorized assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) ); } @@ -547,19 +645,33 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) ); // now add a subentry that enables anyone to search an entry below ou=system // down two more rdns for DNs of a max size of 3. It only grants access to // the ou and objectClass attributes however. - createAccessControlSubentry( "excluseTelephoneNumber", "{ maximum 2 }", "{ " - + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allAttributeValues { ou, objectClass } }, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "excludeTelephoneNumber", + "{ maximum 2 }", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allAttributeValues { ou, objectClass } }, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); - // see if we can now add that search and find 4 entries + // see if we can now search and find 4 entries assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) ); // check to make sure the telephoneNumber attribute is not present in results @@ -569,16 +681,30 @@ public class SearchAuthorizationIT exten } // delete the subentry to test more general rule's inclusion of telephoneNumber - deleteAccessControlSubentry( "excluseTelephoneNumber" ); + deleteAccessControlSubentry( "excludeTelephoneNumber" ); // now add a subentry that enables anyone to search an entry below ou=system // down two more rdns for DNs of a max size of 3. This time we should be able // to see the telephoneNumber attribute - createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ " - + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues }, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "includeAllAttributeTypesAndValues", + "{ maximum 2 }", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues }, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " }" + + " } " + + "}" ); // again we should find four entries assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) ); @@ -604,26 +730,39 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // try an add operation which should fail without any ACI + // try a search operation which should fail without any ACI assertFalse( checkCanSearchAs( "billyd", "billyd", 3 ) ); // now add a subentry that enables anyone to search an entry below ou=system // down two more rdns for DNs of a max size of 3. It only grants access to // the ou and objectClass attributes however. createAccessControlSubentry( - "excluseOUValue", + "excludeOUValue", "{ maximum 2 }", - "{ " - + "identificationTag \"searchAci\", " - + "precedence 14, " - + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " - + "userClasses { allUsers }, " - + "userPermissions { { " - + "protectedItems {entry, attributeType { ou }, allAttributeValues { objectClass }, attributeValue { ou=0, ou=1, ou=2 } }, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems " + + " {" + + " entry, " + + " attributeType { ou }, " + + " allAttributeValues { objectClass }, " + + " attributeValue { ou=0, ou=1, ou=2 } " + + " }, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); - // see if we can now add that search and find 4 entries + // see if we can now search and find 4 entries assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) ); // check to make sure the ou attribute value "testEntry" is not present in results @@ -633,16 +772,30 @@ public class SearchAuthorizationIT exten } // delete the subentry to test more general rule's inclusion of all values - deleteAccessControlSubentry( "excluseOUValue" ); + deleteAccessControlSubentry( "excludeOUValue" ); // now add a subentry that enables anyone to search an entry below ou=system // down two more rdns for DNs of a max size of 3. This time we should be able // to see the telephoneNumber attribute - createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ " - + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues }, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "includeAllAttributeTypesAndValues", + "{ maximum 2 }", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues }, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " }" + + "}" ); // again we should find four entries assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) ); @@ -669,10 +822,23 @@ public class SearchAuthorizationIT exten createUser( "billyd", "billyd" ); // now add an entryACI denies browse, read and returnDN to a specific entry - String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }"; + String aci = + "{ " + + " identificationTag \"denyAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + + " } " + + " } " + + " } " + + "}"; // try a search operation which should fail without any prescriptive ACI DN testsDn = new DN( "ou=system" ); @@ -680,10 +846,24 @@ public class SearchAuthorizationIT exten assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) ); // now add a subentry that enables anyone to search below ou=system - createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can now search the tree which we could not before // should work with billyd now that all users are authorized @@ -691,7 +871,7 @@ public class SearchAuthorizationIT exten assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) ); assertNull( results.get( "ou=tests,ou=system" ) ); - // try without the entry ACI .. just perscriptive and see ou=tests,ou=system + // try without the entry ACI, just perscriptive and see ou=tests,ou=system assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 10 ) ); assertNotNull( results.get( "ou=tests,ou=system" ) ); } @@ -711,11 +891,24 @@ public class SearchAuthorizationIT exten // create the non-admin user createUser( "billyd", "billyd" ); - // now add an entryACI denies browse, read and returnDN to a specific entry - String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }"; + // now add an entryACI denying browse, read and returnDN to a specific entry + String aci = + "{ " + + " identificationTag \"denyAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + + " } " + + " } " + + " } " + + "}"; // try a search operation which should fail without any prescriptive ACI DN testsDn = new DN( "ou=system" ); @@ -723,10 +916,24 @@ public class SearchAuthorizationIT exten assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) ); // now add a subentry that enables anyone to search below ou=system - createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 15, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 15, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // see if we can now search the tree which we could not before // should work with billyd now that all users are authorized @@ -738,10 +945,23 @@ public class SearchAuthorizationIT exten // now add an entryACI denies browse, read and returnDN to a specific entry // but this time the precedence will be higher than that of the grant - aci = "{ " + "identificationTag \"denyAci\", " + "precedence 16, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }"; + aci = + "{ " + + " identificationTag \"denyAci\", " + + " precedence 16, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + + " } " + + " } " + + " } " + + "}"; // see if we can now search the tree which we could not before // should work with billyd now that all users are authorized @@ -787,19 +1007,46 @@ public class SearchAuthorizationIT exten createUser( "billyd", "billyd" ); // now add a subentry that enables anyone to search below ou=system - createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " - + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearch", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // check and see if we can access the subentry now assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) ); // now add a denial to prevent all users except the admin from accessing the subentry - addSubentryACI( "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" ); + addSubentryACI( + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + + " } " + + " } " + + " } " + + "}" ); // now we should not be able to access the subentry with a search assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) ); @@ -814,11 +1061,33 @@ public class SearchAuthorizationIT exten // now add a subentry that enables anyone to search/lookup and disclose on error // below ou=system, with the exclusion of ou=groups and everything below it - createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions { chopBefore:\"ou=groups\" } }", - "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, " - + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" ); + createAccessControlSubentry( + "selectiveDiscloseOnError", + "{ specificExclusions " + + " { chopBefore:\"ou=groups\" } " + + "}", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst:" + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials " + + " { " + + " grantRead, " + + " grantReturnDN, " + + " grantBrowse, " + + " grantDiscloseOnError " + + " } " + + " } " + + " } " + + " } " + + "}" ); // get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd" ); @@ -829,11 +1098,30 @@ public class SearchAuthorizationIT exten // now delete and replace subentry with one that does not excluse ou=groups,ou=system deleteAccessControlSubentry( "selectiveDiscloseOnError" ); - createAccessControlSubentry( "selectiveDiscloseOnError", "{ " + "identificationTag \"searchAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" ); + createAccessControlSubentry( + "selectiveDiscloseOnError", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials " + + " { " + + " grantRead, " + + " grantReturnDN, " + + " grantBrowse, " + + " grantDiscloseOnError " + + " } " + + " } " + + " } " + + " } " + + "}" ); // now try a lookup of a non-existant entry under ou=groups,ou=system again entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" ); @@ -855,22 +1143,48 @@ public class SearchAuthorizationIT exten getAdminConnection().add( phoneBook ); // now add a subentry that enables anyone to search below their own entries - createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", " - + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " - + "userClasses { allUsers }, " + "userPermissions { { " - + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" ); + createAccessControlSubentry( + "anybodySearchTheirSubordinates", + "{ " + + " identificationTag \"searchAci\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); // check and see if we can access the subentry now assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) ); // now add a denial to prevent all users except the admin from accessing the subentry - addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ " - + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, " - + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, " - + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, " - + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" ); + addPrescriptiveACI( + "anybodySearchTheirSubordinates", + "{ " + + " identificationTag \"anybodyDontSearchTheirSubordinates\", " + + " precedence 14, " + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { parentOfEntry }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + + " } " + + " } " + + " } " + + "}" ); // now we should not be able to access the subentry with a search assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) ); Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=959961&r1=959960&r2=959961&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Fri Jul 2 12:22:53 2010 @@ -160,14 +160,17 @@ public class AciAuthorizationInterceptor /** the system wide subschemaSubentryDn */ private String subschemaSubentryDn; - private AttributeType objectClassType; - private AttributeType acSubentryType; + /** The ObjectClass AttributeType */ + private static AttributeType OBJECT_CLASS_AT; + + /** The AccessControlSubentry AttributeType */ + private static AttributeType ACCESS_CONTROL_SUBENTRY_AT; /** A storage for the entryACI attributeType */ - private AttributeType entryAciType; + private static AttributeType ENTRY_ACI_AT; /** the subentry ACI attribute type */ - private AttributeType subentryAciType; + private static AttributeType SUBENTRY_ACI_AT; public static final SearchControls DEFAULT_SEARCH_CONTROLS = new SearchControls(); @@ -187,20 +190,22 @@ public class AciAuthorizationInterceptor adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() ); CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService ); + schemaManager = directoryService.getSchemaManager(); + chain = directoryService.getInterceptorChain(); + // Create the caches tupleCache = new TupleCache( adminSession ); groupCache = new GroupCache( adminSession ); - schemaManager = directoryService.getSchemaManager(); // look up some constant information - objectClassType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT ); - acSubentryType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT ); - entryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID ); - subentryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID ); + OBJECT_CLASS_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT ); + ACCESS_CONTROL_SUBENTRY_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT ); + ENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID ); + SUBENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID ); + // Iitialize the ACI PARSER and ACDF engine aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( schemaManager ), schemaManager ); engine = new ACDFEngine( schemaManager ); - chain = directoryService.getInterceptorChain(); // stuff for dealing with subentries (garbage for now) Value subschemaSubentry = directoryService.getPartitionNexus().getRootDSE( null ).get( @@ -252,11 +257,11 @@ public class AciAuthorizationInterceptor if ( entry instanceof ClonedServerEntry ) { - oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( objectClassType ); + oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( OBJECT_CLASS_AT ); } else { - oc = entry.get( objectClassType ); + oc = entry.get( OBJECT_CLASS_AT ); } /* @@ -275,7 +280,7 @@ public class AciAuthorizationInterceptor entry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS ); } - EntryAttribute subentries = entry.get( acSubentryType ); + EntryAttribute subentries = entry.get( ACCESS_CONTROL_SUBENTRY_AT ); if ( subentries == null ) { @@ -300,7 +305,7 @@ public class AciAuthorizationInterceptor */ private void addEntryAciTuples( Collection tuples, Entry entry ) throws LdapException { - EntryAttribute entryAci = entry.get( entryAciType ); + EntryAttribute entryAci = entry.get( ENTRY_ACI_AT ); if ( entryAci == null ) { @@ -354,7 +359,7 @@ public class AciAuthorizationInterceptor Entry administrativeEntry = ( ( ClonedServerEntry ) opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS ) ) .getOriginalEntry(); - EntryAttribute subentryAci = administrativeEntry.get( subentryAciType ); + EntryAttribute subentryAci = administrativeEntry.get( SUBENTRY_ACI_AT ); if ( subentryAci == null ) { @@ -705,8 +710,10 @@ public class AciAuthorizationInterceptor */ private void checkLookupAccess( LookupOperationContext lookupContext, Entry entry ) throws LdapException { + DN dn = lookupContext.getDn(); + // no permissions checks on the RootDSE - if ( lookupContext.getDn().getNormName().trim().equals( "" ) ) + if ( dn.isRootDSE() ) { return; } @@ -715,13 +722,13 @@ public class AciAuthorizationInterceptor DN userName = principal.getDN(); Set userGroups = groupCache.getGroups( userName.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry ); + addPerscriptiveAciTuples( lookupContext, tuples, dn, entry ); addEntryAciTuples( tuples, entry ); - addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry ); + addSubentryAciTuples( lookupContext, tuples, dn, entry ); // check that we have read access to the entry engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(), - lookupContext.getDn(), null, null, LOOKUP_PERMS, tuples, entry, null ); + dn, null, null, LOOKUP_PERMS, tuples, entry, null ); // check that we have read access to every attribute type and value for ( EntryAttribute attribute : entry ) @@ -730,13 +737,16 @@ public class AciAuthorizationInterceptor for ( Value value : attribute ) { engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal - .getAuthenticationLevel(), lookupContext.getDn(), attribute.getAttributeType(), value, READ_PERMS, tuples, + .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, READ_PERMS, tuples, entry, null ); } } } + /** + * {@inheritDoc} + */ public Entry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws LdapException { CoreSession session = lookupContext.getSession(); @@ -750,6 +760,7 @@ public class AciAuthorizationInterceptor principalDn.normalize( schemaManager.getNormalizerMapping() ); } + // Bypass this interceptor if we disabled the AC subsystem or if the principal is the admin if ( isPrincipalAnAdministrator( principalDn ) || !directoryService.isAccessControlEnabled() ) { return next.lookup( lookupContext );