Subject: svn commit: r960232 - in /directory: apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ shared/trunk/ldap-constants/src/main/java/org/apache/...
Date: Sat, 03 Jul 2010 16:21:51 -0000
To: commits@directory.apache.org
From: elecharny@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100703162151.E303123889DD@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: elecharny Date: Sat Jul 3 16:21:51 2010 New Revision: 960232 URL: http://svn.apache.org/viewvc?rev=960232&view=rev Log: o Added a test for DIRSERVER-999 (ignored) o When the ACI tuples is empty, don't go through the filters o Added a dedicated logger for ACI (ACI_LOG) Added: directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=960232&r1=960231&r2=960232&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Sat Jul 3 16:21:51 2010 
@@ -1189,4 +1189,50 @@ public class SearchAuthorizationIT exten // now we should not be able to access the subentry with a search assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) ); } + + + /** + * Checks that we can protect a RangeOfValues item + * + * @throws Exception if the test encounters an error + */ + @Test + @Ignore + public void testRangeOfValues() throws Exception + { + // create the non-admin user + createUser( "billyd", "billyd" ); + + // try a search operation which should fail without any ACI + assertFalse( checkCanSearchAs( "billyd", "billyd" ) ); + + // now add a subentry that allows a user to read the CN only + createAccessControlSubentry( + "rangeOfValues", + "{ " + + " identificationTag \"rangeOfValuesAci\", " + + " precedence 14," + + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + + " { " + + " userClasses { allUsers }, " + + " userPermissions " + + " { " + + " { " + + " protectedItems { entry, rangeOfValues (cn=billyd) }, " + + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + + " } " + + " } " + + " } " + + "}" ); + + // see if we can now search and find 4 entries + assertTrue( checkCanSearchAs( "billyd", "billyd" ) ); + + // check to make sure the telephoneNumber attribute is not present in results + for ( Entry result : results.values() ) + { + assertNotNull( result.get( "cn" ) ); + } + } } Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=960232&r1=960231&r2=960232&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original) +++ 
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Sat Jul 3 16:21:51 2010 @@ -221,10 +221,18 @@ public class ACDFEngine // Clone aciTuples in case it is unmodifiable. aciTuples = new ArrayList( aciTuples ); + + // Filter unrelated and invalid tuples for ( ACITupleFilter filter : filters ) { + if ( aciTuples.size() == 0 ) + { + // No need to continue filtering + return false; + } + aciTuples = filter.filter( schemaManager, aciTuples, Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=960232&r1=960231&r2=960232&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Sat Jul 3 16:21:51 2010 @@ -26,12 +26,15 @@ import org.apache.directory.server.core. import org.apache.directory.shared.ldap.aci.ACITuple; import org.apache.directory.shared.ldap.aci.MicroOperation; import org.apache.directory.shared.ldap.constants.AuthenticationLevel; +import org.apache.directory.shared.ldap.constants.Loggers; import org.apache.directory.shared.ldap.entry.Entry; import org.apache.directory.shared.ldap.entry.Value; import org.apache.directory.shared.ldap.exception.LdapException; import org.apache.directory.shared.ldap.name.DN; import org.apache.directory.shared.ldap.schema.AttributeType; import org.apache.directory.shared.ldap.schema.SchemaManager; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** 
@@ -43,6 +46,9 @@ import org.apache.directory.shared.ldap. */ public interface ACITupleFilter { + /** the dedicated logger for ACI */ + static final Logger ACI_LOG = LoggerFactory.getLogger( Loggers.ACI_LOG.getName() ); + /** * Returns the collection of the filtered tuples using the specified * extra information. Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=960232&r1=960231&r2=960232&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Sat Jul 3 16:21:51 2010 @@ -60,8 +60,11 @@ public class HighestPrecedenceFilter imp Entry entryView ) throws LdapException { + ACI_LOG.debug( "Filtering HighestPrecedence..." ); + if ( tuples.size() <= 1 ) { + ACI_LOG.debug( "HighestPrecedence : nothing to do" ); return tuples; } Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=960232&r1=960231&r2=960232&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Sat Jul 3 16:21:51 2010 
@@ -95,6 +95,8 @@ public class MaxImmSubFilter implements Entry entryView ) throws LdapException { + ACI_LOG.debug( "Filtering MaxImmSub..." ); + if ( entryName.size() == 0 ) { return tuples; Added: directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java URL: http://svn.apache.org/viewvc/directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java?rev=960232&view=auto ============================================================================== --- directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java (added) +++ directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java Sat Jul 3 16:21:51 2010 
@@ -0,0 +1,55 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + * + */ +package org.apache.directory.shared.ldap.constants; + +/** + * An enum defining a list of dedicated loggers, used for debugging + * purpose : + * - ACI_LOG + * - (more to come) + * + * @author Apache Directory Project + * @version $Rev$, $Date$ + */ +public enum Loggers +{ + ACI_LOG( "aci-logger" ); + + private String name; + + /** + * Creates a new instance of LdapSecurityConstants. + */ + private Loggers( String name ) + { + this.name = name; + } + + + /** + * Return the name associated with the constant. + */ + public String getName() + { + return name; + } + + +}
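
Review bot: In SearchAuthorizationIT.java, the closing loop of testRangeOfValues only asserts that "cn" is non-null on each result, so the test would pass whether or not `rangeOfValues (cn=billyd)` restricts anything. Assert instead on which entries come back, for example that entries not matching cn=billyd are absent from `results`. The comments "read the CN only", "find 4 entries" and "telephoneNumber attribute is not present" do not match the ACI or the assertions in this method and should be rewritten for it. The bare `@Ignore` would also be easier to track with a reason, e.g. `@Ignore( "DIRSERVER-999" )`.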
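
Review bot: In ACDFEngine.java, the new `return false;` inside the filter loop is an access-denied decision that leaves no trace, even though this commit introduces ACI_LOG for exactly this kind of diagnosis. Log a debug line before returning, saying that no tuples remain, so a denied request can be told apart from one rejected later. Since the emptiness check runs before each filter rather than after it, a list emptied by the last filter is not caught by this branch; confirm that the code following the loop also ends in a deny for that case. `aciTuples.isEmpty()` reads better than `aciTuples.size() == 0`.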
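
Review bot: In ACITupleFilter.java, declaring ACI_LOG as a field of the interface makes it implicitly public and inherited by every implementor, so the logger becomes part of the filter API rather than an implementation detail. Consider holding it in a small non-public helper class, or declaring it in each filter that logs. If it stays in the interface, the `static final` modifiers are redundant there, and the Javadoc could say that the name comes from `Loggers.ACI_LOG`.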
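
Review bot: In HighestPrecedenceFilter.java, both new debug messages are constant strings, so an ACI trace will not show how many tuples entered the filter or why there was "nothing to do". Use the slf4j parameterized form to include the count, e.g. `ACI_LOG.debug( "HighestPrecedence : nothing to do, {} tuple(s)", tuples.size() );`, and consider logging the size of the returned collection at the end of the method so the effect of the filter is visible.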
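
Review bot: In MaxImmSubFilter.java, the early return under `if ( entryName.size() == 0 )` is not logged, while the equivalent shortcut in HighestPrecedenceFilter now is. Add a matching "nothing to do" debug line in that branch so the two filters trace consistently, and include the tuple count in the "Filtering MaxImmSub..." message.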
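
Review bot: In Loggers.java, the constructor Javadoc reads "Creates a new instance of LdapSecurityConstants", which looks copied from another enum; it should name Loggers. The `name` field is assigned once and can be declared `private final String name;`. The logger name "aci-logger" is not under any package hierarchy, so it will only be configurable by an explicit entry for that exact name in the logging configuration; note that in the class Javadoc. The trailing blank lines before the closing brace can go.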