directory-commits mailing list archives

From elecha...@apache.org
Subject svn commit: r985411 [3/11] - in /directory: apacheds/branches/apacheds-codec-merge/core-api/src/main/java/org/apache/directory/server/core/ apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/admin/ apacheds...
Date Sat, 14 Aug 2010 00:22:40 GMT
Modified: directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=985411&r1=985410&r2=985411&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Sat Aug 14 00:22:38 2010
@@ -33,7 +33,6 @@ import static org.junit.Assert.assertTru
 
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.ldap.client.api.message.ModifyRequest;
-import org.apache.directory.ldap.client.api.message.ModifyResponse;
 import org.apache.directory.server.core.annotations.CreateDS;
 import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
 import org.apache.directory.server.core.integ.FrameworkRunner;
@@ -47,6 +46,7 @@ import org.apache.directory.shared.ldap.
 import org.apache.directory.shared.ldap.entry.Modification;
 import org.apache.directory.shared.ldap.entry.ModificationOperation;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.directory.shared.ldap.message.internal.InternalModifyResponse;
 import org.apache.directory.shared.ldap.name.DN;
 import org.junit.After;
 import org.junit.Before;
@@ -60,7 +60,7 @@ import org.junit.runner.RunWith;
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
 @RunWith(FrameworkRunner.class)
-@CreateDS( enableAccessControl=true )
+@CreateDS(enableAccessControl = true)
 public class ModifyAuthorizationIT extends AbstractLdapTestUnit
 {
 
@@ -76,8 +76,8 @@ public class ModifyAuthorizationIT exten
     {
         IntegrationUtils.closeConnections();
     }
-    
-    
+
+
     /**
      * Checks if an attribute of a simple entry (an organizationalUnit) with an RDN
      * relative to ou=system can be modified by a specific non-admin user.  If a
@@ -101,7 +101,7 @@ public class ModifyAuthorizationIT exten
     {
         DN entryDN = new DN( entryRdn + ",ou=system" );
         boolean result;
-        
+
         // create the entry with the telephoneNumber attribute to compare
         Entry testEntry = new DefaultEntry( entryDN );
         testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
@@ -120,7 +120,7 @@ public class ModifyAuthorizationIT exten
         // modify the entry as the user
         ModifyRequest modReq = new ModifyRequest( entryDN );
         modReq.addModification( mods );
-        ModifyResponse resp = userConnection.modify( modReq );
+        InternalModifyResponse resp = userConnection.modify( modReq );
 
         if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
         {
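Review bot: The `resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS` check after the retyped `resp` turns every non-success result into `false`, so the `assertFalse( checkCanModifyAs( ... ) )` denial checks in this class also pass when the modify fails for a reason unrelated to access control, such as a missing entry or a schema violation. For an authorization test the negative branch should be pinned to the denial code, for example `if ( code != ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS ) fail( "unexpected result " + code );` before `result = false;`. That needs the `org.junit.Assert.fail` static import and assumes the server reports ACI denials with that code. The same SUCCESS-or-anything-else pattern appears in the hunks at `@@ -180` and `@@ -219`. The helper's body starts and ends outside this hunk.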
@@ -130,10 +130,10 @@ public class ModifyAuthorizationIT exten
         {
             result = false;
         }
-        
+
         // let's clean up
         adminConnection.delete( entryDN );
-    
+
         return result;
     }
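Review bot: The `adminConnection.delete( entryDN )` clean-up runs only when `userConnection.modify( modReq )` returns normally, and its own result is never inspected. If the modify throws, the test entry under ou=system is left behind for whichever authorization case runs next. Wrapping the modify and result check in `try { ... } finally { adminConnection.delete( entryDN ); }` keeps each case starting from a known tree. Whether the test framework already reverts the directory between tests is not visible here, so this may be redundant. The method starts outside this hunk.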
 
@@ -180,7 +180,7 @@ public class ModifyAuthorizationIT exten
         ModifyRequest modReq = new ModifyRequest( entryDN );
         modReq.addModification( attr, modOp );
 
-        ModifyResponse resp = userConnection.modify( modReq );
+        InternalModifyResponse resp = userConnection.modify( modReq );
 
         if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
         {
@@ -219,7 +219,7 @@ public class ModifyAuthorizationIT exten
         ModifyRequest modReq = new ModifyRequest( userDN );
         modReq.addModification( mods );
 
-        ModifyResponse resp = connection.modify( modReq );
+        InternalModifyResponse resp = connection.modify( modReq );
 
         return resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;
     }
@@ -266,28 +266,12 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( 
-            "selfModifyUserPassword", 
-            "{ " + 
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { thisEntry }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse, grantRead } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems {allAttributeValues {userPassword}}, " +
-            "        grantsAndDenials { grantAdd, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "selfModifyUserPassword", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { thisEntry }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry}, " + "        grantsAndDenials { grantModify, grantBrowse, grantRead } "
+            + "      }, " + "      { " + "        protectedItems {allAttributeValues {userPassword}}, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI
         assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
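Review bot: The comment above `createAccessControlSubentry( "selfModifyUserPassword", ...` says the ACI gives grantModify and grantRead to the Administrators group for all attribute types and values, but the ACI uses `userClasses { thisEntry }` and its attribute-level grant is only `grantAdd, grantRemove` on `userPassword`. The comment is the quickest way to see which policy a test exercises, so it should describe what is granted, e.g. `// Lets a user modify its own entry and add/remove values of its own userPassword`. The "TestGroup ... all attribute types and values" comments in the hunks from `@@ -321` through `@@ -544` overstate their ACIs in the same way: those grant `grantModify, grantBrowse` on the entry plus add or remove on one or two named attributes, with no `grantRead`.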
@@ -321,32 +305,14 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyAdd",
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {registeredAddress}, " +
-            "          allAttributeValues {registeredAddress}" +
-            "        }, " +
-            "        grantsAndDenials { grantAdd } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyAdd", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {registeredAddress}" + "        }, "
+            + "        grantsAndDenials { grantAdd } " + "      } " + "    } " + "  } " + "}" );
 
         // see if we can now add that test entry which we could not before
         // add op should still fail since billd is not in the admin group
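Review bot: The re-flowed ACI literal, `"{ " + "  identificationTag \"addAci\", " + "  precedence 14, " + ...`, is much harder to audit than the one-clause-per-line layout it replaces. The string value is unchanged, but `userClasses`, `protectedItems` and `grantsAndDenials` no longer line up, so a wrong grant in a test policy is easy to miss in review. I would keep the structured layout and shield it from the formatter, e.g. with `// @formatter:off` and `// @formatter:on` around each call if the project's formatter honours those tags, or move each ACI into a named constant. This applies to every `createAccessControlSubentry` and `changePresciptiveACI` call re-flowed in this file.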
@@ -372,32 +338,14 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyRemove",
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {telephoneNumber}, " +
-            "          allAttributeValues {telephoneNumber}" +
-            "        }, " +
-            "        grantsAndDenials { grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyRemove", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {telephoneNumber}, "
+            + "          allAttributeValues {telephoneNumber}" + "        }, "
+            + "        grantsAndDenials { grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -416,32 +364,14 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyReplace",
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {registeredAddress}, " +
-            "          allAttributeValues {telephoneNumber}" +
-            "        }, " +
-            "        grantsAndDenials { grantAdd, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyReplace", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {telephoneNumber}" + "        }, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
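Review bot: The "administratorModifyReplace" ACI pairs `attributeType {registeredAddress}` with `allAttributeValues {telephoneNumber}`, whereas the sibling add and remove ACIs name the same attribute in both items. In the `@@ -544` hunk the same ACI is followed by an `assertTrue` on a `REPLACE_ATTRIBUTE` of `telephoneNumber`, so that test expects success although `telephoneNumber` is never listed under `attributeType`. Either this is a copy-paste slip and `attributeType {telephoneNumber}` was intended, or the test relies on a replace being authorised without the attribute-type grant, which deserves a comment saying so. Which attribute `mods` touches in this hunk is not visible, and the test method starts outside it.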
@@ -462,32 +392,14 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyAdd",
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " + 
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " + 
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " + 
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {registeredAddress}, " +
-            "          allAttributeValues {registeredAddress}" +
-            "        }, " +
-            "        grantsAndDenials { grantAdd } " +
-            "      } " + 
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyAdd", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {registeredAddress}" + "        }, "
+            + "        grantsAndDenials { grantAdd } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
@@ -505,32 +417,14 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyRemove",
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {telephoneNumber}, " +
-            "          allAttributeValues {telephoneNumber}" +
-            "        }, " +
-            "        grantsAndDenials { grantRemove } " +
-            "      } " + 
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyRemove", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {telephoneNumber}, "
+            + "          allAttributeValues {telephoneNumber}" + "        }, "
+            + "        grantsAndDenials { grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
@@ -544,36 +438,19 @@ public class ModifyAuthorizationIT exten
         changes = new DefaultEntryAttribute( "telephoneNumber", "867-5309" );
 
         // make sure we cannot remove the telephone number from the test entry
-        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
+        assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE,
+            changes ) );
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry(
-            "administratorModifyReplace",
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems " +
-            "        {" +
-            "          attributeType {registeredAddress}, " +
-            "          allAttributeValues {telephoneNumber}" +
-            "        }, " +
-            "        grantsAndDenials { grantAdd, grantRemove } " +
-            "      } " + 
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "administratorModifyReplace", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {telephoneNumber}" + "        }, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
@@ -589,8 +466,8 @@ public class ModifyAuthorizationIT exten
     @Test
     public void testGrantModifyByName() throws Exception
     {
-        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
-            new DefaultEntryAttribute( "telephoneNumber", "012-3456" ) );
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+            "telephoneNumber", "012-3456" ) );
 
         // create the non-admin user
         createUser( "billyd", "billyd" );
@@ -599,34 +476,19 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables user billyd to modify an entry below ou=system
-        createAccessControlSubentry( 
-            "billydAdd", 
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems {allUserAttributeTypesAndValues}, " +
-            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "billydAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
+            + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems {allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // should work now that billyd is authorized by name
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
     }
-    
-    
+
+
     /**
      * Checks to make sure subtree based userClass works for modify operations.
      *
@@ -635,8 +497,8 @@ public class ModifyAuthorizationIT exten
     @Test
     public void testGrantModifyBySubtree() throws Exception
     {
-        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
-            new DefaultEntryAttribute( "telephoneNumber", "012-345678" ) );
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+            "telephoneNumber", "012-345678" ) );
 
         // create the non-admin user
         createUser( "billyd", "billyd" );
@@ -645,35 +507,19 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables user billyd to modify an entry below ou=system
-        createAccessControlSubentry( 
-            "billyAddBySubtree", 
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    {" +
-            "      subtree { { base \"ou=users,ou=system\" } } " +
-            "    }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems {allUserAttributeTypesAndValues}, " +
-            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
-    //
+        createAccessControlSubentry( "billyAddBySubtree", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses " + "    {" + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
+            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " + "      }, " + "      { "
+            + "        protectedItems {allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        //
         // should work now that billyd is authorized by the subtree userClass
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
     }
+
+
     //
     //
     /**
@@ -684,8 +530,8 @@ public class ModifyAuthorizationIT exten
     @Test
     public void testGrantModifyAllUsers() throws Exception
     {
-        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, 
-            new DefaultEntryAttribute( "telephoneNumber", "001-012345" ) );
+        Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+            "telephoneNumber", "001-012345" ) );
 
         // create the non-admin user
         createUser( "billyd", "billyd" );
@@ -694,34 +540,19 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables anyone to add an entry below ou=system
-        createAccessControlSubentry( 
-            "anybodyAdd", 
-            "{ " +
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { allUsers }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantModify, grantRead, grantBrowse } " +
-            "      }, " +
-            "      { " +
-            "        protectedItems {allUserAttributeTypesAndValues}, " +
-            "        grantsAndDenials { grantAdd, grantRead, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "anybodyAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry}, " + "        grantsAndDenials { grantModify, grantRead, grantBrowse } "
+            + "      }, " + "      { " + "        protectedItems {allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
 
         // see if we can now modify that test entry's number which we could not before
         // should work with billyd now that all users are authorized
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
     }
 
+
     @Test
     public void testPresciptiveACIModification() throws Exception
     {
@@ -731,48 +562,23 @@ public class ModifyAuthorizationIT exten
 
         createUser( "billyd", "billyd" );
 
-        createAccessControlSubentry(
-            "modifyACI",
-            "{ " +
-            "  identificationTag \"modifyAci\", " +
-            "  precedence 14, " +
-            "  authenticationLevel none, " +
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { allUsers }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
-            "        grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "modifyACI", "{ " + "  identificationTag \"modifyAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " + "      } " + "    } "
+            + "  } " + "}" );
 
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultEntryAttribute( "registeredAddress",
             "200 Park Ave." ) );
 
-        changePresciptiveACI( 
-            "modifyACI", 
-            "{ " + 
-            "  identificationTag \"modifyAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " + 
-            "    userClasses { allUsers }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
-            "        grantsAndDenials { denyModify } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        changePresciptiveACI( "modifyACI", "{ " + "  identificationTag \"modifyAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { denyModify } " + "      } " + "    } " + "  } " + "}" );
 
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
@@ -785,33 +591,14 @@ public class ModifyAuthorizationIT exten
     public void testMaxValueCountProtectedItem() throws Exception
     {
         createUser( "billyd", "billyd" );
-        createAccessControlSubentry( 
-            "mvcACI", 
-            "{" + 
-            "  identificationTag \"mvcACI\"," + 
-            "  precedence 10," +
-            "  authenticationLevel simple," + 
-            "  itemOrUserFirst userFirst:" + 
-            "  {" + 
-            "    userClasses { allUsers }," +
-            "    userPermissions" + 
-            "    {" + 
-            "      {" + 
-            "        protectedItems { entry }," +
-            "        grantsAndDenials { grantModify, grantBrowse }" + 
-            "      }," + 
-            "      {" + 
-            "        protectedItems" + 
-            "        {" +
-            "          attributeType { description }," + 
-            "          allAttributeValues { description }," + 
-            "          maxValueCount { { type description, maxCount 1 } }" + 
-            "        } ," + 
-            "        grantsAndDenials { grantRemove, grantAdd }" + 
-            "      }" + 
-            "    }" + 
-            "  }" + 
-            "}" );
+        createAccessControlSubentry( "mvcACI", "{" + "  identificationTag \"mvcACI\"," + "  precedence 10,"
+            + "  authenticationLevel simple," + "  itemOrUserFirst userFirst:" + "  {"
+            + "    userClasses { allUsers }," + "    userPermissions" + "    {" + "      {"
+            + "        protectedItems { entry }," + "        grantsAndDenials { grantModify, grantBrowse }"
+            + "      }," + "      {" + "        protectedItems" + "        {"
+            + "          attributeType { description }," + "          allAttributeValues { description },"
+            + "          maxValueCount { { type description, maxCount 1 } }" + "        } ,"
+            + "        grantsAndDenials { grantRemove, grantAdd }" + "      }" + "    }" + "  }" + "}" );
 
         Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute( "description",
             "description 1" ) );

Modified: directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=985411&r1=985410&r2=985411&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-codec-merge/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Sat Aug 14 00:22:38 2010
@@ -19,6 +19,7 @@
  */
 package org.apache.directory.server.core.authz;
 
+
 import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
 import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
 import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
@@ -31,7 +32,6 @@ import static org.junit.Assert.assertFal
 import static org.junit.Assert.assertTrue;
 
 import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.message.ModifyDnResponse;
 import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
 import org.apache.directory.server.core.integ.FrameworkRunner;
 import org.apache.directory.server.core.integ.IntegrationUtils;
@@ -39,6 +39,7 @@ import org.apache.directory.shared.ldap.
 import org.apache.directory.shared.ldap.entry.DefaultEntry;
 import org.apache.directory.shared.ldap.entry.Entry;
 import org.apache.directory.shared.ldap.message.ResultCodeEnum;
+import org.apache.directory.shared.ldap.message.internal.InternalModifyDnResponse;
 import org.apache.directory.shared.ldap.name.DN;
 import org.junit.After;
 import org.junit.Before;
@@ -51,44 +52,45 @@ import org.junit.runner.RunWith;
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  */
-@RunWith ( FrameworkRunner.class )
+@RunWith(FrameworkRunner.class)
 public class MoveRenameAuthorizationIT extends AbstractLdapTestUnit
 {
 
     @Before
     public void setService()
     {
-       AutzIntegUtils.service = service;
-       service.setAccessControlEnabled( true );
+        AutzIntegUtils.service = service;
+        service.setAccessControlEnabled( true );
     }
-    
+
+
     @After
     public void closeConnections()
     {
         IntegrationUtils.closeConnections();
     }
-    
-    
+
+
     public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newNameRdn ) throws Exception
     {
         DN entryDN = new DN( entryRdn + ",ou=system" );
         boolean result;
-        
+
         Entry testEntry = new DefaultEntry( entryDN );
         testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
         testEntry.add( SchemaConstants.OU_AT, "testou" );
-        
+
         LdapConnection adminConnection = getAdminConnection();
 
         // create the new entry as the admin user
         adminConnection.add( testEntry );
-        
+
         DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
-        
+
         LdapConnection userConnection = getConnectionAs( userName, password );
-        ModifyDnResponse resp = userConnection.rename( entryDN.getName(), newNameRdn );
-        
-        if( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
+        InternalModifyDnResponse resp = userConnection.rename( entryDN.getName(), newNameRdn );
+
+        if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
         {
             userConnection.delete( newNameRdn + ",ou=system" );
             result = true;
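Review bot: `checkCanRenameAs` treats every result other than `SUCCESS` as a denial, so the `assertFalse( checkCanRenameAs( ... ) )` checks in this class also pass when the rename fails for a reason unrelated to access control, such as a malformed DN or a missing entry. In the failure branch, which begins outside this hunk, confirm the result code after the admin cleanup, for example `assertTrue( resp.getLdapResult().getResultCode() == ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS );`, assuming the server reports a denied rename with that code. The same applies to the `moveResp` check in `checkCanMoveAndRenameAs`.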
@@ -98,11 +100,11 @@ public class MoveRenameAuthorizationIT e
             adminConnection.delete( entryDN );
             result = false;
         }
-        
+
         return result;
     }
-    
-    
+
+
     /**
      * Checks if a simple entry (organizationalUnit) can be renamed at an RDN relative
      * to ou=system by a specific non-admin user.  If a permission exception
@@ -119,28 +121,28 @@ public class MoveRenameAuthorizationIT e
      * @return true if the entry can be renamed by the user at the specified location, false otherwise
      * @throws Exception if there are problems conducting the test
      */
-    public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn, String newParentRdn )
-        throws Exception
+    public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn,
+        String newParentRdn ) throws Exception
     {
         DN entryDN = new DN( entryRdn + ",ou=system" );
         boolean result;
-        
+
         Entry testEntry = new DefaultEntry( entryDN );
         testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
         testEntry.add( SchemaConstants.OU_AT, "testou" );
-        
+
         LdapConnection adminConnection = getAdminConnection();
 
         // create the new entry as the admin user
         adminConnection.add( testEntry );
-        
+
         DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
-        
+
         LdapConnection userConnection = getConnectionAs( userName, password );
 
         boolean isMoved = false;
-        ModifyDnResponse moveResp = userConnection.move( entryDN.getName(), newParentRdn + ",ou=system" );
-        
+        InternalModifyDnResponse moveResp = userConnection.move( entryDN.getName(), newParentRdn + ",ou=system" );
+
         if ( moveResp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
         {
             isMoved = true;
@@ -150,11 +152,12 @@ public class MoveRenameAuthorizationIT e
             adminConnection.delete( entryDN );
             return false;
         }
-        
-        ModifyDnResponse resp = userConnection.rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn );
-        
+
+        InternalModifyDnResponse resp = userConnection
+            .rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn );
+
         ResultCodeEnum code = resp.getLdapResult().getResultCode();
-        
+
         if ( ( code == ResultCodeEnum.SUCCESS ) || ( code == ResultCodeEnum.ENTRY_ALREADY_EXISTS ) )
         {
             userConnection.delete( newNameRdn + "," + newParentRdn + ",ou=system" );
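Review bot: Counting `ENTRY_ALREADY_EXISTS` as a granted rename in `if ( ( code == ResultCodeEnum.SUCCESS ) || ( code == ResultCodeEnum.ENTRY_ALREADY_EXISTS ) )` lets the helper return true without the server having applied a rename, so a server that reports the name clash before evaluating the ACI would still satisfy the `assertTrue` checks. This presumably exists for the move-only cases where `newNameRdn` equals `entryRdn`; if so, document it, e.g. `// same RDN after a move: rename is a no-op and may return entryAlreadyExists`, or skip the rename call when the two RDNs are equal. The `userConnection.delete(...)` that follows runs as the test user and its result is not checked, although none of the ACIs shown for this file grant `grantRemove`, so the cleanup may silently leave the entry behind.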
@@ -162,15 +165,15 @@ public class MoveRenameAuthorizationIT e
         }
         else
         {
-            if( isMoved )
+            if ( isMoved )
             {
                 entryDN = entryDN.add( 1, newParentRdn );
                 adminConnection.delete( entryDN );
             }
-            
+
             result = false;
         }
-        
+
         // delete the renamed context as the admin user
         return result;
     }
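Review bot: The comment `// delete the renamed context as the admin user` directly above `return result;` describes nothing, because no delete follows it; the only admin delete in this hunk runs in the failure branch when `isMoved` is set. Remove it, or move it to the statement it was written for, e.g. `// clean up the moved entry as the admin user` above `adminConnection.delete( entryDN );`. The method starts outside this hunk.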
@@ -196,27 +199,11 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm to all users in the Administrators group for entries
-        createAccessControlSubentry( 
-            "grantRenameByAdmin", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    { " +
-            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameByAdmin", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
 
         // see if we can now rename that test entry which we could not before
         // rename op should still fail since billyd is not in the admin group
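Review bot: Packing the ACI into fragments joined mid-line, as in `"{ " + "  identificationTag \"addAci\", "`, makes the access-control policy under test hard to audit, because the nesting of `userClasses`, `protectedItems` and `grantsAndDenials` is no longer visible. The same holds for every `createAccessControlSubentry` call reformatted in the later hunks of this file. Keep one ACI element per source line, e.g. `+ "        grantsAndDenials { grantRename, grantBrowse } "` on a line of its own, and exclude these literals from the automatic formatter. The enclosing test method starts and ends outside the hunk.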
@@ -245,27 +232,12 @@ public class MoveRenameAuthorizationIT e
 
         // Gives grantRename, grantImport, grantExport perm to all users in the Administrators
         // group for entries - browse is needed just to read navigate the tree at root
-        createAccessControlSubentry( 
-            "grantRenameMoveByAdmin", 
-            "{ " + 
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    { " +
-            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group
@@ -293,27 +265,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to all users in the Administrators group for entries
-        createAccessControlSubentry( 
-            "grantMoveByAdmin", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    { " +
-            "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantExport, grantImport, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantMoveByAdmin", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantBrowse } " + "      } " + "    } " + "  } "
+            + "}" );
 
         // see if we can now move that test entry which we could not before
         // op should still fail since billyd is not in the admin group
@@ -352,24 +309,11 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm specifically to the billyd user
-        createAccessControlSubentry( 
-            "grantRenameByName", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameByName", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
+            + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -389,24 +333,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport perm to billyd user on entries
-        createAccessControlSubentry( 
-            "grantRenameMoveByName", 
-            "{ " + 
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameMoveByName", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
+            + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -426,24 +358,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to billyd user for entries
-        createAccessControlSubentry( 
-            "grantMoveByName", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantMoveByName", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
+            + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
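Review bot: The comment `// Gives grantImport, and grantExport perm to billyd user for entries` does not match the ACI below it, whose `grantsAndDenials` also lists `grantRename`. The `grantMoveByTree` and `grantMoveByAny` hunks further down have the same mismatch, while `grantMoveByAdmin` grants only export, import and browse. As written, the test does not show that a move with an unchanged RDN succeeds on import and export rights alone. Either drop `grantRename` from these three ACIs if the move is meant to work without it, or correct the comments to `// Gives grantImport, grantExport and grantRename perm to billyd user for entries`. The test method starts outside the hunk.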
@@ -474,27 +394,11 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to those users selected by the subtree
-        createAccessControlSubentry( 
-            "grantRenameByTree", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    { " +
-            "      subtree { { base \"ou=users,ou=system\" } } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameByTree", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
+            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -514,26 +418,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to users selected by subtree
-        createAccessControlSubentry( 
-            "grantRenameMoveByTree", 
-            "{ " + 
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: { " +
-            "    userClasses " +
-            "    { " +
-            "      subtree { { base \"ou=users,ou=system\" } } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: { "
+            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
+            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -553,27 +443,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to subtree selected users
-        createAccessControlSubentry( 
-            "grantMoveByTree", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses " +
-            "    { " +
-            "      subtree { { base \"ou=users,ou=system\" } } " +
-            "    }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems {entry}, " + 
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantMoveByTree", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses " + "    { "
+            + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, " + "    userPermissions " + "    { "
+            + "      { " + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -604,24 +479,11 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to any user
-        createAccessControlSubentry( 
-            "grantRenameByAny", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " + 
-            "    userClasses { allUsers }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " + 
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameByAny", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry}, " + "        grantsAndDenials { grantRename, grantBrowse } "
+            + "      } " + "    } " + "  } " + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -641,24 +503,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to any user
-        createAccessControlSubentry( 
-            "grantRenameMoveByAny", 
-            "{ " + 
-            "  identificationTag \"addAci\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { allUsers }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " + 
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "  identificationTag \"addAci\", "
+            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -678,24 +528,12 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to any user
-        createAccessControlSubentry( 
-            "grantMoveByAny", 
-            "{ " + 
-            "  identificationTag \"addAci\", " + 
-            "  precedence 14, " +
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " + 
-            "    userClasses { allUsers }, " +
-            "    userPermissions " +
-            "    { " +
-            "      { " + 
-            "        protectedItems {entry}, " +
-            "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantMoveByAny", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
+            + "    } " + "  } " + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -704,8 +542,8 @@ public class MoveRenameAuthorizationIT e
         deleteAccessControlSubentry( "grantMoveByAny" );
         deleteUser( "billyd" );
     }
-    
-    
+
+
     /**
      * Checks to make sure Export and Import permissions work correctly
      * when they are defined on seperate contexts.
@@ -725,73 +563,33 @@ public class MoveRenameAuthorizationIT e
         // try an move w/ rdn change which should fail without any ACI
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
-        
         // Gives grantBrowse perm to all users in the Administrators
         // group for entries
         // It's is needed just to read navigate the tree at root
-        createAccessControlSubentry(
-            "grantBrowseForTheWholeNamingContext",
-            "{ }",
-            "{ " + 
-            "  identificationTag \"browseACI\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems { entry }, " +
-            "        grantsAndDenials { grantBrowse } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
-        
+        createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", "{ "
+            + "  identificationTag \"browseACI\", " + "  precedence 14, " + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+
         // Gives grantExport, grantRename perm to all users in the Administrators
         // group for entries
-        createAccessControlSubentry(
-            "grantExportFromASubtree",
-            "{ base \"ou=users\" }", 
-            "{ " + 
-            "  identificationTag \"exportACI\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems { entry }, " +
-            "        grantsAndDenials { grantExport, grantRename } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
-        
+        createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }", "{ "
+            + "  identificationTag \"exportACI\", " + "  precedence 14, " + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantExport, grantRename } " + "      } " + "    } " + "  } " + "}" );
+
         // Gives grantImport perm to all users in the Administrators
         // group for the target context
-        createAccessControlSubentry(
-            "grantImportToASubtree",
-            "{ base \"ou=groups\" }", 
-            "{ " + 
-            "  identificationTag \"importACI\", " +
-            "  precedence 14, " + 
-            "  authenticationLevel none, " + 
-            "  itemOrUserFirst userFirst: " +
-            "  { " +
-            "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + 
-            "    userPermissions " +
-            "    { " +
-            "      { " +
-            "        protectedItems { entry }, " +
-            "        grantsAndDenials { grantImport } " +
-            "      } " +
-            "    } " +
-            "  } " +
-            "}" );
+        createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }", "{ "
+            + "  identificationTag \"importACI\", " + "  precedence 14, " + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
+            + "    { " + "      { " + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantImport } " + "      } " + "    } " + "  } " + "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group


