Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 56246 invoked from network); 20 Aug 2010 19:33:24 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 20 Aug 2010 19:33:24 -0000 Received: (qmail 74677 invoked by uid 500); 20 Aug 2010 19:33:24 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 74619 invoked by uid 500); 20 Aug 2010 19:33:24 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 74612 invoked by uid 99); 20 Aug 2010 19:33:24 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Aug 2010 19:33:24 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Aug 2010 19:33:22 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id DFDD82388A36; Fri, 20 Aug 2010 19:32:04 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r987611 [3/13] - in /directory/apacheds/trunk: ./ all/ core-annotations/ core-api/ core-api/src/main/java/org/apache/directory/server/core/ core-api/src/main/java/org/apache/directory/server/core/event/ core-api/src/main/java/org/apache/dir... Date: Fri, 20 Aug 2010 19:32:02 -0000 To: commits@directory.apache.org 
From: kayyagari@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100820193204.DFDD82388A36@eris.apache.org> Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java?rev=987611&r1=987610&r2=987611&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java Fri Aug 20 19:31:58 2010 @@ -28,11 +28,11 @@ import static org.junit.Assert.assertNot import static org.junit.Assert.assertNull; import org.apache.directory.ldap.client.api.LdapConnection; -import org.apache.directory.ldap.client.api.message.SearchResultEntry; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; import org.apache.directory.server.core.integ.FrameworkRunner; import org.apache.directory.server.core.integ.IntegrationUtils; import org.apache.directory.shared.ldap.entry.Entry; +import org.apache.directory.shared.ldap.message.SearchResultEntry; import org.apache.directory.shared.ldap.name.DN; import org.junit.After; import org.junit.Before; @@ -46,7 +46,7 @@ import org.junit.runner.RunWith; * * @author Apache Directory Project */ -@RunWith ( FrameworkRunner.class ) +@RunWith(FrameworkRunner.class) public class AuthzAuthnIT extends AbstractLdapTestUnit { @@ -56,15 +56,15 @@ public class AuthzAuthnIT extends Abstra AutzIntegUtils.service = service; service.setAccessControlEnabled( true ); } - - + + @After public void closeConnections() { IntegrationUtils.closeConnections(); } - - + + /** * Checks to make sure a user can authenticate with RootDSE as the * provider URL without need of any access control permissions. 
@@ -76,15 +76,15 @@ public class AuthzAuthnIT extends Abstra { createUser( "billyd", "billyd" ); - DN userName = new DN( "uid=billyd,ou=users,ou=system" ); + DN userName = new DN( "uid=billyd,ou=users,ou=system" ); // Authenticate to RootDSE LdapConnection connection = getConnectionAs( userName, "billyd" ); Entry entry = ( ( SearchResultEntry ) connection.lookup( "" ) ).getEntry(); assertNotNull( entry ); assertEquals( 0, entry.getDn().size() ); } - - + + /** * Checks to make sure a user cannot authenticate with a naming context * as the provider URL if it does not have appropriate Browse permissions. 
@@ -95,54 +95,41 @@ public class AuthzAuthnIT extends Abstra public void testAuthnFailsWithSystemPartition() throws Exception { createUser( "billyd", "billyd" ); - - DN userName = new DN( "uid=billyd,ou=users,ou=system" ); + + DN userName = new DN( "uid=billyd,ou=users,ou=system" ); LdapConnection connection = getConnectionAs( userName, "billyd" ); SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( "ou=system" ); assertNull( entry ); } - - + + /** * Checks to make sure a user can authenticate with a naming context * as the provider URL if it has appropriate Browse permissions. * * @throws Exception if the test encounters an error */ - @Ignore( "This test is not failing but I want to make sure that this test case is equivalent to its prior JNDI based impl, so ignoring this to get attention" ) + @Ignore("This test is not failing but I want to make sure that this test case is equivalent to its prior JNDI based impl, so ignoring this to get attention") @Test public void testAuthnPassesWithSystemPartition() throws Exception { createUser( "billyd", "billyd" ); - + // Create ACI with minimum level of required privileges: // Only for user "uid=billyd,ou=users,ou=system" // Only to The entry "ou=system" // Only Browse permission // Note: In order to read contents of the bound context // user will need appropriate Read permissions. - createAccessControlSubentry( - "grantBrowseForTheWholeNamingContext", - "{ maximum 0 }", // !!!!! Replace this with "{ minimum 1 }" for practicing ! 
- "{ " + - " identificationTag \"browseACI\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems { entry }, " + - " grantsAndDenials { grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); - - DN userName = new DN( "uid=billyd,ou=users,ou=system" ); - + createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ maximum 0 }", // !!!!! Replace this with "{ minimum 1 }" for practicing ! + "{ " + " identificationTag \"browseACI\", " + " precedence 14, " + " authenticationLevel none, " + + " itemOrUserFirst userFirst: " + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + + " { " + " { " + " protectedItems { entry }, " + + " grantsAndDenials { grantBrowse } " + " } " + " } " + " } " + "}" ); + + DN userName = new DN( "uid=billyd,ou=users,ou=system" ); + LdapConnection connection = getConnectionAs( userName, "billyd" ); SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( "ou=system" ); assertNull( entry ); Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java?rev=987611&r1=987610&r2=987611&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java Fri Aug 20 19:31:58 2010 
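Review bot: testAuthnPassesWithSystemPartition ends with `assertNull( entry );` on the lookup of `ou=system`, the same expectation testAuthnFailsWithSystemPartition has without any ACI, so nothing in this method observes whether the Browse grant took effect: a grant that works and a grant that silently fails both leave the test green. The Javadoc says the user should succeed once it has Browse permission, and the comment above the subentry already notes that reading the bound context additionally needs Read permission, so the intended assertion is presumably `assertNotNull( entry );` with `grantRead` added to `grantsAndDenials { grantBrowse }` — which would also give the @Ignore a concrete exit condition. The subtree specification `"{ maximum 0 }"` is still marked in-line as a placeholder to be replaced with `"{ minimum 1 }"`; the commit only reflows the string and leaves the placeholder in. The hunk starts on the previous page line and the method's closing brace lies outside it.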
@@ -21,9 +21,6 @@ package org.apache.directory.server.core import org.apache.directory.ldap.client.api.LdapConnection; -import org.apache.directory.ldap.client.api.message.AddResponse; -import org.apache.directory.ldap.client.api.message.ModifyRequest; -import org.apache.directory.ldap.client.api.message.SearchResultEntry; import org.apache.directory.server.constants.ServerDNConstants; import org.apache.directory.server.core.DirectoryService; import org.apache.directory.server.core.integ.IntegrationUtils; @@ -31,7 +28,11 @@ import org.apache.directory.shared.ldap. import org.apache.directory.shared.ldap.entry.DefaultEntry; import org.apache.directory.shared.ldap.entry.Entry; import org.apache.directory.shared.ldap.entry.EntryAttribute; +import org.apache.directory.shared.ldap.message.AddResponse; +import org.apache.directory.shared.ldap.message.ModifyRequest; +import org.apache.directory.shared.ldap.message.ModifyRequestImpl; import org.apache.directory.shared.ldap.message.ResultCodeEnum; +import org.apache.directory.shared.ldap.message.SearchResultEntry; import org.apache.directory.shared.ldap.name.DN; @@ -45,6 +46,7 @@ public class AutzIntegUtils { public static DirectoryService service; + // ----------------------------------------------------------------------- // Utility methods used by subclasses // ----------------------------------------------------------------------- @@ -176,7 +178,8 @@ public class AutzIntegUtils { LdapConnection connection = getAdminConnection(); - ModifyRequest modReq = new ModifyRequest( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) ); + ModifyRequest modReq = new ModifyRequestImpl(); + modReq.setName( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) ); modReq.add( SchemaConstants.UNIQUE_MEMBER_AT, "uid=" + userUid + ",ou=users,ou=system" ); connection.modify( modReq ).getLdapResult().getResultCode(); 
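Review bot: In the last hunk, `connection.modify( modReq ).getLdapResult().getResultCode();` fetches the result code of the group-membership modify and then discards it, so a failed add (group missing, DN typo, schema violation) goes unnoticed and a later "must be denied" assertion in the authz ITs can pass for the wrong reason. ResultCodeEnum is imported in this file, so the helper can fail fast instead: `ResultCodeEnum rc = connection.modify( modReq ).getLdapResult().getResultCode();` followed by `if ( rc != ResultCodeEnum.SUCCESS ) { throw new IllegalStateException( "adding " + userUid + " to " + groupCn + " failed: " + rc ); }`. The same dropped response recurs in the following hunks of this file — removeUserFromGroup, the administrativeRole modify, addEntryACI, addSubentryACI, changePresciptiveACI and addPrescriptiveACI all end in a bare `getAdminConnection().modify( modReq );` — and one check in a shared helper would cover them. The method enclosing this hunk (presumably addUserToGroup, which the IT classes import statically) has its signature above the hunk.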
@@ -192,7 +195,8 @@ public class AutzIntegUtils
 */
 public static void removeUserFromGroup( String userUid, String groupCn ) throws Exception
 {
- ModifyRequest modReq = new ModifyRequest( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) );
 modReq.remove( SchemaConstants.UNIQUE_MEMBER_AT, "uid=" + userUid + ",ou=users,ou=system" );
 getAdminConnection().modify( modReq );
 }
@@ -240,7 +244,8 @@ public class AutzIntegUtils
 if ( administrativeRole == null || !administrativeRole.contains( "accessControlSpecificArea" ) )
 {
- ModifyRequest modReq = new ModifyRequest( systemEntry.getDn() );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( systemEntry.getDn() );
 modReq.add( "administrativeRole", "accessControlSpecificArea" );
 connection.modify( modReq );
 }
@@ -269,7 +274,8 @@ public class AutzIntegUtils
 public static void addEntryACI( DN dn, String aciItem ) throws Exception
 {
 // modify the entry relative to ou=system to include the aciItem
- ModifyRequest modReq = new ModifyRequest( dn );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( dn );
 modReq.add( "entryACI", aciItem );
 getAdminConnection().modify( modReq );
 
@@ -285,7 +291,8 @@ public class AutzIntegUtils
 public static void addSubentryACI( String aciItem ) throws Exception
 {
 // modify the entry relative to ou=system to include the aciItem
- ModifyRequest modReq = new ModifyRequest( new DN( "ou=system" ) );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( new DN( "ou=system" ) );
 modReq.add( "subentryACI", aciItem );
 getAdminConnection().modify( modReq );
 }
@@ -301,15 +308,17 @@ public class AutzIntegUtils
 */
 public static void changePresciptiveACI( String cn, String aciItem ) throws Exception
 {
- ModifyRequest req = new ModifyRequest( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
- req.replace( "prescriptiveACI", aciItem );
- getAdminConnection().modify( req );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
+ modReq.replace( "prescriptiveACI", aciItem );
+ getAdminConnection().modify( modReq );
 }
 
 
 public static void addPrescriptiveACI( String cn, String aciItem ) throws Exception
 {
- ModifyRequest modReq = new ModifyRequest( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
 modReq.add( "prescriptiveACI", aciItem );
 getAdminConnection().modify( modReq );
 }
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java?rev=987611&r1=987610&r2=987611&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java Fri Aug 20 19:31:58 2010
@@ -30,7 +30,6 @@ import static org.junit.Assert.assertFal import static org.junit.Assert.assertTrue; import org.apache.directory.ldap.client.api.LdapConnection; -import org.apache.directory.ldap.client.api.message.CompareResponse; import org.apache.directory.server.core.annotations.CreateDS; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; import org.apache.directory.server.core.integ.FrameworkRunner; @@ -38,6 +37,7 @@ import org.apache.directory.server.core. import org.apache.directory.shared.ldap.constants.SchemaConstants; import org.apache.directory.shared.ldap.entry.DefaultEntry; import org.apache.directory.shared.ldap.entry.Entry; +import org.apache.directory.shared.ldap.message.CompareResponse; import org.apache.directory.shared.ldap.message.ResultCodeEnum; import org.apache.directory.shared.ldap.name.DN; import org.junit.After; @@ -51,8 +51,8 @@ import org.junit.runner.RunWith; * * @author Apache Directory Project */ -@RunWith ( FrameworkRunner.class ) -@CreateDS( enableAccessControl=true ) +@RunWith(FrameworkRunner.class) +@CreateDS(enableAccessControl = true) public class CompareAuthorizationIT extends AbstractLdapTestUnit { @@ -61,15 +61,15 @@ public class CompareAuthorizationIT exte { AutzIntegUtils.service = service; } - - + + @After public void closeConnections() { IntegrationUtils.closeConnections(); } - - + + /** * Checks if an attribute of a simple entry (an organizationalUnit's telephoneNumber) * with an RDN relative to ou=system can be compared by a specific non-admin user. @@ -95,7 +95,7 @@ public class CompareAuthorizationIT exte DN entryDN = new DN( entryRdn + ",ou=system" ); boolean result = true; - + // create the entry with the telephoneNumber attribute to compare Entry testEntry = new DefaultEntry( entryDN ); testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" ); 
@@ -106,18 +106,18 @@ public class CompareAuthorizationIT exte // create the entry as admin adminConnection.add( testEntry ); - + DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" ); // compare the telephone numbers LdapConnection userConnection = getConnectionAs( userName, password ); CompareResponse resp = userConnection.compare( entryDN, "telephoneNumber", number ); - + // don't set based on compare result success/failure but based on whether the op was permitted or not - if( resp.getLdapResult().getResultCode() == ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS ) + if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS ) { result = false; } - + // let's clean up adminConnection.delete( entryRdn ); 
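Review bot: The cleanup at the end of the hunk, `adminConnection.delete( entryRdn );`, deletes by the bare RDN (e.g. `ou=testou`) although the entry was created under `entryDN`, built as `entryRdn + ",ou=system"` in the previous hunk; unless the connection resolves relative names, the delete targets a different DN and the test entry is left behind. The sibling helpers in DeleteAuthorizationIT and ModifyAuthorizationIT on this page use `adminConnection.delete( entryDN );`, which is presumably what is meant here. Because the responses of both `adminConnection.add( testEntry )` and the delete are dropped, a leftover entry would only show up as an ignored entryAlreadyExists on the next call of the helper, so the tests keep passing; asserting `ResultCodeEnum.SUCCESS` on the admin add and delete (assertEquals is already used in this class) would make the helper fail loudly instead. checkCanCompareTelephoneNumberAs's signature and entryDN declaration are in the previous hunk.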
@@ -141,23 +141,12 @@ public class CompareAuthorizationIT exte // Gives grantCompare, and grantRead perm to all users in the Administrators group for // entries and all attribute types and values - createAccessControlSubentry( "administratorAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" + - " userPermissions " + - " { " + - " { " + - " protectedItems { entry, allUserAttributeTypesAndValues }, " + - " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "administratorAdd", "{ " + " identificationTag \"addAci\", " + + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" + " userPermissions " + + " { " + " { " + " protectedItems { entry, allUserAttributeTypesAndValues }, " + + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } " + + "}" ); // see if we can now add that test entry which we could not before // add op should still fail since billd is not in the admin group 
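Review bot: The reflowed "administratorAdd" ACI still has no separator between its userClasses and userPermissions components — `" userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" + " userPermissions "` — while every other ACI on this page, including the DeleteAuthorizationIT "administratorAdd" item, writes `} }, " + " userPermissions "`. The comma was already missing before this commit, but since the string is being rewritten anyway this is the place to make it `" userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "`; how the server's ACIItem parser treats the missing comma is worth confirming, since createAccessControlSubentry's outcome is not checked by the test. The enclosing test method starts above the hunk.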
@@ -186,23 +175,12 @@ public class CompareAuthorizationIT exte assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) ); // now add a subentry that enables user billyd to compare an entry below ou=system - createAccessControlSubentry( "billydAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems { entry, allUserAttributeTypesAndValues }, " + - " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " + + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { " + + " { " + " protectedItems { entry, allUserAttributeTypesAndValues }, " + + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } " + + "}" ); // should work now that billyd is authorized by name assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) ); 
@@ -224,27 +202,13 @@ public class CompareAuthorizationIT exte assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) ); // now add a subentry that enables user billyd to compare an entry below ou=system - createAccessControlSubentry( - "billyAddBySubtree", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses " + - " { " + - " subtree { { base \"ou=users,ou=system\" } } " + - " }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry, allUserAttributeTypesAndValues}, " + - " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", " + + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, " + + " userPermissions " + " { " + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } " + + "}" ); // should work now that billyd is authorized by the subtree userClass assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) ); 
@@ -266,24 +230,12 @@ public class CompareAuthorizationIT exte assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) ); // now add a subentry that enables anyone to add an entry below ou=system - createAccessControlSubentry( - "anybodyAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { allUsers }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry, allUserAttributeTypesAndValues}, " + - " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " + + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { allUsers }, " + " userPermissions " + " { " + " { " + + " protectedItems {entry, allUserAttributeTypesAndValues}, " + + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } " + + "}" ); // see if we can now compare that test entry's number which we could not before // should work with billyd now that all users are authorized 
@@ -307,7 +259,7 @@ public class CompareAuthorizationIT exte adminCtx.add( user ); CompareResponse resp = adminCtx.compare( userDN, "userPassword", "bobspassword" ); - assertEquals( ResultCodeEnum.COMPARE_TRUE, resp.getLdapResult().getResultCode() ); + assertEquals( ResultCodeEnum.COMPARE_TRUE, resp.getLdapResult().getResultCode() ); } } Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java?rev=987611&r1=987610&r2=987611&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java Fri Aug 20 19:31:58 2010 @@ -19,6 +19,7 @@ */ package org.apache.directory.server.core.authz; + import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup; import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry; import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser; @@ -28,7 +29,6 @@ import static org.junit.Assert.assertFal import static org.junit.Assert.assertTrue; import org.apache.directory.ldap.client.api.LdapConnection; -import org.apache.directory.ldap.client.api.message.DeleteResponse; import org.apache.directory.server.core.annotations.CreateDS; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; import org.apache.directory.server.core.integ.FrameworkRunner; 
@@ -36,6 +36,7 @@ import org.apache.directory.server.core. import org.apache.directory.shared.ldap.constants.SchemaConstants; import org.apache.directory.shared.ldap.entry.DefaultEntry; import org.apache.directory.shared.ldap.entry.Entry; +import org.apache.directory.shared.ldap.message.DeleteResponse; import org.apache.directory.shared.ldap.message.ResultCodeEnum; import org.apache.directory.shared.ldap.name.DN; import org.junit.After; @@ -49,9 +50,9 @@ import org.junit.runner.RunWith; * * @author Apache Directory Project */ -@RunWith ( FrameworkRunner.class ) -@CreateDS( enableAccessControl=true ) -public class DeleteAuthorizationIT extends AbstractLdapTestUnit +@RunWith(FrameworkRunner.class) +@CreateDS(enableAccessControl = true) +public class DeleteAuthorizationIT extends AbstractLdapTestUnit { @Before @@ -59,15 +60,15 @@ public class DeleteAuthorizationIT exten { AutzIntegUtils.service = service; } - - + + @After public void closeConnections() { IntegrationUtils.closeConnections(); } - - + + /** * Checks if a simple entry (organizationalUnit) can be deleted from the DIT at an * RDN relative to ou=system by a specific non-admin user. The entry is first @@ -90,7 +91,7 @@ public class DeleteAuthorizationIT exten public boolean checkCanDeleteEntryAs( String uid, String password, String entryRdn ) throws Exception { DN entryDN = new DN( entryRdn + ",ou=system" ); - + // create the entry with the telephoneNumber attribute to compare Entry testEntry = new DefaultEntry( entryDN ); testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" ); 
@@ -100,14 +101,14 @@ public class DeleteAuthorizationIT exten // create the entry as admin adminConnection.add( testEntry ); - + DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" ); - + // delete the newly created context as the user LdapConnection userConnection = getConnectionAs( userName, password ); DeleteResponse resp = userConnection.delete( entryDN ); - if( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS ) + if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS ) { return true; } @@ -135,24 +136,11 @@ public class DeleteAuthorizationIT exten // Gives grantRemove perm to all users in the Administrators group for // entries and all attribute types and values - createAccessControlSubentry( - "administratorAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry}, " + - " grantsAndDenials { grantRemove, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "administratorAdd", "{ " + " identificationTag \"addAci\", " + + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions " + + " { " + " { " + " protectedItems {entry}, " + + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" ); // see if we can now delete that test entry which we could not before // delete op should still fail since billd is not in the admin group 
@@ -181,24 +169,11 @@ public class DeleteAuthorizationIT exten assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) ); // now add a subentry that enables user billyd to delete an entry below ou=system - createAccessControlSubentry( - "billydAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry}, " + - " grantsAndDenials { grantRemove, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " + + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { " + + " { " + " protectedItems {entry}, " + + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" ); // should work now that billyd is authorized by name assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) ); 
@@ -220,27 +195,11 @@ public class DeleteAuthorizationIT exten assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) ); // now add a subentry that enables user billyd to delte an entry below ou=system - createAccessControlSubentry( - "billyAddBySubtree", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses " + - " { " + - " subtree { { base \"ou=users,ou=system\" } } " + - " }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry}, " + - " grantsAndDenials { grantRemove, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", " + + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, " + + " userPermissions " + " { " + " { " + " protectedItems {entry}, " + + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" ); // should work now that billyd is authorized by the subtree userClass assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) ); 
@@ -262,24 +221,11 @@ public class DeleteAuthorizationIT exten assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) ); // now add a subentry that enables anyone to add an entry below ou=system - createAccessControlSubentry( - "anybodyAdd", - "{ " + - " identificationTag \"addAci\", " + - " precedence 14, " + - " authenticationLevel none, " + - " itemOrUserFirst userFirst: " + - " { " + - " userClasses { allUsers }, " + - " userPermissions " + - " { " + - " { " + - " protectedItems {entry}, " + - " grantsAndDenials { grantRemove, grantBrowse } " + - " } " + - " } " + - " } " + - "}" ); + createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " + + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + + " userClasses { allUsers }, " + " userPermissions " + " { " + " { " + + " protectedItems {entry}, " + " grantsAndDenials { grantRemove, grantBrowse } " + + " } " + " } " + " } " + "}" ); // see if we can now delete that test entry which we could not before // should work now with billyd now that all users are authorized Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=987611&r1=987610&r2=987611&view=diff ============================================================================== --- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original) +++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Fri Aug 20 19:31:58 2010 
@@ -32,8 +32,6 @@ import static org.junit.Assert.assertFal import static org.junit.Assert.assertTrue; import org.apache.directory.ldap.client.api.LdapConnection; -import org.apache.directory.ldap.client.api.message.ModifyRequest; -import org.apache.directory.ldap.client.api.message.ModifyResponse; import org.apache.directory.server.core.annotations.CreateDS; import org.apache.directory.server.core.integ.AbstractLdapTestUnit; import org.apache.directory.server.core.integ.FrameworkRunner; @@ -46,6 +44,9 @@ import org.apache.directory.shared.ldap. import org.apache.directory.shared.ldap.entry.EntryAttribute; import org.apache.directory.shared.ldap.entry.Modification; import org.apache.directory.shared.ldap.entry.ModificationOperation; +import org.apache.directory.shared.ldap.message.ModifyRequest; +import org.apache.directory.shared.ldap.message.ModifyRequestImpl; +import org.apache.directory.shared.ldap.message.ModifyResponse; import org.apache.directory.shared.ldap.message.ResultCodeEnum; import org.apache.directory.shared.ldap.name.DN; import org.junit.After; @@ -60,7 +61,7 @@ import org.junit.runner.RunWith; * @author Apache Directory Project */ @RunWith(FrameworkRunner.class) -@CreateDS( enableAccessControl=true ) +@CreateDS(enableAccessControl = true) public class ModifyAuthorizationIT extends AbstractLdapTestUnit { @@ -76,8 +77,8 @@ public class ModifyAuthorizationIT exten { IntegrationUtils.closeConnections(); } - - + + /** * Checks if an attribute of a simple entry (an organizationalUnit) with an RDN * relative to ou=system can be modified by a specific non-admin user. If a @@ -101,7 +102,7 @@ public class ModifyAuthorizationIT exten { DN entryDN = new DN( entryRdn + ",ou=system" ); boolean result; - + // create the entry with the telephoneNumber attribute to compare Entry testEntry = new DefaultEntry( entryDN ); testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" ); 
@@ -118,8 +119,14 @@ public class ModifyAuthorizationIT exten LdapConnection userConnection = getConnectionAs( userName, password ); // modify the entry as the user - ModifyRequest modReq = new ModifyRequest( entryDN ); - modReq.addModification( mods ); + ModifyRequest modReq = new ModifyRequestImpl(); + modReq.setName( entryDN ); + + for ( Modification modification : mods ) + { + modReq.addModification( modification ); + } + ModifyResponse resp = userConnection.modify( modReq ); if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS ) @@ -130,10 +137,10 @@ public class ModifyAuthorizationIT exten { result = false; } - + // let's clean up adminConnection.delete( entryDN ); - + return result; } @@ -177,7 +184,8 @@ public class ModifyAuthorizationIT exten DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" ); // modify the entry as the user LdapConnection userConnection = getConnectionAs( userName, password ); - ModifyRequest modReq = new ModifyRequest( entryDN ); + ModifyRequest modReq = new ModifyRequestImpl(); + modReq.setName( entryDN ); modReq.addModification( attr, modOp ); ModifyResponse resp = userConnection.modify( modReq ); @@ -216,8 +224,13 @@ public class ModifyAuthorizationIT exten DN userDN = new DN( "uid=" + uid + ",ou=users,ou=system" ); LdapConnection connection = getConnectionAs( userDN, password ); - ModifyRequest modReq = new ModifyRequest( userDN ); - modReq.addModification( mods ); + ModifyRequest modReq = new ModifyRequestImpl(); + modReq.setName( userDN ); + + for ( Modification modification : mods ) + { + modReq.addModification( modification ); + } ModifyResponse resp = connection.modify( modReq ); 
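Review bot: The new `new ModifyRequestImpl()` / `setName` / `for ( Modification modification : mods )` sequence is written out twice on this page line (the hunks at 118 and 216), and the hunk at 177 builds a request the same way for a single attribute/operation pair; a small private helper would keep the request construction in one place and turn each call site into `ModifyRequest modReq = newModifyRequest( entryDN, mods );`. The helper below assumes `mods` is a `Modification[]` (its declaration is outside the hunks); if it is a collection, take `Iterable<Modification>` instead. Each enclosing method starts before its hunk.
```java
    /** Builds a modify request against dn carrying every entry of mods, in order. */
    private static ModifyRequest newModifyRequest( DN dn, Modification... mods )
    {
        ModifyRequest modReq = new ModifyRequestImpl();
        modReq.setName( dn );

        for ( Modification modification : mods )
        {
            modReq.addModification( modification );
        }

        return modReq;
    }
```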
@@ -266,28 +279,12 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the Administrators group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "selfModifyUserPassword",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { thisEntry }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse, grantRead } " +
- " }, " +
- " { " +
- " protectedItems {allAttributeValues {userPassword}}, " +
- " grantsAndDenials { grantAdd, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "selfModifyUserPassword", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { thisEntry }, " + " userPermissions " + " { " + " { " +
+ " protectedItems {entry}, " + " grantsAndDenials { grantModify, grantBrowse, grantRead } " +
+ " }, " + " { " + " protectedItems {allAttributeValues {userPassword}}, " +
+ " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI
 assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
@@ -321,32 +318,14 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyAdd",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {registeredAddress}, " +
- " allAttributeValues {registeredAddress}" +
- " }, " +
- " grantsAndDenials { grantAdd } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyAdd", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {registeredAddress}, " +
+ " allAttributeValues {registeredAddress}" + " }, " +
+ " grantsAndDenials { grantAdd } " + " } " + " } " + " } " + "}" );
 // see if we can now add that test entry which we could not before
 // add op should still fail since billd is not in the admin group
@@ -372,32 +351,14 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyRemove",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {telephoneNumber}, " +
- " allAttributeValues {telephoneNumber}" +
- " }, " +
- " grantsAndDenials { grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyRemove", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {telephoneNumber}, " +
+ " allAttributeValues {telephoneNumber}" + " }, " +
+ " grantsAndDenials { grantRemove } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI and group membership change
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -416,32 +377,14 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyReplace",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {registeredAddress}, " +
- " allAttributeValues {telephoneNumber}" +
- " }, " +
- " grantsAndDenials { grantAdd, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyReplace", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {registeredAddress}, " +
+ " allAttributeValues {telephoneNumber}" + " }, " +
+ " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI and group membership change
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
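Review bot: The rebuilt administratorModifyReplace ACI still pairs `attributeType {registeredAddress}` with `allAttributeValues {telephoneNumber}` in its second protectedItems entry, whereas the Add and Remove variants (@@ -321, @@ -372) name the same attribute in both; the identical mixed pair appears again in the @@ -544 hunk, where the visible modification is a REPLACE of telephoneNumber. If the intent is to grant add/remove on telephoneNumber values only, the registeredAddress item looks like a leftover from the Add variant and `" attributeType {telephoneNumber}, " +` would make the ACI match what the comment above it says; if the mismatch is deliberate, a one-line comment on the call saying why would stop the next reader from "fixing" it. The enclosing test method starts outside the hunk.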
@@ -462,32 +405,14 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyAdd",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {registeredAddress}, " +
- " allAttributeValues {registeredAddress}" +
- " }, " +
- " grantsAndDenials { grantAdd } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyAdd", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {registeredAddress}, " +
+ " allAttributeValues {registeredAddress}" + " }, " +
+ " grantsAndDenials { grantAdd } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI and group membership change
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
@@ -505,32 +430,14 @@ public class ModifyAuthorizationIT exten
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyRemove",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {telephoneNumber}, " +
- " allAttributeValues {telephoneNumber}" +
- " }, " +
- " grantsAndDenials { grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyRemove", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {telephoneNumber}, " +
+ " allAttributeValues {telephoneNumber}" + " }, " +
+ " grantsAndDenials { grantRemove } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI and group membership change
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
@@ -544,36 +451,19 @@ public class ModifyAuthorizationIT exten
 changes = new DefaultEntryAttribute( "telephoneNumber", "867-5309" );
 // make sure we cannot remove the telephone number from the test entry
- assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE,
+ changes ) );
 // Gives grantModify, and grantRead perm to all users in the TestGroup group for
 // entries and all attribute types and values
- createAccessControlSubentry(
- "administratorModifyReplace",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems " +
- " {" +
- " attributeType {registeredAddress}, " +
- " allAttributeValues {telephoneNumber}" +
- " }, " +
- " grantsAndDenials { grantAdd, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "administratorModifyReplace", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions " +
+ " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { " +
+ " protectedItems " + " {" + " attributeType {registeredAddress}, " +
+ " allAttributeValues {telephoneNumber}" + " }, " +
+ " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
 // try a modify operation which should succeed with ACI and group membership change
 assertTrue( checkCanModifyAs( "billyd", "billyd",
 "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
@@ -589,8 +479,8 @@ public class ModifyAuthorizationIT exten
 @Test
 public void testGrantModifyByName() throws Exception
 {
- Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
- new DefaultEntryAttribute( "telephoneNumber", "012-3456" ) );
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+ "telephoneNumber", "012-3456" ) );
 // create the non-admin user
 createUser( "billyd", "billyd" );
@@ -599,34 +489,19 @@ public class ModifyAuthorizationIT exten
 assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 // now add a subentry that enables user billyd to modify an entry below ou=system
- createAccessControlSubentry(
- "billydAdd",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems {allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " +
+ " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { " +
+ " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantRead, grantBrowse } " + " }, " + " { " +
+ " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
 // should work now that billyd is authorized by name
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 }
-
-
+
+
 /**
 * Checks to make sure subtree based userClass works for modify operations.
 *
@@ -635,8 +510,8 @@ public class ModifyAuthorizationIT exten
 @Test
 public void testGrantModifyBySubtree() throws Exception
 {
- Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
- new DefaultEntryAttribute( "telephoneNumber", "012-345678" ) );
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+ "telephoneNumber", "012-345678" ) );
 // create the non-admin user
 createUser( "billyd", "billyd" );
@@ -645,35 +520,19 @@ public class ModifyAuthorizationIT exten
 assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 // now add a subentry that enables user billyd to modify an entry below ou=system
- createAccessControlSubentry(
- "billyAddBySubtree",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " {" +
- " subtree { { base \"ou=users,ou=system\" } } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems {allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
- //
+ createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", " +
+ " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses " + " {" + " subtree { { base \"ou=users,ou=system\" } } " + " }, " +
+ " userPermissions " + " { " + " { " + " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantRead, grantBrowse } " + " }, " + " { " +
+ " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
+ //
 // should work now that billyd is authorized by the subtree userClass
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 }
+
+
 //
 //
 /**
@@ -684,8 +543,8 @@ public class ModifyAuthorizationIT exten
 @Test
 public void testGrantModifyAllUsers() throws Exception
 {
- Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
- new DefaultEntryAttribute( "telephoneNumber", "001-012345" ) );
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute(
+ "telephoneNumber", "001-012345" ) );
 // create the non-admin user
 createUser( "billyd", "billyd" );
@@ -694,34 +553,19 @@ public class ModifyAuthorizationIT exten
 assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 // now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry(
- "anybodyAdd",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems {allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, " +
+ " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { allUsers }, " + " userPermissions " + " { " + " { " +
+ " protectedItems {entry}, " + " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+ " }, " + " { " + " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
 // see if we can now modify that test entry's number which we could not before
 // should work with billyd now that all users are authorized
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 }
+
 @Test
 public void testPresciptiveACIModification() throws Exception
 {
@@ -731,48 +575,23 @@ public class ModifyAuthorizationIT exten
 createUser( "billyd", "billyd" );
- createAccessControlSubentry(
- "modifyACI",
- "{ " +
- " identificationTag \"modifyAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "modifyACI", "{ " + " identificationTag \"modifyAci\", " + " precedence 14, " +
+ " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { allUsers }, " + " userPermissions " + " { " + " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " + " } " + " } " +
+ " } " + "}" );
 assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultEntryAttribute( "registeredAddress", "200 Park Ave."
 ) );
- changePresciptiveACI(
- "modifyACI",
- "{ " +
- " identificationTag \"modifyAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyModify } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ changePresciptiveACI( "modifyACI", "{ " + " identificationTag \"modifyAci\", " + " precedence 14, " +
+ " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " +
+ " userClasses { allUsers }, " + " userPermissions " + " { " + " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyModify } " + " } " + " } " + " } " + "}" );
 assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -785,33 +604,14 @@ public class ModifyAuthorizationIT exten
 public void testMaxValueCountProtectedItem() throws Exception
 {
 createUser( "billyd", "billyd" );
- createAccessControlSubentry(
- "mvcACI",
- "{" +
- " identificationTag \"mvcACI\"," +
- " precedence 10," +
- " authenticationLevel simple," +
- " itemOrUserFirst userFirst:" +
- " {" +
- " userClasses { allUsers }," +
- " userPermissions" +
- " {" +
- " {" +
- " protectedItems { entry }," +
- " grantsAndDenials { grantModify, grantBrowse }" +
- " }," +
- " {" +
- " protectedItems" +
- " {" +
- " attributeType { description }," +
- " allAttributeValues { description }," +
- " maxValueCount { { type description, maxCount 1 } }" +
- " } ," +
- " grantsAndDenials { grantRemove, grantAdd }" +
- " }" +
- " }" +
- " }" +
- "}" );
+ createAccessControlSubentry( "mvcACI", "{" + " identificationTag \"mvcACI\"," + " precedence 10," +
+ " authenticationLevel simple," + " itemOrUserFirst userFirst:" + " {" +
+ " userClasses { allUsers }," + " userPermissions" + " {" + " {" +
+ " protectedItems { entry }," + " grantsAndDenials { grantModify, grantBrowse }" +
+ " }," + " {" + " protectedItems" + " {" +
+ " attributeType { description }," + " allAttributeValues { description }," +
+ " maxValueCount { { type description, maxCount 1 } }" + " } ," +
+ " grantsAndDenials { grantRemove, grantAdd }" + " }" + " }" + " }" + "}" );
 Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute( "description", "description 1" ) );