From elecha...@apache.org
Subject svn commit: r1049849 [1/2] - /directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/
Date Thu, 16 Dec 2010 09:37:14 GMT
Author: elecharny
Date: Thu Dec 16 09:37:14 2010
New Revision: 1049849

URL: http://svn.apache.org/viewvc?rev=1049849&view=rev
Log:
Formatted the ACI specifications

Modified:
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
    directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java

Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java Thu Dec 16 09:37:14 2010
@@ -123,11 +123,21 @@ public class AuthzAuthnIT extends Abstra
         // Note: In order to read contents of the bound context
         //       user will need appropriate Read permissions.
         createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ maximum 0 }", // !!!!! Replace this with "{ minimum 1 }" for practicing !
-            "{ " + "  identificationTag \"browseACI\", " + "  precedence 14, " + "  authenticationLevel none, "
-                + "  itemOrUserFirst userFirst: " + "  { "
-                + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions "
-                + "    { " + "      { " + "        protectedItems { entry }, "
-                + "        grantsAndDenials { grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+                  "{ identificationTag \"browseACI\", " 
+                + "  precedence 14, " 
+                + "  authenticationLevel none, "
+                + "  itemOrUserFirst userFirst: " 
+                + "  { "
+                + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+                + "    userPermissions "
+                + "    { " 
+                + "      { " 
+                + "        protectedItems { entry }, "
+                + "        grantsAndDenials { grantBrowse } " 
+                + "      } " 
+                + "    } " 
+                + "  } " 
+                + "}" );
 
         DN userName = new DN( "uid=billyd,ou=users,ou=system" );
 
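Review bot: The reformatted `browseACI` literal opens with `"{ identificationTag \"browseACI\", "`, fusing the opening brace with the first field, whereas every other ACI reformatted in this commit puts `"{ "` on its own line. Splitting it the same way keeps the nesting comparable across the authz tests. Most of the added lines also appear to end in a blank after the closing quote, which is worth stripping. The enclosing test method starts and ends outside this hunk.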

Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -141,11 +141,22 @@ public class CompareAuthorizationIT exte
 
         // Gives grantCompare, and grantRead perm to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorAdd", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems { entry, allUserAttributeTypesAndValues }, "
-            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " + "      } " + "    } " + "  } "
+        createAccessControlSubentry( "administratorAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems { entry, allUserAttributeTypesAndValues }, "
+            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now add that test entry which we could not before
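Review bot: The added `userClasses` line ends in `} }"` with no comma before `userPermissions`, whereas every other ACI in this commit writes `} }, "`. The omission is inherited from the old one-line form, but the new layout makes it visible. Whether the ACIItem parser requires that separator is not visible here; if it is merely tolerated, the test depends on lenient parsing of an access-control policy string, which is better not relied on. Suggest `+ "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "` and re-running the test. The method body continues outside the hunk.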
@@ -175,11 +186,22 @@ public class CompareAuthorizationIT exte
         assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
 
         // now add a subentry that enables user billyd to compare an entry below ou=system
-        createAccessControlSubentry( "billydAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems { entry, allUserAttributeTypesAndValues }, "
-            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " + "      } " + "    } " + "  } "
+        createAccessControlSubentry( "billydAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems { entry, allUserAttributeTypesAndValues }, "
+            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // should work now that billyd is authorized by name
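Review bot: The `identificationTag \"addAci\"` in this subentry labels an ACI that grants `grantCompare, grantRead, grantBrowse`, not add rights. The same tag is reused by every ACI shown for CompareAuthorizationIT, DeleteAuthorizationIT and ModifyAuthorizationIT in this commit. It looks copied from an add test; since the reformat already touches these lines, a tag that names the operation (for example `identificationTag \"compareAci\"` here) would make the subentry easier to identify when a test fails. This is a naming point inferred from the visible literals; nothing in the hunk shows the tag being read elsewhere.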
@@ -202,12 +224,25 @@ public class CompareAuthorizationIT exte
         assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
 
         // now add a subentry that enables user billyd to compare an entry below ou=system
-        createAccessControlSubentry( "billyAddBySubtree", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
-            + "    userPermissions " + "    { " + "        { "
+        createAccessControlSubentry( "billyAddBySubtree", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, "
+            + "    userPermissions " 
+            + "    { " 
+            + "        { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " + "      } " + "    } " + "  } "
+            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // should work now that billyd is authorized by the subtree userClass
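Review bot: The inner permission block in this ACI opens with `+ "        { "` (eight spaces) but closes with `+ "      } "` (six), so the nesting the reformat is meant to expose does not line up. Changing the opening line to `+ "      { "` matches the other hunks of this file. The first hunk of DeleteAuthorizationIT has a similar slip: `"       grantsAndDenials { grantRemove, grantBrowse } "` has seven leading spaces instead of eight. Both fixes only alter whitespace inside the literal, which presumably does not matter to the ACI parser, but confirm that before changing them.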
@@ -230,11 +265,22 @@ public class CompareAuthorizationIT exte
         assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
 
         // now add a subentry that enables anyone to add an entry below ou=system
-        createAccessControlSubentry( "anybodyAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+        createAccessControlSubentry( "anybodyAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " + "      } " + "    } " + "  } "
+            + "        grantsAndDenials { grantCompare, grantRead, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now compare that test entry's number which we could not before
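Review bot: The context comment above this call says the subentry "enables anyone to add an entry below ou=system", but the ACI grants `grantCompare, grantRead, grantBrowse` to `allUsers`. A comment such as `// now add a subentry that lets any user compare, read and browse entries below ou=system` would describe what the policy actually allows. The `anybodyAdd` hunk in DeleteAuthorizationIT carries the same comment while granting `grantRemove, grantBrowse`. In access-control tests the comment is what a reader checks the policy against, so it should state the granted rights.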
@@ -261,5 +307,4 @@ public class CompareAuthorizationIT exte
         CompareResponse resp = adminCtx.compare( userDN, "userPassword", "bobspassword" );
         assertEquals( ResultCodeEnum.COMPARE_TRUE, resp.getLdapResult().getResultCode() );
     }
-
 }

Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -136,11 +136,23 @@ public class DeleteAuthorizationIT exten
 
         // Gives grantRemove perm to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorAdd", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "       grantsAndDenials { grantRemove, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "       grantsAndDenials { grantRemove, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now delete that test entry which we could not before
         // delete op should still fail since billd is not in the admin group
@@ -169,11 +181,23 @@ public class DeleteAuthorizationIT exten
         assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
 
         // now add a subentry that enables user billyd to delete an entry below ou=system
-        createAccessControlSubentry( "billydAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantRemove, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "billydAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRemove, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // should work now that billyd is authorized by name
         assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -195,11 +219,26 @@ public class DeleteAuthorizationIT exten
         assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
 
         // now add a subentry that enables user billyd to delte an entry below ou=system
-        createAccessControlSubentry( "billyAddBySubtree", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
-            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantRemove, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "billyAddBySubtree", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, "
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRemove, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // should work now that billyd is authorized by the subtree userClass
         assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -221,11 +260,23 @@ public class DeleteAuthorizationIT exten
         assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
 
         // now add a subentry that enables anyone to add an entry below ou=system
-        createAccessControlSubentry( "anybodyAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
-            + "        protectedItems {entry}, " + "        grantsAndDenials { grantRemove, grantBrowse } "
-            + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "anybodyAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry}, " 
+            + "        grantsAndDenials { grantRemove, grantBrowse } "
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now delete that test entry which we could not before
         // should work now with billyd now that all users are authorized

Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -279,12 +279,27 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "selfModifyUserPassword", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { thisEntry }, " + "    userPermissions " + "    { " + "      { "
-            + "        protectedItems {entry}, " + "        grantsAndDenials { grantModify, grantBrowse, grantRead } "
-            + "      }, " + "      { " + "        protectedItems {allAttributeValues {userPassword}}, "
-            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "selfModifyUserPassword", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { thisEntry }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry}, " 
+            + "        grantsAndDenials { grantModify, grantBrowse, grantRead } "
+            + "      }, " 
+            + "      { " 
+            + "        protectedItems {allAttributeValues {userPassword}}, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI
         assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
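Review bot: The comment above `selfModifyUserPassword` describes a grant of grantModify and grantRead to the Administrators group, but the ACI uses `userClasses { thisEntry }` and also grants `grantAdd, grantRemove` on `allAttributeValues {userPassword}`. Suggest replacing it with `// Lets each entry modify itself and add/remove its own userPassword values`. The later hunks in this file have a related mismatch: their comments mention grantRead for TestGroup, while the ACIs grant only `grantModify, grantBrowse` on the entry plus the attribute-level rights. The test method continues outside the hunk.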
@@ -318,14 +333,31 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyAdd", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
-            + "          allAttributeValues {registeredAddress}" + "        }, "
-            + "        grantsAndDenials { grantAdd } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {registeredAddress}" 
+            + "        }, "
+            + "        grantsAndDenials { grantAdd } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now add that test entry which we could not before
         // add op should still fail since billd is not in the admin group
@@ -351,14 +383,30 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyRemove", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {telephoneNumber}, "
-            + "          allAttributeValues {telephoneNumber}" + "        }, "
-            + "        grantsAndDenials { grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyRemove", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {telephoneNumber}, "
+            + "          allAttributeValues {telephoneNumber}" 
+            + "        }, "
+            + "        grantsAndDenials { grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
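Review bot: One line of this ACI was left unsplit: `+ "  authenticationLevel none, " + "  itemOrUserFirst userFirst: "` still carries two fragments, unlike the same ACI in the other hunks of this file. Split it into `+ "  authenticationLevel none, "` and `+ "  itemOrUserFirst userFirst: "` so the policy reads one field per line throughout.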
@@ -377,14 +425,31 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyReplace", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
-            + "          allAttributeValues {telephoneNumber}" + "        }, "
-            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyReplace", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {telephoneNumber}" 
+            + "        }, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
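Review bot: In `administratorModifyReplace` the second permission pairs `attributeType {registeredAddress}` with `allAttributeValues {telephoneNumber}`, whereas the Add and Remove ACIs in this file name the same attribute in both items. This may be a copy-paste slip that the old one-line form hid. If the replace test is meant to cover a single attribute, both items should name it, e.g. `+ "          allAttributeValues {registeredAddress}"`. The modifications being applied are outside the hunk, so confirm which attribute the test replaces before changing it. The same pairing appears in the later `administratorModifyReplace` hunk of this file.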
@@ -405,14 +470,31 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyAdd", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
-            + "          allAttributeValues {registeredAddress}" + "        }, "
-            + "        grantsAndDenials { grantAdd } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {registeredAddress}" 
+            + "        }, "
+            + "        grantsAndDenials { grantAdd } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
@@ -430,14 +512,31 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyRemove", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {telephoneNumber}, "
-            + "          allAttributeValues {telephoneNumber}" + "        }, "
-            + "        grantsAndDenials { grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyRemove", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {telephoneNumber}, "
+            + "          allAttributeValues {telephoneNumber}" 
+            + "        }, "
+            + "        grantsAndDenials { grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
@@ -456,14 +555,31 @@ public class ModifyAuthorizationIT exten
 
         // Gives grantModify, and grantRead perm to all users in the TestGroup group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "administratorModifyReplace", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantBrowse } " + "      }, " + "      { "
-            + "        protectedItems " + "        {" + "          attributeType {registeredAddress}, "
-            + "          allAttributeValues {telephoneNumber}" + "        }, "
-            + "        grantsAndDenials { grantAdd, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "administratorModifyReplace", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantBrowse } " 
+            + "      }, " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          attributeType {registeredAddress}, "
+            + "          allAttributeValues {telephoneNumber}" 
+            + "        }, "
+            + "        grantsAndDenials { grantAdd, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a modify operation which should succeed with ACI and group membership change
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
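Review bot: In the second permission item of `administratorModifyReplace`, `attributeType {registeredAddress}` is paired with `allAttributeValues {telephoneNumber}`, so the two protected items name different attributes; the `administratorModifyRemove` subentry in the previous hunk uses `telephoneNumber` for both. If the replace under test targets `registeredAddress` (inferred, since `changes` is built outside this hunk), the line should read `+ "          allAttributeValues {registeredAddress}"`. As written, the `assertTrue` may pass for a reason other than the ACI this test claims to exercise. The comment above the call also mentions grantRead and all attribute types, which this ACI does not grant; `// Gives grantModify and grantBrowse on entries, and grantAdd/grantRemove on one attribute, to users in TestGroup` would be accurate.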
@@ -489,13 +605,27 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables user billyd to modify an entry below ou=system
-        createAccessControlSubentry( "billydAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " + "      }, " + "      { "
+        createAccessControlSubentry( "billydAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " 
+            + "      }, " 
+            + "      { "
             + "        protectedItems {allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // should work now that billyd is authorized by name
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -520,13 +650,30 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables user billyd to modify an entry below ou=system
-        createAccessControlSubentry( "billyAddBySubtree", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    {" + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
-            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " + "      }, " + "      { "
+        createAccessControlSubentry( "billyAddBySubtree", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    {" 
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, "
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } " 
+            + "      }, " 
+            + "      { "
             + "        protectedItems {allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
         //
         // should work now that billyd is authorized by the subtree userClass
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -553,12 +700,27 @@ public class ModifyAuthorizationIT exten
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         // now add a subentry that enables anyone to add an entry below ou=system
-        createAccessControlSubentry( "anybodyAdd", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
-            + "        protectedItems {entry}, " + "        grantsAndDenials { grantModify, grantRead, grantBrowse } "
-            + "      }, " + "      { " + "        protectedItems {allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "anybodyAdd", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry}, " 
+            + "        grantsAndDenials { grantModify, grantRead, grantBrowse } "
+            + "      }, " 
+            + "      { " 
+            + "        protectedItems {allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantAdd, grantRead, grantRemove } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now modify that test entry's number which we could not before
         // should work with billyd now that all users are authorized
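Review bot: The context comment `// now add a subentry that enables anyone to add an entry below ou=system` does not describe the `anybodyAdd` ACI that follows. That ACI grants grantModify, grantRead and grantBrowse on entries plus attribute-level grantAdd, grantRead and grantRemove, and the surrounding assertions use `checkCanModifyAs`. Suggest `// now add a subentry that enables anyone to modify an entry below ou=system`, matching the wording used for the billyd cases in the earlier hunks. The enclosing test method starts and ends outside the hunk.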
@@ -575,23 +737,45 @@ public class ModifyAuthorizationIT exten
 
         createUser( "billyd", "billyd" );
 
-        createAccessControlSubentry( "modifyACI", "{ " + "  identificationTag \"modifyAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+        createAccessControlSubentry( "modifyACI", 
+              "{ " 
+            + "  identificationTag \"modifyAci\", " + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " + "      } " + "    } "
-            + "  } " + "}" );
+            + "        grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " 
+            + "      } " 
+            + "    } "
+            + "  } " 
+            + "}" );
 
         assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
         mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultEntryAttribute( "registeredAddress",
             "200 Park Ave." ) );
 
-        changePresciptiveACI( "modifyACI", "{ " + "  identificationTag \"modifyAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+        changePresciptiveACI( "modifyACI", 
+              "{ " 
+            + "  identificationTag \"modifyAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { denyModify } " + "      } " + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { denyModify } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
 
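Review bot: The reformat is incomplete in the `modifyACI` subentry: `+ "  identificationTag \"modifyAci\", " + "  precedence 14, "` still carries two fragments on one line, while the `changePresciptiveACI` call further down in this hunk splits them. Splitting it into `+ "  identificationTag \"modifyAci\", "` and `+ "  precedence 14, "` keeps one ACI element per line, so a later change to the tag or the precedence shows up as a one-line diff. The `grantRenameMoveByTree` hunk in MoveRenameAuthorizationIT has a similar leftover, `+ "  itemOrUserFirst userFirst: { "`, where the other subentries put the opening brace in its own fragment.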
@@ -604,14 +788,32 @@ public class ModifyAuthorizationIT exten
     public void testMaxValueCountProtectedItem() throws Exception
     {
         createUser( "billyd", "billyd" );
-        createAccessControlSubentry( "mvcACI", "{" + "  identificationTag \"mvcACI\"," + "  precedence 10,"
-            + "  authenticationLevel simple," + "  itemOrUserFirst userFirst:" + "  {"
-            + "    userClasses { allUsers }," + "    userPermissions" + "    {" + "      {"
-            + "        protectedItems { entry }," + "        grantsAndDenials { grantModify, grantBrowse }"
-            + "      }," + "      {" + "        protectedItems" + "        {"
-            + "          attributeType { description }," + "          allAttributeValues { description },"
-            + "          maxValueCount { { type description, maxCount 1 } }" + "        } ,"
-            + "        grantsAndDenials { grantRemove, grantAdd }" + "      }" + "    }" + "  }" + "}" );
+        createAccessControlSubentry( "mvcACI", 
+              "{" 
+            + "  identificationTag \"mvcACI\"," 
+            + "  precedence 10,"
+            + "  authenticationLevel simple," 
+            + "  itemOrUserFirst userFirst:" 
+            + "  {"
+            + "    userClasses { allUsers }," 
+            + "    userPermissions" 
+            + "    {" 
+            + "      {"
+            + "        protectedItems { entry }," 
+            + "        grantsAndDenials { grantModify, grantBrowse }"
+            + "      }," 
+            + "      {" 
+            + "        protectedItems" 
+            + "        {"
+            + "          attributeType { description }," 
+            + "          allAttributeValues { description },"
+            + "          maxValueCount { { type description, maxCount 1 } }" 
+            + "        } ,"
+            + "        grantsAndDenials { grantRemove, grantAdd }" 
+            + "      }" 
+            + "    }" 
+            + "  }" 
+            + "}" );
 
         Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute( "description",
             "description 1" ) );

Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -201,11 +201,26 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm to all users in the Administrators group for entries
-        createAccessControlSubentry( "grantRenameByAdmin", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
-            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameByAdmin", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now rename that test entry which we could not before
         // rename op should still fail since billyd is not in the admin group
@@ -234,12 +249,26 @@ public class MoveRenameAuthorizationIT e
 
         // Gives grantRename, grantImport, grantExport perm to all users in the Administrators
         // group for entries - browse is needed just to read navigate the tree at root
-        createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
-            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameMoveByAdmin", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group
@@ -267,11 +296,25 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to all users in the Administrators group for entries
-        createAccessControlSubentry( "grantMoveByAdmin", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
-            + "    }, " + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantBrowse } " + "      } " + "    } " + "  } "
+        createAccessControlSubentry( "grantMoveByAdmin", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now move that test entry which we could not before
@@ -311,11 +354,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm specifically to the billyd user
-        createAccessControlSubentry( "grantRenameByName", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameByName", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -335,12 +390,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport perm to billyd user on entries
-        createAccessControlSubentry( "grantRenameMoveByName", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameMoveByName", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -360,12 +426,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm to billyd user for entries
-        createAccessControlSubentry( "grantMoveByName", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantMoveByName", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
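Review bot: The `grantMoveByName` ACI grants more than its comment says: the comment reads "Gives grantImport, and grantExport perm to billyd user for entries", but `grantsAndDenials` also lists `grantRename`. The assertions around it pass the same RDN (`"ou=testou"`) as old and new name, so they exercise a pure move, and the `grantMoveByAdmin` subentry earlier in this file grants only `grantExport, grantImport, grantBrowse`. With the extra grant the test cannot show that import/export alone authorise a move. Suggest `+ "        grantsAndDenials { grantExport, grantImport, grantBrowse } "`, or correct the comment if the rename permission is needed here. The same applies to the `grantMoveByTree` and `grantMoveByAny` hunks below.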
@@ -396,11 +473,26 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to those users selected by the subtree
-        createAccessControlSubentry( "grantRenameByTree", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
-            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantRename, grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameByTree", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, "
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantRename, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -420,12 +512,25 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to users selected by subtree
-        createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: { "
-            + "    userClasses " + "    { " + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, "
-            + "    userPermissions " + "    { " + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameMoveByTree", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: { "
+            + "    userClasses " 
+            + "    { " 
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, "
+            + "    userPermissions " 
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -445,12 +550,26 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to subtree selected users
-        createAccessControlSubentry( "grantMoveByTree", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses " + "    { "
-            + "      subtree { { base \"ou=users,ou=system\" } } " + "    }, " + "    userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantMoveByTree", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses " 
+            + "    { "
+            + "      subtree { { base \"ou=users,ou=system\" } } " 
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry}, "
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -481,11 +600,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
 
         // Gives grantRename perm for entries to any user
-        createAccessControlSubentry( "grantRenameByAny", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
-            + "        protectedItems {entry}, " + "        grantsAndDenials { grantRename, grantBrowse } "
-            + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantRenameByAny", 
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry}, " 
+            + "        grantsAndDenials { grantRename, grantBrowse } "
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try a rename operation which should succeed with ACI
         assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -505,12 +636,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
 
         // Gives grantRename, grantImport, grantExport for entries to any user
-        createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "  identificationTag \"addAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+        createAccessControlSubentry( "grantRenameMoveByAny",
+              "{ " 
+            + "  identificationTag \"addAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move w/ rdn change which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -530,12 +672,23 @@ public class MoveRenameAuthorizationIT e
         assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
 
         // Gives grantImport, and grantExport perm for entries to any user
-        createAccessControlSubentry( "grantMoveByAny", "{ " + "  identificationTag \"addAci\", " + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "      { "
+        createAccessControlSubentry( "grantMoveByAny", 
+              "{ " 
+            + "  identificationTag \"addAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry}, "
-            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + "      } "
-            + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // try move operation which should succeed with ACI
         assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
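Review bot: The `grantMoveByAny` ACI grants more than the comment above it states. The comment lists grantImport and grantExport, but the literal reads `grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse }`. With grantRename included, the following `assertTrue` does not show that import and export alone authorize a plain move, so a regression that made a move depend on rename permission would pass unnoticed. Either narrow the line to `+ "        grantsAndDenials { grantExport, grantImport, grantBrowse } "` or change the comment to list what is actually granted. Whether grantBrowse is needed depends on `checkCanMoveAndRenameAs`, which is not visible in this hunk.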
@@ -568,30 +721,63 @@ public class MoveRenameAuthorizationIT e
         // Gives grantBrowse perm to all users in the Administrators
         // group for entries
         // It's is needed just to read navigate the tree at root
-        createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", "{ "
-            + "  identificationTag \"browseACI\", " + "  precedence 14, " + "  authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems { entry }, "
-            + "        grantsAndDenials { grantBrowse } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", 
+              "{ "
+            + "  identificationTag \"browseACI\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // Gives grantExport, grantRename perm to all users in the Administrators
         // group for entries
-        createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }", "{ "
-            + "  identificationTag \"exportACI\", " + "  precedence 14, " + "  authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems { entry }, "
-            + "        grantsAndDenials { grantExport, grantRename } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }", 
+              "{ "
+            + "  identificationTag \"exportACI\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantExport, grantRename } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // Gives grantImport perm to all users in the Administrators
         // group for the target context
-        createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }", "{ "
-            + "  identificationTag \"importACI\", " + "  precedence 14, " + "  authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems { entry }, "
-            + "        grantsAndDenials { grantImport } " + "      } " + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }", 
+              "{ "
+            + "  identificationTag \"importACI\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems { entry }, "
+            + "        grantsAndDenials { grantImport } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can move and rename the test entry which we could not before
         // op should still fail since billyd is not in the admin group
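Review bot: The comment line `// It's is needed just to read navigate the tree at root` above the `grantBrowseForTheWholeNamingContext` subentry is garbled, and this formatting pass would be a good place to fix it. I would write `// Needed only so that group members can browse the tree from the root`. The three ACIs that follow differ only in tag, subtree base and grants, so a clear comment per subentry is what lets a reader audit which permission each one contributes. The test method continues past the end of the hunk.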


