Author: elecharny
Date: Thu Dec 16 09:37:14 2010
New Revision: 1049849
URL: http://svn.apache.org/viewvc?rev=1049849&view=rev
Log:
Formatted the ACI specifications
Modified:
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/AuthzAuthnIT.java Thu Dec 16 09:37:14 2010
@@ -123,11 +123,21 @@ public class AuthzAuthnIT extends Abstra
// Note: In order to read contents of the bound context
// user will need appropriate Read permissions.
createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ maximum 0 }", // !!!!! Replace this with "{ minimum 1 }" for practicing !
- "{ " + " identificationTag \"browseACI\", " + " precedence 14, " + " authenticationLevel none, "
- + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems { entry }, "
- + " grantsAndDenials { grantBrowse } " + " } " + " } " + " } " + "}" );
+ "{ identificationTag \"browseACI\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry }, "
+ + " grantsAndDenials { grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
DN userName = new DN( "uid=billyd,ou=users,ou=system" );
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -141,11 +141,22 @@ public class CompareAuthorizationIT exte
// Gives grantCompare, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorAdd", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }" + " userPermissions "
- + " { " + " { " + " protectedItems { entry, allUserAttributeTypesAndValues }, "
- + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } "
+ createAccessControlSubentry( "administratorAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }"
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry, allUserAttributeTypesAndValues }, "
+ + " grantsAndDenials { grantCompare, grantRead, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ "}" );
// see if we can now add that test entry which we could not before
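Review bot: The userClasses item on the `+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }"` line of the administratorAdd ACI has no trailing comma before ` userPermissions`, unlike the billydAdd spec later in this file and the administratorAdd spec in DeleteAuthorizationIT, which both end that item with `} }, `. The reformat carries the omission over from the original one-liner, so it is not introduced here, but the one-item-per-line layout now makes it easy to see and fix. If the ACI grammar requires the separator, the call would be rejected before any assertion runs; if the parser happens to tolerate it, the spec should still be brought in line with the others, i.e. `+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "`. The enclosing test method starts and ends outside the hunk.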
@@ -175,11 +186,22 @@ public class CompareAuthorizationIT exte
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables user billyd to compare an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems { entry, allUserAttributeTypesAndValues }, "
- + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } "
+ createAccessControlSubentry( "billydAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry, allUserAttributeTypesAndValues }, "
+ + " grantsAndDenials { grantCompare, grantRead, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ "}" );
// should work now that billyd is authorized by name
@@ -202,12 +224,25 @@ public class CompareAuthorizationIT exte
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables user billyd to compare an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { "
+ createAccessControlSubentry( "billyAddBySubtree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } "
+ + " grantsAndDenials { grantCompare, grantRead, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ "}" );
// should work now that billyd is authorized by the subtree userClass
@@ -230,11 +265,22 @@ public class CompareAuthorizationIT exte
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ createAccessControlSubentry( "anybodyAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantCompare, grantRead, grantBrowse } " + " } " + " } " + " } "
+ + " grantsAndDenials { grantCompare, grantRead, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ "}" );
// see if we can now compare that test entry's number which we could not before
@@ -261,5 +307,4 @@ public class CompareAuthorizationIT exte
CompareResponse resp = adminCtx.compare( userDN, "userPassword", "bobspassword" );
assertEquals( ResultCodeEnum.COMPARE_TRUE, resp.getLdapResult().getResultCode() );
}
-
}
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -136,11 +136,23 @@ public class DeleteAuthorizationIT exten
// Gives grantRemove perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorAdd", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRemove, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can now delete that test entry which we could not before
// delete op should still fail since billd is not in the admin group
@@ -169,11 +181,23 @@ public class DeleteAuthorizationIT exten
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to delete an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "billydAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRemove, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -195,11 +219,26 @@ public class DeleteAuthorizationIT exten
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to delte an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRemove, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "billyAddBySubtree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRemove, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -221,11 +260,23 @@ public class DeleteAuthorizationIT exten
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
- + " protectedItems {entry}, " + " grantsAndDenials { grantRemove, grantBrowse } "
- + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "anybodyAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRemove, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can now delete that test entry which we could not before
// should work now with billyd now that all users are authorized
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -279,12 +279,27 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "selfModifyUserPassword", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { thisEntry }, " + " userPermissions " + " { " + " { "
- + " protectedItems {entry}, " + " grantsAndDenials { grantModify, grantBrowse, grantRead } "
- + " }, " + " { " + " protectedItems {allAttributeValues {userPassword}}, "
- + " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "selfModifyUserPassword",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { thisEntry }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse, grantRead } "
+ + " }, "
+ + " { "
+ + " protectedItems {allAttributeValues {userPassword}}, "
+ + " grantsAndDenials { grantAdd, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI
assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
@@ -318,14 +333,31 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {registeredAddress}, "
- + " allAttributeValues {registeredAddress}" + " }, "
- + " grantsAndDenials { grantAdd } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {registeredAddress}, "
+ + " allAttributeValues {registeredAddress}"
+ + " }, "
+ + " grantsAndDenials { grantAdd } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can now add that test entry which we could not before
// add op should still fail since billd is not in the admin group
@@ -351,14 +383,30 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {telephoneNumber}, "
- + " allAttributeValues {telephoneNumber}" + " }, "
- + " grantsAndDenials { grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyRemove",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {telephoneNumber}, "
+ + " allAttributeValues {telephoneNumber}"
+ + " }, "
+ + " grantsAndDenials { grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
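Review bot: The line `+ " authenticationLevel none, " + " itemOrUserFirst userFirst: "` in the administratorModifyRemove ACI still carries two fragments, while every other fragment in this commit now sits on its own line; the same leftover appears as `+ " identificationTag \"modifyAci\", " + " precedence 14, "` in the modifyACI spec of the @@ -575 hunk. Splitting both so that each ACI keyword gets its own line keeps the layout uniform across the six files and lets future diffs of these specs line up item by item. The enclosing test methods start and end outside the hunks.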
@@ -377,14 +425,31 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {registeredAddress}, "
- + " allAttributeValues {telephoneNumber}" + " }, "
- + " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyReplace",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {registeredAddress}, "
+ + " allAttributeValues {telephoneNumber}"
+ + " }, "
+ + " grantsAndDenials { grantAdd, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
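Review bot: The second permission of the administratorModifyReplace ACI protects `attributeType {registeredAddress}` but `allAttributeValues {telephoneNumber}`, two different attributes, whereas the neighbouring administratorModifyAdd and administratorModifyRemove specs name the same attribute in both items; the same pairing recurs in the @@ -456 hunk. This comes from the original one-liner rather than from the reformat, but it reads like a copy-and-paste slip — verify it against the attribute that `mods` replaces, because if the replace touches only one of the two attributes the grant may be succeeding for a reason other than the one the test name implies. If the split is intentional, a one-line comment on the `protectedItems` line explaining why the type and the value grants differ would stop the next reader from "fixing" it. The enclosing test method starts and ends outside the hunk.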
@@ -405,14 +470,31 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {registeredAddress}, "
- + " allAttributeValues {registeredAddress}" + " }, "
- + " grantsAndDenials { grantAdd } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {registeredAddress}, "
+ + " allAttributeValues {registeredAddress}"
+ + " }, "
+ + " grantsAndDenials { grantAdd } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
@@ -430,14 +512,31 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {telephoneNumber}, "
- + " allAttributeValues {telephoneNumber}" + " }, "
- + " grantsAndDenials { grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyRemove",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {telephoneNumber}, "
+ + " allAttributeValues {telephoneNumber}"
+ + " }, "
+ + " grantsAndDenials { grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
@@ -456,14 +555,31 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantBrowse } " + " }, " + " { "
- + " protectedItems " + " {" + " attributeType {registeredAddress}, "
- + " allAttributeValues {telephoneNumber}" + " }, "
- + " grantsAndDenials { grantAdd, grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorModifyReplace",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems "
+ + " {"
+ + " attributeType {registeredAddress}, "
+ + " allAttributeValues {telephoneNumber}"
+ + " }, "
+ + " grantsAndDenials { grantAdd, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
@@ -489,13 +605,27 @@ public class ModifyAuthorizationIT exten
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// now add a subentry that enables user billyd to modify an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantRead, grantBrowse } " + " }, " + " { "
+ createAccessControlSubentry( "billydAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantRead, grantBrowse } "
+ + " }, "
+ + " { "
+ " protectedItems {allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
+ + " grantsAndDenials { grantAdd, grantRead, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -520,13 +650,30 @@ public class ModifyAuthorizationIT exten
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// now add a subentry that enables user billyd to modify an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " {" + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantModify, grantRead, grantBrowse } " + " }, " + " { "
+ createAccessControlSubentry( "billyAddBySubtree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " {"
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantRead, grantBrowse } "
+ + " }, "
+ + " { "
+ " protectedItems {allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
+ + " grantsAndDenials { grantAdd, grantRead, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
//
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -553,12 +700,27 @@ public class ModifyAuthorizationIT exten
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
- + " protectedItems {entry}, " + " grantsAndDenials { grantModify, grantRead, grantBrowse } "
- + " }, " + " { " + " protectedItems {allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantRead, grantRemove } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "anybodyAdd",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantModify, grantRead, grantBrowse } "
+ + " }, "
+ + " { "
+ + " protectedItems {allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantAdd, grantRead, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can now modify that test entry's number which we could not before
// should work with billyd now that all users are authorized
@@ -575,23 +737,45 @@ public class ModifyAuthorizationIT exten
createUser( "billyd", "billyd" );
- createAccessControlSubentry( "modifyACI", "{ " + " identificationTag \"modifyAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ createAccessControlSubentry( "modifyACI",
+ "{ "
+ + " identificationTag \"modifyAci\", " + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } " + " } " + " } "
- + " } " + "}" );
+ + " grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultEntryAttribute( "registeredAddress",
"200 Park Ave." ) );
- changePresciptiveACI( "modifyACI", "{ " + " identificationTag \"modifyAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ changePresciptiveACI( "modifyACI",
+ "{ "
+ + " identificationTag \"modifyAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { denyModify } " + " } " + " } " + " } " + "}" );
+ + " grantsAndDenials { denyModify } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -604,14 +788,32 @@ public class ModifyAuthorizationIT exten
public void testMaxValueCountProtectedItem() throws Exception
{
createUser( "billyd", "billyd" );
- createAccessControlSubentry( "mvcACI", "{" + " identificationTag \"mvcACI\"," + " precedence 10,"
- + " authenticationLevel simple," + " itemOrUserFirst userFirst:" + " {"
- + " userClasses { allUsers }," + " userPermissions" + " {" + " {"
- + " protectedItems { entry }," + " grantsAndDenials { grantModify, grantBrowse }"
- + " }," + " {" + " protectedItems" + " {"
- + " attributeType { description }," + " allAttributeValues { description },"
- + " maxValueCount { { type description, maxCount 1 } }" + " } ,"
- + " grantsAndDenials { grantRemove, grantAdd }" + " }" + " }" + " }" + "}" );
+ createAccessControlSubentry( "mvcACI",
+ "{"
+ + " identificationTag \"mvcACI\","
+ + " precedence 10,"
+ + " authenticationLevel simple,"
+ + " itemOrUserFirst userFirst:"
+ + " {"
+ + " userClasses { allUsers },"
+ + " userPermissions"
+ + " {"
+ + " {"
+ + " protectedItems { entry },"
+ + " grantsAndDenials { grantModify, grantBrowse }"
+ + " },"
+ + " {"
+ + " protectedItems"
+ + " {"
+ + " attributeType { description },"
+ + " allAttributeValues { description },"
+ + " maxValueCount { { type description, maxCount 1 } }"
+ + " } ,"
+ + " grantsAndDenials { grantRemove, grantAdd }"
+ + " }"
+ + " }"
+ + " }"
+ + "}" );
Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultEntryAttribute( "description",
"description 1" ) );
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Thu Dec 16 09:37:14 2010
@@ -201,11 +201,26 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantRenameByAdmin", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
- + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameByAdmin",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can now rename that test entry which we could not before
// rename op should still fail since billyd is not in the admin group
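Review bot: The identificationTag on the grantRenameByAdmin subentry is `"addAci"` even though the ACI grants Rename and Browse, and the same tag is reused by every other subentry in this file as far as this diff shows. The tag is only a label, but it is the one field that survives into the server's ACI tuples and log output, so identical tags make it impossible to tell which prescriptive ACI was applied when a move/rename test fails or is audited. I would make it descriptive, e.g. `+ " identificationTag \"renameByAdminAci\", "`, and do the same for the sibling subentries. This is a wording-only change with no effect on the authorization decision.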
@@ -234,12 +249,26 @@ public class MoveRenameAuthorizationIT e
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
- createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
- + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameMoveByAdmin",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -267,11 +296,25 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantMoveByAdmin", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
- + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantBrowse } " + " } " + " } " + " } "
+ createAccessControlSubentry( "grantMoveByAdmin",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ "}" );
// see if we can now move that test entry which we could not before
@@ -311,11 +354,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm specifically to the billyd user
- createAccessControlSubentry( "grantRenameByName", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameByName",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -335,12 +390,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
- createAccessControlSubentry( "grantRenameMoveByName", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameMoveByName",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -360,12 +426,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
- createAccessControlSubentry( "grantMoveByName", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantMoveByName",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
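Review bot: The grantMoveByName ACI's `grantsAndDenials` line still includes `grantRename`, while the comment above it says the subentry gives only grantImport and grantExport, and the sibling grantMoveByAdmin ACI earlier in this file grants `{ grantExport, grantImport, grantBrowse }`. With the extra grant the assertion that follows cannot show that import+export alone authorise a move without RDN change, so a regression that made a plain move depend on Rename would go unnoticed. I would align it with the comment and the Admin variant: `+ " grantsAndDenials { grantExport, grantImport, grantBrowse } "`. This only weakens the test, not the server; the enclosing test method starts before this hunk.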
@@ -396,11 +473,26 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to those users selected by the subtree
- createAccessControlSubentry( "grantRenameByTree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameByTree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -420,12 +512,25 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
- createAccessControlSubentry( "grantRenameMoveByTree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: { "
- + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameMoveByTree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: { "
+ + " userClasses "
+ + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
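Review bot: The grantRenameMoveByTree ACI keeps the opening brace on the `itemOrUserFirst userFirst: { ` line, whereas every other ACI reformatted in this commit puts the brace on its own line. Since the point of the commit is a uniform layout for the ACI specifications, I would split it into `+ " itemOrUserFirst userFirst: "` followed by `+ " { "`. The string content is otherwise unchanged, so the parsed ACI is identical.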
@@ -445,12 +550,26 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
- createAccessControlSubentry( "grantMoveByTree", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + " userClasses " + " { "
- + " subtree { { base \"ou=users,ou=system\" } } " + " }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantMoveByTree",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses "
+ + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } "
+ + " }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
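Review bot: The grantMoveByTree ACI grants `grantRename` in addition to Export/Import/Browse, which contradicts the comment "Gives grantImport, and grantExport perm" above it and differs from grantMoveByAdmin, which grants only `{ grantExport, grantImport, grantBrowse }`. Because the move asserted afterwards keeps the RDN (`"ou=testou"` to `"ou=testou"`), the over-grant means the test does not prove that a subtree-selected user can move without Rename permission. Suggest `+ " grantsAndDenials { grantExport, grantImport, grantBrowse } "`. The enclosing test method begins before this hunk.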
@@ -481,11 +600,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to any user
- createAccessControlSubentry( "grantRenameByAny", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
- + " protectedItems {entry}, " + " grantsAndDenials { grantRename, grantBrowse } "
- + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantRenameByAny",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -505,12 +636,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
- createAccessControlSubentry( "grantRenameMoveByAny", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ createAccessControlSubentry( "grantRenameMoveByAny",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -530,12 +672,23 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
- createAccessControlSubentry( "grantMoveByAny", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ createAccessControlSubentry( "grantMoveByAny",
+ "{ "
+ + " identificationTag \"addAci\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { allUsers }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ " protectedItems {entry}, "
- + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
- + " } " + " } " + "}" );
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
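Review bot: The grantMoveByAny ACI includes `grantRename` although its comment describes it as granting only import and export, and the allUsers variant is the broadest of the three "move" cases, so an unneeded grant here is the one most likely to mask an authorization bug. Dropping it keeps the test aligned with grantMoveByAdmin: `+ " grantsAndDenials { grantExport, grantImport, grantBrowse } "`. If the server genuinely requires Rename for a move that keeps its RDN, that would be worth a separate assertion rather than a silent extra grant.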
@@ -568,30 +721,63 @@ public class MoveRenameAuthorizationIT e
// Gives grantBrowse perm to all users in the Administrators
// group for entries
// It's is needed just to read navigate the tree at root
- createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", "{ "
- + " identificationTag \"browseACI\", " + " precedence 14, " + " authenticationLevel none, "
- + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems { entry }, "
- + " grantsAndDenials { grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }",
+ "{ "
+ + " identificationTag \"browseACI\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry }, "
+ + " grantsAndDenials { grantBrowse } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// Gives grantExport, grantRename perm to all users in the Administrators
// group for entries
- createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }", "{ "
- + " identificationTag \"exportACI\", " + " precedence 14, " + " authenticationLevel none, "
- + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems { entry }, "
- + " grantsAndDenials { grantExport, grantRename } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }",
+ "{ "
+ + " identificationTag \"exportACI\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry }, "
+ + " grantsAndDenials { grantExport, grantRename } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// Gives grantImport perm to all users in the Administrators
// group for the target context
- createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }", "{ "
- + " identificationTag \"importACI\", " + " precedence 14, " + " authenticationLevel none, "
- + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems { entry }, "
- + " grantsAndDenials { grantImport } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }",
+ "{ "
+ + " identificationTag \"importACI\", "
+ + " precedence 14, "
+ + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: "
+ + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, "
+ + " userPermissions "
+ + " { "
+ + " { "
+ + " protectedItems { entry }, "
+ + " grantsAndDenials { grantImport } "
+ + " } "
+ + " } "
+ + " } "
+ + "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group