From elecha...@apache.org
Subject svn commit: r1049849 [2/2] - /directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/
Date Thu, 16 Dec 2010 09:37:14 GMT
Modified: directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=1049849&r1=1049848&r2=1049849&view=diff
==============================================================================
--- directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
(original)
+++ directory/apacheds/branches/apacheds-AP/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
Thu Dec 16 09:37:14 2010
@@ -384,11 +384,25 @@ public class SearchAuthorizationIT exten
 
         // Gives search perms to all users in the Administrators group for
         // entries and all attribute types and values
-        createAccessControlSubentry( "searchAdmin", "{ " + "  identificationTag \"searchAci\",
" + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { " +
"    userClasses " + "    { "
-            + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + "    },
" + "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+        createAccessControlSubentry( "searchAdmin", 
+              "{ " 
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: "
+            + "  { " 
+            + "    userClasses " 
+            + "    { "
+            + "      userGroup { \"cn=Administrators,ou=groups,ou=system\" } " 
+            + "    }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search that test entry which we could not before
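Review bot: The reformatted literal is the same ACI template repeated in every hunk of this file (searchAdmin here, then billydSearch, billySearchBySubtree, anybodySearch, excludeTelephoneNumber, includeAllAttributeTypesAndValues, excludeOUValue, the `aci` locals, addSubentryACI, selectiveDiscloseOnError and anybodySearchTheirSubordinates), varying only in identificationTag, precedence, the userClasses clause, the protectedItems clause and the grantsAndDenials list, so a reader checking what a given test actually grants has to compare twenty-line blocks by eye. A private helper taking those five parts would reduce each call to one line that states its grant, and an accidental difference between two tests (an extra brace, a dropped grant) could no longer hide in the boilerplate. The helper below fixes `authenticationLevel none`, which every ACI visible in these hunks uses; the test methods enclosing these calls start and end outside the hunks.
```java
/** Builds a userFirst ACI item in the form the tests pass to createAccessControlSubentry / addSubentryACI. */
private static String userFirstAci( String tag, int precedence, String userClasses,
    String protectedItems, String grantsAndDenials )
{
    return "{ "
        + "  identificationTag \"" + tag + "\", "
        + "  precedence " + precedence + ", "
        + "  authenticationLevel none, "
        + "  itemOrUserFirst userFirst: "
        + "  { "
        + "    userClasses { " + userClasses + " }, "
        + "    userPermissions "
        + "    { "
        + "      { "
        + "        protectedItems { " + protectedItems + " }, "
        + "        grantsAndDenials { " + grantsAndDenials + " } "
        + "      } "
        + "    } "
        + "  } "
        + "}";
}

// … unchanged: test setup …
createAccessControlSubentry( "searchAdmin", userFirstAci( "searchAci", 14,
    "userGroup { \"cn=Administrators,ou=groups,ou=system\" }",
    "entry, allUserAttributeTypesAndValues",
    "grantRead, grantReturnDN, grantBrowse" ) );
```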
@@ -418,11 +432,25 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that enables user billyd to search an entry below ou=system
-        createAccessControlSubentry( "billydSearch", "{ " + "  identificationTag \"searchAci\",
" + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { " +
"    userClasses " + "    { "
-            + "      name { \"uid=billyd,ou=users,ou=system\" } " + "    }, " + "    userPermissions
" + "    { "
-            + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    }" + "  } "
+        createAccessControlSubentry( "billydSearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses " 
+            + "    { "
+            + "      name { \"uid=billyd,ou=users,ou=system\" } " 
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    }" 
+            + "  } "
             + "}" );
 
         // should work now that billyd is authorized by name
@@ -446,11 +474,25 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
 
         // now add a subentry that enables user billyd to search an entry below ou=system
-        createAccessControlSubentry( "billydSearch", "{ " + "  identificationTag \"searchAci\",
" + "  precedence 14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { " +
"    userClasses " + "    { "
-            + "      name { \"uid=billyd,ou=users,ou=system\" } " + "    }, " + "    userPermissions
" + "    { "
-            + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+        createAccessControlSubentry( "billydSearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses " 
+            + "    { "
+            + "      name { \"uid=billyd,ou=users,ou=system\" } " 
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // should work now that billyd is authorized by name
@@ -473,12 +515,28 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that enables user billyd to search an entry below ou=system
-        createAccessControlSubentry( "billySearchBySubtree", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses " + "    { " + "      subtree " + "      { "
-            + "        { base \"ou=users,ou=system\" } " + "      } " + "    }, " + "   
userPermissions " + "    { "
-            + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials {  grantRead, grantReturnDN, grantBrowse } " + "
     } " + "    } " + "  } "
+        createAccessControlSubentry( "billySearchBySubtree", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses " 
+            + "    { " 
+            + "      subtree " 
+            + "      { "
+            + "        { base \"ou=users,ou=system\" } " 
+            + "      } " 
+            + "    }, " 
+            + "    userPermissions " 
+            + "    { "
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials {  grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // should work now that billyd is authorized by the subtree userClass
@@ -501,11 +559,22 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that enables anyone to search an entry below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search that tree which we could not before
@@ -535,11 +604,22 @@ public class SearchAuthorizationIT exten
 
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3
-        createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search that test entry which we could not before
@@ -566,11 +646,22 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  It only grants access to
         // the ou and objectClass attributes however.
-        createAccessControlSubentry( "excludeTelephoneNumber", "{ maximum 2 }", "{ "
-            + "  identificationTag \"searchAci\", " + "  precedence 14, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allAttributeValues
{ ou, objectClass } }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+        createAccessControlSubentry( "excludeTelephoneNumber", "{ maximum 2 }", 
+              "{ "
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allAttributeValues { ou, objectClass } }, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search and find 4 entries
@@ -588,11 +679,22 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  This time we should be able
         // to see the telephoneNumber attribute
-        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",
"{ "
-            + "  identificationTag \"searchAci\", " + "  precedence 14, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues
}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    }" + "  } "
+        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",

+              "{ "
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues }, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    }" 
+            + "  } "
             + "}" );
 
         // again we should find four entries
@@ -625,13 +727,29 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  It only grants access to
         // the ou and objectClass attributes however.
-        createAccessControlSubentry( "excludeOUValue", "{ maximum 2 }", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems " + "        {" + "          entry, " + "         
attributeType { ou }, "
-            + "          allAttributeValues { objectClass }, " + "          attributeValue
{ ou=0, ou=1, ou=2 } "
-            + "        }, " + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse
} " + "      } "
-            + "    } " + "  } " + "}" );
+        createAccessControlSubentry( "excludeOUValue", "{ maximum 2 }", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems " 
+            + "        {" 
+            + "          entry, " 
+            + "          attributeType { ou }, "
+            + "          allAttributeValues { objectClass }, " 
+            + "          attributeValue { ou=0, ou=1, ou=2 } "
+            + "        }, " 
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } "
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // see if we can now search and find 4 entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
@@ -648,11 +766,22 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  This time we should be able
         // to see the telephoneNumber attribute
-        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",
"{ "
-            + "  identificationTag \"searchAci\", " + "  precedence 14, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues
}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  }"
+        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",

+              "{ "
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues }, "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  }"
             + "}" );
 
         // again we should find four entries
@@ -680,10 +809,23 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
-        String aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 14, " + "
 authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        String aci = 
+              "{ "
+            + "  identificationTag \"denyAci\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}";
 
         // try a search operation which should fail without any prescriptive ACI
         DN testsDn = new DN( "ou=system" );
@@ -691,11 +833,22 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE,
testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search the tree which we could not before
@@ -725,10 +878,23 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add an entryACI denying browse, read and returnDN to a specific entry
-        String aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 14, " + "
 authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        String aci = 
+              "{ " 
+            + "  identificationTag \"denyAci\", " 
+            + "  precedence 14, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}";
 
         // try a search operation which should fail without any prescriptive ACI
         DN testsDn = new DN( "ou=system" );
@@ -736,11 +902,22 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE,
testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 15, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 15, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search the tree which we could not before
@@ -753,10 +930,23 @@ public class SearchAuthorizationIT exten
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
         // but this time the precedence will be higher than that of the grant
-        aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 16, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        aci = 
+              "{ " 
+            + "  identificationTag \"denyAci\", " 
+            + "  precedence 16, " 
+            + "  authenticationLevel none, "
+            + "  itemOrUserFirst userFirst: " 
+            + "  { " 
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions "
+            + "    { " 
+            + "      { " 
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
+            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}";
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -802,22 +992,45 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearch", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // check and see if we can access the subentry now
         assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system"
) ) );
 
         // now add a denial to prevent all users except the admin from accessing the subentry
-        addSubentryACI( "{ " + "  identificationTag \"searchAci\", " + "  precedence 14,
"
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        addSubentryACI( 
+              "{ " 
+            + "  identificationTag \"searchAci\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // now we should not be able to access the subentry with a search
         assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system"
) ) );
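Review bot: The comment introducing the addSubentryACI call (`// now add a denial to prevent all users except the admin from accessing the subentry`) does not say why this denial takes effect: it carries the same precedence, 14, as the anybodySearch grant created a few lines above, and the assertNull that follows relies on a denial outranking a grant of equal precedence. A one-line addition would make the intent of the test explicit, for example `// same precedence (14) as the grant above: at equal precedence a denial outranks a grant, so the grant is overridden`. The hunk further up that sets `precedence 16` on the deny against a precedence-15 grant exercises the other ordering and its comment already says so. The enclosing test method starts and ends outside this hunk.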
@@ -832,13 +1045,29 @@ public class SearchAuthorizationIT exten
 
         // now add a subentry that enables anyone to search/lookup and disclose on error
         // below ou=system, with the exclusion of ou=groups and everything below it
-        createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions "
-            + "  { chopBefore:\"ou=groups\" } " + "}", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:"
+ "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, " + "    
   grantsAndDenials "
-            + "        { " + "          grantRead, " + "          grantReturnDN, " + "  
       grantBrowse, "
-            + "          grantDiscloseOnError " + "        } " + "      } " + "    } " +
"  } " + "}" );
+        createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions  
{ chopBefore:\"ou=groups\" } }",
+            "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst:" 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, " 
+            + "        grantsAndDenials "
+            + "        { " 
+            + "          grantRead, " 
+            + "          grantReturnDN, " 
+            + "          grantBrowse, "
+            + "          grantDiscloseOnError " 
+            + "        } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system
         LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd"
);
@@ -849,12 +1078,29 @@ public class SearchAuthorizationIT exten
 
         // now delete and replace subentry with one that does not excluse ou=groups,ou=system
         deleteAccessControlSubentry( "selectiveDiscloseOnError" );
-        createAccessControlSubentry( "selectiveDiscloseOnError", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, " + "    
   grantsAndDenials "
-            + "        { " + "          grantRead, " + "          grantReturnDN, " + "  
       grantBrowse, "
-            + "          grantDiscloseOnError " + "        } " + "      } " + "    } " +
"  } " + "}" );
+        createAccessControlSubentry( "selectiveDiscloseOnError", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
+            + "        protectedItems {entry, allUserAttributeTypesAndValues}, " 
+            + "        grantsAndDenials "
+            + "        { " 
+            + "          grantRead, " 
+            + "          grantReturnDN, " 
+            + "          grantBrowse, "
+            + "          grantDiscloseOnError " 
+            + "        } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // now try a lookup of a non-existant entry under ou=groups,ou=system again
         entry = userCtx.lookup( "cn=blah,ou=groups" );
@@ -876,11 +1122,22 @@ public class SearchAuthorizationIT exten
         getAdminConnection().add( phoneBook );
 
         // now add a subentry that enables anyone to search below their own entries
-        createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "anybodySearchTheirSubordinates", 
+              "{ " 
+            + "  identificationTag \"searchAci\", "
+            + "  precedence 14, " 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // check and see if we can access the subentry now
@@ -888,12 +1145,23 @@ public class SearchAuthorizationIT exten
             "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
 
         // now add a denial to prevent all users except the admin from accessing the subentry
-        addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
-            + "  identificationTag \"anybodyDontSearchTheirSubordinates\", " + "  precedence
14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { parentOfEntry }, " + "    userPermissions " + "    { " +
"      { "
+        addPrescriptiveACI( "anybodySearchTheirSubordinates", 
+              "{ "
+            + "  identificationTag \"anybodyDontSearchTheirSubordinates\", " 
+            + "  precedence 14, "
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { parentOfEntry }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}" );
+            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } " 
+            + "}" );
 
         // now we should not be able to access the subentry with a search
         assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system"
) ) );
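Review bot: The denial ACI added at L720–L738 uses `precedence 14`, the same value as the `anybodySearchTheirSubordinates` grant it is meant to override, and nothing states why the deny is expected to win; a reader could treat the equal precedence as accidental and change it, silently altering what the assertion at L741 checks. A one-line comment above the call would fix that, e.g. `// same precedence as the grant ACI above: the deny is expected to prevail through ACDF tie-breaking (user-class specificity, then denials over grants) — see X.501 ACDF`; the exact tie-break step that decides it here is not visible in the hunk, so confirm which rule applies before wording it. The enclosing test method starts and ends outside the hunk.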
@@ -916,13 +1184,26 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that allows a user to read the CN only
-        createAccessControlSubentry( "rangeOfValues", "{ " + "  identificationTag \"rangeOfValuesAci\",
"
-            + "  precedence 14," + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
+        createAccessControlSubentry( "rangeOfValues", 
+              "{ " 
+            + "  identificationTag \"rangeOfValuesAci\", "
+            + "  precedence 14," 
+            + "  authenticationLevel none, " 
+            + "  itemOrUserFirst userFirst: " 
+            + "  { "
+            + "    userClasses { allUsers }, " 
+            + "    userPermissions " 
+            + "    { " 
+            + "      { "
             + "        protectedItems { entry }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    }, " + "      { "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      }, " 
+            + "      { "
             + "        protectedItems { rangeOfValues (cn=billyd) }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
+            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " 
+            + "      } " 
+            + "    } " 
+            + "  } "
             + "}" );
 
         // see if we can now search and find 4 entries
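Review bot: The fragment at L756, `+ "  precedence 14,"`, is the only one in this series of reformatted ACI literals without a space after the comma (the hunks at L637, L679 and L710 all use `"  precedence 14, "`); the result still parses only because the next fragment happens to start with two spaces. Changing it to `+ "  precedence 14, "` makes the literal consistent with the others and not dependent on the neighbouring fragment's leading whitespace. The enclosing test method starts and ends outside the hunk.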


