From elecha...@apache.org
Subject svn commit: r1127535 - /directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
Date Wed, 25 May 2011 13:53:20 GMT
Author: elecharny
Date: Wed May 25 13:53:20 2011
New Revision: 1127535

URL: http://svn.apache.org/viewvc?rev=1127535&view=rev
Log:
Formatted the ACIs

Modified:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=1127535&r1=1127534&r2=1127535&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
(original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
Wed May 25 13:53:20 2011
@@ -639,12 +639,23 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  It only grants access to
         // the ou and objectClass attributes however.
-        createAccessControlSubentry( "excludeTelephoneNumber", "{ maximum 2 }", "{ "
-            + "  identificationTag \"searchAci\", " + "  precedence 14, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allAttributeValues
{ ou, objectClass } }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
-            + "}" );
+        createAccessControlSubentry( "excludeTelephoneNumber", "{ maximum 2 }", 
+            "{ " +
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " + 
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " + 
+            "      { " + 
+            "        protectedItems {entry, allAttributeValues { ou, objectClass } }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " +
+            "}" );
 
         // see if we can now search and find 4 entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
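Review bot: The ACI literal passed to `createAccessControlSubentry( "excludeTelephoneNumber", ... )` is repeated almost verbatim in every later hunk of this commit; only the identificationTag, precedence, userClasses, protectedItems and grantsAndDenials differ. The values that decide each test's outcome (precedence 14 versus 15 versus 16, grant versus deny) are therefore buried in about sixteen lines of identical skeleton. A small private helper in the test class, for example `buildAci( tag, precedence, userClasses, protectedItems, grantsAndDenials )` (the name is only a suggestion), would keep one copy of the skeleton and leave the security-relevant differences as the only thing a reviewer has to read. Several added lines also end in `+ ` with trailing whitespace while others end in a bare `+`; trimming them would keep later diffs clean. The enclosing test method starts and ends outside the hunk.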
@@ -661,12 +672,23 @@ public class SearchAuthorizationIT exten
         // now add a subentry that enables anyone to search an entry below ou=system
         // down two more rdns for DNs of a max size of 3.  This time we should be able
         // to see the telephoneNumber attribute
-        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",
"{ "
-            + "  identificationTag \"searchAci\", " + "  precedence 14, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues
}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    }" + "  } "
-            + "}" );
+        createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }",

+            "{ " +
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " + 
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " + 
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    }" + 
+            "  } " +
+            "}" );
 
         // again we should find four entries
         assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
@@ -779,10 +801,23 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
-        String aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 14, " + "
 authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        String aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " + 
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " + 
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " + 
+            "}";
 
         // try a search operation which should fail without any prescriptive ACI
         Dn testsDn = new Dn( "ou=system" );
@@ -790,12 +825,23 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE,
testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
-            + "}" );
+        createAccessControlSubentry( "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " + 
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " + 
+            "    { " + 
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " +
+            "}" );
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -824,10 +870,23 @@ public class SearchAuthorizationIT exten
         createUser( "billyd", "billyd" );
 
         // now add an entryACI denying browse, read and returnDN to a specific entry
-        String aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 14, " + "
 authenticationLevel none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        String aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 14, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " + 
+            "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " + 
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " + 
+            "}";
 
         // try a search operation which should fail without any prescriptive ACI
         Dn testsDn = new Dn( "ou=system" );
@@ -835,12 +894,23 @@ public class SearchAuthorizationIT exten
         assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE,
testsDn, aci, 9 ) );
 
         // now add a subentry that enables anyone to search below ou=system
-        createAccessControlSubentry( "anybodySearch", "{ " + "  identificationTag \"searchAci\",
"
-            + "  precedence 15, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
-            + "}" );
+        createAccessControlSubentry( "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 15, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " + 
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " + 
+            "    { " + 
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " +
+            "}" );
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
@@ -852,10 +922,22 @@ public class SearchAuthorizationIT exten
 
         // now add an entryACI denies browse, read and returnDN to a specific entry
         // but this time the precedence will be higher than that of the grant
-        aci = "{ " + "  identificationTag \"denyAci\", " + "  precedence 16, " + "  authenticationLevel
none, "
-            + "  itemOrUserFirst userFirst: " + "  { " + "    userClasses { allUsers }, "
+ "    userPermissions "
-            + "    { " + "      { " + "        protectedItems {entry, allUserAttributeTypesAndValues},
"
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}";
+        aci = 
+            "{ " + 
+            "  identificationTag \"denyAci\", " + 
+            "  precedence 16, " + 
+            "  authenticationLevel none, " +
+            "  itemOrUserFirst userFirst: " + "  { " + 
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " +
+            "    { " + 
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " + 
+            "}";
 
         // see if we can now search the tree which we could not before
         // should work with billyd now that all users are authorized
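Review bot: The reformatted `aci` assignment still carries two literals on one line, `"  itemOrUserFirst userFirst: " + "  { " +`, whereas every other ACI touched by this commit puts the opening `"  { " +` on its own line. Splitting it the same way keeps the brace nesting readable. It also lets this block line up with the earlier `denyAci` literal at `precedence 14`, apparently in the same test, so that the only visible difference is the precedence value the test is about. The enclosing method extends beyond the hunk.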
@@ -1035,24 +1117,46 @@ public class SearchAuthorizationIT exten
         getAdminConnection().add( phoneBook );
 
         // now add a subentry that enables anyone to search below their own entries
-        createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "  identificationTag
\"searchAci\", "
-            + "  precedence 14, " + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
-            + "}" );
+        createAccessControlSubentry( "anybodySearchTheirSubordinates", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " +
+            "  precedence 14, " + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " + 
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " + 
+            "    { " + 
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " +
+            "}" );
 
         // check and see if we can access the subentry now
         assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new Dn(
             "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
 
         // now add a denial to prevent all users except the admin from accessing the subentry
-        addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
-            + "  identificationTag \"anybodyDontSearchTheirSubordinates\", " + "  precedence
14, "
-            + "  authenticationLevel none, " + "  itemOrUserFirst userFirst: " + "  { "
-            + "    userClasses { parentOfEntry }, " + "    userPermissions " + "    { " +
"      { "
-            + "        protectedItems {entry, allUserAttributeTypesAndValues}, "
-            + "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + "    
 } " + "    } " + "  } " + "}" );
+        addPrescriptiveACI( "anybodySearchTheirSubordinates", 
+            "{ " +
+            "  identificationTag \"anybodyDontSearchTheirSubordinates\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " + 
+            "  { " +
+            "    userClasses { parentOfEntry }, " + 
+            "    userPermissions " + 
+            "    { " + 
+            "      { " +
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " + 
+            "}" );
 
         // now we should not be able to access the subentry with a search
         assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new Dn( "ou=phoneBook,uid=billyd,ou=users,ou=system"
) ) );
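Review bot: The context comment `// now add a denial to prevent all users except the admin from accessing the subentry` does not match the ACI that follows. Its `userClasses { parentOfEntry }` presumably scopes the denial to users whose own entry is an ancestor of the protected entry, not to every non-admin user. The grant above and this denial both use `precedence 14`, so the `assertNull` result depends on how the access-control decision breaks the tie between the two items, and that is worth stating next to the ACI. I would reword the comment along the lines of `// deny read/browse/returnDN to the parent of the entry (billyd for ou=phoneBook,uid=billyd,...); same precedence as the grant, so the denial must win the tie-break`. The test method starts outside the hunk.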
@@ -1065,7 +1169,7 @@ public class SearchAuthorizationIT exten
      * @throws Exception if the test encounters an error
      */
     @Test
-    @Ignore
+    @Ignore( "The test is currently failing" )
     public void testRangeOfValues() throws Exception
     {
         // create the non-admin user
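Review bot: The new reason string `@Ignore( "The test is currently failing" )` records that `testRangeOfValues` fails, but not why or where the failure is tracked. Enforcement of `rangeOfValues` protected items therefore stays unverified, with nothing to prompt re-enabling the test. Since this is an authorization test, I would put the tracking reference and the failing assertion in the reason, e.g. `@Ignore( "Currently failing, see <ISSUE-ID>: <short cause>" )`, replacing the placeholders with the real issue key and cause. The method body continues outside the hunk.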
@@ -1075,14 +1179,27 @@ public class SearchAuthorizationIT exten
         assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
 
         // now add a subentry that allows a user to read the CN only
-        createAccessControlSubentry( "rangeOfValues", "{ " + "  identificationTag \"rangeOfValuesAci\",
"
-            + "  precedence 14," + "  authenticationLevel none, " + "  itemOrUserFirst userFirst:
" + "  { "
-            + "    userClasses { allUsers }, " + "    userPermissions " + "    { " + "  
   { "
-            + "        protectedItems { entry }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    }, " + "      { "
-            + "        protectedItems { rangeOfValues (cn=billyd) }, "
-            + "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " 
    } " + "    } " + "  } "
-            + "}" );
+        createAccessControlSubentry( "rangeOfValues", 
+            "{ " + 
+            "  identificationTag \"rangeOfValuesAci\", " +
+            "  precedence 14," + 
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " + 
+            "  { " +
+            "    userClasses { allUsers }, " + 
+            "    userPermissions " + 
+            "    { " + 
+            "      { " +
+            "        protectedItems { entry }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      }, " + 
+            "      { " +
+            "        protectedItems { rangeOfValues (cn=billyd) }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + 
+            "      } " + 
+            "    } " + 
+            "  } " +
+            "}" );
 
         // see if we can now search and find 4 entries
         assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
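Review bot: The two comments around this ACI do not describe what the code does. `// now add a subentry that allows a user to read the CN only` sits above an ACI that grants read, returnDN and browse on `entry` as well as on `rangeOfValues (cn=billyd)`, and `// see if we can now search and find 4 entries` precedes `checkCanSearchAs( "billyd", "billyd" )`, which passes no expected count. I would reword them to `// grant access to the entry itself and to the values matching the filter (cn=billyd)` and `// see if we can now search`. As far as the hunk shows, the test only asserts that the search succeeds. If the intent is to prove that other attribute values stay hidden, a negative assertion is needed, though the rest of the method is outside the hunk.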


