From elecha...@apache.org
Subject svn commit: r1183441 [3/4] - in /directory/apacheds/trunk/interceptors/authz: ./ .settings/ src/ src/main/ src/main/java/ src/main/java/org/ src/main/java/org/apache/ src/main/java/org/apache/directory/ src/main/java/org/apache/directory/server/ src/ma...
Date Fri, 14 Oct 2011 17:38:32 GMT
Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,78 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.Collection;
+import java.util.Iterator;
+
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+
+
+/**
+ * An {@link ACITupleFilter} that discard tuples which doesn't contain any
+ * related {@link MicroOperation}s. (18.8.3.4, X.501) 
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ *
+ */
+public class MicroOperationFilter implements ACITupleFilter
+{
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( aciContext.getAciTuples().size() == 0 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
+        {
+            ACITuple tuple = i.next();
+
+            /*
+             * The ACITuple must contain all the MicroOperations specified within the
+             * microOperations argument.  Just matching a single microOperation is not
+             * enough.  All must be matched to retain the ACITuple.
+             */
+
+            boolean retain = true;
+            
+            for ( MicroOperation microOp:aciContext.getMicroOperations() )
+            {
+                if ( !tuple.getMicroOperations().contains( microOp ) )
+                {
+                    retain = false;
+                    break;
+                }
+            }
+
+            if ( !retain )
+            {
+                i.remove();
+            }
+        }
+
+        return aciContext.getAciTuples();
+    }
+
+}
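Review bot: The class Javadoc says a tuple is discarded when it "doesn't contain any related MicroOperations", but the inner loop of `filter` clears `retain` as soon as one requested micro-operation is missing, so it requires all of them, as the inline comment states. In an access-control filter the any/all distinction should not be left ambiguous; I would reword the Javadoc to `An {@link ACITupleFilter} that discards tuples which do not contain every {@link MicroOperation} requested by the operation.` Note also that when `aciContext.getMicroOperations()` is empty, `retain` stays `true` and every tuple survives; whether callers can pass an empty set is not visible here, so that precondition should be documented or rejected explicitly.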

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,104 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AttributeValueItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RangeOfValuesItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+
+
+/**
+ * An {@link ACITupleFilter} that chooses the tuples with the most specific
+ * protected item. (18.8.4.3, X.501)
+ * <p>
+ * If more than one tuple remains, choose the tuples with the most specific
+ * protected item. If the protected item is an attribute and there are tuples 
+ * that specify the attribute type explicitly, discard all other tuples. If
+ * the protected item is an attribute value, and there are tuples that specify
+ * the attribute value explicitly, discard all other tuples. A protected item
+ * which is a rangeOfValues is to be treated as specifying an attribute value
+ * explicitly.
+ * 
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class MostSpecificProtectedItemFilter implements ACITupleFilter
+{
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( aciContext.getAciTuples().size() <= 1 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
+
+        // If the protected item is an attribute and there are tuples that
+        // specify the attribute type explicitly, discard all other tuples.
+        for ( ACITuple tuple:aciContext.getAciTuples() )
+        {
+            for ( ProtectedItem item:tuple.getProtectedItems() )
+            {
+                if ( item instanceof AttributeTypeItem || item instanceof AllAttributeValuesItem
+                    || item instanceof SelfValueItem || item instanceof AttributeValueItem )
+                {
+                    filteredTuples.add( tuple );
+                    break;
+                }
+            }
+        }
+
+        if ( filteredTuples.size() > 0 )
+        {
+            return filteredTuples;
+        }
+
+        // If the protected item is an attribute value, and there are tuples
+        // that specify the attribute value explicitly, discard all other tuples.
+        // A protected item which is a rangeOfValues is to be treated as
+        // specifying an attribute value explicitly. 
+        for ( ACITuple tuple:aciContext.getAciTuples() )
+        {
+            for ( ProtectedItem item:tuple.getProtectedItems() )
+            {
+                if ( item instanceof RangeOfValuesItem)
+                {
+                    filteredTuples.add( tuple );
+                }
+            }
+        }
+
+        if ( filteredTuples.size() > 0 )
+        {
+            return filteredTuples;
+        }
+
+        return aciContext.getAciTuples();
+    }
+}
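Review bot: The second pass (the `RangeOfValuesItem` loop) has no `break` after `filteredTuples.add( tuple )`, unlike the first pass, so a tuple carrying two or more rangeOfValues items is added to the result once per item. Duplicate tuples in the returned collection may skew later filters that count or iterate over the remaining tuples; add `break;` directly after that `add` call. Separately, the `scope` parameter is never consulted although the comments condition each pass on whether the protected item is an attribute or an attribute value, and `AttributeValueItem` is selected in the first pass rather than the second; if that is intentional, a comment saying so would help the next reader.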

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,115 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+
+
+/**
+ * An {@link ACITupleFilter} that chooses the tuples with the most specific user
+ * class. (18.8.4.2)
+ * <p>
+ * If more than one tuple remains, choose the tuples with the most specific user
+ * class. If there are any tuples matching the requestor with UserClasses element
+ * name or thisEntry, discard all other tuples. Otherwise if there are any tuples
+ * matching UserGroup, discard all other tuples. Otherwise if there are any tuples
+ * matching subtree, discard all other tuples.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class MostSpecificUserClassFilter implements ACITupleFilter
+{
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( aciContext.getAciTuples().size() <= 1 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
+
+        // If there are any tuples matching the requestor with UserClasses
+        // element name or thisEntry, discard all other tuples.
+        for ( ACITuple tuple:aciContext.getAciTuples() )
+        {
+            for ( UserClass userClass:tuple.getUserClasses() )
+            {
+                if ( userClass instanceof UserClass.Name || userClass instanceof UserClass.ThisEntry )
+                {
+                    filteredTuples.add( tuple );
+                    break;
+                }
+            }
+        }
+
+        if ( filteredTuples.size() > 0 )
+        {
+            return filteredTuples;
+        }
+
+        // Otherwise if there are any tuples matching UserGroup,
+        // discard all other tuples.
+        for ( ACITuple tuple:aciContext.getAciTuples() )
+        {
+            for ( UserClass userClass:tuple.getUserClasses() )
+            {
+                if ( userClass instanceof UserClass.UserGroup )
+                {
+                    filteredTuples.add( tuple );
+                    break;
+                }
+            }
+        }
+
+        if ( filteredTuples.size() > 0 )
+        {
+            return filteredTuples;
+        }
+
+        // Otherwise if there are any tuples matching subtree,
+        // discard all other tuples.
+        for ( ACITuple tuple:aciContext.getAciTuples() )
+        {
+            for ( UserClass userClass:tuple.getUserClasses() )
+            {
+                if ( userClass instanceof UserClass.Subtree )
+                {
+                    filteredTuples.add( tuple );
+                    break;
+                }
+            }
+        }
+
+        if ( filteredTuples.size() > 0 )
+        {
+            return filteredTuples;
+        }
+
+        return aciContext.getAciTuples();
+    }
+
+}
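Review bot: The three passes in `filter` test only `instanceof` on each tuple's user classes and never consult `userEntry` or `aciContext.getUserDn()`, so "matching the requestor" is assumed here rather than checked. A tuple whose user classes hold both a `UserClass.Name` and a `UserClass.Subtree` is kept by the first pass as name-specific even if the requestor was related to it only through the subtree; whether an earlier filter rules that case out is not visible in this hunk. At minimum I would state the assumption in the class Javadoc, e.g. `Assumes the tuples were already reduced to those related to the requestor; specificity is judged by user class type only.` The three loops differ only in the tested types and could share one private helper.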

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/OperationScope.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,70 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+/**
+ * An enumeration that represents the scope of user operation.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class OperationScope
+{
+    /**
+     * An operation that affects the whole entry.
+     */
+    public static final OperationScope ENTRY = new OperationScope( "Entry" );
+
+    /**
+     * An operation that affects all values in an attribute type.
+     */
+    public static final OperationScope ATTRIBUTE_TYPE = new OperationScope( "Attribute Type" );
+
+    /**
+     * An operation that affects the specific value in an attribute type.
+     */
+    public static final OperationScope ATTRIBUTE_TYPE_AND_VALUE = new OperationScope( "Attribute Type & Value" );
+
+    private final String name;
+
+
+    private OperationScope(String name)
+    {
+        this.name = name;
+    }
+
+
+    /**
+     * Return the name of this scope.
+     */
+    public String getName()
+    {
+        return name;
+    }
+
+
+    /**
+     * Returns the name of this scope.
+     */
+    public String toString()
+    {
+        return name;
+    }
+}
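Review bot: `OperationScope` is documented as "An enumeration" but is written as an ordinary non-final class, while `RelatedProtectedItemFilter.isRelated` in this same commit compares scopes with `==` and `!=`. That identity comparison is sound only while exactly these three instances exist; declaring the type as `public enum OperationScope` with constants such as `ENTRY( "Entry" )` lets the language guarantee it, and the commit already uses Java 5 features (generics, for-each). If the class form is kept, mark it `final` and add `@Override` to `toString()`.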

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,298 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.Collection;
+import java.util.Iterator;
+
+import org.apache.directory.server.core.api.event.Evaluator;
+import org.apache.directory.server.core.subtree.RefinementEvaluator;
+import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.AttributeValueItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.ClassesItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxImmSubItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountElem;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RangeOfValuesItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
+import org.apache.directory.shared.ldap.model.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.model.entry.Attribute;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.entry.Value;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.schema.AttributeType;
+import org.apache.directory.shared.ldap.model.schema.SchemaManager;
+
+
+/**
+ * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s
+ * are not related with the operation. (18.8.3.2, X.501)
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class RelatedProtectedItemFilter implements ACITupleFilter
+{
+    private final RefinementEvaluator refinementEvaluator;
+    private final Evaluator entryEvaluator;
+    private final SchemaManager schemaManager;
+
+
+    public RelatedProtectedItemFilter( RefinementEvaluator refinementEvaluator, Evaluator entryEvaluator, SchemaManager schemaManager )
+    {
+        this.refinementEvaluator = refinementEvaluator;
+        this.entryEvaluator = entryEvaluator;
+        this.schemaManager = schemaManager;
+    }
+
+
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( aciContext.getAciTuples().size() == 0 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
+        {
+            ACITuple tuple = i.next();
+            
+            if ( !isRelated( tuple, scope, aciContext.getUserDn(), aciContext.getEntryDn(), aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
+            {
+                i.remove();
+            }
+        }
+
+        return aciContext.getAciTuples();
+    }
+
+
+    private boolean isRelated( ACITuple tuple, OperationScope scope, Dn userName, Dn entryName, AttributeType attributeType,
+                               Value<?> attrValue, Entry entry ) throws LdapException, InternalError
+    {
+        String oid = null;
+        
+        if ( attributeType != null )
+        {
+            oid = attributeType.getOid();
+        }
+        
+        for ( ProtectedItem item : tuple.getProtectedItems() )
+        {
+            if ( item == ProtectedItem.ENTRY )
+            {
+                if ( scope != OperationScope.ENTRY )
+                {
+                    continue;
+                }
+                
+                return true;
+            }
+            else if ( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE && scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                return true;
+            }
+            else if ( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES_AND_VALUES )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE && scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                return true;
+            }
+            else if ( item instanceof AllAttributeValuesItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                AllAttributeValuesItem aav = ( AllAttributeValuesItem ) item;
+
+                for ( Iterator<AttributeType> iterator = aav.iterator(); iterator.hasNext(); )
+                {
+                    AttributeType attr = iterator.next();
+                    
+                    if ( oid.equals( attr.getOid() ) )
+                    {
+                        return true;
+                    }
+                }
+            }
+            else if ( item instanceof AttributeTypeItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE )
+                {
+                    continue;
+                }
+
+                AttributeTypeItem at = ( AttributeTypeItem ) item;
+                
+                for ( Iterator<AttributeType> iterator = at.iterator(); iterator.hasNext(); )
+                {
+                    AttributeType attr = iterator.next();
+                    
+                    if ( oid.equals( attr.getOid() ) )
+                    {
+                        return true;
+                    }
+                }
+            }
+            else if ( item instanceof AttributeValueItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                AttributeValueItem av = ( AttributeValueItem ) item;
+                
+                for ( Iterator<Attribute> j = av.iterator(); j.hasNext(); )
+                {
+                    Attribute entryAttribute = j.next();
+                    
+                    AttributeType attr =  entryAttribute.getAttributeType();
+                    String attrOid = null;
+                    
+                    if ( attr != null )
+                    {
+                        attrOid = entryAttribute.getAttributeType().getOid();
+                    }
+                    else
+                    {
+                        attr = schemaManager.lookupAttributeTypeRegistry( entryAttribute.getId() );
+                        attrOid = attr.getOid();
+                        entryAttribute.apply( attr );
+                    }
+                    
+                    if ( oid.equals( attrOid ) && entryAttribute.contains( attrValue ) )
+                    {
+                        return true;
+                    }
+                }
+            }
+            else if ( item instanceof ClassesItem )
+            {
+                ClassesItem refinement = (ClassesItem ) item;
+                
+                if ( refinementEvaluator.evaluate( refinement.getClasses(), entry.get( SchemaConstants.OBJECT_CLASS_AT ) ) )
+                {
+                    return true;
+                }
+            }
+            else if ( item instanceof MaxImmSubItem )
+            {
+                return true;
+            }
+            else if ( item instanceof MaxValueCountItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                MaxValueCountItem mvc = ( MaxValueCountItem ) item;
+                
+                for ( Iterator<MaxValueCountElem> j = mvc.iterator(); j.hasNext(); )
+                {
+                    MaxValueCountElem mvcItem = j.next();
+                    
+                    if ( oid.equals( mvcItem.getAttributeType().getOid() ) )
+                    {
+                        return true;
+                    }
+                }
+            }
+            else if ( item instanceof RangeOfValuesItem )
+            {
+                RangeOfValuesItem rov = ( RangeOfValuesItem ) item;
+                
+                if ( entryEvaluator.evaluate( rov.getRefinement(), entryName, entry ) )
+                {
+                    return true;
+                }
+            }
+            else if ( item instanceof RestrictedByItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+                {
+                    continue;
+                }
+
+                RestrictedByItem rb = ( RestrictedByItem ) item;
+                
+                for ( Iterator<RestrictedByElem> j = rb.iterator(); j.hasNext(); )
+                {
+                    RestrictedByElem rbItem = j.next();
+                    
+                    if ( oid.equals( rbItem.getAttributeType().getOid() ) )
+                    {
+                        return true;
+                    }
+                }
+            }
+            else if ( item instanceof SelfValueItem )
+            {
+                if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE && scope != OperationScope.ATTRIBUTE_TYPE )
+                {
+                    continue;
+                }
+
+                SelfValueItem sv = ( SelfValueItem ) item;
+                
+                for ( Iterator<AttributeType> iterator = sv.iterator(); iterator.hasNext(); )
+                {
+                    AttributeType attr = iterator.next();
+                    
+                    if ( oid.equals( attr.getOid() ) )
+                    {
+                        Attribute entryAttribute = entry.get( oid );
+                        
+                        if ( ( entryAttribute != null ) && 
+                             ( ( entryAttribute.contains( userName.getNormName() ) || 
+                               ( entryAttribute.contains( userName.getName() ) ) ) ) )
+                        {
+                            return true;
+                        }
+                    }
+                }
+            }
+            else
+            {
+                throw new InternalError( I18n.err( I18n.ERR_232, item.getClass().getName() ) );
+            }
+        }
+
+        return false;
+    }
+}
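Review bot: In `isRelated`, `oid` stays `null` when `attributeType` is null, yet the `AllAttributeValuesItem`, `AttributeTypeItem`, `AttributeValueItem`, `MaxValueCountItem`, `RestrictedByItem` and `SelfValueItem` branches call `oid.equals( ... )` guarded only by `scope`. Nothing in this method ties a non-ENTRY scope to a non-null attribute type, so a mismatched call would end the access decision with a NullPointerException rather than an `LdapException` or a clean "not related"; flipping the comparison, e.g. `if ( attr.getOid().equals( oid ) )`, makes those branches null-safe. The `ClassesItem` branch likewise dereferences `entry` without a null check. The final `else` throws `InternalError` (presumably `java.lang.InternalError`, since nothing else is imported), an `Error` that `catch ( Exception e )` handlers further up will not see; `IllegalStateException` would be a more conventional signal for an unknown `ProtectedItem` subtype.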

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,178 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.apache.directory.server.core.subtree.SubtreeEvaluator;
+import org.apache.directory.server.i18n.I18n;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.subtree.SubtreeSpecification;
+
+
+/**
+ * An {@link ACITupleFilter} that discards all tuples whose {@link UserClass}es
+ * are not related with the current user. (18.8.3.1, X.501)
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class RelatedUserClassFilter implements ACITupleFilter
+{
+    private final SubtreeEvaluator subtreeEvaluator;
+
+
+    public RelatedUserClassFilter(SubtreeEvaluator subtreeEvaluator)
+    {
+        this.subtreeEvaluator = subtreeEvaluator;
+    }
+
+
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( aciContext.getAciTuples().size() == 0 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator(); ii.hasNext(); )
+        {
+            ACITuple tuple = ii.next();
+            
+            if ( tuple.isGrant() )
+            {
+                if ( !isRelated( aciContext.getUserGroupNames(), 
+                                 aciContext.getUserDn(), 
+                                 userEntry, 
+                                 aciContext.getEntryDn(), 
+                                 tuple.getUserClasses() )
+                    || aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) < 0 )
+                {
+                    ii.remove();
+                }
+            }
+            else
+            // Denials
+            {
+                if ( !isRelated( aciContext.getUserGroupNames(), 
+                                 aciContext.getUserDn(), 
+                                 userEntry, 
+                                 aciContext.getEntryDn(), 
+                                 tuple.getUserClasses() )
+                    && aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) >= 0 )
+                {
+                    ii.remove();
+                }
+            }
+        }
+
+        return aciContext.getAciTuples();
+    }
+
+
+    private boolean isRelated( Collection<Dn> userGroupNames, Dn userName, Entry userEntry,
+        Dn entryName, Collection<UserClass> userClasses ) throws LdapException
+    {
+        for ( UserClass userClass : userClasses )
+        {
+            if ( userClass == UserClass.ALL_USERS )
+            {
+                return true;
+            }
+            else if ( userClass == UserClass.THIS_ENTRY )
+            {
+                if ( userName.equals( entryName ) )
+                {
+                    return true;
+                }
+            }
+            else if ( userClass == UserClass.PARENT_OF_ENTRY )
+            {
+                if ( entryName.isDescendantOf( userName ) )
+                {
+                    return true;
+                }
+            }
+            else if ( userClass instanceof UserClass.Name )
+            {
+                UserClass.Name nameUserClass = ( UserClass.Name ) userClass;
+                if ( nameUserClass.getNames().contains( userName ) )
+                {
+                    return true;
+                }
+            }
+            else if ( userClass instanceof UserClass.UserGroup )
+            {
+                UserClass.UserGroup userGroupUserClass = ( UserClass.UserGroup ) userClass;
+                
+                for ( Dn userGroupName : userGroupNames )
+                {
+                    Set<Dn> dns = userGroupUserClass.getNames();
+                    
+                    if ( userGroupName != null )
+                    {
+                        for ( Dn dn : dns )
+                        {
+                            if ( userGroupName.getNormName().equals( dn.getNormName() ) )
+                            {
+                                return true;
+                            }
+                        }
+                    }
+                }
+            }
+            else if ( userClass instanceof UserClass.Subtree )
+            {
+                UserClass.Subtree subtree = ( UserClass.Subtree ) userClass;
+                if ( matchUserClassSubtree( userName, userEntry, subtree ) )
+                {
+                    return true;
+                }
+            }
+            else
+            {
+                throw new InternalError( I18n.err( I18n.ERR_233, userClass.getClass().getName() ) );
+            }
+        }
+
+        return false;
+    }
+
+
+    private boolean matchUserClassSubtree( Dn userName, Entry userEntry, UserClass.Subtree subtree )
+        throws LdapException
+    {
+        for ( SubtreeSpecification subtreeSpec : subtree.getSubtreeSpecifications() )
+        {
+            if ( subtreeEvaluator.evaluate( subtreeSpec, Dn.ROOT_DSE, userName, userEntry ) )
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}
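Review bot: The `UserClass.Name` branch of `isRelated` decides membership with `nameUserClass.getNames().contains( userName )`, which relies on `Dn.equals`/`hashCode`, while the `UserClass.UserGroup` branch just below compares `getNormName()` strings. If either side can reach this filter un-normalized (the hunk does not show where the Dns come from), the two branches disagree on what counts as the same user, and for a denial tuple a missed match in `filter` means the denial is removed whenever the requestor's authentication level is at least the tuple's. I would make the name branch compare normalized names the same way, as sketched below, or add a comment stating that both Dns are guaranteed to be normalized before this point. Separately, `filter` removes tuples from `aciContext.getAciTuples()` in place, which is worth stating in its Javadoc because an unmodifiable collection would make `ii.remove()` throw.

```java
UserClass.Name nameUserClass = ( UserClass.Name ) userClass;

// Compare normalized names, as the UserGroup branch does, so both
// branches agree on Dn identity regardless of how the ACI was written.
for ( Dn name : nameUserClass.getNames() )
{
    if ( userName.getNormName().equals( name.getNormName() ) )
    {
        return true;
    }
}
// … unchanged: UserGroup and Subtree branches …
```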

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,105 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.Collection;
+import java.util.Iterator;
+
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
+import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.entry.Attribute;
+import org.apache.directory.shared.ldap.model.entry.Value;
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.schema.AttributeType;
+
+
+/**
+ * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
+ * {@link org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem} constraint if available. (18.8.3.3, X.501)
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class RestrictedByFilter implements ACITupleFilter
+{
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
+    {
+        if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        if ( aciContext.getAciTuples().size() == 0 )
+        {
+            return aciContext.getAciTuples();
+        }
+
+        for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator() ; ii.hasNext(); )
+        {
+            ACITuple tuple = ii.next();
+            
+            if ( !tuple.isGrant() )
+            {
+                continue;
+            }
+
+            if ( isRemovable( tuple, aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
+            {
+                ii.remove();
+            }
+        }
+
+        return aciContext.getAciTuples();
+    }
+
+
+    public boolean isRemovable( ACITuple tuple, AttributeType attributeType, Value<?> attrValue, Entry entry ) throws LdapException
+    {
+        for ( ProtectedItem item : tuple.getProtectedItems() )
+        {
+            if ( item instanceof RestrictedByItem )
+            {
+                RestrictedByItem rb = ( RestrictedByItem ) item;
+            
+                for ( Iterator<RestrictedByElem> k = rb.iterator(); k.hasNext(); )
+                {
+                    RestrictedByElem rbItem = k.next();
+                
+                    // TODO Fix DIRSEVER-832 
+                    if ( attributeType.equals( rbItem.getAttributeType() ) )
+                    {
+                        Attribute attr = entry.get( rbItem.getValuesIn() );
+                        
+                        // TODO Fix DIRSEVER-832
+                        if ( ( attr == null ) || !attr.contains( attrValue ) )
+                        {
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+}
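Review bot: In `isRemovable`, a granting tuple is dropped only when `attributeType.equals( rbItem.getAttributeType() )` holds, so any mismatch in how the two `AttributeType` objects compare leaves the restrictedBy constraint unevaluated and the grant in place. Both TODO markers in the loop sit on exactly these comparisons, which suggests the fail-open path is known but not explained; `MicroOperationFilter` in the same commit compares by `getOid()` instead. I would state the consequence at the check, e.g. `// a non-matching type skips the restriction and keeps the grant; compare by OID once the TODO is resolved`, and add a test with a tuple whose restricted type is given under a different name. `entry` comes from `aciContext.getEntry()` and is dereferenced at `entry.get( rbItem.getValuesIn() )` without a null check; if it can be null in this scope, a guard that treats the tuple as removable is needed.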

Added: directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/package-info.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/package-info.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/package-info.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/main/java/org/apache/directory/server/core/authz/support/package-info.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,31 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+
+/**
+ * <pre>
+ * <p>
+ * ACDF (Access Control Decision Function) and its support classes.
+ * </p>
+ * </pre>
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+
+package org.apache.directory.server.core.authz.support;

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyAttributeTypeRegistry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyAttributeTypeRegistry.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyAttributeTypeRegistry.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyAttributeTypeRegistry.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,167 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.schema.AttributeType;
+import org.apache.directory.shared.ldap.model.schema.LdapSyntax;
+import org.apache.directory.shared.ldap.model.schema.MatchingRule;
+import org.apache.directory.shared.ldap.model.schema.Normalizer;
+import org.apache.directory.shared.ldap.model.schema.SchemaObjectType;
+import org.apache.directory.shared.ldap.model.schema.normalizers.DeepTrimToLowerNormalizer;
+import org.apache.directory.shared.ldap.model.schema.normalizers.OidNormalizer;
+import org.apache.directory.shared.ldap.model.schema.registries.DefaultSchemaObjectRegistry;
+import org.apache.directory.shared.ldap.model.schema.registries.OidRegistry;
+import org.apache.directory.shared.ldap.model.schema.registries.SchemaObjectRegistry;
+
+
+/**
+ * A mock {@link org.apache.directory.shared.ldap.model.schema.registries.AttributeTypeRegistry} to test {@link ACITupleFilter} implementations.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ *
+ */
+public class DummyAttributeTypeRegistry extends DefaultSchemaObjectRegistry<AttributeType>
+{
+    private final boolean returnOperational;
+
+
+    public DummyAttributeTypeRegistry( boolean returnOperational )
+    {
+        super( SchemaObjectType.ATTRIBUTE_TYPE, new OidRegistry() );
+        this.returnOperational = returnOperational;
+    }
+
+
+    public AttributeType lookup( final String id ) throws LdapException
+    {
+        Normalizer normalizer = new DeepTrimToLowerNormalizer( "1.1.1" );
+
+        MatchingRule equality = new MatchingRule( "1.1.1" );
+        equality.setNormalizer( normalizer );
+
+        AttributeType attributeType = new AttributeType( id );
+        attributeType.setEquality( equality );
+        attributeType.setSingleValued( false );
+        attributeType.setCollective( false );
+        attributeType.setDescription( id );
+
+        if ( returnOperational )
+        {
+            attributeType.setUserModifiable( false );
+        }
+        else
+        {
+            LdapSyntax syntax = new LdapSyntax( "1.1.1" );
+            syntax.setHumanReadable( true );
+
+            attributeType.setSyntax( syntax );
+            attributeType.setUserModifiable( true );
+        }
+
+        return attributeType;
+    }
+
+
+    public String getSchemaName( String id ) throws LdapException
+    {
+        return "dummy";
+    }
+
+
+    public boolean contains( String id )
+    {
+        return true;
+    }
+
+
+    public Iterator<AttributeType> list()
+    {
+        return new ArrayList<AttributeType>().iterator();
+    }
+
+
+    public Map<String, OidNormalizer> getNormalizerMapping()
+    {
+        return null;
+    }
+
+
+    public Iterator<AttributeType> descendants( String ancestorId ) throws LdapException
+    {
+        return null;
+    }
+
+
+    public boolean hasDescendants( String ancestorId ) throws LdapException
+    {
+        return false;
+    }
+
+
+    public Iterator<AttributeType> iterator()
+    {
+        return null;
+    }
+
+
+    public AttributeType unregister( String numericOid ) throws LdapException
+    {
+        return null;
+    }
+
+
+    public void register( AttributeType attributeType ) throws LdapException
+    {
+    }
+
+
+    public Set<String> getBinaryAttributes() throws LdapException
+    {
+        return null;
+    }
+
+
+    public void unregisterDescendants( AttributeType attributeType, AttributeType ancestor ) throws LdapException
+    {
+    }
+
+
+    public void registerDescendants( AttributeType attributeType, AttributeType ancestor ) throws LdapException
+    {
+    }
+
+
+    public void addMappingFor( AttributeType attributeType ) throws LdapException
+    {
+    }
+
+
+    public SchemaObjectRegistry<AttributeType> copy()
+    {
+        return null;
+    }
+}
\ No newline at end of file
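Review bot: None of the methods in this mock carry `@Override`, so a signature change in `DefaultSchemaObjectRegistry` would silently turn them into unrelated overloads and the filter tests would start exercising the real registry behaviour without anyone noticing. `iterator()` and `descendants()` return `null` while `list()` returns an empty iterator, so a caller that iterates the mock fails with a NullPointerException instead of seeing nothing. I would add `@Override` to each method and return `new ArrayList<AttributeType>().iterator()` from the two iterator methods, as `list()` already does.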

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyOidRegistry.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyOidRegistry.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyOidRegistry.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/DummyOidRegistry.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,103 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.directory.shared.ldap.model.exception.LdapException;
+import org.apache.directory.shared.ldap.model.schema.registries.OidRegistry;
+import org.bouncycastle.util.Strings;
+
+
+/**
+ * A mock {@link OidRegistry} to test {@link ACITupleFilter} implementations.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ *
+ */
+class DummyOidRegistry extends OidRegistry
+{
+    public String getOid( String name ) throws LdapException
+    {
+        return Strings.toLowerCase( name );
+    }
+
+
+    public boolean hasOid( String id )
+    {
+        return true;
+    }
+
+
+    public String getPrimaryName( String oid ) throws LdapException
+    {
+        return oid;
+    }
+
+
+    public List<String> getNameSet( String oid ) throws LdapException
+    {
+        List<String> list = new ArrayList<String>();
+        list.add( oid );
+        return list;
+    }
+
+
+    public Iterator list()
+    {
+        // Not used
+        return new ArrayList().iterator();
+    }
+
+
+    public void register( String name, String oid )
+    {
+        // Not used
+    }
+
+
+    /**
+     * Get the map of all the oids by their name
+     * @return The Map that contains all the oids
+     */
+    public Map getOidByName()
+    {
+        return null;
+    }
+
+
+    /**
+     * Get the map of all the oids by their name
+     * @return The Map that contains all the oids
+     */
+    public Map getNameByOid()
+    {
+        return null;
+    }
+
+
+    public void unregister( String numericOid ) throws LdapException
+    {
+    }
+}
\ No newline at end of file
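Review bot: `getOid` lower-cases its argument through `org.bouncycastle.util.Strings`, which makes a test helper depend on a cryptography library for a single string call. Unless the ASCII-only behaviour of that helper is wanted here, `return name.toLowerCase( Locale.ROOT );` with `import java.util.Locale;` does the job with the JDK alone and keeps the module's dependency surface smaller. The raw `Iterator` and `Map` return types and the Javadoc on `getNameByOid`, which repeats the text of `getOidByName`, are worth correcting at the same time.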

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,113 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.mycila.junit.concurrent.Concurrency;
+import com.mycila.junit.concurrent.ConcurrentJunitRunner;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests {@link HighestPrecedenceFilter}.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ *
+ */
+@RunWith(ConcurrentJunitRunner.class)
+@Concurrency()
+public class HighestPrecedenceFilterTest
+{
+    private static final Collection<ProtectedItem> PI_EMPTY_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ProtectedItem>() );
+    private static final Collection<UserClass> UC_EMPTY_COLLECTION = Collections.unmodifiableCollection( new ArrayList<UserClass>() );
+    private static final Collection<ACITuple> AT_EMPTY_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ACITuple>() );
+    private static final Set<MicroOperation> MO_EMPTY_SET = Collections.unmodifiableSet( new HashSet<MicroOperation>() );
+
+
+    @Test
+    public void testZeroTuple() throws Exception
+    {
+        HighestPrecedenceFilter filter = new HighestPrecedenceFilter();
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( AT_EMPTY_COLLECTION );
+
+        assertEquals( 0, filter.filter( aciContext, null, null ).size() );
+    }
+
+
+    @Test
+    public void testOneTuple() throws Exception
+    {
+        HighestPrecedenceFilter filter = new HighestPrecedenceFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        
+        tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true, 10 ) );
+        tuples = Collections.unmodifiableCollection( tuples );
+        
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( tuples, filter.filter( aciContext, null, null ) );
+    }
+
+
+    @Test
+    public void testMoreThanOneTuples() throws Exception
+    {
+        final int MAX_PRECEDENCE = 10;
+        HighestPrecedenceFilter filter = new HighestPrecedenceFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        
+        tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
+            MAX_PRECEDENCE ) );
+        tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
+            MAX_PRECEDENCE / 2 ) );
+        tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
+            MAX_PRECEDENCE ) );
+        tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
+            MAX_PRECEDENCE / 3 ) );
+
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( tuples );
+
+        tuples = filter.filter( aciContext, null, null );
+
+        for ( ACITuple tuple:tuples )
+        {
+            assertNotNull( tuple.getPrecedence() );
+            assertEquals( MAX_PRECEDENCE, tuple.getPrecedence().intValue() );
+        }
+    }
+}
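Review bot: The loop at the end of `testMoreThanOneTuples` asserts only on the tuples that come back, so the test passes when the filter returns an empty collection or just one of the two highest-precedence tuples. For an access-control filter that is the regression most worth catching, since dropping every tuple changes the decision. Assuming the filter is meant to keep every tuple at the highest precedence, add `assertEquals( 2, tuples.size() );` before the loop.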

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,191 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.directory.server.core.api.MockOperation;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxImmSubItem;
+import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.schema.SchemaManager;
+import org.apache.directory.shared.ldap.schemamanager.impl.DefaultSchemaManager;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import com.mycila.junit.concurrent.Concurrency;
+import com.mycila.junit.concurrent.ConcurrentJunitRunner;
+
+
+/**
+ * Tests {@link MaxImmSubFilter}.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(ConcurrentJunitRunner.class)
+@Concurrency()
+public class MaxImmSubFilterTest
+{
+    private static final Collection<ACITuple> EMPTY_ACI_TUPLE_COLLECTION = Collections
+        .unmodifiableCollection( new ArrayList<ACITuple>() );
+    private static final Collection<UserClass> EMPTY_USER_CLASS_COLLECTION = Collections
+        .unmodifiableCollection( new ArrayList<UserClass>() );
+    private static final Collection<ProtectedItem> EMPTY_PROTECTED_ITEM_COLLECTION = Collections
+        .unmodifiableCollection( new ArrayList<ProtectedItem>() );
+
+    private static final Set<MicroOperation> EMPTY_MICRO_OPERATION_SET = Collections
+        .unmodifiableSet( new HashSet<MicroOperation>() );
+
+    private static final Dn ROOTDSE_NAME = Dn.ROOT_DSE;
+    private static Dn ENTRY_NAME;
+    private static Collection<ProtectedItem> PROTECTED_ITEMS = new ArrayList<ProtectedItem>();
+    private static Entry ENTRY;
+
+    /** A reference to the schemaManager */
+    private static SchemaManager schemaManager;
+
+
+    @BeforeClass
+    public static void setup() throws Exception
+    {
+        schemaManager = new DefaultSchemaManager();
+
+        ENTRY_NAME = new Dn( schemaManager, "ou=test, ou=system" );
+        PROTECTED_ITEMS.add( new MaxImmSubItem( 2 ) );
+        ENTRY = new DefaultEntry( schemaManager, ENTRY_NAME );
+    }
+
+
+    @Test
+    public void testWrongScope() throws Exception
+    {
+        MaxImmSubFilter filter = new MaxImmSubFilter( schemaManager );
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE,
+            EMPTY_PROTECTED_ITEM_COLLECTION, EMPTY_MICRO_OPERATION_SET, true, 0 ) );
+
+        tuples = Collections.unmodifiableCollection( tuples );
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE, null ) );
+
+        aciContext = new AciContext( schemaManager, null );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ) );
+    }
+
+
+    @Test
+    public void testRootDSE() throws Exception
+    {
+        MaxImmSubFilter filter = new MaxImmSubFilter( schemaManager );
+
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE,
+            EMPTY_PROTECTED_ITEM_COLLECTION, EMPTY_MICRO_OPERATION_SET, true, 0 ) );
+
+        tuples = Collections.unmodifiableCollection( tuples );
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setEntryDn( ROOTDSE_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ENTRY, null ) );
+    }
+
+
+    @Test
+    public void testZeroTuple() throws Exception
+    {
+        MaxImmSubFilter filter = new MaxImmSubFilter( schemaManager );
+
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( EMPTY_ACI_TUPLE_COLLECTION );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ENTRY, null ).size() );
+    }
+
+
+    @Test
+    public void testDenialTuple() throws Exception
+    {
+        MaxImmSubFilter filter = new MaxImmSubFilter( schemaManager );
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE, PROTECTED_ITEMS,
+            EMPTY_MICRO_OPERATION_SET, false, 0 ) );
+
+        tuples = Collections.unmodifiableCollection( tuples );
+
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ENTRY, null ) );
+    }
+
+
+    @Test
+    public void testGrantTuple() throws Exception
+    {
+        MaxImmSubFilter filter = new MaxImmSubFilter( schemaManager );
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE, PROTECTED_ITEMS,
+            EMPTY_MICRO_OPERATION_SET, true, 0 ) );
+
+        AciContext aciContext = new AciContext( schemaManager, new MockOperation( schemaManager, 1 ) );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( 1, filter.filter( aciContext, OperationScope.ENTRY, null ).size() );
+
+        aciContext = new AciContext( schemaManager, new MockOperation( schemaManager, 3 ) );
+        aciContext.setEntryDn( ENTRY_NAME );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ENTRY, null ).size() );
+    }
+}
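Review bot: `testGrantTuple` never exercises the limit itself: `PROTECTED_ITEMS` holds `new MaxImmSubItem( 2 )`, but the two contexts are built with `new MockOperation( schemaManager, 1 )` and `new MockOperation( schemaManager, 3 )`, so an off-by-one in how the filter compares the count with the limit would go unnoticed. For an access-control limit the boundary is the case worth pinning; add a third context built with `new MockOperation( schemaManager, 2 )` and assert the size the maxImmSub rule requires at exactly the limit. This assumes the second `MockOperation` argument is the number of subordinates the mock reports, which is not visible in this hunk. `MaxValueCountFilterTest.testGrantTuple` has the same gap (one and three `cn` values against a `MaxValueCountElem` limit of 2).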

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,190 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountElem;
+import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountItem;
+import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
+import org.apache.directory.shared.ldap.model.entry.Entry;
+import org.apache.directory.shared.ldap.model.name.Dn;
+import org.apache.directory.shared.ldap.model.schema.AttributeType;
+import org.apache.directory.shared.ldap.model.schema.SchemaManager;
+import org.apache.directory.shared.ldap.schemamanager.impl.DefaultSchemaManager;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import com.mycila.junit.concurrent.Concurrency;
+import com.mycila.junit.concurrent.ConcurrentJunitRunner;
+
+
+/**
+ * Tests {@link MaxValueCountFilter}.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(ConcurrentJunitRunner.class)
+@Concurrency()
+public class MaxValueCountFilterTest
+{
+    private static final Collection<ACITuple> EMPTY_ACI_TUPLE_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ACITuple>() );
+    private static final Collection<UserClass> EMPTY_USER_CLASS_COLLECTION = Collections.unmodifiableCollection( new ArrayList<UserClass>() );
+    private static final Collection<ProtectedItem> EMPTY_PROTECTED_ITEM_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ProtectedItem>() );
+
+    private static final Set<MicroOperation> EMPTY_MICRO_OPERATION_SET = Collections.unmodifiableSet( new HashSet<MicroOperation>() );
+
+    private static final Collection<ProtectedItem> PROTECTED_ITEMS = new ArrayList<ProtectedItem>();
+    private static Entry ENTRY;
+    private static Entry FULL_ENTRY;
+
+    /** The CN attribute Type */
+    private static AttributeType CN_AT;
+
+    /** A reference to the schemaManager */
+    private static SchemaManager schemaManager;
+
+    
+    @BeforeClass public static void init() throws Exception
+    {
+        schemaManager = new DefaultSchemaManager();
+
+        Dn entryName = new Dn( schemaManager, "ou=test, ou=system" );
+        ENTRY = new DefaultEntry( schemaManager, entryName );
+        FULL_ENTRY = new DefaultEntry( schemaManager, entryName );
+        
+        ENTRY.put( "cn", "1" );
+        FULL_ENTRY.put( "cn", "1", "2", "3" );
+
+        Set<MaxValueCountElem> mvcItems = new HashSet<MaxValueCountElem>();
+        AttributeType cn = schemaManager.lookupAttributeTypeRegistry( "cn" );
+        mvcItems.add( new MaxValueCountElem( cn, 2 ) );
+        PROTECTED_ITEMS.add( new MaxValueCountItem( mvcItems ) );
+        
+        CN_AT = schemaManager.lookupAttributeTypeRegistry( "cn" );
+    }
+    
+    
+    @Test 
+    public void testWrongScope() throws Exception
+    {
+        MaxValueCountFilter filter = new MaxValueCountFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE, EMPTY_PROTECTED_ITEM_COLLECTION,
+            EMPTY_MICRO_OPERATION_SET, true, 0 ) );
+
+        tuples = Collections.unmodifiableCollection( tuples );
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE, null ) );
+
+        aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ENTRY, null ) );
+    }
+
+
+    @Test 
+    public void testZeroTuple() throws Exception
+    {
+        MaxValueCountFilter filter = new MaxValueCountFilter();
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( EMPTY_ACI_TUPLE_COLLECTION );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ).size() ); 
+    }
+
+
+    @Test 
+    public void testDenialTuple() throws Exception
+    {
+        MaxValueCountFilter filter = new MaxValueCountFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE, PROTECTED_ITEMS, 
+            EMPTY_MICRO_OPERATION_SET, false, 0 ) );
+
+        tuples = Collections.unmodifiableCollection( tuples );
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+        aciContext.setAttributeType( CN_AT );
+        aciContext.setEntry( ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ) );
+
+        aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+        aciContext.setAttributeType( CN_AT );
+        aciContext.setEntry( FULL_ENTRY );
+
+        assertEquals( tuples, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE,null ) );
+    }
+
+
+    @Test 
+    public void testGrantTuple() throws Exception
+    {
+        MaxValueCountFilter filter = new MaxValueCountFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        
+        // Test with this ACI :
+        // 
+        tuples.add( new ACITuple( 
+            EMPTY_USER_CLASS_COLLECTION, 
+            AuthenticationLevel.NONE, 
+            PROTECTED_ITEMS, 
+            EMPTY_MICRO_OPERATION_SET, 
+            true, 
+            0 ) );
+
+        AciContext aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+        aciContext.setAttributeType( CN_AT );
+        aciContext.setEntry( ENTRY );
+        aciContext.setEntryView( ENTRY );
+
+        assertEquals( 1, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ).size() );
+
+        aciContext = new AciContext( schemaManager, null );
+        aciContext.setAciTuples( tuples );
+        aciContext.setAttributeType( CN_AT );
+        aciContext.setEntry( FULL_ENTRY );
+        aciContext.setEntryView( FULL_ENTRY );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ).size() );
+    }
+}
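Review bot: `testWrongScope` would presumably still pass if the filter ignored its scope argument, because the only tuple is built with `EMPTY_PROTECTED_ITEM_COLLECTION` and the context carries no entry or attribute type, leaving the filter nothing to act on in any scope. To make the test depend on the scope guard, build the tuple with `PROTECTED_ITEMS` and set up the context as the second half of `testGrantTuple` does, with `aciContext.setAttributeType( CN_AT );`, `aciContext.setEntry( FULL_ENTRY );` and `aciContext.setEntryView( FULL_ENTRY );`. The grant would then be dropped in `ATTRIBUTE_TYPE_AND_VALUE` scope, so its survival under `ATTRIBUTE_TYPE` and `ENTRY` shows the guard is doing the work. `MaxImmSubFilterTest.testWrongScope` has the same shape and could be tightened the same way with its own `PROTECTED_ITEMS`.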

Added: directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java?rev=1183441&view=auto
==============================================================================
--- directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java (added)
+++ directory/apacheds/trunk/interceptors/authz/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java Fri Oct 14 17:38:30 2011
@@ -0,0 +1,104 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.mycila.junit.concurrent.Concurrency;
+import com.mycila.junit.concurrent.ConcurrentJunitRunner;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.aci.ProtectedItem;
+import org.apache.directory.shared.ldap.aci.UserClass;
+import org.apache.directory.shared.ldap.model.constants.AuthenticationLevel;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Tests {@link MicroOperationFilter}.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith(ConcurrentJunitRunner.class)
+@Concurrency()
+public class MicroOperationFilterTest
+{
+    private static final Collection<ACITuple> EMPTY_ACI_TUPLE_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ACITuple>() );
+    private static final Collection<UserClass> EMPTY_USER_CLASS_COLLECTION = Collections.unmodifiableCollection( new ArrayList<UserClass>() );
+    private static final Collection<ProtectedItem> EMPTY_PROTECTED_ITEM_COLLECTION = Collections.unmodifiableCollection( new ArrayList<ProtectedItem>() );
+
+    private static final Set<MicroOperation> USER_OPERATIONS_A = new HashSet<MicroOperation>();
+    private static final Set<MicroOperation> USER_OPERATIONS_B = new HashSet<MicroOperation>();
+    private static final Set<MicroOperation> TUPLE_OPERATIONS = new HashSet<MicroOperation>();
+
+    static
+    {
+        USER_OPERATIONS_A.add( MicroOperation.ADD );
+        USER_OPERATIONS_A.add( MicroOperation.BROWSE );
+        USER_OPERATIONS_B.add( MicroOperation.COMPARE );
+        USER_OPERATIONS_B.add( MicroOperation.DISCLOSE_ON_ERROR );
+        TUPLE_OPERATIONS.add( MicroOperation.ADD );
+        TUPLE_OPERATIONS.add( MicroOperation.BROWSE );
+        TUPLE_OPERATIONS.add( MicroOperation.EXPORT );
+    }
+
+
+    @Test
+    public void testZeroTuple() throws Exception
+    {
+        MicroOperationFilter filter = new MicroOperationFilter();
+
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( EMPTY_ACI_TUPLE_COLLECTION );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null ).size() );
+    }
+
+
+    @Test
+    public void testOneTuple() throws Exception
+    {
+        MicroOperationFilter filter = new MicroOperationFilter();
+        Collection<ACITuple> tuples = new ArrayList<ACITuple>();
+        
+        tuples.add( new ACITuple( EMPTY_USER_CLASS_COLLECTION, AuthenticationLevel.NONE, EMPTY_PROTECTED_ITEM_COLLECTION,
+            TUPLE_OPERATIONS, true, 0 ) );
+
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setMicroOperations( USER_OPERATIONS_A );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( 1, filter.filter( aciContext, OperationScope.ENTRY, null ).size() );
+
+        aciContext = new AciContext( null, null );
+        aciContext.setMicroOperations( USER_OPERATIONS_B );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( 0, filter.filter( aciContext, OperationScope.ENTRY, null ).size() );
+    }
+}
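Review bot: `testOneTuple` covers only the two extremes, so it does not fix whether a tuple is kept when some but not all of the requested micro-operations are granted: `USER_OPERATIONS_A` is a subset of `TUPLE_OPERATIONS` and `USER_OPERATIONS_B` is disjoint from it. The partial-overlap case is the one where an any-versus-all mistake in the filter would change an authorization decision. Add a third set holding, for example, `MicroOperation.ADD` and `MicroOperation.COMPARE`, pass it through `aciContext.setMicroOperations( ... )`, and assert the size the filter's contract calls for. A denial tuple (`false` as the grant flag) is not exercised in this class either.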


