Posted to commits@directory.apache.org by ak...@apache.org on 2006/02/07 08:05:54 UTC
svn commit: r375522 - in /directory/trunks:
apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/
apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/
apacheds/core-unit/src/test/java/org/apache/ldap/server/core/schema/
apacheds/core-...
Author: akarasulu
Date: Mon Feb 6 23:05:51 2006
New Revision: 375522
URL: http://svn.apache.org/viewcvs?rev=375522&view=rev
Log:
Merging from private branch for RC1 fixes:
o fixes for DIREVE-328
o test cases to try to reproduce DIREVE-308
Added:
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/normalization/
- copied from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/normalization/
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/normalization/NormalizationServiceTest.java (props changed)
- copied unchanged from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/normalization/NormalizationServiceTest.java
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/schema/
- copied from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/schema/
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/schema/SchemaServiceTest.java (props changed)
- copied unchanged from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/java/org/apache/ldap/server/schema/SchemaServiceTest.java
directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/normalization/
- copied from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/resources/org/apache/ldap/server/normalization/
directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/normalization/testDireve308Example.ldif (props changed)
- copied unchanged from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/resources/org/apache/ldap/server/normalization/testDireve308Example.ldif
directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/schema/
- copied from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/resources/org/apache/ldap/server/schema/
directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/schema/nonspecific.ldif (props changed)
- copied unchanged from r375521, directory/sandbox/akarasulu/rc1refactor/apacheds/core-unit/src/test/resources/org/apache/ldap/server/schema/nonspecific.ldif
Removed:
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/core/schema/
directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/core/schema/
Modified:
directory/trunks/apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/AbstractTestCase.java
directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java (contents, props changed)
Modified: directory/trunks/apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/AbstractTestCase.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/AbstractTestCase.java?rev=375522&r1=375521&r2=375522&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/AbstractTestCase.java (original)
+++ directory/trunks/apacheds/core-unit/src/main/java/org/apache/ldap/server/unit/AbstractTestCase.java Mon Feb 6 23:05:51 2006
@@ -104,6 +104,7 @@
this.username = username;
this.password = password;
}
+
/**
* Sets the LDIF path as a relative resource path to use with the
@@ -115,7 +116,6 @@
protected void setLdifPath( String ldifPath, Class loadClass )
{
this.loadClass = loadClass;
-
this.ldifPath = ldifPath;
}
@@ -147,9 +147,7 @@
// -------------------------------------------------------------------
Attributes attributes = new LockableAttributesImpl();
-
LdifParserImpl parser = new LdifParserImpl();
-
try
{
parser.parse( attributes, LDIF );
@@ -158,7 +156,6 @@
{
throw new NestableRuntimeException( e );
}
-
testEntries.add( attributes );
// -------------------------------------------------------------------
@@ -166,11 +163,13 @@
// -------------------------------------------------------------------
InputStream in = null;
-
- if ( loadClass == null && ldifPath != null )
+ if ( loadClass != null && ldifPath == null )
+ {
+ in = loadClass.getResourceAsStream( getName() + ".ldif" );
+ }
+ else if ( loadClass == null && ldifPath != null )
{
File ldifFile = new File( ldifPath );
-
if ( ldifFile.exists() )
{
in = new FileInputStream( ldifPath );
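Review bot: The new branch `in = loadClass.getResourceAsStream( getName() + ".ldif" )` leaves `in` null when the resource is missing, and the loader further down only runs `if ( in != null )`, so a test whose fixture is misnamed silently runs against an empty entry set instead of failing, whereas the file-path branch throws FileNotFoundException. I would add `if ( in == null ) { throw new FileNotFoundException( loadClass.getName() + ": " + getName() + ".ldif" ); }` directly after the lookup (`getName()` is presumably the JUnit test name). Separately, in the file-path branch the `throw new FileNotFoundException( ldifPath )` a few lines below reads as unconditional after the `else` block in this rendering, which drops indentation, and would make that branch fail even when the file was opened; worth confirming an `if ( in == null )` guard exists there. The enclosing setUp-style method starts before this hunk.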
@@ -179,7 +178,6 @@
{
in = getClass().getResourceAsStream( ldifPath );
}
-
throw new FileNotFoundException( ldifPath );
}
else if ( loadClass != null && ldifPath != null )
@@ -190,15 +188,11 @@
if ( in != null )
{
LdifIterator list = new LdifIterator( in );
-
while ( list.hasNext() )
{
String ldif = ( String ) list.next();
-
attributes = new LockableAttributesImpl();
-
parser.parse( attributes, ldif );
-
testEntries.add( attributes );
}
}
@@ -319,21 +313,19 @@
env.put( Context.SECURITY_AUTHENTICATION, "simple" );
try { new InitialContext( env ); } catch( Exception e ) {}
-
sysRoot = null;
-
Runtime.getRuntime().gc();
-
testEntries.clear();
-
ldifPath = null;
-
loadClass = null;
-
overrides.clear();
-
configuration = new MutableStartupConfiguration();
-
doDelete( configuration.getWorkingDirectory() );
+ }
+
+
+ protected void setLoadClass( Class loadClass )
+ {
+ this.loadClass = loadClass;
}
}
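Review bot: The added `setLoadClass` has no Javadoc, while its sibling `setLdifPath` earlier in this file documents its contract; since setting `loadClass` alone now changes which LDIF is loaded (the classpath resource named after the test, via `getName() + ".ldif"`), that should be stated where callers look. I would add `/** Sets the class whose classpath resource <testName>.ldif is loaded as test entries when no ldifPath is set. */` above the method. Note that tearDown resets `loadClass = null`, so a subclass must call this per test rather than once in a constructor; that is worth a sentence in the same comment.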
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java?rev=375522&r1=375521&r2=375522&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/authz/SearchAuthorizationTest.java Mon Feb 6 23:05:51 2006
@@ -384,6 +384,36 @@
/**
+ * Checks to make sure name based userClass works for search operations
+ * when we vary the case of the DN.
+ *
+ * @throws javax.naming.NamingException if the test encounters an error
+ */
+ public void testGrantSearchByNameUserDnCase() throws NamingException
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
+
+ // now add a subentry that enables user billyd to add an entry below ou=system
+ createAccessControlSubentry( "billydSearch", "{ " +
+ "identificationTag \"searchAci\", " +
+ "precedence 14, " +
+ "authenticationLevel none, " +
+ "itemOrUserFirst userFirst: { " +
+ "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ "userPermissions { { " +
+ "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+ // should work now that billyd is authorized by name
+ assertTrue( checkCanSearchAs( "BillyD", "billyd" ) );
+ }
+
+
+ /**
* Checks to make sure subtree based userClass works for search operations.
*
* @throws javax.naming.NamingException if the test encounters an error
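Review bot: The two comments inside the new test were copied from an add-permission test and no longer describe it: `// try an add operation which should fail without any ACI` precedes a search check, and `// now add a subentry that enables user billyd to add an entry below ou=system` precedes a grant of read/returnDN/browse. I would change them to `// search as BillyD (mixed-case uid) must fail without any ACI` and `// grant search rights to billyd by name, using the lower-case DN in the ACI`. The test only varies the case of the bind name; as far as the log message suggests the fix is about DN case, a second assertion with mixed case in the ACI's name userClass (e.g. `uid=BillyD,ou=users,ou=system`) and a lower-case bind would cover the other direction.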
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/normalization/NormalizationServiceTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/ldap/server/schema/SchemaServiceTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/normalization/testDireve308Example.ldif
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: directory/trunks/apacheds/core-unit/src/test/resources/org/apache/ldap/server/schema/nonspecific.ldif
------------------------------------------------------------------------------
svn:eol-style = native
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=375522&r1=375521&r2=375522&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java Mon Feb 6 23:05:51 2006
@@ -330,7 +330,8 @@
{
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
if ( ! enabled )
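Review bot: `dnParser.parse( principal.getName() )` now runs before the `! enabled` bypass, so a principal name the parser rejects makes the add fail with a NamingException even when authorization is switched off, and the parse is paid on every operation regardless. I would move the parse below the enabled check, or better, have the principal expose its normalized Name once so each interceptor method in this file does not re-parse the same string. Whether `LdapPrincipal.getName()` can ever hold something the parser rejects (the anonymous principal, for instance) is not visible here; if it can, the same concern applies to every method changed in this commit.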
@@ -340,7 +341,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.add( upName, normName, entry );
tupleCache.subentryAdded( upName, normName, entry );
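Review bot: The admin bypass compares `userName.toString()` case-insensitively with the literal `DirectoryPartitionNexus.ADMIN_PRINCIPAL`, which only works if the string form the parser produces for a Name differs from that constant by nothing but case (no spacing or escaping differences); how `dnParser` renders a Name is not visible here. Comparing Names would make the rule explicit: parse the constant once into a `private static final Name ADMIN_NAME` and test `userName.equals( ADMIN_NAME )`, assuming the Name implementation's equals compares normalized components. Since this check gates a full authorization bypass, I would also add a unit test that binds as the admin with a differently-cased DN and verifies the bypass path is taken.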
@@ -358,7 +359,7 @@
}
// Assemble all the information required to make an access control decision
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
// Build the total collection of tuples to be considered for add rights
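Review bot: The group lookup key changes from the raw principal name to `userName.toString()`, the string form of the parsed DN; this is only correct if `groupCache` stores member DNs in that same form, which is not visible in this diff. If the cache is keyed on the raw values of the group entries' member attributes, a user whose DN is spelled differently in the group than in its parsed form now gets an empty group set — grants by group silently disappear and, more importantly, denials scoped to a group no longer apply to that user. I would add a test that binds with a mixed-case DN and relies on a userGroup-based ACI, and record the invariant on this line: `// key must match GroupCache's normalized member DN form`.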
@@ -368,7 +369,7 @@
// check if entry scope permission is granted
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
normName, null, null, ADD_PERMS, tuples, subentryAttrs );
// now we must check if attribute type and value scope permission is granted
@@ -378,8 +379,8 @@
Attribute attr = ( Attribute ) attributeList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, user.getJndiName(),
- user.getAuthenticationLevel(), normName, attr.getID(),
+ engine.checkPermission( proxy, userGroups, userName,
+ principal.getAuthenticationLevel(), normName, attr.getID(),
attr.get( ii ), ADD_PERMS, tuples, entry );
}
}
@@ -400,7 +401,8 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
if ( ! enabled )
@@ -410,7 +412,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.delete( name );
tupleCache.subentryDeleted( name, entry );
@@ -418,13 +420,13 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, REMOVE_PERMS, tuples, entry );
next.delete( name );
@@ -439,7 +441,8 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
if ( ! enabled )
@@ -449,7 +452,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.modify( name, modOp, mods );
tupleCache.subentryModified( name, modOp, mods, entry );
@@ -457,13 +460,13 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
NamingEnumeration attrList = mods.getAll();
@@ -486,7 +489,7 @@
Attribute attr = ( Attribute ) attrList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, attr.getID(), attr.get( ii ), perms, tuples, entry );
}
}
@@ -503,7 +506,8 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
if ( ! enabled )
@@ -513,7 +517,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.modify( name, mods );
tupleCache.subentryModified( name, mods, entry );
@@ -521,13 +525,13 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
Collection perms = null;
@@ -549,7 +553,7 @@
Attribute attr = mods[ii].getAttribute();
for ( int jj = 0; jj < attr.size(); jj++ )
{
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
name, attr.getID(), attr.get( jj ), perms, tuples, entry );
}
}
@@ -565,22 +569,23 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled
|| name.toString().trim().equals( "" ) ) // no checks on the rootdse
{
return next.hasEntry( name );
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
// check that we have browse access to the entry
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, BROWSE_PERMS, tuples, entry );
return next.hasEntry( name );
@@ -602,7 +607,7 @@
* @param entry the raw entry pulled from the nexus
* @throws NamingException
*/
- private void checkLookupAccess( LdapPrincipal user, Name dn, Attributes entry )
+ private void checkLookupAccess( LdapPrincipal principal, Name dn, Attributes entry )
throws NamingException
{
// no permissions checks on the RootDSE
@@ -612,14 +617,15 @@
}
DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
- Set userGroups = groupCache.getGroups( user.getName() );
+ Name userName = dnParser.parse( principal.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, dn, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, dn, entry );
// check that we have read access to the entry
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null,
null, LOOKUP_PERMS, tuples, entry );
// check that we have read access to every attribute type and value
@@ -629,7 +635,7 @@
Attribute attr = ( Attribute ) attributeList.next();
for ( int ii = 0; ii < attr.size(); ii++ )
{
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn,
attr.getID(), attr.get( ii ), READ_PERMS, tuples, entry );
}
}
@@ -641,15 +647,14 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( dn, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ if ( principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
return next.lookup( dn, attrIds );
}
- checkLookupAccess( user, dn, entry );
-
+ checkLookupAccess( principal, dn, entry );
return next.lookup( dn, attrIds );
}
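Review bot: The admin bypass in this lookup still compares the raw `principal.getName()` (`principal.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL )`), whereas every other method touched by this commit compares the parsed `userName.toString()`; a principal name that matches only after parsing would be treated as admin for add/delete/modify but not for lookup, which is an inconsistent security boundary. I would parse once as elsewhere: `Name userName = dnParser.parse( principal.getName() );` before the check and `if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )`. `checkLookupAccess` re-parses the principal internally, so the other lookup overload a few lines below (outside this hunk) is covered for the non-admin path, but its admin check should get the same treatment.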
@@ -667,7 +672,6 @@
}
checkLookupAccess( user, name, entry );
-
return next.lookup( name );
}
@@ -678,7 +682,8 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
Name newName = ( Name ) name.clone();
newName.remove( name.size() - 1 );
newName.add( dnParser.parse( newRn ).get( 0 ) );
@@ -692,7 +697,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.modifyRn( name, newRn, deleteOldRn );
tupleCache.subentryRenamed( name, newName );
@@ -702,13 +707,13 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, RENAME_PERMS, tuples, entry );
// if ( deleteOldRn )
@@ -751,7 +756,8 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
Name newName = ( Name ) newParentName.clone();
newName.add( newRn );
@@ -763,7 +769,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.move( oriChildName, newParentName, newRn, deleteOldRn );
tupleCache.subentryRenamed( oriChildName, newName );
@@ -771,20 +777,20 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null, null, MOVERENAME_PERMS, tuples, entry );
Collection destTuples = new HashSet();
addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null, null, IMPORT_PERMS, tuples, entry );
// if ( deleteOldRn )
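Review bot: `destTuples` is assembled but never used — the IMPORT check on the last `engine.checkPermission` call still passes `tuples` and `oriChildName`, and `destTuples` itself is collected from `oriChildName`/`entry` rather than from the destination, so import permission is evaluated against the source entry's ACI context and the prescriptive ACIs governing the new parent are never consulted. This is pre-existing, but the commit rewrites both calls and keeps the mistake: a user who may export from the source can move an entry into a subtree they may not import into. I would collect the destination tuples against `newName` (looking up `newParentName` with `LOOKUP_BYPASS` for the subentry and prescriptive ACI context, since the entry does not yet exist at `newName`) and pass `newName` and `destTuples` into the IMPORT check. The enclosing move method continues past this hunk.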
@@ -828,7 +834,8 @@
Attributes entry = proxy.lookup( oriChildName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
Name newName = ( Name ) newParentName.clone();
newName.add( oriChildName.get( oriChildName.size() - 1 ) );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
// bypass authz code if we are disabled
if ( ! enabled )
@@ -838,7 +845,7 @@
}
// bypass authz code but manage caches if operation is performed by the admin
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) )
{
next.move( oriChildName, newParentName );
tupleCache.subentryRenamed( oriChildName, newName );
@@ -846,20 +853,20 @@
return;
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null, null, EXPORT_PERMS, tuples, entry );
Collection destTuples = new HashSet();
addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
addEntryAciTuples( destTuples, entry );
addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(),
oriChildName, null, null, IMPORT_PERMS, tuples, entry );
next.move( oriChildName, newParentName );
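Review bot: In this move variant `destTuples` is built from `oriChildName` and then discarded — the IMPORT check passes `tuples` and `oriChildName` — so the destination under `newParentName` is never authorization-checked for import, only the source for export. The commit rewrites both checkPermission calls here without fixing that, and `newName` is computed above precisely for the destination. I would evaluate the IMPORT permission against the destination with tuples collected from the new parent's ACI context, e.g. `engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null, null, IMPORT_PERMS, destTuples, entry );` once `destTuples` is collected for `newName` rather than `oriChildName`.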
@@ -911,21 +918,23 @@
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
Attributes entry = proxy.lookup( name, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
+
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
return next.compare( name, oid, value );
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, null,
null, READ_PERMS, tuples, entry );
- engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, oid,
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), name, oid,
value, COMPARE_PERMS, tuples, entry );
return next.compare( name, oid, value );
@@ -937,8 +946,9 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
DirectoryPartitionNexusProxy proxy = invocation.getProxy();
- LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
- if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+ Name userName = dnParser.parse( principal.getName() );
+ if ( userName.toString().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
{
return next.getMatchedName( dn, normalized );
}
@@ -961,14 +971,14 @@
entry = proxy.lookup( matched, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
}
- Set userGroups = groupCache.getGroups( user.getName() );
+ Set userGroups = groupCache.getGroups( userName.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( proxy, tuples, matched, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, matched, entry );
- if ( engine.hasPermission( proxy, userGroups, user.getJndiName(),
- user.getAuthenticationLevel(), matched, null, null,
+ if ( engine.hasPermission( proxy, userGroups, userName,
+ principal.getAuthenticationLevel(), matched, null, null,
MATCHEDNAME_PERMS, tuples, entry ) )
{
return matched;
@@ -996,7 +1006,7 @@
*/
Attributes entry = invocation.getProxy().lookup( normName, DirectoryPartitionNexusProxy.LOOKUP_BYPASS );
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
- Name userDn = ctx.getPrincipal().getJndiName();
+ Name userDn = dnParser.parse( ctx.getPrincipal().getName() );
Set userGroups = groupCache.getGroups( userDn.toString() );
Collection tuples = new HashSet();
addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java?rev=375522&r1=375521&r2=375522&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java Mon Feb 6 23:05:51 2006
@@ -43,7 +43,7 @@
*/
public class RelatedUserClassFilter implements ACITupleFilter
{
- private static final LdapName ROOTDSE_NAME = new LdapName();
+ private static final LdapName ROOTDSE_NAME = LdapName.EMPTY_LDAP_NAME;
private final SubtreeEvaluator subtreeEvaluator;
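Review bot: `ROOTDSE_NAME` now aliases the shared `LdapName.EMPTY_LDAP_NAME` instead of a private instance; if `LdapName` is mutable like any `javax.naming.Name` (add/remove), any code that mutates the shared constant changes what the rootDSE compares equal to in this filter, so the swap is only safe if `EMPTY_LDAP_NAME` is immutable or every user clones before modifying. A one-line comment recording that assumption would help: `// shared instance; must never be mutated (Name is a mutable interface)`. I cannot see LdapName's definition here, so whether the constant is guarded is not verifiable from the diff.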
Modified: directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java?rev=375522&r1=375521&r2=375522&view=diff
==============================================================================
--- directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java (original)
+++ directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java Mon Feb 6 23:05:51 2006
@@ -25,6 +25,7 @@
import junit.framework.TestCase;
import org.apache.ldap.common.schema.DnNormalizer;
+import org.apache.ldap.common.schema.Normalizer;
/**
@@ -318,6 +319,25 @@
assertEquals( cn, result.toString() );
+ }
+
+ public void testDireve308Example() throws Exception
+ {
+ // seems to work without normalizers
+ String dn = "ou=Corporate Category\\, Operations,ou=direct report view";
+ DnParser parser = new DnParser();
+ String result = parser.parse( dn ).toString();
+ assertEquals( dn, result );
+
+ // now we try with normalization: simple as is normalizer
+ parser = new DnParser( new SimpleNameComponentNormalizer( new Normalizer() {
+ public Object normalize( Object value ) throws NamingException
+ {
+ return ( ( String ) value ).toLowerCase();
+ }
+ } ) );
+ result = parser.parse( dn ).toString();
+ assertEquals( dn.toLowerCase(), result.toString() );
}
} // end class DnParserTest
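Review bot: `assertEquals( dn.toLowerCase(), result.toString() )` calls `toString()` on a String, and the comment `// seems to work without normalizers` does not say what the test checks — that the escaped comma in `Corporate Category\, Operations` is not treated as an RDN separator; the round-trip assertion alone would also pass if the value were split into three components and re-escaped identically. I would replace the comment with `// DIREVE-308: an escaped comma inside a value must not split the RDN` and pin the component count with `assertEquals( 2, parser.parse( dn ).size() );`, assuming `parse` returns a `Name`, and drop the redundant `.toString()`. The second half should likewise say it exercises the normalizer path that the bug report hits, rather than "simple as is normalizer".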
Propchange: directory/trunks/common/ldap/src/test/java/org/apache/ldap/common/name/DnParserTest.java
------------------------------------------------------------------------------
svn:eol-style = native