Posted to commits@directory.apache.org by er...@apache.org on 2008/07/31 23:00:50 UTC
svn commit: r681489 - in /directory:
apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/
apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/
apacheds/branches/bigbang/core/...
Author: ersiner
Date: Thu Jul 31 14:00:49 2008
New Revision: 681489
URL: http://svn.apache.org/viewvc?rev=681489&view=rev
Log:
Fix for DIRSERVER-1204.
We can now control access to subordinate entries of a user's own entry.
Modified:
directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g
directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g
directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java
Modified: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java (original)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java Thu Jul 31 14:00:49 2008
@@ -384,4 +384,11 @@
Attributes changes = new AttributesImpl( "prescriptiveACI", aciItem );
adminCtx.modifyAttributes( "cn=" + cn, DirContext.REPLACE_ATTRIBUTE, changes );
}
+
+ public static void addPrescriptiveACI( String cn, String aciItem ) throws Exception
+ {
+ DirContext adminCtx = getContextAsAdmin();
+ Attributes changes = new AttributesImpl( "prescriptiveACI", aciItem );
+ adminCtx.modifyAttributes( "cn=" + cn, DirContext.ADD_ATTRIBUTE, changes );
+ }
}
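Review bot: `addPrescriptiveACI` carries no Javadoc and is a copy of the method directly above it, differing only in `DirContext.ADD_ATTRIBUTE` versus `REPLACE_ATTRIBUTE`, so a reader cannot tell from the signature that it appends a further ACI item to a subentry that already carries one instead of overwriting it. Suggested header: `/** Adds another prescriptiveACI value to the subentry {@code cn=<cn>} using the admin context, keeping any ACI items already present; the REPLACE variant above overwrites them. */`. Both methods could delegate to one private helper that takes the modification operation as an argument, which keeps the two from drifting apart.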
Modified: directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/branches/bigbang/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Thu Jul 31 14:00:49 2008
@@ -20,30 +20,24 @@
package org.apache.directory.server.core.authz;
-import org.apache.directory.server.core.DirectoryService;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.addEntryACI;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.addPrescriptiveACI;
import static org.apache.directory.server.core.authz.AutzIntegUtils.addSubentryACI;
-import org.apache.directory.server.core.integ.CiRunner;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
import static org.apache.directory.server.core.integ.IntegrationUtils.getSystemContext;
-import org.apache.directory.server.core.integ.annotations.Factory;
-import org.apache.directory.shared.ldap.exception.LdapNameNotFoundException;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.message.AttributeImpl;
-import org.apache.directory.shared.ldap.message.AttributesImpl;
-import org.apache.directory.shared.ldap.name.LdapDN;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
-import org.junit.Test;
-import org.junit.runner.RunWith;
+
+import java.util.HashMap;
+import java.util.Map;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
@@ -54,8 +48,17 @@
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
-import java.util.HashMap;
-import java.util.Map;
+
+import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.integ.CiRunner;
+import org.apache.directory.server.core.integ.annotations.Factory;
+import org.apache.directory.shared.ldap.exception.LdapNameNotFoundException;
+import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.message.AttributeImpl;
+import org.apache.directory.shared.ldap.message.AttributesImpl;
+import org.apache.directory.shared.ldap.name.LdapDN;
+import org.junit.Test;
+import org.junit.runner.RunWith;
/**
@@ -883,4 +886,38 @@
assertEquals( matched.toString(), "ou=groups,ou=system" );
}
}
+
+ @Test
+ public void testUserClassParentOfEntry() throws Exception
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // create an entry subordinate to the user
+ DirContext billydCtx = AutzIntegUtils.getContextAsAdmin("uid=billyd,ou=users,ou=system");
+ Attributes phoneBook = new AttributesImpl( "ou", "phoneBook", true );
+ Attribute objectClass = new AttributeImpl( "objectClass" );
+ phoneBook.put( objectClass );
+ objectClass.add( "top" );
+ objectClass.add( "organizationalUnit" );
+ billydCtx.createSubcontext( "ou=phoneBook", phoneBook );
+
+ // now add a subentry that enables anyone to search below their own entries
+ createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+
+ // check and see if we can access the subentry now
+ assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapDN( "ou=phoneBook,uid=billyd,ou=users" ) ) );
+
+ // now add a denial to prevent all users except the admin from accessing the subentry
+ addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, " + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, " + "userPermissions { { "
+ + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+
+ // now we should not be able to access the subentry with a search
+ assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new LdapDN( "ou=phoneBook,uid=billyd,ou=users" ) ) );
+ }
}
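Review bot: The test only checks that the parent user `billyd` is denied once the `parentOfEntry` deny is added (the final `assertNull`), never that a user who is not the parent keeps the `allUsers` grant, so an implementation of PARENT_OF_ENTRY that matched every user would still pass. Create a second user (a constructed name such as `"bob"`) and, after `addPrescriptiveACI`, assert `assertNotNull( checkCanSearhSubentryAs( "bob", "bob", new LdapDN( "ou=phoneBook,uid=billyd,ou=users" ) ) );`, assuming the helper's uid/password/DN contract is what the existing calls suggest. The comment before the deny also overstates the rule — the ACI denies only the parent of the entry, not "all users except the admin" — and `billydCtx` actually holds an admin context bound at billyd's entry, so `// deny the parent (billyd) read/browse on its own subordinates` and a name like `adminCtxAtBillyd` would describe what the code does.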
Modified: directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java (original)
+++ directory/apacheds/branches/bigbang/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java Thu Jul 31 14:00:49 2008
@@ -26,6 +26,7 @@
import javax.naming.NamingException;
import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.subtree.SubtreeEvaluator;
import org.apache.directory.server.schema.registries.Registries;
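Review bot: The import added here (`ServerEntryUtils`) and the two added in the next hunk (`AttributeUtils`, `DNUtils`) are not referenced by the only code change in this file, the new `PARENT_OF_ENTRY` branch, which uses just `LdapDN.startsWith`. Unless code outside the hunks uses them, they are unused imports and should be dropped so the filter does not acquire dependencies it does not need.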
@@ -36,6 +37,8 @@
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
+import org.apache.directory.shared.ldap.util.DNUtils;
/**
@@ -131,6 +134,13 @@
return true;
}
}
+ else if ( userClass == UserClass.PARENT_OF_ENTRY )
+ {
+ if ( entryName.startsWith( userName ) )
+ {
+ return true;
+ }
+ }
else if ( userClass instanceof UserClass.Name )
{
UserClass.Name nameUserClass = ( UserClass.Name ) userClass;
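Review bot: `entryName.startsWith( userName )` is also true when the two DNs are equal, so `PARENT_OF_ENTRY` matches the user's own entry as well as its subordinates and overlaps with `THIS_ENTRY`; if only strict subordinates are meant, change the check to `if ( userName != null && entryName.size() > userName.size() && entryName.startsWith( userName ) )`. The null guard matters if an anonymous principal can reach this branch (the integration test uses `authenticationLevel none`); how the neighbouring branches treat a null `userName` is outside the hunk, as are the start and end of the enclosing method. A comment stating which reading is intended, e.g. `// the user's entry is an ancestor of the accessed entry (any depth; the entry itself included)`, would keep the filter, its test and the ACI documentation aligned.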
Modified: directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java (original)
+++ directory/apacheds/branches/bigbang/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java Thu Jul 31 14:00:49 2008
@@ -109,6 +109,17 @@
Assert.assertEquals( 0, filter.filter( null, tuples, OperationScope.ENTRY, null, null, USER_NAME, null,
AuthenticationLevel.NONE, new LdapDN( "ou=unrelated" ), null, null, null, null, null ).size() );
}
+
+
+ public void testParentOfEntry() throws Exception
+ {
+ Collection<ACITuple> tuples = getTuples( UserClass.PARENT_OF_ENTRY );
+
+ Assert.assertEquals( 1, filter.filter( null, tuples, OperationScope.ENTRY, null, null, USER_NAME, null,
+ AuthenticationLevel.NONE, new LdapDN( "ou=phoneBook, ou=test, ou=users, ou=system" ), null, null, null, null, null ).size() );
+ Assert.assertEquals( 0, filter.filter( null, tuples, OperationScope.ENTRY, null, null, USER_NAME, null,
+ AuthenticationLevel.NONE, new LdapDN( "ou=unrelated" ), null, null, null, null, null ).size() );
+ }
public void testName() throws Exception
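Review bot: `testParentOfEntry` pins an ancestor match and an unrelated DN but not the boundary case where the accessed entry is the user's own entry, which `LdapDN.startsWith` also accepts; add an assertion on `new LdapDN( USER_NAME )` with the intended tuple count so a later move to strict-subordinate semantics is caught rather than silent. `USER_NAME` is defined outside the hunk; the DN used here suggests it is an ancestor of `ou=phoneBook, ou=test, ou=users, ou=system`, but that should be confirmed against the constant.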
Modified: directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g (original)
+++ directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItem.g Thu Jul 31 14:00:49 2008
@@ -852,7 +852,8 @@
}
:
allUsers
- | thisEntry
+ | thisEntry
+ | parentOfEntry
| name
| userGroup
| subtree
@@ -880,6 +881,17 @@
}
;
+parentOfEntry
+{
+ log.debug( "entered parentOfEntry()" );
+}
+ :
+ ID_parentOfEntry
+ {
+ userClassesMap.put( "parentOfEntry", UserClass.PARENT_OF_ENTRY );
+ }
+ ;
+
name
{
log.debug( "entered name()" );
@@ -1369,6 +1381,7 @@
ID_userPermissions = "userPermissions";
ID_allUsers = "allUsers";
ID_thisEntry = "thisEntry";
+ ID_parentOfEntry = "parentOfEntry";
ID_subtree = "subtree";
ID_name = "name";
ID_userGroup = "userGroup";
Modified: directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g (original)
+++ directory/shared/branches/bigbang/ldap/src/main/antlr/ACIItemChecker.g Thu Jul 31 14:00:49 2008
@@ -400,7 +400,8 @@
userClass
:
allUsers
- | thisEntry
+ | thisEntry
+ | parentOfEntry
| name
| userGroup
| subtree
@@ -416,6 +417,11 @@
ID_thisEntry
;
+parentOfEntry
+ :
+ ID_parentOfEntry
+ ;
+
name
:
ID_name ( SP )+
@@ -656,6 +662,7 @@
ID_userPermissions = "userPermissions";
ID_allUsers = "allUsers";
ID_thisEntry = "thisEntry";
+ ID_parentOfEntry = "parentOfEntry";
ID_subtree = "subtree";
ID_name = "name";
ID_userGroup = "userGroup";
Modified: directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java (original)
+++ directory/shared/branches/bigbang/ldap/src/main/java/org/apache/directory/shared/ldap/aci/UserClass.java Thu Jul 31 14:00:49 2008
@@ -51,6 +51,11 @@
* distinguished name of the ancestor.
*/
public static final ThisEntry THIS_ENTRY = new ThisEntry();
+
+ /**
+ * The user as parent (ancestor) of accessed entry.
+ */
+ public static final ParentOfEntry PARENT_OF_ENTRY = new ParentOfEntry();
/**
@@ -101,7 +106,25 @@
return "thisEntry";
}
}
-
+
+ /**
+ * The user as parent (ancestor) of accessed entry.
+ */
+ public static class ParentOfEntry extends UserClass
+ {
+ private static final long serialVersionUID = 5247207736068086476L;
+
+ private ParentOfEntry()
+ {
+ }
+
+ public String toString()
+ {
+ return "parentOfEntry";
+ }
+
+ }
+
/**
* A base class for all user classes which has a set of DNs.
*/
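Review bot: `ParentOfEntry.toString()` lacks `@Override`, and the class Javadoc (like the one on the `PARENT_OF_ENTRY` constant in the earlier hunk) says "parent (ancestor)" as if the two were the same, while the filter in RelatedUserClassFilter matches any ancestor, not only the immediate parent; suggest `/** The user whose own entry is an ancestor (at any depth) of the accessed entry. */`. The `serialVersionUID` suggests `UserClass` is `Serializable`; if so, a deserialized `ParentOfEntry` is a fresh instance and the `userClass == UserClass.PARENT_OF_ENTRY` identity check in the filter will not recognise it unless the base class already resolves singletons — `private Object readResolve() { return PARENT_OF_ENTRY; }` would preserve the singleton, and the same applies to `ThisEntry` above if it has none.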
Modified: directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java
URL: http://svn.apache.org/viewvc/directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java?rev=681489&r1=681488&r2=681489&view=diff
==============================================================================
--- directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java (original)
+++ directory/shared/branches/bigbang/ldap/src/test/java/org/apache/directory/shared/ldap/aci/ACIItemParserTest.java Thu Jul 31 14:00:49 2008
@@ -496,6 +496,19 @@
}
}
+ public void testUserClassParentOfEntry() throws Exception
+ {
+ String spec = "{ identificationTag \"id\" , precedence 10, authenticationLevel none , "
+ + "itemOrUserFirst userFirst: { userClasses { parentOfEntry , name { \"cn=ersin,ou=people\" }, "
+ + "subtree {{ base \"ou=system\" }, { base \"ou=ORGANIZATIONUNIT\","
+ + "minimum 1, maximum 2 } } } , "
+ + "userPermissions { { protectedItems{ entry , attributeType { cn , ou } , attributeValue {x=y,m=n,k=l} , "
+ + "rangeOfValues (cn=ErsinEr) } , grantsAndDenials { grantBrowse } } } } } ";
+
+ ACIItem item = parser.parse( spec );
+ checkItemToString( spec, item );
+ }
+
/**
* Test case for DIRSERVER-891