Posted to commits@directory.apache.org by er...@apache.org on 2006/08/30 09:09:50 UTC
svn commit: r438406 - in /directory/trunks/apacheds:
core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Author: ersiner
Date: Wed Aug 30 00:09:49 2006
New Revision: 438406
URL: http://svn.apache.org/viewvc?rev=438406&view=rev
Log:
Fix for http://issues.apache.org/jira/browse/DIRSERVER-724 and http://issues.apache.org/jira/browse/DIRSERVER-725.
Also fixed a few more bugs I found while I was debugging.
Modified:
directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java?rev=438406&r1=438405&r2=438406&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java Wed Aug 30 00:09:49 2006
@@ -65,7 +65,7 @@
// create the new entry as the admin user
adminContext.createSubcontext( entryRdn, testEntry );
- LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+ LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
DirContext userContext = getContextAs( userName, password );
userContext.rename( entryRdn, newRdn );
@@ -423,6 +423,80 @@
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByAny" );
+ deleteUser( "billyd" );
+ }
+
+
+ /**
+ * FIXME: THIS TEST FAILS
+ *
+ * Checks to make sure Export and Import permissions work correctly
+ * when they are defined on seperate contexts.
+ *
+ * @throws javax.naming.NamingException if the test encounters an error
+ */
+ public void testExportAndImportSeperately() throws NamingException
+ {
+ // ----------------------------------------------------------------------------
+ // Test move and RDN change at the same time.
+ // ----------------------------------------------------------------------------
+
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an move w/ rdn change which should fail without any ACI
+ assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+
+ // Gives grantBrowse perm to all users in the Administrators
+ // group for entries
+ // It's is needed just to read navigate the tree at root
+ createAccessControlSubentry(
+ "grantBrowseForTheWholeNamingContext",
+ "{ }",
+ "{ " + "identificationTag \"browseACI\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems { entry }, "
+ + "grantsAndDenials { grantBrowse } } } } }" );
+
+ // Gives grantExport, grantRename perm to all users in the Administrators
+ // group for entries
+ createAccessControlSubentry(
+ "grantExportFromASubtree",
+ "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" }
+ "{ " + "identificationTag \"exportACI\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems { entry }, "
+ + "grantsAndDenials { grantExport, grantRename } } } } }" );
+
+ // Gives grantImport perm to all users in the Administrators
+ // group for the target context
+ createAccessControlSubentry(
+ "grantImportToASubtree",
+ "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" }
+ "{ " + "identificationTag \"importACI\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems { entry }, "
+ + "grantsAndDenials { grantImport } } } } }" );
+
+ // see if we can move and rename the test entry which we could not before
+ // op should still fail since billyd is not in the admin group
+ assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+ // now add billyd to the Administrator group and try again
+ addUserToGroup( "billyd", "Administrators" );
+
+ // try move w/ rdn change which should succeed with ACI and group membership change
+ assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+ // now let's cleanup
+ removeUserFromGroup( "billyd", "Administrators" );
+ deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
+ deleteAccessControlSubentry( "grantExportFromASubtree" );
+ deleteAccessControlSubentry( "grantImportToASubtree" );
deleteUser( "billyd" );
}
}
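Review bot: testExportAndImportSeperately never covers the case this commit's authorization change is about: a user who holds grantExport and grantRename on the source subtree but has no grantImport on the target. Both `assertFalse` calls run while billyd is still outside the Administrators group, so they would pass even if the import check at the destination were skipped entirely. Consider calling `addUserToGroup( "billyd", "Administrators" );` before the "grantImportToASubtree" subentry is created and asserting `assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );` at that point. checkCanRenameAs is defined outside this hunk, so confirm it leaves no test entry behind between calls. The Javadoc still opens with "FIXME: THIS TEST FAILS", which should be dropped if the AuthorizationService change makes the test pass. The cleanup calls are also not in a `finally`, so a failed assertion leaves billyd in Administrators and the three ACI subentries in place for later tests.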
Modified: directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java?rev=438406&r1=438405&r2=438406&view=diff
==============================================================================
--- directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java (original)
+++ directory/trunks/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AuthorizationService.java Wed Aug 30 00:09:49 2006
@@ -112,8 +112,7 @@
set.add( MicroOperation.REMOVE );
REPLACE_PERMS = Collections.unmodifiableCollection( set );
- set = new HashSet( 3 );
- set.add( MicroOperation.IMPORT );
+ set = new HashSet( 2 );
set.add( MicroOperation.EXPORT );
set.add( MicroOperation.RENAME );
MOVERENAME_PERMS = Collections.unmodifiableCollection( set );
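Review bot: MOVERENAME_PERMS loses MicroOperation.IMPORT here with no comment explaining why, so a later reader could take the set for the complete permission list of a move-and-rename and rely on it alone. The later hunks of this commit check IMPORT_PERMS separately against the destination, and that dependency should be recorded next to the constant, for example `// IMPORT is deliberately absent: it is checked separately via IMPORT_PERMS against the prescriptive ACI tuples of the destination`. The static initializer that builds these sets starts outside the hunk.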
@@ -818,12 +817,32 @@
engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
null, MOVERENAME_PERMS, tuples, entry );
+ // Get the entry again without operational attributes
+ // because access control subentry operational attributes
+ // will not be valid at the new location.
+ // This will certainly be fixed by the SubentryService,
+ // but after this service.
+ Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+ // As the target entry does not exist yet and so
+ // its subentry operational attributes are not there,
+ // we need to construct an entry to represent it
+ // at least with minimal requirements which are object class
+ // and access control subentry operational attributes.
+ SubentryService subentryService = ( SubentryService ) chain.get( "subentryService" );
+ Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry );
+ NamingEnumeration attrList = importedEntry.getAll();
+ while ( attrList.hasMore() )
+ {
+ subentryAttrs.put( ( Attribute ) attrList.next() );
+ }
+
Collection destTuples = new HashSet();
- addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
- addEntryAciTuples( destTuples, entry );
- addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
- null, IMPORT_PERMS, tuples, entry );
+ // Import permission is only valid for prescriptive ACIs
+ addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+ // Evaluate the target context to see whether it
+ // allows an entry named newName to be imported as a subordinate.
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null,
+ null, IMPORT_PERMS, destTuples, subentryAttrs );
// if ( deleteOldRn )
// {
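Review bot: The block that builds the destination entry for the import check (bypass lookup, `getSubentryAttributes`, attribute copy loop, prescriptive tuples, `checkPermission`) is repeated line for line in the next hunk at -893, so the two import checks can drift apart when one is next changed. Moving it into one private helper, called from both places as something like `Attributes destEntry = buildDestinationEntry( proxy, oriChildName, newName );`, would keep the access-control decision in a single spot. The helper is also the natural place to handle `chain.get( "subentryService" )`, whose cast result is dereferenced without a check. If the chain returns null for a name that is not registered, the operation would end in a NullPointerException rather than a clear configuration or authorization error. The `NamingEnumeration` from `importedEntry.getAll()` is never closed in either copy. The enclosing method begins and ends outside this hunk.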
@@ -893,13 +912,33 @@
engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
null, EXPORT_PERMS, tuples, entry );
-
+
+ // Get the entry again without operational attributes
+ // because access control subentry operational attributes
+ // will not be valid at the new location.
+ // This will certainly be fixed by the SubentryService,
+ // but after this service.
+ Attributes importedEntry = proxy.lookup( oriChildName, PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+ // As the target entry does not exist yet and so
+ // its subentry operational attributes are not there,
+ // we need to construct an entry to represent it
+ // at least with minimal requirements which are object class
+ // and access control subentry operational attributes.
+ SubentryService subentryService = ( SubentryService ) chain.get( "subentryService" );
+ Attributes subentryAttrs = subentryService.getSubentryAttributes( newName, importedEntry );
+ NamingEnumeration attrList = importedEntry.getAll();
+ while ( attrList.hasMore() )
+ {
+ subentryAttrs.put( ( Attribute ) attrList.next() );
+ }
+
Collection destTuples = new HashSet();
- addPerscriptiveAciTuples( proxy, destTuples, oriChildName, entry );
- addEntryAciTuples( destTuples, entry );
- addSubentryAciTuples( proxy, destTuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), oriChildName, null,
- null, IMPORT_PERMS, tuples, entry );
+ // Import permission is only valid for prescriptive ACIs
+ addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
+ // Evaluate the target context to see whether it
+ // allows an entry named newName to be imported as a subordinate.
+ engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), newName, null,
+ null, IMPORT_PERMS, destTuples, subentryAttrs );
next.move( oriChildName, newParentName );
tupleCache.subentryRenamed( oriChildName, newName );