Posted to commits@directory.apache.org by el...@apache.org on 2010/07/03 18:21:51 UTC
svn commit: r960232 - in /directory:
apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/
apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/
shared/trunk/ldap-constants/src/main/java/org/apache/...
Author: elecharny
Date: Sat Jul 3 16:21:51 2010
New Revision: 960232
URL: http://svn.apache.org/viewvc?rev=960232&view=rev
Log:
o Added a test for DIRSERVER-999 (ignored)
o When the list of ACI tuples is empty, don't go through the filters
o Added a dedicated logger for ACI (ACI_LOG)
Added:
directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=960232&r1=960231&r2=960232&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Sat Jul 3 16:21:51 2010
@@ -1189,4 +1189,50 @@ public class SearchAuthorizationIT exten
// now we should not be able to access the subentry with a search
assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
}
+
+
+ /**
+ * Checks that we can protect a RangeOfValues item
+ *
+ * @throws Exception if the test encounters an error
+ */
+ @Test
+ @Ignore
+ public void testRangeOfValues() throws Exception
+ {
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try a search operation which should fail without any ACI
+ assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
+
+ // now add a subentry that allows a user to read the CN only
+ createAccessControlSubentry(
+ "rangeOfValues",
+ "{ " +
+ " identificationTag \"rangeOfValuesAci\", " +
+ " precedence 14," +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems { entry, rangeOfValues (cn=billyd) }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
+
+ // see if we can now search and find 4 entries
+ assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
+
+ // check to make sure the telephoneNumber attribute is not present in results
+ for ( Entry result : results.values() )
+ {
+ assertNotNull( result.get( "cn" ) );
+ }
+ }
}
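Review bot: The comments in testRangeOfValues do not match what the test checks: they speak of reading "the CN only", of finding "4 entries" and of the telephoneNumber attribute being absent, while the loop only asserts that `result.get( "cn" )` is non-null. For an access-control test the missing part is the negative case, i.e. an assertion that an entry whose cn falls outside `rangeOfValues (cn=billyd)` is not returned; as written the test appears to pass even if the protected item granted read on every entry. I would also tie the disabled test to its issue with `@Ignore( "DIRSERVER-999" )` so it is not forgotten.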
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=960232&r1=960231&r2=960232&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Sat Jul 3 16:21:51 2010
@@ -221,10 +221,18 @@ public class ACDFEngine
// Clone aciTuples in case it is unmodifiable.
aciTuples = new ArrayList<ACITuple>( aciTuples );
+
+
// Filter unrelated and invalid tuples
for ( ACITupleFilter filter : filters )
{
+ if ( aciTuples.size() == 0 )
+ {
+ // No need to continue filtering
+ return false;
+ }
+
aciTuples = filter.filter(
schemaManager,
aciTuples,
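Review bot: The new early `return false` is an access decision (deny), but its comment only says "No need to continue filtering" and the path leaves no trace in the log. I would state the decision in the comment, `// No tuple left : access is denied, no need to continue filtering`, and test with `aciTuples.isEmpty()`. Because the check sits at the top of each iteration, a list emptied by the last filter is not caught here. The code after the loop lies outside this hunk, so please confirm that it also denies on an empty list and that both paths agree.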
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=960232&r1=960231&r2=960232&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Sat Jul 3 16:21:51 2010
@@ -26,12 +26,15 @@ import org.apache.directory.server.core.
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.constants.Loggers;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.SchemaManager;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
@@ -43,6 +46,9 @@ import org.apache.directory.shared.ldap.
*/
public interface ACITupleFilter
{
+ /** the dedicated logger for ACI */
+ static final Logger ACI_LOG = LoggerFactory.getLogger( Loggers.ACI_LOG.getName() );
+
/**
* Returns the collection of the filtered tuples using the specified
* extra information.
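Review bot: Declaring `ACI_LOG` in the interface makes it an implicitly public constant of ACITupleFilter, inherited by every implementer and visible to any user of the API; the `static final` modifiers are redundant there. A logger is an implementation detail, so a small non-instantiable holder class in the support package, or a `private static final Logger` in each filter, would keep it out of the contract. If it stays, the Javadoc should say who is expected to use it, e.g. `/** Dedicated logger for ACI evaluation, shared by all ACITupleFilter implementations */`.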
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=960232&r1=960231&r2=960232&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Sat Jul 3 16:21:51 2010
@@ -60,8 +60,11 @@ public class HighestPrecedenceFilter imp
Entry entryView )
throws LdapException
{
+ ACI_LOG.debug( "Filtering HighestPrecedence..." );
+
if ( tuples.size() <= 1 )
{
+ ACI_LOG.debug( "HighestPrecedence : nothing to do" );
return tuples;
}
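Review bot: The two debug messages carry no context, so a trace of an ACI evaluation shows that the filter ran but not on what. Adding the tuple count is cheap with SLF4J placeholders: `ACI_LOG.debug( "Filtering HighestPrecedence : {} tuples", tuples.size() );`. The same applies to the message added in MaxImmSubFilter, which in addition logs nothing on its early `return tuples`, unlike the "nothing to do" message here. The method body starts and ends outside this hunk.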
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=960232&r1=960231&r2=960232&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Sat Jul 3 16:21:51 2010
@@ -95,6 +95,8 @@ public class MaxImmSubFilter implements
Entry entryView )
throws LdapException
{
+ ACI_LOG.debug( "Filtering MaxImmSub..." );
+
if ( entryName.size() == 0 )
{
return tuples;
Added: directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java
URL: http://svn.apache.org/viewvc/directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java?rev=960232&view=auto
==============================================================================
--- directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java (added)
+++ directory/shared/trunk/ldap-constants/src/main/java/org/apache/directory/shared/ldap/constants/Loggers.java Sat Jul 3 16:21:51 2010
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.shared.ldap.constants;
+
+/**
+ * An enum defining a list of dedicated loggers, used for debugging
+ * purpose :
+ * - ACI_LOG
+ * - (more to come)
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public enum Loggers
+{
+ ACI_LOG( "aci-logger" );
+
+ private String name;
+
+ /**
+ * Creates a new instance of LdapSecurityConstants.
+ */
+ private Loggers( String name )
+ {
+ this.name = name;
+ }
+
+
+ /**
+ * Return the name associated with the constant.
+ */
+ public String getName()
+ {
+ return name;
+ }
+
+
+}
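Review bot: The constructor Javadoc says "Creates a new instance of LdapSecurityConstants", which looks copied from another enum; it should read `Creates a new instance of Loggers.` and carry a `@param name` line. The field is never reassigned and should be declared `private final String name;`. Every enum already has `name()` (here "ACI_LOG"), so a `getName()` that returns "aci-logger" is easy to confuse with it; the Javadoc on `getName()` should say that it returns the logger name passed to `LoggerFactory.getLogger`.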