Posted to commits@directory.apache.org by ka...@apache.org on 2010/03/17 15:41:35 UTC
svn commit: r924314 [2/3] - in /directory/apacheds/trunk/core-integ: ./
src/main/java/org/apache/directory/server/core/integ/
src/test/java/org/apache/directory/server/core/authz/
src/test/java/org/apache/directory/server/core/suites/
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=924314&r1=924313&r2=924314&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Wed Mar 17 14:41:34 2010
@@ -26,27 +26,25 @@ import static org.apache.directory.serve
import static org.apache.directory.server.core.authz.AutzIntegUtils.createGroup;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getAdminConnection;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getConnectionAs;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.naming.Name;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.BasicAttribute;
-import javax.naming.directory.BasicAttributes;
-import javax.naming.directory.DirContext;
-import javax.naming.directory.ModificationItem;
-
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.message.ModifyRequest;
+import org.apache.directory.ldap.client.api.message.ModifyResponse;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.EntryAttribute;
+import org.apache.directory.shared.ldap.entry.Modification;
+import org.apache.directory.shared.ldap.entry.ModificationOperation;
+import org.apache.directory.shared.ldap.entry.client.ClientModification;
+import org.apache.directory.shared.ldap.entry.client.DefaultClientAttribute;
+import org.apache.directory.shared.ldap.entry.client.DefaultClientEntry;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.DN;
import org.junit.Before;
import org.junit.Test;
@@ -59,17 +57,17 @@ import org.junit.runner.RunWith;
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
* @version $Rev$
*/
-@RunWith ( FrameworkRunner.class )
+@RunWith(FrameworkRunner.class)
public class ModifyAuthorizationIT extends AbstractLdapTestUnit
{
@Before
public void setService()
{
- AutzIntegUtils.service = service;
+ AutzIntegUtils.ldapServer = ldapServer;
}
-
-
+
+
/**
* Checks if an attribute of a simple entry (an organizationalUnit) with an RDN
* relative to ou=system can be modified by a specific non-admin user. If a
@@ -86,44 +84,47 @@ public class ModifyAuthorizationIT exten
* @param mods the modifications to make to the entry
* @return true if the modifications can be made by the user at the specified location,
* false otherwise.
- * @throws javax.naming.NamingException if there are problems conducting the test
+ * @throws javax.naming.Exception if there are problems conducting the test
*/
- public boolean checkCanModifyAs( String uid, String password, String entryRdn, ModificationItem[] mods )
+ public boolean checkCanModifyAs( String uid, String password, String entryRdn, Modification[] mods )
throws Exception
{
- // create the entry with the telephoneNumber attribute to modify
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
- testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+ DN entryDN = new DN( entryRdn + ",ou=system" );
+ boolean result;
+
+ // create the entry with the telephoneNumber attribute to compare
+ Entry testEntry = new DefaultClientEntry( entryDN );
+ testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ testEntry.add( SchemaConstants.OU_AT, "testou" );
+ testEntry.add( "telephoneNumber", "867-5309" ); // jenny don't change your number
- DirContext adminContext = getContextAsAdmin();
+ LdapConnection adminConnection = getAdminConnection();
- //noinspection EmptyCatchBlock
- try
- {
- // create the entry as admin
- DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
- adminContext.createSubcontext( entryRdn, testEntry );
-
- // modify the entry as the user
- DirContext userContext = getContextAs( userName, password );
- userContext.modifyAttributes( entryRdn, mods );
+ // create the entry as admin
+ adminConnection.add( testEntry );
- return true;
- }
- catch ( LdapNoPermissionException e )
+ DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
+ // compare the telephone numbers
+ LdapConnection userConnection = getConnectionAs( userName, password );
+
+ // modify the entry as the user
+ ModifyRequest modReq = new ModifyRequest( entryDN );
+ modReq.addModification( mods );
+ ModifyResponse resp = userConnection.modify( modReq );
+
+ if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
{
+ result = true;
}
- finally
+ else
{
- // let's clean up
- adminContext.destroySubcontext( entryRdn );
+ result = false;
}
- return false;
+ // let's clean up
+ adminConnection.delete( entryDN );
+
+ return result;
}
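Review bot: The new `checkCanModifyAs` returns false for every result code other than SUCCESS, so the `assertFalse` cases now pass on any failure of the modify (a missing entry, a schema or bind problem), not only on a denial; the removed code returned false solely for `LdapNoPermissionException` and let every other error fail the test. For an access-control test the negative case should be pinned to the denial code, presumably `ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS`, and anything else should raise. The cleanup `adminConnection.delete( entryDN )` also lost its `finally`, so an exception from `getConnectionAs` or `modify` leaves the test entry behind for the next test. The same pattern is in the overload in the next hunk and in `checkCanSelfModify`. The method's Javadoc starts above the hunk.

```java
// … unchanged: entryDN, testEntry construction, adminConnection.add( testEntry ) …
DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );

try
{
    // modify the entry as the user
    LdapConnection userConnection = getConnectionAs( userName, password );
    ModifyRequest modReq = new ModifyRequest( entryDN );
    modReq.addModification( mods );
    ResultCodeEnum rc = userConnection.modify( modReq ).getLdapResult().getResultCode();

    if ( rc == ResultCodeEnum.SUCCESS )
    {
        return true;
    }

    if ( rc == ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS )
    {
        return false;
    }

    // anything else is a test failure, not an authorization verdict
    throw new IllegalStateException( "unexpected result code " + rc );
}
finally
{
    // let's clean up, even when the modify attempt blew up
    adminConnection.delete( entryDN );
}
```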
@@ -144,72 +145,46 @@ public class ModifyAuthorizationIT exten
* @param modOp the modification operation to use for all attributes
* @return true if the modifications can be made by the user at the specified location,
* false otherwise.
- * @throws javax.naming.NamingException if there are problems conducting the test
+ * @throws javax.naming.Exception if there are problems conducting the test
*/
- public boolean checkCanModifyAs( String uid, String password, String entryRdn, int modOp, Attributes mods )
- throws Exception
+ public boolean checkCanModifyAs( String uid, String password, String entryRdn, ModificationOperation modOp,
+ EntryAttribute attr ) throws Exception
{
- // create the entry with the telephoneNumber attribute to modify
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
- testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+ DN entryDN = new DN( entryRdn + ",ou=system" );
+ boolean result;
- DirContext adminContext = getContextAsAdmin();
+ // create the entry with the telephoneNumber attribute to compare
+ Entry testEntry = new DefaultClientEntry( entryDN );
+ testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ testEntry.add( SchemaConstants.OU_AT, "testou" );
+ testEntry.add( "telephoneNumber", "867-5309" ); // jenny don't change your number
- try
- {
- // create the entry as admin
- DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
- adminContext.createSubcontext( entryRdn, testEntry );
-
- // modify the entry as the user
- DirContext userContext = getContextAs( userName, password );
- userContext.modifyAttributes( entryRdn, modOp, mods );
+ LdapConnection adminConnection = getAdminConnection();
- return true;
- }
- catch ( LdapNoPermissionException e )
- {
- return false;
- }
- finally
- {
- // let's clean up
- adminContext.destroySubcontext( entryRdn );
- }
- }
+ adminConnection.add( testEntry );
+ // create the entry as admin
+ DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
+ // modify the entry as the user
+ LdapConnection userConnection = getConnectionAs( userName, password );
+ ModifyRequest modReq = new ModifyRequest( entryDN );
+ modReq.addModification( attr, modOp );
- /**
- * Checks if a user can modify an attribute of their own entry. Users are
- * presumed to reside under ou=users,ou=system. If a permission exception is
- * encountered it is caught and false is returned, otherwise true is returned.
- *
- * @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
- * @param password the password of this user
- * @param mods the attributes to modify in the entry
- * @param modOp the modification operation to use for all attributes
- * @return true if the modifications can be made by the user his/her own entry,
- * false otherwise.
- * @throws javax.naming.NamingException if there are problems conducting the test
- */
- public boolean checkCanSelfModify( String uid, String password, int modOp, Attributes mods ) throws Exception
- {
- try
+ ModifyResponse resp = userConnection.modify( modReq );
+
+ if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
{
- // modify the entry as the user
- Name userEntry = new DN( "uid=" + uid + ",ou=users,ou=system" );
- DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
- userContext.modifyAttributes( "", modOp, mods );
- return true;
+ result = true;
}
- catch ( LdapNoPermissionException e )
+ else
{
- return false;
+ result = false;
}
+
+ // let's clean up
+ adminConnection.delete( entryDN );
+
+ return result;
}
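Review bot: The `ModificationOperation`/`EntryAttribute` overload duplicates the whole body of the `Modification[]` variant apart from one call, and its comments have drifted (`// create the entry as admin` now sits after `adminConnection.add( testEntry )`). It could reduce to `return checkCanModifyAs( uid, password, entryRdn, toItems( modOp, attr ) );`, assuming `addModification( attr, modOp )` builds the same modification that `toItems` does, which is worth confirming against the client API. That keeps the entry setup, the result-code handling and the cleanup in one place. The Javadoc of this overload starts above the hunk.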
@@ -223,22 +198,20 @@ public class ModifyAuthorizationIT exten
* @param mods the attributes to modify in the entry
* @return true if the modifications can be made by the user his/her own entry,
* false otherwise.
- * @throws javax.naming.NamingException if there are problems conducting the test
+ * @throws javax.naming.Exception if there are problems conducting the test
*/
- public boolean checkCanSelfModify( String uid, String password, ModificationItem[] mods ) throws Exception
+ public boolean checkCanSelfModify( String uid, String password, Modification[] mods ) throws Exception
{
- try
- {
- // modify the entry as the user
- Name userEntry = new DN( "uid=" + uid + ",ou=users,ou=system" );
- DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
- userContext.modifyAttributes( "", mods );
- return true;
- }
- catch ( LdapNoPermissionException e )
- {
- return false;
- }
+ // modify the entry as the user
+ DN userDN = new DN( "uid=" + uid + ",ou=users,ou=system" );
+ LdapConnection connection = getConnectionAs( userDN, password );
+
+ ModifyRequest modReq = new ModifyRequest( userDN );
+ modReq.addModification( mods );
+
+ ModifyResponse resp = connection.modify( modReq );
+
+ return resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;
}
@@ -248,19 +221,19 @@ public class ModifyAuthorizationIT exten
* @param modOp the modification operation to perform
* @param changes the modifications to the attribute
* @return the array of modification items represting the changes
- * @throws NamingException if there are problems accessing attributes
+ * @throws Exception if there are problems accessing attributes
*/
- private ModificationItem[] toItems( int modOp, Attributes changes ) throws NamingException
+ private Modification[] toItems( ModificationOperation modOp, EntryAttribute... attrs ) throws Exception
{
- List<ModificationItem> mods = new ArrayList<ModificationItem>();
- NamingEnumeration<? extends Attribute> list = changes.getAll();
- while ( list.hasMore() )
+ Modification[] mods = new Modification[attrs.length];
+
+ for ( int i = 0; i < attrs.length; i++ )
{
- Attribute attr = list.next();
- mods.add( new ModificationItem( modOp, attr ) );
+ EntryAttribute ea = attrs[i];
+ mods[i] = new ClientModification( modOp, ea );
}
- ModificationItem[] modArray = new ModificationItem[mods.size()];
- return mods.toArray( modArray );
+
+ return mods;
}
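Review bot: The Javadoc kept above `toItems` still documents `@param changes`, but the parameter is now the varargs `attrs`, so the tag names nothing in the signature. I would replace it with `@param attrs the attributes to turn into modifications, one per attribute`. The `throws Exception` clause also looks unnecessary now that no `NamingEnumeration` is walked, unless the `ClientModification` constructor declares a checked exception. The Javadoc starts above the hunk.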
@@ -275,8 +248,8 @@ public class ModifyAuthorizationIT exten
createUser( "billyd", "billyd" );
// create the password modification
- ModificationItem[] mods = toItems( DirContext.REPLACE_ATTRIBUTE, new BasicAttributes( "userPassword",
- "williams", true ) );
+ Modification[] mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultClientAttribute(
+ "userPassword", "williams" ) );
// try a modify operation which should fail without any ACI
assertFalse( checkCanSelfModify( "billyd", "billyd", mods ) );
@@ -299,7 +272,7 @@ public class ModifyAuthorizationIT exten
/**
* Checks to make sure group membership based userClass works for modify operations.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws javax.naming.Exception if the test encounters an error
*/
@Test
public void testGrantModifyByTestGroup() throws Exception
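Review bot: `javax.naming.Exception` is not a class; replacing `NamingException` left a dangling package prefix in this `@throws` tag. It should read `@throws Exception if the test encounters an error`. The same text was introduced in the `@throws` lines of the helper methods in the earlier hunks and in the commented-out tests further down. The test method body continues outside the hunk.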
@@ -309,12 +282,12 @@ public class ModifyAuthorizationIT exten
// ----------------------------------------------------------------------------------
// create the add modifications
- ModificationItem[] mods = toItems( DirContext.ADD_ATTRIBUTE, new BasicAttributes( "registeredAddress",
- "100 Park Ave.", true ) );
+ EntryAttribute attr = new DefaultClientAttribute( "registeredAddress", "100 Park Ave." );
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, attr );
// create the non-admin user
createUser( "billyd", "billyd" );
-
+
createGroup( "TestGroup" );
// try a modify operation which should fail without any ACI
@@ -322,11 +295,18 @@ public class ModifyAuthorizationIT exten
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyAdd",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } "
+ + "} } }" );
// see if we can now add that test entry which we could not before
// add op should still fail since billd is not in the admin group
@@ -344,18 +324,26 @@ public class ModifyAuthorizationIT exten
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- mods = toItems( DirContext.REMOVE_ATTRIBUTE, new BasicAttributes( "telephoneNumber", "867-5309", true ) );
+ mods = toItems( ModificationOperation.REMOVE_ATTRIBUTE, new DefaultClientAttribute( "telephoneNumber",
+ "867-5309" ) );
// make sure we cannot remove the telephone number from the test entry
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyRemove",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -366,19 +354,26 @@ public class ModifyAuthorizationIT exten
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- mods = toItems( DirContext.REPLACE_ATTRIBUTE, new BasicAttributes( "telephoneNumber", "867-5309", true ) );
+ mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultClientAttribute( "telephoneNumber",
+ "867-5309" ) );
// make sure we cannot remove the telephone number from the test entry
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
- + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyReplace",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
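Review bot: The `administratorModifyReplace` ACI grants on `attributeType {registeredAddress}` while the replace under test targets `telephoneNumber` (only `allAttributeValues` names it), which looks like a leftover from the add case that this reformat carries over unchanged. If the mismatch is unintended, the `assertTrue` below it may be passing for a different reason than the test claims; `attributeType {telephoneNumber}` would match the modification. The two comments above the `toItems` call also still say "delete op" and "remove" for what is a replace. The identical string appears again in the `ModificationOperation.REPLACE_ATTRIBUTE, changes` section later in this file. The test method starts and ends outside the hunk.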
@@ -392,21 +387,28 @@ public class ModifyAuthorizationIT exten
// Modify with Attribute Addition
// ----------------------------------------------------------------------------------
// create the add modifications
- Attributes changes = new BasicAttributes( "registeredAddress", "100 Park Ave.", true );
+ EntryAttribute changes = new DefaultClientAttribute( "registeredAddress", "100 Park Ave." );
// try a modify operation which should fail without any ACI
- assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyAdd",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
- assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.ADD_ATTRIBUTE, changes ) );
deleteAccessControlSubentry( "administratorModifyAdd" );
// ----------------------------------------------------------------------------------
@@ -414,21 +416,28 @@ public class ModifyAuthorizationIT exten
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- changes = new BasicAttributes( "telephoneNumber", "867-5309", true );
+ changes = new DefaultClientAttribute( "telephoneNumber", "867-5309" );
// make sure we cannot remove the telephone number from the test entry
- assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyRemove",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {telephoneNumber}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
- assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REMOVE_ATTRIBUTE, changes ) );
deleteAccessControlSubentry( "administratorModifyRemove" );
// ----------------------------------------------------------------------------------
@@ -436,22 +445,28 @@ public class ModifyAuthorizationIT exten
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- changes = new BasicAttributes( "telephoneNumber", "867-5309", true );
+ changes = new DefaultClientAttribute( "telephoneNumber", "867-5309" );
// make sure we cannot remove the telephone number from the test entry
- assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
// Gives grantModify, and grantRead perm to all users in the TestGroup group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, " + "userPermissions { "
- + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
- + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
- + "} } }" );
+ createAccessControlSubentry(
+ "administratorModifyReplace",
+ "{ "
+ + "identificationTag \"addAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=TestGroup,ou=groups,ou=system\" } }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {attributeType {registeredAddress}, allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
- assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", ModificationOperation.REPLACE_ATTRIBUTE, changes ) );
deleteAccessControlSubentry( "administratorModifyReplace" );
}
@@ -459,9 +474,9 @@ public class ModifyAuthorizationIT exten
// /**
// * Checks to make sure name based userClass works for modify operations.
// *
- // * @throws javax.naming.NamingException if the test encounters an error
+ // * @throws javax.naming.Exception if the test encounters an error
// */
- // public void testGrantModifyByName() throws NamingException
+ // public void testGrantModifyByName() throws Exception
// {
// // create the non-admin user
// createUser( "billyd", "billyd" );
@@ -488,9 +503,9 @@ public class ModifyAuthorizationIT exten
// /**
// * Checks to make sure subtree based userClass works for modify operations.
// *
- // * @throws javax.naming.NamingException if the test encounters an error
+ // * @throws javax.naming.Exception if the test encounters an error
// */
- // public void testGrantModifyBySubtree() throws NamingException
+ // public void testGrantModifyBySubtree() throws Exception
// {
// // create the non-admin user
// createUser( "billyd", "billyd" );
@@ -517,9 +532,9 @@ public class ModifyAuthorizationIT exten
// /**
// * Checks to make sure <b>allUsers</b> userClass works for modify operations.
// *
- // * @throws javax.naming.NamingException if the test encounters an error
+ // * @throws javax.naming.Exception if the test encounters an error
// */
- // public void testGrantModifyAllUsers() throws NamingException
+ // public void testGrantModifyAllUsers() throws Exception
// {
// // create the non-admin user
// createUser( "billyd", "billyd" );
@@ -542,95 +557,71 @@ public class ModifyAuthorizationIT exten
// // should work with billyd now that all users are authorized
// assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// }
-
-
+
@Test
public void testPresciptiveACIModification() throws Exception
{
-
- ModificationItem[] mods = toItems( DirContext.ADD_ATTRIBUTE,
- new BasicAttributes( "registeredAddress", "100 Park Ave.", true ) );
+
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultClientAttribute(
+ "registeredAddress", "100 Park Ave." ) );
createUser( "billyd", "billyd" );
- createAccessControlSubentry( "modifyACI", "{ " + "identificationTag \"modifyAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { "
- + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } } } } }" );
+ createAccessControlSubentry(
+ "modifyACI",
+ "{ "
+ + "identificationTag \"modifyAci\", "
+ + "precedence 14, "
+ + "authenticationLevel none, "
+ + "itemOrUserFirst userFirst: { "
+ + "userClasses { allUsers }, "
+ + "userPermissions { "
+ + "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { grantModify, grantBrowse, grantAdd, grantRemove } } } } }" );
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
-
- mods = toItems( DirContext.REPLACE_ATTRIBUTE,
- new BasicAttributes( "registeredAddress", "200 Park Ave.", true ) );
-
- changePresciptiveACI( "modifyACI", "{ " + "identificationTag \"modifyAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { "
+
+ mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, new DefaultClientAttribute( "registeredAddress",
+ "200 Park Ave." ) );
+
+ changePresciptiveACI( "modifyACI", "{ " + "identificationTag \"modifyAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { "
+ "{ protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { denyModify } } } } }" );
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
-
+
deleteAccessControlSubentry( "modifyACI" );
-
+
}
-
+
@Test
public void testMaxValueCountProtectedItem() throws Exception
{
createUser( "billyd", "billyd" );
- createAccessControlSubentry( "mvcACI",
- " {" +
- " identificationTag \"mvcACI\"," +
- " precedence 10," +
- " authenticationLevel simple," +
- " itemOrUserFirst userFirst:" +
- " {" +
- " userClasses { allUsers }," +
- " userPermissions" +
- " {" +
- " {" +
- " protectedItems { entry }," +
- " grantsAndDenials { grantModify, grantBrowse }" +
- " }" +
- " ," +
- " {" +
- " protectedItems" +
- " {" +
- " attributeType { description }," +
- " allAttributeValues { description }," +
- " maxValueCount" +
- " {" +
- " { type description, maxCount 1 }" +
- " }" +
- " }" +
- " ," +
- " grantsAndDenials" +
- " {" +
- " grantRemove," +
- " grantAdd" +
- " }" +
- " }" +
- " }" +
- " }" +
- " }" );
-
- ModificationItem[] mods = toItems( DirContext.ADD_ATTRIBUTE,
- new BasicAttributes( "description", "description 1", true ) );
-
+ createAccessControlSubentry( "mvcACI", " {" + " identificationTag \"mvcACI\"," + " precedence 10,"
+ + " authenticationLevel simple," + " itemOrUserFirst userFirst:" + " {" + " userClasses { allUsers },"
+ + " userPermissions" + " {" + " {" + " protectedItems { entry },"
+ + " grantsAndDenials { grantModify, grantBrowse }" + " }" + " ," + " {" + " protectedItems" + " {"
+ + " attributeType { description }," + " allAttributeValues { description }," + " maxValueCount" + " {"
+ + " { type description, maxCount 1 }" + " }" + " }" + " ," + " grantsAndDenials" + " {" + " grantRemove,"
+ + " grantAdd" + " }" + " }" + " }" + " }" + " }" );
+
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE, new DefaultClientAttribute( "description",
+ "description 1" ) );
+
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
-
- Attributes attrs = new BasicAttributes( true );
- Attribute attr = new BasicAttribute( "description" );
+
+ EntryAttribute attr = new DefaultClientAttribute( "description" );
attr.add( "description 1" );
attr.add( "description 2" );
- attrs.put( attr );
- mods = toItems( DirContext.ADD_ATTRIBUTE, attrs );
-
+
+ mods = toItems( ModificationOperation.ADD_ATTRIBUTE, attr );
+
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
-
- mods = toItems( DirContext.REPLACE_ATTRIBUTE, attrs );
-
+
+ mods = toItems( ModificationOperation.REPLACE_ATTRIBUTE, attr );
+
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
}
}
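Review bot: The `mvcACI` string in `testMaxValueCountProtectedItem` went from one clause per line to seven densely packed lines, which makes the nesting of `protectedItems`, `maxValueCount` and `grantsAndDenials` hard to audit; the `changePresciptiveACI` argument got the same treatment. That is the opposite of what the other hunks in this commit do, where each ACI clause is moved onto its own `+` continuation line. I would keep the one-clause-per-line layout here as well, e.g. `+ " maxValueCount { { type description, maxCount 1 } }"` on a line of its own, and exclude these literals from the formatter if it keeps collapsing them.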
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=924314&r1=924313&r2=924314&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Wed Mar 17 14:41:34 2010
@@ -24,21 +24,20 @@ import static org.apache.directory.serve
import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteUser;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAs;
-import static org.apache.directory.server.core.authz.AutzIntegUtils.getContextAsAdmin;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getAdminConnection;
+import static org.apache.directory.server.core.authz.AutzIntegUtils.getConnectionAs;
import static org.apache.directory.server.core.authz.AutzIntegUtils.removeUserFromGroup;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
-import javax.naming.directory.BasicAttribute;
-import javax.naming.directory.BasicAttributes;
-import javax.naming.directory.DirContext;
-
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.apache.directory.ldap.client.api.message.ModifyDnResponse;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.client.DefaultClientEntry;
+import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.DN;
import org.junit.Before;
import org.junit.Test;
@@ -58,8 +57,41 @@ public class MoveRenameAuthorizationIT e
@Before
public void setService()
{
- AutzIntegUtils.service = service;
- service.setAccessControlEnabled( true );
+ AutzIntegUtils.ldapServer = ldapServer;
+ }
+
+
+ public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newNameRdn ) throws Exception
+ {
+ DN entryDN = new DN( entryRdn + ",ou=system" );
+ boolean result;
+
+ Entry testEntry = new DefaultClientEntry( entryDN );
+ testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ testEntry.add( SchemaConstants.OU_AT, "testou" );
+
+ LdapConnection adminConnection = getAdminConnection();
+
+ // create the new entry as the admin user
+ adminConnection.add( testEntry );
+
+ DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
+
+ LdapConnection userConnection = getConnectionAs( userName, password );
+ ModifyDnResponse resp = userConnection.rename( entryDN.getName(), newNameRdn );
+
+ if( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
+ {
+ userConnection.delete( newNameRdn + ",ou=system" );
+ result = true;
+ }
+ else
+ {
+ adminConnection.delete( entryDN );
+ result = false;
+ }
+
+ return result;
}
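Review bot: In `checkCanRenameAs` every result code other than SUCCESS is reported as "not permitted", so an `assertFalse` on this helper also passes when the rename failed for an unrelated reason such as a missing entry or a malformed DN. The JNDI version removed in the next hunk returned false only on `LdapNoPermissionException`. In the else branch I would pin the denial with `assertTrue( "unexpected result " + resp.getLdapResult().getResultCode(), resp.getLdapResult().getResultCode() == ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS );` before returning false; the same applies to both else branches of `checkCanMoveAndRenameAs` in the next hunk. Separately, `setService` no longer calls `service.setAccessControlEnabled( true )`, and where access control is now switched on is not visible here. A comment naming that place would help, because the grant assertions prove nothing if it is off.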
@@ -74,40 +106,63 @@ public class MoveRenameAuthorizationIT e
* @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
* @param password the password of this user
* @param entryRdn the relative DN, relative to ou=system where entry renames are tested
- * @param newRdn the new RDN for the entry under ou=system
+ * @param newNameRdn the new RDN for the entry under ou=system
+ * @param newParentRdn the new parent RDN for the entry under ou=system
* @return true if the entry can be renamed by the user at the specified location, false otherwise
- * @throws javax.naming.NamingException if there are problems conducting the test
+ * @throws Exception if there are problems conducting the test
*/
- public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newRdn )
+ public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn, String newParentRdn )
throws Exception
{
- Attributes testEntry = new BasicAttributes( "ou", "testou", true );
- Attribute objectClass = new BasicAttribute( "objectClass" );
- testEntry.put( objectClass );
- objectClass.add( "top" );
- objectClass.add( "organizationalUnit" );
+ DN entryDN = new DN( entryRdn + ",ou=system" );
+ boolean result;
+
+ Entry testEntry = new DefaultClientEntry( entryDN );
+ testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ testEntry.add( SchemaConstants.OU_AT, "testou" );
+
+ LdapConnection adminConnection = getAdminConnection();
- DirContext adminContext = getContextAsAdmin();
- try
- {
- // create the new entry as the admin user
- adminContext.createSubcontext( entryRdn, testEntry );
+ // create the new entry as the admin user
+ adminConnection.add( testEntry );
+
+ DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
+
+ LdapConnection userConnection = getConnectionAs( userName, password );
- DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
- DirContext userContext = getContextAs( userName, password );
- userContext.rename( entryRdn, newRdn );
-
- // delete the renamed context as the admin user
- adminContext.destroySubcontext( newRdn );
- return true;
+ boolean isMoved = false;
+ ModifyDnResponse moveResp = userConnection.move( entryDN.getName(), newParentRdn + ",ou=system" );
+ if( moveResp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
+ {
+ isMoved = true;
}
- catch ( LdapNoPermissionException e )
+ else
{
- // delete the original context as the admin user since rename
- // of newly created test entry did not succeed
- adminContext.destroySubcontext( entryRdn );
+ adminConnection.delete( entryDN );
return false;
}
+
+ ModifyDnResponse resp = userConnection.rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn );
+
+ ResultCodeEnum code = resp.getLdapResult().getResultCode();
+ if( code == ResultCodeEnum.SUCCESS || code == ResultCodeEnum.ENTRY_ALREADY_EXISTS )
+ {
+ userConnection.delete( newNameRdn + "," + newParentRdn + ",ou=system" );
+ result = true;
+ }
+ else
+ {
+ if( isMoved )
+ {
+ entryDN.add( 1, newParentRdn );
+ adminConnection.delete( entryDN );
+ }
+
+ result = false;
+ }
+
+ // delete the renamed context as the admin user
+ return result;
}
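Review bot: Accepting `ENTRY_ALREADY_EXISTS` at `if( code == ResultCodeEnum.SUCCESS || code == ResultCodeEnum.ENTRY_ALREADY_EXISTS )` makes the helper return true for a rename the server did not perform, so an `assertTrue` on a grantRename ACI can pass without the rename being authorised or executed. It looks like this is there for the move-only callers that pass the same RDN (`"ou=testou", "ou=testou", "ou=groups"`); if so, skip the rename for those with a guard such as `if ( entryRdn.equals( newNameRdn ) )` and require SUCCESS otherwise. The success-path cleanup `userConnection.delete(...)` also ignores its result and depends on the test user having remove rights, which the ACIs in these tests do not obviously grant. Using `adminConnection.delete( newNameRdn + "," + newParentRdn + ",ou=system" );` would match the old admin-side cleanup. The method's Javadoc opens above the hunk.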
@@ -115,7 +170,7 @@ public class MoveRenameAuthorizationIT e
* Checks to make sure group membership based userClass works for renames,
* moves and moves with renames.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantByAdministrators() throws Exception
@@ -159,7 +214,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
@@ -171,13 +226,13 @@ public class MoveRenameAuthorizationIT e
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move w/ rdn change which should succeed with ACI and group membership change
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
@@ -192,7 +247,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
@@ -202,13 +257,13 @@ public class MoveRenameAuthorizationIT e
// see if we can now move that test entry which we could not before
// op should still fail since billyd is not in the admin group
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move operation which should succeed with ACI and group membership change
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
@@ -221,7 +276,7 @@ public class MoveRenameAuthorizationIT e
* Checks to make sure name based userClass works for rename, move, and
* rename with move operation access controls.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantByName() throws Exception
@@ -257,7 +312,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", "
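Review bot: This call still passes `"ou=testou,ou=users"` as `entryRdn`, while every other converted call, including the matching `assertTrue` later in the same test, passes `"ou=testou"`. With the new helper the parent is a separate argument, so the rename step would address `ou=testou,ou=users,ou=groups,ou=system`; the assertion only holds because the move is refused first. I would make it `assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );` so the denied and granted cases exercise the same entry. The enclosing test method starts and ends outside the hunk.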
@@ -267,7 +322,7 @@ public class MoveRenameAuthorizationIT e
+ "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByName" );
@@ -281,7 +336,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
@@ -290,7 +345,7 @@ public class MoveRenameAuthorizationIT e
+ "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByName" );
@@ -302,7 +357,7 @@ public class MoveRenameAuthorizationIT e
* Checks to make sure subtree based userClass works for rename, move, and
* rename with move operation access controls.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantBySubtree() throws Exception
@@ -338,7 +393,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", "
@@ -348,7 +403,7 @@ public class MoveRenameAuthorizationIT e
+ "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByTree" );
@@ -362,7 +417,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
@@ -371,7 +426,7 @@ public class MoveRenameAuthorizationIT e
+ "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByTree" );
@@ -383,7 +438,7 @@ public class MoveRenameAuthorizationIT e
* Checks to make sure the <b>anyUser</b> userClass works for rename, move, and
* rename with move operation access controls.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testGrantByAnyuser() throws Exception
@@ -419,7 +474,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", "
@@ -428,7 +483,7 @@ public class MoveRenameAuthorizationIT e
+ "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByAny" );
@@ -442,7 +497,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
@@ -451,7 +506,7 @@ public class MoveRenameAuthorizationIT e
+ "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByAny" );
@@ -463,7 +518,7 @@ public class MoveRenameAuthorizationIT e
* Checks to make sure Export and Import permissions work correctly
* when they are defined on seperate contexts.
*
- * @throws javax.naming.NamingException if the test encounters an error
+ * @throws Exception if the test encounters an error
*/
@Test
public void testExportAndImportSeperately() throws Exception
@@ -476,7 +531,7 @@ public class MoveRenameAuthorizationIT e
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantBrowse perm to all users in the Administrators
@@ -515,13 +570,13 @@ public class MoveRenameAuthorizationIT e
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
- assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move w/ rdn change which should succeed with ACI and group membership change
- assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+ assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );