Posted to commits@directory.apache.org by el...@apache.org on 2011/01/16 03:57:35 UTC
svn commit: r1059438 - in /directory/apacheds/trunk:
core-integ/src/test/java/org/apache/directory/server/core/authz/
core/src/main/java/org/apache/directory/server/core/admin/
Author: elecharny
Date: Sun Jan 16 02:57:35 2011
New Revision: 1059438
URL: http://svn.apache.org/viewvc?rev=1059438&view=rev
Log:
o Added some checks to see if the AP cache is correctly reloaded if the server is stopped
o Fixed an issue in the AP cache modification
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java?rev=1059438&r1=1059437&r2=1059438&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AddAuthorizationIT.java Sun Jan 16 02:57:35 2011
@@ -31,8 +31,6 @@ import org.apache.directory.ldap.client.
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
-import org.apache.directory.server.core.integ.IntegrationUtils;
-import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.DefaultEntry;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.exception.LdapException;
@@ -66,7 +64,7 @@ public class AddAuthorizationIT extends
@After
public void closeConnections()
{
- IntegrationUtils.closeConnections();
+ //IntegrationUtils.closeConnections();
}
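Review bot: The @After body is now a commented-out call rather than a removal, and since the IntegrationUtils import is deleted in the same commit the line can never be re-enabled as-is; either drop the `closeConnections()` method entirely or keep a one-line comment saying why teardown no longer closes connections, e.g. `// connections are closed per test in checkCanAddEntryAs(); nothing to clean up here`. If any helper in this class still hands out cached admin connections, they are presumably no longer closed between tests — worth confirming.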
@@ -86,14 +84,16 @@ public class AddAuthorizationIT extends
*/
public boolean checkCanAddEntryAs( String uid, String password, String entryRdn ) throws Exception
{
+ LdapConnection connection = null;
+
try
{
DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
- LdapConnection connection = getConnectionAs( userName, password );
+ connection = getConnectionAs( userName, password );
- Entry entry = new DefaultEntry( new DN( "ou=testou,ou=system" ) );
- entry.add( SchemaConstants.OU_AT, "testou" );
- entry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
+ Entry entry = new DefaultEntry( new DN( "ou=system" ).add( entryRdn ) );
+ entry.add( "ou", "testou" );
+ entry.add( "ObjectClass", "top", "organizationalUnit" );
AddResponse resp = connection.add( entry );
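Review bot: The entry's DN is now built from the `entryRdn` parameter, but the naming attribute is still hard-coded as `entry.add( "ou", "testou" )`, so any caller passing a different RDN would create an entry whose ou value does not match its RDN (every current caller passes "ou=testou", which is why this does not show). Derive the value from the parsed RDN instead of the literal, or document in the method's Javadoc that only `ou=testou` is supported. The `"ObjectClass"` literal also differs in casing from the `"objectClass"` used in the AutzIntegUtils hunks of this commit; matching is case-insensitive, but one spelling would be easier to grep. checkCanAddEntryAs continues outside this hunk.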
@@ -103,7 +103,6 @@ public class AddAuthorizationIT extends
}
connection.delete( entry.getDn() );
- connection.close();
return true;
}
@@ -111,6 +110,13 @@ public class AddAuthorizationIT extends
{
return false;
}
+ finally
+ {
+ if ( connection != null )
+ {
+ connection.close();
+ }
+ }
}
@@ -130,11 +136,23 @@ public class AddAuthorizationIT extends
// Gives grantAdd perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorAdd", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
- + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "administratorAdd",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now add that test entry which we could not before
// add op should still fail since billd is not in the admin group
@@ -145,6 +163,20 @@ public class AddAuthorizationIT extends
// try an add operation which should succeed with ACI and group membership change
assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
+
+ // Now, make sure the ACI is persisted if we stop and restart the server
+ // Stop the server now, we will restart it immediately
+ // And shutdown the DS too
+ service.shutdown();
+ assertFalse( service.isStarted() );
+
+ // And restart
+ service.startup();
+
+ assertTrue( service.isStarted() );
+
+ // try an add operation which should succeed with ACI and group membership change
+ assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
}
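Review bot: The comment above the post-restart assertion is a copy of the one at the earlier check and does not say what this assertion proves; suggest `// after shutdown()/startup() the AP cache is rebuilt from the backing store: the ACI must still grant the add`. Because the @After hook no longer closes connections, it is worth confirming that getConnectionAs() does not return a connection bound before `service.shutdown()`, otherwise a passing result here may come from a stale session rather than the reloaded cache.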
@@ -163,11 +195,23 @@ public class AddAuthorizationIT extends
assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to add an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
- + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "billydAdd",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -189,12 +233,26 @@ public class AddAuthorizationIT extends
assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to add an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " + " identificationTag \"addAci\", "
- + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
- + " userPermissions " + " { " + " { "
- + " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "billyAddBySubtree",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " subtree { { base \"ou=users,ou=system\" } } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -216,11 +274,23 @@ public class AddAuthorizationIT extends
assertFalse( checkCanAddEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
- + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
- + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
- + " protectedItems {entry, allUserAttributeTypesAndValues}, "
- + " grantsAndDenials { grantAdd, grantBrowse } " + " } " + " } " + " } " + "}" );
+ createAccessControlSubentry( "anybodyAdd",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now add that test entry which we could not before
// should work now with billyd now that all users are authorized
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java?rev=1059438&r1=1059437&r2=1059438&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/AutzIntegUtils.java Sun Jan 16 02:57:35 2011
@@ -21,10 +21,8 @@ package org.apache.directory.server.core
import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.integ.IntegrationUtils;
-import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.DefaultEntry;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
@@ -91,11 +89,12 @@ public class AutzIntegUtils
{
DN groupDN = new DN( "cn=" + cn + ",ou=groups,ou=system" );
Entry entry = new DefaultEntry( groupDN );
- entry.add( SchemaConstants.OBJECT_CLASS_AT, "groupOfUniqueNames" );
- entry.add( SchemaConstants.UNIQUE_MEMBER_AT, firstMemberDn );
- entry.add( SchemaConstants.CN_AT, cn );
+ entry.add( "ObjectClass", "groupOfUniqueNames" );
+ entry.add( "uniqueMember", firstMemberDn );
+ entry.add( "cn", cn );
getAdminConnection().add( entry );
+
return groupDN;
}
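Review bot: Replacing the SchemaConstants names with string literals gives up the compile-time spelling check, and the new literals are already inconsistent: this hunk writes `"ObjectClass"` and omits `top`, while the createUser and group hunks below (L241, L250) write `"objectClass", "top", ...`. Matching is case-insensitive so both work, but one form is easier to grep and the missing `top` is unusual; suggest `entry.add( "objectClass", "top", "groupOfUniqueNames" );`. The same literal-for-constant substitution appears in the hunks ending at L245, L256, L263, L271 and L276.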
@@ -128,11 +127,11 @@ public class AutzIntegUtils
LdapConnection connection = getAdminConnection();
Entry entry = new DefaultEntry( new DN( "uid=" + uid + ",ou=users,ou=system" ) );
- entry.add( SchemaConstants.UID_AT, uid );
- entry.add( SchemaConstants.OBJECT_CLASS_AT, "person", "organizationalPerson", "inetOrgPerson" );
- entry.add( SchemaConstants.SN_AT, uid );
- entry.add( SchemaConstants.CN_AT, uid );
- entry.add( SchemaConstants.USER_PASSWORD_AT, password );
+ entry.add( "uid", uid );
+ entry.add( "objectClass", "top", "person", "organizationalPerson", "inetOrgPerson" );
+ entry.add( "sn", uid );
+ entry.add( "cn", uid );
+ entry.add( "userPassword", password );
connection.add( entry );
@@ -154,10 +153,10 @@ public class AutzIntegUtils
DN groupDN = new DN( "cn=" + groupName + ",ou=groups,ou=system" );
Entry entry = new DefaultEntry( groupDN );
- entry.add( SchemaConstants.OBJECT_CLASS_AT, "groupOfUniqueNames" );
+ entry.add( "objectClass", "top", "groupOfUniqueNames" );
// TODO might be ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED
- entry.add( SchemaConstants.UNIQUE_MEMBER_AT, "uid=admin, ou=system" );
- entry.add( SchemaConstants.CN_AT, groupName );
+ entry.add( "uniqueMember", "uid=admin, ou=system" );
+ entry.add( "cn", groupName );
getAdminConnection().add( entry );
@@ -179,7 +178,7 @@ public class AutzIntegUtils
ModifyRequest modReq = new ModifyRequestImpl();
modReq.setName( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) );
- modReq.add( SchemaConstants.UNIQUE_MEMBER_AT, "uid=" + userUid + ",ou=users,ou=system" );
+ modReq.add( "uniqueMember", "uid=" + userUid + ",ou=users,ou=system" );
connection.modify( modReq ).getLdapResult().getResultCode();
}
@@ -196,14 +195,14 @@ public class AutzIntegUtils
{
ModifyRequest modReq = new ModifyRequestImpl();
modReq.setName( new DN( "cn=" + groupCn + ",ou=groups,ou=system" ) );
- modReq.remove( SchemaConstants.UNIQUE_MEMBER_AT, "uid=" + userUid + ",ou=users,ou=system" );
+ modReq.remove( "uniqueMember", "uid=" + userUid + ",ou=users,ou=system" );
getAdminConnection().modify( modReq );
}
public static void deleteAccessControlSubentry( String cn ) throws Exception
{
- getAdminConnection().delete( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN );
+ getAdminConnection().delete( "cn=" + cn + "," + "ou=system" );
}
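Review bot: In deleteAccessControlSubentry the DN is built as `"cn=" + cn + "," + "ou=system"`, concatenating two literals where the other hunks of this commit (createAccessControlSubentry, changePresciptiveACI, addPrescriptiveACI) write `",ou=system"` in one literal; suggest `getAdminConnection().delete( "cn=" + cn + ",ou=system" );` for consistency.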
@@ -235,12 +234,12 @@ public class AutzIntegUtils
{
LdapConnection connection = getAdminConnection();
- Entry systemEntry = connection.lookup( ServerDNConstants.SYSTEM_DN, "+", "*" );
+ Entry systemEntry = connection.lookup( "ou=system", "+", "*" );
// modify ou=system to be an AP for an A/C AA if it is not already
EntryAttribute administrativeRole = systemEntry.get( "administrativeRole" );
- if ( administrativeRole == null || !administrativeRole.contains( "accessControlSpecificArea" ) )
+ if ( ( administrativeRole == null ) || !administrativeRole.contains( "accessControlSpecificArea" ) )
{
ModifyRequest modReq = new ModifyRequestImpl();
modReq.setName( systemEntry.getDn() );
@@ -249,11 +248,10 @@ public class AutzIntegUtils
}
// now add the A/C subentry below ou=system
- Entry subEntry = new DefaultEntry( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
- subEntry.add( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.SUBENTRY_OC,
- SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC );
- subEntry.add( SchemaConstants.SUBTREE_SPECIFICATION_AT, subtree );
- subEntry.add( SchemaConstants.PRESCRIPTIVE_ACI_AT, aciItem );
+ Entry subEntry = new DefaultEntry( new DN( "cn=" + cn + ",ou=system" ) );
+ subEntry.add( "objectClass", "top", "subentry", "accessControlSubentry" );
+ subEntry.add( "subtreeSpecification", subtree );
+ subEntry.add( "prescriptiveACI", aciItem );
AddResponse addResp = connection.add( subEntry );
@@ -307,7 +305,7 @@ public class AutzIntegUtils
public static void changePresciptiveACI( String cn, String aciItem ) throws Exception
{
ModifyRequest modReq = new ModifyRequestImpl();
- modReq.setName( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
+ modReq.setName( new DN( "cn=" + cn + ",ou=system" ) );
modReq.replace( "prescriptiveACI", aciItem );
getAdminConnection().modify( modReq );
}
@@ -316,7 +314,7 @@ public class AutzIntegUtils
public static void addPrescriptiveACI( String cn, String aciItem ) throws Exception
{
ModifyRequest modReq = new ModifyRequestImpl();
- modReq.setName( new DN( "cn=" + cn + "," + ServerDNConstants.SYSTEM_DN ) );
+ modReq.setName( new DN( "cn=" + cn + ",ou=system" ) );
modReq.add( "prescriptiveACI", aciItem );
getAdminConnection().modify( modReq );
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java?rev=1059438&r1=1059437&r2=1059438&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/admin/AdministrativePointInterceptor.java Sun Jan 16 02:57:35 2011
@@ -1424,6 +1424,9 @@ public class AdministrativePointIntercep
}
modifiedAdminRole.remove( value );
+ delRole( value.getString(), dn, uuid, acapCacheCopy, caapCacheCopy, teapCacheCopy,
+ ssapCacheCopy );
+
}
break;
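Review bot: The new `delRole( value.getString(), dn, uuid, ... )` call is the "AP cache modification" fix named in the log, but nothing in this commit exercises it: the integration test added in AddAuthorizationIT only stops and restarts the service, it never removes an administrativeRole value through a modify. A test that removes a role value and then checks the corresponding AP is gone from the cache would pin this path; the added empty line before the closing brace also looks stray. The enclosing method starts and ends outside this hunk, so the switch context and the fate of the cache copies cannot be checked from here.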