Posted to commits@directory.apache.org by ak...@apache.org on 2006/02/20 04:58:21 UTC
svn commit: r379013 [3/45] - in /directory/trunks/apacheds: ./ core-plugin/
core-plugin/src/main/java/org/apache/directory/server/core/tools/schema/
core-plugin/src/test/java/org/apache/directory/server/core/tools/schema/
core-shared/ core-shared/src/m...
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationTest.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationTest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationTest.java Sun Feb 19 19:57:02 2006
@@ -53,7 +53,7 @@
* @throws javax.naming.NamingException if there are problems conducting the test
*/
public boolean checkCanCompareTelephoneNumberAs( String uid, String password, String entryRdn, String number )
- throws NamingException
+ throws NamingException
{
// create the entry with the telephoneNumber attribute to compare
Attributes testEntry = new BasicAttributes( "ou", "testou", true );
@@ -61,14 +61,14 @@
testEntry.put( objectClass );
objectClass.add( "top" );
objectClass.add( "organizationalUnit" );
- testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+ testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
DirContext adminContext = getContextAsAdmin();
try
{
// create the entry as admin
- LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
adminContext.createSubcontext( entryRdn, testEntry );
// compare the telephone numbers
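Review bot: The user DN in `new LdapName( "uid=" + uid + ",ou=users,ou=system" )` is built by string concatenation with no escaping of `uid`, so a value containing DN metacharacters such as `,`, `+` or `=` would parse as a different name than the caller intended. The callers visible in this diff pass the literal "billyd", so it is harmless today, but the helper is public; consider escaping the RDN value or assembling the name from its components. The same line appears in DeleteAuthorizationTest (`@@ -63,7 +63,7 @@`) and four times in ModifyAuthorizationTest. The enclosing method starts and ends outside this hunk.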
@@ -106,15 +106,11 @@
// Gives grantCompare, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+ createAccessControlSubentry( "administratorAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
// see if we can now add that test entry which we could not before
// add op should still fail since billd is not in the admin group
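Review bot: The reflowed ACI literal now concatenates adjacent string constants on one line (`"{ " + "identificationTag \"addAci\", " + "precedence 14, "`), which hides the one-component-per-line layout that made the access-control item easy to audit. Either merge the adjacent literals into a single string per line, or keep one ACI component per line and exclude these statements from the formatter. The same prefix (`identificationTag`, `precedence 14`, `authenticationLevel none`, `itemOrUserFirst userFirst:`) is repeated in every `createAccessControlSubentry` call across the three test classes in this commit, so a small helper taking the user class and the permissions would remove the duplication. The enclosing test method continues outside the hunk.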
@@ -142,15 +138,11 @@
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables user billyd to compare an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+ createAccessControlSubentry( "billydAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
// should work now that billyd is authorized by name
assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
@@ -171,15 +163,11 @@
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables user billyd to compare an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+ createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+ + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
@@ -200,22 +188,19 @@
assertFalse( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
+ createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + "grantsAndDenials { grantCompare, grantRead, grantBrowse } } } } }" );
// see if we can now compare that test entry's number which we could not before
// should work with billyd now that all users are authorized
assertTrue( checkCanCompareTelephoneNumberAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
}
-
- public void testPasswordCompare() throws NamingException {
+
+
+ public void testPasswordCompare() throws NamingException
+ {
DirContext adminCtx = getContextAsAdmin();
Attributes user = new BasicAttributes( "uid", "bob", true );
user.put( "userPassword", "bobspassword".getBytes() );
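Review bot: The comment `// now add a subentry that enables anyone to add an entry below ou=system` does not match the ACI beneath it, which grants `grantCompare, grantRead, grantBrowse` to `allUsers`; it should read `// now add a subentry that lets any user compare, read and browse entries below ou=system`. The same copy-paste from the add tests shows in `// add op should still fail since billd is not in the admin group` (hunk `@@ -106,15 +106,11 @@`) and in DeleteAuthorizationTest's `anybodyAdd` hunk, where the grant is `grantRemove`. Also in this hunk, `"bobspassword".getBytes()` uses the platform default charset; naming the charset explicitly would keep the stored password bytes identical on every build host. testPasswordCompare continues outside the hunk.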
@@ -230,7 +215,7 @@
adminCtx.createSubcontext( "uid=bob,ou=users", user );
ServerLdapContext ctx = ( ServerLdapContext ) adminCtx.lookup( "" );
- assertTrue(ctx.compare(new LdapName( "uid=bob,ou=users,ou=system"), "userPassword", "bobspassword"));
+ assertTrue( ctx.compare( new LdapName( "uid=bob,ou=users,ou=system" ), "userPassword", "bobspassword" ) );
}
-
+
}
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/CompareAuthorizationTest.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationTest.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationTest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationTest.java Sun Feb 19 19:57:02 2006
@@ -63,7 +63,7 @@
try
{
// create the entry as the admin
- LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
adminContext.createSubcontext( entryRdn, testEntry );
// delete the newly created context as the user
@@ -95,15 +95,10 @@
// Gives grantRemove perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+ createAccessControlSubentry( "administratorAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
// see if we can now delete that test entry which we could not before
// delete op should still fail since billd is not in the admin group
@@ -131,15 +126,10 @@
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to delete an entry below ou=system
- createAccessControlSubentry( "billydAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+ createAccessControlSubentry( "billydAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
// should work now that billyd is authorized by name
assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -160,15 +150,10 @@
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables user billyd to delte an entry below ou=system
- createAccessControlSubentry( "billyAddBySubtree", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+ createAccessControlSubentry( "billyAddBySubtree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
@@ -189,15 +174,10 @@
assertFalse( checkCanDeleteEntryAs( "billyd", "billyd", "ou=testou" ) );
// now add a subentry that enables anyone to add an entry below ou=system
- createAccessControlSubentry( "anybodyAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
+ createAccessControlSubentry( "anybodyAdd", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { { " + "protectedItems {entry}, "
+ + "grantsAndDenials { grantRemove, grantBrowse } } } } }" );
// see if we can now delete that test entry which we could not before
// should work now with billyd now that all users are authorized
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/DeleteAuthorizationTest.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationTest.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationTest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationTest.java Sun Feb 19 19:57:02 2006
@@ -55,7 +55,7 @@
* @throws javax.naming.NamingException if there are problems conducting the test
*/
public boolean checkCanModifyAs( String uid, String password, String entryRdn, ModificationItem[] mods )
- throws NamingException
+ throws NamingException
{
// create the entry with the telephoneNumber attribute to modify
Attributes testEntry = new BasicAttributes( "ou", "testou", true );
@@ -63,14 +63,14 @@
testEntry.put( objectClass );
objectClass.add( "top" );
objectClass.add( "organizationalUnit" );
- testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+ testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
DirContext adminContext = getContextAsAdmin();
try
{
// create the entry as admin
- LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
adminContext.createSubcontext( entryRdn, testEntry );
// modify the entry as the user
@@ -111,7 +111,7 @@
* @throws javax.naming.NamingException if there are problems conducting the test
*/
public boolean checkCanModifyAs( String uid, String password, String entryRdn, int modOp, Attributes mods )
- throws NamingException
+ throws NamingException
{
// create the entry with the telephoneNumber attribute to modify
Attributes testEntry = new BasicAttributes( "ou", "testou", true );
@@ -119,14 +119,14 @@
testEntry.put( objectClass );
objectClass.add( "top" );
objectClass.add( "organizationalUnit" );
- testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
+ testEntry.put( "telephoneNumber", "867-5309" ); // jenny don't change your number
DirContext adminContext = getContextAsAdmin();
try
{
// create the entry as admin
- LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
adminContext.createSubcontext( entryRdn, testEntry );
// modify the entry as the user
@@ -160,13 +160,12 @@
* false otherwise.
* @throws javax.naming.NamingException if there are problems conducting the test
*/
- public boolean checkCanSelfModify( String uid, String password, int modOp, Attributes mods )
- throws NamingException
+ public boolean checkCanSelfModify( String uid, String password, int modOp, Attributes mods ) throws NamingException
{
try
{
// modify the entry as the user
- Name userEntry = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ Name userEntry = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
userContext.modifyAttributes( "", modOp, mods );
return true;
@@ -190,13 +189,12 @@
* false otherwise.
* @throws javax.naming.NamingException if there are problems conducting the test
*/
- public boolean checkCanSelfModify( String uid, String password, ModificationItem[] mods )
- throws NamingException
+ public boolean checkCanSelfModify( String uid, String password, ModificationItem[] mods ) throws NamingException
{
try
{
// modify the entry as the user
- Name userEntry = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ Name userEntry = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
DirContext userContext = getContextAs( userEntry, password, userEntry.toString() );
userContext.modifyAttributes( "", mods );
return true;
@@ -240,25 +238,20 @@
createUser( "billyd", "billyd" );
// create the password modification
- ModificationItem[] mods = toItems( DirContext.REPLACE_ATTRIBUTE,
- new BasicAttributes( "userPassword", "williams", true ) );
+ ModificationItem[] mods = toItems( DirContext.REPLACE_ATTRIBUTE, new BasicAttributes( "userPassword",
+ "williams", true ) );
// try a modify operation which should fail without any ACI
assertFalse( checkCanSelfModify( "billyd", "billyd", mods ) );
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "selfModifyUserPassword",
- "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { thisEntry }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } }, " +
- "{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } " +
- "} } }" );
+ createAccessControlSubentry( "selfModifyUserPassword", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { thisEntry }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } }, "
+ + "{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI
assertTrue( checkCanSelfModify( "billyd", "billyd", mods ) );
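Review bot: The comment above the `selfModifyUserPassword` subentry says it gives grantModify and grantRead "to all users in the Administrators group", but the ACI uses `userClasses { thisEntry }` and limits attribute changes to `allAttributeValues {userPassword}`. In an authorization test the comment is what a reader checks the policy against, so it should say something like `// Lets each user modify its own entry and add/remove userPassword values on it`. The later hunks in this file carry the same comment above ACIs that grant `grantModify, grantBrowse` plus per-attribute `grantAdd`/`grantRemove` with no `grantRead`, so those comments overstate the grant as well. The enclosing test method starts outside the hunk.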
@@ -278,8 +271,8 @@
// ----------------------------------------------------------------------------------
// create the add modifications
- ModificationItem[] mods = toItems( DirContext.ADD_ATTRIBUTE,
- new BasicAttributes( "registeredAddress", "100 Park Ave.", true ) );
+ ModificationItem[] mods = toItems( DirContext.ADD_ATTRIBUTE, new BasicAttributes( "registeredAddress",
+ "100 Park Ave.", true ) );
// create the non-admin user
createUser( "billyd", "billyd" );
@@ -289,17 +282,11 @@
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd",
- "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
// see if we can now add that test entry which we could not before
// add op should still fail since billd is not in the admin group
@@ -317,24 +304,18 @@
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- mods = toItems( DirContext.REMOVE_ATTRIBUTE,
- new BasicAttributes( "telephoneNumber", "867-5309", true ) );
+ mods = toItems( DirContext.REMOVE_ATTRIBUTE, new BasicAttributes( "telephoneNumber", "867-5309", true ) );
// make sure we cannot remove the telephone number from the test entry
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -345,24 +326,19 @@
// ----------------------------------------------------------------------------------
// now let's test to see if we can perform a modify with a delete op
- mods = toItems( DirContext.REPLACE_ATTRIBUTE,
- new BasicAttributes( "telephoneNumber", "867-5309", true ) );
+ mods = toItems( DirContext.REPLACE_ATTRIBUTE, new BasicAttributes( "telephoneNumber", "867-5309", true ) );
// make sure we cannot remove the telephone number from the test entry
assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
@@ -375,7 +351,6 @@
// ----------------------------------------------------------------------------------
// Modify with Attribute Addition
// ----------------------------------------------------------------------------------
-
// create the add modifications
Attributes changes = new BasicAttributes( "registeredAddress", "100 Park Ave.", true );
@@ -384,16 +359,11 @@
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyAdd", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyAdd", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {registeredAddress}}, grantsAndDenials { grantAdd } } " + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.ADD_ATTRIBUTE, changes ) );
@@ -411,16 +381,11 @@
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyRemove", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyRemove", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantRemove } } " + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REMOVE_ATTRIBUTE, changes ) );
@@ -438,107 +403,102 @@
// Gives grantModify, and grantRead perm to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "administratorModifyReplace", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { " +
- "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, " +
- "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } " +
- "} } }" );
+ createAccessControlSubentry( "administratorModifyReplace", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { "
+ + "{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse } }, "
+ + "{ protectedItems {allAttributeValues {telephoneNumber}}, grantsAndDenials { grantAdd, grantRemove } } "
+ + "} } }" );
// try a modify operation which should succeed with ACI and group membership change
assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", DirContext.REPLACE_ATTRIBUTE, changes ) );
deleteAccessControlSubentry( "administratorModifyReplace" );
}
-
-// /**
-// * Checks to make sure name based userClass works for modify operations.
-// *
-// * @throws javax.naming.NamingException if the test encounters an error
-// */
-// public void testGrantModifyByName() throws NamingException
-// {
-// // create the non-admin user
-// createUser( "billyd", "billyd" );
-//
-// // try an modify operation which should fail without any ACI
-// assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-//
-// // now add a subentry that enables user billyd to modify an entry below ou=system
-// createAccessControlSubentry( "billydAdd", "{ " +
-// "identificationTag \"addAci\", " +
-// "precedence 14, " +
-// "authenticationLevel none, " +
-// "itemOrUserFirst userFirst: { " +
-// "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
-// "userPermissions { { " +
-// "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-// "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
-//
-// // should work now that billyd is authorized by name
-// assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-// }
-//
-//
-// /**
-// * Checks to make sure subtree based userClass works for modify operations.
-// *
-// * @throws javax.naming.NamingException if the test encounters an error
-// */
-// public void testGrantModifyBySubtree() throws NamingException
-// {
-// // create the non-admin user
-// createUser( "billyd", "billyd" );
-//
-// // try a modify operation which should fail without any ACI
-// assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-//
-// // now add a subentry that enables user billyd to modify an entry below ou=system
-// createAccessControlSubentry( "billyAddBySubtree", "{ " +
-// "identificationTag \"addAci\", " +
-// "precedence 14, " +
-// "authenticationLevel none, " +
-// "itemOrUserFirst userFirst: { " +
-// "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
-// "userPermissions { { " +
-// "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-// "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
-//
-// // should work now that billyd is authorized by the subtree userClass
-// assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-// }
-//
-//
-// /**
-// * Checks to make sure <b>allUsers</b> userClass works for modify operations.
-// *
-// * @throws javax.naming.NamingException if the test encounters an error
-// */
-// public void testGrantModifyAllUsers() throws NamingException
-// {
-// // create the non-admin user
-// createUser( "billyd", "billyd" );
-//
-// // try an add operation which should fail without any ACI
-// assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-//
-// // now add a subentry that enables anyone to add an entry below ou=system
-// createAccessControlSubentry( "anybodyAdd", "{ " +
-// "identificationTag \"addAci\", " +
-// "precedence 14, " +
-// "authenticationLevel none, " +
-// "itemOrUserFirst userFirst: { " +
-// "userClasses { allUsers }, " +
-// "userPermissions { { " +
-// "protectedItems {entry, allUserAttributeTypesAndValues}, " +
-// "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
-//
-// // see if we can now modify that test entry's number which we could not before
-// // should work with billyd now that all users are authorized
-// assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
-// }
+ // /**
+ // * Checks to make sure name based userClass works for modify operations.
+ // *
+ // * @throws javax.naming.NamingException if the test encounters an error
+ // */
+ // public void testGrantModifyByName() throws NamingException
+ // {
+ // // create the non-admin user
+ // createUser( "billyd", "billyd" );
+ //
+ // // try an modify operation which should fail without any ACI
+ // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ //
+ // // now add a subentry that enables user billyd to modify an entry below ou=system
+ // createAccessControlSubentry( "billydAdd", "{ " +
+ // "identificationTag \"addAci\", " +
+ // "precedence 14, " +
+ // "authenticationLevel none, " +
+ // "itemOrUserFirst userFirst: { " +
+ // "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ // "userPermissions { { " +
+ // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+ //
+ // // should work now that billyd is authorized by name
+ // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ // }
+ //
+ //
+ // /**
+ // * Checks to make sure subtree based userClass works for modify operations.
+ // *
+ // * @throws javax.naming.NamingException if the test encounters an error
+ // */
+ // public void testGrantModifyBySubtree() throws NamingException
+ // {
+ // // create the non-admin user
+ // createUser( "billyd", "billyd" );
+ //
+ // // try a modify operation which should fail without any ACI
+ // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ //
+ // // now add a subentry that enables user billyd to modify an entry below ou=system
+ // createAccessControlSubentry( "billyAddBySubtree", "{ " +
+ // "identificationTag \"addAci\", " +
+ // "precedence 14, " +
+ // "authenticationLevel none, " +
+ // "itemOrUserFirst userFirst: { " +
+ // "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
+ // "userPermissions { { " +
+ // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+ //
+ // // should work now that billyd is authorized by the subtree userClass
+ // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ // }
+ //
+ //
+ // /**
+ // * Checks to make sure <b>allUsers</b> userClass works for modify operations.
+ // *
+ // * @throws javax.naming.NamingException if the test encounters an error
+ // */
+ // public void testGrantModifyAllUsers() throws NamingException
+ // {
+ // // create the non-admin user
+ // createUser( "billyd", "billyd" );
+ //
+ // // try an add operation which should fail without any ACI
+ // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ //
+ // // now add a subentry that enables anyone to add an entry below ou=system
+ // createAccessControlSubentry( "anybodyAdd", "{ " +
+ // "identificationTag \"addAci\", " +
+ // "precedence 14, " +
+ // "authenticationLevel none, " +
+ // "itemOrUserFirst userFirst: { " +
+ // "userClasses { allUsers }, " +
+ // "userPermissions { { " +
+ // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
+ //
+ // // see if we can now modify that test entry's number which we could not before
+ // // should work with billyd now that all users are authorized
+ // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ // }
}
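Review bot: The three commented-out tests at the end of this hunk (`testGrantModifyByName`, `testGrantModifyBySubtree`, `testGrantModifyAllUsers`) are re-indented but kept as dead code. They call `checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" )` with four arguments, while the live call earlier in the hunk passes `DirContext.REPLACE_ATTRIBUTE, changes`, so they would presumably not compile if uncommented. As far as this hunk shows, modify authorization is exercised only through the `userGroup` user class, leaving the `name`, `subtree` and `allUsers` classes without coverage. Either port the three tests to the current helper signature or delete them and leave a single marker such as `// TODO: add modify tests for the name, subtree and allUsers userClasses`. The class body starts outside the hunk.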
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationTest.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id
Modified: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationTest.java
URL: http://svn.apache.org/viewcvs/directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationTest.java?rev=379013&r1=379012&r2=379013&view=diff
==============================================================================
--- directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationTest.java (original)
+++ directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationTest.java Sun Feb 19 19:57:02 2006
@@ -48,7 +48,7 @@
* @throws javax.naming.NamingException if there are problems conducting the test
*/
public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newRdn )
- throws NamingException
+ throws NamingException
{
Attributes testEntry = new BasicAttributes( "ou", "testou", true );
Attribute objectClass = new BasicAttribute( "objectClass" );
@@ -62,7 +62,7 @@
// create the new entry as the admin user
adminContext.createSubcontext( entryRdn, testEntry );
- LdapName userName = new LdapName( "uid="+uid+",ou=users,ou=system" );
+ LdapName userName = new LdapName( "uid=" + uid + ",ou=users,ou=system" );
DirContext userContext = getContextAs( userName, password );
userContext.rename( entryRdn, newRdn );
@@ -99,15 +99,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantRenameByAdmin", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
// see if we can now rename that test entry which we could not before
// rename op should still fail since billyd is not in the admin group
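Review bot: The reformatted ACI literal in `createAccessControlSubentry( "grantRenameByAdmin", ... )` is harder to audit than the version it replaces, because separate literals now sit on one line (`"{ " + "identificationTag \"addAci\", " + "precedence 14, "`) and the line breaks no longer follow the ACIItem structure. This string is the access-control policy under test, so a reader should be able to see at a glance which user class receives which grants. I would keep one ACIItem component per line and exclude these calls from the formatter, or at least merge the adjacent literals. The same applies to every other `createAccessControlSubentry` call reformatted in this file and to the one in ModifyAuthorizationTest. Separately, every subentry here carries `identificationTag \"addAci\"` even though it grants rename, import or export; a tag that matches the subentry name, for example `identificationTag \"grantRenameByAdmin\"`, would make a failing test easier to trace. The enclosing test method starts and ends outside the hunk.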
@@ -136,15 +131,11 @@
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
- createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, "
+ + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -172,15 +163,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantMoveByAdmin", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// see if we can now move that test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -218,15 +204,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm specifically to the billyd user
- createAccessControlSubentry( "grantRenameByName", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -246,15 +227,11 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
- createAccessControlSubentry( "grantRenameMoveByName", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, "
+ + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
@@ -274,15 +251,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
- createAccessControlSubentry( "grantMoveByName", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
@@ -312,15 +284,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to those users selected by the subtree
- createAccessControlSubentry( "grantRenameByTree", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -340,15 +307,11 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
- createAccessControlSubentry( "grantRenameMoveByTree", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+ + "protectedItems {entry}, "
+ + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
@@ -368,15 +331,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
- createAccessControlSubentry( "grantMoveByTree", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
+ + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
@@ -406,15 +364,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to any user
- createAccessControlSubentry( "grantRenameByAny", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { { " + "protectedItems {entry}, "
+ + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -434,15 +387,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
- createAccessControlSubentry( "grantRenameMoveByAny", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", "
+ + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+ + "userClasses { allUsers }, " + "userPermissions { { " + "protectedItems {entry}, "
+ + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
@@ -462,15 +410,10 @@
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
- createAccessControlSubentry( "grantMoveByAny", "{ " +
- "identificationTag \"addAci\", " +
- "precedence 14, " +
- "authenticationLevel none, " +
- "itemOrUserFirst userFirst: { " +
- "userClasses { allUsers }, " +
- "userPermissions { { " +
- "protectedItems {entry}, " +
- "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+ createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
+ + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
+ + "userPermissions { { " + "protectedItems {entry}, "
+ + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
// try move operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=testou,ou=groups" ) );
Propchange: directory/trunks/apacheds/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationTest.java
------------------------------------------------------------------------------
--- svn:keywords (added)
+++ svn:keywords Sun Feb 19 19:57:02 2006
@@ -0,0 +1,4 @@
+Rev
+Revision
+Date
+Id