Posted to commits@directory.apache.org by er...@apache.org on 2006/08/29 20:28:19 UTC

svn commit: r438144 - /directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java

Author: ersiner
Date: Tue Aug 29 11:28:19 2006
New Revision: 438144

URL: http://svn.apache.org/viewvc?rev=438144&view=rev
Log:
Added a test case to show that EXPORT/IMPORT permissions are not handled correctly.

Modified:
    directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java

Modified: directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java
URL: http://svn.apache.org/viewvc/directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java?rev=438144&r1=438143&r2=438144&view=diff
==============================================================================
--- directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java (original)
+++ directory/branches/apacheds/1.0/core-unit/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationITest.java Tue Aug 29 11:28:19 2006
@@ -65,7 +65,7 @@
             // create the new entry as the admin user
             adminContext.createSubcontext( entryRdn, testEntry );
 
-            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" );
+            LdapDN userName = new LdapDN( "uid=" + uid + ",ou=users,ou=system" ); 
             DirContext userContext = getContextAs( userName, password );
             userContext.rename( entryRdn, newRdn );
 
@@ -425,4 +425,80 @@
         deleteAccessControlSubentry( "grantMoveByAny" );
         deleteUser( "billyd" );
     }
+    
+    
+    /**
+     * FIXME: THIS TEST FAILS
+     * 
+     * Checks to make sure Export and Import permissions work correctly
+     * when they are defined on seperate contexts.
+     *
+     * @throws javax.naming.NamingException if the test encounters an error
+     */
+    /*
+    public void testExportAndImportSeperately() throws NamingException
+    {
+        // ----------------------------------------------------------------------------
+        // Test move and RDN change at the same time.
+        // ----------------------------------------------------------------------------
+
+        // create the non-admin user
+        createUser( "billyd", "billyd" );
+
+        // try an move w/ rdn change which should fail without any ACI
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        
+        // Gives grantBrowse perm to all users in the Administrators
+        // group for entries
+        // It's is needed just to read navigate the tree at root
+        createAccessControlSubentry(
+            "grantBrowseForTheWholeNamingContext",
+            "{ }",
+            "{ " + "identificationTag \"browseACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantBrowse } } } } }" );
+        
+        // Gives grantExport, grantRename perm to all users in the Administrators
+        // group for entries
+        createAccessControlSubentry(
+            "grantExportFromASubtree",
+            "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" }
+            "{ " + "identificationTag \"exportACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantExport, grantRename } } } } }" );
+        
+        // Gives grantImport perm to all users in the Administrators
+        // group for the target context
+        createAccessControlSubentry(
+            "grantImportToASubtree",
+            "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" }
+            "{ " + "identificationTag \"importACI\", "
+            + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
+            + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
+            + "protectedItems { entry }, "
+            + "grantsAndDenials { grantImport } } } } }" );
+
+        // see if we can move and rename the test entry which we could not before
+        // op should still fail since billyd is not in the admin group
+        assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now add billyd to the Administrator group and try again
+        addUserToGroup( "billyd", "Administrators" );
+
+        // try move w/ rdn change which should succeed with ACI and group membership change
+        assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname,ou=groups" ) );
+
+        // now let's cleanup
+        removeUserFromGroup( "billyd", "Administrators" );
+        deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
+        deleteAccessControlSubentry( "grantExportFromASubtree" );
+        deleteAccessControlSubentry( "grantImportToASubtree" );
+        deleteUser( "billyd" );
+    }
+    */
 }
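Review bot: The new `testExportAndImportSeperately` is wrapped in `/* ... */`, so the authorization defect it documents has no executable check and the Javadoc above it is attached to nothing. The `FIXME: THIS TEST FAILS` line should at least name a tracking issue, e.g. `FIXME(<ISSUE-ID>): fails until export/import grants on separate contexts are evaluated correctly`. Once the test is enabled, the five cleanup calls at the end run only if every assertion passes, so a failure would leave `billyd` and the three ACI subentries behind; other tests in this class appear to reuse `billyd` (see the `deleteUser( "billyd" )` just above), so the cleanup belongs in a `finally` block. The test also covers only the case where both grants exist. If the intended rule is that a move needs export at the source and import at the target, add cases with only `grantExportFromASubtree` or only `grantImportToASubtree` present, each asserting `assertFalse( checkCanRenameAs( ... ) )` after the group membership is added, so that a half-granted move is pinned as denied.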