Posted to commits@directory.apache.org by ka...@apache.org on 2010/08/20 21:32:02 UTC
svn commit: r987611 [4/13] - in /directory/apacheds/trunk: ./ all/
core-annotations/ core-api/
core-api/src/main/java/org/apache/directory/server/core/
core-api/src/main/java/org/apache/directory/server/core/event/
core-api/src/main/java/org/apache/dir...
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=987611&r1=987610&r2=987611&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Fri Aug 20 19:31:58 2010
@@ -19,6 +19,7 @@
*/
package org.apache.directory.server.core.authz;
+
import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
@@ -31,13 +32,13 @@ import static org.junit.Assert.assertFal
import static org.junit.Assert.assertTrue;
import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.message.ModifyDnResponse;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.integ.IntegrationUtils;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.DefaultEntry;
import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.message.ModifyDnResponse;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.DN;
import org.junit.After;
@@ -51,44 +52,45 @@ import org.junit.runner.RunWith;
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
-@RunWith ( FrameworkRunner.class )
+@RunWith(FrameworkRunner.class)
public class MoveRenameAuthorizationIT extends AbstractLdapTestUnit
{
@Before
public void setService()
{
- AutzIntegUtils.service = service;
- service.setAccessControlEnabled( true );
+ AutzIntegUtils.service = service;
+ service.setAccessControlEnabled( true );
}
-
+
+
@After
public void closeConnections()
{
IntegrationUtils.closeConnections();
}
-
-
+
+
public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newNameRdn ) throws Exception
{
DN entryDN = new DN( entryRdn + ",ou=system" );
boolean result;
-
+
Entry testEntry = new DefaultEntry( entryDN );
testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
testEntry.add( SchemaConstants.OU_AT, "testou" );
-
+
LdapConnection adminConnection = getAdminConnection();
// create the new entry as the admin user
adminConnection.add( testEntry );
-
+
DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
-
+
LdapConnection userConnection = getConnectionAs( userName, password );
ModifyDnResponse resp = userConnection.rename( entryDN.getName(), newNameRdn );
-
- if( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
+
+ if ( resp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
{
userConnection.delete( newNameRdn + ",ou=system" );
result = true;
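Review bot: The success-path cleanup `userConnection.delete( newNameRdn + ",ou=system" );` runs as the user under test, whose ACIs in this file grant only rename and browse (e.g. `grantsAndDenials { grantRename, grantBrowse }`), and the delete's response is never checked, so a refused delete would leave the renamed entry behind for later tests; the fact that checkCanMoveAndRenameAs counts ENTRY_ALREADY_EXISTS as a successful rename may be a symptom of exactly that leftover state. The failure branch already cleans up as admin, and the success branch should do the same: `adminConnection.delete( newNameRdn + ",ou=system" );`. Whether the client throws or only returns an error result on a refused delete is not visible here; the admin connection is the safe choice either way. checkCanRenameAs continues past the end of this hunk.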
@@ -98,11 +100,11 @@ public class MoveRenameAuthorizationIT e
adminConnection.delete( entryDN );
result = false;
}
-
+
return result;
}
-
-
+
+
/**
* Checks if a simple entry (organizationalUnit) can be renamed at an RDN relative
* to ou=system by a specific non-admin user. If a permission exception
@@ -119,28 +121,28 @@ public class MoveRenameAuthorizationIT e
* @return true if the entry can be renamed by the user at the specified location, false otherwise
* @throws Exception if there are problems conducting the test
*/
- public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn, String newParentRdn )
- throws Exception
+ public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn,
+ String newParentRdn ) throws Exception
{
DN entryDN = new DN( entryRdn + ",ou=system" );
boolean result;
-
+
Entry testEntry = new DefaultEntry( entryDN );
testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
testEntry.add( SchemaConstants.OU_AT, "testou" );
-
+
LdapConnection adminConnection = getAdminConnection();
// create the new entry as the admin user
adminConnection.add( testEntry );
-
+
DN userName = new DN( "uid=" + uid + ",ou=users,ou=system" );
-
+
LdapConnection userConnection = getConnectionAs( userName, password );
boolean isMoved = false;
ModifyDnResponse moveResp = userConnection.move( entryDN.getName(), newParentRdn + ",ou=system" );
-
+
if ( moveResp.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS )
{
isMoved = true;
@@ -150,11 +152,12 @@ public class MoveRenameAuthorizationIT e
adminConnection.delete( entryDN );
return false;
}
-
- ModifyDnResponse resp = userConnection.rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn );
-
+
+ ModifyDnResponse resp = userConnection
+ .rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn );
+
ResultCodeEnum code = resp.getLdapResult().getResultCode();
-
+
if ( ( code == ResultCodeEnum.SUCCESS ) || ( code == ResultCodeEnum.ENTRY_ALREADY_EXISTS ) )
{
userConnection.delete( newNameRdn + "," + newParentRdn + ",ou=system" );
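Review bot: The post-move DN built at `.rename( entryRdn + "," + newParentRdn + ",ou=system", newNameRdn )` is only right when entryRdn is a single RDN; one caller in this file passes `"ou=testou,ou=users"`, and after a move to `ou=groups` that entry lives at `ou=testou,ou=groups,ou=system`, not at the concatenated DN. In the visible callers the move is expected to be refused before this line is reached, so the assumption is latent today, but the cleanup in the following hunk, `entryDN = entryDN.add( 1, newParentRdn );`, appears to rely on it as well. Deriving the moved DN from the leaf RDN of entryDN (e.g. `entryDN.getRdn().getName() + "," + newParentRdn + ",ou=system"`) would make the helper correct for both forms. checkCanMoveAndRenameAs starts before this hunk and ends after it.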
@@ -162,15 +165,15 @@ public class MoveRenameAuthorizationIT e
}
else
{
- if( isMoved )
+ if ( isMoved )
{
entryDN = entryDN.add( 1, newParentRdn );
adminConnection.delete( entryDN );
}
-
+
result = false;
}
-
+
// delete the renamed context as the admin user
return result;
}
@@ -196,27 +199,11 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm to all users in the Administrators group for entries
- createAccessControlSubentry(
- "grantRenameByAdmin",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameByAdmin", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
// see if we can now rename that test entry which we could not before
// rename op should still fail since billyd is not in the admin group
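Review bot: The reformatted call `createAccessControlSubentry( "grantRenameByAdmin", "{ " + " identificationTag \"addAci\", " ...` folds what was one ACI component per line into wrapped concatenation, so the nesting of userClasses and userPermissions can no longer be read off the source; the same applies to every other ACI hunk in this file and to the searchAdmin, billydSearch and billySearchBySubtree hunks in SearchAuthorizationIT. All of these differ only in the identification tag, the user class and the granted permissions, so a small class-level helper would keep them readable and remove the duplication; the three-argument (subtree-scoped) calls near the end of the file could use the same helper for their ACI argument. The protectedItems spelling varies across them (`{entry}` versus `{ entry }`), presumably equivalent to the ACI parser, but worth confirming before unifying.
```java
// … unchanged: test body up to the ACI definition …
createAccessControlSubentry( "grantRenameByAdmin",
    userFirstAci( "addAci", "userGroup { \"cn=Administrators,ou=groups,ou=system\" }",
        "grantRename, grantBrowse" ) );

// … at class level, alongside checkCanRenameAs …
/** Builds the userFirst ACI shared by these tests; only the tag, user class and granted permissions vary. */
private static String userFirstAci( String tag, String userClasses, String grants )
{
    return "{ identificationTag \"" + tag + "\", precedence 14, authenticationLevel none, "
        + "itemOrUserFirst userFirst: { userClasses { " + userClasses + " }, "
        + "userPermissions { { protectedItems {entry}, grantsAndDenials { " + grants + " } } } } }";
}
```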
@@ -245,27 +232,12 @@ public class MoveRenameAuthorizationIT e
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
- createAccessControlSubentry(
- "grantRenameMoveByAdmin",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -293,27 +265,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
- createAccessControlSubentry(
- "grantMoveByAdmin",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantMoveByAdmin", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses " + " { " + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } "
+ + " }, " + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now move that test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -352,24 +309,11 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm specifically to the billyd user
- createAccessControlSubentry(
- "grantRenameByName",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameByName", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -389,24 +333,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
- createAccessControlSubentry(
- "grantRenameMoveByName",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameMoveByName", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -426,24 +358,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
- createAccessControlSubentry(
- "grantMoveByName",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantMoveByName", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -474,27 +394,11 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to those users selected by the subtree
- createAccessControlSubentry(
- "grantRenameByTree",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " subtree { { base \"ou=users,ou=system\" } } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameByTree", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
+ + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantRename, grantBrowse } " + " } " + " } " + " } " + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -514,26 +418,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
- createAccessControlSubentry(
- "grantRenameMoveByTree",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: { " +
- " userClasses " +
- " { " +
- " subtree { { base \"ou=users,ou=system\" } } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameMoveByTree", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: { "
+ + " userClasses " + " { " + " subtree { { base \"ou=users,ou=system\" } } " + " }, "
+ + " userPermissions " + " { " + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -553,27 +443,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
- createAccessControlSubentry(
- "grantMoveByTree",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " subtree { { base \"ou=users,ou=system\" } } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantMoveByTree", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + " userClasses " + " { "
+ + " subtree { { base \"ou=users,ou=system\" } } " + " }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -604,24 +479,11 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to any user
- createAccessControlSubentry(
- "grantRenameByAny",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameByAny", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry}, " + " grantsAndDenials { grantRename, grantBrowse } "
+ + " } " + " } " + " } " + "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -641,24 +503,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
- createAccessControlSubentry(
- "grantRenameMoveByAny",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantRenameMoveByAny", "{ " + " identificationTag \"addAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -678,24 +528,12 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
- createAccessControlSubentry(
- "grantMoveByAny",
- "{ " +
- " identificationTag \"addAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry}, " +
- " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantMoveByAny", "{ " + " identificationTag \"addAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry}, "
+ + " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -704,8 +542,8 @@ public class MoveRenameAuthorizationIT e
deleteAccessControlSubentry( "grantMoveByAny" );
deleteUser( "billyd" );
}
-
-
+
+
/**
* Checks to make sure Export and Import permissions work correctly
* when they are defined on seperate contexts.
@@ -725,73 +563,33 @@ public class MoveRenameAuthorizationIT e
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
-
// Gives grantBrowse perm to all users in the Administrators
// group for entries
// It's is needed just to read navigate the tree at root
- createAccessControlSubentry(
- "grantBrowseForTheWholeNamingContext",
- "{ }",
- "{ " +
- " identificationTag \"browseACI\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems { entry }, " +
- " grantsAndDenials { grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
-
+ createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }", "{ "
+ + " identificationTag \"browseACI\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
+ + " { " + " { " + " protectedItems { entry }, "
+ + " grantsAndDenials { grantBrowse } " + " } " + " } " + " } " + "}" );
+
// Gives grantExport, grantRename perm to all users in the Administrators
// group for entries
- createAccessControlSubentry(
- "grantExportFromASubtree",
- "{ base \"ou=users\" }",
- "{ " +
- " identificationTag \"exportACI\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems { entry }, " +
- " grantsAndDenials { grantExport, grantRename } " +
- " } " +
- " } " +
- " } " +
- "}" );
-
+ createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }", "{ "
+ + " identificationTag \"exportACI\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
+ + " { " + " { " + " protectedItems { entry }, "
+ + " grantsAndDenials { grantExport, grantRename } " + " } " + " } " + " } " + "}" );
+
// Gives grantImport perm to all users in the Administrators
// group for the target context
- createAccessControlSubentry(
- "grantImportToASubtree",
- "{ base \"ou=groups\" }",
- "{ " +
- " identificationTag \"importACI\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems { entry }, " +
- " grantsAndDenials { grantImport } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }", "{ "
+ + " identificationTag \"importACI\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + " userPermissions "
+ + " { " + " { " + " protectedItems { entry }, "
+ + " grantsAndDenials { grantImport } " + " } " + " } " + " } " + "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=987611&r1=987610&r2=987611&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Fri Aug 20 19:31:58 2010
@@ -39,8 +39,6 @@ import java.util.HashMap;
import java.util.Map;
import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.message.SearchResponse;
-import org.apache.directory.ldap.client.api.message.SearchResultEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
@@ -50,6 +48,8 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.entry.DefaultEntry;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.filter.SearchScope;
+import org.apache.directory.shared.ldap.message.Response;
+import org.apache.directory.shared.ldap.message.SearchResultEntry;
import org.apache.directory.shared.ldap.name.DN;
import org.junit.After;
import org.junit.Before;
@@ -65,13 +65,14 @@ import org.junit.runner.RunWith;
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
@RunWith(FrameworkRunner.class)
-@CreateDS( enableAccessControl=true )
+@CreateDS(enableAccessControl = true)
public class SearchAuthorizationIT extends AbstractLdapTestUnit
{
// to avoid creating too many connections during recursive operations
private LdapConnection reusableAdminCon;
-
+
+
@Before
public void setService() throws Exception
{
@@ -79,13 +80,13 @@ public class SearchAuthorizationIT exten
reusableAdminCon = getAdminConnection();
}
+
@After
public void closeConnections()
{
IntegrationUtils.closeConnections();
}
-
-
+
/**
* The search results of tests are added to this map via put (<String, Entry>)
* the map is also cleared before each search test. This allows further inspections
@@ -104,11 +105,11 @@ public class SearchAuthorizationIT exten
private Entry[] getTestNodes( final int count )
{
Entry[] entries = new DefaultEntry[count];
-
+
for ( int i = 0; i < count; i++ )
{
Entry entry = new DefaultEntry();
-
+
try
{
entry.add( "objectClass", "organizationalUnit" );
@@ -119,7 +120,7 @@ public class SearchAuthorizationIT exten
{
e.printStackTrace();
}
-
+
entries[i] = entry;
}
@@ -190,7 +191,8 @@ public class SearchAuthorizationIT exten
*/
private void recursivelyDelete( DN rdn ) throws Exception
{
- Cursor<SearchResponse> results = reusableAdminCon.search( rdn.getName(), "(objectClass=*)", SearchScope.ONELEVEL, "*" );
+ Cursor<Response> results = reusableAdminCon.search( rdn.getName(), "(objectClass=*)",
+ SearchScope.ONELEVEL, "*" );
while ( results.next() )
{
@@ -275,7 +277,7 @@ public class SearchAuthorizationIT exten
DN userDn = new DN( "uid=" + uid + ",ou=users,ou=system" );
results.clear();
LdapConnection userCtx = getConnectionAs( userDn, password );
- Cursor<SearchResponse> cursor = userCtx.search( base.getName(), filter, scope, "*" );
+ Cursor<Response> cursor = userCtx.search( base.getName(), filter, scope, "*" );
int counter = 0;
while ( cursor.next() )
@@ -315,7 +317,7 @@ public class SearchAuthorizationIT exten
results.clear();
LdapConnection userCtx = getConnectionAs( userDn, password );
- Cursor<SearchResponse> cursor = userCtx.search( base.getName(), "(objectClass=*)", scope, "*" );
+ Cursor<Response> cursor = userCtx.search( base.getName(), "(objectClass=*)", scope, "*" );
int counter = 0;
while ( cursor.next() )
@@ -344,8 +346,8 @@ public class SearchAuthorizationIT exten
LdapConnection connection = getAdminConnection();
DN base = addSearchData( new DN( "ou=system" ), 3, 10 );
- Cursor<SearchResponse> results = connection
- .search( base.getName(), "(objectClass=*)", SearchScope.SUBTREE, "+" );
+ Cursor<Response> results = connection.search( base.getName(), "(objectClass=*)", SearchScope.SUBTREE,
+ "+" );
int counter = 0;
while ( results.next() )
@@ -382,27 +384,12 @@ public class SearchAuthorizationIT exten
// Gives search perms to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry(
- "searchAdmin",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "searchAdmin", "{ " + " identificationTag \"searchAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + " userClasses " + " { "
+ + " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " + " }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search that test entry which we could not before
// add or should still fail since billd is not in the admin group
@@ -431,27 +418,12 @@ public class SearchAuthorizationIT exten
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add a subentry that enables user billyd to search an entry below ou=system
- createAccessControlSubentry(
- "billydSearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " name { \"uid=billyd,ou=users,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " }" +
- " } " +
- "}" );
+ createAccessControlSubentry( "billydSearch", "{ " + " identificationTag \"searchAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + " userClasses " + " { "
+ + " name { \"uid=billyd,ou=users,ou=system\" } " + " }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " }" + " } "
+ + "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
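Review bot: The rewritten `createAccessControlSubentry( "billydSearch", ... )` call collapses the ACI literal's one-clause-per-line layout into wrapped string concatenation, so the nesting of the `userClasses` / `userPermissions` braces is no longer visible and a reviewer can no longer check the ACI grammar at a glance; the same applies to every other ACI-string hunk in this file, from `@@ -474,27` through `@@ -1207,28`. This looks like an automatic formatter run rather than an intentional change, and the multi-line form was the more readable one for these literals. Since the "searchAci" grant body (`userClasses { allUsers }` with `grantRead, grantReturnDN, grantBrowse`) is repeated verbatim across most of these tests, an alternative is to hoist it into a `private static final String` constant with one ACI clause per line and pass that constant, leaving only the identificationTag/precedence/userClasses differences inline. The enclosing test method starts and ends outside this hunk.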
@@ -474,27 +446,12 @@ public class SearchAuthorizationIT exten
assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
// now add a subentry that enables user billyd to search an entry below ou=system
- createAccessControlSubentry(
- "billydSearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " name { \"uid=billyd,ou=users,ou=system\" } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "billydSearch", "{ " + " identificationTag \"searchAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { " + " userClasses " + " { "
+ + " name { \"uid=billyd,ou=users,ou=system\" } " + " }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanSearchAs( "BillyD", "billyd" ) );
@@ -516,30 +473,13 @@ public class SearchAuthorizationIT exten
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add a subentry that enables user billyd to search an entry below ou=system
- createAccessControlSubentry(
- "billySearchBySubtree",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses " +
- " { " +
- " subtree " +
- " { " +
- " { base \"ou=users,ou=system\" } " +
- " } " +
- " }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "billySearchBySubtree", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses " + " { " + " subtree " + " { "
+ + " { base \"ou=users,ou=system\" } " + " } " + " }, " + " userPermissions " + " { "
+ + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
@@ -561,24 +501,12 @@ public class SearchAuthorizationIT exten
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add a subentry that enables anyone to search an entry below ou=system
- createAccessControlSubentry(
- "anybodySearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearch", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search that tree which we could not before
// should work now with billyd now that all users are authorized
@@ -607,25 +535,12 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3
- createAccessControlSubentry(
- "anybodySearch",
- "{ maximum 2 }",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search that test entry which we could not before
// should work now with billyd now that all users are authorized
@@ -651,25 +566,12 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. It only grants access to
// the ou and objectClass attributes however.
- createAccessControlSubentry(
- "excludeTelephoneNumber",
- "{ maximum 2 }",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allAttributeValues { ou, objectClass } }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "excludeTelephoneNumber", "{ maximum 2 }", "{ "
+ + " identificationTag \"searchAci\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allAttributeValues { ou, objectClass } }, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search and find 4 entries
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
@@ -686,25 +588,12 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. This time we should be able
// to see the telephoneNumber attribute
- createAccessControlSubentry(
- "includeAllAttributeTypesAndValues",
- "{ maximum 2 }",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " }" +
- " } " +
- "}" );
+ createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
+ + " identificationTag \"searchAci\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues }, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " }" + " } "
+ + "}" );
// again we should find four entries
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
@@ -736,31 +625,13 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. It only grants access to
// the ou and objectClass attributes however.
- createAccessControlSubentry(
- "excludeOUValue",
- "{ maximum 2 }",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems " +
- " {" +
- " entry, " +
- " attributeType { ou }, " +
- " allAttributeValues { objectClass }, " +
- " attributeValue { ou=0, ou=1, ou=2 } " +
- " }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "excludeOUValue", "{ maximum 2 }", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems " + " {" + " entry, " + " attributeType { ou }, "
+ + " allAttributeValues { objectClass }, " + " attributeValue { ou=0, ou=1, ou=2 } "
+ + " }, " + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } "
+ + " } " + " } " + "}" );
// see if we can now search and find 4 entries
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
@@ -777,25 +648,12 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. This time we should be able
// to see the telephoneNumber attribute
- createAccessControlSubentry(
- "includeAllAttributeTypesAndValues",
- "{ maximum 2 }",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " }" +
- "}" );
+ createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
+ + " identificationTag \"searchAci\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues }, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " }"
+ + "}" );
// again we should find four entries
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
@@ -822,23 +680,10 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// now add an entryACI denies browse, read and returnDN to a specific entry
- String aci =
- "{ " +
- " identificationTag \"denyAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
- " } " +
- " } " +
- " } " +
- "}";
+ String aci = "{ " + " identificationTag \"denyAci\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + " } " + " } " + " } " + "}";
// try a search operation which should fail without any prescriptive ACI
DN testsDn = new DN( "ou=system" );
@@ -846,24 +691,12 @@ public class SearchAuthorizationIT exten
assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry(
- "anybodySearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearch", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -892,23 +725,10 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// now add an entryACI denying browse, read and returnDN to a specific entry
- String aci =
- "{ " +
- " identificationTag \"denyAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
- " } " +
- " } " +
- " } " +
- "}";
+ String aci = "{ " + " identificationTag \"denyAci\", " + " precedence 14, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + " } " + " } " + " } " + "}";
// try a search operation which should fail without any prescriptive ACI
DN testsDn = new DN( "ou=system" );
@@ -916,24 +736,12 @@ public class SearchAuthorizationIT exten
assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry(
- "anybodySearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 15, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearch", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 15, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -945,23 +753,10 @@ public class SearchAuthorizationIT exten
// now add an entryACI denies browse, read and returnDN to a specific entry
// but this time the precedence will be higher than that of the grant
- aci =
- "{ " +
- " identificationTag \"denyAci\", " +
- " precedence 16, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
- " } " +
- " } " +
- " } " +
- "}";
+ aci = "{ " + " identificationTag \"denyAci\", " + " precedence 16, " + " authenticationLevel none, "
+ + " itemOrUserFirst userFirst: " + " { " + " userClasses { allUsers }, " + " userPermissions "
+ + " { " + " { " + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + " } " + " } " + " } " + "}";
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -986,7 +781,7 @@ public class SearchAuthorizationIT exten
{
LdapConnection userCtx = getConnectionAs( new DN( "uid=" + uid + ",ou=users,ou=system" ), password );
SearchResultEntry result = null;
- Cursor<SearchResponse> list = null;
+ Cursor<Response> list = null;
list = userCtx.search( dn.getName(), "(objectClass=*)", SearchScope.OBJECT, "*" );
if ( list.next() )
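Review bot: The `null` initialisation on the new `Cursor<Response> list = null;` line is dead, because the next line unconditionally assigns the search result; `Cursor<Response> list = userCtx.search( dn.getName(), "(objectClass=*)", SearchScope.OBJECT, "*" );` states the same thing in one line and lets the variable be declared where it is defined. The cursor is a resource returned by the connection, and whether it is closed after `list.next()` cannot be seen here since the enclosing method starts and ends outside this hunk; it is worth confirming that a `close()` in a `finally` (or try-with-resources, if `Cursor` is `Closeable`) survives the type change.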
@@ -1007,46 +802,22 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry(
- "anybodySearch",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearch", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// check and see if we can access the subentry now
assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
- addSubentryACI(
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ addSubentryACI( "{ " + " identificationTag \"searchAci\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + " } " + " } " + " } " + "}" );
// now we should not be able to access the subentry with a search
assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
@@ -1061,33 +832,13 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search/lookup and disclose on error
// below ou=system, with the exclusion of ou=groups and everything below it
- createAccessControlSubentry(
- "selectiveDiscloseOnError",
- "{ specificExclusions " +
- " { chopBefore:\"ou=groups\" } " +
- "}",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst:" +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials " +
- " { " +
- " grantRead, " +
- " grantReturnDN, " +
- " grantBrowse, " +
- " grantDiscloseOnError " +
- " } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions "
+ + " { chopBefore:\"ou=groups\" } " + "}", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst:" + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, " + " grantsAndDenials "
+ + " { " + " grantRead, " + " grantReturnDN, " + " grantBrowse, "
+ + " grantDiscloseOnError " + " } " + " } " + " } " + " } " + "}" );
// get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system
LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd" );
@@ -1098,30 +849,12 @@ public class SearchAuthorizationIT exten
// now delete and replace subentry with one that does not excluse ou=groups,ou=system
deleteAccessControlSubentry( "selectiveDiscloseOnError" );
- createAccessControlSubentry(
- "selectiveDiscloseOnError",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials " +
- " { " +
- " grantRead, " +
- " grantReturnDN, " +
- " grantBrowse, " +
- " grantDiscloseOnError " +
- " } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "selectiveDiscloseOnError", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, " + " grantsAndDenials "
+ + " { " + " grantRead, " + " grantReturnDN, " + " grantBrowse, "
+ + " grantDiscloseOnError " + " } " + " } " + " } " + " } " + "}" );
// now try a lookup of a non-existant entry under ou=groups,ou=system again
entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" );
@@ -1143,48 +876,24 @@ public class SearchAuthorizationIT exten
getAdminConnection().add( phoneBook );
// now add a subentry that enables anyone to search below their own entries
- createAccessControlSubentry(
- "anybodySearchTheirSubordinates",
- "{ " +
- " identificationTag \"searchAci\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + " identificationTag \"searchAci\", "
+ + " precedence 14, " + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// check and see if we can access the subentry now
assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN(
"ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
- addPrescriptiveACI(
- "anybodySearchTheirSubordinates",
- "{ " +
- " identificationTag \"anybodyDontSearchTheirSubordinates\", " +
- " precedence 14, " +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { parentOfEntry }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems {entry, allUserAttributeTypesAndValues}, " +
- " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
+ + " identificationTag \"anybodyDontSearchTheirSubordinates\", " + " precedence 14, "
+ + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { parentOfEntry }, " + " userPermissions " + " { " + " { "
+ + " protectedItems {entry, allUserAttributeTypesAndValues}, "
+ + " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " + " } " + " } " + " } " + "}" );
// now we should not be able to access the subentry with a search
assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
@@ -1207,28 +916,14 @@ public class SearchAuthorizationIT exten
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add a subentry that allows a user to read the CN only
- createAccessControlSubentry(
- "rangeOfValues",
- "{ " +
- " identificationTag \"rangeOfValuesAci\", " +
- " precedence 14," +
- " authenticationLevel none, " +
- " itemOrUserFirst userFirst: " +
- " { " +
- " userClasses { allUsers }, " +
- " userPermissions " +
- " { " +
- " { " +
- " protectedItems { entry }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " }, " +
- " { " +
- " protectedItems { rangeOfValues (cn=billyd) }, " +
- " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
- " } " +
- " } " +
- " } " +
- "}" );
+ createAccessControlSubentry( "rangeOfValues", "{ " + " identificationTag \"rangeOfValuesAci\", "
+ + " precedence 14," + " authenticationLevel none, " + " itemOrUserFirst userFirst: " + " { "
+ + " userClasses { allUsers }, " + " userPermissions " + " { " + " { "
+ + " protectedItems { entry }, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " }, " + " { "
+ + " protectedItems { rangeOfValues (cn=billyd) }, "
+ + " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " + " } " + " } " + " } "
+ + "}" );
// see if we can now search and find 4 entries
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/changelog/DefaultChangeLogIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/changelog/DefaultChangeLogIT.java?rev=987611&r1=987610&r2=987611&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/changelog/DefaultChangeLogIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/changelog/DefaultChangeLogIT.java Fri Aug 20 19:31:58 2010
@@ -28,8 +28,6 @@ import static org.junit.Assert.assertTru
import java.util.Arrays;
import org.apache.directory.ldap.client.api.LdapConnection;
-import org.apache.directory.ldap.client.api.message.ModifyRequest;
-import org.apache.directory.ldap.client.api.message.SearchResultEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.factory.DefaultDirectoryServiceFactory;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
@@ -40,6 +38,9 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.exception.LdapException;
+import org.apache.directory.shared.ldap.message.ModifyRequest;
+import org.apache.directory.shared.ldap.message.ModifyRequestImpl;
+import org.apache.directory.shared.ldap.message.SearchResultEntry;
import org.apache.directory.shared.ldap.name.DN;
import org.junit.After;
import org.junit.Test;
@@ -55,8 +56,8 @@ import org.slf4j.LoggerFactory;
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
-@RunWith ( FrameworkRunner.class )
-@CreateDS( factory=DefaultDirectoryServiceFactory.class, name="DefaultChangeLogIT-class" )
+@RunWith(FrameworkRunner.class)
+@CreateDS(factory = DefaultDirectoryServiceFactory.class, name = "DefaultChangeLogIT-class")
public class DefaultChangeLogIT extends AbstractLdapTestUnit
{
public static final Logger LOG = LoggerFactory.getLogger( DefaultChangeLogIT.class );
@@ -80,7 +81,7 @@ public class DefaultChangeLogIT extends
entry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
entry.add( SchemaConstants.OU_AT, "test0" );
sysRoot.add( entry );
-
+
assertEquals( revision + 1, service.getChangeLog().getCurrentRevision() );
Tag t0 = service.getChangeLog().tag();
@@ -134,7 +135,7 @@ public class DefaultChangeLogIT extends
// no sync this time but should happen automatically
service.shutdown();
service.startup();
-
+
sysRoot = getAdminConnection( service );
assertEquals( revision + 7, service.getChangeLog().getCurrentRevision() );
assertEquals( t1, service.getChangeLog().getLatest() );
@@ -168,7 +169,7 @@ public class DefaultChangeLogIT extends
service.shutdown();
service.startup();
-
+
sysRoot = getAdminConnection( service );
assertEquals( revision + 1, service.getChangeLog().getCurrentRevision() );
assertEquals( t0, service.getChangeLog().getLatest() );
@@ -289,7 +290,8 @@ public class DefaultChangeLogIT extends
assertPresent( sysRoot, "ou=test5,ou=system" );
// modify the test entry to add description and test new attr appears
- ModifyRequest modReq = new ModifyRequest( entry.getDn() );
+ ModifyRequest modReq = new ModifyRequestImpl();
+ modReq.setName( entry.getDn() );
modReq.add( "description", "a desc value" );
sysRoot.modify( modReq );
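Review bot: The two-line `new ModifyRequestImpl()` + `modReq.setName( ... )` replacement for the old one-argument constructor is repeated verbatim in the hunks at `@@ -310,7`, `@@ -321,7`, `@@ -339,13` and twice in `@@ -367,17`; a small private helper would keep the DN-targeting in one place and make each call site read as it did before the API change. The sketch below shows the helper and how this call site would use it; the other five call sites change the same way. The enclosing test method starts and ends outside this hunk.
```java
// … unchanged: assertPresent( sysRoot, "ou=test5,ou=system" ); …
ModifyRequest modReq = modifyRequestFor( entry.getDn() );
modReq.add( "description", "a desc value" );
// … unchanged: sysRoot.modify( modReq ); …

/** Builds an empty ModifyRequest targeting dn; replaces the repeated ModifyRequestImpl + setName pair. */
private static ModifyRequest modifyRequestFor( DN dn )
{
    ModifyRequest req = new ModifyRequestImpl();
    req.setName( dn );
    return req;
}
```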
@@ -310,7 +312,8 @@ public class DefaultChangeLogIT extends
// -------------------------------------------------------------------
// add the attribute again and make sure it is old value
- modReq = new ModifyRequest( resusitated.getDn() );
+ modReq = new ModifyRequestImpl();
+ modReq.setName( resusitated.getDn() );
modReq.add( "description", "old value" );
sysRoot.modify( modReq );
resusitated = ( ( SearchResultEntry ) sysRoot.lookup( "ou=test5,ou=system" ) ).getEntry();
@@ -321,7 +324,8 @@ public class DefaultChangeLogIT extends
// now tag then replace the value to "new value" and confirm
Tag t1 = service.getChangeLog().tag();
- modReq = new ModifyRequest( resusitated.getDn() );
+ modReq = new ModifyRequestImpl();
+ modReq.setName( resusitated.getDn() );
modReq.replace( "description", "new value" );
sysRoot.modify( modReq );
@@ -339,13 +343,13 @@ public class DefaultChangeLogIT extends
assertNotNull( description );
assertEquals( description.getString(), "old value" );
-
// -------------------------------------------------------------------
// Modify REMOVE Test
// -------------------------------------------------------------------
Tag t2 = service.getChangeLog().tag();
- modReq = new ModifyRequest( resusitated.getDn() );
+ modReq = new ModifyRequestImpl();
+ modReq.setName( resusitated.getDn() );
modReq.remove( "description", "old value" );
sysRoot.modify( modReq );
@@ -367,17 +371,19 @@ public class DefaultChangeLogIT extends
// -------------------------------------------------------------------
// add a userPassword attribute so we can test replacing it
- modReq = new ModifyRequest( resusitated.getDn() );
+ modReq = new ModifyRequestImpl();
+ modReq.setName( resusitated.getDn() );
modReq.add( "userPassword", "to be replaced" );
sysRoot.modify( modReq );
resusitated = ( ( SearchResultEntry ) sysRoot.lookup( "ou=test5,ou=system" ) ).getEntry();
assertPassword( resusitated, "to be replaced" );
- modReq = new ModifyRequest( resusitated.getDn() );
+ modReq = new ModifyRequestImpl();
+ modReq.setName( resusitated.getDn() );
modReq.remove( "description", "old value" );
modReq.add( "seeAlso", "ou=added" );
modReq.replace( "userPassword", "a replaced value" );
-
+
Tag t3 = service.getChangeLog().tag();
// now make the modification and check that description is gone,
@@ -418,8 +424,8 @@ public class DefaultChangeLogIT extends
SearchResultEntry se = ( SearchResultEntry ) connection.lookup( dn );
assertNull( se );
}
-
-
+
+
private void assertPresent( LdapConnection connection, String dn ) throws LdapException
{
Entry entry = ( ( SearchResultEntry ) connection.lookup( dn ) ).getEntry();