Posted to commits@directory.apache.org by el...@apache.org on 2010/07/02 19:08:19 UTC
svn commit: r960058 - in /directory/apacheds/trunk:
core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Author: elecharny
Date: Fri Jul 2 17:08:19 2010
New Revision: 960058
URL: http://svn.apache.org/viewvc?rev=960058&view=rev
Log:
o Added 3 tests which were commented out due to some bad ACIs
o Fixed a problem in the RelatedProtectedItemFilter
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java?rev=960058&r1=960057&r2=960058&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/ModifyAuthorizationIT.java Fri Jul 2 17:08:19 2010
@@ -581,92 +581,146 @@ public class ModifyAuthorizationIT exten
}
- // /**
- // * Checks to make sure name based userClass works for modify operations.
- // *
- // * @throws javax.naming.Exception if the test encounters an error
- // */
- // public void testGrantModifyByName() throws Exception
- // {
- // // create the non-admin user
- // createUser( "billyd", "billyd" );
- //
- // // try an modify operation which should fail without any ACI
- // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
- //
- // // now add a subentry that enables user billyd to modify an entry below ou=system
- // createAccessControlSubentry( "billydAdd", "{ " +
- // "identificationTag \"addAci\", " +
- // "precedence 14, " +
- // "authenticationLevel none, " +
- // "itemOrUserFirst userFirst: { " +
- // "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
- // "userPermissions { { " +
- // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
- //
- // // should work now that billyd is authorized by name
- // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
- // }
- //
- //
- // /**
- // * Checks to make sure subtree based userClass works for modify operations.
- // *
- // * @throws javax.naming.Exception if the test encounters an error
- // */
- // public void testGrantModifyBySubtree() throws Exception
- // {
- // // create the non-admin user
- // createUser( "billyd", "billyd" );
- //
- // // try a modify operation which should fail without any ACI
- // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
- //
- // // now add a subentry that enables user billyd to modify an entry below ou=system
- // createAccessControlSubentry( "billyAddBySubtree", "{ " +
- // "identificationTag \"addAci\", " +
- // "precedence 14, " +
- // "authenticationLevel none, " +
- // "itemOrUserFirst userFirst: { " +
- // "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " +
- // "userPermissions { { " +
- // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
- //
- // // should work now that billyd is authorized by the subtree userClass
- // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
- // }
- //
- //
- // /**
- // * Checks to make sure <b>allUsers</b> userClass works for modify operations.
- // *
- // * @throws javax.naming.Exception if the test encounters an error
- // */
- // public void testGrantModifyAllUsers() throws Exception
- // {
- // // create the non-admin user
- // createUser( "billyd", "billyd" );
+ /**
+ * Checks to make sure name based userClass works for modify operations.
+ *
+ * @throws javax.naming.Exception if the test encounters an error
+ */
+ @Test
+ public void testGrantModifyByName() throws Exception
+ {
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
+ new DefaultEntryAttribute( "telephoneNumber", "012-3456" ) );
+
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an modify operation which should fail without any ACI
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+ // now add a subentry that enables user billyd to modify an entry below ou=system
+ createAccessControlSubentry(
+ "billydAdd",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+ " }, " +
+ " { " +
+ " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
+
+ // should work now that billyd is authorized by name
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+ }
+
+
+ /**
+ * Checks to make sure subtree based userClass works for modify operations.
+ *
+ * @throws javax.naming.Exception if the test encounters an error
+ */
+ @Test
+ public void testGrantModifyBySubtree() throws Exception
+ {
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
+ new DefaultEntryAttribute( "telephoneNumber", "012-345678" ) );
+
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try a modify operation which should fail without any ACI
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+ // now add a subentry that enables user billyd to modify an entry below ou=system
+ createAccessControlSubentry(
+ "billyAddBySubtree",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " {" +
+ " subtree { { base \"ou=users,ou=system\" } } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+ " }, " +
+ " { " +
+ " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
//
- // // try an add operation which should fail without any ACI
- // assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
+ // should work now that billyd is authorized by the subtree userClass
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+ }
//
- // // now add a subentry that enables anyone to add an entry below ou=system
- // createAccessControlSubentry( "anybodyAdd", "{ " +
- // "identificationTag \"addAci\", " +
- // "precedence 14, " +
- // "authenticationLevel none, " +
- // "itemOrUserFirst userFirst: { " +
- // "userClasses { allUsers }, " +
- // "userPermissions { { " +
- // "protectedItems {entry, allUserAttributeTypesAndValues}, " +
- // "grantsAndDenials { grantModify, grantRead, grantBrowse } } } } }" );
//
- // // see if we can now modify that test entry's number which we could not before
- // // should work with billyd now that all users are authorized
- // assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", "867-5309" ) );
- // }
+ /**
+ * Checks to make sure <b>allUsers</b> userClass works for modify operations.
+ *
+ * @throws javax.naming.Exception if the test encounters an error
+ */
+ @Test
+ public void testGrantModifyAllUsers() throws Exception
+ {
+ Modification[] mods = toItems( ModificationOperation.ADD_ATTRIBUTE,
+ new DefaultEntryAttribute( "telephoneNumber", "001-012345" ) );
+
+ // create the non-admin user
+ createUser( "billyd", "billyd" );
+
+ // try an add operation which should fail without any ACI
+ assertFalse( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+
+ // now add a subentry that enables anyone to add an entry below ou=system
+ createAccessControlSubentry(
+ "anybodyAdd",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantModify, grantRead, grantBrowse } " +
+ " }, " +
+ " { " +
+ " protectedItems {allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantAdd, grantRead, grantRemove } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
+
+ // see if we can now modify that test entry's number which we could not before
+ // should work with billyd now that all users are authorized
+ assertTrue( checkCanModifyAs( "billyd", "billyd", "ou=testou", mods ) );
+ }
@Test
public void testPresciptiveACIModification() throws Exception
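Review bot: Several comments in the re-enabled tests still describe an add operation although the tests exercise modify: in testGrantModifyAllUsers the lines `// try an add operation which should fail without any ACI` and `// now add a subentry that enables anyone to add an entry below ou=system` should read `// try a modify operation which should fail without any ACI` and `// now add a subentry that enables anyone to modify an entry below ou=system`, and testGrantModifyByName has the typo `// try an modify operation`. The stray empty `//` lines left between the createAccessControlSubentry call and the final assertion in testGrantModifyBySubtree, and between the methods, are leftovers from uncommenting and should be dropped. The reason these tests now pass is the split of protectedItems into an `{entry}` tuple carrying grantModify and an `{allUserAttributeTypesAndValues}` tuple carrying grantAdd/grantRemove, which is not said anywhere; a one-line comment above the first subentry such as `// entry-level and attribute-level permissions must be separate tuples: grantModify applies to the entry item, grantAdd/grantRemove to the attribute item` would keep the next reader from collapsing them back into one tuple. The class continues outside the hunk, so whether the user and subentries created here are removed between tests cannot be confirmed from this view.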
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=960058&r1=960057&r2=960058&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java Fri Jul 2 17:08:19 2010
@@ -123,10 +123,12 @@ public class RelatedProtectedItemFilter
{
if ( item == ProtectedItem.ENTRY )
{
- if ( scope == OperationScope.ENTRY )
+ if ( scope != OperationScope.ENTRY )
{
- return true;
+ continue;
}
+
+ return true;
}
else if ( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
{