You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by el...@apache.org on 2010/07/02 14:22:54 UTC
svn commit: r959961 - in /directory/apacheds/trunk:
core-integ/src/test/java/org/apache/directory/server/core/authz/
core/src/main/java/org/apache/directory/server/core/authz/
Author: elecharny
Date: Fri Jul 2 12:22:53 2010
New Revision: 959961
URL: http://svn.apache.org/viewvc?rev=959961&view=rev
Log:
o Minor refactoring in the ACI interceptor
o Formated the ACI in tests
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/MoveRenameAuthorizationIT.java Fri Jul 2 12:22:53 2010
@@ -196,10 +196,27 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantRenameByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameByAdmin",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now rename that test entry which we could not before
// rename op should still fail since billyd is not in the admin group
@@ -228,11 +245,27 @@ public class MoveRenameAuthorizationIT e
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
- createAccessControlSubentry( "grantRenameMoveByAdmin", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, "
- + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameMoveByAdmin",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -260,10 +293,27 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
- createAccessControlSubentry( "grantMoveByAdmin", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantMoveByAdmin",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now move that test entry which we could not before
// op should still fail since billyd is not in the admin group
@@ -302,10 +352,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm specifically to the billyd user
- createAccessControlSubentry( "grantRenameByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameByName",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -325,11 +389,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
- createAccessControlSubentry( "grantRenameMoveByName", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, "
- + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameMoveByName",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -349,10 +426,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
- createAccessControlSubentry( "grantMoveByName", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantMoveByName",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -383,10 +474,27 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to those users selected by the subtree
- createAccessControlSubentry( "grantRenameByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameByTree",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " subtree { { base \"ou=users,ou=system\" } } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -406,11 +514,26 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
- createAccessControlSubentry( "grantRenameMoveByTree", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
- + "protectedItems {entry}, "
- + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameMoveByTree",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: { " +
+ " userClasses " +
+ " { " +
+ " subtree { { base \"ou=users,ou=system\" } } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -430,10 +553,27 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
- createAccessControlSubentry( "grantMoveByTree", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
- + "protectedItems {entry}, " + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantMoveByTree",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " subtree { { base \"ou=users,ou=system\" } } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -464,10 +604,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to any user
- createAccessControlSubentry( "grantRenameByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry}, "
- + "grantsAndDenials { grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameByAny",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
@@ -487,10 +641,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
- createAccessControlSubentry( "grantRenameMoveByAny", "{ " + "identificationTag \"addAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { { " + "protectedItems {entry}, "
- + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantRenameMoveByAny",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
@@ -510,10 +678,24 @@ public class MoveRenameAuthorizationIT e
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
- createAccessControlSubentry( "grantMoveByAny", "{ " + "identificationTag \"addAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry}, "
- + "grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "grantMoveByAny",
+ "{ " +
+ " identificationTag \"addAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry}, " +
+ " grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
@@ -550,33 +732,66 @@ public class MoveRenameAuthorizationIT e
createAccessControlSubentry(
"grantBrowseForTheWholeNamingContext",
"{ }",
- "{ " + "identificationTag \"browseACI\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems { entry }, "
- + "grantsAndDenials { grantBrowse } } } } }" );
+ "{ " +
+ " identificationTag \"browseACI\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems { entry }, " +
+ " grantsAndDenials { grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// Gives grantExport, grantRename perm to all users in the Administrators
// group for entries
createAccessControlSubentry(
"grantExportFromASubtree",
- "{ base \"ou=users\" }", // !!!!! =====>>>>> { base "ou=users" }
- "{ " + "identificationTag \"exportACI\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems { entry }, "
- + "grantsAndDenials { grantExport, grantRename } } } } }" );
+ "{ base \"ou=users\" }",
+ "{ " +
+ " identificationTag \"exportACI\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems { entry }, " +
+ " grantsAndDenials { grantExport, grantRename } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// Gives grantImport perm to all users in the Administrators
// group for the target context
createAccessControlSubentry(
"grantImportToASubtree",
- "{ base \"ou=groups\" }", // !!!!! =====>>>>> { base "ou=groups" }
- "{ " + "identificationTag \"importACI\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems { entry }, "
- + "grantsAndDenials { grantImport } } } } }" );
+ "{ base \"ou=groups\" }",
+ "{ " +
+ " identificationTag \"importACI\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems { entry }, " +
+ " grantsAndDenials { grantImport } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Fri Jul 2 12:22:53 2010
@@ -103,24 +103,27 @@ public class SearchAuthorizationIT exten
*/
private Entry[] getTestNodes( final int count )
{
- Entry[] attributes = new DefaultEntry[count];
- for ( int ii = 0; ii < count; ii++ )
+ Entry[] entries = new DefaultEntry[count];
+
+ for ( int i = 0; i < count; i++ )
{
+ Entry entry = new DefaultEntry();
+
try
{
- attributes[ii] = new DefaultEntry();
- attributes[ii].add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
- attributes[ii].add( SchemaConstants.OU_AT, String.valueOf( ii ) );
- attributes[ii].add( SchemaConstants.OU_AT, "testEntry" );
- attributes[ii].add( "telephoneNumber", String.valueOf( count ) );
+ entry.add( "objectClass", "organizationalUnit" );
+ entry.add( "ou", "testEntry", String.valueOf( i ) );
+ entry.add( "telephoneNumber", String.valueOf( count ) );
}
catch ( Exception e )
{
e.printStackTrace();
}
+
+ entries[i] = entry;
}
- return attributes;
+ return entries;
}
@@ -353,7 +356,7 @@ public class SearchAuthorizationIT exten
assertEquals( 10, counter );
recursivelyDelete( base );
- //noinspection EmptyCatchBlock
+
SearchResultEntry entry = ( SearchResultEntry ) connection.lookup( base.getName() );
assertNull( entry );
}
@@ -374,25 +377,41 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// Gives search perms to all users in the Administrators group for
// entries and all attribute types and values
- createAccessControlSubentry( "searchAdmin", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "searchAdmin",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
- // see if we can now add that test entry which we could not before
- // add op should still fail since billd is not in the admin group
+ // see if we can now search that test entry which we could not before
+ // add or should still fail since billd is not in the admin group
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
- // try an add operation which should succeed with ACI and group membership change
+ // try a search operation which should succeed with ACI and group membership change
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
}
@@ -408,15 +427,31 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
- // now add a subentry that enables user billyd to add an entry below ou=system
- createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ // now add a subentry that enables user billyd to search an entry below ou=system
+ createAccessControlSubentry(
+ "billydSearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " name { \"uid=billyd,ou=users,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " }" +
+ " } " +
+ "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
@@ -435,15 +470,31 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "BillyD", "billyd" ) );
- // now add a subentry that enables user billyd to add an entry below ou=system
- createAccessControlSubentry( "billydSearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ // now add a subentry that enables user billyd to search an entry below ou=system
+ createAccessControlSubentry(
+ "billydSearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " name { \"uid=billyd,ou=users,ou=system\" } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// should work now that billyd is authorized by name
assertTrue( checkCanSearchAs( "BillyD", "billyd" ) );
@@ -461,15 +512,34 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
- // now add a subentry that enables user billyd to add an entry below ou=system
- createAccessControlSubentry( "billySearchBySubtree", "{ " + "identificationTag \"searchAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { subtree { { base \"ou=users,ou=system\" } } }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ // now add a subentry that enables user billyd to search an entry below ou=system
+ createAccessControlSubentry(
+ "billySearchBySubtree",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses " +
+ " { " +
+ " subtree " +
+ " { " +
+ " { base \"ou=users,ou=system\" } " +
+ " } " +
+ " }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// should work now that billyd is authorized by the subtree userClass
assertTrue( checkCanSearchAs( "billyd", "billyd" ) );
@@ -487,14 +557,28 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an search operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd" ) );
// now add a subentry that enables anyone to search an entry below ou=system
- createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now search that tree which we could not before
// should work now with billyd now that all users are authorized
@@ -518,18 +602,32 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
- // now add a subentry that enables anyone to add an entry below ou=system
+ // now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3
- createAccessControlSubentry( "anybodySearch", "{ maximum 2 }", "{ " + "identificationTag \"searchAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ maximum 2 }",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
- // see if we can now add that test entry which we could not before
+ // see if we can now search that test entry which we could not before
// should work now with billyd now that all users are authorized
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
}
@@ -547,19 +645,33 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. It only grants access to
// the ou and objectClass attributes however.
- createAccessControlSubentry( "excluseTelephoneNumber", "{ maximum 2 }", "{ "
- + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allAttributeValues { ou, objectClass } }, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "excludeTelephoneNumber",
+ "{ maximum 2 }",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allAttributeValues { ou, objectClass } }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
- // see if we can now add that search and find 4 entries
+ // see if we can now search and find 4 entries
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
// check to make sure the telephoneNumber attribute is not present in results
@@ -569,16 +681,30 @@ public class SearchAuthorizationIT exten
}
// delete the subentry to test more general rule's inclusion of telephoneNumber
- deleteAccessControlSubentry( "excluseTelephoneNumber" );
+ deleteAccessControlSubentry( "excludeTelephoneNumber" );
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. This time we should be able
// to see the telephoneNumber attribute
- createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
- + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues }, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "includeAllAttributeTypesAndValues",
+ "{ maximum 2 }",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " }" +
+ " } " +
+ "}" );
// again we should find four entries
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 4 ) );
@@ -604,26 +730,39 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // try an add operation which should fail without any ACI
+ // try a search operation which should fail without any ACI
assertFalse( checkCanSearchAs( "billyd", "billyd", 3 ) );
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. It only grants access to
// the ou and objectClass attributes however.
createAccessControlSubentry(
- "excluseOUValue",
+ "excludeOUValue",
"{ maximum 2 }",
- "{ "
- + "identificationTag \"searchAci\", "
- + "precedence 14, "
- + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, "
- + "userPermissions { { "
- + "protectedItems {entry, attributeType { ou }, allAttributeValues { objectClass }, attributeValue { ou=0, ou=1, ou=2 } }, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems " +
+ " {" +
+ " entry, " +
+ " attributeType { ou }, " +
+ " allAttributeValues { objectClass }, " +
+ " attributeValue { ou=0, ou=1, ou=2 } " +
+ " }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
- // see if we can now add that search and find 4 entries
+ // see if we can now search and find 4 entries
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
// check to make sure the ou attribute value "testEntry" is not present in results
@@ -633,16 +772,30 @@ public class SearchAuthorizationIT exten
}
// delete the subentry to test more general rule's inclusion of all values
- deleteAccessControlSubentry( "excluseOUValue" );
+ deleteAccessControlSubentry( "excludeOUValue" );
// now add a subentry that enables anyone to search an entry below ou=system
// down two more rdns for DNs of a max size of 3. This time we should be able
// to see the telephoneNumber attribute
- createAccessControlSubentry( "includeAllAttributeTypesAndValues", "{ maximum 2 }", "{ "
- + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues }, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "includeAllAttributeTypesAndValues",
+ "{ maximum 2 }",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " }" +
+ "}" );
// again we should find four entries
assertTrue( checkCanSearchAs( "billyd", "billyd", 3 ) );
@@ -669,10 +822,23 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// now add an entryACI denies browse, read and returnDN to a specific entry
- String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+ String aci =
+ "{ " +
+ " identificationTag \"denyAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}";
// try a search operation which should fail without any prescriptive ACI
DN testsDn = new DN( "ou=system" );
@@ -680,10 +846,24 @@ public class SearchAuthorizationIT exten
assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -691,7 +871,7 @@ public class SearchAuthorizationIT exten
assertTrue( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
assertNull( results.get( "ou=tests,ou=system" ) );
- // try without the entry ACI .. just perscriptive and see ou=tests,ou=system
+ // try without the entry ACI, just perscriptive and see ou=tests,ou=system
assertTrue( checkCanSearchAs( "billyd", "billyd", SearchScope.SUBTREE, 10 ) );
assertNotNull( results.get( "ou=tests,ou=system" ) );
}
@@ -711,11 +891,24 @@ public class SearchAuthorizationIT exten
// create the non-admin user
createUser( "billyd", "billyd" );
- // now add an entryACI denies browse, read and returnDN to a specific entry
- String aci = "{ " + "identificationTag \"denyAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+ // now add an entryACI denying browse, read and returnDN to a specific entry
+ String aci =
+ "{ " +
+ " identificationTag \"denyAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}";
// try a search operation which should fail without any prescriptive ACI
DN testsDn = new DN( "ou=system" );
@@ -723,10 +916,24 @@ public class SearchAuthorizationIT exten
assertFalse( checkSearchAsWithEntryACI( "billyd", "billyd", SearchScope.SUBTREE, testsDn, aci, 9 ) );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 15, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 15, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -738,10 +945,23 @@ public class SearchAuthorizationIT exten
// now add an entryACI denies browse, read and returnDN to a specific entry
// but this time the precedence will be higher than that of the grant
- aci = "{ " + "identificationTag \"denyAci\", " + "precedence 16, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }";
+ aci =
+ "{ " +
+ " identificationTag \"denyAci\", " +
+ " precedence 16, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}";
// see if we can now search the tree which we could not before
// should work with billyd now that all users are authorized
@@ -787,19 +1007,46 @@ public class SearchAuthorizationIT exten
createUser( "billyd", "billyd" );
// now add a subentry that enables anyone to search below ou=system
- createAccessControlSubentry( "anybodySearch", "{ " + "identificationTag \"searchAci\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// check and see if we can access the subentry now
assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
- addSubentryACI( "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+ addSubentryACI(
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// now we should not be able to access the subentry with a search
assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "cn=anybodySearch,ou=system" ) ) );
@@ -814,11 +1061,33 @@ public class SearchAuthorizationIT exten
// now add a subentry that enables anyone to search/lookup and disclose on error
// below ou=system, with the exclusion of ou=groups and everything below it
- createAccessControlSubentry( "selectiveDiscloseOnError", "{ specificExclusions { chopBefore:\"ou=groups\" } }",
- "{ " + "identificationTag \"searchAci\", " + "precedence 14, " + "authenticationLevel none, "
- + "itemOrUserFirst userFirst: { " + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
+ createAccessControlSubentry(
+ "selectiveDiscloseOnError",
+ "{ specificExclusions " +
+ " { chopBefore:\"ou=groups\" } " +
+ "}",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst:" +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials " +
+ " { " +
+ " grantRead, " +
+ " grantReturnDN, " +
+ " grantBrowse, " +
+ " grantDiscloseOnError " +
+ " } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// get a context as the user and try a lookup of a non-existant entry under ou=groups,ou=system
LdapConnection userCtx = getConnectionAs( "uid=billyd,ou=users,ou=system", "billyd" );
@@ -829,11 +1098,30 @@ public class SearchAuthorizationIT exten
// now delete and replace subentry with one that does not excluse ou=groups,ou=system
deleteAccessControlSubentry( "selectiveDiscloseOnError" );
- createAccessControlSubentry( "selectiveDiscloseOnError", "{ " + "identificationTag \"searchAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }" );
+ createAccessControlSubentry(
+ "selectiveDiscloseOnError",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials " +
+ " { " +
+ " grantRead, " +
+ " grantReturnDN, " +
+ " grantBrowse, " +
+ " grantDiscloseOnError " +
+ " } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// now try a lookup of a non-existant entry under ou=groups,ou=system again
entry = ( SearchResultEntry ) userCtx.lookup( "cn=blah,ou=groups" );
@@ -855,22 +1143,48 @@ public class SearchAuthorizationIT exten
getAdminConnection().add( phoneBook );
// now add a subentry that enables anyone to search below their own entries
- createAccessControlSubentry( "anybodySearchTheirSubordinates", "{ " + "identificationTag \"searchAci\", "
- + "precedence 14, " + "authenticationLevel none, " + "itemOrUserFirst userFirst: { "
- + "userClasses { allUsers }, " + "userPermissions { { "
- + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }" );
+ createAccessControlSubentry(
+ "anybodySearchTheirSubordinates",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// check and see if we can access the subentry now
assertNotNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN(
"ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
// now add a denial to prevent all users except the admin from accessing the subentry
- addPrescriptiveACI( "anybodySearchTheirSubordinates", "{ "
- + "identificationTag \"anybodyDontSearchTheirSubordinates\", " + "precedence 14, "
- + "authenticationLevel none, " + "itemOrUserFirst userFirst: { " + "userClasses { parentOfEntry }, "
- + "userPermissions { { " + "protectedItems {entry, allUserAttributeTypesAndValues}, "
- + "grantsAndDenials { denyRead, denyReturnDN, denyBrowse } } } } }" );
+ addPrescriptiveACI(
+ "anybodySearchTheirSubordinates",
+ "{ " +
+ " identificationTag \"anybodyDontSearchTheirSubordinates\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { parentOfEntry }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { denyRead, denyReturnDN, denyBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
// now we should not be able to access the subentry with a search
assertNull( checkCanSearhSubentryAs( "billyd", "billyd", new DN( "ou=phoneBook,uid=billyd,ou=users,ou=system" ) ) );
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=959961&r1=959960&r2=959961&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Fri Jul 2 12:22:53 2010
@@ -160,14 +160,17 @@ public class AciAuthorizationInterceptor
/** the system wide subschemaSubentryDn */
private String subschemaSubentryDn;
- private AttributeType objectClassType;
- private AttributeType acSubentryType;
+ /** The ObjectClass AttributeType */
+ private static AttributeType OBJECT_CLASS_AT;
+
+ /** The AccessControlSubentry AttributeType */
+ private static AttributeType ACCESS_CONTROL_SUBENTRY_AT;
/** A storage for the entryACI attributeType */
- private AttributeType entryAciType;
+ private static AttributeType ENTRY_ACI_AT;
/** the subentry ACI attribute type */
- private AttributeType subentryAciType;
+ private static AttributeType SUBENTRY_ACI_AT;
public static final SearchControls DEFAULT_SEARCH_CONTROLS = new SearchControls();
@@ -187,20 +190,22 @@ public class AciAuthorizationInterceptor
adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ),
directoryService );
+ schemaManager = directoryService.getSchemaManager();
+ chain = directoryService.getInterceptorChain();
+ // Create the caches
tupleCache = new TupleCache( adminSession );
groupCache = new GroupCache( adminSession );
- schemaManager = directoryService.getSchemaManager();
// look up some constant information
- objectClassType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT );
- acSubentryType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
- entryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID );
- subentryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID );
+ OBJECT_CLASS_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.OBJECT_CLASS_AT );
+ ACCESS_CONTROL_SUBENTRY_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT );
+ ENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID );
+ SUBENTRY_ACI_AT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID );
+ // Iitialize the ACI PARSER and ACDF engine
aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( schemaManager ), schemaManager );
engine = new ACDFEngine( schemaManager );
- chain = directoryService.getInterceptorChain();
// stuff for dealing with subentries (garbage for now)
Value<?> subschemaSubentry = directoryService.getPartitionNexus().getRootDSE( null ).get(
@@ -252,11 +257,11 @@ public class AciAuthorizationInterceptor
if ( entry instanceof ClonedServerEntry )
{
- oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( objectClassType );
+ oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( OBJECT_CLASS_AT );
}
else
{
- oc = entry.get( objectClassType );
+ oc = entry.get( OBJECT_CLASS_AT );
}
/*
@@ -275,7 +280,7 @@ public class AciAuthorizationInterceptor
entry = opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS );
}
- EntryAttribute subentries = entry.get( acSubentryType );
+ EntryAttribute subentries = entry.get( ACCESS_CONTROL_SUBENTRY_AT );
if ( subentries == null )
{
@@ -300,7 +305,7 @@ public class AciAuthorizationInterceptor
*/
private void addEntryAciTuples( Collection<ACITuple> tuples, Entry entry ) throws LdapException
{
- EntryAttribute entryAci = entry.get( entryAciType );
+ EntryAttribute entryAci = entry.get( ENTRY_ACI_AT );
if ( entryAci == null )
{
@@ -354,7 +359,7 @@ public class AciAuthorizationInterceptor
Entry administrativeEntry = ( ( ClonedServerEntry ) opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS ) )
.getOriginalEntry();
- EntryAttribute subentryAci = administrativeEntry.get( subentryAciType );
+ EntryAttribute subentryAci = administrativeEntry.get( SUBENTRY_ACI_AT );
if ( subentryAci == null )
{
@@ -705,8 +710,10 @@ public class AciAuthorizationInterceptor
*/
private void checkLookupAccess( LookupOperationContext lookupContext, Entry entry ) throws LdapException
{
+ DN dn = lookupContext.getDn();
+
// no permissions checks on the RootDSE
- if ( lookupContext.getDn().getNormName().trim().equals( "" ) )
+ if ( dn.isRootDSE() )
{
return;
}
@@ -715,13 +722,13 @@ public class AciAuthorizationInterceptor
DN userName = principal.getDN();
Set<DN> userGroups = groupCache.getGroups( userName.getNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
- addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
+ addPerscriptiveAciTuples( lookupContext, tuples, dn, entry );
addEntryAciTuples( tuples, entry );
- addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
+ addSubentryAciTuples( lookupContext, tuples, dn, entry );
// check that we have read access to the entry
engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
- lookupContext.getDn(), null, null, LOOKUP_PERMS, tuples, entry, null );
+ dn, null, null, LOOKUP_PERMS, tuples, entry, null );
// check that we have read access to every attribute type and value
for ( EntryAttribute attribute : entry )
@@ -730,13 +737,16 @@ public class AciAuthorizationInterceptor
for ( Value<?> value : attribute )
{
engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal
- .getAuthenticationLevel(), lookupContext.getDn(), attribute.getAttributeType(), value, READ_PERMS, tuples,
+ .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, READ_PERMS, tuples,
entry, null );
}
}
}
+ /**
+ * {@inheritDoc}
+ */
public Entry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws LdapException
{
CoreSession session = lookupContext.getSession();
@@ -750,6 +760,7 @@ public class AciAuthorizationInterceptor
principalDn.normalize( schemaManager.getNormalizerMapping() );
}
+ // Bypass this interceptor if we disabled the AC subsystem or if the principal is the admin
if ( isPrincipalAnAdministrator( principalDn ) || !directoryService.isAccessControlEnabled() )
{
return next.lookup( lookupContext );