/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
package org.apache.directory.server.core.authz;
import static org.apache.directory.server.core.authz.AutzIntegUtils.addUserToGroup;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.createUser;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteAccessControlSubentry;
import static org.apache.directory.server.core.authz.AutzIntegUtils.deleteUser;
import static org.apache.directory.server.core.authz.AutzIntegUtils.getAdminConnection;
import static org.apache.directory.server.core.authz.AutzIntegUtils.getConnectionAs;
import static org.apache.directory.server.core.authz.AutzIntegUtils.removeUserFromGroup;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.integ.IntegrationUtils;
import org.apache.directory.shared.ldap.model.constants.SchemaConstants;
import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.exception.LdapEntryAlreadyExistsException;
import org.apache.directory.shared.ldap.model.exception.LdapException;
import org.apache.directory.shared.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
/**
* Tests whether or not authorization around entry renames and moves work properly.
*
* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
*/
@RunWith(FrameworkRunner.class)
@CreateDS(name = "MoveRenameAuthorizationIT")
public class MoveRenameAuthorizationIT extends AbstractLdapTestUnit
{
@Before
public void setService()
{
AutzIntegUtils.service = getService();
getService().setAccessControlEnabled( true );
}
@After
public void closeConnections()
{
IntegrationUtils.closeConnections();
}
public boolean checkCanRenameAs( String uid, String password, String entryRdn, String newNameRdn ) throws Exception
{
Dn entryDn = new Dn( entryRdn + ",ou=system" );
boolean result;
Entry testEntry = new DefaultEntry(entryDn);
testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
testEntry.add( SchemaConstants.OU_AT, "testou" );
LdapConnection adminConnection = getAdminConnection();
// create the new entry as the admin user
adminConnection.add( testEntry );
assertTrue( adminConnection.exists( entryDn ) );
Dn userName = new Dn( "uid=" + uid + ",ou=users,ou=system" );
LdapConnection userConnection = getConnectionAs( userName, password );
try
{
userConnection.rename( entryDn.getName(), newNameRdn );
adminConnection.delete( newNameRdn + ",ou=system" );
result = true;
}
catch ( LdapException le )
{
adminConnection.delete( entryDn );
assertFalse( adminConnection.exists( entryDn ) );
result = false;
}
return result;
}
/**
* Checks if a simple entry (organizationalUnit) can be renamed at an Rdn relative
* to ou=system by a specific non-admin user. If a permission exception
* is encountered it is caught and false is returned, otherwise true is returned
* when the entry is created. The entry is deleted after being created just in case
* subsequent calls to this method do not fail: the admin account is used to delete
* this test entry so permissions to delete are not required to delete it by the user.
*
* @param uid the unique identifier for the user (presumed to exist under ou=users,ou=system)
* @param password the password of this user
* @param entryRdn the relative Dn, relative to ou=system where entry renames are tested
* @param newNameRdn the new Rdn for the entry under ou=system
* @param newParentRdn the new parent Rdn for the entry under ou=system
* @return true if the entry can be renamed by the user at the specified location, false otherwise
* @throws Exception if there are problems conducting the test
*/
public boolean checkCanMoveAndRenameAs( String uid, String password, String entryRdn, String newNameRdn,
String newParentRdn ) throws Exception
{
Dn entryDn = new Dn( entryRdn + ",ou=system" );
boolean result;
Entry testEntry = new DefaultEntry( entryDn );
testEntry.add( SchemaConstants.OBJECT_CLASS_AT, "organizationalUnit" );
testEntry.add( SchemaConstants.OU_AT, "testou" );
LdapConnection adminConnection = getAdminConnection();
// create the new entry as the admin user
adminConnection.add( testEntry );
assertTrue( adminConnection.exists( entryDn ) );
Dn userName = new Dn( "uid=" + uid + ",ou=users,ou=system" );
LdapConnection userConnection = getConnectionAs( userName, password );
boolean isMoved = false;
String movedName = entryRdn + "," + newParentRdn + ",ou=system";
try
{
userConnection.move( entryDn.getName(), newParentRdn + ",ou=system" );
isMoved = true;
assertTrue( adminConnection.exists( movedName ) );
assertFalse( userConnection.exists( entryDn ) );
}
catch ( LdapNoPermissionException lnpe )
{
assertFalse( adminConnection.exists( movedName ) );
assertTrue( adminConnection.exists( entryDn ) );
adminConnection.delete( entryDn );
return false;
}
String renamedName = newNameRdn + ", " + newParentRdn + ",ou=system";
try
{
userConnection.rename( movedName, newNameRdn );
assertTrue( adminConnection.exists( renamedName ) );
assertFalse( adminConnection.exists( movedName ) );
adminConnection.delete( renamedName );
result = true;
}
catch ( LdapEntryAlreadyExistsException leaee )
{
adminConnection.delete( renamedName );
result = true;
}
catch ( LdapException le )
{
if ( isMoved )
{
adminConnection.delete( movedName );
}
result = false;
}
// delete the renamed context as the admin user
return result;
}
/**
* Checks to make sure group membership based userClass works for renames,
* moves and moves with renames.
*
* @throws Exception if the test encounters an error
*/
@Test
public void testGrantByAdministrators() throws Exception
{
// ----------------------------------------------------------------------------
// Test simple Rdn change: NO SUBTREE MOVEMENT!
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try the rename operation which should fail without any ACI
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm to all users in the Administrators group for entries
createAccessControlSubentry( "grantRenameByAdmin",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses " +
" { " +
" userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// see if we can now rename that test entry which we could not before
// rename op should still fail since billyd is not in the admin group
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try a rename operation which should succeed with ACI and group membership change
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
deleteAccessControlSubentry( "grantRenameByAdmin" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move and Rdn change at the same time.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to all users in the Administrators
// group for entries - browse is needed just to read navigate the tree at root
createAccessControlSubentry( "grantRenameMoveByAdmin",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses " +
" { " +
" userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move w/ rdn change which should succeed with ACI and group membership change
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
deleteAccessControlSubentry( "grantRenameMoveByAdmin" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move ONLY without any Rdn changes.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// Gives grantImport, and grantExport perm to all users in the Administrators group for entries
createAccessControlSubentry( "grantMoveByAdmin",
"{ " +
" identificationTag \"addAci\", "
+ " precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses " +
" { " +
" userGroup { \"cn=Administrators,ou=groups,ou=system\" } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// see if we can now move that test entry which we could not before
// op should still fail since billyd is not in the admin group
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move operation which should succeed with ACI and group membership change
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
deleteAccessControlSubentry( "grantMoveByAdmin" );
deleteUser( "billyd" );
}
/**
* Checks to make sure name based userClass works for rename, move, and
* rename with move operation access controls.
*
* @throws Exception if the test encounters an error
*/
@Test
public void testGrantByName() throws Exception
{
// ----------------------------------------------------------------------------
// Test simple Rdn change: NO SUBTREE MOVEMENT!
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try the rename operation which should fail without any ACI
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm specifically to the billyd user
createAccessControlSubentry( "grantRenameByName",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameByName" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move and Rdn change at the same time.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou,ou=users", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport perm to billyd user on entries
createAccessControlSubentry( "grantRenameMoveByName",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByName" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move ONLY without any Rdn changes.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=testou", "ou=groups" ) );
// Gives grantImport, and grantExport perm to billyd user for entries
createAccessControlSubentry( "grantMoveByName",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { name { \"uid=billyd,ou=users,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByName" );
deleteUser( "billyd" );
}
/**
* Checks to make sure subtree based userClass works for rename, move, and
* rename with move operation access controls.
*
* @throws Exception if the test encounters an error
*/
@Test
public void testGrantBySubtree() throws Exception
{
// ----------------------------------------------------------------------------
// Test simple Rdn change: NO SUBTREE MOVEMENT!
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try the rename operation which should fail without any ACI
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to those users selected by the subtree
createAccessControlSubentry( "grantRenameByTree",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses " +
" { " +
" subtree { { base \"ou=users,ou=system\" } } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameByTree" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move and Rdn change at the same time.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to users selected by subtree
createAccessControlSubentry( "grantRenameMoveByTree",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: { " +
" userClasses " +
" { " +
" subtree { { base \"ou=users,ou=system\" } } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByTree" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move ONLY without any Rdn changes.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to subtree selected users
createAccessControlSubentry( "grantMoveByTree",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses " +
" { " +
" subtree { { base \"ou=users,ou=system\" } } " +
" }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByTree" );
deleteUser( "billyd" );
}
/**
* Checks to make sure the <b>anyUser</b> userClass works for rename, move, and
* rename with move operation access controls.
*
* @throws Exception if the test encounters an error
*/
@Test
public void testGrantByAnyuser() throws Exception
{
// ----------------------------------------------------------------------------
// Test simple Rdn change: NO SUBTREE MOVEMENT!
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try the rename operation which should fail without any ACI
assertFalse( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// Gives grantRename perm for entries to any user
createAccessControlSubentry( "grantRenameByAny",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { allUsers }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try a rename operation which should succeed with ACI
assertTrue( checkCanRenameAs( "billyd", "billyd", "ou=testou", "ou=newname" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameByAny" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move and Rdn change at the same time.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantRename, grantImport, grantExport for entries to any user
createAccessControlSubentry( "grantRenameMoveByAny",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { allUsers }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move w/ rdn change which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantRenameMoveByAny" );
deleteUser( "billyd" );
// ----------------------------------------------------------------------------
// Test move ONLY without any Rdn changes.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try move operation which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// Gives grantImport, and grantExport perm for entries to any user
createAccessControlSubentry( "grantMoveByAny",
"{ " +
" identificationTag \"addAci\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { allUsers }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems {entry}, " +
" grantsAndDenials { grantExport, grantImport, grantRename, grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// try move operation which should succeed with ACI
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou1", "ou=testou2", "ou=groups" ) );
// now let's cleanup
deleteAccessControlSubentry( "grantMoveByAny" );
deleteUser( "billyd" );
}
/**
* Checks to make sure Export and Import permissions work correctly
* when they are defined on seperate contexts.
*
* @throws Exception if the test encounters an error
*/
@Test
public void testExportAndImportSeperately() throws Exception
{
// ----------------------------------------------------------------------------
// Test move and Rdn change at the same time.
// ----------------------------------------------------------------------------
// create the non-admin user
createUser( "billyd", "billyd" );
// try an move w/ rdn change which should fail without any ACI
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// Gives grantBrowse perm to all users in the Administrators
// group for entries
// It's is needed just to read navigate the tree at root
createAccessControlSubentry( "grantBrowseForTheWholeNamingContext", "{ }",
"{ " +
" identificationTag \"browseACI\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems { entry }, " +
" grantsAndDenials { grantBrowse } " +
" } " +
" } " +
" } " +
"}" );
// Gives grantExport, grantRename perm to all users in the Administrators
// group for entries
createAccessControlSubentry( "grantExportFromASubtree", "{ base \"ou=users\" }",
"{ " +
" identificationTag \"exportACI\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems { entry }, " +
" grantsAndDenials { grantExport, grantRename } " +
" } " +
" } " +
" } " +
"}" );
// Gives grantImport perm to all users in the Administrators
// group for the target context
createAccessControlSubentry( "grantImportToASubtree", "{ base \"ou=groups\" }",
"{ " +
" identificationTag \"importACI\", " +
" precedence 14, " +
" authenticationLevel none, " +
" itemOrUserFirst userFirst: " +
" { " +
" userClasses { userGroup { \"cn=Administrators,ou=groups,ou=system\" } }, " +
" userPermissions " +
" { " +
" { " +
" protectedItems { entry }, " +
" grantsAndDenials { grantImport } " + " } " +
" } " +
" } " +
"}" );
// see if we can move and rename the test entry which we could not before
// op should still fail since billyd is not in the admin group
assertFalse( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now add billyd to the Administrator group and try again
addUserToGroup( "billyd", "Administrators" );
// try move w/ rdn change which should succeed with ACI and group membership change
assertTrue( checkCanMoveAndRenameAs( "billyd", "billyd", "ou=testou", "ou=newname", "ou=groups" ) );
// now let's cleanup
removeUserFromGroup( "billyd", "Administrators" );
deleteAccessControlSubentry( "grantBrowseForTheWholeNamingContext" );
deleteAccessControlSubentry( "grantExportFromASubtree" );
deleteAccessControlSubentry( "grantImportToASubtree" );
deleteUser( "billyd" );
}
}