From 745d3ccec1c5673231f872a7bc8d9ff6fa655279 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 25 Jul 2007 23:12:49 +0000
Subject: [PATCH] Add new ACI keyword "extop" that can be used to enforce access based on the OID of an extended operation. For example, a new global access extended operation rule is also being added:
---
opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java | 29 +++++++++++++++++++++--------
1 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
index 6c2f536..4be19c9 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -1069,26 +1069,38 @@
"allow(write)", BIND_RULE_USERDN_SELF);
private static final String GLOBAL_SCHEMA_ACI =
- buildGlobalAciValue("name", "User-Visible Schema Operational Attributes",
+ buildGlobalAciValue("name",
+ "User-Visible Schema Operational Attributes",
"target", "ldap:///cn=schema", "targetscope", "base",
"targetattr",
- "attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses",
+ "attributeTypes||dITContentRules||dITStructureRules||" +
+ "ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||" +
+ "objectClasses",
"allow(read, search, compare)", BIND_RULE_USERDN_ANYONE);
private static final String GLOBAL_DSE_ACI = buildGlobalAciValue(
"name","User-Visible Root DSE Operational Attributes",
"target", "ldap:///", "targetscope", "base",
"targetattr",
- "namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedSASLMechanisms||vendorName||vendorVersion",
+ "namingContexts||supportedAuthPasswordSchemes||supportedControl||" +
+ "supportedExtension||supportedFeatures||supportedSASLMechanisms||" +
+ "vendorName||vendorVersion",
"allow(read, search, compare)",BIND_RULE_USERDN_ANYONE);
private static final String GLOBAL_USER_OP_ATTRS_ACI = buildGlobalAciValue(
"name", "User-Visible Operational Attributes", "targetattr",
- "createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry",
+ "createTimestamp||creatorsName||modifiersName||modifyTimestamp||" +
+ "entryDN||entryUUID||subschemaSubentry",
"allow(read, search, compare)", BIND_RULE_USERDN_ANYONE);
private static final String GLOBAL_CONTROL_ACI = buildGlobalAciValue(
- "name", "Control", "targetcontrol", "*",
+ "name", "Anonymous control access", "targetcontrol",
+ "*",
+ "allow(read)", BIND_RULE_USERDN_ANYONE);
+
+ private static final String GLOBAL_EXT_OP_ACI = buildGlobalAciValue(
+ "name", "Anonymous extend op access", "extop",
+ "*",
"allow(read)", BIND_RULE_USERDN_ANYONE);
private static final String GLOBAL_DEFAULT_ACIS =
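Review bot: The added GLOBAL_EXT_OP_ACI pairs `"extop", "*"` with BIND_RULE_USERDN_ANYONE, so the default global ACIs used by this suite allow every extended operation to every client, anonymous included. No test visible in this patch checks that the new keyword can deny anything. I would add a case that swaps the wildcard for a single OID (e.g. `"extop", "<OID-under-test>"`) and asserts that a different extended operation is refused. Otherwise a regression that makes `extop` match everything would still pass. The name string `"Anonymous extend op access"` also looks like a typo for `"Anonymous extended operation access"`. The GLOBAL_DEFAULT_ACIS declaration that begins on the last line continues outside this hunk.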
@@ -1096,7 +1108,7 @@
GLOBAL_ANONYMOUS_READ_ACI,
GLOBAL_SELF_WRITE_ACI, GLOBAL_SCHEMA_ACI,
GLOBAL_DSE_ACI, GLOBAL_USER_OP_ATTRS_ACI,
- GLOBAL_CONTROL_ACI);
+ GLOBAL_CONTROL_ACI, GLOBAL_EXT_OP_ACI);
//ACI used to test LDAP compare.
private static final
@@ -2065,7 +2077,7 @@
String aciField = aciFields[i];
String aciValue = aciFields[i+1];
- if (aciField.startsWith("targ")) {
+ if (aciField.startsWith("targ") || aciField.equals("extop")) {
if (!aciField.endsWith("=")) { // We allow = or more importantly != to be included with the target
aciField += "=";
}
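Review bot: The new `aciField.equals("extop")` test is stricter than the `startsWith("targ")` check beside it. The inline comment says `=` or `!=` may be included with the field name, but a field written as `"extop="` or `"extop!="` will not take this branch. The same exact-match appears in the last hunk (`!permission.equals("extop")`), where such a field would pass the filter and be appended as a permission/bind-rule pair, producing a malformed ACI string in the test. If the keyword is meant to support the same operators as the target keywords (not visible from here), use `aciField.startsWith("extop")` in this hunk and `!permission.startsWith("extop")` in the last one. The enclosing method starts and ends outside both hunks.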
@@ -2092,7 +2104,8 @@
String permission = aciFields[i];
String bindRule = aciFields[i+1];
- if (!permission.startsWith("targ") && !permission.equals("name")) {
+ if (!permission.startsWith("targ") && !permission.equals("extop") &&
+ !permission.equals("name")) {
aci.append(EOL + " " + permission + " " + bindRule + ";");
}
}
--
Gitblit v1.10.0