From 454f30a6833ee040d5014000ffea7eb1221980d6 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Tue, 13 Oct 2009 00:34:20 +0000
Subject: [PATCH] Unit test for issue 4278.
---
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 3 +--
opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetTestCase.java | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index c41b659..b3a0e96 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -1431,6 +1431,7 @@
LinkedList<Aci> allows = evalCtx.getAllowList();
// If allows list is empty and not doing geteffectiverights return
// false.
+ evalCtx.setDenyEval(true);
if (allows.isEmpty()
&& !(evalCtx.isGetEffectiveRightsEval()
&& !evalCtx.hasRights(ACI_SELF) && evalCtx
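Review bot: The added `evalCtx.setDenyEval(true);` sits between the comment "If allows list is empty and not doing geteffectiverights return false." and the `if` that comment describes, so the comment now reads as if it documents the flag assignment. Move the call above the comment and give it its own why-comment, for example `// Mark the context as deny evaluation before the allow-list check, which may itself consult the context.` Whether the condition actually reads the flag cannot be confirmed here, because the condition and the enclosing method continue outside the hunk. This reorders access-control evaluation, so the commit subject ("Unit test for issue 4278.") would be easier to audit if it also mentioned the AciHandler change.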
@@ -1438,10 +1439,8 @@
{
evalCtx.setEvalReason(EnumEvalReason.NO_ALLOW_ACIS);
evalCtx.setDecidingAci(null);
- evalCtx.setDenyEval(true);
return false;
}
- evalCtx.setDenyEval(true);
for (Aci denyAci : denys)
{
res = Aci.evaluate(evalCtx, denyAci);
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetTestCase.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetTestCase.java
index de60d20..5043444 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetTestCase.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/TargetTestCase.java
@@ -30,13 +30,34 @@
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.ByteString;
+import static org.opends.server.config.ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI;
+import org.opends.server.TestCaseUtils;
+import org.opends.server.protocols.ldap.LDAPResultCode;
import static org.testng.Assert.assertTrue;
import static org.testng.Assert.fail;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
+import org.testng.annotations.BeforeClass;
+import org.testng.Assert;
+
+import javax.naming.Context;
+import java.util.Hashtable;
public class TargetTestCase extends AciTestCase
{
+ private static final String testUser="uid=user.3,ou=People,o=test";
+ private static final String aciUser = "o=test";
+
+ private static final
+ String entryCheckACI = "(target=\"ldap:///ou=People,o=test\")" +
+ "(version 3.0; acl \"entryCheck aci\";" +
+ "deny(all) (ssf < \"1\");)";
+
+ private static final
+ String attrACI = "(targetattr!=\"userPassword\")" +
+ "(version 3.0; acl \"user attr ACI\"; " +
+ "allow (search, read, compare) " +
+ "userdn=\"ldap:///anyone\";)";
@DataProvider
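Review bot: Four of the added imports (`TestCaseUtils`, `LDAPResultCode`, `javax.naming.Context`, `java.util.Hashtable`) are not referenced by any code this patch adds, so they look unused and can be dropped unless code outside these hunks needs them. The two ACI constants would also benefit from a short comment each, since `entryCheckACI` only denies when the connection's SSF is below 1. Something like `// Denies all access under ou=People to connections with no security layer (ssf 0); the test relies on a cleartext bind.` records that dependency. `testUser="uid=..."` is also missing the spaces around `=` that `aciUser` has.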
@@ -369,6 +390,12 @@
};
}
+ @BeforeClass
+ public void setupClass() throws Exception {
+ deleteAttrFromAdminEntry(ACCESS_HANDLER_DN, ATTR_AUTHZ_GLOBAL_ACI);
+ addEntries("o=test");
+ }
+
@Test(dataProvider = "matchingPatterns")
public void matchingPatterns(String pattern, String entryDN)
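Review bot: `setupClass()` deletes `ATTR_AUTHZ_GLOBAL_ACI` from the access handler entry, and nothing in this patch restores it. If `AciTestCase` has no class-level teardown that restores the global ACIs (it is not visible here), every test class that runs afterwards sees a server with its global ACIs removed. That can hide or create access-control failures unrelated to this test. Either add an `@AfterClass(alwaysRun = true)` method that restores the original values, or state in a Javadoc on `setupClass()` which base-class hook restores them. The method currently has no Javadoc, unlike `testEntryCheckACI`.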
@@ -425,4 +452,27 @@
assertTrue(!match, aciString + " in entry " + aciDN +
" incorrectly applied to " + entryDN);
}
+
+ /**
+ * Test entry check ACI. Related to issue 4278.
+ *
+ * @throws Exception If a test doesn't pass.
+ */
+ @Test()
+ public void testEntryCheckACI() throws Exception {
+ try {
+ String addACILDIF = makeAddLDIF("aci", aciUser, entryCheckACI);
+ LDIFModify(addACILDIF, DIR_MGR_DN, PWD);
+ String addAttrACILDIF = makeAddLDIF("aci", aciUser, attrACI);
+ LDIFModify(addAttrACILDIF, DIR_MGR_DN, PWD);
+ String userResults =
+ LDAPSearchParams(testUser, PWD, null,null, null,
+ testUser, filter, null);
+ Assert.assertTrue(userResults.equals(""));
+ }
+ finally
+ {
+ deleteAttrFromEntry(aciUser, "aci");
+ }
+ }
}
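Review bot: `Assert.assertTrue(userResults.equals(""))` in `testEntryCheckACI` treats any empty output as proof that the deny ACI was applied. A failed bind for `testUser`, or a missing entry, would presumably also produce an empty string, depending on how `LDAPSearchParams` reports errors. A positive control would make the denial meaningful: run the same search with only `attrACI` in place and assert that it is non-empty, then add `entryCheckACI` and assert that the result is empty. The assertion should also carry a message and show the unexpected content, for example `Assert.assertEquals(userResults, "", "deny(all) (ssf < 1) should hide " + testUser);`. `filter` is not defined in any visible hunk and is presumably inherited from `AciTestCase`.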
--
Gitblit v1.10.0