From 6f188eb41717d3783b41cdfa862e2b66ac35e580 Mon Sep 17 00:00:00 2001
From: coulbeck <coulbeck@localhost>
Date: Mon, 12 Mar 2007 20:22:47 +0000
Subject: [PATCH] Add support for subordinate subtree to ACI.
---
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java | 1 +
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java | 17 ++++++++---------
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java | 6 ++++++
3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
index 59230ee..dce9200 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
@@ -321,9 +321,6 @@
targetScope, targAttrFilters);
}
- /*
- * TODO Add support for the SearchScope.SUBORDINATE_SUBTREE scope.
- */
/**
* Evaluates a provided scope string and returns an appropriate
* SearchScope enumeration.
@@ -340,6 +337,8 @@
return SearchScope.SINGLE_LEVEL;
else if(expression.equalsIgnoreCase("subtree"))
return SearchScope.WHOLE_SUBTREE;
+ else if(expression.equalsIgnoreCase("subordinate"))
+ return SearchScope.SUBORDINATE_SUBTREE;
else {
int msgID =
MSGID_ACI_SYNTAX_INVALID_TARGETSCOPE_EXPRESSION;
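Review bot: The Javadoc just above this method (only its first sentence is visible in the previous hunk) should list the keywords the parser accepts, now that `subordinate` is one of them. ACI authors otherwise have to read the if/else chain to learn the spelling. A line such as `* Accepted values, compared case-insensitively: "base", "onelevel", "subtree", "subordinate".` would cover it. The method body starts and ends outside the hunk, so check the first two keywords against the branches not shown here.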
@@ -501,12 +500,12 @@
if(!entryDN.isDescendantOf(targetDN))
return false;
break;
- /*
- * TODO Add support for the SearchScope.SUBORDINATE_SUBTREE scope.
- *
- * The isTargetApplicable method doesn't account for the subordinate
- * subtree search scope.
- */
+ case SUBORDINATE_SUBTREE:
+ if ((entryDN.getNumComponents() <= targetDN.getNumComponents()) ||
+ !entryDN.isDescendantOf(targetDN)) {
+ return false;
+ }
+ break;
default:
return false;
}
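Review bot: The new `case SUBORDINATE_SUBTREE` relies on the `getNumComponents()` comparison to exclude the target entry itself, presumably because `isDescendantOf` also accepts an equal DN, and nothing in the code says so. Since this branch decides whether an ACI applies to an entry, I would add a comment such as `// subordinate scope: entries strictly below targetDN, never targetDN itself`. The same two-part test is repeated in the UserDN.java hunk for the bind-rule side, so a small shared helper would keep the two authorization checks from drifting apart. The enclosing switch and method begin outside the hunk.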
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java
index 4ec5643..0f88075 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/UserDN.java
@@ -343,6 +343,12 @@
DN parent=evalCtx.getClientDN().getParent();
if((parent != null) && !parent.equals(urlDN))
return EnumEvalResult.FALSE;
+ } else if(scope == SearchScope.SUBORDINATE_SUBTREE) {
+ DN userDN = evalCtx.getClientDN();
+ if ((userDN.getNumComponents() <= urlDN.getNumComponents()) ||
+ !userDN.isDescendantOf(urlDN)) {
+ return EnumEvalResult.FALSE;
+ }
} else {
if(!evalCtx.getClientDN().equals(urlDN))
return EnumEvalResult.FALSE;
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
index 5418bf1..a2a8ee2 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -515,6 +515,7 @@
buildAciValue("name", "w/ targetScope", "targetScope", "base", "allow (write)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "w/ targetScope", "targetScope", "onelevel", "allow (write)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "w/ targetScope", "targetScope", "subtree", "allow (write)", BIND_RULE_USERDN_SELF),
+ buildAciValue("name", "w/ targetScope", "targetScope", "subordinate", "allow (write)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "w/ !target", "target!=", LDAP_URL_OU_INNER, "allow (write)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "w/ 1 !targetattr", "targetattr!=", "cn", "allow (write)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "w/ 2 !targetattr", "targetattr!=", "cn || sn", "allow (write)", BIND_RULE_USERDN_SELF),
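Review bot: The added `subordinate` line only extends what looks like a list of syntactically valid ACIs, so the new evaluation branches in AciTargets.java and UserDN.java are not exercised by this commit. I would add cases that check an ACI with `targetScope` set to `subordinate` is not applied to the target entry itself and is applied to an entry below it. The equivalent pair is needed for a userdn URL with the subordinate scope. The boundary case, where the entry equals the target, is the one an access-control regression would most likely hit. The enclosing array starts and ends outside the hunk.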
--
Gitblit v1.10.0