From smckin...@apache.org
Subject [directory-fortress-core] branch FC-265 updated: + DA checks to user add
Date Thu, 14 Mar 2019 02:05:50 GMT
This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch FC-265
in repository https://gitbox.apache.org/repos/asf/directory-fortress-core.git


The following commit(s) were added to refs/heads/FC-265 by this push:
     new c70ca68  + DA checks to user add
c70ca68 is described below

commit c70ca683cc1fb4684550cdf724eba7287daee167
Author: Shawn McKinney <smckinney@apache.org>
AuthorDate: Wed Mar 13 21:03:55 2019 -0500

    + DA checks to user add
---
 .../directory/fortress/core/DelAccessMgr.java      |  29 ++
 .../directory/fortress/core/GlobalErrIds.java      |   9 +
 .../directory/fortress/core/impl/AdminMgrImpl.java |  17 +-
 .../directory/fortress/core/impl/AdminUtil.java    |  44 ++-
 .../fortress/core/impl/DelAccessMgrImpl.java       |  84 ++++++
 .../fortress/core/rest/DelAccessMgrRestImpl.java   |  22 ++
 .../fortress/core/ProcessMenuCommand.java          |   2 +-
 .../fortress/core/impl/AuditMgrImplTest.java       |  29 +-
 .../fortress/core/impl/DelegatedMgrImplTest.java   |   5 +
 .../directory/fortress/core/impl/PermTestData.java | 310 ++++++++++++++++++++-
 10 files changed, 538 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java b/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
index 6dbe186..974c3dd 100755
--- a/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/DelAccessMgr.java
@@ -116,6 +116,35 @@ public interface DelAccessMgr extends Manageable
 
 
     /**
+     * This function will determine if the user contains an AdminRole that is authorized
to add a new User.
+     *
+     * @param session This object must be instantiated by calling
+     * {@link AccessMgr#createSession(org.apache.directory.fortress.core.model.User, boolean)}
before passing into the method.  No variables need to be set by client after returned from
createSession.
+     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException
+     *          In the event of data validation error (i.e. invalid userId or role name)
or system error.
+     */
+    boolean canAdd( Session session, User user )
+            throws SecurityException;
+
+
+    /**
+     * This function will determine if the user contains an AdminRole that is authorized
update/delete control over
+     * User.
+     *
+     * @param session This object must be instantiated by calling
+     * {@link AccessMgr#createSession(org.apache.directory.fortress.core.model.User, boolean)}
before passing into the method.  No variables need to be set by client after returned from
createSession.
+     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException
+     *          In the event of data validation error (i.e. invalid userId or role name)
or system error.
+     */
+    boolean canEdit( Session session, User user )
+            throws SecurityException;
+
+
+    /**
      * This function returns a Boolean value meaning whether the subject of a given session
is
      * allowed or not to perform a given operation on a given object. The function is valid
if and
      * only if the session is a valid Fortress session, the object is a member of the OBJS
data set,
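Review bot: The `@param user` line on canAdd says only a valid userId is required, but DelAccessMgrImpl.canAdd in this same commit additionally asserts that user.getOu() is non-empty and raises USER_OU_NULL otherwise, so a caller who trusts the interface Javadoc will hit a validation error it was told could not happen. Suggest `* @param user Instantiated User entity requires valid userId and ou attributes set; the ou is what the admin's OSU authority is checked against.` for canAdd, leaving canEdit as is since that path reads the stored ou from the directory. The canEdit summary also reads oddly; `* This function will determine if the user contains an AdminRole that is authorized to update or delete the User.` is clearer.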
diff --git a/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java b/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
index fef9811..0749bac 100755
--- a/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
@@ -392,6 +392,15 @@ public final class GlobalErrIds
     public static final int USER_ADMIN_CANNOT_ADD = 1039;
 
     /**
+     * The Admin is not authorized to edit the User.
+     */
+    public static final int USER_ADMIN_CANNOT_CHANGE = 1040;
+    /**
+     * The User ou name supplied for User was not found on server.
+     */
+    public static final int USER_OU_NULL = 1041;
+
+    /**
      * 2000's User-Role assignments
      */
 
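Review bot: The Javadoc on USER_OU_NULL says the ou `was not found on server`, but the only place this commit raises it is DelAccessMgrImpl.canAdd, where it fires when user.getOu() is null or empty before any directory lookup happens. Suggest `* The User ou attribute was not supplied (null or empty).` so the error text describes what the caller actually did wrong. A blank line between USER_ADMIN_CANNOT_CHANGE and the following Javadoc would also match the spacing of the surrounding constants.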
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
index 93c7191..2e58816 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
@@ -104,7 +104,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
         // Perform delegated admin check:
-        AdminUtil.checkUser(user.getAdminSession(), user);
+        AdminUtil.canDo( adminSess, user, contextId, true );
+        //AdminUtil.checkUser(user.getAdminSession(), user);
         // Add the User record to ldap.
         return userP.add( user );
     }
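Review bot: The old call is left behind as `//AdminUtil.checkUser(user.getAdminSession(), user);` directly under the new check; commented-out code should be deleted rather than carried along, since git history keeps it and the same method is being block-commented out in AdminUtil in this commit. The identical `AdminUtil.canDo( adminSess, user, contextId, false );` line is added to disableUser, deleteUser, updateUser, changePassword, lockUserAccount, resetPassword and deletePasswordPolicy in the hunks below; all of them now consult the manager's `adminSess` field rather than `user.getAdminSession()` as before, which is fine if setEntitySession makes the two equivalent, but if a client could previously supply the admin session on the entity itself that path is silently ignored now and deserves a mention in the release notes. Since canDo (per the AdminUtil hunk) does nothing when the session is null, these methods stay unprotected in deployments that never establish an admin session; a sentence to that effect in the addUser Javadoc, which lies outside the hunk, would make the contract explicit.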
@@ -120,6 +121,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         String methodName = "disableUser";
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         // set the user's status to "deleted"
         String userDn = userP.softDelete( user );
         // lock the user out of ldap.
@@ -143,6 +146,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         String methodName = "deleteUser";
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         // remove the userId attribute from any granted permission operations (if applicable).
         permP.remove( user );
         // remove the user inetOrgPerson object from ldap.
@@ -165,6 +170,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         return userP.update( user );
     }
 
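Review bot: `setEntitySession( CLS_NM, methodName, user );` appears twice in a row in updateUser immediately above the new delegated-admin check; this is pre-existing context rather than something the commit introduced, but since the method is being touched anyway the second call can be dropped. updateUser's signature lies outside the hunk.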
@@ -179,6 +186,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         String methodName = "changePassword";
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         VUtil.assertNotNullOrEmpty( newPassword, GlobalErrIds.USER_PW_NULL, CLS_NM + methodName
);
         userP.changePassword( user, newPassword );
     }
@@ -194,6 +203,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         String methodName = "lockUserAccount";
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         userP.lock( user );
     }
 
@@ -223,6 +234,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         VUtil.assertNotNullOrEmpty( newPassword, GlobalErrIds.USER_PW_NULL, CLS_NM + "."
+ methodName );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         user.setPassword( newPassword );
         userP.resetPassword( user );
     }
@@ -238,6 +251,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr,
Serializ
         String methodName = "deletePasswordPolicy";
         assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
         setEntitySession( CLS_NM, methodName, user );
+        // Perform delegated admin check:
+        AdminUtil.canDo( adminSess, user, contextId, false );
         userP.deletePwPolicy( user );
     }
 
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
index 641514b..afa24f0 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
@@ -19,18 +19,12 @@
  */
 package org.apache.directory.fortress.core.impl;
 
-import org.apache.commons.collections.CollectionUtils;
 import org.apache.directory.fortress.core.DelAccessMgr;
 import org.apache.directory.fortress.core.AuthorizationException;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.DelAccessMgrFactory;
 import org.apache.directory.fortress.core.model.*;
-import org.apache.directory.fortress.core.util.Config;
-
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
 
 /**
  * This class supplies static wrapper utilities to provide ARBAC functionality to Fortress
internal Manager APIs.
@@ -50,6 +44,7 @@ final class AdminUtil
     {
     }
 
+/*
     static void checkUser(Session session, User user) throws SecurityException
     {
         String SUPER_ADMIN = Config.getInstance().getProperty("superadmin.role", "fortress-core-super-admin");
@@ -100,6 +95,7 @@ final class AdminUtil
             throw new SecurityException(GlobalErrIds.USER_ADMIN_CANNOT_ADD, warning);
         }
     }
+*/
 
     /**
      * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session,
org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
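Review bot: Rather than wrapping the old checkUser in a `/*` … `*/` block, delete it: the replacement now lives in DelAccessMgrImpl.checkUser, git history preserves the original, and the commented body still references Config and the `superadmin.role` property in a file whose imports for Config, CollectionUtils, List, Set and TreeSet were removed in the preceding hunk, which is a trap for whoever uncomments it later. If it must stay for now, a `// TODO(FC-265): remove once DelAccessMgr.canAdd/canEdit are verified` above the block says why it is there.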
@@ -204,6 +200,42 @@ final class AdminUtil
     }
 
     /**
+     * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session,
org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
+     * This will determine if the user contains an AdminRole that is authorized assignment
control over User.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession}
method before passing into the method.  No variables need to be set by client after returned
from createSession.
+     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
+     * @throws org.apache.directory.fortress.core.SecurityException In the event of data
validation error (i.e. invalid userId or role name) or system error.
+     */
+    static void canDo(Session session, User user, String contextId, boolean isAdd) throws
SecurityException
+    {
+        if (session != null)
+        {
+            boolean result;
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            if(isAdd)
+            {
+                result = dAccessMgr.canAdd(session, user);
+                if (!result)
+                {
+                    String warning = "canDo User [" + user.getUserId() + "] Admin [" + session.getUserId()
+ "] failed check.";
+                    throw new SecurityException(GlobalErrIds.USER_ADMIN_CANNOT_ADD, warning);
+                }
+            }
+            else
+            {
+                result = dAccessMgr.canEdit(session, user);
+                if (!result)
+                {
+                    String warning = "canDo User [" + user.getUserId() + "] Admin [" + session.getUserId()
+ "] failed check.";
+                    throw new SecurityException(GlobalErrIds.USER_ADMIN_CANNOT_CHANGE, warning);
+                }
+            }
+        }
+    }
+
+    /**
      * Method is called by Manager APIs to load contextual information on {@link org.apache.directory.fortress.core.model.FortEntity}
and perform checkAccess on Administrative permission.
      * <p>
      * The information is used to
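Review bot: canDo silently permits the operation when `session` is null, because the entire body sits inside `if (session != null)`, so a caller that never establishes an admin session bypasses the delegated-admin check instead of failing; if that mirrors the other wrappers in this class (not visible here) it is still worth a comment on the guard such as `// A null admin session means ARBAC checks are not in force for this caller; nothing to enforce.` so the fail-open reads as deliberate. The Javadoc is copied from canAssign: it links `DelAccessMgrImpl#canAssign`, speaks of "assignment control", and omits `@param isAdd`; suggest `* Wrapper function to call {@link DelAccessMgrImpl#canAdd} or {@link DelAccessMgrImpl#canEdit}, depending on isAdd.` plus `* @param isAdd true to check authority to add the User, false to check authority to edit or delete it.`. The two branches also build byte-identical warning strings; computing `boolean result = isAdd ? dAccessMgr.canAdd(session, user) : dAccessMgr.canEdit(session, user);` and throwing once with the chosen error id would halve the method.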
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java
index e250889..19ecb41 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/DelAccessMgrImpl.java
@@ -138,6 +138,33 @@ public class DelAccessMgrImpl extends AccessMgrImpl implements DelAccessMgr,
Ser
      * {@inheritDoc}
      */
     @Override
+    public boolean canAdd(Session session, User user)
+            throws SecurityException
+    {
+        String methodName = "canAssign";
+        assertContext(CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL);
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        VUtil.assertNotNullOrEmpty(user.getOu(), GlobalErrIds.USER_OU_NULL, methodName);
+        return checkUser(session, user, true);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public boolean canEdit(Session session, User user)
+            throws SecurityException
+    {
+        String methodName = "canAssign";
+        assertContext(CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL);
+        assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
+        return checkUser(session, user, false);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
     public boolean checkAccess(Session session, Permission perm)
         throws SecurityException
     {
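Review bot: Both new methods set `String methodName = "canAssign";`, so any USER_SESS_NULL, USER_NULL or USER_OU_NULL error raised from them is attributed to canAssign in the message and logs, which makes a failed delegated-admin check harder to diagnose than it needs to be. Change them to `String methodName = "canAdd";` and `String methodName = "canEdit";` respectively. The VUtil.assertNotNullOrEmpty call in canAdd passes bare `methodName` as context whereas AdminMgrImpl passes `CLS_NM + "." + methodName`; using the same form here keeps the error text consistent.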
@@ -257,6 +284,63 @@ public class DelAccessMgrImpl extends AccessMgrImpl implements DelAccessMgr,
Ser
     }
 
     /**
+     * This helper function processes "can do".
+     * @param session
+     * @param user
+     * @return boolean
+     * @throws SecurityException
+     */
+    private boolean checkUser(Session session, User user, boolean isAdd)
+        throws SecurityException
+    {
+        boolean result = false;
+        List<UserAdminRole> uaRoles = session.getAdminRoles();
+        if(CollectionUtils.isNotEmpty( uaRoles ))
+        {
+            // validate user and retrieve user' ou:
+            // TODO: If this is an 'add', use the value of ou passed in 'user', other read
from directory and use that.
+            User ue;
+            if(!isAdd)
+            {
+                ue = userP.read(user, false);
+            }
+            else
+            {
+                ue = user;
+            }
+
+            for(UserAdminRole uaRole : uaRoles)
+            {
+                if(uaRole.getName().equalsIgnoreCase(SUPER_ADMIN))
+                {
+                    result = true;
+                    break;
+                }
+                Set<String> osUs = uaRole.getOsUSet();
+                if(CollectionUtils.isNotEmpty( osUs ))
+                {
+                    // create Set with case insensitive comparator:
+                    Set<String> osUsFinal = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+                    for(String osU : osUs)
+                    {
+                        // Add osU children to the set:
+                        osUsFinal.add(osU);
+                        Set<String> children = UsoUtil.getInstance().getDescendants(
osU, this.contextId );
+                        osUsFinal.addAll(children);
+                    }
+                    // does the admin role have authority over the user object?
+                    if(osUsFinal.contains(ue.getOu()))
+                    {
+                        result = true;
+                        break;
+                    }
+                }
+            }
+        }
+        return result;
+    }
+
+    /**
      * This helper function processes ARBAC URA "can assign".
      * @param session
      * @param user
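Review bot: On the edit path `ue` comes from `userP.read(user, false)` and its ou is never validated before `osUsFinal.contains(ue.getOu())`; a TreeSet built with String.CASE_INSENSITIVE_ORDER throws NullPointerException on a null argument once it holds an element, so if a directory entry without ou can exist (not verifiable here) the check ends in an NPE rather than a clean denial. Adding `VUtil.assertNotNullOrEmpty(ue.getOu(), GlobalErrIds.USER_OU_NULL, CLS_NM + ".checkUser");` after ue is resolved would turn that into a SecurityException, matching what canAdd already does for the caller-supplied ou. The `// TODO:` comment above the if/else describes exactly what the code beneath it already does and should become a plain statement, e.g. `// For an add the ou supplied on the entity is authoritative; otherwise use the ou stored in the directory.`; the Javadoc also lacks `@param isAdd`. Descendants of every osU are recomputed on each call and for every admin role held, which is acceptable for now but worth a `// NOTE: OSU descendants are recomputed per call` if the UsoUtil lookup is not cached (not visible here).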
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/DelAccessMgrRestImpl.java
b/src/main/java/org/apache/directory/fortress/core/rest/DelAccessMgrRestImpl.java
index ab1baf7..82a910a 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/DelAccessMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/DelAccessMgrRestImpl.java
@@ -382,4 +382,26 @@ public class DelAccessMgrRestImpl extends AccessMgrRestImpl implements
DelAccess
         }
         return retPerms;
     }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public boolean canAdd(Session session, User user)
+            throws SecurityException
+    {
+        throw new UnsupportedOperationException( "not implemented" );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public boolean canEdit(Session session, User user)
+            throws SecurityException
+    {
+        throw new UnsupportedOperationException( "not implemented" );
+    }
 }
\ No newline at end of file
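Review bot: Both REST overrides throw `UnsupportedOperationException("not implemented")`, which is not a SecurityException; if DelAccessMgrFactory.createInstance can return DelAccessMgrRestImpl in REST-backed deployments (not visible here), AdminUtil.canDo will now abort every user add, update, delete, lock, password and policy call with an unchecked exception whenever an admin session is present. If the REST path is intentionally unsupported for now, say so in the Javadoc instead of `{@inheritDoc}`, e.g. `* Not yet supported over REST; always throws {@link UnsupportedOperationException}.`, and add a `// TODO(FC-265): delegate to the ARBAC canAdd/canEdit REST endpoints` so it is not forgotten.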
diff --git a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
index f9f1790..5f7b0a9 100755
--- a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
+++ b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
@@ -195,7 +195,7 @@ class ProcessMenuCommand
         }
         catch ( Exception e )
         {
-            LOG.error( "Exception caught in processEncryptManagerFunction = " + e );
+            LOG.error( "Exception caught in processGroupManagerFunction = " + e );
         }
     }
 
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/AuditMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/impl/AuditMgrImplTest.java
index d718412..db7f847 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/AuditMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/AuditMgrImplTest.java
@@ -34,6 +34,7 @@ import org.apache.directory.fortress.core.model.Mod;
 import org.apache.directory.fortress.core.model.Session;
 import org.apache.directory.fortress.core.model.User;
 import org.apache.directory.fortress.core.model.UserAudit;
+import org.apache.directory.fortress.core.util.Config;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -107,9 +108,13 @@ public class AuditMgrImplTest extends TestCase
         disabled = new HashMap();
         disabled.put("AdminMgrImpl.updateSsdSet", null);
         disabled.put("AdminMgrImpl.updateDsdSet", null);
+        disabled.put("AdminMgrImpl.enableRoleConstraint", null);
+        disabled.put("AdminMgrImpl.disableRoleConstraint", null);
+        disabled.put("AdminMgrImpl.addPermissionAttributeToSet", null);
+        disabled.put("AdminMgrImpl.addPermissionAttributeSet", null);
+        disabled.put("AdminMgrImpl.deletePermissionAttributeSet", null);
         disabled.put("PwPolicyMgrImpl.search", null);
-        //disabled.put("AdminMgrImpl.changePassword", null);
-        //disabled.put("AdminMgrRestImpl.changePassword", null);
+        disabled.put("PwPolicyMgrImpl.read", null);
         LOG.info( "loadAuditMap isFirstRun [" + FortressJUnitTest.isFirstRun() + "]" );
         if ( FortressJUnitTest.isFirstRun() )
         {
@@ -126,6 +131,8 @@ public class AuditMgrImplTest extends TestCase
             disabled.put( "AdminMgrImpl.deleteDsdRoleMember", null );
             disabled.put( "AdminMgrImpl.deleteDsdSet", null );
             disabled.put( "AdminMgrImpl.disableUser", null );
+            disabled.put( "AdminMgrImpl.deletePermissionAttributeSet", null );
+            disabled.put( "AdminMgrImpl.removePermissionAttributeFromSet", null );
 
             disabled.put( "DelAdminMgrImpl.deleteRole", null );
             disabled.put( "DelAdminMgrImpl.deassignUser", null );
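Review bot: `disabled.put( "AdminMgrImpl.deletePermissionAttributeSet", null );` is added here inside the isFirstRun block, but the same key was already put unconditionally in the previous hunk, so this line is redundant and can be dropped. The enclosing method starts before the first hunk of this file.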
@@ -136,6 +143,24 @@ public class AuditMgrImplTest extends TestCase
             disabled.put( "PwPolicyMgrImpl.deletePasswordPolicy", null );
             disabled.put( "PwPolicyMgrImpl.delete", null );
         }
+        // Only for OpenLDAP and ApacheDS
+        if ( !Config.getInstance().isOpenldap() && !Config.getInstance().isApacheds()
)
+        {
+            LOG.info( "loadAuditMap Disable Password Policy" );
+            disabled.put( "PswdPolicyMgrImpl.testMinAge", null );
+            disabled.put( "PswdPolicyMgrImpl.testMaxAge", null );
+            disabled.put( "PswdPolicyMgrImpl.testInHistory", null );
+            disabled.put( "PswdPolicyMgrImpl.testMinLength", null );
+            disabled.put( "PswdPolicyMgrImpl.testExpireWarning", null );
+            disabled.put( "PswdPolicyMgrImpl.testGraceLoginLimit", null );
+            disabled.put( "PswdPolicyMgrImpl.testMaxFailure", null );
+            disabled.put( "PswdPolicyMgrImpl.testLockoutDuration", null );
+            disabled.put( "PswdPolicyMgrImpl.testLockout", null );
+            disabled.put( "PswdPolicyMgrImpl.testFailureCountInterval", null );
+            disabled.put( "PswdPolicyMgrImpl.testMustChange", null );
+            disabled.put( "PswdPolicyMgrImpl.testAllowUserChange", null );
+            disabled.put( "PswdPolicyMgrImpl.testSafeModify", null );
+        }
         return disabled;
     }
 
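Review bot: The comment `// Only for OpenLDAP and ApacheDS` sits above a condition that is true when the server is neither, so a reader has to invert it; `// Password-policy audit checks are only exercised against OpenLDAP and ApacheDS; disable them for other servers.` says what the branch does. The keys added in this block are prefixed `PswdPolicyMgrImpl.` while every other entry in the map uses `PwPolicyMgrImpl.`; if the map is keyed by the same naming scheme the new entries will never match, and the test would not notice because an absent key presumably only means the audit is checked rather than skipped (inferred from how the map is built, its consumer is not visible here).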
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/DelegatedMgrImplTest.java
b/src/test/java/org/apache/directory/fortress/core/impl/DelegatedMgrImplTest.java
index e1f26df..c272d89 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/DelegatedMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/DelegatedMgrImplTest.java
@@ -141,6 +141,11 @@ public class DelegatedMgrImplTest extends TestCase
             AdminMgrImplTest.addPermObjs( "ADD-OBS DELEGATEDREVIEWMGR_OBJ", PermTestData.DELEGATEDREVIEWMGR_OBJ,
false,
                 false );
             AdminMgrImplTest.addPermObjs( "ADD-OBS REVIEWMGR_OBJ", PermTestData.REVIEWMGR_OBJ,
false, false );
+            AdminMgrImplTest.addPermObjs( "ADD-OBS GROUPMGR_OBJ", PermTestData.GROUPMGR_OBJ,
false, false );
+            AdminMgrImplTest.addPermOps( "ADD-OPS GROUPMGR_OBJ GROUPMGR_OPS", PermTestData.GROUPMGR_OBJ,
+                    PermTestData.GROUPMGR_OPS, false, false );
+
+
             AdminMgrImplTest.addPermOps( "ADD-OPS PSWDMGR_OBJ PSWDMGR_OPS", PermTestData.PSWDMGR_OBJ,
                 PermTestData.PSWDMGR_OPS, false, false );
             AdminMgrImplTest.addPermOps( "ADD-OPS ADMINMGR_OBJ ADMINMGR_OPS", PermTestData.ADMINMGR_OBJ,
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java b/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
index e489987..5be2ff2 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
@@ -1639,7 +1639,18 @@ public class PermTestData extends TestCase
                 "", /* USERS_COL */
                 "", /* GROUPS_COL */
                 "T" /* IS_ADMIN_COL */
-}
+},
+            {
+                "read", /* NAME_COL */
+                "PasswordMgr Operation", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
     };
 
     public static final String[][] ADMINMGR_OBJ =
@@ -2088,9 +2099,94 @@ public class PermTestData extends TestCase
                 "", /* GROUPS_COL */
                 "T" /* IS_ADMIN_COL */
 },
-
+            {
+                "addPermissionAttributeSet", /* NAME_COL */
+                "AdminMgr Operation", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
+            {
+                "addPermissionAttributeToSet", /* NAME_COL */
+                "AdminMgr Operation", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
+            {
+                "deletePermissionAttributeSet", /* NAME_COL */
+                "AdminMgr Operation", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
+/*
+                    "addPermissionAttributeToSet"
+                    "removePermissionAttributeFromSet"
+                    "updatePermissionAttributeInSet",
+                    "addPermissionAttributeSet"
+                    "deletePermissionAttributeSet"
+
+*/
+            {
+                    "addRoleConstraint", /* NAME_COL */
+                    "AdminMgr Operation", /* DESC_COL */
+                    "", /* OBJ_ID_COL */
+                    "ADMIN", /* TYPE_COL */
+                    "", /* PROPS_COL */
+                    "", /* ROLES_COL */
+                    "", /* USERS_COL */
+                    "", /* GROUPS_COL */
+                    "T" /* IS_ADMIN_COL */
+            },
+            {
+                    "removeRoleConstraint", /* NAME_COL */
+                    "AdminMgr Operation", /* DESC_COL */
+                    "", /* OBJ_ID_COL */
+                    "ADMIN", /* TYPE_COL */
+                    "", /* PROPS_COL */
+                    "", /* ROLES_COL */
+                    "", /* USERS_COL */
+                    "", /* GROUPS_COL */
+                    "T" /* IS_ADMIN_COL */
+            },
+            {
+                    "enableRoleConstraint", /* NAME_COL */
+                    "AdminMgr Operation", /* DESC_COL */
+                    "", /* OBJ_ID_COL */
+                    "ADMIN", /* TYPE_COL */
+                    "", /* PROPS_COL */
+                    "", /* ROLES_COL */
+                    "", /* USERS_COL */
+                    "", /* GROUPS_COL */
+                    "T" /* IS_ADMIN_COL */
+            },
+            {
+                    "disableRoleConstraint", /* NAME_COL */
+                    "AdminMgr Operation", /* DESC_COL */
+                    "", /* OBJ_ID_COL */
+                    "ADMIN", /* TYPE_COL */
+                    "", /* PROPS_COL */
+                    "", /* ROLES_COL */
+                    "", /* USERS_COL */
+                    "", /* GROUPS_COL */
+                    "T" /* IS_ADMIN_COL */
+            },
     };
 
+
     public static final String[][] DELEGATEDMGR_OBJ =
         {
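Review bot: The `/* "addPermissionAttributeToSet" ... */` scratch list between the deletePermissionAttributeSet and addRoleConstraint rows is a working note, not documentation, and should be removed; two of the names in it, removePermissionAttributeFromSet and updatePermissionAttributeInSet, have no row in this AdminMgr ops array (presumably ADMINMGR_OPS) even though AuditMgrImplTest in this commit disables `AdminMgrImpl.removePermissionAttributeFromSet`, so either rows are still missing or that disable entry is dead. The four RoleConstraint rows are also indented one level deeper than the rows above them, which makes the array harder to scan.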
             {
@@ -2369,6 +2465,18 @@ public class PermTestData extends TestCase
                 "", /* GROUPS_COL */
                 "T" /* IS_ADMIN_COL */
 },
+                {
+                        "rolePermissions", /* NAME_COL */
+                        "Delegated ReviewMgr Op", /* DESC_COL */
+                        "", /* OBJ_ID_COL */
+                        "ADMIN", /* TYPE_COL */
+                        "", /* PROPS_COL */
+                        "", /* ROLES_COL */
+                        "", /* USERS_COL */
+                        "", /* GROUPS_COL */
+                        "T" /* IS_ADMIN_COL */
+                },
+
     };
 
     public static final String[][] REVIEWMGR_OBJ =
@@ -2433,6 +2541,28 @@ public class PermTestData extends TestCase
                 "T" /* IS_ADMIN_COL */
 },
             {
+                "findPermsByObj", /* NAME_COL */
+                "ReviewMgr Op", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
+            {
+                "findAnyPermissions", /* NAME_COL */
+                "ReviewMgr Op", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+},
+            {
                 "readRole", /* NAME_COL */
                 "ReviewMgr Op", /* DESC_COL */
                 "", /* OBJ_ID_COL */
@@ -2695,9 +2825,32 @@ public class PermTestData extends TestCase
                 "", /* USERS_COL */
                 "", /* GROUPS_COL */
                 "T" /* IS_ADMIN_COL */
-}
+            },
+            {
+                "readPermAttributeSet", /* NAME_COL */
+                "ReviewMgr Op", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+            },
+            {
+                "findRoleConstraints", /* NAME_COL */
+                "ReviewMgr Op", /* DESC_COL */
+                "", /* OBJ_ID_COL */
+                "ADMIN", /* TYPE_COL */
+                "", /* PROPS_COL */
+                "", /* ROLES_COL */
+                "", /* USERS_COL */
+                "", /* GROUPS_COL */
+                "T" /* IS_ADMIN_COL */
+            },
     };
 
+
     public static final String[][] AUDITMGR_OBJ =
         {
             {
@@ -2784,6 +2937,157 @@ public class PermTestData extends TestCase
     };
 
 
+    public static final String[][] GROUPMGR_OBJ =
+            {
+                    {
+                            "org.apache.directory.fortress.core.impl.GroupMgrImpl",
+                            "ARBAC02 policies", /* DESC_COL */
+                            "APP0", /* ORG_COL */
+                            "TST", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    }
+            };
+
+    /**
+     * Test Case TOP1:
+     */
+    public static final String[][] GROUPMGR_OPS =
+            {
+                    {
+                            "add", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "update", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "delete", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "read", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "find", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "findWithUsers", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "roleGroups", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "groupRoles", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "assign", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "deassign", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "addProperty", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+                    {
+                            "deleteProperty", /* NAME_COL */
+                            "GroupMgr Operation", /* DESC_COL */
+                            "", /* OBJ_ID_COL */
+                            "ADMIN", /* TYPE_COL */
+                            "", /* PROPS_COL */
+                            "", /* ROLES_COL */
+                            "", /* USERS_COL */
+                            "", /* GROUPS_COL */
+                            "T" /* IS_ADMIN_COL */
+                    },
+            };
+
     public static final String[][] ABAC_TELLER_OBJS =
         {
             {
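Review bot: The new `GROUPMGR_OBJ` and `GROUPMGR_OPS` arrays are indented with 12/20 spaces while the neighbouring arrays in this file (`AUDITMGR_OBJ` above, `ABAC_TELLER_OBJS` below) use 4/8/12, so the block should be re-indented to the file's existing style. The first element of `GROUPMGR_OBJ` is the only cell without a `/* NAME_COL */` marker, and the Javadoc `Test Case TOP1:` on `GROUPMGR_OPS` says nothing about the data; a one-liner such as `/** Admin permissions guarding the GroupMgr operations; paired with GROUPMGR_OBJ. */` would be more useful. Because these rows are presumably the admin permissions a delegated-access check looks up by operation name, the `NAME_COL` values (`add`, `update`, `assign`, …) need to match the names the GroupMgr implementation actually passes to its check; that implementation is not in this diff, so it is worth confirming, since a mismatched name yields a permission that is provisioned but never enforced and a test that passes without exercising it.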

