/*
|
* CDDL HEADER START
|
*
|
* The contents of this file are subject to the terms of the
|
* Common Development and Distribution License, Version 1.0 only
|
* (the "License"). You may not use this file except in compliance
|
* with the License.
|
*
|
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
|
* or http://forgerock.org/license/CDDLv1.0.html.
|
* See the License for the specific language governing permissions
|
* and limitations under the License.
|
*
|
* When distributing Covered Code, include this CDDL HEADER in each
|
* file and include the License file at legal-notices/CDDLv1_0.txt.
|
* If applicable, add the following below this CDDL HEADER, with the
|
* fields enclosed by brackets "[]" replaced with your own identifying
|
* information:
|
* Portions Copyright [yyyy] [name of copyright owner]
|
*
|
* CDDL HEADER END
|
*
|
*
|
* Copyright 2006-2009 Sun Microsystems, Inc.
|
*/
|
package org.opends.server.core.networkgroups;
|
|
|
|
import java.util.ArrayList;
|
import java.util.List;
|
import java.util.Set;
|
|
import org.opends.messages.Message;
|
import org.opends.server.admin.server.ConfigurationChangeListener;
|
import org.opends.server.admin.std.meta.PluginCfgDefn;
|
import org.opends.server.admin.std.server.NetworkGroupPluginCfg;
|
import org.opends.server.admin.std.server.PluginCfg;
|
import org.opends.server.api.ClientConnection;
|
import org.opends.server.api.plugin.*;
|
import org.opends.server.config.ConfigException;
|
import org.opends.server.types.AuthenticationType;
|
import org.opends.server.types.ConfigChangeResult;
|
import org.opends.server.types.DirectoryException;
|
import org.opends.server.types.DisconnectReason;
|
import org.opends.server.types.DN;
|
import org.opends.server.types.ResultCode;
|
|
import org.opends.server.types.operation.PreParseAddOperation;
|
import org.opends.server.types.operation.PreParseBindOperation;
|
import org.opends.server.types.operation.PreParseCompareOperation;
|
import org.opends.server.types.operation.PreParseDeleteOperation;
|
import org.opends.server.types.operation.PreParseExtendedOperation;
|
import org.opends.server.types.operation.PreParseModifyOperation;
|
import org.opends.server.types.operation.PreParseModifyDNOperation;
|
import org.opends.server.types.operation.PreParseSearchOperation;
|
import org.opends.server.types.operation.PreParseUnbindOperation;
|
import org.opends.server.types.operation.PostResponseBindOperation;
|
import org.opends.server.types.operation.PostResponseExtendedOperation;
|
import org.opends.server.types.operation.PreParseOperation;
|
import static org.opends.messages.PluginMessages.*;
|
import static org.opends.server.util.ServerConstants.*;
|
|
|
/**
|
* This class implements a Directory Server plugin that will evaluate
|
* the appropriate network group for each client connection.
|
* A network group enforces specific resource limits.
|
*/
|
public final class NetworkGroupPlugin
|
extends DirectoryServerPlugin<NetworkGroupPluginCfg>
|
implements ConfigurationChangeListener<NetworkGroupPluginCfg>
|
{
|
|
/**
|
* Creates a new instance of this Directory Server plugin. Every plugin must
|
* implement a default constructor (it is the only one that will be used to
|
* create plugins defined in the configuration), and every plugin constructor
|
* must call <CODE>super()</CODE> as its first element.
|
*/
|
public NetworkGroupPlugin()
|
{
|
super();
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final void initializePlugin(Set<PluginType> pluginTypes,
|
NetworkGroupPluginCfg configuration)
|
throws ConfigException
|
{
|
// Make sure that the plugin has been enabled for the appropriate types.
|
for (PluginType t : pluginTypes)
|
{
|
switch (t)
|
{
|
case POST_CONNECT:
|
case PRE_PARSE_ADD:
|
case PRE_PARSE_BIND:
|
case PRE_PARSE_COMPARE:
|
case PRE_PARSE_DELETE:
|
case PRE_PARSE_EXTENDED:
|
case PRE_PARSE_MODIFY:
|
case PRE_PARSE_MODIFY_DN:
|
case PRE_PARSE_SEARCH:
|
case PRE_PARSE_UNBIND:
|
case POST_RESPONSE_BIND:
|
case POST_RESPONSE_EXTENDED:
|
// These are acceptable
|
break;
|
default:
|
Message message =
|
ERR_PLUGIN_NETWORKGROUP_INVALID_PLUGIN_TYPE.get(t.toString());
|
throw new ConfigException(message);
|
}
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final void finalizePlugin()
|
{
|
}
|
|
/**
|
* Performs resource limits checks and request filtering policy checks.
|
*
|
* @param connection The client connection on which the operation is done
|
* @param operation The operation to be performed
|
* @param fullCheck boolean indicating whether all the resource limit checks
|
* must be performed or only a limited set
|
* @param messages The list of error messages returned during the checking
|
*/
|
private boolean checkNetworkGroup(
|
ClientConnection connection,
|
PreParseOperation operation,
|
boolean fullCheck,
|
ArrayList<Message> messages)
|
{
|
if (!connection.getNetworkGroup().checkResourceLimitsPolicy(
|
connection, operation, fullCheck, messages)) {
|
return false;
|
}
|
if (operation != null) {
|
if (!connection.getNetworkGroup().checkRequestFilteringPolicy(
|
operation, messages)) {
|
return false;
|
}
|
}
|
return true;
|
}
|
|
/**
|
* Sets the network group and checks resource limits + request
|
* filtering policy.
|
*
|
* @param connection The client connection on which the operation is
|
* executed
|
*/
|
private boolean setAndCheckNetworkGroup(
|
ClientConnection connection,
|
PreParseOperation operation,
|
ArrayList<Message> messages)
|
{
|
boolean fullCheck = false;
|
if (connection.mustEvaluateNetworkGroup(operation)) {
|
NetworkGroup ng = NetworkGroup.findMatchingNetworkGroup(connection);
|
if (ng != connection.getNetworkGroup()) {
|
connection.setNetworkGroup(ng);
|
fullCheck = true;
|
}
|
connection.mustEvaluateNetworkGroup(false);
|
}
|
|
return (checkNetworkGroup(connection, operation, fullCheck, messages));
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public final PluginResult.PostConnect
|
doPostConnect(ClientConnection clientConnection)
|
{
|
ArrayList<Message> messages = new ArrayList<Message>();
|
if (setAndCheckNetworkGroup(clientConnection, null, messages)) {
|
return PluginResult.PostConnect.continueConnectProcessing();
|
} else {
|
return PluginResult.PostConnect.disconnectClient(
|
DisconnectReason.ADMIN_LIMIT_EXCEEDED, true, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseAddOperation addOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = addOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, addOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseBindOperation bindOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = bindOperation.getClientConnection();
|
boolean fullCheck = false;
|
|
if (connection.mustEvaluateNetworkGroup(bindOperation)) {
|
DN dn;
|
try {
|
dn = DN.decode(bindOperation.getRawBindDN());
|
} catch (DirectoryException ex) {
|
return PluginResult.PreParse.stopProcessing(ResultCode.OPERATIONS_ERROR,
|
ex.getMessageObject());
|
}
|
AuthenticationType authType = bindOperation.getAuthenticationType();
|
|
NetworkGroup ng = NetworkGroup.findBindMatchingNetworkGroup(connection,
|
dn, authType, connection.isSecure());
|
|
if (ng != connection.getNetworkGroup()) {
|
connection.setNetworkGroup(ng);
|
fullCheck = true;
|
}
|
connection.mustEvaluateNetworkGroup(false);
|
}
|
if (!checkNetworkGroup(connection, bindOperation, fullCheck, messages)) {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
return PluginResult.PreParse.continueOperationProcessing();
|
}
|
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseCompareOperation compareOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = compareOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, compareOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseDeleteOperation deleteOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = deleteOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, deleteOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseExtendedOperation extendedOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = extendedOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, extendedOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseModifyOperation modifyOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = modifyOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, modifyOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseModifyDNOperation modifyDNOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = modifyDNOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, modifyDNOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseSearchOperation searchOperation) {
|
ArrayList<Message> messages = new ArrayList<Message>();
|
ClientConnection connection = searchOperation.getClientConnection();
|
if (setAndCheckNetworkGroup(connection, searchOperation, messages)) {
|
return PluginResult.PreParse.continueOperationProcessing();
|
} else {
|
return PluginResult.PreParse.stopProcessing(
|
ResultCode.ADMIN_LIMIT_EXCEEDED, messages.get(0));
|
}
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PreParse
|
doPreParse(PreParseUnbindOperation unbindOperation) {
|
ClientConnection connection = unbindOperation.getClientConnection();
|
connection.mustEvaluateNetworkGroup(true);
|
return PluginResult.PreParse.continueOperationProcessing();
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PostResponse
|
doPostResponse(PostResponseBindOperation bindOperation) {
|
if (bindOperation.getResultCode() != ResultCode.SUCCESS) {
|
bindOperation.getClientConnection().mustEvaluateNetworkGroup(true);
|
}
|
return PluginResult.PostResponse.continueOperationProcessing();
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override
|
public PluginResult.PostResponse
|
doPostResponse(PostResponseExtendedOperation extendedOperation) {
|
if ((extendedOperation.getRequestOID().equals(OID_START_TLS_REQUEST))
|
&& (extendedOperation.getResultCode() == ResultCode.SUCCESS)) {
|
extendedOperation.getClientConnection().mustEvaluateNetworkGroup(true);
|
}
|
return PluginResult.PostResponse.continueOperationProcessing();
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
@Override()
|
public boolean isConfigurationAcceptable(PluginCfg configuration,
|
List<Message> unacceptableReasons)
|
{
|
NetworkGroupPluginCfg cfg = (NetworkGroupPluginCfg) configuration;
|
return isConfigurationChangeAcceptable(cfg, unacceptableReasons);
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
public boolean isConfigurationChangeAcceptable(
|
NetworkGroupPluginCfg configuration,
|
List<Message> unacceptableReasons)
|
{
|
boolean configAcceptable = true;
|
|
// Ensure that the set of plugin types contains only LDIF import and
|
// pre-operation add.
|
for (PluginCfgDefn.PluginType pluginType : configuration.getPluginType())
|
{
|
switch (pluginType)
|
{
|
case POSTCONNECT:
|
case PREPARSEADD:
|
case PREPARSEBIND:
|
case PREPARSECOMPARE:
|
case PREPARSEDELETE:
|
case PREPARSEEXTENDED:
|
case PREPARSEMODIFY:
|
case PREPARSEMODIFYDN:
|
case PREPARSESEARCH:
|
case PREPARSEUNBIND:
|
case POSTRESPONSEBIND:
|
case POSTRESPONSEEXTENDED:
|
// These are acceptable.
|
break;
|
|
|
default:
|
Message message = ERR_PLUGIN_NETWORKGROUP_INVALID_PLUGIN_TYPE.get(
|
pluginType.toString());
|
unacceptableReasons.add(message);
|
configAcceptable = false;
|
}
|
}
|
|
return configAcceptable;
|
}
|
|
/**
|
* {@inheritDoc}
|
*/
|
public ConfigChangeResult applyConfigurationChange(
|
NetworkGroupPluginCfg configuration)
|
{
|
return new ConfigChangeResult(ResultCode.SUCCESS, false);
|
}
|
}
|
