mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
parent: 9d696add | patch | commit | ignore whitespace
Gaetan Boismal
23.45.2014 0a11b89eca502b8c4e566f7e5496a80e7a7c5a0e 
OPENDJ-1351 (CR-3830) Require a privilege needed for searching cn=changelog - Upgrade task
* tools.properties
** Adding the description message of the upgrade task
* Upgrade.java
** Upgrade task n° 2.7.0.10820 which add the 'changelog-read' value to the Root DNs default privilege list
* ExternalChangeLogTest.java
** ChangeLog privilege unit test code refactoring to make it more compact ant more meaningful
3 files modified
35 ■■■■ changed files
opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties 1 ●●●● patch | view | raw | blame | history
opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java 7 ●●●●● patch | view | raw | blame | history
opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java 27 ●●●●● patch | view | raw | blame | history 
 opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties


@@ -2589,3 +2589,4 @@


INFO_UPGRADE_TASK_10339_1_SUMMARY_10026=Updating ds-cfg-override-severity attribute in Replication Repair Logger


INFO_UPGRADE_TASK_10733_1_SUMMARY_10027=Removing 'dc=replicationchanges' backend


INFO_UPGRADE_TASK_10733_2_SUMMARY_10028=Removing ACI for 'dc=replicationchanges'


INFO_UPGRADE_TASK_10820_SUMMARY_10029=Adding default privilege 'changelog-read' to all root DNs




 opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java


@@ -366,6 +366,13 @@


            + "(version 3.0; acl \"Replication backend access\"; "


            + "deny (all) userdn=\"ldap:///anyone\";)"));




    /** See OPENDJ-1351 */


    register("2.7.0.10820",


        modifyConfigEntry(INFO_UPGRADE_TASK_10820_SUMMARY.get(),


        "(objectClass=ds-cfg-root-dn)",


        "add: ds-cfg-default-root-privilege-name",


        "ds-cfg-default-root-privilege-name: changelog-read"));




    /*


     * All upgrades will refresh the server configuration schema and generate


     * a new upgrade folder.




 opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java


@@ -399,26 +399,19 @@


    ECLFilterOnReplicationCSN(csn);


  }


  


  //Verifies that is not possible to read the changelog without the changelog-read privilege


  /**


   * Verifies that is not possible to read the changelog without the changelog-read privilege


   */


  @Test(enabled=true, dependsOnMethods = { "ECLReplicationServerTest"})


  public void ECLChangelogReadPrivilegeTest() throws Exception


  {  


     InternalClientConnection conn =


           new InternalClientConnection(new AuthenticationInfo());


     InternalSearchOperation ico = conn.processSearch(


          "cn=changelog",


          SearchScope.WHOLE_SUBTREE,


          DereferenceAliasesPolicy.NEVER,


          0, // Size limit


          0, // Time limit


          false, // Types only


          "(objectclass=*)",


          ALL_ATTRIBUTES,


          NO_CONTROL,


          null);


  {


    AuthenticationInfo nonPrivilegedUser = new AuthenticationInfo();


     


     assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);


     assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());


    InternalClientConnection conn = new InternalClientConnection(nonPrivilegedUser);


    InternalSearchOperation ico = conn.processSearch("cn=changelog", SearchScope.WHOLE_SUBTREE, "(objectclass=*)");




    assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);


    assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());


  }


  


  private void ECLIsNotASupportedSuffix() throws Exception