external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: 7965fe86 | patch | commit | ignore whitespace

Fix for one failing ACI unit test. The ACI syntax checks in the access con...

coulbeck

09.04.2007 5efddccbae9cee21b3bb838193f8ab43b4d25627

Fix for one failing ACI unit test.  The ACI syntax checks in the access control handler were doing some additional validation using the DN of the entry containing the ACI.  These checks cannot be done by the ACI attribute syntax since it does not have the entry DN.  Keep the ACI attribute syntax but put the syntax checks back into the ACI handler.

2 files modified

	opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java	104 ●●●●● patch \| view \| raw \| blame \| history
	opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciMessages.java	28 ●●●●● patch \| view \| raw \| blame \| history

 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java

@@ -87,6 +87,7 @@
                                 ModifyOperation operation,
                                 boolean skipAccessCheck) {
        Entry resourceEntry=container.getResourceEntry();
        DN dn=resourceEntry.getDN();
        List<Modification> modifications=container.getModifications();
        for(Modification m : modifications) {
            Attribute modAttr=m.getAttribute();
@@ -137,7 +138,6 @@
              }
            }
            if(modAttr.hasValue()) {
               boolean checkPrivileges=true;
               for(AttributeValue v : modAttr.getValues()) {
                   container.setCurrentAttributeType(modType);
                   switch (m.getModificationType())
@@ -175,6 +175,25 @@
                       }
                       break;
                   }
                  /*
                   Check if the modification type has an "aci" attribute type.
                   If so, check the syntax of that attribute value. Fail the
                   the operation if the syntax check fails.
                   */
                  if(modType.equals(aciType)) {
                      try {
                          Aci.decode(v.getValue(),dn);
                      } catch (AciException ex) {
                          int    msgID  = MSGID_ACI_MODIFY_FAILED_DECODE;
                          String message = getMessage(msgID,
                                  String.valueOf(dn),
                                  ex.getMessage());
                          logError(ErrorLogCategory.ACCESS_CONTROL,
                                   ErrorLogSeverity.SEVERE_WARNING,
                                   message, msgID);
                          return false;
                      }
                  }
               }
            }
        }
@@ -446,6 +465,63 @@
    }

    /**
     * Evaluate an entry to be added to see if it has any "aci"
     * attribute type. If it does, examines each "aci" attribute type
     * value for syntax errors. All of the "aci" attribute type values
     * must pass syntax check for the add operation to proceed. Any
     * entry with an "aci" attribute type must have "modify-acl"
     * privileges.
     *
     * @param entry  The entry to be examined.
     * @param operation The operation to to check privileges on.
     * @param clientDN The authorization DN.
     * @return True if the entry has no ACI attributes or if all of the "aci"
     * attributes values pass ACI syntax checking.
     */
    private boolean
       verifySyntax(Entry entry, Operation operation, DN clientDN) {
      if(entry.hasOperationalAttribute(aciType)) {
        /*
         * Check that the operation has "modify-acl" privileges since the
         * entry to be added has an "aci" attribute type.
         */
        if (!operation.getClientConnection().
             hasPrivilege(Privilege.MODIFY_ACL, operation))  {
          int    msgID  = MSGID_ACI_ADD_FAILED_PRIVILEGE;
          String message = getMessage(msgID,
                                      String.valueOf(entry.getDN()),
                                      String.valueOf(clientDN));
          logError(ErrorLogCategory.ACCESS_CONTROL,
                   ErrorLogSeverity.SEVERE_WARNING,
                   message, msgID);
          return false;
        }
        List<Attribute> attributeList =
             entry.getOperationalAttribute(aciType, null);
        for (Attribute attribute : attributeList)
        {
          for (AttributeValue value : attribute.getValues())
          {
            try {
              DN dn=entry.getDN();
              Aci.decode(value.getValue(),dn);
            } catch (AciException ex) {
              int    msgID  = MSGID_ACI_ADD_FAILED_DECODE;
              String message = getMessage(msgID,
                                          String.valueOf(entry.getDN()),
                                          ex.getMessage());
              logError(ErrorLogCategory.ACCESS_CONTROL,
                       ErrorLogSeverity.SEVERE_WARNING,
                       message, msgID);
              return false;
            }
          }
        }
      }
    return true;
  }

    /**
     * Check access on add operations.
     *
     * @param operation The add operation to check access on.
@@ -456,27 +532,11 @@
                new AciLDAPOperationContainer(operation, ACI_ADD);
        boolean ret=isAllowed(operationContainer,operation);

        if(ret) {
          Entry entry = operation.getEntryToAdd();
          if(entry.hasOperationalAttribute(aciType)) {
            /*
             * Check that the operation has "modify-acl" privileges since the
             * entry to be added has an "aci" attribute type.
             */
            if (!operation.getClientConnection().
                 hasPrivilege(Privilege.MODIFY_ACL, operation))  {
              int    msgID  = MSGID_ACI_ADD_FAILED_PRIVILEGE;
              String message =
                   getMessage(msgID,
                              String.valueOf(entry.getDN()),
                              String.valueOf(operationContainer.getClientDN()));
              logError(ErrorLogCategory.ACCESS_CONTROL,
                       ErrorLogSeverity.SEVERE_WARNING,
                       message, msgID);
              ret = false;
            }
          }
        }
        //LDAP add needs a verify ACI syntax step in case any
        //"aci" attribute types are being added.
        if(ret)
          ret=verifySyntax(operation.getEntryToAdd(), operation,
                           operationContainer.getClientDN());
        return ret;
    }


 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciMessages.java

@@ -474,6 +474,24 @@
        CATEGORY_MASK_ACCESS_CONTROL  | 45;

    /**
     * The message ID for the ACI message that will be generated when a client
     * attempts to add an entry with the "aci" attribute type
     * and the ACI decode failed because of an syntax error.  This takes one
     * argument, which is the message string thrown by the AciException.
     */
    public static final int MSGID_ACI_ADD_FAILED_DECODE =
        CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 46;

    /**
     * The message ID for the ACI message that will be generated when a client
     * attempts to perform a modification on an "aci" attribute type
     * and the ACI decode failed because of a syntax error.  This takes one
     * argument, which is the message string thrown by the AciException.
     */
    public static final int MSGID_ACI_MODIFY_FAILED_DECODE =
       CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 47;

    /**
     * The message ID for the ACI message that will be generated when
     * an ACI decode failed because of an syntax error. This message is usually
     * generated by an invalid ACI that was added during import which
@@ -858,6 +876,16 @@
                "attribute type in the entry \"%s\" failed, because the" +
                "authorization DN \"%s\" lacked modify-acl privileges.");

        registerMessage(MSGID_ACI_ADD_FAILED_DECODE,
                "An attempt to add the entry \"%s\" containing" +
                " an aci attribute type failed because of the following" +
                " reason: %s");

        registerMessage(MSGID_ACI_MODIFY_FAILED_DECODE,
               "An attempt to modify an aci "+
               "attribute type in the entry \"%s\" failed "+
               "because of the following reason: %s");

        registerMessage(MSGID_ACI_ADD_LIST_FAILED_DECODE,
                "An attempt to decode an Access Control Instruction (ACI)" +
                " failed because of the following reason: %s");

			@@ -87,6 +87,7 @@
			ModifyOperation operation,
			boolean skipAccessCheck) {
			Entry resourceEntry=container.getResourceEntry();
			DN dn=resourceEntry.getDN();
			List<Modification> modifications=container.getModifications();
			for(Modification m : modifications) {
			Attribute modAttr=m.getAttribute();
			@@ -137,7 +138,6 @@
			}
			}
			if(modAttr.hasValue()) {
			boolean checkPrivileges=true;
			for(AttributeValue v : modAttr.getValues()) {
			container.setCurrentAttributeType(modType);
			switch (m.getModificationType())
			@@ -175,6 +175,25 @@
			}
			break;
			}
			/*
			Check if the modification type has an "aci" attribute type.
			If so, check the syntax of that attribute value. Fail the
			the operation if the syntax check fails.
			*/
			if(modType.equals(aciType)) {
			try {
			Aci.decode(v.getValue(),dn);
			} catch (AciException ex) {
			int msgID = MSGID_ACI_MODIFY_FAILED_DECODE;
			String message = getMessage(msgID,
			String.valueOf(dn),
			ex.getMessage());
			logError(ErrorLogCategory.ACCESS_CONTROL,
			ErrorLogSeverity.SEVERE_WARNING,
			message, msgID);
			return false;
			}
			}
			}
			}
			}
			@@ -446,6 +465,63 @@
			}

			/**
			* Evaluate an entry to be added to see if it has any "aci"
			* attribute type. If it does, examines each "aci" attribute type
			* value for syntax errors. All of the "aci" attribute type values
			* must pass syntax check for the add operation to proceed. Any
			* entry with an "aci" attribute type must have "modify-acl"
			* privileges.
			*
			* @param entry The entry to be examined.
			* @param operation The operation to to check privileges on.
			* @param clientDN The authorization DN.
			* @return True if the entry has no ACI attributes or if all of the "aci"
			* attributes values pass ACI syntax checking.
			*/
			private boolean
			verifySyntax(Entry entry, Operation operation, DN clientDN) {
			if(entry.hasOperationalAttribute(aciType)) {
			/*
			* Check that the operation has "modify-acl" privileges since the
			* entry to be added has an "aci" attribute type.
			*/
			if (!operation.getClientConnection().
			hasPrivilege(Privilege.MODIFY_ACL, operation)) {
			int msgID = MSGID_ACI_ADD_FAILED_PRIVILEGE;
			String message = getMessage(msgID,
			String.valueOf(entry.getDN()),
			String.valueOf(clientDN));
			logError(ErrorLogCategory.ACCESS_CONTROL,
			ErrorLogSeverity.SEVERE_WARNING,
			message, msgID);
			return false;
			}
			List<Attribute> attributeList =
			entry.getOperationalAttribute(aciType, null);
			for (Attribute attribute : attributeList)
			{
			for (AttributeValue value : attribute.getValues())
			{
			try {
			DN dn=entry.getDN();
			Aci.decode(value.getValue(),dn);
			} catch (AciException ex) {
			int msgID = MSGID_ACI_ADD_FAILED_DECODE;
			String message = getMessage(msgID,
			String.valueOf(entry.getDN()),
			ex.getMessage());
			logError(ErrorLogCategory.ACCESS_CONTROL,
			ErrorLogSeverity.SEVERE_WARNING,
			message, msgID);
			return false;
			}
			}
			}
			}
			return true;
			}

			/**
			* Check access on add operations.
			*
			* @param operation The add operation to check access on.
			@@ -456,27 +532,11 @@
			new AciLDAPOperationContainer(operation, ACI_ADD);
			boolean ret=isAllowed(operationContainer,operation);

			if(ret) {
			Entry entry = operation.getEntryToAdd();
			if(entry.hasOperationalAttribute(aciType)) {
			/*
			* Check that the operation has "modify-acl" privileges since the
			* entry to be added has an "aci" attribute type.
			*/
			if (!operation.getClientConnection().
			hasPrivilege(Privilege.MODIFY_ACL, operation)) {
			int msgID = MSGID_ACI_ADD_FAILED_PRIVILEGE;
			String message =
			getMessage(msgID,
			String.valueOf(entry.getDN()),
			String.valueOf(operationContainer.getClientDN()));
			logError(ErrorLogCategory.ACCESS_CONTROL,
			ErrorLogSeverity.SEVERE_WARNING,
			message, msgID);
			ret = false;
			}
			}
			}
			//LDAP add needs a verify ACI syntax step in case any
			//"aci" attribute types are being added.
			if(ret)
			ret=verifySyntax(operation.getEntryToAdd(), operation,
			operationContainer.getClientDN());
			return ret;
			}

			@@ -474,6 +474,24 @@
			CATEGORY_MASK_ACCESS_CONTROL \| 45;

			/**
			* The message ID for the ACI message that will be generated when a client
			* attempts to add an entry with the "aci" attribute type
			* and the ACI decode failed because of an syntax error. This takes one
			* argument, which is the message string thrown by the AciException.
			*/
			public static final int MSGID_ACI_ADD_FAILED_DECODE =
			CATEGORY_MASK_ACCESS_CONTROL \| SEVERITY_MASK_SEVERE_WARNING \| 46;

			/**
			* The message ID for the ACI message that will be generated when a client
			* attempts to perform a modification on an "aci" attribute type
			* and the ACI decode failed because of a syntax error. This takes one
			* argument, which is the message string thrown by the AciException.
			*/
			public static final int MSGID_ACI_MODIFY_FAILED_DECODE =
			CATEGORY_MASK_ACCESS_CONTROL \| SEVERITY_MASK_SEVERE_WARNING \| 47;

			/**
			* The message ID for the ACI message that will be generated when
			* an ACI decode failed because of an syntax error. This message is usually
			* generated by an invalid ACI that was added during import which
			@@ -858,6 +876,16 @@
			"attribute type in the entry \"%s\" failed, because the" +
			"authorization DN \"%s\" lacked modify-acl privileges.");

			registerMessage(MSGID_ACI_ADD_FAILED_DECODE,
			"An attempt to add the entry \"%s\" containing" +
			" an aci attribute type failed because of the following" +
			" reason: %s");

			registerMessage(MSGID_ACI_MODIFY_FAILED_DECODE,
			"An attempt to modify an aci "+
			"attribute type in the entry \"%s\" failed "+
			"because of the following reason: %s");

			registerMessage(MSGID_ACI_ADD_LIST_FAILED_DECODE,
			"An attempt to decode an Access Control Instruction (ACI)" +
			" failed because of the following reason: %s");