Fix for OPENDJ-433: Every other permissions-subjects pair in ACI is ignored

Matthew Swift

05.21.2012 73c6ebc2c7569aa0dd072dfa24d149ceed9cca16

Fix for OPENDJ-433:  Every other permissions-subjects pair in ACI is ignored

Thanks to Auke Schrijnen for contributing part of the bug fix.

 opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java

@@ -23,6 +23,7 @@
 *
 *
 *      Copyright 2008-2009 Sun Microsystems, Inc.
 *      Portions copyright 2012 ForgeRock AS.
 */

package org.opends.server.authorization.dseecompat;
@@ -137,7 +138,7 @@
        "\\(" + ZERO_OR_MORE_WHITESPACE + versionToken +
        ZERO_OR_MORE_WHITESPACE + versionRegex +
        ACI_STATEMENT_SEPARATOR + aclToken + ZERO_OR_MORE_WHITESPACE +
        "\"(.*)\"" + ACI_STATEMENT_SEPARATOR + actionRegex +
        "\"([^\"]*)\"" + ACI_STATEMENT_SEPARATOR + actionRegex +
        ZERO_OR_MORE_WHITESPACE  + "\\)";

    /*
@@ -191,20 +192,31 @@
                throw new AciException(message);
            }
            name = bodyMatcher.group(NAME);
            input = input.substring(bodyMatcher.end());
        }
        Pattern bodyPattern1 = Pattern.compile(
                ACI_STATEMENT_SEPARATOR + actionRegex);

        Pattern bodyPattern1 = Pattern.compile("\\G" + actionRegex);
        Matcher bodyMatcher1 = bodyPattern1.matcher(input);

        /*
         * The may be many permission-bind rule pairs.
         */
        int lastIndex = -1;
        while(bodyMatcher1.find()) {
         String perm=bodyMatcher1.group(PERM);
         String rights=bodyMatcher1.group(RIGHTS);
         String bRule=bodyMatcher1.group(BINDRULE);
         PermBindRulePair pair = PermBindRulePair.decode(perm, rights, bRule);
         permBindRulePairs.add(pair);
         lastIndex = bodyMatcher1.end();
        }

        if (lastIndex >= 0 && input.charAt(lastIndex) != ')')
        {
          Message message = WARN_ACI_SYNTAX_GENERAL_PARSE_FAILED.get(input);
          throw new AciException(message);
        }

        return new AciBody(version, name, startPos, permBindRulePairs);
    }


 opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java

@@ -23,7 +23,7 @@
 *
 *
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 *      Portions Copyright 2011 ForgeRock AS
 *      Portions Copyright 2011-2012 ForgeRock AS
 *
 */
package org.opends.server.authorization.dseecompat;
@@ -723,6 +723,11 @@
          buildAciValue("name", "invalid", "targetattr", "cn ||", "allow (write)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "invalid", "targetattr", "not/an/attr", "allow (write)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "invalid", "targetattr", "cn", "allow (write)", BIND_RULE_INVALID_DAY),
          /* Test cases for OPENDJ-433 */
          buildAciValue("name", "invalid", "targetattr", "cn", "garbage allow (read)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "invalid", "targetattr", "cn", "allow (read)", BIND_RULE_USERDN_SELF, "garbage allow (search)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "invalid", "targetattr", "cn", "allow (read)", BIND_RULE_USERDN_SELF, "allow (search)", BIND_RULE_USERDN_SELF, "garbage allow (compare)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "invalid", "targetattr", "cn", "allow (read)", BIND_RULE_USERDN_SELF, "allow (search)", BIND_RULE_USERDN_SELF, "allow (compare)", BIND_RULE_USERDN_SELF, "garbage allow (delete)", BIND_RULE_USERDN_SELF),
          // Add tests with invalid keywords : typos in "targetattr", "targattfilters", "targetfilter"
          buildAciValue("name", "bad_filters", "targattrfilters",TARG_ATTR_FILTERS_INVALID_FILTER, "allow (write)", BIND_RULE_USERDN_SELF),
          buildAciValue("name", "bad_op", "targattrfilters",TARG_ATTR_FILTERS_BAD_OP, "allow (write)", BIND_RULE_USERDN_SELF),