external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: ef6e766f | patch | commit | ignore whitespace

Attempt at making AccessControlHandler free of references to org.opends.ser...

Jean-Noel Rouvignac

26.11.2013 bdacd211f1f69175185e7bdd7cd202061a08a418

Attempt at making AccessControlHandler free of references to org.opends.server.workflowelement.localbackend package (clearly not public API).


AccessControlHandler.java:
Made the code a bit more generic by using the interfaces instead of the concrete LocalBackend*Operation classes.
I could not change them all, because methods specific to LocalBackend*Operation classes are sometimes called. Not sure how to fix that fully.

*.java:
Consequence of the changes to AccessControlHandler.

4 files modified

	opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java	19 ●●●●● patch \| view \| raw \| blame \| history
	opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java	65 ●●●●● patch \| view \| raw \| blame \| history
	opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java	3 ●●●●● patch \| view \| raw \| blame \| history
	opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java	10 ●●●●● patch \| view \| raw \| blame \| history

 opendj-sdk/opends/src/server/org/opends/server/api/AccessControlHandler.java

@@ -27,19 +27,15 @@
 */
package org.opends.server.api;



import org.opends.messages.Message;

import java.util.List;

import org.opends.messages.Message;
import org.opends.server.admin.std.server.AccessControlHandlerCfg;
import org.opends.server.config.ConfigException;
import org.opends.server.core.*;
import org.opends.server.types.*;
import org.opends.server.workflowelement.localbackend.*;


/**
 * This class defines the set of methods and structures that must be
 * implemented by a Directory Server access control handler. All
@@ -74,7 +70,6 @@
   *           related to the server configuration.
   */
  public abstract void initializeAccessControlHandler(T configuration)

  throws ConfigException, InitializationException;


@@ -184,8 +179,7 @@
   *           be decoded. Care must be taken not to expose any
   *           potentially sensitive information in the exception.
   */
  public abstract boolean isAllowed(
      LocalBackendBindOperation bindOperation)
  public abstract boolean isAllowed(BindOperation bindOperation)
    throws DirectoryException;


@@ -247,8 +241,7 @@
   *           be decoded. Care must be taken not to expose any
   *           potentially sensitive information in the exception.
   */
  public abstract boolean isAllowed(
      ExtendedOperation extendedOperation)
  public abstract boolean isAllowed(ExtendedOperation extendedOperation)
    throws DirectoryException;


@@ -289,8 +282,7 @@
   *           be decoded. Care must be taken not to expose any
   *           potentially sensitive information in the exception.
   */
  public abstract boolean isAllowed(
      LocalBackendModifyDNOperation modifyDNOperation)
  public abstract boolean isAllowed(ModifyDNOperation modifyDNOperation)
    throws DirectoryException;


@@ -313,8 +305,7 @@
   *           be decoded. Care must be taken not to expose any
   *           potentially sensitive information in the exception.
   */
  public abstract boolean isAllowed(
      LocalBackendSearchOperation searchOperation)
  public abstract boolean isAllowed(SearchOperation searchOperation)
    throws DirectoryException;



 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java

@@ -28,8 +28,6 @@
 */
package org.opends.server.authorization.dseecompat;



import static org.opends.messages.AccessControlMessages.*;
import static org.opends.server.authorization.dseecompat.Aci.*;
import static org.opends.server.config.ConfigConstants.*;
@@ -39,11 +37,7 @@
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;

import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.SortedSet;
import java.util.*;
import java.util.concurrent.locks.Lock;

import org.opends.messages.Message;
@@ -54,9 +48,7 @@
import org.opends.server.backends.jeb.EntryContainer;
import org.opends.server.config.ConfigException;
import org.opends.server.controls.GetEffectiveRightsRequestControl;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ExtendedOperation;
import org.opends.server.core.SearchOperation;
import org.opends.server.core.*;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
@@ -64,8 +56,6 @@
import org.opends.server.types.*;
import org.opends.server.workflowelement.localbackend.*;



/**
 * The AciHandler class performs the main processing for the dseecompat
 * package.
@@ -209,7 +199,7 @@
      SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
  {
    AciLDAPOperationContainer operationContainer =
      new AciLDAPOperationContainer(operation, (ACI_READ), unfilteredEntry);
        new AciLDAPOperationContainer(operation, ACI_READ, unfilteredEntry);

    // Proxy access check has already been done for this entry in the
    // maySend method, set the seen flag to true to bypass any proxy
@@ -361,7 +351,7 @@
   * {@inheritDoc}
   */
  @Override
  public boolean isAllowed(LocalBackendBindOperation bindOperation)
  public boolean isAllowed(BindOperation bindOperation)
  {
    // Not planned to be implemented.
    return true;
@@ -436,7 +426,7 @@
   * @return True if access is allowed.
   */
  @Override
  public boolean isAllowed(LocalBackendModifyDNOperation operation)
  public boolean isAllowed(ModifyDNOperation operation)
  {
    boolean ret = true;
    DN newSuperiorDN;
@@ -468,7 +458,7 @@
      if (ret && (newSuperiorDN != null))
      {
        AciLDAPOperationContainer operationContainer =
            new AciLDAPOperationContainer(operation, (ACI_EXPORT),
            new AciLDAPOperationContainer(operation, ACI_EXPORT,
                operation.getOriginalEntry());
        // The RDNs are not equal, skip the proxy check since it was
        // already performed in the aciCheckRDNs call above.
@@ -504,7 +494,7 @@
   * {@inheritDoc}
   */
  @Override
  public boolean isAllowed(LocalBackendSearchOperation searchOperation)
  public boolean isAllowed(SearchOperation searchOperation)
  {
    // Not planned to be implemented.
    return true;
@@ -526,7 +516,7 @@
    else
    {
      AciLDAPOperationContainer operationContainer =
        new AciLDAPOperationContainer(operation, (ACI_READ), entry);
          new AciLDAPOperationContainer(operation, ACI_READ, entry);
      return testFilter(operationContainer, filter);
    }
  }
@@ -580,7 +570,7 @@
      e.addAttribute(builder.toAttribute(), null);
      SearchResultEntry se = new SearchResultEntry(e);
      AciLDAPOperationContainer operationContainer =
          new AciLDAPOperationContainer(operation, (ACI_READ), se);
          new AciLDAPOperationContainer(operation, ACI_READ, se);
      operationContainer.setCurrentAttributeType(refAttrType);
      ret = accessAllowed(operationContainer);
    }
@@ -601,7 +591,7 @@
    }

    AciLDAPOperationContainer operationContainer =
      new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);
        new AciLDAPOperationContainer(operation, ACI_SEARCH, entry);

    // Pre/post read controls are associated with other types of operation.
    if (operation instanceof SearchOperation)
@@ -1016,31 +1006,35 @@


  /**
   * Perform all needed RDN checks for the modifyDN operation. The old
   * RDN is not equal to the new RDN. The access checks are: - Verify
   * WRITE access to the original entry. - Verfiy WRITE_ADD access on
   * each RDN component of the new RDN. The WRITE_ADD access is used
   * because this access could be restricted by the targattrfilters
   * keyword. - If the deleteOLDRDN flag is set, verify WRITE_DELETE
   * access on the old RDN. The WRITE_DELETE access is used because this
   * access could be restricted by the targattrfilters keyword.
   * Perform all needed RDN checks for the modifyDN operation. The old RDN is
   * not equal to the new RDN. The access checks are:
   * <ul>
   * <li>Verify WRITE access to the original entry.</li>
   * <li>Verify WRITE_ADD access on each RDN component of the new RDN. The
   * WRITE_ADD access is used because this access could be restricted by the
   * targattrfilters keyword.</li>
   * <li>If the deleteOLDRDN flag is set, verify WRITE_DELETE access on the old
   * RDN. The WRITE_DELETE access is used because this access could be
   * restricted by the targattrfilters keyword.
   * <li>
   * </ul>
   *
   * @param operation
   *          The ModifyDN operation class containing information to
   *          check access on.
   *          The ModifyDN operation class containing information to check
   *          access on.
   * @param oldRDN
   *          The old RDN component.
   * @param newRDN
   *          The new RDN component.
   * @return True if access is allowed.
   */
  private boolean aciCheckRDNs(LocalBackendModifyDNOperation operation,
  private boolean aciCheckRDNs(ModifyDNOperation operation,
      RDN oldRDN, RDN newRDN)
  {
    boolean ret;

    AciLDAPOperationContainer operationContainer =
        new AciLDAPOperationContainer(operation, (ACI_WRITE), operation
        new AciLDAPOperationContainer(operation, ACI_WRITE, operation
            .getOriginalEntry());
    ret = accessAllowed(operationContainer);
    if (ret)
@@ -1069,8 +1063,8 @@
   *           If a problem occurs while trying to retrieve the new
   *           superior entry.
   */
  private boolean aciCheckSuperiorEntry(DN superiorDN,
      LocalBackendModifyDNOperation op) throws DirectoryException
  private boolean aciCheckSuperiorEntry(DN superiorDN, ModifyDNOperation op)
      throws DirectoryException
  {
    boolean ret = false;
    final Lock entryLock = LockManager.lockRead(superiorDN);
@@ -1088,8 +1082,7 @@
      if (superiorEntry != null)
      {
        AciLDAPOperationContainer operationContainer =
            new AciLDAPOperationContainer(op, (ACI_IMPORT),
                superiorEntry);
            new AciLDAPOperationContainer(op, ACI_IMPORT, superiorEntry);
        ret = accessAllowed(operationContainer);
      }
    }

 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java

@@ -25,7 +25,6 @@
 *      Copyright 2008-2009 Sun Microsystems, Inc.
 *      Portions Copyright 2011 ForgeRock AS
 */

package org.opends.server.authorization.dseecompat;

import org.opends.server.core.*;
@@ -145,7 +144,7 @@
     * @param rights  The rights of the modify DN operation.
     * @param entry  The entry to evaluated for this modify DN.
     */
    public AciLDAPOperationContainer(LocalBackendModifyDNOperation operation,
    public AciLDAPOperationContainer(ModifyDNOperation operation,
                                     int rights,
                                     Entry entry) {
        super(operation, rights,  entry);

 opendj-sdk/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java

@@ -27,16 +27,12 @@
 */
package org.opends.server.core;



import org.opends.server.admin.std.server.AccessControlHandlerCfg;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.config.ConfigException;
import org.opends.server.types.*;
import org.opends.server.workflowelement.localbackend.*;



/**
 * This class implements a default access control provider for the Directory
 * Server.
@@ -98,7 +94,7 @@
   * {@inheritDoc}
   */
  @Override
  public boolean isAllowed(LocalBackendBindOperation bindOperation)
  public boolean isAllowed(BindOperation bindOperation)
  {
    return true;
  }
@@ -164,7 +160,7 @@
   * {@inheritDoc}
   */
  @Override
  public boolean isAllowed(LocalBackendModifyDNOperation modifyDNOperation)
  public boolean isAllowed(ModifyDNOperation modifyDNOperation)
  {
    return true;
  }
@@ -175,7 +171,7 @@
   * {@inheritDoc}
   */
  @Override
  public boolean isAllowed(LocalBackendSearchOperation searchOperation)
  public boolean isAllowed(SearchOperation searchOperation)
  {
    return true;
  }

			@@ -27,19 +27,15 @@
			*/
			package org.opends.server.api;



			import org.opends.messages.Message;

			import java.util.List;

			import org.opends.messages.Message;
			import org.opends.server.admin.std.server.AccessControlHandlerCfg;
			import org.opends.server.config.ConfigException;
			import org.opends.server.core.*;
			import org.opends.server.types.*;
			import org.opends.server.workflowelement.localbackend.*;


			/**
			* This class defines the set of methods and structures that must be
			* implemented by a Directory Server access control handler. All
			@@ -74,7 +70,6 @@
			* related to the server configuration.
			*/
			public abstract void initializeAccessControlHandler(T configuration)

			throws ConfigException, InitializationException;


			@@ -184,8 +179,7 @@
			* be decoded. Care must be taken not to expose any
			* potentially sensitive information in the exception.
			*/
			public abstract boolean isAllowed(
			LocalBackendBindOperation bindOperation)
			public abstract boolean isAllowed(BindOperation bindOperation)
			throws DirectoryException;


			@@ -247,8 +241,7 @@
			* be decoded. Care must be taken not to expose any
			* potentially sensitive information in the exception.
			*/
			public abstract boolean isAllowed(
			ExtendedOperation extendedOperation)
			public abstract boolean isAllowed(ExtendedOperation extendedOperation)
			throws DirectoryException;


			@@ -289,8 +282,7 @@
			* be decoded. Care must be taken not to expose any
			* potentially sensitive information in the exception.
			*/
			public abstract boolean isAllowed(
			LocalBackendModifyDNOperation modifyDNOperation)
			public abstract boolean isAllowed(ModifyDNOperation modifyDNOperation)
			throws DirectoryException;


			@@ -313,8 +305,7 @@
			* be decoded. Care must be taken not to expose any
			* potentially sensitive information in the exception.
			*/
			public abstract boolean isAllowed(
			LocalBackendSearchOperation searchOperation)
			public abstract boolean isAllowed(SearchOperation searchOperation)
			throws DirectoryException;

			@@ -28,8 +28,6 @@
			*/
			package org.opends.server.authorization.dseecompat;



			import static org.opends.messages.AccessControlMessages.*;
			import static org.opends.server.authorization.dseecompat.Aci.*;
			import static org.opends.server.config.ConfigConstants.*;
			@@ -39,11 +37,7 @@
			import static org.opends.server.util.ServerConstants.*;
			import static org.opends.server.util.StaticUtils.*;

			import java.util.LinkedHashSet;
			import java.util.LinkedList;
			import java.util.List;
			import java.util.Map;
			import java.util.SortedSet;
			import java.util.*;
			import java.util.concurrent.locks.Lock;

			import org.opends.messages.Message;
			@@ -54,9 +48,7 @@
			import org.opends.server.backends.jeb.EntryContainer;
			import org.opends.server.config.ConfigException;
			import org.opends.server.controls.GetEffectiveRightsRequestControl;
			import org.opends.server.core.DirectoryServer;
			import org.opends.server.core.ExtendedOperation;
			import org.opends.server.core.SearchOperation;
			import org.opends.server.core.*;
			import org.opends.server.loggers.debug.DebugTracer;
			import org.opends.server.protocols.internal.InternalClientConnection;
			import org.opends.server.protocols.internal.InternalSearchOperation;
			@@ -64,8 +56,6 @@
			import org.opends.server.types.*;
			import org.opends.server.workflowelement.localbackend.*;



			/**
			* The AciHandler class performs the main processing for the dseecompat
			* package.
			@@ -209,7 +199,7 @@
			SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
			{
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_READ), unfilteredEntry);
			new AciLDAPOperationContainer(operation, ACI_READ, unfilteredEntry);

			// Proxy access check has already been done for this entry in the
			// maySend method, set the seen flag to true to bypass any proxy
			@@ -361,7 +351,7 @@
			* {@inheritDoc}
			*/
			@Override
			public boolean isAllowed(LocalBackendBindOperation bindOperation)
			public boolean isAllowed(BindOperation bindOperation)
			{
			// Not planned to be implemented.
			return true;
			@@ -436,7 +426,7 @@
			* @return True if access is allowed.
			*/
			@Override
			public boolean isAllowed(LocalBackendModifyDNOperation operation)
			public boolean isAllowed(ModifyDNOperation operation)
			{
			boolean ret = true;
			DN newSuperiorDN;
			@@ -468,7 +458,7 @@
			if (ret && (newSuperiorDN != null))
			{
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_EXPORT),
			new AciLDAPOperationContainer(operation, ACI_EXPORT,
			operation.getOriginalEntry());
			// The RDNs are not equal, skip the proxy check since it was
			// already performed in the aciCheckRDNs call above.
			@@ -504,7 +494,7 @@
			* {@inheritDoc}
			*/
			@Override
			public boolean isAllowed(LocalBackendSearchOperation searchOperation)
			public boolean isAllowed(SearchOperation searchOperation)
			{
			// Not planned to be implemented.
			return true;
			@@ -526,7 +516,7 @@
			else
			{
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_READ), entry);
			new AciLDAPOperationContainer(operation, ACI_READ, entry);
			return testFilter(operationContainer, filter);
			}
			}
			@@ -580,7 +570,7 @@
			e.addAttribute(builder.toAttribute(), null);
			SearchResultEntry se = new SearchResultEntry(e);
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_READ), se);
			new AciLDAPOperationContainer(operation, ACI_READ, se);
			operationContainer.setCurrentAttributeType(refAttrType);
			ret = accessAllowed(operationContainer);
			}
			@@ -601,7 +591,7 @@
			}

			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);
			new AciLDAPOperationContainer(operation, ACI_SEARCH, entry);

			// Pre/post read controls are associated with other types of operation.
			if (operation instanceof SearchOperation)
			@@ -1016,31 +1006,35 @@


			/**
			* Perform all needed RDN checks for the modifyDN operation. The old
			* RDN is not equal to the new RDN. The access checks are: - Verify
			* WRITE access to the original entry. - Verfiy WRITE_ADD access on
			* each RDN component of the new RDN. The WRITE_ADD access is used
			* because this access could be restricted by the targattrfilters
			* keyword. - If the deleteOLDRDN flag is set, verify WRITE_DELETE
			* access on the old RDN. The WRITE_DELETE access is used because this
			* access could be restricted by the targattrfilters keyword.
			* Perform all needed RDN checks for the modifyDN operation. The old RDN is
			* not equal to the new RDN. The access checks are:
			* <ul>
			* <li>Verify WRITE access to the original entry.</li>
			* <li>Verify WRITE_ADD access on each RDN component of the new RDN. The
			* WRITE_ADD access is used because this access could be restricted by the
			* targattrfilters keyword.</li>
			* <li>If the deleteOLDRDN flag is set, verify WRITE_DELETE access on the old
			* RDN. The WRITE_DELETE access is used because this access could be
			* restricted by the targattrfilters keyword.
			* <li>
			* </ul>
			*
			* @param operation
			* The ModifyDN operation class containing information to
			* check access on.
			* The ModifyDN operation class containing information to check
			* access on.
			* @param oldRDN
			* The old RDN component.
			* @param newRDN
			* The new RDN component.
			* @return True if access is allowed.
			*/
			private boolean aciCheckRDNs(LocalBackendModifyDNOperation operation,
			private boolean aciCheckRDNs(ModifyDNOperation operation,
			RDN oldRDN, RDN newRDN)
			{
			boolean ret;

			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, (ACI_WRITE), operation
			new AciLDAPOperationContainer(operation, ACI_WRITE, operation
			.getOriginalEntry());
			ret = accessAllowed(operationContainer);
			if (ret)
			@@ -1069,8 +1063,8 @@
			* If a problem occurs while trying to retrieve the new
			* superior entry.
			*/
			private boolean aciCheckSuperiorEntry(DN superiorDN,
			LocalBackendModifyDNOperation op) throws DirectoryException
			private boolean aciCheckSuperiorEntry(DN superiorDN, ModifyDNOperation op)
			throws DirectoryException
			{
			boolean ret = false;
			final Lock entryLock = LockManager.lockRead(superiorDN);
			@@ -1088,8 +1082,7 @@
			if (superiorEntry != null)
			{
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(op, (ACI_IMPORT),
			superiorEntry);
			new AciLDAPOperationContainer(op, ACI_IMPORT, superiorEntry);
			ret = accessAllowed(operationContainer);
			}
			}

			@@ -25,7 +25,6 @@
			* Copyright 2008-2009 Sun Microsystems, Inc.
			* Portions Copyright 2011 ForgeRock AS
			*/

			package org.opends.server.authorization.dseecompat;

			import org.opends.server.core.*;
			@@ -145,7 +144,7 @@
			* @param rights The rights of the modify DN operation.
			* @param entry The entry to evaluated for this modify DN.
			*/
			public AciLDAPOperationContainer(LocalBackendModifyDNOperation operation,
			public AciLDAPOperationContainer(ModifyDNOperation operation,
			int rights,
			Entry entry) {
			super(operation, rights, entry);

			@@ -27,16 +27,12 @@
			*/
			package org.opends.server.core;



			import org.opends.server.admin.std.server.AccessControlHandlerCfg;
			import org.opends.server.api.AccessControlHandler;
			import org.opends.server.config.ConfigException;
			import org.opends.server.types.*;
			import org.opends.server.workflowelement.localbackend.*;



			/**
			* This class implements a default access control provider for the Directory
			* Server.
			@@ -98,7 +94,7 @@
			* {@inheritDoc}
			*/
			@Override
			public boolean isAllowed(LocalBackendBindOperation bindOperation)
			public boolean isAllowed(BindOperation bindOperation)
			{
			return true;
			}
			@@ -164,7 +160,7 @@
			* {@inheritDoc}
			*/
			@Override
			public boolean isAllowed(LocalBackendModifyDNOperation modifyDNOperation)
			public boolean isAllowed(ModifyDNOperation modifyDNOperation)
			{
			return true;
			}
			@@ -175,7 +171,7 @@
			* {@inheritDoc}
			*/
			@Override
			public boolean isAllowed(LocalBackendSearchOperation searchOperation)
			public boolean isAllowed(SearchOperation searchOperation)
			{
			return true;
			}