mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Gaetan Boismal
23.51.2014 bffb0216bf1c1ae7a7988670a535a18d5905f186
OPENDJ-1351 (CR-3830) Require a privilege needed for searching cn=changelog - Upgrade task 
* tools.properties
** Adding the description message of the upgrade task
* Upgrade.java
** Upgrade task n° 2.7.0.10820 which adds the 'changelog-read' value to the Root DNs default privilege list
* ExternalChangeLogTest.java
** ChangeLog privilege unit test code refactoring to make it more compact and more meaningful
3 files modified
33 ■■■■ changed files
opendj-sdk/opends/src/messages/messages/tools.properties 1 ●●●●
opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java 7 ●●●●●
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java 25 ●●●●●
opendj-sdk/opends/src/messages/messages/tools.properties
@@ -2587,3 +2587,4 @@
INFO_UPGRADE_TASK_10133_2_SUMMARY_10022=Configuring 'CertificateExactMatch' matching rule
INFO_UPGRADE_TASK_10733_1_SUMMARY_10023=Removing 'dc=replicationchanges' backend
INFO_UPGRADE_TASK_10733_2_SUMMARY_10024=Removing ACI for 'dc=replicationchanges'
INFO_UPGRADE_TASK_10820_SUMMARY_100025=Adding default privilege 'changelog-read' to all root DNs
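Review bot: The new key `INFO_UPGRADE_TASK_10820_SUMMARY_100025` breaks the ordinal sequence of the entries just above it (`_10022`, `_10023`, `_10024`), which suggests the suffix was meant to be `_10025` and one zero too many was typed. Upgrade.java refers to the message as `INFO_UPGRADE_TASK_10820_SUMMARY`, so the build presumably still resolves it, but the ordinal should be checked against the project's numbering rules and against collisions elsewhere in this file. Proposed line: `INFO_UPGRADE_TASK_10820_SUMMARY_10025=Adding default privilege 'changelog-read' to all root DNs`.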
opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java
@@ -329,6 +329,13 @@
            + "(version 3.0; acl \"Replication backend access\"; "
            + "deny (all) userdn=\"ldap:///anyone\";)"));
    /** See OPENDJ-1351 */
    register("2.7.0.10820",
        modifyConfigEntry(INFO_UPGRADE_TASK_10820_SUMMARY.get(),
        "(objectClass=ds-cfg-root-dn)",
        "add: ds-cfg-default-root-privilege-name",
        "ds-cfg-default-root-privilege-name: changelog-read"));
    /*
     * All upgrades will refresh the server configuration schema and generate
     * a new upgrade folder.
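Review bot: The task registered for `2.7.0.10820` adds `changelog-read` unconditionally to every entry matching `(objectClass=ds-cfg-root-dn)`, so an upgrade widens the default root privilege set even where an administrator had trimmed it on purpose. If the intent is to preserve access to cn=changelog once the privilege is enforced, the comment should say so, and it should be a plain block comment because `/** */` on a statement is not Javadoc: `/* OPENDJ-1351: cn=changelog searches now need 'changelog-read'; grant it to root DNs so upgraded servers keep access. */`. The hunk does not show how `modifyConfigEntry` behaves when the value is already present on an entry, which is worth confirming for a re-run or a partially upgraded configuration. The enclosing method starts and ends outside the hunk.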
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
@@ -395,26 +395,19 @@
    ECLFilterOnReplicationCSN(csn);
  }
  //Verifies that is not possible to read the changelog without the changelog-read privilege
  /**
   * Verifies that is not possible to read the changelog without the changelog-read privilege
   */
  @Test(enabled=true, dependsOnMethods = { "PrimaryTest"})
  public void ECLChangelogReadPrivilegeTest() throws Exception
  {
     InternalClientConnection conn =
           new InternalClientConnection(new AuthenticationInfo());
     InternalSearchOperation ico = conn.processSearch(
          "cn=changelog",
          SearchScope.WHOLE_SUBTREE,
          DereferencePolicy.NEVER_DEREF_ALIASES,
          0, // Size limit
          0, // Time limit
          false, // Types only
          "(objectclass=*)",
          ALL_ATTRIBUTES,
          NO_CONTROL,
          null);
    AuthenticationInfo nonPrivilegedUser = new AuthenticationInfo();
     assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
     assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
    InternalClientConnection conn = new InternalClientConnection(nonPrivilegedUser);
    InternalSearchOperation ico = conn.processSearch("cn=changelog", SearchScope.WHOLE_SUBTREE, "(objectclass=*)");
    assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
    assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
  }
  private void ECLIsNotASupportedSuffix() throws Exception
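Review bot: The rewritten `ECLChangelogReadPrivilegeTest` only exercises a default-constructed `AuthenticationInfo`, which appears to be an unauthenticated connection, so it does not show that an authenticated user lacking `changelog-read` is also refused, nor that a holder of the privilege can still search `cn=changelog`. Adding those two cases would pin the privilege check itself rather than only the anonymous path. The Javadoc would read better as `Verifies that it is not possible to read the changelog without the changelog-read privilege.`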