mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Jean-Noël Rouvignac
22.13.2015 edf8944f0ae80b608797206944cbd2db8d08a9a7
Remove unnecessary null checks for Operation.getRequestControls()
13 files modified
341 ■■■■■ changed files
opendj-server-legacy/src/main/java/org/opends/server/backends/pluggable/EntryContainer.java 6
opendj-server-legacy/src/main/java/org/opends/server/core/ExtendedOperationBasis.java 36
opendj-server-legacy/src/main/java/org/opends/server/extensions/PasswordModifyExtendedOperation.java 34
opendj-server-legacy/src/main/java/org/opends/server/replication/plugin/MultimasterReplication.java 7
opendj-server-legacy/src/main/java/org/opends/server/types/AbstractOperation.java 18
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java 31
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java 14
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java 23
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java 31
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java 35
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java 28
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java 56
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java 22
opendj-server-legacy/src/main/java/org/opends/server/backends/pluggable/EntryContainer.java
@@ -2352,17 +2352,13 @@
   */
  private static boolean isManageDsaITOperation(Operation operation)
  {
    List<Control> controls = operation.getRequestControls();
    if (controls != null)
    {
      for (Control control : controls)
    for (Control control : operation.getRequestControls())
      {
        if (ServerConstants.OID_MANAGE_DSAIT_CONTROL.equals(control.getOID()))
        {
          return true;
        }
      }
    }
    return false;
  }
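Review bot: The new `for (Control control : operation.getRequestControls())` in `isManageDsaITOperation` dereferences the returned list with no guard, and the only non-null guarantee visible in this commit is the `AbstractOperation` constructor, while the parameter here is typed as the `Operation` interface. An implementation that does not go through that constructor (none is visible on this page, so this needs confirming) would now fail with a NullPointerException instead of being treated as a request without controls. I would state the contract where callers read it, on the interface method's Javadoc: `@return the request controls, never {@code null}; empty when the request carries none`. The same reliance is introduced in PasswordModifyExtendedOperation and in the LocalBackend*Operation control loops.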
opendj-server-legacy/src/main/java/org/opends/server/core/ExtendedOperationBasis.java
@@ -38,9 +38,16 @@
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.ExtendedOperationHandler;
import org.opends.server.types.*;
import org.opends.server.types.AbstractOperation;
import org.opends.server.types.CancelResult;
import org.opends.server.types.CanceledOperationException;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.OperationType;
import org.opends.server.types.operation.PostOperationExtendedOperation;
import org.opends.server.types.operation.PostResponseExtendedOperation;
import org.opends.server.types.operation.PreOperationExtendedOperation;
@@ -303,30 +310,22 @@
      // Look at the controls included in the request and ensure that all
      // critical controls are supported by the handler.
      List<Control> requestControls = getRequestControls();
      if (requestControls != null && !requestControls.isEmpty())
      {
        for (Iterator<Control> iter = requestControls.iterator(); iter
            .hasNext();)
      for (Iterator<Control> iter = getRequestControls().iterator(); iter.hasNext();)
        {
          final Control c = iter.next();
          try
          {
            if (!AccessControlConfigManager.getInstance()
                .getAccessControlHandler()
                .isAllowed(getAuthorizationDN(), this, c))
          if (!getAccessControlHandler().isAllowed(getAuthorizationDN(), this, c))
            {
              // As per RFC 4511 4.1.11.
              if (c.isCritical())
              {
                setResultCode(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION);
                appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS
                    .get(c.getOID()));
              appendErrorMessage(ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(c.getOID()));
              }
              else
              {
                // We don't want to process this non-critical control, so
                // remove it.
              // We don't want to process this non-critical control, so remove it.
                iter.remove();
                continue;
              }
@@ -351,7 +350,6 @@
            return;
          }
        }
      }
      // Check to see if the client has permission to perform the
@@ -362,7 +360,7 @@
      // and any other controls specified.
      try
      {
        if (!AccessControlConfigManager.getInstance().getAccessControlHandler().isAllowed(this))
        if (!getAccessControlHandler().isAllowed(this))
        {
          setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
          appendErrorMessage(ERR_EXTENDED_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS.get(requestOID));
@@ -438,7 +436,11 @@
    }
  }
  /** {@inheritDoc} */
  private AccessControlHandler<?> getAccessControlHandler()
  {
    return AccessControlConfigManager.getInstance().getAccessControlHandler();
  }
  @Override
  public final void toString(StringBuilder buffer)
  {
@@ -450,6 +452,4 @@
    buffer.append(requestOID);
    buffer.append(")");
  }
}
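Review bot: The access-control loop now iterates `getRequestControls().iterator()` directly and drops a denied non-critical control with `iter.remove()`, which only has the intended effect if the getter hands back the operation's live, mutable list. If it ever returned a copy or an unmodifiable view, the removal would either be lost, leaving a control the handler rejected in place for later processing, or throw UnsupportedOperationException. A short comment above the loop would pin that down: `// getRequestControls() must return the live list: iter.remove() below is what keeps a denied control from being processed.` The hunks show only part of the enclosing method.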
opendj-server-legacy/src/main/java/org/opends/server/extensions/PasswordModifyExtendedOperation.java
@@ -37,7 +37,13 @@
import static org.opends.server.util.StaticUtils.*;
import java.io.IOException;
import java.util.*;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
@@ -54,7 +60,11 @@
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.server.ExtendedOperationHandlerCfg;
import org.opends.server.admin.std.server.PasswordModifyExtendedOperationHandlerCfg;
import org.opends.server.api.*;
import org.opends.server.api.AuthenticationPolicy;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.ExtendedOperationHandler;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.PasswordStorageScheme;
import org.opends.server.controls.PasswordPolicyErrorType;
import org.opends.server.controls.PasswordPolicyResponseControl;
import org.opends.server.core.DirectoryServer;
@@ -64,8 +74,20 @@
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.schema.AuthPasswordSyntax;
import org.opends.server.schema.UserPasswordSyntax;
import org.opends.server.types.*;
import org.opends.server.types.AccountStatusNotification;
import org.opends.server.types.AccountStatusNotificationProperty;
import org.opends.server.types.AdditionalLogItem;
import org.opends.server.types.AttributeBuilder;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Control;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.LockManager.DNLock;
import org.opends.server.types.Modification;
import org.opends.server.types.Privilege;
/**
 * This class implements the password modify extended operation defined in RFC
@@ -167,10 +189,7 @@
    // Look at the set of controls included in the request, if there are any.
    boolean                   noOpRequested        = false;
    boolean                   pwPolicyRequested    = false;
    List<Control> controls = operation.getRequestControls();
    if (controls != null)
    {
      for (Control c : controls)
    for (Control c : operation.getRequestControls())
      {
        String oid = c.getOID();
        if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
@@ -182,7 +201,6 @@
          pwPolicyRequested = true;
        }
      }
    }
    // Parse the encoded request, if there is one.
    ByteString requestValue = operation.getRequestValue();
opendj-server-legacy/src/main/java/org/opends/server/replication/plugin/MultimasterReplication.java
@@ -156,10 +156,9 @@
         * running later do not generate CSN, solve conflicts and forward the
         * operation to the replication server.
         */
        final List<Control> controls = op.getRequestControls();
        for (Iterator<Control> iter = controls.iterator(); iter.hasNext();)
        for (Iterator<Control> it = op.getRequestControls().iterator(); it.hasNext();)
        {
          Control c = iter.next();
          Control c = it.next();
          if (OID_REPLICATION_REPAIR_CONTROL.equals(c.getOID()))
          {
            op.setSynchronizationOperation(true);
@@ -169,7 +168,7 @@
            processed and the local backend will fail if it finds a control that
            it does not know about and that is marked as critical.
            */
            iter.remove();
            it.remove();
            return null;
          }
        }
opendj-server-legacy/src/main/java/org/opends/server/types/AbstractOperation.java
@@ -31,6 +31,7 @@
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.ListIterator;
import java.util.Map;
import org.forgerock.i18n.LocalizableMessage;
@@ -167,16 +168,7 @@
    this.operationID      = operationID;
    this.messageID        = messageID;
    this.useNanoTime = DirectoryServer.getUseNanoTime();
    if (requestControls == null)
    {
      this.requestControls = new ArrayList<>(0);
    }
    else
    {
      this.requestControls  = requestControls;
    }
    this.requestControls = requestControls != null ? requestControls : new ArrayList<Control>(0);
    authorizationEntry = clientConnection.getAuthenticationInfo().getAuthorizationEntry();
  }
@@ -225,16 +217,16 @@
      ControlDecoder<T> d) throws DirectoryException
  {
    String oid = d.getOID();
    for(int i = 0; i < requestControls.size(); i++)
    for (ListIterator<Control> it = requestControls.listIterator(); it.hasNext();)
    {
      Control c = requestControls.get(i);
      Control c = it.next();
      if(c.getOID().equals(oid))
      {
        if(c instanceof LDAPControl)
        {
          T decodedControl = d.decode(c.isCritical(),
              ((LDAPControl) c).getValue());
          requestControls.set(i, decodedControl);
          it.set(decodedControl);
          return decodedControl;
        }
        else
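Review bot: The constructor line `this.requestControls = requestControls != null ? requestControls : new ArrayList<Control>(0);` keeps the caller's list by reference, and `getRequestControl` then writes into it with `it.set(decodedControl)`. A caller that passes an immutable list, or reuses one list for several operations, would get an UnsupportedOperationException or see decoded controls carried from one operation into another; whether any caller does so is not visible here. Either copy on the way in with `new ArrayList<Control>(requestControls)`, if no caller depends on sharing the list, or say in the constructor Javadoc that the list must be mutable and is owned by the operation afterwards. `getRequestControl` continues past the end of the hunk.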
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -980,10 +980,7 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(parentDN, this);
    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Control c : requestControls)
    for (Control c : getRequestControls())
      {
        final String  oid = c.getOID();
@@ -992,8 +989,7 @@
          // RFC 4528 mandates support for Add operation basically
          // suggesting an assertion on self. As daft as it may be
          // we gonna have to support this for RFC compliance.
          LDAPAssertionRequestControl assertControl =
            getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter filter;
          try
@@ -1005,15 +1001,13 @@
            logger.traceException(de);
            throw newDirectoryException(entryDN, de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
              ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
                ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
@@ -1021,8 +1015,7 @@
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entryDN, ResultCode.ASSERTION_FAILED,
                  ERR_ADD_ASSERTION_FAILED.get(entryDN));
            throw newDirectoryException(entryDN, ResultCode.ASSERTION_FAILED, ERR_ADD_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
@@ -1035,8 +1028,7 @@
            logger.traceException(de);
            throw newDirectoryException(entryDN, de.getResultCode(),
                ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
              ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
@@ -1045,8 +1037,7 @@
        }
        else if (OID_LDAP_READENTRY_POSTREAD.equals(oid))
        {
          postReadRequest =
                getRequestControl(LDAPPostReadRequestControl.DECODER);
        postReadRequest = getRequestControl(LDAPPostReadRequestControl.DECODER);
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
@@ -1057,17 +1048,13 @@
          // We don't need to do anything here because it's already handled
          // in LocalBackendAddOperation.handlePasswordPolicy().
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(entryDN,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw newDirectoryException(entryDN, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_ADD_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
    }
  }
  private AccessControlHandler<?> getAccessControlHandler()
  {
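Review bot: The for-each over `getRequestControls()` calls `getRequestControl(LDAPAssertionRequestControl.DECODER)` and `getRequestControl(LDAPPostReadRequestControl.DECODER)` from inside the loop body, and per the AbstractOperation change in this commit that method replaces the matching element of the same list. That is safe only because the replacement is an in-place `set`, which is not a structural modification; an add or remove there would make this loop throw ConcurrentModificationException. A one-line comment at the top of the loop would keep that from being broken later: `// getRequestControl() swaps elements in place only; it must never add to or remove from the list being iterated.` The same pattern is in the Compare, Delete, ModifyDN, Modify and Search loops. The enclosing method starts outside the hunk.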
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendBindOperation.java
@@ -325,10 +325,7 @@
  {
    LocalBackendWorkflowElement.removeAllDisallowedControls(bindDN, this);
    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Control c : requestControls)
    for (Control c : getRequestControls())
      {
        final String  oid = c.getOID();
@@ -340,17 +337,13 @@
        {
          pwPolicyControlRequested = true;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical())
        {
          throw new DirectoryException(
                         ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                         ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
        }
      }
    }
  }
  /**
   * Performs the processing necessary for a simple bind operation.
@@ -363,8 +356,7 @@
   */
  private boolean processSimpleBind() throws DirectoryException
  {
    // See if this is an anonymous bind.  If so, then determine whether
    // to allow it.
    // See if this is an anonymous bind. If so, then determine whether to allow it.
    ByteString simplePassword = getSimplePassword();
    if (simplePassword == null || simplePassword.length() == 0)
    {
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
@@ -318,17 +318,13 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);
    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Control c : requestControls)
    for (Control c : getRequestControls())
      {
        final String  oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter filter;
          try
@@ -346,8 +342,7 @@
          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
@@ -355,8 +350,7 @@
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED,
                  ERR_COMPARE_ASSERTION_FAILED.get(entryDN));
            throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED, ERR_COMPARE_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
@@ -376,18 +370,13 @@
        {
          continue;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_COMPARE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
    }
  }
  private AccessControlHandler<?> getAccessControlHandler()
  {
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
@@ -26,7 +26,6 @@
 */
package org.opends.server.workflowelement.localbackend;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
import org.forgerock.i18n.LocalizableMessage;
@@ -392,16 +391,12 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);
    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Control c : requestControls)
    for (Control c : getRequestControls())
      {
        final String oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter filter;
          try
@@ -419,8 +414,7 @@
          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
@@ -428,8 +422,7 @@
          {
            if (!filter.matchesEntry(entry))
            {
              throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED,
                  ERR_DELETE_ASSERTION_FAILED.get(entryDN));
            throw newDirectoryException(entry, ResultCode.ASSERTION_FAILED, ERR_DELETE_ASSERTION_FAILED.get(entryDN));
            }
          }
          catch (DirectoryException de)
@@ -451,29 +444,19 @@
        }
        else if (OID_LDAP_READENTRY_PREREAD.equals(oid))
        {
          preReadRequest =
                getRequestControl(LDAPPreReadRequestControl.DECODER);
        preReadRequest = getRequestControl(LDAPPreReadRequestControl.DECODER);
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
        {
          continue;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(entry,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw newDirectoryException(entry, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_DELETE_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
    }
  }
  private DN getName(Entry e)
  {
    return e != null ? e.getName() : DN.rootDN();
  }
  /**
   * Handle conflict resolution.
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
@@ -37,6 +37,7 @@
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ModificationType;
import org.forgerock.opendj.ldap.ResultCode;
import org.opends.server.api.AccessControlHandler;
import org.opends.server.api.Backend;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SynchronizationProvider;
@@ -360,8 +361,7 @@
      // to the client.
      try
      {
        if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
            .isAllowed(this))
        if (!getAccessControlHandler().isAllowed(this))
        {
          setResultCodeAndMessageNoInfoDisclosure(currentEntry, entryDN,
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
@@ -527,18 +527,14 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);
    final List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (ListIterator<Control> iter = requestControls.listIterator(); iter.hasNext();)
    for (ListIterator<Control> iter = getRequestControls().listIterator(); iter.hasNext();)
      {
        final Control c = iter.next();
        final String  oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter filter;
          try
@@ -553,13 +549,10 @@
                ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
          // Check if the current user has permission to make
          // this determination.
          if (!AccessControlConfigManager.getInstance().
            getAccessControlHandler().isAllowed(this, currentEntry, filter))
        // Check if the current user has permission to make this determination.
        if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
@@ -567,8 +560,7 @@
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw newDirectoryException(currentEntry,
                  ResultCode.ASSERTION_FAILED,
            throw newDirectoryException(currentEntry, ResultCode.ASSERTION_FAILED,
                  ERR_MODDN_ASSERTION_FAILED.get(entryDN));
            }
          }
@@ -610,20 +602,17 @@
        {
          continue;
        }
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_MODDN_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
    }
  }
  private DN getName(Entry e)
  private AccessControlHandler<?> getAccessControlHandler()
  {
    return e != null ? e.getName() : DN.rootDN();
    return AccessControlConfigManager.getInstance().getAccessControlHandler();
  }
  /**
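Review bot: The private `getAccessControlHandler()` added at the end of this section is a copy of the helper this commit also adds to ExtendedOperationBasis, and the Add and Compare sections show a private method with the same signature already in place. With the lookup `AccessControlConfigManager.getInstance().getAccessControlHandler()` repeated per class, a later change to how the handler is obtained has to be made in every copy, and a missed one would evaluate access with a different handler. Consider one shared accessor, for instance a protected method on a common base class if these operations share one, or a static on LocalBackendWorkflowElement, and have these classes call it.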
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
@@ -632,18 +632,14 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(entryDN, this);
    List<Control> requestControls = getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (ListIterator<Control> iter = requestControls.listIterator(); iter.hasNext();)
    for (ListIterator<Control> iter = getRequestControls().listIterator(); iter.hasNext();)
      {
        final Control c = iter.next();
        final String  oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter filter;
          try
@@ -655,15 +651,13 @@
            logger.traceException(de);
            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
              ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, currentEntry, filter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
@@ -671,8 +665,7 @@
          {
            if (!filter.matchesEntry(currentEntry))
            {
              throw newDirectoryException(currentEntry,
                  ResultCode.ASSERTION_FAILED,
            throw newDirectoryException(currentEntry, ResultCode.ASSERTION_FAILED,
                  ERR_MODIFY_ASSERTION_FAILED.get(entryDN));
            }
          }
@@ -686,8 +679,7 @@
            logger.traceException(de);
            throw newDirectoryException(currentEntry, de.getResultCode(),
                ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
                    entryDN, de.getMessageObject()));
              ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(entryDN, de.getMessageObject()));
          }
        }
        else if (OID_LDAP_NOOP_OPENLDAP_ASSIGNED.equals(oid))
@@ -722,17 +714,13 @@
        {
          pwPolicyControlRequested = true;
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical()
            && (backend == null || !backend.supportsControl(oid)))
      else if (c.isCritical() && (backend == null || !backend.supportsControl(oid)))
        {
          throw newDirectoryException(currentEntry,
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw newDirectoryException(currentEntry, ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_MODIFY_UNSUPPORTED_CRITICAL_CONTROL.get(entryDN, oid));
        }
      }
    }
  }
  private void processNonPasswordModifications() throws DirectoryException
  {
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
@@ -26,7 +26,6 @@
 */
package org.opends.server.workflowelement.localbackend;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
import org.forgerock.i18n.slf4j.LocalizedLogger;
@@ -285,17 +284,13 @@
    LocalBackendWorkflowElement.evaluateProxyAuthControls(this);
    LocalBackendWorkflowElement.removeAllDisallowedControls(baseDN, this);
    List<Control> requestControls  = getRequestControls();
    if (requestControls != null && ! requestControls.isEmpty())
    {
      for (Control c : requestControls)
    for (Control c : getRequestControls())
      {
        final String  oid = c.getOID();
        if (OID_LDAP_ASSERTION.equals(oid))
        {
          LDAPAssertionRequestControl assertControl =
                getRequestControl(LDAPAssertionRequestControl.DECODER);
        LDAPAssertionRequestControl assertControl = getRequestControl(LDAPAssertionRequestControl.DECODER);
          SearchFilter assertionFilter;
          try
@@ -307,8 +302,7 @@
            logger.traceException(de);
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
              ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de);
          }
          Entry entry;
@@ -321,29 +315,26 @@
            logger.traceException(de);
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
                                de.getMessageObject()));
              ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(de.getMessageObject()));
          }
          if (entry == null)
          {
            throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
                           ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
          throw new DirectoryException(ResultCode.NO_SUCH_OBJECT, ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
          }
          // Check if the current user has permission to make this determination.
          if (!getAccessControlHandler().isAllowed(this, entry, assertionFilter))
          {
            throw new DirectoryException(
              ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
          throw new DirectoryException(ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
              ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
          }
          try {
        try
        {
            if (! assertionFilter.matchesEntry(entry))
            {
              throw new DirectoryException(ResultCode.ASSERTION_FAILED,
                                           ERR_SEARCH_ASSERTION_FAILED.get());
            throw new DirectoryException(ResultCode.ASSERTION_FAILED, ERR_SEARCH_ASSERTION_FAILED.get());
            }
          }
          catch (DirectoryException de)
@@ -356,8 +347,7 @@
            logger.traceException(de);
            throw new DirectoryException(de.getResultCode(),
                           ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
                                de.getMessageObject()), de);
              ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()), de);
          }
        }
        else if (LocalBackendWorkflowElement.isProxyAuthzControl(oid))
@@ -366,31 +356,24 @@
        }
        else if (OID_PERSISTENT_SEARCH.equals(oid))
        {
          final PersistentSearchControl ctrl =
              getRequestControl(PersistentSearchControl.DECODER);
          persistentSearch = new PersistentSearch(this,
              ctrl.getChangeTypes(), ctrl.getChangesOnly(), ctrl.getReturnECs());
        final PersistentSearchControl ctl = getRequestControl(PersistentSearchControl.DECODER);
        persistentSearch = new PersistentSearch(this, ctl.getChangeTypes(), ctl.getChangesOnly(), ctl.getReturnECs());
        }
        else if (OID_LDAP_SUBENTRIES.equals(oid))
        {
          SubentriesControl subentriesControl =
                  getRequestControl(SubentriesControl.DECODER);
        SubentriesControl subentriesControl = getRequestControl(SubentriesControl.DECODER);
          setReturnSubentriesOnly(subentriesControl.getVisibility());
        }
        else if (OID_LDUP_SUBENTRIES.equals(oid))
        {
          // Support for legacy draft-ietf-ldup-subentry.
          addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(),
              "obsoleteSubentryControl"));
        addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(), "obsoleteSubentryControl"));
          setReturnSubentriesOnly(true);
        }
        else if (OID_MATCHED_VALUES.equals(oid))
        {
          MatchedValuesControl matchedValuesControl =
                getRequestControl(MatchedValuesControl.DECODER);
          setMatchedValuesControl(matchedValuesControl);
        setMatchedValuesControl(getRequestControl(MatchedValuesControl.DECODER));
        }
        else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid))
        {
@@ -404,22 +387,17 @@
        {
          setVirtualAttributesOnly(true);
        }
        else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid) &&
          DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS))
      else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid) && DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS))
        {
          // Do nothing here and let AciHandler deal with it.
        }
        // NYI -- Add support for additional controls.
        else if (c.isCritical() && !backendSupportsControl(oid))
        {
          throw new DirectoryException(
              ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
              ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
        }
      }
    }
  }
  private AccessControlHandler<?> getAccessControlHandler()
  {
opendj-server-legacy/src/main/java/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java
@@ -315,10 +315,7 @@
   */
  static void removeAllDisallowedControls(DN targetDN, Operation operation) throws DirectoryException
  {
    List<Control> requestControls = operation.getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Iterator<Control> iter = requestControls.iterator(); iter.hasNext();)
    for (Iterator<Control> iter = operation.getRequestControls().iterator(); iter.hasNext();)
      {
        final Control control = iter.next();
        if (isProxyAuthzControl(control.getOID()))
@@ -331,8 +328,7 @@
          // As per RFC 4511 4.1.11.
          if (control.isCritical())
          {
            throw new DirectoryException(
                ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
          throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
          }
@@ -341,7 +337,6 @@
        }
      }
    }
  }
  /**
   * Evaluate all aci and privilege checks for any proxy auth controls.
@@ -354,16 +349,13 @@
   */
  static void evaluateProxyAuthControls(Operation operation) throws DirectoryException
  {
    final List<Control> requestControls = operation.getRequestControls();
    if (requestControls != null && !requestControls.isEmpty())
    {
      for (Control control : requestControls)
    for (Control control : operation.getRequestControls())
      {
        final String oid = control.getOID();
        if (isProxyAuthzControl(oid))
        {
          if (getAccessControlHandler().isAllowed(operation.getClientConnection()
                  .getAuthenticationInfo().getAuthenticationDN(), operation, control))
        DN authDN = operation.getClientConnection().getAuthenticationInfo().getAuthenticationDN();
        if (getAccessControlHandler().isAllowed(authDN, operation, control))
          {
            processProxyAuthControls(operation, oid);
          }
@@ -372,15 +364,13 @@
            // As per RFC 4511 4.1.11.
            if (control.isCritical())
            {
              throw new DirectoryException(
                      ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
            throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
                      ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
            }
          }
        }
      }
    }
  }
  /**
   * Check the requester has the PROXIED_AUTH privilege in order to be able to use a proxy auth control.