From 10f0e9c1ad2e1296678c3706152a84437da35a78 Mon Sep 17 00:00:00 2001
From: Jean-Noël Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Wed, 06 Apr 2016 16:25:31 +0000
Subject: [PATCH] Fix uninstall tool + add upgrade task for removing configuration backend

---
 opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java |  143 ++---------------------------------------------
 1 files changed, 8 insertions(+), 135 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
index 953d0ac..ef801b0 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -22,7 +22,6 @@
 import java.util.SortedSet;
 import java.util.TreeSet;
 
-import org.forgerock.i18n.LocalizableMessage;
 import org.forgerock.i18n.LocalizedIllegalArgumentException;
 import org.forgerock.i18n.slf4j.LocalizedLogger;
 import org.forgerock.opendj.config.server.ConfigException;
@@ -33,23 +32,17 @@
 import org.forgerock.opendj.ldap.ModificationType;
 import org.forgerock.opendj.ldap.RDN;
 import org.forgerock.opendj.ldap.ResultCode;
-import org.forgerock.opendj.ldap.SearchScope;
 import org.forgerock.opendj.ldap.schema.AttributeType;
 import org.forgerock.opendj.server.config.server.DseeCompatAccessControlHandlerCfg;
 import org.opends.server.api.AccessControlHandler;
-import org.opends.server.api.Backend;
 import org.opends.server.api.ClientConnection;
 import org.opends.server.backends.pluggable.SuffixContainer;
 import org.opends.server.controls.GetEffectiveRightsRequestControl;
 import org.opends.server.core.BindOperation;
-import org.opends.server.core.ConfigurationBackend;
 import org.opends.server.core.DirectoryServer;
 import org.opends.server.core.ExtendedOperation;
 import org.opends.server.core.ModifyDNOperation;
 import org.opends.server.core.SearchOperation;
-import org.opends.server.protocols.internal.InternalClientConnection;
-import org.opends.server.protocols.internal.InternalSearchOperation;
-import org.opends.server.protocols.internal.SearchRequest;
 import org.opends.server.protocols.ldap.LDAPControl;
 import org.opends.server.types.Attribute;
 import org.opends.server.types.AttributeBuilder;
@@ -68,22 +61,17 @@
 import org.opends.server.workflowelement.localbackend.LocalBackendCompareOperation;
 import org.opends.server.workflowelement.localbackend.LocalBackendDeleteOperation;
 import org.opends.server.workflowelement.localbackend.LocalBackendModifyOperation;
-import org.opends.server.workflowelement.localbackend.LocalBackendSearchOperation;
 
 import static org.opends.messages.AccessControlMessages.*;
 import static org.opends.server.authorization.dseecompat.Aci.*;
 import static org.opends.server.authorization.dseecompat.EnumEvalReason.*;
 import static org.opends.server.config.ConfigConstants.*;
 import static org.opends.server.core.DirectoryServer.*;
-import static org.opends.server.protocols.internal.InternalClientConnection.*;
-import static org.opends.server.protocols.internal.Requests.*;
 import static org.opends.server.schema.SchemaConstants.*;
 import static org.opends.server.util.ServerConstants.*;
 import static org.opends.server.util.StaticUtils.*;
 
-/**
- * The AciHandler class performs the main processing for the dseecompat package.
- */
+/** The AciHandler class performs the main processing for the dseecompat package. */
 public final class AciHandler extends
     AccessControlHandler<DseeCompatAccessControlHandlerCfg>
 {
@@ -129,8 +117,6 @@
     initStatics();
   }
 
-
-
   /**
    * We initialize these for each new AciHandler so that we can clear out the
    * stale references that can occur during an in-core restart.
@@ -168,7 +154,6 @@
     // the intializeAccessControlHandler method.
   }
 
-  /** {@inheritDoc} */
   @Override
   public void filterEntry(Operation operation,
       SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry)
@@ -194,7 +179,6 @@
     }
   }
 
-  /** {@inheritDoc} */
   @Override
   public void finalizeAccessControlHandler()
   {
@@ -203,7 +187,6 @@
     DirectoryServer.deregisterSupportedControl(OID_GET_EFFECTIVE_RIGHTS);
   }
 
-  /** {@inheritDoc} */
   @Override
   public void initializeAccessControlHandler(
       DseeCompatAccessControlHandlerCfg configuration)
@@ -214,11 +197,9 @@
     aciList = new AciList(configurationDN);
     aciListenerMgr = new AciListenerManager(aciList, configurationDN);
     processGlobalAcis(configuration);
-    processConfigAcis();
     DirectoryServer.registerSupportedControl(OID_GET_EFFECTIVE_RIGHTS);
   }
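Review bot: Dropping the `processConfigAcis();` call means `aci` values held on entries under the configuration backend are no longer preloaded into `aciList` at startup, and the lockdown-on-parse-failure path that method drove for that subtree (via `aciListenerMgr.logMsgsSetLockDownMode`) goes with it; nothing in this file shows where those ACIs are picked up instead. If they are now delivered through `AciListenerManager` or stripped by the new upgrade task, a one-line comment at the call site should say so, e.g. `// cn=config ACIs are no longer preloaded here; the configuration backend is being removed (see upgrade task)`. Otherwise a deployment that still carries ACIs under cn=config would presumably lose them silently, which fails closed under deny-by-default but is a behavior change worth stating in the commit description. The method's signature and opening lines are outside this hunk.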
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(DN entryDN, Operation op, Control control)
       throws DirectoryException
@@ -257,7 +238,6 @@
     return true;
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(ExtendedOperation operation)
   {
@@ -272,7 +252,6 @@
     return accessAllowed(container);
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(LocalBackendAddOperation operation)
       throws DirectoryException
@@ -284,7 +263,6 @@
         && verifySyntax(operation.getEntryToAdd(), operation, container.getClientDN());
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(BindOperation bindOperation)
   {
@@ -292,8 +270,6 @@
     return true;
   }
 
-
-
   /**
    * Check access on compare operations. Note that the attribute type is
    * unavailable at this time, so this method partially parses the raw
@@ -328,8 +304,6 @@
     return isAllowed(container, operation);
   }
 
-
-
   /**
    * Check access on delete operations.
    *
@@ -345,8 +319,6 @@
     return isAllowed(container, operation);
   }
 
-
-
   /**
    * Checks access on a modifyDN operation.
    *
@@ -394,7 +366,6 @@
     return rdnChangesAllowed;
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(LocalBackendModifyOperation operation)
       throws DirectoryException
@@ -403,7 +374,6 @@
     return aciCheckMods(container, operation, skipAccessCheck(operation));
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(SearchOperation searchOperation)
   {
@@ -411,7 +381,6 @@
     return true;
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean isAllowed(Operation operation, Entry entry,
       SearchFilter filter) throws DirectoryException
@@ -426,7 +395,6 @@
     return testFilter(container, filter);
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation op)
   {
@@ -443,7 +411,6 @@
     return accessAllowedEntry(container);
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean maySend(DN dn, Operation operation, SearchResultReference reference)
   {
@@ -465,7 +432,6 @@
     return accessAllowed(container);
   }
 
-  /** {@inheritDoc} */
   @Override
   public boolean maySend(Operation operation, SearchResultEntry entry)
   {
@@ -513,8 +479,6 @@
     return true;
   }
 
-
-
   /**
    * Check access using the specified container. This container will
    * have all of the information to gather applicable ACIs and perform
@@ -579,8 +543,6 @@
     return ret;
   }
 
-
-
   /*
    * TODO Evaluate performance of this method. TODO Evaluate security
    * concerns of this method. Logic from this method taken almost
@@ -642,8 +604,6 @@
     return false;
   }
 
-
-
   /**
    * Performs an access check against all of the attributes of an entry. The
    * attributes that fail access are removed from the entry. This method
@@ -676,8 +636,6 @@
     }
   }
 
-
-
   /**
    * Checks to see if a LDAP modification is allowed access.
    *
@@ -708,8 +666,7 @@
 
       if (modAttrType.equals(aciType)
           /*
-           * Check that the operation has modify privileges if it contains
-           * an "aci" attribute type.
+           * Check that the operation has modify privileges if it contains an "aci" attribute type.
            */
           && !operation.getClientConnection().hasPrivilege(
               Privilege.MODIFY_ACL, operation))
@@ -725,8 +682,8 @@
               || modType == ModificationType.REPLACE
               || modType == ModificationType.INCREMENT)
           /*
-           * Check if we have rights to delete all values of an attribute
-           * type in the resource entry.
+           * Check if we have rights to delete all values of an attribute type in the resource
+           * entry.
            */
           && resourceEntry.hasAttribute(modAttrType))
       {
@@ -816,8 +773,6 @@
     return true;
   }
 
-
-
   /**
    * Perform all needed RDN checks for the modifyDN operation. The old RDN is
    * not equal to the new RDN. The access checks are:
@@ -860,8 +815,6 @@
     return ret;
   }
 
-
-
   /**
    * Check access on the new superior entry if it exists. If superiordn is null,
    * the entry does not exist or the DN cannot be locked then false is returned.
@@ -891,8 +844,6 @@
     }
   }
 
-
-
   /**
    * Check access on each attribute-value pair component of the
    * specified RDN. There may be more than one attribute-value pair if
@@ -922,8 +873,6 @@
     return true;
   }
 
-
-
   /**
    * Creates the allow and deny ACI lists based on the provided target
    * match context. These lists are stored in the evaluation context.
@@ -960,8 +909,6 @@
     targetMatchCtx.setDenyList(denys);
   }
 
-
-
   /**
    * Gathers all of the attribute types in an entry along with the
    * "objectclass" attribute type in a List. The "objectclass" attribute
@@ -988,8 +935,6 @@
     return typeList;
   }
 
-
-
   /**
    * Check access using the accessAllowed method. The LDAP add, compare,
    * modify and delete operations use this function. The other supported
@@ -1021,70 +966,6 @@
     return SYNTAX_DN_OID.equals(attribute.getSyntax().getOID());
   }
 
-
-
-  /**
-   * Process all ACIs under the "cn=config" naming context and adds them
-   * to the ACI list cache. It also logs messages about the number of
-   * ACIs added to the cache. This method is called once at startup. It
-   * will put the server in lockdown mode if needed.
-   *
-   * @throws InitializationException
-   *           If there is an error searching for the ACIs in the naming
-   *           context.
-   */
-  private void processConfigAcis() throws InitializationException
-  {
-    LinkedList<LocalizableMessage> failedACIMsgs = new LinkedList<>();
-    InternalClientConnection conn = getRootConnection();
-
-    Backend<?> configBackend = DirectoryServer.getBackend(ConfigurationBackend.CONFIG_BACKEND_ID);
-    for (DN baseDN : configBackend.getBaseDNs())
-    {
-      try
-      {
-        if (! configBackend.entryExists(baseDN))
-        {
-          continue;
-        }
-      }
-      catch (Exception e)
-      {
-        logger.traceException(e);
-
-        // FIXME -- Is there anything that we need to do here?
-        continue;
-      }
-
-      try {
-        SearchRequest request = newSearchRequest(baseDN, SearchScope.WHOLE_SUBTREE, "aci=*").addAttribute("aci");
-        InternalSearchOperation internalSearch =
-            new InternalSearchOperation(conn, nextOperationID(), nextMessageID(), request);
-        LocalBackendSearchOperation localSearch = new LocalBackendSearchOperation(internalSearch);
-
-        configBackend.search(localSearch);
-
-        if (!internalSearch.getSearchEntries().isEmpty())
-        {
-          int validAcis =
-              aciList.addAci(internalSearch.getSearchEntries(), failedACIMsgs);
-          if (!failedACIMsgs.isEmpty())
-          {
-            aciListenerMgr.logMsgsSetLockDownMode(failedACIMsgs);
-          }
-          logger.debug(INFO_ACI_ADD_LIST_ACIS, validAcis, baseDN);
-        }
-      }
-      catch (Exception e)
-      {
-        LocalizableMessage message = INFO_ACI_HANDLER_FAIL_PROCESS_ACI.get();
-        throw new InitializationException(message, e);
-      }
-    }
-  }
-
-
-
   /**
    * Process all global ACI attribute types found in the configuration
    * entry and adds them to that ACI list cache. It also logs messages
@@ -1105,7 +986,7 @@
   {
     try
     {
-      final SortedSet<Aci> globalAcis = new TreeSet<Aci>();
+      final SortedSet<Aci> globalAcis = new TreeSet<>();
       for (String value : configuration.getGlobalACI())
       {
         globalAcis.add(Aci.decode(ByteString.valueOfUtf8(value), DN.rootDN()));
@@ -1124,8 +1005,6 @@
     }
   }
 
-
-
   /**
    * Check to see if the specified entry has the specified privilege.
    *
@@ -1139,8 +1018,6 @@
     return ClientConnection.hasPrivilege(e, Privilege.BYPASS_ACL);
   }
 
-
-
   /**
    * Check to see if the client entry has BYPASS_ACL privileges for this
    * operation.
@@ -1156,8 +1033,6 @@
         Privilege.BYPASS_ACL, operation);
   }
 
-
-
   /**
    * Performs the test of the deny and allow access lists using the
    * provided evaluation context. The deny list is checked first.
@@ -1185,12 +1060,12 @@
       final EnumEvalResult res = Aci.evaluate(evalCtx, denyAci);
       // Failure could be returned if a system limit is hit or
       // search fails
-      if (res.equals(EnumEvalResult.FAIL))
+      if (EnumEvalResult.FAIL.equals(res))
       {
         evalCtx.setEvaluationResult(EVALUATED_DENY_ACI, denyAci);
         return false;
       }
-      else if (res.equals(EnumEvalResult.TRUE))
+      else if (EnumEvalResult.TRUE.equals(res))
       {
         if (testAndSetTargAttrOperationMatches(evalCtx, denyAci, true))
         {
@@ -1204,7 +1079,7 @@
     for (Aci allowAci : evalCtx.getAllowList())
     {
       final EnumEvalResult res = Aci.evaluate(evalCtx, allowAci);
-      if (res.equals(EnumEvalResult.TRUE))
+      if (EnumEvalResult.TRUE.equals(res))
       {
         if (testAndSetTargAttrOperationMatches(evalCtx, allowAci, false))
         {
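Review bot: Reversing the comparison to `EnumEvalResult.FAIL.equals(res)` changes what happens if `Aci.evaluate` ever returns null: the original would throw a NullPointerException, the new form quietly evaluates to false, so in the deny loop a null result skips the deny ACI instead of failing closed. If null is genuinely impossible there, `res == EnumEvalResult.FAIL` is the idiomatic null-safe enum comparison and states the intent more clearly than the Yoda-style `equals`; if it is possible, the deny loop should treat it as a failure, e.g. `if (res == null || res == EnumEvalResult.FAIL)`. The same applies to the `TRUE` checks in both loops. The enclosing method starts before this hunk and continues past it.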
@@ -1281,8 +1156,6 @@
     return true;
   }
 
-
-
   /**
    * Evaluate an entry to be added to see if it has any "aci" attribute
    * type. If it does, examines each "aci" attribute type value for
