From 62b134351917387ee30ed318f06f0dae766e8b31 Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Wed, 15 Oct 2014 14:43:02 +0000
Subject: [PATCH] (CR-4811) Converted opendj3 code to use SearchRequest like API
---
opendj3-server-dev/src/server/org/opends/server/authorization/dseecompat/UserAttr.java | 109 +++++++++++++++++++-----------------------------------
1 files changed, 39 insertions(+), 70 deletions(-)
diff --git a/opendj3-server-dev/src/server/org/opends/server/authorization/dseecompat/UserAttr.java b/opendj3-server-dev/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
index de9cb49..ca94f85 100644
--- a/opendj3-server-dev/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
+++ b/opendj3-server-dev/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
@@ -35,11 +35,11 @@
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.internal.SearchRequest;
-import static org.opends.server.protocols.internal.Requests.*;
import org.opends.server.types.*;
import static org.opends.messages.AccessControlMessages.*;
import static org.opends.server.protocols.internal.InternalClientConnection.*;
+import static org.opends.server.protocols.internal.Requests.*;
/*
* TODO Evaluate making this class more efficient.
@@ -59,43 +59,42 @@
* the "#" token.
*/
private enum UserAttrType {
- USERDN, GROUPDN, ROLEDN, URL, VALUE
- }
+ USERDN, GROUPDN, ROLEDN, URL, VALUE;
- /** Filter used internal search. */
- private static SearchFilter filter;
+ private static UserAttrType getType(String expr) throws AciException {
+ if("userdn".equalsIgnoreCase(expr)) {
+ return UserAttrType.USERDN;
+ } else if("groupdn".equalsIgnoreCase(expr)) {
+ return UserAttrType.GROUPDN;
+ } else if("roledn".equalsIgnoreCase(expr)) {
+ return UserAttrType.ROLEDN;
+ } else if("ldapurl".equalsIgnoreCase(expr)) {
+ return UserAttrType.URL;
+ }
+ return UserAttrType.VALUE;
+ }
+ }
/**
* Used to create an attribute type that can compare the value below in
* an entry returned from an internal search.
*/
- private String attrStr=null;
+ private String attrStr;
/**
* Used to compare a attribute value returned from a search against this
* value which might have been defined in the ACI userattr rule.
*/
- private String attrVal=null;
+ private String attrVal;
/** Contains the type of the userattr, one of the above enumerations. */
- private UserAttrType userAttrType=null;
+ private UserAttrType userAttrType;
/** An enumeration representing the bind rule type. */
- private EnumBindRuleType type=null;
+ private EnumBindRuleType type;
/** The class used to hold the parent inheritance information. */
- private ParentInheritance parentInheritance=null;
-
- static {
- /*
- * Set up the filter used to search private and public contexts.
- */
- try {
- filter=SearchFilter.createFilterFromString("(objectclass=*)");
- } catch (DirectoryException ex) {
- //TODO should never happen, error message?
- }
- }
+ private ParentInheritance parentInheritance;
/**
* Create an non-USERDN/GROUPDN instance of the userattr keyword class.
@@ -145,7 +144,7 @@
WARN_ACI_SYNTAX_INVALID_USERATTR_EXPRESSION.get(expression);
throw new AciException(message);
}
- UserAttrType userAttrType=getType(vals[1]);
+ UserAttrType userAttrType = UserAttrType.getType(vals[1]);
switch (userAttrType) {
case GROUPDN:
case USERDN: {
@@ -156,9 +155,7 @@
case ROLEDN: {
//The roledn keyword is not supported. Throw an exception with
//a message if it is seen in the expression.
- LocalizableMessage message =
- WARN_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED.get(expression);
- throw new AciException(message);
+ throw new AciException(WARN_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED.get(expression));
}
}
return new UserAttr(vals[0], vals[1], userAttrType, type);
@@ -205,9 +202,10 @@
EnumEvalResult matched= EnumEvalResult.FALSE;
boolean undefined=false;
AttributeType attrType;
- if((attrType = DirectoryServer.getAttributeType(attrStr)) == null)
+ if((attrType = DirectoryServer.getAttributeType(attrStr)) == null) {
attrType = DirectoryServer.getDefaultAttributeType(attrStr);
- final SearchRequest request = newSearchRequest(evalCtx.getClientDN(), SearchScope.BASE_OBJECT, filter);
+ }
+ final SearchRequest request = newSearchRequest(evalCtx.getClientDN(), SearchScope.BASE_OBJECT);
InternalSearchOperation op = getRootConnection().processSearch(request);
LinkedList<SearchResultEntry> result = op.getSearchEntries();
if (!result.isEmpty()) {
@@ -225,41 +223,6 @@
}
/**
- * Parses the substring after the '#' character to determine the userattr
- * type.
- * @param expr The string with the substring.
- * @return An enumeration containing the type.
- * @throws AciException If the substring contains an invalid type (roledn
- * or groupdn).
- */
- private static UserAttrType getType(String expr) throws AciException {
- UserAttrType userAttrType;
- if(expr.equalsIgnoreCase("userdn"))
- userAttrType=UserAttrType.USERDN;
- else if(expr.equalsIgnoreCase("groupdn")) {
- userAttrType=UserAttrType.GROUPDN;
- /*
- LocalizableMessage message = WARN_ACI_SYNTAX_INVALID_USERATTR_KEYWORD.get(
- "The groupdn userattr" +
- "keyword is not supported.");
- throw new AciException(message);
- */
- } else if(expr.equalsIgnoreCase("roledn")) {
- userAttrType=UserAttrType.ROLEDN;
- /*
- LocalizableMessage message = WARN_ACI_SYNTAX_INVALID_USERATTR_KEYWORD.get(
- "The roledn userattr" +
- "keyword is not supported.");
- throw new AciException(message);
- */
- } else if(expr.equalsIgnoreCase("ldapurl"))
- userAttrType=UserAttrType.URL;
- else
- userAttrType=UserAttrType.VALUE;
- return userAttrType;
- }
-
- /**
* Evaluate an URL userattr type. Look into the resource entry for the
* specified attribute and values. Assume it is an URL. Decode it an try
* and match it against the client entry attribute.
@@ -270,8 +233,9 @@
EnumEvalResult matched= EnumEvalResult.FALSE;
boolean undefined=false;
AttributeType attrType;
- if((attrType = DirectoryServer.getAttributeType(attrStr)) == null)
+ if((attrType = DirectoryServer.getAttributeType(attrStr)) == null) {
attrType = DirectoryServer.getDefaultAttributeType(attrStr);
+ }
List<Attribute> attrs=evalCtx.getResourceEntry().getAttribute(attrType);
if(!attrs.isEmpty()) {
for(Attribute a : attrs) {
@@ -320,11 +284,12 @@
AttributeType attrType=parentInheritance.getAttributeType();
DN baseDN=parentInheritance.getBaseDN();
if(baseDN != null) {
- if (evalCtx.getResourceEntry().hasAttribute(attrType))
+ if (evalCtx.getResourceEntry().hasAttribute(attrType)) {
matched=GroupDN.evaluate(evalCtx.getResourceEntry(),
evalCtx,attrType, baseDN);
+ }
} else {
- for(int i=0;((i < numLevels) && !stop); i++ ) {
+ for(int i=0;(i < numLevels && !stop); i++ ) {
//The ROLEDN keyword will always enter this statement. The others
//might. For the add operation, the resource itself (level 0)
//must never be allowed to give access.
@@ -335,14 +300,16 @@
matched =
evalEntryAttr(evalCtx.getResourceEntry(),
evalCtx,attrType);
- if(matched.equals(EnumEvalResult.TRUE))
+ if(matched.equals(EnumEvalResult.TRUE)) {
stop=true;
+ }
}
} else {
DN pDN = getDNParentLevel(levels[i], evalCtx.getResourceDN());
- if(pDN == null)
+ if(pDN == null) {
continue;
- final SearchRequest request = newSearchRequest(pDN, SearchScope.BASE_OBJECT, filter)
+ }
+ final SearchRequest request = newSearchRequest(pDN, SearchScope.BASE_OBJECT)
.addAttribute(parentInheritance.getAttrTypeStr());
InternalSearchOperation op = getRootConnection().processSearch(request);
LinkedList<SearchResultEntry> result = op.getSearchEntries();
@@ -350,8 +317,9 @@
Entry e = result.getFirst();
if(e.hasAttribute(attrType)) {
matched = evalEntryAttr(e, evalCtx, attrType);
- if(matched.equals(EnumEvalResult.TRUE))
+ if(matched.equals(EnumEvalResult.TRUE)) {
stop=true;
+ }
}
}
}
@@ -370,8 +338,9 @@
*/
private DN getDNParentLevel(int l, DN dn) {
int rdns=dn.size();
- if(l > rdns)
+ if(l > rdns) {
return null;
+ }
DN theDN=dn;
for(int i=0; i < l;i++) {
theDN=theDN.parent();
--
Gitblit v1.10.0