From 4e2366ebec6d1c05a9c22e7d01e010ee4dea45fc Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 06 Jun 2007 21:49:10 +0000
Subject: [PATCH] Put server into lockdown mode if ACI parsing fails during server startup or backend initialization. Issue #1750.
---
opends/src/server/org/opends/server/authorization/dseecompat/AciList.java | 73 ++++++++++++++++++++++--------------
1 files changed, 44 insertions(+), 29 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciList.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciList.java
index d472dc6..c8a720d 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciList.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciList.java
@@ -27,16 +27,16 @@
package org.opends.server.authorization.dseecompat;
-import static org.opends.server.messages.AciMessages.*;
+import org.opends.server.api.Backend;
+import static org.opends.server.authorization.dseecompat.AciHandler.aciType;
+import static org.opends.server.authorization.dseecompat.AciHandler.globalAciType;
import static org.opends.server.loggers.ErrorLogger.logError;
+import static org.opends.server.messages.AciMessages.MSGID_ACI_ADD_LIST_FAILED_DECODE;
import static org.opends.server.messages.MessageHandler.getMessage;
+import org.opends.server.types.*;
import java.util.*;
-import static org.opends.server.authorization.dseecompat.AciHandler.*;
-import org.opends.server.types.*;
-import org.opends.server.api.Backend;
-
/**
* The AciList class performs caching of the ACI attribute values
* using the entry DN as the key.
@@ -135,9 +135,12 @@
* to check for global ACIs since they are processe by the AciHandler at
* startup using the addACi single entry method.
* @param entries The set of entries containing the "aci" attribute values.
+ * @param failedACIMsgs List that will hold error messages from ACI decode
+ * exceptions.
* @return The number of valid ACI attribute values added to the ACI list.
*/
- public synchronized int addAci(List<? extends Entry> entries)
+ public synchronized int addAci(List<? extends Entry> entries,
+ LinkedList<String> failedACIMsgs)
{
// Copy the ACI list.
LinkedHashMap<DN,List<Aci>> aciCopy = copyList();
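Review bot: The new parameter is declared as the concrete `LinkedList<String> failedACIMsgs` (L40); the method only appends to it, so `List<String> failedACIMsgs` would let callers pass any list without forcing the implementation type into the public signature. The same concrete type is used in the second addAci overload (L64) and in addAciAttributeList (L101), and the change should be made in all three together so the call sites stay consistent. The Javadoc should also state the new contract, since decode failures are no longer logged inside these methods: `@param failedACIMsgs List to which a message is appended for every ACI value that fails to decode; the caller is responsible for logging or otherwise acting on these messages.` Both addAci bodies continue outside their hunks.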
@@ -147,7 +150,8 @@
DN dn=entry.getDN();
List<Attribute> attributeList =
entry.getOperationalAttribute(AciHandler.aciType);
- validAcis += addAciAttributeList(aciCopy, dn, attributeList);
+ validAcis += addAciAttributeList(aciCopy, dn, configDN,
+ attributeList, failedACIMsgs);
}
// Replace the ACI list with the copy.
@@ -162,10 +166,13 @@
* @param hasAci True if the "aci" attribute type was seen in the entry.
* @param hasGlobalAci True if the "ds-cfg-global-aci" attribute type was
* seen in the entry.
+ * @param failedACIMsgs List that will hold error messages from ACI decode
+ * exceptions.
* @return The number of valid ACI attribute values added to the ACI list.
*/
public synchronized int addAci(Entry entry, boolean hasAci,
- boolean hasGlobalAci) {
+ boolean hasGlobalAci,
+ LinkedList<String> failedACIMsgs) {
int validAcis=0;
// Copy the ACI list.
@@ -175,12 +182,14 @@
//attributes are skipped.
if(hasGlobalAci && entry.getDN().equals(configDN)) {
List<Attribute> attributeList = entry.getAttribute(globalAciType);
- validAcis = addAciAttributeList(aciCopy, DN.nullDN(), attributeList);
+ validAcis = addAciAttributeList(aciCopy, DN.nullDN(), configDN,
+ attributeList, failedACIMsgs);
}
if(hasAci) {
List<Attribute> attributeList = entry.getAttribute(aciType);
- validAcis += addAciAttributeList(aciCopy, entry.getDN(), attributeList);
+ validAcis += addAciAttributeList(aciCopy, entry.getDN(), configDN,
+ attributeList, failedACIMsgs);
}
// Replace the ACI list with the copy.
aciList = aciCopy;
@@ -194,13 +203,18 @@
* returned of the number of valid ACIs added.
* @param aciList The ACI list to which the ACI is to be added.
* @param dn The DN to use as the key in the ACI list.
+ * @param configDN The DN of the configuration entry used to configure the
+ * ACI handler. Used if a global ACI has an decode exception.
* @param attributeList List of attributes containing the ACI attribute
* values.
+ * @param failedACIMsgs List that will hold error messages from ACI decode
+ * exceptions.
* @return The number of valid attribute values added to the ACI list.
*/
- private static int addAciAttributeList(
- LinkedHashMap<DN,List<Aci>> aciList, DN dn,
- List<Attribute> attributeList) {
+ private static int addAciAttributeList(LinkedHashMap<DN,List<Aci>> aciList,
+ DN dn, DN configDN,
+ List<Attribute> attributeList,
+ LinkedList<String> failedACIMsgs) {
if (attributeList == null) {
return 0;
@@ -215,19 +229,16 @@
acis.add(aci);
validAcis++;
} catch (AciException ex) {
- /* An illegal ACI might have been loaded
- * during import and is failing at ACI handler
- * initialization time. Log a message and continue
- * processing. ACIs added via LDAP add have their
- * syntax checked before adding and should never
- * hit this code.
- */
int msgID = MSGID_ACI_ADD_LIST_FAILED_DECODE;
- String message = getMessage(msgID,
- ex.getMessage());
- logError(ErrorLogCategory.ACCESS_CONTROL,
- ErrorLogSeverity.INFORMATIONAL,
- message, msgID);
+ DN msgDN=dn;
+ if(dn == DN.nullDN()) {
+ msgDN=configDN;
+ }
+ String t=value.getValue().toString();
+ String message = getMessage(msgID, value.getValue().toString(),
+ String.valueOf(msgDN),
+ ex.getMessage());
+ failedACIMsgs.add(message);
}
}
}
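Review bot: `String t=value.getValue().toString();` on L125 is an unused local, and the same expression is evaluated again on L126; drop L125 and keep `String message = getMessage(msgID, value.getValue().toString(), String.valueOf(msgDN), ex.getMessage());`. The global-ACI check on L122 uses reference equality, `if(dn == DN.nullDN())`; unless DN.nullDN() is documented to return a single shared instance, `if (dn.equals(DN.nullDN()))` is the safer test, matching the equals-based comparison the file already uses for configDN (L69). Note that the catch block no longer calls logError at all, so a decode failure is now visible only if every caller drains failedACIMsgs; a short comment in the catch, `// Not logged here: callers decide whether to log or enter lockdown`, would make that dependency explicit. The enclosing addAciAttributeList starts before this hunk.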
@@ -255,12 +266,14 @@
// Copy the ACI list.
LinkedHashMap<DN,List<Aci>> aciCopy = copyList();
+ LinkedList<String>failedACIMsgs=new LinkedList<String>();
//Process "aci" attribute types.
if(hasAci) {
aciCopy.remove(oldEntry.getDN());
List<Attribute> attributeList =
newEntry.getOperationalAttribute(aciType);
- addAciAttributeList(aciCopy,newEntry.getDN(),attributeList);
+ addAciAttributeList(aciCopy,newEntry.getDN(), configDN,
+ attributeList, failedACIMsgs);
}
//Process global "ds-cfg-global-aci" attribute type. The oldentry
//DN is checked to verify it is equal to the config DN. If not those
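Review bot: `failedACIMsgs` is created on L136 and passed into both addAciAttributeList calls of this method, but nothing in this hunk or the following one reads it, and addAciAttributeList no longer logs decode failures itself; unless the rest of modifyAci (which continues past the hunk) consumes the list, an ACI that fails to decode during a modify is now silently dropped where it was previously logged. If the list is indeed unused after the copy is swapped in, log its contents there, e.g. `for (String failedMsg : failedACIMsgs) { logError(ErrorLogCategory.ACCESS_CONTROL, ErrorLogSeverity.INFORMATIONAL, failedMsg, MSGID_ACI_ADD_LIST_FAILED_DECODE); }`, so a rejected ACI remains traceable in the error log. Also `LinkedList<String>failedACIMsgs=new LinkedList<String>();` lacks the spacing used elsewhere in the file and could be `List<String> failedACIMsgs = new LinkedList<String>();`.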
@@ -269,7 +282,8 @@
aciCopy.remove(DN.nullDN());
List<Attribute> attributeList =
newEntry.getAttribute(globalAciType);
- addAciAttributeList(aciCopy, DN.nullDN(), attributeList);
+ addAciAttributeList(aciCopy, DN.nullDN(), configDN,
+ attributeList, failedACIMsgs);
}
// Replace the ACI list with the copy.
aciList = aciCopy;
@@ -376,8 +390,9 @@
//ACI with a new DN is being made. Log a message if it does and
//keep going.
int msgID = MSGID_ACI_ADD_LIST_FAILED_DECODE;
- String message = getMessage(msgID,
- ex.getMessage());
+ String message = getMessage(msgID, aci.toString(),
+ String.valueOf(relocateDN),
+ ex.getMessage());
logError(ErrorLogCategory.ACCESS_CONTROL,
ErrorLogSeverity.INFORMATIONAL,
message, msgID);
--
Gitblit v1.10.0