From 0a11b89eca502b8c4e566f7e5496a80e7a7c5a0e Mon Sep 17 00:00:00 2001
From: Gaetan Boismal <gaetan.boismal@forgerock.com>
Date: Mon, 23 Jun 2014 13:45:16 +0000
Subject: [PATCH] OPENDJ-1351 (CR-3830) Require a privilege needed for searching cn=changelog - Upgrade task * tools.properties ** Adding the description message of the upgrade task * Upgrade.java ** Upgrade task n° 2.7.0.10820 which adds the 'changelog-read' value to the Root DNs default privilege list * ExternalChangeLogTest.java ** ChangeLog privilege unit test code refactoring to make it more compact and more meaningful

---
 opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties                                                             |    1 +
 opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java                                            |    7 +++++++
 opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java |   27 ++++++++++-----------------
 3 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties b/opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties
index 32b878e..ddb7380 100644
--- a/opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties
+++ b/opendj-sdk/opendj3-server-dev/src/messages/messages/tools.properties
@@ -2589,3 +2589,4 @@
 INFO_UPGRADE_TASK_10339_1_SUMMARY_10026=Updating ds-cfg-override-severity attribute in Replication Repair Logger
 INFO_UPGRADE_TASK_10733_1_SUMMARY_10027=Removing 'dc=replicationchanges' backend
 INFO_UPGRADE_TASK_10733_2_SUMMARY_10028=Removing ACI for 'dc=replicationchanges'
+INFO_UPGRADE_TASK_10820_SUMMARY_10029=Adding default privilege 'changelog-read' to all root DNs
diff --git a/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java b/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java
index 436b2c7..9ca8c1f 100644
--- a/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java
+++ b/opendj-sdk/opendj3-server-dev/src/server/org/opends/server/tools/upgrade/Upgrade.java
@@ -366,6 +366,13 @@
             + "(version 3.0; acl \"Replication backend access\"; "
             + "deny (all) userdn=\"ldap:///anyone\";)"));
 
+    /** See OPENDJ-1351 */
+    register("2.7.0.10820",
+        modifyConfigEntry(INFO_UPGRADE_TASK_10820_SUMMARY.get(),
+        "(objectClass=ds-cfg-root-dn)",
+        "add: ds-cfg-default-root-privilege-name",
+        "ds-cfg-default-root-privilege-name: changelog-read"));
+
     /*
      * All upgrades will refresh the server configuration schema and generate
      * a new upgrade folder.
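Review bot: The comment on the new `register("2.7.0.10820", ...)` task says only `See OPENDJ-1351`, which omits the security-relevant fact that this upgrade widens the default privilege set of every entry matching `(objectClass=ds-cfg-root-dn)`. A deployment that had deliberately trimmed its root default privileges would presumably get `changelog-read` added back on upgrade with no opt-out, so the reason belongs where the task is registered, e.g. `/* OPENDJ-1351: searching cn=changelog now requires the changelog-read privilege; add it to the root DN defaults so root users keep that access after upgrade. */`. A plain block comment also matches the `/* ... */` style used just below, since a Javadoc `/** */` placed on a statement is attached to nothing. The enclosing block starts and ends outside the hunk.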
diff --git a/opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java b/opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
index 3cf9e53..d0b4e47 100644
--- a/opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
+++ b/opendj-sdk/opendj3-server-dev/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
@@ -399,26 +399,19 @@
     ECLFilterOnReplicationCSN(csn);
   }
   
-  //Verifies that is not possible to read the changelog without the changelog-read privilege
+  /**
+   * Verifies that is not possible to read the changelog without the changelog-read privilege
+   */
   @Test(enabled=true, dependsOnMethods = { "ECLReplicationServerTest"})
   public void ECLChangelogReadPrivilegeTest() throws Exception
-  {  
-     InternalClientConnection conn =
-           new InternalClientConnection(new AuthenticationInfo());
-     InternalSearchOperation ico = conn.processSearch(
-          "cn=changelog",
-          SearchScope.WHOLE_SUBTREE,
-          DereferenceAliasesPolicy.NEVER,
-          0, // Size limit
-          0, // Time limit
-          false, // Types only
-          "(objectclass=*)",
-          ALL_ATTRIBUTES,
-          NO_CONTROL,
-          null);
+  {
+    AuthenticationInfo nonPrivilegedUser = new AuthenticationInfo();
      
-     assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
-     assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
+    InternalClientConnection conn = new InternalClientConnection(nonPrivilegedUser);
+    InternalSearchOperation ico = conn.processSearch("cn=changelog", SearchScope.WHOLE_SUBTREE, "(objectclass=*)");
+
+    assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+    assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
   }
   
   private void ECLIsNotASupportedSuffix() throws Exception
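Review bot: `ECLChangelogReadPrivilegeTest` covers only the denial path, and it does so with a default-constructed `AuthenticationInfo`, which as far as I can tell represents an unauthenticated client rather than an authenticated user who merely lacks `changelog-read`. A privilege check is best pinned from both sides: a companion assertion that a connection holding `changelog-read` gets `ResultCode.SUCCESS` on the same search would catch a check that denies everyone, and a bound user without the privilege would exercise the case the name `nonPrivilegedUser` suggests. The Javadoc is also missing a word; `Verifies that it is not possible to read the changelog without the changelog-read privilege.` reads correctly. The whitespace-only line after the `nonPrivilegedUser` declaration can be cleaned up as well.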

--
Gitblit v1.10.0