From 2dc005ee50bb835a3c6130d3c1b757cf6ad63061 Mon Sep 17 00:00:00 2001
From: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:28:55 +0000
Subject: [PATCH] Fix referential integrity plugin silently bypassing check-references for modify operations
---
opendj-server-legacy/src/test/java/org/opends/server/plugins/ReferentialIntegrityPluginTestCase.java | 23 +++++++++++++++++++++++
opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java | 11 +++++------
2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java b/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
index c5b74a0..a1995b6 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/plugins/ReferentialIntegrityPlugin.java
@@ -991,10 +991,9 @@
}
final List<Modification> mods = modifyOperation.getModifications();
- final Entry entry = modifyOperation.getModifiedEntry();
/* Make sure the entry belongs to one of the configured naming contexts. */
- DN entryDN = entry.getName();
+ DN entryDN = modifyOperation.getEntryDN();
DN entryBaseDN = getEntryBaseDN(entryDN);
if (entryBaseDN == null)
{
@@ -1009,14 +1008,14 @@
if (modType != ModificationType.ADD
&& modType != ModificationType.REPLACE)
{
- break;
+ continue;
}
- Attribute modifiedAttribute = entry.getAttribute(mod.getAttribute().getAttributeDescription());
- if (modifiedAttribute != null)
+ Attribute modifiedAttribute = mod.getAttribute();
+ if (modifiedAttribute != null && !modifiedAttribute.isEmpty())
{
PluginResult.PreOperation result =
- isIntegrityMaintained(modifiedAttribute, entryDN, entryBaseDN);
+ isIntegrityMaintained(modifiedAttribute, entryDN, entryBaseDN);
if (result.getResultCode() != ResultCode.SUCCESS)
{
return result;
diff --git a/opendj-server-legacy/src/test/java/org/opends/server/plugins/ReferentialIntegrityPluginTestCase.java b/opendj-server-legacy/src/test/java/org/opends/server/plugins/ReferentialIntegrityPluginTestCase.java
index 531e27a..2a6a312 100644
--- a/opendj-server-legacy/src/test/java/org/opends/server/plugins/ReferentialIntegrityPluginTestCase.java
+++ b/opendj-server-legacy/src/test/java/org/opends/server/plugins/ReferentialIntegrityPluginTestCase.java
@@ -1829,4 +1829,27 @@
"member", "uid=user.1,ou=people,ou=dept,o=test");
assertEquals(modOperation.getResultCode(), ResultCode.SUCCESS);
}
+
+ @Test
+ public void testEnforceIntegrityModifyGroupAddMissingUniqueMember() throws Exception
+ {
+ replaceAttrEntry(configDN, "ds-cfg-enabled", "false");
+ replaceAttrEntry(configDN, dsConfigPluginType,
+ "postoperationdelete",
+ "postoperationmodifydn",
+ "subordinatemodifydn",
+ "subordinatedelete",
+ "preoperationadd",
+ "preoperationmodify");
+ addAttrEntry(configDN, dsConfigBaseDN, "dc=example,dc=com");
+ replaceAttrEntry(configDN, dsConfigEnforceIntegrity, "true");
+ replaceAttrEntry(configDN, dsConfigAttrType, "uniquemember");
+ addAttrEntry(configDN, dsConfigAttrFiltMapping,
+ "uniquemember:(objectclass=person)");
+ replaceAttrEntry(configDN, "ds-cfg-enabled", "true");
+
+ ModifyOperation modOperation = addAttrEntry(DN.valueOf(ugroup),
+ "uniquemember", "uid=user.100,ou=people,ou=dept,dc=example,dc=com");
+ assertEquals(modOperation.getResultCode(), ResultCode.CONSTRAINT_VIOLATION);
+ }
}
--
Gitblit v1.10.0