From 58e55d3b2ce362a2ec2d0f0b88333e602bae7c99 Mon Sep 17 00:00:00 2001
From: jdemendi <jdemendi@localhost>
Date: Tue, 31 Mar 2009 15:52:47 +0000
Subject: [PATCH] fix 3892, ACI evaluation is made optional when returning entries and references to clients
---
opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationWrapper.java | 28 +++++++++++++
opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationBasis.java | 41 +++++++++++++++++---
opendj-sdk/opends/src/server/org/opends/server/core/SearchOperation.java | 41 ++++++++++++++++++++
3 files changed, 101 insertions(+), 9 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperation.java b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperation.java
index ee0edfa..c69a599 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperation.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperation.java
@@ -22,7 +22,7 @@
* CDDL HEADER END
*
*
- * Copyright 2006-2008 Sun Microsystems, Inc.
+ * Copyright 2006-2009 Sun Microsystems, Inc.
*/
package org.opends.server.core;
@@ -242,6 +242,26 @@
public abstract boolean returnEntry(Entry entry, List<Control> controls);
/**
+ * Used as a callback for backends to indicate that the provided entry matches
+ * the search criteria and that additional processing should be performed to
+ * potentially send it back to the client.
+ *
+ * @param entry The entry that matches the search criteria and should
+ * be sent to the client.
+ * @param controls The set of controls to include with the entry (may be
+ * <CODE>null</CODE> if none are needed).
+ * @param evaluateAci Indicates whether the access rights to the entry
+ * should be evaluated.
+ *
+ * @return <CODE>true</CODE> if the caller should continue processing the
+ * search request and sending additional entries and references, or
+ * <CODE>false</CODE> if not for some reason (e.g., the size limit
+ * has been reached or the search has been abandoned).
+ */
+ public abstract boolean returnEntry(Entry entry, List<Control> controls,
+ boolean evaluateAci);
+
+ /**
* Used as a callback for backends to indicate that the provided search
* reference was encountered during processing and that additional processing
* should be performed to potentially send it back to the client.
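Review bot: The Javadoc for `evaluateAci` on the new `returnEntry` overload does not say what a caller takes on by passing `false`. In the SearchOperationBasis hunks of this patch the flag gates both the `maySend` check and the `filterEntry` call, so the tag should say so, for example `@param evaluateAci If false, neither the entry-level access check nor the attribute filtering is applied; the caller must already have enforced access control for this entry.` The same gap exists on the `returnReference` overload added in the next hunk. Because this adds an abstract method to a public class, any subclass outside the three files touched here would also need an implementation, which cannot be checked from this patch.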
@@ -258,6 +278,25 @@
SearchResultReference reference);
/**
+ * Used as a callback for backends to indicate that the provided search
+ * reference was encountered during processing and that additional processing
+ * should be performed to potentially send it back to the client.
+ *
+ * @param reference The search reference to send to the client.
+ * @param dn The DN related to the specified search reference.
+ * @param evaluateAci Indicates whether the access rights to the entry
+ * should be evaluated.
+ *
+ * @return <CODE>true</CODE> if the caller should continue processing the
+ * search request and sending additional entries and references , or
+ * <CODE>false</CODE> if not for some reason (e.g., the size limit
+ * has been reached or the search has been abandoned).
+ */
+ public abstract boolean returnReference(DN dn,
+ SearchResultReference reference,
+ boolean evaluateAci);
+
+ /**
* Sends the search result done message to the client. Note that this method
* should only be called from external classes in special cases (e.g.,
* persistent search) where they are sure that the result won't be sent by the
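Review bot: The `@param` tags on the new `returnReference` overload are listed as `reference`, `dn`, `evaluateAci`, while the signature is `(DN dn, SearchResultReference reference, boolean evaluateAci)`; they should follow the signature order. The `evaluateAci` text speaks of the access rights "to the entry" although this method handles a reference, so `Indicates whether the access rights to the reference should be evaluated.` would be accurate. There is also a stray space in `references ,` in the `@return` text.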
diff --git a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationBasis.java b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationBasis.java
index f31ee88..fb1e83e 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationBasis.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationBasis.java
@@ -576,6 +576,15 @@
*/
public final boolean returnEntry(Entry entry, List<Control> controls)
{
+ return returnEntry(entry, controls, true);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public final boolean returnEntry(Entry entry, List<Control> controls,
+ boolean evaluateAci)
+ {
boolean typesOnly = getTypesOnly();
// See if the size limit has been exceeded. If so, then don't send the
@@ -702,11 +711,14 @@
}
// Check to see if the entry can be read by the client.
- SearchResultEntry tmpSearchEntry = new SearchResultEntry(entry,
+ if (evaluateAci)
+ {
+ SearchResultEntry tmpSearchEntry = new SearchResultEntry(entry,
controls);
- if (AccessControlConfigManager.getInstance()
- .getAccessControlHandler().maySend(this, tmpSearchEntry) == false) {
- return true;
+ if (AccessControlConfigManager.getInstance()
+ .getAccessControlHandler().maySend(this, tmpSearchEntry) == false) {
+ return true;
+ }
}
// Make a copy of the entry and pare it down to only include the set
@@ -803,8 +815,11 @@
// FIXME: need some way to prevent plugins from adding attributes or
// values that the client is not permitted to see.
- searchEntry = AccessControlConfigManager.getInstance()
+ if (evaluateAci)
+ {
+ searchEntry = AccessControlConfigManager.getInstance()
.getAccessControlHandler().filterEntry(this, searchEntry);
+ }
// Invoke any search entry plugins that may be registered with the server.
PluginResult.IntermediateResponse pluginResult =
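Review bot: With `evaluateAci` false this hunk skips `filterEntry`, so attribute-level filtering is dropped together with the entry-level `maySend` check guarded in the previous hunk, and nothing here records why that is safe. A comment on the new `if`, such as `// evaluateAci == false: the caller has already applied access control to this entry and its attributes`, would make the trust assumption explicit for the next maintainer. It is also worth deciding whether the entry-level and attribute-level checks should share one flag, since a caller that has only verified entry visibility would still bypass attribute filtering. The enclosing `returnEntry` body starts and ends outside this hunk.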
@@ -842,6 +857,15 @@
*/
public final boolean returnReference(DN dn, SearchResultReference reference)
{
+ return returnReference(dn, reference, true);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ public final boolean returnReference(DN dn, SearchResultReference reference,
+ boolean evaluateAci)
+ {
// See if the time limit has expired. If so, then don't send the entry and
// indicate that the search should end.
if ((getTimeLimit() > 0) && (TimeThread.getTime() >=
@@ -862,9 +886,12 @@
// See if the client has permission to read this reference.
- if (AccessControlConfigManager.getInstance()
+ if (evaluateAci)
+ {
+ if (AccessControlConfigManager.getInstance()
.getAccessControlHandler().maySend(dn, this, reference) == false) {
- return true;
+ return true;
+ }
}
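Review bot: The nested `if (evaluateAci) { if (... == false) {` in this hunk can be a single condition, which keeps the original indentation and drops the `== false` comparison: `if (evaluateAci && !AccessControlConfigManager.getInstance().getAccessControlHandler().maySend(dn, this, reference)) {`. The comment `// See if the client has permission to read this reference.` should also state that the check is skipped when the caller passes `evaluateAci` as false. The same nesting appears in the `returnEntry` hunk around `maySend(this, tmpSearchEntry)`. The `returnReference` body continues outside this hunk.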
diff --git a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationWrapper.java b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationWrapper.java
index ebeb62c..ba54d02 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationWrapper.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/core/SearchOperationWrapper.java
@@ -22,7 +22,7 @@
* CDDL HEADER END
*
*
- * Copyright 2008 Sun Microsystems, Inc.
+ * Copyright 2008-2009 Sun Microsystems, Inc.
*/
package org.opends.server.core;
@@ -70,6 +70,19 @@
/**
* {@inheritDoc}
*/
+ public boolean returnEntry(Entry entry, List<Control> controls,
+ boolean evaluateAci)
+ {
+ boolean result;
+
+ result = this.search.returnEntry(entry, controls, evaluateAci);
+
+ return result;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
public boolean returnReference(DN dn, SearchResultReference reference)
{
boolean result;
@@ -82,6 +95,19 @@
/**
* {@inheritDoc}
*/
+ public boolean returnReference(DN dn, SearchResultReference reference,
+ boolean evaluateAci)
+ {
+ boolean result;
+
+ result = this.search.returnReference(dn, reference, evaluateAci);
+
+ return result;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
public String toString()
{
return search.toString();
--
Gitblit v1.10.0