From 5ab71727e25999e8bafe2f299ea4ac05bf4290b6 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Mon, 08 Jun 2009 16:53:14 +0000
Subject: [PATCH] Fix issue 4042: LDAP assertion control access control evaluation results in protocol error
---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java | 42 +++++--
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java | 72 ++++++++-----
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java | 42 +++++--
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java | 42 +++++--
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java | 42 +++++--
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java | 50 ++++++---
6 files changed, 193 insertions(+), 97 deletions(-)
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
index 118297f..a10e64b 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -1465,30 +1465,46 @@
if (oid.equals(OID_LDAP_ASSERTION))
{
// RFC 4528 mandates support for Add operation basically
- // suggesting an asertion on self. As daft as it may be
+ // suggesting an assertion on self. As daft as it may be
// we gonna have to support this for RFC compliance.
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(entry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, entry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_ADD_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_ADD_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
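Review bot: The `throw new DirectoryException(ResultCode.ASSERTION_FAILED, ...)` for a non-matching entry is still inside the second try, whose catch (its body continues in the next hunk) rewraps every DirectoryException, so a plain assertion mismatch now goes back with result code ASSERTION_FAILED but carrying the "cannot process assertion filter" diagnostic built from the mismatch message, and each mismatch is also traced at DebugLogLevel.ERROR although it is ordinary control flow. Evaluating `filter.matchesEntry(entry)` inside the try and throwing ASSERTION_FAILED after it keeps the catch for genuine evaluation failures only, as sketched below. The same shape is present in the LocalBackendCompareOperation, LocalBackendDeleteOperation, LocalBackendModifyDNOperation, LocalBackendModifyOperation and LocalBackendSearchOperation sections. Unlike the search variant, which passes `de` as the cause, the wrapped exceptions in this file and the four sibling files drop it; adding `, de)` to both rethrows keeps the original stack for the debug log. The enclosing method starts before this hunk.
```java
// … unchanged: access-control check on the decoded assertion filter …
boolean assertionMatches;
try
{
  assertionMatches = filter.matchesEntry(entry);
}
catch (DirectoryException de)
{
  if (debugEnabled())
  {
    TRACER.debugCaught(DebugLogLevel.ERROR, de);
  }
  throw new DirectoryException(de.getResultCode(),
      ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
          String.valueOf(entryDN),
          de.getMessageObject()), de);
}
if (!assertionMatches)
{
  throw new DirectoryException(ResultCode.ASSERTION_FAILED,
      ERR_ADD_ASSERTION_FAILED.get(String.valueOf(entryDN)));
}
```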
@@ -1503,10 +1519,10 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
- ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
- String.valueOf(entryDN),
- de.getMessageObject()));
+ throw new DirectoryException(de.getResultCode(),
+ ERR_ADD_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
}
}
else if (oid.equals(OID_LDAP_NOOP_OPENLDAP_ASSIGNED))
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
index 5a67494..a1c8031 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
@@ -446,25 +446,41 @@
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(entry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, entry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_COMPARE_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_COMPARE_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
@@ -479,7 +495,7 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
+ throw new DirectoryException(de.getResultCode(),
ERR_COMPARE_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
index aea75df..c33d77f 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
@@ -530,25 +530,41 @@
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(entry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, entry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_DELETE_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_DELETE_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
@@ -563,7 +579,7 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
+ throw new DirectoryException(de.getResultCode(),
ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
index e53dcc2..589ab7c 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
@@ -754,25 +754,41 @@
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, currentEntry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(currentEntry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, currentEntry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(currentEntry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_MODDN_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_MODDN_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
@@ -787,7 +803,7 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
+ throw new DirectoryException(de.getResultCode(),
ERR_MODDN_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
index e468240..b8e1d38 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
@@ -780,25 +780,41 @@
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter filter;
try
{
- SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, currentEntry, filter))
+ filter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (! filter.matchesEntry(currentEntry))
+ throw new DirectoryException(de.getResultCode(),
+ ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ String.valueOf(entryDN),
+ de.getMessageObject()));
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, currentEntry, filter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try
+ {
+ if (!filter.matchesEntry(currentEntry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
- ERR_MODIFY_ASSERTION_FAILED.get(
- String.valueOf(entryDN)));
+ ERR_MODIFY_ASSERTION_FAILED.get(String
+ .valueOf(entryDN)));
}
}
catch (DirectoryException de)
@@ -813,7 +829,7 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
+ throw new DirectoryException(de.getResultCode(),
ERR_MODIFY_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
index b80325c..3413328 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
@@ -359,42 +359,58 @@
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
+ SearchFilter assertionFilter;
+
try
{
- SearchFilter assertionFilter = assertControl.getSearchFilter();
- Entry entry;
- try
+ assertionFilter = assertControl.getSearchFilter();
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- entry = DirectoryServer.getEntry(baseDN);
- }
- catch (DirectoryException de)
- {
- if (debugEnabled())
- {
- TRACER.debugCaught(DebugLogLevel.ERROR, de);
- }
-
- throw new DirectoryException(de.getResultCode(),
- ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
- de.getMessageObject()));
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- if (entry == null)
+ throw new DirectoryException(de.getResultCode(),
+ ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
+ de.getMessageObject()), de);
+ }
+
+ Entry entry;
+ try
+ {
+ entry = DirectoryServer.getEntry(baseDN);
+ }
+ catch (DirectoryException de)
+ {
+ if (debugEnabled())
{
- throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
- ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
+ TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, assertionFilter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
+ throw new DirectoryException(de.getResultCode(),
+ ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(
+ de.getMessageObject()));
+ }
+ if (entry == null)
+ {
+ throw new DirectoryException(ResultCode.NO_SUCH_OBJECT,
+ ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
+ }
+
+ // Check if the current user has permission to make
+ // this determination.
+ if (!AccessControlConfigManager.getInstance().
+ getAccessControlHandler().isAllowed(this, entry, assertionFilter))
+ {
+ throw new DirectoryException(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
+ }
+
+ try {
if (! assertionFilter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
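Review bot: The `try {` introducing the matchesEntry check puts the opening brace on the same line, while every other block in this hunk, including the new catch blocks directly above it, writes `try` and `{` on separate lines; it should follow the file's brace style. Separately, the new decode catch forwards `de.getResultCode()` instead of the fixed PROTOCOL_ERROR, which is what fixes the access-control case, but it also means a malformed assertion value is now reported with whatever result code getSearchFilter() attaches to it; if that is not protocolError for an undecodable filter, clients would no longer get the response the old code guaranteed, so this is worth confirming against the filter decoder. The enclosing method starts before this hunk and the matchesEntry try/catch continues in the next one.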
@@ -413,7 +429,7 @@
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
- throw new DirectoryException(ResultCode.PROTOCOL_ERROR,
+ throw new DirectoryException(de.getResultCode(),
ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(
de.getMessageObject()), de);
}
--
Gitblit v1.10.0