From 5d98bf319deb5d5c23e834a9984c784bc084d7cb Mon Sep 17 00:00:00 2001
From: abobrov <abobrov@localhost>
Date: Tue, 19 May 2009 15:53:55 +0000
Subject: [PATCH] - revert Revision: 5370 commit so that related changes land on the trunk from the branch instead of direct commit.
---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java | 29 +----
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java | 12 --
opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java | 24 ----
opends/src/server/org/opends/server/workflowelement/ndb/NDBSearchOperation.java | 12 --
opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java | 16 ---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java | 31 ++----
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java | 13 --
opends/src/server/org/opends/server/api/AccessControlHandler.java | 42 --------
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 45 +++-----
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java | 22 +---
opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java | 27 +----
11 files changed, 55 insertions(+), 218 deletions(-)
diff --git a/opends/src/server/org/opends/server/api/AccessControlHandler.java b/opends/src/server/org/opends/server/api/AccessControlHandler.java
index 6f5f534..ccb590a 100644
--- a/opends/src/server/org/opends/server/api/AccessControlHandler.java
+++ b/opends/src/server/org/opends/server/api/AccessControlHandler.java
@@ -319,30 +319,6 @@
/**
- * Indicates whether the provided operation search filter is allowed
- * based on the access control configuration. This method should not
- * alter the provided operation in any way.
- *
- * @param operation
- * The operation for which to make the determination.
- * @param entry
- * The entry for which to make the determination.
- * @param filter
- * The filter to check access on.
- * @return {@code true} if the operation should be allowed by the
- * access control configuration, or {@code false} if not.
- * @throws DirectoryException
- * If an error occurred while performing the access
- * control check. For example, if an attribute could not
- * be decoded. Care must be taken not to expose any
- * potentially sensitive information in the exception.
- */
- public abstract boolean isAllowed(Operation operation, Entry entry,
- SearchFilter filter) throws DirectoryException;
-
-
-
- /**
* Indicates whether the provided search result entry may be sent to
* the client. Implementations <b>must not under any
* circumstances</b> modify the search entry in any way.
@@ -381,24 +357,6 @@
/**
- * Filter the contents of the provided entry such that it no longer
- * contains any attributes or values that the client is not
- * permitted to access.
- *
- * @param operation
- * The operation with which the provided entry is
- * associated.
- * @param entry
- * The entry to be filtered.
- * @return Returns the entry with filtered attributes and values
- * removed.
- */
- public abstract SearchResultEntry filterEntry(
- Operation operation, Entry entry);
-
-
-
- /**
* Indicates whether the provided search result reference may be
* sent to the client based on the access control configuration.
*
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index c88ec16..829d1e9 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -230,8 +230,24 @@
+ /*
+ * TODO Rename this method. Needs to be changed in SearchOperation. I
+ * find the name of the filterEntry method to be misleading because it
+ * works on a search operation but has nothing to do with the search
+ * filter. Something like "removeDisallowedAttributes" would be
+ * clearer.
+ */
+
/**
- * {@inheritDoc}
+ * Checks access on each attribute in an entry. It removes those
+ * attributes that fail access check.
+ *
+ * @param operation
+ * The search operation class containing information to check
+ * access on.
+ * @param entry
+ * The entry containing the attributes.
+ * @return The entry to return minus filtered attributes.
*/
@Override
public SearchResultEntry filterEntry(SearchOperation operation,
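Review bot: The new Javadoc on `filterEntry(SearchOperation, ...)` does not say whether the disallowed attributes are stripped from the `entry` argument itself or from a copy that is returned; "It removes those attributes" and "@return The entry to return minus filtered attributes" can be read either way. For an access-control method that difference matters to callers, so the text should state it, for example `Returns the entry with every attribute that fails the access check removed; see the method body for whether the argument is modified.` once that has been confirmed. Because the method keeps `@Override`, the contract still comes from the superclass, and a hand-written copy can drift from it; keeping `{@inheritDoc}` and adding only the implementation note would avoid that. The method body lies outside the hunk.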
@@ -268,19 +284,6 @@
/**
* {@inheritDoc}
*/
- @Override
- public SearchResultEntry filterEntry(Operation operation, Entry entry)
- {
- AciLDAPOperationContainer operationContainer =
- new AciLDAPOperationContainer(operation, (ACI_READ), entry);
- return accessAllowedAttrs(operationContainer);
- }
-
-
-
- /**
- * {@inheritDoc}
- */
@Override()
public void finalizeAccessControlHandler()
{
@@ -558,20 +561,6 @@
* {@inheritDoc}
*/
@Override
- public boolean isAllowed(Operation operation, Entry entry,
- SearchFilter filter) throws DirectoryException
- {
- AciLDAPOperationContainer operationContainer =
- new AciLDAPOperationContainer(operation, (ACI_READ), entry);
- return testFilter(operationContainer, filter);
- }
-
-
-
- /**
- * {@inheritDoc}
- */
- @Override
public boolean mayProxy(Entry proxyUser, Entry proxiedUser,
Operation op)
{
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
index 6e14b0b..8354477 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciLDAPOperationContainer.java
@@ -51,20 +51,6 @@
private List<Modification> modifications;
/**
- * Constructor interface for all currently supported LDAP operations.
- * @param operation The compare operation to evaluate.
- * @param rights The rights of a compare operation.
- * @param entry The entry for evaluation.
- */
- public AciLDAPOperationContainer(Operation operation,
- int rights, Entry entry)
- {
- super(operation, rights, entry);
- this.searchEntry = new SearchResultEntry(entry);
- }
-
-
- /**
* Constructor interface for the compare operation.
* @param operation The compare operation to evaluate.
* @param rights The rights of a compare operation.
@@ -72,7 +58,7 @@
public AciLDAPOperationContainer(LocalBackendCompareOperation operation,
int rights)
{
- super(operation, rights, operation.getEntryToCompare());
+ super(operation, rights, operation.getEntryToCompare());
}
diff --git a/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java b/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
index 9b8d633..c634bd2 100644
--- a/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
+++ b/opends/src/server/org/opends/server/core/DefaultAccessControlHandler.java
@@ -192,18 +192,6 @@
* {@inheritDoc}
*/
@Override
- public boolean isAllowed(Operation operation, Entry entry,
- SearchFilter filter) throws DirectoryException
- {
- return true;
- }
-
-
-
- /**
- * {@inheritDoc}
- */
- @Override
public boolean maySend(SearchOperation searchOperation,
SearchResultEntry searchEntry)
{
@@ -228,18 +216,6 @@
* {@inheritDoc}
*/
@Override
- public SearchResultEntry filterEntry(Operation operation, Entry entry)
- {
- // No implementation required.
- return new SearchResultEntry(entry);
- }
-
-
-
- /**
- * {@inheritDoc}
- */
- @Override
public boolean maySend(DN dn, SearchOperation searchOperation,
SearchResultReference searchReference)
{
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
index 118297f..bb0ace1 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendAddOperation.java
@@ -1464,26 +1464,14 @@
if (oid.equals(OID_LDAP_ASSERTION))
{
- // RFC 4528 mandates support for Add operation basically
- // suggesting an asertion on self. As daft as it may be
- // we gonna have to support this for RFC compliance.
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
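Review bot: `filter.matchesEntry(entry)` now runs with no access-control check in front of it, so whether the request ends in ASSERTION_FAILED is decided on attributes the requester may have no read right on. The same check is dropped from the assertion blocks of LocalBackendCompareOperation, LocalBackendDeleteOperation, LocalBackendModifyDNOperation, LocalBackendModifyOperation, LocalBackendSearchOperation and NDBSearchOperation, where the filter appears to be evaluated against an existing entry, so the result code can disclose whether stored values match. The restored FIXME should name that consequence, e.g. `// FIXME(security): assertion filter is evaluated without an ACI read check; the result code reveals whether the entry matches`, and this revert should not reach a release before the branch merge brings the check back. The deleted RFC 4528 comment was the only explanation of why Add honours the control at all and is worth keeping. The enclosing try block continues past the end of the hunk.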
@@ -1632,13 +1620,12 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, addedEntry);
+ // FIXME -- Check access controls on the entry to see if it should
+ // be returned or if any attributes need to be stripped
+ // out..
+ SearchResultEntry searchEntry = new SearchResultEntry(addedEntry);
LDAPPostReadResponseControl responseControl =
- new LDAPPostReadResponseControl(searchEntry);
+ new LDAPPostReadResponseControl(searchEntry);
addResponseControl(responseControl);
}
}
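Review bot: `new SearchResultEntry(addedEntry)` copies the entry into the post-read response control with no attribute filtering, so the response can carry attributes and values that the access-control configuration would not let this client read through a search. The pre-read and post-read blocks in LocalBackendDeleteOperation, LocalBackendModifyDNOperation and LocalBackendModifyOperation are changed the same way. The FIXME should say what is exposed rather than only that a check is missing, e.g. `// FIXME(security): entry is returned unfiltered in the response control; attributes the client may not read are disclosed`, and the gap should be tracked so it is closed when the branch lands. The enclosing method starts outside the hunk.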
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
index 5a67494..aab4329 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendCompareOperation.java
@@ -448,18 +448,9 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
index aea75df..6b60609 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendDeleteOperation.java
@@ -532,18 +532,9 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, filter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
@@ -689,11 +680,10 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, entryCopy);
+ // FIXME -- Check access controls on the entry to see if it should
+ // be returned or if any attributes need to be stripped
+ // out..
+ SearchResultEntry searchEntry = new SearchResultEntry(entryCopy);
LDAPPreReadResponseControl responseControl =
new LDAPPreReadResponseControl(preReadRequest.isCritical(),
searchEntry);
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
index e53dcc2..451d4f1 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyDNOperation.java
@@ -756,18 +756,9 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, currentEntry, filter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! filter.matchesEntry(currentEntry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
@@ -1104,11 +1095,10 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, entry);
+ // FIXME -- Check access controls on the entry to see if it should
+ // be returned or if any attributes need to be stripped
+ // out..
+ SearchResultEntry searchEntry = new SearchResultEntry(entry);
LDAPPreReadResponseControl responseControl =
new LDAPPreReadResponseControl(preReadRequest.isCritical(),
searchEntry);
@@ -1155,11 +1145,10 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, entry);
+ // FIXME -- Check access controls on the entry to see if it should
+ // be returned or if any attributes need to be stripped
+ // out..
+ SearchResultEntry searchEntry = new SearchResultEntry(entry);
LDAPPostReadResponseControl responseControl =
new LDAPPostReadResponseControl(searchEntry);
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
index e468240..0431fb0 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendModifyOperation.java
@@ -782,18 +782,9 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter filter = assertControl.getSearchFilter();
-
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, currentEntry, filter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! filter.matchesEntry(currentEntry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
@@ -2124,11 +2115,9 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, entry);
+ // FIXME -- Check access controls on the entry to see if it should be
+ // returned or if any attributes need to be stripped out..
+ SearchResultEntry searchEntry = new SearchResultEntry(entry);
LDAPPreReadResponseControl responseControl =
new LDAPPreReadResponseControl(preReadRequest.isCritical(),
searchEntry);
@@ -2174,11 +2163,9 @@
}
}
- // Check access controls on the entry and strip out
- // any not allowed attributes.
- SearchResultEntry searchEntry =
- AccessControlConfigManager.getInstance().
- getAccessControlHandler().filterEntry(this, entry);
+ // FIXME -- Check access controls on the entry to see if it should be
+ // returned or if any attributes need to be stripped out..
+ SearchResultEntry searchEntry = new SearchResultEntry(entry);
LDAPPostReadResponseControl responseControl =
new LDAPPostReadResponseControl(searchEntry);
diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
index b80325c..b80adaf 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendSearchOperation.java
@@ -361,6 +361,8 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter assertionFilter = assertControl.getSearchFilter();
Entry entry;
try
@@ -385,16 +387,6 @@
ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
}
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, assertionFilter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! assertionFilter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
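Review bot: The FIXME restored in the previous hunk sits on the `assertControl.getSearchFilter()` line, but the check it stands for has to run here, after `entry` has been loaded and before `assertionFilter.matchesEntry(entry)`, which is where the removed `isAllowed` call was. Moving the marker to this spot, e.g. `// FIXME -- verify the requester may read the attributes used by assertionFilter before evaluating it against entry`, keeps whoever implements it from placing the check before the entry exists. NDBSearchOperation has the same layout in its two hunks. The enclosing try block begins and ends outside the hunk.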
diff --git a/opends/src/server/org/opends/server/workflowelement/ndb/NDBSearchOperation.java b/opends/src/server/org/opends/server/workflowelement/ndb/NDBSearchOperation.java
index fcc42d3..690cbcc 100644
--- a/opends/src/server/org/opends/server/workflowelement/ndb/NDBSearchOperation.java
+++ b/opends/src/server/org/opends/server/workflowelement/ndb/NDBSearchOperation.java
@@ -304,6 +304,8 @@
try
{
+ // FIXME -- We need to determine whether the current user has
+ // permission to make this determination.
SearchFilter assertionFilter = assertControl.getSearchFilter();
Entry entry;
try
@@ -328,16 +330,6 @@
ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
}
- // Check if the current user has permission to make
- // this determination.
- if (!AccessControlConfigManager.getInstance().
- getAccessControlHandler().isAllowed(this, entry, assertionFilter))
- {
- throw new DirectoryException(
- ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
- ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
- }
-
if (! assertionFilter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,