From bffb0216bf1c1ae7a7988670a535a18d5905f186 Mon Sep 17 00:00:00 2001
From: Gaetan Boismal <gaetan.boismal@forgerock.com>
Date: Mon, 23 Jun 2014 09:51:38 +0000
Subject: [PATCH] OPENDJ-1351 (CR-3830) Require a privilege needed for searching cn=changelog - Upgrade task * tools.properties ** Adding the description message of the upgrade task * Upgrade.java ** Upgrade task n° 2.7.0.10820 which adds the 'changelog-read' value to the Root DNs default privilege list * ExternalChangeLogTest.java ** ChangeLog privilege unit test code refactoring to make it more compact and more meaningful
---
opendj-sdk/opends/src/messages/messages/tools.properties | 1 +
opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java | 7 +++++++
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java | 25 +++++++++----------------
3 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/opendj-sdk/opends/src/messages/messages/tools.properties b/opendj-sdk/opends/src/messages/messages/tools.properties
index 59ba407..9318ad7 100644
--- a/opendj-sdk/opends/src/messages/messages/tools.properties
+++ b/opendj-sdk/opends/src/messages/messages/tools.properties
@@ -2587,3 +2587,4 @@
INFO_UPGRADE_TASK_10133_2_SUMMARY_10022=Configuring 'CertificateExactMatch' matching rule
INFO_UPGRADE_TASK_10733_1_SUMMARY_10023=Removing 'dc=replicationchanges' backend
INFO_UPGRADE_TASK_10733_2_SUMMARY_10024=Removing ACI for 'dc=replicationchanges'
+INFO_UPGRADE_TASK_10820_SUMMARY_100025=Adding default privilege 'changelog-read' to all root DNs
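Review bot: The added key `INFO_UPGRADE_TASK_10820_SUMMARY_100025` ends in a six-digit ordinal, while the three entries above it end in `_10022`, `_10023` and `_10024`, so the next value in sequence would be `_10025`. This looks like a stray zero. If the suffix is used as the message's numeric id, please confirm it does not collide with another id or fall outside the range used for this file. If it was unintended, the line should read `INFO_UPGRADE_TASK_10820_SUMMARY_10025=Adding default privilege 'changelog-read' to all root DNs`.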
diff --git a/opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java b/opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java
index fb43fa1..fd62a59 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/tools/upgrade/Upgrade.java
@@ -329,6 +329,13 @@
+ "(version 3.0; acl \"Replication backend access\"; "
+ "deny (all) userdn=\"ldap:///anyone\";)"));
+ /** See OPENDJ-1351 */
+ register("2.7.0.10820",
+ modifyConfigEntry(INFO_UPGRADE_TASK_10820_SUMMARY.get(),
+ "(objectClass=ds-cfg-root-dn)",
+ "add: ds-cfg-default-root-privilege-name",
+ "ds-cfg-default-root-privilege-name: changelog-read"));
+
/*
* All upgrades will refresh the server configuration schema and generate
* a new upgrade folder.
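Review bot: The comment on the new `register("2.7.0.10820", ...)` call, `/** See OPENDJ-1351 */`, does not tell an operator that this task widens the default privilege set of every root DN during upgrade. Something like `/* OPENDJ-1351: searching cn=changelog now requires 'changelog-read'; grant it to root DNs by default so they keep their pre-upgrade access. */` would make that explicit. A plain block comment is also the better form here, because a Javadoc comment does not attach to a statement. Deployments that deliberately trimmed `ds-cfg-default-root-privilege-name` will have the privilege re-added, so this deserves a line in the upgrade notes. It is also worth confirming that `modifyConfigEntry` tolerates the `add:` when `changelog-read` is already present, since its implementation and the rest of this method are outside the hunk.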
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
index 5fdfba7..46da8a1 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/replication/server/ExternalChangeLogTest.java
@@ -395,26 +395,19 @@
ECLFilterOnReplicationCSN(csn);
}
- //Verifies that is not possible to read the changelog without the changelog-read privilege
+ /**
+ * Verifies that is not possible to read the changelog without the changelog-read privilege
+ */
@Test(enabled=true, dependsOnMethods = { "PrimaryTest"})
public void ECLChangelogReadPrivilegeTest() throws Exception
{
- InternalClientConnection conn =
- new InternalClientConnection(new AuthenticationInfo());
- InternalSearchOperation ico = conn.processSearch(
- "cn=changelog",
- SearchScope.WHOLE_SUBTREE,
- DereferencePolicy.NEVER_DEREF_ALIASES,
- 0, // Size limit
- 0, // Time limit
- false, // Types only
- "(objectclass=*)",
- ALL_ATTRIBUTES,
- NO_CONTROL,
- null);
+ AuthenticationInfo nonPrivilegedUser = new AuthenticationInfo();
- assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
- assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
+ InternalClientConnection conn = new InternalClientConnection(nonPrivilegedUser);
+ InternalSearchOperation ico = conn.processSearch("cn=changelog", SearchScope.WHOLE_SUBTREE, "(objectclass=*)");
+
+ assertEquals(ico.getResultCode(), ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
+ assertEquals(ico.getErrorMessage().toMessage(), NOTE_SEARCH_CHANGELOG_INSUFFICIENT_PRIVILEGES.get());
}
private void ECLIsNotASupportedSuffix() throws Exception
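Review bot: In `ECLChangelogReadPrivilegeTest`, the variable `nonPrivilegedUser` is built with the no-argument `new AuthenticationInfo()`, which as far as I can tell represents an unauthenticated client rather than an authenticated user who lacks `changelog-read`. The test therefore pins the anonymous case only. An authenticated non-root identity without the privilege should also get `INSUFFICIENT_ACCESS_RIGHTS`, and one holding `changelog-read` should be allowed to search `cn=changelog`, but neither path is checked. Consider renaming the variable to something like `anonymous` and adding those two cases so a regression in the privilege check itself is caught. The Javadoc would also read better as `Verifies that it is not possible to read the changelog without the changelog-read privilege.`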
--
Gitblit v1.10.0