From f8fda0d8fcc71d68e644dcb21fcb282edc0fdc2c Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Fri, 18 May 2007 14:09:11 +0000
Subject: [PATCH] Remove ACI roledn bind rule keyword. Issue #1577.
---
/dev/null | 164 --------------------------------
opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java | 9 +
opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java | 19 +--
opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java | 38 +------
opends/src/server/org/opends/server/messages/AciMessages.java | 16 +++
5 files changed, 34 insertions(+), 212 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java b/opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java
index e021286..502d8b1 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/BindRule.java
@@ -486,7 +486,7 @@
EnumBindRuleKeyword keyword,
EnumBindRuleType op)
throws AciException {
- KeywordBindRule rule;
+ KeywordBindRule rule=null;
switch (keyword) {
case USERDN:
{
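Review bot: Initialising `rule` to null on the changed line trades the compiler's definite-assignment check for a possible null return: if any keyword arm, or a missing `default`, leaves the switch without assigning, decode returns null and the caller fails later instead of the ACI being rejected at parse time. The ROLEDN arm in the next hunk throws, so it does not need the initializer; I'd keep `KeywordBindRule rule;` and, if the switch has no such arm, add a `default:` that throws `AciException` with an appropriate message ID so an unrecognised keyword fails closed. The rest of the switch and the method's return are outside this hunk, so whether a `default` already exists cannot be confirmed here.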
@@ -495,8 +495,11 @@
}
case ROLEDN:
{
- rule = RoleDN.decode(expr, op);
- break;
+ //The roledn keyword is not supported. Throw an exception with
+ //a message if it is seen in the ACI.
+ int msgID=MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED;
+ String message = getMessage(msgID, expr);
+ throw new AciException(msgID, message);
}
case GROUPDN:
{
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/RoleDN.java b/opends/src/server/org/opends/server/authorization/dseecompat/RoleDN.java
deleted file mode 100644
index 41d08ee..0000000
--- a/opends/src/server/org/opends/server/authorization/dseecompat/RoleDN.java
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * CDDL HEADER START
- *
- * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
- *
- * You can obtain a copy of the license at
- * trunk/opends/resource/legal-notices/OpenDS.LICENSE
- * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
- * See the License for the specific language governing permissions
- * and limitations under the License.
- *
- * When distributing Covered Code, include this CDDL HEADER in each
- * file and include the License file at
- * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
- * add the following below this CDDL HEADER, with the fields enclosed
- * by brackets "[]" replaced with your own identifying information:
- * Portions Copyright [yyyy] [name of copyright owner]
- *
- * CDDL HEADER END
- *
- *
- * Portions Copyright 2007 Sun Microsystems, Inc.
- */
-
-package org.opends.server.authorization.dseecompat;
-
-import static org.opends.server.messages.AciMessages.*;
-import static org.opends.server.authorization.dseecompat.Aci.*;
-import static org.opends.server.messages.MessageHandler.getMessage;
-import org.opends.server.types.*;
-import org.opends.server.api.Group;
-import org.opends.server.core.GroupManager;
-import org.opends.server.core.DirectoryServer;
-
-import java.util.LinkedList;
-import java.util.Iterator;
-import java.util.List;
-import java.util.LinkedHashSet;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
-
-/**
- * A class representing a roledn bind rule keyword. This class is almost
- * an exact copy of groupDN, except for variable names and error messages.
- */
-public class RoleDN implements KeywordBindRule {
-
- /*
- * List of DNs parsed from the ACI bind rule.
- */
- LinkedList<DN> roleDNs=null;
-
- /*
- * The bind rule type of the RoleDN statement.
- */
- private EnumBindRuleType type=null;
-
- /*
- * Group manager needed by the class.
- */
- private static GroupManager groupManager =
- DirectoryServer.getGroupManager();
-
- /**
- * Constructor creating a class representing a roledn keyword of a bind
- * rule.
- * @param type An enumeration of the type of the bind rule.
- * @param roleDNs A list of the role dns parsed from the expression string.
- */
- private RoleDN(EnumBindRuleType type, LinkedList<DN> roleDNs ) {
- this.roleDNs=roleDNs;
- this.type=type;
- }
-
- /**
- * Decodes an expression string representing an roledn bind rule.
- * @param expr A string representation of the bind rule.
- * @param type An enumeration of the type of the bind rule.
- * @return A keyword bind rule class that can be used to evaluate
- * this bind rule.
- * @throws AciException If the expression is invalid.
- */
- public static KeywordBindRule decode(String expr, EnumBindRuleType type)
- throws AciException {
- if (!Pattern.matches(GroupDN.LDAP_URLS, expr)) {
- int msgID = MSGID_ACI_SYNTAX_INVALID_ROLEDN_EXPRESSION;
- String message = getMessage(msgID, expr);
- throw new AciException(msgID, message);
- }
- LinkedList<DN>roleDNs=new LinkedList<DN>();
- int ldapURLPos = 1;
- Pattern ldapURLPattern = Pattern.compile(LDAP_URL);
- Matcher ldapURLMatcher = ldapURLPattern.matcher(expr);
- while (ldapURLMatcher.find()) {
- String value = ldapURLMatcher.group(ldapURLPos).trim();
- try {
- DN dn=LDAPURL.decode(value, true).getBaseDN();
- roleDNs.add(dn);
- } catch (DirectoryException ex) {
- int msgID = MSGID_ACI_SYNTAX_INVALID_ROLEDN_URL;
- String message = getMessage(msgID, ex.getErrorMessage());
- throw new AciException(msgID, message);
- }
- }
- return new RoleDN(type, roleDNs);
- }
-
-
- /**
- * Performs the evaluation of a roledn bind rule based on the
- * evaluation context passed to it. The method uses an exact copy
- * evaluation method as the groupDN.evaluate(). The evaluation stops when
- * there are no more group DNs to evaluate, or if a group DN evaluates to
- * true if it contains the authorization DN.
- * @param evalCtx An evaluation context to use in the evaluation.
- * @return Enumeration evaluation result.
- */
- public EnumEvalResult evaluate(AciEvalContext evalCtx) {
- EnumEvalResult matched = EnumEvalResult.FALSE;
- Iterator<DN> it=roleDNs.iterator();
- for(; it.hasNext() && matched != EnumEvalResult.TRUE;) {
- DN groupDN=it.next();
- Group group = groupManager.getGroupInstance(groupDN);
- if(evalCtx.isMemberOf(group))
- matched = EnumEvalResult.TRUE;
- }
- return matched.getRet(type, false);
- }
-
- /**
- * Performs an evaluation of a group that was specified in an attribute
- * type value of the specified entry and attribute type. Each
- * value of the attribute type is assumed to be a group DN and evaluation
- * stops when there are no more values or if the group DN evaluates to
- * true if it contains the client DN.
- * @param e The entry to use in the evaluation.
- * @param evalCtx The evaluation context to use in the evaluation.
- * @param attributeType The attribute type of the entry to use to get the
- * values for the groupd DNs.
- * @return Enumeration evaluation result.
- */
- public static EnumEvalResult evaluate (Entry e, AciEvalContext evalCtx,
- AttributeType attributeType) {
- EnumEvalResult matched= EnumEvalResult.FALSE;
- List<Attribute> attrs = e.getAttribute(attributeType);
- LinkedHashSet<AttributeValue> vals = attrs.get(0).getValues();
- for(AttributeValue v : vals) {
- try {
- DN groupDN=DN.decode(v.getStringValue());
- Group group = groupManager.getGroupInstance(groupDN);
- if((group != null) && (evalCtx.isMemberOf(group))) {
- matched=EnumEvalResult.TRUE;
- break;
- }
- } catch (DirectoryException ex) {
- break;
- }
- }
- return matched;
- }
-}
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java b/opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
index 632f9c9..c3295fc 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/UserAttr.java
@@ -157,14 +157,11 @@
return new UserAttr (userAttrType, type, parentInheritance);
}
case ROLEDN: {
- //Even though parent inheritance is invalid for the ROLEDN
- //keyword, we are going to up a simple parent inheritance
- //class so that most of the evaluate methods in this class
- //can be re-used. The true boolean means to skip parsing,
- //except for a quick validation parse.
- ParentInheritance parentInheritance =
- new ParentInheritance(vals[0], true);
- return new UserAttr(userAttrType, type, parentInheritance);
+ //The roledn keyword is not supported. Throw an exception with
+ //a message if it is seen in the expression.
+ int msgID=MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED;
+ String message = getMessage(msgID, expression);
+ throw new AciException(msgID, message);
}
}
return new UserAttr(vals[0], vals[1], userAttrType, type);
@@ -383,7 +380,8 @@
/**
* This method evaluates the user attribute type and calls the correct
* evalaution method. The three user attribute types that can be selected
- * are ROLEDN, USERDN or GROUPDN.
+ * are USERDN or GROUPDN.
+ *
* @param e The entry to use in the evaluation.
* @param evalCtx The evaluation context to use in the evaluation.
* @param attributeType The attribute type to use in the evaluation.
@@ -398,9 +396,6 @@
attributeType);
break;
}
- case ROLEDN:
- result=RoleDN.evaluate(e, evalCtx, attributeType);
- break;
case GROUPDN: {
result=GroupDN.evaluate(e, evalCtx, attributeType);
break;
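Review bot: With the `case ROLEDN:` arm removed at the top of this hunk, a user-attribute type of ROLEDN reaching this evaluate switch has no arm at all; the decode change in the first hunk throws before such an object can be built, so the path should be unreachable, but if the switch lacks a `default:` I'd add one that leaves `result` at a deny value or throws, so the fail-closed behaviour is explicit rather than resting on the initial value of `result`, which is assigned outside this hunk. The switch header and the method's return are also outside the hunk. Separately, the Javadoc changed in the previous hunk still says `The three user attribute types that can be selected` on its unchanged context line while the new line lists only `USERDN or GROUPDN`; that context line should read `The two user attribute types that can be selected`.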
diff --git a/opends/src/server/org/opends/server/messages/AciMessages.java b/opends/src/server/org/opends/server/messages/AciMessages.java
index 9935405..536d22f 100644
--- a/opends/src/server/org/opends/server/messages/AciMessages.java
+++ b/opends/src/server/org/opends/server/messages/AciMessages.java
@@ -747,7 +747,7 @@
public static final int MSGID_ACI_TARGETATTR_INVALID_OP_USER_ATTR =
CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 74;
- /**
+ /**
* The message ID for the message that will be used if a targetattr
* keyword expression performs both an inequality operation using
* operational attribute types. This takes one argument, which is the
@@ -756,6 +756,14 @@
public static final int MSGID_ACI_TARGATTR_INVALID_OP_ATTR_INEQUALITY =
CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 75;
+ /**
+ * The message ID for the message that will be used if a roledn
+ * keyword expression is parsed. The roledn keyword is not supported.
+ * This takes one argument, which is the roledn expression string.
+ */
+ public static final int MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED =
+ CATEGORY_MASK_ACCESS_CONTROL | SEVERITY_MASK_SEVERE_WARNING | 76;
+
/**
* Associates a set of generic messages with the message IDs defined in
* this class.
@@ -1189,5 +1197,11 @@
"targetattr expression value \"%s\" is invalid because" +
" the expression performs an inequality operation using " +
"operational attribute types");
+
+ registerMessage(MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED,
+ "The provided Access Control Instruction (ACI) expression " +
+ "value \"%s\" is invalid because it contains" +
+ " the roledn keyword, which is not supported, replace it with " +
+ "the groupdn keyword");
}
}
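Review bot: The text registered for MSGID_ACI_SYNTAX_ROLEDN_NOT_SUPPORTED runs an instruction onto the diagnosis with a comma, `the roledn keyword, which is not supported, replace it with the groupdn keyword`; a semicolon reads as intended: `" the roledn keyword, which is not supported; replace it with " +`. The `%s` receives the whole bind-rule expression from the callers in BindRule.java and UserAttr.java, which is reasonable for an administrator-facing syntax error, so I'd only mention in the constant's Javadoc in the previous hunk that the argument is the full expression rather than the keyword alone, e.g. `This takes one argument, which is the complete bind rule expression that contained the keyword.`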
diff --git a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
index d28050c..1b8dc21 100644
--- a/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
+++ b/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/AciTests.java
@@ -225,9 +225,6 @@
private static final String BIND_RULE_USERDN_TOP_LEVEL_CN_ADMINS = "userdn=\"ldap:///dc=example,dc=com??one?(cn=*admin*)\""; // TODO: this might be invalid?
private static final String BIND_RULE_GROUPDN_GROUP_1 =
"groupdn=\"ldap:///" + OU_GROUP_1_DN + "\"";
- private static final String BIND_RULE_ROLEDN_GROUP_1 =
- "roledn=\"ldap:///" + OU_GROUP_1_DN + "\"";
-
private static final String BIND_RULE_IP_LOCALHOST = "ip=\"127.0.0.1\"";
private static final String BIND_RULE_IP_LOCALHOST_WITH_MASK = "ip=\"127.0.0.1+255.255.255.254\"";
private static final String BIND_RULE_IP_LOCALHOST_SUBNET = "ip=\"127.0.0.*\"";
@@ -263,10 +260,6 @@
private static final String BIND_RULE_GROUPDN_1 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com\"";
private static final String BIND_RULE_GROUPDN_2 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com\"";
private static final String BIND_RULE_GROUPDN_3 = "groupdn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com || ldap:///cn=SomeThirdGroup,dc=example,dc=com\"";
- private static final String BIND_RULE_ROLEDN_1 = "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com\"";
- private static final String BIND_RULE_ROLEDN_2 = "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com\"";
- private static final String BIND_RULE_ROLEDN_3 = "roledn=\"ldap:///cn=SomeGroup,dc=example,dc=com || ldap:///cn=SomeOtherGroup,dc=example,dc=com || ldap:///cn=SomeThirdGroup,dc=example,dc=com\"";
-
private static final String BIND_RULE_USERDN_FILTER = "userdn=\"ldap:///dc=example,dc=com??one?(|(ou=eng)(ou=acct))\"";
//bind rule user attr ACIs
@@ -275,8 +268,6 @@
private static final String BIND_RULE_USERATTR_URL = "userattr=\"cn#LDAPURL\"";
private static final String BIND_RULE_USERATTR_GROUPDN = "userattr=\"manager#GROUPDN\"";
private static final String BIND_RULE_USERATTR_GROUPDN_1 = "userattr=\"ldap:///dc=example,dc=com?owner#GROUPDN\"";
- private static final String BIND_RULE_USERATTR_ROLEDN = "userattr=\"manager#ROLEDN\"";
- private static final String BIND_RULE_USERATTR_ROLEDN_1 = "userattr=\"ldap:///dc=example,dc=com?owner#ROLEDN\"";
private static final String BIND_RULE_USERATTR_USERDN_INHERITANCE = "userattr=\"parent[0,1,2].cn#USERDN\"";
private static final String BIND_RULE_USERATTR_GROUPDN_INHERITANCE = "userattr=\"parent[0,1,2].cn#GROUPDN\"";
private static final String BIND_RULE_USERATTR_VALUE = "userattr=\"manager#a manager\"";
@@ -375,10 +366,6 @@
buildAciValue("name", "allow search to group1 groupdn", "targetattr",
"*", "allow(search, read)", BIND_RULE_GROUPDN_GROUP_1);
- private static final String ALLOW_SEARCH_TO_GROUP1_ROLEDN =
- buildAciValue("name", "allow search to group1 roledn", "targetattr",
- "*", "allow(search, read)", BIND_RULE_ROLEDN_GROUP_1);
-
private static final String ALLOW_SEARCH_TO_ADMIN =
buildAciValue("name", "allow search to admin", "targetattr", "*", "allow(search, read)", BIND_RULE_USERDN_ADMIN);
@@ -668,16 +655,11 @@
buildAciValue("name", "read group dn 1", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_1),
buildAciValue("name", "read group dn 2", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_2),
buildAciValue("name", "read group dn 3", "targetattr", "*", "allow (read)", BIND_RULE_GROUPDN_3),
- buildAciValue("name", "read group dn 1", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_1),
- buildAciValue("name", "read group dn 2", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_2),
- buildAciValue("name", "read group dn 3", "targetattr", "*", "allow (read)", BIND_RULE_ROLEDN_3),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN_1),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_URL),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN_1),
- buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_ROLEDN),
- buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_ROLEDN_1),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_USERDN_INHERITANCE),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_GROUPDN_INHERITANCE),
buildAciValue("name", "userattr", "targetattr", "*", "allow (read)", BIND_RULE_USERATTR_VALUE),
@@ -747,6 +729,8 @@
buildAciValue("targetattr", "*", "allows (read, write, add, delete, search, compare, selfwrite, all)", BIND_RULE_USERDN_SELF),
buildAciValue("name", "bad groupdn url", "targetattr", "*", "allow (read, write, add, delete, search, compare, selfwrite, all)", "groupdn=\"ldap:///bogus\""),
buildAciValue("name", "bad groupdn url2", "targetattr", "*", "allow (read, write, add, delete, search, compare, selfwrite, all)", "groupdn=\"ldap1:///bogus\""),
+ //Roledn keyword is not supported anymore.
+ buildAciValue("name", "unsupported roledn", "targetattr", "*", "allow (all)", "roledn=\"ldap:///cn=foo, dc=bar\""),
// </PASSES>
};
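Review bot: The negative case added here covers only the `roledn=` bind-rule keyword, while the constants `BIND_RULE_USERATTR_ROLEDN` and `BIND_RULE_USERATTR_ROLEDN_1` removed from the valid list in the earlier hunks have no counterpart in this rejected list, so the new throw in UserAttr.java's ROLEDN arm is left untested. I'd add a matching entry next to the new one, `buildAciValue("name", "unsupported userattr roledn", "targetattr", "*", "allow (all)", "userattr=\"manager#ROLEDN\""),` so that both parse paths are shown to reject the keyword. The array this entry belongs to begins outside the hunk, so I am inferring from the neighbouring `bad groupdn url` entries that it holds ACIs expected to fail parsing.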
@@ -1136,11 +1120,7 @@
private static final String ACI_PROXY_MOVED_ENTRY =
makeAddAciLdif(SALES_USER_1, ALLOW_PROXY_TO_MOVED_ENTRY);
-//ACI used in testing the groupdn/roledn bind rule keywords.
-
- private static final
- String GROUP1_ROLEDN_MODS = makeAddAciLdif(OU_LEAF_DN,
- ALLOW_SEARCH_TO_GROUP1_ROLEDN);
+//ACI used in testing the groupdn bind rule keywords.
private static final
String GROUP1_GROUPDN_MODS = makeAddAciLdif(OU_LEAF_DN,
@@ -1908,8 +1888,8 @@
/**
- * Test group and role bind rule ACI keywords. Both groupdn and roledn keywords
- * funnel through the same code so the results should be the same.
+ * Test group bind rule ACI keywords.
+ *
* @throws Throwable
*/
@Test()
@@ -1927,17 +1907,11 @@
null, null, null);
try {
addEntries(BASIC_LDIF__GROUP_SEARCH_TESTS, DIR_MGR_DN, DIR_MGR_PW);
- modEntries(GROUP1_ROLEDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
+ modEntries(GROUP1_GROUPDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
String userResults = ldapSearch(userParam.getLdapSearchArgs());
Assert.assertFalse(userResults.equals(""));
String adminResults = ldapSearch(adminParam.getLdapSearchArgs());
Assert.assertTrue(adminResults.equals(""));
- deleteAttrFromEntry(OU_LEAF_DN, "aci", true);
- modEntries(GROUP1_GROUPDN_MODS, DIR_MGR_DN, DIR_MGR_PW);
- userResults = ldapSearch(userParam.getLdapSearchArgs());
- Assert.assertFalse(userResults.equals(""));
- adminResults = ldapSearch(adminParam.getLdapSearchArgs());
- Assert.assertTrue(adminResults.equals(""));
} catch(Throwable e) {
throw e;
}
--
Gitblit v1.10.0