From fa5264094d49e39b71693f9b451afe0119b7e9c3 Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Wed, 19 Feb 2014 15:54:33 +0000
Subject: [PATCH] Fix OPENDJ-1350: Access controls and timelimits are not enforced when searching cn=changelog
---
opendj-sdk/opends/src/messages/messages/replication_zh_TW.properties | 3 ++-
opendj-sdk/opends/src/messages/messages/replication_de.properties | 3 ++-
opendj-sdk/opends/src/messages/messages/replication.properties | 4 +++-
opendj-sdk/opends/src/messages/messages/replication_es.properties | 3 ++-
opendj-sdk/opends/src/messages/messages/replication_fr.properties | 3 ++-
opendj-sdk/opends/src/messages/messages/replication_ko.properties | 3 ++-
opendj-sdk/opends/src/messages/messages/replication_zh_CN.properties | 4 ++--
opendj-sdk/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java | 27 ++++++++++++++++++++++++++-
opendj-sdk/opends/src/messages/messages/replication_ja.properties | 3 ++-
9 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/opendj-sdk/opends/src/messages/messages/replication.properties b/opendj-sdk/opends/src/messages/messages/replication.properties
index 189ff40..2656d2d 100644
--- a/opendj-sdk/opends/src/messages/messages/replication.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -534,3 +534,5 @@
FATAL_ERR_CHANGE_NUMBER_INDEXER_INCONSISTENT_CSN_READ_237=Aborting initialization: \
expected the newest change number index record CSN '%s' to be equal to \
the CSN read from the replica DBs '%s'
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=This search operation has checked the \
+ maximum of %d entries for matches
\ No newline at end of file
diff --git a/opendj-sdk/opends/src/messages/messages/replication_de.properties b/opendj-sdk/opends/src/messages/messages/replication_de.properties
index 4796349..b202499 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_de.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_de.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -191,3 +191,4 @@
NOTICE_RESENDING_INIT_TARGET_199=Aufgrund des Root-Fehlers %s wird erneut eine neue Initialisierungsanforderung f\u00fcr eine Initialisierung eines Remote-Servers gesendet
SEVERE_ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CN_201=Verarbeitung von zwei verschiedenen \u00c4nderungen mit derselben changeNumber=%s. Vorherige msg=<%s>, Neue msg=<%s>
SEVERE_ERR_COULD_NOT_SOLVE_CONFLICT_202=Fehler beim Versuch, Konflikt mit DN zu l\u00f6sen: %s FEHLER : %s
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=Bei diesem Suchvorgang wurden maximal %d Eintr\u00e4ge auf \u00dcbereinstimmungen \u00fcberpr\u00fcft
diff --git a/opendj-sdk/opends/src/messages/messages/replication_es.properties b/opendj-sdk/opends/src/messages/messages/replication_es.properties
index 5d6af3c..9900374 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_es.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_es.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -191,3 +191,4 @@
NOTICE_RESENDING_INIT_TARGET_199=Se est\u00e1 reenviando un nuevo inicio de inicializaci\u00f3n para una inicializaci\u00f3n de un servidor remoto debido al error ra\u00edz: %s
SEVERE_ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CN_201=Procesando dos cambios diferentes con el mismo n\u00famero de cambio changeNumber=%s. Anterior msg=<%s>, Nuevo msg=<%s>
SEVERE_ERR_COULD_NOT_SOLVE_CONFLICT_202=Error al tratar de solucionar el conflicto con DN: %s ERROR : %s
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=Esta operaci\u00f3n de b\u00fasqueda ha comprobado el m\u00e1ximo de %d entradas que coinciden
diff --git a/opendj-sdk/opends/src/messages/messages/replication_fr.properties b/opendj-sdk/opends/src/messages/messages/replication_fr.properties
index a4c69a3..0683eda 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_fr.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_fr.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -191,3 +191,4 @@
NOTICE_RESENDING_INIT_TARGET_199=Renvoi d'un nouveau d\u00e9marrage d'initialisation pour l'initialisation d'un serveur distant en raison de l'erreur racine\u00a0: %s
SEVERE_ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CN_201=Traitement de deux modifications diff\u00e9rentes ayant le m\u00eame param\u00e8tre changeNumber=%s. Pr\u00e9c\u00e9dent msg=<%s>, Nouveau msg=<%s>
SEVERE_ERR_COULD_NOT_SOLVE_CONFLICT_202=Une erreur est survenue lors de la tentative de r\u00e9solution d'un conflit avec le DN\u00a0: %s ERREUR : %s
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=Cette op\u00e9ration de recherche a v\u00e9rifi\u00e9 le maximum d'entr\u00e9es %d \u00e0 des fins de correspondance
diff --git a/opendj-sdk/opends/src/messages/messages/replication_ja.properties b/opendj-sdk/opends/src/messages/messages/replication_ja.properties
index b37cfa8..cbd0220 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_ja.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_ja.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -190,3 +190,4 @@
NOTICE_RESENDING_INIT_TARGET_199=\u30eb\u30fc\u30c8\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u305f\u305f\u3081\u3001\u30ea\u30e2\u30fc\u30c8\u30b5\u30fc\u30d0\u30fc\u306e\u521d\u671f\u5316\u7528\u306e\u65b0\u3057\u3044\u521d\u671f\u5316\u306e\u958b\u59cb\u3092\u518d\u9001\u3057\u3066\u3044\u307e\u3059: %s
SEVERE_ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CN_201=2 \u3064\u306e\u7570\u306a\u308b\u5909\u66f4\u3092\u540c\u3058 changeNumber=%s \u3067\u51e6\u7406\u3057\u3066\u3044\u307e\u3059\u3002\u4ee5\u524d\u306e msg=<%s>\u3001\u65b0\u3057\u3044 msg=<%s>
SEVERE_ERR_COULD_NOT_SOLVE_CONFLICT_202=DN \u306e\u7af6\u5408\u3092\u89e3\u6c7a\u4e2d\u306b\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u307e\u3057\u305f : %s \u30a8\u30e9\u30fc : %s
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=\u3053\u306e\u691c\u7d22\u64cd\u4f5c\u306f\u3001\u6700\u5927\u6570\u3067\u3042\u308b %d \u500b\u306e\u4e00\u81f4\u30a8\u30f3\u30c8\u30ea\u3092\u78ba\u8a8d\u3057\u307e\u3057\u305f
diff --git a/opendj-sdk/opends/src/messages/messages/replication_ko.properties b/opendj-sdk/opends/src/messages/messages/replication_ko.properties
index 90b1653..4c4fc78 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_ko.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_ko.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2008 Sun Microsystems, Inc.
-# Portions copyright 2011 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -120,3 +120,4 @@
SEVERE_ERR_COMPUTING_FAKE_OPS_115=\ubcf5\uc81c \uc11c\ubc84 %2$s\uc5d0 \ub300\ud574 %1$s \ub3c4\uba54\uc778\uc758 \ubaa8\uc758 \uc791\uc5c5\uc744 \uacc4\uc0b0\ud558\ub294 \ub3d9\uc548 \uc608\uc678\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4: %3$s
NOTICE_SERVER_STATE_RECOVERY_117=%s \ub3c4\uba54\uc778\uc5d0 \ub300\ud55c ServerState \ubcf5\uad6c\uac00 changeNumber %s(\uc73c)\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uc5c8\uc2b5\ub2c8\ub2e4.
SEVERE_ERR_RESET_GENERATION_CONN_ERR_ID_118=%s \ub3c4\uba54\uc778\uc774 \ubcf5\uc81c\uc5d0 \uc5f0\uacb0\ub418\uc5b4 \uc788\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc5d0 \uc774 \ub3c4\uba54\uc778\uc5d0 \ub300\ud55c \uc0dd\uc131 \uc544\uc774\ub514\ub97c \ub2e4\uc2dc \uc124\uc815\ud558\uc9c0 \ubabb\ud588\uc2b5\ub2c8\ub2e4. \uad6c\uc131\uc5d0\uc11c \ub3c4\uba54\uc778\uc774 \ud65c\uc131\ud654\ub418\uc5b4 \uc788\ub294\uc9c0 \ud655\uc778\ud574\uc57c \ud569\ub2c8\ub2e4.
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=\uc774 \uac80\uc0c9 \uc791\uc5c5\uc5d0\uc11c \ucd5c\ub300 %d\uac1c \ud56d\ubaa9\uc758 \uc77c\uce58\ub97c \ud655\uc778\ud588\uc2b5\ub2c8\ub2e4.
diff --git a/opendj-sdk/opends/src/messages/messages/replication_zh_CN.properties b/opendj-sdk/opends/src/messages/messages/replication_zh_CN.properties
index b96ccc3..b009c00 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_zh_CN.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_zh_CN.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2010 Sun Microsystems, Inc.
-# Portions copyright 2011-2013 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -190,4 +190,4 @@
NOTICE_RESENDING_INIT_TARGET_199=\u7531\u4e8e\u8d85\u7ea7\u7528\u6237\u9519\u8bef\uff0c\u91cd\u65b0\u53d1\u9001\u9488\u5bf9\u8fdc\u7a0b\u670d\u52a1\u5668\u521d\u59cb\u5316\u7684\u65b0\u521d\u59cb\u5316\u5f00\u59cb: %s
SEVERE_ERR_RSQUEUE_DIFFERENT_MSGS_WITH_SAME_CN_201=\u7528\u76f8\u540c\u7684\u66f4\u6539\u53f7=%s \u6765\u5904\u7406\u4e24\u4e2a\u4e0d\u540c\u7684\u66f4\u6539\u3002\u4ee5\u524d\u7684 msg=<%s>\uff0c\u65b0\u7684 msg=<%s>
SEVERE_ERR_COULD_NOT_SOLVE_CONFLICT_202=\u5c1d\u8bd5\u89e3\u51b3\u4e0e DN %s \u7684\u51b2\u7a81\u65f6\u51fa\u73b0\u9519\u8bef\uff1a\u9519\u8bef %s
-
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=\u8be5\u641c\u7d22\u64cd\u4f5c\u68c0\u67e5\u4e86 %d\uff08\u6700\u5927\u503c\uff09\u4e2a\u6761\u76ee\u4ee5\u83b7\u53d6\u5339\u914d\u9879
diff --git a/opendj-sdk/opends/src/messages/messages/replication_zh_TW.properties b/opendj-sdk/opends/src/messages/messages/replication_zh_TW.properties
index 9c271fc..13521b0 100644
--- a/opendj-sdk/opends/src/messages/messages/replication_zh_TW.properties
+++ b/opendj-sdk/opends/src/messages/messages/replication_zh_TW.properties
@@ -20,7 +20,7 @@
# CDDL HEADER END
#
# Copyright 2006-2008 Sun Microsystems, Inc.
-# Portions copyright 2011 ForgeRock AS
+# Portions copyright 2011-2014 ForgeRock AS
#
#
# This file contains the primary Directory Server configuration. It must not
@@ -120,3 +120,4 @@
SEVERE_ERR_COMPUTING_FAKE_OPS_115=\u70ba\u8907\u88fd\u4f3a\u670d\u5668 %2$s \u8a08\u7b97\u7db2\u57df %1$s \u7684\u5047\u4f5c\u696d\u6642\u767c\u751f\u7570\u5e38: %3$s
NOTICE_SERVER_STATE_RECOVERY_117=\u7db2\u57df %s \u7684 ServerState \u56de\u5fa9\u5df2\u4f7f\u7528 changeNumber %s \u66f4\u65b0
SEVERE_ERR_RESET_GENERATION_CONN_ERR_ID_118=\u7121\u6cd5\u91cd\u8a2d\u7db2\u57df %s \u7684\u7522\u751f ID\uff0c\u56e0\u70ba\u8a72\u7db2\u57df\u672a\u9023\u7dda\u5230\u8907\u88fd\u3002\u60a8\u61c9\u5728\u914d\u7f6e\u4e2d\u6aa2\u67e5\u8a72\u7db2\u57df\u662f\u5426\u5df2\u555f\u7528
+NOTICE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED_238=\u6b64\u641c\u5c0b\u4f5c\u696d\u6aa2\u67e5\u6709\u7121\u76f8\u7b26\u9805\u76ee\u7684\u9805\u76ee\u6578\u5df2\u9054\u4e0a\u9650 %d
diff --git a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
index 919b038..f26b81d 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/workflowelement/externalchangelog/ECLSearchOperation.java
@@ -22,7 +22,7 @@
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
- * Portions Copyright 2010-2013 ForgeRock AS
+ * Portions Copyright 2010-2014 ForgeRock AS
*/
package org.opends.server.workflowelement.externalchangelog;
@@ -50,8 +50,10 @@
import org.opends.server.types.operation.SearchEntrySearchOperation;
import org.opends.server.types.operation.SearchReferenceSearchOperation;
import org.opends.server.util.ServerConstants;
+import org.opends.server.util.TimeThread;
import static org.opends.messages.CoreMessages.*;
+import static org.opends.messages.ReplicationMessages.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.loggers.ErrorLogger.*;
import static org.opends.server.loggers.debug.DebugLogger.*;
@@ -617,9 +619,20 @@
return;
}
+ int lookthroughCount = 0;
+ int lookthroughLimit = getClientConnection().getLookthroughLimit();
+
// Process change log entries.
while (update != null)
{
+ if(lookthroughLimit > 0 && lookthroughCount > lookthroughLimit)
+ {
+ //Lookthrough limit exceeded
+ setResultCode(ResultCode.ADMIN_LIMIT_EXCEEDED);
+ appendErrorMessage(
+ NOTE_ECL_LOOKTHROUGH_LIMIT_EXCEEDED.get(lookthroughLimit));
+ return;
+ }
// Check for a request to cancel this operation.
checkIfCanceled(false);
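Review bot: The test `lookthroughCount > lookthroughLimit` lets the loop examine one entry more than the configured limit. The counter starts at 0 and is only incremented at the bottom of the loop (the `lookthroughCount++` added in the `@@ -630,6 +643,8 @@` hunk), so with a limit of N the body runs N+1 times before ADMIN_LIMIT_EXCEEDED is set, while the message reports a maximum of N. If the limit is meant to be exact, use `if (lookthroughLimit > 0 && lookthroughCount >= lookthroughLimit)`. The enclosing method starts and ends outside the hunk, so it is not visible whether this early `return` skips any cleanup that normally follows the loop; worth confirming.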
@@ -630,6 +643,8 @@
return;
}
+ lookthroughCount++;
+
update = eclServerHandler.getNextECLUpdate();
}
}
@@ -684,6 +699,16 @@
}
return returnEntry(entry, controls);
}
+
+ // Check the timelimit here as well, in case there are no matches
+ if ((getTimeLimit() > 0) && (TimeThread.getTime() >=
+ getTimeLimitExpiration()))
+ {
+ setResultCode(ResultCode.TIME_LIMIT_EXCEEDED);
+ appendErrorMessage(ERR_SEARCH_TIME_LIMIT_EXCEEDED.get(getTimeLimit()));
+ return false;
+ }
+
return true;
}
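Review bot: The comment on the new time-limit check does not say who enforces the limit for matching entries or what the `false` result means to the caller. The check is reached only when the entry did not match, so matching entries presumably rely on `returnEntry(entry, controls)`, whose body is not shown here. I would expand it to something like `// Non-matching entries never reach returnEntry(), so enforce the time limit here; false tells the caller to stop iterating.` once that contract is confirmed. The check also runs only between entries, so it would not bound time spent waiting inside the call that fetches the next update. The method begins outside the hunk.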
--