Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 74719 invoked from network); 29 May 2010 14:31:02 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 29 May 2010 14:31:02 -0000 Received: (qmail 69759 invoked by uid 500); 29 May 2010 14:31:02 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 69723 invoked by uid 500); 29 May 2010 14:31:02 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 69716 invoked by uid 99); 29 May 2010 14:31:02 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 May 2010 14:31:02 +0000 X-ASF-Spam-Status: No, hits=-1485.3 required=10.0 tests=ALL_TRUSTED,AWL X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 May 2010 14:30:58 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id 38F0423889BB; Sat, 29 May 2010 14:30:38 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r949396 [1/2] - in /directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core: ./ authz/ event/ exception/ normalization/ subtree/ trigger/ Date: Sat, 29 May 2010 14:30:38 -0000 To: commits@directory.apache.org 
From: elecharny@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100529143038.38F0423889BB@eris.apache.org> Author: elecharny Date: Sat May 29 14:30:37 2010 New Revision: 949396 URL: http://svn.apache.org/viewvc?rev=949396&view=rev Log: o Removed useless lookup() for the modification operation Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/DefaultOperationManager.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/event/EventInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/normalization/NormalizationInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/subtree/SubentryInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/trigger/TriggerInterceptor.java Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/DefaultOperationManager.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/DefaultOperationManager.java?rev=949396&r1=949395&r2=949396&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/DefaultOperationManager.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/DefaultOperationManager.java Sat May 29 14:30:37 2010 
@@ -49,8 +49,8 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.shared.ldap.codec.util.LdapURLEncodingException;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
-import org.apache.directory.shared.ldap.entry.EntryAttribute;
 import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.EntryAttribute;
 import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapAffectMultipleDsaException;
 import org.apache.directory.shared.ldap.exception.LdapInvalidDnException;
@@ -87,63 +87,62 @@ public class DefaultOperationManager imp { this.directoryService = directoryService; } - - - private LdapReferralException buildReferralException( Entry parentEntry, DN childDn ) + + + private LdapReferralException buildReferralException( Entry parentEntry, DN childDn ) throws LdapInvalidDnException, LdapURLEncodingException { // Get the Ref attributeType EntryAttribute refs = parentEntry.get( SchemaConstants.REF_AT ); - + List urls = new ArrayList(); - + // manage each Referral, building the correct URL for each of them - for ( Value url:refs ) + for ( Value url : refs ) { // we have to replace the parent by the referral LdapURL ldapUrl = new LdapURL( url.getString() ); - + // We have a problem with the DN : we can't use the UpName, // as we may have some spaces around the ',' and '+'. // So we have to take the RDN one by one, and create a // new DN with the type and value UP form - - DN urlDn = (DN)ldapUrl.getDn().addAll( childDn ); - + + DN urlDn = ( DN ) ldapUrl.getDn().addAll( childDn ); + ldapUrl.setDn( urlDn ); urls.add( ldapUrl.toString() ); } - + // Return with an exception LdapReferralException lre = new LdapReferralException( urls ); lre.setRemainingDn( childDn ); lre.setResolvedDn( parentEntry.getDn() ); lre.setResolvedObject( parentEntry ); - + return lre; } - - - private LdapReferralException buildReferralExceptionForSearch( - Entry parentEntry, DN childDn, SearchScope scope ) + + + private LdapReferralException buildReferralExceptionForSearch( Entry parentEntry, DN childDn, SearchScope scope ) throws LdapInvalidDnException, LdapURLEncodingException { // Get the Ref attributeType EntryAttribute refs = parentEntry.get( SchemaConstants.REF_AT ); - + List urls = new ArrayList(); - + // manage each Referral, building the correct URL for each of them - for ( Value url:refs ) + for ( Value url : refs ) { // we have to replace the parent by the referral try { LdapURL ldapUrl = new LdapURL( url.getString() ); - + StringBuilder urlString = 
new StringBuilder(); - - if ( ( ldapUrl.getDn() == null ) || ( ldapUrl.getDn() == DN.EMPTY_DN) ) + + if ( ( ldapUrl.getDn() == null ) || ( ldapUrl.getDn() == DN.EMPTY_DN ) ) { ldapUrl.setDn( parentEntry.getDn() ); } @@ -153,29 +152,29 @@ public class DefaultOperationManager imp // as we may have some spaces around the ',' and '+'. // So we have to take the RDN one by one, and create a // new DN with the type and value UP form - - DN urlDn = (DN)ldapUrl.getDn().addAll( childDn ); - + + DN urlDn = ( DN ) ldapUrl.getDn().addAll( childDn ); + ldapUrl.setDn( urlDn ); } - + urlString.append( ldapUrl.toString() ).append( "??" ); - + switch ( scope ) { - case OBJECT : + case OBJECT: urlString.append( "base" ); break; - - case SUBTREE : + + case SUBTREE: urlString.append( "sub" ); break; - - case ONELEVEL : + + case ONELEVEL: urlString.append( "one" ); break; } - + urls.add( urlString.toString() ); } catch ( LdapURLEncodingException luee ) @@ -184,13 +183,13 @@ public class DefaultOperationManager imp urls.add( url.getString() ); } } - + // Return with an exception LdapReferralException lre = new LdapReferralException( urls ); lre.setRemainingDn( childDn ); lre.setResolvedDn( parentEntry.getDn() ); lre.setResolvedObject( parentEntry ); - + return lre; } @@ -198,14 +197,14 @@ public class DefaultOperationManager imp private LdapPartialResultException buildLdapPartialResultException( DN childDn ) { LdapPartialResultException lpre = new LdapPartialResultException( I18n.err( I18n.ERR_315 ) ); - + lpre.setRemainingDn( childDn ); lpre.setResolvedDn( DN.EMPTY_DN ); - + return lpre; } - - + + /** * {@inheritDoc} */ @@ -213,10 +212,10 @@ public class DefaultOperationManager imp { LOG.debug( ">> AddOperation : {}", opContext ); LOG_CHANGES.debug( ">> AddOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN 
@@ -229,14 +228,14 @@ public class DefaultOperationManager imp if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -244,7 +243,7 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -275,10 +274,10 @@ public class DefaultOperationManager imp public void bind( BindOperationContext opContext ) throws Exception { LOG.debug( ">> BindOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { directoryService.getInterceptorChain().bind( opContext ); @@ -298,10 +297,10 @@ public class DefaultOperationManager imp public boolean compare( CompareOperationContext opContext ) throws Exception { LOG.debug( ">> CompareOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN @@ -313,12 +312,12 @@ public class DefaultOperationManager imp // Check if we have an ancestor for this DN Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true 
@@ -328,7 +327,7 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -340,7 +339,7 @@ public class DefaultOperationManager imp if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -348,7 +347,7 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -378,10 +377,10 @@ public class DefaultOperationManager imp { LOG.debug( ">> DeleteOperation : {}", opContext ); LOG_CHANGES.debug( ">> DeleteOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN @@ -392,12 +391,12 @@ public class DefaultOperationManager imp directoryService.getReferralManager().lockRead(); Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN DN childDn = dn.getSuffix( parentEntry.getDn().size() ); - + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true @@ -407,7 +406,7 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } 
@@ -415,13 +414,13 @@ public class DefaultOperationManager imp else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { // We can't delete an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -429,7 +428,7 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -459,10 +458,10 @@ public class DefaultOperationManager imp public DN getMatchedName( GetMatchedNameOperationContext opContext ) throws Exception { LOG.debug( ">> GetMatchedNameOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { return directoryService.getInterceptorChain().getMatchedName( opContext ); @@ -479,14 +478,13 @@ public class DefaultOperationManager imp /** * {@inheritDoc} */ - public ClonedServerEntry getRootDSE( GetRootDSEOperationContext opContext ) - throws Exception + public ClonedServerEntry getRootDSE( GetRootDSEOperationContext opContext ) throws Exception { LOG.debug( ">> GetRootDSEOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { InterceptorChain chain = directoryService.getInterceptorChain(); @@ -507,10 +505,10 @@ public class DefaultOperationManager imp public DN getSuffix( GetSuffixOperationContext opContext ) throws Exception { LOG.debug( ">> GetSuffixOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { return directoryService.getInterceptorChain().getSuffix( opContext ); 
@@ -530,10 +528,10 @@ public class DefaultOperationManager imp public boolean hasEntry( EntryOperationContext opContext ) throws Exception { LOG.debug( ">> hasEntryOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { return directoryService.getInterceptorChain().hasEntry( opContext ); @@ -553,10 +551,10 @@ public class DefaultOperationManager imp public EntryFilteringCursor list( ListOperationContext opContext ) throws Exception { LOG.debug( ">> ListOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { return directoryService.getInterceptorChain().list( opContext ); @@ -573,14 +571,13 @@ public class DefaultOperationManager imp /** * {@inheritDoc} */ - public Set listSuffixes( ListSuffixOperationContext opContext ) - throws Exception + public Set listSuffixes( ListSuffixOperationContext opContext ) throws Exception { LOG.debug( ">> ListSuffixesOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { return directoryService.getInterceptorChain().listSuffixes( opContext ); @@ -600,10 +597,10 @@ public class DefaultOperationManager imp public Entry lookup( LookupOperationContext opContext ) throws Exception { LOG.debug( ">> LookupOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { InterceptorChain chain = directoryService.getInterceptorChain(); 
@@ -625,28 +622,27 @@ public class DefaultOperationManager imp { LOG.debug( ">> ModifyOperation : {}", opContext ); LOG_CHANGES.debug( ">> ModifyOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN DN dn = opContext.getDn(); dn.normalize( directoryService.getSchemaManager().getNormalizerMapping() ); + ReferralManager referralManager = directoryService.getReferralManager(); + // We have to deal with the referral first - directoryService.getReferralManager().lockRead(); + referralManager.lockRead(); // Check if we have an ancestor for this DN - Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + Entry parentEntry = referralManager.getParentReferral( dn ); + if ( parentEntry != null ) { - // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - - if ( directoryService.getReferralManager().isReferral( dn ) ) + if ( referralManager.isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true // Otherwise, we just throw a LdapReferralException 
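Review bot: The new `referralManager.lockRead();` in modify() is still not paired with a try/finally, so if `getParentReferral`, `isReferral` or `hasParentReferral` throws, the read lock is never released — this was already true before the commit, but the hunk restructures exactly this code, and the two hunks that follow it (`@@ -654,30 +650,39 @@` and `@@ -685,7 +690,7 @@`) keep the hand-written unlock() on every branch. The next hunk also evaluates `DN childDn = dn.getSuffix( parentEntry.getDn().size() );` three times, once per throwing branch, where the removed code computed it once right after the null check; hoisting it back leaves each branch as a single `throw`. The ManageDsaIt condition between the two hunks is not visible here, and modify()'s body continues past them. I am assuming lockRead()/unlock() pair like a read-write lock and that buildReferralException, which only reads the ref attribute and builds DNs, is safe to call while the read lock is still held; if either is wrong, keep the unlock before the throw but still wrap the lookups in the finally.
```java
ReferralManager referralManager = directoryService.getReferralManager();

// We have to deal with the referral first
referralManager.lockRead();

try
{
    // Check if we have an ancestor for this DN
    Entry parentEntry = referralManager.getParentReferral( dn );

    if ( parentEntry != null )
    {
        // We have found a parent referral for the current DN
        DN childDn = dn.getSuffix( parentEntry.getDn().size() );

        if ( referralManager.isReferral( dn ) )
        {
            // … unchanged: ManageDsaIt check (the line between the two hunks) …
                throw buildReferralException( parentEntry, childDn );
        }
        else if ( referralManager.hasParentReferral( dn ) )
        {
            // Depending on the Context.REFERRAL property value, we will throw
            // a different exception.
            if ( opContext.isReferralIgnored() )
            {
                throw buildLdapPartialResultException( childDn );
            }

            throw buildReferralException( parentEntry, childDn );
        }
    }
}
finally
{
    // Release the read lock on every exit path, including exceptions
    referralManager.unlock();
}

// … unchanged: interceptor chain call …
```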
@@ -654,30 +650,39 @@ public class DefaultOperationManager imp { // Throw a Referral Exception // Unlock the referral manager - directoryService.getReferralManager().unlock(); - + referralManager.unlock(); + + // We have found a parent referral for the current DN + DN childDn = dn.getSuffix( parentEntry.getDn().size() ); + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } } - else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) + else if ( referralManager.hasParentReferral( dn ) ) { // We can't delete an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { - directoryService.getReferralManager().unlock(); - + referralManager.unlock(); + + // We have found a parent referral for the current DN + DN childDn = dn.getSuffix( parentEntry.getDn().size() ); + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } else { // Unlock the referral manager - directoryService.getReferralManager().unlock(); - + referralManager.unlock(); + + // We have found a parent referral for the current DN + DN childDn = dn.getSuffix( parentEntry.getDn().size() ); + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -685,7 +690,7 @@ public class DefaultOperationManager imp } // Unlock the ReferralManager - directoryService.getReferralManager().unlock(); + referralManager.unlock(); // Call the Add method InterceptorChain interceptorChain = directoryService.getInterceptorChain(); @@ -708,10 +713,10 @@ public class DefaultOperationManager imp { LOG.debug( ">> MoveOperation : {}", opContext ); LOG_CHANGES.debug( ">> MoveOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN 
@@ -723,12 +728,12 @@ public class DefaultOperationManager imp // Check if we have an ancestor for this DN Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true @@ -738,7 +743,7 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -746,13 +751,13 @@ public class DefaultOperationManager imp else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { // We can't delete an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -760,13 +765,13 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } } } - + // Now, check the destination // Normalize the opContext DN DN parentDn = opContext.getParent(); 
@@ -774,15 +779,15 @@ public class DefaultOperationManager imp // If he parent DN is a referral, or has a referral ancestor, we have to issue a AffectMultipleDsas result // as stated by RFC 3296 Section 5.6.2 - if ( directoryService.getReferralManager().isReferral( parentDn ) || - directoryService.getReferralManager().hasParentReferral( parentDn ) ) + if ( directoryService.getReferralManager().isReferral( parentDn ) + || directoryService.getReferralManager().hasParentReferral( parentDn ) ) { // Unlock the referral manager directoryService.getReferralManager().unlock(); LdapAffectMultipleDsaException exception = new LdapAffectMultipleDsaException(); //exception.setRemainingName( dn ); - + throw exception; } @@ -810,10 +815,10 @@ public class DefaultOperationManager imp { LOG.debug( ">> MoveAndRenameOperation : {}", opContext ); LOG_CHANGES.debug( ">> MoveAndRenameOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN @@ -825,12 +830,12 @@ public class DefaultOperationManager imp // Check if we have an ancestor for this DN Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true @@ -840,7 +845,7 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } 
@@ -848,13 +853,13 @@ public class DefaultOperationManager imp else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { // We can't delete an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -862,13 +867,13 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } } } - + // Now, check the destination // Normalize the opContext DN DN parentDn = opContext.getParent(); @@ -876,8 +881,8 @@ public class DefaultOperationManager imp // If he parent DN is a referral, or has a referral ancestor, we have to issue a AffectMultipleDsas result // as stated by RFC 3296 Section 5.6.2 - if ( directoryService.getReferralManager().isReferral( parentDn ) || - directoryService.getReferralManager().hasParentReferral( parentDn ) ) + if ( directoryService.getReferralManager().isReferral( parentDn ) + || directoryService.getReferralManager().hasParentReferral( parentDn ) ) { // Unlock the referral manager directoryService.getReferralManager().unlock(); @@ -886,10 +891,10 @@ public class DefaultOperationManager imp // as stated by RFC 3296 Section 5.6.2 LdapAffectMultipleDsaException exception = new LdapAffectMultipleDsaException(); //exception.setRemainingName( dn ); - + throw exception; } - + // Unlock the ReferralManager directoryService.getReferralManager().unlock(); @@ -914,10 +919,10 @@ public class DefaultOperationManager imp { LOG.debug( ">> RenameOperation : {}", opContext ); LOG_CHANGES.debug( ">> RenameOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN 
@@ -928,23 +933,23 @@ public class DefaultOperationManager imp // Inject the new DN into the context if ( !dn.isEmpty() ) { - DN newDn = (DN)dn.clone(); + DN newDn = ( DN ) dn.clone(); newDn.remove( dn.size() - 1 ); newDn.add( opContext.getNewRdn() ); opContext.setNewDn( newDn ); } - + // We have to deal with the referral first directoryService.getReferralManager().lockRead(); // Check if we have an ancestor for this DN Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can delete it if the ManageDsaIt flag is true @@ -954,7 +959,7 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } @@ -962,13 +967,13 @@ public class DefaultOperationManager imp else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { // We can't delete an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } @@ -976,7 +981,7 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - + LdapReferralException exception = buildReferralException( parentEntry, childDn ); throw exception; } 
@@ -1006,10 +1011,10 @@ public class DefaultOperationManager imp public EntryFilteringCursor search( SearchOperationContext opContext ) throws Exception { LOG.debug( ">> SearchOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { // Normalize the opContext DN @@ -1021,12 +1026,12 @@ public class DefaultOperationManager imp // Check if we have an ancestor for this DN Entry parentEntry = directoryService.getReferralManager().getParentReferral( dn ); - + if ( parentEntry != null ) { // We have found a parent referral for the current DN - DN childDn = (DN)dn.getSuffix( parentEntry.getDn().size() ); - + DN childDn = ( DN ) dn.getSuffix( parentEntry.getDn().size() ); + if ( directoryService.getReferralManager().isReferral( dn ) ) { // This is a referral. We can return it if the ManageDsaIt flag is true @@ -1036,21 +1041,22 @@ public class DefaultOperationManager imp // Throw a Referral Exception // Unlock the referral manager directoryService.getReferralManager().unlock(); - - LdapReferralException exception = buildReferralExceptionForSearch( parentEntry, childDn, opContext.getScope() ); + + LdapReferralException exception = buildReferralExceptionForSearch( parentEntry, childDn, + opContext.getScope() ); throw exception; } } else if ( directoryService.getReferralManager().hasParentReferral( dn ) ) { // We can't search an entry which has an ancestor referral - + // Depending on the Context.REFERRAL property value, we will throw // a different exception. if ( opContext.isReferralIgnored() ) { directoryService.getReferralManager().unlock(); - + LdapPartialResultException exception = buildLdapPartialResultException( childDn ); throw exception; } 
@@ -1058,8 +1064,9 @@ public class DefaultOperationManager imp { // Unlock the referral manager directoryService.getReferralManager().unlock(); - - LdapReferralException exception = buildReferralExceptionForSearch( parentEntry, childDn, opContext.getScope() ); + + LdapReferralException exception = buildReferralExceptionForSearch( parentEntry, childDn, + opContext.getScope() ); throw exception; } } @@ -1087,10 +1094,10 @@ public class DefaultOperationManager imp public void unbind( UnbindOperationContext opContext ) throws Exception { LOG.debug( ">> UnbindOperation : {}", opContext ); - + ensureStarted(); push( opContext ); - + try { directoryService.getInterceptorChain().unbind( opContext ); @@ -1106,14 +1113,14 @@ public class DefaultOperationManager imp private void ensureStarted() throws LdapServiceUnavailableException { - if ( ! directoryService.isStarted() ) + if ( !directoryService.isStarted() ) { throw new LdapServiceUnavailableException( ResultCodeEnum.UNAVAILABLE, I18n.err( I18n.ERR_316 ) ); } } - - - private void pop() + + + private void pop() { // TODO - need to remove Context caller and PartitionNexusProxy from Invocations InvocationStack stack = InvocationStack.getInstance(); Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=949396&r1=949395&r2=949396&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Sat May 29 14:30:37 2010 
@@ -66,9 +66,9 @@ import org.apache.directory.shared.ldap. import org.apache.directory.shared.ldap.aci.MicroOperation; import org.apache.directory.shared.ldap.constants.AuthenticationLevel; import org.apache.directory.shared.ldap.constants.SchemaConstants; +import org.apache.directory.shared.ldap.entry.Entry; import org.apache.directory.shared.ldap.entry.EntryAttribute; import org.apache.directory.shared.ldap.entry.Modification; -import org.apache.directory.shared.ldap.entry.Entry; import org.apache.directory.shared.ldap.entry.Value; import org.apache.directory.shared.ldap.exception.LdapNoPermissionException; import org.apache.directory.shared.ldap.exception.LdapOperationErrorException; @@ -150,22 +150,22 @@ public class AciAuthorizationInterceptor /** a tupleCache that responds to add, delete, and modify attempts */ private TupleCache tupleCache; - + /** a groupCache that responds to add, delete, and modify attempts */ private GroupCache groupCache; - + /** a normalizing ACIItem parser */ private ACIItemParser aciParser; - + /** use and instance of the ACDF engine */ private ACDFEngine engine; - + /** interceptor chain */ private InterceptorChain chain; - + /** Global registries */ private SchemaManager schemaManager; - + /** the system wide subschemaSubentryDn */ private String subschemaSubentryDn; @@ -179,9 +179,10 @@ public class AciAuthorizationInterceptor /** the subentry ACI attribute type */ private AttributeType subentryAciType; - + public static final SearchControls DEFAULT_SEARCH_CONTROLS = new SearchControls(); + /** * Initializes this interceptor based service by getting a handle on the nexus, setting up * the tupe and group membership caches and the ACIItem parser and the ACDF engine. 
@@ -195,31 +196,31 @@ public class AciAuthorizationInterceptor DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED ); adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() ); - CoreSession adminSession = new DefaultCoreSession( - new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService ); + CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), + directoryService ); tupleCache = new TupleCache( adminSession ); groupCache = new GroupCache( adminSession ); schemaManager = directoryService.getSchemaManager(); //ocRegistry = registries.getObjectClassRegistry(); - + // look up some constant information String objectClassOid = schemaManager.getAttributeTypeRegistry().getOidByName( SchemaConstants.OBJECT_CLASS_AT ); subentryOid = schemaManager.getObjectClassRegistry().getOidByName( SchemaConstants.SUBENTRY_OC ); String acSubentryOid = schemaManager.getAttributeTypeRegistry().getOidByName( AC_SUBENTRY_ATTR ); objectClassType = schemaManager.lookupAttributeTypeRegistry( objectClassOid ); acSubentryType = schemaManager.lookupAttributeTypeRegistry( acSubentryOid ); - entryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID ); + entryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.ENTRY_ACI_AT_OID ); subentryAciType = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.SUBENTRY_ACI_AT_OID ); - - aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( schemaManager ), schemaManager.getNormalizerMapping() ); + + aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( schemaManager ), schemaManager + .getNormalizerMapping() ); engine = new ACDFEngine( schemaManager.getGlobalOidRegistry(), schemaManager ); chain = directoryService.getInterceptorChain(); // stuff for dealing with subentries (garbage for now) - Value subschemaSubentry = - directoryService.getPartitionNexus().getRootDSE( 
null ). - get( SchemaConstants.SUBSCHEMA_SUBENTRY_AT ).get(); + Value subschemaSubentry = directoryService.getPartitionNexus().getRootDSE( null ).get( + SchemaConstants.SUBSCHEMA_SUBENTRY_AT ).get(); DN subschemaSubentryDnName = new DN( subschemaSubentry.getString() ); subschemaSubentryDnName.normalize( schemaManager.getNormalizerMapping() ); subschemaSubentryDn = subschemaSubentryDnName.getNormName(); @@ -260,20 +261,20 @@ public class AciAuthorizationInterceptor * @throws Exception if there are problems accessing attribute values * @param proxy the partition nexus proxy object */ - private void addPerscriptiveAciTuples( OperationContext opContext, Collection tuples, DN dn, - Entry entry ) throws Exception + private void addPerscriptiveAciTuples( OperationContext opContext, Collection tuples, DN dn, Entry entry ) + throws Exception { EntryAttribute oc = null; - + if ( entry instanceof ClonedServerEntry ) { - oc = ((ClonedServerEntry)entry).getOriginalEntry().get( objectClassType ); + oc = ( ( ClonedServerEntry ) entry ).getOriginalEntry().get( objectClassType ); } else { oc = entry.get( objectClassType ); } - + /* * If the protected entry is a subentry, then the entry being evaluated * for perscriptiveACIs is in fact the administrative entry. By @@ -291,13 +292,13 @@ public class AciAuthorizationInterceptor } EntryAttribute subentries = entry.get( acSubentryType ); - + if ( subentries == null ) { return; } - - for ( Value value:subentries ) + + for ( Value value : subentries ) { String subentryDn = value.getString(); tuples.addAll( tupleCache.getACITuples( subentryDn ) ); @@ -316,13 +317,13 @@ public class AciAuthorizationInterceptor private void addEntryAciTuples( Collection tuples, Entry entry ) throws Exception { EntryAttribute entryAci = entry.get( entryAciType ); - + if ( entryAci == null ) { return; } - for ( Value value:entryAci ) + for ( Value value : entryAci ) { String aciString = value.getString(); ACIItem item; 
@@ -366,8 +367,9 @@ public class AciAuthorizationInterceptor // will contain the subentryACI attributes that effect subentries DN parentDn = ( DN ) dn.clone(); parentDn.remove( dn.size() - 1 ); - Entry administrativeEntry = ((ClonedServerEntry)opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS )).getOriginalEntry(); - + Entry administrativeEntry = ( ( ClonedServerEntry ) opContext.lookup( parentDn, ByPassConstants.LOOKUP_BYPASS ) ) + .getOriginalEntry(); + EntryAttribute subentryAci = administrativeEntry.get( subentryAciType ); if ( subentryAci == null ) @@ -375,7 +377,7 @@ public class AciAuthorizationInterceptor return; } - for ( Value value:subentryAci ) + for ( Value value : subentryAci ) { String aciString = value.getString(); ACIItem item; @@ -422,8 +424,8 @@ public class AciAuthorizationInterceptor // Access the principal requesting the operation, and bypass checks if it is the admin LdapPrincipal principal = addContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); - - Entry serverEntry = addContext.getEntry(); + + Entry serverEntry = addContext.getEntry(); //Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry ); DN name = addContext.getDn(); @@ -445,10 +447,11 @@ public class AciAuthorizationInterceptor } // perform checks below here for all non-admin users - SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() ); + SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class + .getName() ); Entry subentryAttrs = subentryInterceptor.getSubentryAttributes( name, serverEntry ); - - for ( EntryAttribute attribute:serverEntry ) + + for ( EntryAttribute attribute : serverEntry ) { subentryAttrs.put( attribute ); } 
@@ -463,17 +466,16 @@ public class AciAuthorizationInterceptor addSubentryAciTuples( addContext, tuples, name, subentryAttrs ); // check if entry scope permission is granted - engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null, - ADD_PERMS, tuples, subentryAttrs, null ); + engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal.getAuthenticationLevel(), + name, null, null, ADD_PERMS, tuples, subentryAttrs, null ); // now we must check if attribute type and value scope permission is granted - for ( EntryAttribute attribute:serverEntry ) + for ( EntryAttribute attribute : serverEntry ) { - for ( Value value:attribute ) + for ( Value value : attribute ) { - engine.checkPermission( schemaManager, addContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, attribute.getUpId(), value, - ADD_PERMS, tuples, serverEntry, null ); + engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal + .getAuthenticationLevel(), name, attribute.getUpId(), value, ADD_PERMS, tuples, serverEntry, null ); } } @@ -496,9 +498,9 @@ public class AciAuthorizationInterceptor public void delete( NextInterceptor next, DeleteOperationContext deleteContext ) throws Exception { CoreSession session = deleteContext.getSession(); - + // bypass authz code if we are disabled - if ( ! session.getDirectoryService().isAccessControlEnabled() ) + if ( !session.getDirectoryService().isAccessControlEnabled() ) { next.delete( deleteContext ); return; 
@@ -516,24 +518,24 @@ public class AciAuthorizationInterceptor if ( isPrincipalAnAdministrator( principalDn ) ) { next.delete( deleteContext ); - + tupleCache.subentryDeleted( dn, entry ); groupCache.groupDeleted( dn, entry ); - + return; } Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( deleteContext, tuples, dn, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( deleteContext, tuples, dn, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( deleteContext, tuples, dn, entry ); - engine.checkPermission( schemaManager, deleteContext, userGroups, principalDn, - principal.getAuthenticationLevel(), dn, null, null, REMOVE_PERMS, tuples, entry, null ); + engine.checkPermission( schemaManager, deleteContext, userGroups, principalDn, principal + .getAuthenticationLevel(), dn, null, null, REMOVE_PERMS, tuples, entry, null ); next.delete( deleteContext ); - + tupleCache.subentryDeleted( dn, entry ); groupCache.groupDeleted( dn, entry ); } @@ -547,7 +549,8 @@ public class AciAuthorizationInterceptor // Access the principal requesting the operation, and bypass checks if it is the admin Entry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS ); - + // Entry entry = opContext.getEntry(); + LdapPrincipal principal = opContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); 
@@ -575,37 +578,36 @@ public class AciAuthorizationInterceptor Set userGroups = groupCache.getGroups( principalDn.getName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( opContext, tuples, name, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( opContext, tuples, name, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( opContext, tuples, name, entry ); - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, null, null, - Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null ); + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), + name, null, null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null ); Collection perms = null; Entry entryView = ( Entry ) entry.clone(); - + for ( Modification mod : mods ) { EntryAttribute attr = mod.getAttribute(); switch ( mod.getOperation() ) { - case ADD_ATTRIBUTE : + case ADD_ATTRIBUTE: perms = ADD_PERMS; - + // If the attribute is being created with an initial value ... if ( entry.get( attr.getId() ) == null ) { // ... we also need to check if adding the attribute is permitted - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), name, - attr.getId(), null, perms, tuples, entry, null ); + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal + .getAuthenticationLevel(), name, attr.getId(), null, perms, tuples, entry, null ); } - + break; - case REMOVE_ATTRIBUTE : + case REMOVE_ATTRIBUTE: perms = REMOVE_PERMS; EntryAttribute entryAttr = entry.get( attr.getId() ); 
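Review bot: `groupCache.getGroups( principalDn.getName() )` at the top of this hunk keys the group lookup on the un-normalized DN string, while every other caller in this file (delete, hasEntry, moveAndRename, move, compare, getMatchedName) passes `principalDn.getNormName()`. If the group cache is keyed by normalized DN, as those callers suggest, a principal whose bind DN differs only in case or spacing gets an empty group set for modify and its group-based ACI tuples are ignored — at best a denial for legitimate users, and in any case the ACDF engine evaluating the same principal differently across operations. Suggest changing the argument to `principalDn.getNormName()` so modify matches the other operations. The enclosing modify() method starts outside this hunk.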
@@ -615,15 +617,14 @@ public class AciAuthorizationInterceptor if ( entryAttr.size() == 1 ) { // ... we also need to check if removing the attribute at all is permitted - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, attr.getId(), - null, perms, tuples, entry, null ); + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal + .getAuthenticationLevel(), name, attr.getId(), null, perms, tuples, entry, null ); } } - + break; - case REPLACE_ATTRIBUTE : + case REPLACE_ATTRIBUTE: perms = REPLACE_PERMS; break; } @@ -642,17 +643,14 @@ public class AciAuthorizationInterceptor * attribute is being checked for relevant permissions below. */ entryView = ServerEntryUtils.getTargetEntry( mod, entryView, schemaManager ); - - for ( Value value:attr ) - { - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, attr.getId(), value, - perms, tuples, entry, entryView ); + + for ( Value value : attr ) + { + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal + .getAuthenticationLevel(), name, attr.getId(), value, perms, tuples, entry, entryView ); } } - - next.modify( opContext ); /** * @TODO: A virtual entry can be created here for not hitting the backend again. @@ -662,16 +660,16 @@ public class AciAuthorizationInterceptor groupCache.groupModified( name, mods, entry, schemaManager ); } - + public boolean hasEntry( NextInterceptor next, EntryOperationContext entryContext ) throws Exception { DN name = entryContext.getDn(); - - if ( ! entryContext.getSession().getDirectoryService().isAccessControlEnabled() ) + + if ( !entryContext.getSession().getDirectoryService().isAccessControlEnabled() ) { return name.size() == 0 || next.hasEntry( entryContext ); } - + boolean answer = next.hasEntry( entryContext ); // no checks on the RootDSE 
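Review bot: `next.modify( opContext );` is removed in the `@@ -642` hunk and nothing on the new side of the hunk calls the next interceptor, yet the cache updates that follow (`tupleCache` / `groupCache.groupModified( name, mods, entry, schemaManager )` in the `@@ -662` context) still assume the modification was applied. If the call was not moved into the lines between these two hunks, a non-admin modify that passes every ACI check is silently dropped before reaching the partition while the authorization caches are updated as if it had succeeded, so later access decisions would be made on group and ACI state the backend never stored. Please either restore `next.modify( opContext );` after the per-value permission loop or point to where the chain is now continued. The enclosing modify() method starts and ends outside this hunk.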
@@ -681,7 +679,7 @@ public class AciAuthorizationInterceptor // It's the rootDSE, and it exists ! return answer; } - + // TODO - eventually replace this with a check on session.isAnAdministrator() LdapPrincipal principal = entryContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); @@ -693,14 +691,14 @@ public class AciAuthorizationInterceptor Entry entry = entryContext.lookup( name, ByPassConstants.HAS_ENTRY_BYPASS ); Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( entryContext, tuples, name, ((ClonedServerEntry)entry).getOriginalEntry() ); - addEntryAciTuples( tuples, ((ClonedServerEntry)entry).getOriginalEntry() ); - addSubentryAciTuples( entryContext, tuples, name, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( entryContext, tuples, name, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); + addEntryAciTuples( tuples, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); + addSubentryAciTuples( entryContext, tuples, name, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); // check that we have browse access to the entry - engine.checkPermission( schemaManager, entryContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, null, null, - BROWSE_PERMS, tuples, ((ClonedServerEntry)entry).getOriginalEntry(), null ); + engine.checkPermission( schemaManager, entryContext, userGroups, principalDn, principal + .getAuthenticationLevel(), name, null, null, BROWSE_PERMS, tuples, ( ( ClonedServerEntry ) entry ) + .getOriginalEntry(), null ); return next.hasEntry( entryContext ); } 
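Review bot: hasEntry() in the `@@ -693` hunk finishes with `return next.hasEntry( entryContext );` although the same call was already made at the top of the method (`boolean answer = next.hasEntry( entryContext );`, visible in the `@@ -662` context) and the BROWSE check in between either passes or throws. The second call is a redundant round-trip to the partition and, under concurrent modification, can return a different answer than the one the permission check was evaluated against; `return answer;` keeps the decision and the result on the same snapshot. Whether an early `return` handles `answer == false` before `entryContext.lookup( name, ByPassConstants.HAS_ENTRY_BYPASS )` is in lines not shown here, so confirm that the cast to `ClonedServerEntry` cannot be reached for a non-existent entry.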
@@ -738,29 +736,18 @@ public class AciAuthorizationInterceptor addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry ); // check that we have read access to the entry - engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(), - lookupContext.getDn(), null, null, - LOOKUP_PERMS, tuples, entry, null ); + engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(), + lookupContext.getDn(), null, null, LOOKUP_PERMS, tuples, entry, null ); // check that we have read access to every attribute type and value - for ( EntryAttribute attribute:entry ) + for ( EntryAttribute attribute : entry ) { - - for ( Value value:attribute ) + + for ( Value value : attribute ) { - engine.checkPermission( - schemaManager, - lookupContext, - userGroups, - userName, - principal.getAuthenticationLevel(), - lookupContext.getDn(), - attribute.getUpId(), - value, - READ_PERMS, - tuples, - entry, - null ); + engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal + .getAuthenticationLevel(), lookupContext.getDn(), attribute.getUpId(), value, READ_PERMS, tuples, + entry, null ); } } } @@ -770,15 +757,15 @@ public class AciAuthorizationInterceptor { CoreSession session = lookupContext.getSession(); DirectoryService directoryService = session.getDirectoryService(); - + LdapPrincipal principal = session.getEffectivePrincipal(); DN principalDn = principal.getDN(); - + if ( !principalDn.isNormalized() ) { principalDn.normalize( schemaManager.getNormalizerMapping() ); } - + if ( isPrincipalAnAdministrator( principalDn ) || !directoryService.isAccessControlEnabled() ) { return next.lookup( lookupContext ); 
@@ -788,21 +775,21 @@ public class AciAuthorizationInterceptor Entry entry = directoryService.getOperationManager().lookup( lookupContext ); checkLookupAccess( lookupContext, entry ); - + return next.lookup( lookupContext ); } - + public void rename( NextInterceptor next, RenameOperationContext renameContext ) throws Exception { DN oldName = renameContext.getDn(); Entry originalEntry = null; - + if ( renameContext.getEntry() != null ) { originalEntry = renameContext.getEntry().getOriginalEntry(); } - + LdapPrincipal principal = renameContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); DN newName = renameContext.getNewDn(); @@ -821,7 +808,7 @@ public class AciAuthorizationInterceptor { next.rename( renameContext ); tupleCache.subentryRenamed( oldName, newName ); - + // TODO : this method returns a boolean : what should we do with the result ? groupCache.groupRenamed( oldName, newName ); @@ -834,9 +821,8 @@ public class AciAuthorizationInterceptor addEntryAciTuples( tuples, originalEntry ); addSubentryAciTuples( renameContext, tuples, oldName, originalEntry ); - engine.checkPermission( schemaManager, renameContext, userGroups, principalDn, - principal.getAuthenticationLevel(), oldName, null, null, - RENAME_PERMS, tuples, originalEntry, null ); + engine.checkPermission( schemaManager, renameContext, userGroups, principalDn, principal + .getAuthenticationLevel(), oldName, null, null, RENAME_PERMS, tuples, originalEntry, null ); next.rename( renameContext ); tupleCache.subentryRenamed( oldName, newName ); @@ -851,7 +837,7 @@ public class AciAuthorizationInterceptor DN newParentName = moveAndRenameContext.getParent(); Entry entry = moveAndRenameContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS ); - + LdapPrincipal principal = moveAndRenameContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); DN newName = ( DN ) newParentName.clone(); 
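Review bot: The LOOKUP/READ permission check in the `@@ -788` hunk is evaluated on a different read of the entry than the one handed to the caller: `Entry entry = directoryService.getOperationManager().lookup( lookupContext ); checkLookupAccess( lookupContext, entry ); return next.lookup( lookupContext );`. The two results can differ (a concurrent modify between the reads, or a different attribute set coming back from the two paths), so the data returned is not the data that was authorized — and this is also one of the duplicate lookups the commit message sets out to remove. Unless the operation-manager lookup is needed to re-enter the chain for some other reason, checking the entry that is actually returned, e.g. `Entry entry = next.lookup( lookupContext ); checkLookupAccess( lookupContext, entry ); return entry;`, closes the gap. The enclosing lookup() method starts outside this hunk.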
@@ -877,45 +863,44 @@ public class AciAuthorizationInterceptor Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( moveAndRenameContext, tuples, oriChildName, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( moveAndRenameContext, tuples, oriChildName, ( ( ClonedServerEntry ) entry ) + .getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( moveAndRenameContext, tuples, oriChildName, entry ); - engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, - principalDn, principal.getAuthenticationLevel(), oriChildName, null, - null, MOVERENAME_PERMS, tuples, entry, null ); + engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal + .getAuthenticationLevel(), oriChildName, null, null, MOVERENAME_PERMS, tuples, entry, null ); // Get the entry again without operational attributes // because access control subentry operational attributes // will not be valid at the new location. // This will certainly be fixed by the SubentryInterceptor, // but after this service. - - Entry importedEntry = moveAndRenameContext.lookup( oriChildName, + + Entry importedEntry = moveAndRenameContext.lookup( oriChildName, ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ); - + // As the target entry does not exist yet and so // its subentry operational attributes are not there, // we need to construct an entry to represent it // at least with minimal requirements which are object class // and access control subentry operational attributes. 
- SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() ); + SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class + .getName() ); Entry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry ); - - for ( EntryAttribute attribute:importedEntry ) + + for ( EntryAttribute attribute : importedEntry ) { subentryAttrs.put( attribute ); } - + Collection destTuples = new HashSet(); // Import permission is only valid for prescriptive ACIs addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newName, subentryAttrs ); // Evaluate the target context to see whether it // allows an entry named newName to be imported as a subordinate. - engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, - principal.getAuthenticationLevel(), newName, null, - null, IMPORT_PERMS, destTuples, subentryAttrs, null ); - + engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal + .getAuthenticationLevel(), newName, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null ); next.moveAndRename( moveAndRenameContext ); tupleCache.subentryRenamed( oriChildName, newName ); @@ -927,10 +912,10 @@ public class AciAuthorizationInterceptor { DN oriChildName = moveContext.getDn(); DN newParentName = moveContext.getParent(); - + // Access the principal requesting the operation, and bypass checks if it is the admin Entry entry = moveContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS ); - + DN newName = ( DN ) newParentName.clone(); newName.add( oriChildName.get( oriChildName.size() - 1 ) ); LdapPrincipal principal = moveContext.getSession().getEffectivePrincipal(); 
@@ -943,7 +928,7 @@ public class AciAuthorizationInterceptor return; } - protectCriticalEntries( oriChildName); + protectCriticalEntries( oriChildName ); // bypass authz code but manage caches if operation is performed by the admin if ( isPrincipalAnAdministrator( principalDn ) ) 
@@ -956,61 +941,59 @@ public class AciAuthorizationInterceptor Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( moveContext, tuples, oriChildName, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( moveContext, tuples, oriChildName, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( moveContext, tuples, oriChildName, entry ); - engine.checkPermission( schemaManager, moveContext, userGroups, principalDn, - principal.getAuthenticationLevel(), oriChildName, null, - null, EXPORT_PERMS, tuples, entry, null ); - + engine.checkPermission( schemaManager, moveContext, userGroups, principalDn, + principal.getAuthenticationLevel(), oriChildName, null, null, EXPORT_PERMS, tuples, entry, null ); + // Get the entry again without operational attributes // because access control subentry operational attributes // will not be valid at the new location. // This will certainly be fixed by the SubentryInterceptor, // but after this service. - Entry importedEntry = moveContext.lookup( oriChildName, - ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ); - + Entry importedEntry = moveContext.lookup( oriChildName, ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ); + // As the target entry does not exist yet and so // its subentry operational attributes are not there, // we need to construct an entry to represent it // at least with minimal requirements which are object class // and access control subentry operational attributes. 
- SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) - chain.get( SubentryInterceptor.class.getName() ); + SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class + .getName() ); Entry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry ); - - for ( EntryAttribute attribute:importedEntry ) + + for ( EntryAttribute attribute : importedEntry ) { subentryAttrs.put( attribute ); } - + Collection destTuples = new HashSet(); // Import permission is only valid for prescriptive ACIs addPerscriptiveAciTuples( moveContext, destTuples, newName, subentryAttrs ); // Evaluate the target context to see whether it // allows an entry named newName to be imported as a subordinate. - engine.checkPermission( schemaManager, moveContext, userGroups, principalDn, - principal.getAuthenticationLevel(), newName, null, - null, IMPORT_PERMS, destTuples, subentryAttrs, null ); + engine.checkPermission( schemaManager, moveContext, userGroups, principalDn, + principal.getAuthenticationLevel(), newName, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null ); next.move( moveContext ); tupleCache.subentryRenamed( oriChildName, newName ); groupCache.groupRenamed( oriChildName, newName ); } - + public EntryFilteringCursor list( NextInterceptor next, ListOperationContext opContext ) throws Exception { LdapPrincipal user = opContext.getSession().getEffectivePrincipal(); EntryFilteringCursor cursor = next.list( opContext ); - - if ( isPrincipalAnAdministrator( user.getDNRef() ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) + + if ( isPrincipalAnAdministrator( user.getDNRef() ) + || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { return cursor; } - + AuthorizationFilter authzFilter = new AuthorizationFilter(); cursor.addEntryFilter( authzFilter ); return cursor; 
@@ -1025,23 +1008,26 @@ public class AciAuthorizationInterceptor boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( opContext.getDn().getNormName() ); SearchControls searchCtls = opContext.getSearchControls(); - boolean isRootDSELookup = opContext.getDn().size() == 0 && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE; + boolean isRootDSELookup = opContext.getDn().size() == 0 + && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE; - if ( isPrincipalAnAdministrator( principalDn ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() || isRootDSELookup || isSubschemaSubentryLookup ) + if ( isPrincipalAnAdministrator( principalDn ) + || !opContext.getSession().getDirectoryService().isAccessControlEnabled() || isRootDSELookup + || isSubschemaSubentryLookup ) { return cursor; } - + cursor.addEntryFilter( new AuthorizationFilter() ); return cursor; } - + public final boolean isPrincipalAnAdministrator( DN principalDn ) { return groupCache.isPrincipalAnAdministrator( principalDn ); } - + public boolean compare( NextInterceptor next, CompareOperationContext opContext ) throws Exception { 
@@ -1054,35 +1040,35 @@ public class AciAuthorizationInterceptor LdapPrincipal principal = opContext.getSession().getEffectivePrincipal(); DN principalDn = principal.getDN(); - if ( isPrincipalAnAdministrator( principalDn ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) + if ( isPrincipalAnAdministrator( principalDn ) + || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { return next.compare( opContext ); } Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( opContext, tuples, name, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( opContext, tuples, name, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( opContext, tuples, name, entry ); - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, null, null, - READ_PERMS, tuples, entry, null ); - engine.checkPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), name, oid, value, - COMPARE_PERMS, tuples, entry, null ); + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), + name, null, null, READ_PERMS, tuples, entry, null ); + engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), + name, oid, value, COMPARE_PERMS, tuples, entry, null ); return next.compare( opContext ); } - public DN getMatchedName ( NextInterceptor next, GetMatchedNameOperationContext opContext ) throws Exception + public DN getMatchedName( NextInterceptor next, GetMatchedNameOperationContext opContext ) throws Exception { // Access the principal requesting the operation, and bypass checks if it is the admin LdapPrincipal principal = opContext.getSession().getEffectivePrincipal(); DN principalDn = 
principal.getDN(); - - if ( isPrincipalAnAdministrator( principalDn ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) + + if ( isPrincipalAnAdministrator( principalDn ) + || !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { return next.getMatchedName( opContext ); } @@ -1097,16 +1083,15 @@ public class AciAuthorizationInterceptor while ( matched.size() > 0 ) { entry = opContext.lookup( matched, ByPassConstants.GETMATCHEDDN_BYPASS ); - + Set userGroups = groupCache.getGroups( principalDn.getNormName() ); Collection tuples = new HashSet(); - addPerscriptiveAciTuples( opContext, tuples, matched, ((ClonedServerEntry)entry).getOriginalEntry() ); + addPerscriptiveAciTuples( opContext, tuples, matched, ( ( ClonedServerEntry ) entry ).getOriginalEntry() ); addEntryAciTuples( tuples, entry ); addSubentryAciTuples( opContext, tuples, matched, entry ); - if ( engine.hasPermission( schemaManager, opContext, userGroups, principalDn, - principal.getAuthenticationLevel(), matched, null, - null, MATCHEDNAME_PERMS, tuples, entry, null ) ) + if ( engine.hasPermission( schemaManager, opContext, userGroups, principalDn, principal + .getAuthenticationLevel(), matched, null, null, MATCHEDNAME_PERMS, tuples, entry, null ) ) { return matched; } @@ -1124,15 +1109,14 @@ public class AciAuthorizationInterceptor } - private boolean filter( OperationContext opContext, DN normName, ClonedServerEntry clonedEntry ) - throws Exception + private boolean filter( OperationContext opContext, DN normName, ClonedServerEntry clonedEntry ) throws Exception { /* * First call hasPermission() for entry level "Browse" and "ReturnDN" perm * tests. If we hasPermission() returns false we immediately short the * process and return false. */ - + LdapPrincipal principal = opContext.getSession().getEffectivePrincipal(); DN userDn = principal.getDN(); Set userGroups = groupCache.getGroups( userDn.getNormName() ); 
@@ -1141,19 +1125,8 @@ public class AciAuthorizationInterceptor addEntryAciTuples( tuples, clonedEntry.getOriginalEntry() ); addSubentryAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() ); - if ( !engine.hasPermission( - schemaManager, - opContext, - userGroups, - userDn, - principal.getAuthenticationLevel(), - normName, - null, - null, - SEARCH_ENTRY_PERMS, - tuples, - clonedEntry.getOriginalEntry(), - null ) ) + if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal.getAuthenticationLevel(), + normName, null, null, SEARCH_ENTRY_PERMS, tuples, clonedEntry.getOriginalEntry(), null ) ) { return false; } 
@@ -1166,67 +1139,46 @@ public class AciAuthorizationInterceptor * values remaining then the entire attribute is removed. */ List attributeToRemove = new ArrayList(); - - for ( AttributeType attributeType:clonedEntry.getAttributeTypes() ) + + for ( AttributeType attributeType : clonedEntry.getAttributeTypes() ) { // if attribute type scope access is not allowed then remove the attribute and continue String id = attributeType.getName(); EntryAttribute attr = clonedEntry.get( attributeType ); - - if ( !engine.hasPermission( - schemaManager, - opContext, - userGroups, - userDn, - principal.getAuthenticationLevel(), - normName, - id, - null, - SEARCH_ATTRVAL_PERMS, - tuples, - clonedEntry, - null ) ) + + if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal + .getAuthenticationLevel(), normName, id, null, SEARCH_ATTRVAL_PERMS, tuples, clonedEntry, null ) ) { attributeToRemove.add( attributeType ); - + continue; } List> valueToRemove = new ArrayList>(); - + // attribute type scope is ok now let's determine value level scope - for ( Value value:attr ) + for ( Value value : attr ) { - if ( !engine.hasPermission( - schemaManager, - opContext, - userGroups, - userDn, - principal.getAuthenticationLevel(), - normName, - attr.getUpId(), - value, - SEARCH_ATTRVAL_PERMS, - tuples, - clonedEntry, - null ) ) + if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal + .getAuthenticationLevel(), normName, attr.getUpId(), value, SEARCH_ATTRVAL_PERMS, tuples, + clonedEntry, null ) ) { valueToRemove.add( value ); } } - - for ( Value value:valueToRemove ) + + for ( Value value : valueToRemove ) { attr.remove( value ); } - + if ( attr.size() == 0 ) { attributeToRemove.add( attributeType ); } } - - for ( AttributeType attributeType:attributeToRemove ) + + for ( AttributeType attributeType : attributeToRemove ) { clonedEntry.removeAttributes( attributeType ); } 
@@ -1234,14 +1186,12 @@ public class AciAuthorizationInterceptor return true; } - /** * WARNING: create one of these filters fresh every time for each new search. */ class AuthorizationFilter implements EntryFilter { - public boolean accept( SearchingOperationContext operationContext, ClonedServerEntry entry ) - throws Exception + public boolean accept( SearchingOperationContext operationContext, ClonedServerEntry entry ) throws Exception { DN normName = entry.getDn().normalize( schemaManager.getNormalizerMapping() ); return filter( operationContext, normName, entry );