Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 12750 invoked from network); 29 May 2010 17:37:14 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 29 May 2010 17:37:14 -0000 Received: (qmail 72265 invoked by uid 500); 29 May 2010 17:37:14 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 72237 invoked by uid 500); 29 May 2010 17:37:14 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 72230 invoked by uid 99); 29 May 2010 17:37:14 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 May 2010 17:37:14 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 29 May 2010 17:37:11 +0000 Received: by eris.apache.org (Postfix, from userid 65534) id A69BA238897D; Sat, 29 May 2010 17:36:49 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r949425 - in /directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core: authz/DefaultAuthorizationInterceptor.java exception/ExceptionInterceptor.java Date: Sat, 29 May 2010 17:36:49 -0000 To: commits@directory.apache.org From: elecharny@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20100529173649.A69BA238897D@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: elecharny Date: Sat May 29 17:36:49 2010 New Revision: 949425 URL: http://svn.apache.org/viewvc?rev=949425&view=rev Log: Some more cleanup for the modify operation : mainly cleaning DN operations. Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=949425&r1=949424&r2=949425&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Sat May 29 17:36:49 2010 @@ -51,8 +51,8 @@ import org.apache.directory.server.core. import org.apache.directory.server.i18n.I18n; import org.apache.directory.shared.ldap.constants.AuthenticationLevel; import org.apache.directory.shared.ldap.constants.SchemaConstants; -import org.apache.directory.shared.ldap.entry.EntryAttribute; import org.apache.directory.shared.ldap.entry.Entry; +import org.apache.directory.shared.ldap.entry.EntryAttribute; import org.apache.directory.shared.ldap.entry.Value; import org.apache.directory.shared.ldap.exception.LdapNoPermissionException; import org.apache.directory.shared.ldap.name.DN; @@ -87,8 +87,8 @@ public class DefaultAuthorizationInterce /** the distinguished {@link Name} for the administrator group */ private static DN ADMIN_GROUP_DN; - private Set administrators = new HashSet(2); - + private Set administrators = new HashSet( 2 ); + private PartitionNexus nexus; /** A starage for the uniqueMember attributeType */ @@ -111,48 +111,48 @@ public class DefaultAuthorizationInterce ADMIN_SYSTEM_DN = new DN( ServerDNConstants.ADMIN_SYSTEM_DN ); ADMIN_SYSTEM_DN.normalize( schemaManager.getNormalizerMapping() ); - + GROUP_BASE_DN = new DN( ServerDNConstants.GROUPS_SYSTEM_DN ); GROUP_BASE_DN.normalize( schemaManager.getNormalizerMapping() ); - + ADMIN_GROUP_DN = new DN( ServerDNConstants.ADMINISTRATORS_GROUP_DN ); ADMIN_GROUP_DN.normalize( schemaManager.getNormalizerMapping() ); uniqueMemberAT = schemaManager.lookupAttributeTypeRegistry( SchemaConstants.UNIQUE_MEMBER_AT_OID ); - + loadAdministrators( directoryService ); } - - + + private void loadAdministrators( DirectoryService directoryService ) throws Exception { // read in the administrators and cache their normalized names Set newAdministrators = new HashSet( 2 ); DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED ); adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() ); - CoreSession adminSession = new DefaultCoreSession( - new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService ); + CoreSession adminSession = new DefaultCoreSession( new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), + directoryService ); Entry adminGroup = nexus.lookup( new LookupOperationContext( adminSession, ADMIN_GROUP_DN ) ); - + if ( adminGroup == null ) { return; } - + EntryAttribute uniqueMember = adminGroup.get( uniqueMemberAT ); - - for ( Value value:uniqueMember ) + + for ( Value value : uniqueMember ) { DN memberDn = new DN( value.getString() ); memberDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() ); newAdministrators.add( memberDn.getNormName() ); } - + administrators = newAdministrators; } - + // Note: // Lookup, search and list operations need to be handled using a filter // and so we need access to the filter service. @@ -180,7 +180,7 @@ public class DefaultAuthorizationInterce LOG.error( msg ); throw new LdapNoPermissionException( msg ); } - + DN principalDN = getPrincipal().getDNRef(); if ( dn.equals( ADMIN_SYSTEM_DN ) ) @@ -198,7 +198,7 @@ public class DefaultAuthorizationInterce LOG.error( msg ); throw new LdapNoPermissionException( msg ); } - + if ( dn.isChildOf( GROUP_BASE_DN ) ) { String msg = I18n.err( I18n.ERR_16, principalDN.getName(), dn.getName() ); @@ -210,18 +210,18 @@ public class DefaultAuthorizationInterce nextInterceptor.delete( opContext ); } - + private boolean isTheAdministrator( DN normalizedDn ) { return normalizedDn.equals( ADMIN_SYSTEM_DN ); } - - + + private boolean isAnAdministrator( DN dn ) { return isTheAdministrator( dn ) || administrators.contains( dn.getNormName() ); } - + // ------------------------------------------------------------------------ // Entry Modification Operations @@ -233,18 +233,17 @@ public class DefaultAuthorizationInterce * users to self access these resources. As far as we're concerned no one but * the admin needs access. */ - public void modify( NextInterceptor nextInterceptor, ModifyOperationContext opContext ) - throws Exception + public void modify( NextInterceptor nextInterceptor, ModifyOperationContext opContext ) throws Exception { if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { DN dn = opContext.getDn(); - + protectModifyAlterations( dn ); nextInterceptor.modify( opContext ); // update administrators if we change administrators group - if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) ) + if ( dn.equals( ADMIN_GROUP_DN ) ) { loadAdministrators( opContext.getSession().getDirectoryService() ); } @@ -267,30 +266,30 @@ public class DefaultAuthorizationInterce throw new LdapNoPermissionException( msg ); } - if ( ! isAnAdministrator( principalDn ) ) + if ( !isAnAdministrator( principalDn ) ) { // allow self modifications - if ( dn.getNormName().equals( getPrincipal().getName() ) ) + if ( dn.equals( getPrincipal() ) ) { return; } - - if ( dn.getNormName().equals( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED ) ) + + if ( dn.equals( ServerDNConstants.ADMIN_SYSTEM_DN ) ) { String msg = I18n.err( I18n.ERR_18, principalDn.getName() ); LOG.error( msg ); throw new LdapNoPermissionException( msg ); } - if ( dn.size() > 2 ) - { + if ( dn.size() > 2 ) + { if ( dn.isChildOf( ADMIN_SYSTEM_DN ) ) { - String msg = I18n.err( I18n.ERR_19, principalDn.getName(), dn.getName() ); + String msg = I18n.err( I18n.ERR_19, principalDn.getName(), dn.getName() ); LOG.error( msg ); throw new LdapNoPermissionException( msg ); } - + if ( dn.isChildOf( GROUP_BASE_DN ) ) { String msg = I18n.err( I18n.ERR_20, principalDn.getName(), dn.getName() ); @@ -300,8 +299,8 @@ public class DefaultAuthorizationInterce } } } - - + + // ------------------------------------------------------------------------ // DN altering operations are a no no for any user entry. Basically here // are the rules of conduct to follow: @@ -311,14 +310,13 @@ public class DefaultAuthorizationInterce // o The administrator entry cannot be moved or renamed by anyone // ------------------------------------------------------------------------ - public void rename( NextInterceptor nextInterceptor, RenameOperationContext opContext ) - throws Exception + public void rename( NextInterceptor nextInterceptor, RenameOperationContext opContext ) throws Exception { if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { protectDnAlterations( opContext.getDn() ); } - + nextInterceptor.rename( opContext ); } @@ -329,18 +327,19 @@ public class DefaultAuthorizationInterce { protectDnAlterations( opContext.getDn() ); } - + nextInterceptor.move( opContext ); } - public void moveAndRename( NextInterceptor nextInterceptor, MoveAndRenameOperationContext opContext ) throws Exception + public void moveAndRename( NextInterceptor nextInterceptor, MoveAndRenameOperationContext opContext ) + throws Exception { if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { protectDnAlterations( opContext.getDn() ); } - + nextInterceptor.moveAndRename( opContext ); } @@ -362,7 +361,7 @@ public class DefaultAuthorizationInterce LOG.error( msg ); throw new LdapNoPermissionException( msg ); } - + if ( isTheAdministrator( dn ) ) { String msg = I18n.err( I18n.ERR_22, principalDn.getName(), dn.getName() ); @@ -390,14 +389,14 @@ public class DefaultAuthorizationInterce { CoreSession session = opContext.getSession(); Entry entry = nextInterceptor.lookup( opContext ); - + if ( session.getDirectoryService().isAccessControlEnabled() || ( entry == null ) ) { return entry; } protectLookUp( session.getEffectivePrincipal().getDN(), opContext.getDn() ); - + return entry; } @@ -408,14 +407,14 @@ public class DefaultAuthorizationInterce { if ( normalizedDn.size() > 2 ) { - if( normalizedDn.isChildOf( ADMIN_SYSTEM_DN ) ) + if ( normalizedDn.isChildOf( ADMIN_SYSTEM_DN ) ) { // allow for self reads if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) ) { return; } - + String msg = I18n.err( I18n.ERR_25, normalizedDn.getName(), principalDn.getName() ); LOG.error( msg ); throw new LdapNoPermissionException( msg ); @@ -428,7 +427,7 @@ public class DefaultAuthorizationInterce { return; } - + String msg = I18n.err( I18n.ERR_26, normalizedDn.getName(), principalDn.getName() ); LOG.error( msg ); throw new LdapNoPermissionException( msg ); @@ -443,7 +442,7 @@ public class DefaultAuthorizationInterce return; } - String msg = I18n.err( I18n.ERR_27, principalDn.getName() ); + String msg = I18n.err( I18n.ERR_27, principalDn.getName() ); LOG.error( msg ); throw new LdapNoPermissionException( msg ); } @@ -451,7 +450,8 @@ public class DefaultAuthorizationInterce } - public EntryFilteringCursor search( NextInterceptor nextInterceptor, SearchOperationContext opContext ) throws Exception + public EntryFilteringCursor search( NextInterceptor nextInterceptor, SearchOperationContext opContext ) + throws Exception { EntryFilteringCursor cursor = nextInterceptor.search( opContext ); @@ -460,7 +460,8 @@ public class DefaultAuthorizationInterce return cursor; } - cursor.addEntryFilter( new EntryFilter() { + cursor.addEntryFilter( new EntryFilter() + { public boolean accept( SearchingOperationContext operation, ClonedServerEntry result ) throws Exception { return DefaultAuthorizationInterceptor.this.isSearchable( operation, result ); @@ -470,10 +471,11 @@ public class DefaultAuthorizationInterce } - public EntryFilteringCursor list( NextInterceptor nextInterceptor, ListOperationContext opContext ) throws Exception + public EntryFilteringCursor list( NextInterceptor nextInterceptor, ListOperationContext opContext ) + throws Exception { EntryFilteringCursor cursor = nextInterceptor.list( opContext ); - + if ( opContext.getSession().getDirectoryService().isAccessControlEnabled() ) { return cursor; @@ -496,7 +498,7 @@ public class DefaultAuthorizationInterce { DN principalDn = opContext.getSession().getEffectivePrincipal().getDN(); DN dn = result.getDn(); - + if ( !dn.isNormalized() ) { dn.normalize( opContext.getSession().getDirectoryService().getSchemaManager().getNormalizerMapping() ); @@ -507,30 +509,30 @@ public class DefaultAuthorizationInterce { return true; } - + // Users reading their own entries should be allowed to see all boolean isSelfRead = dn.getNormName().equals( principalDn.getNormName() ); - + if ( isSelfRead ) { return true; } - + // Block off reads to anything under ou=users and ou=groups if not a self read if ( dn.size() > 2 ) { // stuff this if in here instead of up in outer if to prevent // constant needless reexecution for all entries in other depths - - if ( dn.getNormName().endsWith( ADMIN_SYSTEM_DN.getNormName() ) + + if ( dn.getNormName().endsWith( ADMIN_SYSTEM_DN.getNormName() ) || dn.getNormName().endsWith( GROUP_BASE_DN.getNormName() ) ) { return false; } } - + // Non-admin users cannot read the admin entry - return ! isTheAdministrator( dn ); + return !isTheAdministrator( dn ); } } Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java?rev=949425&r1=949424&r2=949425&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/exception/ExceptionInterceptor.java Sat May 29 17:36:49 2010 @@ -292,18 +292,21 @@ public class ExceptionInterceptor extend // handle operations against the schema subentry in the schema service // and never try to look it up in the nexus below - if ( opContext.getDn().getNormName().equalsIgnoreCase( subschemSubentryDn.getNormName() ) ) + if ( opContext.getDn().equals( subschemSubentryDn ) ) { nextInterceptor.modify( opContext ); return; } + // Check that the entry we read at the beginning exists. If + // not, we will throw an exception here assertHasEntry( opContext, msg ); Entry entry = opContext.getEntry(); List items = opContext.getModItems(); + // Check that we aren't adding a value that already exists in the current entry for ( Modification item : items ) { if ( item.getOperation() == ModificationOperation.ADD_ATTRIBUTE ) @@ -317,7 +320,8 @@ public class ExceptionInterceptor extend { if ( entryAttr.contains( value ) ) { - throw new LdapAttributeInUseException( I18n.err( I18n.ERR_254, value, modAttr.getId() ) ); + throw new LdapAttributeInUseException( I18n.err( I18n.ERR_254_ADD_EXISTING_VALUE, value, + modAttr.getId() ) ); } } }