/**
* Process this search operation against a local backend.
*
* @param wfe The local backend work-flow element.
* @throws CanceledOperationException if this operation should be cancelled
*/
public void processLocalSearch(LocalBackendWorkflowElement wfe)
throws CanceledOperationException {
this.backend = wfe.getBackend();
this.clientConnection = getClientConnection();
// Check for a request to cancel this operation.
checkIfCanceled(false);
try {
BooleanHolder executePostOpPlugins = new BooleanHolder(false);
processSearch(executePostOpPlugins);
// Check for a request to cancel this operation.
checkIfCanceled(false);
// Invoke the post-operation search plugins.
if (executePostOpPlugins.value) {
PluginResult.PostOperation postOpResult =
DirectoryServer.getPluginConfigManager().invokePostOperationSearchPlugins(this);
if (!postOpResult.continueProcessing()) {
setResultCode(postOpResult.getResultCode());
appendErrorMessage(postOpResult.getErrorMessage());
setMatchedDN(postOpResult.getMatchedDN());
setReferralURLs(postOpResult.getReferralURLs());
}
}
} finally {
LocalBackendWorkflowElement.filterNonDisclosableMatchedDN(this);
}
}
/**
* Handles request control processing for this bind operation.
*
* @throws DirectoryException If there is a problem with any of the controls.
*/
private void handleRequestControls() throws DirectoryException {
LocalBackendWorkflowElement.removeAllDisallowedControls(bindDN, this);
List<Control> requestControls = getRequestControls();
if (requestControls != null && !requestControls.isEmpty()) {
for (Control c : requestControls) {
final String oid = c.getOID();
if (OID_AUTHZID_REQUEST.equals(oid)) {
returnAuthzID = true;
} else if (OID_PASSWORD_POLICY_CONTROL.equals(oid)) {
pwPolicyControlRequested = true;
}
// NYI -- Add support for additional controls.
else if (c.isCritical()) {
throw new DirectoryException(
ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
ERR_BIND_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
}
}
}
}
/**
* Creates a new operation that may be used to search for entries in a local backend of the
* Directory Server.
*
* @param search The operation to process.
*/
public LocalBackendSearchOperation(SearchOperation search) {
super(search);
LocalBackendWorkflowElement.attachLocalOperation(search, this);
}
/**
* Handles any controls contained in the request.
*
* @throws DirectoryException If there is a problem with any of the request controls.
*/
private void handleRequestControls() throws DirectoryException {
LocalBackendWorkflowElement.removeAllDisallowedControls(baseDN, this);
List<Control> requestControls = getRequestControls();
if (requestControls != null && !requestControls.isEmpty()) {
for (Control c : requestControls) {
String oid = c.getOID();
if (OID_LDAP_ASSERTION.equals(oid)) {
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
SearchFilter assertionFilter;
try {
assertionFilter = assertControl.getSearchFilter();
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()),
de);
}
Entry entry;
try {
entry = DirectoryServer.getEntry(baseDN);
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_GET_ENTRY_FOR_ASSERTION.get(de.getMessageObject()));
}
if (entry == null) {
throw new DirectoryException(
ResultCode.NO_SUCH_OBJECT, ERR_SEARCH_NO_SUCH_ENTRY_FOR_ASSERTION.get());
}
// Check if the current user has permission to make
// this determination.
if (!AccessControlConfigManager.getInstance()
.getAccessControlHandler()
.isAllowed(this, entry, assertionFilter)) {
throw new DirectoryException(
ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
}
try {
if (!assertionFilter.matchesEntry(entry)) {
throw new DirectoryException(
ResultCode.ASSERTION_FAILED, ERR_SEARCH_ASSERTION_FAILED.get());
}
} catch (DirectoryException de) {
if (de.getResultCode() == ResultCode.ASSERTION_FAILED) {
throw de;
}
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(
de.getResultCode(),
ERR_SEARCH_CANNOT_PROCESS_ASSERTION_FILTER.get(de.getMessageObject()),
de);
}
} else if (OID_PROXIED_AUTH_V1.equals(oid)) {
// Log usage of legacy proxy authz V1 control.
addAdditionalLogItem(
AdditionalLogItem.keyOnly(getClass(), "obsoleteProxiedAuthzV1Control"));
// The requester must have the PROXIED_AUTH privilege in order to be
// able to use this control.
if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) {
throw new DirectoryException(
ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV1Control proxyControl = getRequestControl(ProxiedAuthV1Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
setProxiedAuthorizationDN(getDN(authorizationEntry));
} else if (OID_PROXIED_AUTH_V2.equals(oid)) {
// The requester must have the PROXIED_AUTH privilege in order to be
// able to use this control.
if (!clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this)) {
throw new DirectoryException(
ResultCode.AUTHORIZATION_DENIED, ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV2Control proxyControl = getRequestControl(ProxiedAuthV2Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
setProxiedAuthorizationDN(getDN(authorizationEntry));
} else if (OID_PERSISTENT_SEARCH.equals(oid)) {
final PersistentSearchControl ctrl = getRequestControl(PersistentSearchControl.DECODER);
persistentSearch =
new PersistentSearch(
this, ctrl.getChangeTypes(), ctrl.getChangesOnly(), ctrl.getReturnECs());
} else if (OID_LDAP_SUBENTRIES.equals(oid)) {
SubentriesControl subentriesControl = getRequestControl(SubentriesControl.DECODER);
setReturnSubentriesOnly(subentriesControl.getVisibility());
} else if (OID_LDUP_SUBENTRIES.equals(oid)) {
// Support for legacy draft-ietf-ldup-subentry.
addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(), "obsoleteSubentryControl"));
setReturnSubentriesOnly(true);
} else if (OID_MATCHED_VALUES.equals(oid)) {
MatchedValuesControl matchedValuesControl =
getRequestControl(MatchedValuesControl.DECODER);
setMatchedValuesControl(matchedValuesControl);
} else if (OID_ACCOUNT_USABLE_CONTROL.equals(oid)) {
setIncludeUsableControl(true);
} else if (OID_REAL_ATTRS_ONLY.equals(oid)) {
setRealAttributesOnly(true);
} else if (OID_VIRTUAL_ATTRS_ONLY.equals(oid)) {
setVirtualAttributesOnly(true);
} else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid)
&& DirectoryServer.isSupportedControl(OID_GET_EFFECTIVE_RIGHTS)) {
// Do nothing here and let AciHandler deal with it.
}
// NYI -- Add support for additional controls.
else if (c.isCritical() && !backendSupportsControl(oid)) {
throw new DirectoryException(
ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
ERR_SEARCH_UNSUPPORTED_CRITICAL_CONTROL.get(oid));
}
}
}
}
/**
* Process this bind operation in a local backend.
*
* @param wfe The local backend work-flow element.
*/
public void processLocalBind(LocalBackendWorkflowElement wfe) {
this.backend = wfe.getBackend();
// Initialize a number of variables for use during the bind processing.
clientConnection = getClientConnection();
returnAuthzID = false;
executePostOpPlugins = false;
sizeLimit = DirectoryServer.getSizeLimit();
timeLimit = DirectoryServer.getTimeLimit();
lookthroughLimit = DirectoryServer.getLookthroughLimit();
idleTimeLimit = DirectoryServer.getIdleTimeLimit();
bindDN = getBindDN();
saslMechanism = getSASLMechanism();
authPolicyState = null;
pwPolicyErrorType = null;
pwPolicyControlRequested = false;
isGraceLogin = false;
isFirstWarning = false;
mustChangePassword = false;
pwPolicyWarningType = null;
pwPolicyWarningValue = -1;
pluginConfigManager = DirectoryServer.getPluginConfigManager();
processBind();
// Update the user's account with any password policy changes that may be
// required.
try {
if (authPolicyState != null) {
authPolicyState.finalizeStateAfterBind();
}
} catch (DirectoryException de) {
logger.traceException(de);
setResponseData(de);
}
// Invoke the post-operation bind plugins.
if (executePostOpPlugins) {
PluginResult.PostOperation postOpResult =
pluginConfigManager.invokePostOperationBindPlugins(this);
if (!postOpResult.continueProcessing()) {
setResultCode(postOpResult.getResultCode());
appendErrorMessage(postOpResult.getErrorMessage());
setMatchedDN(postOpResult.getMatchedDN());
setReferralURLs(postOpResult.getReferralURLs());
}
}
// Update the authentication information for the user.
AuthenticationInfo authInfo = getAuthenticationInfo();
if (getResultCode() == ResultCode.SUCCESS && authInfo != null) {
clientConnection.setAuthenticationInfo(authInfo);
clientConnection.setSizeLimit(sizeLimit);
clientConnection.setTimeLimit(timeLimit);
clientConnection.setIdleTimeLimit(idleTimeLimit);
clientConnection.setLookthroughLimit(lookthroughLimit);
clientConnection.setMustChangePassword(mustChangePassword);
if (returnAuthzID) {
addResponseControl(new AuthorizationIdentityResponseControl(authInfo.getAuthorizationDN()));
}
}
// See if we need to send a password policy control to the client. If so,
// then add it to the response.
if (getResultCode() == ResultCode.SUCCESS) {
if (pwPolicyControlRequested) {
PasswordPolicyResponseControl pwpControl =
new PasswordPolicyResponseControl(
pwPolicyWarningType, pwPolicyWarningValue, pwPolicyErrorType);
addResponseControl(pwpControl);
} else {
if (pwPolicyErrorType == PasswordPolicyErrorType.PASSWORD_EXPIRED) {
addResponseControl(new PasswordExpiredControl());
} else if (pwPolicyWarningType == PasswordPolicyWarningType.TIME_BEFORE_EXPIRATION) {
addResponseControl(new PasswordExpiringControl(pwPolicyWarningValue));
} else if (mustChangePassword) {
addResponseControl(new PasswordExpiredControl());
}
}
} else {
if (pwPolicyControlRequested) {
PasswordPolicyResponseControl pwpControl =
new PasswordPolicyResponseControl(
pwPolicyWarningType, pwPolicyWarningValue, pwPolicyErrorType);
addResponseControl(pwpControl);
} else {
if (pwPolicyErrorType == PasswordPolicyErrorType.PASSWORD_EXPIRED) {
addResponseControl(new PasswordExpiredControl());
}
}
}
}
/**
* Creates a new operation that may be used to bind where the bound user entry is stored in a
* local backend of the Directory Server.
*
* @param bind The operation to enhance.
*/
public LocalBackendBindOperation(BindOperation bind) {
super(bind);
LocalBackendWorkflowElement.attachLocalOperation(bind, this);
}
