Example #1
  /**
   * Processes all ACIs under the "cn=config" naming context and adds them to the ACI list cache. It
   * also logs messages about the number of ACIs added to the cache. This method is called once at
   * startup. It will put the server in lockdown mode if needed.
   *
   * @throws InitializationException If there is an error searching for the ACIs in the naming
   *     context.
   */
  private void processConfigAcis() throws InitializationException {
    // Request the "aci" attribute only.
    LinkedHashSet<String> aciOnly = new LinkedHashSet<String>(1);
    aciOnly.add("aci");
    // Failure messages filled in by aciList.addAci(); one list is shared by every base DN below.
    LinkedList<Message> rejected = new LinkedList<Message>();
    InternalClientConnection rootConn = InternalClientConnection.getRootConnection();
    ConfigHandler configHandler = DirectoryServer.getConfigHandler();

    for (DN configBase : configHandler.getBaseDNs()) {
      boolean baseExists;
      try {
        baseExists = configHandler.entryExists(configBase);
      } catch (Exception e) {
        if (debugEnabled()) {
          TRACER.debugCaught(DebugLogLevel.ERROR, e);
        }

        // FIXME -- Is there anything that we need to do here?
        // NOTE(review): a failed existence check skips this base DN's ACIs and is recorded only
        // when debug tracing is enabled; the loop moves on without an error log entry and
        // without entering lockdown. For access-control data an error-level log entry looks
        // like the minimum.
        continue;
      }
      if (!baseExists) {
        continue;
      }

      try {
        // Subtree search below configBase for every entry that carries an "aci" value, issued
        // on the root connection obtained above.
        InternalSearchOperation aciSearch =
            new InternalSearchOperation(
                rootConn,
                InternalClientConnection.nextOperationID(),
                InternalClientConnection.nextMessageID(),
                null,
                configBase,
                SearchScope.WHOLE_SUBTREE,
                DereferencePolicy.NEVER_DEREF_ALIASES,
                0, // presumably the size limit (0 = unlimited) -- confirm against the constructor
                0, // presumably the time limit (0 = unlimited) -- confirm against the constructor
                false,
                SearchFilter.createFilterFromString("aci=*"),
                aciOnly,
                null);
        configHandler.search(new LocalBackendSearchOperation(aciSearch));

        if (aciSearch.getSearchEntries().isEmpty()) {
          // Nothing under this base DN carries an ACI; no log message is written for it.
          continue;
        }

        // addAci() returns the count that is reported in the info message below and appends a
        // message to 'rejected' for each failure it reports.
        int addedCount = aciList.addAci(aciSearch.getSearchEntries(), rejected);
        if (!rejected.isEmpty()) {
          // NOTE(review): 'rejected' is never cleared, so once one base DN produces a failure,
          // every later base DN that returns entries hands the same messages over again.
          aciListenerMgr.logMsgsSetLockDownMode(rejected);
        }
        logError(
            INFO_ACI_ADD_LIST_ACIS.get(Integer.toString(addedCount), String.valueOf(configBase)));
      } catch (Exception e) {
        // Any failure while searching or loading aborts initialization, with the cause attached.
        throw new InitializationException(INFO_ACI_HANDLER_FAIL_PROCESS_ACI.get(), e);
      }
    }
  }
Example #2
 /**
  * Test the attribute types of the search filter for access. This method supports the search
  * right.
  *
  * @param container The container used in the access evaluation.
  * @param filter The filter to check access on.
  * @return True if all attribute types in the filter have access.
  * @throws DirectoryException If there is a problem matching the entry using the provided filter.
  */
 private boolean testFilter(AciLDAPOperationContainer container, SearchFilter filter)
     throws DirectoryException {
   // A resource entry whose DN equals "cn=debugsearch" and which carries the special
   // "debugsearchindex" attribute is a pseudo entry created for debug purposes; it is
   // allowed without evaluating any attribute type in the filter.
   // NOTE(review): this shortcut skips every per-attribute check, so it relies on that
   // DN/attribute pair never matching a regular entry -- confirm where the pseudo entry is built.
   if (debugSearchIndexDN.equals(container.getResourceDN())
       && container.getResourceEntry().hasAttribute(debugSearchIndex)) {
     return true;
   }

   switch (filter.getFilterType()) {
     case AND:
     case OR:
       // Every component must pass, for OR as well as AND; a filter with no components
       // passes.
       for (SearchFilter component : filter.getFilterComponents()) {
         if (!testFilter(container, component)) {
           return false;
         }
       }
       return true;
     case NOT:
       // The result is not inverted: access to the negated component's attribute types is
       // still required.
       return testFilter(container, filter.getNotComponent());
     default:
       // Leaf filter: record its attribute type on the container, then evaluate access.
       // NOTE(review): the attribute type is passed on unchecked; whether it can be null for
       // some filter types is not visible here -- confirm how accessAllowed() treats that.
       container.setCurrentAttributeType(filter.getAttributeType());
       return accessAllowed(container);
   }
 }