/**
* A utility method which may be used by implementations in order to obtain the value of the
* specified attribute from the provided entry as a boolean.
*
* @param entry The entry whose attribute is to be parsed as a boolean.
* @param attributeType The attribute type whose value should be parsed as a boolean.
* @return The attribute's value represented as a ConditionResult value, or
* ConditionResult.UNDEFINED if the specified attribute does not exist in the entry.
* @throws DirectoryException If the value cannot be decoded as a boolean.
*/
protected static final ConditionResult getBoolean(
final Entry entry, final AttributeType attributeType) throws DirectoryException {
final List<Attribute> attrList = entry.getAttribute(attributeType);
if (attrList != null) {
for (final Attribute a : attrList) {
if (a.isEmpty()) {
continue;
}
final String valueString = toLowerCase(a.iterator().next().getValue().toString());
if (valueString.equals("true")
|| valueString.equals("yes")
|| valueString.equals("on")
|| valueString.equals("1")) {
if (debugEnabled()) {
TRACER.debugInfo(
"Attribute %s resolves to true for user entry " + "%s",
attributeType.getNameOrOID(), entry.getDN().toString());
}
return ConditionResult.TRUE;
}
if (valueString.equals("false")
|| valueString.equals("no")
|| valueString.equals("off")
|| valueString.equals("0")) {
if (debugEnabled()) {
TRACER.debugInfo(
"Attribute %s resolves to false for user " + "entry %s",
attributeType.getNameOrOID(), entry.getDN().toString());
}
return ConditionResult.FALSE;
}
if (debugEnabled()) {
TRACER.debugError(
"Unable to resolve value %s for attribute %s " + "in user entry %s as a Boolean.",
valueString, attributeType.getNameOrOID(), entry.getDN().toString());
}
final Message message =
ERR_PWPSTATE_CANNOT_DECODE_BOOLEAN.get(
valueString, attributeType.getNameOrOID(), entry.getDN().toString());
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
if (debugEnabled()) {
TRACER.debugInfo(
"Returning %s because attribute %s does not exist " + "in user entry %s",
ConditionResult.UNDEFINED.toString(),
attributeType.getNameOrOID(),
entry.getDN().toString());
}
return ConditionResult.UNDEFINED;
}
/**
* Evaluate an entry to be added to see if it has any "aci" attribute type. If it does, examines
* each "aci" attribute type value for syntax errors. All of the "aci" attribute type values must
* pass syntax check for the add operation to proceed. Any entry with an "aci" attribute type must
* have "modify-acl" privileges.
*
* @param entry The entry to be examined.
* @param operation The operation to to check privileges on.
* @param clientDN The authorization DN.
* @return True if the entry has no ACI attributes or if all of the "aci" attributes values pass
* ACI syntax checking.
* @throws DirectoryException If a modified ACI could not be decoded.
*/
private boolean verifySyntax(Entry entry, Operation operation, DN clientDN)
throws DirectoryException {
if (entry.hasOperationalAttribute(aciType)) {
/*
* Check that the operation has "modify-acl" privileges since the
* entry to be added has an "aci" attribute type.
*/
if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
Message message =
INFO_ACI_ADD_FAILED_PRIVILEGE.get(
String.valueOf(entry.getDN()), String.valueOf(clientDN));
logError(message);
return false;
}
List<Attribute> attributeList = entry.getOperationalAttribute(aciType, null);
for (Attribute attribute : attributeList) {
for (AttributeValue value : attribute) {
try {
DN dn = entry.getDN();
Aci.decode(value.getValue(), dn);
} catch (AciException ex) {
Message message =
WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry.getDN()), ex.getMessage());
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
}
return true;
}
/**
* Test entry.
*
* @throws Exception If the test failed unexpectedly.
*/
@Test()
public void testEntryToAndFromDatabase() throws Exception {
// Make sure that the server is up and running.
TestCaseUtils.startServer();
// Convert the test LDIF string to a byte array
byte[] originalLDIFBytes = StaticUtils.getBytes(ldifString);
LDIFReader reader =
new LDIFReader(new LDIFImportConfig(new ByteArrayInputStream(originalLDIFBytes)));
Entry entryBefore, entryAfter;
while ((entryBefore = reader.readEntry(false)) != null) {
ByteString bytes = ID2Entry.entryToDatabase(entryBefore, new DataConfig(false, false, null));
entryAfter = ID2Entry.entryFromDatabase(bytes, DirectoryServer.getDefaultCompressedSchema());
// check DN and number of attributes
assertEquals(entryBefore.getAttributes().size(), entryAfter.getAttributes().size());
assertEquals(entryBefore.getDN(), entryAfter.getDN());
// check the object classes were not changed
for (String ocBefore : entryBefore.getObjectClasses().values()) {
ObjectClass objectClass = DirectoryServer.getObjectClass(ocBefore.toLowerCase());
if (objectClass == null) {
objectClass = DirectoryServer.getDefaultObjectClass(ocBefore);
}
String ocAfter = entryAfter.getObjectClasses().get(objectClass);
assertEquals(ocBefore, ocAfter);
}
// check the user attributes were not changed
for (AttributeType attrType : entryBefore.getUserAttributes().keySet()) {
List<Attribute> listBefore = entryBefore.getAttribute(attrType);
List<Attribute> listAfter = entryAfter.getAttribute(attrType);
assertTrue(listAfter != null);
assertEquals(listBefore.size(), listAfter.size());
for (Attribute attrBefore : listBefore) {
boolean found = false;
for (Attribute attrAfter : listAfter) {
if (attrAfter.optionsEqual(attrBefore.getOptions())) {
// Found the corresponding attribute
assertEquals(attrBefore, attrAfter);
found = true;
}
}
assertTrue(found);
}
}
}
reader.close();
}
private void setDNAndEntryFields(final T o, final Entry e) throws LDAPPersistException {
if (dnField != null) {
try {
dnField.set(o, e.getDN());
} catch (Exception ex) {
debugException(ex);
throw new LDAPPersistException(
ERR_OBJECT_HANDLER_ERROR_SETTING_DN.get(
type.getName(), e.getDN(), dnField.getName(), getExceptionMessage(ex)),
ex);
}
}
if (entryField != null) {
try {
entryField.set(o, new ReadOnlyEntry(e));
} catch (Exception ex) {
debugException(ex);
throw new LDAPPersistException(
ERR_OBJECT_HANDLER_ERROR_SETTING_ENTRY.get(
type.getName(), entryField.getName(), getExceptionMessage(ex)),
ex);
}
}
}
/**
* A utility method which may be used by implementations in order to obtain the value of the
* specified attribute from the provided entry as a time in generalized time format.
*
* @param entry The entry whose attribute is to be parsed as a boolean.
* @param attributeType The attribute type whose value should be parsed as a generalized time
* value.
* @return The requested time, or -1 if it could not be determined.
* @throws DirectoryException If a problem occurs while attempting to decode the value as a
* generalized time.
*/
protected static final long getGeneralizedTime(
final Entry entry, final AttributeType attributeType) throws DirectoryException {
long timeValue = -1;
final List<Attribute> attrList = entry.getAttribute(attributeType);
if (attrList != null) {
for (final Attribute a : attrList) {
if (a.isEmpty()) {
continue;
}
final AttributeValue v = a.iterator().next();
try {
timeValue = GeneralizedTimeSyntax.decodeGeneralizedTimeValue(v.getNormalizedValue());
} catch (final Exception e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
TRACER.debugWarning(
"Unable to decode value %s for attribute %s " + "in user entry %s: %s",
v.getValue().toString(),
attributeType.getNameOrOID(),
entry.getDN().toString(),
stackTraceToSingleLineString(e));
}
final Message message =
ERR_PWPSTATE_CANNOT_DECODE_GENERALIZED_TIME.get(
v.getValue().toString(),
attributeType.getNameOrOID(),
entry.getDN().toString(),
String.valueOf(e));
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message, e);
}
break;
}
}
if (timeValue == -1) {
if (debugEnabled()) {
TRACER.debugInfo(
"Returning -1 because attribute %s does not " + "exist in user entry %s",
attributeType.getNameOrOID(), entry.getDN().toString());
}
}
// FIXME: else to be consistent...
return timeValue;
}
/** {@inheritDoc} */
@Override()
public boolean hasValue(Entry entry, VirtualAttributeRule rule) {
Backend backend = DirectoryServer.getBackend(entry.getDN());
try {
ConditionResult ret = backend.hasSubordinates(entry.getDN());
return ret != null && ret != ConditionResult.UNDEFINED;
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
return false;
}
}
/** {@inheritDoc} */
@Override
public void replaceEntry(Entry oldEntry, Entry newEntry, ModifyOperation modifyOperation)
throws DirectoryException {
throw new DirectoryException(
ResultCode.UNWILLING_TO_PERFORM,
ERR_BACKEND_MODIFY_NOT_SUPPORTED.get(String.valueOf(oldEntry.getDN()), getBackendID()));
}
/**
* Encodes this entry using the V3 encoding.
*
* @param buffer The buffer to encode into.
* @throws DirectoryException If a problem occurs while attempting to encode the entry.
*/
private void encodeV1(Entry entry, ByteStringBuilder buffer) throws DirectoryException {
// The version number will be one byte.
buffer.append((byte) 0x01);
// TODO: Can we encode the DN directly into buffer?
byte[] dnBytes = getBytes(entry.getDN().toString());
buffer.appendBERLength(dnBytes.length);
buffer.append(dnBytes);
// Encode number of OCs and 0 terminated names.
int i = 1;
ByteStringBuilder bsb = new ByteStringBuilder();
for (String ocName : entry.getObjectClasses().values()) {
bsb.append(ocName);
if (i < entry.getObjectClasses().values().size()) {
bsb.append((byte) 0x00);
}
i++;
}
buffer.appendBERLength(bsb.length());
buffer.append(bsb);
// Encode the user attributes in the appropriate manner.
encodeV1Attributes(buffer, entry.getUserAttributes());
// The operational attributes will be encoded in the same way as
// the user attributes.
encodeV1Attributes(buffer, entry.getOperationalAttributes());
}
/**
* Attempt to read a single entry.
*
* @throws Exception If the test failed unexpectedly.
*/
@Test(dependsOnMethods = {"testReadEntryEmptyStream"})
public void testReadEntrySingle() throws Exception {
final String ldifString =
"dn: cn=john, dc=foo, dc=com\n"
+ "objectClass: top\n"
+ "objectClass: person\n"
+ "cn: john\n"
+ "sn: smith\n";
LDIFReader reader = createLDIFReader(ldifString);
try {
Entry entry = reader.readEntry();
Assert.assertNotNull(entry);
Assert.assertEquals(entry.getDN(), DN.decode("cn=john, dc=foo, dc=com"));
Assert.assertTrue(entry.hasObjectClass(OC_TOP));
Assert.assertTrue(entry.hasObjectClass(OC_PERSON));
Assert.assertTrue(entry.hasValue(AT_CN, null, AttributeValues.create(AT_CN, "john")));
Assert.assertTrue(entry.hasValue(AT_SN, null, AttributeValues.create(AT_SN, "smith")));
Assert.assertNull(reader.readEntry());
Assert.assertEquals(reader.getEntriesIgnored(), 0);
Assert.assertEquals(reader.getEntriesRead(), 1);
Assert.assertEquals(reader.getEntriesRejected(), 0);
Assert.assertEquals(reader.getLastEntryLineNumber(), 1);
} finally {
reader.close();
}
}
/** {@inheritDoc} */
@Override()
public void replaceEntry(Entry oldEntry, Entry newEntry, ModifyOperation modifyOperation)
throws DirectoryException, CanceledOperationException {
checkDiskSpace(modifyOperation);
writerBegin();
DN entryDN = newEntry.getDN();
EntryContainer ec;
if (rootContainer != null) {
ec = rootContainer.getEntryContainer(entryDN);
} else {
Message message = ERR_ROOT_CONTAINER_NOT_INITIALIZED.get(getBackendID());
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), message);
}
ec.sharedLock.lock();
try {
ec.replaceEntry(oldEntry, newEntry, modifyOperation);
} catch (DatabaseException e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
throw createDirectoryException(e);
} finally {
ec.sharedLock.unlock();
writerEnd();
}
}
/** {@inheritDoc} */
@Override()
public Set<AttributeValue> getValues(Entry entry, VirtualAttributeRule rule) {
Backend backend = DirectoryServer.getBackend(entry.getDN());
try {
ConditionResult ret = backend.hasSubordinates(entry.getDN());
if (ret != null && ret != ConditionResult.UNDEFINED) {
AttributeValue value =
AttributeValues.create(
ByteString.valueOf(ret.toString()), ByteString.valueOf(ret.toString()));
return Collections.singleton(value);
}
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
}
return Collections.emptySet();
}
/** {@inheritDoc} */
@Override
public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation op) {
boolean ret;
if (!(ret = skipAccessCheck(proxyUser))) {
AuthenticationInfo authInfo =
new AuthenticationInfo(proxyUser, DirectoryServer.isRootDN(proxyUser.getDN()));
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(op, proxiedUser, authInfo, ACI_PROXY);
ret = accessAllowedEntry(operationContainer);
}
return ret;
}
/**
* Returns {@code true} if this authentication policy state is associated with a user whose
* account has been administratively disabled.
*
* <p>The default implementation is use the value of the "ds-pwp-account-disable" attribute in the
* user's entry.
*
* @return {@code true} if this authentication policy state is associated with a user whose
* account has been administratively disabled.
*/
public boolean isDisabled() {
final AttributeType type = DirectoryServer.getAttributeType(OP_ATTR_ACCOUNT_DISABLED, true);
try {
isDisabled = getBoolean(userEntry, type);
} catch (final Exception e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
isDisabled = ConditionResult.TRUE;
if (debugEnabled()) {
TRACER.debugWarning(
"User %s is considered administratively "
+ "disabled because an error occurred while "
+ "attempting to make the determination: %s.",
userEntry.getDN().toString(), stackTraceToSingleLineString(e));
}
return true;
}
if (isDisabled == ConditionResult.UNDEFINED) {
isDisabled = ConditionResult.FALSE;
if (debugEnabled()) {
TRACER.debugInfo(
"User %s is not administratively disabled since "
+ "the attribute \"%s\" is not present in the entry.",
userEntry.getDN().toString(), OP_ATTR_ACCOUNT_DISABLED);
}
return false;
}
if (debugEnabled()) {
TRACER.debugInfo(
"User %s %s administratively disabled.",
userEntry.getDN().toString(), ((isDisabled == ConditionResult.TRUE) ? " is" : " is not"));
}
return isDisabled == ConditionResult.TRUE;
}
/**
* Performs a successful LDAP bind using CRAM-MD5 using the dn: form of the authentication ID
* using a long password (longer than 64 bytes).
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testLDAPBindSuccessWithDNAndLongPassword() throws Exception {
TestCaseUtils.initializeTestBackend(true);
String password = "******";
Entry e =
TestCaseUtils.makeEntry(
"dn: uid=test.user,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: test.user",
"givenName: Test",
"sn: User",
"cn: Test User",
"userPassword: "******"ds-pwp-password-policy-dn: cn=Clear UserPassword Policy,"
+ "cn=Password Policies,cn=config");
InternalClientConnection conn = InternalClientConnection.getRootConnection();
AddOperation addOperation =
conn.processAdd(
e.getDN(), e.getObjectClasses(),
e.getUserAttributes(), e.getOperationalAttributes());
assertEquals(addOperation.getResultCode(), ResultCode.SUCCESS);
String[] args = {
"--noPropertiesFile",
"-h",
"127.0.0.1",
"-p",
String.valueOf(TestCaseUtils.getServerLdapPort()),
"-o",
"mech=CRAM-MD5",
"-o",
"authid=dn:uid=test.user,o=test",
"-w",
password,
"-b",
"",
"-s",
"base",
"(objectClass=*)"
};
assertEquals(LDAPSearch.mainSearch(args, false, null, System.err), 0);
}
/**
* Performs a failed LDAP bind using CRAM-MD5 using the dn: form of the authentication ID with the
* DN of a user that doesn't exist.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testLDAPBindFailNoSuchUser() throws Exception {
TestCaseUtils.initializeTestBackend(true);
Entry e =
TestCaseUtils.makeEntry(
"dn: uid=test.user,o=test",
"objectClass: top",
"objectClass: person",
"objectClass: organizationalPerson",
"objectClass: inetOrgPerson",
"uid: test.user",
"givenName: Test",
"sn: User",
"cn: Test User",
"userPassword: password");
InternalClientConnection conn = InternalClientConnection.getRootConnection();
AddOperation addOperation =
conn.processAdd(
e.getDN(), e.getObjectClasses(),
e.getUserAttributes(), e.getOperationalAttributes());
assertEquals(addOperation.getResultCode(), ResultCode.SUCCESS);
String[] args = {
"--noPropertiesFile",
"-h",
"127.0.0.1",
"-p",
String.valueOf(TestCaseUtils.getServerLdapPort()),
"-o",
"mech=CRAM-MD5",
"-o",
"authid=dn:uid=doesntexist,o=test",
"-w",
"password",
"-b",
"",
"-s",
"base",
"(objectClass=*)"
};
assertFalse(LDAPSearch.mainSearch(args, false, null, null) == 0);
}
/**
* Encodes this entry using the V3 encoding.
*
* @param buffer The buffer to encode into.
* @throws DirectoryException If a problem occurs while attempting to encode the entry.
*/
private void encodeV2(Entry entry, ByteStringBuilder buffer, EntryEncodeConfig config)
throws DirectoryException {
// The version number will be one byte.
buffer.append((byte) 0x02);
// Get the encoded respresentation of the config.
config.encode(buffer);
// If we should include the DN, then it will be encoded as a
// one-to-five byte length followed by the UTF-8 byte
// representation.
if (!config.excludeDN()) {
// TODO: Can we encode the DN directly into buffer?
byte[] dnBytes = getBytes(entry.getDN().toString());
buffer.appendBERLength(dnBytes.length);
buffer.append(dnBytes);
}
// Encode the object classes in the appropriate manner.
if (config.compressObjectClassSets()) {
config.getCompressedSchema().encodeObjectClasses(buffer, entry.getObjectClasses());
} else {
// Encode number of OCs and 0 terminated names.
int i = 1;
ByteStringBuilder bsb = new ByteStringBuilder();
for (String ocName : entry.getObjectClasses().values()) {
bsb.append(ocName);
if (i < entry.getObjectClasses().values().size()) {
bsb.append((byte) 0x00);
}
i++;
}
buffer.appendBERLength(bsb.length());
buffer.append(bsb);
}
// Encode the user attributes in the appropriate manner.
encodeV2Attributes(buffer, entry.getUserAttributes(), config);
// The operational attributes will be encoded in the same way as
// the user attributes.
encodeV2Attributes(buffer, entry.getOperationalAttributes(), config);
}
/**
* Tests the entry encoding and decoding process the version 1 encoding.
*
* @throws Exception If the test failed unexpectedly.
*/
@Test(dataProvider = "encodeConfigs")
public void testEntryToAndFromDatabaseV3(EntryEncodeConfig config) throws Exception {
// Make sure that the server is up and running.
TestCaseUtils.startServer();
// Convert the test LDIF string to a byte array
byte[] originalLDIFBytes = StaticUtils.getBytes(ldifString);
LDIFReader reader =
new LDIFReader(new LDIFImportConfig(new ByteArrayInputStream(originalLDIFBytes)));
Entry entryBefore, entryAfterV3;
while ((entryBefore = reader.readEntry(false)) != null) {
ByteStringBuilder bsb = new ByteStringBuilder();
entryBefore.encode(bsb, config);
entryAfterV3 = Entry.decode(bsb.asReader());
if (config.excludeDN()) {
entryAfterV3.setDN(entryBefore.getDN());
}
assertEquals(entryBefore, entryAfterV3);
}
reader.close();
}
/** {@inheritDoc} */
@Override()
public void renameEntry(DN currentDN, Entry entry, ModifyDNOperation modifyDNOperation)
throws DirectoryException, CanceledOperationException {
checkDiskSpace(modifyDNOperation);
writerBegin();
EntryContainer currentContainer;
if (rootContainer != null) {
currentContainer = rootContainer.getEntryContainer(currentDN);
} else {
Message message = ERR_ROOT_CONTAINER_NOT_INITIALIZED.get(getBackendID());
throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), message);
}
EntryContainer container = rootContainer.getEntryContainer(entry.getDN());
if (currentContainer != container) {
// FIXME: No reason why we cannot implement a move between containers
// since the containers share the same database environment.
Message msg = WARN_JEB_FUNCTION_NOT_SUPPORTED.get();
throw new DirectoryException(ResultCode.UNWILLING_TO_PERFORM, msg);
}
currentContainer.sharedLock.lock();
try {
currentContainer.renameEntry(currentDN, entry, modifyDNOperation);
} catch (DatabaseException e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
throw createDirectoryException(e);
} finally {
currentContainer.sharedLock.unlock();
writerEnd();
}
}
/**
* Tests performing an internal search using the VLV control to retrieve a subset of the entries
* using an assertion value before any actual value in the list.
*
* @throws Exception If an unexpected problem occurred.
*/
@Test()
public void testInternalSearchByValueBeforeAll() throws Exception {
populateDB();
InternalClientConnection conn = InternalClientConnection.getRootConnection();
ArrayList<Control> requestControls = new ArrayList<Control>();
requestControls.add(new ServerSideSortRequestControl("givenName"));
requestControls.add(new VLVRequestControl(0, 3, ByteString.valueOf("a")));
InternalSearchOperation internalSearch =
new InternalSearchOperation(
conn,
InternalClientConnection.nextOperationID(),
InternalClientConnection.nextMessageID(),
requestControls,
DN.decode("dc=example,dc=com"),
SearchScope.WHOLE_SUBTREE,
DereferencePolicy.NEVER_DEREF_ALIASES,
0,
0,
false,
SearchFilter.createFilterFromString("(objectClass=person)"),
null,
null);
internalSearch.run();
assertEquals(internalSearch.getResultCode(), ResultCode.SUCCESS);
ArrayList<DN> expectedDNOrder = new ArrayList<DN>();
expectedDNOrder.add(aaccfJohnsonDN); // Aaccf
expectedDNOrder.add(aaronZimmermanDN); // Aaron
expectedDNOrder.add(albertZimmermanDN); // Albert, lower entry ID
expectedDNOrder.add(albertSmithDN); // Albert, higher entry ID
ArrayList<DN> returnedDNOrder = new ArrayList<DN>();
for (Entry e : internalSearch.getSearchEntries()) {
returnedDNOrder.add(e.getDN());
}
assertEquals(returnedDNOrder, expectedDNOrder);
List<Control> responseControls = internalSearch.getResponseControls();
assertNotNull(responseControls);
assertEquals(responseControls.size(), 2);
ServerSideSortResponseControl sortResponse = null;
VLVResponseControl vlvResponse = null;
for (Control c : responseControls) {
if (c.getOID().equals(OID_SERVER_SIDE_SORT_RESPONSE_CONTROL)) {
if (c instanceof LDAPControl) {
sortResponse =
ServerSideSortResponseControl.DECODER.decode(
c.isCritical(), ((LDAPControl) c).getValue());
} else {
sortResponse = (ServerSideSortResponseControl) c;
}
} else if (c.getOID().equals(OID_VLV_RESPONSE_CONTROL)) {
if (c instanceof LDAPControl) {
vlvResponse =
VLVResponseControl.DECODER.decode(c.isCritical(), ((LDAPControl) c).getValue());
} else {
vlvResponse = (VLVResponseControl) c;
}
} else {
fail("Response control with unexpected OID " + c.getOID());
}
}
assertNotNull(sortResponse);
assertEquals(sortResponse.getResultCode(), 0);
assertNotNull(vlvResponse);
assertEquals(vlvResponse.getVLVResultCode(), 0);
assertEquals(vlvResponse.getTargetPosition(), 1);
assertEquals(vlvResponse.getContentCount(), 9);
}
/**
* Tests performing an internal search using the VLV control with a start start position beyond
* the end of the result set.
*
* @throws Exception If an unexpected problem occurred.
*/
@Test()
public void testInternalSearchByOffsetStartPositionTooHigh() throws Exception {
populateDB();
InternalClientConnection conn = InternalClientConnection.getRootConnection();
ArrayList<Control> requestControls = new ArrayList<Control>();
requestControls.add(new ServerSideSortRequestControl("givenName"));
requestControls.add(new VLVRequestControl(3, 3, 30, 0));
InternalSearchOperation internalSearch =
new InternalSearchOperation(
conn,
InternalClientConnection.nextOperationID(),
InternalClientConnection.nextMessageID(),
requestControls,
DN.decode("dc=example,dc=com"),
SearchScope.WHOLE_SUBTREE,
DereferencePolicy.NEVER_DEREF_ALIASES,
0,
0,
false,
SearchFilter.createFilterFromString("(objectClass=person)"),
null,
null);
internalSearch.run();
assertEquals(internalSearch.getResultCode(), ResultCode.SUCCESS);
ArrayList<DN> expectedDNOrder = new ArrayList<DN>();
expectedDNOrder.add(maryJonesDN); // Mary
expectedDNOrder.add(samZweckDN); // Sam
expectedDNOrder.add(zorroDN); // No first name
ArrayList<DN> returnedDNOrder = new ArrayList<DN>();
for (Entry e : internalSearch.getSearchEntries()) {
returnedDNOrder.add(e.getDN());
}
assertEquals(returnedDNOrder, expectedDNOrder);
List<Control> responseControls = internalSearch.getResponseControls();
assertNotNull(responseControls);
VLVResponseControl vlvResponse = null;
for (Control c : responseControls) {
if (c.getOID().equals(OID_VLV_RESPONSE_CONTROL)) {
if (c instanceof LDAPControl) {
vlvResponse =
VLVResponseControl.DECODER.decode(c.isCritical(), ((LDAPControl) c).getValue());
} else {
vlvResponse = (VLVResponseControl) c;
}
}
}
assertNotNull(vlvResponse);
assertEquals(vlvResponse.getVLVResultCode(), LDAPResultCode.SUCCESS);
assertEquals(vlvResponse.getTargetPosition(), 10);
assertEquals(vlvResponse.getContentCount(), 9);
}
/**
* Checks to see if a LDAP modification is allowed access.
*
* @param container The structure containing the LDAP modifications
* @param operation The operation to check modify privileges on. operation to check and the
* evaluation context to apply the check against.
* @param skipAccessCheck True if access checking should be skipped.
* @return True if access is allowed.
* @throws DirectoryException If a modified ACI could not be decoded.
*/
private boolean aciCheckMods(
AciLDAPOperationContainer container,
LocalBackendModifyOperation operation,
boolean skipAccessCheck)
throws DirectoryException {
Entry resourceEntry = container.getResourceEntry();
DN dn = resourceEntry.getDN();
List<Modification> modifications = operation.getModifications();
for (Modification m : modifications) {
Attribute modAttr = m.getAttribute();
AttributeType modAttrType = modAttr.getAttributeType();
if (modAttrType.equals(aciType)) {
/*
* Check that the operation has modify privileges if it contains
* an "aci" attribute type.
*/
if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
Message message =
INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(
String.valueOf(container.getResourceDN()),
String.valueOf(container.getClientDN()));
logError(message);
return false;
}
}
// This access check handles the case where all attributes of this
// type are being replaced or deleted. If only a subset is being
// deleted than this access check is skipped.
ModificationType modType = m.getModificationType();
if (((modType == ModificationType.DELETE) && modAttr.isEmpty())
|| ((modType == ModificationType.REPLACE) || (modType == ModificationType.INCREMENT))) {
/*
* Check if we have rights to delete all values of an attribute
* type in the resource entry.
*/
if (resourceEntry.hasAttribute(modAttrType)) {
container.setCurrentAttributeType(modAttrType);
List<Attribute> attrList = resourceEntry.getAttribute(modAttrType, modAttr.getOptions());
if (attrList != null) {
for (Attribute a : attrList) {
for (AttributeValue v : a) {
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_DELETE);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
}
}
}
}
}
if (!modAttr.isEmpty()) {
for (AttributeValue v : modAttr) {
container.setCurrentAttributeType(modAttrType);
switch (m.getModificationType()) {
case ADD:
case REPLACE:
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_ADD);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
break;
case DELETE:
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_DELETE);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
break;
case INCREMENT:
Entry modifiedEntry = operation.getModifiedEntry();
List<Attribute> modifiedAttrs =
modifiedEntry.getAttribute(modAttrType, modAttr.getOptions());
if (modifiedAttrs != null) {
for (Attribute attr : modifiedAttrs) {
for (AttributeValue val : attr) {
container.setCurrentAttributeValue(val);
container.setRights(ACI_WRITE_ADD);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
}
}
}
break;
}
/*
* Check if the modification type has an "aci" attribute type.
* If so, check the syntax of that attribute value. Fail the
* the operation if the syntax check fails.
*/
if (modAttrType.equals(aciType) || modAttrType.equals(globalAciType)) {
try {
// A global ACI needs a NULL DN, not the DN of the
// modification.
if (modAttrType.equals(globalAciType)) {
dn = DN.nullDN();
}
Aci.decode(v.getValue(), dn);
} catch (AciException ex) {
Message message =
WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn), ex.getMessage());
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
}
}
return true;
}
/** {@inheritDoc} */
@Override
public void addEntry(Entry entry, AddOperation addOperation) throws DirectoryException {
throw new DirectoryException(
ResultCode.UNWILLING_TO_PERFORM,
ERR_BACKEND_ADD_NOT_SUPPORTED.get(String.valueOf(entry.getDN()), getBackendID()));
}
private DN getDN(Entry e) {
return e != null ? e.getDN() : DN.nullDN();
}
