AciListenerManager.java revision 040cba63ba4af5bed76846f0edb63c853b009da9
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2014 ForgeRock AS
*/
/**
* The AciListenerManager updates the ACI list after each modification
* operation. It also updates the ACI list when backends are initialized
* and finalized.
*/
public class AciListenerManager implements
{
/**
* The fully-qualified name of this class.
*/
private static final String CLASS_NAME =
"org.opends.server.authorization.dseecompat.AciListenerManager";
/**
* Internal plugin used for updating the cache before a response is
* sent to the client.
*/
private final class AciChangeListenerPlugin extends
{
private AciChangeListenerPlugin()
{
PluginType.POST_OPERATION_MODIFY_DN), true);
}
/**
* {@inheritDoc}
*/
public void doPostSynchronization(
{
{
}
}
/**
* {@inheritDoc}
*/
public void doPostSynchronization(
{
{
}
}
/**
* {@inheritDoc}
*/
public void doPostSynchronization(
{
{
}
}
/**
* {@inheritDoc}
*/
public void doPostSynchronization(
{
{
}
}
/**
* {@inheritDoc}
*/
public PostOperation doPostOperation(
{
// Only do something if the operation is successful, meaning there
// has been a change.
{
}
// If we've gotten here, then everything is acceptable.
}
/**
* {@inheritDoc}
*/
public PostOperation doPostOperation(
{
// Only do something if the operation is successful, meaning there
// has been a change.
{
}
// If we've gotten here, then everything is acceptable.
}
/**
* {@inheritDoc}
*/
public PostOperation doPostOperation(
{
// Only do something if the operation is successful, meaning there
// has been a change.
{
}
// If we've gotten here, then everything is acceptable.
}
/**
* {@inheritDoc}
*/
public PostOperation doPostOperation(
{
// Only do something if the operation is successful, meaning there
// has been a change.
{
}
// If we've gotten here, then everything is acceptable.
}
{
// This entry might have both global and aci attribute types.
if (hasAci || hasGlobalAci)
{
// Ignore this list, the ACI syntax has already passed and it
// should be empty.
}
}
{
// This entry might have both global and aci attribute types.
}
{
}
{
// A change to the ACI list is expensive so let's first make sure
// that the modification included changes to the ACI. We'll check
// for both "aci" attribute types and global "ds-cfg-global-aci"
// attribute types.
boolean hasAci = false, hasGlobalAci = false;
{
.getAttributeType();
{
hasAci = true;
}
{
hasGlobalAci = true;
}
if (hasAci && hasGlobalAci)
{
break;
}
}
if (hasAci || hasGlobalAci)
{
}
}
}
/*
* The configuration DN.
*/
private DN configurationDN;
/*
* True if the server is in lockdown mode.
*/
private boolean inLockDownMode = false;
/*
* The AciList caches the ACIs.
*/
/*
* Search filter used in context search for "aci" attribute types.
*/
private static SearchFilter aciFilter;
/*
* Internal plugin used for updating the cache before a response is
* sent to the client.
*/
private final AciChangeListenerPlugin plugin;
/*
* The aci attribute type is operational so we need to specify it to
* be returned.
*/
new LinkedHashSet<String>();
static
{
/*
* Set up the filter used to search private and public contexts.
*/
try
{
}
catch (DirectoryException ex)
{
// TODO should never happen, error message?
// NOTE(review): if this catch does fire, aciFilter is left null and is
// never retried, so any later context search that relies on it would
// fail; the exception should at least be logged here rather than dropped
// silently (the filter construction itself is not visible in this listing).
}
}
/**
* Save the list created by the AciHandler routine. Registers as an
* Alert Generator that can send alerts when the server is being put
* in lockdown mode. Registers as backend initialization listener that
* is used to manage the ACI list cache when backends are
* initialized/finalized. Registers as a change notification listener
* that is used to manage the ACI list cache after ACI modifications
* have been performed.
*
* @param aciList
* The list object created and loaded by the handler.
* @param cfgDN
* The DN of the access control configuration entry.
*/
{
this.configurationDN = cfgDN;
this.plugin = new AciChangeListenerPlugin();
// Process ACI from already registered backends.
if (backendMap != null) {
}
}
}
/**
* Deregister from the change notification listener, the backend
* initialization listener and the alert generator.
*/
public void finalizeListenerManager()
{
// NOTE(review): the Javadoc describes three deregistrations (change
// notification listener, backend initialization listener, alert generator)
// but no statements are visible in this listing -- confirm against the
// repository that they are present, since a listener left registered after
// finalization could keep updating the ACI cache.
}
/**
* {@inheritDoc} In this case, the server will search the backend to
* find all aci attribute type values that it may contain and add them
* to the ACI list.
*/
{
// Check to make sure that the backend has a presence index defined
// for the ACI attribute. If it does not, then log a warning message
// because this processing could be very expensive.
{
}
// Add manageDsaIT control so any ACIs in referral entries will be
// picked up.
// Add group membership control to let a backend look for it and
// decide if it would abort searches.
{
try
{
{
continue;
}
}
catch (Exception e)
{
logger.traceException(e);
continue;
}
.addControl(c1)
.addControl(c2)
try
{
}
catch (Exception e)
{
logger.traceException(e);
continue;
}
{
if (!failedACIMsgs.isEmpty())
}
}
}
/**
* {@inheritDoc} In this case, the server will remove all aci
* attribute type values associated with entries in the provided
* backend.
*/
{
}
/**
* Retrieves the fully-qualified name of the Java class for this alert
* generator implementation.
*
* @return The fully-qualified name of the Java class for this alert
* generator implementation.
*/
public String getClassName()
{
// Name reported to the alert framework for alerts raised by this manager.
final String className = CLASS_NAME;
return className;
}
/**
* Retrieves the DN of the configuration entry used to configure the
* handler.
*
* @return The DN of the configuration entry containing the Access
* Control configuration information.
*/
public DN getComponentEntryDN()
{
// The access control configuration entry DN captured at construction time.
return configurationDN;
}
/**
* Retrieves information about the set of alerts that this generator
* may produce. The returned map should be keyed by the notification
* type of each alert, with that alert's human-readable description as
* the value. This alert generator must not generate any alerts with
* types that are not contained in this map.
*
* @return Information about the set of alerts that this generator may
* produce.
*/
{
return alerts;
}
/**
* Log the exception messages from the failed ACI decode and then put
* the server in lockdown mode -- if needed.
*
* @param failedACIMsgs
* List of exception messages from failed ACI decodes.
*/
{
{
}
if (!inLockDownMode)
}
/**
* Send a WARN_ACI_ENTER_LOCKDOWN_MODE alert notification and put the
* server in lockdown mode.
*/
private void setLockDownMode()
{
// Only the first call has an effect: once inLockDownMode is set, further
// ACI decode failures do not re-raise the alert or re-enter lockdown.
// NOTE(review): inLockDownMode is a plain, unsynchronized field; if the
// plugin callbacks that lead here can run concurrently, this read-then-write
// races -- confirm the callers' threading.
if (!inLockDownMode)
{
inLockDownMode = true;
// Send ALERT_TYPE_ACCESS_CONTROL_PARSE_FAILED alert that
// lockdown is about to be entered.
// NOTE(review): the statement that sends this alert is not visible in
// this listing -- confirm it is present against the repository.
// Enter lockdown mode.
// Presumably fail-closed: an ACI that could not be decoded cannot be
// enforced, so the server stops serving rather than continuing with an
// incomplete ACI list.
DirectoryServer.setLockdownMode(true);
}
}
}