/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2011-2015 ForgeRock AS
*/
/**
* This class defines an operation that may be used to locate entries in the
* Directory Server based on a given set of criteria.
*/
public class SearchOperationBasis
extends AbstractOperation
implements PreParseSearchOperation,
{
// NOTE(review): this listing is incomplete. The interface list above ends in a
// trailing comma, several field declarations and most method signatures are
// absent, and statements are missing inside many bodies. The comments added
// here describe only what the visible lines show; anything inferred is marked.
/**
* Indicates whether a search result done response has been sent to the
* client.
*/
// NOTE(review): the declaration this comment belongs to is not in the listing;
// sendSearchResultDone() calls responseSent.compareAndSet(false, true), so it
// is presumably an atomic boolean named responseSent -- confirm.
/** Indicates whether the client is able to handle referrals. */
private boolean clientAcceptsReferrals = true;
/**
* Indicates whether to include the account usable control with search result
* entries.
*/
private boolean includeUsableControl;
/** Indicates whether only real attributes should be returned. */
private boolean realAttributesOnly;
/** Indicates whether only LDAP subentries should be returned. */
private boolean returnSubentriesOnly;
/**
* Indicates whether the filter references subentry or ldapSubentry object
* class.
*/
private boolean filterIncludesSubentries;
// Starts out true and is cleared inside the subentry handling of the
// entry-return path; presumably so the filter is inspected for subentry
// object classes only once per operation -- confirm.
private boolean filterNeedsCheckingForSubentries = true;
/**
* Indicates whether to include attribute types only or both types and values.
*/
private boolean typesOnly;
/** Indicates whether only virtual attributes should be returned. */
private boolean virtualAttributesOnly;
// NOTE(review): the declarations for the next four comments (raw base DN,
// dereferencing policy, base DN, proxied authorization DN) are not in this
// listing.
/**
* The raw, unprocessed base DN as included in the request from the client.
*/
/** The dereferencing policy for the search operation. */
/** The base DN for the search operation. */
/** The proxied authorization target DN for this operation. */
/** The number of entries that have been sent to the client. */
private int entriesSent;
/**
* The number of search result references that have been sent to the client.
*/
private int referencesSent;
/** The size limit for the search operation. */
private int sizeLimit;
/** The time limit for the search operation. */
private int timeLimit;
// NOTE(review): the declarations for the raw filter, the attribute set and
// the response controls are not in this listing.
/** The raw, unprocessed filter as included in the request from the client. */
/** The set of attributes that should be returned in matching entries. */
/** The set of response controls for this search operation. */
/** The time that the search time limit has expired. */
private long timeLimitExpiration;
// NOTE(review): the declarations for the matched values control, the parsed
// filter and the scope are not in this listing.
/** The matched values control associated with this search operation. */
/** The search filter for the search operation. */
/** The search scope for the search operation. */
/** Indicates whether to send the search result done to the client or not. */
private boolean sendResponse = true;
/**
* Creates a new search operation with the provided information.
*
* @param clientConnection The client connection with which this operation
* is associated.
* @param operationID The operation ID for this operation.
* @param messageID The message ID of the request with which this
* operation is associated.
* @param requestControls The set of controls included in the request.
* @param rawBaseDN The raw, unprocessed base DN as included in the
* request from the client.
* @param scope The scope for this search operation.
* @param derefPolicy The alias dereferencing policy for this search
* operation.
* @param sizeLimit The size limit for this search operation.
* @param timeLimit The time limit for this search operation.
* @param typesOnly The typesOnly flag for this search operation.
* @param rawFilter the raw, unprocessed filter as included in the
* request from the client.
* @param attributes The requested attributes for this search
* operation.
*/
long operationID,
{
// NOTE(review): only one parameter line and this assignment survive in the
// listing; the rest of the constructor (including how sizeLimit and timeLimit
// are initialised) is not visible.
this.derefPolicy = derefPolicy;
}
/**
* Creates a new search operation with the provided information.
*
* @param clientConnection The client connection with which this operation
* is associated.
* @param operationID The operation ID for this operation.
* @param messageID The message ID of the request with which this
* operation is associated.
* @param requestControls The set of controls included in the request.
* @param baseDN The base DN for this search operation.
* @param scope The scope for this search operation.
* @param derefPolicy The alias dereferencing policy for this search
* operation.
* @param sizeLimit The size limit for this search operation.
* @param timeLimit The time limit for this search operation.
* @param typesOnly The typesOnly flag for this search operation.
* @param filter The filter for this search operation.
* @param attributes The attributes for this search operation.
*/
long operationID,
{
// NOTE(review): as with the constructor above, only this assignment is
// visible in the listing.
this.derefPolicy = derefPolicy;
}
{
// NOTE(review): the signature and the first condition of this block are not in
// the listing. The visible branches return either sizeLimit or, when
// sizeLimit <= 0, clientConnection.getSizeLimit(). Presumably this chooses the
// limit to enforce when both the request and the connection supply one; the
// missing condition and the fall-through return should be checked against the
// full source, because the result bounds how many entries one search can
// return.
{
return sizeLimit;
}
else if (sizeLimit <= 0)
{
return clientConnection.getSizeLimit();
}
}
{
// NOTE(review): same shape as the size-limit block above, for the time limit:
// the signature, the first condition and the fall-through return are not in
// the listing. A non-positive timeLimit yields clientConnection.getTimeLimit().
{
return timeLimit;
}
else if (timeLimit <= 0)
{
return clientConnection.getTimeLimit();
}
}
{
// Accessor body for the raw base DN (signature not in the listing).
return rawBaseDN;
}
{
}
{
// Returns baseDN after a try block whose contents are not in the listing.
// NOTE(review): the catch body is empty here. If the full source also discards
// the DirectoryException, a caller receives whatever baseDN currently holds
// (possibly null) and must handle that case -- confirm.
try
{
{
}
}
catch (DirectoryException de)
{
}
return baseDN;
}
{
}
{
// Accessor body for the search scope (signature not in the listing).
return scope;
}
{
}
{
// Accessor body for the alias dereferencing policy (signature not in the
// listing).
return derefPolicy;
}
{
// Mutator body for the alias dereferencing policy (signature not in the
// listing).
this.derefPolicy = derefPolicy;
}
/**
* Returns the size limit held by this operation. The cleanup code in run()
* sets it to 0 to make a persistent search unlimited.
*
* @return the current size limit value.
*/
public final int getSizeLimit()
{
return sizeLimit;
}
{
}
/**
* Returns the time limit held by this operation. Callers in this class only
* enforce it when it is greater than zero, and run() sets it to 0 to make a
* persistent search unlimited.
*
* @return the current time limit value.
*/
public final int getTimeLimit()
{
return timeLimit;
}
{
}
/**
* Returns the typesOnly flag.
*
* @return the value of the typesOnly field, which the field comment describes
* as selecting attribute types only rather than types and values.
*/
public final boolean getTypesOnly()
{
return typesOnly;
}
{
}
{
// Accessor body for the raw filter (signature not in the listing).
return rawFilter;
}
{
}
{
// Returns filter after a try block whose contents are not in the listing.
// NOTE(review): the catch body is empty here, as in the base DN accessor; if
// the full source also discards the exception, the returned filter may be
// unset -- confirm.
try
{
{
}
}
catch (DirectoryException de)
{
}
return filter;
}
{
// Accessor body for the requested attribute set (signature not in the
// listing). The field itself is returned, not a copy.
return attributes;
}
{
// Mutator body for the requested attribute set (signature not in the
// listing). A null argument empties the existing set instead of storing null;
// any other argument is stored by reference, so later changes made by the
// caller to that collection are visible to this operation.
if (attributes == null)
{
this.attributes.clear();
}
else
{
this.attributes = attributes;
}
}
/**
* Returns the number of entries sent to the client so far. The counter is
* incremented in the entry-return path after an entry has been sent.
*
* @return the value of entriesSent.
*/
public final int getEntriesSent()
{
return entriesSent;
}
/**
* Returns the number of search result references sent to the client so far.
*
* @return the value of referencesSent.
*/
public final int getReferencesSent()
{
return referencesSent;
}
{
}
boolean evaluateAci)
{
// Entry-return path. NOTE(review): the method name and its leading parameters
// are not in this listing; only the trailing evaluateAci parameter is visible.
// As shown, false is returned where the existing comments say the search
// should end (limit reached, failure while sending) and true where the entry
// is skipped but the search goes on.
boolean typesOnly = getTypesOnly();
// See if the size limit has been exceeded. If so, then don't send the
// entry and indicate that the search should end.
// NOTE(review): the size-limit condition itself is not in the listing.
{
return false;
}
// See if the time limit has expired. If so, then don't send the entry and
// indicate that the search should end.
// NOTE(review): the second half of this condition is not in the listing; the
// visible half shows the check is skipped when the time limit is not positive.
if (getTimeLimit() > 0
{
return false;
}
// Determine whether the provided entry is a subentry and if so whether it
// should be returned.
// NOTE(review): the subentry test and the filter inspection are only partly
// visible. What can be seen: the needs-checking flag is cleared once, a
// subentry is skipped (true) under a condition that includes
// !isReturnSubentriesOnly(), and a non-subentry is skipped (true) when only
// subentries were requested.
{
{
filterNeedsCheckingForSubentries = false;
}
&& !isReturnSubentriesOnly())
{
return true;
}
}
else if (isReturnSubentriesOnly())
{
// Subentries are visible and normal entries are not.
return true;
}
// Determine whether to include the account usable control. If so, then
// create it now.
if (isIncludeUsableControl())
{
{
}
try
{
// FIXME -- Need a way to enable PWP debugging.
entry, false);
if (state.isPasswordPolicy())
{
|| pwpState.isAccountExpired();
{
}
else
{
}
}
// Another type of authentication policy (e.g. PTA).
else if (state.isDisabled())
{
-1, true, -1));
}
else
{
}
}
catch (Exception e)
{
// As shown, a failure while building the account usable control is only
// traced; processing of the entry continues without aborting the search.
logger.traceException(e);
}
}
// Check to see if the entry can be read by the client.
// NOTE(review): the access check itself is not in the listing. Presumably an
// entry that fails it is dropped here and the search continues (true), so the
// client gets no per-entry error for entries it may not read -- confirm.
{
return true;
}
// Make a copy of the entry and pare it down to only include the set
// of requested attributes.
// NOTE: that this copy will include the objectClass attribute.
// If there is a matched values control, then further pare down the entry
// based on the filters that it contains.
{
// First, look at the set of objectclasses.
// NOTE: the objectClass attribute is also present and must be
// dealt with later.
while (ocIterator.hasNext())
{
{
// Removal goes through the iterator; the condition that selects the object
// class for removal is not in the listing.
ocIterator.remove();
}
}
// Next, the set of user attributes (incl. objectClass attribute).
.getUserAttributes().entrySet())
{
AttributeType t = e.getKey();
for (Attribute a : oldAttributes)
{
// Assume that the attribute will be either empty or contain
// very few values.
for (ByteString v : a)
{
// The action taken for a matching value is not in the listing.
if (matchedValuesControl.valueMatches(t, v))
{
}
}
}
}
// Then the set of operational attributes.
{
AttributeType t = e.getKey();
for (Attribute a : oldAttributes)
{
// Assume that the attribute will be either empty or contain
// very few values.
for (ByteString v : a)
{
// The action taken for a matching value is not in the listing.
if (matchedValuesControl.valueMatches(t, v))
{
}
}
}
}
}
// Convert the provided entry to a search result entry.
// Strip out any attributes that the client does not have access to.
// FIXME: need some way to prevent plugins from adding attributes or
// values that the client is not permitted to see.
// NOTE(review): the filtering call is not in the listing. Attribute-level
// access control is applied at this point only when evaluateAci is true, and
// the entry plugins run after it; no second check is visible after the
// plugins, which is the gap the FIXME above describes.
if (evaluateAci)
{
}
// Invoke any search entry plugins that may be registered with the server.
// Send the entry to the client.
if (pluginResult.sendResponse())
{
// Log the entry sent to the client.
try
{
// The send call is not in the listing; the counter is incremented inside the
// same try block, and a DirectoryException ends the search.
entriesSent++;
}
catch (DirectoryException de)
{
return false;
}
}
return pluginResult.continueProcessing();
}
{
}
{
}
boolean evaluateAci)
{
// Reference-return path. NOTE(review): the method name and its leading
// parameters are not in this listing. The return convention matches the
// entry-return path: false ends the search, true lets it continue.
// See if the time limit has expired. If so, then don't send the entry and
// indicate that the search should end.
// NOTE(review): the second half of this condition is not in the listing.
if (getTimeLimit() > 0
{
return false;
}
// See if we know that this client can't handle referrals. If so, then
// don't even try to send it.
// NOTE(review): the rest of this statement is not in the listing, so the
// block returning true below may belong to the permission check described by
// the next comment rather than to this condition.
if (!isClientAcceptsReferrals()
// See if the client has permission to read this reference.
{
return true;
}
// Invoke any search reference plugins that may be registered with the
// server.
// Send the reference to the client. Note that this could throw an
// exception, which would indicate that the associated client can't handle
// referrals. If that's the case, then set a flag so we'll know not to try
// to send any more.
if (pluginResult.sendResponse())
{
// Log the entry sent to the client.
logSearchResultReference(this, reference);
try
{
if (sendSearchReference(reference))
{
// FIXME -- Should the size limit apply here?
}
else
{
// We know that the client can't handle referrals, so we won't try to
// send it any more.
setClientAcceptsReferrals(false);
}
}
catch (DirectoryException de)
{
return false;
}
}
return pluginResult.continueProcessing();
}
/**
* Logs and sends the search result done response to the client at most once.
* The compareAndSet on responseSent lets only the first caller through, so
* concurrent callers cannot produce a duplicate response.
*/
public final void sendSearchResultDone()
{
// Send the search result done message to the client. We want to make sure
// that this only gets sent once, and it's possible that this could be
// multithreaded in the event of a persistent search, so do it safely.
if (responseSent.compareAndSet(false, true))
{
logSearchResultDone(this);
clientConnection.sendResponse(this);
}
}
{
// Note that no debugging will be done in this method because it is a likely
// candidate for being called by the logging subsystem.
return OperationType.SEARCH;
}
{
// Accessor body for the proxied authorization DN (signature not in the
// listing).
return proxiedAuthorizationDN;
}
{
// Accessor body for the response controls (signature not in the listing).
// The field itself is returned, not a copy.
return responseControls;
}
{
}
{
}
{
// NOTE(review): the signature and the condition guarding this assignment are
// not in the listing.
{
this.cancelRequest = cancelRequest;
}
}
{
}
{
}
/**
* Returns whether only LDAP subentries should be returned.
*
* @return the value of returnSubentriesOnly.
*/
public boolean isReturnSubentriesOnly()
{
return returnSubentriesOnly;
}
{
}
{
// Accessor body for the matched values control (signature not in the
// listing).
return matchedValuesControl;
}
{
// Mutator body for the matched values control (signature not in the listing).
this.matchedValuesControl = controls;
}
/**
* Returns whether the account usable control should be included with search
* result entries.
*
* @return the value of includeUsableControl.
*/
public boolean isIncludeUsableControl()
{
return includeUsableControl;
}
{
}
/**
* Returns the stored time limit expiration value.
*
* @return the value of timeLimitExpiration.
*/
public long getTimeLimitExpiration()
{
return timeLimitExpiration;
}
/**
* Returns whether the client is believed to handle referrals. The flag starts
* as true and is cleared by the reference-return path when
* sendSearchReference reports that the reference could not be sent.
*
* @return the value of clientAcceptsReferrals.
*/
public boolean isClientAcceptsReferrals()
{
return clientAcceptsReferrals;
}
{
}
/**
* Returns whether the search result done should be sent to the client.
*
* @return the value of sendResponse.
*/
public boolean isSendResponse()
{
return sendResponse;
}
{
// Mutator body for the sendResponse flag (signature not in the listing).
this.sendResponse = sendResponse;
}
/**
* Returns whether only real attributes should be returned.
*
* @return the value of realAttributesOnly.
*/
public boolean isRealAttributesOnly()
{
return this.realAttributesOnly;
}
/**
* Returns whether only virtual attributes should be returned.
*
* @return the value of virtualAttributesOnly.
*/
public boolean isVirtualAttributesOnly()
{
return this.virtualAttributesOnly;
}
{
// Mutator body for the realAttributesOnly flag (signature not in the
// listing).
this.realAttributesOnly = realAttributesOnly;
}
{
}
throws DirectoryException
{
}
throws DirectoryException
{
}
{
}
/**
* Runs the search operation. As far as this listing shows, it logs the
* request, resets the sendResponse flag to true, reads the time limit,
* checks for cancellation twice inside the try block, and in the finally
* block either leaves the response to be sent or, when sendResponse is
* false, sets both the size and the time limit to 0.
*
* NOTE(review): most statements of this method are not in the listing,
* including the timer calls, the expiration arithmetic, the base DN and
* filter processing and the cancel handling.
*/
public final void run()
{
// Start the processing timer.
logSearchRequest(this);
setSendResponse(true);
int timeLimit = getTimeLimit();
// Local variable; it shadows the field of the same name inside this method.
long timeLimitExpiration;
if (timeLimit <= 0)
{
}
else
{
// FIXME -- Factor in the user's effective time limit.
}
try
{
// Check for and handle a request to cancel this operation.
checkIfCanceled(false);
{
return;
}
// Check for and handle a request to cancel this operation.
checkIfCanceled(false);
// Process the search base and filter to convert them from their raw forms
// as provided by the client to the forms required for the rest of the
// search processing.
return;
}
}
catch(CanceledOperationException coe)
{
}
finally
{
// Stop the processing timer.
{
// If everything is successful to this point and it is not a persistent
// search, then send the search result done message to the client.
// Otherwise, we'll want to make the size and time limit values
// unlimited to ensure that the remainder of the persistent search
// isn't subject to those restrictions.
// NOTE(review): once the limits are zeroed here, the limit checks in the
// entry- and reference-return paths no longer bound a persistent search;
// any resource control for such searches has to come from code that is not
// in this listing -- confirm.
if (isSendResponse())
{
}
else
{
setSizeLimit(0);
setTimeLimit(0);
}
}
else if(cancelRequest.notifyOriginalRequestor() ||
{
}
// If no cancel result, set it
if(cancelResult == null)
{
}
}
}
/** Invokes the post response plugins. */
private void invokePostResponsePlugins()
{
// Invoke the post response plugins that have been registered with
// the current operation
}
/**
* NOTE(review): the body of this method is not in the listing; the name
* suggests it refreshes the operation's error message and result code, but
* nothing here confirms that.
*/
public void updateOperationErrMsgAndResCode()
{
}
/**
* Checks if the filter contains an equality element with the objectclass
* attribute type and a value of "ldapSubentry" and if so sets
* returnSubentriesOnly to <code>true</code>.
*
* @param filter
* The complete filter being checked, of which this filter may be a
* subset.
* @param depth
* The current depth of the evaluation, which is used to prevent
* infinite recursion due to highly nested filters and eventually
* running out of stack space.
* @return {@code true} if the filter references the sub-entry object class.
*/
{
// NOTE(review): the signature is not in the listing. The visible body only
// returns a boolean; no assignment to returnSubentriesOnly appears in it, so
// the first sentence of the Javadoc above may describe the caller -- confirm.
// Paranoid check to avoid recursion deep enough to provoke
// the stack overflow. This should never happen because if
// a given filter is too nested SearchFilter exception gets
// raised long before this method is invoked.
// At or beyond MAX_NESTED_FILTER_DEPTH the method stops descending and
// answers false, optionally tracing first.
if (depth >= MAX_NESTED_FILTER_DEPTH)
{
if (logger.isTraceEnabled())
{
}
return false;
}
switch (filter.getFilterType())
{
case EQUALITY:
{
// FIXME : technically this is not correct since the presence
// of draft oc would trigger rfc oc visibility and vice versa.
{
return true;
}
}
break;
case AND:
case OR:
{
// The loop over the filter components and the recursive call are not in the
// listing; a true result from them is propagated here.
{
return true;
}
}
break;
}
// Filter types other than EQUALITY, AND and OR have no case above and end up
// here.
return false;
}
}