Posted to commits@directory.apache.org by ka...@apache.org on 2010/05/28 16:34:01 UTC
svn commit: r949186 - in /directory/apacheds/trunk:
core/src/main/java/org/apache/directory/server/core/operational/
ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/
Author: kayyagari
Date: Fri May 28 14:34:00 2010
New Revision: 949186
URL: http://svn.apache.org/viewvc?rev=949186&view=rev
Log:
fix for DIRSERVER-1416 (we now allow modification of modifyTimestamp and modifiersName operational AT by admin user, this is needed by the replication system)
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientAddRequestTest.java
directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientModifyRequestTest.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java?rev=949186&r1=949185&r2=949186&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/operational/OperationalAttributeInterceptor.java Fri May 28 14:34:00 2010
@@ -168,38 +168,8 @@ public class OperationalAttributeInterce
Entry entry = opContext.getEntry();
- /*
- * @TODO : This code was probably created while working on Mitosis. Most probably dead code. Commented.
- * Check JIRA DIRSERVER-1416
- if ( opContext.getEntry().containsAttribute( CREATE_TIMESTAMP_ATTRIBUTE_TYPE ) )
- {
- // As we already have a CreateTimeStamp value in the context, use it, but only if
- // the principal is admin
- if ( opContext.getSession().getAuthenticatedPrincipal().getName().equals(
- ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED ))
- {
- entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime() );
- }
- else
- {
- String message = "The CreateTimeStamp attribute cannot be created by a user";
- LOG.error( message );
- throw new LdapSchemaViolationException( message, ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS );
- }
- }
- else
- {
- entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime() );
- }
- */
-
- // Add the UUID and the entryCSN. The UUID is stored as a byte[] representation of
- // its String value
- // @TODO : If we are using replication, those four OAs may be already present.
- // We have to deal with this as soon as we have the replication working again
-
- // Check that we don't have an entryUUID AT in the incoming entry, as it's a NO-USER-MODIFICATION AT
- // Of course, we will allow if for replication (see above @TODO)
+ // If we are using replication, the below four OAs may already be present and we retain
+ // those values if the user is admin.
boolean isAdmin = opContext.getSession().getAuthenticatedPrincipal().getName().equals(
ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
@@ -232,9 +202,36 @@ public class OperationalAttributeInterce
{
entry.put( SchemaConstants.ENTRY_CSN_AT, service.getCSN().toString() );
}
-
- entry.put( SchemaConstants.CREATORS_NAME_AT, principal );
- entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime() );
+
+ if ( entry.containsAttribute( SchemaConstants.CREATORS_NAME_AT ) )
+ {
+ if ( !isAdmin )
+ {
+ // Wrong !
+ String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATORS_NAME_AT );
+ LOG.error( message );
+ throw new LdapNoPermissionException( message );
+ }
+ }
+ else
+ {
+ entry.put( SchemaConstants.CREATORS_NAME_AT, principal );
+ }
+
+ if ( entry.containsAttribute( SchemaConstants.CREATE_TIMESTAMP_AT ) )
+ {
+ if ( !isAdmin )
+ {
+ // Wrong !
+ String message = I18n.err( I18n.ERR_30, SchemaConstants.CREATE_TIMESTAMP_AT );
+ LOG.error( message );
+ throw new LdapNoPermissionException( message );
+ }
+ }
+ else
+ {
+ entry.put( SchemaConstants.CREATE_TIMESTAMP_AT, DateUtils.getGeneralizedTime() );
+ }
nextInterceptor.add( opContext );
}
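Review bot: The two added `containsAttribute` branches keep an admin-supplied creatorsName or createTimestamp verbatim and leave no trace that the server-generated value was overridden. Any session bound as the admin DN, not only the replication consumer, can therefore set the audit attributes of a new entry. A log line on the retained path would make overrides visible to operators, for example `LOG.debug( "Keeping admin-supplied " + SchemaConstants.CREATORS_NAME_AT );`. The `// Wrong !` comments should state the rule instead, e.g. `// NO-USER-MODIFICATION attribute: only the admin (replication) may supply it`. The rejection here throws `LdapNoPermissionException`, while the modify path in this commit throws `LdapSchemaViolationException` with `INSUFFICIENT_ACCESS_RIGHTS`; one type for both would be easier for callers. The method begins outside this hunk.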
@@ -245,48 +242,74 @@ public class OperationalAttributeInterce
{
// We must check that the user hasn't injected either the modifiersName
// or the modifyTimestamp operational attributes : they are not supposed to be
- // added at this point.
+ // added at this point EXCEPT in cases of replication by a admin user.
// If so, remove them, and if there are no more attributes, simply return.
// otherwise, inject those values into the list of modifications
List<Modification> mods = opContext.getModItems();
+ boolean isAdmin = opContext.getSession().getAuthenticatedPrincipal().getName().equals(
+ ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
+
+ boolean modifierAtPresent = false;
+ boolean modifiedTimeAtPresent = false;
+
for ( Modification modification: mods )
{
AttributeType attributeType = modification.getAttribute().getAttributeType();
if ( attributeType.equals( MODIFIERS_NAME_ATTRIBUTE_TYPE ) )
{
- String message = I18n.err( I18n.ERR_31 );
- LOG.error( message );
- throw new LdapSchemaViolationException( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, message );
+ if( ! isAdmin )
+ {
+ String message = I18n.err( I18n.ERR_31 );
+ LOG.error( message );
+ throw new LdapSchemaViolationException( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, message );
+ }
+ else
+ {
+ modifierAtPresent = true;
+ }
}
if ( attributeType.equals( MODIFY_TIMESTAMP_ATTRIBUTE_TYPE ) )
{
- String message = I18n.err( I18n.ERR_32 );
- LOG.error( message );
- throw new LdapSchemaViolationException( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, message );
+ if( ! isAdmin )
+ {
+ String message = I18n.err( I18n.ERR_32 );
+ LOG.error( message );
+ throw new LdapSchemaViolationException( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, message );
+ }
+ else
+ {
+ modifiedTimeAtPresent = true;
+ }
}
}
-
- // Inject the ModifiersName AT if it's not present
- EntryAttribute attribute = new DefaultEntryAttribute(
- MODIFIERS_NAME_ATTRIBUTE_TYPE,
- getPrincipal().getName());
- Modification modifiersName = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, attribute );
+ if ( ! modifierAtPresent )
+ {
+ // Inject the ModifiersName AT if it's not present
+ EntryAttribute attribute = new DefaultEntryAttribute(
+ MODIFIERS_NAME_ATTRIBUTE_TYPE,
+ getPrincipal().getName());
- mods.add( modifiersName );
-
- // Inject the ModifyTimestamp AT if it's not present
- attribute = new DefaultEntryAttribute(
- MODIFY_TIMESTAMP_ATTRIBUTE_TYPE,
- DateUtils.getGeneralizedTime() );
-
- Modification timestamp = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, attribute );
+ Modification modifiersName = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, attribute );
+
+ mods.add( modifiersName );
+ }
+
+ if ( ! modifiedTimeAtPresent )
+ {
+ // Inject the ModifyTimestamp AT if it's not present
+ EntryAttribute attribute = new DefaultEntryAttribute(
+ MODIFY_TIMESTAMP_ATTRIBUTE_TYPE,
+ DateUtils.getGeneralizedTime() );
+
+ Modification timestamp = new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, attribute );
+
+ mods.add( timestamp );
+ }
- mods.add( timestamp );
-
// Go down in the chain
nextInterceptor.modify( opContext );
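Review bot: `modifierAtPresent` and `modifiedTimeAtPresent` are set for any modification that names the attribute, whatever its operation. An admin request that carries a REMOVE_ATTRIBUTE on modifiersName or modifyTimestamp therefore suppresses the injected value and, unless a later interceptor rejects it, can leave the entry without that audit attribute. Setting the flag only for value-carrying operations avoids this: `if ( modification.getOperation() != ModificationOperation.REMOVE_ATTRIBUTE ) { modifierAtPresent = true; }`, and the same for the timestamp flag. As in the add path, a log line when a client-supplied value replaces the server-generated one would help operators tell replication traffic from other admin writes. The method starts and ends outside this hunk.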
Modified: directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientAddRequestTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientAddRequestTest.java?rev=949186&r1=949185&r2=949186&view=diff
==============================================================================
--- directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientAddRequestTest.java (original)
+++ directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientAddRequestTest.java Fri May 28 14:34:00 2010
@@ -49,6 +49,7 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.util.DateUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -163,12 +164,17 @@ public class ClientAddRequestTest extend
"userPassword: secret"
})
@Test
- public void testAddEntryUUIDAndEntryCsn() throws Exception
+ /**
+ * tests adding entryUUID, entryCSN, creatorsName and createTimestamp attributes
+ */
+ public void testAddSystemOperationalAttributes() throws Exception
{
//test as admin first
DN dn = new DN( "cn=x,ou=system" );
String uuid = UUID.randomUUID().toString();
String csn = new CsnFactory( 0 ).newInstance().toString();
+ String creator = dn.getName();
+ String createdTime = DateUtils.getGeneralizedTime();
Entry entry = new DefaultEntry( dn );
entry.add( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.PERSON_OC );
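Review bot: The new Javadoc block sits between `@Test` and the method signature, where doc tools and position linters generally treat it as misplaced and do not attach it to the method. It should move above the first annotation of `testAddSystemOperationalAttributes`, which starts outside this hunk. The comment could also say that the admin case is the one expected to succeed, e.g. `tests that the admin may supply entryUUID, entryCSN, creatorsName and createTimestamp on add`.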
@@ -176,6 +182,8 @@ public class ClientAddRequestTest extend
entry.add( SchemaConstants.SN_AT, "x" );
entry.add( SchemaConstants.ENTRY_UUID_AT, uuid );
entry.add( SchemaConstants.ENTRY_CSN_AT, csn );
+ entry.add( SchemaConstants.CREATORS_NAME_AT, creator );
+ entry.add( SchemaConstants.CREATE_TIMESTAMP_AT, createdTime );
connection.add( entry );
@@ -184,6 +192,8 @@ public class ClientAddRequestTest extend
// successful for admin
assertEquals( uuid, loadedEntry.get( SchemaConstants.ENTRY_UUID_AT ).getString() );
assertEquals( csn, loadedEntry.get( SchemaConstants.ENTRY_CSN_AT ).getString() );
+ assertEquals( creator, loadedEntry.get( SchemaConstants.CREATORS_NAME_AT ).getString() );
+ assertEquals( createdTime, loadedEntry.get( SchemaConstants.CREATE_TIMESTAMP_AT ).getString() );
connection.delete( dn );
connection.unBind();
Modified: directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientModifyRequestTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientModifyRequestTest.java?rev=949186&r1=949185&r2=949186&view=diff
==============================================================================
--- directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientModifyRequestTest.java (original)
+++ directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/operations/ClientModifyRequestTest.java Fri May 28 14:34:00 2010
@@ -48,6 +48,7 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.entry.ModificationOperation;
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.util.DateUtils;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -186,6 +187,9 @@ public class ClientModifyRequestTest ext
}
+ /**
+ * ApacheDS doesn't allow modifying entryUUID and entryCSN AT
+ */
@Test
public void testModifyEntryUUIDAndEntryCSN() throws Exception
{
@@ -203,4 +207,30 @@ public class ClientModifyRequestTest ext
modResp = connection.modify( modReq );
assertEquals( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, modResp.getLdapResult().getResultCode() );
}
+
+
+ /**
+ * ApacheDS allows modifying the modifiersName and modifyTimestamp operational AT
+ */
+ @Test
+ public void testModifyModifierNameAndModifyTimestamp() throws Exception
+ {
+ DN dn = new DN( "uid=admin,ou=system" );
+
+ String modifierName = "uid=x,ou=system";
+ String modifiedTime = DateUtils.getGeneralizedTime();
+
+ ModifyRequest modReq = new ModifyRequest( dn );
+ modReq.replace( SchemaConstants.MODIFIERS_NAME_AT, modifierName );
+ modReq.replace( SchemaConstants.MODIFY_TIMESTAMP_AT, modifiedTime );
+
+ ModifyResponse modResp = connection.modify( modReq );
+ assertEquals( ResultCodeEnum.SUCCESS, modResp.getLdapResult().getResultCode() );
+
+ Entry loadedEntry = ( ( SearchResultEntry ) connection.lookup( dn.getName(), "+" ) ).getEntry();
+
+ assertEquals( modifierName, loadedEntry.get( SchemaConstants.MODIFIERS_NAME_AT ).getString() );
+ assertEquals( modifiedTime, loadedEntry.get( SchemaConstants.MODIFY_TIMESTAMP_AT ).getString() );
+ }
+
}
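Review bot: `testModifyModifierNameAndModifyTimestamp` only exercises the admin success path, so the boundary the interceptor change relies on, rejection for everyone else, is not asserted in this hunk. A companion case bound as a non-admin user should send the same two `replace` modifications and check `assertEquals( ResultCodeEnum.INSUFFICIENT_ACCESS_RIGHTS, modResp.getLdapResult().getResultCode() );`, as the preceding entryUUID/entryCSN test does. The Javadoc is also broader than the behaviour: it should say `ApacheDS allows the admin user to modify the modifiersName and modifyTimestamp operational AT`. The test rewrites the audit attributes of `uid=admin,ou=system` itself; a throwaway entry would avoid leaving altered values on a shared fixture if the server instance is reused across tests.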