Commit 0a079113 authored by Patrick Dowler's avatar Patrick Dowler

add check timeout codes and throw TransientException; re-implement...

add checks for timeout result codes and throw TransientException; re-implement checkGroupExists as a filtered search instead of using getGroupNames
parent cb44021e
......@@ -227,7 +227,12 @@ public abstract class LdapDAO
throws TransientException
{
logger.debug("Ldap result: " + code);
if (code == ResultCode.SUCCESS
|| code == ResultCode.NO_SUCH_OBJECT)
{
return;
}
if (code == ResultCode.INSUFFICIENT_ACCESS_RIGHTS)
{
throw new AccessControlException("Not authorized ");
......@@ -236,20 +241,20 @@ public abstract class LdapDAO
{
throw new AccessControlException("Invalid credentials ");
}
else if ((code == ResultCode.SUCCESS) || (code
== ResultCode.NO_SUCH_OBJECT))
{
// all good. nothing to do
}
else if (code == ResultCode.PARAM_ERROR)
{
throw new IllegalArgumentException("Error in Ldap parameters ");
}
else if (code == ResultCode.BUSY ||
code == ResultCode.CONNECT_ERROR)
else if (code == ResultCode.BUSY
|| code == ResultCode.CONNECT_ERROR)
{
throw new TransientException("Connection problems ");
}
else if (code == ResultCode.TIMEOUT
|| code == ResultCode.TIME_LIMIT_EXCEEDED)
{
throw new TransientException("ldap timeout");
}
else
{
throw new RuntimeException("Ldap error (" + code.getName() + ")");
......
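Review bot: The early return at the top of checkLdapResult treats NO_SUCH_OBJECT exactly like SUCCESS, and with the old `// all good. nothing to do` branch apparently removed, nothing in the method says so any more. A caller that passes an exception's result code here and does not test for NO_SUCH_OBJECT itself will carry on as if the operation had succeeded, so the contract deserves a comment above the `if`, e.g. `// NO_SUCH_OBJECT is deliberately not an error here; callers that require the entry must check for it themselves`. The new timeout branch could also name the code, as the final `else` does: `throw new TransientException("ldap timeout (" + code.getName() + ")");`. The method's signature and the rest of its body lie outside the visible hunks.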
......@@ -235,7 +235,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
for (Group groupMember : groups)
{
final String groupMemberID = groupMember.getID();
if (!checkGroupExists(groupMemberID))
if (!checkGroupExists(groupMemberID, false))
{
throw new GroupNotFoundException(groupMemberID);
}
......@@ -346,12 +346,11 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
catch (LDAPSearchException e)
{
logger.debug("Could not find groups root", e);
LdapDAO.checkLdapResult(e.getResultCode());
if (e.getResultCode() == ResultCode.NO_SUCH_OBJECT)
{
throw new IllegalStateException("Could not find groups root");
}
else if (e.getResultCode() == ResultCode.TIME_LIMIT_EXCEEDED)
throw new TransientException("time limit exceeded", e);
throw new IllegalStateException("unexpected failure", e);
}
......@@ -622,77 +621,76 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
{
mods.add(new Modification(ModificationType.REPLACE, "description", group.description));
}
Set<String> newMembers = new HashSet<String>();
for (User<?> member : group.getUserMembers())
{
DN memberDN = userPersist.getUserDN(member);
newMembers.add(memberDN.toNormalizedString());
}
for (Group gr : group.getGroupMembers())
try
{
if (!checkGroupExists(gr.getID()))
Set<String> newMembers = new HashSet<String>();
for (User<?> member : group.getUserMembers())
{
throw new GroupNotFoundException(gr.getID());
DN memberDN = userPersist.getUserDN(member);
newMembers.add(memberDN.toNormalizedString());
}
DN grDN = getGroupDN(gr.getID());
newMembers.add(grDN.toNormalizedString());
}
Set<String> newAdmins = new HashSet<String>();
Set<User<? extends Principal>> existingUserAdmins = new HashSet<User<? extends Principal>>(0);
if (existing != null)
{
existingUserAdmins = existing.getUserAdmins();
}
for (User<?> member : group.getUserAdmins())
{
DN memberDN = userPersist.getUserDN(member);
newAdmins.add(memberDN.toNormalizedString());
if (!existingUserAdmins.contains(member))
for (Group gr : group.getGroupMembers())
{
adminChanges = true;
if (!checkGroupExists(gr.getID(), false))
{
throw new GroupNotFoundException(gr.getID());
}
DN grDN = getGroupDN(gr.getID());
newMembers.add(grDN.toNormalizedString());
}
}
Set<Group> existingGroupAdmins = new HashSet<Group>(0);
if (existing != null)
{
existingGroupAdmins = existing.getGroupAdmins();
}
for (Group gr : group.getGroupAdmins())
{
if (!checkGroupExists(gr.getID()))
Set<String> newAdmins = new HashSet<String>();
Set<User<? extends Principal>> existingUserAdmins = new HashSet<User<? extends Principal>>(0);
if (existing != null)
{
throw new GroupNotFoundException(gr.getID());
existingUserAdmins = existing.getUserAdmins();
}
for (User<?> member : group.getUserAdmins())
{
DN memberDN = userPersist.getUserDN(member);
newAdmins.add(memberDN.toNormalizedString());
if (!existingUserAdmins.contains(member))
{
adminChanges = true;
}
}
DN grDN = getGroupDN(gr.getID());
newAdmins.add(grDN.toNormalizedString());
if (!existingGroupAdmins.contains(gr))
Set<Group> existingGroupAdmins = new HashSet<Group>(0);
if (existing != null)
{
adminChanges = true;
existingGroupAdmins = existing.getGroupAdmins();
}
for (Group gr : group.getGroupAdmins())
{
if (!checkGroupExists(gr.getID(), false))
{
throw new GroupNotFoundException(gr.getID());
}
DN grDN = getGroupDN(gr.getID());
newAdmins.add(grDN.toNormalizedString());
if (!existingGroupAdmins.contains(gr))
{
adminChanges = true;
}
}
}
mods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newMembers.toArray(new String[newMembers.size()])));
adminMods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newAdmins.toArray(new String[newAdmins.size()])));
mods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newMembers.toArray(new String[newMembers.size()])));
adminMods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newAdmins.toArray(new String[newAdmins.size()])));
try
{
// modify admin group first (if necessary)
if (adminChanges)
{
ModifyRequest modifyRequest = new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode());
}
// modify admin group first (if necessary)
if (adminChanges)
{
ModifyRequest modifyRequest = new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode());
}
// modify the group itself now
ModifyRequest modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods);
......@@ -705,7 +703,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e1)
{
logger.debug("Modify Exception: " + e1, e1);
logger.debug("Modify Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
}
try
......@@ -1066,7 +1064,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e)
{
logger.debug("getGroupDN Exception: " + e, e);
logger.debug("getGroupDN Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode());
}
throw new IllegalArgumentException(groupID + " not a valid group ID");
......@@ -1085,7 +1083,7 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
catch (LDAPException e)
{
logger.debug("getAdminGroupDN Exception: " + e, e);
logger.debug("getAdminGroupDN Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode());
}
throw new IllegalArgumentException(groupID + " not a valid group ID");
......@@ -1117,17 +1115,43 @@ public class LdapGroupDAO<T extends Principal> extends LdapDAO
}
}
private boolean checkGroupExists(String groupID)
throws TransientException
private boolean checkGroupExists(String groupID, boolean lockedGroupsExist)
throws LDAPException, TransientException
{
for (String groupName : getGroupNames())
try
{
if (groupName.equalsIgnoreCase(groupID))
DN groupDN = getGroupDN(groupID);
Filter filter = Filter.createEqualityFilter("entrydn", groupDN.toNormalizedString());
SearchRequest searchRequest = new SearchRequest(
config.getGroupsDN(), SearchScope.SUB, filter,
"cn", "nsaccountlock");
//searchRequest.addControl(
// new ProxiedAuthorizationV2RequestControl("dn:" +
// getSubjectDN().toNormalizedString()));
SearchResultEntry searchResult =
getConnection().searchForEntry(searchRequest);
if (searchResult == null)
{
return true;
String msg = "Group not found " + groupDN;
logger.debug(msg);
return false;
}
if (searchResult.getAttribute("nsaccountlock") != null)
{
// deleted group
String msg = "Group marked deleted " + groupDN;
logger.debug(msg);
return lockedGroupsExist;
}
return true;
}
return false;
}
finally { }
}
}
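Review bot: In the new checkGroupExists the ProxiedAuthorizationV2RequestControl lines are left commented out, so the existence search appears to run under the connection's bind identity rather than the calling subject, unlike the modify request earlier in this file. Since callers turn the result into GroupNotFoundException or success, the answer can reveal whether a group exists to a caller who may not be allowed to read it. Either restore the control or replace the dead lines with a comment stating the intent, e.g. `// intentionally not proxied: membership validation must see groups the caller cannot read`. The empty `try { ... } finally { }` wrapper adds nothing and can go, and `lockedGroupsExist` needs a Javadoc line saying that it is the value returned for groups carrying `nsaccountlock`.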