directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DIRSERVER-2206) RefinementEvaluator fails when "objectClass" attribute is not present in the list of attributes
Date Thu, 24 Aug 2017 05:45:01 GMT

    [ https://issues.apache.org/jira/browse/DIRSERVER-2206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16139585#comment-16139585 ]

Emmanuel Lecharny edited comment on DIRSERVER-2206 at 8/24/17 5:44 AM:
-----------------------------------------------------------------------

Another idea would be to move the {{SchemaInterceptor}} filter so that it's executed at the
end of the evaluations. I have tried a patch that does that, and it does the job, but it's
a kind of horrible hack.

Basically, I have added an {{isLast()}} method to the {{EntryFilter}} interface, implemented
it in all the filters with a {{false}} returned except for the {{TopFilter}} which belongs
to the {{SchemaInterceptor}} class. Now, the filter loop in the {{EntryFilteringCursor}} class
looks like :

{code:java}
            EntryFilter lastFilter = null;
            
            for ( EntryFilter filter : filters )
            {
                if ( filter.isLast() )
                {
                    lastFilter = filter;
                }
                else
                { 
                    // if a filter rejects then short and continue with outer loop
                    if ( !filter.accept( operationContext, tempResult ) )
                    {
                        continue outer;
                    }
                }
            }

            if ( ( lastFilter != null ) && !lastFilter.accept( operationContext, tempResult ) )
            {
                continue outer;
            }
{code}

This is kind of ugly though, I'd rather have the filter list built properly, but it would
require some changes in the way the interceptors are initialized.

Btw, integ tests are passing with such a modification.


> RefinementEvaluator fails when "objectClass" attribute is not present in the list of attributes
> -----------------------------------------------------------------------------------------------
>
>                 Key: DIRSERVER-2206
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2206
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 2.0.0-M24
>            Reporter: Kiran Ayyagari
>             Fix For: 2.0.0-M25
>
>         Attachments: allowreadusers.ldif
>
>
> I have an ACI that filters entries based on the {{classes}} protected item but when
> the search request doesn't contain {{objectClass}} in the requested attributes the below
> exception is thrown.
> {noformat}
> org.apache.directory.api.ldap.model.message.SearchRequestImpl@c452319: ERR_296 objectClasses cannot be null:
> java.lang.IllegalArgumentException: ERR_296 objectClasses cannot be null
> 	at org.apache.directory.server.core.api.subtree.RefinementEvaluator.evaluate(RefinementEvaluator.java:65)
> 	at org.apache.directory.server.core.authz.support.RelatedProtectedItemFilter.isRelated(RelatedProtectedItemFilter.java:213)
> 	at org.apache.directory.server.core.authz.support.RelatedProtectedItemFilter.filter(RelatedProtectedItemFilter.java:86)
> 	at org.apache.directory.server.core.authz.support.ACDFEngine.hasPermission(ACDFEngine.java:160)
> 	at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.filter(AciAuthorizationInterceptor.java:1368)
> 	at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.access$200(AciAuthorizationInterceptor.java:91)
> 	at org.apache.directory.server.core.authz.AciAuthorizationInterceptor$AuthorizationFilter.accept(AciAuthorizationInterceptor.java:1428)
> 	at org.apache.directory.server.core.api.filtering.EntryFilteringCursorImpl.next(EntryFilteringCursorImpl.java:454)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.writeResults(SearchRequestHandler.java:380)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:840)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1164)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1258)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:212)
> 	at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:92)
> 	at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:222)
> 	at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> 	at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:243)
> 	at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:216)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:858)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
> 	at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:947)
> 	at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
> 	at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
> 	at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:476)
> 	at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:430)
> 	at java.lang.Thread.run(Thread.java:745)
> {noformat}
> Steps to reproduce:
> # Apply the allowreadusers.ldif
> # restart the server
> # run the command ldapsearch -H ldap://localhost:10389 -D "" -b "uid=kayyagari,ou=Users,dc=example,dc=com" -s base -a always "(objectClass=*)" "uid"
> Note that if you request "objectClass" attribute along with "uid" then the request succeeds.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
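
The ordering problem discussed in the comment above, as an added example that is not ApacheDS code or the author's patch: it models the alternative the comment says it would prefer, ordering the filter list once at setup instead of special-casing the loop. The map-based entry, `TRIM`, `AUTHZ`, `ordered` and `acceptAll` are hypothetical names, and it is an assumption that the schema filter trims unrequested attributes before the authorization filter reads {{objectClass}}.

```java
import java.util.*;

// Simplified model, not ApacheDS code: an entry is an attribute map, the context is the requested names.
public class FilterOrderDemo {
    interface EntryFilter {
        boolean accept(Set<String> requested, Map<String, String> entry);
        default boolean isLast() { return false; }
    }

    // Assumed stand-in for the schema filter: trims the entry to what was requested.
    static final EntryFilter TRIM = new EntryFilter() {
        public boolean accept(Set<String> requested, Map<String, String> entry) {
            entry.keySet().retainAll(requested);
            return true;
        }
        public boolean isLast() { return true; }
    };

    // Assumed stand-in for the authorization filter: its decision reads objectClass.
    static final EntryFilter AUTHZ = (requested, entry) -> {
        String oc = entry.get("objectClass");
        if (oc == null) throw new IllegalArgumentException("objectClasses cannot be null");
        return oc.equals("inetOrgPerson");
    };

    // Order the list once at setup: a stable sort moves isLast() filters to the tail.
    static List<EntryFilter> ordered(List<EntryFilter> filters) {
        List<EntryFilter> result = new ArrayList<>(filters);
        result.sort(Comparator.comparing(EntryFilter::isLast));
        return result;
    }

    static boolean acceptAll(List<EntryFilter> filters, Set<String> requested, Map<String, String> entry) {
        for (EntryFilter f : filters) if (!f.accept(requested, entry)) return false;
        return true;
    }

    public static void main(String[] args) {
        Set<String> requested = new HashSet<>(Arrays.asList("uid")); // constructed request
        List<EntryFilter> registered = Arrays.asList(TRIM, AUTHZ);   // trimming registered first
        for (List<EntryFilter> chain : Arrays.asList(registered, ordered(registered))) {
            Map<String, String> entry = new HashMap<>();             // constructed entry
            entry.put("uid", "kayyagari");
            entry.put("objectClass", "inetOrgPerson");
            try {
                System.out.println(acceptAll(chain, requested, entry) + " -> " + entry);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected with exception: " + e.getMessage());
            }
        }
    }
}
```

With the registration order the authorization stand-in sees an entry that has already lost {{objectClass}}; with the ordered list it decides on the full entry and only the returned copy is trimmed.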
