/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE
* or https://OpenDS.dev.java.net/OpenDS.LICENSE.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2006-2009 Sun Microsystems, Inc.
* Portions copyright 2011-2013 ForgeRock AS
*/
package org.opends.server.api;
import java.net.InetAddress;
import java.nio.channels.ByteChannel;
import java.nio.channels.Selector;
import java.nio.channels.SocketChannel;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.atomic.AtomicBoolean;
import org.opends.messages.Message;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.PersistentSearch;
import org.opends.server.core.PluginConfigManager;
import org.opends.server.core.SearchOperation;
import org.opends.server.core.networkgroups.NetworkGroup;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.CancelRequest;
import org.opends.server.types.CancelResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.DisconnectReason;
import org.opends.server.types.Entry;
import org.opends.server.types.IntermediateResponse;
import org.opends.server.types.Operation;
import org.opends.server.types.OperationType;
import org.opends.server.types.Privilege;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchResultReference;
import org.opends.server.types.operation.PreParseOperation;
import org.opends.server.util.TimeThread;
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.config.ConfigConstants.*;
import static org.opends.server.loggers.debug.DebugLogger.*;
import static org.opends.server.util.StaticUtils.*;
/**
* This class defines the set of methods and structures that must be
* implemented by a Directory Server client connection.
*/
@org.opends.server.types.PublicAPI(
stability=org.opends.server.types.StabilityLevel.VOLATILE,
mayInstantiate=true,
mayExtend=true,
mayInvoke=true)
public abstract class ClientConnection
{
/**
* The tracer object for the debug logger.
*/
private static final DebugTracer TRACER = getTracer();
/**
* The set of authentication information for this client connection.
*/
protected AuthenticationInfo authenticationInfo;
/**
* Indicates whether a multistage SASL bind is currently in progress
* on this client connection. If so, then no other operations
* should be allowed until the bind completes.
*/
protected AtomicBoolean saslBindInProgress;
/**
* Indicates if a bind or start TLS request is currently in progress
* on this client connection. If so, then no further socket reads
* will occur until the request completes.
*/
protected AtomicBoolean bindOrStartTLSInProgress;
/**
* Indicates whether any necessary finalization work has been done for this
* client connection.
*/
private boolean finalized;
/** The set of privileges assigned to this client connection. */
private HashSet<Privilege> privileges;
/** The size limit for use with this client connection. */
private int sizeLimit;
/** The time limit for use with this client connection. */
private int timeLimit;
/** The lookthrough limit for use with this client connection. */
private int lookthroughLimit;
/** The time that this client connection was established. */
private final long connectTime;
/** The idle time limit for this client connection. */
private long idleTimeLimit;
/**
* The opaque information used for storing intermediate state information
* needed across multi-stage SASL binds.
*/
private Object saslAuthState;
/**
* A string representation of the time that this client connection was
* established.
*/
private final String connectTimeString;
/** A set of persistent searches registered for this client. */
private final CopyOnWriteArrayList<PersistentSearch>
persistentSearches;
/** The network group to which the connection belongs to. */
private NetworkGroup networkGroup;
/** Need to evaluate the network group for the first operation. */
protected boolean mustEvaluateNetworkGroup;
/**
* Performs the appropriate initialization generic to all client
* connections.
*/
protected ClientConnection()
{
connectTime = TimeThread.getTime();
connectTimeString = TimeThread.getGMTTime();
authenticationInfo = new AuthenticationInfo();
saslAuthState = null;
saslBindInProgress = new AtomicBoolean(false);
bindOrStartTLSInProgress = new AtomicBoolean(false);
persistentSearches = new CopyOnWriteArrayList<PersistentSearch>();
sizeLimit = DirectoryServer.getSizeLimit();
timeLimit = DirectoryServer.getTimeLimit();
idleTimeLimit = DirectoryServer.getIdleTimeLimit();
lookthroughLimit = DirectoryServer.getLookthroughLimit();
finalized = false;
privileges = new HashSet<Privilege>();
networkGroup = NetworkGroup.getDefaultNetworkGroup();
networkGroup.addConnection(this);
mustEvaluateNetworkGroup = true;
if (debugEnabled())
{
Message message =
INFO_CHANGE_NETWORK_GROUP.get(
getConnectionID(),
"null",
networkGroup.getID());
TRACER.debugMessage(DebugLogLevel.INFO, message.toString());
}
}
/**
* Performs any internal cleanup that may be necessary when this
* client connection is disconnected. In
* this case, it will be used to ensure that the connection is
* deregistered with the {@code AuthenticatedUsers} manager, and
* will then invoke the {@code finalizeClientConnection} method.
*/
@org.opends.server.types.PublicAPI(
stability=org.opends.server.types.StabilityLevel.PRIVATE,
mayInstantiate=false,
mayExtend=false,
mayInvoke=true,
notes="This method should only be invoked by connection " +
"handlers.")
protected final void finalizeConnectionInternal()
{
if (finalized)
{
return;
}
finalized = true;
// Deregister with the set of authenticated users.
Entry authNEntry = authenticationInfo.getAuthenticationEntry();
Entry authZEntry = authenticationInfo.getAuthorizationEntry();
if (authNEntry != null)
{
if ((authZEntry == null) ||
authZEntry.getDN().equals(authNEntry.getDN()))
{
DirectoryServer.getAuthenticatedUsers().remove(
authNEntry.getDN(), this);
}
else
{
DirectoryServer.getAuthenticatedUsers().remove(
authNEntry.getDN(), this);
DirectoryServer.getAuthenticatedUsers().remove(
authZEntry.getDN(), this);
}
}
else if (authZEntry != null)
{
DirectoryServer.getAuthenticatedUsers().remove(
authZEntry.getDN(), this);
}
networkGroup.removeConnection(this);
}
/**
* Retrieves the time that this connection was established, measured
* in the number of milliseconds since January 1, 1970 UTC.
*
* @return The time that this connection was established, measured
* in the number of milliseconds since January 1, 1970 UTC.
*/
public final long getConnectTime()
{
return connectTime;
}
/**
* Retrieves a string representation of the time that this
* connection was established.
*
* @return A string representation of the time that this connection
* was established.
*/
public final String getConnectTimeString()
{
return connectTimeString;
}
/**
* Retrieves the unique identifier that has been assigned to this
* connection.
*
* @return The unique identifier that has been assigned to this
* connection.
*/
public abstract long getConnectionID();
/**
* Retrieves the connection handler that accepted this client
* connection.
*
* @return The connection handler that accepted this client
* connection.
*/
public abstract ConnectionHandler<?> getConnectionHandler();
/**
* Retrieves the protocol that the client is using to communicate
* with the Directory Server.
*
* @return The protocol that the client is using to communicate
* with the Directory Server.
*/
public abstract String getProtocol();
/**
* Retrieves a string representation of the address of the client.
*
* @return A string representation of the address of the client.
*/
public abstract String getClientAddress();
/**
* Retrieves the port number for this connection on the client
* system if available.
*
* @return The port number for this connection on the client system
* or -1 if there is no client port associated with this
* connection (e.g. internal client).
*/
public abstract int getClientPort();
/**
* Retrieves the address and port (if available) of the client
* system, separated by a colon.
*
* @return The address and port of the client system, separated by a
* colon.
*/
public final String getClientHostPort()
{
int port = getClientPort();
if (port >= 0)
{
return getClientAddress() + ":" + port;
}
else
{
return getClientAddress();
}
}
/**
* Retrieves a string representation of the address on the server to
* which the client connected.
*
* @return A string representation of the address on the server to
* which the client connected.
*/
public abstract String getServerAddress();
/**
* Retrieves the port number for this connection on the server
* system if available.
*
* @return The port number for this connection on the server system
* or -1 if there is no server port associated with this
* connection (e.g. internal client).
*/
public abstract int getServerPort();
/**
* Retrieves the address and port of the server system, separated by
* a colon.
*
* @return The address and port of the server system, separated by a
* colon.
*/
public final String getServerHostPort()
{
int port = getServerPort();
if (port >= 0)
{
return getServerAddress() + ":" + port;
}
else
{
return getServerAddress();
}
}
/**
* Retrieves the {@code java.net.InetAddress} associated with the
* remote client system.
*
* @return The {@code java.net.InetAddress} associated with the
* remote client system. It may be {@code null} if the
* client is not connected over an IP-based connection.
*/
public abstract InetAddress getRemoteAddress();
/**
* Retrieves the {@code java.net.InetAddress} for the Directory
* Server system to which the client has established the connection.
*
* @return The {@code java.net.InetAddress} for the Directory
* Server system to which the client has established the
* connection. It may be {@code null} if the client is not
* connected over an IP-based connection.
*/
public abstract InetAddress getLocalAddress();
/**
* Returns whether the Directory Server believes this connection to be valid
* and available for communication.
*
* @return true if the connection is valid, false otherwise
*/
public abstract boolean isConnectionValid();
/**
* Indicates whether this client connection is currently using a
* secure mechanism to communicate with the server. Note that this
* may change over time based on operations performed by the client
* or server (e.g., it may go from {@code false} to {@code true} if
* if the client uses the StartTLS extended operation).
*
* @return {@code true} if the client connection is currently using
* a secure mechanism to communicate with the server, or
* {@code false} if not.
*/
public abstract boolean isSecure();
/**
* Retrieves a {@code Selector} that may be used to ensure that
* write operations complete in a timely manner, or terminate the
* connection in the event that they fail to do so. This is an
* optional method for client connections, and the default
* implementation returns {@code null} to indicate that the maximum
* blocked write time limit is not supported for this connection.
* Subclasses that do wish to support this functionality should
* return a valid {@code Selector} object.
*
* @return The {@code Selector} that may be used to ensure that
* write operations complete in a timely manner, or
* {@code null} if this client connection does not support
* maximum blocked write time limit functionality.
*/
public Selector getWriteSelector()
{
// There will not be a write selector in the default
// implementation.
return null;
}
/**
* Retrieves the maximum length of time in milliseconds that
* attempts to write data to the client should be allowed to block.
* A value of zero indicates there should be no limit.
*
* @return The maximum length of time in milliseconds that attempts
* to write data to the client should be allowed to block,
* or zero if there should be no limit.
*/
public long getMaxBlockedWriteTimeLimit()
{
// By default, we'll return 0, which indicates that there should
// be no maximum time limit. Subclasses should override this if
// they want to support a maximum blocked write time limit.
return 0L;
}
/**
* Retrieves the total number of operations performed
* on this connection.
*
* @return The total number of operations performed
* on this connection.
*/
public abstract long getNumberOfOperations();
/**
* Indicates whether the network group must be evaluated for
* the next connection.
* @param operation The operation going to be performed. Bind
* operations imply a network group evaluation.
* @return boolean indicating if the network group must be evaluated
*/
public boolean mustEvaluateNetworkGroup(
PreParseOperation operation) {
// Connections inside the internal network group MUST NOT
// change network group
if (this.networkGroup == NetworkGroup.getInternalNetworkGroup()) {
return false;
}
// Connections inside the admin network group MUST NOT
// change network group
if (this.networkGroup == NetworkGroup.getAdminNetworkGroup()) {
return false;
}
// If the operation is a BIND, the network group MUST be evaluated
if (operation != null
&& operation.getOperationType() == OperationType.BIND) {
return true;
}
return mustEvaluateNetworkGroup;
}
/**
* Indicates that the network group will have to be evaluated
* for the next connection.
*
* @param bool true if the network group must be evaluated
*/
public void mustEvaluateNetworkGroup(boolean bool) {
mustEvaluateNetworkGroup = bool;
}
/**
* Sends a response to the client based on the information in the
* provided operation.
*
* @param operation The operation for which to send the response.
*/
public abstract void sendResponse(Operation operation);
/**
* Sends the provided search result entry to the client.
*
* @param searchOperation The search operation with which the
* entry is associated.
* @param searchEntry The search result entry to be sent to
* the client.
*
* @throws DirectoryException If a problem occurs while attempting
* to send the entry to the client and
* the search should be terminated.
*/
public abstract void sendSearchEntry(
SearchOperation searchOperation,
SearchResultEntry searchEntry)
throws DirectoryException;
/**
* Sends the provided search result reference to the client.
*
* @param searchOperation The search operation with which the
* reference is associated.
* @param searchReference The search result reference to be sent
* to the client.
*
* @return {@code true} if the client is able to accept referrals,
* or {@code false} if the client cannot handle referrals
* and no more attempts should be made to send them for the
* associated search operation.
*
* @throws DirectoryException If a problem occurs while attempting
* to send the reference to the client
* and the search should be terminated.
*/
public abstract boolean sendSearchReference(
SearchOperation searchOperation,
SearchResultReference searchReference)
throws DirectoryException;
/**
* Invokes the intermediate response plugins on the provided
* response message and sends it to the client.
*
* @param intermediateResponse The intermediate response message
* to be sent.
*
* @return {@code true} if processing on the associated operation
* should continue, or {@code false} if not.
*/
public final boolean sendIntermediateResponse(
IntermediateResponse intermediateResponse)
{
// Invoke the intermediate response plugins for the response
// message.
PluginConfigManager pluginConfigManager =
DirectoryServer.getPluginConfigManager();
PluginResult.IntermediateResponse pluginResult =
pluginConfigManager.invokeIntermediateResponsePlugins(
intermediateResponse);
boolean continueProcessing = true;
if (pluginResult.sendResponse())
{
continueProcessing =
sendIntermediateResponseMessage(intermediateResponse);
}
return (continueProcessing && pluginResult.continueProcessing());
}
/**
* Sends the provided intermediate response message to the client.
*
* @param intermediateResponse The intermediate response message
* to be sent.
*
* @return {@code true} if processing on the associated operation
* should continue, or {@code false} if not.
*/
protected abstract boolean
sendIntermediateResponseMessage(
IntermediateResponse intermediateResponse);
/**
* Closes the connection to the client, optionally sending it a
* message indicating the reason for the closure. Note that the
* ability to send a notice of disconnection may not be available
* for all protocols or under all circumstances. Also note that
* when attempting to disconnect a client connection as a part of
* operation processing (e.g., within a plugin or other extension),
* the {@code disconnectClient} method within that operation should
* be called rather than invoking this method directly.
* <BR><BR>
* All subclasses must invoke the {@code finalizeConnectionInternal}
* method during the course of processing this method.
*
* @param disconnectReason The disconnect reason that provides the
* generic cause for the disconnect.
* @param sendNotification Indicates whether to try to provide
* notification to the client that the
* connection will be closed.
* @param message The message to send to the client. It
* may be {@code null} if no notification
* is to be sent.
*/
public abstract void disconnect(DisconnectReason disconnectReason,
boolean sendNotification,
Message message);
/**
* Indicates whether the user associated with this client connection
* must change their password before they will be allowed to do
* anything else.
*
* @return {@code true} if the user associated with this client
* connection must change their password before they will
* be allowed to do anything else, or {@code false} if not.
*/
public final boolean mustChangePassword()
{
if (authenticationInfo == null)
{
return false;
}
else
{
return authenticationInfo.mustChangePassword();
}
}
/**
* Specifies whether the user associated with this client connection
* must change their password before they will be allowed to do
* anything else.
*
* @param mustChangePassword Specifies whether the user associated
* with this client connection must
* change their password before they
* will be allowed to do anything else.
*/
public final void setMustChangePassword(boolean mustChangePassword)
{
if (authenticationInfo == null)
{
setAuthenticationInfo(new AuthenticationInfo());
}
authenticationInfo.setMustChangePassword(mustChangePassword);
}
/**
* Retrieves the set of operations in progress for this client
* connection. This list must not be altered by any caller.
*
* @return The set of operations in progress for this client
* connection.
*/
public abstract Collection<Operation> getOperationsInProgress();
/**
* Retrieves the operation in progress with the specified message
* ID.
*
* @param messageID The message ID of the operation to retrieve.
*
* @return The operation in progress with the specified message ID,
* or {@code null} if no such operation could be found.
*/
public abstract Operation getOperationInProgress(int messageID);
/**
* Removes the provided operation from the set of operations in
* progress for this client connection. Note that this does not
* make any attempt to cancel any processing that may already be in
* progress for the operation.
*
* @param messageID The message ID of the operation to remove from
* the set of operations in progress.
*
* @return {@code true} if the operation was found and removed from
* the set of operations in progress, or {@code false} if
* not.
*/
public abstract boolean removeOperationInProgress(int messageID);
/**
* Retrieves the set of persistent searches registered for this
* client.
*
* @return The set of persistent searches registered for this
* client.
*/
public final List<PersistentSearch> getPersistentSearches()
{
return persistentSearches;
}
/**
* Registers the provided persistent search for this client. Note
* that this should only be called by
* {@code DirectoryServer.registerPersistentSearch} and not through
* any other means.
*
* @param persistentSearch The persistent search to register for
* this client.
*/
@org.opends.server.types.PublicAPI(
stability=org.opends.server.types.StabilityLevel.PRIVATE,
mayInstantiate=false,
mayExtend=false,
mayInvoke=false)
public final void registerPersistentSearch(PersistentSearch
persistentSearch)
{
persistentSearches.add(persistentSearch);
}
/**
* Deregisters the provided persistent search for this client. Note
* that this should only be called by
* {@code DirectoryServer.deregisterPersistentSearch} and not
* through any other means.
*
* @param persistentSearch The persistent search to deregister for
* this client.
*/
@org.opends.server.types.PublicAPI(
stability=org.opends.server.types.StabilityLevel.PRIVATE,
mayInstantiate=false,
mayExtend=false,
mayInvoke=false)
public final void deregisterPersistentSearch(PersistentSearch
persistentSearch)
{
persistentSearches.remove(persistentSearch);
}
/**
* Attempts to cancel the specified operation.
*
* @param messageID The message ID of the operation to cancel.
* @param cancelRequest An object providing additional information
* about how the cancel should be processed.
*
* @return A cancel result that either indicates that the cancel
* was successful or provides a reason that it was not.
*/
public abstract CancelResult cancelOperation(int messageID,
CancelRequest cancelRequest);
/**
* Attempts to cancel all operations in progress on this connection.
*
* @param cancelRequest An object providing additional information
* about how the cancel should be processed.
*/
public abstract void cancelAllOperations(
CancelRequest cancelRequest);
/**
* Attempts to cancel all operations in progress on this connection
* except the operation with the specified message ID.
*
* @param cancelRequest An object providing additional information
* about how the cancel should be processed.
* @param messageID The message ID of the operation that
* should not be canceled.
*/
public abstract void cancelAllOperationsExcept(
CancelRequest cancelRequest,
int messageID);
/**
* Retrieves information about the authentication that has been
* performed for this connection.
*
* @return Information about the user that is currently
* authenticated on this connection.
*/
public AuthenticationInfo getAuthenticationInfo()
{
return authenticationInfo;
}
/**
* Specifies information about the authentication that has been
* performed for this connection.
*
* @param authenticationInfo Information about the authentication
* that has been performed for this
* connection. It should not be
* {@code null}.
*/
public void setAuthenticationInfo(AuthenticationInfo
authenticationInfo)
{
if (this.authenticationInfo != null)
{
Entry authNEntry =
this.authenticationInfo.getAuthenticationEntry();
Entry authZEntry =
this.authenticationInfo.getAuthorizationEntry();
if (authNEntry != null)
{
if ((authZEntry == null) ||
authZEntry.getDN().equals(authNEntry.getDN()))
{
DirectoryServer.getAuthenticatedUsers().remove(
authNEntry.getDN(), this);
}
else
{
DirectoryServer.getAuthenticatedUsers().remove(
authNEntry.getDN(), this);
DirectoryServer.getAuthenticatedUsers().remove(
authZEntry.getDN(), this);
}
}
else if (authZEntry != null)
{
DirectoryServer.getAuthenticatedUsers().remove(
authZEntry.getDN(), this);
}
}
if (authenticationInfo == null)
{
this.authenticationInfo = new AuthenticationInfo();
updatePrivileges(null, false);
}
else
{
this.authenticationInfo = authenticationInfo;
Entry authNEntry = authenticationInfo.getAuthenticationEntry();
Entry authZEntry = authenticationInfo.getAuthorizationEntry();
if (authNEntry != null)
{
if ((authZEntry == null) ||
authZEntry.getDN().equals(authNEntry.getDN()))
{
DirectoryServer.getAuthenticatedUsers().put(
authNEntry.getDN(), this);
}
else
{
DirectoryServer.getAuthenticatedUsers().put(
authNEntry.getDN(), this);
DirectoryServer.getAuthenticatedUsers().put(
authZEntry.getDN(), this);
}
}
else
{
if (authZEntry != null)
{
DirectoryServer.getAuthenticatedUsers().put(
authZEntry.getDN(), this);
}
}
updatePrivileges(authZEntry, authenticationInfo.isRoot());
}
}
/**
* Updates the cached entry associated with either the
* authentication and/or authorization identity with the provided
* version.
*
* @param oldEntry The user entry currently serving as the
* authentication and/or authorization identity.
* @param newEntry The updated entry that should replace the
* existing entry. It may optionally have a
* different DN than the old entry.
*/
public final void updateAuthenticationInfo(Entry oldEntry,
Entry newEntry)
{
Entry authNEntry = authenticationInfo.getAuthenticationEntry();
Entry authZEntry = authenticationInfo.getAuthorizationEntry();
if ((authNEntry != null) &&
authNEntry.getDN().equals(oldEntry.getDN()))
{
if ((authZEntry == null) ||
(! authZEntry.getDN().equals(authNEntry.getDN())))
{
setAuthenticationInfo(
authenticationInfo.duplicate(newEntry, authZEntry));
updatePrivileges(newEntry, authenticationInfo.isRoot());
}
else
{
setAuthenticationInfo(
authenticationInfo.duplicate(newEntry, newEntry));
updatePrivileges(newEntry, authenticationInfo.isRoot());
}
}
else if ((authZEntry != null) &&
(authZEntry.getDN().equals(oldEntry.getDN())))
{
setAuthenticationInfo(
authenticationInfo.duplicate(authNEntry, newEntry));
}
}
/**
* Sets properties in this client connection to indicate that the
* client is unauthenticated. This includes setting the
* authentication info structure to an empty default, as well as
* setting the size and time limit values to their defaults.
*/
public void setUnauthenticated()
{
setAuthenticationInfo(new AuthenticationInfo());
this.sizeLimit = networkGroup.getSizeLimit();
this.timeLimit = networkGroup.getTimeLimit();
}
/**
* Indicate whether the specified authorization entry parameter
* has the specified privilege. The method can be used to perform
* a "what-if" scenario.
*
* @param authorizationEntry The authentication entry to use.
* @param privilege The privilege to check for.
*
* @return {@code true} if the authentication entry has the
* specified privilege, or {@code false} if not.
*/
public static boolean hasPrivilege(Entry authorizationEntry,
Privilege privilege) {
boolean isRoot =
DirectoryServer.isRootDN(authorizationEntry.getDN());
return getPrivileges(authorizationEntry,
isRoot).contains(privilege) ||
DirectoryServer.isDisabled(privilege);
}
/**
* Indicates whether the authenticated client has the specified
* privilege.
*
* @param privilege The privilege for which to make the
* determination.
* @param operation The operation being processed which needs to
* make the privilege determination, or
* {@code null} if there is no associated
* operation.
*
* @return {@code true} if the authenticated client has the
* specified privilege, or {@code false} if not.
*/
public boolean hasPrivilege(Privilege privilege,
Operation operation)
{
if (privilege == Privilege.PROXIED_AUTH)
{
// This determination should always be made against the
// authentication identity rather than the authorization
// identity.
Entry authEntry = authenticationInfo.getAuthenticationEntry();
boolean isRoot = authenticationInfo.isRoot();
return getPrivileges(authEntry,
isRoot).contains(Privilege.PROXIED_AUTH) ||
DirectoryServer.isDisabled(Privilege.PROXIED_AUTH);
}
boolean result;
if (operation == null)
{
result = privileges.contains(privilege);
if (debugEnabled())
{
DN authDN = authenticationInfo.getAuthenticationDN();
Message message = INFO_CLIENTCONNECTION_AUDIT_HASPRIVILEGE
.get(getConnectionID(), -1L,
String.valueOf(authDN),
privilege.getName(), result);
TRACER.debugMessage(DebugLogLevel.INFO, message.toString());
}
}
else
{
if (operation.getAuthorizationDN().equals(
authenticationInfo.getAuthorizationDN()) ||
(operation.getAuthorizationDN().equals(DN.NULL_DN) &&
!authenticationInfo.isAuthenticated())) {
result = privileges.contains(privilege) ||
DirectoryServer.isDisabled(privilege);
if (debugEnabled())
{
DN authDN = authenticationInfo.getAuthenticationDN();
Message message =
INFO_CLIENTCONNECTION_AUDIT_HASPRIVILEGE.get(
getConnectionID(),
operation.getOperationID(),
String.valueOf(authDN),
privilege.getName(), result);
TRACER.debugMessage(DebugLogLevel.INFO, message.toString());
}
}
else
{
Entry authorizationEntry = operation.getAuthorizationEntry();
if (authorizationEntry == null)
{
result = false;
}
else
{
boolean isRoot =
DirectoryServer.isRootDN(authorizationEntry.getDN());
result = getPrivileges(authorizationEntry,
isRoot).contains(privilege) ||
DirectoryServer.isDisabled(privilege);
}
}
}
return result;
}
/**
* Indicates whether the authenticate client has all of the
* specified privileges.
*
* @param privileges The array of privileges for which to make the
* determination.
* @param operation The operation being processed which needs to
* make the privilege determination, or
* {@code null} if there is no associated
* operation.
*
* @return {@code true} if the authenticated client has all of the
* specified privileges, or {@code false} if not.
*/
public boolean hasAllPrivileges(Privilege[] privileges,
Operation operation)
{
HashSet<Privilege> privSet = this.privileges;
if (debugEnabled())
{
for (Privilege p : privileges)
{
if (! privSet.contains(p))
{
return false;
}
}
return true;
}
else
{
boolean result = true;
StringBuilder buffer = new StringBuilder();
buffer.append("{");
for (int i=0; i < privileges.length; i++)
{
if (i > 0)
{
buffer.append(",");
}
buffer.append(privileges[i].getName());
if (! privSet.contains(privileges[i]))
{
result = false;
}
}
buffer.append(" }");
if (operation == null)
{
DN authDN = authenticationInfo.getAuthenticationDN();
Message message =
INFO_CLIENTCONNECTION_AUDIT_HASPRIVILEGES.get(
getConnectionID(), -1L,
String.valueOf(authDN),
buffer.toString(), result);
TRACER.debugMessage(DebugLogLevel.INFO,
message.toString());
}
else
{
DN authDN = authenticationInfo.getAuthenticationDN();
Message message = INFO_CLIENTCONNECTION_AUDIT_HASPRIVILEGES
.get(
getConnectionID(),
operation.getOperationID(),
String.valueOf(authDN),
buffer.toString(), result);
TRACER.debugMessage(DebugLogLevel.INFO, message.toString());
}
return result;
}
}
/**
* Retrieves the set of privileges encoded in the provided entry.
*
* @param entry The entry to use to obtain the privilege
* information.
* @param isRoot Indicates whether the set of root privileges
* should be automatically included in the
* privilege set.
*
* @return A set of the privileges that should be assigned.
*/
private static HashSet<Privilege> getPrivileges(Entry entry,
boolean isRoot)
{
if (entry == null)
{
return new HashSet<Privilege>(0);
}
HashSet<Privilege> newPrivileges = new HashSet<Privilege>();
HashSet<Privilege> removePrivileges = new HashSet<Privilege>();
if (isRoot)
{
newPrivileges.addAll(DirectoryServer.getRootPrivileges());
}
AttributeType privType =
DirectoryServer.getAttributeType(OP_ATTR_PRIVILEGE_NAME);
List<Attribute> attrList = entry.getAttribute(privType);
if (attrList != null)
{
for (Attribute a : attrList)
{
for (AttributeValue v : a)
{
String privName = toLowerCase(v.getValue().toString());
// If the name of the privilege is prefixed with a minus
// sign, then we will take away that privilege from the
// user. We'll handle that at the end so that we can make
// sure it's not added back later.
if (privName.startsWith("-"))
{
privName = privName.substring(1);
Privilege p = Privilege.privilegeForName(privName);
if (p == null)
{
// FIXME -- Generate an administrative alert.
// We don't know what privilege to remove, so we'll
// remove all of them.
newPrivileges.clear();
return newPrivileges;
}
else
{
removePrivileges.add(p);
}
}
else
{
Privilege p = Privilege.privilegeForName(privName);
if (p == null)
{
// FIXME -- Generate an administrative alert.
}
else
{
newPrivileges.add(p);
}
}
}
}
}
for (Privilege p : removePrivileges)
{
newPrivileges.remove(p);
}
return newPrivileges;
}
/**
* Updates the privileges associated with this client connection
* object based on the provided entry for the authentication
* identity.
*
* @param entry The entry for the authentication identity
* associated with this client connection.
* @param isRoot Indicates whether the associated user is a root
* user and should automatically inherit the root
* privilege set.
*/
protected void updatePrivileges(Entry entry, boolean isRoot)
{
privileges = getPrivileges(entry, isRoot);
}
/**
* Retrieves an opaque set of information that may be used for
* processing multi-stage SASL binds.
*
* @return An opaque set of information that may be used for
* processing multi-stage SASL binds.
*/
public final Object getSASLAuthStateInfo()
{
return saslAuthState;
}
/**
* Specifies an opaque set of information that may be used for
* processing multi-stage SASL binds.
*
* @param saslAuthState An opaque set of information that may be
* used for processing multi-stage SASL
* binds.
*/
public final void setSASLAuthStateInfo(Object saslAuthState)
{
this.saslAuthState = saslAuthState;
}
/**
* Return the lowest level channel associated with a connection.
* This is normally the channel associated with the socket
* channel.
*
* @return The lowest level channel associated with a connection.
*/
public ByteChannel getChannel() {
// By default, return null, which indicates that there should
// be no channel. Subclasses should override this if
// they want to support a channel.
return null;
}
/**
* Return the Socket channel associated with a connection.
*
* @return The Socket channel associated with a connection.
*/
public SocketChannel getSocketChannel() {
// By default, return null, which indicates that there should
// be no socket channel. Subclasses should override this if
// they want to support a socket channel.
return null;
}
/**
* Retrieves the size limit that will be enforced for searches
* performed using this client connection.
*
* @return The size limit that will be enforced for searches
* performed using this client connection.
*/
public final int getSizeLimit()
{
return sizeLimit;
}
/**
* Specifies the size limit that will be enforced for searches
* performed using this client connection.
*
* @param sizeLimit The size limit that will be enforced for
* searches performed using this client
* connection.
*/
public void setSizeLimit(int sizeLimit)
{
this.sizeLimit = sizeLimit;
}
/**
* Retrieves the maximum length of time in milliseconds that this
* client connection will be allowed to remain idle before it should
* be disconnected.
*
* @return The maximum length of time in milliseconds that this
* client connection will be allowed to remain idle before
* it should be disconnected.
*/
public final long getIdleTimeLimit()
{
return idleTimeLimit;
}
/**
* Specifies the maximum length of time in milliseconds that this
* client connection will be allowed to remain idle before it should
* be disconnected.
*
* @param idleTimeLimit The maximum length of time in milliseconds
* that this client connection will be
* allowed to remain idle before it should be
* disconnected.
*/
public void setIdleTimeLimit(long idleTimeLimit)
{
this.idleTimeLimit = idleTimeLimit;
}
/**
* Retrieves the default maximum number of entries that should
* checked for matches during a search.
*
* @return The default maximum number of entries that should
* checked for matches during a search.
*/
public final int getLookthroughLimit()
{
return lookthroughLimit;
}
/**
* Specifies the default maximum number of entries that should
* be checked for matches during a search.
*
* @param lookthroughLimit The default maximum number of
* entries that should be check for
* matches during a search.
*/
public void setLookthroughLimit(int lookthroughLimit)
{
this.lookthroughLimit = lookthroughLimit;
}
/**
* Retrieves the time limit that will be enforced for searches
* performed using this client connection.
*
* @return The time limit that will be enforced for searches
* performed using this client connection.
*/
public final int getTimeLimit()
{
return timeLimit;
}
/**
* Specifies the time limit that will be enforced for searches
* performed using this client connection.
*
* @param timeLimit The time limit that will be enforced for
* searches performed using this client
* connection.
*/
public void setTimeLimit(int timeLimit)
{
this.timeLimit = timeLimit;
}
/**
* Retrieves a one-line summary of this client connection in a form
* that is suitable for including in the monitor entry for the
* associated connection handler. It should be in a format that is
* both humand readable and machine parseable (e.g., a
* space-delimited name-value list, with quotes around the values).
*
* @return A one-line summary of this client connection in a form
* that is suitable for including in the monitor entry for
* the associated connection handler.
*/
public abstract String getMonitorSummary();
/**
* Indicates whether the user associated with this client connection
* should be considered a member of the specified group, optionally
* evaluated within the context of the provided operation. If an
* operation is given, then the determination should be made based
* on the authorization identity for that operation. If the
* operation is {@code null}, then the determination should be made
* based on the authorization identity for this client connection.
* Note that this is a point-in-time determination and the caller
* must not cache the result.
*
* @param group The group for which to make the determination.
* @param operation The operation to use to obtain the
* authorization identity for which to make the
* determination, or {@code null} if the
* authorization identity should be obtained from
* this client connection.
*
* @return {@code true} if the target user is currently a member of
* the specified group, or {@code false} if not.
*
* @throws DirectoryException If a problem occurs while attempting
* to make the determination.
*/
public boolean isMemberOf(Group<?> group, Operation operation)
throws DirectoryException
{
if (operation == null)
{
return group.isMember(authenticationInfo.getAuthorizationDN());
}
else
{
return group.isMember(operation.getAuthorizationDN());
}
}
/**
* Retrieves the set of groups in which the user associated with
* this client connection may be considered to be a member. If an
* operation is provided, then the determination should be made
* based on the authorization identity for that operation. If the
* operation is {@code null}, then it should be made based on the
* authorization identity for this client connection. Note that
* this is a point-in-time determination and the caller must not
* cache the result.
*
* @param operation The operation to use to obtain the
* authorization identity for which to retrieve
* the associated groups, or {@code null} if the
* authorization identity should be obtained from
* this client connection.
*
* @return The set of groups in which the target user is currently
* a member.
*
* @throws DirectoryException If a problem occurs while attempting
* to make the determination.
*/
public Set<Group<?>> getGroups(Operation operation)
throws DirectoryException
{
// FIXME -- This probably isn't the most efficient implementation.
DN authzDN;
if (operation == null)
{
if ((authenticationInfo == null) ||
(! authenticationInfo.isAuthenticated()))
{
authzDN = null;
}
else
{
authzDN = authenticationInfo.getAuthorizationDN();
}
}
else
{
authzDN = operation.getAuthorizationDN();
}
if ((authzDN == null) || authzDN.isNullDN())
{
return Collections.<Group<?>>emptySet();
}
Entry userEntry = DirectoryServer.getEntry(authzDN);
if (userEntry == null)
{
return Collections.<Group<?>>emptySet();
}
HashSet<Group<?>> groupSet = new HashSet<Group<?>>();
for (Group<?> g :
DirectoryServer.getGroupManager().getGroupInstances())
{
if (g.isMember(userEntry))
{
groupSet.add(g);
}
}
return groupSet;
}
/**
* Retrieves the DN of the key manager provider that should be used
* for operations requiring access to a key manager. The default
* implementation returns {@code null} to indicate that no key
* manager provider is available, but subclasses should override
* this method to return a valid DN if they perform operations which
* may need access to a key manager.
*
* @return The DN of the key manager provider that should be used
* for operations requiring access to a key manager, or
* {@code null} if there is no key manager provider
* configured for this client connection.
*/
public DN getKeyManagerProviderDN()
{
// In the default implementation, we'll return null.
return null;
}
/**
* Retrieves the DN of the trust manager provider that should be
* used for operations requiring access to a trust manager. The
* default implementation returns {@code null} to indicate that no
* trust manager provider is avaialble, but subclasses should
* override this method to return a valid DN if they perform
* operations which may need access to a trust manager.
*
* @return The DN of the trust manager provider that should be used
* for operations requiring access to a trust manager, or
* {@code null} if there is no trust manager provider
* configured for this client connection.
*/
public DN getTrustManagerProviderDN()
{
// In the default implementation, we'll return null.
return null;
}
/**
* Retrieves the alias of the server certificate that should be used
* for operations requiring a server certificate. The default
* implementation returns {@code null} to indicate that any alias is
* acceptable.
*
* @return The alias of the server certificate that should be used
* for operations requring a server certificate, or
* {@code null} if any alias is acceptable.
*/
public String getCertificateAlias()
{
// In the default implementation, we'll return null.
return null;
}
/**
* Retrieves a string representation of this client connection.
*
* @return A string representation of this client connection.
*/
@Override
public final String toString()
{
StringBuilder buffer = new StringBuilder();
toString(buffer);
return buffer.toString();
}
/**
* Appends a string representation of this client connection to the
* provided buffer.
*
* @param buffer The buffer to which the information should be
* appended.
*/
public abstract void toString(StringBuilder buffer);
/**
* Returns the network group to which the connection belongs.
*
* @return the network group attached to the connection
*/
public final NetworkGroup getNetworkGroup()
{
return networkGroup;
}
/**
* Sets the network group to which the connection belongs.
*
* @param networkGroup the network group to which the
* connections belongs to
*/
public final void setNetworkGroup (NetworkGroup networkGroup)
{
if (this.networkGroup != networkGroup) {
if (debugEnabled())
{
Message message =
INFO_CHANGE_NETWORK_GROUP.get(
getConnectionID(),
this.networkGroup.getID(),
networkGroup.getID());
TRACER.debugMessage(DebugLogLevel.INFO, message.toString());
}
// If there is a change, first remove this connection
// from the current network group
this.networkGroup.removeConnection(this);
// Then set the new network group
this.networkGroup = networkGroup;
// And add the connection to the new ng
this.networkGroup.addConnection(this);
// The client connection inherits the resource limits
sizeLimit = networkGroup.getSizeLimit();
timeLimit = networkGroup.getTimeLimit();
}
}
/**
* Retrieves the length of time in milliseconds that this client
* connection has been idle.
* <BR><BR>
* Note that the default implementation will always return zero.
* Subclasses associated with connection handlers should override
* this method if they wish to provided idle time limit
* functionality.
*
* @return The length of time in milliseconds that this client
* connection has been idle.
*/
public long getIdleTime()
{
return 0L;
}
/**
* Return the Security Strength Factor of a client connection.
*
* @return An integer representing the SSF value of a connection.
*/
public abstract int getSSF();
/**
* Indicates a bind or start TLS request processing is finished
* and the client connection may start processing data read from
* the socket again. This must be called after processing each
* bind request in a multistage SASL bind.
*/
public void finishBindOrStartTLS()
{
bindOrStartTLSInProgress.set(false);
}
/**
* Indicates a multistage SASL bind operation is finished and the
* client connection may accept additional LDAP messages.
*/
public void finishSaslBind()
{
saslBindInProgress.set(false);
}
/**
* Returns whether this connection is used for inner work not directly
* requested by an external client.
*
* @return {@code true} if this is an inner connection, {@code false}
* otherwise
*/
public boolean isInnerConnection()
{
return getConnectionID() < 0;
}
}