/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE
* or https://OpenDS.dev.java.net/OpenDS.LICENSE.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008-2009 Sun Microsystems, Inc.
* Portions Copyright 2011-2013 ForgeRock AS
*/
package org.opends.server.workflowelement.localbackend;
import java.util.List;
import java.util.concurrent.locks.Lock;
import org.opends.messages.Message;
import org.opends.server.api.Backend;
import org.opends.server.api.ChangeNotificationListener;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.SynchronizationProvider;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.controls.*;
import org.opends.server.core.*;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.*;
import org.opends.server.types.operation.PostOperationDeleteOperation;
import org.opends.server.types.operation.PostResponseDeleteOperation;
import org.opends.server.types.operation.PostSynchronizationDeleteOperation;
import org.opends.server.types.operation.PreOperationDeleteOperation;
import static org.opends.messages.CoreMessages.*;
import static org.opends.server.loggers.ErrorLogger.*;
import static org.opends.server.loggers.debug.DebugLogger.*;
import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.*;
/**
* This class defines an operation used to delete an entry in a local backend
* of the Directory Server.
*/
public class LocalBackendDeleteOperation
extends DeleteOperationWrapper
implements PreOperationDeleteOperation, PostOperationDeleteOperation,
PostResponseDeleteOperation,
PostSynchronizationDeleteOperation
{
/**
* The tracer object for the debug logger.
*/
private static final DebugTracer TRACER = getTracer();
/**
* The backend in which the operation is to be processed.
*/
protected Backend backend;
/**
* Indicates whether the LDAP no-op control has been requested.
*/
protected boolean noOp;
/**
* The client connection on which this operation was requested.
*/
protected ClientConnection clientConnection;
/**
* The DN of the entry to be deleted.
*/
protected DN entryDN;
/**
* The entry to be deleted.
*/
protected Entry entry;
// The pre-read request control included in the request, if applicable.
private LDAPPreReadRequestControl preReadRequest;
/**
* Creates a new operation that may be used to delete an entry from a
* local backend of the Directory Server.
*
* @param delete The operation to enhance.
*/
public LocalBackendDeleteOperation(DeleteOperation delete)
{
super(delete);
LocalBackendWorkflowElement.attachLocalOperation (delete, this);
}
/**
* Retrieves the entry to be deleted.
*
* @return The entry to be deleted, or <CODE>null</CODE> if the entry is not
* yet available.
*/
@Override
public Entry getEntryToDelete()
{
return entry;
}
/**
* Process this delete operation in a local backend.
*
* @param wfe
* The local backend work-flow element.
* @throws CanceledOperationException
* if this operation should be cancelled
*/
public void processLocalDelete(final LocalBackendWorkflowElement wfe)
throws CanceledOperationException
{
boolean executePostOpPlugins = false;
this.backend = wfe.getBackend();
clientConnection = getClientConnection();
// Get the plugin config manager that will be used for invoking plugins.
PluginConfigManager pluginConfigManager =
DirectoryServer.getPluginConfigManager();
// Check for a request to cancel this operation.
checkIfCanceled(false);
// Create a labeled block of code that we can break out of if a problem is
// detected.
deleteProcessing:
{
// Process the entry DN to convert it from its raw form as provided by the
// client to the form required for the rest of the delete processing.
entryDN = getEntryDN();
if (entryDN == null){
break deleteProcessing;
}
// Grab a write lock on the entry.
final Lock entryLock = LockManager.lockWrite(entryDN);
if (entryLock == null)
{
setResultCode(ResultCode.BUSY);
appendErrorMessage(ERR_DELETE_CANNOT_LOCK_ENTRY.get(
String.valueOf(entryDN)));
break deleteProcessing;
}
try
{
// Get the entry to delete. If it doesn't exist, then fail.
try
{
entry = backend.getEntry(entryDN);
if (entry == null)
{
setResultCode(ResultCode.NO_SUCH_OBJECT);
appendErrorMessage(ERR_DELETE_NO_SUCH_ENTRY.get(
String.valueOf(entryDN)));
try
{
DN parentDN = entryDN.getParentDNInSuffix();
while (parentDN != null)
{
if (DirectoryServer.entryExists(parentDN))
{
setMatchedDN(parentDN);
break;
}
parentDN = parentDN.getParentDNInSuffix();
}
}
catch (Exception e)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
}
break deleteProcessing;
}
}
catch (DirectoryException de)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
setResponseData(de);
break deleteProcessing;
}
if(!handleConflictResolution()) {
break deleteProcessing;
}
// Check to see if the client has permission to perform the
// delete.
// Check to see if there are any controls in the request. If so, then
// see if there is any special processing required.
try
{
handleRequestControls();
}
catch (DirectoryException de)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
setResponseData(de);
break deleteProcessing;
}
// FIXME: for now assume that this will check all permission
// pertinent to the operation. This includes proxy authorization
// and any other controls specified.
// FIXME: earlier checks to see if the entry already exists may
// have already exposed sensitive information to the client.
try
{
if (!AccessControlConfigManager.getInstance()
.getAccessControlHandler().isAllowed(this))
{
setResultCode(ResultCode.INSUFFICIENT_ACCESS_RIGHTS);
appendErrorMessage(ERR_DELETE_AUTHZ_INSUFFICIENT_ACCESS_RIGHTS
.get(String.valueOf(entryDN)));
break deleteProcessing;
}
}
catch (DirectoryException e)
{
setResultCode(e.getResultCode());
appendErrorMessage(e.getMessageObject());
break deleteProcessing;
}
// Check for a request to cancel this operation.
checkIfCanceled(false);
// If the operation is not a synchronization operation,
// invoke the pre-delete plugins.
if (! isSynchronizationOperation())
{
executePostOpPlugins = true;
PluginResult.PreOperation preOpResult =
pluginConfigManager.invokePreOperationDeletePlugins(this);
if (!preOpResult.continueProcessing())
{
setResultCode(preOpResult.getResultCode());
appendErrorMessage(preOpResult.getErrorMessage());
setMatchedDN(preOpResult.getMatchedDN());
setReferralURLs(preOpResult.getReferralURLs());
break deleteProcessing;
}
}
// Get the backend to use for the delete. If there is none, then fail.
if (backend == null)
{
setResultCode(ResultCode.NO_SUCH_OBJECT);
appendErrorMessage(ERR_DELETE_NO_SUCH_ENTRY.get(
String.valueOf(entryDN)));
break deleteProcessing;
}
// If it is not a private backend, then check to see if the server or
// backend is operating in read-only mode.
if (! backend.isPrivateBackend())
{
switch (DirectoryServer.getWritabilityMode())
{
case DISABLED:
setResultCode(ResultCode.UNWILLING_TO_PERFORM);
appendErrorMessage(ERR_DELETE_SERVER_READONLY.get(
String.valueOf(entryDN)));
break deleteProcessing;
case INTERNAL_ONLY:
if (! (isInternalOperation() || isSynchronizationOperation()))
{
setResultCode(ResultCode.UNWILLING_TO_PERFORM);
appendErrorMessage(ERR_DELETE_SERVER_READONLY.get(
String.valueOf(entryDN)));
break deleteProcessing;
}
}
switch (backend.getWritabilityMode())
{
case DISABLED:
setResultCode(ResultCode.UNWILLING_TO_PERFORM);
appendErrorMessage(ERR_DELETE_BACKEND_READONLY.get(
String.valueOf(entryDN)));
break deleteProcessing;
case INTERNAL_ONLY:
if (! (isInternalOperation() || isSynchronizationOperation()))
{
setResultCode(ResultCode.UNWILLING_TO_PERFORM);
appendErrorMessage(ERR_DELETE_BACKEND_READONLY.get(
String.valueOf(entryDN)));
break deleteProcessing;
}
}
}
// The selected backend will have the responsibility of making sure that
// the entry actually exists and does not have any children (or possibly
// handling a subtree delete). But we will need to check if there are
// any subordinate backends that should stop us from attempting the
// delete.
Backend[] subBackends = backend.getSubordinateBackends();
for (Backend b : subBackends)
{
DN[] baseDNs = b.getBaseDNs();
for (DN dn : baseDNs)
{
if (dn.isDescendantOf(entryDN))
{
setResultCode(ResultCode.NOT_ALLOWED_ON_NONLEAF);
appendErrorMessage(ERR_DELETE_HAS_SUB_BACKEND.get(
String.valueOf(entryDN),
String.valueOf(dn)));
break deleteProcessing;
}
}
}
// Actually perform the delete.
try
{
if (noOp)
{
setResultCode(ResultCode.NO_OPERATION);
appendErrorMessage(INFO_DELETE_NOOP.get());
}
else
{
if(!processPreOperation()) {
break deleteProcessing;
}
backend.deleteEntry(entryDN, this);
}
LocalBackendWorkflowElement.addPreReadResponse(this,
preReadRequest, entry);
if (! noOp)
{
setResultCode(ResultCode.SUCCESS);
}
}
catch (DirectoryException de)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
setResponseData(de);
break deleteProcessing;
}
}
finally
{
LockManager.unlock(entryDN, entryLock);
processSynchPostOperationPlugins();
}
}
// Invoke the post-operation or post-synchronization delete plugins.
if (isSynchronizationOperation())
{
if (getResultCode() == ResultCode.SUCCESS)
{
pluginConfigManager.invokePostSynchronizationDeletePlugins(this);
}
}
else if (executePostOpPlugins)
{
PluginResult.PostOperation postOpResult =
pluginConfigManager.invokePostOperationDeletePlugins(this);
if (!postOpResult.continueProcessing())
{
setResultCode(postOpResult.getResultCode());
appendErrorMessage(postOpResult.getErrorMessage());
setMatchedDN(postOpResult.getMatchedDN());
setReferralURLs(postOpResult.getReferralURLs());
return;
}
}
// Register a post-response call-back which will notify persistent
// searches and change listeners.
if (getResultCode() == ResultCode.SUCCESS)
{
registerPostResponseCallback(new Runnable()
{
@Override
public void run()
{
// Notify persistent searches.
for (PersistentSearch psearch : wfe.getPersistentSearches()) {
psearch.processDelete(entry, getChangeNumber());
}
// Notify change listeners.
for (ChangeNotificationListener changeListener : DirectoryServer
.getChangeNotificationListeners())
{
try
{
changeListener.handleDeleteOperation(
LocalBackendDeleteOperation.this, entry);
}
catch (Exception e)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
Message message = ERR_DELETE_ERROR_NOTIFYING_CHANGE_LISTENER
.get(getExceptionMessage(e));
logError(message);
}
}
}
});
}
}
/**
* Performs any request control processing needed for this operation.
*
* @throws DirectoryException If a problem occurs that should cause the
* operation to fail.
*/
protected void handleRequestControls()
throws DirectoryException
{
List<Control> requestControls = getRequestControls();
if ((requestControls != null) && (! requestControls.isEmpty()))
{
for (int i=0; i < requestControls.size(); i++)
{
Control c = requestControls.get(i);
String oid = c.getOID();
if (!LocalBackendWorkflowElement.isControlAllowed(entryDN, this, c))
{
// Skip disallowed non-critical controls.
continue;
}
if (oid.equals(OID_LDAP_ASSERTION))
{
LDAPAssertionRequestControl assertControl =
getRequestControl(LDAPAssertionRequestControl.DECODER);
SearchFilter filter;
try
{
filter = assertControl.getSearchFilter();
}
catch (DirectoryException de)
{
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(de.getResultCode(),
ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
}
// Check if the current user has permission to make
// this determination.
if (!AccessControlConfigManager.getInstance().
getAccessControlHandler().isAllowed(this, entry, filter))
{
throw new DirectoryException(
ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(oid));
}
try
{
if (!filter.matchesEntry(entry))
{
throw new DirectoryException(ResultCode.ASSERTION_FAILED,
ERR_DELETE_ASSERTION_FAILED.get(String
.valueOf(entryDN)));
}
}
catch (DirectoryException de)
{
if (de.getResultCode() == ResultCode.ASSERTION_FAILED)
{
throw de;
}
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
throw new DirectoryException(de.getResultCode(),
ERR_DELETE_CANNOT_PROCESS_ASSERTION_FILTER.get(
String.valueOf(entryDN),
de.getMessageObject()));
}
}
else if (oid.equals(OID_LDAP_NOOP_OPENLDAP_ASSIGNED))
{
noOp = true;
}
else if (oid.equals(OID_LDAP_READENTRY_PREREAD))
{
preReadRequest =
getRequestControl(LDAPPreReadRequestControl.DECODER);
}
else if (oid.equals(OID_PROXIED_AUTH_V1))
{
// Log usage of legacy proxy authz V1 control.
addAdditionalLogItem(AdditionalLogItem.keyOnly(getClass(),
"obsoleteProxiedAuthzV1Control"));
// The requester must have the PROXIED_AUTH privilige in order to
// be able to use this control.
if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
{
throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED,
ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV1Control proxyControl =
getRequestControl(ProxiedAuthV1Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
if (authorizationEntry == null)
{
setProxiedAuthorizationDN(DN.nullDN());
}
else
{
setProxiedAuthorizationDN(authorizationEntry.getDN());
}
}
else if (oid.equals(OID_PROXIED_AUTH_V2))
{
// The requester must have the PROXIED_AUTH privilige in order to
// be able to use this control.
if (! clientConnection.hasPrivilege(Privilege.PROXIED_AUTH, this))
{
throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED,
ERR_PROXYAUTH_INSUFFICIENT_PRIVILEGES.get());
}
ProxiedAuthV2Control proxyControl =
getRequestControl(ProxiedAuthV2Control.DECODER);
Entry authorizationEntry = proxyControl.getAuthorizationEntry();
setAuthorizationEntry(authorizationEntry);
if (authorizationEntry == null)
{
setProxiedAuthorizationDN(DN.nullDN());
}
else
{
setProxiedAuthorizationDN(authorizationEntry.getDN());
}
}
// NYI -- Add support for additional controls.
else if (c.isCritical())
{
if ((backend == null) || (! backend.supportsControl(oid)))
{
throw new DirectoryException(
ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
ERR_DELETE_UNSUPPORTED_CRITICAL_CONTROL.get(
String.valueOf(entryDN), oid));
}
}
}
}
}
/**
* Handle conflict resolution.
* @return {@code true} if processing should continue for the operation, or
* {@code false} if not.
*/
protected boolean handleConflictResolution() {
boolean returnVal = true;
for (SynchronizationProvider<?> provider :
DirectoryServer.getSynchronizationProviders()) {
try {
SynchronizationProviderResult result =
provider.handleConflictResolution(this);
if (! result.continueProcessing()) {
setResultCode(result.getResultCode());
appendErrorMessage(result.getErrorMessage());
setMatchedDN(result.getMatchedDN());
setReferralURLs(result.getReferralURLs());
returnVal = false;
break;
}
} catch (DirectoryException de) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
logError(ERR_DELETE_SYNCH_CONFLICT_RESOLUTION_FAILED.get(
getConnectionID(), getOperationID(),
getExceptionMessage(de)));
setResponseData(de);
returnVal = false;
break;
}
}
return returnVal;
}
/**
* Invoke post operation synchronization providers.
*/
protected void processSynchPostOperationPlugins() {
for (SynchronizationProvider<?> provider :
DirectoryServer.getSynchronizationProviders()) {
try {
provider.doPostOperation(this);
} catch (DirectoryException de) {
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
logError(ERR_DELETE_SYNCH_POSTOP_FAILED.get(getConnectionID(),
getOperationID(), getExceptionMessage(de)));
setResponseData(de);
break;
}
}
}
/**
* Process pre operation.
* @return {@code true} if processing should continue for the operation, or
* {@code false} if not.
*/
protected boolean processPreOperation() {
boolean returnVal = true;
for (SynchronizationProvider<?> provider :
DirectoryServer.getSynchronizationProviders()) {
try {
SynchronizationProviderResult result =
provider.doPreOperation(this);
if (! result.continueProcessing()) {
setResultCode(result.getResultCode());
appendErrorMessage(result.getErrorMessage());
setMatchedDN(result.getMatchedDN());
setReferralURLs(result.getReferralURLs());
returnVal = false;
break;
}
} catch (DirectoryException de) {
if (debugEnabled())
{
TRACER.debugCaught(DebugLogLevel.ERROR, de);
}
logError(ERR_DELETE_SYNCH_PREOP_FAILED.get(getConnectionID(),
getOperationID(), getExceptionMessage(de)));
setResponseData(de);
returnVal = false;
break;
}
}
return returnVal;
}
}