use of com.unboundid.ldap.sdk.unboundidds.extensions.GetSubtreeAccessibilityExtendedRequest in project ldapsdk by pingidentity.
the class SubtreeAccessibilityTestCase method testServerInteraction.
/**
* Tests the behavior of the tool when actually interacting with a server.
* <BR><BR>
* Access to a Directory Server instance that supports the get and set subtree
* accessibility operations is required for complete processing.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test()
public void testServerInteraction() throws Exception {
if (!isDirectoryInstanceAvailable()) {
return;
}
final LDAPConnection conn = getAdminConnection();
try {
final RootDSE rootDSE = conn.getRootDSE();
if (!(rootDSE.supportsExtendedOperation(GetSubtreeAccessibilityExtendedRequest.GET_SUBTREE_ACCESSIBILITY_REQUEST_OID) && rootDSE.supportsExtendedOperation(SetSubtreeAccessibilityExtendedRequest.SET_SUBTREE_ACCESSIBILITY_REQUEST_OID))) {
return;
}
// Ensure that the base entry exists.
conn.add(getTestBaseDN(), getBaseEntryAttributes());
// Verify that the server doesn't have any restrictions defined.
GetSubtreeAccessibilityExtendedResult getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertTrue(getResult.getAccessibilityRestrictions().isEmpty());
// Verify that we can use the tool in "get" mode with no restrictions
// defined.
String[] args = { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword() };
ResultCode resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Use the tool to create a new subtree accessibility restriction.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "ou=subtree," + getTestBaseDN(), "--state", "read-only-bind-allowed", "--bypassUserDN", "uid=bypass," + getTestBaseDN() };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Verify that the server now has a restriction defined.
getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertFalse(getResult.getAccessibilityRestrictions().isEmpty());
// Verify that we can use the tool in "get" mode with a restriction
// defined.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword() };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Use the tool to modify the subtree accessibility restriction.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "ou=subtree," + getTestBaseDN(), "--state", "read-only-bind-denied", "--bypassUserDN", "uid=bypass," + getTestBaseDN() };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Verify that the server still has only one restriction defined.
getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertEquals(getResult.getAccessibilityRestrictions().size(), 1);
// Use the tool to add a second restriction.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "ou=subtree2," + getTestBaseDN(), "--state", "hidden" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Verify that the server now has two restrictions defined.
getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertEquals(getResult.getAccessibilityRestrictions().size(), 2);
// Verify that we can use the tool in "get" mode with multiple
// restrictions defined.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword() };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Use the tool to remove the first subtree accessibility restriction.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "ou=subtree," + getTestBaseDN(), "--state", "accessible" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Verify that the server no longer has any restrictions defined.
getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertEquals(getResult.getAccessibilityRestrictions().size(), 1);
// Use the tool to remove the remaining subtree accessibility restriction.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "ou=subtree2," + getTestBaseDN(), "--state", "accessible" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertEquals(resultCode, ResultCode.SUCCESS);
// Verify that the server no longer has any restrictions defined.
getResult = (GetSubtreeAccessibilityExtendedResult) conn.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
assertResultCodeEquals(getResult, ResultCode.SUCCESS);
assertNotNull(getResult.getAccessibilityRestrictions());
assertTrue(getResult.getAccessibilityRestrictions().isEmpty());
// Invoke the tool in get mode with the wrong password so it will fail.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", "wrong-" + getTestBindPassword() };
resultCode = SubtreeAccessibility.main(args, null, null);
assertFalse(resultCode == ResultCode.SUCCESS);
// Invoke the tool in set mode with a bad base DN so it will fail.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", getTestBindDN(), "--bindPassword", getTestBindPassword(), "--set", "--baseDN", "dc=does,dc=not,dc=exist", "--state", "accessible" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertFalse(resultCode == ResultCode.SUCCESS);
// Invoke the tool in get mode with no credentials so it will fail.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", "", "--bindPassword", "" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertFalse(resultCode == ResultCode.SUCCESS);
// Invoke the tool in get mode with no credentials so it will fail.
args = new String[] { "--hostname", getTestHost(), "--port", String.valueOf(getTestPort()), "--bindDN", "", "--bindPassword", "", "--set", "--baseDN", "ou=subtree,dc=example,dc=com", "--state", "accessible" };
resultCode = SubtreeAccessibility.main(args, null, null);
assertFalse(resultCode == ResultCode.SUCCESS);
} finally {
try {
conn.delete(getTestBaseDN());
} catch (final Exception e) {
}
conn.close();
}
}
use of com.unboundid.ldap.sdk.unboundidds.extensions.GetSubtreeAccessibilityExtendedRequest in project ldapsdk by pingidentity.
the class MoveSubtree method checkInitialAccessibility.
/**
* Ensures that the specified subtree is accessible in both the source and
* target servers. If it is not accessible, then it may indicate that another
* administrative operation is in progress for the subtree, or that a previous
* move-subtree operation was interrupted before it could complete.
*
* @param sourceConnection The connection to use to communicate with the
* source directory server.
* @param targetConnection The connection to use to communicate with the
* target directory server.
* @param baseDN The base DN for which to verify accessibility.
* @param opPurposeControl An optional operation purpose request control
* that may be included in the requests.
*
* @return {@code null} if the specified subtree is accessible in both the
* source and target servers, or a non-{@code null} object with the
* result that should be used if there is an accessibility problem
* with the subtree on the source and/or target server.
*/
@Nullable()
private static MoveSubtreeResult checkInitialAccessibility(@NotNull final LDAPConnection sourceConnection, @NotNull final LDAPConnection targetConnection, @NotNull final String baseDN, @Nullable final OperationPurposeRequestControl opPurposeControl) {
final DN parsedBaseDN;
try {
parsedBaseDN = new DN(baseDN);
} catch (final Exception e) {
Debug.debugException(e);
return new MoveSubtreeResult(ResultCode.INVALID_DN_SYNTAX, ERR_MOVE_SUBTREE_CANNOT_PARSE_BASE_DN.get(baseDN, StaticUtils.getExceptionMessage(e)), null, false, false, 0, 0, 0);
}
final Control[] controls;
if (opPurposeControl == null) {
controls = StaticUtils.NO_CONTROLS;
} else {
controls = new Control[] { opPurposeControl };
}
// Get the restrictions from the source server. If there are any, then
// make sure that nothing in the hierarchy of the base DN is non-accessible.
final GetSubtreeAccessibilityExtendedResult sourceResult;
try {
sourceResult = (GetSubtreeAccessibilityExtendedResult) sourceConnection.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest(controls));
if (sourceResult.getResultCode() != ResultCode.SUCCESS) {
throw new LDAPException(sourceResult);
}
} catch (final LDAPException le) {
Debug.debugException(le);
return new MoveSubtreeResult(le.getResultCode(), ERR_MOVE_SUBTREE_CANNOT_GET_ACCESSIBILITY_STATE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_SOURCE.get(), le.getMessage()), null, false, false, 0, 0, 0);
}
boolean sourceMatch = false;
String sourceMessage = null;
SubtreeAccessibilityRestriction sourceRestriction = null;
final List<SubtreeAccessibilityRestriction> sourceRestrictions = sourceResult.getAccessibilityRestrictions();
if (sourceRestrictions != null) {
for (final SubtreeAccessibilityRestriction r : sourceRestrictions) {
if (r.getAccessibilityState() == SubtreeAccessibilityState.ACCESSIBLE) {
continue;
}
final DN restrictionDN;
try {
restrictionDN = new DN(r.getSubtreeBaseDN());
} catch (final Exception e) {
Debug.debugException(e);
return new MoveSubtreeResult(ResultCode.INVALID_DN_SYNTAX, ERR_MOVE_SUBTREE_CANNOT_PARSE_RESTRICTION_BASE_DN.get(r.getSubtreeBaseDN(), INFO_MOVE_SUBTREE_CONNECTION_NAME_SOURCE.get(), r.toString(), StaticUtils.getExceptionMessage(e)), null, false, false, 0, 0, 0);
}
if (restrictionDN.equals(parsedBaseDN)) {
sourceMatch = true;
sourceRestriction = r;
sourceMessage = ERR_MOVE_SUBTREE_NOT_ACCESSIBLE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_SOURCE.get(), r.getAccessibilityState().getStateName());
break;
} else if (restrictionDN.isAncestorOf(parsedBaseDN, false)) {
sourceRestriction = r;
sourceMessage = ERR_MOVE_SUBTREE_WITHIN_UNACCESSIBLE_TREE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_SOURCE.get(), r.getSubtreeBaseDN(), r.getAccessibilityState().getStateName());
break;
} else if (restrictionDN.isDescendantOf(parsedBaseDN, false)) {
sourceRestriction = r;
sourceMessage = ERR_MOVE_SUBTREE_CONTAINS_UNACCESSIBLE_TREE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_SOURCE.get(), r.getSubtreeBaseDN(), r.getAccessibilityState().getStateName());
break;
}
}
}
// Get the restrictions from the target server. If there are any, then
// make sure that nothing in the hierarchy of the base DN is non-accessible.
final GetSubtreeAccessibilityExtendedResult targetResult;
try {
targetResult = (GetSubtreeAccessibilityExtendedResult) targetConnection.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest(controls));
if (targetResult.getResultCode() != ResultCode.SUCCESS) {
throw new LDAPException(targetResult);
}
} catch (final LDAPException le) {
Debug.debugException(le);
return new MoveSubtreeResult(le.getResultCode(), ERR_MOVE_SUBTREE_CANNOT_GET_ACCESSIBILITY_STATE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_TARGET.get(), le.getMessage()), null, false, false, 0, 0, 0);
}
boolean targetMatch = false;
String targetMessage = null;
SubtreeAccessibilityRestriction targetRestriction = null;
final List<SubtreeAccessibilityRestriction> targetRestrictions = targetResult.getAccessibilityRestrictions();
if (targetRestrictions != null) {
for (final SubtreeAccessibilityRestriction r : targetRestrictions) {
if (r.getAccessibilityState() == SubtreeAccessibilityState.ACCESSIBLE) {
continue;
}
final DN restrictionDN;
try {
restrictionDN = new DN(r.getSubtreeBaseDN());
} catch (final Exception e) {
Debug.debugException(e);
return new MoveSubtreeResult(ResultCode.INVALID_DN_SYNTAX, ERR_MOVE_SUBTREE_CANNOT_PARSE_RESTRICTION_BASE_DN.get(r.getSubtreeBaseDN(), INFO_MOVE_SUBTREE_CONNECTION_NAME_TARGET.get(), r.toString(), StaticUtils.getExceptionMessage(e)), null, false, false, 0, 0, 0);
}
if (restrictionDN.equals(parsedBaseDN)) {
targetMatch = true;
targetRestriction = r;
targetMessage = ERR_MOVE_SUBTREE_NOT_ACCESSIBLE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_TARGET.get(), r.getAccessibilityState().getStateName());
break;
} else if (restrictionDN.isAncestorOf(parsedBaseDN, false)) {
targetRestriction = r;
targetMessage = ERR_MOVE_SUBTREE_WITHIN_UNACCESSIBLE_TREE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_TARGET.get(), r.getSubtreeBaseDN(), r.getAccessibilityState().getStateName());
break;
} else if (restrictionDN.isDescendantOf(parsedBaseDN, false)) {
targetRestriction = r;
targetMessage = ERR_MOVE_SUBTREE_CONTAINS_UNACCESSIBLE_TREE.get(baseDN, INFO_MOVE_SUBTREE_CONNECTION_NAME_TARGET.get(), r.getSubtreeBaseDN(), r.getAccessibilityState().getStateName());
break;
}
}
}
// to do anything else.
if ((sourceRestriction == null) && (targetRestriction == null)) {
return null;
}
// specific advice about how to recover.
if (sourceMatch || targetMatch) {
// accessible before running again.
if ((sourceRestriction != null) && sourceRestriction.getAccessibilityState().isReadOnly() && (targetRestriction != null) && targetRestriction.getAccessibilityState().isHidden()) {
return new MoveSubtreeResult(ResultCode.UNWILLING_TO_PERFORM, ERR_MOVE_SUBTREE_POSSIBLY_INTERRUPTED_IN_ADDS.get(baseDN, sourceConnection.getConnectedAddress(), sourceConnection.getConnectedPort(), targetConnection.getConnectedAddress(), targetConnection.getConnectedPort()), ERR_MOVE_SUBTREE_POSSIBLY_INTERRUPTED_IN_ADDS_ADMIN_MSG.get(), false, false, 0, 0, 0);
}
// subtree accessible. There shouldn't be a need to run again.
if ((sourceRestriction != null) && sourceRestriction.getAccessibilityState().isHidden() && (targetRestriction == null)) {
return new MoveSubtreeResult(ResultCode.UNWILLING_TO_PERFORM, ERR_MOVE_SUBTREE_POSSIBLY_INTERRUPTED_IN_DELETES.get(baseDN, sourceConnection.getConnectedAddress(), sourceConnection.getConnectedPort(), targetConnection.getConnectedAddress(), targetConnection.getConnectedPort()), ERR_MOVE_SUBTREE_POSSIBLY_INTERRUPTED_IN_DELETES_ADMIN_MSG.get(), false, false, 0, 0, 0);
}
}
// If we've made it here, then we're in a situation we don't recognize.
// Provide general information about the current state of the subtree and
// recommend that the user contact support if they need assistance.
final StringBuilder details = new StringBuilder();
if (sourceMessage != null) {
details.append(sourceMessage);
}
if (targetMessage != null) {
append(targetMessage, details);
}
return new MoveSubtreeResult(ResultCode.UNWILLING_TO_PERFORM, ERR_MOVE_SUBTREE_POSSIBLY_INTERRUPTED.get(baseDN, sourceConnection.getConnectedAddress(), sourceConnection.getConnectedPort(), targetConnection.getConnectedAddress(), targetConnection.getConnectedPort(), details.toString()), null, false, false, 0, 0, 0);
}
use of com.unboundid.ldap.sdk.unboundidds.extensions.GetSubtreeAccessibilityExtendedRequest in project ldapsdk by pingidentity.
the class SubtreeAccessibility method doGet.
/**
* Does the work necessary to retrieve the set of subtree accessibility
* restrictions defined in the server.
*
* @param connection The connection to use to communicate with the server.
*
* @return A result code with information about the result of operation
* processing.
*/
@NotNull()
private ResultCode doGet(@NotNull final LDAPConnection connection) {
final GetSubtreeAccessibilityExtendedResult result;
try {
result = (GetSubtreeAccessibilityExtendedResult) connection.processExtendedOperation(new GetSubtreeAccessibilityExtendedRequest());
} catch (final LDAPException le) {
Debug.debugException(le);
err("An error occurred while attempting to invoke the get subtree " + "accessibility request: ", StaticUtils.getExceptionMessage(le));
return le.getResultCode();
}
if (result.getResultCode() != ResultCode.SUCCESS) {
err("The server returned an error for the get subtree accessibility " + "request: ", result.getDiagnosticMessage());
return result.getResultCode();
}
final List<SubtreeAccessibilityRestriction> restrictions = result.getAccessibilityRestrictions();
if ((restrictions == null) || restrictions.isEmpty()) {
out("There are no subtree accessibility restrictions defined in the " + "server.");
return ResultCode.SUCCESS;
}
if (restrictions.size() == 1) {
out("1 subtree accessibility restriction was found in the server:");
} else {
out(restrictions.size(), " subtree accessibility restrictions were found in the server:");
}
for (final SubtreeAccessibilityRestriction r : restrictions) {
out("Subtree Base DN: ", r.getSubtreeBaseDN());
out("Accessibility State: ", r.getAccessibilityState().getStateName());
final String bypassDN = r.getBypassUserDN();
if (bypassDN != null) {
out("Bypass User DN: ", bypassDN);
}
out("Effective Time: ", r.getEffectiveTime());
out();
}
return ResultCode.SUCCESS;
}
Aggregations