/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at * docs/licenses/cddl.txt * or http://www.opensource.org/licenses/cddl1.php. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at * docs/licenses/cddl.txt. If applicable, * add the following below this CDDL HEADER, with the fields enclosed * by brackets "[]" replaced with your own identifying information: * Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END * * * Copyright 2017-2018 Ping Identity Corporation */ package com.unboundid.directory.sdk.examples; import java.util.ArrayList; import java.util.Arrays; import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; import com.unboundid.directory.sdk.common.schema.AttributeType; import com.unboundid.directory.sdk.common.operation.AddRequest; import com.unboundid.directory.sdk.common.operation.AddResult; import com.unboundid.directory.sdk.common.operation.ModifyRequest; import com.unboundid.directory.sdk.common.operation.ModifyResult; import com.unboundid.directory.sdk.common.operation.UpdatableAddRequest; import com.unboundid.directory.sdk.common.operation.UpdatableAddResult; import com.unboundid.directory.sdk.common.operation.UpdatableModifyRequest; import com.unboundid.directory.sdk.common.operation.UpdatableModifyResult; import com.unboundid.directory.sdk.common.types.ActiveOperationContext; import com.unboundid.directory.sdk.common.types.AlertSeverity; import com.unboundid.directory.sdk.common.types.CompletedOperationContext; import com.unboundid.directory.sdk.common.types.Entry; import com.unboundid.directory.sdk.common.types.InternalConnection; import com.unboundid.directory.sdk.common.types.OperationContext; import com.unboundid.directory.sdk.ds.api.Plugin; import com.unboundid.directory.sdk.ds.config.PluginConfig; import com.unboundid.directory.sdk.ds.types.DirectoryServerContext; import com.unboundid.directory.sdk.ds.types.PostResponsePluginResult; import com.unboundid.directory.sdk.ds.types.PreOperationPluginResult; import com.unboundid.directory.sdk.ds.types.PreParsePluginResult; import com.unboundid.ldap.sdk.Attribute; import com.unboundid.ldap.sdk.DereferencePolicy; import com.unboundid.ldap.sdk.DN; import com.unboundid.ldap.sdk.Filter; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPSearchException; import com.unboundid.ldap.sdk.Modification; import com.unboundid.ldap.sdk.ModificationType; import com.unboundid.ldap.sdk.RDN; import com.unboundid.ldap.sdk.ResultCode; import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; import com.unboundid.ldap.sdk.unboundidds.jsonfilter.ANDJSONObjectFilter; import com.unboundid.ldap.sdk.unboundidds.jsonfilter.EqualsAnyJSONObjectFilter; import com.unboundid.ldap.sdk.unboundidds.jsonfilter.EqualsJSONObjectFilter; import com.unboundid.ldap.sdk.unboundidds.jsonfilter.JSONObjectFilter; import com.unboundid.ldap.sdk.unboundidds.jsonfilter.NegateJSONObjectFilter; import com.unboundid.util.StaticUtils; import com.unboundid.util.args.ArgumentException; import com.unboundid.util.args.ArgumentParser; import com.unboundid.util.args.BooleanValueArgument; import com.unboundid.util.args.DNArgument; import com.unboundid.util.args.FilterArgument; import com.unboundid.util.args.StringArgument; import com.unboundid.util.json.JSONArray; import com.unboundid.util.json.JSONObject; import com.unboundid.util.json.JSONValue; /** * The JSON Field Uniqueness Plugin can be used to enforce uniqueness * constraints for values of a specified JSON field stored in a given LDAP * attribute. Uniqueness can be enforced across entries so that the same value * will not be allowed to appear in two different entries. It can also be * enforced within the same entry, so that each value of the JSON field (whether * in separate values of the LDAP attribute or within a JSON array in the same * LDAP attribute value). * <BR><BR> * This plugin can be used in either the Directory Server or the Directory Proxy * Server, although it is not recommended to be configured in both types of * servers in the same topology. In deployments in which each Directory Server * instance contains a complete copy of all the data (regardless of whether * requests to those instances pass through the Directory Proxy Server), the * plugin should be configured in all Directory Server instances as a * pre-operation and post-synchronization plugin for add and modify operations, * and it should not be configured in any Directory Proxy Server instances. For * each add and modify request received from an external client, the plugin will * check to see if that operation includes any changes involving the target JSON * field within the appropriate LDAP attribute, and will reject any change that * would introduce a conflict with a value that already exists in another entry, * or that includes duplicate values within the same entry if that is not * allowed. It will also examine each add and modify operation that is * replicated from another server, and if that operation introduced a conflict * (which may arise if two conflicting requests are processed by different * servers at the same time), the plugin will generate an alert to notify * administrators of the conflict so that it can be addressed by manual * interaction. * <BR><BR> * In deployments that use the Directory Proxy Server to separate data across * multiple servers, whether through entry balancing or by separating different * portions of the DIT across different sets of servers, the plugin should be * configured in all Directory Proxy Server instances as a pre-parse and * post-response plugin for add and modify operations, and it should not be * configured in any of the Directory Server instances. For each add and modify * request received by the Directory Proxy Server, the plugin will reject any * request that attempts to introduce a conflicting value for the target JSON * field. It will also check for conflicts after each of those operations have * completed (to ensure that no conflicts were introduced by two conflicting * requests processed by different servers at the same time), and the plugin * will generate an alert to notify administrators of each conflict identified * so that they can be addressed by manual interaction. */ public class JSONFieldUniquenessPlugin extends Plugin { /** * The parent DN for all JSON attribute constraints definitions contained in * the server configuration. */ private static final DN JSON_ATTRIBUTE_CONSTRAINTS_PARENT_DN = new DN( new RDN("cn", "JSON Attribute Constraints"), new RDN("cn", "Cluster"), new RDN("cn", "config")); /** * The set of expected plugin types for a plugin that is running in the * Directory Server. */ private final Set<String> EXPECTED_DIRECTORY_PLUGIN_TYPES = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList( "preOperationAdd".toLowerCase(), "preOperationModify".toLowerCase(), "postSynchronizationAdd".toLowerCase(), "postSynchronizationModify".toLowerCase()))); /** * The set of expected plugin types for a plugin that is running in the * Directory Proxy Server. */ private final Set<String> EXPECTED_PROXY_PLUGIN_TYPES = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList( "preParseAdd".toLowerCase(), "preParseModify".toLowerCase(), "postResponseAdd".toLowerCase(), "postResponseModify".toLowerCase()))); /** * The name of the required argument used to specify the name or OID of the * LDAP attribute for which uniqueness is to be maintained. */ private static final String ARG_ATTR_NAME = "ldap-attribute-name"; /** * The name of the required argument used to specify the path to the JSON * field for which uniqueness is to be maintained. */ private static final String ARG_JSON_FIELD_PATH = "json-field-path"; /** * The name of the optional argument used to indicate whether the plugin * should ensure that values of the target field must not conflict with values * for the same field across other entries within the branches indicated by * the configured base DN(s). */ private static final String ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES = "require-uniqueness-across-entries"; /** * The name of the optional argument used to indicate whether the plugin * should ensure that multiple values of the target field within the same * entry will be required to be unique. */ private static final String ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY = "require-uniqueness-within-an-entry"; /** * The name of the optional argument used to specify the base DN(s) that will * be used for searches to find conflicting entries. */ private static final String ARG_BASE_DN = "entry-base-dn"; /** * The name of the optional argument used to provide an LDAP search filter * that indicates the set of entries for which uniqueness must be enforced. */ private static final String ARG_UNIQUE_ENTRY_LDAP_FILTER = "unique-entry-ldap-filter"; /** * The name of the optional argument used to provide a JSON object filter that * a JSON object contained in a value of the specified LDAP attribute will * be required to match before applying the uniqueness constraint to it. */ private static final String ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER = "unique-value-json-object-filter"; /** * The name of the attribute in JSON field constraints definitions that * indicates whether the associated JSON field is indexed. */ private static final String ATTR_JSON_FIELD_CONSTRAINTS_INDEX_VALUES = "ds-cfg-index-values"; /** * The OID for the JSONObject syntax, which is the required syntax for the * configured LDAP attribute type. */ private static final String OID_JSON_OBJECT_SYNTAX = "1.3.6.1.4.1.30221.2.3.4"; // The attribute type for which to enforce uniqueness. private volatile AttributeType ldapAttributeType; // Indicates whether to require uniqueness across entries. private volatile boolean requireUniquenessAcrossEntries; // Indicates whether to require uniqueness across multiple values in the same // entry. private volatile boolean requireUniquenessWithinAnEntry; // The server context to use during processing. private volatile DirectoryServerContext serverContext; // An LDAP filter that identifies which entries should be subject to // uniqueness constraints. private volatile Filter uniqueEntryLDAPFilter; // An connection that may be used to perform internal operations within the // server. private volatile InternalConnection internalConnection; // A JSON object filter that identifies which attribute values should be // subject to uniqueness constraints. private volatile JSONObjectFilter uniqueValueJSONObjectFilter; // The base DNs for subtrees in which to enforce uniqueness. private volatile List<DN> baseDNs; // The path to the JSON field for which to enforce uniqueness. private volatile List<String> jsonFieldPath; // The configuration for this plugin. private volatile PluginConfig config; // The string representation of the JSON field path. private volatile String jsonFieldPathString; /** * Creates a new instance of this plugin. */ public JSONFieldUniquenessPlugin() { ldapAttributeType = null; jsonFieldPath = null; jsonFieldPathString = null; requireUniquenessWithinAnEntry = true; requireUniquenessAcrossEntries = true; baseDNs = null; uniqueEntryLDAPFilter = null; uniqueValueJSONObjectFilter = null; serverContext = null; internalConnection = null; config = null; } /** * Retrieves the name for this extension. * * @return The name for this extension. */ @Override() public String getExtensionName() { return "JSON Field Uniqueness Plugin"; } /** * Retrieves a description for this extension. * * @return A description for this extension. */ @Override() public String[] getExtensionDescription() { return new String[] { "The JSON Field Uniqueness Plugin can be used to enforce uniqueness " + "constraints for values of a specified JSON field stored in a " + "given LDAP attribute. Uniqueness can be enforced across entries " + "so that the same value will not be allowed to appear in two " + "different entries. It can also be enforced within the same " + "entry, so that each value of the JSON field (whether in separate " + "values of the LDAP attribute or within a JSON array in the same " + "LDAP attribute value).", "This plugin can be used in either the Directory Server or the " + "Directory Proxy Server, although it is not recommended to be " + "configured in both types of servers in the same topology. In " + "deployments in which each Directory Server instance contains a " + "complete copy of all the data (regardless of whether requests to " + "those instances pass through the Directory Proxy Server), the " + "plugin should be configured in all Directory Server instances as " + "a pre-operation and post-synchronization plugin for add and " + "modify operations, and it should not be configured in any " + "Directory Proxy Server instances. For each add and modify " + "request received from an external client, the plugin will check " + "to see if that operation includes any changes involving the " + "target JSON field within the appropriate LDAP attribute, and " + "will reject any change that would introduce a conflict with a " + "value that already exists in another entry, or that includes " + "duplicate values within the same entry if that is not allowed. " + "It will also examine each add and modify operation that is " + "replicated from another server, and if that operation introduced " + "a conflict (which may arise if two conflicting requests are " + "processed by different servers at the same time), the plugin " + "will generate an alert to notify administrators of the conflict " + "so that it can be addressed by manual interaction.", "In deployments that use the Directory Proxy Server to separate data " + "across multiple servers, whether through entry balancing or by " + "separating different portions of the DIT across different sets " + "of servers, the plugin should be configured in all Directory " + "Proxy Server instances as a pre-parse and post-response plugin " + "for add and modify operations, and it should not be configured " + "in any of the Directory Server instances. For each add and " + "modify request received by the Directory Proxy Server, the " + "plugin will reject any request that attempts to introduce a " + "conflicting value for the target JSON field. It will also check " + "for conflicts after each of those operations have completed (to " + "ensure that no conflicts were introduced by two conflicting " + "requests processed by different servers at the same time), and " + "the plugin will generate an alert to notify administrators of " + "each conflict identified so that they can be addressed by " + "manual interaction." }; } /** * Updates the provided argument parser to include the arguments for this * extension. * * @param parser The argument parser to update. */ @Override() public void defineConfigArguments(final ArgumentParser parser) throws ArgumentException { parser.addArgument(new StringArgument(null, ARG_ATTR_NAME, true, 1, "{attribute}", "The name or OID of the LDAP attribute type whose values will be " + "examined for uniqueness conflicts. This attribute type must " + "be defined with a JSON Object syntax (OID " + "1.3.6.1.4.1.30221.2.3.4) in the schema for all Directory " + "Server and Directory Proxy Server instances in the topology. " + "All Directory Server instances must be configured with a JSON " + "object constraints definition for this attribute type. This " + "is a required argument.")); parser.addArgument(new StringArgument(null, ARG_JSON_FIELD_PATH, true, 1, "{path}", "The path to the JSON field for which uniqueness will be enforced. " + "For a top-level field, the path should simply be the name of " + "that field. For a nested field (a field contained in a JSON " + "object that is itself the value of a field in an outer JSON " + "object), the path to the field should be constructed by " + "concatenating the names of the fields in that path, in order " + "from outermost to innermost, and separating them with " + "periods. For example, if a JSON object has a top-level field " + "named \"contact-info\" whose value is a JSON object that may " + "contain an \"email-address\" field, then the json-field-path " + "value for that field would be " + "\"contact-info.email-address\". If the name of any field " + "in the path contains one or more periods, those periods " + "should be escaped by preceding them with a backslash so that " + "the only unescaped periods are those used as delimiters " + "between field names. All Directory Server instances must be " + "configured with a JSON field constraints definition for this " + "field, and that definition must have the index-values " + "property set to true. JSON field names will be treated in " + "a case-sensitive manner. This is a required argument.")); parser.addArgument(new BooleanValueArgument(null, ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES, false, "{true|false}", "Indicates whether the plugin should check for uniqueness conflicts " + "across separate entries. If this is true, or if it is " + "omitted from the configuration, then the plugin will reject " + "any add or modify request that attempts to set one or more " + "values for the target JSON field if any of those values is " + "already in use in any other entry, and it will raise an " + "administrative alert for each conflict discovered after the " + "change has already been applied. If this is false, then the " + "plugin will not attempt to identify uniqueness conflicts in " + "separate entries. At least one of the " + "require-uniqueness-across-entries and " + "require-uniqueness-within-an-entry properties must be set to " + "true.", Boolean.TRUE)); parser.addArgument(new BooleanValueArgument(null, ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY, false, "{true|false}", "Indicates whether the plugin should check for uniqueness conflicts " + "within the same entry. If this is true, or if it is omitted " + "from the configuration, then the plugin will reject any add " + "or modify request that attempts to set one or more values for " + "the target JSON field if any of those values is already in " + "use in the same entry, whether in separate value for the " + "LDAP attribute, or in another value in a JSON array. If this " + "is false, then the plugin will not attempt to identify " + "uniqueness conflicts within the same entry. At least one of " + "the require-uniqueness-across-entries and " + "require-uniqueness-within-an-entry properties must be set to " + "true.", Boolean.TRUE)); parser.addArgument(new DNArgument(null, ARG_BASE_DN, false, 0, "{dn}", "The base DN for a subtree in which the plugin will enforce " + "uniqueness constraints. This can be provided multiple times " + "to specify multiple base DNs, and if it is not specified, " + "then the plugin will use a default set of base DNs that is " + "the set of public naming contexts for the server. The " + "plugin will only examine add and modify requests that target " + "entries at or below one of these base DNs, and if uniqueness " + "is to be enforced across entries, it will ignore any " + "conflicts that may be identified outside any of the " + "configured base DNs.")); parser.addArgument(new FilterArgument(null, ARG_UNIQUE_ENTRY_LDAP_FILTER, false, 1, "{ldap-filter}", "An optional LDAP search filter that may be used to identify the " + "set of entries for which uniqueness should be enforced. If a " + "filter is configured, then the plugin will ignore any add or " + "modify requests that target entries that do not match this " + "filter, and if uniqueness is to be enforced across entries, " + "it will ignore conflicts that may be identified in entries " + "that do not match this filter.")); parser.addArgument(new StringArgument(null, ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER, false, 1, "{json-object-filter}", "An optional JSON object filter that may be used to identify which " + "values of a multivalued attribute should be subject to the " + "uniqueness constraints. If a unique value JSON object " + "filter is configured, then the plugin will ignore field " + "values for JSON objects that do not match this filter.")); } /** * Initializes this plugin. * * @param serverContext A handle to the server context for the server in * which this extension is running. * @param config The general configuration for this plugin. * @param parser The argument parser which has been initialized from * the configuration for this plugin. * * @throws LDAPException If a problem occurs while initializing this plugin. */ @Override() public void initializePlugin(final DirectoryServerContext serverContext, final PluginConfig config, final ArgumentParser parser) throws LDAPException { this.serverContext = serverContext; this.config = config; // Make sure that we have an internal connection to use for processing // internal operations. if (internalConnection == null) { internalConnection = serverContext.getInternalRootConnection(); } // Use the applyConfiguration method to set up the plugin. final ArrayList<String> adminActionsRequired = new ArrayList<String>(5); final ArrayList<String> messages = new ArrayList<String>(5); final ResultCode resultCode = applyConfiguration(config, parser, adminActionsRequired, messages); if (resultCode != ResultCode.SUCCESS) { throw new LDAPException(resultCode, "One or more errors occurred while trying to initialize the JSON " + "field uniqueness plugin using the configuration contained " + "in '" + config.getConfigObjectDN() + "': " + StaticUtils.concatenateStrings(messages)); } } /** * Performs any processing which may be necessary before the server starts * processing for an add request. This will be invoked only for add * operations requested directly by clients, but not for add operations * received from another server via replication. * * @param operationContext The context for the add operation. * @param request The add request to be processed. It may be * altered if desired. * @param result The result that will be returned to the client if * the plugin result indicates that processing on * the operation should be interrupted. It may be * altered if desired. * * @return Information about the result of the plugin processing. */ @Override() public PreParsePluginResult doPreParse( final ActiveOperationContext operationContext, final UpdatableAddRequest request, final UpdatableAddResult result) { try { ensureUniqueness(request.getEntry().toLDAPSDKEntry(), serverContext, operationContext, config, internalConnection, ldapAttributeType, jsonFieldPathString, jsonFieldPath, requireUniquenessWithinAnEntry, requireUniquenessAcrossEntries, baseDNs, uniqueEntryLDAPFilter, uniqueValueJSONObjectFilter); return PreParsePluginResult.SUCCESS; } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreParsePluginResult(false, false, true, true); } } /** * Performs any processing which may be necessary before the server actually * attempts to add an entry to the appropriate backend. This will be invoked * only for add operations requested directly by clients, but not for add * operations received from another server via replication. * * @param operationContext The context for the add operation. * @param request The add request to be processed. * @param result The result that will be returned to the client if * the plugin result indicates that processing on * the operation should be interrupted. It may be * altered if desired. * * @return Information about the result of the plugin processing. */ @Override() public PreOperationPluginResult doPreOperation( final ActiveOperationContext operationContext, final AddRequest request, final UpdatableAddResult result) { try { ensureUniqueness(request.getEntry().toLDAPSDKEntry(), serverContext, operationContext, config, internalConnection, ldapAttributeType, jsonFieldPathString, jsonFieldPath, requireUniquenessWithinAnEntry, requireUniquenessAcrossEntries, baseDNs, uniqueEntryLDAPFilter, uniqueValueJSONObjectFilter); return PreOperationPluginResult.SUCCESS; } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreOperationPluginResult(false, false, true, true); } } /** * Performs any processing which may be necessary after all other processing * has been completed for an add operation and the response has been sent to * the client. This will be invoked only for add operations requested * directly by clients, but not for add operations received from another * server via replication. * * @param operationContext The context for the add operation. * @param request The add request that was processed. * @param result The result that was returned to the client. * * @return Information about the result of the plugin processing. */ @Override() public PostResponsePluginResult doPostResponse( final CompletedOperationContext operationContext, final AddRequest request, final AddResult result) { try { ensureUniqueness(request.getEntry().toLDAPSDKEntry(), serverContext, operationContext, config, internalConnection, ldapAttributeType, jsonFieldPathString, jsonFieldPath, requireUniquenessWithinAnEntry, requireUniquenessAcrossEntries, baseDNs, uniqueEntryLDAPFilter, uniqueValueJSONObjectFilter); } catch (final LDAPException le) { serverContext.debugCaught(le); // This means that a replicated operation generated a conflict. We can't // do anything to prevent this, but we can generate an administrative // alert to notify administrators of the problem. serverContext.sendAlert(AlertSeverity.ERROR, le.getMessage()); } return PostResponsePluginResult.SUCCESS; } /** * Performs any processing which may be necessary after all other processing * has been completed for an add operation which has been received from * another server via replication. * * @param operationContext The context for the add operation. * @param request The add request that was processed. * @param result The result that was returned to the client. */ @Override() public void doPostReplication( final CompletedOperationContext operationContext, final AddRequest request, final AddResult result) { try { ensureUniqueness(request.getEntry().toLDAPSDKEntry(), serverContext, operationContext, config, internalConnection, ldapAttributeType, jsonFieldPathString, jsonFieldPath, requireUniquenessWithinAnEntry, requireUniquenessAcrossEntries, baseDNs, uniqueEntryLDAPFilter, uniqueValueJSONObjectFilter); } catch (final LDAPException le) { serverContext.debugCaught(le); // This means that a replicated operation generated a conflict. We can't // do anything to prevent this, but we can generate an administrative // alert to notify administrators of the problem. serverContext.sendAlert(AlertSeverity.ERROR, le.getMessage()); } } /** * Performs any processing which may be necessary before the server starts * processing for a modify request. This will be invoked only for modify * operations requested directly by clients, but not for modify operations * received from another server via replication. * * @param operationContext The context for the modify operation. * @param request The modify request to be processed. It may be * altered if desired. * @param result The result that will be returned to the client if * the plugin result indicates that processing on * the operation should be interrupted. It may be * altered if desired. * * @return Information about the result of the plugin processing. */ @Override() public PreParsePluginResult doPreParse( final ActiveOperationContext operationContext, final UpdatableModifyRequest request, final UpdatableModifyResult result) { // We aren't given access to the entry (either before or after the changes // are applied), so we'll need to fetch it from a backend server and apply // the changes to it so we'll have a representation of the updated entry for // examination. But we'll only do that if the request could result in a // conflict, since otherwise retrieving the entry would be wasted effort. // // First, we want to make sure that we're dealing with a consistent // configuration, so get all of the configuration properties first. final AttributeType attributeType = ldapAttributeType; final List<String> fieldPath = jsonFieldPath; final String fieldPathString = jsonFieldPathString; final boolean uniqueWithinEntry = requireUniquenessWithinAnEntry; final boolean uniqueAcrossEntries = requireUniquenessAcrossEntries; final Filter uniqueEntryFilter = uniqueEntryLDAPFilter; final JSONObjectFilter uniqueValueFilter = uniqueValueJSONObjectFilter; if (! couldCreateConflict(request, attributeType, baseDNs, fieldPath)) { return PreParsePluginResult.SUCCESS; } // Retrieve the entry from a backend server. final SearchResultEntry currentEntry; try { currentEntry = internalConnection.getEntry(request.getDN(), "*", "+"); if (currentEntry == null) { result.setResultCode(ResultCode.NO_SUCH_OBJECT); result.setDiagnosticMessage("Could not find entry " + request.getDN()); return new PreParsePluginResult(false, false, true, true); } } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreParsePluginResult(false, false, true, true); } // Update the entry with the modifications from the request. final com.unboundid.ldap.sdk.Entry updatedEntry; try { updatedEntry = com.unboundid.ldap.sdk.Entry.applyModifications( currentEntry, false, request.getModifications()); } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreParsePluginResult(false, false, true, true); } try { ensureUniqueness(updatedEntry, serverContext, operationContext, config, internalConnection, attributeType, fieldPathString, fieldPath, uniqueWithinEntry, uniqueAcrossEntries, baseDNs, uniqueEntryFilter, uniqueValueFilter); return PreParsePluginResult.SUCCESS; } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreParsePluginResult(false, false, true, true); } } /** * Performs any processing which may be necessary before the server actually * attempts to update the entry in the backend. This will be invoked only for * modify operations requested directly by clients, but not for modify * operations received from another server via replication. * * @param operationContext The context for the modify operation. * @param request The modify request to be processed. * @param result The result that will be returned to the client if * the plugin result indicates that processing on * the operation should be interrupted. It may be * altered if desired. * @param oldEntry The entry as it appeared before the modifications * were applied. * @param newEntry The updated entry as it will appear after the * modifications have been applied. * * @return Information about the result of the plugin processing. */ @Override() public PreOperationPluginResult doPreOperation( final ActiveOperationContext operationContext, final ModifyRequest request, final UpdatableModifyResult result, final Entry oldEntry, final Entry newEntry) { try { ensureUniqueness(newEntry.toLDAPSDKEntry(), serverContext, operationContext, config, internalConnection, ldapAttributeType, jsonFieldPathString, jsonFieldPath, requireUniquenessWithinAnEntry, requireUniquenessAcrossEntries, baseDNs, uniqueEntryLDAPFilter, uniqueValueJSONObjectFilter); return PreOperationPluginResult.SUCCESS; } catch (final LDAPException le) { serverContext.debugCaught(le); result.setResultData(le); return new PreOperationPluginResult(false, false, true, true); } } /** * Performs any processing which may be necessary after all other processing * has been completed for a modify operation and the response has been sent * to the client. This will be invoked only for modify operations requested * directly by clients, but not for modify operations received from another * server via replication. * * @param operationContext The context for the modify operation. * @param request The modify request that was processed. * @param result The result that was returned to the client. * * @return Information about the result of the plugin processing. */ @Override() public PostResponsePluginResult doPostResponse( final CompletedOperationContext operationContext, final ModifyRequest request, final ModifyResult result) { // We aren't given access to the updated entry, so we'll need to fetch it // from a backend server. But we'll only do that if the request could // result in a conflict, since otherwise retrieving the entry would be // wasted effort. // // First, we want to make sure that we're dealing with a consistent // configuration, so get all of the configuration properties first. final AttributeType attributeType = ldapAttributeType; final List<String> fieldPath = jsonFieldPath; final String fieldPathString = jsonFieldPathString; final boolean uniqueWithinEntry = requireUniquenessWithinAnEntry; final boolean uniqueAcrossEntries = requireUniquenessAcrossEntries; final Filter uniqueEntryFilter = uniqueEntryLDAPFilter; final JSONObjectFilter uniqueValueFilter = uniqueValueJSONObjectFilter; if (! couldCreateConflict(request, attributeType, baseDNs, fieldPath)) { return PostResponsePluginResult.SUCCESS; } // Retrieve the entry. final SearchResultEntry entry; try { entry = internalConnection.getEntry(request.getDN(), "*", "+"); if (entry == null) { if (serverContext.debugEnabled()) { serverContext.debugWarning("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' could not find entry '" + request.getDN() + "' targeted by proxied modify operation conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ". This likely indicates that the entry was deleted shortly " + "after the modification. At any rate, no uniqueness conflict " + "processing can be performed for this entry."); } return PostResponsePluginResult.SUCCESS; } } catch (final Exception e) { if (serverContext.debugEnabled()) { serverContext.debugCaught(e); serverContext.debugError("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' encountered an error while trying to retrieve entry '" + request.getDN() + "' targeted by proxied modify operation " + "conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ": " + StaticUtils.getExceptionMessage(e) + ". No uniqueness conflict processing can be performed for this " + "entry."); } return PostResponsePluginResult.SUCCESS; } try { ensureUniqueness(entry, serverContext, operationContext, config, internalConnection, attributeType, fieldPathString, fieldPath, uniqueWithinEntry, uniqueAcrossEntries, baseDNs, uniqueEntryFilter, uniqueValueFilter); } catch (final LDAPException le) { serverContext.debugCaught(le); // This means that a proxied operation generated a conflict. We can't do // anything to prevent this, but we can generate an administrative alert // to notify administrators of the problem. serverContext.sendAlert(AlertSeverity.ERROR, le.getMessage()); } return PostResponsePluginResult.SUCCESS; } /** * Performs any processing which may be necessary after all other processing * has been completed for a modify operation which has been received from * another server via replication. * * @param operationContext The context for the modify operation. * @param request The modify request that was processed. * @param result The result that was returned to the client. */ @Override() public void doPostReplication( final CompletedOperationContext operationContext, final ModifyRequest request, final ModifyResult result) { // We aren't given access to the updated entry, so we'll need to fetch it // from the backend. But we'll only do that if the request could result // in a conflict, since otherwise retrieving the entry would be wasted // effort. // // First, we want to make sure that we're dealing with a consistent // configuration, so get all of the configuration properties first. final AttributeType attributeType = ldapAttributeType; final List<String> fieldPath = jsonFieldPath; final String fieldPathString = jsonFieldPathString; final boolean uniqueWithinEntry = requireUniquenessWithinAnEntry; final boolean uniqueAcrossEntries = requireUniquenessAcrossEntries; final Filter uniqueEntryFilter = uniqueEntryLDAPFilter; final JSONObjectFilter uniqueValueFilter = uniqueValueJSONObjectFilter; if (! couldCreateConflict(request, attributeType, baseDNs, fieldPath)) { return; } // Retrieve the entry. final SearchResultEntry entry; try { entry = internalConnection.getEntry(request.getDN(), "*", "+"); if (entry == null) { if (serverContext.debugEnabled()) { serverContext.debugWarning("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' could not find entry '" + request.getDN() + "' targeted by replicated modify operation conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ". This likely indicates that the entry was deleted shortly " + "after the modification. At any rate, no uniqueness conflict " + "processing can be performed for this entry."); } return; } } catch (final Exception e) { if (serverContext.debugEnabled()) { serverContext.debugCaught(e); serverContext.debugError("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' encountered an error while trying to retrieve entry '" + request.getDN() + "' targeted by replicated modify operation " + "conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ": " + StaticUtils.getExceptionMessage(e) + ". No uniqueness conflict processing can be performed for this " + "entry."); } return; } try { ensureUniqueness(entry, serverContext, operationContext, config, internalConnection, attributeType, fieldPathString, fieldPath, uniqueWithinEntry, uniqueAcrossEntries, baseDNs, uniqueEntryFilter, uniqueValueFilter); } catch (final LDAPException le) { serverContext.debugCaught(le); // This means that a replicated operation generated a conflict. We can't // do anything to prevent this, but we can generate an administrative // alert to notify administrators of the problem. serverContext.sendAlert(AlertSeverity.ERROR, le.getMessage()); } } /** * Attempts to determine whether the provided modify request could create a * uniqueness conflict. * * @param request The modify request being processed. * @param attributeType The LDAP attribute type for which uniqueness will be * enforced. * @param baseDNList The list of base DNs for which uniqueness will be * enforced. * @param fieldPath The path to the JSON field for which uniqueness will * be enforced. * * @return {@code true} if the provided modify request could create a * uniqueness conflict, or {@code false} if not. */ private boolean couldCreateConflict(final ModifyRequest request, final AttributeType attributeType, final List<DN> baseDNList, final List<String> fieldPath) { // See if the target entry is within any of the configured base DNs. If // not, then we don't care about it. try { final DN parsedEntryDN = new DN(request.getDN()); boolean withinBaseDN = false; for (final DN baseDN : baseDNList) { if (parsedEntryDN.isDescendantOf(baseDN, true)) { withinBaseDN = true; break; } } if (! withinBaseDN) { return false; } } catch (final Exception e) { serverContext.debugCaught(e); } // Now, iterate through the modifications to see if any of them could // generate a conflict. for (final Modification m : request.getModifications()) { // We only care about modification types of ADD or REPLACE. if (! ((m.getModificationType() == ModificationType.ADD) || (m.getModificationType() == ModificationType.REPLACE))) { continue; } // We only care about modifications that have values. A REPLACE // modification might not have any values if it's intended to remove // the attribute from the entry. final String[] values = m.getValues(); if ((values == null) || (values.length == 0)) { continue; } // See if the modification targets the right attribute type. // // NOTE: It's possible that the modification targeted an attribute with // options, so we need to check the base name without any options. final String baseName = Attribute.getBaseName(m.getAttributeName()); if (! attributeType.hasNameOrOID(baseName)) { continue; } // Try to parse each of the values as a JSON object and see if any of // them contains the target field. That'll be enough to convince us // that we need to get the entry. for (final String value : values) { try { final JSONObject o = new JSONObject(value); final List<JSONValue> fieldValues = getValues(o, fieldPath); if (fieldValues.isEmpty()) { continue; } return true; } catch (final Exception e) { serverContext.debugCaught(e); } } } // If we've gotten here, then the modification couldn't have introduced a // conflict. return false; } /** * Performs all necessary uniqueness processing for the provided entry. * * @param entry The entry to examine. * @param serverContext The server context. * @param operationContext The operation context. * @param config The configuration for the plugin. * @param internalConnection The internal connection to use to perform * internal searches. * @param attributeType The target attribute type. * @param fieldPathString The string representation of the JSON field * path. * @param fieldPath The components that comprise the path to the * target JSON field. * @param uniqueWithinEntry Indicates whether to enforce uniqueness across * multiple values within the same entry. * @param uniqueAcrossEntries Indicates whether to enforce uniqueness across * entries within the specified set of base DNs. * @param baseDNs The set of base DNs below which to enforce * uniqueness. * @param uniqueEntryFilter An optional filter that entries must match. * @param uniqueValueFilter An optional filter that values must match. * * @throws LDAPException If a conflict is found. */ private static void ensureUniqueness(final com.unboundid.ldap.sdk.Entry entry, final DirectoryServerContext serverContext, final OperationContext operationContext, final PluginConfig config, final InternalConnection internalConnection, final AttributeType attributeType, final String fieldPathString, final List<String> fieldPath, final boolean uniqueWithinEntry, final boolean uniqueAcrossEntries, final List<DN> baseDNs, final Filter uniqueEntryFilter, final JSONObjectFilter uniqueValueFilter) throws LDAPException { // See if the entry is below a base DN that we care about. try { final DN parsedEntryDN = entry.getParsedDN(); boolean withinBaseDN = false; for (final DN baseDN : baseDNs) { if (parsedEntryDN.isDescendantOf(baseDN, true)) { withinBaseDN = true; break; } } if (! withinBaseDN) { if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + " is skipping uniqueness processing for entry '" + entry.getDN() + "' for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + " because it is not " + "within any of the configured base DNs " + baseDNs); } return; } } catch (final Exception e) { if (serverContext.debugEnabled()) { serverContext.debugCaught(e); serverContext.debugWarning("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' could not parse DN '" + entry.getDN() + "' encountered while processing operation conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ": " + StaticUtils.getExceptionMessage(e) + ". Going to assume that " + "the entry is within a base DN for which uniqueness should be " + "enforced."); } } // If there is a unique entry filter, then see if the entry matches it. if (uniqueEntryFilter != null) { try { if (! uniqueEntryFilter.matchesEntry(entry)) { if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + " is skipping uniqueness " + "processing for entry '" + entry.getDN() + "' for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + " because it does not " + "match " + ARG_UNIQUE_ENTRY_LDAP_FILTER + " value " + uniqueEntryFilter); } return; } } catch (final Exception e) { if (serverContext.debugEnabled()) { serverContext.debugCaught(e); serverContext.debugWarning("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' encountered an error while evaluating " + ARG_UNIQUE_ENTRY_LDAP_FILTER + " value " + uniqueEntryFilter + " against entry '" + entry.getDN() + "' for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ": " + StaticUtils.getExceptionMessage(e) + ". Going to assume that " + "the entry matches the filter."); } } } // Iterate through the attributes in the entry to get a list of all values // for the target field from the target attribute type. final ArrayList<JSONValue> fieldValues = new ArrayList<JSONValue>(10); for (final Attribute a : entry.getAttributes()) { // See if the attribute has the appropriate attribute type. // // NOTE: The attribute could have options, so make sure to check the // base name. if (! attributeType.hasNameOrOID(a.getBaseName())) { continue; } // Iterate through the values of the attribute and try to parse them as // JSON objects. for (final String value : a.getValues()) { final JSONObject o; try { o = new JSONObject(value); } catch (final Exception e) { if (serverContext.debugEnabled()) { serverContext.debugCaught(e); serverContext.debugWarning("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' encountered " + a.getName() + " value '" + value + "' in entry '" + entry.getDN() + "' that could not be parsed as a valid JSON object for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + ": " + StaticUtils.getExceptionMessage(e)); } continue; } // If we have a uniqueValueFilter, then see if the provided object // matches that filter. If not, then skip this value. if ((uniqueValueFilter != null) && (! uniqueValueFilter.matchesJSONObject(o))) { continue; } // Extract the values of the target field from the object. Iterate // through them and see if any of them match a value that we've already // found. At the very least, we only want to do the processing for each // value once, but we might also want to reject conflicts in the same // entry. for (final JSONValue jsonValue : getValues(o, fieldPath)) { boolean conflictFound = false; for (final JSONValue v : fieldValues) { if (v.equals(jsonValue, false, true, false)) { conflictFound = true; break; } } if (conflictFound) { if (uniqueWithinEntry) { throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM, "Entry '" + entry.getDN() + "' has duplicate values for " + "JSON field " + fieldPathString + " but the server is configured to require all values " + "for that field to be unique, even within the same " + "entry."); } } else { fieldValues.add(jsonValue); } } } } // If we shouldn't check for conflicts across other entries, or if we didn't // find any field values, then we're done. if (fieldValues.isEmpty()) { if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' did not find any " + attributeType.getNameOrOID() + " values for field " + fieldPathString + " in entry '" + entry.getDN() + "' for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID()); } return; } if (! uniqueAcrossEntries) { if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' is only configured to look for duplicate " + fieldPathString + " values in attribute " + attributeType.getNames() + " within the same entry, and entry '" + entry.getDN() + "' for conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + " did not have any such conflicts."); } return; } if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin defined in " + "configuration entry '" + config.getConfigObjectDN() + "' found one or more values for JSON field " + fieldPathString + " in attribute " + attributeType.getNameOrOID() + " in entry '" + entry.getDN() + " for operation conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID() + "': " + fieldValues + ". Going to search for entries with conflicting values."); } // We need to look for conflicts across other entries. First, generate the // equals or equalsAny filter to use to identify entries with conflicting // values. JSONObjectFilter jsonObjectFilter; if (fieldValues.size() == 1) { jsonObjectFilter = new EqualsJSONObjectFilter(fieldPath, fieldValues.get(0)); } else { jsonObjectFilter = new EqualsAnyJSONObjectFilter(fieldPath, fieldValues); } // If we have a unique value filter, then we'll need to AND the JSON object // filter we just created with a NOT of that value filter so that we exclude // objects that don't match that filter. if (uniqueValueFilter != null) { jsonObjectFilter = new ANDJSONObjectFilter(jsonObjectFilter, new NegateJSONObjectFilter(uniqueValueFilter)); } // Get an LDAP filter that will allow us to process the JSON object filter. Filter ldapFilter = jsonObjectFilter.toLDAPFilter(attributeType.getNameOrOID()); // If we have a unique entry filter, then we'll need to AND the LDAP filter // we just created with that unique entry filter so that we only check // entries that match that filter. if (uniqueEntryFilter != null) { ldapFilter = Filter.createANDFilter(ldapFilter, uniqueEntryFilter); } // Iterate through the configured base DNs and search beneath them for // conflicting entries. // // NOTE: Use a size limit of 1 for the search request so that we don't // waste time finding all the matches once we know that there are at least // two matching entries. One matching entry may be okay if it's the entry // that we're currently validating, and we should only report a conflict for // one match if it doesn't match the DN of the entry we're currently // validating. But any more than one match (which should trigger a // SIZE_LIMIT_EXCEEDED result) means that there's definitely a conflict. final SearchRequest searchRequest = new SearchRequest("", SearchScope.SUB, DereferencePolicy.NEVER, 1, 0, false, ldapFilter, "1.1"); for (final DN baseDN : baseDNs) { searchRequest.setBaseDN(baseDN); SearchResult searchResult; try { searchResult = internalConnection.search(searchRequest); } catch (final LDAPSearchException lse) { searchResult = lse.getSearchResult(); } if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin " + "defined in configuration entry '" + config.getConfigObjectDN() + "' got search result " + searchResult + " for internal search " + searchRequest); } switch (searchResult.getResultCode().intValue()) { case ResultCode.SUCCESS_INT_VALUE: // The search completed successfully, but we need to check the entries // that were returned to see if it matched any entry other than the // target entry. switch (searchResult.getEntryCount()) { case 0: break; case 1: final DN parsedThisDN = entry.getParsedDN(); final DN parsedFoundDN = searchResult.getSearchEntries().get(0).getParsedDN(); if (! parsedThisDN.equals(parsedFoundDN)) { throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM, "Entry '" + entry.getDN() + "' has one or more values " + "for JSON field '" + fieldPathString + "' that " + "already exist in at least one other entry in " + "the server, but the server is configured to " + "require all values for that field to be unique."); } break; default: throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM, "Entry '" + entry.getDN() + "' has one or more values for " + "JSON field '" + fieldPathString + "' that already exist in at least one other entry in " + "the server, but the server is configured to " + "require all values for that field to be unique."); } break; case ResultCode.NO_SUCH_OBJECT_INT_VALUE: // This means that the search base didn't exist. This definitely // means no conflict. break; case ResultCode.SIZE_LIMIT_EXCEEDED_INT_VALUE: // This means that there was definitely a conflict. throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM, "Entry '" + entry.getDN() + "' has one or more values for " + "JSON field '" + fieldPathString + "' that already exist in at least one other entry in " + "the server, but the server is configured to " + "require all values for that field to be unique."); default: // This indicates that some other error occurred that prevented the // search from succeeding. We'll treat this like a conflict in that // we'll throw an exception to reject the operation (or alert if it's // a replicated operation that's already been applied somewhere else) // but use a different message for the exception. throw new LDAPException(ResultCode.UNWILLING_TO_PERFORM, "An error occurred while looking for uniqueness conflicts " + "for values of the '" + fieldPathString + "' field in attribute " + attributeType.getNameOrOID() + " (result code " + searchResult.getResultCode() + ", diagnostic message '" + searchResult.getDiagnosticMessage() + "'."); } } // If we've gotten here, then there are no conflicts. if (serverContext.debugEnabled()) { serverContext.debugInfo("The JSON field uniqueness plugin defined in " + "configuration entry '" + config.getConfigObjectDN() + "' did not find any conflicts for values of JSON field " + fieldPathString + " in attribute " + attributeType.getNameOrOID() + " in entry '" + entry.getDN() + " for operation conn=" + operationContext.getConnectionID() + " op=" + operationContext.getOperationID()); } } /** * Retrieves a list of the values for the specified field from the provided * object. * * @param o The JSON object to examine. * @param fieldPath The path to the JSON field for which to retrieve the * values. * * @return The set of values that match the provided field name specifier, or * an empty list if the provided JSON object does not have any fields * matching the provided specifier. */ private static List<JSONValue> getValues(final JSONObject o, final List<String> fieldPath) { final ArrayList<JSONValue> values = new ArrayList<JSONValue>(10); getValues(o, fieldPath, 0, values); return values; } /** * Adds all values for the specified field to the provided list. * * @param o The JSON object to examine. * @param fieldPath The path to the JSON field for which to retrieve * the values. * @param fieldNameIndex The current index into the field name specifier. * @param values The list into which matching values should be * added. */ private static void getValues(final JSONObject o, final List<String> fieldPath, final int fieldNameIndex, final List<JSONValue> values) { final JSONValue v = o.getField(fieldPath.get(fieldNameIndex)); if (v == null) { return; } final int nextIndex = fieldNameIndex + 1; if (nextIndex < fieldPath.size()) { // This indicates that there are more elements in the field name // specifier. The value must either be a JSON object that we can look // further into, or it must be an array containing one or more JSON // objects. if (v instanceof JSONObject) { getValues((JSONObject) v, fieldPath, nextIndex, values); } else if (v instanceof JSONArray) { getValuesFromArray((JSONArray) v, fieldPath, nextIndex, values); } return; } // If we've gotten here, then there is no more of the field specifier, so // the value we retrieved matches the specifier. Add it to the list of // values. values.add(v); } /** * Calls {@code getValues} for any elements of the provided array that are * JSON objects, recursively descending into any nested arrays. * * @param a The array to process. * @param fieldPath The path to the JSON field for which to retrieve * the values. * @param fieldNameIndex The current index into the field name specifier. * @param values The list into which matching values should be * added. */ private static void getValuesFromArray(final JSONArray a, final List<String> fieldPath, final int fieldNameIndex, final List<JSONValue> values) { for (final JSONValue v : a.getValues()) { if (v instanceof JSONObject) { getValues((JSONObject) v, fieldPath, fieldNameIndex, values); } else if (v instanceof JSONArray) { getValuesFromArray((JSONArray) v, fieldPath, fieldNameIndex, values); } } } /** * Indicates whether the configuration represented by the provided argument * parser is acceptable for use by this extension. The parser will have been * used to parse any configuration available for this extension, and any * automatic validation will have been performed. This method may be used to * perform any more complex validation which cannot be performed automatically * by the argument parser. * * @param config The general configuration for this extension. * @param parser The argument parser that has been used to * parse the proposed configuration for this * extension. * @param unacceptableReasons A list to which messages may be added to * provide additional information about why the * provided configuration is not acceptable. * * @return {@code true} if the configuration in the provided argument parser * appears to be acceptable, or {@code false} if not. */ @Override() public boolean isConfigurationAcceptable(final PluginConfig config, final ArgumentParser parser, final List<String> unacceptableReasons) { // If the server context is null, then get an instance from the provided // configuration. if (serverContext == null) { serverContext = config.getServerContext(); } // Get an internal connection to use for processing internal operations. if (internalConnection == null) { internalConnection = serverContext.getInternalRootConnection(); } // Make sure that the plugin is configured with the appropriate set of // plugin types based on the type of product in which it is running. boolean acceptable = true; final boolean isDirectoryServer; final Set<String> pluginTypes = config.getPluginTypes(); if (serverContext.isDirectoryFunctionalityAvailable()) { isDirectoryServer = true; if (! pluginTypes.equals(EXPECTED_DIRECTORY_PLUGIN_TYPES)) { acceptable = false; unacceptableReasons.add("When the " + getExtensionName() + " is used in the Directory Server, it must be configured with " + "the following plugin types: " + EXPECTED_DIRECTORY_PLUGIN_TYPES + '.'); } } else if (serverContext.isDirectoryProxyFunctionalityAvailable()) { isDirectoryServer = false; if (! pluginTypes.equals(EXPECTED_PROXY_PLUGIN_TYPES)) { acceptable = false; unacceptableReasons.add("When the " + getExtensionName() + " is used in the Directory Proxy Server, it must be configured " + "with the following plugin types: " + EXPECTED_PROXY_PLUGIN_TYPES + '.'); } } else { isDirectoryServer = false; acceptable = false; unacceptableReasons.add("The " + getExtensionName() + " can only be used in the Directory Server or Directory Proxy " + "Server."); } // Get the configured LDAP attribute type. It must be defined in the server // schema. final AttributeType attrType; final StringArgument attrNameArg = parser.getStringArgument(ARG_ATTR_NAME); if ((attrNameArg == null) || (! attrNameArg.isPresent())) { // The argument parser should ensure that this never happens. acceptable = false; unacceptableReasons.add("No value was provided for the required " + ARG_ATTR_NAME + " argument."); attrType = null; } else { attrType = serverContext.getSchema().getAttributeType( attrNameArg.getValue(), false); if (attrType == null) { acceptable = false; unacceptableReasons.add("Value '" + attrNameArg.getValue() + "' for argument " + ARG_ATTR_NAME + " does not represent the " + "name or OID for any attribute type defined in the server " + "schema."); } } DN jsonAttributeConstraintsDN = null; if (attrType != null) { // The attribute type must have a JSONObject syntax. if ((attrType.getSyntax() == null) || (! attrType.getSyntax().getOID().equals(OID_JSON_OBJECT_SYNTAX))) { acceptable = false; unacceptableReasons.add("Attribute type " + attrNameArg.getValue() + " is not defined with a JSONObject syntax (OID " + OID_JSON_OBJECT_SYNTAX + ")."); } // If the plugin is being run in the Directory Server, then make sure that // the server is configured with a JSON attribute constraints definition // for the specified attribute type. Note that it's possible that the // definition was created with an alternate name for the attribute type, // so we'll see if the entry exists with any of the names (or OID) for // that attribute type. if (isDirectoryServer) { for (final String name : getNamesAndOID(attrType)) { final DN dn = new DN( new RDN("ds-cfg-attribute-type", name), JSON_ATTRIBUTE_CONSTRAINTS_PARENT_DN); try { if (internalConnection.getEntry(dn.toString(), "1.1") != null) { jsonAttributeConstraintsDN = dn; break; } } catch (final Exception e) { serverContext.debugCaught(e); acceptable = false; unacceptableReasons.add("An error occurred while attempting to " + "determine whether a JSON attribute constraints definition " + "exists in entry '" + dn + "': " + StaticUtils.getExceptionMessage(e)); break; } } if (jsonAttributeConstraintsDN == null) { acceptable = false; unacceptableReasons.add("The server is not configured with a JSON " + "attribute constraints definition for attribute " + attrNameArg.getValue() + '.'); } } } // Retrieve and validate the configured JSON field path. final String fieldPathStr; final StringArgument fieldPathArg = parser.getStringArgument(ARG_JSON_FIELD_PATH); if ((fieldPathArg == null) || (! fieldPathArg.isPresent())) { // The argument parser should ensure that this never happens. acceptable = false; unacceptableReasons.add("No value was provided for the required " + ARG_JSON_FIELD_PATH + " argument."); fieldPathStr = null; } else { fieldPathStr = fieldPathArg.getValue(); final List<String> fieldPath = parseFieldPath(fieldPathStr, unacceptableReasons); if (fieldPath == null) { // The unacceptable reasons will have already been updated by the // parseFieldPath method. acceptable = false; } } // If the plugin is being run in the Directory Server, then make sure that // the server is configured with a JSON field constraints definition for the // target field, and that it has a ds-cfg-index-values attribute with a // value of true. if (acceptable && isDirectoryServer) { final DN jsonFieldConstraintParentDN = new DN( new RDN("cn", "JSON Field Constraints"), jsonAttributeConstraintsDN); final DN jsonFieldConstraintsDN = new DN( new RDN("ds-cfg-json-field", fieldPathStr), jsonFieldConstraintParentDN); try { final SearchResultEntry jsonFieldConstraintsEntry = internalConnection.getEntry(jsonFieldConstraintsDN.toString(), ATTR_JSON_FIELD_CONSTRAINTS_INDEX_VALUES); if (jsonFieldConstraintsEntry == null) { acceptable = false; unacceptableReasons.add("The server is not configured with a JSON " + "field constraints definition for field " + fieldPathStr + " for attribute " + attrNameArg.getValue() + '.'); } else if (! jsonFieldConstraintsEntry.hasAttributeValue( ATTR_JSON_FIELD_CONSTRAINTS_INDEX_VALUES, "true")) { acceptable = false; unacceptableReasons.add("The JSON field constraints definition in " + "entry '" + jsonFieldConstraintsDN + "' does not have a " + ATTR_JSON_FIELD_CONSTRAINTS_INDEX_VALUES + " value of true."); } } catch (final Exception e) { serverContext.debugCaught(e); acceptable = false; unacceptableReasons.add("An error occurred while attempting to " + "retrieve the JSON field constraints definition contained in " + "entry '" + jsonFieldConstraintsDN + "': " + StaticUtils.getExceptionMessage(e)); } } // If a unique value JSON object filter was provided, then make sure that // it's a valid JSON object filter. final StringArgument jsonFilterArg = parser.getStringArgument(ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER); if ((jsonFilterArg != null) && jsonFilterArg.isPresent()) { final JSONObjectFilter f = parseJSONObjectFilter(jsonFilterArg.getValue(), unacceptableReasons, serverContext); if (f == null) { // The unacceptable reasons will have already been updated by the // parseJSONObjectFilter method. acceptable = false; } } // At least one of the require-uniqueness-within-an-entry and // require-uniqueness-across-entries properties must have a value of true. final BooleanValueArgument uniqueWithEntryArg = parser.getBooleanValueArgument(ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY); if ((uniqueWithEntryArg != null) && uniqueWithEntryArg.isPresent() && (uniqueWithEntryArg.getValue() == Boolean.FALSE)) { final BooleanValueArgument uniqueAcrossEntriesArg = parser.getBooleanValueArgument( ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES); if ((uniqueAcrossEntriesArg != null) && uniqueAcrossEntriesArg.isPresent() && (uniqueAcrossEntriesArg.getValue() == Boolean.FALSE)) { acceptable = false; unacceptableReasons.add("The configuration cannot have both " + ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY + " and " + ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES + " arguments set to false."); } } return acceptable; } /** * Attempts to apply the configuration from the provided argument parser to * this extension. * * @param config The general configuration for this extension. * @param parser The argument parser that has been used to * parse the new configuration for this * extension. * @param adminActionsRequired A list to which messages may be added to * provide additional information about any * additional administrative actions that may * be required to apply some of the * configuration changes. * @param messages A list to which messages may be added to * provide additional information about the * processing performed by this method. * * @return A result code providing information about the result of applying * the configuration change. A result of {@code SUCCESS} should be * used to indicate that all processing completed successfully. Any * other result will indicate that a problem occurred during * processing. */ @Override() public ResultCode applyConfiguration(final PluginConfig config, final ArgumentParser parser, final List<String> adminActionsRequired, final List<String> messages) { // If the server context is null, then get an instance from the provided // configuration. if (serverContext == null) { serverContext = config.getServerContext(); } // Get an internal connection to use for processing internal operations. if (internalConnection == null) { internalConnection = serverContext.getInternalRootConnection(); } // Get the configured LDAP attribute type. final StringArgument attrNameArg = parser.getStringArgument(ARG_ATTR_NAME); final AttributeType attrType = serverContext.getSchema().getAttributeType( attrNameArg.getValue(), false); boolean valid = true; if (attrType == null) { valid = false; messages.add("Unable to retrieve attribute type " + attrNameArg.getValue() + " from the server schema."); } // Get the configured JSON field path. final StringArgument fieldPathArg = parser.getStringArgument(ARG_JSON_FIELD_PATH); final String fieldPathString = fieldPathArg.getValue(); final List<String> fieldPath = parseFieldPath(fieldPathString, messages); if (fieldPath == null) { valid = false; } // Determine whether to require uniqueness within an entry. boolean uniqueWithinEntry = true; final BooleanValueArgument uniqueWithinEntryArg = parser.getBooleanValueArgument(ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY); if (uniqueWithinEntryArg != null) { uniqueWithinEntry = uniqueWithinEntryArg.getValue(); } // Determine whether to require uniqueness across entries. boolean uniqueAcrossEntries = true; final BooleanValueArgument uniqueAcrossEntriesArg = parser.getBooleanValueArgument(ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES); if (uniqueAcrossEntriesArg != null) { uniqueAcrossEntries = uniqueAcrossEntriesArg.getValue(); } // Get the set of base DNs. If no values are provided in the configuration, // then get the set of naming contexts from the root DSE. List<DN> baseDNList = null; final DNArgument baseDNArg = parser.getDNArgument(ARG_BASE_DN); if ((baseDNArg != null) && baseDNArg.isPresent()) { baseDNList = baseDNArg.getValues(); } if ((baseDNList == null) || baseDNList.isEmpty()) { try { final String[] namingContextDNs = internalConnection.getRootDSE().getNamingContextDNs(); final ArrayList<DN> dnList = new ArrayList<DN>(namingContextDNs.length); for (final String dn : namingContextDNs) { dnList.add(new DN(dn)); } baseDNList = Collections.unmodifiableList(dnList); } catch (final Exception e) { serverContext.debugCaught(e); } if ((baseDNList == null) || baseDNList.isEmpty()) { valid = false; messages.add("No base DNs are configured, and the public naming " + "context DNs could not be obtained from the server root DSE."); } } // Get the unique entry filter. Filter entryFilter = null; final FilterArgument filterArg = parser.getFilterArgument(ARG_UNIQUE_ENTRY_LDAP_FILTER); if ((filterArg != null) && filterArg.isPresent()) { entryFilter = filterArg.getValue(); } // Get the unique object filter. JSONObjectFilter objectFilter = null; final StringArgument objectFilterArg = parser.getStringArgument(ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER); if ((objectFilterArg != null) && objectFilterArg.isPresent()) { objectFilter = parseJSONObjectFilter(objectFilterArg.getValue(), messages, serverContext); if (objectFilter == null) { valid = false; } } // If the configuration is valid, then apply it. if (valid) { ldapAttributeType = attrType; jsonFieldPathString = fieldPathString; jsonFieldPath = fieldPath; requireUniquenessWithinAnEntry = uniqueWithinEntry; requireUniquenessAcrossEntries = uniqueAcrossEntries; baseDNs = baseDNList; uniqueEntryLDAPFilter = entryFilter; uniqueValueJSONObjectFilter = objectFilter; this.config = config; return ResultCode.SUCCESS; } else { return ResultCode.OTHER; } } /** * Retrieves a list containing all of the names and the OID for the provided * attribute type. * * @param attrType The attribute type for which to obtain the names and OID. * * @return A list containing all of the names and the OID for the provided * attribute type. */ private static List<String> getNamesAndOID(final AttributeType attrType) { final ArrayList<String> namesAndOID = new ArrayList<String>(5); namesAndOID.addAll(attrType.getNames()); namesAndOID.add(attrType.getOID()); return namesAndOID; } /** * Parses the provided string to extract the path to the target field as a * list. Levels of hierarchy will be separated by periods. Any periods * contained in field names must be escaped with backslashes. * * @param fieldPathStr The string representation of the field path. * @param unacceptableReasons A list that should be updated to include any * reason that the provided string is not a valid * path. * * @return The list containing the path to the field name, or {@code null} if * the provided field path string does not represent a valid path. */ private static List<String> parseFieldPath(final String fieldPathStr, final List<String> unacceptableReasons) { boolean escaped = false; final ArrayList<String> fieldList = new ArrayList<String>(5); final StringBuilder buffer = new StringBuilder(fieldPathStr.length()); for (final char c : fieldPathStr.toCharArray()) { if (escaped) { buffer.append(c); escaped = false; } else if (c == '\\') { escaped = true; } else if (c == '.') { if (buffer.length() > 0) { fieldList.add(buffer.toString()); buffer.setLength(0); } else { unacceptableReasons.add("Value '" + fieldPathStr + "' is not a " + "valid JSON field path because it includes an empty " + "field name component."); return null; } } else { buffer.append(c); } } if (buffer.length() == 0) { unacceptableReasons.add("Value '" + fieldPathStr + "' is not a valid " + "JSON field path because it includes an empty field name " + "component."); return null; } else { fieldList.add(buffer.toString()); } return Collections.unmodifiableList(fieldList); } /** * Parses the provided string as a JSON object filter. * * @param filterStr The string to be parsed as a JSON object * filter. * @param unacceptableReasons A list that should be updated to include any * reason that the provided string is not a valid * JSON object filter. * @param serverContext The server context to use for debugging * purposes. * * @return The parsed JSON object filter, or {@code null} if the provided * string does not represent a valid JSON object filter. */ private static JSONObjectFilter parseJSONObjectFilter(final String filterStr, final List<String> unacceptableReasons, final DirectoryServerContext serverContext) { final JSONObject filterObject; try { filterObject = new JSONObject(filterStr); } catch (final Exception e) { serverContext.debugCaught(e); unacceptableReasons.add(ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER + " value '" + filterStr + "' is not a valid JSON object: " + StaticUtils.getExceptionMessage(e)); return null; } try { return JSONObjectFilter.decode(filterObject); } catch (final Exception e) { serverContext.debugCaught(e); unacceptableReasons.add(ARG_UNIQUE_VALUE_JSON_OBJECT_FILTER + " value '" + filterStr + "' does not represent a valid JSON " + "object filter: " + StaticUtils.getExceptionMessage(e)); return null; } } /** * Retrieves a map containing examples of configurations that may be used for * this extension. The map key should be a list of sample arguments, and the * corresponding value should be a description of the behavior that will be * exhibited by the extension when used with that configuration. * * @return A map containing examples of configurations that may be used for * this extension. It may be {@code null} or empty if there should * not be any example argument sets. */ @Override() public Map<List<String>,String> getExamplesArgumentSets() { final List<String> exampleArgs = Arrays.asList( ARG_ATTR_NAME + "=my-json-attribute", ARG_JSON_FIELD_PATH + "=my-json-field", ARG_REQUIRE_UNIQUENESS_WITHIN_AN_ENTRY + "=true", ARG_REQUIRE_UNIQUENESS_ACROSS_ENTRIES + "=true", ARG_BASE_DN + "=dc=example,dc=com"); final String exampleDescription = "Configure the " + getExtensionName() + " to ensure that all values of the 'my-json-field' field in the " + "'my-json-attribute' attribute are unique across all entries below " + "'dc=example,dc=com', including across multiple values within the " + "same entry."; return Collections.singletonMap(exampleArgs, exampleDescription); } }