[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Pki-devel] [PATCH] 627 Fixed default cert-find filter.



To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449

--
Endi S. Dewata
From 1333b5ffcd7454b43c99bc244a6bf7ab777aaf3b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata redhat com>
Date: Mon, 6 Jul 2015 13:31:22 -0400
Subject: [PATCH] Fixed default cert-find filter.

To improve the performance the default LDAP filter generated by
cert-find has been changed to (certStatus=*) to match an existing
VLV index.

https://fedorahosted.org/pki/ticket/1449
---
 .../org/dogtagpki/server/ca/rest/CertService.java  |  16 +-
 .../com/netscape/cmstools/cert/CertFindCLI.java    |   1 -
 .../netscape/cms/servlet/cert/FilterBuilder.java   | 244 +++++++++++----------
 3 files changed, 134 insertions(+), 127 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index ee974d446b689b089221bbaf2c7b6a5780c2f6bb..e43909bbb59837064711447c5e1733a3ca70970c 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -367,15 +367,13 @@ public class CertService extends PKIService implements CertResource {
     }
 
     private String createSearchFilter(String status) {
-        String filter = "";
+        String filter;
 
-        if ((status == null)) {
-            filter = "(serialno=*)";
-            return filter;
-        }
+        if (status == null) {
+            filter = "(certstatus=*)"; // allCerts VLV
 
-        if (status != null) {
-            filter += "(certStatus=" + LDAPUtil.escapeFilter(status) + ")";
+        } else  {
+            filter = "(certStatus=" + LDAPUtil.escapeFilter(status) + ")";
         }
 
         return filter;
@@ -398,7 +396,7 @@ public class CertService extends PKIService implements CertResource {
         size       = size == null ? DEFAULT_SIZE : size;
 
         String filter = createSearchFilter(status);
-        CMS.debug("listCerts: filter is " + filter);
+        CMS.debug("CertService.listCerts: filter: " + filter);
 
         CertDataInfos infos = new CertDataInfos();
         try {
@@ -450,7 +448,9 @@ public class CertService extends PKIService implements CertResource {
 
         start = start == null ? 0 : start;
         size = size == null ? DEFAULT_SIZE : size;
+
         String filter = createSearchFilter(data);
+        CMS.debug("CertService.searchCerts: filter: " + filter);
 
         CertDataInfos infos = new CertDataInfos();
         try {
diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
index 8c7a4df14c12985611b6f50f37a2c59671ad9fd1..cb2d80ef35446dcd5714f0b6957ab194d3bf6da2 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertFindCLI.java
@@ -254,7 +254,6 @@ public class CertFindCLI extends CLI {
 
         } else {
             searchData = new CertSearchRequest();
-            searchData.setSerialNumberRangeInUse(true);
         }
 
         String s = cmd.getOptionValue("start");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
index 5c337afeebe90d768df4cf47d1dd20adb3ed6006..be44c47b5f7979b5a2bd35254ce65b27409e8af0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/FilterBuilder.java
@@ -18,7 +18,9 @@
 
 package com.netscape.cms.servlet.cert;
 
+import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.List;
 import java.util.StringTokenizer;
 
 import com.netscape.certsrv.cert.CertSearchRequest;
@@ -30,210 +32,214 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
  *
  */
 public class FilterBuilder {
-    private final static String MATCH_EXACTLY = "exact";
-    private String searchFilter = null;
-    private CertSearchRequest request = null;
+
+    private List<String> filters = new ArrayList<String>();
+    private CertSearchRequest request;
 
     public FilterBuilder(CertSearchRequest request) {
         this.request = request;
     }
 
     public String buildFilter() {
-        StringBuffer filter = new StringBuffer();
-        buildSerialNumberRangeFilter(filter);
-        buildSubjectFilter(filter);
-        buildStatusFilter(filter);
-        buildRevokedByFilter(filter);
-        buildRevokedOnFilter(filter);
-        buildRevocationReasonFilter(filter);
-        buildIssuedByFilter(filter);
-        buildIssuedOnFilter(filter);
-        buildValidNotBeforeFilter(filter);
-        buildValidNotAfterFilter(filter);
-        buildValidityLengthFilter(filter);
-        buildCertTypeFilter(filter);
 
-        searchFilter = filter.toString();
+        buildSerialNumberRangeFilter();
+        buildSubjectFilter();
+        buildStatusFilter();
+        buildRevokedByFilter();
+        buildRevokedOnFilter();
+        buildRevocationReasonFilter();
+        buildIssuedByFilter();
+        buildIssuedOnFilter();
+        buildValidNotBeforeFilter();
+        buildValidNotAfterFilter();
+        buildValidityLengthFilter();
+        buildCertTypeFilter();
 
-        if (searchFilter != null && !searchFilter.equals("")) {
-            searchFilter = "(&" + searchFilter + ")";
+        if (filters.size() == 0) {
+            return "(certstatus=*)"; // allCerts VLV
+
+        } else if (filters.size() == 1) {
+            return filters.get(0);
+
+        } else {
+            StringBuilder sb = new StringBuilder();
+            for (String filter : filters) {
+                sb.append(filter);
+            }
+            return "(&" + sb + ")";
         }
-
-        return searchFilter;
     }
 
-    private void buildSerialNumberRangeFilter(StringBuffer filter) {
+    private void buildSerialNumberRangeFilter() {
 
-        if (!request.getSerialNumberRangeInUse()) {
-            return;
-        }
-        boolean changed = false;
         String serialFrom = request.getSerialFrom();
         if (serialFrom != null && !serialFrom.equals("")) {
-            filter.append("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")");
-            changed = true;
+            filters.add("(certRecordId>=" + LDAPUtil.escapeFilter(serialFrom) + ")");
         }
+
         String serialTo = request.getSerialTo();
         if (serialTo != null && !serialTo.equals("")) {
-            filter.append("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")");
-            changed = true;
+            filters.add("(certRecordId<=" + LDAPUtil.escapeFilter(serialTo) + ")");
         }
-        if (!changed) {
-            filter.append("(certRecordId=*)");
-        }
-
     }
 
-    private void buildSubjectFilter(StringBuffer filter) {
+    private void buildSubjectFilter() {
+
         if (!request.getSubjectInUse()) {
             return;
         }
+
         StringBuffer lf = new StringBuffer();
-
-        String matchStr = null;
         boolean match = request.getMatchExactly();
 
-        if (match == true) {
-            matchStr = MATCH_EXACTLY;
-        }
-
-        buildAVAFilter(request.getEmail(), "E", lf, matchStr);
-        buildAVAFilter(request.getCommonName(), "CN", lf, matchStr);
-        buildAVAFilter(request.getUserID(), "UID", lf, matchStr);
-        buildAVAFilter(request.getOrgUnit(), "OU", lf, matchStr);
-        buildAVAFilter(request.getOrg(), "O", lf, matchStr);
-        buildAVAFilter(request.getLocality(), "L", lf, matchStr);
-        buildAVAFilter(request.getState(), "ST", lf, matchStr);
-        buildAVAFilter(request.getCountry(), "C", lf, matchStr);
+        buildAVAFilter(request.getEmail(), "E", lf, match);
+        buildAVAFilter(request.getCommonName(), "CN", lf, match);
+        buildAVAFilter(request.getUserID(), "UID", lf, match);
+        buildAVAFilter(request.getOrgUnit(), "OU", lf, match);
+        buildAVAFilter(request.getOrg(), "O", lf, match);
+        buildAVAFilter(request.getLocality(), "L", lf, match);
+        buildAVAFilter(request.getState(), "ST", lf, match);
+        buildAVAFilter(request.getCountry(), "C", lf, match);
 
         if (lf.length() == 0) {
-            filter.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*)");
-            return;
-        }
-        if (matchStr != null && matchStr.equals(MATCH_EXACTLY)) {
-            filter.append("(&");
-            filter.append(lf);
-            filter.append(")");
+            filters.add("(" + ICertRecord.ATTR_X509CERT_SUBJECT + "=*)");
+
+        } else if (match) {
+            filters.add("(&" + lf + ")");
+
         } else {
-            filter.append("(|");
-            filter.append(lf);
-            filter.append(")");
+            filters.add("(|" + lf + ")");
         }
     }
 
-    private void buildStatusFilter(StringBuffer filter) {
+    private void buildStatusFilter() {
+
         String status = request.getStatus();
         if (status == null || status.equals("")) {
             return;
         }
-        filter.append("(certStatus=");
-        filter.append(LDAPUtil.escapeFilter(status));
-        filter.append(")");
+
+        filters.add("(certStatus=" + LDAPUtil.escapeFilter(status) + ")");
     }
 
-    private void buildRevokedByFilter(StringBuffer filter) {
+    private void buildRevokedByFilter() {
+
         if (!request.getRevokedByInUse()) {
             return;
         }
 
         String revokedBy = request.getRevokedBy();
         if (revokedBy == null || revokedBy.equals("")) {
-            filter.append("(certRevokedBy=*)");
+            filters.add("(certRevokedBy=*)");
+
         } else {
-            filter.append("(certRevokedBy=");
-            filter.append(LDAPUtil.escapeFilter(revokedBy));
-            filter.append(")");
+            filters.add("(certRevokedBy=" + LDAPUtil.escapeFilter(revokedBy) + ")");
         }
     }
 
     private void buildDateFilter(String prefix,
-            String outStr, long adjustment,
-            StringBuffer filter) {
+            String outStr, long adjustment) {
+
         if (prefix == null || prefix.length() == 0) return;
+
         long epoch = Long.parseLong(prefix);
         Calendar from = Calendar.getInstance();
         from.setTimeInMillis(epoch);
+
+        StringBuilder filter = new StringBuilder();
         filter.append("(");
         filter.append(LDAPUtil.escapeFilter(outStr));
         filter.append(Long.toString(from.getTimeInMillis() + adjustment));
         filter.append(")");
+
+        filters.add(filter.toString());
     }
 
-    private void buildRevokedOnFilter(StringBuffer filter) {
+    private void buildRevokedOnFilter() {
+
         if (!request.getRevokedOnInUse()) {
             return;
         }
-        buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0, filter);
-        buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999, filter);
+
+        buildDateFilter(request.getRevokedOnFrom(), "certRevokedOn>=", 0);
+        buildDateFilter(request.getRevokedOnTo(), "certRevokedOn<=", 86399999);
     }
 
-    private void buildRevocationReasonFilter(StringBuffer filter) {
+    private void buildRevocationReasonFilter() {
+
         if (!request.getRevocationReasonInUse()) {
             return;
         }
+
         String reasons = request.getRevocationReason();
         if (reasons == null) {
             return;
         }
-        String queryCertFilter = null;
+
+        StringBuilder filter = new StringBuilder();
         StringTokenizer st = new StringTokenizer(reasons, ",");
         int count = st.countTokens();
         if (st.hasMoreTokens()) {
-            if (count >=2) filter.append("(|");
+            if (count >= 2) filter.append("(|");
             while (st.hasMoreTokens()) {
                 String token = st.nextToken();
-                if (queryCertFilter == null) {
-                    queryCertFilter = "";
-                }
                 filter.append("(x509cert.certRevoInfo=");
                 filter.append(LDAPUtil.escapeFilter(token));
                 filter.append(")");
             }
             if (count >= 2) filter.append(")");
         }
+
+        filters.add(filter.toString());
     }
 
-    private void buildIssuedByFilter(StringBuffer filter) {
+    private void buildIssuedByFilter() {
+
         if (!request.getIssuedByInUse()) {
             return;
         }
+
         String issuedBy = request.getIssuedBy();
         if (issuedBy == null || issuedBy.equals("")) {
-            filter.append("(certIssuedBy=*)");
+            filters.add("(certIssuedBy=*)");
         } else {
-            filter.append("(certIssuedBy=");
-            filter.append(LDAPUtil.escapeFilter(issuedBy));
-            filter.append(")");
+            filters.add("(certIssuedBy=" + LDAPUtil.escapeFilter(issuedBy) + ")");
         }
     }
 
-    private void buildIssuedOnFilter(StringBuffer filter) {
+    private void buildIssuedOnFilter() {
+
         if (!request.getIssuedOnInUse()) {
             return;
         }
-        buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0, filter);
-        buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999, filter);
+
+        buildDateFilter(request.getIssuedOnFrom(), "certCreateTime>=", 0);
+        buildDateFilter(request.getIssuedOnTo(), "certCreateTime<=", 86399999);
     }
 
-    private void buildValidNotBeforeFilter(StringBuffer filter) {
+    private void buildValidNotBeforeFilter() {
+
         if (!request.getValidNotBeforeInUse()) {
             return;
         }
-        buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0, filter);
-        buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999, filter);
+
+        buildDateFilter(request.getValidNotBeforeFrom(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+">=", 0);
+        buildDateFilter(request.getValidNotBeforeTo(), ICertRecord.ATTR_X509CERT_NOT_BEFORE+"<=", 86399999);
 
     }
 
-    private void buildValidNotAfterFilter(StringBuffer filter) {
+    private void buildValidNotAfterFilter() {
+
         if (!request.getValidNotAfterInUse()) {
             return;
         }
-        buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0, filter);
-        buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999, filter);
+
+        buildDateFilter(request.getValidNotAfterFrom(), ICertRecord.ATTR_X509CERT_NOT_AFTER+">=", 0);
+        buildDateFilter(request.getValidNotAfterTo(), ICertRecord.ATTR_X509CERT_NOT_AFTER+"<=", 86399999);
 
     }
 
-    private void buildValidityLengthFilter(StringBuffer filter) {
+    private void buildValidityLengthFilter() {
         if (!request.getValidityLengthInUse()) {
             return;
         }
@@ -242,70 +248,72 @@ public class FilterBuilder {
         Integer count = request.getValidityCount();
         Long unit = request.getValidityUnit();
 
+        StringBuilder filter = new StringBuilder();
         filter.append("(");
         filter.append(ICertRecord.ATTR_X509CERT_DURATION);
         filter.append(LDAPUtil.escapeFilter(op));
         filter.append(count * unit);
         filter.append(")");
+
+        filters.add(filter.toString());
     }
 
-    private void buildCertTypeFilter(StringBuffer filter) {
+    private void buildCertTypeFilter() {
+
         if (!request.getCertTypeInUse()) {
             return;
         }
+
         if (isOn(request.getCertTypeSSLClient())) {
-            filter.append("(x509cert.nsExtension.SSLClient=on)");
+            filters.add("(x509cert.nsExtension.SSLClient=on)");
         } else if (isOff(request.getCertTypeSSLClient())) {
-            filter.append("(x509cert.nsExtension.SSLClient=off)");
+            filters.add("(x509cert.nsExtension.SSLClient=off)");
         }
+
         if (isOn(request.getCertTypeSSLServer())) {
-            filter.append("(x509cert.nsExtension.SSLServer=on)");
+            filters.add("(x509cert.nsExtension.SSLServer=on)");
         } else if (isOff(request.getCertTypeSSLServer())) {
-            filter.append("(x509cert.nsExtension.SSLServer=off)");
+            filters.add("(x509cert.nsExtension.SSLServer=off)");
         }
+
         if (isOn(request.getCertTypeSecureEmail())) {
-            filter.append("(x509cert.nsExtension.SecureEmail=on)");
+            filters.add("(x509cert.nsExtension.SecureEmail=on)");
         } else if (isOff(request.getCertTypeSecureEmail())) {
-            filter.append("(x509cert.nsExtension.SecureEmail=off)");
+            filters.add("(x509cert.nsExtension.SecureEmail=off)");
         }
+
         if (isOn(request.getCertTypeSubSSLCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateSSLCA=on)");
+            filters.add("(x509cert.nsExtension.SubordinateSSLCA=on)");
         } else if (isOff(request.getCertTypeSubSSLCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateSSLCA=off)");
+            filters.add("(x509cert.nsExtension.SubordinateSSLCA=off)");
         }
+
         if (isOn(request.getCertTypeSubEmailCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateEmailCA=on)");
+            filters.add("(x509cert.nsExtension.SubordinateEmailCA=on)");
         } else if (isOff(request.getCertTypeSubEmailCA())) {
-            filter.append("(x509cert.nsExtension.SubordinateEmailCA=off)");
+            filters.add("(x509cert.nsExtension.SubordinateEmailCA=off)");
         }
     }
 
     private boolean isOn(String value) {
-        String inUse = value;
-        if (inUse == null) {
-            return false;
-        }
-        if (inUse.equals("on")) {
+        if (value != null && value.equals("on")) {
             return true;
         }
         return false;
     }
 
     private boolean isOff(String value) {
-        String inUse = value;
-        if (inUse == null) {
-            return false;
-        }
-        if (inUse.equals("off")) {
+        if (value != null && value.equals("off")) {
             return true;
         }
         return false;
     }
 
     private void buildAVAFilter(String param,
-            String avaName, StringBuffer lf, String match) {
+            String avaName, StringBuffer lf, boolean match) {
+
         if (param != null && !param.equals("")) {
-            if (match != null && match.equals(MATCH_EXACTLY)) {
+            if (match) {
                 lf.append("(|");
                 lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*");
                 lf.append(avaName);
@@ -318,6 +326,7 @@ public class FilterBuilder {
                 lf.append(LDAPUtil.escapeFilter(LDAPUtil.escapeRDNValue(param)));
                 lf.append(")");
                 lf.append(")");
+
             } else {
                 lf.append("("+ICertRecord.ATTR_X509CERT_SUBJECT+"=*");
                 lf.append(avaName);
@@ -327,6 +336,5 @@ public class FilterBuilder {
                 lf.append("*)");
             }
         }
-
     }
 }
-- 
1.9.3


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]