/**
* Check access on each attribute-value pair component of the specified RDN. There may be more
* than one attribute-value pair if the RDN is multi-valued.
*
* @param right The access right to check for.
* @param rdn The RDN to examine the attribute-value pairs of.
* @param container The container containing the information needed to evaluate the specified RDN.
* @return True if access is allowed for all attribute-value pairs.
*/
private boolean checkRDN(int right, RDN rdn, AciContainer container) {
boolean ret = false;
int numAVAs = rdn.getNumValues();
container.setRights(right);
for (int i = 0; i < numAVAs; i++) {
AttributeType type = rdn.getAttributeType(i);
AttributeValue value = rdn.getAttributeValue(i);
container.setCurrentAttributeType(type);
container.setCurrentAttributeValue(value);
if (!(ret = accessAllowed(container))) {
break;
}
}
return ret;
}
/**
* Check access using the specified container. This container will have all of the information to
* gather applicable ACIs and perform evaluation on them.
*
* @param container An ACI operation container which has all of the information needed to check
* access.
* @return True if access is allowed.
*/
boolean accessAllowed(AciContainer container) {
DN dn = container.getResourceEntry().getDN();
// For ACI_WRITE_ADD and ACI_WRITE_DELETE set the ACI_WRITE
// right.
if (container.hasRights(ACI_WRITE_ADD) || container.hasRights(ACI_WRITE_DELETE)) {
container.setRights(container.getRights() | ACI_WRITE);
}
// Check if the ACI_SELF right needs to be set (selfwrite right).
// Only done if the right is ACI_WRITE, an attribute value is set
// and that attribute value is a DN.
if ((container.getCurrentAttributeValue() != null)
&& (container.hasRights(ACI_WRITE))
&& (isAttributeDN(container.getCurrentAttributeType()))) {
String DNString = null;
try {
DNString = container.getCurrentAttributeValue().getValue().toString();
DN tmpDN = DN.decode(DNString);
// Have a valid DN, compare to clientDN to see if the ACI_SELF
// right should be set.
if (tmpDN.equals(container.getClientDN())) {
container.setRights(container.getRights() | ACI_SELF);
}
} catch (DirectoryException ex) {
// Log a message and keep going.
Message message = WARN_ACI_NOT_VALID_DN.get(DNString);
logError(message);
}
}
// Check proxy authorization only if the entry has not already been
// processed (working on a new entry). If working on a new entry,
// then only do a proxy check if the right is not set to ACI_PROXY
// and the proxied authorization control has been decoded.
if (!container.hasSeenEntry()) {
if (container.isProxiedAuthorization()
&& !container.hasRights(ACI_PROXY)
&& !container.hasRights(ACI_SKIP_PROXY_CHECK)) {
int currentRights = container.getRights();
// Save the current rights so they can be put back if on
// success.
container.setRights(ACI_PROXY);
// Switch to the original authorization entry, not the proxied
// one.
container.useOrigAuthorizationEntry(true);
if (!accessAllowed(container)) {
return false;
}
// Access is ok, put the original rights back.
container.setRights(currentRights);
// Put the proxied authorization entry back to the current
// authorization entry.
container.useOrigAuthorizationEntry(false);
}
// Set the seen flag so proxy processing is not performed for this
// entry again.
container.setSeenEntry(true);
}
/*
* First get all allowed candidate ACIs.
*/
LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
/*
* Create an applicable list of ACIs by target matching each
* candidate ACI against the container's target match view.
*/
createApplicableList(candidates, container);
/*
* Evaluate the applicable list.
*/
boolean ret = testApplicableLists(container);
// Build summary string if doing geteffectiverights eval.
if (container.isGetEffectiveRightsEval()) {
AciEffectiveRights.createSummary(container, ret, "main");
}
return ret;
}