/**
* Evaluate an entry to be added to see if it has any "aci" attribute type. If it does, examines
* each "aci" attribute type value for syntax errors. All of the "aci" attribute type values must
* pass syntax check for the add operation to proceed. Any entry with an "aci" attribute type must
* have "modify-acl" privileges.
*
* @param entry The entry to be examined.
* @param operation The operation to to check privileges on.
* @param clientDN The authorization DN.
* @return True if the entry has no ACI attributes or if all of the "aci" attributes values pass
* ACI syntax checking.
* @throws DirectoryException If a modified ACI could not be decoded.
*/
private boolean verifySyntax(Entry entry, Operation operation, DN clientDN)
throws DirectoryException {
if (entry.hasOperationalAttribute(aciType)) {
/*
* Check that the operation has "modify-acl" privileges since the
* entry to be added has an "aci" attribute type.
*/
if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
Message message =
INFO_ACI_ADD_FAILED_PRIVILEGE.get(
String.valueOf(entry.getDN()), String.valueOf(clientDN));
logError(message);
return false;
}
List<Attribute> attributeList = entry.getOperationalAttribute(aciType, null);
for (Attribute attribute : attributeList) {
for (AttributeValue value : attribute) {
try {
DN dn = entry.getDN();
Aci.decode(value.getValue(), dn);
} catch (AciException ex) {
Message message =
WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry.getDN()), ex.getMessage());
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
}
return true;
}
/**
* Check to see if the client entry has BYPASS_ACL privileges for this operation.
*
* @param operation The operation to check privileges on.
* @return True if access checking can be skipped because the operation client connection has
* BYPASS_ACL privileges.
*/
private boolean skipAccessCheck(Operation operation) {
return operation.getClientConnection().hasPrivilege(Privilege.BYPASS_ACL, operation);
}
