/** {@inheritDoc} */
@Override
public boolean isAllowed(DN entryDN, Operation op, Control control) throws DirectoryException {
boolean ret;
if (!(ret = skipAccessCheck(op))) {
Entry e = new Entry(entryDN, null, null, null);
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(op, e, control, (ACI_READ | ACI_CONTROL));
ret = accessAllowed(operationContainer);
}
if (control.getOID().equals(OID_PROXIED_AUTH_V2)
|| control.getOID().equals(OID_PROXIED_AUTH_V1)) {
if (ret) {
op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
}
} else if (control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS)) {
if (ret) {
GetEffectiveRightsRequestControl getEffectiveRightsControl;
if (control instanceof LDAPControl) {
getEffectiveRightsControl =
GetEffectiveRightsRequestControl.DECODER.decode(
control.isCritical(), ((LDAPControl) control).getValue());
} else {
getEffectiveRightsControl = (GetEffectiveRightsRequestControl) control;
}
op.setAttachment(OID_GET_EFFECTIVE_RIGHTS, getEffectiveRightsControl);
}
}
return ret;
}
/** {@inheritDoc} */
@Override
public boolean maySend(Operation operation, SearchResultEntry entry) {
if (skipAccessCheck(operation)) {
return true;
}
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);
// Pre/post read controls are associated with other types of operation.
if (operation instanceof SearchOperation) {
try {
if (!testFilter(operationContainer, ((SearchOperation) operation).getFilter())) {
return false;
}
} catch (DirectoryException ex) {
return false;
}
}
operationContainer.clearEvalAttributes(ACI_NULL);
operationContainer.setRights(ACI_READ);
if (!accessAllowedEntry(operationContainer)) {
return false;
}
if (!operationContainer.hasEvalUserAttributes()) {
operation.setAttachment(ALL_USER_ATTRS_MATCHED, ALL_USER_ATTRS_MATCHED);
}
if (!operationContainer.hasEvalOpAttributes()) {
operation.setAttachment(ALL_OP_ATTRS_MATCHED, ALL_OP_ATTRS_MATCHED);
}
return true;
}
