// We initialize these for each new AciHandler so that we can clear
// out the stale references that can occur during an in-core restart.
private static void initStatics() {
if ((aciType = DirectoryServer.getAttributeType("aci")) == null) {
aciType = DirectoryServer.getDefaultAttributeType("aci");
}
if ((globalAciType = DirectoryServer.getAttributeType(ATTR_AUTHZ_GLOBAL_ACI)) == null) {
globalAciType = DirectoryServer.getDefaultAttributeType(ATTR_AUTHZ_GLOBAL_ACI);
}
if ((debugSearchIndex =
DirectoryServer.getAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX))
== null) {
debugSearchIndex =
DirectoryServer.getDefaultAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX);
}
if ((refAttrType = DirectoryServer.getAttributeType(ATTR_REFERRAL_URL)) == null) {
refAttrType = DirectoryServer.getDefaultAttributeType(ATTR_REFERRAL_URL);
}
try {
debugSearchIndexDN = DN.decode("cn=debugsearch");
} catch (DirectoryException ex) {
// Should never happen.
}
}
/**
* Process all global ACI attribute types found in the configuration entry and adds them to that
* ACI list cache. It also logs messages about the number of ACI attribute types added to the
* cache. This method is called once at startup. It also will put the server into lockdown mode if
* needed.
*
* @param configuration The config handler containing the ACI configuration information.
* @throws InitializationException If there is an error reading the global ACIs from the
* configuration entry.
*/
private void processGlobalAcis(DseeCompatAccessControlHandlerCfg configuration)
throws InitializationException {
SortedSet<Aci> globalAcis = configuration.getGlobalACI();
try {
if (globalAcis != null) {
aciList.addAci(DN.nullDN(), globalAcis);
Message message = INFO_ACI_ADD_LIST_GLOBAL_ACIS.get(Integer.toString(globalAcis.size()));
logError(message);
}
} catch (Exception e) {
if (debugEnabled()) {
TRACER.debugCaught(DebugLogLevel.ERROR, e);
}
Message message =
INFO_ACI_HANDLER_FAIL_PROCESS_GLOBAL_ACI.get(String.valueOf(configuration.dn()));
throw new InitializationException(message, e);
}
}
/**
* Test the attribute types of the search filter for access. This method supports the search
* right.
*
* @param container The container used in the access evaluation.
* @param filter The filter to check access on.
* @return True if all attribute types in the filter have access.
* @throws DirectoryException If there is a problem matching the entry using the provided filter.
*/
private boolean testFilter(AciLDAPOperationContainer container, SearchFilter filter)
throws DirectoryException {
boolean ret = true;
// If the resource entry has a dn equal to "cn=debugsearch" and it
// contains the special attribute type "debugsearchindex", then the
// resource entry is a pseudo entry created for debug purposes.
// Return true if that is the case.
if (debugSearchIndexDN.equals(container.getResourceDN())
&& container.getResourceEntry().hasAttribute(debugSearchIndex)) {
return true;
}
switch (filter.getFilterType()) {
case AND:
case OR:
{
for (SearchFilter f : filter.getFilterComponents()) {
if (!testFilter(container, f)) {
return false;
}
}
break;
}
case NOT:
{
SearchFilter f = filter.getNotComponent();
ret = testFilter(container, f);
break;
}
default:
{
AttributeType attrType = filter.getAttributeType();
container.setCurrentAttributeType(attrType);
ret = accessAllowed(container);
}
}
return ret;
}
/**
* Checks to see if a LDAP modification is allowed access.
*
* @param container The structure containing the LDAP modifications
* @param operation The operation to check modify privileges on. operation to check and the
* evaluation context to apply the check against.
* @param skipAccessCheck True if access checking should be skipped.
* @return True if access is allowed.
* @throws DirectoryException If a modified ACI could not be decoded.
*/
private boolean aciCheckMods(
AciLDAPOperationContainer container,
LocalBackendModifyOperation operation,
boolean skipAccessCheck)
throws DirectoryException {
Entry resourceEntry = container.getResourceEntry();
DN dn = resourceEntry.getDN();
List<Modification> modifications = operation.getModifications();
for (Modification m : modifications) {
Attribute modAttr = m.getAttribute();
AttributeType modAttrType = modAttr.getAttributeType();
if (modAttrType.equals(aciType)) {
/*
* Check that the operation has modify privileges if it contains
* an "aci" attribute type.
*/
if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
Message message =
INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(
String.valueOf(container.getResourceDN()),
String.valueOf(container.getClientDN()));
logError(message);
return false;
}
}
// This access check handles the case where all attributes of this
// type are being replaced or deleted. If only a subset is being
// deleted than this access check is skipped.
ModificationType modType = m.getModificationType();
if (((modType == ModificationType.DELETE) && modAttr.isEmpty())
|| ((modType == ModificationType.REPLACE) || (modType == ModificationType.INCREMENT))) {
/*
* Check if we have rights to delete all values of an attribute
* type in the resource entry.
*/
if (resourceEntry.hasAttribute(modAttrType)) {
container.setCurrentAttributeType(modAttrType);
List<Attribute> attrList = resourceEntry.getAttribute(modAttrType, modAttr.getOptions());
if (attrList != null) {
for (Attribute a : attrList) {
for (AttributeValue v : a) {
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_DELETE);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
}
}
}
}
}
if (!modAttr.isEmpty()) {
for (AttributeValue v : modAttr) {
container.setCurrentAttributeType(modAttrType);
switch (m.getModificationType()) {
case ADD:
case REPLACE:
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_ADD);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
break;
case DELETE:
container.setCurrentAttributeValue(v);
container.setRights(ACI_WRITE_DELETE);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
break;
case INCREMENT:
Entry modifiedEntry = operation.getModifiedEntry();
List<Attribute> modifiedAttrs =
modifiedEntry.getAttribute(modAttrType, modAttr.getOptions());
if (modifiedAttrs != null) {
for (Attribute attr : modifiedAttrs) {
for (AttributeValue val : attr) {
container.setCurrentAttributeValue(val);
container.setRights(ACI_WRITE_ADD);
if (!skipAccessCheck && !accessAllowed(container)) {
return false;
}
}
}
}
break;
}
/*
* Check if the modification type has an "aci" attribute type.
* If so, check the syntax of that attribute value. Fail the
* the operation if the syntax check fails.
*/
if (modAttrType.equals(aciType) || modAttrType.equals(globalAciType)) {
try {
// A global ACI needs a NULL DN, not the DN of the
// modification.
if (modAttrType.equals(globalAciType)) {
dn = DN.nullDN();
}
Aci.decode(v.getValue(), dn);
} catch (AciException ex) {
Message message =
WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn), ex.getMessage());
throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
}
}
}
}
}
return true;
}
/**
* Check access using the specified container. This container will have all of the information to
* gather applicable ACIs and perform evaluation on them.
*
* @param container An ACI operation container which has all of the information needed to check
* access.
* @return True if access is allowed.
*/
boolean accessAllowed(AciContainer container) {
DN dn = container.getResourceEntry().getDN();
// For ACI_WRITE_ADD and ACI_WRITE_DELETE set the ACI_WRITE
// right.
if (container.hasRights(ACI_WRITE_ADD) || container.hasRights(ACI_WRITE_DELETE)) {
container.setRights(container.getRights() | ACI_WRITE);
}
// Check if the ACI_SELF right needs to be set (selfwrite right).
// Only done if the right is ACI_WRITE, an attribute value is set
// and that attribute value is a DN.
if ((container.getCurrentAttributeValue() != null)
&& (container.hasRights(ACI_WRITE))
&& (isAttributeDN(container.getCurrentAttributeType()))) {
String DNString = null;
try {
DNString = container.getCurrentAttributeValue().getValue().toString();
DN tmpDN = DN.decode(DNString);
// Have a valid DN, compare to clientDN to see if the ACI_SELF
// right should be set.
if (tmpDN.equals(container.getClientDN())) {
container.setRights(container.getRights() | ACI_SELF);
}
} catch (DirectoryException ex) {
// Log a message and keep going.
Message message = WARN_ACI_NOT_VALID_DN.get(DNString);
logError(message);
}
}
// Check proxy authorization only if the entry has not already been
// processed (working on a new entry). If working on a new entry,
// then only do a proxy check if the right is not set to ACI_PROXY
// and the proxied authorization control has been decoded.
if (!container.hasSeenEntry()) {
if (container.isProxiedAuthorization()
&& !container.hasRights(ACI_PROXY)
&& !container.hasRights(ACI_SKIP_PROXY_CHECK)) {
int currentRights = container.getRights();
// Save the current rights so they can be put back if on
// success.
container.setRights(ACI_PROXY);
// Switch to the original authorization entry, not the proxied
// one.
container.useOrigAuthorizationEntry(true);
if (!accessAllowed(container)) {
return false;
}
// Access is ok, put the original rights back.
container.setRights(currentRights);
// Put the proxied authorization entry back to the current
// authorization entry.
container.useOrigAuthorizationEntry(false);
}
// Set the seen flag so proxy processing is not performed for this
// entry again.
container.setSeenEntry(true);
}
/*
* First get all allowed candidate ACIs.
*/
LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
/*
* Create an applicable list of ACIs by target matching each
* candidate ACI against the container's target match view.
*/
createApplicableList(candidates, container);
/*
* Evaluate the applicable list.
*/
boolean ret = testApplicableLists(container);
// Build summary string if doing geteffectiverights eval.
if (container.isGetEffectiveRightsEval()) {
AciEffectiveRights.createSummary(container, ret, "main");
}
return ret;
}