// We initialize these for each new AciHandler so that we can clear // out the stale references that can occur during an in-core restart. private static void initStatics() { if ((aciType = DirectoryServer.getAttributeType("aci")) == null) { aciType = DirectoryServer.getDefaultAttributeType("aci"); } if ((globalAciType = DirectoryServer.getAttributeType(ATTR_AUTHZ_GLOBAL_ACI)) == null) { globalAciType = DirectoryServer.getDefaultAttributeType(ATTR_AUTHZ_GLOBAL_ACI); } if ((debugSearchIndex = DirectoryServer.getAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX)) == null) { debugSearchIndex = DirectoryServer.getDefaultAttributeType(EntryContainer.ATTR_DEBUG_SEARCH_INDEX); } if ((refAttrType = DirectoryServer.getAttributeType(ATTR_REFERRAL_URL)) == null) { refAttrType = DirectoryServer.getDefaultAttributeType(ATTR_REFERRAL_URL); } try { debugSearchIndexDN = DN.decode("cn=debugsearch"); } catch (DirectoryException ex) { // Should never happen. } }
/** * Process all global ACI attribute types found in the configuration entry and adds them to that * ACI list cache. It also logs messages about the number of ACI attribute types added to the * cache. This method is called once at startup. It also will put the server into lockdown mode if * needed. * * @param configuration The config handler containing the ACI configuration information. * @throws InitializationException If there is an error reading the global ACIs from the * configuration entry. */ private void processGlobalAcis(DseeCompatAccessControlHandlerCfg configuration) throws InitializationException { SortedSet<Aci> globalAcis = configuration.getGlobalACI(); try { if (globalAcis != null) { aciList.addAci(DN.nullDN(), globalAcis); Message message = INFO_ACI_ADD_LIST_GLOBAL_ACIS.get(Integer.toString(globalAcis.size())); logError(message); } } catch (Exception e) { if (debugEnabled()) { TRACER.debugCaught(DebugLogLevel.ERROR, e); } Message message = INFO_ACI_HANDLER_FAIL_PROCESS_GLOBAL_ACI.get(String.valueOf(configuration.dn())); throw new InitializationException(message, e); } }
/** * Test the attribute types of the search filter for access. This method supports the search * right. * * @param container The container used in the access evaluation. * @param filter The filter to check access on. * @return True if all attribute types in the filter have access. * @throws DirectoryException If there is a problem matching the entry using the provided filter. */ private boolean testFilter(AciLDAPOperationContainer container, SearchFilter filter) throws DirectoryException { boolean ret = true; // If the resource entry has a dn equal to "cn=debugsearch" and it // contains the special attribute type "debugsearchindex", then the // resource entry is a pseudo entry created for debug purposes. // Return true if that is the case. if (debugSearchIndexDN.equals(container.getResourceDN()) && container.getResourceEntry().hasAttribute(debugSearchIndex)) { return true; } switch (filter.getFilterType()) { case AND: case OR: { for (SearchFilter f : filter.getFilterComponents()) { if (!testFilter(container, f)) { return false; } } break; } case NOT: { SearchFilter f = filter.getNotComponent(); ret = testFilter(container, f); break; } default: { AttributeType attrType = filter.getAttributeType(); container.setCurrentAttributeType(attrType); ret = accessAllowed(container); } } return ret; }
/** * Checks to see if a LDAP modification is allowed access. * * @param container The structure containing the LDAP modifications * @param operation The operation to check modify privileges on. operation to check and the * evaluation context to apply the check against. * @param skipAccessCheck True if access checking should be skipped. * @return True if access is allowed. * @throws DirectoryException If a modified ACI could not be decoded. */ private boolean aciCheckMods( AciLDAPOperationContainer container, LocalBackendModifyOperation operation, boolean skipAccessCheck) throws DirectoryException { Entry resourceEntry = container.getResourceEntry(); DN dn = resourceEntry.getDN(); List<Modification> modifications = operation.getModifications(); for (Modification m : modifications) { Attribute modAttr = m.getAttribute(); AttributeType modAttrType = modAttr.getAttributeType(); if (modAttrType.equals(aciType)) { /* * Check that the operation has modify privileges if it contains * an "aci" attribute type. */ if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) { Message message = INFO_ACI_MODIFY_FAILED_PRIVILEGE.get( String.valueOf(container.getResourceDN()), String.valueOf(container.getClientDN())); logError(message); return false; } } // This access check handles the case where all attributes of this // type are being replaced or deleted. If only a subset is being // deleted than this access check is skipped. ModificationType modType = m.getModificationType(); if (((modType == ModificationType.DELETE) && modAttr.isEmpty()) || ((modType == ModificationType.REPLACE) || (modType == ModificationType.INCREMENT))) { /* * Check if we have rights to delete all values of an attribute * type in the resource entry. */ if (resourceEntry.hasAttribute(modAttrType)) { container.setCurrentAttributeType(modAttrType); List<Attribute> attrList = resourceEntry.getAttribute(modAttrType, modAttr.getOptions()); if (attrList != null) { for (Attribute a : attrList) { for (AttributeValue v : a) { container.setCurrentAttributeValue(v); container.setRights(ACI_WRITE_DELETE); if (!skipAccessCheck && !accessAllowed(container)) { return false; } } } } } } if (!modAttr.isEmpty()) { for (AttributeValue v : modAttr) { container.setCurrentAttributeType(modAttrType); switch (m.getModificationType()) { case ADD: case REPLACE: container.setCurrentAttributeValue(v); container.setRights(ACI_WRITE_ADD); if (!skipAccessCheck && !accessAllowed(container)) { return false; } break; case DELETE: container.setCurrentAttributeValue(v); container.setRights(ACI_WRITE_DELETE); if (!skipAccessCheck && !accessAllowed(container)) { return false; } break; case INCREMENT: Entry modifiedEntry = operation.getModifiedEntry(); List<Attribute> modifiedAttrs = modifiedEntry.getAttribute(modAttrType, modAttr.getOptions()); if (modifiedAttrs != null) { for (Attribute attr : modifiedAttrs) { for (AttributeValue val : attr) { container.setCurrentAttributeValue(val); container.setRights(ACI_WRITE_ADD); if (!skipAccessCheck && !accessAllowed(container)) { return false; } } } } break; } /* * Check if the modification type has an "aci" attribute type. * If so, check the syntax of that attribute value. Fail the * the operation if the syntax check fails. */ if (modAttrType.equals(aciType) || modAttrType.equals(globalAciType)) { try { // A global ACI needs a NULL DN, not the DN of the // modification. if (modAttrType.equals(globalAciType)) { dn = DN.nullDN(); } Aci.decode(v.getValue(), dn); } catch (AciException ex) { Message message = WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn), ex.getMessage()); throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message); } } } } } return true; }
/** * Check access using the specified container. This container will have all of the information to * gather applicable ACIs and perform evaluation on them. * * @param container An ACI operation container which has all of the information needed to check * access. * @return True if access is allowed. */ boolean accessAllowed(AciContainer container) { DN dn = container.getResourceEntry().getDN(); // For ACI_WRITE_ADD and ACI_WRITE_DELETE set the ACI_WRITE // right. if (container.hasRights(ACI_WRITE_ADD) || container.hasRights(ACI_WRITE_DELETE)) { container.setRights(container.getRights() | ACI_WRITE); } // Check if the ACI_SELF right needs to be set (selfwrite right). // Only done if the right is ACI_WRITE, an attribute value is set // and that attribute value is a DN. if ((container.getCurrentAttributeValue() != null) && (container.hasRights(ACI_WRITE)) && (isAttributeDN(container.getCurrentAttributeType()))) { String DNString = null; try { DNString = container.getCurrentAttributeValue().getValue().toString(); DN tmpDN = DN.decode(DNString); // Have a valid DN, compare to clientDN to see if the ACI_SELF // right should be set. if (tmpDN.equals(container.getClientDN())) { container.setRights(container.getRights() | ACI_SELF); } } catch (DirectoryException ex) { // Log a message and keep going. Message message = WARN_ACI_NOT_VALID_DN.get(DNString); logError(message); } } // Check proxy authorization only if the entry has not already been // processed (working on a new entry). If working on a new entry, // then only do a proxy check if the right is not set to ACI_PROXY // and the proxied authorization control has been decoded. if (!container.hasSeenEntry()) { if (container.isProxiedAuthorization() && !container.hasRights(ACI_PROXY) && !container.hasRights(ACI_SKIP_PROXY_CHECK)) { int currentRights = container.getRights(); // Save the current rights so they can be put back if on // success. container.setRights(ACI_PROXY); // Switch to the original authorization entry, not the proxied // one. container.useOrigAuthorizationEntry(true); if (!accessAllowed(container)) { return false; } // Access is ok, put the original rights back. container.setRights(currentRights); // Put the proxied authorization entry back to the current // authorization entry. container.useOrigAuthorizationEntry(false); } // Set the seen flag so proxy processing is not performed for this // entry again. container.setSeenEntry(true); } /* * First get all allowed candidate ACIs. */ LinkedList<Aci> candidates = aciList.getCandidateAcis(dn); /* * Create an applicable list of ACIs by target matching each * candidate ACI against the container's target match view. */ createApplicableList(candidates, container); /* * Evaluate the applicable list. */ boolean ret = testApplicableLists(container); // Build summary string if doing geteffectiverights eval. if (container.isGetEffectiveRightsEval()) { AciEffectiveRights.createSummary(container, ret, "main"); } return ret; }