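/**
 * Check if access is allowed on an entry. Access is checked by iterating through each attribute
 * type of the entry, starting with the "objectclass" attribute type (the order is whatever
 * {@code getAllAttrs} returns). If access is allowed on the entry based on one of its attribute
 * types, then a possible second access check is performed. This second check is only performed if
 * an entry test ACI was found during the earlier successful access check. An entry test ACI has no
 * "targetattrs" keyword, so allowing access based on an attribute type only would be incorrect.
 *
 * <p>The second check, with the current attribute type cleared to {@code null}, fails the entry
 * only when the container reports a deny evaluation; a second check that merely finds no explicit
 * allow rule still grants access to the entry.
 *
 * @param container ACI search container containing all of the information needed to check access.
 * @return True if access is allowed on the entry for at least one of its attribute types (and not
 *     denied by an entry test rule); false if no attribute type grants access or an entry test
 *     rule denies it.
 */
boolean accessAllowedEntry(AciLDAPOperationContainer container) {
    // Flag that the next attribute evaluated is the first one of this entry.
    container.setIsFirstAttribute(true);
    List<AttributeType> typeList = getAllAttrs(container.getResourceEntry());
    for (AttributeType attrType : typeList) {
        container.setCurrentAttributeType(attrType);
        if (!accessAllowed(container)) {
            // This attribute type grants nothing; try the next one.
            continue;
        }
        /*
         * Access is allowed on this attribute type. If an entry test rule (no targetattrs) was
         * found during target match evaluation, clear the current attribute type and check access
         * again so that rule is applied to the entry as a whole.
         */
        if (container.hasEntryTestRule()) {
            container.setCurrentAttributeType(null);
            // A deny permission-bind rule on the re-check is final: stop and refuse access.
            // Failing only because no explicit allow rule matched does NOT deny the entry —
            // access is granted implicitly in that case.
            if (!accessAllowed(container) && container.isDenyEval()) {
                return false;
            }
        }
        return true;
    }
    // No attribute type granted access to the entry.
    return false;
}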