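/**
 * {@inheritDoc}
 *
 * <p>Unless the client holds the BYPASS_ACL privilege, the control is evaluated with the
 * {@code ACI_READ} and {@code ACI_CONTROL} rights against an entry built from
 * {@code entryDN} alone (no attributes). Two controls get extra handling when access is
 * granted: for a proxied authorization control (v1 or v2) the operation's current
 * authorization entry is attached under {@code ORIG_AUTH_ENTRY}; for a get-effective-rights
 * control the decoded control is attached under {@code OID_GET_EFFECTIVE_RIGHTS}. Nothing is
 * attached when access is denied.
 *
 * @throws DirectoryException If the get-effective-rights control value cannot be decoded.
 */
@Override
public boolean isAllowed(DN entryDN, Operation op, Control control)
    throws DirectoryException {
  boolean allowed = skipAccessCheck(op);
  if (!allowed) {
    // Only the DN is supplied; the entry carries no attributes for this check.
    Entry targetEntry = new Entry(entryDN, null, null, null);
    AciLDAPOperationContainer container =
        new AciLDAPOperationContainer(op, targetEntry, control, (ACI_READ | ACI_CONTROL));
    allowed = accessAllowed(container);
  }

  // Read the OID once instead of on every comparison.
  final String oid = control.getOID();
  if (OID_PROXIED_AUTH_V2.equals(oid) || OID_PROXIED_AUTH_V1.equals(oid)) {
    if (allowed) {
      op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
    }
  } else if (OID_GET_EFFECTIVE_RIGHTS.equals(oid)) {
    if (allowed) {
      GetEffectiveRightsRequestControl getEffectiveRightsControl;
      if (control instanceof LDAPControl) {
        // An LDAPControl still holds the undecoded value; decode it here.
        getEffectiveRightsControl = GetEffectiveRightsRequestControl.DECODER.decode(
            control.isCritical(), ((LDAPControl) control).getValue());
      } else {
        getEffectiveRightsControl = (GetEffectiveRightsRequestControl) control;
      }
      op.setAttachment(OID_GET_EFFECTIVE_RIGHTS, getEffectiveRightsControl);
    }
  }
  return allowed;
}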
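/**
 * Evaluate an entry to be added to see if it has any "aci" attribute type. If it does, examines
 * each "aci" attribute type value for syntax errors. All of the "aci" attribute type values must
 * pass syntax check for the add operation to proceed. Any entry with an "aci" attribute type must
 * have "modify-acl" privileges.
 *
 * @param entry The entry to be examined.
 * @param operation The operation to check privileges on.
 * @param clientDN The authorization DN; used only in the privilege-failure log message.
 * @return True if the entry has no ACI attributes or if all of the "aci" attributes values pass
 *     ACI syntax checking; false if the entry has "aci" values and the client lacks the
 *     "modify-acl" privilege.
 * @throws DirectoryException If an "aci" value could not be decoded
 *     ({@code INVALID_ATTRIBUTE_SYNTAX}).
 */
private boolean verifySyntax(Entry entry, Operation operation, DN clientDN)
    throws DirectoryException {
  if (!entry.hasOperationalAttribute(aciType)) {
    return true;
  }

  // The entry DN does not change during the checks below; fetch it once.
  final DN entryDN = entry.getDN();

  /*
   * Check that the operation has "modify-acl" privileges since the
   * entry to be added has an "aci" attribute type.
   */
  if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
    Message message = INFO_ACI_ADD_FAILED_PRIVILEGE.get(
        String.valueOf(entryDN), String.valueOf(clientDN));
    logError(message);
    return false;
  }

  // Every "aci" value must decode; the first failure rejects the whole add.
  List<Attribute> attributeList = entry.getOperationalAttribute(aciType, null);
  for (Attribute attribute : attributeList) {
    for (AttributeValue value : attribute) {
      try {
        Aci.decode(value.getValue(), entryDN);
      } catch (AciException ex) {
        Message message = WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entryDN), ex.getMessage());
        // Keep the decode failure as the cause rather than dropping it.
        throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message, ex);
      }
    }
  }
  return true;
}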
/**
 * {@inheritDoc}
 *
 * <p>Decides whether a search result entry may be returned to the client. A client with
 * BYPASS_ACL is always allowed. Otherwise, for a search operation the entry is first tested
 * against the search filter with the {@code ACI_SEARCH} right, and any filter that cannot be
 * evaluated withholds the entry. The entry is then checked with the {@code ACI_READ} right.
 * If the container reports no evaluated user attributes, {@code ALL_USER_ATTRS_MATCHED} is
 * attached to the operation; likewise {@code ALL_OP_ATTRS_MATCHED} for operational
 * attributes.
 */
@Override
public boolean maySend(Operation operation, SearchResultEntry entry) {
  if (skipAccessCheck(operation)) {
    return true;
  }
  final AciLDAPOperationContainer container =
      new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);

  // Pre/post read controls are associated with other types of operation, so the
  // filter test only applies to a genuine search operation.
  if (operation instanceof SearchOperation) {
    boolean filterMatches;
    try {
      filterMatches = testFilter(container, ((SearchOperation) operation).getFilter());
    } catch (DirectoryException ignored) {
      // A filter that cannot be evaluated is treated as a non-match.
      filterMatches = false;
    }
    if (!filterMatches) {
      return false;
    }
  }

  container.clearEvalAttributes(ACI_NULL);
  container.setRights(ACI_READ);
  if (!accessAllowedEntry(container)) {
    return false;
  }

  if (!container.hasEvalUserAttributes()) {
    operation.setAttachment(ALL_USER_ATTRS_MATCHED, ALL_USER_ATTRS_MATCHED);
  }
  if (!container.hasEvalOpAttributes()) {
    operation.setAttachment(ALL_OP_ATTRS_MATCHED, ALL_OP_ATTRS_MATCHED);
  }
  return true;
}
/**
 * Check to see if the client entry has BYPASS_ACL privileges for this operation.
 *
 * <p>Callers use the result as their first guard: when it is true, no ACI evaluation is
 * performed for the operation at all.
 *
 * @param operation The operation to check privileges on.
 * @return True if access checking can be skipped because the operation client connection has
 *     BYPASS_ACL privileges.
 */
private boolean skipAccessCheck(Operation operation) {
  final boolean canBypass =
      operation.getClientConnection().hasPrivilege(Privilege.BYPASS_ACL, operation);
  return canBypass;
}