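/**
 * Performs the test of the deny and allow access lists using the provided
 * evaluation context. The deny list is checked first; an ACI on it that
 * matches (or whose evaluation fails) decides the outcome as denied before
 * any allow ACI is consulted.
 *
 * <p>Side effects on {@code evalCtx}: the evaluation reason is reset to
 * {@code NO_REASON} and then set to the reason for the decision, the deciding
 * ACI is set (or cleared with {@code null}), and the deny-eval flag is set to
 * {@code true} while the deny list is walked and {@code false} for the allow
 * list.
 *
 * <p>A {@code FAIL} result from a deny ACI (for example a system limit hit or
 * a failed search) is treated as a deny; a {@code FAIL} from an allow ACI is
 * simply not a grant. Either way the method never grants on failure.
 *
 * @param evalCtx The evaluation context to use.
 * @return True if access is allowed.
 */
private boolean testApplicableLists(AciEvalContext evalCtx) {
    evalCtx.setEvalReason(EnumEvalReason.NO_REASON);
    LinkedList<Aci> denys = evalCtx.getDenyList();
    LinkedList<Aci> allows = evalCtx.getAllowList();

    // The deny list is evaluated first.
    evalCtx.setDenyEval(true);

    // With no allow ACIs nothing can grant access, so deny up front -- unless
    // this is a geteffectiverights evaluation (not on self) with an empty
    // targattrfilters match, which still needs the deny ACIs walked.
    if (allows.isEmpty()
            && !(evalCtx.isGetEffectiveRightsEval()
                    && !evalCtx.hasRights(ACI_SELF)
                    && evalCtx.isTargAttrFilterMatchAciEmpty())) {
        return decide(evalCtx, EnumEvalReason.NO_ALLOW_ACIS, null, false);
    }

    for (Aci denyAci : denys) {
        EnumEvalResult res = Aci.evaluate(evalCtx, denyAci);
        // In a geteffectiverights evaluation a matching deny ACI that carries a
        // targattrfilters keyword is recorded and evaluation moves on to the
        // next deny ACI instead of deciding.
        if (res.equals(EnumEvalResult.TRUE)
                && isTargAttrFiltersEffectiveRightsEval(evalCtx)
                && AciEffectiveRights.setTargAttrAci(evalCtx, denyAci, true)) {
            continue;
        }
        // FAIL (system limit hit, search failure) is treated like a matching
        // deny ACI: the request is denied rather than silently skipped.
        if (res.equals(EnumEvalResult.FAIL) || res.equals(EnumEvalResult.TRUE)) {
            return decide(evalCtx, EnumEvalReason.EVALUATED_DENY_ACI, denyAci, false);
        }
    }

    // Now check the allows -- flip the deny flag to false first.
    evalCtx.setDenyEval(false);
    for (Aci allowAci : allows) {
        EnumEvalResult res = Aci.evaluate(evalCtx, allowAci);
        // Anything other than TRUE (including FAIL) does not grant access.
        if (!res.equals(EnumEvalResult.TRUE)) {
            continue;
        }
        // In a geteffectiverights evaluation a matching allow ACI that carries a
        // targattrfilters keyword is recorded and evaluation moves on.
        if (isTargAttrFiltersEffectiveRightsEval(evalCtx)
                && AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false)) {
            continue;
        }
        return decide(evalCtx, EnumEvalReason.EVALUATED_ALLOW_ACI, allowAci, true);
    }

    // Nothing matched: fall through to a deny.
    return decide(evalCtx, EnumEvalReason.NO_MATCHED_ALLOWS_ACIS, null, false);
}

/**
 * Records the outcome of the list evaluation on the context and returns it.
 *
 * @param evalCtx The evaluation context to update.
 * @param reason The reason to record for the decision.
 * @param decidingAci The ACI that decided the outcome, or {@code null} if
 *        no single ACI decided it.
 * @param allowed The decision to return.
 * @return {@code allowed}, unchanged.
 */
private boolean decide(AciEvalContext evalCtx, EnumEvalReason reason,
        Aci decidingAci, boolean allowed) {
    evalCtx.setEvalReason(reason);
    evalCtx.setDecidingAci(decidingAci);
    return allowed;
}

/**
 * Returns whether this is a geteffectiverights evaluation, not of the self
 * rights, with a non-empty targattrfilters match ACI. Evaluated per ACI
 * because {@code AciEffectiveRights.setTargAttrAci} may update the context
 * between iterations.
 *
 * @param evalCtx The evaluation context to inspect.
 * @return True if matching ACIs should be recorded via
 *         {@code AciEffectiveRights.setTargAttrAci} instead of deciding.
 */
private boolean isTargAttrFiltersEffectiveRightsEval(AciEvalContext evalCtx) {
    return evalCtx.isGetEffectiveRightsEval()
            && !evalCtx.hasRights(ACI_SELF)
            && !evalCtx.isTargAttrFilterMatchAciEmpty();
}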