예제 #1
0
 /**
  * Check access on each attribute-value pair component of the specified RDN. There may be more
  * than one attribute-value pair if the RDN is multi-valued.
  *
  * @param right The access right to check for.
  * @param rdn The RDN to examine the attribute-value pairs of.
  * @param container The container containing the information needed to evaluate the specified RDN.
  * @return True if access is allowed for all attribute-value pairs.
  */
 private boolean checkRDN(int right, RDN rdn, AciContainer container) {
   boolean ret = false;
   int numAVAs = rdn.getNumValues();
   container.setRights(right);
   for (int i = 0; i < numAVAs; i++) {
     AttributeType type = rdn.getAttributeType(i);
     AttributeValue value = rdn.getAttributeValue(i);
     container.setCurrentAttributeType(type);
     container.setCurrentAttributeValue(value);
     if (!(ret = accessAllowed(container))) {
       break;
     }
   }
   return ret;
 }
예제 #2
0
  /**
   * Check access using the specified container. This container will have all of the information to
   * gather applicable ACIs and perform evaluation on them.
   *
   * @param container An ACI operation container which has all of the information needed to check
   *     access.
   * @return True if access is allowed.
   */
  boolean accessAllowed(AciContainer container) {
    DN dn = container.getResourceEntry().getDN();
    // For ACI_WRITE_ADD and ACI_WRITE_DELETE set the ACI_WRITE
    // right.
    if (container.hasRights(ACI_WRITE_ADD) || container.hasRights(ACI_WRITE_DELETE)) {
      container.setRights(container.getRights() | ACI_WRITE);
    }
    // Check if the ACI_SELF right needs to be set (selfwrite right).
    // Only done if the right is ACI_WRITE, an attribute value is set
    // and that attribute value is a DN.
    if ((container.getCurrentAttributeValue() != null)
        && (container.hasRights(ACI_WRITE))
        && (isAttributeDN(container.getCurrentAttributeType()))) {
      String DNString = null;
      try {
        DNString = container.getCurrentAttributeValue().getValue().toString();
        DN tmpDN = DN.decode(DNString);
        // Have a valid DN, compare to clientDN to see if the ACI_SELF
        // right should be set.
        if (tmpDN.equals(container.getClientDN())) {
          container.setRights(container.getRights() | ACI_SELF);
        }
      } catch (DirectoryException ex) {
        // Log a message and keep going.
        Message message = WARN_ACI_NOT_VALID_DN.get(DNString);
        logError(message);
      }
    }

    // Check proxy authorization only if the entry has not already been
    // processed (working on a new entry). If working on a new entry,
    // then only do a proxy check if the right is not set to ACI_PROXY
    // and the proxied authorization control has been decoded.
    if (!container.hasSeenEntry()) {
      if (container.isProxiedAuthorization()
          && !container.hasRights(ACI_PROXY)
          && !container.hasRights(ACI_SKIP_PROXY_CHECK)) {
        int currentRights = container.getRights();
        // Save the current rights so they can be put back if on
        // success.
        container.setRights(ACI_PROXY);
        // Switch to the original authorization entry, not the proxied
        // one.
        container.useOrigAuthorizationEntry(true);
        if (!accessAllowed(container)) {
          return false;
        }
        // Access is ok, put the original rights back.
        container.setRights(currentRights);
        // Put the proxied authorization entry back to the current
        // authorization entry.
        container.useOrigAuthorizationEntry(false);
      }
      // Set the seen flag so proxy processing is not performed for this
      // entry again.
      container.setSeenEntry(true);
    }

    /*
     * First get all allowed candidate ACIs.
     */
    LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
    /*
     * Create an applicable list of ACIs by target matching each
     * candidate ACI against the container's target match view.
     */
    createApplicableList(candidates, container);
    /*
     * Evaluate the applicable list.
     */
    boolean ret = testApplicableLists(container);
    // Build summary string if doing geteffectiverights eval.
    if (container.isGetEffectiveRightsEval()) {
      AciEffectiveRights.createSummary(container, ret, "main");
    }
    return ret;
  }