예제 #1
0
  /** {@inheritDoc} */
  @Override
  public void filterEntry(
      Operation operation, SearchResultEntry unfilteredEntry, SearchResultEntry filteredEntry) {
    AciLDAPOperationContainer operationContainer =
        new AciLDAPOperationContainer(operation, (ACI_READ), unfilteredEntry);

    // Proxy access check has already been done for this entry in the
    // maySend method, set the seen flag to true to bypass any proxy
    // check.
    operationContainer.setSeenEntry(true);

    boolean skipCheck = skipAccessCheck(operation);
    if (!skipCheck) {
      filterEntry(operationContainer, filteredEntry);
    }

    if (operationContainer.hasGetEffectiveRightsControl()) {
      AciEffectiveRights.addRightsToEntry(
          this,
          ((SearchOperation) operation).getAttributes(),
          operationContainer,
          filteredEntry,
          skipCheck);
    }
  }
예제 #2
0
  /**
   * Check access using the specified container. This container will have all of the information to
   * gather applicable ACIs and perform evaluation on them.
   *
   * @param container An ACI operation container which has all of the information needed to check
   *     access.
   * @return True if access is allowed.
   */
  boolean accessAllowed(AciContainer container) {
    DN dn = container.getResourceEntry().getDN();
    // For ACI_WRITE_ADD and ACI_WRITE_DELETE set the ACI_WRITE
    // right.
    if (container.hasRights(ACI_WRITE_ADD) || container.hasRights(ACI_WRITE_DELETE)) {
      container.setRights(container.getRights() | ACI_WRITE);
    }
    // Check if the ACI_SELF right needs to be set (selfwrite right).
    // Only done if the right is ACI_WRITE, an attribute value is set
    // and that attribute value is a DN.
    if ((container.getCurrentAttributeValue() != null)
        && (container.hasRights(ACI_WRITE))
        && (isAttributeDN(container.getCurrentAttributeType()))) {
      String DNString = null;
      try {
        DNString = container.getCurrentAttributeValue().getValue().toString();
        DN tmpDN = DN.decode(DNString);
        // Have a valid DN, compare to clientDN to see if the ACI_SELF
        // right should be set.
        if (tmpDN.equals(container.getClientDN())) {
          container.setRights(container.getRights() | ACI_SELF);
        }
      } catch (DirectoryException ex) {
        // Log a message and keep going.
        Message message = WARN_ACI_NOT_VALID_DN.get(DNString);
        logError(message);
      }
    }

    // Check proxy authorization only if the entry has not already been
    // processed (working on a new entry). If working on a new entry,
    // then only do a proxy check if the right is not set to ACI_PROXY
    // and the proxied authorization control has been decoded.
    if (!container.hasSeenEntry()) {
      if (container.isProxiedAuthorization()
          && !container.hasRights(ACI_PROXY)
          && !container.hasRights(ACI_SKIP_PROXY_CHECK)) {
        int currentRights = container.getRights();
        // Save the current rights so they can be put back if on
        // success.
        container.setRights(ACI_PROXY);
        // Switch to the original authorization entry, not the proxied
        // one.
        container.useOrigAuthorizationEntry(true);
        if (!accessAllowed(container)) {
          return false;
        }
        // Access is ok, put the original rights back.
        container.setRights(currentRights);
        // Put the proxied authorization entry back to the current
        // authorization entry.
        container.useOrigAuthorizationEntry(false);
      }
      // Set the seen flag so proxy processing is not performed for this
      // entry again.
      container.setSeenEntry(true);
    }

    /*
     * First get all allowed candidate ACIs.
     */
    LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
    /*
     * Create an applicable list of ACIs by target matching each
     * candidate ACI against the container's target match view.
     */
    createApplicableList(candidates, container);
    /*
     * Evaluate the applicable list.
     */
    boolean ret = testApplicableLists(container);
    // Build summary string if doing geteffectiverights eval.
    if (container.isGetEffectiveRightsEval()) {
      AciEffectiveRights.createSummary(container, ret, "main");
    }
    return ret;
  }
예제 #3
0
 /** {@inheritDoc} */
 @Override()
 public void finalizeAccessControlHandler() {
   aciListenerMgr.finalizeListenerManager();
   AciEffectiveRights.finalizeOnShutdown();
   DirectoryServer.deregisterSupportedControl(OID_GET_EFFECTIVE_RIGHTS);
 }
예제 #4
0
 /**
  * Performs the test of the deny and allow access lists using the provided evaluation context. The
  * deny list is checked first.
  *
  * @param evalCtx The evaluation context to use.
  * @return True if access is allowed.
  */
 private boolean testApplicableLists(AciEvalContext evalCtx) {
   EnumEvalResult res;
   evalCtx.setEvalReason(EnumEvalReason.NO_REASON);
   LinkedList<Aci> denys = evalCtx.getDenyList();
   LinkedList<Aci> allows = evalCtx.getAllowList();
   // If allows list is empty and not doing geteffectiverights return
   // false.
   evalCtx.setDenyEval(true);
   if (allows.isEmpty()
       && !(evalCtx.isGetEffectiveRightsEval()
           && !evalCtx.hasRights(ACI_SELF)
           && evalCtx.isTargAttrFilterMatchAciEmpty())) {
     evalCtx.setEvalReason(EnumEvalReason.NO_ALLOW_ACIS);
     evalCtx.setDecidingAci(null);
     return false;
   }
   for (Aci denyAci : denys) {
     res = Aci.evaluate(evalCtx, denyAci);
     // Failure could be returned if a system limit is hit or
     // search fails
     if (res.equals(EnumEvalResult.FAIL)) {
       evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
       evalCtx.setDecidingAci(denyAci);
       return false;
     } else if (res.equals(EnumEvalResult.TRUE)) {
       if (evalCtx.isGetEffectiveRightsEval()
           && !evalCtx.hasRights(ACI_SELF)
           && !evalCtx.isTargAttrFilterMatchAciEmpty()) {
         // Iterate to next only if deny ACI contains a targattrfilters
         // keyword.
         if (AciEffectiveRights.setTargAttrAci(evalCtx, denyAci, true)) {
           continue;
         }
         evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
         evalCtx.setDecidingAci(denyAci);
         return false;
       } else {
         evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
         evalCtx.setDecidingAci(denyAci);
         return false;
       }
     }
   }
   // Now check the allows -- flip the deny flag to false first.
   evalCtx.setDenyEval(false);
   for (Aci allowAci : allows) {
     res = Aci.evaluate(evalCtx, allowAci);
     if (res.equals(EnumEvalResult.TRUE)) {
       if (evalCtx.isGetEffectiveRightsEval()
           && !evalCtx.hasRights(ACI_SELF)
           && !evalCtx.isTargAttrFilterMatchAciEmpty()) {
         // Iterate to next only if deny ACI contains a targattrfilters
         // keyword.
         if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false)) {
           continue;
         }
         evalCtx.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
         evalCtx.setDecidingAci(allowAci);
         return true;
       } else {
         evalCtx.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
         evalCtx.setDecidingAci(allowAci);
         return true;
       }
     }
   }
   // Nothing matched fall through.
   evalCtx.setEvalReason(EnumEvalReason.NO_MATCHED_ALLOWS_ACIS);
   evalCtx.setDecidingAci(null);
   return false;
 }