Пример #1
0
 /**
  * Evaluate an entry to be added to see if it has any "aci" attribute type. If it does, examines
  * each "aci" attribute type value for syntax errors. All of the "aci" attribute type values must
  * pass syntax check for the add operation to proceed. Any entry with an "aci" attribute type must
  * have "modify-acl" privileges.
  *
  * @param entry The entry to be examined.
  * @param operation The operation to to check privileges on.
  * @param clientDN The authorization DN.
  * @return True if the entry has no ACI attributes or if all of the "aci" attributes values pass
  *     ACI syntax checking.
  * @throws DirectoryException If a modified ACI could not be decoded.
  */
 private boolean verifySyntax(Entry entry, Operation operation, DN clientDN)
     throws DirectoryException {
   if (entry.hasOperationalAttribute(aciType)) {
     /*
      * Check that the operation has "modify-acl" privileges since the
      * entry to be added has an "aci" attribute type.
      */
     if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
       Message message =
           INFO_ACI_ADD_FAILED_PRIVILEGE.get(
               String.valueOf(entry.getDN()), String.valueOf(clientDN));
       logError(message);
       return false;
     }
     List<Attribute> attributeList = entry.getOperationalAttribute(aciType, null);
     for (Attribute attribute : attributeList) {
       for (AttributeValue value : attribute) {
         try {
           DN dn = entry.getDN();
           Aci.decode(value.getValue(), dn);
         } catch (AciException ex) {
           Message message =
               WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entry.getDN()), ex.getMessage());
           throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
         }
       }
     }
   }
   return true;
 }
Пример #2
0
 /**
  * Gathers all of the attribute types in an entry along with the "objectclass" attribute type in a
  * List. The "objectclass" attribute is added to the list first so it is evaluated first.
  *
  * @param e Entry to gather the attributes for.
  * @return List containing the attribute types.
  */
 private List<AttributeType> getAllAttrs(Entry e) {
   Map<AttributeType, List<Attribute>> attrMap = e.getUserAttributes();
   Map<AttributeType, List<Attribute>> opAttrMap = e.getOperationalAttributes();
   List<AttributeType> typeList = new LinkedList<AttributeType>();
   Attribute attr = e.getObjectClassAttribute();
   /*
    * When a search is not all attributes returned, the "objectclass"
    * attribute type is missing from the entry.
    */
   if (attr != null) {
     AttributeType ocType = attr.getAttributeType();
     typeList.add(ocType);
   }
   typeList.addAll(attrMap.keySet());
   typeList.addAll(opAttrMap.keySet());
   return typeList;
 }
Пример #3
0
 /** {@inheritDoc} */
 @Override
 public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation op) {
   boolean ret;
   if (!(ret = skipAccessCheck(proxyUser))) {
     AuthenticationInfo authInfo =
         new AuthenticationInfo(proxyUser, DirectoryServer.isRootDN(proxyUser.getDN()));
     AciLDAPOperationContainer operationContainer =
         new AciLDAPOperationContainer(op, proxiedUser, authInfo, ACI_PROXY);
     ret = accessAllowedEntry(operationContainer);
   }
   return ret;
 }
Пример #4
0
  /** {@inheritDoc} */
  @Override
  public boolean maySend(DN dn, Operation operation, SearchResultReference reference) {
    boolean ret;
    if (!(ret = skipAccessCheck(operation))) {
      Entry e = new Entry(dn, null, null, null);
      AttributeBuilder builder = new AttributeBuilder(refAttrType, ATTR_REFERRAL_URL);
      List<String> URLStrings = reference.getReferralURLs();

      // Load the values, a bind rule might want to evaluate them.
      for (String URLString : URLStrings) {
        builder.add(AttributeValues.create(refAttrType, URLString));
      }

      e.addAttribute(builder.toAttribute(), null);
      SearchResultEntry se = new SearchResultEntry(e);
      AciLDAPOperationContainer operationContainer =
          new AciLDAPOperationContainer(operation, (ACI_READ), se);
      operationContainer.setCurrentAttributeType(refAttrType);
      ret = accessAllowed(operationContainer);
    }
    return ret;
  }
Пример #5
0
 /**
  * Performs an access check against all of the attributes of an entry. The attributes that fail
  * access are removed from the entry. This method performs the processing needed for the
  * filterEntry method processing.
  *
  * @param container The search or compare container which has all of the information needed to
  *     filter the attributes for this entry.
  * @param filteredEntry The partially filtered search result entry being returned to the client.
  */
 private void filterEntry(AciLDAPOperationContainer container, Entry filteredEntry) {
   List<AttributeType> typeList = getAllAttrs(filteredEntry);
   for (AttributeType attrType : typeList) {
     if (container.hasAllUserAttributes() && !attrType.isOperational()) {
       continue;
     }
     if (container.hasAllOpAttributes() && attrType.isOperational()) {
       continue;
     }
     container.setCurrentAttributeType(attrType);
     if (!accessAllowed(container)) {
       filteredEntry.removeAttribute(attrType);
     }
   }
 }
Пример #6
0
  /**
   * Checks to see if a LDAP modification is allowed access.
   *
   * @param container The structure containing the LDAP modifications
   * @param operation The operation to check modify privileges on. operation to check and the
   *     evaluation context to apply the check against.
   * @param skipAccessCheck True if access checking should be skipped.
   * @return True if access is allowed.
   * @throws DirectoryException If a modified ACI could not be decoded.
   */
  private boolean aciCheckMods(
      AciLDAPOperationContainer container,
      LocalBackendModifyOperation operation,
      boolean skipAccessCheck)
      throws DirectoryException {
    Entry resourceEntry = container.getResourceEntry();
    DN dn = resourceEntry.getDN();
    List<Modification> modifications = operation.getModifications();

    for (Modification m : modifications) {
      Attribute modAttr = m.getAttribute();
      AttributeType modAttrType = modAttr.getAttributeType();

      if (modAttrType.equals(aciType)) {
        /*
         * Check that the operation has modify privileges if it contains
         * an "aci" attribute type.
         */
        if (!operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation)) {
          Message message =
              INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(
                  String.valueOf(container.getResourceDN()),
                  String.valueOf(container.getClientDN()));
          logError(message);
          return false;
        }
      }
      // This access check handles the case where all attributes of this
      // type are being replaced or deleted. If only a subset is being
      // deleted than this access check is skipped.
      ModificationType modType = m.getModificationType();
      if (((modType == ModificationType.DELETE) && modAttr.isEmpty())
          || ((modType == ModificationType.REPLACE) || (modType == ModificationType.INCREMENT))) {
        /*
         * Check if we have rights to delete all values of an attribute
         * type in the resource entry.
         */
        if (resourceEntry.hasAttribute(modAttrType)) {
          container.setCurrentAttributeType(modAttrType);
          List<Attribute> attrList = resourceEntry.getAttribute(modAttrType, modAttr.getOptions());
          if (attrList != null) {
            for (Attribute a : attrList) {
              for (AttributeValue v : a) {
                container.setCurrentAttributeValue(v);
                container.setRights(ACI_WRITE_DELETE);
                if (!skipAccessCheck && !accessAllowed(container)) {
                  return false;
                }
              }
            }
          }
        }
      }

      if (!modAttr.isEmpty()) {
        for (AttributeValue v : modAttr) {
          container.setCurrentAttributeType(modAttrType);
          switch (m.getModificationType()) {
            case ADD:
            case REPLACE:
              container.setCurrentAttributeValue(v);
              container.setRights(ACI_WRITE_ADD);
              if (!skipAccessCheck && !accessAllowed(container)) {
                return false;
              }
              break;
            case DELETE:
              container.setCurrentAttributeValue(v);
              container.setRights(ACI_WRITE_DELETE);
              if (!skipAccessCheck && !accessAllowed(container)) {
                return false;
              }
              break;
            case INCREMENT:
              Entry modifiedEntry = operation.getModifiedEntry();
              List<Attribute> modifiedAttrs =
                  modifiedEntry.getAttribute(modAttrType, modAttr.getOptions());
              if (modifiedAttrs != null) {
                for (Attribute attr : modifiedAttrs) {
                  for (AttributeValue val : attr) {
                    container.setCurrentAttributeValue(val);
                    container.setRights(ACI_WRITE_ADD);
                    if (!skipAccessCheck && !accessAllowed(container)) {
                      return false;
                    }
                  }
                }
              }
              break;
          }
          /*
           * Check if the modification type has an "aci" attribute type.
           * If so, check the syntax of that attribute value. Fail the
           * the operation if the syntax check fails.
           */
          if (modAttrType.equals(aciType) || modAttrType.equals(globalAciType)) {
            try {
              // A global ACI needs a NULL DN, not the DN of the
              // modification.
              if (modAttrType.equals(globalAciType)) {
                dn = DN.nullDN();
              }
              Aci.decode(v.getValue(), dn);
            } catch (AciException ex) {
              Message message =
                  WARN_ACI_MODIFY_FAILED_DECODE.get(String.valueOf(dn), ex.getMessage());
              throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, message);
            }
          }
        }
      }
    }
    return true;
  }