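 /**
  * Checks whether access to the entry is allowed.
  *
  * <p>Access is evaluated one attribute type at a time, starting with the "objectclass" attribute
  * type. As soon as one attribute type grants access, the entry is considered accessible, subject
  * to one extra check: if an entry test ACI (a rule with no "targetattrs" keyword) was matched
  * during that successful evaluation, access is re-evaluated with a {@code null} current attribute
  * type so that the rule is applied to the entry as a whole rather than to a single attribute type.
  * That second evaluation only revokes access when it failed on a deny permission-bind rule; failing
  * merely for lack of an explicit allow rule still results in implicit access to the entry.
  *
  * @param container ACI search container holding everything needed to check access; its
  *     "first attribute" flag and current attribute type are updated as a side effect.
  * @return {@code true} if access to the entry is allowed, {@code false} otherwise (including when
  *     no attribute type of the entry grants access).
  */
 boolean accessAllowedEntry(AciLDAPOperationContainer container) {
   // Flag that the next evaluation concerns the first attribute of the entry.
   container.setIsFirstAttribute(true);
   for (AttributeType attrType : getAllAttrs(container.getResourceEntry())) {
     container.setCurrentAttributeType(attrType);
     if (!accessAllowed(container)) {
       continue;
     }
     if (container.hasEntryTestRule()) {
       // An entry test rule (no targetattrs) was matched while evaluating this attribute type;
       // apply it to the entry itself by clearing the current attribute type.
       container.setCurrentAttributeType(null);
       if (!accessAllowed(container) && container.isDenyEval()) {
         // Denied by a deny permission-bind rule: this is terminal, no later attribute type may
         // override it.
         return false;
       }
       // Failing only for lack of an explicit allow rule still grants implicit access.
     }
     return true;
   }
   // No attribute type granted access (also the result for an entry with no attribute types).
   return false;
 }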