 /**
  * {@inheritDoc}
  *
  * <p>Access-control check for a request control. ACI evaluation is skipped entirely when the
  * client holds the BYPASS_ACL privilege (see {@code skipAccessCheck}); otherwise the control is
  * evaluated for ACI_READ and ACI_CONTROL rights against {@code entryDN}. Once access is granted,
  * two controls get extra bookkeeping on the operation: the proxied-authorization controls (v1 and
  * v2) stash the current authorization entry under ORIG_AUTH_ENTRY, and the get-effective-rights
  * control is decoded (when it is still a raw LDAPControl) and attached under its own OID.
  */
 @Override
 public boolean isAllowed(DN entryDN, Operation op, Control control) throws DirectoryException {
   boolean allowed = skipAccessCheck(op);
   if (!allowed) {
     // Evaluate the ACIs that apply to the target entry for this control.
     Entry target = new Entry(entryDN, null, null, null);
     AciLDAPOperationContainer container =
         new AciLDAPOperationContainer(op, target, control, (ACI_READ | ACI_CONTROL));
     allowed = accessAllowed(container);
   }

   String oid = control.getOID();
   boolean proxiedAuth = oid.equals(OID_PROXIED_AUTH_V2) || oid.equals(OID_PROXIED_AUTH_V1);
   if (allowed && proxiedAuth) {
     // Record the authorization entry as it was before the proxied-auth control is applied
     // (presumably so the pre-proxy identity can be recovered later; not visible here).
     op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
   } else if (allowed && oid.equals(OID_GET_EFFECTIVE_RIGHTS)) {
     // A control that arrived undecoded is decoded now; otherwise it is already the typed control.
     GetEffectiveRightsRequestControl effectiveRights =
         control instanceof LDAPControl
             ? GetEffectiveRightsRequestControl.DECODER.decode(
                 control.isCritical(), ((LDAPControl) control).getValue())
             : (GetEffectiveRightsRequestControl) control;
     op.setAttachment(OID_GET_EFFECTIVE_RIGHTS, effectiveRights);
   }
   return allowed;
 }
 /**
  * Checks the "aci" values of an entry that is about to be added.
  *
  * <p>An entry without an "aci" operational attribute passes trivially. Otherwise the client must
  * hold the MODIFY_ACL privilege (the failure is logged and the add is refused if not), and every
  * "aci" value must decode cleanly; the first value that fails to decode aborts the add with
  * INVALID_ATTRIBUTE_SYNTAX.
  *
  * @param entry The entry to be examined.
  * @param operation The operation whose client connection is checked for the privilege.
  * @param clientDN The authorization DN; only used in the privilege-failure message.
  * @return {@code true} when the entry carries no "aci" attribute or when all of its values
  *     decode; {@code false} when the MODIFY_ACL privilege is missing.
  * @throws DirectoryException If any "aci" value cannot be decoded.
  */
 private boolean verifySyntax(Entry entry, Operation operation, DN clientDN)
     throws DirectoryException {
   if (!entry.hasOperationalAttribute(aciType)) {
     return true;
   }
   DN entryDN = entry.getDN();

   // Adding an entry that carries "aci" values is itself an ACL change, so it needs MODIFY_ACL.
   boolean mayModifyAcl =
       operation.getClientConnection().hasPrivilege(Privilege.MODIFY_ACL, operation);
   if (!mayModifyAcl) {
     logError(
         INFO_ACI_ADD_FAILED_PRIVILEGE.get(String.valueOf(entryDN), String.valueOf(clientDN)));
     return false;
   }

   // Every value must decode; a single malformed value rejects the whole add.
   for (Attribute attribute : entry.getOperationalAttribute(aciType, null)) {
     for (AttributeValue value : attribute) {
       try {
         Aci.decode(value.getValue(), entryDN);
       } catch (AciException ex) {
         Message failure =
             WARN_ACI_ADD_FAILED_DECODE.get(String.valueOf(entryDN), ex.getMessage());
         throw new DirectoryException(ResultCode.INVALID_ATTRIBUTE_SYNTAX, failure);
       }
     }
   }
   return true;
 }
  /**
   * {@inheritDoc}
   *
   * <p>Decides whether a search result entry may be returned to the client. Clients with
   * BYPASS_ACL (see {@code skipAccessCheck}) always pass. Otherwise the entry is first tested
   * against the search filter under ACI_SEARCH rights, then for ACI_READ on the entry itself; a
   * DirectoryException raised while testing the filter is treated as a denial (fail closed). On
   * success, the ALL_USER_ATTRS_MATCHED / ALL_OP_ATTRS_MATCHED attachments record that no
   * user / operational attributes needed evaluation (presumably consulted by later
   * per-attribute filtering; not visible here).
   */
  @Override
  public boolean maySend(Operation operation, SearchResultEntry entry) {
    if (skipAccessCheck(operation)) {
      return true;
    }

    AciLDAPOperationContainer container =
        new AciLDAPOperationContainer(operation, (ACI_SEARCH), entry);

    // Only a genuine search carries a filter; pre/post-read controls reach this method from
    // other operation types and skip the filter step.
    if (operation instanceof SearchOperation) {
      SearchOperation search = (SearchOperation) operation;
      boolean filterMatched;
      try {
        filterMatched = testFilter(container, search.getFilter());
      } catch (DirectoryException ex) {
        // Fail closed: an error while evaluating the filter never leaks the entry.
        filterMatched = false;
      }
      if (!filterMatched) {
        return false;
      }
    }

    // Reuse the same container for the entry-level read check.
    container.clearEvalAttributes(ACI_NULL);
    container.setRights(ACI_READ);

    boolean allowed = accessAllowedEntry(container);
    if (allowed) {
      if (!container.hasEvalUserAttributes()) {
        operation.setAttachment(ALL_USER_ATTRS_MATCHED, ALL_USER_ATTRS_MATCHED);
      }
      if (!container.hasEvalOpAttributes()) {
        operation.setAttachment(ALL_OP_ATTRS_MATCHED, ALL_OP_ATTRS_MATCHED);
      }
    }
    return allowed;
  }
 /**
  * Reports whether ACI evaluation can be bypassed for this operation.
  *
  * <p>True only when the client connection behind {@code operation} holds the BYPASS_ACL
  * privilege; {@code isAllowed} and {@code maySend} consult this before evaluating any ACI.
  *
  * @param operation The operation whose client connection is examined.
  * @return {@code true} if the client has BYPASS_ACL and access checking may be skipped.
  */
 private boolean skipAccessCheck(Operation operation) {
   final boolean bypassAcl =
       operation.getClientConnection().hasPrivilege(Privilege.BYPASS_ACL, operation);
   return bypassAcl;
 }