mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opendj-server-legacy/src/main/java/org/opends/server/authorization/dseecompat/AciContainer.java
@@ -28,14 +28,18 @@ import org.forgerock.opendj.ldap.ByteString; import org.forgerock.opendj.ldap.DN; import org.forgerock.opendj.ldap.schema.AttributeType; import org.opends.server.api.ClientConnection; import org.opends.server.api.Group; import org.opends.server.controls.GetEffectiveRightsRequestControl; import org.opends.server.core.AddOperation; import org.opends.server.core.SearchOperation; import org.opends.server.protocols.ldap.LDAPClientConnection; import org.forgerock.opendj.ldap.schema.AttributeType; import org.opends.server.types.*; import org.opends.server.types.AuthenticationInfo; import org.opends.server.types.AuthenticationType; import org.opends.server.types.DirectoryException; import org.opends.server.types.Entry; import org.opends.server.types.Operation; /** * The AciContainer class contains all of the needed information to perform @@ -43,29 +47,15 @@ * of testing if an ACI is applicable to an operation, and evaluation is * the actual access evaluation of the ACI. */ public abstract class AciContainer implements AciTargetMatchContext, AciEvalContext { /** * The allow and deny lists. */ abstract class AciContainer implements AciTargetMatchContext, AciEvalContext { /** The allow and deny lists. */ private List<Aci> denyList, allowList; /** * The attribute type in the resource entry currently being evaluated. */ /** The attribute type in the resource entry currently being evaluated. */ private AttributeType attributeType; /** * The attribute type value in the resource entry currently being * evaluated. */ /** The attribute type value in the resource entry currently being evaluated. */ private ByteString attributeValue; /** * True if this is the first attribute type in the resource entry being * evaluated. */ /** True if this is the first attribute type in the resource entry being evaluated. */ private boolean isFirst; /** @@ -74,29 +64,18 @@ */ private boolean isEntryTestRule; /** * The right mask to use in the evaluation of the LDAP operation. */ /** The right mask to use in the evaluation of the LDAP operation. */ private int rightsMask; /** * The entry being evaluated (resource entry). */ private Entry resourceEntry; /** The entry being evaluated (resource entry). */ private final Entry resourceEntry; /** * The client connection information. */ /** The client connection information. */ private final ClientConnection clientConnection; /** * The operation being evaluated. */ /** The operation being evaluated. */ private final Operation operation; /** * True if a targattrfilters match was found. */ /** True if a targattrfilters match was found. */ private boolean targAttrFiltersMatch; /** @@ -107,12 +86,10 @@ * switched back for non-proxy access checking. If proxied authentication * is not being used then this entry never changes. */ private Entry authorizationEntry; private final Entry authorizationEntry; /** * True if proxied authorization is being used. */ private boolean proxiedAuthorization; /** True if proxied authorization is being used. */ private final boolean proxiedAuthorization; /** * Used by proxied authorization processing. True if the entry has already @@ -122,20 +99,12 @@ */ private boolean seenEntry; /** * True if geteffectiverights evaluation is in progress. */ /** True if geteffectiverights evaluation is in progress. */ private boolean isGetEffectiveRightsEval; /** * True if the operation has a geteffectiverights control. */ private boolean hasGetEffectiveRightsControl; /** * The geteffectiverights authzID in DN format. */ private DN authzid; /** True if the operation has a geteffectiverights control. */ private final boolean hasGetEffectiveRightsControl; /** The geteffectiverights authzID in DN format. */ private final DN authzid; /** * True if the authZid should be used as the client DN, only used in @@ -147,7 +116,7 @@ * The list of specific attributes to get rights for, in addition to * any attributes requested in the search. */ private List<AttributeType> specificAttrs; private final List<AttributeType> specificAttrs; /** * Table of ACIs that have targattrfilter keywords that matched. Used @@ -169,10 +138,7 @@ */ private int targAttrMatch; /** * The ACI that decided the last evaluation. Used in geteffectiverights * loginfo processing. */ /** The ACI that decided the last evaluation. Used in geteffectiverights loginfo processing. */ private Aci decidingAci; /** @@ -188,25 +154,16 @@ */ private String summaryString; /** * Flag used to determine if ACI all attributes target matched. */ /** Flag used to determine if ACI all attributes target matched. */ private int evalAllAttributes; /** * String used to hold a control OID string. */ /** String used to hold a control OID string. */ private String controlOID; /** * String used to hold an extended operation OID string. */ /** String used to hold an extended operation OID string. */ private String extOpOID; /** * AuthenticationInfo class to use. */ private AuthenticationInfo authInfo; /** AuthenticationInfo class to use. */ private final AuthenticationInfo authInfo; /** * This constructor is used by all currently supported LDAP operations @@ -248,12 +205,13 @@ && operation instanceof SearchOperation) { hasGetEffectiveRightsControl = true; if (getEffectiveRightsControl.getAuthzDN() == null) { this.authzid = getClientDN(); } else { this.authzid = getEffectiveRightsControl.getAuthzDN(); } DN authzDN = getEffectiveRightsControl.getAuthzDN(); this.authzid = authzDN != null ? authzDN : getClientDN(); this.specificAttrs = getEffectiveRightsControl.getAttributes(); } else { hasGetEffectiveRightsControl = false; authzid = null; specificAttrs = null; } //If an ACI evaluated because of an Targetattr="*", then the @@ -273,6 +231,10 @@ { evalAllAttributes |= ACI_OP_ATTR_PLUS_MATCHED; } } else { hasGetEffectiveRightsControl = false; authzid = null; specificAttrs = null; } //Reference the current authorization entry, so it can be put back @@ -297,7 +259,12 @@ this.authInfo = authInfo; this.authorizationEntry = authInfo.getAuthorizationEntry(); this.rightsMask = rights; proxiedAuthorization = false; hasGetEffectiveRightsControl = false; authzid = null; specificAttrs = null; } /** * Returns true if an entry has already been processed by an access proxy * check. @@ -310,8 +277,7 @@ } /** * Set to true if an entry has already been processed by an access proxy * check. * Set to true if an entry has already been processed by an access proxy check. * * @param val The value to set the seenEntry boolean to. */ @@ -319,13 +285,11 @@ this.seenEntry=val; } /** {@inheritDoc} */ @Override public boolean isProxiedAuthorization() { return this.proxiedAuthorization; } /** {@inheritDoc} */ @Override public boolean isGetEffectiveRightsEval() { return this.isGetEffectiveRightsEval; @@ -371,19 +335,16 @@ return this.specificAttrs; } /** {@inheritDoc} */ @Override public void addTargAttrFiltersMatchAci(Aci aci) { this.targAttrFilterAcis.put(aci, aci); } /** {@inheritDoc} */ @Override public boolean hasTargAttrFiltersMatchAci(Aci aci) { return this.targAttrFilterAcis.containsKey(aci); } /** {@inheritDoc} */ @Override public boolean isTargAttrFilterMatchAciEmpty() { return this.targAttrFilterAcis.isEmpty(); @@ -404,31 +365,26 @@ this.targAttrMatch=0; } /** {@inheritDoc} */ @Override public void setTargAttrFiltersAciName(String name) { this.targAttrFiltersAciName=name; } /** {@inheritDoc} */ @Override public String getTargAttrFiltersAciName() { return this.targAttrFiltersAciName; } /** {@inheritDoc} */ @Override public void setTargAttrFiltersMatchOp(int flag) { this.targAttrMatch |= flag; } /** {@inheritDoc} */ @Override public boolean hasTargAttrFiltersMatchOp(int flag) { return (this.targAttrMatch & flag) != 0; } /** {@inheritDoc} */ @Override public String getDecidingAciName() { if(this.decidingAci != null) { @@ -437,7 +393,6 @@ return null; } /** {@inheritDoc} */ @Override public void setEvaluationResult(EnumEvalReason reason, Aci decidingAci) { @@ -445,19 +400,16 @@ this.decidingAci = decidingAci; } /** {@inheritDoc} */ @Override public EnumEvalReason getEvalReason() { return this.evalReason; } /** {@inheritDoc} */ @Override public void setEvalSummary(String summary) { this.summaryString=summary; } /** {@inheritDoc} */ @Override public String getEvalSummary() { return this.summaryString; @@ -473,104 +425,87 @@ return this.authzid.equals(this.authorizationEntry.getName()); } /** {@inheritDoc} */ @Override public void setDenyList(List<Aci> denys) { denyList=denys; } /** {@inheritDoc} */ @Override public void setAllowList(List<Aci> allows) { allowList=allows; } /** {@inheritDoc} */ @Override public AttributeType getCurrentAttributeType() { return attributeType; } /** {@inheritDoc} */ @Override public ByteString getCurrentAttributeValue() { return attributeValue; } /** {@inheritDoc} */ @Override public void setCurrentAttributeType(AttributeType type) { attributeType=type; } /** {@inheritDoc} */ @Override public void setCurrentAttributeValue(ByteString value) { attributeValue=value; } /** {@inheritDoc} */ @Override public boolean isFirstAttribute() { return isFirst; } /** {@inheritDoc} */ @Override public void setIsFirstAttribute(boolean val) { isFirst=val; } /** {@inheritDoc} */ @Override public boolean hasEntryTestRule() { return isEntryTestRule; } /** {@inheritDoc} */ @Override public void setEntryTestRule(boolean val) { isEntryTestRule=val; } /** {@inheritDoc} */ @Override public Entry getResourceEntry() { return resourceEntry; } /** {@inheritDoc} */ @Override public Entry getClientEntry() { return this.authorizationEntry; } /** {@inheritDoc} */ @Override public List<Aci> getDenyList() { return denyList; } /** {@inheritDoc} */ @Override public List<Aci> getAllowList() { return allowList; } /** {@inheritDoc} */ @Override public boolean isDenyEval() { return EnumEvalReason.NO_ALLOW_ACIS.equals(evalReason) || EnumEvalReason.EVALUATED_DENY_ACI.equals(evalReason); } /** {@inheritDoc} */ @Override public boolean isAnonymousUser() { return !authInfo.isAuthenticated(); } /** {@inheritDoc} */ @Override public DN getClientDN() { if(this.useAuthzid) @@ -584,7 +519,6 @@ return DN.rootDN(); } /** {@inheritDoc} */ @Override public DN getResourceDN() { return resourceEntry.getName(); @@ -602,55 +536,46 @@ return (this.rightsMask & rights) != 0; } /** {@inheritDoc} */ @Override public int getRights() { return this.rightsMask; } /** {@inheritDoc} */ @Override public void setRights(int rights) { this.rightsMask=rights; } /** {@inheritDoc} */ @Override public String getHostName() { return clientConnection.getRemoteAddress().getCanonicalHostName(); } /** {@inheritDoc} */ @Override public InetAddress getRemoteAddress() { return clientConnection.getRemoteAddress(); } /** {@inheritDoc} */ @Override public boolean isAddOperation() { return operation instanceof AddOperation; } /** {@inheritDoc} */ @Override public void setTargAttrFiltersMatch(boolean v) { this.targAttrFiltersMatch=v; } /** {@inheritDoc} */ @Override public boolean getTargAttrFiltersMatch() { return targAttrFiltersMatch; } /** {@inheritDoc} */ @Override public String getControlOID() { return controlOID; } /** {@inheritDoc} */ @Override public String getExtOpOID() { return extOpOID; @@ -665,7 +590,6 @@ this.controlOID=oid; } /** * Set the extended operation OID value to the specified oid string. * @@ -675,7 +599,6 @@ this.extOpOID=oid; } /** {@inheritDoc} */ @Override public EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod, String saslMech) { @@ -724,7 +647,6 @@ return matched; } /** {@inheritDoc} */ @Override public boolean isMemberOf(Group<?> group) { try { @@ -794,7 +716,6 @@ return null; } /** {@inheritDoc} */ @Override public void setEvalUserAttributes(int v) { if(rightsMask == ACI_READ) { @@ -809,7 +730,6 @@ } } /** {@inheritDoc} */ @Override public void setEvalOpAttributes(int v) { if(rightsMask == ACI_READ) { @@ -824,13 +744,11 @@ } } /** {@inheritDoc} */ @Override public boolean hasEvalUserAttributes() { return hasAttribute(ACI_FOUND_USER_ATTR_RULE); } /** {@inheritDoc} */ @Override public boolean hasEvalOpAttributes() { return hasAttribute(ACI_FOUND_OP_ATTR_RULE); @@ -861,7 +779,6 @@ return (evalAllAttributes & aciAttribute) == aciAttribute; } /** {@inheritDoc} */ @Override public void clearEvalAttributes(int v) { if(v == 0) @@ -874,13 +791,11 @@ } } /** {@inheritDoc} */ @Override public int getCurrentSSF() { return clientConnection.getSSF(); } /** {@inheritDoc} */ @Override public String toString() {
