mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -228,7 +228,7 @@ /** * ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check. */ public static final int ACI_SKIP_PROXY_CHECK = 0x4000; public static final int ACI_SKIP_PROXY_CHECK = 0x400000; /** * TARGATTRFILTER_ADD is used to specify that a opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
@@ -284,7 +284,7 @@ if(evalCtx.isDenyEval() && (p.hasAccessType(EnumAccessType.ALLOW))) continue; if(!p.hasRights(evalCtx.getRights())) if(!p.hasRights(getEvalRights(evalCtx))) continue; res=p.getBindRule().evaluate(evalCtx); // The evaluation result could be FAIL. Stop processing and return @@ -318,4 +318,39 @@ public String getName() { return this.name; } /** * Mainly used because geteffectiverights adds flags to the rights that aren't * needed in the actual evaluation of the ACI. This routine returns only the * rights needed in the evaluation. The order does matter, ACI_SELF evaluation * needs to be before ACI_WRITE. * * @param evalCtx The evaluation context to determine the rights of. * @return The evaluation rights to used in the evaluation. */ private int getEvalRights(AciEvalContext evalCtx) { if(evalCtx.hasRights(ACI_WRITE) && evalCtx.hasRights(ACI_SELF)) return ACI_SELF; else if(evalCtx.hasRights(ACI_COMPARE)) return ACI_COMPARE; else if(evalCtx.hasRights(ACI_SEARCH)) return ACI_SEARCH; else if(evalCtx.hasRights(ACI_READ)) return ACI_READ; else if(evalCtx.hasRights(ACI_DELETE)) return ACI_DELETE; else if(evalCtx.hasRights(ACI_ADD)) return ACI_ADD; else if(evalCtx.hasRights(ACI_WRITE)) return ACI_WRITE; else if(evalCtx.hasRights(ACI_PROXY)) return ACI_PROXY; else if(evalCtx.hasRights(ACI_IMPORT)) return ACI_IMPORT; else if(evalCtx.hasRights(ACI_EXPORT)) return ACI_EXPORT; return ACI_NULL; } } opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
@@ -105,6 +105,12 @@ //related to the "aclRightsInfo" attribute can be performed. private static AttributeType aclRightsInfo = null; //Attribute type used in the geteffectiverights selfwrite evaluation. private static AttributeType dnAttributeType=null; //The distinguishedName string. private static final String dnAttrStr = "distinguishedname"; //String used to fill in the summary status field when access was allowed. private static String ALLOWED="access allowed"; @@ -192,10 +198,12 @@ int attrMask=ACI_NULL; if(aclRights == null) aclRights = DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase()); DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase()); if(aclRightsInfo == null) aclRightsInfo = DirectoryServer.getAttributeType(aclRightsInfoAttrStr.toLowerCase()); if(dnAttributeType == null) dnAttributeType = DirectoryServer.getAttributeType(dnAttrStr); //Check if the attributes aclRights and aclRightsInfo were requested and //add attributes less those two attributes to a new list of attribute types. for(String a : searchAttributes) { @@ -227,13 +235,13 @@ //return the specific attribute rights if they exist. if(nonRightsAttrs.isEmpty()) { e=addAttributeLevelRights(container,handler,attrMask,e, container.getSpecificAttributes(), skipCheck); container.getSpecificAttributes(), skipCheck, true); e=addEntryLevelRights(container,handler,attrMask,e, skipCheck); } else { e=addAttributeLevelRights(container,handler,attrMask,e, nonRightsAttrs,skipCheck); nonRightsAttrs, skipCheck, false); e=addAttributeLevelRights(container,handler,attrMask,e, container.getSpecificAttributes(), skipCheck); container.getSpecificAttributes(), skipCheck, true); e=addEntryLevelRights(container,handler,attrMask,e,skipCheck); } return e; @@ -267,6 +275,8 @@ * @param attrList The list of attribute types to iterate over. * @param skipCheck True if ACI evaluation was skipped because bypass-acl * privilege was found. * @param specificAttr True if this evaluation is result of specific * attributes sent in the request. * @return A SearchResultEntry with geteffectiverights attribute level * information added to it. */ @@ -275,7 +285,8 @@ AciHandler handler, int mask, SearchResultEntry retEntry, List<AttributeType> attrList, boolean skipCheck) { boolean skipCheck, boolean specificAttr) { //The attribute list might be null. if(attrList == null) @@ -311,6 +322,8 @@ ByteString clientDNStr= new ASN1OctetString(container.getClientDN().toString()); AttributeValue val1=new AttributeValue(a, clientDNStr); if(!specificAttr) container.setCurrentAttributeType(dnAttributeType); container.setCurrentAttributeValue(val1); container.setRights(ACI_WRITE_ADD | ACI_SKIP_PROXY_CHECK); evalInfo.append(rightsString(container, handler, skipCheck, @@ -322,6 +335,7 @@ "selfwrite_delete")); addAttrLevelRightsInfo(container, mask, a, retEntry, "selfwrite_delete"); evalInfo.append(','); container.setCurrentAttributeType(a); container.setCurrentAttributeValue(null); container.setRights(ACI_PROXY | ACI_SKIP_PROXY_CHECK); evalInfo.append(rightsString(container, handler, skipCheck, "proxy")); opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
@@ -452,7 +452,9 @@ * skiprights rights mask. */ public static boolean skipRightsHasRights(int rights) { return ((skipRights & rights) == rights); //geteffectiverights sets this flag, turn it off before evaluating. int tmpRights=rights & ~ACI_SKIP_PROXY_CHECK; return ((skipRights & tmpRights) == tmpRights); }
@@ -67,7 +67,7 @@ //Results for attributeLevel searches private static final String srwMailAttrRights = "search:1,read:1,compare:0,write:1," + "selfwrite_add:1,selfwrite_delete:1,proxy:0"; "selfwrite_add:0,selfwrite_delete:0,proxy:0"; private static final String srDescrptionAttrRights = "search:1,read:1,compare:0,write:0," +
