external-software/github_OpenIdentityPlatform_OpenDJ.git

parent: 7c1607d6 | patch | commit | ignore whitespace

*.java: Switched the use of collections concrete classes to interfaces.

Jean-Noel Rouvignac

12.27.2013 d6b0cd5244b2b60ee9b222fa2d75e8b661e6262c

*.java:
Switched the use of collections concrete classes to interfaces.

AciHandler.java:
Switched use of collections concrete classes to interfaces.
Used the AutoRefactor plugin on the code to simplify the code.

4 files modified

	opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java	17 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/authorization/dseecompat/AciEvalContext.java	7 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java	134 ●●●●● patch \| view \| raw \| blame \| history
	opends/src/server/org/opends/server/authorization/dseecompat/AciTargetMatchContext.java	7 ●●●●● patch \| view \| raw \| blame \| history

 opends/src/server/org/opends/server/authorization/dseecompat/AciContainer.java

@@ -34,7 +34,6 @@
import java.net.InetAddress;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;

import org.opends.server.api.ClientConnection;
@@ -57,7 +56,7 @@
    /**
     * The allow and deny lists.
     */
    private LinkedList<Aci> denyList, allowList;
    private List<Aci> denyList, allowList;

    /**
     * The attribute type in the resource entry currently being evaluated.
@@ -338,7 +337,7 @@
    }

  /**
   * Set to true if an entry has already been processsed by an access proxy
   * Set to true if an entry has already been processed by an access proxy
   * check.
   *
   * @param val The value to set the seenEntry boolean to.
@@ -394,7 +393,7 @@

  /**
   * Return the list of additional attributes specified in the
   * geteffectiveritghts control.
   * geteffectiverights control.
   *
   * @return The list of attributes to return rights information about in the
   * entry.
@@ -526,7 +525,7 @@

  /**
   * Returns true if the geteffectiverights control's authZid DN is equal to the
   * authoritzation entry's DN.
   * authorization entry's DN.
   *
   * @return True if the authZid is equal to the authorization entry's DN.
   */
@@ -553,7 +552,7 @@
    * {@inheritDoc}
    */
    @Override
    public void setDenyList(LinkedList<Aci> denys) {
    public void setDenyList(List<Aci> denys) {
        denyList=denys;
    }

@@ -561,7 +560,7 @@
    * {@inheritDoc}
    */
    @Override
    public void setAllowList(LinkedList<Aci> allows) {
    public void setAllowList(List<Aci> allows) {
        allowList=allows;
    }

@@ -649,7 +648,7 @@
    * {@inheritDoc}
    */
    @Override
    public LinkedList<Aci> getDenyList() {
    public List<Aci> getDenyList() {
        return denyList;
    }

@@ -657,7 +656,7 @@
    * {@inheritDoc}
    */
    @Override
    public LinkedList<Aci> getAllowList() {
    public List<Aci> getAllowList() {
       return allowList;
    }


 opends/src/server/org/opends/server/authorization/dseecompat/AciEvalContext.java

@@ -25,7 +25,6 @@
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 *      Portions Copyright 2011 ForgeRock AS
 */

package org.opends.server.authorization.dseecompat;

import org.opends.server.types.DN;
@@ -34,7 +33,7 @@
import org.opends.server.api.Group;

import java.net.InetAddress;
import java.util.LinkedList;
import java.util.List;

/**
 * Interface that provides a view of the AciContainer that is
@@ -66,13 +65,13 @@
     * Get the list of deny ACIs.
     * @return The deny ACI list.
     */
    public LinkedList<Aci> getDenyList();
    public List<Aci> getDenyList();

    /**
     * Get the list allow ACIs.
     * @return The allow ACI list.
     */
    public LinkedList<Aci> getAllowList();
    public List<Aci> getAllowList();

    /**
     * Set when the deny list is being evaluated.

 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java

@@ -98,7 +98,7 @@
   */
  private static AttributeType debugSearchIndex;

  /*
  /**
   * DN corresponding to "debugsearchindex" attribute type.
   */
  private static DN debugSearchIndexDN;
@@ -121,8 +121,10 @@



  // We initialize these for each new AciHandler so that we can clear
  // out the stale references that can occur during an in-core restart.
  /**
   * We initialize these for each new AciHandler so that we can clear out the
   * stale references that can occur during an in-core restart.
   */
  private static void initStatics()
  {
    if ((aciType = DirectoryServer.getAttributeType("aci")) == null)
@@ -262,8 +264,8 @@
  public boolean isAllowed(DN entryDN, Operation op, Control control)
      throws DirectoryException
  {
    boolean ret;
    if (!(ret = skipAccessCheck(op)))
    boolean ret = skipAccessCheck(op);
    if (!ret)
    {
      Entry e = new Entry(entryDN, null, null, null);
      AciLDAPOperationContainer operationContainer =
@@ -271,15 +273,15 @@
              (ACI_READ | ACI_CONTROL));
      ret = accessAllowed(operationContainer);
    }
    if (control.getOID().equals(OID_PROXIED_AUTH_V2)
        || control.getOID().equals(OID_PROXIED_AUTH_V1))
    if (OID_PROXIED_AUTH_V2.equals(control.getOID())
        || OID_PROXIED_AUTH_V1.equals(control.getOID()))
    {
      if (ret)
      {
        op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
      }
    }
    else if (control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS))
    else if (OID_GET_EFFECTIVE_RIGHTS.equals(control.getOID()))
    {
      if (ret)
      {
@@ -308,8 +310,8 @@
  @Override
  public boolean isAllowed(ExtendedOperation operation)
  {
    boolean ret;
    if (!(ret = skipAccessCheck(operation)))
    boolean ret = skipAccessCheck(operation);
    if (!ret)
    {
      Entry e =
          new Entry(operation.getAuthorizationDN(), null, null, null);
@@ -435,7 +437,7 @@
    if (!skipAccessCheck(operation))
    {
      // If this is a modifyDN move to a new superior, then check if the
      // superior DN has import accesss.
      // superior DN has import access.
      if ((newSuperiorDN = operation.getNewSuperior()) != null)
      {
        try
@@ -455,7 +457,7 @@

      // If this is a modifyDN move to a new superior, then check if the
      // original entry DN has export access.
      if (ret && (newSuperiorDN != null))
      if (ret && newSuperiorDN != null)
      {
        AciLDAPOperationContainer operationContainer =
            new AciLDAPOperationContainer(operation, ACI_EXPORT,
@@ -530,8 +532,8 @@
  public boolean mayProxy(Entry proxyUser, Entry proxiedUser,
      Operation op)
  {
    boolean ret;
    if (!(ret = skipAccessCheck(proxyUser)))
    boolean ret = skipAccessCheck(proxyUser);
    if (!ret)
    {
      AuthenticationInfo authInfo =
          new AuthenticationInfo(proxyUser, DirectoryServer
@@ -553,8 +555,8 @@
  public boolean maySend(DN dn, Operation operation,
      SearchResultReference reference)
  {
    boolean ret;
    if (!(ret = skipAccessCheck(operation)))
    boolean ret = skipAccessCheck(operation);
    if (!ret)
    {
      Entry e = new Entry(dn, null, null, null);
      AttributeBuilder builder =
@@ -656,9 +658,9 @@
    // Check if the ACI_SELF right needs to be set (selfwrite right).
    // Only done if the right is ACI_WRITE, an attribute value is set
    // and that attribute value is a DN.
    if ((container.getCurrentAttributeValue() != null)
        && (container.hasRights(ACI_WRITE))
        && (isAttributeDN(container.getCurrentAttributeType())))
    if (container.getCurrentAttributeValue() != null
        && container.hasRights(ACI_WRITE)
        && isAttributeDN(container.getCurrentAttributeType()))
    {
      String DNString = null;
      try
@@ -692,11 +694,9 @@
          && !container.hasRights(ACI_SKIP_PROXY_CHECK))
      {
        int currentRights = container.getRights();
        // Save the current rights so they can be put back if on
        // success.
        // Save the current rights so they can be put back if on success.
        container.setRights(ACI_PROXY);
        // Switch to the original authorization entry, not the proxied
        // one.
        // Switch to the original authorization entry, not the proxied one.
        container.useOrigAuthorizationEntry(true);
        if (!accessAllowed(container))
        {
@@ -713,18 +713,14 @@
      container.setSeenEntry(true);
    }

    /*
     * First get all allowed candidate ACIs.
     */
    LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
    // First get all allowed candidate ACIs.
    List<Aci> candidates = aciList.getCandidateAcis(dn);
    /*
     * Create an applicable list of ACIs by target matching each
     * candidate ACI against the container's target match view.
     */
    createApplicableList(candidates, container);
    /*
     * Evaluate the applicable list.
     */
    // Evaluate the applicable list.
    boolean ret = testApplicableLists(container);
    // Build summary string if doing geteffectiverights eval.
    if (container.isGetEffectiveRightsEval())
@@ -871,22 +867,19 @@
      Attribute modAttr = m.getAttribute();
      AttributeType modAttrType = modAttr.getAttributeType();

      if (modAttrType.equals(aciType))
      if (modAttrType.equals(aciType)
          /*
           * Check that the operation has modify privileges if it contains
           * an "aci" attribute type.
           */
          && !operation.getClientConnection().hasPrivilege(
              Privilege.MODIFY_ACL, operation))
      {
        /*
         * Check that the operation has modify privileges if it contains
         * an "aci" attribute type.
         */
        if (!operation.getClientConnection().hasPrivilege(
            Privilege.MODIFY_ACL, operation))
        {
          Message message =
              INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(String
                  .valueOf(container.getResourceDN()), String
                  .valueOf(container.getClientDN()));
          logError(message);
          return false;
        }
        Message message =
            INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(String.valueOf(container
                .getResourceDN()), String.valueOf(container.getClientDN()));
        logError(message);
        return false;
      }
      // This access check handles the case where all attributes of this
      // type are being replaced or deleted. If only a subset is being
@@ -1111,21 +1104,18 @@
   */
  private boolean checkRDN(int right, RDN rdn, AciContainer container)
  {
    boolean ret = false;
    int numAVAs = rdn.getNumValues();
    container.setRights(right);
    final int numAVAs = rdn.getNumValues();
    for (int i = 0; i < numAVAs; i++)
    {
      AttributeType type = rdn.getAttributeType(i);
      AttributeValue value = rdn.getAttributeValue(i);
      container.setCurrentAttributeType(type);
      container.setCurrentAttributeValue(value);
      if (!(ret = accessAllowed(container)))
      container.setCurrentAttributeType(rdn.getAttributeType(i));
      container.setCurrentAttributeValue(rdn.getAttributeValue(i));
      if (!accessAllowed(container))
      {
        break;
        return false;
      }
    }
    return ret;
    return true;
  }


@@ -1139,11 +1129,11 @@
   * @param targetMatchCtx
   *          Target matching context to use for testing each ACI.
   */
  private void createApplicableList(LinkedList<Aci> candidates,
  private void createApplicableList(List<Aci> candidates,
      AciTargetMatchContext targetMatchCtx)
  {
    LinkedList<Aci> denys = new LinkedList<Aci>();
    LinkedList<Aci> allows = new LinkedList<Aci>();
    List<Aci> denys = new LinkedList<Aci>();
    List<Aci> allows = new LinkedList<Aci>();
    for (Aci aci : candidates)
    {
      if (Aci.isApplicable(aci, targetMatchCtx))
@@ -1232,7 +1222,7 @@
   */
  private boolean isAttributeDN(AttributeType attribute)
  {
    return (attribute.getSyntaxOID().equals(SYNTAX_DN_OID));
    return SYNTAX_DN_OID.equals(attribute.getSyntaxOID());
  }


@@ -1399,14 +1389,11 @@
   */
  private boolean testApplicableLists(AciEvalContext evalCtx)
  {
    EnumEvalResult res;
    evalCtx.setEvalReason(EnumEvalReason.NO_REASON);
    LinkedList<Aci> denys = evalCtx.getDenyList();
    LinkedList<Aci> allows = evalCtx.getAllowList();
    // If allows list is empty and not doing geteffectiverights return
    // false.
    evalCtx.setDenyEval(true);
    if (allows.isEmpty()
    if (evalCtx.getAllowList().isEmpty()
        && !(evalCtx.isGetEffectiveRightsEval()
            && !evalCtx.hasRights(ACI_SELF) && evalCtx
            .isTargAttrFilterMatchAciEmpty()))
@@ -1415,9 +1402,10 @@
      evalCtx.setDecidingAci(null);
      return false;
    }
    for (Aci denyAci : denys)

    for (Aci denyAci : evalCtx.getDenyList())
    {
      res = Aci.evaluate(evalCtx, denyAci);
      final EnumEvalResult res = Aci.evaluate(evalCtx, denyAci);
      // Failure could be returned if a system limit is hit or
      // search fails
      if (res.equals(EnumEvalResult.FAIL))
@@ -1452,9 +1440,9 @@
    }
    // Now check the allows -- flip the deny flag to false first.
    evalCtx.setDenyEval(false);
    for (Aci allowAci : allows)
    for (Aci allowAci : evalCtx.getAllowList())
    {
      res = Aci.evaluate(evalCtx, allowAci);
      final EnumEvalResult res = Aci.evaluate(evalCtx, allowAci);
      if (res.equals(EnumEvalResult.TRUE))
      {
        if (evalCtx.isGetEffectiveRightsEval()
@@ -1463,8 +1451,7 @@
        {
          // Iterate to next only if deny ACI contains a targattrfilters
          // keyword.
          if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci,
              false))
          if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false))
          {
            continue;
          }
@@ -1504,7 +1491,6 @@
  private boolean testFilter(AciLDAPOperationContainer container,
      SearchFilter filter) throws DirectoryException
  {
    boolean ret = true;
    // If the resource entry has a dn equal to "cn=debugsearch" and it
    // contains the special attribute type "debugsearchindex", then the
    // resource entry is a pseudo entry created for debug purposes.
@@ -1531,17 +1517,16 @@
    case NOT:
    {
      SearchFilter f = filter.getNotComponent();
      ret = testFilter(container, f);
      break;
      return testFilter(container, f);
    }
    default:
    {
      AttributeType attrType = filter.getAttributeType();
      container.setCurrentAttributeType(attrType);
      ret = accessAllowed(container);
      return accessAllowed(container);
    }
    }
    return ret;
    return true;
  }


@@ -1590,8 +1575,7 @@
        {
          try
          {
            DN dn = entry.getDN();
            Aci.decode(value.getValue(), dn);
            Aci.decode(value.getValue(), entry.getDN());
          }
          catch (AciException ex)
          {

 opends/src/server/org/opends/server/authorization/dseecompat/AciTargetMatchContext.java

@@ -24,13 +24,12 @@
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 */

package org.opends.server.authorization.dseecompat;

import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.Entry;
import java.util.LinkedList;
import java.util.List;

/**
 * The AciTargetMatchContext interface provides a
@@ -46,13 +45,13 @@
     * Set the deny ACI list.
     * @param denyList The deny ACI list.
     */
    public void setDenyList(LinkedList<Aci> denyList);
    public void setDenyList(List<Aci> denyList);

    /**
     * Set the allow ACI list.
     * @param allowList The list of allow ACIs.
     */
    public void setAllowList(LinkedList<Aci> allowList);
    public void setAllowList(List<Aci> allowList);

    /**
     * Get the entry being evaluated. This is known as the

			@@ -34,7 +34,6 @@
			import java.net.InetAddress;
			import java.security.cert.Certificate;
			import java.util.HashMap;
			import java.util.LinkedList;
			import java.util.List;

			import org.opends.server.api.ClientConnection;
			@@ -57,7 +56,7 @@
			/**
			* The allow and deny lists.
			*/
			private LinkedList<Aci> denyList, allowList;
			private List<Aci> denyList, allowList;

			/**
			* The attribute type in the resource entry currently being evaluated.
			@@ -338,7 +337,7 @@
			}

			/**
			* Set to true if an entry has already been processsed by an access proxy
			* Set to true if an entry has already been processed by an access proxy
			* check.
			*
			* @param val The value to set the seenEntry boolean to.
			@@ -394,7 +393,7 @@

			/**
			* Return the list of additional attributes specified in the
			* geteffectiveritghts control.
			* geteffectiverights control.
			*
			* @return The list of attributes to return rights information about in the
			* entry.
			@@ -526,7 +525,7 @@

			/**
			* Returns true if the geteffectiverights control's authZid DN is equal to the
			* authoritzation entry's DN.
			* authorization entry's DN.
			*
			* @return True if the authZid is equal to the authorization entry's DN.
			*/
			@@ -553,7 +552,7 @@
			* {@inheritDoc}
			*/
			@Override
			public void setDenyList(LinkedList<Aci> denys) {
			public void setDenyList(List<Aci> denys) {
			denyList=denys;
			}

			@@ -561,7 +560,7 @@
			* {@inheritDoc}
			*/
			@Override
			public void setAllowList(LinkedList<Aci> allows) {
			public void setAllowList(List<Aci> allows) {
			allowList=allows;
			}

			@@ -649,7 +648,7 @@
			* {@inheritDoc}
			*/
			@Override
			public LinkedList<Aci> getDenyList() {
			public List<Aci> getDenyList() {
			return denyList;
			}

			@@ -657,7 +656,7 @@
			* {@inheritDoc}
			*/
			@Override
			public LinkedList<Aci> getAllowList() {
			public List<Aci> getAllowList() {
			return allowList;
			}

			@@ -25,7 +25,6 @@
			* Copyright 2008-2010 Sun Microsystems, Inc.
			* Portions Copyright 2011 ForgeRock AS
			*/

			package org.opends.server.authorization.dseecompat;

			import org.opends.server.types.DN;
			@@ -34,7 +33,7 @@
			import org.opends.server.api.Group;

			import java.net.InetAddress;
			import java.util.LinkedList;
			import java.util.List;

			/**
			* Interface that provides a view of the AciContainer that is
			@@ -66,13 +65,13 @@
			* Get the list of deny ACIs.
			* @return The deny ACI list.
			*/
			public LinkedList<Aci> getDenyList();
			public List<Aci> getDenyList();

			/**
			* Get the list allow ACIs.
			* @return The allow ACI list.
			*/
			public LinkedList<Aci> getAllowList();
			public List<Aci> getAllowList();

			/**
			* Set when the deny list is being evaluated.

			@@ -98,7 +98,7 @@
			*/
			private static AttributeType debugSearchIndex;

			/*
			/**
			* DN corresponding to "debugsearchindex" attribute type.
			*/
			private static DN debugSearchIndexDN;
			@@ -121,8 +121,10 @@



			// We initialize these for each new AciHandler so that we can clear
			// out the stale references that can occur during an in-core restart.
			/**
			* We initialize these for each new AciHandler so that we can clear out the
			* stale references that can occur during an in-core restart.
			*/
			private static void initStatics()
			{
			if ((aciType = DirectoryServer.getAttributeType("aci")) == null)
			@@ -262,8 +264,8 @@
			public boolean isAllowed(DN entryDN, Operation op, Control control)
			throws DirectoryException
			{
			boolean ret;
			if (!(ret = skipAccessCheck(op)))
			boolean ret = skipAccessCheck(op);
			if (!ret)
			{
			Entry e = new Entry(entryDN, null, null, null);
			AciLDAPOperationContainer operationContainer =
			@@ -271,15 +273,15 @@
			(ACI_READ \| ACI_CONTROL));
			ret = accessAllowed(operationContainer);
			}
			if (control.getOID().equals(OID_PROXIED_AUTH_V2)
			\|\| control.getOID().equals(OID_PROXIED_AUTH_V1))
			if (OID_PROXIED_AUTH_V2.equals(control.getOID())
			\|\| OID_PROXIED_AUTH_V1.equals(control.getOID()))
			{
			if (ret)
			{
			op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
			}
			}
			else if (control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS))
			else if (OID_GET_EFFECTIVE_RIGHTS.equals(control.getOID()))
			{
			if (ret)
			{
			@@ -308,8 +310,8 @@
			@Override
			public boolean isAllowed(ExtendedOperation operation)
			{
			boolean ret;
			if (!(ret = skipAccessCheck(operation)))
			boolean ret = skipAccessCheck(operation);
			if (!ret)
			{
			Entry e =
			new Entry(operation.getAuthorizationDN(), null, null, null);
			@@ -435,7 +437,7 @@
			if (!skipAccessCheck(operation))
			{
			// If this is a modifyDN move to a new superior, then check if the
			// superior DN has import accesss.
			// superior DN has import access.
			if ((newSuperiorDN = operation.getNewSuperior()) != null)
			{
			try
			@@ -455,7 +457,7 @@

			// If this is a modifyDN move to a new superior, then check if the
			// original entry DN has export access.
			if (ret && (newSuperiorDN != null))
			if (ret && newSuperiorDN != null)
			{
			AciLDAPOperationContainer operationContainer =
			new AciLDAPOperationContainer(operation, ACI_EXPORT,
			@@ -530,8 +532,8 @@
			public boolean mayProxy(Entry proxyUser, Entry proxiedUser,
			Operation op)
			{
			boolean ret;
			if (!(ret = skipAccessCheck(proxyUser)))
			boolean ret = skipAccessCheck(proxyUser);
			if (!ret)
			{
			AuthenticationInfo authInfo =
			new AuthenticationInfo(proxyUser, DirectoryServer
			@@ -553,8 +555,8 @@
			public boolean maySend(DN dn, Operation operation,
			SearchResultReference reference)
			{
			boolean ret;
			if (!(ret = skipAccessCheck(operation)))
			boolean ret = skipAccessCheck(operation);
			if (!ret)
			{
			Entry e = new Entry(dn, null, null, null);
			AttributeBuilder builder =
			@@ -656,9 +658,9 @@
			// Check if the ACI_SELF right needs to be set (selfwrite right).
			// Only done if the right is ACI_WRITE, an attribute value is set
			// and that attribute value is a DN.
			if ((container.getCurrentAttributeValue() != null)
			&& (container.hasRights(ACI_WRITE))
			&& (isAttributeDN(container.getCurrentAttributeType())))
			if (container.getCurrentAttributeValue() != null
			&& container.hasRights(ACI_WRITE)
			&& isAttributeDN(container.getCurrentAttributeType()))
			{
			String DNString = null;
			try
			@@ -692,11 +694,9 @@
			&& !container.hasRights(ACI_SKIP_PROXY_CHECK))
			{
			int currentRights = container.getRights();
			// Save the current rights so they can be put back if on
			// success.
			// Save the current rights so they can be put back if on success.
			container.setRights(ACI_PROXY);
			// Switch to the original authorization entry, not the proxied
			// one.
			// Switch to the original authorization entry, not the proxied one.
			container.useOrigAuthorizationEntry(true);
			if (!accessAllowed(container))
			{
			@@ -713,18 +713,14 @@
			container.setSeenEntry(true);
			}

			/*
			* First get all allowed candidate ACIs.
			*/
			LinkedList<Aci> candidates = aciList.getCandidateAcis(dn);
			// First get all allowed candidate ACIs.
			List<Aci> candidates = aciList.getCandidateAcis(dn);
			/*
			* Create an applicable list of ACIs by target matching each
			* candidate ACI against the container's target match view.
			*/
			createApplicableList(candidates, container);
			/*
			* Evaluate the applicable list.
			*/
			// Evaluate the applicable list.
			boolean ret = testApplicableLists(container);
			// Build summary string if doing geteffectiverights eval.
			if (container.isGetEffectiveRightsEval())
			@@ -871,22 +867,19 @@
			Attribute modAttr = m.getAttribute();
			AttributeType modAttrType = modAttr.getAttributeType();

			if (modAttrType.equals(aciType))
			if (modAttrType.equals(aciType)
			/*
			* Check that the operation has modify privileges if it contains
			* an "aci" attribute type.
			*/
			&& !operation.getClientConnection().hasPrivilege(
			Privilege.MODIFY_ACL, operation))
			{
			/*
			* Check that the operation has modify privileges if it contains
			* an "aci" attribute type.
			*/
			if (!operation.getClientConnection().hasPrivilege(
			Privilege.MODIFY_ACL, operation))
			{
			Message message =
			INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(String
			.valueOf(container.getResourceDN()), String
			.valueOf(container.getClientDN()));
			logError(message);
			return false;
			}
			Message message =
			INFO_ACI_MODIFY_FAILED_PRIVILEGE.get(String.valueOf(container
			.getResourceDN()), String.valueOf(container.getClientDN()));
			logError(message);
			return false;
			}
			// This access check handles the case where all attributes of this
			// type are being replaced or deleted. If only a subset is being
			@@ -1111,21 +1104,18 @@
			*/
			private boolean checkRDN(int right, RDN rdn, AciContainer container)
			{
			boolean ret = false;
			int numAVAs = rdn.getNumValues();
			container.setRights(right);
			final int numAVAs = rdn.getNumValues();
			for (int i = 0; i < numAVAs; i++)
			{
			AttributeType type = rdn.getAttributeType(i);
			AttributeValue value = rdn.getAttributeValue(i);
			container.setCurrentAttributeType(type);
			container.setCurrentAttributeValue(value);
			if (!(ret = accessAllowed(container)))
			container.setCurrentAttributeType(rdn.getAttributeType(i));
			container.setCurrentAttributeValue(rdn.getAttributeValue(i));
			if (!accessAllowed(container))
			{
			break;
			return false;
			}
			}
			return ret;
			return true;
			}


			@@ -1139,11 +1129,11 @@
			* @param targetMatchCtx
			* Target matching context to use for testing each ACI.
			*/
			private void createApplicableList(LinkedList<Aci> candidates,
			private void createApplicableList(List<Aci> candidates,
			AciTargetMatchContext targetMatchCtx)
			{
			LinkedList<Aci> denys = new LinkedList<Aci>();
			LinkedList<Aci> allows = new LinkedList<Aci>();
			List<Aci> denys = new LinkedList<Aci>();
			List<Aci> allows = new LinkedList<Aci>();
			for (Aci aci : candidates)
			{
			if (Aci.isApplicable(aci, targetMatchCtx))
			@@ -1232,7 +1222,7 @@
			*/
			private boolean isAttributeDN(AttributeType attribute)
			{
			return (attribute.getSyntaxOID().equals(SYNTAX_DN_OID));
			return SYNTAX_DN_OID.equals(attribute.getSyntaxOID());
			}


			@@ -1399,14 +1389,11 @@
			*/
			private boolean testApplicableLists(AciEvalContext evalCtx)
			{
			EnumEvalResult res;
			evalCtx.setEvalReason(EnumEvalReason.NO_REASON);
			LinkedList<Aci> denys = evalCtx.getDenyList();
			LinkedList<Aci> allows = evalCtx.getAllowList();
			// If allows list is empty and not doing geteffectiverights return
			// false.
			evalCtx.setDenyEval(true);
			if (allows.isEmpty()
			if (evalCtx.getAllowList().isEmpty()
			&& !(evalCtx.isGetEffectiveRightsEval()
			&& !evalCtx.hasRights(ACI_SELF) && evalCtx
			.isTargAttrFilterMatchAciEmpty()))
			@@ -1415,9 +1402,10 @@
			evalCtx.setDecidingAci(null);
			return false;
			}
			for (Aci denyAci : denys)

			for (Aci denyAci : evalCtx.getDenyList())
			{
			res = Aci.evaluate(evalCtx, denyAci);
			final EnumEvalResult res = Aci.evaluate(evalCtx, denyAci);
			// Failure could be returned if a system limit is hit or
			// search fails
			if (res.equals(EnumEvalResult.FAIL))
			@@ -1452,9 +1440,9 @@
			}
			// Now check the allows -- flip the deny flag to false first.
			evalCtx.setDenyEval(false);
			for (Aci allowAci : allows)
			for (Aci allowAci : evalCtx.getAllowList())
			{
			res = Aci.evaluate(evalCtx, allowAci);
			final EnumEvalResult res = Aci.evaluate(evalCtx, allowAci);
			if (res.equals(EnumEvalResult.TRUE))
			{
			if (evalCtx.isGetEffectiveRightsEval()
			@@ -1463,8 +1451,7 @@
			{
			// Iterate to next only if deny ACI contains a targattrfilters
			// keyword.
			if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci,
			false))
			if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false))
			{
			continue;
			}
			@@ -1504,7 +1491,6 @@
			private boolean testFilter(AciLDAPOperationContainer container,
			SearchFilter filter) throws DirectoryException
			{
			boolean ret = true;
			// If the resource entry has a dn equal to "cn=debugsearch" and it
			// contains the special attribute type "debugsearchindex", then the
			// resource entry is a pseudo entry created for debug purposes.
			@@ -1531,17 +1517,16 @@
			case NOT:
			{
			SearchFilter f = filter.getNotComponent();
			ret = testFilter(container, f);
			break;
			return testFilter(container, f);
			}
			default:
			{
			AttributeType attrType = filter.getAttributeType();
			container.setCurrentAttributeType(attrType);
			ret = accessAllowed(container);
			return accessAllowed(container);
			}
			}
			return ret;
			return true;
			}


			@@ -1590,8 +1575,7 @@
			{
			try
			{
			DN dn = entry.getDN();
			Aci.decode(value.getValue(), dn);
			Aci.decode(value.getValue(), entry.getDN());
			}
			catch (AciException ex)
			{

			@@ -24,13 +24,12 @@
			*
			* Copyright 2008 Sun Microsystems, Inc.
			*/

			package org.opends.server.authorization.dseecompat;

			import org.opends.server.types.AttributeType;
			import org.opends.server.types.AttributeValue;
			import org.opends.server.types.Entry;
			import java.util.LinkedList;
			import java.util.List;

			/**
			* The AciTargetMatchContext interface provides a
			@@ -46,13 +45,13 @@
			* Set the deny ACI list.
			* @param denyList The deny ACI list.
			*/
			public void setDenyList(LinkedList<Aci> denyList);
			public void setDenyList(List<Aci> denyList);

			/**
			* Set the allow ACI list.
			* @param allowList The list of allow ACIs.
			*/
			public void setAllowList(LinkedList<Aci> allowList);
			public void setAllowList(List<Aci> allowList);

			/**
			* Get the entry being evaluated. This is known as the