From 5c703f3851c86aacbcbcfd5cb216d84da4a204c3 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 17 May 2007 11:33:06 +0000
Subject: [PATCH] ACI fixes and unit tests for issues related to targetattr keyword and returning operational attributes.
---
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 50 ++++++++++++++++++++++++++++++++------------------
1 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index fc4d426..7521308 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -85,6 +85,13 @@
public static String ALL_ATTRS_RESOURCE_ENTRY = "allAttrsResourceEntry";
/**
+ * String used to indicate that the evaluating ACI had a all attributes
+ * targetattr match (targetattr="*").
+ */
+ public static String ALL_ATTRS_MATCHED = "allAttrsMatched";
+
+
+ /**
* This constructor instantiates the ACI handler class that performs the
* main processing for the dseecompat ACI package. It does the following
* initializations:
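Review bot: `ALL_ATTRS_MATCHED` is declared `public static String` without `final`, so any class can reassign the key that the access-control code uses to mark a targetattr="*" match. Declare it as `public static final String ALL_ATTRS_MATCHED = "allAttrsMatched";`. The context line for `ALL_ATTRS_RESOURCE_ENTRY` has the same form and could be tightened in the same pass. In the new Javadoc, "had a all attributes targetattr match" should read "had an all-attributes targetattr match".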
@@ -556,16 +563,16 @@
return ret;
}
- /**
- * Check if the specified attribute type is a DN by checking if its syntax
- * OID is equal to the DN syntax OID.
- * @param attribute The attribute type to check.
- * @return True if the attribute type syntax OID is equal to a DN syntax OID.
- */
- private boolean isAttributeDN(AttributeType attribute) {
- return (attribute.getSyntaxOID().equals(SYNTAX_DN_OID));
- }
-
+ /**
+ * Check if the specified attribute type is a DN by checking if its syntax
+ * OID is equal to the DN syntax OID.
+ * @param attribute The attribute type to check.
+ * @return True if the attribute type syntax OID is equal to a DN syntax
+ * OID.
+ */
+ private boolean isAttributeDN(AttributeType attribute) {
+ return (attribute.getSyntaxOID().equals(SYNTAX_DN_OID));
+ }
/**
* Performs an access check against all of the attributes of an entry.
@@ -579,15 +586,17 @@
*/
private SearchResultEntry
accessAllowedAttrs(AciLDAPOperationContainer container) {
- Entry e=container.getResourceEntry();
- List<AttributeType> typeList=getAllAttrs(e);
- for(AttributeType attrType : typeList) {
- container.setCurrentAttributeType(attrType);
- if(!accessAllowed(container)) {
- e.removeAttribute(attrType);
- }
+ Entry e=container.getResourceEntry();
+ List<AttributeType> typeList=getAllAttrs(e);
+ for(AttributeType attrType : typeList) {
+ if(!container.hasACIEvalAttributes() && !attrType.isOperational())
+ continue;
+ container.setCurrentAttributeType(attrType);
+ if(!accessAllowed(container)) {
+ e.removeAttribute(attrType);
}
- return container.getSearchResultEntry();
+ }
+ return container.getSearchResultEntry();
}
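Review bot: The added `continue` in accessAllowedAttrs skips `accessAllowed(container)` for every non-operational attribute whenever `container.hasACIEvalAttributes()` is false, so user attributes on that path are returned without a per-attribute check. That is safe only if a false value can arise solely from an allowing targetattr="*" match made during the preceding entry-level evaluation. hasACIEvalAttributes() is defined outside this diff, so the invariant cannot be confirmed here; it is worth pinning with tests that cover a deny ACI and an entry with no applicable ACI. I would state the invariant in a comment above the check and brace the statement: `if (!container.hasACIEvalAttributes() && !attrType.isOperational()) { continue; }`. The method's Javadoc begins outside the hunk.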
/**
@@ -600,6 +609,8 @@
*/
private List<AttributeType> getAllAttrs(Entry e) {
Map<AttributeType,List<Attribute>> attrMap = e.getUserAttributes();
+ Map<AttributeType,List<Attribute>> opAttrMap =
+ e.getOperationalAttributes();
List<AttributeType> typeList=new LinkedList<AttributeType>();
Attribute attr=e.getObjectClassAttribute();
/*
@@ -611,6 +622,7 @@
typeList.add(ocType);
}
typeList.addAll(attrMap.keySet());
+ typeList.addAll(opAttrMap.keySet());
return typeList;
}
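Review bot: getAllAttrs now returns operational attribute types in addition to the objectclass and user attribute types (this hunk and the one before it), but no visible comment records that change. The method's Javadoc lies outside both hunks; if it still describes only user attributes, update it, for example `@return The objectclass, user and operational attribute types of the entry.` A one-line comment at `typeList.addAll(opAttrMap.keySet());` would also help, saying that operational attributes are included so that they pass through ACI evaluation before being returned.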
@@ -877,6 +889,8 @@
if (ret) {
operationContainer.setRights(ACI_READ);
ret=accessAllowedEntry(operationContainer);
+ if(ret && !operationContainer.hasACIEvalAttributes())
+ operation.setAttachment(ALL_ATTRS_MATCHED, ALL_ATTRS_MATCHED);
}
}
if(ret && operation.getAttachment(OID_GET_EFFECTIVE_RIGHTS) != null)
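Review bot: The new `operation.setAttachment(ALL_ATTRS_MATCHED, ALL_ATTRS_MATCHED)` is only ever set in this hunk and never cleared, yet the flag is stored on the operation while the decision it records is made per entry. If one search operation passes through this code for several entries, which seems likely but is not visible here, a targetattr="*" match on an earlier entry would leave the marker in place for later entries where `hasACIEvalAttributes()` is true. Whatever reads the attachment could then treat those entries as fully matched. Add an `else` branch that removes the attachment when the condition does not hold, or clear it at the point where it is consumed, and add a comment naming the reader of this key. The enclosing method starts and ends outside the hunk.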
--
Gitblit v1.10.0