From 74d7af9059994d7c6e1b08316429b8dcb017a70b Mon Sep 17 00:00:00 2001
From: Chris Ridd <chris.ridd@forgerock.com>
Date: Thu, 04 Jun 2015 10:53:55 +0000
Subject: [PATCH] FR-721 OPENDJ-2071 improve aci checks for proxy auth controls

---
 opendj-server-legacy/src/main/java/org/opends/server/extensions/WhoAmIExtendedOperation.java |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/extensions/WhoAmIExtendedOperation.java b/opendj-server-legacy/src/main/java/org/opends/server/extensions/WhoAmIExtendedOperation.java
index ad1ebe8..f6d42b1 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/extensions/WhoAmIExtendedOperation.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/extensions/WhoAmIExtendedOperation.java
@@ -35,12 +35,14 @@
 import org.forgerock.opendj.config.server.ConfigException;
 import org.opends.server.controls.ProxiedAuthV1Control;
 import org.opends.server.controls.ProxiedAuthV2Control;
+import org.opends.server.core.AccessControlConfigManager;
 import org.opends.server.core.ExtendedOperation;
 import org.forgerock.i18n.slf4j.LocalizedLogger;
 import org.opends.server.types.*;
 import org.forgerock.opendj.ldap.ResultCode;
 import org.forgerock.opendj.ldap.ByteString;
 import static org.opends.messages.ExtensionMessages.*;
+import static org.opends.messages.ProtocolMessages.ERR_PROXYAUTH_AUTHZ_NOT_PERMITTED;
 import static org.opends.server.util.ServerConstants.*;
 
 /**
@@ -111,6 +113,15 @@
 
           authorizationEntry = proxyControlV1.getAuthorizationEntry();
         }
+        // Check the requester has the authz user in scope of their proxy aci.
+        if (! AccessControlConfigManager.getInstance().getAccessControlHandler()
+                .mayProxy(clientConnection.getAuthenticationInfo().getAuthenticationEntry(),
+                        authorizationEntry, operation))
+        {
+          final DN dn = authorizationEntry.getName();
+          throw new DirectoryException(ResultCode.AUTHORIZATION_DENIED,
+              ERR_PROXYAUTH_AUTHZ_NOT_PERMITTED.get(dn));
+        }
         operation.setAuthorizationEntry(authorizationEntry);
       }
     }
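Review bot: The denial path at L38 dereferences `authorizationEntry` without a null check; if the preceding V1/V2 control branches (which start outside this hunk) can yield a null entry — e.g. an anonymous authorization identity — a `mayProxy` refusal would surface as a NullPointerException instead of the intended `AUTHORIZATION_DENIED` result, which is the wrong failure mode for an access-control check. Guard it before building the message, e.g. `final DN dn = (authorizationEntry != null) ? authorizationEntry.getName() : DN.rootDN();`, or confirm in a comment that both control paths guarantee a non-null entry at this point. It is also worth a one-line comment stating why the check uses the requester's authentication entry rather than its current authorization entry, since that is what prevents chaining proxy identities. The enclosing method begins and continues outside this hunk.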

--
Gitblit v1.10.0