From 745d3ccec1c5673231f872a7bc8d9ff6fa655279 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 25 Jul 2007 23:12:49 +0000
Subject: [PATCH] Add new ACI keyword "extop" that can be used to enforce access based on the OID of an extended operation. For example, a new global access extended operation rule is also being added:

---
 opends/src/server/org/opends/server/authorization/dseecompat/Aci.java |   64 ++++++++++++++++++++++++++-----
 1 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
index d1ace9d..4af0b45 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -282,6 +282,16 @@
     public static final int TARGATTRFILTERS_DELETE = 0x2000;
 
     /**
+     * Used by the control evaluation access check.
+     */
+    public static final int ACI_CONTROL = 0x4000;
+
+    /**
+     *  Used by the extended operation access check.
+     */
+    public static final int ACI_EXT_OP = 0x8000;
+
+    /**
      * ACI_ATTR_STAR_MATCHED is the flag set when the evaluation reason of a
      * AciHandler.maysend ACI_READ access evaluation was the result of an
      * ACI targetattr all attributes expression (targetattr="*") target match.
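Review bot: The Javadoc on the two new constants says only which check uses them, not that they are bits of the match-context rights mask (isApplicable later in this patch tests them with `matchCtx.hasRights(ACI_EXT_OP)` and `matchCtx.hasRights(ACI_CONTROL)`), so a reader can mistake them for rights an ACI grants. Suggested for the first: `/** Rights-mask bit set on the match context when a control is being evaluated; see isApplicable. */`, with the equivalent wording for `ACI_EXT_OP`. The second comment also has an extra leading space (` *  Used by`) unlike its neighbour.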
@@ -400,15 +410,40 @@
 
     /**
      * Test if the given ACI is applicable using the target match information
-     * provided. The ACI target can have four keywords at this time:
+     * provided. The ACI target can have seven keywords at this time:
+     *
+     * These two base decision on the resource entry DN:
      *
      *       1. target - checked in isTargetApplicable.
      *       2. targetscope - checked in isTargetApplicable.
+     *
+     * These three base decision on resource entry attributes:
+     *
      *       3. targetfilter - checked in isTargetFilterApplicable.
      *       4. targetattr - checked in isTargetAttrApplicable.
+     *       5. targattrfilters -  checked in isTargAttrFiltersApplicable.
      *
-     * One and two are checked for match first. If they return true, then
-     * three is checked. Lastly four is checked.
+     * These two base decisions on a resource entry built by the ACI handler
+     * that only contains a DN:
+     *       6. targetcontrol - check in isTargetControlApplicable.
+     *       7. extop - check in isExtOpApplicable.
+     *
+     * Six and seven are specific to the check being done: targetcontrol when a
+     * control is being evaluated and extop when an extended operation is
+     * evaluated.  None of the attribute based keywords should be checked
+     * when a control or extended op is being evaluated, because one
+     * of those attribute keywords rule might incorrectly make an ACI
+     * applicable that shouldn't be. This can happen by erroneously basing
+     * their decision on the ACI handler generated stub resource entry. For
+     * example, a "(targetattr != userpassword)" rule would match the generated
+     * stub resource entry, even though a control or extended op might be
+     * denied.
+     *
+     * What is allowed is the target and targetscope keywords, since the DN is
+     * known, so they are checked along with the correct method for the access
+     * check (isTargetControlApplicable for control and
+     * isTExtOpApplicable for extended operations). See comments in code
+     * where these checks are done.
      *
      * @param aci The ACI to test.
      * @param matchCtx The target matching context containing all the info
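Review bot: The new Javadoc refers to `isTExtOpApplicable` near the end of the hunk while the code calls `AciTargets.isExtOpApplicable`; the name should match so readers can find the method. The phrases `These two base decision on the resource entry DN:` and `These three base decision on resource entry attributes:` read better as `These two base their decision on the resource entry DN:` and `These three base their decision on resource entry attributes:`, and items 6 and 7 say `check in` where the others say `checked in`. The Javadoc block continues past the end of the hunk.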
@@ -417,20 +452,27 @@
      */
     public static boolean
     isApplicable(Aci aci, AciTargetMatchContext matchCtx) {
-        int ctxRights=matchCtx.getRights();
-       //First check if the ACI and context have similar rights.
+      if(matchCtx.hasRights(ACI_EXT_OP)) {
+        //Extended operation is being evaluated.
+         return AciTargets.isTargetApplicable(aci, matchCtx) &&
+                 AciTargets.isExtOpApplicable(aci, matchCtx);
+      } else if(matchCtx.hasRights(ACI_CONTROL)) {
+        //Control is being evaluated.
+         return AciTargets.isTargetApplicable(aci, matchCtx) &&
+                AciTargets.isTargetControlApplicable(aci, matchCtx);
+      } else {
+        int ctxRights = matchCtx.getRights();
+        //First check if the ACI and context have similar rights.
         if(!aci.hasRights(ctxRights)) {
-           //TODO This check might be able to be removed further testing
-           //     is needed.
-           if(!(aci.hasRights(ACI_SEARCH| ACI_READ) &&
-                 matchCtx.hasRights(ACI_SEARCH | ACI_READ)))
-              return false;
+          if(!(aci.hasRights(ACI_SEARCH| ACI_READ) &&
+                  matchCtx.hasRights(ACI_SEARCH | ACI_READ)))
+            return false;
         }
         return AciTargets.isTargetApplicable(aci, matchCtx) &&
-                AciTargets.isTargetControlApplicable(aci, matchCtx) &&
                 AciTargets.isTargetFilterApplicable(aci, matchCtx) &&
                 AciTargets.isTargAttrFiltersApplicable(aci, matchCtx) &&
                 AciTargets.isTargetAttrApplicable(aci, matchCtx);
+      }
     }
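Review bot: The two new arms at the top of isApplicable return from the target tests alone and never compare `aci.hasRights(...)` against the context, which the retained general branch still does; if the ACI's allow/deny permissions are applied later in evaluation that is fine, but nothing here says so, and a marker such as `// NOTE: no rights comparison for ext-op/control contexts - confirm the ACI's permissions are enforced during evaluation` would pin the intent for the next reader. Dropping `isTargetControlApplicable` from the general branch (the removed line) also means an ACI carrying a targetcontrol keyword can now be applicable to ordinary entry operations whenever its other targets match; if that is intended it deserves a line in the method Javadoc. Indentation in the new arms is uneven (six spaces for the `if`/`else if`, seven and nine for the two `return` statements) while the retained body stays at eight.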
 
     /**

--
Gitblit v1.10.0