From 139c40de1bc595ccd4b8ca952da9e2a37bc8a18e Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 05 Nov 2008 13:22:43 +0000
Subject: [PATCH] These fixes add confidentiality/integrity to the SASL GSSAPI and DIGEST-MD5 mechanisms. The issue links:

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   36 ++++++++++++++++++++++++++++++++----
 1 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index f2f197c..d505d25 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -28,8 +28,6 @@
 package org.opends.server.authorization.dseecompat;
 import org.opends.messages.Message;
 
-
-
 import static org.opends.server.authorization.dseecompat.Aci.*;
 import static org.opends.server.config.ConfigConstants.ATTR_AUTHZ_GLOBAL_ACI;
 import static org.opends.server.loggers.ErrorLogger.logError;
@@ -39,12 +37,11 @@
 import static org.opends.server.schema.SchemaConstants.SYNTAX_DN_OID;
 import static org.opends.server.util.ServerConstants.*;
 import static org.opends.server.util.StaticUtils.toLowerCase;
-
 import java.util.*;
 import java.util.concurrent.locks.Lock;
-
 import org.opends.server.admin.std.server.DseeCompatAccessControlHandlerCfg;
 import org.opends.server.api.AccessControlHandler;
+import org.opends.server.api.ClientConnection;
 import org.opends.server.config.ConfigException;
 import org.opends.server.core.*;
 import org.opends.server.loggers.debug.DebugTracer;
@@ -535,6 +532,17 @@
     }
 
     /**
+     * Check to see if the specified entry has the specified privilege.
+     *
+     * @param e The entry to check privileges on.
+     * @return  {@code true} if the entry has the
+     *          specified privilege, or {@code false} if not.
+     */
+    private boolean skipAccessCheck(Entry e) {
+        return ClientConnection.hasPrivilege(e, Privilege.BYPASS_ACL);
+    }
+
+    /**
      * Check access using the specified container. This container will have all
      * of the information to gather applicable ACIs and perform evaluation on
      * them.
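Review bot: The Javadoc added for `skipAccessCheck(Entry)` speaks of "the specified privilege", but the method takes no privilege argument and always tests `Privilege.BYPASS_ACL`. Because a `true` result means ACI evaluation is skipped for that entry, the comment should name the privilege. I would reword the summary to `Check whether the specified entry holds the bypass-acl privilege, in which case access control evaluation is skipped for it.` and the return tag to `@return {@code true} if the entry has the BYPASS_ACL privilege, or {@code false} if not.` It would also help to state that the check is made against the entry's own privileges rather than those of the connection that issued the operation, since that is what the call to `ClientConnection.hasPrivilege(e, ...)` appears to do.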
@@ -1242,6 +1250,26 @@
    * {@inheritDoc}
    */
   @Override
+  public boolean
+  mayProxy(Entry proxyUser, Entry proxiedUser, Operation op) {
+      boolean ret;
+      if(!(ret=skipAccessCheck(proxyUser))) {
+          AuthenticationInfo authInfo =
+              new AuthenticationInfo(proxyUser,
+                     DirectoryServer.isRootDN(proxyUser.getDN()));
+          AciLDAPOperationContainer operationContainer =
+              new AciLDAPOperationContainer(op, proxiedUser,
+                                            authInfo, ACI_PROXY);
+          ret=accessAllowedEntry(operationContainer);
+      }
+      return ret;
+  }
+
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
   public boolean isAllowed(LocalBackendBindOperation bindOperation) {
       //Not planned to be implemented.
       return true;
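Review bot: In `mayProxy`, a proxy user whose entry holds `BYPASS_ACL` is allowed to act as any `proxiedUser` without the `ACI_PROXY` evaluation ever running, and the method does not say so because its Javadoc is only `{@inheritDoc}`. Going by the commit subject this presumably decides SASL authorization identities, so I would add a comment such as `// bypass-acl holders skip the proxy ACI check; any proxied-auth privilege check must be done by the caller`. It is also worth confirming that callers enforce that separately, which this hunk does not show. The assignment inside the condition, `if(!(ret=skipAccessCheck(proxyUser)))`, also obscures the decision. An early `if (skipAccessCheck(proxyUser)) { return true; }` followed by `return accessAllowedEntry(operationContainer);` reads more plainly and removes `ret`.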

--
Gitblit v1.10.0