From 14c5f3996a46c1281cb133de439f25492c97530a Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 07 Mar 2007 14:56:34 +0000
Subject: [PATCH] These changes are mostly related to restructuring the regular expression patterns to make them more readable by defining constants. 

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |  153 +++++++++++++++------------------------------------
 1 files changed, 45 insertions(+), 108 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 2ccd972..6341904 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -29,20 +29,11 @@
 
 import org.opends.server.api.AccessControlHandler;
 import static org.opends.server.authorization.dseecompat.AciMessages.*;
+import static org.opends.server.authorization.dseecompat.Aci.*;
 import org.opends.server.core.*;
 import static org.opends.server.loggers.Error.logError;
 import static org.opends.server.messages.MessageHandler.getMessage;
-import org.opends.server.types.Attribute;
-import org.opends.server.types.AttributeType;
-import org.opends.server.types.AttributeValue;
-import org.opends.server.types.DN;
-import org.opends.server.types.Entry;
-import org.opends.server.types.ErrorLogCategory;
-import org.opends.server.types.ErrorLogSeverity;
-import org.opends.server.types.Modification;
-import org.opends.server.types.Privilege;
-import org.opends.server.types.SearchResultEntry;
-import org.opends.server.types.SearchResultReference;
+import org.opends.server.types.*;
 import static org.opends.server.util.StaticUtils.toLowerCase;
 import java.util.LinkedList;
 import java.util.List;
@@ -54,87 +45,6 @@
  */
 public class AciHandler extends AccessControlHandler
 {
-
-
-    /**
-     * ACI_ADD is used to set the container rights for a LDAP add operation.
-     */
-    public static final int ACI_ADD = 0x0001;
-
-    /**
-     * ACI_DELETE is used to set the container rights for a LDAP
-     * delete operation.
-     */
-    public static final int ACI_DELETE = 0x0002;
-
-    /**
-     * ACI_READ is used to set the container rights for a LDAP
-     * search operation.
-     */
-    public static final int ACI_READ = 0x0004;
-
-    /**
-     * ACI_WRITE is used to set the container rights for a LDAP
-     * modify operation.
-     */
-    public static final int ACI_WRITE = 0x0008;
-
-    /**
-     * ACI_COMPARE is used to set the container rights for a LDAP
-     * compare operation.
-     */
-    public static final int ACI_COMPARE = 0x0010;
-
-    /**
-     * ACI_SEARCH is used to set the container rights a LDAP search operation.
-     */
-    public static final int ACI_SEARCH = 0x0020;
-
-    /**
-     * ACI_SELF is used for the SELFWRITE right. Currently not implemented.
-     */
-    public static final int ACI_SELF = 0x0040;
-
-    /**
-     * ACI_ALL is used to as a mask for all of the above. These
-     * six below are not masked by the ACI_ALL.
-     */
-    public static final int ACI_ALL = 0x007F;
-
-    /**
-     * ACI_PROXY is used for the PROXY right. Currently not implemented.
-     */
-    public static final int ACI_PROXY = 0x0080;
-
-    /**
-     * ACI_IMPORT is used to set the container rights for a LDAP
-     * modify dn operation. Currently not implemented.
-     */
-    public static final int ACI_IMPORT = 0x0100;
-
-    /**
-     * ACI_EXPORT is used to set the container rights for a LDAP
-     * modify dn operation. Currently not implemented.
-     */
-    public static final int ACI_EXPORT = 0x0200;
-
-    /**
-     * ACI_WRITE_ADD and ACI_WRITE_DELETE are used by the LDAP modify
-     * operation. They currently don't have much value; but will be needed
-     * once the targetattrfilters target and modify dn are implemented.
-     */
-    public static final int ACI_WRITE_ADD = 0x800;
-    /**
-     * See above.
-     */
-    public static final int ACI_WRITE_DELETE = 0x400;
-
-    /**
-     * ACI_NULL is used to set the container rights to all zeros. Used
-     * by LDAP modify.
-     */
-    public static final int ACI_NULL = 0x0000;
-
     /*
      * The list that holds that ACIs keyed by the DN of the entry
       * holding the ACI.
@@ -511,6 +421,39 @@
     }
 
     /**
+     * Test the attribute types of the search filter for access. This method
+     * supports the search right.
+     *
+     * @param container  The container used in the access evaluation.
+     * @param filter The filter to check access on.
+     * @return  True if all attribute types in the filter have access.
+     */
+    private boolean
+    testFilter(AciLDAPOperationContainer container, SearchFilter filter) {
+        boolean ret=true;
+        switch (filter.getFilterType()) {
+            case AND:
+            case OR: {
+                for (SearchFilter f : filter.getFilterComponents())
+                    if(!testFilter(container, f))
+                        return false ;
+                break;
+            }
+            case NOT:  {
+                SearchFilter f = filter.getNotComponent();
+                ret=!testFilter(container, f);
+                break;
+            }
+            default: {
+                AttributeType attrType=filter.getAttributeType();
+                container.setCurrentAttributeType(attrType);
+                ret=accessAllowed(container);
+            }
+        }
+        return ret;
+    }
+
+    /**
      * Evaluate an entry to be added to see if it has any "aci"
      * attribute type. If it does, examines each "aci" attribute type
      * value for syntax errors. All of the "aci" attribute type values
@@ -657,19 +600,6 @@
                           skipAccessCheck(operation));
   }
 
-
-  /*
-   * TODO Add access testing of the filter against the entry. This was
-   * brought up in the first code review.
-   *
-   *  The static block that creates the arrays of EnumRight objects needs to
-   *  be documented to explain what they are.  Also, I still disagree with
-   *  the  interpretation that the READ right is all that is necessary to
-   *  perform either search or compare operations.  That definitely goes
-   *  against the documentation, which states that READ applies only to
-   *  the search operation, and that users must have both SEARCH and READ
-   *  in order to access the results.
-   */
   /**
    * Checks access on a search operation.
    * @param operation The search operation class containing information to
@@ -681,9 +611,16 @@
   maySend(SearchOperation operation, SearchResultEntry entry) {
       AciLDAPOperationContainer operationContainer =
               new AciLDAPOperationContainer(operation,
-                                           (ACI_READ | ACI_SEARCH), entry);
-      return skipAccessCheck(operation) ||
-              accessAllowedEntry(operationContainer);
+                      (ACI_SEARCH), entry);
+      boolean ret;
+      if(!(ret=skipAccessCheck(operation))) {
+          ret=testFilter(operationContainer, operation.getFilter());
+          if (ret) {
+              operationContainer.setRights(ACI_READ);
+              ret=accessAllowedEntry(operationContainer);
+          }
+      }
+      return ret;
   }
 
   /*

--
Gitblit v1.10.0