From 5b48640c910cc20ca84f1811854f9e77934bad3e Mon Sep 17 00:00:00 2001
From: coulbeck <coulbeck@localhost>
Date: Thu, 08 Mar 2007 23:08:37 +0000
Subject: [PATCH] Fix for issue #1317: Wrong Error Code For Improperly Formatted ACIs.
---
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 148 ++++++++++++++-----------------------------------
1 files changed, 43 insertions(+), 105 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index 6341904..3ed8d65 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -57,7 +57,7 @@
public static AttributeType aciType;
/**
- * Constructor that registers the message catalog, creates the ACI list
+ * Constructor that creates the ACI list
* class that manages the ACI list. Instantiates and registers the change
* notification listener that is used to manage the ACI list on
* modifications and the backend initialization listener that is used to
@@ -65,7 +65,6 @@
* are initialized/finalized.
*/
public AciHandler() {
- AciMessages.registerMessages();
aciList = new AciList();
AciListenerManager aciListenerMgr =
new AciListenerManager(aciList);
@@ -88,11 +87,30 @@
ModifyOperation operation,
boolean skipAccessCheck) {
Entry resourceEntry=container.getResourceEntry();
- DN dn=resourceEntry.getDN();
List<Modification> modifications=container.getModifications();
for(Modification m : modifications) {
Attribute modAttr=m.getAttribute();
AttributeType modType=modAttr.getAttributeType();
+
+ if(modType.equals(aciType)) {
+ /*
+ * Check that the operation has modify privileges if
+ * it contains an "aci" attribute type.
+ */
+ if (!operation.getClientConnection().
+ hasPrivilege(Privilege.MODIFY_ACL, operation)) {
+ int msgID = MSGID_ACI_MODIFY_FAILED_PRIVILEGE;
+ String message =
+ getMessage(msgID,
+ String.valueOf(container.getResourceDN()),
+ String.valueOf(container.getClientDN()));
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.SEVERE_WARNING,
+ message, msgID);
+ return false;
+ }
+ }
+
switch(m.getModificationType()) {
case DELETE:
case REPLACE:
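Review bot: The MODIFY_ACL check added at the top of the loop is reached without consulting `skipAccessCheck`, and its comment does not say whether that is deliberate. If the privilege is meant to hold even when ACI evaluation is skipped, the comment should say so, e.g. `/* modify-acl is required for any change to "aci", including DELETE and REPLACE, and is enforced even when skipAccessCheck is true. */`. With the old `checkPrivileges` flag gone, `hasPrivilege` is also called once per "aci" modification instead of once per operation, which looks harmless but could be hoisted above the loop if the call is costly. The method starts and ends outside this hunk.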
@@ -157,46 +175,6 @@
}
break;
}
- /*
- Check if the modification type has an "aci" attribute type.
- If so, check the syntax of that attribute value. Fail the
- the operation if the syntax check fails.
- */
- if(modType.equals(aciType)) {
- try {
- /*
- * Check that the operation has modify privileges if
- * it contains an "aci" attribute type. Flip the
- * boolean to false so this check isn't made again
- * if there are several ACI values being added.
- */
- if(checkPrivileges) {
- if (!operation.getClientConnection().
- hasPrivilege(Privilege.MODIFY_ACL, operation)) {
- int msgID =
- MSGID_ACI_MODIFY_FAILED_PRIVILEGE;
- String message = getMessage(msgID,
- String.valueOf(container.getResourceDN()),
- String.valueOf(container.getClientDN()));
- logError(ErrorLogCategory.ACCESS_CONTROL,
- ErrorLogSeverity.SEVERE_WARNING,
- message, msgID);
- return false;
- }
- checkPrivileges=false;
- }
- Aci.decode(v.getValue(),dn);
- } catch (AciException ex) {
- int msgID = MSGID_ACI_MODIFY_FAILED_DECODE;
- String message = getMessage(msgID,
- String.valueOf(dn),
- ex.getMessage());
- logError(ErrorLogCategory.ACCESS_CONTROL,
- ErrorLogSeverity.SEVERE_WARNING,
- message, msgID);
- return false;
- }
- }
}
}
}
@@ -454,63 +432,6 @@
}
/**
- * Evaluate an entry to be added to see if it has any "aci"
- * attribute type. If it does, examines each "aci" attribute type
- * value for syntax errors. All of the "aci" attribute type values
- * must pass syntax check for the add operation to proceed. Any
- * entry with an "aci" attribute type must have "modify-acl"
- * privileges.
- *
- * @param entry The entry to be examined.
- * @param operation The operation to to check privileges on.
- * @param clientDN The authorization DN.
- * @return True if the entry has no ACI attributes or if all of the "aci"
- * attributes values pass ACI syntax checking.
- */
- private boolean
- verifySyntax(Entry entry, Operation operation, DN clientDN) {
- if(entry.hasOperationalAttribute(aciType)) {
- /*
- * Check that the operation has "modify-acl" privileges since the
- * entry to be added has an "aci" attribute type.
- */
- if (!operation.getClientConnection().
- hasPrivilege(Privilege.MODIFY_ACL, operation)) {
- int msgID = MSGID_ACI_ADD_FAILED_PRIVILEGE;
- String message = getMessage(msgID,
- String.valueOf(entry.getDN()),
- String.valueOf(clientDN));
- logError(ErrorLogCategory.ACCESS_CONTROL,
- ErrorLogSeverity.SEVERE_WARNING,
- message, msgID);
- return false;
- }
- List<Attribute> attributeList =
- entry.getOperationalAttribute(aciType, null);
- for (Attribute attribute : attributeList)
- {
- for (AttributeValue value : attribute.getValues())
- {
- try {
- DN dn=entry.getDN();
- Aci.decode(value.getValue(),dn);
- } catch (AciException ex) {
- int msgID = MSGID_ACI_ADD_FAILED_DECODE;
- String message = getMessage(msgID,
- String.valueOf(entry.getDN()),
- ex.getMessage());
- logError(ErrorLogCategory.ACCESS_CONTROL,
- ErrorLogSeverity.SEVERE_WARNING,
- message, msgID);
- return false;
- }
- }
- }
- }
- return true;
- }
-
- /**
* Check access using the accessAllowed method. The
* LDAP add, compare, modify and delete operations use this function.
* The other supported LDAP operations have more specialized checks.
@@ -534,11 +455,28 @@
AciLDAPOperationContainer operationContainer =
new AciLDAPOperationContainer(operation, ACI_ADD);
boolean ret=isAllowed(operationContainer,operation);
- //LDAP add needs a verify ACI syntax step in case any
- //"aci" attribute types are being added.
- if(ret)
- ret=verifySyntax(operation.getEntryToAdd(), operation,
- operationContainer.getClientDN());
+
+ if(ret) {
+ Entry entry = operation.getEntryToAdd();
+ if(entry.hasOperationalAttribute(aciType)) {
+ /*
+ * Check that the operation has "modify-acl" privileges since the
+ * entry to be added has an "aci" attribute type.
+ */
+ if (!operation.getClientConnection().
+ hasPrivilege(Privilege.MODIFY_ACL, operation)) {
+ int msgID = MSGID_ACI_ADD_FAILED_PRIVILEGE;
+ String message =
+ getMessage(msgID,
+ String.valueOf(entry.getDN()),
+ String.valueOf(operationContainer.getClientDN()));
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.SEVERE_WARNING,
+ message, msgID);
+ ret = false;
+ }
+ }
+ }
return ret;
}
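Review bot: With `verifySyntax` removed, this add path no longer calls `Aci.decode`, and the modify path loses the same call in the hunk at -157; nothing in this patch shows where a malformed "aci" value is now rejected, and the diffstat lists only this file. Presumably the attribute syntax check takes over, which would explain the corrected error code, but if that check can be relaxed by configuration, an undecodable ACI could be stored. Once confirmed, I would add a comment above `if(ret) {` such as `// ACI syntax is validated by the "aci" attribute syntax, not here; only the modify-acl privilege is checked.` and a regression test that an add and a modify carrying a malformed ACI are both refused. The enclosing method begins outside this hunk.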