From 745d3ccec1c5673231f872a7bc8d9ff6fa655279 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Wed, 25 Jul 2007 23:12:49 +0000
Subject: [PATCH] Add new ACI keyword "extop" that can be used to enforce access based on the OID of an extended operation. For example, a new global access extended operation rule is also being added:

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   33 +++++++++++++++++++++++----------
 1 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index e0969f0..77c3ba1 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -1195,7 +1195,8 @@
     if(!(ret=skipAccessCheck(op))) {
       Entry e = new Entry(entryDN, null, null, null);
       AciLDAPOperationContainer operationContainer =
-              new AciLDAPOperationContainer(op, e, control.getOID());
+              new AciLDAPOperationContainer(op, e, control,
+                                            (ACI_READ | ACI_CONTROL));
       ret=accessAllowed(operationContainer);
     }
     if(control.getOID().equals(OID_PROXIED_AUTH_V2) ||
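Review bot: The new rights mask `(ACI_READ | ACI_CONTROL)` passed to `AciLDAPOperationContainer` has no comment, and these lines do not show whether an ACI must grant both rights or only one of them for the control to be allowed. A short comment above the constructor call would settle that for the next reader, for example `// Control access is evaluated with the read right plus the control right; see AciLDAPOperationContainer.` The enclosing method starts before this hunk and continues past it, so the constructor's handling of the mask should be confirmed there.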
@@ -1218,6 +1219,27 @@
     return ret;
   }
 
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public boolean isAllowed(ExtendedOperation operation) {
+    boolean ret;
+    if(!(ret=skipAccessCheck(operation))) {
+      Entry e = new Entry(operation.getAuthorizationDN(), null, null, null);
+      AciLDAPOperationContainer operationContainer =
+         new AciLDAPOperationContainer(operation, e, (ACI_READ | ACI_EXT_OP));
+      ret=accessAllowed(operationContainer);
+    }
+    if(operation.getRequestOID().equals(OID_PROXIED_AUTH_V2) ||
+            operation.getRequestOID().equals(OID_PROXIED_AUTH_V1))
+       operation.
+              setAttachment(ORIG_AUTH_ENTRY, operation.getAuthorizationEntry());
+    return ret;
+  }
+
+
   //Not planned to be implemented methods.
 
    /**
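Review bot: The proxied-authorization branch at the end of the new `isAllowed(ExtendedOperation)` compares `operation.getRequestOID()` with `OID_PROXIED_AUTH_V1` and `OID_PROXIED_AUTH_V2`, which the control method above compares against `control.getOID()`. An extended request OID presumably never equals a control OID, so this branch looks copied and is probably dead. If proxied authorization can accompany an extended operation, it would have to be detected from the request controls; otherwise remove the branch. As written, the attachment is also set when `ret` is false, and `getRequestOID()` is dereferenced unguarded, so confirm it cannot be null here. Because this method previously returned `true` unconditionally, replace the bare `{@inheritDoc}` with Javadoc stating that access is evaluated against an attribute-less entry built from the authorization DN with `ACI_READ | ACI_EXT_OP`, and that extended operations are now subject to ACI evaluation.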
@@ -1243,15 +1265,6 @@
    * {@inheritDoc}
    */
   @Override
-  public boolean isAllowed(ExtendedOperation extendedOperation) {
-      //Not planned to be implemented.
-      return true;
-  }
-
-  /**
-   * {@inheritDoc}
-   */
-  @Override
   public boolean isAllowed(LocalBackendSearchOperation searchOperation) {
       //Not planned to be implemented.
       return true;

--
Gitblit v1.10.0