From d428f48a4cf79de5e3f7cbc38a2c1af7a0b80e4f Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Sat, 21 Jul 2007 00:56:42 +0000
Subject: [PATCH] Add the new ACI keyword "targetcontrol" that can be used to enforce access based on the OID of a control. For example, a new global access control rule is also being added:
---
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java | 55 ++++++++++++++++++++++++++++++-------------------------
1 files changed, 30 insertions(+), 25 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index e321013..c03b0d7 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -37,7 +37,7 @@
import static org.opends.server.messages.AciMessages.*;
import static org.opends.server.messages.MessageHandler.getMessage;
import static org.opends.server.schema.SchemaConstants.SYNTAX_DN_OID;
-import static org.opends.server.util.ServerConstants.OID_GET_EFFECTIVE_RIGHTS;
+import static org.opends.server.util.ServerConstants.*;
import static org.opends.server.util.StaticUtils.stackTraceToSingleLineString;
import static org.opends.server.util.StaticUtils.toLowerCase;
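Review bot: The wildcard `import static org.opends.server.util.ServerConstants.*;` replaces one named static import and pulls every ServerConstants member into scope, which makes the OID constants used further down harder to trace and can shadow or clash with the other static wildcard imports already at the top of this file. The new code only needs three constants, so naming them keeps the dependency explicit: `import static org.opends.server.util.ServerConstants.OID_GET_EFFECTIVE_RIGHTS;` plus matching lines for `OID_PROXIED_AUTH_V1` and `OID_PROXIED_AUTH_V2`.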
@@ -53,7 +53,7 @@
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.types.*;
import org.opends.server.workflowelement.localbackend.*;
-
+import org.opends.server.controls.GetEffectiveRights;
/**
@@ -1153,32 +1153,37 @@
return ret;
}
- //TODO Check access to control, issue #452.
- /**
- * Called when a proxied authorization control was decoded. Currently used
- * to save the current authorization entry in an operation attachment, but
- * eventually will be used to check access to the actual control.
- * @param operation The operation to save the attachment to.
- * @param entry The new authorization entry.
- * @return True if the control is allowed access.
- */
- public boolean isProxiedAuthAllowed(Operation operation, Entry entry) {
- operation.setAttachment(ORIG_AUTH_ENTRY, operation.getAuthorizationEntry());
- return true;
- }
/**
- * Called when a geteffectiverights request control was decoded. Currently
- * used to save the control in the specified operation's attachment list.
- * Eventually will be used to check access to the actual control.
- * @param operation The operation to save the attachment to.
- * @param c The request control to save.
- * @return True if the control is allowed access.
+ * {@inheritDoc}
*/
- public boolean isGetEffectiveRightsAllowed(SearchOperation operation,
- Control c) {
- operation.setAttachment(OID_GET_EFFECTIVE_RIGHTS, c);
- return true;
+ @Override
+ public boolean isAllowed(DN entryDN, Operation op, Control control) {
+ boolean ret;
+ if(!(ret=skipAccessCheck(op))) {
+ Entry e = new Entry(entryDN, null, null, null);
+ AciLDAPOperationContainer operationContainer =
+ new AciLDAPOperationContainer(op, e, control.getOID());
+ ret=accessAllowed(operationContainer);
+ }
+ if(control.getOID().equals(OID_PROXIED_AUTH_V2) ||
+ control.getOID().equals(OID_PROXIED_AUTH_V1))
+ op.setAttachment(ORIG_AUTH_ENTRY, op.getAuthorizationEntry());
+ else if(control.getOID().equals(OID_GET_EFFECTIVE_RIGHTS)) {
+ try {
+ GetEffectiveRights getEffectiveRightsControl =
+ GetEffectiveRights.decodeControl(control);
+ op.setAttachment(OID_GET_EFFECTIVE_RIGHTS, getEffectiveRightsControl);
+ } catch (LDAPException le) {
+ int msgID=MSGID_ACI_SYNTAX_DECODE_EFFECTIVERIGHTS_FAIL;
+ String message = getMessage(msgID, le.getMessage());
+ logError(ErrorLogCategory.ACCESS_CONTROL,
+ ErrorLogSeverity.INFORMATIONAL,
+ message, msgID);
+ ret=false;
+ }
+ }
+ return ret;
}
//Not planned to be implemented methods.
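Review bot: The attachment side effects in isAllowed run even after the ACI check has set ret to false — a denied proxied-authorization control still stores ORIG_AUTH_ENTRY on the operation, and a denied geteffectiverights control is still decoded and attached. Unless a caller depends on those attachments after a denial (not visible in this hunk), guard the OID dispatch with `if (ret) {` so a denied control leaves the operation untouched and the decode is skipped; the decode-failure branch that forces `ret=false` then only runs when the control was otherwise permitted. The unbraced two-line proxied-auth `if` and the assignment buried in `if(!(ret=skipAccessCheck(op)))` are also worth rewriting for readability, e.g. `ret = skipAccessCheck(op);` followed by `if (!ret) { … }`. The placeholder `new Entry(entryDN, null, null, null)` presumably means the ACI evaluation for a targetcontrol check sees only the entry DN and no attributes; a one-line comment stating that assumption would help the next reader. The enclosing class continues outside the hunk.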
--
Gitblit v1.10.0