From f5a956ac0f445f81fa06ed1875253dec8e306f1a Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Fri, 12 Jul 2013 12:12:39 +0000
Subject: [PATCH] AciEvalContext.java, AciContainer.java: Removed instance member isDenyEval, setDecidingAci() and setEvalReason(), replaced with setEvaluationResult() since both are always set at the same time. Changed the impl of isDenyEval() to use the evalReason.

---
 opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java |   72 ++++++++++++-----------------------
 1 files changed, 25 insertions(+), 47 deletions(-)

diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
index d097801..a0c13e2 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java
@@ -30,6 +30,7 @@
 
 import static org.opends.messages.AccessControlMessages.*;
 import static org.opends.server.authorization.dseecompat.Aci.*;
+import static org.opends.server.authorization.dseecompat.EnumEvalReason.*;
 import static org.opends.server.config.ConfigConstants.*;
 import static org.opends.server.loggers.ErrorLogger.*;
 import static org.opends.server.loggers.debug.DebugLogger.*;
@@ -1389,17 +1390,15 @@
    */
   private boolean testApplicableLists(AciEvalContext evalCtx)
   {
-    evalCtx.setEvalReason(EnumEvalReason.NO_REASON);
-    // If allows list is empty and not doing geteffectiverights return
-    // false.
-    evalCtx.setDenyEval(true);
+    evalCtx.setEvaluationResult(NO_REASON, null);
+
     if (evalCtx.getAllowList().isEmpty()
-        && !(evalCtx.isGetEffectiveRightsEval()
-            && !evalCtx.hasRights(ACI_SELF) && evalCtx
-            .isTargAttrFilterMatchAciEmpty()))
+        && (!evalCtx.isGetEffectiveRightsEval()
+            || evalCtx.hasRights(ACI_SELF)
+            || !evalCtx.isTargAttrFilterMatchAciEmpty()))
     {
-      evalCtx.setEvalReason(EnumEvalReason.NO_ALLOW_ACIS);
-      evalCtx.setDecidingAci(null);
+      // If allows list is empty and not doing geteffectiverights return false.
+      evalCtx.setEvaluationResult(NO_ALLOW_ACIS, null);
       return false;
     }
 
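Review bot: The deny loop that follows this hunk now runs with the reason still at `NO_REASON`, whereas the removed `evalCtx.setDenyEval(true)` marked the deny phase before any ACI was evaluated. The commit message says `isDenyEval()` is now derived from the eval reason, but that implementation is not visible here. If anything reached from `Aci.evaluate()` or `AciEffectiveRights.setTargAttrAci()` reads `isDenyEval()` mid-evaluation, it would presumably see a different value than before. On an access-control decision path that is worth pinning with a regression test, and with a comment beside the call such as `// isDenyEval() is derived from the reason; only meaningful once a decision has been recorded`. The body of `testApplicableLists` continues outside this hunk.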
@@ -1410,36 +1409,25 @@
       // search fails
       if (res.equals(EnumEvalResult.FAIL))
       {
-        evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
-        evalCtx.setDecidingAci(denyAci);
+        evalCtx.setEvaluationResult(EVALUATED_DENY_ACI, denyAci);
         return false;
       }
       else if (res.equals(EnumEvalResult.TRUE))
       {
         if (evalCtx.isGetEffectiveRightsEval()
             && !evalCtx.hasRights(ACI_SELF)
-            && !evalCtx.isTargAttrFilterMatchAciEmpty())
+            && !evalCtx.isTargAttrFilterMatchAciEmpty()
+            // Iterate to next only if deny ACI contains a targattrfilters
+            // keyword.
+            && AciEffectiveRights.setTargAttrAci(evalCtx, denyAci, true))
         {
-          // Iterate to next only if deny ACI contains a targattrfilters
-          // keyword.
-          if (AciEffectiveRights.setTargAttrAci(evalCtx, denyAci, true))
-          {
-            continue;
-          }
-          evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
-          evalCtx.setDecidingAci(denyAci);
-          return false;
+          continue;
         }
-        else
-        {
-          evalCtx.setEvalReason(EnumEvalReason.EVALUATED_DENY_ACI);
-          evalCtx.setDecidingAci(denyAci);
-          return false;
-        }
+        evalCtx.setEvaluationResult(EVALUATED_DENY_ACI, denyAci);
+        return false;
       }
     }
-    // Now check the allows -- flip the deny flag to false first.
-    evalCtx.setDenyEval(false);
+
     for (Aci allowAci : evalCtx.getAllowList())
     {
       final EnumEvalResult res = Aci.evaluate(evalCtx, allowAci);
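Review bot: `AciEffectiveRights.setTargAttrAci(evalCtx, denyAci, true)` is now the last operand of the `&&` chain in the `EnumEvalResult.TRUE` branch, so whether it runs depends on short-circuit order. Judging by its name and the `evalCtx` argument it appears to update the evaluation context, though its body is not shown here. The behaviour matches the removed nested `if`, but a later reordering of the operands would silently change when the context is updated on a deny decision. A guard comment above the call, e.g. `// must stay last: has side effects on evalCtx`, would make that dependency explicit. The same pattern is introduced in the allow loop of the next hunk; the deny loop header is outside this hunk.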
@@ -1447,29 +1435,19 @@
       {
         if (evalCtx.isGetEffectiveRightsEval()
             && !evalCtx.hasRights(ACI_SELF)
-            && !evalCtx.isTargAttrFilterMatchAciEmpty())
+            && !evalCtx.isTargAttrFilterMatchAciEmpty()
+            // Iterate to next only if deny ACI contains a targattrfilters
+            // keyword.
+            && AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false))
         {
-          // Iterate to next only if deny ACI contains a targattrfilters
-          // keyword.
-          if (AciEffectiveRights.setTargAttrAci(evalCtx, allowAci, false))
-          {
-            continue;
-          }
-          evalCtx.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
-          evalCtx.setDecidingAci(allowAci);
-          return true;
+          continue;
         }
-        else
-        {
-          evalCtx.setEvalReason(EnumEvalReason.EVALUATED_ALLOW_ACI);
-          evalCtx.setDecidingAci(allowAci);
-          return true;
-        }
+        evalCtx.setEvaluationResult(EVALUATED_ALLOW_ACI, allowAci);
+        return true;
       }
     }
     // Nothing matched fall through.
-    evalCtx.setEvalReason(EnumEvalReason.NO_MATCHED_ALLOWS_ACIS);
-    evalCtx.setDecidingAci(null);
+    evalCtx.setEvaluationResult(NO_MATCHED_ALLOWS_ACIS, null);
     return false;
   }
 
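Review bot: The comment added inside the allow loop's condition still says "deny ACI", although the call it describes passes `allowAci` and `false`; it looks carried over from the deny loop. It should read `// Iterate to next only if allow ACI contains a targattrfilters keyword.` so that a reader of this access-control path is not misled about which list is being walked. The start of the enclosing `if` on `res` is outside this hunk.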

--
Gitblit v1.10.0