From d428f48a4cf79de5e3f7cbc38a2c1af7a0b80e4f Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Sat, 21 Jul 2007 00:56:42 +0000
Subject: [PATCH] Add the new ACI keyword "targetcontrol" that can be used to enforce access based on the OID of a control. For example, a new global access control rule is also being added:
---
opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java b/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
index ca0a049..e55aca6 100644
--- a/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
+++ b/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
@@ -71,6 +71,11 @@
*/
private TargAttrFilters targAttrFilters=null;
+ /**
+ * The ACI syntax has a targetcontrol keyword.
+ */
+ private TargetControl targetControl=null;
+
/*
* The number of regular expression group positions in a valid ACI target
* expression.
@@ -139,16 +144,19 @@
* @param targetFilter The ACI targetfilter keyword if any.
* @param targetScope The ACI targetscope keyword if any.
* @param targAttrFilters The ACI targAttrFilters keyword if any.
+ * @param targetControl The ACI targetControl keyword if any.
*/
private AciTargets(Target targetEntry, TargetAttr targetAttr,
TargetFilter targetFilter,
SearchScope targetScope,
- TargAttrFilters targAttrFilters) {
+ TargAttrFilters targAttrFilters,
+ TargetControl targetControl) {
this.target=targetEntry;
this.targetAttr=targetAttr;
this.targetScope=targetScope;
this.targetFilter=targetFilter;
this.targAttrFilters=targAttrFilters;
+ this.targetControl=targetControl;
}
/**
@@ -194,6 +202,16 @@
public TargAttrFilters getTargAttrFilters() {
return targAttrFilters;
}
+
+ /**
+ * Return the class representing the ACI targetcontrol keyword. May be
+ * null.
+ * @return The targetcontrol information.
+ */
+ public TargetControl getTargetControl() {
+ return targetControl;
+ }
+
/**
* Decode an ACI's target part of the syntax from the string provided.
* @param input String representing an ACI target part of syntax.
@@ -207,6 +225,7 @@
TargetAttr targetAttr=null;
TargetFilter targetFilter=null;
TargAttrFilters targAttrFilters=null;
+ TargetControl targetControl=null;
SearchScope targetScope=SearchScope.WHOLE_SUBTREE;
Pattern targetPattern = Pattern.compile(targetRegex);
Matcher targetMatcher = targetPattern.matcher(input);
@@ -252,6 +271,22 @@
}
break;
}
+ case KEYWORD_TARGETCONTROL:
+ {
+ if (targetControl == null){
+ targetControl =
+ TargetControl.decode(targetOperator, expression);
+ }
+ else
+ {
+ int msgID =
+ MSGID_ACI_SYNTAX_INVALID_TARGET_DUPLICATE_KEYWORDS;
+ String message =
+ getMessage(msgID, "targetcontrol", input);
+ throw new AciException(msgID, message);
+ }
+ break;
+ }
case KEYWORD_TARGETATTR:
{
if (targetAttr == null){
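Review bot: The duplicate-keyword guard in the new `KEYWORD_TARGETCONTROL` case uses `targetControl == null` as the "not seen yet" marker, which is only sound if `TargetControl.decode` never returns null. `TargetControl.decode` is not part of this patch, so that should be confirmed; if it can return null, a repeated targetcontrol keyword would be accepted and the later value would silently win. I would record the assumption next to the check, for example `// TargetControl.decode() throws on bad input and never returns null, so null means "keyword not seen yet"`. The enclosing switch and decode method start and end outside this hunk.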
@@ -318,7 +353,7 @@
}
}
return new AciTargets(target, targetAttr, targetFilter,
- targetScope, targAttrFilters);
+ targetScope, targAttrFilters, targetControl);
}
/**
@@ -365,6 +400,23 @@
}
/**
+ * Check an ACI's targetcontrol against a target match context.
+ *
+ * @param aci The ACI to match the targetcontrol against.
+ * @param matchCtx The target match context containing the information
+ * needed to perform the target match.
+ * @return True if the targetcontrol matched the target context.
+ */
+ public static boolean isTargetControlApplicable(Aci aci,
+ AciTargetMatchContext matchCtx) {
+ boolean ret=true;
+ TargetControl targetControl=aci.getTargets().getTargetControl();
+ if(targetControl != null)
+ ret=targetControl.isApplicable(matchCtx);
+ return ret;
+ }
+
+ /**
* Check an ACI's targattrfilters against a target match context.
* @param aci The ACI to match the targattrfilters against.
* @param matchCtx The target match context containing the information
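Review bot: `isTargetControlApplicable` initialises `ret=true`, so an ACI with no targetcontrol keyword is reported as applicable to whatever control is in the match context. The caller is not in this patch, but if it relies on this result alone to decide whether an ACI governs a control request, ACIs written for entries or attributes would also match control checks. In that case the method should fail closed with `return targetControl != null && targetControl.isApplicable(matchCtx);`. If the permissive default is intended, the Javadoc should say so, e.g. `@return True if the ACI has no targetcontrol keyword or the keyword matched the target context.` The unbraced `if` would also be better braced.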
--
Gitblit v1.10.0