From 9376e1bcaf90a83599c4102222b919dfd6526a91 Mon Sep 17 00:00:00 2001
From: matthew_swift <matthew_swift@localhost>
Date: Fri, 17 Sep 2010 22:21:02 +0000
Subject: [PATCH] More fixes to the sub-entry security model: add new subentry-write privilege; rename inheritFromBaseDN to inheritFromBaseRDN and restrict it to the root entry of the subentry scope; restrict DNs derived from inheritFromDNAttribute to the root entry of the subentry scope; remove band-aid subentry write access global ACI.
---
opends/src/server/org/opends/server/core/SubentryManager.java | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 55 insertions(+), 0 deletions(-)
diff --git a/opends/src/server/org/opends/server/core/SubentryManager.java b/opends/src/server/org/opends/server/core/SubentryManager.java
index adfa86d..b94f46a 100644
--- a/opends/src/server/org/opends/server/core/SubentryManager.java
+++ b/opends/src/server/org/opends/server/core/SubentryManager.java
@@ -28,6 +28,7 @@
+import org.opends.server.api.ClientConnection;
import org.opends.server.api.SubtreeSpecification;
import java.util.*;
import java.util.concurrent.CopyOnWriteArrayList;
@@ -52,6 +53,8 @@
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
+import org.opends.server.types.Privilege;
+import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchScope;
import org.opends.server.types.SearchFilter;
@@ -944,6 +947,15 @@
if (entry.isSubentry() || entry.isLDAPSubentry())
{
+ ClientConnection conn = addOperation.getClientConnection();
+ if (!conn.hasPrivilege(Privilege.SUBENTRY_WRITE,
+ conn.getOperationInProgress(
+ addOperation.getMessageID())))
+ {
+ return PluginResult.PreOperation.stopProcessing(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES.get());
+ }
for (SubentryChangeListener changeListener :
changeListeners)
{
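Review bot: The privilege check added at the top of this hunk — fetch the ClientConnection, then hasPrivilege(Privilege.SUBENTRY_WRITE, conn.getOperationInProgress(op.getMessageID())) — is repeated verbatim in the delete, modify and modify-DN hunks (@@ -975, @@ -1023, @@ -1066), so any future change to how the privilege is evaluated has to be made in four places. Extracting it into a private static helper that takes the connection and message ID reduces each call site to one condition, e.g. `if (!hasSubentryWritePrivilege(addOperation.getClientConnection(), addOperation.getMessageID()))`. The helper's Javadoc is also the natural place to record why subentries need this privilege rather than ordinary write access, which the commit message explains (it replaces the removed global ACI) but the code does not. The enclosing method starts and ends outside the hunk.
```java
  /**
   * Indicates whether the client that submitted the operation with the given
   * message ID holds the SUBENTRY_WRITE privilege. Subentries define policy
   * for every entry in their scope, so ordinary write access to the subentry
   * itself is not sufficient (this check replaces the former global ACI).
   */
  private static boolean hasSubentryWritePrivilege(ClientConnection conn,
                                                   int messageID)
  {
    return conn.hasPrivilege(Privilege.SUBENTRY_WRITE,
        conn.getOperationInProgress(messageID));
  }

      // … call site in the add pre-operation, replacing the inline check …
      if (!hasSubentryWritePrivilege(addOperation.getClientConnection(),
                                     addOperation.getMessageID()))
      {
        return PluginResult.PreOperation.stopProcessing(
            ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
            ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES.get());
      }
      // … unchanged: change-listener notification loop …
```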
@@ -975,12 +987,29 @@
PreOperationDeleteOperation deleteOperation)
{
Entry entry = deleteOperation.getEntryToDelete();
+ boolean hasSubentryWritePrivilege = false;
lock.readLock().lock();
try
{
for (SubEntry subEntry : dit2SubEntry.getSubtree(entry.getDN()))
{
+ if (!hasSubentryWritePrivilege)
+ {
+ ClientConnection conn = deleteOperation.getClientConnection();
+ if (!conn.hasPrivilege(Privilege.SUBENTRY_WRITE,
+ conn.getOperationInProgress(
+ deleteOperation.getMessageID())))
+ {
+ return PluginResult.PreOperation.stopProcessing(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES.get());
+ }
+ else
+ {
+ hasSubentryWritePrivilege = true;
+ }
+ }
for (SubentryChangeListener changeListener :
changeListeners)
{
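Review bot: The privilege check is placed inside the loop over the subentries beneath the deleted entry and guarded by the new `hasSubentryWritePrivilege` flag, so the flag exists only to make the check run once; the same pattern appears in the modify-DN hunk (@@ -1066). Testing the collection returned by `dit2SubEntry.getSubtree(entry.getDN())` for emptiness before the loop gives the same "check only when a subentry is affected" behaviour without the flag or the per-iteration branch, assuming that return type exposes `isEmpty()` (it is assigned to a variable named `setToDelete` in the later hunk, which suggests a Set). The early return also happens while `lock.readLock()` is held, which is only correct if the try's finally block releases it; that block lies outside the hunk. The enclosing method ends outside the hunk.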
@@ -1023,6 +1052,15 @@
if ((newEntry.isSubentry() || newEntry.isLDAPSubentry()) ||
(oldEntry.isSubentry() || oldEntry.isLDAPSubentry()))
{
+ ClientConnection conn = modifyOperation.getClientConnection();
+ if (!conn.hasPrivilege(Privilege.SUBENTRY_WRITE,
+ conn.getOperationInProgress(
+ modifyOperation.getMessageID())))
+ {
+ return PluginResult.PreOperation.stopProcessing(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES.get());
+ }
for (SubentryChangeListener changeListener :
changeListeners)
{
@@ -1058,6 +1096,7 @@
Entry newEntry = modifyDNOperation.getUpdatedEntry();
String oldDNString = oldEntry.getDN().toNormalizedString();
String newDNString = newEntry.getDN().toNormalizedString();
+ boolean hasSubentryWritePrivilege = false;
lock.readLock().lock();
try
@@ -1066,6 +1105,22 @@
dit2SubEntry.getSubtree(oldEntry.getDN());
for (SubEntry subentry : setToDelete)
{
+ if (!hasSubentryWritePrivilege)
+ {
+ ClientConnection conn = modifyDNOperation.getClientConnection();
+ if (!conn.hasPrivilege(Privilege.SUBENTRY_WRITE,
+ conn.getOperationInProgress(
+ modifyDNOperation.getMessageID())))
+ {
+ return PluginResult.PreOperation.stopProcessing(
+ ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
+ ERR_SUBENTRY_WRITE_INSUFFICIENT_PRIVILEGES.get());
+ }
+ else
+ {
+ hasSubentryWritePrivilege = true;
+ }
+ }
oldEntry = subentry.getEntry();
try
{
--
Gitblit v1.10.0