From 1112197854c0922ba9a48acbb986b3f20d743c8f Mon Sep 17 00:00:00 2001
From: Matthew Swift <matthew.swift@forgerock.com>
Date: Thu, 10 May 2012 11:28:13 +0000
Subject: [PATCH] Fix OPENDJ-475: Incorrect behaviour/result code regarding non-critical controls

---
 opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java |   42 ++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java
index 774b34a..3d70947 100644
--- a/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java
+++ b/opends/src/server/org/opends/server/workflowelement/localbackend/LocalBackendWorkflowElement.java
@@ -51,6 +51,7 @@
 import org.opends.server.types.*;
 import org.opends.server.workflowelement.LeafWorkflowElement;
 
+import static org.opends.messages.CoreMessages.*;
 import static org.opends.server.config.ConfigConstants.*;
 
 
@@ -325,6 +326,47 @@
 
 
   /**
+   * Determine whether or not the provided request control is permitted by the
+   * access control policy. If it is not allowed, then abort the operation if
+   * the control was critical, otherwise ignore it.
+   *
+   * @param targetDN
+   *          The operation target DN.
+   * @param op
+   *          The operation.
+   * @param control
+   *          The request control.
+   * @return {@code true} if access is allowed, or {@code false} if access is
+   *         not allowed, but the control is non-critical and should be ignored.
+   * @throws DirectoryException
+   *           If access is not allowed and the control is critical.
+   */
+  static boolean isControlAllowed(DN targetDN, Operation op, Control control)
+      throws DirectoryException
+  {
+    if (!AccessControlConfigManager.getInstance().getAccessControlHandler()
+        .isAllowed(targetDN, op, control))
+    {
+      // As per RFC 4511 4.1.11.
+      if (control.isCritical())
+      {
+        throw new DirectoryException(ResultCode.UNAVAILABLE_CRITICAL_EXTENSION,
+            ERR_CONTROL_INSUFFICIENT_ACCESS_RIGHTS.get(control.getOID()));
+      }
+      else
+      {
+        // We don't want the backend to process this non-critical control, so
+        // remove it.
+        op.removeRequestControl(control);
+        return false;
+      }
+    }
+    return true;
+  }
+
+
+
+  /**
    * Adds the post-read response control to the response if requested.
    *
    * @param operation

--
Gitblit v1.10.0