From 8fefc54e215e3f0c1520c6890bfb9908c13a9036 Mon Sep 17 00:00:00 2001
From: dugan <dugan@localhost>
Date: Thu, 31 May 2007 16:59:31 +0000
Subject: [PATCH] Fix erroneous delete and proxy effective rights results. Issue 1620.
---
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java | 4 +
opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java | 2
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java | 2
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java | 37 ++++++++++++++++++
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java | 24 +++++++++--
5 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
index 834092f..6f5b75b 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Aci.java
@@ -228,7 +228,7 @@
/**
* ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.
*/
- public static final int ACI_SKIP_PROXY_CHECK = 0x4000;
+ public static final int ACI_SKIP_PROXY_CHECK = 0x400000;
/**
* TARGATTRFILTER_ADD is used to specify that a
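Review bot: The Javadoc above `ACI_SKIP_PROXY_CHECK` gives no reason for the value, so the move from 0x4000 to 0x400000 reads as arbitrary. Presumably the old bit overlapped another right or flag, which in an access-control mask silently changes evaluation results. I would extend the comment with something like `This is an evaluation flag, not a right; its bit must not overlap any ACI_* right or TARGATTRFILTER_* mask.` The neighbouring constants are outside this hunk, so the new value should be checked against the full list.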
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
index 2300504..f14e5ad 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciBody.java
@@ -284,7 +284,7 @@
if(evalCtx.isDenyEval() &&
(p.hasAccessType(EnumAccessType.ALLOW)))
continue;
- if(!p.hasRights(evalCtx.getRights()))
+ if(!p.hasRights(getEvalRights(evalCtx)))
continue;
res=p.getBindRule().evaluate(evalCtx);
// The evaluation result could be FAIL. Stop processing and return
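Review bot: `getEvalRights(evalCtx)` can return `ACI_NULL` when the context holds none of the listed rights, and that value goes straight into `p.hasRights(...)`. How `hasRights` treats an empty mask is not visible here; if it tests `(rights & mask) == mask`, every permission would match. Handling the case explicitly keeps the decision visible, e.g. `int evalRights = getEvalRights(evalCtx);` followed by `if(evalRights == ACI_NULL || !p.hasRights(evalRights)) continue;`, provided skipping is the intended outcome for both allow and deny evaluation. The value does not depend on `p`, so it can also be computed once before the loop, whose start is outside this hunk.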
@@ -318,4 +318,39 @@
public String getName() {
return this.name;
}
+
+
+ /**
+ * Mainly used because geteffectiverights adds flags to the rights that aren't
+ * needed in the actual evaluation of the ACI. This routine returns only the
+ * rights needed in the evaluation. The order does matter, ACI_SELF evaluation
+ * needs to be before ACI_WRITE.
+ *
+ * @param evalCtx The evaluation context to determine the rights of.
+ * @return The evaluation rights to used in the evaluation.
+ */
+ private int getEvalRights(AciEvalContext evalCtx) {
+ if(evalCtx.hasRights(ACI_WRITE) &&
+ evalCtx.hasRights(ACI_SELF))
+ return ACI_SELF;
+ else if(evalCtx.hasRights(ACI_COMPARE))
+ return ACI_COMPARE;
+ else if(evalCtx.hasRights(ACI_SEARCH))
+ return ACI_SEARCH;
+ else if(evalCtx.hasRights(ACI_READ))
+ return ACI_READ;
+ else if(evalCtx.hasRights(ACI_DELETE))
+ return ACI_DELETE;
+ else if(evalCtx.hasRights(ACI_ADD))
+ return ACI_ADD;
+ else if(evalCtx.hasRights(ACI_WRITE))
+ return ACI_WRITE;
+ else if(evalCtx.hasRights(ACI_PROXY))
+ return ACI_PROXY;
+ else if(evalCtx.hasRights(ACI_IMPORT))
+ return ACI_IMPORT;
+ else if(evalCtx.hasRights(ACI_EXPORT))
+ return ACI_EXPORT;
+ return ACI_NULL;
+ }
}
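Review bot: The Javadoc on `getEvalRights` explains only the `ACI_SELF`-before-`ACI_WRITE` ordering, but the chain reduces any mask to the first matching right. A context carrying two operation rights, for example compare and search, is therefore evaluated for one of them only. If callers guarantee a single operation right plus geteffectiverights flags, the comment should say so, e.g. `Assumes the context holds one operation right; any further bits are ignored.` The `@return` line should read `The rights to be used in the evaluation, or ACI_NULL if none of the known rights is set.`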
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
index 2ef9ad7..d37ec3a 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciEffectiveRights.java
@@ -105,6 +105,12 @@
//related to the "aclRightsInfo" attribute can be performed.
private static AttributeType aclRightsInfo = null;
+ //Attribute type used in the geteffectiverights selfwrite evaluation.
+ private static AttributeType dnAttributeType=null;
+
+ //The distinguishedName string.
+ private static final String dnAttrStr = "distinguishedname";
+
//String used to fill in the summary status field when access was allowed.
private static String ALLOWED="access allowed";
@@ -192,10 +198,12 @@
int attrMask=ACI_NULL;
if(aclRights == null)
aclRights =
- DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase());
+ DirectoryServer.getAttributeType(aclRightsAttrStr.toLowerCase());
if(aclRightsInfo == null)
aclRightsInfo =
DirectoryServer.getAttributeType(aclRightsInfoAttrStr.toLowerCase());
+ if(dnAttributeType == null)
+ dnAttributeType = DirectoryServer.getAttributeType(dnAttrStr);
//Check if the attributes aclRights and aclRightsInfo were requested and
//add attributes less those two attributes to a new list of attribute types.
for(String a : searchAttributes) {
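Review bot: The result of `DirectoryServer.getAttributeType(dnAttrStr)` is cached in the static `dnAttributeType` without a null check, and a later hunk in this file passes it straight to `container.setCurrentAttributeType(...)`. If the lookup can return null when the schema does not define distinguishedName (not visible here), the selfwrite evaluation would run without a current attribute type and the reported rights could be wrong. I would guard the use site with `if(!specificAttr && dnAttributeType != null)` and add a comment at the declaration such as `//May be null if the schema lacks distinguishedName.` The unsynchronised lazy initialisation matches the two existing fields and looks harmless as long as the lookup is idempotent.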
@@ -227,13 +235,13 @@
//return the specific attribute rights if they exist.
if(nonRightsAttrs.isEmpty()) {
e=addAttributeLevelRights(container,handler,attrMask,e,
- container.getSpecificAttributes(), skipCheck);
+ container.getSpecificAttributes(), skipCheck, true);
e=addEntryLevelRights(container,handler,attrMask,e, skipCheck);
} else {
e=addAttributeLevelRights(container,handler,attrMask,e,
- nonRightsAttrs,skipCheck);
+ nonRightsAttrs, skipCheck, false);
e=addAttributeLevelRights(container,handler,attrMask,e,
- container.getSpecificAttributes(), skipCheck);
+ container.getSpecificAttributes(), skipCheck, true);
e=addEntryLevelRights(container,handler,attrMask,e,skipCheck);
}
return e;
@@ -267,6 +275,8 @@
* @param attrList The list of attribute types to iterate over.
* @param skipCheck True if ACI evaluation was skipped because bypass-acl
* privilege was found.
+ * @param specificAttr True if this evaluation is result of specific
+ * attributes sent in the request.
* @return A SearchResultEntry with geteffectiverights attribute level
* information added to it.
*/
@@ -275,7 +285,8 @@
AciHandler handler, int mask,
SearchResultEntry retEntry,
List<AttributeType> attrList,
- boolean skipCheck) {
+ boolean skipCheck,
+ boolean specificAttr) {
//The attribute list might be null.
if(attrList == null)
@@ -311,6 +322,8 @@
ByteString clientDNStr=
new ASN1OctetString(container.getClientDN().toString());
AttributeValue val1=new AttributeValue(a, clientDNStr);
+ if(!specificAttr)
+ container.setCurrentAttributeType(dnAttributeType);
container.setCurrentAttributeValue(val1);
container.setRights(ACI_WRITE_ADD | ACI_SKIP_PROXY_CHECK);
evalInfo.append(rightsString(container, handler, skipCheck,
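Review bot: The swap to `dnAttributeType` under `if(!specificAttr)` carries no comment, and `val1` is still built as `new AttributeValue(a, clientDNStr)`. The value is therefore tied to attribute `a` while the container reports distinguishedName as the current type. A reader cannot tell whether that mismatch is deliberate, or why attributes named in the request are exempt, so a short why-comment above the `if` would help. The original type is restored only by `container.setCurrentAttributeType(a)` in the next hunk, so any exit between the two calls leaves the container with the substituted type. The enclosing loop starts and ends outside this hunk.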
@@ -322,6 +335,7 @@
"selfwrite_delete"));
addAttrLevelRightsInfo(container, mask, a, retEntry, "selfwrite_delete");
evalInfo.append(',');
+ container.setCurrentAttributeType(a);
container.setCurrentAttributeValue(null);
container.setRights(ACI_PROXY | ACI_SKIP_PROXY_CHECK);
evalInfo.append(rightsString(container, handler, skipCheck, "proxy"));
diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
index d7d212d..dc13132 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciTargets.java
@@ -452,7 +452,9 @@
* skiprights rights mask.
*/
public static boolean skipRightsHasRights(int rights) {
- return ((skipRights & rights) == rights);
+ //geteffectiverights sets this flag, turn it off before evaluating.
+ int tmpRights=rights & ~ACI_SKIP_PROXY_CHECK;
+ return ((skipRights & tmpRights) == tmpRights);
}
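Review bot: After `rights & ~ACI_SKIP_PROXY_CHECK`, a mask that held only the flag becomes 0 and `(skipRights & 0) == 0` is true. `skipRightsHasRights` therefore now answers true for a non-empty input that names no right. The callers visible in this commit always combine the flag with a right, so this may be unreachable. If an empty mask should not count, a guard makes that explicit: `return tmpRights != 0 && (skipRights & tmpRights) == tmpRights;`. AciBody strips the geteffectiverights bits a different way, through `getEvalRights`, so a shared helper would keep the two in step.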
diff --git a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java
index 80f36c2..18ca200 100644
--- a/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java
+++ b/opendj-sdk/opends/tests/unit-tests-testng/src/server/org/opends/server/authorization/dseecompat/GetEffectiveRightsTestCase.java
@@ -67,7 +67,7 @@
//Results for attributeLevel searches
private static final String srwMailAttrRights =
"search:1,read:1,compare:0,write:1," +
- "selfwrite_add:1,selfwrite_delete:1,proxy:0";
+ "selfwrite_add:0,selfwrite_delete:0,proxy:0";
private static final String srDescrptionAttrRights =
"search:1,read:1,compare:0,write:0," +
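Review bot: The only test change is the expected string `srwMailAttrRights`, which now pins `selfwrite_add:0,selfwrite_delete:0` for mail; the diffstat shows no other line touched in this file. The subject names erroneous delete and proxy results, yet neither the new `ACI_SKIP_PROXY_CHECK` value nor the masking in `skipRightsHasRights` gets a case of its own here. A case asserting the entry-level delete right and the `proxy` field for a user who holds them would guard against regressions. Whether existing cases already cover that is not visible in this hunk.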
--