void ObjectAcl::validateOwner(AclValidationContext &ctx) { instantiateAcl(); ctx.init(this, mOwner.subject); if (mOwner.validate(ctx)) return; CssmError::throwMe(CSSM_ERRCODE_OPERATION_AUTH_DENIED); }
bool ObjectAcl::validates(AclValidationContext &ctx) { // make sure we are ready to go instantiateAcl(); IFDUMPING("acleval", Debug::dump("<<WANT(%d)<", ctx.authorization())); //@@@ should pre-screen based on requested auth, maybe? #if defined(ACL_OMNIPOTENT_OWNER) // try owner (owner can do anything) if (mOwner.validate(ctx)) return; #endif //ACL_OMNIPOTENT_OWNER // try applicable ACLs pair<EntryMap::const_iterator, EntryMap::const_iterator> range; if (getRange(ctx.s_credTag(), range) == 0) // no such tag CssmError::throwMe(CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND); // try each entry in turn for (EntryMap::const_iterator it = range.first; it != range.second; it++) { const AclEntry &slot = it->second; IFDUMPING("acleval", (Debug::dump(" EVAL["), slot.debugDump(), Debug::dump("]"))); if (slot.authorizes(ctx.authorization())) { ctx.init(this, slot.subject); ctx.entryTag(slot.tag); if (slot.validate(ctx)) { IFDUMPING("acleval", Debug::dump(">PASS>>\n")); return true; // passed } IFDUMPING("acleval", Debug::dump(" NO")); } } IFDUMPING("acleval", Debug::dump(">FAIL>>\n")); return false; // no joy }