1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.apache.ldap.server.authz.support;
20
21 import java.util.Collection;
22 import java.util.Iterator;
23
24 import javax.naming.Name;
25 import javax.naming.NamingException;
26 import javax.naming.directory.Attribute;
27 import javax.naming.directory.Attributes;
28
29 import org.apache.ldap.common.aci.ACITuple;
30 import org.apache.ldap.common.aci.AuthenticationLevel;
31 import org.apache.ldap.common.aci.ProtectedItem;
32 import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
33 import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
34 import org.apache.ldap.server.event.Evaluator;
35 import org.apache.ldap.server.schema.AttributeTypeRegistry;
36 import org.apache.ldap.server.subtree.RefinementEvaluator;
37 import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
38
39
40 /***
41 * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s
42 * are not related with the operation. (18.8.3.2, X.501)
43 *
44 * @author The Apache Directory Project
45 * @version $Rev: 326422 $, $Date: 2005-10-19 03:07:55 -0400 (Wed, 19 Oct 2005) $
46 */
47 public class RelatedProtectedItemFilter implements ACITupleFilter
48 {
49 private final AttributeTypeRegistry attrTypeRegistry;
50 private final RefinementEvaluator refinementEvaluator;
51 private final Evaluator entryEvaluator;
52
53 public RelatedProtectedItemFilter(
54 AttributeTypeRegistry attrTypeRegistry,
55 RefinementEvaluator refinementEvaluator, Evaluator entryEvaluator )
56 {
57 this.attrTypeRegistry = attrTypeRegistry;
58 this.refinementEvaluator = refinementEvaluator;
59 this.entryEvaluator = entryEvaluator;
60 }
61
62 public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
63 {
64 if( tuples.size() == 0 )
65 {
66 return tuples;
67 }
68
69 for( Iterator i = tuples.iterator(); i.hasNext(); )
70 {
71 ACITuple tuple = ( ACITuple ) i.next();
72 if( !isRelated( tuple, scope, userName, entryName, attrId, attrValue, entry ) )
73 {
74 i.remove();
75 }
76 }
77
78 return tuples;
79 }
80
81 private boolean isRelated( ACITuple tuple, OperationScope scope, Name userName, Name entryName, String attrId, Object attrValue, Attributes entry ) throws NamingException, InternalError
82 {
83 for( Iterator i = tuple.getProtectedItems().iterator(); i.hasNext(); )
84 {
85 ProtectedItem item = ( ProtectedItem ) i.next();
86 if( item == ProtectedItem.ENTRY )
87 {
88 if( scope == OperationScope.ENTRY )
89 {
90 return true;
91 }
92 }
93 else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
94 {
95 if( scope != OperationScope.ATTRIBUTE_TYPE &&
96 scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
97 {
98 continue;
99 }
100
101 if( isUserAttribute( attrId ) )
102 {
103 return true;
104 }
105 }
106 else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES_AND_VALUES )
107 {
108 if( scope != OperationScope.ATTRIBUTE_TYPE &&
109 scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
110 {
111 continue;
112 }
113
114 if( isUserAttribute( attrId ) )
115 {
116 return true;
117 }
118 }
119 else if( item instanceof ProtectedItem.AllAttributeValues )
120 {
121 if( scope != OperationScope.ATTRIBUTE_TYPE &&
122 scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
123 {
124 continue;
125 }
126
127 ProtectedItem.AllAttributeValues aav = ( ProtectedItem.AllAttributeValues ) item;
128 for( Iterator j = aav.iterator(); j.hasNext(); )
129 {
130 if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
131 {
132 return true;
133 }
134 }
135 }
136 else if( item instanceof ProtectedItem.AttributeType )
137 {
138 if( scope != OperationScope.ATTRIBUTE_TYPE )
139 {
140 continue;
141 }
142
143 ProtectedItem.AttributeType at = ( ProtectedItem.AttributeType ) item;
144 for( Iterator j = at.iterator(); j.hasNext(); )
145 {
146 if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
147 {
148 return true;
149 }
150 }
151 }
152 else if( item instanceof ProtectedItem.AttributeValue )
153 {
154 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
155 {
156 continue;
157 }
158
159 ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
160 for( Iterator j = av.iterator(); j.hasNext(); )
161 {
162 Attribute attr = ( Attribute ) j.next();
163 if( attrId.equalsIgnoreCase( attr.getID() ) &&
164 attr.contains( attrValue ) )
165 {
166 return true;
167 }
168 }
169 }
170 else if( item instanceof ProtectedItem.Classes )
171 {
172 ProtectedItem.Classes c = ( ProtectedItem.Classes ) item;
173 if( refinementEvaluator.evaluate(
174 c.getClasses(), entry.get( "objectClass" ) ) )
175 {
176 return true;
177 }
178 }
179 else if( item instanceof ProtectedItem.MaxImmSub )
180 {
181 return true;
182 }
183 else if( item instanceof ProtectedItem.MaxValueCount )
184 {
185 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
186 {
187 continue;
188 }
189
190 ProtectedItem.MaxValueCount mvc = ( ProtectedItem.MaxValueCount ) item;
191 for( Iterator j = mvc.iterator(); j.hasNext(); )
192 {
193 MaxValueCountItem mvcItem = ( MaxValueCountItem ) j.next();
194 if( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
195 {
196 return true;
197 }
198 }
199 }
200 else if( item instanceof ProtectedItem.RangeOfValues )
201 {
202 ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
203 if( entryEvaluator.evaluate( rov.getFilter(), entryName.toString(), entry ) )
204 {
205 return true;
206 }
207 }
208 else if( item instanceof ProtectedItem.RestrictedBy )
209 {
210 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
211 {
212 continue;
213 }
214
215 ProtectedItem.RestrictedBy rb = ( ProtectedItem.RestrictedBy ) item;
216 for( Iterator j = rb.iterator(); j.hasNext(); )
217 {
218 RestrictedByItem rbItem = ( RestrictedByItem ) j.next();
219 if( attrId.equalsIgnoreCase( rbItem.getAttributeType() ) )
220 {
221 return true;
222 }
223 }
224 }
225 else if( item instanceof ProtectedItem.SelfValue )
226 {
227 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE &&
228 scope != OperationScope.ATTRIBUTE_TYPE )
229 {
230 continue;
231 }
232
233 ProtectedItem.SelfValue sv = ( ProtectedItem.SelfValue ) item;
234 for( Iterator j = sv.iterator(); j.hasNext(); )
235 {
236 String svItem = String.valueOf( j.next() );
237 if( svItem.equalsIgnoreCase( attrId ) )
238 {
239 Attribute attr = entry.get( attrId );
240 if( attr != null && ( attr.contains( userName ) || attr.contains( userName.toString() ) ) )
241 {
242 return true;
243 }
244 }
245 }
246 }
247 else
248 {
249 throw new InternalError( "Unexpected protectedItem: " + item.getClass().getName() );
250 }
251 }
252
253 return false;
254 }
255
256 private final boolean isUserAttribute( String attrId )
257 {
258
259 return true;
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277 }
278 }