View Javadoc

1   /*
2    *   @(#) $Id: RelatedProtectedItemFilter.java 326422 2005-10-19 07:07:55Z trustin $
3    *   
4    *   Copyright 2004 The Apache Software Foundation
5    *
6    *   Licensed under the Apache License, Version 2.0 (the "License");
7    *   you may not use this file except in compliance with the License.
8    *   You may obtain a copy of the License at
9    *
10   *       http://www.apache.org/licenses/LICENSE-2.0
11   *
12   *   Unless required by applicable law or agreed to in writing, software
13   *   distributed under the License is distributed on an "AS IS" BASIS,
14   *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15   *   See the License for the specific language governing permissions and
16   *   limitations under the License.
17   *
18   */
19  package org.apache.ldap.server.authz.support;
20  
21  import java.util.Collection;
22  import java.util.Iterator;
23  
24  import javax.naming.Name;
25  import javax.naming.NamingException;
26  import javax.naming.directory.Attribute;
27  import javax.naming.directory.Attributes;
28  
29  import org.apache.ldap.common.aci.ACITuple;
30  import org.apache.ldap.common.aci.AuthenticationLevel;
31  import org.apache.ldap.common.aci.ProtectedItem;
32  import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
33  import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
34  import org.apache.ldap.server.event.Evaluator;
35  import org.apache.ldap.server.schema.AttributeTypeRegistry;
36  import org.apache.ldap.server.subtree.RefinementEvaluator;
37  import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
38  
39  
40  /***
41   * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s
42   * are not related with the operation. (18.8.3.2, X.501)
43   *
44   * @author The Apache Directory Project
45   * @version $Rev: 326422 $, $Date: 2005-10-19 03:07:55 -0400 (Wed, 19 Oct 2005) $
46   */
47  public class RelatedProtectedItemFilter implements ACITupleFilter
48  {
49      private final AttributeTypeRegistry attrTypeRegistry;
50      private final RefinementEvaluator refinementEvaluator;
51      private final Evaluator entryEvaluator;
52  
53      public RelatedProtectedItemFilter(
54              AttributeTypeRegistry attrTypeRegistry,
55              RefinementEvaluator refinementEvaluator, Evaluator entryEvaluator )
56      {
57          this.attrTypeRegistry = attrTypeRegistry;
58          this.refinementEvaluator = refinementEvaluator;
59          this.entryEvaluator = entryEvaluator;
60      }
61  
62      public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
63      {
64          if( tuples.size() == 0 )
65          {
66              return tuples;
67          }
68  
69          for( Iterator i = tuples.iterator(); i.hasNext(); )
70          {
71              ACITuple tuple = ( ACITuple ) i.next();
72              if( !isRelated( tuple, scope, userName, entryName, attrId, attrValue, entry ) )
73              {
74                  i.remove();
75              }
76          }
77  
78          return tuples;
79      }
80  
81      private boolean isRelated( ACITuple tuple, OperationScope scope, Name userName, Name entryName, String attrId, Object attrValue, Attributes entry ) throws NamingException, InternalError
82      {
83          for( Iterator i = tuple.getProtectedItems().iterator(); i.hasNext(); )
84          {
85              ProtectedItem item = ( ProtectedItem ) i.next();
86              if( item == ProtectedItem.ENTRY )
87              {
88                  if( scope == OperationScope.ENTRY )
89                  {
90                      return true;
91                  }
92              }
93              else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
94              {
95                  if( scope != OperationScope.ATTRIBUTE_TYPE &&
96                      scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
97                  {
98                      continue;
99                  }
100 
101                 if( isUserAttribute( attrId ) )
102                 {
103                     return true;
104                 }
105             }
106             else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES_AND_VALUES )
107             {
108                 if( scope != OperationScope.ATTRIBUTE_TYPE &&
109                     scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
110                 {
111                     continue;
112                 }
113 
114                 if( isUserAttribute( attrId ) )
115                 {
116                     return true;
117                 }
118             }
119             else if( item instanceof ProtectedItem.AllAttributeValues )
120             {
121                 if( scope != OperationScope.ATTRIBUTE_TYPE &&
122                     scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
123                 {
124                     continue;
125                 }
126 
127                 ProtectedItem.AllAttributeValues aav = ( ProtectedItem.AllAttributeValues ) item;
128                 for( Iterator j = aav.iterator(); j.hasNext(); )
129                 {
130                     if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
131                     {
132                         return true;
133                     }
134                 }
135             }
136             else if( item instanceof ProtectedItem.AttributeType )
137             {
138                 if( scope != OperationScope.ATTRIBUTE_TYPE )
139                 {
140                     continue;
141                 }
142 
143                 ProtectedItem.AttributeType at = ( ProtectedItem.AttributeType ) item;
144                 for( Iterator j = at.iterator(); j.hasNext(); )
145                 {
146                     if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
147                     {
148                         return true;
149                     }
150                 }
151             }
152             else if( item instanceof ProtectedItem.AttributeValue )
153             {
154                 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
155                 {
156                     continue;
157                 }
158 
159                 ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
160                 for( Iterator j = av.iterator(); j.hasNext(); )
161                 {
162                     Attribute attr = ( Attribute ) j.next();
163                     if( attrId.equalsIgnoreCase( attr.getID() ) &&
164                             attr.contains( attrValue ) )
165                     {
166                         return true;
167                     }
168                 }
169             }
170             else if( item instanceof ProtectedItem.Classes )
171             {
172                 ProtectedItem.Classes c = ( ProtectedItem.Classes ) item;
173                 if( refinementEvaluator.evaluate(
174                         c.getClasses(), entry.get( "objectClass" ) ) )
175                 {
176                     return true;
177                 }
178             }
179             else if( item instanceof ProtectedItem.MaxImmSub )
180             {
181                 return true;
182             }
183             else if( item instanceof ProtectedItem.MaxValueCount )
184             {
185                 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
186                 {
187                     continue;
188                 }
189 
190                 ProtectedItem.MaxValueCount mvc = ( ProtectedItem.MaxValueCount ) item;
191                 for( Iterator j = mvc.iterator(); j.hasNext(); )
192                 {
193                     MaxValueCountItem mvcItem = ( MaxValueCountItem ) j.next();
194                     if( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
195                     {
196                         return true;
197                     }
198                 }
199             }
200             else if( item instanceof ProtectedItem.RangeOfValues )
201             {
202                 ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
203                 if( entryEvaluator.evaluate( rov.getFilter(), entryName.toString(), entry ) )
204                 {
205                     return true;
206                 }
207             }
208             else if( item instanceof ProtectedItem.RestrictedBy )
209             {
210                 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
211                 {
212                     continue;
213                 }
214 
215                 ProtectedItem.RestrictedBy rb = ( ProtectedItem.RestrictedBy ) item;
216                 for( Iterator j = rb.iterator(); j.hasNext(); )
217                 {
218                     RestrictedByItem rbItem = ( RestrictedByItem ) j.next();
219                     if( attrId.equalsIgnoreCase( rbItem.getAttributeType() ) )
220                     {
221                         return true;
222                     }
223                 }
224             }
225             else if( item instanceof ProtectedItem.SelfValue )
226             {
227                 if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE &&
228                     scope != OperationScope.ATTRIBUTE_TYPE )
229                 {
230                     continue;
231                 }
232 
233                 ProtectedItem.SelfValue sv = ( ProtectedItem.SelfValue ) item;
234                 for( Iterator j = sv.iterator(); j.hasNext(); )
235                 {
236                     String svItem = String.valueOf( j.next() );
237                     if( svItem.equalsIgnoreCase( attrId ) )
238                     {
239                         Attribute attr = entry.get( attrId );
240                         if( attr != null && ( attr.contains( userName ) || attr.contains( userName.toString() ) ) )
241                         {
242                             return true;
243                         }
244                     }
245                 }
246             }
247             else
248             {
249                 throw new InternalError( "Unexpected protectedItem: " + item.getClass().getName() );
250             }
251         }
252 
253         return false;
254     }
255 
256     private final boolean isUserAttribute( String attrId )
257     {
258         /* Not used anymore.  Just retaining in case of resurrection. */
259         return true;
260 
261         /*
262         try
263         {
264             AttributeType type = attrTypeRegistry.lookup( attrId );
265             if( type != null && type.isCanUserModify() )
266             {
267                 return true;
268             }
269         }
270         catch( NamingException e )
271         {
272             // Ignore
273         }
274 
275         return false;
276         */
277     }
278 }