Posted to commits@directory.apache.org by tr...@apache.org on 2005/09/21 10:27:26 UTC
svn commit: r290651 -
/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
Author: trustin
Date: Wed Sep 21 01:27:23 2005
New Revision: 290651
URL: http://svn.apache.org/viewcvs?rev=290651&view=rev
Log:
Implemented filtering of protected items in ACDF.
Modified:
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java?rev=290651&r1=290650&r2=290651&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java Wed Sep 21 01:27:23 2005
@@ -20,8 +20,12 @@
import java.util.Iterator;
import javax.naming.Name;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
+import org.apache.ldap.common.acl.ProtectedItem.MaxValueCountItem;
+import org.apache.ldap.common.acl.ProtectedItem.RestrictedByItem;
import org.apache.ldap.common.exception.LdapNoPermissionException;
public class ACDFEngine
@@ -67,7 +71,7 @@
* if the user doesn't have any permission to perform the specified grants.
*
* @param userGroupName the DN of the group of the user who is trying to access the resource
- * @param username the DN of the user who is trying to access the resource
+ * @param userName the DN of the user who is trying to access the resource
* @param entryName the DN of the entry the user is trying to access
* @param attrId the attribute type of the attribute the user is trying to access.
* <tt>null</tt> if the user is not accessing a specific attribute type.
@@ -78,18 +82,18 @@
* @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
*/
public boolean hasPermission(
- Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
+ Name userGroupName, Name userName, AuthenticationLevel authenticationLevel,
Name entryName, String attrId, Object attrValue, Attributes entry,
Collection microOperations, Collection aciTuples )
{
aciTuples = filterUserClasses(
- userGroupName, username, authenticationLevel, entryName, aciTuples );
- //aciTuples = filterProtectedItems();
+ userGroupName, userName, authenticationLevel, entryName, aciTuples );
+ aciTuples = filterProtectedItems( userName, entryName, attrId, attrValue, entry, aciTuples );
return true;
}
private Collection filterUserClasses(
- Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
+ Name userGroupName, Name userName, AuthenticationLevel authenticationLevel,
Name entryName, Collection aciTuples )
{
Collection filteredTuples = new ArrayList( aciTuples );
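Review bot: The tuples returned by the added `filterProtectedItems` call on the `aciTuples = filterProtectedItems( ... )` line are never consulted; `hasPermission` still ends in the pre-existing `return true;`, so as committed the method grants every request regardless of the ACI tuples it has just filtered. The previously commented-out call suggests this is an incremental step, but a caller reading the signature and Javadoc would take the boolean as a real access decision. Until the grant/deny derivation from the filtered tuples lands, the `return true;` should at least carry `// TODO: decision is not yet derived from the filtered tuples; always grants`, or the method should throw `UnsupportedOperationException` so it cannot be wired into a live access check prematurely. `filterUserClasses` begins at the end of this hunk and its body continues outside it.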
@@ -98,7 +102,7 @@
ACITuple tuple = ( ACITuple ) i.next();
if( tuple.isGrant() )
{
- if( !matchUserClass( userGroupName, username, entryName, tuple.getUserClasses() ) ||
+ if( !matchUserClass( userGroupName, userName, entryName, tuple.getUserClasses() ) ||
authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) < 0 )
{
i.remove();
@@ -106,7 +110,7 @@
}
else // Denials
{
- if( !matchUserClass( userGroupName, username, entryName, tuple.getUserClasses() ) &&
+ if( !matchUserClass( userGroupName, userName, entryName, tuple.getUserClasses() ) &&
authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) >= 0 )
{
i.remove();
@@ -117,6 +121,24 @@
return filteredTuples;
}
+ private Collection filterProtectedItems(
+ Name userName,
+ Name entryName, String attrId, Object attrValue, Attributes entry,
+ Collection aciTuples )
+ {
+ Collection filteredTuples = new ArrayList();
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ if( matchProtectedItem( userName, entryName, attrId, attrValue, entry, tuple.getProtectedItems() ) )
+ {
+ filteredTuples.add( tuple );
+ }
+ }
+
+ return filteredTuples;
+ }
+
private boolean matchUserClass( Name userGroupName, Name username, Name entryName, Collection userClasses )
{
for( Iterator i = userClasses.iterator(); i.hasNext(); )
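Review bot: `filterProtectedItems` has no Javadoc, and its semantics differ from `filterUserClasses` directly above it: that method keeps or drops grants and denials under different conditions, while this one keeps any tuple, grant or denial, whose protected items match. If that is intended it deserves stating, e.g. `/** Returns the subset of aciTuples whose protectedItems cover the entry or attribute being accessed; grants and denials are filtered alike. */` on the method, plus `@param` lines for userName, entryName, attrId, attrValue and entry mirroring those on hasPermission. It also builds a fresh list while `filterUserClasses` removes from a copy in place; using one style for both passes would make them easier to compare. The closing context line of this hunk is the start of `matchUserClass`, whose body continues outside it.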
@@ -153,8 +175,169 @@
{
// FIXME I don't know what to do in case of subtree userClass.
}
+ else
+ {
+ throw new InternalError( "Unexpected userClass: " + userClass.getClass().getName() );
+ }
}
+ return false;
+ }
+
+ private boolean matchProtectedItem(
+ Name userName,
+ Name entryName, String attrId, Object attrValue, Attributes entry,
+ Collection protectedItems )
+ {
+ for( Iterator i = protectedItems.iterator(); i.hasNext(); )
+ {
+ ProtectedItem item = ( ProtectedItem ) i.next();
+ if( item == ProtectedItem.ENTRY )
+ {
+ if( attrId == null )
+ {
+ return true;
+ }
+ }
+ else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES )
+ {
+ if( attrId != null )
+ {
+ return true;
+ }
+ }
+ else if( item == ProtectedItem.ALL_USER_ATTRIBUTE_TYPES_AND_VALUES )
+ {
+ if( attrId != null && attrValue != null )
+ {
+ return true;
+ }
+ }
+ else if( item instanceof ProtectedItem.AllAttributeValues )
+ {
+ if( attrId == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.AllAttributeValues aav = ( ProtectedItem.AllAttributeValues ) item;
+ for( Iterator j = aav.iterator(); j.hasNext(); )
+ {
+ if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
+ {
+ return true;
+ }
+ }
+ }
+ else if( item instanceof ProtectedItem.AttributeType )
+ {
+ if( attrId == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.AttributeType at = ( ProtectedItem.AttributeType ) item;
+ for( Iterator j = at.iterator(); j.hasNext(); )
+ {
+ if( attrId.equalsIgnoreCase( ( String ) j.next() ) )
+ {
+ return true;
+ }
+ }
+ }
+ else if( item instanceof ProtectedItem.AttributeValue )
+ {
+ if( attrId == null || attrValue == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
+ for( Iterator j = av.iterator(); j.hasNext(); )
+ {
+ Attribute attr = ( Attribute ) j.next();
+ if( attrId.equalsIgnoreCase( attr.getID() ) &&
+ attr.contains( attrValue ) )
+ {
+ return true;
+ }
+ }
+ }
+ else if( item instanceof ProtectedItem.Classes )
+ {
+ ProtectedItem.Classes c = ( ProtectedItem.Classes ) item;
+ // FIXME I don't know what to do yet
+ }
+ else if( item instanceof ProtectedItem.MaxImmSub )
+ {
+ ProtectedItem.MaxImmSub mis = ( ProtectedItem.MaxImmSub ) item;
+ if( attrId == null )
+ {
+ return true;
+ }
+ }
+ else if( item instanceof ProtectedItem.MaxValueCount )
+ {
+ if( attrId == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.MaxValueCount mvc = ( ProtectedItem.MaxValueCount ) item;
+ for( Iterator j = mvc.iterator(); j.hasNext(); )
+ {
+ MaxValueCountItem mvcItem = ( MaxValueCountItem ) j.next();
+ if( attrId.equalsIgnoreCase( mvcItem.getAttributeType() ) )
+ {
+ return true;
+ }
+ }
+ }
+ else if( item instanceof ProtectedItem.RangeOfValues )
+ {
+ ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
+ // FIXME I don't know what to do yet.
+ }
+ else if( item instanceof ProtectedItem.RestrictedBy )
+ {
+ if( attrId == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.RestrictedBy rb = ( ProtectedItem.RestrictedBy ) item;
+ for( Iterator j = rb.iterator(); j.hasNext(); )
+ {
+ RestrictedByItem rbItem = ( RestrictedByItem ) j.next();
+ if( attrId.equalsIgnoreCase( rbItem.getAttributeType() ) )
+ {
+ return true;
+ }
+ }
+ }
+ else if( item instanceof ProtectedItem.SelfValue )
+ {
+ if( attrId == null || attrValue == null )
+ {
+ continue;
+ }
+
+ ProtectedItem.SelfValue sv = ( ProtectedItem.SelfValue ) item;
+ for( Iterator j = sv.iterator(); j.hasNext(); )
+ {
+ Attribute attr = entry.get( String.valueOf( j.next() ) );
+ if( attr.contains( userName ) || attr.contains( userName.toString() ) )
+ {
+ return true;
+ }
+ }
+ }
+ else
+ {
+ throw new InternalError( "Unexpected protectedItem: " + item.getClass().getName() );
+ }
+ }
+
return false;
}
}
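Review bot: In the `ProtectedItem.SelfValue` branch, `entry.get( String.valueOf( j.next() ) )` returns null when the entry lacks that attribute (the JNDI `Attributes.get` contract), so `attr.contains( userName )` on the next line throws NullPointerException for any entry that does not carry one of the listed types; a guard such as `if( attr != null && ( attr.contains( userName ) || attr.contains( userName.toString() ) ) )` keeps the whole decision from failing. Separately, this branch never compares the requested `attrId` with the selfValue attribute types or `attrValue` with `userName`; X.501 selfValue is usually read as protecting the value equal to the requestor's DN within the named attribute, so checking whether the entry already holds the user's DN in that attribute may be matching a different thing and is worth confirming against the spec. The `AllAttributeValues` branch returns true on `attrId` alone, whereas `ALL_USER_ATTRIBUTE_TYPES_AND_VALUES` additionally requires `attrValue != null`; aligning them would keep value-level protections from applying to type-only accesses. The locals `c`, `mis` and `rov` are unused and could be dropped until the adjacent FIXMEs are resolved. `matchUserClass`, the first method in this hunk, begins outside it.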