Posted to commits@directory.apache.org by el...@apache.org on 2010/07/05 15:18:54 UTC
svn commit: r960593 [1/2] - in /directory/apacheds/trunk:
core-integ/src/test/java/org/apache/directory/server/core/authz/
core/src/main/java/org/apache/directory/server/core/authz/
core/src/main/java/org/apache/directory/server/core/authz/support/ cor...
Author: elecharny
Date: Mon Jul 5 13:18:53 2010
New Revision: 960593
URL: http://svn.apache.org/viewvc?rev=960593&view=rev
Log:
o Added a test for Lookup with authz
o Added an AciContext structure to be used by the filter(), checkPermission() and hasPermission() methods
o Replaced the methods taking 10 parameters by methods taking a structure (ACDFEngine and others)
o Fixed the code and tests accordingly
Added:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java
Modified:
directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RestrictedByFilterTest.java
Added: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java?rev=960593&view=auto
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java (added)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java Mon Jul 5 13:18:53 2010
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.core.authz;
+
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.name.DN;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Test the lookup operation
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith ( FrameworkRunner.class )
+@ApplyLdifs( {
+ // Entry # 1
+ "dn: cn=test,ou=system",
+ "objectClass: person",
+ "cn: test",
+ "sn: sn_test"
+})
+public class LookupAuthorizationIT extends AbstractLdapTestUnit
+{
+ @Before
+ public void init()
+ {
+ AutzIntegUtils.service = service;
+ }
+
+
+ /**
+ * Test a lookup( DN ) operation with the ACI subsystem enabled
+ */
+ @Test
+ public void testLookupACIEnabled() throws Exception
+ {
+ service.setAccessControlEnabled( true );
+
+ createAccessControlSubentry(
+ "anybodySearch",
+ "{ " +
+ " identificationTag \"searchAci\", " +
+ " precedence 14, " +
+ " authenticationLevel none, " +
+ " itemOrUserFirst userFirst: " +
+ " { " +
+ " userClasses { allUsers }, " +
+ " userPermissions " +
+ " { " +
+ " { " +
+ " protectedItems {entry, allUserAttributeTypesAndValues}, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " } " +
+ " } " +
+ " } " +
+ "}" );
+
+ DN dn = new DN( "cn=test,ou=system" );
+ Entry entry = service.getSession().lookup( dn );
+
+ assertNotNull( entry );
+
+ // We should have 8 attributes
+ assertEquals( 8, entry.size() );
+
+ // Check that all the user attributes are present
+ assertEquals( "test", entry.get( "cn" ).getString() );
+ assertEquals( "sn_test", entry.get( "sn" ).getString() );
+ assertTrue( entry.contains( "objectClass", "top", "person" ) );
+ }
+
+}
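Review bot: The new test only exercises the grant path: it installs an ACI that grants Read/ReturnDN/Browse to allUsers and asserts the lookup succeeds, so a regression in the refactored ACDFEngine that grants too much would not be caught. A sibling case that performs the same `service.getSession().lookup( dn )` with access control enabled but without a granting subentry (or with a `denyRead` item) and asserts that it fails would pin the deny path, which is the one that matters for authorization. The comment `// We should have 8 attributes` does not say which attributes are expected beyond the three checked; naming the operational attributes in the comment would make the count self-explaining. `service.setAccessControlEnabled( true )` is never reset in this class; if the framework does not recreate the service per test class, this setting leaks into later tests — worth confirming or adding an `@After` that restores it.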
Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Mon Jul 5 13:18:53 2010
@@ -1219,7 +1219,11 @@ public class SearchAuthorizationIT exten
" userPermissions " +
" { " +
" { " +
- " protectedItems { entry, rangeOfValues (cn=billyd) }, " +
+ " protectedItems { entry }, " +
+ " grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+ " }, " +
+ " { " +
+ " protectedItems { rangeOfValues (cn=billyd) }, " +
" grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
" } " +
" } " +
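Review bot: The rationale for splitting the single userPermission `{ entry, rangeOfValues (cn=billyd) }` into two items — one for `entry`, one for `rangeOfValues` — is not recorded anywhere in the test, and a fixture change made to keep a test passing after an engine refactor deserves one, since it may be papering over a behaviour change rather than correcting the fixture. A short comment such as `// entry-scope and value-scope (rangeOfValues) items are evaluated at different scopes, so they must be separate userPermissions` (if that is the reason) would tell the next reader whether the old combined form was wrong or merely no longer accepted. The enclosing test method starts and ends outside this hunk.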
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Mon Jul 5 13:18:53 2010
@@ -36,6 +36,7 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
+import org.apache.directory.server.core.authz.support.AciContext;
import org.apache.directory.server.core.entry.ClonedServerEntry;
import org.apache.directory.server.core.entry.ServerEntryUtils;
import org.apache.directory.server.core.filtering.EntryFilter;
@@ -100,7 +101,6 @@ public class AciAuthorizationInterceptor
private static final Collection<MicroOperation> SEARCH_ENTRY_PERMS;
private static final Collection<MicroOperation> SEARCH_ATTRVAL_PERMS;
private static final Collection<MicroOperation> REMOVE_PERMS;
- private static final Collection<MicroOperation> MATCHEDNAME_PERMS;
private static final Collection<MicroOperation> BROWSE_PERMS;
private static final Collection<MicroOperation> LOOKUP_PERMS;
private static final Collection<MicroOperation> REPLACE_PERMS;
@@ -136,7 +136,6 @@ public class AciAuthorizationInterceptor
READ_PERMS = Collections.singleton( MicroOperation.READ );
COMPARE_PERMS = Collections.singleton( MicroOperation.COMPARE );
REMOVE_PERMS = Collections.singleton( MicroOperation.REMOVE );
- MATCHEDNAME_PERMS = Collections.singleton( MicroOperation.DISCLOSE_ON_ERROR );
BROWSE_PERMS = Collections.singleton( MicroOperation.BROWSE );
RENAME_PERMS = Collections.singleton( MicroOperation.RENAME );
EXPORT_PERMS = Collections.singleton( MicroOperation.EXPORT );
@@ -447,11 +446,11 @@ public class AciAuthorizationInterceptor
// perform checks below here for all non-admin users
SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class
.getName() );
- Entry subentryAttrs = subentryInterceptor.getSubentryAttributes( dn, serverEntry );
+ Entry subentry = subentryInterceptor.getSubentryAttributes( dn, serverEntry );
for ( EntryAttribute attribute : serverEntry )
{
- subentryAttrs.put( attribute );
+ subentry.put( attribute );
}
// Assemble all the information required to make an access control decision
@@ -460,20 +459,38 @@ public class AciAuthorizationInterceptor
// Build the total collection of tuples to be considered for add rights
// NOTE: entryACI are NOT considered in adds (it would be a security breech)
- addPerscriptiveAciTuples( addContext, tuples, dn, subentryAttrs );
- addSubentryAciTuples( addContext, tuples, dn, subentryAttrs );
+ addPerscriptiveAciTuples( addContext, tuples, dn, subentry );
+ addSubentryAciTuples( addContext, tuples, dn, subentry );
// check if entry scope permission is granted
- engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal.getAuthenticationLevel(),
- dn, null, null, ADD_PERMS, tuples, subentryAttrs, null );
+ AciContext entryAciCtx = new AciContext( schemaManager, addContext );
+ entryAciCtx.setUserGroupNames( userGroups );
+ entryAciCtx.setUserDn( principalDn );
+ entryAciCtx.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ entryAciCtx.setEntryDn( dn );
+ entryAciCtx.setMicroOperations( ADD_PERMS );
+ entryAciCtx.setAciTuples( tuples );
+ entryAciCtx.setEntry( subentry );
+
+ engine.checkPermission( entryAciCtx );
// now we must check if attribute type and value scope permission is granted
for ( EntryAttribute attribute : serverEntry )
{
for ( Value<?> value : attribute )
{
- engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, ADD_PERMS, tuples, serverEntry, null );
+ AciContext attrAciContext = new AciContext( schemaManager, addContext );
+ attrAciContext.setUserGroupNames( userGroups );
+ attrAciContext.setUserDn( principalDn );
+ attrAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ attrAciContext.setEntryDn( dn );
+ attrAciContext.setAttributeType( attribute.getAttributeType() );
+ attrAciContext.setAttrValue( value );
+ attrAciContext.setMicroOperations( ADD_PERMS );
+ attrAciContext.setAciTuples( tuples );
+ attrAciContext.setEntry( serverEntry );
+
+ engine.checkPermission( attrAciContext );
}
}
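Review bot: The eight setter calls that populate each AciContext are repeated verbatim at both sites in this hunk and at every other checkPermission/hasPermission site in this file (the delete, modify, hasEntry, lookup, rename, moveAndRename, move, compare and search-filter hunks), with only the entry DN, permissions, tuples and entry differing; that is the kind of duplication where one site silently omits a field. A private factory in the interceptor that sets the common fields, leaving `setAttributeType`/`setAttrValue`/`setEntryView` to the caller, would shrink each site to one or two lines and make an omission visible. `userGroups` and `principal` appear to be method locals rather than fields, so they are passed in; `OperationContext` is the type the removed ACDFEngine signature used and may need an import here. Variable naming is also inconsistent within the hunk (`entryAciCtx` vs `attrAciContext`); the rest of add() is outside the hunk.
```java
// … unchanged: addPerscriptiveAciTuples / addSubentryAciTuples calls …
AciContext entryAciCtx = newAciContext( addContext, userGroups, principal, principalDn, dn, ADD_PERMS, tuples, subentry );
engine.checkPermission( entryAciCtx );
// … unchanged: loop over serverEntry attributes and values, each using newAciContext plus setAttributeType/setAttrValue …

/** Builds an AciContext carrying the fields every check in this interceptor sets; attribute-scoped fields are added by the caller. */
private AciContext newAciContext( OperationContext opContext, Collection<DN> userGroups, LdapPrincipal principal,
    DN userDn, DN entryDn, Collection<MicroOperation> perms, Collection<ACITuple> aciTuples, Entry entry )
{
    AciContext ctx = new AciContext( schemaManager, opContext );
    ctx.setUserGroupNames( userGroups );
    ctx.setUserDn( userDn );
    ctx.setAuthenticationLevel( principal.getAuthenticationLevel() );
    ctx.setEntryDn( entryDn );
    ctx.setMicroOperations( perms );
    ctx.setAciTuples( aciTuples );
    ctx.setEntry( entry );
    return ctx;
}
```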
@@ -529,8 +546,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( deleteContext, tuples, dn, entry );
- engine.checkPermission( schemaManager, deleteContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, null, null, REMOVE_PERMS, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, deleteContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setMicroOperations( REMOVE_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
next.delete( deleteContext );
@@ -580,8 +605,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( modifyContext, tuples, dn, entry );
- engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal.getAuthenticationLevel(),
- dn, null, null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
+ AciContext entryAciContext = new AciContext( schemaManager, modifyContext );
+ entryAciContext.setUserGroupNames( userGroups );
+ entryAciContext.setUserDn( principalDn );
+ entryAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ entryAciContext.setEntryDn( dn );
+ entryAciContext.setMicroOperations( Collections.singleton( MicroOperation.MODIFY ) );
+ entryAciContext.setAciTuples( tuples );
+ entryAciContext.setEntry( entry );
+
+ engine.checkPermission( entryAciContext );
Collection<MicroOperation> perms = null;
Entry entryView = ( Entry ) entry.clone();
@@ -598,9 +631,18 @@ public class AciAuthorizationInterceptor
// If the attribute is being created with an initial value ...
if ( entry.get( attr.getId() ) == null )
{
+ AciContext attrAciContext = new AciContext( schemaManager, modifyContext );
+ attrAciContext.setUserGroupNames( userGroups );
+ attrAciContext.setUserDn( principalDn );
+ attrAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ attrAciContext.setEntryDn( dn );
+ attrAciContext.setAttributeType( attr.getAttributeType() );
+ attrAciContext.setMicroOperations( perms );
+ attrAciContext.setAciTuples( tuples );
+ attrAciContext.setEntry( entry );
+
// ... we also need to check if adding the attribute is permitted
- engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, attr.getAttributeType(), null, perms, tuples, entry, null );
+ engine.checkPermission( attrAciContext );
}
break;
@@ -615,8 +657,17 @@ public class AciAuthorizationInterceptor
if ( entryAttr.size() == 1 )
{
// ... we also need to check if removing the attribute at all is permitted
- engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, attr.getAttributeType(), null, perms, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, modifyContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setAttributeType( attr.getAttributeType() );
+ aciContext.setMicroOperations( perms );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
}
}
@@ -644,8 +695,19 @@ public class AciAuthorizationInterceptor
for ( Value<?> value : attr )
{
- engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, attr.getAttributeType(), value, perms, tuples, entry, entryView );
+ AciContext aciContext = new AciContext( schemaManager, modifyContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setAttributeType( attr.getAttributeType() );
+ aciContext.setAttrValue( value );
+ aciContext.setMicroOperations( perms );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+ aciContext.setEntryView( entryView );
+
+ engine.checkPermission( aciContext );
}
}
@@ -695,9 +757,16 @@ public class AciAuthorizationInterceptor
addSubentryAciTuples( hasEntryContext, tuples, dn, ( ( ClonedServerEntry ) entry ).getOriginalEntry() );
// check that we have browse access to the entry
- engine.checkPermission( schemaManager, hasEntryContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), dn, null, null, BROWSE_PERMS, tuples, ( ( ClonedServerEntry ) entry )
- .getOriginalEntry(), null );
+ AciContext aciContext = new AciContext( schemaManager, hasEntryContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setMicroOperations( BROWSE_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( ((ClonedServerEntry)entry).getOriginalEntry() );
+
+ engine.checkPermission( aciContext );
return next.hasEntry( hasEntryContext );
}
@@ -737,8 +806,16 @@ public class AciAuthorizationInterceptor
addSubentryAciTuples( lookupContext, tuples, dn, entry );
// check that we have read access to the entry
- engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
- dn, null, null, LOOKUP_PERMS, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, lookupContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( userName );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setMicroOperations( LOOKUP_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
// check that we have read access to every attribute type and value
for ( EntryAttribute attribute : entry )
@@ -746,9 +823,18 @@ public class AciAuthorizationInterceptor
for ( Value<?> value : attribute )
{
- engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal
- .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, READ_PERMS, tuples,
- entry, null );
+ AciContext valueAciContext = new AciContext( schemaManager, lookupContext );
+ valueAciContext.setUserGroupNames( userGroups );
+ valueAciContext.setUserDn( userName );
+ valueAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ valueAciContext.setEntryDn( dn );
+ valueAciContext.setAttributeType( attribute.getAttributeType() );
+ valueAciContext.setAttrValue( value );
+ valueAciContext.setMicroOperations( READ_PERMS );
+ valueAciContext.setAciTuples( tuples );
+ valueAciContext.setEntry( entry );
+
+ engine.checkPermission( valueAciContext );
}
}
}
@@ -826,8 +912,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, originalEntry );
addSubentryAciTuples( renameContext, tuples, oldName, originalEntry );
- engine.checkPermission( schemaManager, renameContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), oldName, null, null, RENAME_PERMS, tuples, originalEntry, null );
+ AciContext aciContext = new AciContext( schemaManager, renameContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( oldName );
+ aciContext.setMicroOperations( RENAME_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( originalEntry );
+
+ engine.checkPermission( aciContext );
next.rename( renameContext );
tupleCache.subentryRenamed( oldName, newName );
@@ -870,8 +964,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( moveAndRenameContext, tuples, oldDn, entry );
- engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), oldDn, null, null, MOVERENAME_PERMS, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, moveAndRenameContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( oldDn );
+ aciContext.setMicroOperations( MOVERENAME_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
// Get the entry again without operational attributes
// because access control subentry operational attributes
@@ -899,10 +1001,19 @@ public class AciAuthorizationInterceptor
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
// Import permission is only valid for prescriptive ACIs
addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newDn, subentryAttrs );
+
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal
- .getAuthenticationLevel(), newDn, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null );
+ aciContext = new AciContext( schemaManager, moveAndRenameContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( newDn );
+ aciContext.setMicroOperations( IMPORT_PERMS );
+ aciContext.setAciTuples( destTuples );
+ aciContext.setEntry( subentryAttrs );
+
+ engine.checkPermission( aciContext );
next.moveAndRename( moveAndRenameContext );
tupleCache.subentryRenamed( oldDn, newDn );
@@ -949,8 +1060,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( moveContext, tuples, oriChildName, entry );
- engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
- principal.getAuthenticationLevel(), oriChildName, null, null, EXPORT_PERMS, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, moveContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( oriChildName );
+ aciContext.setMicroOperations( EXPORT_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
// Get the entry again without operational attributes
// because access control subentry operational attributes
@@ -976,10 +1095,19 @@ public class AciAuthorizationInterceptor
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
// Import permission is only valid for prescriptive ACIs
addPerscriptiveAciTuples( moveContext, destTuples, newDn, subentryAttrs );
+
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
- principal.getAuthenticationLevel(), newDn, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null );
+ aciContext = new AciContext( schemaManager, moveContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( newDn );
+ aciContext.setMicroOperations( IMPORT_PERMS );
+ aciContext.setAciTuples( destTuples );
+ aciContext.setEntry( subentryAttrs );
+
+ engine.checkPermission( aciContext );
next.move( moveContext );
tupleCache.subentryRenamed( oriChildName, newDn );
@@ -1059,12 +1187,30 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( compareContext, tuples, dn, entry );
- engine.checkPermission( schemaManager, compareContext, userGroups, principalDn, principal.getAuthenticationLevel(),
- dn, null, null, READ_PERMS, tuples, entry, null );
+ AciContext aciContext = new AciContext( schemaManager, compareContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setMicroOperations( READ_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
AttributeType attributeType = schemaManager.lookupAttributeTypeRegistry( oid );
- engine.checkPermission( schemaManager, compareContext, userGroups, principalDn, principal.getAuthenticationLevel(),
- dn, attributeType, value, COMPARE_PERMS, tuples, entry, null );
+
+ aciContext = new AciContext( schemaManager, compareContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( principalDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( dn );
+ aciContext.setAttributeType( attributeType );
+ aciContext.setMicroOperations( COMPARE_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( entry );
+
+ engine.checkPermission( aciContext );
return next.compare( compareContext );
}
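Review bot: The second context in this hunk — the COMPARE_PERMS check built after `lookupAttributeTypeRegistry( oid )` — never calls `setAttrValue( value )`, although the call it replaces passed `value` as the attrValue argument. With attrValue left null, ACDFEngine.hasPermission classifies the check as ATTRIBUTE_TYPE scope instead of attribute-value scope, so value-level protected items no longer govern a compare and a deny expressed at value level would not be applied. Add `aciContext.setAttrValue( value );` after `aciContext.setAttributeType( attributeType );`. A compare test with a value-level deny would have caught this; the rest of compare() is outside the hunk.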
@@ -1092,8 +1238,16 @@ public class AciAuthorizationInterceptor
addEntryAciTuples( tuples, clonedEntry.getOriginalEntry() );
addSubentryAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
- if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal.getAuthenticationLevel(),
- normName, null, null, SEARCH_ENTRY_PERMS, tuples, clonedEntry.getOriginalEntry(), null ) )
+ AciContext aciContext = new AciContext( schemaManager, opContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( userDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( normName );
+ aciContext.setMicroOperations( SEARCH_ENTRY_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( clonedEntry.getOriginalEntry() );
+
+ if ( !engine.hasPermission( aciContext ) )
{
return false;
}
@@ -1112,8 +1266,17 @@ public class AciAuthorizationInterceptor
// if attribute type scope access is not allowed then remove the attribute and continue
EntryAttribute attr = clonedEntry.get( attributeType );
- if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal
- .getAuthenticationLevel(), normName, attributeType, null, SEARCH_ATTRVAL_PERMS, tuples, clonedEntry, null ) )
+ aciContext = new AciContext( schemaManager, opContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( userDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( normName );
+ aciContext.setAttributeType( attributeType );
+ aciContext.setMicroOperations( SEARCH_ATTRVAL_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( clonedEntry );
+
+ if ( !engine.hasPermission( aciContext ) )
{
attributeToRemove.add( attributeType );
@@ -1125,9 +1288,18 @@ public class AciAuthorizationInterceptor
// attribute type scope is ok now let's determine value level scope
for ( Value<?> value : attr )
{
- if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal
- .getAuthenticationLevel(), normName, attr.getAttributeType(), value, SEARCH_ATTRVAL_PERMS, tuples,
- clonedEntry, null ) )
+ aciContext = new AciContext( schemaManager, opContext );
+ aciContext.setUserGroupNames( userGroups );
+ aciContext.setUserDn( userDn );
+ aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+ aciContext.setEntryDn( normName );
+ aciContext.setAttributeType( attr.getAttributeType() );
+ aciContext.setAttrValue( value );
+ aciContext.setMicroOperations( SEARCH_ATTRVAL_PERMS );
+ aciContext.setAciTuples( tuples );
+ aciContext.setEntry( clonedEntry );
+
+ if ( !engine.hasPermission( aciContext ) )
{
valueToRemove.add( value );
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Mon Jul 5 13:18:53 2010
@@ -31,7 +31,6 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.event.Evaluator;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.event.ExpressionEvaluator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.normalization.NormalizationInterceptor;
import org.apache.directory.server.core.operational.OperationalAttributeInterceptor;
import org.apache.directory.server.core.schema.SchemaInterceptor;
@@ -41,14 +40,9 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.subtree.SubtreeEvaluator;
import org.apache.directory.server.core.trigger.TriggerInterceptor;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.SchemaManager;
@@ -124,22 +118,9 @@ public class ACDFEngine
* @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
* @throws LdapException if failed to evaluate ACI items
*/
- public void checkPermission(
- SchemaManager schemaManager,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN username,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Collection<MicroOperation> microOperations,
- Collection<ACITuple> aciTuples,
- Entry entry,
- Entry entryView ) throws LdapException
+ public void checkPermission( AciContext aciContext )throws LdapException
{
- if ( !hasPermission( schemaManager, opContext, userGroupNames, username, authenticationLevel, entryName,
- attributeType, attrValue, microOperations, aciTuples, entry, entryView ) )
+ if ( !hasPermission( aciContext ) )
{
throw new LdapNoPermissionException();
}
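Review bot: The Javadoc directly above the new signature still documents the removed parameter list (`@param entryView in case of a Modify operation, ...` is visible in the context lines), so it now describes parameters that do not exist. Replace the `@param` entries with a single `@param aciContext the ACI evaluation context (operation context, user, entry, micro-operations and tuples)` and keep the `@throws LdapException`. The signature also lacks a space before `throws`: `public void checkPermission( AciContext aciContext ) throws LdapException`.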
@@ -182,35 +163,23 @@ public class ACDFEngine
* @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
* @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
*/
- public boolean hasPermission(
- SchemaManager schemaManager,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Collection<MicroOperation> microOperations,
- Collection<ACITuple> aciTuples,
- Entry entry,
- Entry entryView ) throws LdapException
+ public boolean hasPermission( AciContext aciContext ) throws LdapException
{
- if ( entryName == null )
+ if ( aciContext.getEntryDn() == null )
{
throw new IllegalArgumentException( "entryName" );
}
- Entry userEntry = opContext.lookup( userName, USER_LOOKUP_BYPASS );
+ Entry userEntry = aciContext.getOperationContext().lookup( aciContext.getUserDn(), USER_LOOKUP_BYPASS );
// Determine the scope of the requested operation.
OperationScope scope;
- if ( attributeType == null )
+ if ( aciContext.getAttributeType() == null )
{
scope = OperationScope.ENTRY;
}
- else if ( attrValue == null )
+ else if ( aciContext.getAttrValue() == null )
{
scope = OperationScope.ATTRIBUTE_TYPE;
}
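Review bot: The guard `if ( aciContext.getEntryDn() == null ) throw new IllegalArgumentException( "entryName" );` now reports a name that no longer exists in the API; the message should name what the caller actually failed to set, e.g. `throw new IllegalArgumentException( "aciContext.entryDn" );`. Since every other required field of `AciContext` arrives through setters that default to null, the user DN and the tuple collection would fail with a bare `NullPointerException` in the `lookup` call on the next line or in the `ArrayList` copy further down; extending the guard to `getUserDn()` and `getAciTuples()` keeps the fail-closed behaviour but gives a diagnosable error. The body of `hasPermission` continues in the following hunk.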
@@ -220,45 +189,29 @@ public class ACDFEngine
}
// Clone aciTuples in case it is unmodifiable.
- aciTuples = new ArrayList<ACITuple>( aciTuples );
+ aciContext.setAciTuples( new ArrayList<ACITuple>( aciContext.getAciTuples() ) );
-
-
// Filter unrelated and invalid tuples
for ( ACITupleFilter filter : filters )
{
- if ( aciTuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
// No need to continue filtering
return false;
}
- aciTuples = filter.filter(
- schemaManager,
- aciTuples,
- scope,
- opContext,
- userGroupNames,
- userName,
- userEntry,
- authenticationLevel,
- entryName,
- attributeType,
- attrValue,
- entry,
- microOperations,
- entryView );
+ aciContext.setAciTuples( filter.filter( aciContext, scope, userEntry ) );
}
// Deny access if no tuples left.
- if ( aciTuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
return false;
}
// Grant access if and only if one or more tuples remain and
// all grant access. Otherwise deny access.
- for ( ACITuple tuple : aciTuples )
+ for ( ACITuple tuple : aciContext.getAciTuples() )
{
if ( !tuple.isGrant() )
{
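Review bot: `aciContext.setAciTuples( new ArrayList<ACITuple>( aciContext.getAciTuples() ) )` and the `setAciTuples( filter.filter( … ) )` inside the loop write the progressively filtered list back into the caller's `AciContext`, whereas the original only reassigned a local variable and left the caller's collection untouched. If a caller evaluates several permissions with one context (for example re-setting the attribute type and value between calls), the second evaluation starts from whatever subset the first one left, so tuples discarded as unrelated to the first check — including deny tuples that would apply to the second — are never considered; I cannot see the interceptor's call sites here, so this may or may not happen today, but the contract should not depend on it. Either document on `AciContext` that `hasPermission` consumes the tuple collection, or keep the caller's collection and restore it once evaluation is done, as sketched below. The method's tail (the final `return true`) lies outside this hunk.
```java
// … unchanged: entryDn guard, user lookup, scope determination …

// Filter a private copy and hand the caller's collection back afterwards,
// so the same context can be reused for a further evaluation.
Collection<ACITuple> callerTuples = aciContext.getAciTuples();
aciContext.setAciTuples( new ArrayList<ACITuple>( callerTuples ) );

try
{
    // … unchanged: filter loop, empty check and grant/deny loop …
}
finally
{
    aciContext.setAciTuples( callerTuples );
}
```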
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Mon Jul 5 13:18:53 2010
@@ -22,17 +22,12 @@ package org.apache.directory.server.core
import java.util.Collection;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.Loggers;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -69,20 +64,5 @@ public interface ACITupleFilter
* @return the collection of filtered tuples
* @throws LdapException if failed to filter the specific tuples
*/
- Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException;
+ Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException;
}
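Review bot: The new `filter( AciContext aciContext, OperationScope scope, Entry userEntry )` signature changes the contract in a way the interface Javadoc should state: the tuples are no longer a parameter but are read from `aciContext.getAciTuples()`, and the implementations in this commit remove from that collection through its iterator, so the caller's collection is modified in place as well as being returned. The Javadoc header of this method starts above the hunk and presumably still carries the `@param` entries of the removed parameters; it should be reduced to `@param aciContext`, `@param scope` and `@param userEntry`, with a sentence such as `Implementations operate on aciContext.getAciTuples() and may remove tuples from it in place; the returned collection is the one left in the context.`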
Added: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java?rev=960593&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java (added)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java Mon Jul 5 13:18:53 2010
@@ -0,0 +1,282 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.server.core.authz.support;
+
+import java.util.Collection;
+
+import org.apache.directory.server.core.interceptor.context.OperationContext;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.Value;
+import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
+import org.apache.directory.shared.ldap.schema.SchemaManager;
+
+/**
+ * A container used to pass parameters to the ACDF engine
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class AciContext
+{
+ /** The schema manager */
+ private SchemaManager schemaManager;
+
+ /** The operation context */
+ private OperationContext operationContext;
+
+ /** The Users belonging to a group */
+ private Collection<DN> userGroupNames;
+
+ /** The user's DN */
+ private DN userDn;
+
+ /** The requested Authentication level (default to NONE) */
+ private AuthenticationLevel authenticationLevel = AuthenticationLevel.NONE;
+
+ /** the entry's DN */
+ private DN entryDn;
+
+ /** The AttributeType */
+ private AttributeType attributeType;
+
+ /** The attribute's values */
+ private Value<?> attrValue;
+
+ /** The allowed operations */
+ private Collection<MicroOperation> microOperations;
+
+ /** The resulting tuples */
+ private Collection<ACITuple> aciTuples;
+
+ /** The entry */
+ private Entry entry;
+
+ /** ??? */
+ private Entry entryView;
+
+ /**
+ * Creates a new instance of AciContext.
+ *
+ * @param schemaManager The SchemaManager instance
+ * @param operationContext The OperationContext instance
+ */
+ public AciContext( SchemaManager schemaManager, OperationContext operationContext )
+ {
+ this.schemaManager = schemaManager;
+ this.operationContext = operationContext;
+ }
+
+
+ /**
+ * @return the schemaManager
+ */
+ public SchemaManager getSchemaManager()
+ {
+ return schemaManager;
+ }
+
+ /**
+ * @param schemaManager the schemaManager to set
+ */
+ public void setSchemaManager( SchemaManager schemaManager )
+ {
+ this.schemaManager = schemaManager;
+ }
+
+ /**
+ * @return the operationContext
+ */
+ public OperationContext getOperationContext()
+ {
+ return operationContext;
+ }
+
+ /**
+ * @param operationContext the operationContext to set
+ */
+ public void setOperationContext( OperationContext operationContext )
+ {
+ this.operationContext = operationContext;
+ }
+
+ /**
+ * @return the userGroupNames
+ */
+ public Collection<DN> getUserGroupNames()
+ {
+ return userGroupNames;
+ }
+
+ /**
+ * @param userGroupNames the userGroupNames to set
+ */
+ public void setUserGroupNames( Collection<DN> userGroupNames )
+ {
+ this.userGroupNames = userGroupNames;
+ }
+
+ /**
+ * @return the user DN
+ */
+ public DN getUserDn()
+ {
+ return userDn;
+ }
+
+ /**
+ * @param username the user DN to set
+ */
+ public void setUserDn( DN userDn )
+ {
+ this.userDn = userDn;
+ }
+
+ /**
+ * @return the authenticationLevel
+ */
+ public AuthenticationLevel getAuthenticationLevel()
+ {
+ return authenticationLevel;
+ }
+
+ /**
+ * @param authenticationLevel the authenticationLevel to set
+ */
+ public void setAuthenticationLevel( AuthenticationLevel authenticationLevel )
+ {
+ this.authenticationLevel = authenticationLevel;
+ }
+
+ /**
+ * @return the entry DN
+ */
+ public DN getEntryDn()
+ {
+ return entryDn;
+ }
+
+ /**
+ * @param entryDn the entry DN to set
+ */
+ public void setEntryDn( DN entryDn )
+ {
+ this.entryDn = entryDn;
+ }
+
+ /**
+ * @return the attributeType
+ */
+ public AttributeType getAttributeType()
+ {
+ return attributeType;
+ }
+
+ /**
+ * @param attributeType the attributeType to set
+ */
+ public void setAttributeType( AttributeType attributeType )
+ {
+ this.attributeType = attributeType;
+ }
+
+ /**
+ * @return the attrValue
+ */
+ public Value<?> getAttrValue()
+ {
+ return attrValue;
+ }
+
+ /**
+ * @param attrValue the attrValue to set
+ */
+ public void setAttrValue( Value<?> attrValue )
+ {
+ this.attrValue = attrValue;
+ }
+
+ /**
+ * @return the microOperations
+ */
+ public Collection<MicroOperation> getMicroOperations()
+ {
+ return microOperations;
+ }
+
+ /**
+ * @param microOperations the microOperations to set
+ */
+ public void setMicroOperations( Collection<MicroOperation> microOperations )
+ {
+ this.microOperations = microOperations;
+ }
+
+ /**
+ * @return the aciTuples
+ */
+ public Collection<ACITuple> getAciTuples()
+ {
+ return aciTuples;
+ }
+
+ /**
+ * @param aciTuples the aciTuples to set
+ */
+ public void setAciTuples( Collection<ACITuple> aciTuples )
+ {
+ this.aciTuples = aciTuples;
+ }
+
+ /**
+ * @return the entry
+ */
+ public Entry getEntry()
+ {
+ return entry;
+ }
+
+ /**
+ * @param entry the entry to set
+ */
+ public void setEntry( Entry entry )
+ {
+ this.entry = entry;
+ }
+
+ /**
+ * @return the entryView
+ */
+ public Entry getEntryView()
+ {
+ return entryView;
+ }
+
+ /**
+ * @param entryView the entryView to set
+ */
+ public void setEntryView( Entry entryView )
+ {
+ this.entryView = entryView;
+ }
+}
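Review bot: The field comment `/** ??? */` on `entryView` should say what the ACDFEngine Javadoc already says about it: `/** In case of a Modify operation, view of the entry being modified as if the modification were permitted and completed */`. Two other comments in this class are off: `setUserDn` documents `@param username` while the parameter is `userDn`, and `/** The attribute's values */` sits on a single `Value<?>` field, so `/** The attribute value */` fits better. `/** The Users belonging to a group */` on `userGroupNames` also reads backwards for a `Collection<DN>` of that name — presumably these are the DNs of the groups the user belongs to; worth confirming against the interceptor that populates it.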
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Mon Jul 5 13:18:53 2010
@@ -23,16 +23,9 @@ package org.apache.directory.server.core
import java.util.Collection;
import java.util.Iterator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -43,44 +36,30 @@ import org.apache.directory.shared.ldap.
*/
public class HighestPrecedenceFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
throws LdapException
{
ACI_LOG.debug( "Filtering HighestPrecedence..." );
- if ( tuples.size() <= 1 )
+ if ( aciContext.getAciTuples().size() <= 1 )
{
ACI_LOG.debug( "HighestPrecedence : nothing to do" );
- return tuples;
+ return aciContext.getAciTuples();
}
int maxPrecedence = -1;
// Find the maximum precedence for all tuples.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
- if ( ( tuple.getPrecedence() != null ) && (tuple.getPrecedence() > maxPrecedence ) )
+ if ( ( tuple.getPrecedence() != null ) && ( tuple.getPrecedence() > maxPrecedence ) )
{
maxPrecedence = tuple.getPrecedence();
}
}
// Remove all tuples whose precedences are not the maximum one.
- for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
{
ACITuple tuple = i.next();
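Review bot: `aciContext.getAciTuples()` is called on every use in this method — the size check, the `for` over tuples, the iterator and the returns — which makes the body noisier than the original and hides the fact that the iterator removal later in the method (in the next hunk) edits the context's collection in place. A single alias at the top, `Collection<ACITuple> tuples = aciContext.getAciTuples();`, would have kept the rest of the body byte-identical to the original and made the in-place mutation explicit. The same pattern appears in the `filter` hunks of MaxImmSubFilter, MaxValueCountFilter, MicroOperationFilter, MostSpecificProtectedItemFilter, MostSpecificUserClassFilter and RelatedProtectedItemFilter.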
@@ -90,6 +69,6 @@ public class HighestPrecedenceFilter imp
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Mon Jul 5 13:18:53 2010
@@ -39,13 +39,10 @@ import org.apache.directory.server.core.
import org.apache.directory.server.core.schema.SchemaInterceptor;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.MaxImmSubItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.exception.LdapOperationException;
import org.apache.directory.shared.ldap.exception.LdapOtherException;
@@ -53,8 +50,6 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.filter.PresenceNode;
import org.apache.directory.shared.ldap.message.AliasDerefMode;
import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
@@ -78,45 +73,32 @@ public class MaxImmSubFilter implements
}
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
throws LdapException
{
ACI_LOG.debug( "Filtering MaxImmSub..." );
- if ( entryName.size() == 0 )
+ if ( aciContext.getEntryDn().isRootDSE() )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
if ( scope != OperationScope.ENTRY )
{
- return tuples;
+ return aciContext.getAciTuples();
}
int immSubCount = -1;
- for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
{
ACITuple tuple = i.next();
+
if ( !tuple.isGrant() )
{
continue;
@@ -128,7 +110,7 @@ public class MaxImmSubFilter implements
{
if ( immSubCount < 0 )
{
- immSubCount = getImmSubCount( opContext, entryName );
+ immSubCount = getImmSubCount( aciContext.getOperationContext(), aciContext.getEntryDn() );
}
MaxImmSubItem mis = ( MaxImmSubItem ) item;
@@ -142,7 +124,7 @@ public class MaxImmSubFilter implements
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
public static final Collection<String> SEARCH_BYPASS;
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java Mon Jul 5 13:18:53 2010
@@ -23,20 +23,14 @@ package org.apache.directory.server.core
import java.util.Collection;
import java.util.Iterator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountElem;
import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -47,34 +41,19 @@ import org.apache.directory.shared.ldap.
*/
public class MaxValueCountFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
{
ACITuple tuple = i.next();
@@ -91,7 +70,7 @@ public class MaxValueCountFilter impleme
{
MaxValueCountItem mvc = ( MaxValueCountItem ) item;
- if ( isRemovable( mvc, attributeType, entryView ) )
+ if ( isRemovable( mvc, aciContext.getAttributeType(), aciContext.getEntryView() ) )
{
i.remove();
break;
@@ -100,7 +79,7 @@ public class MaxValueCountFilter impleme
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java Mon Jul 5 13:18:53 2010
@@ -23,16 +23,10 @@ package org.apache.directory.server.core
import java.util.Collection;
import java.util.Iterator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -44,29 +38,14 @@ import org.apache.directory.shared.ldap.
*/
public class MicroOperationFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
{
ACITuple tuple = i.next();
@@ -78,7 +57,7 @@ public class MicroOperationFilter implem
boolean retain = true;
- for ( MicroOperation microOp:microOperations )
+ for ( MicroOperation microOp:aciContext.getMicroOperations() )
{
if ( !tuple.getMicroOperations().contains( microOp ) )
{
@@ -93,7 +72,7 @@ public class MicroOperationFilter implem
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java Mon Jul 5 13:18:53 2010
@@ -23,22 +23,15 @@ package org.apache.directory.server.core
import java.util.ArrayList;
import java.util.Collection;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
import org.apache.directory.shared.ldap.aci.protectedItem.AttributeValueItem;
import org.apache.directory.shared.ldap.aci.protectedItem.RangeOfValuesItem;
import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -57,33 +50,18 @@ import org.apache.directory.shared.ldap.
*/
public class MostSpecificProtectedItemFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
- if ( tuples.size() <= 1 )
+ if ( aciContext.getAciTuples().size() <= 1 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
// If the protected item is an attribute and there are tuples that
// specify the attribute type explicitly, discard all other tuples.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
for ( ProtectedItem item:tuple.getProtectedItems() )
{
@@ -105,7 +83,7 @@ public class MostSpecificProtectedItemFi
// that specify the attribute value explicitly, discard all other tuples.
// A protected item which is a rangeOfValues is to be treated as
// specifying an attribute value explicitly.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
for ( ProtectedItem item:tuple.getProtectedItems() )
{
@@ -121,6 +99,6 @@ public class MostSpecificProtectedItemFi
return filteredTuples;
}
- return tuples;
+ return aciContext.getAciTuples();
}
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java Mon Jul 5 13:18:53 2010
@@ -23,17 +23,10 @@ package org.apache.directory.server.core
import java.util.ArrayList;
import java.util.Collection;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.UserClass;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -50,33 +43,18 @@ import org.apache.directory.shared.ldap.
*/
public class MostSpecificUserClassFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
- if ( tuples.size() <= 1 )
+ if ( aciContext.getAciTuples().size() <= 1 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
// If there are any tuples matching the requestor with UserClasses
// element name or thisEntry, discard all other tuples.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
for ( UserClass userClass:tuple.getUserClasses() )
{
@@ -95,7 +73,7 @@ public class MostSpecificUserClassFilter
// Otherwise if there are any tuples matching UserGroup,
// discard all other tuples.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
for ( UserClass userClass:tuple.getUserClasses() )
{
@@ -114,7 +92,7 @@ public class MostSpecificUserClassFilter
// Otherwise if there are any tuples matching subtree,
// discard all other tuples.
- for ( ACITuple tuple:tuples )
+ for ( ACITuple tuple:aciContext.getAciTuples() )
{
for ( UserClass userClass:tuple.getUserClasses() )
{
@@ -131,7 +109,7 @@ public class MostSpecificUserClassFilter
return filteredTuples;
}
- return tuples;
+ return aciContext.getAciTuples();
}
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java Mon Jul 5 13:18:53 2010
@@ -24,11 +24,9 @@ import java.util.Collection;
import java.util.Iterator;
import org.apache.directory.server.core.event.Evaluator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.subtree.RefinementEvaluator;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
@@ -41,7 +39,6 @@ import org.apache.directory.shared.ldap.
import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
@@ -73,39 +70,24 @@ public class RelatedProtectedItemFilter
}
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+ for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
{
ACITuple tuple = i.next();
- if ( !isRelated( tuple, scope, userName, entryName, attributeType, attrValue, entry ) )
+ if ( !isRelated( tuple, scope, aciContext.getUserDn(), aciContext.getEntryDn(), aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
{
i.remove();
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
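Review bot: `i.remove()` at L1555 now prunes the collection owned by the AciContext, so the side effect belongs to the context rather than to an argument the caller chose to pass: if the engine reuses a context for a second decision it starts from the already-pruned set, and a context whose tuples were wrapped with `Collections.unmodifiableCollection` (as HighestPrecedenceFilterTest does at L1740) throws UnsupportedOperationException here. The same pattern is in RelatedUserClassFilter and RestrictedByFilter. I'd fetch the collection once and make the mutation explicit, `Collection<ACITuple> tuples = aciContext.getAciTuples(); // pruned in place: the context's tuple set is modified`, and use `tuples.isEmpty()` rather than `size() == 0`. `userEntry` is not read by this filter; a one-line Javadoc note on that parameter would save the next reader from looking for its use.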
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java Mon Jul 5 13:18:53 2010
@@ -24,19 +24,13 @@ import java.util.Collection;
import java.util.Iterator;
import java.util.Set;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.server.core.subtree.SubtreeEvaluator;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.UserClass;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;
@@ -59,40 +53,25 @@ public class RelatedUserClassFilter impl
}
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- for ( Iterator<ACITuple> ii = tuples.iterator(); ii.hasNext(); )
+ for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator(); ii.hasNext(); )
{
ACITuple tuple = ii.next();
if ( tuple.isGrant() )
{
- if ( !isRelated( userGroupNames,
- userName,
+ if ( !isRelated( aciContext.getUserGroupNames(),
+ aciContext.getUserDn(),
userEntry,
- entryName,
+ aciContext.getEntryDn(),
tuple.getUserClasses() )
- || authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) < 0 )
+ || aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) < 0 )
{
ii.remove();
}
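Review bot: The `isRelated( aciContext.getUserGroupNames(), aciContext.getUserDn(), userEntry, aciContext.getEntryDn(), tuple.getUserClasses() )` call at L1617-1622 is repeated verbatim in the denial branch of the next hunk (L1634-1639); the two branches differ only in how the authentication-level comparison is combined with it. Computing the relation and the comparison once per tuple removes the duplication and puts the grant/deny asymmetry on a single line where a reader of an access-control filter can check it. Note that the rewrite below evaluates `aciContext.getAuthenticationLevel().compareTo(...)` for every tuple, so a context with no authentication level fails on the first tuple instead of only on the ones that reach the comparison; I read that as acceptable for a filter that requires the level, but it is a behavior change to confirm. The enclosing `filter` method continues past this hunk.
```java
ACITuple tuple = ii.next();
boolean related = isRelated( aciContext.getUserGroupNames(), aciContext.getUserDn(), userEntry,
    aciContext.getEntryDn(), tuple.getUserClasses() );
int levelCmp = aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() );

// A grant survives only if the user class is related AND the level is sufficient;
// a denial is dropped only if the user class is unrelated AND the level is sufficient.
boolean remove = tuple.isGrant() ? ( !related || levelCmp < 0 ) : ( !related && levelCmp >= 0 );

if ( remove )
{
    ii.remove();
}
// … unchanged: end of loop, return of the pruned collection …
```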
@@ -100,19 +79,19 @@ public class RelatedUserClassFilter impl
else
// Denials
{
- if ( !isRelated( userGroupNames,
- userName,
+ if ( !isRelated( aciContext.getUserGroupNames(),
+ aciContext.getUserDn(),
userEntry,
- entryName,
+ aciContext.getEntryDn(),
tuple.getUserClasses() )
- && authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) >= 0 )
+ && aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) >= 0 )
{
ii.remove();
}
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java Mon Jul 5 13:18:53 2010
@@ -23,20 +23,15 @@ package org.apache.directory.server.core
import java.util.Collection;
import java.util.Iterator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.Entry;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
/**
@@ -47,34 +42,19 @@ import org.apache.directory.shared.ldap.
*/
public class RestrictedByFilter implements ACITupleFilter
{
- public Collection<ACITuple> filter(
- SchemaManager schemaManager,
- Collection<ACITuple> tuples,
- OperationScope scope,
- OperationContext opContext,
- Collection<DN> userGroupNames,
- DN userName,
- Entry userEntry,
- AuthenticationLevel authenticationLevel,
- DN entryName,
- AttributeType attributeType,
- Value<?> attrValue,
- Entry entry,
- Collection<MicroOperation> microOperations,
- Entry entryView )
- throws LdapException
+ public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
{
if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- if ( tuples.size() == 0 )
+ if ( aciContext.getAciTuples().size() == 0 )
{
- return tuples;
+ return aciContext.getAciTuples();
}
- for ( Iterator<ACITuple> ii = tuples.iterator() ; ii.hasNext(); )
+ for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator() ; ii.hasNext(); )
{
ACITuple tuple = ii.next();
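Review bot: The two early returns at L1695-1705 both hand back `aciContext.getAciTuples()` and the loop at L1707 iterates the same getter again; reading the collection once makes it visible that the iterator removals later in this method operate on the context's own tuple set. I'd collapse the guards to `Collection<ACITuple> tuples = aciContext.getAciTuples();` followed by `if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE || tuples.isEmpty() ) { return tuples; }` and iterate `tuples`. `userEntry` is not used by this filter, which is worth a line in the method's Javadoc now that the remaining parameters are the exception rather than the rule. The enclosing `filter` method continues into the next hunk.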
@@ -83,13 +63,13 @@ public class RestrictedByFilter implemen
continue;
}
- if ( isRemovable( tuple, attributeType, attrValue, entry ) )
+ if ( isRemovable( tuple, aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
{
ii.remove();
}
}
- return tuples;
+ return aciContext.getAciTuples();
}
Modified: directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java (original)
+++ directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java Mon Jul 5 13:18:53 2010
@@ -60,8 +60,10 @@ public class HighestPrecedenceFilterTest
public void testZeroTuple() throws Exception
{
HighestPrecedenceFilter filter = new HighestPrecedenceFilter();
- assertEquals( 0, filter.filter( null, AT_EMPTY_COLLECTION, null, null, null, null, null, null, null, null, null,
- null, null, null ).size() );
+ AciContext aciContext = new AciContext( null, null );
+ aciContext.setAciTuples( AT_EMPTY_COLLECTION );
+
+ assertEquals( 0, filter.filter( aciContext, null, null ).size() );
}
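Review bot: The pair `AciContext aciContext = new AciContext( null, null ); aciContext.setAciTuples( ... );` is repeated in this hunk and again in the next one (L1743-1744); a private helper in the test class, e.g. `private static AciContext contextOf( Collection<ACITuple> tuples )`, would keep the fixture in one place when the AciContext constructor or setters change again. The `null` scope and `null` userEntry passed to `filter( aciContext, null, null )` are fine for this filter as far as the hunk shows, but a short comment saying the filter ignores them would make the intent explicit.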
@@ -74,8 +76,10 @@ public class HighestPrecedenceFilterTest
tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true, 10 ) );
tuples = Collections.unmodifiableCollection( tuples );
- assertEquals( tuples, filter.filter( null, tuples, null, null, null, null, null, null, null, null, null, null,
- null, null ) );
+ AciContext aciContext = new AciContext( null, null );
+ aciContext.setAciTuples( tuples );
+
+ assertEquals( tuples, filter.filter( aciContext, null, null ) );
}
@@ -95,7 +99,10 @@ public class HighestPrecedenceFilterTest
tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
MAX_PRECEDENCE / 3 ) );
- tuples = filter.filter( null, tuples, null, null, null, null, null, null, null, null, null, null, null, null );
+ AciContext aciContext = new AciContext( null, null );
+ aciContext.setAciTuples( tuples );
+
+ tuples = filter.filter( aciContext, null, null );
for ( ACITuple tuple:tuples )
{