Posted to commits@directory.apache.org by ak...@apache.org on 2005/10/18 10:19:35 UTC

svn commit: r326050 - in /directory/apacheds/trunk/core/src: main/java/org/apache/ldap/server/authz/ main/java/org/apache/ldap/server/authz/support/ main/java/org/apache/ldap/server/jndi/ test/org/apache/ldap/server/authz/support/

Author: akarasulu
Date: Tue Oct 18 01:19:14 2005
New Revision: 326050

URL: http://svn.apache.org/viewcvs?rev=326050&view=rev
Log:
changes ...

 o started using new APIs on the Nexus proxy
 o retrofitted nextInterceptor calls with calls to proxy
 o modified authz support classes to now take the proxy as their argument
   rather than passing in NextInterceptor
 o fixed test cases accordingly
 o might be a problem but I exposed access to the nexus proxy from the 
   ServerContext.  This could potentially be a major security flaw
   since users can now bypass security in embedded mode and within
   stored procedures.  We have to find a way around this or to protect
   access to this resource via a security manager.
 o calls on the nexus proxy made by authz support classes now bypass
   the authz service to avoid possible infinite recursion 

todos ...

 o perhaps we could pass the Invocation object to the filter instead of 
   the JNDI context so that we do not need to expose access to the Nexus
   proxy from the JNDI context
 o all calls to the proxy in the authz supporting classes need to be
   reviewed to make them more efficient perhaps bypassing more interceptors
 o need to replace all nextInterceptor.xxxx() calls with calls to the
   nexus proxy with bypass instructions
 o need to replace calls directly to the nexus with calls to the proxy
   while bypassing interceptors
 

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/jndi/ServerContext.java
    directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/support/MaxImmSubFilterTest.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java Tue Oct 18 01:19:14 2005
@@ -27,8 +27,10 @@
 import org.apache.ldap.server.jndi.ServerLdapContext;
 import org.apache.ldap.server.configuration.InterceptorConfiguration;
 import org.apache.ldap.server.partition.DirectoryPartitionNexus;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
 import org.apache.ldap.server.authz.support.ACDFEngine;
 import org.apache.ldap.server.invocation.InvocationStack;
+import org.apache.ldap.server.invocation.Invocation;
 import org.apache.ldap.server.authn.LdapPrincipal;
 import org.apache.ldap.server.schema.ConcreteNameComponentNormalizer;
 import org.apache.ldap.server.schema.AttributeTypeRegistry;
@@ -268,7 +270,8 @@
     public void add( NextInterceptor next, String upName, Name normName, Attributes entry ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             next.add( upName, normName, entry );
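Review bot: The two-line preamble added here (`Invocation invocation = InvocationStack.getInstance().peek();` followed by the `( ServerContext ) invocation.getCaller()` cast) is repeated in the delete, modify, hasEntry, lookup, rename, move and compare hunks of this file, each next to its own copy of the admin / `! enabled` bypass test. A private helper, for example `private LdapPrincipal getPrincipal( Invocation invocation )`, would leave a single place to audit how the caller's identity is derived before an access-control decision. add()'s body continues outside this hunk.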
@@ -297,7 +300,8 @@
         Collection perms = Collections.singleton( MicroOperation.ADD );
 
         // check if entry scope permission is granted
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                 normName, null, null, perms, tuples, subentryAttrs );
 
         // now we must check if attribute type and value scope permission is granted
@@ -307,7 +311,7 @@
             Attribute attr = ( Attribute ) attributeList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( next, userGroups, user.getJndiName(),
+                engine.checkPermission( proxy, userGroups, user.getJndiName(),
                         user.getAuthenticationLevel(), normName, attr.getID(),
                         attr.get( ii ), perms, tuples, entry );
             }
@@ -327,7 +331,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             next.delete( name );
@@ -337,12 +342,13 @@
         }
 
         Set userGroups = groupCache.getGroups( user.getName() );
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, name, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.REMOVE ), tuples, entry );
 
         next.delete( name );
@@ -355,7 +361,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             next.modify( name, modOp, mods );
@@ -364,13 +371,14 @@
             return;
         }
 
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, name, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         NamingEnumeration attrList = mods.getAll();
@@ -395,7 +403,7 @@
             Attribute attr = ( Attribute ) attrList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                         name, attr.getID(), attr.get( ii ), perms, tuples, entry );
             }
         }
@@ -410,7 +418,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             next.modify( name, mods );
@@ -419,13 +428,14 @@
             return;
         }
 
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, name, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry );
 
         Collection perms = null;
@@ -453,7 +463,7 @@
             Attribute attr = mods[ii].getAttribute();
             for ( int jj = 0; jj < attr.size(); jj++ )
             {
-                engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                         name, attr.getID(), attr.get( jj ), perms, tuples, entry );
             }
         }
@@ -467,13 +477,15 @@
     public boolean hasEntry( NextInterceptor next, Name name ) throws NamingException
     {
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             return next.hasEntry( name );
         }
 
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, name, entry );
@@ -481,7 +493,7 @@
         addSubentryAciTuples( tuples, name, entry );
 
         // check that we have browse access to the entry
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.BROWSE ), tuples, entry );
 
         return next.hasEntry( name );
@@ -498,15 +510,15 @@
      * perms to attributes and their values results in their removal when returning
      * the entry.
      *
-     * @param next the next interceptor to call in the chain
      * @param user the user associated with the call
      * @param dn the name of the entry being looked up
      * @param entry the raw entry pulled from the nexus
      * @throws NamingException
      */
-    private void checkLookupAccess( NextInterceptor next, LdapPrincipal user, Name dn, Attributes entry )
+    private void checkLookupAccess( LdapPrincipal user, Name dn, Attributes entry )
             throws NamingException
     {
+        DirectoryPartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, dn, entry );
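Review bot: checkLookupAccess now peeks the `InvocationStack` a second time to get the proxy, although both `lookup` callers later in this file already hold the `Invocation` from which they took the principal. Passing it in, e.g. `private void checkLookupAccess( DirectoryPartitionNexusProxy proxy, LdapPrincipal user, Name dn, Attributes entry )` called as `checkLookupAccess( invocation.getProxy(), user, dn, entry );`, keeps the principal and the proxy tied to the same invocation and removes the hidden dependency on stack state. The bare `@throws NamingException` tag in the Javadoc should also say when it is thrown. The method body continues outside this hunk.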
@@ -518,7 +530,7 @@
         perms.add( MicroOperation.BROWSE );
 
         // check that we have read access to the entry
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn, null,
                 null, perms, tuples, entry );
 
         // check that we have read access to every attribute type and value
@@ -529,7 +541,7 @@
             Attribute attr = ( Attribute ) attributeList.next();
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn,
+                engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), dn,
                         attr.getID(), attr.get( ii ), perms, tuples, entry );
             }
         }
@@ -539,14 +551,15 @@
     public Attributes lookup( NextInterceptor next, Name dn, String[] attrIds ) throws NamingException
     {
         Attributes entry = nexus.lookup( dn );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             return next.lookup( dn, attrIds );
         }
 
-        checkLookupAccess( next, user, dn, entry );
+        checkLookupAccess( user, dn, entry );
 
         return next.lookup( dn, attrIds );
     }
@@ -555,14 +568,15 @@
     public Attributes lookup( NextInterceptor next, Name name ) throws NamingException
     {
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
 
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             return next.lookup( name );
         }
 
-        checkLookupAccess( next, user, name, entry );
+        checkLookupAccess( user, name, entry );
 
         return next.lookup( name );
     }
@@ -572,7 +586,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         Name newName = ( Name ) name.clone();
         newName.remove( name.size() - 1 );
         newName.add( newRn );
@@ -584,13 +599,14 @@
             return;
         }
 
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, name, entry );
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, name, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.RENAME ), tuples, entry );
 
 //        if ( deleteOldRn )
@@ -631,7 +647,8 @@
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
         Attributes entry = nexus.lookup( oriChildName );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        Invocation invocation = InvocationStack.getInstance().peek();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         Name newName = ( Name ) newParentName.clone();
         newName.add( newRn );
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
@@ -642,6 +659,7 @@
             return;
         }
 
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Set userGroups = groupCache.getGroups( user.getName() );
         Collection tuples = new HashSet();
         addPerscriptiveAciTuples( tuples, oriChildName, entry );
@@ -652,14 +670,14 @@
         perms.add( MicroOperation.IMPORT );
         perms.add( MicroOperation.EXPORT );
         perms.add( MicroOperation.RENAME );
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                 oriChildName, null, null, perms, tuples, entry );
 
         Collection destTuples = new HashSet();
         addPerscriptiveAciTuples( destTuples, oriChildName, entry );
         addEntryAciTuples( destTuples, entry );
         addSubentryAciTuples( destTuples, oriChildName, entry );
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                 oriChildName, null, null, Collections.singleton( MicroOperation.IMPORT ), tuples, entry );
 
 //        if ( deleteOldRn )
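Review bot: The second `engine.checkPermission( proxy, ... )` call in this hunk, the `MicroOperation.IMPORT` check, still passes `tuples` although `destTuples` has just been populated for it, so the collection built for the destination is never used. `destTuples` is also filled from `oriChildName` rather than the new location, so the IMPORT decision appears to be evaluated against the source entry's ACI only. If a destination-side check is intended, the call should end `Collections.singleton( MicroOperation.IMPORT ), destTuples, entry );` and the three `add...AciTuples( destTuples, ... )` calls should take the destination name; which name and entry are right there needs confirming against the tuple helpers, which are outside this diff. The same pattern is in the move() hunk at `@@ -716,14 +736,14 @@`. The enclosing method starts and ends outside this hunk.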
@@ -698,10 +716,12 @@
     public void move( NextInterceptor next, Name oriChildName, Name newParentName ) throws NamingException
     {
         // Access the principal requesting the operation, and bypass checks if it is the admin
+        Invocation invocation = InvocationStack.getInstance().peek();
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = nexus.lookup( oriChildName );
         Name newName = ( Name ) newParentName.clone();
         newName.add( oriChildName.get( oriChildName.size() - 1 ) );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             next.move( oriChildName, newParentName );
@@ -716,14 +736,14 @@
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, oriChildName, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                 oriChildName, null, null, Collections.singleton( MicroOperation.EXPORT ), tuples, entry );
 
         Collection destTuples = new HashSet();
         addPerscriptiveAciTuples( destTuples, oriChildName, entry );
         addEntryAciTuples( destTuples, entry );
         addSubentryAciTuples( destTuples, oriChildName, entry );
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(),
                 oriChildName, null, null, Collections.singleton( MicroOperation.IMPORT ), tuples, entry );
 
         next.move( oriChildName, newParentName );
@@ -767,8 +787,10 @@
     {
 
         // Access the principal requesting the operation, and bypass checks if it is the admin
+        Invocation invocation = InvocationStack.getInstance().peek();
+        DirectoryPartitionNexusProxy proxy = invocation.getProxy();
         Attributes entry = nexus.lookup( name );
-        LdapPrincipal user = ( ( ServerContext ) InvocationStack.getInstance().peek().getCaller() ).getPrincipal();
+        LdapPrincipal user = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
         if ( user.getName().equalsIgnoreCase( DirectoryPartitionNexus.ADMIN_PRINCIPAL ) || ! enabled )
         {
             return next.compare( name, oid, value );
@@ -780,9 +802,9 @@
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, name, entry );
 
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, null,
                 null, Collections.singleton( MicroOperation.READ ), tuples, entry );
-        engine.checkPermission( next, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, oid,
+        engine.checkPermission( proxy, userGroups, user.getJndiName(), user.getAuthenticationLevel(), name, oid,
                 value, Collections.singleton( MicroOperation.COMPARE ), tuples, entry );
 
         return next.compare( name, oid, value );
@@ -814,8 +836,6 @@
         * tests.  If we hasPermission() returns false we immediately short the
         * process and return false.
         */
-//        NextInterceptor next = chain.getNext( "authorizationService" );
-        NextInterceptor next = null;//chain.getNext( "authorizationService" );
         Attributes entry = nexus.lookup( normName );
         Name userDn = ctx.getPrincipal().getJndiName();
         Set userGroups = groupCache.getGroups( userDn.toString() );
@@ -824,7 +844,8 @@
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( tuples, normName, entry );
 
-        if ( ! engine.hasPermission( next, userGroups, userDn, ctx.getPrincipal().getAuthenticationLevel(),
+        if ( ! engine.hasPermission( ctx.getNexusProxy(), userGroups, userDn,
+                ctx.getPrincipal().getAuthenticationLevel(),
                 normName, null, null, SEARCH_ENTRY_PERMS, tuples, entry ) )
         {
             return false;
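Review bot: `ctx.getNexusProxy()` is evaluated here and again in the two following hunks (`@@ -842,8 +863,9 @@` and `@@ -857,7 +879,7 @@`), once per attribute and per value of a search result; reading it once into a local, `DirectoryPartitionNexusProxy proxy = ctx.getNexusProxy();`, would match the other methods in this file. Those methods take the proxy from the current `Invocation`, whereas this one takes it from the caller's context, so a comment should say why, e.g. `// proxy taken from the context: presumably no Invocation is on the stack while results are filtered -- confirm`. The enclosing method starts and ends outside this hunk.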
@@ -842,8 +863,9 @@
         {
             // if attribute type scope access is not allowed then remove the attribute and continue
             Attribute attr = ( Attribute ) attributeList.next();
-            if ( ! engine.hasPermission( next, userGroups, userDn, ctx.getPrincipal().getAuthenticationLevel(),
-                   normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry ) )
+            if ( ! engine.hasPermission( ctx.getNexusProxy(), userGroups, userDn,
+                    ctx.getPrincipal().getAuthenticationLevel(),
+                    normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry ) )
             {
                 result.getAttributes().remove( attr.getID() );
 
@@ -857,7 +879,7 @@
             // attribute type scope is ok now let's determine value level scope
             for ( int ii = 0; ii < attr.size(); ii++ )
             {
-                if ( ! engine.hasPermission( next, userGroups, userDn,
+                if ( ! engine.hasPermission( ctx.getNexusProxy(), userGroups, userDn,
                         ctx.getPrincipal().getAuthenticationLevel(), normName,
                         attr.getID(), attr.get( ii ), SEARCH_ATTRVAL_PERMS, tuples, entry ) )
                 {

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java Tue Oct 18 01:19:14 2005
@@ -21,6 +21,7 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
+import java.util.Collections;
 
 import javax.naming.Name;
 import javax.naming.NamingException;
@@ -33,12 +34,13 @@
 import org.apache.ldap.common.exception.LdapNoPermissionException;
 import org.apache.ldap.server.event.Evaluator;
 import org.apache.ldap.server.event.ExpressionEvaluator;
-import org.apache.ldap.server.interceptor.NextInterceptor;
 import org.apache.ldap.server.schema.AttributeTypeRegistry;
 import org.apache.ldap.server.schema.OidRegistry;
 import org.apache.ldap.server.subtree.RefinementEvaluator;
 import org.apache.ldap.server.subtree.RefinementLeafEvaluator;
 import org.apache.ldap.server.subtree.SubtreeEvaluator;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An implementation of Access Control Decision Function (18.8, X.501).
@@ -66,7 +68,7 @@
 public class ACDFEngine
 {
     private final ACITupleFilter[] filters;
-    
+
     /**
      * Creates a new instance.
      * 
@@ -81,7 +83,7 @@
         SubtreeEvaluator subtreeEvaluator = new SubtreeEvaluator( oidRegistry );
         RefinementEvaluator refinementEvaluator = new RefinementEvaluator(
                 new RefinementLeafEvaluator( oidRegistry ) );
-        
+
         filters = new ACITupleFilter[] {
                 new RelatedUserClassFilter( subtreeEvaluator ),
                 new RelatedProtectedItemFilter( attrTypeRegistry, refinementEvaluator, entryEvaluator ),
@@ -94,13 +96,13 @@
                 new MostSpecificProtectedItemFilter(),
         };
     }
-    
+
     /**
      * Checks the user with the specified name can access the specified resource
      * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
      * if the user doesn't have any permission to perform the specified grants.
      * 
-     * @param next the next interceptor to the current interceptor
+     * @param proxy the proxy to the partition nexus
      * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param username the DN of the user who is trying to access the resource
      * @param entryName the DN of the entry the user is trying to access 
@@ -113,13 +115,13 @@
      * @throws NamingException if failed to evaluate ACI items
      */
     public void checkPermission(
-            NextInterceptor next,
+            DirectoryPartitionNexusProxy proxy,
             Collection userGroupNames, Name username, AuthenticationLevel authenticationLevel,
             Name entryName, String attrId, Object attrValue,
             Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
     {
         if( !hasPermission(
-                next,
+                proxy,
                 userGroupNames, username, authenticationLevel,
                 entryName, attrId, attrValue,
                 microOperations, aciTuples, entry ) )
@@ -127,13 +129,13 @@
             throw new LdapNoPermissionException();
         }
     }
-    
+
     /**
      * Returns <tt>true</tt> if the user with the specified name can access the specified resource
      * (entry, attribute type, or attribute value) and throws {@link LdapNoPermissionException}
      * if the user doesn't have any permission to perform the specified grants.
      * 
-     * @param next the next interceptor to the current interceptor 
+     * @param proxy the proxy to the partition nexus
      * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs
      * @param userName the DN of the user who is trying to access the resource
      * @param entryName the DN of the entry the user is trying to access 
@@ -145,7 +147,7 @@
      * @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
      */
     public boolean hasPermission(
-            NextInterceptor next, 
+            DirectoryPartitionNexusProxy proxy,
             Collection userGroupNames, Name userName, AuthenticationLevel authenticationLevel,
             Name entryName, String attrId, Object attrValue,
             Collection microOperations, Collection aciTuples, Attributes entry ) throws NamingException
@@ -154,8 +156,8 @@
         {
             throw new NullPointerException( "entryName" );
         }
-        
-        Attributes userEntry = next.lookup( userName );
+
+        Attributes userEntry = proxy.lookup( userName, Collections.singleton( "authorizationService" ) );
 
         // Determine the scope of the requested operation.
         OperationScope scope;
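Review bot: The bypass set in `proxy.lookup( userName, Collections.singleton( "authorizationService" ) )` is keyed by a string literal, so the recursion guard depends on that text matching the name the interceptor is registered under, and nothing in this hunk ties the two together. A shared constant, referenced both here and where the service is configured, would keep a rename from silently putting this internal lookup back through authorization. A comment is also worth adding, e.g. `// reads the user's own entry for ACI evaluation only; authz is bypassed so the engine does not re-enter itself`. hasPermission()'s body continues outside this hunk.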
@@ -171,7 +173,7 @@
         {
             scope = OperationScope.ATTRIBUTE_TYPE_AND_VALUE;
         }
-        
+
         // Clone aciTuples in case it is unmodifiable.
         aciTuples = new ArrayList( aciTuples );
 
@@ -180,11 +182,11 @@
         {
             ACITupleFilter filter = filters[ i ];
             aciTuples = filter.filter(
-                    aciTuples, scope, next,
+                    aciTuples, scope, proxy,
                     userGroupNames, userName, userEntry, authenticationLevel,
                     entryName, attrId, attrValue, entry, microOperations );
         }
-        
+
         // Deny access if no tuples left.
         if( aciTuples.size() == 0 )
         {

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java Tue Oct 18 01:19:14 2005
@@ -26,7 +26,8 @@
 
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.MicroOperation;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An interface that filters the specified collection of tuples using the
@@ -44,7 +45,7 @@
      * 
      * @param tuples the collection of tuples to filter
      * @param scope the scope of the operation to be performed
-     * @param next the next interceptor for this filter to access the DIT
+     * @param proxy the proxy interceptor for this filter to access the DIT
      * @param userGroupNames the collection of group ({@link Name})s which the current user belongs to
      * @param userName the {@link Name} of the current user
      * @param userEntry the {@link Attributes} of the current user entry in the DIT
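Review bot: The new `@param proxy` line calls the argument "the proxy interceptor", but its type is `DirectoryPartitionNexusProxy`, and the text gives implementors no hint about how calls through it interact with the interceptor chain. Elsewhere in this commit ACDFEngine and MaxImmSubFilter pass `Collections.singleton( "authorizationService" )` on every proxy call, apparently so that an authorization filter does not re-enter the authorization service. The contract should state that requirement, for example `@param proxy the nexus proxy used to read the DIT; calls made from a filter must bypass the authorization service`. The interface declaration starts and ends outside this hunk.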
@@ -59,7 +60,7 @@
      * @throws NamingException if failed to filter the specifiec tuples
      */
     Collection filter(
-            Collection tuples, OperationScope scope, NextInterceptor next,
+            Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
             Collection userGroupNames, Name userName, Attributes userEntry,
             AuthenticationLevel authenticationLevel,
             Name entryName, String attrId, Object attrValue, Attributes entry,

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java Tue Oct 18 01:19:14 2005
@@ -27,7 +27,8 @@
 
 import org.apache.ldap.common.aci.ACITuple;
 import org.apache.ldap.common.aci.AuthenticationLevel;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples having a precedence less
@@ -38,7 +39,7 @@
  */
 public class HighestPrecedenceFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( tuples.size() <= 1 )
         {
@@ -46,27 +47,27 @@
         }
 
         int maxPrecedence = -1;
-        
+
         // Find the maximum precedence for all tuples.
         for( Iterator i = tuples.iterator(); i.hasNext(); )
         {
             ACITuple tuple = ( ACITuple ) i.next();
-            if( tuple.getPrecedence() > maxPrecedence ) 
+            if( tuple.getPrecedence() > maxPrecedence )
             {
                 maxPrecedence = tuple.getPrecedence();
             }
         }
-        
+
         // Remove all tuples whose precedences are not the maximum one.
         for( Iterator i = tuples.iterator(); i.hasNext(); )
         {
             ACITuple tuple = ( ACITuple ) i.next();
-            if( tuple.getPrecedence() != maxPrecedence ) 
+            if( tuple.getPrecedence() != maxPrecedence )
             {
                 i.remove();
-            }            
+            }
         }
-        
+
         return tuples;
     }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java Tue Oct 18 01:19:14 2005
@@ -21,6 +21,7 @@
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.Collections;
 
 import javax.naming.Name;
 import javax.naming.NamingEnumeration;
@@ -33,7 +34,8 @@
 import org.apache.ldap.common.aci.ProtectedItem;
 import org.apache.ldap.common.filter.ExprNode;
 import org.apache.ldap.common.filter.PresenceNode;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
@@ -53,26 +55,26 @@
         childrenSearchControls = new SearchControls();
         childrenSearchControls.setSearchScope( SearchControls.ONELEVEL_SCOPE );
     }
-    
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( entryName.size() == 0 )
         {
             return tuples;
         }
-        
+
         if( tuples.size() == 0 )
         {
             return tuples;
         }
-        
+
         if( scope != OperationScope.ENTRY )
         {
             return tuples;
         }
 
         int immSubCount = -1;
-        
+
         for( Iterator i = tuples.iterator(); i.hasNext(); )
         {
             ACITuple tuple = ( ACITuple ) i.next();
@@ -80,7 +82,7 @@
             {
                 continue;
             }
-        
+
             for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
             {
                 ProtectedItem item = ( ProtectedItem ) j.next();
@@ -88,9 +90,9 @@
                 {
                     if( immSubCount < 0 )
                     {
-                        immSubCount = getImmSubCount( next, entryName );
+                        immSubCount = getImmSubCount( proxy, entryName );
                     }
-    
+
                     ProtectedItem.MaxImmSub mis = ( ProtectedItem.MaxImmSub ) item;
                     if( immSubCount >= mis.getValue() )
                     {
@@ -100,26 +102,26 @@
                 }
             }
         }
-        
+
         return tuples;
     }
-    
-    private int getImmSubCount( NextInterceptor next, Name entryName ) throws NamingException
+
+    private int getImmSubCount( DirectoryPartitionNexusProxy proxy, Name entryName ) throws NamingException
     {
         int cnt = 0;
         NamingEnumeration e = null;
         try
         {
-            e = next.search(
+            e = proxy.search(
                 entryName.getPrefix( 1 ), new HashMap(),
-                childrenFilter, childrenSearchControls );
-            
+                childrenFilter, childrenSearchControls, Collections.singleton( "authorizationService" ) );
+
             while( e.hasMore() )
             {
                 e.next();
                 cnt ++;
             }
-            
+
         }
         finally
         {
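Review bot: The bypass set in `getImmSubCount` is built from the bare literal `"authorizationService"`, and the same literal appears in the `proxy.lookup` call in ACDFEngine. If that string ever differs from the name the interceptor is registered under, the bypass presumably stops matching without any error and the search re-enters authorization. A single shared constant, e.g. `private static final Collection AUTHZ_BYPASS = Collections.singleton( "authorizationService" );`, would keep the call sites in step. Separately, the search base `entryName.getPrefix( 1 )` is unchanged here, but it looks like the first name component rather than the parent of `entryName`; it is worth confirming that the count covers the intended container, since it decides whether a MaxImmSub tuple is kept.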
@@ -128,7 +130,7 @@
                 e.close();
             }
         }
-        
+
         return cnt;
     }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java Tue Oct 18 01:19:14 2005
@@ -30,7 +30,8 @@
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.ProtectedItem;
 import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
@@ -41,13 +42,13 @@
  */
 public class MaxValueCountFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
         {
             return tuples;
         }
-        
+
         if( tuples.size() == 0 )
         {
             return tuples;
@@ -75,7 +76,7 @@
                 }
             }
         }
-        
+
         return tuples;
     }
 
@@ -94,7 +95,7 @@
                 }
             }
         }
-        
+
         return false;
     }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java Tue Oct 18 01:19:14 2005
@@ -28,7 +28,8 @@
 import org.apache.ldap.common.aci.ACITuple;
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.MicroOperation;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discard tuples which doesn't contain any
@@ -40,7 +41,7 @@
  */
 public class MicroOperationFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next,
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy,
                               Collection userGroupNames, Name userName, Attributes userEntry,
                               AuthenticationLevel authenticationLevel, Name entryName, String attrId,
                               Object attrValue, Attributes entry, Collection microOperations )
@@ -71,13 +72,13 @@
                     break;
                 }
             }
-            
+
             if( !retain )
             {
                 i.remove();
             }
         }
-        
+
         return tuples;
     }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java Tue Oct 18 01:19:14 2005
@@ -29,7 +29,8 @@
 import org.apache.ldap.common.aci.ACITuple;
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.ProtectedItem;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that chooses the tuples with the most specific
@@ -48,7 +49,7 @@
  */
 public class MostSpecificProtectedItemFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( tuples.size() <= 1 )
         {
@@ -56,7 +57,7 @@
         }
 
         Collection filteredTuples = new ArrayList();
-        
+
         // If the protected item is an attribute and there are tuples that
         // specify the attribute type explicitly, discard all other tuples.
         for( Iterator i = tuples.iterator(); i.hasNext(); )
@@ -75,7 +76,7 @@
                 }
             }
         }
-        
+
         if( filteredTuples.size() > 0 )
         {
             return filteredTuples;
@@ -102,7 +103,7 @@
         {
             return filteredTuples;
         }
-        
+
         return tuples;
     }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java Tue Oct 18 01:19:14 2005
@@ -29,7 +29,8 @@
 import org.apache.ldap.common.aci.ACITuple;
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.UserClass;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that chooses the tuples with the most specific user
@@ -46,7 +47,7 @@
  */
 public class MostSpecificUserClassFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( tuples.size() <= 1 )
         {
@@ -54,7 +55,7 @@
         }
 
         Collection filteredTuples = new ArrayList();
-        
+
         // If there are any tuples matching the requestor with UserClasses
         // element name or thisEntry, discard all other tuples.
         for( Iterator i = tuples.iterator(); i.hasNext(); )
@@ -71,12 +72,12 @@
                 }
             }
         }
-        
+
         if( filteredTuples.size() > 0 )
         {
             return filteredTuples;
         }
-        
+
         // Otherwise if there are any tuples matching UserGroup,
         // discard all other tuples.
         for( Iterator i = tuples.iterator(); i.hasNext(); )
@@ -92,7 +93,7 @@
                 }
             }
         }
-        
+
         if( filteredTuples.size() > 0 )
         {
             return filteredTuples;
@@ -113,12 +114,12 @@
                 }
             }
         }
-        
+
         if( filteredTuples.size() > 0 )
         {
             return filteredTuples;
         }
-        
+
         return tuples;
     }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java Tue Oct 18 01:19:14 2005
@@ -32,9 +32,10 @@
 import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
 import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
 import org.apache.ldap.server.event.Evaluator;
-import org.apache.ldap.server.interceptor.NextInterceptor;
 import org.apache.ldap.server.schema.AttributeTypeRegistry;
 import org.apache.ldap.server.subtree.RefinementEvaluator;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s
@@ -58,7 +59,7 @@
         this.entryEvaluator = entryEvaluator;
     }
 
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( tuples.size() == 0 )
         {
@@ -73,7 +74,7 @@
                 i.remove();
             }
         }
-        
+
         return tuples;
     }
 
@@ -96,7 +97,7 @@
                 {
                     continue;
                 }
-                
+
                 if( isUserAttribute( attrId ) )
                 {
                     return true;
@@ -139,7 +140,7 @@
                 {
                     continue;
                 }
-                
+
                 ProtectedItem.AttributeType at = ( ProtectedItem.AttributeType ) item;
                 for( Iterator j = at.iterator(); j.hasNext(); )
                 {
@@ -155,7 +156,7 @@
                 {
                     continue;
                 }
-                
+
                 ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
                 for( Iterator j = av.iterator(); j.hasNext(); )
                 {
@@ -229,7 +230,7 @@
                 {
                     continue;
                 }
-                
+
                 ProtectedItem.SelfValue sv = ( ProtectedItem.SelfValue ) item;
                 for( Iterator j = sv.iterator(); j.hasNext(); )
                 {
@@ -249,15 +250,15 @@
                 throw new InternalError( "Unexpected protectedItem: " + item.getClass().getName() );
             }
         }
-        
+
         return false;
     }
-    
+
     private final boolean isUserAttribute( String attrId )
     {
         /* Not used anymore.  Just retaining in case of resurrection. */
         return true;
-        
+
         /*
         try
         {
@@ -271,7 +272,7 @@
         {
             // Ignore
         }
-        
+
         return false;
         */
     }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java Tue Oct 18 01:19:14 2005
@@ -30,8 +30,9 @@
 import org.apache.ldap.common.aci.UserClass;
 import org.apache.ldap.common.name.LdapName;
 import org.apache.ldap.common.subtree.SubtreeSpecification;
-import org.apache.ldap.server.interceptor.NextInterceptor;
 import org.apache.ldap.server.subtree.SubtreeEvaluator;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples whose {@link UserClass}es
@@ -50,8 +51,8 @@
     {
         this.subtreeEvaluator = subtreeEvaluator;
     }
-    
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( tuples.size() == 0 )
         {
@@ -78,10 +79,10 @@
                 }
             }
         }
-        
+
         return tuples;
     }
-    
+
     private boolean isRelated( Collection userGroupNames, Name userName, Attributes userEntry, Name entryName, Collection userClasses ) throws NamingException
     {
         for( Iterator i = userClasses.iterator(); i.hasNext(); )
@@ -134,7 +135,7 @@
 
         return false;
     }
-    
+
     private boolean matchUserClassSubtree( Name userName, Attributes userEntry, UserClass.Subtree subtree ) throws NamingException
     {
         for( Iterator i = subtree.getSubtreeSpecifications().iterator();
@@ -147,7 +148,7 @@
                 return true;
             }
         }
-        
+
         return false;
     }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java Tue Oct 18 01:19:14 2005
@@ -30,7 +30,8 @@
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.ProtectedItem;
 import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+
 
 /**
  * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
@@ -41,7 +42,7 @@
  */
 public class RestrictedByFilter implements ACITupleFilter
 {
-    public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
+    public Collection filter( Collection tuples, OperationScope scope, DirectoryPartitionNexusProxy proxy, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
     {
         if( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
         {
@@ -52,7 +53,7 @@
         {
             return tuples;
         }
-        
+
         for( Iterator i = tuples.iterator(); i.hasNext(); )
         {
             ACITuple tuple = ( ACITuple ) i.next();
@@ -66,7 +67,7 @@
                 i.remove();
             }
         }
-        
+
         return tuples;
     }
 
@@ -92,7 +93,7 @@
                 }
             }
         }
-        
+
         return false;
     }
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/jndi/ServerContext.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/jndi/ServerContext.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/jndi/ServerContext.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/jndi/ServerContext.java Tue Oct 18 01:19:14 2005
@@ -194,22 +194,22 @@
     }
 
 
-    // ------------------------------------------------------------------------
-    // Protected Accessor Methods
-    // ------------------------------------------------------------------------
-
-
     /**
      * Gets the RootNexus proxy.
-     * 
+     *
      * @return the proxy to the backend nexus.
      */
-    protected DirectoryPartitionNexus getNexusProxy()
+    public DirectoryPartitionNexusProxy getNexusProxy()
     {
-       return nexusProxy ;
+       return ( DirectoryPartitionNexusProxy ) nexusProxy ;
     }
-    
-    
+
+
+    // ------------------------------------------------------------------------
+    // Protected Accessor Methods
+    // ------------------------------------------------------------------------
+
+
     /**
      * Gets the distinguished name of the entry associated with this Context.
      * 
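Review bot: `getNexusProxy()` is now `public` and downcasts with `( DirectoryPartitionNexusProxy ) nexusProxy`, so it throws `ClassCastException` if the field (presumably still typed `DirectoryPartitionNexus`, given the old return type) ever holds another implementation. Declaring the field as `DirectoryPartitionNexusProxy` would remove the cast. The Javadoc still reads as a plain getter, although the proxy it returns accepts bypass collections like the one the authz filters pass in this commit. Any caller holding a ServerContext can therefore issue operations that skip the authorization interceptor. While the accessor stays public the comment should say so, e.g. `Calls on the returned proxy can bypass interceptors, including authorization; do not expose this context to untrusted code`, and a permission check before the return would limit the exposure when a SecurityManager is installed.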
@@ -578,7 +578,7 @@
      */
     public Object lookup( Name name ) throws NamingException
     {
-        Object obj = null;
+        Object obj;
 
         LdapName target = buildTarget( name );
 
@@ -756,7 +756,7 @@
         while ( fqn.size() > 0 )
         {
             // match found end loop
-            if ( ( ( String ) fqn.get( 0 ) ).equalsIgnoreCase( head ) )
+            if ( fqn.get( 0 ).equalsIgnoreCase( head ) )
             {
                 return fqn;
             }

Modified: directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/support/MaxImmSubFilterTest.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/support/MaxImmSubFilterTest.java?rev=326050&r1=326049&r2=326050&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/support/MaxImmSubFilterTest.java (original)
+++ directory/apacheds/trunk/core/src/test/org/apache/ldap/server/authz/support/MaxImmSubFilterTest.java Tue Oct 18 01:19:14 2005
@@ -18,21 +18,14 @@
  */
 package org.apache.ldap.server.authz.support;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 import javax.naming.Name;
-import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
+import javax.naming.Context;
+import javax.naming.NamingEnumeration;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.BasicAttributes;
-import javax.naming.directory.ModificationItem;
 import javax.naming.directory.SearchControls;
 
 import junit.framework.Assert;
@@ -41,10 +34,14 @@
 import org.apache.ldap.common.aci.ACITuple;
 import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.common.aci.ProtectedItem;
-import org.apache.ldap.common.filter.ExprNode;
 import org.apache.ldap.common.name.LdapName;
-import org.apache.ldap.server.configuration.DirectoryPartitionConfiguration;
-import org.apache.ldap.server.interceptor.NextInterceptor;
+import org.apache.ldap.common.filter.ExprNode;
+import org.apache.ldap.server.partition.DirectoryPartitionNexusProxy;
+import org.apache.ldap.server.DirectoryService;
+import org.apache.ldap.server.DirectoryServiceListener;
+import org.apache.ldap.server.DirectoryServiceConfiguration;
+import org.apache.ldap.server.jndi.DeadContext;
+
 
 /**
  * Tests {@link MaxImmSubFilter}.
@@ -58,15 +55,13 @@
         Collections.unmodifiableCollection( new ArrayList() );
     private static final Set EMPTY_SET =
         Collections.unmodifiableSet( new HashSet() );
-    
+
     private static final Name ROOTDSE_NAME = new LdapName();
     private static final Name ENTRY_NAME;
     private static final Collection PROTECTED_ITEMS = new ArrayList();
     private static final Attributes ENTRY = new BasicAttributes();
-    private static final NextInterceptor NEXT_INTERCEPTOR_A = new NextInterceptorImpl( 1 );
-    private static final NextInterceptor NEXT_INTERCEPTOR_B = new NextInterceptorImpl( 2 );
-    
-    
+
+
     static
     {
         try
@@ -80,7 +75,7 @@
 
         PROTECTED_ITEMS.add( new ProtectedItem.MaxImmSub( 2 ) );
     }
-    
+
     public void testWrongScope() throws Exception
     {
         MaxImmSubFilter filter = new MaxImmSubFilter();
@@ -88,47 +83,47 @@
         tuples.add( new ACITuple(
                 EMPTY_COLLECTION, AuthenticationLevel.NONE, EMPTY_COLLECTION,
                 EMPTY_SET, true, 0 ) );
-        
+
         tuples = Collections.unmodifiableCollection( tuples );
-        
+
         Assert.assertEquals(
                 tuples, filter.filter(
-                        tuples, OperationScope.ATTRIBUTE_TYPE, NEXT_INTERCEPTOR_A, null, null,
+                        tuples, OperationScope.ATTRIBUTE_TYPE, null, null, null,
                         null, null, ENTRY_NAME, null, null, ENTRY, null ) );
 
         Assert.assertEquals(
                 tuples, filter.filter(
-                        tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, NEXT_INTERCEPTOR_A,
+                        tuples, OperationScope.ATTRIBUTE_TYPE_AND_VALUE, null,
                         null, null, null, null, ENTRY_NAME, null, null, ENTRY, null ) );
     }
-    
+
     public void testRootDSE() throws Exception
     {
         MaxImmSubFilter filter = new MaxImmSubFilter();
-        
+
         Collection tuples = new ArrayList();
         tuples.add( new ACITuple(
                 EMPTY_COLLECTION, AuthenticationLevel.NONE, EMPTY_COLLECTION,
                 EMPTY_SET, true, 0 ) );
-        
+
         tuples = Collections.unmodifiableCollection( tuples );
 
         Assert.assertEquals(
                 tuples, filter.filter(
                         tuples, OperationScope.ENTRY,
-                        NEXT_INTERCEPTOR_A, null, null, null, null, ROOTDSE_NAME, null, null, ENTRY, null ) );
+                        null, null, null, null, null, ROOTDSE_NAME, null, null, ENTRY, null ) );
     }
-    
+
     public void testZeroTuple() throws Exception
     {
         MaxImmSubFilter filter = new MaxImmSubFilter();
-        
+
         Assert.assertEquals(
                 0, filter.filter(
                         EMPTY_COLLECTION, OperationScope.ENTRY,
-                        NEXT_INTERCEPTOR_A, null, null, null, null, ENTRY_NAME, null, null, ENTRY, null ).size() );
+                        null, null, null, null, null, ENTRY_NAME, null, null, ENTRY, null ).size() );
     }
-    
+
     public void testDenialTuple() throws Exception
     {
         MaxImmSubFilter filter = new MaxImmSubFilter();
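Review bot: The `null` now passed as the proxy argument in testWrongScope, testRootDSE and testZeroTuple (and in testDenialTuple in the following hunk) is undocumented, so a reader cannot tell that it is deliberate. With `null` there, each of these tests passes only if the filter returns before it touches the proxy; otherwise it would fail with a NullPointerException rather than an assertion message. That is a useful property to pin for an access-control filter, so state it in a comment above each call, for example `// proxy is null on purpose: this path must not search the directory`. testDenialTuple's body starts in this hunk and continues outside it.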
@@ -136,12 +131,12 @@
         tuples.add( new ACITuple(
                 EMPTY_COLLECTION, AuthenticationLevel.NONE, PROTECTED_ITEMS,
                 EMPTY_SET, false, 0 ) );
-        
+
         tuples = Collections.unmodifiableCollection( tuples );
-        
+
         Assert.assertEquals(
                 tuples, filter.filter(
-                        tuples, OperationScope.ENTRY, NEXT_INTERCEPTOR_A, null, null,
+                        tuples, OperationScope.ENTRY, null, null, null,
                         null, null, ENTRY_NAME, null, null, ENTRY, null ) );
     }
 
@@ -153,148 +148,138 @@
         tuples.add( new ACITuple(
                 EMPTY_COLLECTION, AuthenticationLevel.NONE, PROTECTED_ITEMS,
                 EMPTY_SET, true, 0 ) );
-        
+
         Assert.assertEquals(
                 1, filter.filter(
-                        tuples, OperationScope.ENTRY, NEXT_INTERCEPTOR_A, null, null,
+                        tuples, OperationScope.ENTRY, new MockProxy(1), null, null,
                         null, null, ENTRY_NAME, null, null, ENTRY, null ).size() );
 
         Assert.assertEquals(
                 0, filter.filter(
-                        tuples, OperationScope.ENTRY, NEXT_INTERCEPTOR_B, null, null,
+                        tuples, OperationScope.ENTRY, new MockProxy(3), null, null,
                         null, null, ENTRY_NAME, null, null, ENTRY, null ).size() );
     }
-    
-    private static class NextInterceptorImpl implements NextInterceptor
+
+
+    class MockProxy extends DirectoryPartitionNexusProxy
     {
-        private final List list;
+        final int count;
 
-        public NextInterceptorImpl( int count )
+        public MockProxy( int count )
         {
-            list = new ArrayList();
-            for( int i = 0; i < count; i++ )
-            {
-                list.add( new Object() );
-            }
+            super( new DeadContext(), new MockDirectoryService() );
+            this.count = count;
         }
 
-        public boolean compare( Name name, String oid, Object value ) throws NamingException
-        {
-            return false;
-        }
 
-        public Attributes getRootDSE() throws NamingException
+        public NamingEnumeration search( Name base, Map env, ExprNode filter, SearchControls searchCtls ) throws NamingException
         {
-            return null;
+            return new BogusEnumeration( count );
         }
 
-        public Name getMatchedName( Name name, boolean normalized ) throws NamingException
-        {
-            return null;
-        }
 
-        public Name getSuffix( Name name, boolean normalized ) throws NamingException
+        public NamingEnumeration search( Name base, Map env, ExprNode filter, SearchControls searchCtls, Collection bypass ) throws NamingException
         {
-            return null;
+            return new BogusEnumeration( count );
         }
+    }
 
-        public Iterator listSuffixes( boolean normalized ) throws NamingException
+    class MockDirectoryService extends DirectoryService
+    {
+        public void startup( DirectoryServiceListener listener, Hashtable environment ) throws NamingException
         {
-            return null;
+            //To change body of implemented methods use File | Settings | File Templates.
         }
 
-        public void addContextPartition( DirectoryPartitionConfiguration cfg ) throws NamingException
-        {
-        }
 
-        public void removeContextPartition( Name suffix ) throws NamingException
+        public void shutdown() throws NamingException
         {
+            //To change body of implemented methods use File | Settings | File Templates.
         }
 
-        public void delete( Name name ) throws NamingException
-        {
-        }
 
-        public void add( String userProvidedName, Name normalizedName, Attributes entry ) throws NamingException
+        public void sync() throws NamingException
         {
+            //To change body of implemented methods use File | Settings | File Templates.
         }
 
-        public void modify( Name name, int modOp, Attributes attributes ) throws NamingException
-        {
-        }
 
-        public void modify( Name name, ModificationItem[] items ) throws NamingException
+        public boolean isStarted()
         {
+            return true;
         }
 
-        public NamingEnumeration list( Name baseName ) throws NamingException
+
+        public DirectoryServiceConfiguration getConfiguration()
         {
-            return null;
+            return null;  //To change body of implemented methods use File | Settings | File Templates.
         }
 
-        public NamingEnumeration search( Name baseName, Map environment, ExprNode filter, SearchControls searchControls ) throws NamingException
+
+        public Context getJndiContext( String baseName ) throws NamingException
         {
-            final Iterator i = list.iterator();
-            
-            return new NamingEnumeration()
-            {
+            return null;  //To change body of implemented methods use File | Settings | File Templates.
+        }
 
-                public Object next() throws NamingException
-                {
-                    return i.next();
-                }
 
-                public boolean hasMore() throws NamingException
-                {
-                    return i.hasNext();
-                }
+        public Context getJndiContext( String principal, byte[] credential, String authentication, String baseName ) throws NamingException
+        {
+            return null;  //To change body of implemented methods use File | Settings | File Templates.
+        }
+    }
 
-                public void close() throws NamingException
-                {
-                }
 
-                public boolean hasMoreElements()
-                {
-                    return i.hasNext();
-                }
+    class BogusEnumeration implements NamingEnumeration
+    {
+        final int count;
+        int ii;
 
-                public Object nextElement()
-                {
-                    return i.next();
-                }
-            };
-        }
 
-        public Attributes lookup( Name name ) throws NamingException
+        public BogusEnumeration( int count )
         {
-            return null;
+            this.count = count;
         }
 
-        public Attributes lookup( Name name, String[] attrIds ) throws NamingException
-        {
-            return null;
-        }
 
-        public boolean hasEntry( Name name ) throws NamingException
+        public Object next() throws NamingException
         {
-            return false;
+            if ( ii >= count )
+            {
+                throw new NoSuchElementException();
+            }
+
+            ii++;
+            return new Object();
         }
 
-        public boolean isSuffix( Name name ) throws NamingException
+
+        public boolean hasMore() throws NamingException
         {
-            return false;
+            return ii < count;
         }
 
-        public void modifyRn( Name name, String newRn, boolean deleteOldRn ) throws NamingException
+
+        public void close() throws NamingException
         {
+            ii = count;
         }
 
-        public void move( Name oldName, Name newParentName ) throws NamingException
+
+        public boolean hasMoreElements()
         {
+            return ii < count;
         }
 
-        public void move( Name oldName, Name newParentName, String newRn, boolean deleteOldRn ) throws NamingException
+
+        public Object nextElement()
         {
+            if ( ii >= count )
+            {
+                throw new NoSuchElementException();
+            }
+
+            ii++;
+            return new Object();
         }
     }
 }
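Review bot: The count exactly at the limit is no longer exercised: the allowed case uses `new MockProxy(1)` and the rejected case `new MockProxy(3)`, while PROTECTED_ITEMS holds `MaxImmSub( 2 )` (set up in an earlier hunk) and the removed fixtures used 1 and 2. An off-by-one in the filter's comparison would pass this test, and for an ACI limit that is the case most worth pinning; add a third assertion with `new MockProxy(2)` and the size the filter is specified to return there. Separately, the five-argument `search` overload in MockProxy ignores `bypass`, so the test cannot notice if the filter stops asking for the authorization interceptor to be bypassed as the commit log describes; storing the argument in a field and asserting on it would cover that. The test method containing these assertions begins outside the hunk.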