Posted to commits@directory.apache.org by tr...@apache.org on 2005/09/22 15:56:24 UTC
svn commit: r290946 -
/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
Author: trustin
Date: Thu Sep 22 06:56:21 2005
New Revision: 290946
URL: http://svn.apache.org/viewcvs?rev=290946&view=rev
Log:
Implemented most of the ACDF algorithm as specified in the X.501 specification.
Modified:
directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
Modified: directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java?rev=290946&r1=290945&r2=290946&view=diff
==============================================================================
--- directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java (original)
+++ directory/shared/ldap/trunk/common/src/java/org/apache/ldap/common/acl/ACDFEngine.java Thu Sep 22 06:56:21 2005
@@ -20,7 +20,6 @@
import java.util.Iterator;
import javax.naming.Name;
-import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
@@ -97,18 +96,20 @@
aciTuples = removeTuplesWithoutRelatedMicroOperation( microOperations, aciTuples );
aciTuples = getTuplesWithHighestPrecedence( aciTuples );
- if( aciTuples.size() > 1 )
+ aciTuples = getTuplesWithMostSpecificUserClasses( aciTuples );
+ aciTuples = getTuplesWithMostSpecificProtectedItems( attrId, attrValue, aciTuples );
+
+ // Grant access if and only if one or more tuples remain and
+ // all grant access. Otherwise deny access.
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
- aciTuples = getTuplesWithMostSpecificUserClasses( aciTuples );
- if( aciTuples.size() > 1 )
+ ACITuple tuple = ( ACITuple ) i.next();
+ if( !tuple.isGrant() )
{
- aciTuples = getTuplesWithMostSpecificProtectedItems( aciTuples );
+ return false;
}
+
}
-
- // TODO: Grant access if and only if one or more tuples remain and
- // all grant access. Otherwise deny access.
-
return true;
}
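Review bot: The added loop returns true when aciTuples is empty, which contradicts the comment just above it ("one or more tuples remain") and makes the decision fail open whenever the preceding filter calls discard every tuple. Unless a check earlier in this method (outside the hunk) already rejects an empty collection, add `if( aciTuples.isEmpty() ) { return false; }` immediately before the for loop so that an empty result denies. The enclosing method starts outside the hunk.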
@@ -215,28 +216,175 @@
private Collection getTuplesWithMostSpecificUserClasses( Collection aciTuples )
{
+ if( aciTuples.size() <= 1 )
+ {
+ return aciTuples;
+ }
+
+ Collection filteredTuples = new ArrayList();
+
+ // If there are any tuples matching the requestor with UserClasses
+ // element name or thisEntry, discard all other tuples.
for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
{
-
+ UserClass userClass = ( UserClass ) j.next();
+ if( userClass instanceof UserClass.Name ||
+ userClass instanceof UserClass.ThisEntry )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
}
}
- return null;
+
+ if( filteredTuples.size() > 0 )
+ {
+ return filteredTuples;
+ }
+
+ // Otherwise if there are any tuples matching UserGroup,
+ // discard all other tuples.
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
+ {
+ UserClass userClass = ( UserClass ) j.next();
+ if( userClass instanceof UserClass.UserGroup )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
+ }
+ }
+
+ if( filteredTuples.size() > 0 )
+ {
+ return filteredTuples;
+ }
+
+ // Otherwise if there are any tuples matching subtree,
+ // discard all other tuples.
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
+ {
+ UserClass userClass = ( UserClass ) j.next();
+ if( userClass instanceof UserClass.Subtree )
+ {
+ // FIXME I don't know what to do with this.
+ break;
+ }
+ }
+ }
+
+ if( filteredTuples.size() > 0 )
+ {
+ return filteredTuples;
+ }
+
+ return aciTuples;
}
- private Collection getTuplesWithMostSpecificProtectedItems( Collection aciTuples )
+ private Collection getTuplesWithMostSpecificProtectedItems( String attrId, Object attrValue, Collection aciTuples )
{
+ if( aciTuples.size() <= 1 )
+ {
+ return aciTuples;
+ }
+
+ Collection filteredTuples = new ArrayList();
+
+ // If the protected item is an attribute and there are tuples that
+ // specify the attribute type explicitly, discard all other tuples.
for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
+ itemLoop: for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
{
-
+ ProtectedItem item = ( ProtectedItem ) j.next();
+ if( item instanceof ProtectedItem.AttributeType )
+ {
+ if( contains( attrId, ( ( ProtectedItem.AttributeType ) item ).iterator() ) )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
+ }
+ else if( item instanceof ProtectedItem.AllAttributeValues )
+ {
+ if( contains( attrId, ( ( ProtectedItem.AllAttributeValues ) item ).iterator() ) )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
+ }
+ else if( item instanceof ProtectedItem.SelfValue )
+ {
+ if( contains( attrId, ( ( ProtectedItem.SelfValue ) item ).iterator() ) )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
+ }
+ else if( item instanceof ProtectedItem.SelfValue )
+ {
+ if( contains( attrId, ( ( ProtectedItem.SelfValue ) item ).iterator() ) )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
+ }
+ else if( item instanceof ProtectedItem.AttributeValue )
+ {
+ ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
+ for( Iterator k = av.iterator(); k.hasNext(); )
+ {
+ Attribute attr = ( Attribute ) k.next();
+ if( attr.getID().equalsIgnoreCase( attrId ) )
+ {
+ filteredTuples.add( tuple );
+ break itemLoop;
+ }
+ }
+ }
}
}
- return null;
+
+ if( filteredTuples.size() > 0 )
+ {
+ return filteredTuples;
+ }
+
+ // If the protected item is an attribute value, and there are tuples
+ // that specify the attribute value explicitly, discard all other tuples.
+ // A protected item which is a rangeOfValues is to be treated as
+ // specifying an attribute value explicitly.
+ for( Iterator i = aciTuples.iterator(); i.hasNext(); )
+ {
+ ACITuple tuple = ( ACITuple ) i.next();
+ itemLoop: for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
+ {
+ ProtectedItem item = ( ProtectedItem ) j.next();
+ if( item instanceof ProtectedItem.RangeOfValues )
+ {
+ ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
+ // FIXME I don't know what to do with this ExprNode.
+ break;
+ }
+ }
+ }
+
+ if( filteredTuples.size() > 0 )
+ {
+ return filteredTuples;
+ }
+
+ return aciTuples;
}
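Review bot: getTuplesWithMostSpecificProtectedItems compares attribute type names inconsistently: the AttributeType, AllAttributeValues and SelfValue branches go through contains(), whose equals() is case-sensitive, while the AttributeValue branch uses equalsIgnoreCase(). LDAP attribute type names are case-insensitive, so a tuple whose attributeType is spelled in a different case from attrId is dropped from filteredTuples here, meaning a deny tuple can be excluded from the most-specific set while a same-case grant tuple survives; apply equalsIgnoreCase (or a case-insensitive variant of contains()) in all four branches. The second `else if( item instanceof ProtectedItem.SelfValue )` block is unreachable because the identical test precedes it and is presumably a copy-paste left-over for a different ProtectedItem subtype. The UserClass.Subtree loop and the RangeOfValues loop never add to filteredTuples, so the `filteredTuples.size() > 0` checks after them can never be true and the comments above those loops describe filtering that does not happen yet; the FIXMEs should state that these specificity steps are not implemented and that `rov` is currently unused.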
@@ -436,6 +584,24 @@
else
{
throw new InternalError( "Unexpected protectedItem: " + item.getClass().getName() );
+ }
+ }
+
+ return false;
+ }
+
+ private static boolean contains( Object needle, Iterator haystack )
+ {
+ if( needle == null )
+ {
+ return false;
+ }
+
+ while( haystack.hasNext() )
+ {
+ if( haystack.next().equals( needle ) )
+ {
+ return true;
}
}