Posted to commits@directory.apache.org by tr...@apache.org on 2005/09/23 15:12:15 UTC
svn commit: r291115 - in
/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server:
authz/ACDFEngine.java authz/TupleCache.java event/Evaluator.java
Author: trustin
Date: Fri Sep 23 06:12:08 2005
New Revision: 291115
URL: http://svn.apache.org/viewcvs?rev=291115&view=rev
Log:
ACDFEngine now supports ProtectedItem.RangeOfValues and ProtectedItem.Classes (UserClass.Subtree evaluation is still a FIXME).
Modified:
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/TupleCache.java
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/event/Evaluator.java
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java?rev=291115&r1=291114&r2=291115&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/ACDFEngine.java Fri Sep 23 06:12:08 2005
@@ -20,22 +20,38 @@
import java.util.Iterator;
import javax.naming.Name;
+import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
-import org.apache.ldap.common.acl.ACITuple;
-import org.apache.ldap.common.acl.AuthenticationLevel;
-import org.apache.ldap.common.acl.MicroOperation;
-import org.apache.ldap.common.acl.ProtectedItem;
-import org.apache.ldap.common.acl.UserClass;
-import org.apache.ldap.common.acl.ProtectedItem.MaxValueCountItem;
-import org.apache.ldap.common.acl.ProtectedItem.RestrictedByItem;
+import org.apache.ldap.common.aci.ACITuple;
+import org.apache.ldap.common.aci.AuthenticationLevel;
+import org.apache.ldap.common.aci.MicroOperation;
+import org.apache.ldap.common.aci.ProtectedItem;
+import org.apache.ldap.common.aci.UserClass;
+import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem;
+import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem;
import org.apache.ldap.common.exception.LdapNoPermissionException;
+import org.apache.ldap.server.event.Evaluator;
+import org.apache.ldap.server.event.ExpressionEvaluator;
+import org.apache.ldap.server.schema.AttributeTypeRegistry;
+import org.apache.ldap.server.schema.OidRegistry;
+import org.apache.ldap.server.subtree.RefinementEvaluator;
+import org.apache.ldap.server.subtree.RefinementLeafEvaluator;
+import org.apache.ldap.server.subtree.SubtreeEvaluator;
public class ACDFEngine
{
- public ACDFEngine()
+ private final Evaluator entryEvaluator;
+ private final SubtreeEvaluator subtreeEvaluator;
+ private final RefinementEvaluator refinementEvaluator;
+
+ public ACDFEngine( OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry ) throws NamingException
{
+ entryEvaluator = new ExpressionEvaluator( oidRegistry, attrTypeRegistry );
+ subtreeEvaluator = new SubtreeEvaluator( oidRegistry );
+ refinementEvaluator = new RefinementEvaluator(
+ new RefinementLeafEvaluator( oidRegistry ) );
}
/**
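Review bot: The new public constructor at `public ACDFEngine( OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry ) throws NamingException` has no Javadoc, and the class now takes hard dependencies on two registries and three evaluator types that it did not have before. A reader of this constructor cannot tell which of the three evaluator constructions can throw or what failing to build the engine means for the server, so document it; something like `@param oidRegistry registry used to resolve OIDs when evaluating rangeOfValues filters and objectClass refinements`, `@param attrTypeRegistry registry handed to the entry filter evaluator`, and `@throws NamingException if one of the evaluators could not be constructed` (the exact source of the exception is not visible here and should be confirmed). Since this is the authorization engine, it is also worth stating in the class or constructor comment that the instance keeps no mutable state after construction, if that is indeed the case.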
@@ -53,12 +69,12 @@
* @param entry the attributes of the entry
* @param microOperations the {@link MicroOperation}s to perform
* @param aciTuples {@link ACITuple}s translated from {@link ACIItem}s in the subtree entries
- * @throws LdapNoPermissionException if user don't have enough permission to perform the operation
+ * @throws NamingException if failed to evaluate ACI items
*/
public void checkPermission(
Name userGroupName, Name username, AuthenticationLevel authenticationLevel,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection microOperations, Collection aciTuples ) throws LdapNoPermissionException
+ Collection microOperations, Collection aciTuples ) throws NamingException
{
if( !hasPermission(
userGroupName, username, authenticationLevel,
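Review bot: The Javadoc change replaces the `@throws LdapNoPermissionException` tag instead of adding to it, but checkPermission presumably still raises that exception from the `if( !hasPermission(` branch that continues below this hunk (the import at the top of the file is retained), and callers that catch it specifically now have no documented contract for it. Keep both tags: `@throws LdapNoPermissionException if the user does not have permission to perform the operation` and `@throws NamingException if the ACI items could not be evaluated`. It would also help to say explicitly that a NamingException from evaluation means the operation must not proceed, so a caller does not treat an evaluation failure as anything other than a denial. The body of checkPermission ends outside this hunk.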
@@ -88,7 +104,7 @@
public boolean hasPermission(
Name userGroupName, Name userName, AuthenticationLevel authenticationLevel,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection microOperations, Collection aciTuples )
+ Collection microOperations, Collection aciTuples ) throws NamingException
{
aciTuples = removeTuplesWithoutRelatedUserClasses(
userGroupName, userName, authenticationLevel, entryName, aciTuples );
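Review bot: `hasPermission` now propagates `NamingException` from the filter and refinement evaluation it performs further down (body outside this hunk), which changes its contract from a pure boolean decision to one that can fail; that is the right fail-closed default, but only if every caller lets the exception abort the operation rather than catching it and falling through to a grant. Add a Javadoc line on hasPermission making that explicit, e.g. `@throws NamingException if an ACI item could not be evaluated; callers must treat this as a denial, never as a grant`, and check the existing callers of hasPermission for broad `catch( NamingException )` blocks that would now swallow an authorization failure. The method begins in this hunk and ends outside it.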
@@ -102,7 +118,7 @@
aciTuples = getTuplesWithHighestPrecedence( aciTuples );
aciTuples = getTuplesWithMostSpecificUserClasses( aciTuples );
- aciTuples = getTuplesWithMostSpecificProtectedItems( attrId, attrValue, aciTuples );
+ aciTuples = getTuplesWithMostSpecificProtectedItems( entryName, attrId, attrValue, entry, aciTuples );
// Grant access if and only if one or more tuples remain and
// all grant access. Otherwise deny access.
@@ -113,7 +129,6 @@
{
return false;
}
-
}
return true;
}
@@ -150,13 +165,14 @@
private Collection removeTuplesWithoutRelatedProtectedItems(
Name userName,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection aciTuples )
+ Collection aciTuples ) throws NamingException
{
Collection filteredTuples = new ArrayList();
for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- if( matchProtectedItem( userName, entryName, attrId, attrValue, entry, tuple.getProtectedItems() ) )
+ if( matchProtectedItem(
+ userName, entryName, attrId, attrValue, entry, tuple.getProtectedItems() ) )
{
filteredTuples.add( tuple );
}
@@ -276,13 +292,23 @@
for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
+ userClassLoop: for( Iterator j = tuple.getUserClasses().iterator(); j.hasNext(); )
{
UserClass userClass = ( UserClass ) j.next();
if( userClass instanceof UserClass.Subtree )
{
- // FIXME I don't know what to do with this.
- break;
+// FIXME Find out how to evaluate this
+// UserClass.Subtree subtree = ( UserClass.Subtree ) userClass;
+// for( Iterator k = subtree.getSubtreeSpecifications().iterator();
+// k.hasNext(); )
+// {
+// SubtreeSpecification subtreeSpec = ( SubtreeSpecification ) k.next();
+// if( subtreeEvaluator.evaluate( subtreeSpec, ...) ) )
+// {
+// filteredTuples.add( tuple );
+// break userClassLoop;
+// }
+// }
}
}
}
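Review bot: A `UserClass.Subtree` is now silently skipped in this loop: the old `break` is gone and its replacement is a commented-out sketch, so within the visible branch nothing is ever added to `filteredTuples` for a subtree user class, no warning is emitted, and the new `userClassLoop:` label is referenced only from inside the comment. An ACI whose user class is a subtree specification is therefore not honoured by this ranking step, and an administrator has no runtime signal of that; until the `subtreeEvaluator` already built in the constructor is wired in, make the gap visible, e.g. replace the commented block with `// TODO subtree user classes are not evaluated yet: such tuples never rank as most specific here` and log a warning once when one is encountered. Dropping the `break` also changes this loop to keep examining the tuple's remaining user classes after a Subtree, which looks intended but is worth a sentence in the comment. The enclosing method starts and ends outside this hunk.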
@@ -295,7 +321,7 @@
return aciTuples;
}
- private Collection getTuplesWithMostSpecificProtectedItems( String attrId, Object attrValue, Collection aciTuples )
+ private Collection getTuplesWithMostSpecificProtectedItems( Name entryName, String attrId, Object attrValue, Attributes entry, Collection aciTuples ) throws NamingException
{
if( aciTuples.size() <= 1 )
{
@@ -336,21 +362,19 @@
break;
}
}
- else if( item instanceof ProtectedItem.SelfValue )
+ else if( item instanceof ProtectedItem.AttributeValue )
{
- if( contains( attrId, ( ( ProtectedItem.SelfValue ) item ).iterator() ) )
+ if( attrId == null || attrValue == null )
{
- filteredTuples.add( tuple );
- break;
+ continue;
}
- }
- else if( item instanceof ProtectedItem.AttributeValue )
- {
+
ProtectedItem.AttributeValue av = ( ProtectedItem.AttributeValue ) item;
for( Iterator k = av.iterator(); k.hasNext(); )
{
Attribute attr = ( Attribute ) k.next();
- if( attr.getID().equalsIgnoreCase( attrId ) )
+ if( attr.getID().equalsIgnoreCase( attrId ) &&
+ attr.contains( attrValue ) )
{
filteredTuples.add( tuple );
break itemLoop;
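Review bot: The added `attr.contains( attrValue )` makes an attributeValue item count as most specific only when the requested value equals one of the ACI's values under `Attribute.contains()`, which for a BasicAttribute is Object.equals (or array equality) — an exact, un-normalized comparison. If `attrValue` arrives as a `byte[]`, or differs from the value written in the ACI only in case or spacing, the tuple is silently not ranked as most specific even though the attribute's equality matching rule would consider the values equal; either normalize both sides with the attribute type's equality normalizer (the engine now has an `AttributeTypeRegistry`) before comparing, or document the literal-match behaviour with a comment such as `// attributeValue items match literally; values are not normalized here`. The selfValue branch that previously lived at this spot is gone from the ranking; if that is deliberate, a one-line comment saying where selfValue is handled instead would stop the next reader from re-adding it. The enclosing method starts and ends outside this hunk.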
@@ -372,14 +396,17 @@
for( Iterator i = aciTuples.iterator(); i.hasNext(); )
{
ACITuple tuple = ( ACITuple ) i.next();
- itemLoop: for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
+ for( Iterator j = tuple.getProtectedItems().iterator(); j.hasNext(); )
{
ProtectedItem item = ( ProtectedItem ) j.next();
if( item instanceof ProtectedItem.RangeOfValues )
{
ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
- // FIXME I don't know what to do with this ExprNode.
- break;
+ if( entryEvaluator.evaluate( rov.getFilter(), entryName.toString(), entry ) )
+ {
+ filteredTuples.add( tuple );
+ break;
+ }
}
}
}
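Review bot: The new `entryEvaluator.evaluate( rov.getFilter(), entryName.toString(), entry )` applies the rangeOfValues filter to the whole entry, but X.501 defines rangeOfValues as protecting the individual attribute values for which the filter, evaluated on that value, is true. As written, once the entry as a whole satisfies the filter the tuple is considered to protect every value of every attribute in the request, including values the filter was meant to exclude, which for a deny tuple widens the denial and for a grant tuple widens the grant. Evaluate the filter against an `Attributes` holding only the `attrId`/`attrValue` being accessed (that needs a `javax.naming.directory.BasicAttributes` import), and skip entry-level operations where `attrId` is null; whether `ExpressionEvaluator` can evaluate a filter on such a single-attribute view should be confirmed, and the same correction presumably applies to the RangeOfValues branch of `matchProtectedItem`, which is outside this hunk. The enclosing method starts and ends outside this hunk.
```java
if( item instanceof ProtectedItem.RangeOfValues )
{
    ProtectedItem.RangeOfValues rov = ( ProtectedItem.RangeOfValues ) item;
    // rangeOfValues protects individual attribute values: the filter is
    // evaluated against the value being accessed, not the whole entry.
    if( attrId != null && attrValue != null )
    {
        Attributes valueOnly = new BasicAttributes( true );
        valueOnly.put( attrId, attrValue );
        if( entryEvaluator.evaluate( rov.getFilter(), entryName.toString(), valueOnly ) )
        {
            filteredTuples.add( tuple );
            break;
        }
    }
}
```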
@@ -441,7 +468,7 @@
private boolean matchProtectedItem(
Name userName,
Name entryName, String attrId, Object attrValue, Attributes entry,
- Collection protectedItems )
+ Collection protectedItems ) throws NamingException
{
for( Iterator i = protectedItems.iterator(); i.hasNext(); )
{
@@ -520,7 +547,11 @@
else if( item instanceof ProtectedItem.Classes )
{
ProtectedItem.Classes c = ( ProtectedItem.Classes ) item;
- // FIXME I don't know what to do yet
+ if( refinementEvaluator.evaluate(
+ c.getClasses(), entry.get( "objectClass" ) ) )
+ {
+ return true;
+ }
}
else if( item instanceof ProtectedItem.MaxImmSub )
{
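Review bot: `entry.get( "objectClass" )` on the new lines can return null — when the entry carries no objectClass attribute, or when `entry` was built case-sensitively and the attribute is stored as `objectclass` — and that null is passed straight into `refinementEvaluator.evaluate( c.getClasses(), ... )`; what the evaluator does with a null attribute is not visible here, but a NullPointerException escaping an authorization check is not a clean deny. Guard the lookup so a missing objectClass simply fails to match this item: `Attribute oc = entry.get( "objectClass" );` followed by `if( oc != null && refinementEvaluator.evaluate( c.getClasses(), oc ) ) { return true; }`. `matchProtectedItem` starts and ends outside this hunk.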
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/TupleCache.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/TupleCache.java?rev=291115&r1=291114&r2=291115&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/TupleCache.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/TupleCache.java Fri Sep 23 06:12:08 2005
@@ -17,26 +17,36 @@
package org.apache.ldap.server.authz;
-import org.apache.ldap.server.partition.ContextPartitionNexus;
-import org.apache.ldap.server.schema.ConcreteNameComponentNormalizer;
-import org.apache.ldap.server.jndi.ContextFactoryConfiguration;
-import org.apache.ldap.common.exception.LdapSchemaViolationException;
+import java.text.ParseException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import javax.naming.Name;
+import javax.naming.NamingEnumeration;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.ModificationItem;
+import javax.naming.directory.SearchControls;
+import javax.naming.directory.SearchResult;
+
+import org.apache.ldap.common.aci.ACIItem;
+import org.apache.ldap.common.aci.ACIItemParser;
import org.apache.ldap.common.exception.LdapInvalidAttributeValueException;
-import org.apache.ldap.common.message.ResultCodeEnum;
-import org.apache.ldap.common.acl.ACIItemParser;
-import org.apache.ldap.common.acl.ACIItem;
-import org.apache.ldap.common.name.LdapName;
+import org.apache.ldap.common.exception.LdapSchemaViolationException;
import org.apache.ldap.common.filter.ExprNode;
import org.apache.ldap.common.filter.SimpleNode;
+import org.apache.ldap.common.message.ResultCodeEnum;
+import org.apache.ldap.common.name.LdapName;
+import org.apache.ldap.server.jndi.ContextFactoryConfiguration;
+import org.apache.ldap.server.partition.ContextPartitionNexus;
+import org.apache.ldap.server.schema.ConcreteNameComponentNormalizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
-import javax.naming.directory.*;
-import javax.naming.Name;
-import javax.naming.NamingException;
-import javax.naming.NamingEnumeration;
-import java.util.*;
-import java.text.ParseException;
/**
Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/event/Evaluator.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/event/Evaluator.java?rev=291115&r1=291114&r2=291115&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/event/Evaluator.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/event/Evaluator.java Fri Sep 23 06:12:08 2005
@@ -21,7 +21,6 @@
import javax.naming.directory.Attributes;
import org.apache.ldap.common.filter.ExprNode;
-import org.apache.ldap.server.partition.impl.btree.IndexRecord;
/**