/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */
package org.apache.directory.server.core.authz.support;


import java.util.Collection;
import java.util.Iterator;

import javax.naming.NamingException;

import org.apache.directory.server.core.interceptor.context.OperationContext;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.aci.ProtectedItem;
import org.apache.directory.shared.ldap.aci.ProtectedItem.RestrictedByItem;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.entry.EntryAttribute;
import org.apache.directory.shared.ldap.entry.ServerEntry;
import org.apache.directory.shared.ldap.entry.Value;
import org.apache.directory.shared.ldap.name.DN;
import org.apache.directory.shared.ldap.schema.SchemaManager;


/**
 * An {@link ACITupleFilter} that discards all grant tuples which don't satisfy a
 * {@link org.apache.directory.shared.ldap.aci.ProtectedItem.RestrictedBy} constraint,
 * if one is present (18.8.3.3, X.501).
 * <p>
 * Only grants are ever removed: a grant is withdrawn when the entry lacks the
 * restricting attribute, or when that attribute does not contain the value
 * being operated on. Denials pass through unchanged.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 * @version $Rev: 927146 $, $Date: 2010-03-24 19:39:54 +0100 (Wed, 24 Mar 2010) $
 */
public class RestrictedByFilter implements ACITupleFilter
{
    /**
     * Removes, in place, every grant tuple whose RestrictedBy constraint is not
     * satisfied by the target entry. The filter is a no-op unless the operation
     * scope is {@link OperationScope#ATTRIBUTE_TYPE_AND_VALUE}.
     * <p>
     * Of the arguments, only {@code tuples}, {@code scope}, {@code attrId},
     * {@code attrValue} and {@code entry} are consulted; the others are part of
     * the common {@link ACITupleFilter} signature and are ignored here.
     *
     * @param tuples the candidate ACI tuples; modified in place and returned
     * @param scope the scope of the operation being authorized
     * @param attrId the attribute type of the value being operated on
     * @param attrValue the value being operated on
     * @param entry the entry the operation targets
     * @return the same {@code tuples} collection, with non-satisfying grants removed
     * @throws NamingException if the entry's attributes cannot be inspected
     */
    public Collection<ACITuple> filter(
        SchemaManager schemaManager,
        Collection<ACITuple> tuples,
        OperationScope scope,
        OperationContext opContext,
        Collection<DN> userGroupNames,
        DN userName,
        ServerEntry userEntry,
        AuthenticationLevel authenticationLevel,
        DN entryName,
        String attrId,
        Value<?> attrValue,
        ServerEntry entry,
        Collection<MicroOperation> microOperations,
        ServerEntry entryView )
        throws NamingException
    {
        // RestrictedBy only constrains attribute-value level operations; nothing
        // to evaluate for other scopes or when there is no tuple at all.
        if ( ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE ) || tuples.isEmpty() )
        {
            return tuples;
        }

        Iterator<ACITuple> candidates = tuples.iterator();

        while ( candidates.hasNext() )
        {
            ACITuple candidate = candidates.next();

            // Denials are never withdrawn by a RestrictedBy item; only grants are.
            if ( candidate.isGrant() && isRemovable( candidate, attrId, attrValue, entry ) )
            {
                candidates.remove();
            }
        }

        return tuples;
    }


    /**
     * Tells whether a grant tuple must be dropped because one of its RestrictedBy
     * items is not satisfied by {@code entry}.
     *
     * @param tuple the grant tuple to examine
     * @param attrId the attribute type of the value being operated on
     * @param attrValue the value being operated on
     * @param entry the entry the operation targets
     * @return {@code true} if any RestrictedBy item of the tuple applies to
     *         {@code attrId} and the entry's restricting attribute is absent or
     *         does not contain {@code attrValue}
     * @throws NamingException if the entry's attributes cannot be inspected
     */
    public boolean isRemovable( ACITuple tuple, String attrId, Value<?> attrValue, ServerEntry entry ) throws NamingException
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            if ( !( item instanceof ProtectedItem.RestrictedBy ) )
            {
                continue;
            }

            ProtectedItem.RestrictedBy restrictedBy = ( ProtectedItem.RestrictedBy ) item;
            Iterator<RestrictedByItem> constraints = restrictedBy.iterator();

            while ( constraints.hasNext() )
            {
                if ( isViolated( constraints.next(), attrId, attrValue, entry ) )
                {
                    return true;
                }
            }
        }

        return false;
    }


    /**
     * Evaluates a single RestrictedBy item against the operation's attribute
     * value and the target entry.
     *
     * @return {@code true} if the item names {@code attrId} and the entry's
     *         "valuesIn" attribute is missing or does not contain {@code attrValue}
     * @throws NamingException if the entry's attributes cannot be inspected
     */
    private boolean isViolated( RestrictedByItem rbItem, String attrId, Value<?> attrValue, ServerEntry entry )
        throws NamingException
    {
        // TODO Fix DIRSEVER-832
        // Attribute types are matched by a case-insensitive comparison of the
        // names only; the schema manager is not consulted, so an alias or OID
        // naming the same type presumably would not match here.
        if ( !attrId.equalsIgnoreCase( rbItem.getAttributeType() ) )
        {
            return false;
        }

        EntryAttribute restricting = entry.get( rbItem.getValuesIn() );

        // TODO Fix DIRSEVER-832
        // A missing restricting attribute counts as a violation, i.e. the grant
        // is withdrawn rather than kept.
        return ( restricting == null ) || !restricting.contains( attrValue );
    }
}