
1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz.support;
21  
22  
23  import java.util.ArrayList;
24  import java.util.Collection;
25  
26  import javax.naming.NamingException;
27  
28  import org.apache.directory.server.core.entry.ServerEntry;
29  import org.apache.directory.server.core.interceptor.context.OperationContext;
30  import org.apache.directory.server.schema.registries.Registries;
31  import org.apache.directory.shared.ldap.aci.ACITuple;
32  import org.apache.directory.shared.ldap.aci.MicroOperation;
33  import org.apache.directory.shared.ldap.aci.UserClass;
34  import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
35  import org.apache.directory.shared.ldap.entry.Value;
36  import org.apache.directory.shared.ldap.name.LdapDN;
37  
38  
39  /**
40   * An {@link ACITupleFilter} that chooses the tuples with the most specific user
41   * class. (18.8.4.2)
42   * <p>
43   * If more than one tuple remains, choose the tuples with the most specific user
44   * class. If there are any tuples matching the requestor with UserClasses element
45   * name or thisEntry, discard all other tuples. Otherwise if there are any tuples
46   * matching UserGroup, discard all other tuples. Otherwise if there are any tuples
47   * matching subtree, discard all other tuples.
48   *
49   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
50   * @version $Rev: 662440 $, $Date: 2008-06-02 16:00:23 +0200 (Mo, 02 Jun 2008) $
51   */
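public class MostSpecificUserClassFilter implements ACITupleFilter
{
    /**
     * Narrows the candidate tuples to those carrying the most specific kind of
     * user class, in this order of precedence:
     * <ol>
     *   <li>{@link UserClass.Name} or {@link UserClass.ThisEntry}</li>
     *   <li>{@link UserClass.UserGroup}</li>
     *   <li>{@link UserClass.Subtree}</li>
     * </ol>
     * The first level that selects at least one tuple wins and every other
     * tuple is discarded. Only <code>tuples</code> is read; the remaining
     * parameters are part of the {@link ACITupleFilter} signature and are not
     * used by this filter.
     * <p>
     * NOTE(review): specificity is decided from the <em>type</em> of the user
     * classes a tuple carries, not from which user class actually matched the
     * requestor (<code>userName</code> and <code>userGroupNames</code> are
     * never consulted here). If a tuple can carry several user classes, for
     * example a name that is not the requestor's together with a broader
     * class, it is ranked by its most specific class even when the requestor
     * only matched through the broader one. Confirm that the filters that run
     * before this one make that impossible, since the outcome feeds an access
     * control decision.
     *
     * @param tuples the candidate tuples left by the preceding filters
     * @return <code>tuples</code> itself (same instance, not a copy) when it
     *         holds at most one element or when no tuple carries any of the
     *         user classes above; otherwise a new collection holding the
     *         tuples selected at the winning precedence level, in the
     *         iteration order of <code>tuples</code>
     * @throws NamingException declared by the interface; nothing in this
     *         implementation throws it directly
     */
    public Collection<ACITuple> filter( 
            Registries registries, 
            Collection<ACITuple> tuples, 
            OperationScope scope, 
            OperationContext opContext,
            Collection<LdapDN> userGroupNames, 
            LdapDN userName, 
            ServerEntry userEntry, 
            AuthenticationLevel authenticationLevel,
            LdapDN entryName, 
            String attrId, 
            Value<?> attrValue, 
            ServerEntry entry, 
            Collection<MicroOperation> microOperations,
            ServerEntry entryView )
        throws NamingException
    {
        // Nothing to disambiguate with zero or one tuple.
        if ( tuples.size() <= 1 )
        {
            return tuples;
        }

        // If there are any tuples with UserClasses element name or thisEntry,
        // discard all other tuples.
        Collection<ACITuple> selected = selectByUserClass( tuples, UserClass.Name.class, UserClass.ThisEntry.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // Otherwise if there are any tuples with UserGroup,
        // discard all other tuples.
        selected = selectByUserClass( tuples, UserClass.UserGroup.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // Otherwise if there are any tuples with subtree,
        // discard all other tuples.
        selected = selectByUserClass( tuples, UserClass.Subtree.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // No tuple carries any of the ranked user classes: leave the set untouched.
        return tuples;
    }


    /**
     * Collects, in iteration order, every tuple that carries at least one user
     * class of one of the given types. Each tuple is added at most once.
     */
    private static Collection<ACITuple> selectByUserClass( Collection<ACITuple> tuples, Class<?>... userClassTypes )
    {
        Collection<ACITuple> selected = new ArrayList<ACITuple>();

        for ( ACITuple tuple : tuples )
        {
            if ( hasUserClassOfType( tuple, userClassTypes ) )
            {
                selected.add( tuple );
            }
        }

        return selected;
    }


    /**
     * Tells whether the tuple carries a user class that is an instance of any
     * of the given types.
     */
    private static boolean hasUserClassOfType( ACITuple tuple, Class<?>... userClassTypes )
    {
        for ( UserClass userClass : tuple.getUserClasses() )
        {
            for ( Class<?> type : userClassTypes )
            {
                if ( type.isInstance( userClass ) )
                {
                    return true;
                }
            }
        }

        return false;
    }

}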