
1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz.support;
21  
22  
23  import java.util.ArrayList;
24  import java.util.Collection;
25  
26  import javax.naming.NamingException;
27  
28  import org.apache.directory.server.core.entry.ServerEntry;
29  import org.apache.directory.server.core.interceptor.context.OperationContext;
30  import org.apache.directory.server.schema.registries.Registries;
31  import org.apache.directory.shared.ldap.aci.ACITuple;
32  import org.apache.directory.shared.ldap.aci.MicroOperation;
33  import org.apache.directory.shared.ldap.aci.ProtectedItem;
34  import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
35  import org.apache.directory.shared.ldap.entry.Value;
36  import org.apache.directory.shared.ldap.name.LdapDN;
37  
38  
39  /**
40   * An {@link ACITupleFilter} that chooses the tuples with the most specific
41   * protected item. (18.8.4.3, X.501)
42   * <p>
43   * If more than one tuple remains, choose the tuples with the most specific
44   * protected item. If the protected item is an attribute and there are tuples 
45   * that specify the attribute type explicitly, discard all other tuples. If
46   * the protected item is an attribute value, and there are tuples that specify
47   * the attribute value explicitly, discard all other tuples. A protected item
48   * which is a rangeOfValues is to be treated as specifying an attribute value
49   * explicitly.
50   * 
51   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
52   * @version $Rev: 662440 $, $Date: 2008-06-02 16:00:23 +0200 (Mo, 02 Jun 2008) $
53   */
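public class MostSpecificProtectedItemFilter implements ACITupleFilter
{
    /**
     * Narrows the candidate ACI tuples to those carrying the most specific
     * protected item (18.8.4.3, X.501).
     * <p>
     * The selection runs in two passes over {@code tuples}:
     * <ol>
     * <li>keep every tuple that has at least one protected item of kind
     * {@code AttributeType}, {@code AllAttributeValues}, {@code SelfValue} or
     * {@code AttributeValue}; if any tuple qualifies, that subset is returned;</li>
     * <li>otherwise keep every tuple that has at least one
     * {@code RangeOfValues} protected item; if any tuple qualifies, that
     * subset is returned.</li>
     * </ol>
     * If neither pass selects anything, the input is returned unchanged.
     * <p>
     * Only {@code tuples} is read by this method; the remaining parameters are
     * part of the {@link ACITupleFilter} signature and are not consulted here.
     * In particular the passes do not look at {@code attrId} or
     * {@code attrValue}, so this filter presumably relies on earlier filters
     * having already discarded tuples unrelated to the requested item --
     * verify against the filter chain before reordering it.
     *
     * @param tuples the candidate tuples; must not be {@code null}
     * @return {@code tuples} itself (not a copy) when it holds at most one
     *         tuple or when no tuple matches either pass; otherwise a new list
     *         holding the selected tuples, each at most once, in iteration order
     * @throws NamingException declared by the filter signature; this body
     *         contains no explicit throw
     */
    public Collection<ACITuple> filter( 
            Registries registries, 
            Collection<ACITuple> tuples, 
            OperationScope scope, 
            OperationContext opContext,
            Collection<LdapDN> userGroupNames, 
            LdapDN userName, 
            ServerEntry userEntry, 
            AuthenticationLevel authenticationLevel,
            LdapDN entryName, 
            String attrId, 
            Value<?> attrValue, 
            ServerEntry entry, 
            Collection<MicroOperation> microOperations,
            ServerEntry entryView )
        throws NamingException
    {
        // Nothing to disambiguate with zero or one candidate.
        if ( tuples.size() <= 1 )
        {
            return tuples;
        }

        Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();

        // If the protected item is an attribute and there are tuples that
        // specify the attribute type explicitly, discard all other tuples.
        for ( ACITuple tuple : tuples )
        {
            for ( ProtectedItem item : tuple.getProtectedItems() )
            {
                if ( item instanceof ProtectedItem.AttributeType || item instanceof ProtectedItem.AllAttributeValues
                    || item instanceof ProtectedItem.SelfValue || item instanceof ProtectedItem.AttributeValue )
                {
                    filteredTuples.add( tuple );
                    break;
                }
            }
        }

        if ( !filteredTuples.isEmpty() )
        {
            return filteredTuples;
        }

        // If the protected item is an attribute value, and there are tuples
        // that specify the attribute value explicitly, discard all other tuples.
        // A protected item which is a rangeOfValues is to be treated as
        // specifying an attribute value explicitly.
        //
        // NOTE(review): AttributeValue items are already matched by the first
        // pass, so only RangeOfValues is examined here; confirm this grouping
        // is the intended reading of X.501 18.8.4.3, since it determines which
        // grants and denials survive to the later filters.
        for ( ACITuple tuple : tuples )
        {
            for ( ProtectedItem item : tuple.getProtectedItems() )
            {
                if ( item instanceof ProtectedItem.RangeOfValues )
                {
                    filteredTuples.add( tuple );
                    // Stop at the first match, as the first pass does, so a
                    // tuple with several rangeOfValues items is selected once
                    // instead of being duplicated in the result.
                    break;
                }
            }
        }

        if ( !filteredTuples.isEmpty() )
        {
            return filteredTuples;
        }

        return tuples;
    }
}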