001 /* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020 package org.apache.directory.shared.ldap.aci; 021 022 023 import java.io.Serializable; 024 import java.util.ArrayList; 025 import java.util.Collection; 026 import java.util.Collections; 027 import java.util.Iterator; 028 029 import javax.naming.NamingException; 030 import javax.naming.directory.Attribute; 031 032 import org.apache.directory.shared.ldap.filter.ExprNode; 033 034 035 /** 036 * Defines the items to which the access controls apply. 037 * 038 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a> 039 * @version $Rev: 664290 $, $Date: 2008-06-07 08:28:06 +0200 (Sat, 07 Jun 2008) $ 040 */ 041 public abstract class ProtectedItem implements Serializable 042 { 043 /** 044 * The entry contents as a whole. In case of a family member, it also means 045 * the entry content of each subordinate family member within the same 046 * compound attribute. It does not necessarily include the information in 047 * these entries. This element shall be ignored if the classes element is 048 * present, since this latter element selects protected entries (and 049 * subordinate family members) on the basis of their object class. 050 */ 051 public static final Entry ENTRY = new Entry(); 052 053 /** 054 * All user attribute type information associated with the entry, but not 055 * values associated with those attributes. 056 */ 057 public static final AllUserAttributeTypes ALL_USER_ATTRIBUTE_TYPES = new AllUserAttributeTypes(); 058 059 /** 060 * All user attribute information associated with the entry, including all 061 * values of all user attributes. 062 */ 063 public static final AllUserAttributeTypesAndValues ALL_USER_ATTRIBUTE_TYPES_AND_VALUES = new AllUserAttributeTypesAndValues(); 064 065 066 /** 067 * Creates a new instance. 068 */ 069 protected ProtectedItem() 070 { 071 } 072 073 074 /** 075 * The contents of entries (possibly a family member) which are restricted 076 * to those that have object class values that satisfy the predicate defined 077 * by Refinement (see 12.3.5), together (in the case of an ancestor or other 078 * family member) with the entry contents as a whole of each subordinate 079 * family member entry; it does not necessarily include the information in 080 * these entries. 081 */ 082 public static class Classes extends ProtectedItem 083 { 084 private static final long serialVersionUID = -8553151906617285325L; 085 086 private final ExprNode classes; 087 088 089 /** 090 * Creates a new instance. 091 * 092 * @param classes 093 * refinement 094 */ 095 public Classes(ExprNode classes) 096 { 097 this.classes = classes; 098 } 099 100 101 public ExprNode getClasses() 102 { 103 return classes; 104 } 105 106 107 public boolean equals( Object o ) 108 { 109 if ( this == o ) 110 { 111 return true; 112 } 113 114 if ( o instanceof Classes ) 115 { 116 Classes that = ( Classes ) o; 117 return this.classes.equals( that.classes ); 118 } 119 120 return false; 121 } 122 123 124 /** 125 * @see Object#toString() 126 */ 127 public String toString() 128 { 129 StringBuilder buf = new StringBuilder(); 130 131 buf.append( "classes " ); 132 classes.printRefinementToBuffer( buf ); 133 134 return buf.toString(); 135 } 136 } 137 138 /** 139 * The entry contents as a whole. In case of a family member, it also means 140 * the entry content of each subordinate family member within the same 141 * compound attribute. It does not necessarily include the information in 142 * these entries. This element shall be ignored if the classes element is 143 * present, since this latter element selects protected entries (and 144 * subordinate family members) on the basis of their object class. 145 */ 146 public static class Entry extends ProtectedItem 147 { 148 private static final long serialVersionUID = -6971482229815999874L; 149 150 151 private Entry() 152 { 153 } 154 155 156 public String toString() 157 { 158 return "entry"; 159 } 160 } 161 162 /** 163 * All user attribute type information associated with the entry, but not 164 * values associated with those attributes. 165 */ 166 public static class AllUserAttributeTypes extends ProtectedItem 167 { 168 private static final long serialVersionUID = 3728652941148931359L; 169 170 171 private AllUserAttributeTypes() 172 { 173 } 174 175 176 public String toString() 177 { 178 return "allUserAttributeTypes"; 179 } 180 } 181 182 /** 183 * All user attribute information associated with the entry, including all 184 * values of all user attributes. 185 */ 186 public static class AllUserAttributeTypesAndValues extends ProtectedItem 187 { 188 private static final long serialVersionUID = 7250988885983604442L; 189 190 191 private AllUserAttributeTypesAndValues() 192 { 193 } 194 195 196 public String toString() 197 { 198 return "allUserAttributeTypesAndValues"; 199 } 200 } 201 202 /** 203 * A base class for all items which protects attribute types (or its values) 204 */ 205 private abstract static class AttributeTypeProtectedItem extends ProtectedItem 206 { 207 protected final Collection<String> attributeTypes; 208 209 210 /** 211 * Creates a new instance. 212 * 213 * @param attributeTypes the collection of attirbute IDs 214 */ 215 protected AttributeTypeProtectedItem( Collection<String> attributeTypes ) 216 { 217 this.attributeTypes = Collections.unmodifiableCollection( attributeTypes ); 218 } 219 220 221 /** 222 * Returns an iterator of all attribute IDs. 223 */ 224 public Iterator<String> iterator() 225 { 226 return attributeTypes.iterator(); 227 } 228 229 230 public boolean equals( Object o ) 231 { 232 if ( this == o ) 233 { 234 return true; 235 } 236 237 if ( o == null ) 238 { 239 return false; 240 } 241 242 if ( getClass().isAssignableFrom( o.getClass() ) ) 243 { 244 AttributeTypeProtectedItem that = ( AttributeTypeProtectedItem ) o; 245 return this.attributeTypes.equals( that.attributeTypes ); 246 } 247 248 return false; 249 } 250 251 252 /** 253 * @see Object#toString() 254 */ 255 public String toString() 256 { 257 StringBuilder buf = new StringBuilder(); 258 259 buf.append( "{ " ); 260 boolean isFirst = true; 261 262 for ( String attributeType:attributeTypes ) 263 { 264 if ( isFirst ) 265 { 266 isFirst = false; 267 } 268 else 269 { 270 buf.append( ", " ); 271 } 272 273 buf.append( attributeType ); 274 } 275 276 buf.append( " }" ); 277 278 return buf.toString(); 279 } 280 } 281 282 /** 283 * Attribute type information pertaining to specific attributes but not 284 * values associated with the type. 285 */ 286 public static class AttributeType extends AttributeTypeProtectedItem 287 { 288 private static final long serialVersionUID = -9039274739078220203L; 289 290 291 /** 292 * Creates a new instance. 293 * 294 * @param attributeTypes 295 * the collection of attribute IDs. 296 */ 297 public AttributeType( Collection<String> attributeTypes ) 298 { 299 super( attributeTypes ); 300 } 301 302 303 public String toString() 304 { 305 return "attributeType " + super.toString(); 306 } 307 } 308 309 /** 310 * All attribute value information pertaining to specific attributes. 311 */ 312 public static class AllAttributeValues extends AttributeTypeProtectedItem 313 { 314 private static final long serialVersionUID = -9039274739078220203L; 315 316 317 /** 318 * Creates a new instance. 319 * 320 * @param attributeTypes 321 * the collection of attribute IDs. 322 */ 323 public AllAttributeValues( Collection<String> attributeTypes ) 324 { 325 super( attributeTypes ); 326 } 327 328 329 public String toString() 330 { 331 return "allAttributeValues " + super.toString(); 332 } 333 } 334 335 /** 336 * The attribute value assertion corresponding to the current requestor. The 337 * protected item selfValue applies only when the access controls are to be 338 * applied with respect to a specific authenticated user. It can only apply 339 * in the specific case where the attribute specified is of DN and the 340 * attribute value within the specified attribute matches the DN of the 341 * originator of the operation. 342 */ 343 public static class SelfValue extends AttributeTypeProtectedItem 344 { 345 private static final long serialVersionUID = -7788463918070206609L; 346 347 348 /** 349 * Creates a new instance. 350 * 351 * @param attributeTypes the collection of attribute IDs. 352 */ 353 public SelfValue( Collection<String> attributeTypes ) 354 { 355 super( attributeTypes ); 356 } 357 358 359 public String toString() 360 { 361 return "selfValue " + super.toString(); 362 } 363 } 364 365 /** 366 * A specific value of specific attributes. 367 */ 368 public static class AttributeValue extends ProtectedItem 369 { 370 private static final long serialVersionUID = -258318397837951363L; 371 private final Collection<Attribute> attributes; 372 373 374 /** 375 * Creates a new instance. 376 * 377 * @param attributes 378 * the collection of {@link Attribute}s. 379 */ 380 public AttributeValue( Collection<Attribute> attributes ) 381 { 382 this.attributes = Collections.unmodifiableCollection( attributes ); 383 } 384 385 386 /** 387 * Returns an iterator of all {@link Attribute}s. 388 */ 389 public Iterator<Attribute> iterator() 390 { 391 return attributes.iterator(); 392 } 393 394 395 public boolean equals( Object o ) 396 { 397 if ( !super.equals( o ) ) 398 { 399 return false; 400 } 401 402 if ( o instanceof AttributeValue ) 403 { 404 AttributeValue that = ( AttributeValue ) o; 405 return this.attributes.equals( that.attributes ); 406 } 407 408 return false; 409 } 410 411 412 public String toString() 413 { 414 StringBuilder buf = new StringBuilder(); 415 416 buf.append( "attributeValue {" ); 417 418 for ( Iterator<Attribute> it = attributes.iterator(); it.hasNext(); ) 419 { 420 Attribute attribute = it.next(); 421 buf.append( attribute.getID() ); 422 buf.append( '=' ); 423 424 try 425 { 426 buf.append( attribute.get( 0 ) ); 427 } 428 catch ( NamingException e ) 429 { 430 // doesn't occur here, it is an Attribute 431 } 432 433 if ( it.hasNext() ) 434 { 435 buf.append( ", " ); 436 } 437 } 438 439 buf.append( " }" ); 440 441 return buf.toString(); 442 } 443 } 444 445 /** 446 * Restricts the maximum number of attribute values allowed for a specified 447 * attribute type. It is examined if the protected item is an attribute 448 * value of the specified type and the permission sought is add. Values of 449 * that attribute in the entry are counted without regard to context or 450 * access control and as though the operation which adds the values were 451 * successful. If the number of values in the attribute exceeds maxCount, 452 * the ACI item is treated as not granting add access. 453 */ 454 public static class MaxValueCount extends ProtectedItem 455 { 456 private static final long serialVersionUID = 5261651541488944572L; 457 458 private final Collection<ProtectedItem.MaxValueCountItem> items; 459 460 461 /** 462 * Creates a new instance. 463 * 464 * @param items 465 * the collection of {@link MaxValueCountItem}s. 466 */ 467 public MaxValueCount( Collection<MaxValueCountItem> items ) 468 { 469 this.items = Collections.unmodifiableCollection( new ArrayList<MaxValueCountItem>( items ) ); 470 } 471 472 473 /** 474 * Returns an iterator of all {@link MaxValueCountItem}s. 475 */ 476 public Iterator<MaxValueCountItem> iterator() 477 { 478 return items.iterator(); 479 } 480 481 482 public boolean equals( Object o ) 483 { 484 if ( !super.equals( o ) ) 485 { 486 return false; 487 } 488 489 if ( o instanceof MaxValueCount ) 490 { 491 MaxValueCount that = ( MaxValueCount ) o; 492 return this.items.equals( that.items ); 493 } 494 495 return false; 496 } 497 498 499 public String toString() 500 { 501 StringBuilder buf = new StringBuilder(); 502 503 buf.append( "maxValueCount {" ); 504 505 boolean isFirst = true; 506 507 for ( MaxValueCountItem item:items ) 508 { 509 if ( isFirst ) 510 { 511 isFirst = false; 512 } 513 else 514 { 515 buf.append( ", " ); 516 } 517 518 buf.append( item.toString() ); 519 } 520 521 buf.append( "}" ); 522 523 return buf.toString(); 524 } 525 } 526 527 /** 528 * Any attribute value which matches the specified filter, i.e. for which 529 * the specified filter evaluated on that attribute value would return TRUE. 530 */ 531 public static class RangeOfValues extends ProtectedItem 532 { 533 private static final long serialVersionUID = -8553151906617285325L; 534 535 private final ExprNode filter; 536 537 538 /** 539 * Creates a new instance. 540 * 541 * @param filter 542 * the expression 543 */ 544 public RangeOfValues(ExprNode filter) 545 { 546 if ( filter == null ) 547 { 548 throw new NullPointerException( "filter" ); 549 } 550 551 this.filter = filter; 552 } 553 554 555 /** 556 * Returns the expression. 557 */ 558 public ExprNode getFilter() 559 { 560 return filter; 561 } 562 563 564 public boolean equals( Object o ) 565 { 566 if ( this == o ) 567 { 568 return true; 569 } 570 571 if ( o instanceof RangeOfValues ) 572 { 573 RangeOfValues that = ( RangeOfValues ) o; 574 return this.filter.equals( that.filter ); 575 } 576 577 return false; 578 } 579 580 581 public String toString() 582 { 583 StringBuilder buf = new StringBuilder(); 584 585 buf.append( "rangeOfValues " ); 586 buf.append( filter.toString() ); 587 588 return buf.toString(); 589 } 590 } 591 592 /** 593 * Restricts the maximum number of immediate subordinates of the superior 594 * entry to an entry being added or imported. It is examined if the 595 * protected item is an entry, the permission sought is add or import, and 596 * the immediate superior entry is in the same DSA as the entry being added 597 * or imported. Immediate subordinates of the superior entry are counted 598 * without regard to context or access control as though the entry addition 599 * or importing were successful. If the number of subordinates exceeds 600 * maxImmSub, the ACI item is treated as not granting add or import access. 601 */ 602 public static class MaxImmSub extends ProtectedItem 603 { 604 private static final long serialVersionUID = -8553151906617285325L; 605 606 private final int value; 607 608 609 /** 610 * Creates a new instance. 611 * 612 * @param value 613 * The maximum number of immediate subordinates 614 */ 615 public MaxImmSub(int value) 616 { 617 this.value = value; 618 } 619 620 621 /** 622 * Returns the maximum number of immediate subordinates. 623 */ 624 public int getValue() 625 { 626 return value; 627 } 628 629 630 public boolean equals( Object o ) 631 { 632 if ( this == o ) 633 { 634 return true; 635 } 636 637 if ( o instanceof MaxImmSub ) 638 { 639 MaxImmSub that = ( MaxImmSub ) o; 640 return this.value == that.value; 641 } 642 643 return false; 644 } 645 646 647 public String toString() 648 { 649 return "maxImmSub " + value; 650 } 651 } 652 653 /** 654 * Restricts values added to the attribute type to being values that are 655 * already present in the same entry as values of the attribute valuesIn. It 656 * is examined if the protected item is an attribute value of the specified 657 * type and the permission sought is add. Values of the valuesIn attribute 658 * are checked without regard to context or access control and as though the 659 * operation which adds the values were successful. If the value to be added 660 * is not present in valuesIn the ACI item is treated as not granting add 661 * access. 662 */ 663 public static class RestrictedBy extends ProtectedItem 664 { 665 private static final long serialVersionUID = -8157637446588058799L; 666 private final Collection<RestrictedByItem> items; 667 668 669 /** 670 * Creates a new instance. 671 * 672 * @param items the collection of {@link RestrictedByItem}s. 673 */ 674 public RestrictedBy( Collection<RestrictedByItem> items) 675 { 676 this.items = Collections.unmodifiableCollection( items ); 677 } 678 679 680 /** 681 * Returns an iterator of all {@link RestrictedByItem}s. 682 */ 683 public Iterator<RestrictedByItem> iterator() 684 { 685 return items.iterator(); 686 } 687 688 689 public boolean equals( Object o ) 690 { 691 if ( !super.equals( o ) ) 692 { 693 return false; 694 } 695 696 if ( o instanceof RestrictedBy ) 697 { 698 RestrictedBy that = ( RestrictedBy ) o; 699 return this.items.equals( that.items ); 700 } 701 702 return false; 703 } 704 705 706 public String toString() 707 { 708 StringBuilder buf = new StringBuilder(); 709 710 buf.append( "restrictedBy {" ); 711 712 boolean isFirst = true; 713 714 for ( RestrictedByItem item:items ) 715 { 716 if ( isFirst ) 717 { 718 isFirst = false; 719 } 720 else 721 { 722 buf.append( ", " ); 723 } 724 725 buf.append( item.toString() ); 726 } 727 728 buf.append( '}' ); 729 730 return buf.toString(); 731 } 732 } 733 734 /** 735 * An element of {@link MaxValueCount}. 736 */ 737 public static class MaxValueCountItem implements Serializable 738 { 739 private static final long serialVersionUID = 43697038363452113L; 740 741 private String attributeType; 742 743 private int maxCount; 744 745 746 /** 747 * Creates a new instance. 748 * 749 * @param attributeType 750 * the attribute ID to limit the maximum count 751 * @param maxCount 752 * the maximum count of the attribute allowed 753 */ 754 755 public MaxValueCountItem(String attributeType, int maxCount) 756 { 757 this.attributeType = attributeType; 758 this.maxCount = maxCount; 759 } 760 761 762 /** 763 * Returns the attribute ID to limit the maximum count. 764 */ 765 public String getAttributeType() 766 { 767 return attributeType; 768 } 769 770 771 /** 772 * Returns the maximum count of the attribute allowed. 773 */ 774 public int getMaxCount() 775 { 776 return maxCount; 777 } 778 779 780 public String toString() 781 { 782 return "{ type " + attributeType + ", maxCount " + maxCount + " }"; 783 } 784 } 785 786 /** 787 * An element of {@link RestrictedBy}. 788 */ 789 public static class RestrictedByItem implements Serializable 790 { 791 private static final long serialVersionUID = 4319052153538757099L; 792 793 private String attributeType; 794 795 private String valuesIn; 796 797 798 /** 799 * Creates a new instance. 800 * 801 * @param attributeType 802 * the attribute type to restrict 803 * @param valuesIn 804 * the attribute type only whose values are allowed in 805 * <tt>attributeType</tt>. 806 */ 807 public RestrictedByItem(String attributeType, String valuesIn) 808 { 809 this.attributeType = attributeType; 810 this.valuesIn = valuesIn; 811 } 812 813 814 /** 815 * Returns the attribute type to restrict. 816 */ 817 public String getAttributeType() 818 { 819 return attributeType; 820 } 821 822 823 /** 824 * Returns the attribute type only whose values are allowed in 825 * <tt>attributeType</tt>. 826 */ 827 public String getValuesIn() 828 { 829 return valuesIn; 830 } 831 832 833 public String toString() 834 { 835 return "{ type " + attributeType + ", valuesIn " + valuesIn + " }"; 836 } 837 } 838 }