20 package org.apache.directory.server.core.authz.support;
23 import java.util.ArrayList;
24 import java.util.Collection;
26 import org.apache.directory.api.ldap.aci.ACITuple;
27 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
28 import org.apache.directory.api.ldap.model.entry.Entry;
29 import org.apache.directory.api.ldap.model.exception.LdapException;
30 import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
31 import org.apache.directory.api.ldap.model.schema.SchemaManager;
32 import org.apache.directory.server.core.api.CoreSession;
33 import org.apache.directory.server.core.api.event.Evaluator;
34 import org.apache.directory.server.core.api.event.ExpressionEvaluator;
35 import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
36 import org.apache.directory.server.core.api.subtree.SubtreeEvaluator;
37 import org.apache.directory.server.core.api.subtree.RefinementEvaluator;
38 import org.apache.directory.server.core.api.subtree.RefinementLeafEvaluator;
/**
 * Access Control Decision Function (ACDF) for the basic access control scheme.
 *
 * The decision is made by pushing the candidate {@link ACITuple}s of an
 * {@link AciContext} through a fixed, ordered chain of {@link ACITupleFilter}s
 * and then granting the operation only if every tuple that survived the chain
 * is a grant.  The engine is fail-closed: an empty tuple set at any stage, or a
 * single surviving denial, results in a refusal.
 *
 * The only state held by an instance is the filter chain built in the
 * constructor.
 */
public class ACDFEngine
{
    /**
     * Filter chain, applied strictly in array order.  Each stage receives the
     * tuples left over by the previous one and returns the tuples it keeps.
     */
    private final ACITupleFilter[] filters;


    /**
     * Builds an engine whose evaluators and filters are bound to the given
     * schema manager.
     *
     * @param schemaManager the schema manager the evaluators and filters consult
     */
    public ACDFEngine( SchemaManager schemaManager )
    {
        Evaluator entryEvaluator = new ExpressionEvaluator( schemaManager );
        SubtreeEvaluator subtreeEvaluator = new SubtreeEvaluator( schemaManager );
        RefinementLeafEvaluator leafEvaluator = new RefinementLeafEvaluator( schemaManager );
        RefinementEvaluator refinementEvaluator = new RefinementEvaluator( leafEvaluator );

        // The order is significant: relatedness filters first, then the
        // constraint filters, and finally the precedence / specificity filters
        // that pick out the tuples which actually decide the outcome.
        ArrayList<ACITupleFilter> chain = new ArrayList<ACITupleFilter>();
        chain.add( new RelatedUserClassFilter( subtreeEvaluator ) );
        chain.add( new RelatedProtectedItemFilter( refinementEvaluator, entryEvaluator, schemaManager ) );
        chain.add( new MaxValueCountFilter() );
        chain.add( new MaxImmSubFilter( schemaManager ) );
        chain.add( new RestrictedByFilter() );
        chain.add( new MicroOperationFilter() );
        chain.add( new HighestPrecedenceFilter() );
        chain.add( new MostSpecificUserClassFilter() );
        chain.add( new MostSpecificProtectedItemFilter() );

        filters = chain.toArray( new ACITupleFilter[chain.size()] );
    }


    /**
     * Enforces the access control decision for the given context.
     *
     * @param aciContext the context describing the requested operation
     * @throws LdapNoPermissionException if {@link #hasPermission(AciContext)} denies the operation
     * @throws LdapException if evaluating the decision fails
     */
    public void checkPermission( AciContext aciContext ) throws LdapException
    {
        boolean granted = hasPermission( aciContext );

        if ( granted )
        {
            return;
        }

        throw new LdapNoPermissionException();
    }


    /**
     * Computes the access control decision for the given context.
     *
     * As a side effect the tuple collection held by {@code aciContext} is
     * replaced by a private copy and then narrowed by each filter, so after
     * this call {@code aciContext.getAciTuples()} holds the tuples that decided
     * the outcome rather than the original candidates.
     *
     * @param aciContext the context describing the requested operation; its entry DN must be set
     * @return {@code true} only if at least one tuple survives the whole filter
     *         chain and every surviving tuple is a grant
     * @throws IllegalArgumentException if the context has no entry DN
     * @throws LdapException if looking up the user entry or running a filter fails
     */
    public boolean hasPermission( AciContext aciContext ) throws LdapException
    {
        if ( aciContext.getEntryDn() == null )
        {
            throw new IllegalArgumentException( "entryName" );
        }

        Entry userEntry = lookupUserEntry( aciContext );
        OperationScope scope = resolveScope( aciContext );

        // Work on a private copy so the filters can never mutate the
        // collection the caller handed in.
        aciContext.setAciTuples( new ArrayList<ACITuple>( aciContext.getAciTuples() ) );

        for ( ACITupleFilter filter : filters )
        {
            // Nothing left to evaluate means nothing grants: deny.
            if ( aciContext.getAciTuples().isEmpty() )
            {
                return false;
            }

            Collection<ACITuple> kept = filter.filter( aciContext, scope, userEntry );
            aciContext.setAciTuples( kept );
        }

        Collection<ACITuple> decisive = aciContext.getAciTuples();

        if ( decisive.isEmpty() )
        {
            return false;
        }

        return allGrants( decisive );
    }


    /**
     * Fetches the entry of the requesting user so that the filters can
     * evaluate user-class membership against it.
     *
     * The lookup goes straight to the partition nexus rather than through the
     * session's operation API; presumably this avoids re-entering the
     * interceptor chain (and thus this engine) while a decision is being
     * made -- confirm against the callers.
     *
     * @param aciContext the context whose user DN and operation context are used
     * @return the user's entry with all attributes requested
     * @throws LdapException if the lookup fails
     */
    private static Entry lookupUserEntry( AciContext aciContext ) throws LdapException
    {
        CoreSession session = aciContext.getOperationContext().getSession();

        LookupOperationContext lookupContext = new LookupOperationContext( session, aciContext.getUserDn(),
            SchemaConstants.ALL_ATTRIBUTES_ARRAY );
        lookupContext.setPartition( aciContext.getOperationContext().getPartition() );
        lookupContext.setTransaction( aciContext.getOperationContext().getTransaction() );

        return session.getDirectoryService().getPartitionNexus().lookup( lookupContext );
    }


    /**
     * Derives the scope of the protected item from what the context carries:
     * no attribute type means the whole entry, an attribute type without a
     * value means the attribute, and both means a single attribute value.
     *
     * @param aciContext the context describing the requested operation
     * @return the scope the filters should evaluate the tuples against
     */
    private static OperationScope resolveScope( AciContext aciContext )
    {
        if ( aciContext.getAttributeType() == null )
        {
            return OperationScope.ENTRY;
        }

        return aciContext.getAttrValue() == null
            ? OperationScope.ATTRIBUTE_TYPE
            : OperationScope.ATTRIBUTE_TYPE_AND_VALUE;
    }


    /**
     * Tells whether every tuple in the collection is a grant.  Any surviving
     * denial wins, so a single non-grant tuple makes the decision a refusal.
     *
     * @param tuples the tuples that survived the filter chain
     * @return {@code true} if no tuple is a denial
     */
    private static boolean allGrants( Collection<ACITuple> tuples )
    {
        for ( ACITuple tuple : tuples )
        {
            if ( !tuple.isGrant() )
            {
                return false;
            }
        }

        return true;
    }
}