1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz.support;
21  
22  
23  import java.util.ArrayList;
24  import java.util.Collection;
25  
26  import org.apache.directory.api.ldap.aci.ACITuple;
27  import org.apache.directory.api.ldap.aci.ProtectedItem;
28  import org.apache.directory.api.ldap.aci.protectedItem.AllAttributeValuesItem;
29  import org.apache.directory.api.ldap.aci.protectedItem.AttributeTypeItem;
30  import org.apache.directory.api.ldap.aci.protectedItem.AttributeValueItem;
31  import org.apache.directory.api.ldap.aci.protectedItem.RangeOfValuesItem;
32  import org.apache.directory.api.ldap.aci.protectedItem.SelfValueItem;
33  import org.apache.directory.api.ldap.model.entry.Entry;
34  import org.apache.directory.api.ldap.model.exception.LdapException;
35  
36  
37  /**
38   * An {@link ACITupleFilter} that chooses the tuples with the most specific
39   * protected item. (18.8.4.3, X.501)
40   * <p>
41   * If more than one tuple remains, choose the tuples with the most specific
42   * protected item. If the protected item is an attribute and there are tuples 
43   * that specify the attribute type explicitly, discard all other tuples. If
44   * the protected item is an attribute value, and there are tuples that specify
45   * the attribute value explicitly, discard all other tuples. A protected item
46   * which is a rangeOfValues is to be treated as specifying an attribute value
47   * explicitly.
48   * 
49   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
50   */
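public class MostSpecificProtectedItemFilter implements ACITupleFilter
{
    /**
     * Narrows the candidate ACI tuples to those whose protected items are the
     * most specific, in two passes:
     * <ol>
     *   <li>keep the tuples that carry at least one {@link AttributeTypeItem},
     *       {@link AllAttributeValuesItem}, {@link SelfValueItem} or
     *       {@link AttributeValueItem};</li>
     *   <li>if the first pass kept nothing, keep the tuples that carry at least
     *       one {@link RangeOfValuesItem}.</li>
     * </ol>
     * If neither pass keeps a tuple, the candidate set is returned unchanged.
     * <p>
     * Each tuple appears at most once in a narrowed result, even when several
     * of its protected items match.
     * <p>
     * When no narrowing takes place (zero or one candidate, or no pass matched)
     * the collection obtained from {@code aciContext.getAciTuples()} is returned
     * as is, not a copy; otherwise a new list is returned.
     * <p>
     * NOTE(review): the first pass accepts value-level items
     * ({@link AttributeValueItem}, {@link SelfValueItem}) together with
     * type-level ones, and the item actually being protected is not consulted
     * here, whereas the X.501 text quoted on this class treats the attribute
     * and attribute-value cases separately. Since this decides which tuples
     * survive for the access decision, confirm that grouping is intended.
     *
     * @param aciContext supplies the candidate tuples through {@code getAciTuples()}
     * @param scope not read by this implementation
     * @param userEntry not read by this implementation
     * @return the narrowed tuples, or the candidate collection itself when
     *         nothing was narrowed
     * @throws LdapException declared by the overridden method; not raised by the
     *         code visible in this class
     */
    @Override
    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
        throws LdapException
    {
        Collection<ACITuple> candidates = aciContext.getAciTuples();

        // Nothing to choose between: zero or one tuple is already the answer.
        if ( candidates.size() <= 1 )
        {
            return candidates;
        }

        // If the protected item is an attribute and there are tuples that
        // specify the attribute type explicitly, discard all other tuples.
        Collection<ACITuple> explicitAttributeTuples = new ArrayList<>();

        for ( ACITuple tuple : candidates )
        {
            if ( hasExplicitAttributeItem( tuple ) )
            {
                explicitAttributeTuples.add( tuple );
            }
        }

        if ( !explicitAttributeTuples.isEmpty() )
        {
            return explicitAttributeTuples;
        }

        // If the protected item is an attribute value, and there are tuples
        // that specify the attribute value explicitly, discard all other tuples.
        // A protected item which is a rangeOfValues is to be treated as
        // specifying an attribute value explicitly.
        Collection<ACITuple> rangeOfValuesTuples = new ArrayList<>();

        for ( ACITuple tuple : candidates )
        {
            // One match per tuple is enough. The previous loop had no break, so
            // a tuple with several RangeOfValuesItem entries was added once per
            // entry and showed up duplicated in the result.
            if ( hasRangeOfValuesItem( tuple ) )
            {
                rangeOfValuesTuples.add( tuple );
            }
        }

        if ( !rangeOfValuesTuples.isEmpty() )
        {
            return rangeOfValuesTuples;
        }

        // No tuple was more specific than the others: keep them all.
        return candidates;
    }


    /**
     * Tells whether the tuple carries at least one protected item of the kinds
     * accepted by the first pass of {@link #filter}.
     *
     * @param tuple the tuple to inspect
     * @return {@code true} as soon as one matching protected item is found
     */
    private static boolean hasExplicitAttributeItem( ACITuple tuple )
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            if ( item instanceof AttributeTypeItem || item instanceof AllAttributeValuesItem
                || item instanceof SelfValueItem || item instanceof AttributeValueItem )
            {
                return true;
            }
        }

        return false;
    }


    /**
     * Tells whether the tuple carries at least one {@link RangeOfValuesItem}.
     *
     * @param tuple the tuple to inspect
     * @return {@code true} as soon as one {@link RangeOfValuesItem} is found
     */
    private static boolean hasRangeOfValuesItem( ACITuple tuple )
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            if ( item instanceof RangeOfValuesItem )
            {
                return true;
            }
        }

        return false;
    }
}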
109 }