1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz.support;
21  
22  
23  import java.util.Collection;
24  import java.util.Iterator;
25  import java.util.Set;
26  
27  import org.apache.directory.api.ldap.aci.ACITuple;
28  import org.apache.directory.api.ldap.aci.UserClass;
29  import org.apache.directory.api.ldap.model.entry.Entry;
30  import org.apache.directory.api.ldap.model.exception.LdapException;
31  import org.apache.directory.api.ldap.model.name.Dn;
32  import org.apache.directory.api.ldap.model.subtree.SubtreeSpecification;
33  import org.apache.directory.server.core.api.subtree.SubtreeEvaluator;
34  import org.apache.directory.server.i18n.I18n;
35  
36  
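/**
 * An {@link ACITupleFilter} that discards all tuples whose {@link UserClass}es
 * are not related to the current user. (18.8.3.1, X.501)
 * <p>
 * The decision is deliberately asymmetric:
 * <ul>
 *   <li>a <b>grant</b> tuple is kept only when the requestor is related to one of its user
 *       classes <em>and</em> meets its authentication level;</li>
 *   <li>a <b>denial</b> tuple is discarded only when the requestor is unrelated <em>and</em>
 *       meets its authentication level, so a requestor who cannot prove who they are never
 *       sheds a denial (fail closed).</li>
 * </ul>
 * Tuples are removed in place from the collection held by the {@link AciContext}; the same
 * collection is returned.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public class RelatedUserClassFilter implements ACITupleFilter
{
    /** Evaluates {@link UserClass.Subtree} specifications against the requestor's entry. */
    private final SubtreeEvaluator subtreeEvaluator;


    /**
     * Creates a filter backed by the given evaluator.
     *
     * @param subtreeEvaluator the evaluator used for {@link UserClass.Subtree} user classes; it is
     *        only dereferenced when such a user class is encountered
     */
    public RelatedUserClassFilter( SubtreeEvaluator subtreeEvaluator )
    {
        this.subtreeEvaluator = subtreeEvaluator;
    }


    /**
     * {@inheritDoc}
     * <p>
     * For each tuple the relation test is computed once; the authentication level is then
     * consulted only where it can change the outcome (grant: only for a related requestor,
     * denial: only for an unrelated one). Matching tuples are removed from the context's
     * collection through the iterator.
     *
     * @throws LdapException if evaluating a {@link UserClass.Subtree} specification fails
     */
    @Override
    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
        throws LdapException
    {
        // In-place removal below only works on the context's live collection, which the
        // original in-place filtering already relied upon.
        Collection<ACITuple> tuples = aciContext.getAciTuples();

        if ( tuples.isEmpty() )
        {
            return tuples;
        }

        for ( Iterator<ACITuple> ii = tuples.iterator(); ii.hasNext(); )
        {
            ACITuple tuple = ii.next();

            // The relation test is identical for grants and denials, so compute it once per tuple.
            boolean related = isRelated( aciContext.getUserGroupNames(), aciContext.getUserDn(), userEntry,
                aciContext.getEntryDn(), tuple.getUserClasses() );

            boolean discard;

            if ( tuple.isGrant() )
            {
                // A grant survives only for a requestor who is both related and sufficiently authenticated.
                discard = !related || !meetsAuthenticationLevel( aciContext, tuple );
            }
            else
            {
                // Denials: dropped only for a requestor who is provably unrelated, i.e. unrelated
                // while sufficiently authenticated. An unrelated but weakly authenticated requestor
                // keeps the denial.
                discard = !related && meetsAuthenticationLevel( aciContext, tuple );
            }

            if ( discard )
            {
                ii.remove();
            }
        }

        return tuples;
    }


    /**
     * Tells whether the requestor's authentication level is at least the one the tuple demands.
     * <p>
     * This relies on the natural ordering of the authentication level type: a non-negative
     * {@code compareTo} result is read as "at least as strong" — confirm against that type if its
     * ordering ever changes.
     *
     * @param aciContext the context carrying the requestor's authentication level
     * @param tuple the tuple whose required level is checked
     * @return {@code true} if the requestor's level is greater than or equal to the tuple's
     */
    private static boolean meetsAuthenticationLevel( AciContext aciContext, ACITuple tuple )
    {
        return aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) >= 0;
    }


    /**
     * Tells whether the requestor is related to at least one of the given user classes.
     *
     * @param userGroupNames names of the groups the requestor belongs to
     * @param userName the requestor's DN
     * @param userEntry the requestor's entry, used for subtree evaluation
     * @param entryName the DN of the entry being accessed
     * @param userClasses the user classes of one tuple
     * @return {@code true} as soon as one user class relates to the requestor, {@code false} if none does
     * @throws LdapException if a subtree evaluation fails
     * @throws InternalError if a {@link UserClass} subtype unknown to this filter is encountered
     */
    private boolean isRelated( Collection<String> userGroupNames, Dn userName, Entry userEntry,
        Dn entryName, Collection<UserClass> userClasses ) throws LdapException
    {
        for ( UserClass userClass : userClasses )
        {
            if ( userClass == UserClass.ALL_USERS )
            {
                return true;
            }
            else if ( userClass == UserClass.THIS_ENTRY )
            {
                // NOTE(review): unlike the Name case below, a null userName is not guarded here and
                // would raise a NullPointerException; whether a null requestor DN can reach this
                // point is not established in this file.
                if ( userName.equals( entryName ) )
                {
                    return true;
                }
            }
            else if ( userClass == UserClass.PARENT_OF_ENTRY )
            {
                // NOTE(review): isDescendantOf() accepts any ancestor of the entry, not only the
                // immediate superior that the name "parent of entry" suggests — confirm intended.
                if ( entryName.isDescendantOf( userName ) )
                {
                    return true;
                }
            }
            else if ( userClass instanceof UserClass.Name )
            {
                if ( matchUserClassName( userName, ( UserClass.Name ) userClass ) )
                {
                    return true;
                }
            }
            else if ( userClass instanceof UserClass.UserGroup )
            {
                if ( matchUserClassUserGroup( userGroupNames, ( UserClass.UserGroup ) userClass ) )
                {
                    return true;
                }
            }
            else if ( userClass instanceof UserClass.Subtree )
            {
                if ( matchUserClassSubtree( userName, userEntry, ( UserClass.Subtree ) userClass ) )
                {
                    return true;
                }
            }
            else
            {
                // Unknown subtype: refuse to guess at its semantics rather than silently treat it
                // as related or unrelated.
                throw new InternalError( I18n.err( I18n.ERR_233, userClass.getClass().getName() ) );
            }
        }

        return false;
    }


    /**
     * Matches a {@link UserClass.Name} user class against the requestor's DN.
     * <p>
     * The comparison uses the DN's normalized form, presumably so that formatting differences
     * between the ACI and the bind DN do not matter. A null requestor DN never matches.
     *
     * @param userName the requestor's DN, may be null
     * @param nameUserClass the named user class
     * @return {@code true} if the normalized requestor DN is one of the listed names
     */
    private static boolean matchUserClassName( Dn userName, UserClass.Name nameUserClass )
    {
        return ( userName != null ) && nameUserClass.getNames().contains( userName.getNormName() );
    }


    /**
     * Matches a {@link UserClass.UserGroup} user class against the requestor's group names.
     * <p>
     * Membership is plain string equality: nothing here normalizes either side, so both are
     * expected to already be in the same form — verify against the producer of the group names.
     *
     * @param userGroupNames names of the groups the requestor belongs to; null elements are skipped
     * @param userGroupClass the user-group user class
     * @return {@code true} if any of the requestor's group names is listed in the user class
     */
    private static boolean matchUserClassUserGroup( Collection<String> userGroupNames,
        UserClass.UserGroup userGroupClass )
    {
        // Loop invariant: the tuple's group set does not depend on the requestor's group name.
        Set<String> dns = userGroupClass.getNames();

        for ( String userGroupName : userGroupNames )
        {
            if ( ( userGroupName != null ) && dns.contains( userGroupName ) )
            {
                return true;
            }
        }

        return false;
    }


    /**
     * Matches a {@link UserClass.Subtree} user class against the requestor's entry.
     * <p>
     * Each subtree specification is evaluated with {@link Dn#ROOT_DSE} as the base, i.e. relative
     * to the root of the DIT.
     *
     * @param userName the requestor's DN
     * @param userEntry the requestor's entry
     * @param subtree the subtree user class
     * @return {@code true} as soon as one specification contains the requestor's entry
     * @throws LdapException if the evaluator fails
     */
    private boolean matchUserClassSubtree( Dn userName, Entry userEntry, UserClass.Subtree subtree )
        throws LdapException
    {
        for ( SubtreeSpecification subtreeSpec : subtree.getSubtreeSpecifications() )
        {
            if ( subtreeEvaluator.evaluate( subtreeSpec, Dn.ROOT_DSE, userName, userEntry ) )
            {
                return true;
            }
        }

        return false;
    }
}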
184 }