1   /*
2    *  Licensed to the Apache Software Foundation (ASF) under one
3    *  or more contributor license agreements.  See the NOTICE file
4    *  distributed with this work for additional information
5    *  regarding copyright ownership.  The ASF licenses this file
6    *  to you under the Apache License, Version 2.0 (the
7    *  "License"); you may not use this file except in compliance
8    *  with the License.  You may obtain a copy of the License at
9    *  
10   *    http://www.apache.org/licenses/LICENSE-2.0
11   *  
12   *  Unless required by applicable law or agreed to in writing,
13   *  software distributed under the License is distributed on an
14   *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   *  KIND, either express or implied.  See the License for the
16   *  specific language governing permissions and limitations
17   *  under the License. 
18   *  
19   */
20  package org.apache.directory.server.core.authz.support;
21  
22  
23  import java.util.Collection;
24  import java.util.Iterator;
25  
26  import org.apache.directory.api.ldap.aci.ACITuple;
27  import org.apache.directory.api.ldap.aci.ProtectedItem;
28  import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByElem;
29  import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem;
30  import org.apache.directory.api.ldap.model.entry.Attribute;
31  import org.apache.directory.api.ldap.model.entry.Entry;
32  import org.apache.directory.api.ldap.model.entry.Value;
33  import org.apache.directory.api.ldap.model.exception.LdapException;
34  import org.apache.directory.api.ldap.model.schema.AttributeType;
35  
36  
37  /**
 * An {@link ACITupleFilter} that discards every grant tuple whose
 * {@link org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem} constraint is not satisfied
 * by the protected attribute value (X.501, 18.8.3.3). Deny tuples are never removed.
40   *
41   * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
42   */
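public class RestrictedByFilter implements ACITupleFilter
{
    /**
     * Drops every <em>grant</em> tuple whose {@link RestrictedByItem} constraint is
     * not met by the attribute value being protected. Deny tuples are never
     * touched, so an unmet restriction can only narrow access, never widen it.
     *
     * @param aciContext the ACI evaluation context (tuples, attribute type, value, target entry)
     * @param scope the operation scope; only {@code ATTRIBUTE_TYPE_AND_VALUE} is filtered
     * @param userEntry the entry of the requesting user (not consulted by this filter)
     * @return the tuple collection held by the context, possibly reduced in place
     * @throws LdapException declared by the {@link ACITupleFilter} contract
     */
    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
        throws LdapException
    {
        Collection<ACITuple> tuples = aciContext.getAciTuples();

        // RestrictedBy only constrains individual attribute values (X.501 18.8.3.3);
        // any other scope, or an already-empty tuple set, passes through untouched.
        if ( ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE ) || tuples.isEmpty() )
        {
            return tuples;
        }

        AttributeType attributeType = aciContext.getAttributeType();
        Value attrValue = aciContext.getAttrValue();
        Entry entry = aciContext.getEntry();

        for ( Iterator<ACITuple> it = tuples.iterator(); it.hasNext(); )
        {
            ACITuple tuple = it.next();

            // Only grants can be invalidated by a restriction. A deny tuple must
            // survive this filter; dropping it would silently widen access.
            if ( tuple.isGrant() && isRemovable( tuple, attributeType, attrValue, entry ) )
            {
                it.remove();
            }
        }

        return tuples;
    }


    /**
     * Tells whether a grant tuple has to be discarded because one of its
     * {@link RestrictedByItem} elements is not satisfied.
     * <p>
     * An element {@code (attributeType, valuesIn)} is satisfied when the protected
     * value is also present as a value of the {@code valuesIn} attribute of the
     * target entry. The first unsatisfied element wins: the tuple is removed as
     * soon as any applicable restriction fails.
     *
     * @param tuple the grant tuple to examine
     * @param attributeType the attribute type of the protected value
     * @param attrValue the protected value
     * @param entry the target entry, or {@code null} when there is none
     * @return {@code true} if the tuple must be removed, {@code false} otherwise
     */
    public boolean isRemovable( ACITuple tuple, AttributeType attributeType, Value attrValue, Entry entry )
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            if ( !( item instanceof RestrictedByItem ) )
            {
                continue;
            }

            RestrictedByItem restrictedBy = ( RestrictedByItem ) item;

            for ( Iterator<RestrictedByElem> k = restrictedBy.iterator(); k.hasNext(); )
            {
                RestrictedByElem elem = k.next();

                // TODO Fix DIRSEVER-832
                // Only elements restricting the attribute type at hand apply.
                if ( !attributeType.equals( elem.getAttributeType() ) )
                {
                    continue;
                }

                // Without a target entry the value cannot be present in valuesIn,
                // so the restriction is unmet: fail closed rather than dereference null.
                if ( entry == null )
                {
                    return true;
                }

                Attribute valuesIn = entry.get( elem.getValuesIn() );

                // TODO Fix DIRSEVER-832
                // The restriction holds only if valuesIn exists and carries the
                // very value being protected.
                if ( ( valuesIn == null ) || !valuesIn.contains( attrValue ) )
                {
                    return true;
                }
            }
        }

        return false;
    }
}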