001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.core.authz.support; 021 022 023import java.util.ArrayList; 024import java.util.Collection; 025 026import org.apache.directory.api.ldap.aci.ACITuple; 027import org.apache.directory.api.ldap.aci.ProtectedItem; 028import org.apache.directory.api.ldap.aci.protectedItem.AllAttributeValuesItem; 029import org.apache.directory.api.ldap.aci.protectedItem.AttributeTypeItem; 030import org.apache.directory.api.ldap.aci.protectedItem.AttributeValueItem; 031import org.apache.directory.api.ldap.aci.protectedItem.RangeOfValuesItem; 032import org.apache.directory.api.ldap.aci.protectedItem.SelfValueItem; 033import org.apache.directory.api.ldap.model.entry.Entry; 034import org.apache.directory.api.ldap.model.exception.LdapException; 035 036 037/** 038 * An {@link ACITupleFilter} that chooses the tuples with the most specific 039 * protected item. (18.8.4.3, X.501) 040 * <p> 041 * If more than one tuple remains, choose the tuples with the most specific 042 * protected item. 
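If the protected item is an attribute and there are tuples
 * that specify the attribute type explicitly, discard all other tuples. If
 * the protected item is an attribute value, and there are tuples that specify
 * the attribute value explicitly, discard all other tuples. A protected item
 * which is a rangeOfValues is to be treated as specifying an attribute value
 * explicitly.
 * <p>
 * Implementation shape: a first pass keeps every tuple carrying at least one
 * {@link AttributeTypeItem}, {@link AllAttributeValuesItem}, {@link SelfValueItem}
 * or {@link AttributeValueItem}; only if that pass keeps nothing does a second pass
 * keep the tuples carrying a {@link RangeOfValuesItem}. If neither pass keeps
 * anything the tuples are returned unchanged.
 * <p>
 * NOTE(review): the rule above says a rangeOfValues counts as an explicit attribute
 * value, yet this implementation ranks {@link RangeOfValuesItem} strictly below the
 * first-pass items: a tuple whose only qualifying item is a rangeOfValues is dropped
 * whenever any other tuple carries a first-pass item. The first pass also does not
 * distinguish type-level items from value-level items. Because the tuples that
 * survive this step presumably determine which grant/deny tuples reach the later
 * precedence steps, confirm against X.501 18.8.4.3 before changing either point.
 * <p>
 * NOTE(review): neither {@code scope} nor {@code userEntry} is consulted, and the
 * filter never checks that a qualifying item refers to the attribute or value
 * actually being accessed; it assumes an earlier filter in the chain has already
 * dropped unrelated protected items. Verify that assumption against the chain.
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public class MostSpecificProtectedItemFilter implements ACITupleFilter
{
    /**
     * Keeps only the tuples with the most specific protected item, as described
     * on the class.
     * <p>
     * Each surviving tuple appears exactly once in the result, even when it
     * carries several qualifying protected items.
     *
     * @param aciContext the context holding the candidate tuples; only
     *        {@code getAciTuples()} is read
     * @param scope not consulted by this filter
     * @param userEntry not consulted by this filter
     * @return the context's own tuple collection when it holds at most one tuple
     *         or when no tuple carries a qualifying protected item; otherwise a
     *         new list holding the surviving tuples
     * @throws LdapException declared by {@link ACITupleFilter}; not thrown here
     */
    @Override
    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
        throws LdapException
    {
        Collection<ACITuple> tuples = aciContext.getAciTuples();

        // A single tuple (or none) is trivially the most specific one.
        if ( tuples.size() <= 1 )
        {
            return tuples;
        }

        // First pass: tuples that name the attribute type or value explicitly.
        Collection<ACITuple> explicitTuples = tuplesCarrying( tuples, AttributeTypeItem.class,
            AllAttributeValuesItem.class, SelfValueItem.class, AttributeValueItem.class );

        if ( !explicitTuples.isEmpty() )
        {
            return explicitTuples;
        }

        // Second pass: a rangeOfValues is treated as specifying an attribute value
        // explicitly, but only considered when the first pass kept nothing.
        Collection<ACITuple> rangeTuples = tuplesCarrying( tuples, RangeOfValuesItem.class );

        if ( !rangeTuples.isEmpty() )
        {
            return rangeTuples;
        }

        // No tuple is more specific than the others: leave the set untouched.
        return tuples;
    }


    /**
     * Selects the tuples carrying at least one protected item of any of the given
     * types. A tuple is added at most once regardless of how many of its items
     * qualify.
     *
     * @param tuples the candidate tuples
     * @param itemTypes the {@link ProtectedItem} subtypes that qualify
     * @return a new list of the qualifying tuples, in input order; possibly empty
     */
    private static Collection<ACITuple> tuplesCarrying( Collection<ACITuple> tuples, Class<?>... itemTypes )
    {
        Collection<ACITuple> selected = new ArrayList<>();

        for ( ACITuple tuple : tuples )
        {
            if ( carriesAny( tuple, itemTypes ) )
            {
                selected.add( tuple );
            }
        }

        return selected;
    }


    /**
     * Tells whether a tuple has at least one protected item that is an instance
     * of one of the given types.
     *
     * @param tuple the tuple to inspect
     * @param itemTypes the qualifying {@link ProtectedItem} subtypes
     * @return true as soon as one of the tuple's items matches one of the types
     */
    private static boolean carriesAny( ACITuple tuple, Class<?>[] itemTypes )
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            for ( Class<?> itemType : itemTypes )
            {
                // isInstance() is the reflective equivalent of the instanceof checks
                // this filter is specified with.
                if ( itemType.isInstance( item ) )
                {
                    return true;
                }
            }
        }

        return false;
    }
}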