001/* 002 * Licensed to the Apache Software Foundation (ASF) under one 003 * or more contributor license agreements. See the NOTICE file 004 * distributed with this work for additional information 005 * regarding copyright ownership. The ASF licenses this file 006 * to you under the Apache License, Version 2.0 (the 007 * "License"); you may not use this file except in compliance 008 * with the License. You may obtain a copy of the License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, 013 * software distributed under the License is distributed on an 014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 015 * KIND, either express or implied. See the License for the 016 * specific language governing permissions and limitations 017 * under the License. 018 * 019 */ 020package org.apache.directory.server.core.authz.support; 021 022 023import java.util.Collection; 024import java.util.Iterator; 025 026import org.apache.directory.api.ldap.aci.ACITuple; 027import org.apache.directory.api.ldap.aci.ProtectedItem; 028import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByElem; 029import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem; 030import org.apache.directory.api.ldap.model.entry.Attribute; 031import org.apache.directory.api.ldap.model.entry.Entry; 032import org.apache.directory.api.ldap.model.entry.Value; 033import org.apache.directory.api.ldap.model.exception.LdapException; 034import org.apache.directory.api.ldap.model.schema.AttributeType; 035 036 037/** 038 * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy 039 * {@link org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem} constraint if available. 
(18.8.3.3, X.501)
 *
 * <p>
 * Only <em>grant</em> tuples are ever discarded; denial tuples pass through untouched,
 * so running this filter can only make the final access decision more restrictive.
 * It is active solely for {@link OperationScope#ATTRIBUTE_TYPE_AND_VALUE} operations;
 * for any other scope the tuple collection is handed back unchanged. The constraint is
 * checked against the entry that is the target of the operation
 * ({@code aciContext.getEntry()}), not against the requesting user's entry.
 * </p>
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public class RestrictedByFilter implements ACITupleFilter
{
    /**
     * Removes, in place, every grant tuple whose restrictedBy constraint is not satisfied
     * by the target entry.
     *
     * @param aciContext the evaluation context; supplies the tuples, the attribute type and
     *                   value under evaluation, and the target entry
     * @param scope the operation scope; anything other than
     *              {@link OperationScope#ATTRIBUTE_TYPE_AND_VALUE} makes this a no-op
     * @param userEntry the requesting user's entry; not consulted by this filter
     * @return the context's tuple collection, possibly with grant tuples removed
     * @throws LdapException as declared by the {@link ACITupleFilter} contract
     */
    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
        throws LdapException
    {
        Collection<ACITuple> tuples = aciContext.getAciTuples();

        // Nothing to evaluate: wrong scope, or no tuples to begin with.
        if ( ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE ) || tuples.isEmpty() )
        {
            return tuples;
        }

        Iterator<ACITuple> it = tuples.iterator();

        while ( it.hasNext() )
        {
            ACITuple candidate = it.next();

            // Denials are never dropped; only grants are subject to restrictedBy.
            if ( candidate.isGrant()
                && isRemovable( candidate, aciContext.getAttributeType(), aciContext.getAttrValue(),
                    aciContext.getEntry() ) )
            {
                it.remove();
            }
        }

        return tuples;
    }


    /**
     * Tells whether a tuple must be discarded because one of its restrictedBy elements
     * is violated.
     *
     * <p>
     * For each restrictedBy element whose attribute type is the one being operated on, the
     * value under evaluation must already be held by the entry's {@code valuesIn} attribute.
     * If that attribute is absent from the entry, or does not contain the value, the
     * constraint fails and the tuple is removable. Tuples with no {@link RestrictedByItem},
     * and elements naming a different attribute type, never trigger removal.
     * </p>
     *
     * @param tuple the tuple to examine
     * @param attributeType the attribute type being operated on; it is dereferenced directly,
     *                      so a {@code null} here throws rather than silently keeping the grant
     * @param attrValue the attribute value under evaluation
     * @param entry the entry the operation targets
     * @return {@code true} if at least one matching restrictedBy element is violated
     */
    public boolean isRemovable( ACITuple tuple, AttributeType attributeType, Value attrValue, Entry entry )
    {
        for ( ProtectedItem item : tuple.getProtectedItems() )
        {
            if ( !( item instanceof RestrictedByItem ) )
            {
                continue;
            }

            Iterator<RestrictedByElem> elems = ( ( RestrictedByItem ) item ).iterator();

            while ( elems.hasNext() )
            {
                if ( isViolated( elems.next(), attributeType, attrValue, entry ) )
                {
                    return true;
                }
            }
        }

        return false;
    }


    /**
     * Checks a single restrictedBy element against the target entry.
     *
     * @param elem the restrictedBy element
     * @param attributeType the attribute type being operated on
     * @param attrValue the attribute value under evaluation
     * @param entry the entry the operation targets
     * @return {@code true} when the element concerns {@code attributeType} and the entry's
     *         {@code valuesIn} attribute is either missing or does not contain {@code attrValue}
     */
    private static boolean isViolated( RestrictedByElem elem, AttributeType attributeType, Value attrValue,
        Entry entry )
    {
        // TODO Fix DIRSEVER-832
        if ( !attributeType.equals( elem.getAttributeType() ) )
        {
            // Element is about some other attribute type; it imposes nothing here.
            return false;
        }

        Attribute valuesIn = entry.get( elem.getValuesIn() );

        // TODO Fix DIRSEVER-832
        // A missing valuesIn attribute, or one lacking the value, fails the constraint.
        // Whether the value matches is decided by Attribute.contains (its equality/normalisation
        // rules are not visible here).
        return ( valuesIn == null ) || !valuesIn.contains( attrValue );
    }
}