Source code

001/*
002 *  Licensed to the Apache Software Foundation (ASF) under one
003 *  or more contributor license agreements.  See the NOTICE file
004 *  distributed with this work for additional information
005 *  regarding copyright ownership.  The ASF licenses this file
006 *  to you under the Apache License, Version 2.0 (the
007 *  "License"); you may not use this file except in compliance
008 *  with the License.  You may obtain a copy of the License at
009 *  
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *  
012 *  Unless required by applicable law or agreed to in writing,
013 *  software distributed under the License is distributed on an
014 *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 *  KIND, either express or implied.  See the License for the
016 *  specific language governing permissions and limitations
017 *  under the License. 
018 *  
019 */
020package org.apache.directory.server.core.authz.support;
021
022
023import java.util.Collection;
024import java.util.Iterator;
025
026import org.apache.directory.api.ldap.aci.ACITuple;
027import org.apache.directory.api.ldap.aci.ProtectedItem;
028import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByElem;
029import org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem;
030import org.apache.directory.api.ldap.model.entry.Attribute;
031import org.apache.directory.api.ldap.model.entry.Entry;
032import org.apache.directory.api.ldap.model.entry.Value;
033import org.apache.directory.api.ldap.model.exception.LdapException;
034import org.apache.directory.api.ldap.model.schema.AttributeType;
035
036
037/**
038 * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy
039 * {@link org.apache.directory.api.ldap.aci.protectedItem.RestrictedByItem} constraint if available. (18.8.3.3, X.501)
040 *
041 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
042 */
043public class RestrictedByFilter implements ACITupleFilter
044{
045    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
046        throws LdapException
047    {
048        if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
049        {
050            return aciContext.getAciTuples();
051        }
052
053        if ( aciContext.getAciTuples().isEmpty() )
054        {
055            return aciContext.getAciTuples();
056        }
057
058        for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator(); ii.hasNext(); )
059        {
060            ACITuple tuple = ii.next();
061
062            if ( !tuple.isGrant() )
063            {
064                continue;
065            }
066
067            if ( isRemovable( tuple, aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
068            {
069                ii.remove();
070            }
071        }
072
073        return aciContext.getAciTuples();
074    }
075
076
077    public boolean isRemovable( ACITuple tuple, AttributeType attributeType, Value attrValue, Entry entry )
078    {
079        for ( ProtectedItem item : tuple.getProtectedItems() )
080        {
081            if ( item instanceof RestrictedByItem )
082            {
083                RestrictedByItem rb = ( RestrictedByItem ) item;
084
085                for ( Iterator<RestrictedByElem> k = rb.iterator(); k.hasNext(); )
086                {
087                    RestrictedByElem rbItem = k.next();
088
089                    // TODO Fix DIRSEVER-832 
090                    if ( attributeType.equals( rbItem.getAttributeType() ) )
091                    {
092                        Attribute attr = entry.get( rbItem.getValuesIn() );
093
094                        // TODO Fix DIRSEVER-832
095                        if ( ( attr == null ) || !attr.contains( attrValue ) )
096                        {
097                            return true;
098                        }
099                    }
100                }
101            }
102        }
103
104        return false;
105    }
106}