From akaras...@apache.org
Subject svn commit: r293136 - in /directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server: authn/AbstractAuthenticator.java authn/LdapPrincipal.java authn/SimpleAuthenticator.java authz/AuthorizationService.java schema/SchemaService.java
Date Sun, 02 Oct 2005 16:37:04 GMT
Author: akarasulu
Date: Sun Oct  2 09:36:58 2005
New Revision: 293136

URL: http://svn.apache.org/viewcvs?rev=293136&view=rev
Log:
changes ...

 o added new groups and auth level property to the LdapPrincipal for use 
   with authorization 
 o fixed elusive error message in schema service

todos ...

 o need to make authentication modules populate the LdapPrincipal with the 
   correct set of groups 


Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/AbstractAuthenticator.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/LdapPrincipal.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/SimpleAuthenticator.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
    directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/schema/SchemaService.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/AbstractAuthenticator.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/AbstractAuthenticator.java?rev=293136&r1=293135&r2=293136&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/AbstractAuthenticator.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/AbstractAuthenticator.java
Sun Oct  2 09:36:58 2005
@@ -20,7 +20,6 @@
 import javax.naming.NamingException;
 import javax.naming.spi.InitialContextFactory;
 
-import org.apache.ldap.common.name.LdapName;
 import org.apache.ldap.server.configuration.AuthenticatorConfiguration;
 import org.apache.ldap.server.jndi.ContextFactoryConfiguration;
 import org.apache.ldap.server.jndi.ServerContext;
@@ -128,12 +127,14 @@
      * <tt>name</tt>.
      *
      * @param name the distinguished name of the X.500 principal
+     * @param authenticationLeve
      * @return the principal for the <tt>name</tt>
      * @throws NamingException if there is a problem parsing <tt>name</tt>
      */
-    protected static LdapPrincipal createLdapPrincipal( String name ) throws NamingException
-    {
-        LdapName principalDn = new LdapName( name );
-        return new LdapPrincipal( principalDn );
-    }
+    // does not seem to be used
+//    protected static LdapPrincipal createLdapPrincipal( String name, AuthenticationLevel
authenticationLeve ) throws NamingException
+//    {
+//        LdapName principalDn = new LdapName( name );
+//        return new LdapPrincipal( principalDn, AuthenticationLevel.SIMPLE );
+//    }
 }
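Review bot: The replacement for createLdapPrincipal is commented-out code that carries the same typo twice, `@param authenticationLeve` in the Javadoc and `authenticationLeve` as the parameter name, and its body ignores that parameter and hard-codes `AuthenticationLevel.SIMPLE`. If the helper really is unused, delete it outright rather than leaving a dead, misleading draft in the class; if it is kept, the body should be `return new LdapPrincipal( principalDn, authenticationLevel );` with a described `@param authenticationLevel the level at which the principal authenticated`. Note also that the `LdapName` import removed in the previous hunk would be needed again the moment this code is uncommented.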

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/LdapPrincipal.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/LdapPrincipal.java?rev=293136&r1=293135&r2=293136&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/LdapPrincipal.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/LdapPrincipal.java
Sun Oct  2 09:36:58 2005
@@ -19,10 +19,13 @@
 
 import java.io.Serializable;
 import java.security.Principal;
+import java.util.Set;
+import java.util.Collections;
 
 import javax.naming.Name;
 
 import org.apache.ldap.common.name.LdapName;
+import org.apache.ldap.common.aci.AuthenticationLevel;
 
 
 /**
@@ -42,16 +45,42 @@
     /** the no name anonymous user whose DN is the empty String */
     public static final LdapPrincipal ANONYMOUS = new LdapPrincipal();
 
+    /** the authentication level for this principal */
+    private final AuthenticationLevel authenticationLevel;
+
+    /** the set of groups this user is a member of */
+    private final Set userGroupNames;
+
+
+    /**
+     * Creates a new LDAP/X500 principal without any group associations.  Keep
+     * this package friendly so only code in the package can create a
+     * trusted principal.
+     *
+     * @param name the normalized distinguished name of the principal
+     * @param authenticationLevel
+     */
+    LdapPrincipal( Name name, AuthenticationLevel authenticationLevel, Set userGroupNames
)
+    {
+        this.name = name;
+        this.authenticationLevel = authenticationLevel;
+        this.userGroupNames = userGroupNames;
+    }
+
 
     /**
-     * Creates a new LDAP/X500 principal.  Keep this package friendly so only code
-     * in the package can create a trusted principal.
+     * Creates a new LDAP/X500 principal without any group associations.  Keep
+     * this package friendly so only code in the package can create a
+     * trusted principal.
      *
      * @param name the normalized distinguished name of the principal
+     * @param authenticationLevel
      */
-    LdapPrincipal( Name name )
+    LdapPrincipal( Name name, AuthenticationLevel authenticationLevel )
     {
         this.name = name;
+        this.authenticationLevel = authenticationLevel;
+        this.userGroupNames = Collections.EMPTY_SET;
     }
 
 
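Review bot: The new three-argument constructor stores the caller's `Set` by reference (`this.userGroupNames = userGroupNames;`), so whoever built the set can still add or remove group DNs after the principal exists, and `getUserGroupNames()` later in this file only wraps that same live set in an unmodifiable view. Since the package-private constructor exists to produce a trusted, immutable principal, take a snapshot instead, e.g. `this.userGroupNames = Collections.unmodifiableSet( new HashSet( userGroupNames ) );` (adding `java.util.HashSet` to the imports), and either reject a `null` set or substitute `Collections.EMPTY_SET` so the getter cannot fail. Separately, the Javadoc on this constructor was copied from the two-argument one and says "without any group associations", which is the opposite of what it does, and both `@param authenticationLevel` tags lack a description; `@param authenticationLevel the level at which the user authenticated` would do.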
@@ -62,6 +91,8 @@
     private LdapPrincipal()
     {
         this.name = new LdapName();
+        this.authenticationLevel = AuthenticationLevel.NONE;
+        this.userGroupNames = Collections.EMPTY_SET;
     }
 
 
@@ -84,7 +115,31 @@
     {
         return name.toString();
     }
-    
+
+
+    /**
+     * Gets the authentication level associated with this LDAP principle.
+     *
+     * @return the authentication level
+     */
+    public AuthenticationLevel getAuthenticationLevel()
+    {
+        return authenticationLevel;
+    }
+
+
+    /**
+     * Gets a set containing LDAP distinguished names, {@link LdapName}s,
+     * representing the groups this user is a member of.
+     *
+     * @return the Set of LdapName objects with the DN of the group entry
+     */
+    public Set getUserGroupNames()
+    {
+        return Collections.unmodifiableSet( this.userGroupNames );
+    }
+
+
     /**
      * Returns string representation of the normalized distinguished name
      * of this principal.
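Review bot: The Javadoc on getAuthenticationLevel reads "this LDAP principle"; it should be `Gets the authentication level associated with this LDAP principal.`. The `@return` on getUserGroupNames would also help callers if it stated that the set is an unmodifiable view and may be empty, since the two-argument constructor always yields an empty set and code that makes access decisions from it needs to distinguish "no groups recorded" from a populated membership.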

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/SimpleAuthenticator.java?rev=293136&r1=293135&r2=293136&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/SimpleAuthenticator.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authn/SimpleAuthenticator.java
Sun Oct  2 09:36:58 2005
@@ -25,6 +25,7 @@
 import org.apache.ldap.common.exception.LdapAuthenticationException;
 import org.apache.ldap.common.name.LdapName;
 import org.apache.ldap.common.util.ArrayUtils;
+import org.apache.ldap.common.aci.AuthenticationLevel;
 import org.apache.ldap.server.jndi.ServerContext;
 import org.apache.ldap.server.partition.ContextPartitionNexus;
 
@@ -129,6 +130,6 @@
             throw new LdapAuthenticationException();
         }
 
-        return new LdapPrincipal( principalDn );
+        return new LdapPrincipal( principalDn, AuthenticationLevel.SIMPLE );
     }
 }
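Review bot: The principal returned here is built with the two-argument constructor, so its group set is always empty; the commit log lists populating groups as a todo, but nothing at this call site records that, and any group-based authorization decision downstream will silently see a user with no groups. A comment on this line keeps that visible: `// TODO: populate user group membership; until then group-based ACIs never match this principal`. The enclosing authenticate method starts outside the hunk.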

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java?rev=293136&r1=293135&r2=293136&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/AuthorizationService.java
Sun Oct  2 09:36:58 2005
@@ -20,13 +20,19 @@
 import org.apache.ldap.server.interceptor.BaseInterceptor;
 import org.apache.ldap.server.interceptor.NextInterceptor;
 import org.apache.ldap.server.jndi.ContextFactoryConfiguration;
+import org.apache.ldap.server.jndi.ServerContext;
 import org.apache.ldap.server.configuration.InterceptorConfiguration;
 import org.apache.ldap.server.partition.ContextPartitionNexus;
+import org.apache.ldap.server.authz.support.ACDFEngine;
+import org.apache.ldap.server.invocation.InvocationStack;
+import org.apache.ldap.server.authn.LdapPrincipal;
 import org.apache.ldap.common.filter.ExprNode;
+import org.apache.ldap.common.aci.AuthenticationLevel;
 
 import javax.naming.Name;
 import javax.naming.NamingException;
 import javax.naming.NamingEnumeration;
+import javax.naming.Context;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.ModificationItem;
 import javax.naming.directory.SearchControls;
@@ -46,6 +52,8 @@
     private ContextPartitionNexus nexus;
     /** a cache that responds to add, delete, and modify attempts */
     private TupleCache cache;
+    /** use and instance of the ACDF engine */
+    private ACDFEngine engine;
 
 
     public void init( ContextFactoryConfiguration factoryCfg, InterceptorConfiguration cfg
) throws NamingException
@@ -54,13 +62,37 @@
 
         nexus = factoryCfg.getPartitionNexus();
         cache = new TupleCache( factoryCfg );
+        engine = new ACDFEngine( factoryCfg.getGlobalRegistries().getOidRegistry(),
+                factoryCfg.getGlobalRegistries().getAttributeTypeRegistry() );
     }
 
 
+    /*
+     * Within every access controled interceptor method we must retrieve the ACITuple
+     * set for all the perscriptiveACIs that apply to the candidate, the target entry
+     * operated upon.  This ACITuple set is gotten from the TupleCache by looking up
+     * the subentries referenced by the accessControlSubentries operational attribute
+     * within the target entry.
+     *
+     * Then the entry is inspected for an entryACI.  If present a set of ACITuples
+     * are generated for all the entryACIs within the entry.  This set is combined
+     * with the ACITuples cached for the perscriptiveACI affecting the target entry.
+     *
+     * The union of ACITuples are fed into the engine along with other parameters
+     * to decide where permission is granted or rejected for the specific operation.
+     */
+
     public void add( NextInterceptor next, String upName, Name normName, Attributes entry
) throws NamingException
     {
         next.add( upName, normName, entry );
         cache.subentryAdded( upName, normName, entry );
+
+        ServerContext ctx = ( ServerContext ) InvocationStack.getInstance().peek().getCaller();
+        LdapPrincipal user = ctx.getPrincipal();
+        Name userGroupName = null;
+
+//        engine.checkPermission( next, userGroupName, user.getName(), user.getAuthenticationLevel(),
normName, null,
+//                null, ADD_OPS, aciTuples );
     }
 
 
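Review bot: In add(), the permission check (still commented out at the end of the hunk) sits after `next.add( upName, normName, entry );` and `cache.subentryAdded( upName, normName, entry );`, so when it is enabled the entry will already have been written and cached before the ACDF engine decides whether the caller may add it; the `ctx`/`user` lookup and the `engine.checkPermission(...)` call need to move ahead of the `next.add` call, and until the check is wired in the method is fail-open. The draft also passes a single `Name userGroupName = null` even though this commit adds `LdapPrincipal.getUserGroupNames()` for exactly this purpose, and `aciTuples` and `ADD_OPS` referenced in the commented line are not defined anywhere visible. The unchecked cast of `InvocationStack.getInstance().peek().getCaller()` to ServerContext presumably relies on every interceptor call arriving through a ServerContext; a short comment stating that invariant, or an `instanceof` guard, would make the assumption explicit. The field comment in the previous hunk, "use and instance of the ACDF engine", reads better as `/** an instance of the ACDF engine */`.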

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/schema/SchemaService.java
URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/schema/SchemaService.java?rev=293136&r1=293135&r2=293136&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/schema/SchemaService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/schema/SchemaService.java
Sun Oct  2 09:36:58 2005
@@ -517,7 +517,7 @@
 
             if ( ! atRegistry.hasAttributeType( change.getID() ) && ! objectClass.contains(
"extensibleObject" ) )
             {
-                throw new LdapInvalidAttributeIdentifierException();
+                throw new LdapInvalidAttributeIdentifierException( "unrecognized attributeID
" + change.getID() );
             }
 
             if ( modOp == DirContext.REMOVE_ATTRIBUTE && entry.get( change.getID()
) == null )


