Return-Path: Delivered-To: apmail-directory-commits-archive@www.apache.org Received: (qmail 18424 invoked from network); 1 Oct 2005 08:05:35 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 1 Oct 2005 08:05:35 -0000 Received: (qmail 35842 invoked by uid 500); 1 Oct 2005 08:05:34 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 35817 invoked by uid 500); 1 Oct 2005 08:05:33 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 35802 invoked by uid 99); 1 Oct 2005 08:05:33 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 01 Oct 2005 01:05:33 -0700 X-ASF-Spam-Status: No, hits=-9.8 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from [209.237.227.194] (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.29) with SMTP; Sat, 01 Oct 2005 01:05:38 -0700 Received: (qmail 18359 invoked by uid 65534); 1 Oct 2005 08:05:12 -0000 Message-ID: <20051001080512.18358.qmail@minotaur.apache.org> Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r292940 - /directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ Date: Sat, 01 Oct 2005 08:05:09 -0000 To: commits@directory.apache.org 
From: trustin@apache.org X-Mailer: svnmailer-1.0.5 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Author: trustin Date: Sat Oct 1 01:05:01 2005 New Revision: 292940 URL: http://svn.apache.org/viewcvs?rev=292940&view=rev Log: Added JavaDoc for ACDFEngine and its support classes. Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- 
directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACDFEngine.java Sat Oct 1 01:05:01 2005 @@ -40,10 +40,41 @@ import org.apache.ldap.server.subtree.RefinementLeafEvaluator; import org.apache.ldap.server.subtree.SubtreeEvaluator; +/** + * An implementation of Access Control Decision Function (18.8, X.501). + *

+ * This engine simply filters the collection of tuples using the following + * {@link ACITupleFilter}s sequentially: + *

    + *
  1. {@link RelatedUserClassFilter}
  2. + *
  3. {@link RelatedProtectedItemFilter}
  4. + *
  5. {@link MaxValueCountFilter}
  6. + *
  7. {@link MaxImmSubFilter}
  8. + *
  9. {@link RestrictedByFilter}
  10. + *
  11. {@link MicroOperationFilter}
  12. + *
  13. {@link HighestPrecedenceFilter}
  14. + *
  15. {@link MostSpecificUserClassFilter}
  16. + *
  17. {@link MostSpecificProtectedItemFilter}
  18. + *
+ *

+ * Operation is determined to be permitted if and only if there is at least one + * tuple left and all of them grants the access. (18.8.4. X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class ACDFEngine { private final ACITupleFilter[] filters; + /** + * Creates a new instance. + * + * @param oidRegistry an OID registry to be used by internal components + * @param attrTypeRegistry an attribute type registry to be used by internal components + * + * @throws NamingException if failed to initialize internal components + */ public ACDFEngine( OidRegistry oidRegistry, AttributeTypeRegistry attrTypeRegistry ) throws NamingException { Evaluator entryEvaluator = new ExpressionEvaluator( oidRegistry, attrTypeRegistry ); @@ -70,7 +101,7 @@ * if the user doesn't have any permission to perform the specified grants. * * @param next the next interceptor to the current interceptor - * @param userGroupNames the DN of the group of the user who is trying to access the resource + * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs * @param username the DN of the user who is trying to access the resource * @param entryName the DN of the entry the user is trying to access * @param attrId the attribute type of the attribute the user is trying to access. 
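Review bot: The numbered filter list in the new ACDFEngine class Javadoc documents a security-relevant contract without saying so: the decision depends on running the precedence step before the two most-specific steps (X.501 18.8.4.1–18.8.4.3), so the doc should state that the order is normative. I would add after "sequentially:" the sentence `The order is normative (X.501 18.8.4): precedence is resolved before user-class and protected-item specificity, so reordering the filters changes access decisions.` The closing sentence could also spell out the fail-closed consequence of "at least one tuple left" — an operation covered by no applicable ACI tuple is denied, not permitted — and its citation `(18.8.4. X.501)` should read `(18.8.4, X.501)` to match the sibling filters. The constructor body that begins at the end of this hunk continues outside it.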
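Review bot: The reworded `@param userGroupNames` line drops its final preposition — `the collection of the group DNs the user who is trying to access the resource belongs` should end with `belongs to`. Since these DNs feed the user-class matching that decides the access outcome, I would also say where they must come from, e.g. `@param userGroupNames the DNs of the groups the requesting user belongs to, as resolved by the server from the DIT rather than taken from the request`; the hunk does not show how callers build this collection, so confirm that is the contract before documenting it. The enclosing method's signature and the rest of its Javadoc lie outside the hunk.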
@@ -103,7 +134,7 @@ * if the user doesn't have any permission to perform the specified grants. * * @param next the next interceptor to the current interceptor - * @param userGroupNames the DN of the group of the user who is trying to access the resource + * @param userGroupNames the collection of the group DNs the user who is trying to access the resource belongs * @param userName the DN of the user who is trying to access the resource * @param entryName the DN of the entry the user is trying to access * @param attrId the attribute type of the attribute the user is trying to access. Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/ACITupleFilter.java Sat Oct 1 01:05:01 2005 
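Review bot: The same `@param userGroupNames` rewording in the second overload has the same grammatical slip, `... the resource belongs` without a trailing `to`. Whatever phrasing is chosen, keep it identical across the two overloads so the two Javadocs do not drift; `the DNs of the groups the requesting user belongs to` would do. The method this hunk documents starts and ends outside the hunk.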
@@ -25,10 +25,39 @@ import javax.naming.directory.Attributes; import org.apache.ldap.common.aci.AuthenticationLevel; +import org.apache.ldap.common.aci.MicroOperation; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An interface that filters the specified collection of tuples using the + * specified extra information. + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + * + */ public interface ACITupleFilter { + /** + * Returns the collection of the filtered tuples using the specified + * extra information. + * + * @param tuples the collection of tuples to filter + * @param scope the scope of the operation to be performed + * @param next the next interceptor for this filter to access the DIT + * @param userGroupNames the collection of group ({@link Name})s which the current user belongs to + * @param userName the {@link Name} of the current user + * @param userEntry the {@link Attributes} of the current user entry in the DIT + * @param authenticationLevel the level of authentication of the current user + * @param entryName the {@link Name} of the entry the current user accesses + * @param attrId the attribute ID the current user accesses + * @param attrValue the value of the attribute the current user accesses + * @param entry the {@link Attributes} of the entry the current user accesses + * @param microOperations the set of {@link MicroOperation}s the current user will perform + * + * @return the collection of filtered tuples + * @throws NamingException if failed to filter the specifiec tuples + */ Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java URL: 
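Review bot: The new `ACITupleFilter` Javadoc describes every input but not the one property the ACDF pipeline relies on: a filter may only narrow the tuple collection. `ACDFEngine` treats each remaining tuple as a candidate grant or denial, so an implementation that returned tuples absent from `tuples`, or altered them, would widen access. I would add to the method Javadoc `Implementations must return a subset of {@code tuples} and must neither add nor modify tuples.` and also state whether the input collection may be mutated in place. There is a typo in the `@throws` line, `specifiec` for `specified`. The `filter` signature is cut off after `Attributes userEntry,` and continues outside the hunk.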
http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/HighestPrecedenceFilter.java Sat Oct 1 01:05:01 2005 @@ -29,6 +29,13 @@ import org.apache.ldap.common.aci.AuthenticationLevel; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that discards all tuples having a precedence less + * than the highest remaining precedence. (18.8.4.1, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class HighestPrecedenceFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxImmSubFilter.java Sat Oct 1 01:05:01 2005 
@@ -35,6 +35,13 @@ import org.apache.ldap.common.filter.PresenceNode; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy + * {@link ProtectedItem.MaxImmSub} constraint if available. (18.8.3.3, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class MaxImmSubFilter implements ACITupleFilter { private final ExprNode childrenFilter; Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MaxValueCountFilter.java Sat Oct 1 01:05:01 2005 
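Review bot: The new `MaxImmSubFilter` Javadoc does not say how the immediate-subordinate count that the maxImmSub constraint is checked against is obtained, which is the security-relevant part of this filter. The `childrenFilter` field of type `ExprNode` visible in the hunk suggests a one-level search issued through `next`; if so, the doc should state which identity that search runs under, because a count limited to entries the requesting user may read would let the constraint be bypassed — please confirm against the implementation, which is outside the hunk. Once confirmed, a line such as `The subordinate count comes from a one-level search under the superior entry via the interceptor chain and must not depend on the requestor's read rights.` would cover it. Grammar: `all tuples that doesn't satisfy` should read `all tuples that do not satisfy`.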
@@ -32,6 +32,13 @@ import org.apache.ldap.common.aci.ProtectedItem.MaxValueCountItem; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy + * {@link ProtectedItem.MaxValueCount} constraint if available. (18.8.3.3, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class MaxValueCountFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MicroOperationFilter.java Sat Oct 1 01:05:01 2005 
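Review bot: The `MaxValueCountFilter` Javadoc cites 18.8.3.3 but leaves open the point that matters for an add operation: whether the count compared against `maxValueCount` is the attribute's current number of values or the number it would have after the requested values are added. Stating it — `The limit is checked against the number of values the attribute would have after the operation`, or the opposite if that is what the implementation (outside the hunk) does — prevents an off-by-one reading of the constraint. Also `all tuples that doesn't satisfy` should read `all tuples that do not satisfy`.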
@@ -30,6 +30,14 @@ import org.apache.ldap.common.aci.MicroOperation; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that discard tuples which doesn't contain any + * related {@link MicroOperation}s. (18.8.3.4, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + * + */ public class MicroOperationFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificProtectedItemFilter.java Sat Oct 1 01:05:01 2005 @@ -31,6 +31,21 @@ import org.apache.ldap.common.aci.ProtectedItem; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that chooses the tuples with the most specific + * protected item. (18.8.4.3, X.501) + *
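Review bot: The `MicroOperationFilter` Javadoc says it discards tuples that do not contain "any related" micro-operations, but `microOperations` is a collection, so the doc should state whether a tuple survives when it covers at least one requested micro-operation or only when it covers all of them. The distinction decides whether a tuple granting only part of a multi-permission request can count as a grant in `ACDFEngine`, so it is worth pinning down from the implementation (outside the hunk) and writing, for example, `A tuple is retained only if its grants or denials cover every requested micro-operation.` Grammar: `discard tuples which doesn't contain` should be `discards tuples which do not contain`.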

+ * If more than one tuple remains, choose the tuples with the most specific + * protected item. If the protected item is an attribute and there are tuples + * that specify the attribute type explicitly, discard all other tuples. If + * the protected item is an attribute value, and there are tuples that specify + * the attribute value explicitly, discard all other tuples. A protected item + * which is a rangeOfValues is to be treated as specifying an attribute value + * explicitly. + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class MostSpecificProtectedItemFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/MostSpecificUserClassFilter.java Sat Oct 1 01:05:01 2005 @@ -31,6 +31,19 @@ import org.apache.ldap.common.aci.UserClass; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that chooses the tuples with the most specific user + * class. (18.8.4.2) + *

+ * If more than one tuple remains, choose the tuples with the most specific user + * class. If there are any tuples matching the requestor with UserClasses element + * name or thisEntry, discard all other tuples. Otherwise if there are any tuples + * matching UserGroup, discard all other tuples. Otherwise if there are any tuples + * matching subtree, discard all other tuples. + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class MostSpecificUserClassFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/OperationScope.java Sat Oct 1 01:05:01 2005 
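Review bot: The class Javadoc for `MostSpecificUserClassFilter` cites `(18.8.4.2)` without the standard's name, while every sibling filter in this commit writes `(18.8.4.2, X.501)`; make it consistent. In the same paragraph `UserGroup` is capitalised while `name`, `thisEntry` and `subtree` follow the X.501 element spelling; `userGroup` keeps the element names uniform. The `filter` method this hunk ends on continues outside it.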
@@ -18,10 +18,27 @@ */ package org.apache.ldap.server.authz.support; +/** + * An enumeration that represents the scope of user operation. + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class OperationScope { + /** + * An operation that affects the whole entry. + */ public static final OperationScope ENTRY = new OperationScope( "Entry" ); + + /** + * An operation that affects all values in an attribute type. + */ public static final OperationScope ATTRIBUTE_TYPE = new OperationScope( "Attribute Type" ); + + /** + * An operation that affects the specific value in an attribute type. + */ public static final OperationScope ATTRIBUTE_TYPE_AND_VALUE = new OperationScope( "Attribute Type & Value" ); private final String name; @@ -31,11 +48,17 @@ this.name = name; } + /** + * Return the name of this scope. + */ public String getName() { return name; } - + + /** + * Returns the name of this scope. + */ public String toString() { return name; Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedProtectedItemFilter.java Sat Oct 1 01:05:01 2005 
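Review bot: In the `OperationScope` hunk the `getName` Javadoc reads `Return the name of this scope.` while `toString` reads `Returns the name of this scope.`; use the third-person form for both. The class Javadoc calls the type an enumeration, so it should also say that the three `public static final` instances are the only values and are meant to be compared by identity; the hunk shows the constructor body but not whether `equals`/`hashCode` are overridden, so confirm before writing something like `Instances are singletons; compare them with == rather than equals.`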
@@ -37,6 +37,13 @@ import org.apache.ldap.server.schema.AttributeTypeRegistry; import org.apache.ldap.server.subtree.RefinementEvaluator; +/** + * An {@link ACITupleFilter} that discards all tuples whose {@link ProtectedItem}s + * are not related with the operation. (18.8.3.2, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class RelatedProtectedItemFilter implements ACITupleFilter { private final AttributeTypeRegistry attrTypeRegistry; Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RelatedUserClassFilter.java Sat Oct 1 01:05:01 2005 
@@ -33,6 +33,13 @@ import org.apache.ldap.server.interceptor.NextInterceptor; import org.apache.ldap.server.subtree.SubtreeEvaluator; +/** + * An {@link ACITupleFilter} that discards all tuples whose {@link UserClass}es + * are not related with the current user. (18.8.3.1, X.501) + * + * @author The Apache Directory Project + * @version $Rev$, $Date$ + */ public class RelatedUserClassFilter implements ACITupleFilter { private static final LdapName ROOTDSE_NAME = new LdapName(); Modified: directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java URL: http://svn.apache.org/viewcvs/directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java?rev=292940&r1=292939&r2=292940&view=diff ============================================================================== --- directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java (original) +++ directory/apacheds/trunk/core/src/main/java/org/apache/ldap/server/authz/support/RestrictedByFilter.java Sat Oct 1 01:05:01 2005 @@ -32,6 +32,13 @@ import org.apache.ldap.common.aci.ProtectedItem.RestrictedByItem; import org.apache.ldap.server.interceptor.NextInterceptor; +/** + * An {@link ACITupleFilter} that discards all tuples that doesn't satisfy + * {@link ProtectedItem.RestrictedBy} constraint if available. (18.8.3.3, X.501) + * + * @author The Apache Directory Proejct + * @version $Rev$, $Date$ + */ public class RestrictedByFilter implements ACITupleFilter { public Collection filter( Collection tuples, OperationScope scope, NextInterceptor next, Collection userGroupNames, Name userName, Attributes userEntry, AuthenticationLevel authenticationLevel, Name entryName, String attrId, Object attrValue, Attributes entry, Collection microOperations ) throws NamingException
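Review bot: The `RelatedUserClassFilter` Javadoc says tuples whose user classes are "not related with the current user" are discarded, but relevance under X.501 18.8.3.1 also depends on the requestor's authentication level, and `authenticationLevel` is one of this filter's parameters; the doc should say whether tuples that require a higher level than the requestor's are discarded here or elsewhere. The `ROOTDSE_NAME` constant (an empty `LdapName`) visible as context is likewise undocumented; a one-line comment on what it is compared against would help, as its role is not evident from the hunk. Grammar: `related with` should be `related to`.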
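Review bot: The `@author` tag in the new `RestrictedByFilter` Javadoc misspells the project name: `The Apache Directory Proejct` should be `The Apache Directory Project`, as in the other files of this commit. Also `all tuples that doesn't satisfy` should read `all tuples that do not satisfy`. The `filter` signature is the hunk's last line; the method body lies outside it.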