directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r532059 - /directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
Date Tue, 24 Apr 2007 19:55:50 GMT
Author: elecharny
Date: Tue Apr 24 12:55:49 2007
New Revision: 532059

URL: http://svn.apache.org/viewvc?view=rev&rev=532059
Log:
Removed useless declaration
Used AttributeUtils.getAttribute() everywhere
Added some logs
Used some more constants

Modified:
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java?view=diff&rev=532059&r1=532058&r2=532059
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
(original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java
Tue Apr 24 12:55:49 2007
@@ -48,9 +48,15 @@
 import org.apache.directory.server.core.invocation.InvocationStack;
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
+import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
 import org.apache.directory.shared.ldap.name.LdapDN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
 import org.apache.directory.shared.ldap.schema.OidNormalizer;
+import org.apache.directory.shared.ldap.util.AttributeUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
 /**
@@ -64,6 +70,9 @@
  */
 public class DefaultAuthorizationService extends BaseInterceptor
 {
+    /** the logger for this class */
+    private static final Logger log = LoggerFactory.getLogger( DefaultAuthorizationService.class
);
+    
     /** The service name */
     public static final String NAME = "defaultAuthorizationService";
 
@@ -71,19 +80,16 @@
      * the base distinguished {@link Name} for all users
      */
     private static LdapDN USER_BASE_DN;
-    private static LdapDN USER_BASE_DN_NORMALIZED;
 
     /**
      * the base distinguished {@link Name} for all groups
      */
     private static LdapDN GROUP_BASE_DN;
-    private static LdapDN GROUP_BASE_DN_NORMALIZED;
 
     /**
      * the distinguished {@link Name} for the administrator group
      */
     private static LdapDN ADMIN_GROUP_DN;
-    private static LdapDN ADMIN_GROUP_DN_NORMALIZED;
 
     /**
      * the name parser used by this service
@@ -96,6 +102,13 @@
     private Map<String, OidNormalizer> normalizerMapping;
     
     private PartitionNexus nexus;
+    
+    /** attribute type registry */
+    private AttributeTypeRegistry attrRegistry;
+
+    /** A starage for the uniqueMember attributeType */
+    private AttributeType uniqueMemberAT;
+
 
     /**
      * Creates a new instance.
@@ -114,14 +127,18 @@
         enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();
         
         USER_BASE_DN = PartitionNexus.getUsersBaseName();
-        USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, normalizerMapping );
+        USER_BASE_DN.normalize( normalizerMapping );
         
         GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
-        GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, normalizerMapping );
+        GROUP_BASE_DN.normalize( normalizerMapping );
      
         ADMIN_GROUP_DN = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
-        ADMIN_GROUP_DN_NORMALIZED = ( LdapDN ) ADMIN_GROUP_DN.clone();
-        ADMIN_GROUP_DN_NORMALIZED.normalize( normalizerMapping );
+        ADMIN_GROUP_DN.normalize( normalizerMapping );
+        
+        attrRegistry = factoryCfg.getRegistries().getAttributeTypeRegistry();
+        
+        uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
+        
         loadAdministrators();
     }
     
@@ -130,20 +147,22 @@
     {
         // read in the administrators and cache their normalized names
         Set<String> newAdministrators = new HashSet<String>( 2 );
-        Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN_NORMALIZED
) );
+        Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN
) );
         
         if ( adminGroup == null )
         {
             return;
         }
         
-        Attribute uniqueMember = adminGroup.get( "uniqueMember" );
+        Attribute uniqueMember = AttributeUtils.getAttribute( adminGroup, uniqueMemberAT
);
+        
         for ( int ii = 0; ii < uniqueMember.size(); ii++ )
         {
             LdapDN memberDn = new LdapDN( ( String ) uniqueMember.get( ii ) );
             memberDn.normalize( normalizerMapping );
-            newAdministrators.add( memberDn.toNormName() );
+            newAdministrators.add( memberDn.getNormName() );
         }
+        
         administrators = newAdministrators;
     }
 
@@ -164,40 +183,51 @@
 
         LdapDN principalDn = getPrincipal().getJndiName();
 
-        if ( name.toString().equals( "" ) )
+        if ( name.isEmpty() )
         {
             String msg = "The rootDSE cannot be deleted!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+        if ( name.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
         {
             String msg = "The Administrators group cannot be deleted!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
         if ( isTheAdministrator( name ) )
         {
-            String msg = "User " + principalDn;
+            String msg = "User " + principalDn.getUpName();
             msg += " does not have permission to delete the admin account.";
             msg += " No one not even the admin can delete this account!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !isAnAdministrator(
principalDn ) )
+        if ( name.size() > 2 )
         {
-            String msg = "User " + principalDn;
-            msg += " does not have permission to delete the user account: ";
-            msg += name + ". Only the admin can delete user accounts.";
-            throw new LdapNoPermissionException( msg );
-        }
-
-        if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !isAnAdministrator(
principalDn ) )
-        {
-            String msg = "User " + principalDn;
-            msg += " does not have permission to delete the group entry: ";
-            msg += name + ". Only the admin can delete groups.";
-            throw new LdapNoPermissionException( msg );
+            if ( !isAnAdministrator( principalDn ) )
+            {
+                if ( name.startsWith( USER_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn.getUpName();
+                    msg += " does not have permission to delete the user account: ";
+                    msg += name.getUpName() + ". Only the admin can delete user accounts.";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
+                }
+        
+                if ( name.startsWith( GROUP_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn.getUpName();
+                    msg += " does not have permission to delete the group entry: ";
+                    msg += name.getUpName() + ". Only the admin can delete groups.";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
+                }
+            }
         }
 
         nextInterceptor.delete( opContext );
@@ -206,19 +236,18 @@
     
     private final boolean isTheAdministrator( LdapDN normalizedDn )
     {
-        return normalizedDn.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ||

-             normalizedDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED
);
+        return normalizedDn.getNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED
);
     }
     
     
-    private final boolean isAnAdministrator( LdapDN normalizedDn ) throws NamingException
+    private final boolean isAnAdministrator( LdapDN normalizedDn )
     {
         if ( isTheAdministrator( normalizedDn ) )
         {
             return true;
         }
         
-        return administrators.contains( normalizedDn.toNormName() );
+        return administrators.contains( normalizedDn.getNormName() );
     }
     
 
@@ -237,19 +266,21 @@
     {
         if ( enabled )
         {
-            protectModifyAlterations( opContext.getDn() );
+            LdapDN dn = opContext.getDn();
+            
+            protectModifyAlterations( dn );
             nextInterceptor.modify( opContext );
 
             // update administrators if we change administrators group
-            if ( opContext.getDn().getNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName()
) )
+            if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
             {
                 loadAdministrators();
             }
-            
-            return;
         }
-
-        nextInterceptor.modify( opContext );
+        else
+        {
+            nextInterceptor.modify( opContext );
+        }
     }
 
 
@@ -257,44 +288,51 @@
     {
         LdapDN principalDn = getPrincipal().getJndiName();
 
-        if ( dn.size() == 0 )
+        if ( dn.isEmpty() )
         {
             String msg = "The rootDSE cannot be modified!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
         if ( ! isAnAdministrator( principalDn ) )
         {
             // allow self modifications 
-            if ( dn.toNormName().equals( getPrincipal().getJndiName().toNormName() ) )
+            if ( dn.getNormName().equals( getPrincipal().getJndiName().getNormName() ) )
             {
                 return;
             }
             
-            if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
+            if ( dn.getNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
             {
-                String msg = "User " + principalDn;
+                String msg = "User " + principalDn.getUpName();
                 msg += " does not have permission to modify the account of the";
                 msg += " admin user.";
+                log.error( msg );
                 throw new LdapNoPermissionException( msg );
             }
 
-            if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) )
-            {
-                String msg = "User " + principalDn;
-                msg += " does not have permission to modify the account of the";
-                msg += " user " + dn + ".\nEven the owner of an account cannot";
-                msg += " modify it.\nUser accounts can only be modified by the";
-                msg += " administrator.";
-                throw new LdapNoPermissionException( msg );
-            }
-
-            if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
-            {
-                String msg = "User " + principalDn;
-                msg += " does not have permission to modify the group entry ";
-                msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
-                throw new LdapNoPermissionException( msg );
+            if ( dn.size() > 2 ) 
+                {
+                if ( dn.startsWith( USER_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn.getUpName();
+                    msg += " does not have permission to modify the account of the";
+                    msg += " user " + dn.getUpName() + ".\nEven the owner of an account cannot";
+                    msg += " modify it.\nUser accounts can only be modified by the";
+                    msg += " administrator.";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
+                }
+    
+                if ( dn.startsWith( GROUP_BASE_DN ) )
+                {
+                    String msg = "User " + principalDn.getUpName();
+                    msg += " does not have permission to modify the group entry ";
+                    msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
+                }
             }
         }
     }
@@ -347,15 +385,18 @@
     {
         LdapDN principalDn = getPrincipal().getJndiName();
 
-        if ( dn.toString().equals( "" ) )
+        if ( dn.isEmpty() )
         {
             String msg = "The rootDSE cannot be moved or renamed!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
+        if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
         {
-            throw new LdapNoPermissionException( "The Administrators group cannot be moved
or renamed!" );
+            String msg = "The Administrators group cannot be moved or renamed!";
+            log.error( msg );
+            throw new LdapNoPermissionException( msg );
         }
         
         if ( isTheAdministrator( dn ) )
@@ -363,24 +404,26 @@
             String msg = "User '" + principalDn.getUpName();
             msg += "' does not have permission to move or rename the admin";
             msg += " account.  No one not even the admin can move or";
-            msg += " rename " + dn + "!";
+            msg += " rename " + dn.getUpName() + "!";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) &&
!isAnAdministrator( principalDn ) )
+        if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN ) && !isAnAdministrator(
principalDn ) )
         {
-            String msg = "User '" + principalDn;
+            String msg = "User '" + principalDn.getUpName();
             msg += "' does not have permission to move or rename the user";
-            msg += " account: " + dn + ". Only the admin can move or";
+            msg += " account: " + dn.getUpName() + ". Only the admin can move or";
             msg += " rename user accounts.";
+            log.error( msg );
             throw new LdapNoPermissionException( msg );
         }
 
-        if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) &&
!isAnAdministrator( principalDn ) )
+        if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN ) && !isAnAdministrator(
principalDn ) )
         {
-            String msg = "User " + principalDn;
+            String msg = "User " + principalDn.getUpName();
             msg += " does not have permission to move or rename the group entry ";
-            msg += dn + ".\nGroups can only be moved or renamed by the admin.";
+            msg += dn.getUpName() + ".\nGroups can only be moved or renamed by the admin.";
             throw new LdapNoPermissionException( msg );
         }
     }
@@ -390,7 +433,7 @@
     {
         Attributes attributes = nextInterceptor.lookup( opContext );
         
-        if ( !enabled || attributes == null )
+        if ( !enabled || ( attributes == null ) )
         {
             return attributes;
         }
@@ -404,34 +447,40 @@
     {
         LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
         LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
+        
         if ( !isAnAdministrator( principalDn ) )
         {
-            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN_NORMALIZED
) )
+            if ( normalizedDn.size() > 2 )
             {
-                // allow for self reads
-                if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+                if( normalizedDn.startsWith( USER_BASE_DN ) )
                 {
-                    return;
+                    // allow for self reads
+                    if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+                    {
+                        return;
+                    }
+    
+                    String msg = "Access to user account '" + normalizedDn.getUpName() +
"' not permitted";
+                    msg += " for user '" + principalDn.getUpName() + "'.  Only the admin
can";
+                    msg += " access user account information";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
                 }
 
-                String msg = "Access to user account '" + normalizedDn + "' not permitted";
-                msg += " for user '" + principalDn + "'.  Only the admin can";
-                msg += " access user account information";
-                throw new LdapNoPermissionException( msg );
-            }
-
-            if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED
) )
-            {
-                // allow for self reads
-                if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+                if ( normalizedDn.startsWith( GROUP_BASE_DN ) )
                 {
-                    return;
+                    // allow for self reads
+                    if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
+                    {
+                        return;
+                    }
+    
+                    String msg = "Access to group '" + normalizedDn.getUpName() + "' not
permitted";
+                    msg += " for user '" + principalDn.getUpName() + "'.  Only the admin
can";
+                    msg += " access group information";
+                    log.error( msg );
+                    throw new LdapNoPermissionException( msg );
                 }
-
-                String msg = "Access to group '" + normalizedDn + "' not permitted";
-                msg += " for user '" + principalDn + "'.  Only the admin can";
-                msg += " access group information";
-                throw new LdapNoPermissionException( msg );
             }
 
             if ( isTheAdministrator( normalizedDn ) )
@@ -443,8 +492,9 @@
                 }
 
                 String msg = "Access to admin account not permitted for user '";
-                msg += principalDn + "'.  Only the admin can";
+                msg += principalDn.getUpName() + "'.  Only the admin can";
                 msg += " access admin account information";
+                log.error( msg );
                 throw new LdapNoPermissionException( msg );
             }
         }
@@ -509,7 +559,8 @@
         }
         
         // Users reading their own entries should be allowed to see all
-        boolean isSelfRead = dn.toNormName().equals( principalDn.toNormName() );
+        boolean isSelfRead = dn.getNormName().equals( principalDn.getNormName() );
+        
         if ( isSelfRead )
         {
             return true;
@@ -521,8 +572,8 @@
             // stuff this if in here instead of up in outer if to prevent 
             // constant needless reexecution for all entries in other depths
             
-            if ( dn.toNormName().endsWith( USER_BASE_DN_NORMALIZED.toNormName() ) 
-                || dn.toNormName().endsWith( GROUP_BASE_DN_NORMALIZED.toNormName() ) )
+            if ( dn.getNormName().endsWith( USER_BASE_DN.getNormName() ) 
+                || dn.getNormName().endsWith( GROUP_BASE_DN.getNormName() ) )
             {
                 return false;
             }



Mime
View raw message