Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/AuthenticationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -30,6 +30,7 @@
import java.util.Set;
import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerEntry;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
import org.apache.directory.server.core.interceptor.Interceptor;
import org.apache.directory.server.core.interceptor.NextInterceptor;
@@ -54,7 +55,6 @@
import org.apache.directory.shared.ldap.exception.LdapAuthenticationException;
import org.apache.directory.shared.ldap.message.MessageTypeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.apache.directory.shared.ldap.util.StringTools;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -197,7 +197,7 @@
if ( IS_DEBUG )
{
LOG.debug( "Adding the entry " +
- AttributeUtils.toString( opContext.getEntry() ) +
+ opContext.getEntry() +
" for DN = '" + opContext.getDn().getUpName() + "'" );
}
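Review bot: The debug message at L24–L27 serializes the whole entry being added, and in the authentication interceptor that entry can carry a userPassword value, so enabling debug logging writes credentials into the log; the change only swaps `AttributeUtils.toString` for `ServerEntry.toString()` and keeps that exposure. Unless ServerEntry's toString redacts the password attribute (not visible here), log only the DN: `LOG.debug( "Adding an entry for DN = '" + opContext.getDn().getUpName() + "'" );`. The enclosing add() method starts and ends outside the hunk.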
@@ -231,7 +231,7 @@
}
- public Attributes getRootDSE( NextInterceptor next, GetRootDSEOperationContext opContext ) throws NamingException
+ public ServerEntry getRootDSE( NextInterceptor next, GetRootDSEOperationContext opContext ) throws NamingException
{
if ( IS_DEBUG )
{
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/LdapPrincipal.java Sun Jan 20 08:59:10 2008
@@ -23,8 +23,6 @@
import java.io.Serializable;
import java.security.Principal;
-import javax.naming.Name;
-
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.util.StringTools;
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authn/SimpleAuthenticator.java Sun Jan 20 08:59:10 2008
@@ -32,8 +32,6 @@
import javax.naming.Context;
import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
import org.apache.commons.collections.map.LRUMap;
import org.apache.directory.server.core.interceptor.context.LookupOperationContext;
@@ -50,8 +48,14 @@
import org.apache.directory.server.core.schema.SchemaInterceptor;
import org.apache.directory.server.core.subtree.SubentryInterceptor;
import org.apache.directory.server.core.collective.CollectiveAttributeInterceptor;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerStringValue;
+import org.apache.directory.server.core.entry.ServerValue;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.trigger.TriggerInterceptor;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
import org.apache.directory.shared.ldap.constants.LdapSecurityConstants;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
@@ -185,7 +189,7 @@
* @return A byte array which can be empty if the password was not found
* @throws NamingException If we have a problem during the lookup operation
*/
- private LdapPrincipal getStoredPassword( LdapDN principalDN ) throws NamingException
+ private LdapPrincipal getStoredPassword( Registries registries, LdapDN principalDN ) throws NamingException
{
LdapPrincipal principal;
String principalNorm = principalDN.getNormName();
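Review bot: The Javadoc directly above the new signature at L81 is now wrong on two counts: the `@return A byte array which can be empty if the password was not found` line at L77 describes a method that returns an `LdapPrincipal`, and the added `Registries registries` parameter has no `@param`. Suggest replacing the `@return` line with `@return the principal carrying the stored userPassword bytes (empty if no password was found)` and adding `@param registries the schema registries used to build the lookup context` before the existing `@throws`. Only the tail of the Javadoc is in view, so the summary sentence may need the same correction.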
@@ -201,7 +205,7 @@
{
// Not found in the cache
// Get the user password from the backend
- storedPassword = lookupUserPassword( principalDN );
+ storedPassword = lookupUserPassword( registries, principalDN );
// Deal with the special case where the user didn't enter a password
@@ -304,7 +308,7 @@
// ---- extract password from JNDI environment
byte[] credentials = getCredentials( ctx );
- LdapPrincipal principal = getStoredPassword( principalDn );
+ LdapPrincipal principal = getStoredPassword( getDirectoryService().getRegistries(), principalDn );
// Get the stored password, either from cache or from backend
byte[] storedPassword = principal.getUserPassword();
@@ -573,19 +577,22 @@
* @return the credentials from the backend
* @throws NamingException if there are problems accessing backend
*/
- private byte[] lookupUserPassword( LdapDN principalDn ) throws NamingException
+ private byte[] lookupUserPassword( Registries registries, LdapDN principalDn ) throws NamingException
{
// ---- lookup the principal entry's userPassword attribute
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes userEntry;
+ ServerEntry userEntry;
try
{
- LookupOperationContext lookupContex = new LookupOperationContext( new String[] { SchemaConstants.USER_PASSWORD_AT } );
+ LookupOperationContext lookupContex = new LookupOperationContext( registries, new String[] { SchemaConstants.USER_PASSWORD_AT } );
lookupContex.setDn( principalDn );
- userEntry = proxy.lookup( lookupContex, USERLOOKUP_BYPASS );
+ userEntry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( lookupContex, USERLOOKUP_BYPASS ),
+ principalDn,
+ registries );
if ( userEntry == null )
{
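Review bot: The null check at L121 now tests the result of `ServerEntryUtils.toServerEntry(...)` (L117–L120) rather than the raw `proxy.lookup(...)` result, so it still works only if `toServerEntry` passes a null input through; if it dereferences its first argument, an unknown principal DN surfaces as a NullPointerException instead of taking the handled not-found path. Keep the raw lookup result in a local (this needs the `javax.naming.directory.Attributes` import removed at L58 back), check it for null, and convert afterwards: `Attributes raw = proxy.lookup( lookupContex, USERLOOKUP_BYPASS );` / `if ( raw == null ) { ... }` / `userEntry = ServerEntryUtils.toServerEntry( raw, principalDn, registries );`. The body of the `if ( userEntry == null )` branch and the catch block lie outside the hunk.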
@@ -600,26 +607,28 @@
throw e;
}
- Object userPassword;
+ ServerValue<?> userPassword;
- Attribute userPasswordAttr = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
+ ServerAttribute userPasswordAttr = userEntry.get( SchemaConstants.USER_PASSWORD_AT );
// ---- assert that credentials match
if ( userPasswordAttr == null )
{
- userPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
+ return StringTools.EMPTY_BYTES;
}
else
{
userPassword = userPasswordAttr.get();
- if ( userPassword instanceof String )
+ if ( userPassword instanceof ServerStringValue )
{
- userPassword = StringTools.getBytesUtf8( ( String ) userPassword );
+ return StringTools.getBytesUtf8( (String)userPassword.get() );
+ }
+ else
+ {
+ return (byte[])userPassword.get();
}
}
-
- return ( byte[] ) userPassword;
}
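Review bot: The `else` branch at L145–L148 casts `userPassword.get()` to `byte[]` for anything that is not a `ServerStringValue`, so any other ServerValue implementation reaching this point fails the bind with a ClassCastException rather than an LdapAuthenticationException; either add an explicit `instanceof` check for the binary value type or state the assumption in a comment, `// non-string userPassword values are assumed to be binary (byte[])`. The comment `// ---- assert that credentials match` at L130 is also stale: this method only extracts the first stored userPassword value (`userPasswordAttr.get()` at L138), the comparison happens in the caller, so `// ---- extract the first userPassword value as raw bytes` would describe it. The Javadoc for this method is in the previous hunk.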
/**
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -24,6 +24,10 @@
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.core.authn.LdapPrincipal;
import org.apache.directory.server.core.authz.support.ACDFEngine;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
import org.apache.directory.server.core.enumeration.SearchResultFilter;
import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
import org.apache.directory.server.core.interceptor.BaseInterceptor;
@@ -50,6 +54,7 @@
import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACIItem;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -61,12 +66,9 @@
import org.apache.directory.shared.ldap.message.ResultCodeEnum;
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaUtils;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
@@ -76,6 +78,7 @@
import javax.naming.directory.SearchResult;
import java.text.ParseException;
+import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
@@ -166,8 +169,11 @@
/** interceptor chain */
private InterceptorChain chain;
+ /** Global registries */
+ private Registries registries;
+
/** attribute type registry */
- private AttributeTypeRegistry attrRegistry;
+ private AttributeTypeRegistry atRegistry;
/** whether or not this interceptor is activated */
private boolean enabled;
@@ -201,29 +207,30 @@
tupleCache = new TupleCache( directoryService );
groupCache = new GroupCache( directoryService );
- attrRegistry = directoryService.getRegistries().getAttributeTypeRegistry();
- OidRegistry oidRegistry = directoryService.getRegistries().getOidRegistry();
+ registries = directoryService.getRegistries();
+ atRegistry = registries.getAttributeTypeRegistry();
+ OidRegistry oidRegistry = registries.getOidRegistry();
// look up some constant information
String objectClassOid = oidRegistry.getOid( SchemaConstants.OBJECT_CLASS_AT );
subentryOid = oidRegistry.getOid( SchemaConstants.SUBENTRY_OC );
String acSubentryOid = oidRegistry.getOid( AC_SUBENTRY_ATTR );
- objectClassType = attrRegistry.lookup( objectClassOid );
- acSubentryType = attrRegistry.lookup( acSubentryOid );
- entryAciType = attrRegistry.lookup( SchemaConstants.ENTRY_ACI_AT_OID );
- subentryAciType = attrRegistry.lookup( SchemaConstants.SUBENTRY_ACI_AT_OID );
+ objectClassType = atRegistry.lookup( objectClassOid );
+ acSubentryType = atRegistry.lookup( acSubentryOid );
+ entryAciType = atRegistry.lookup( SchemaConstants.ENTRY_ACI_AT_OID );
+ subentryAciType = atRegistry.lookup( SchemaConstants.SUBENTRY_ACI_AT_OID );
- aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( attrRegistry, oidRegistry ), attrRegistry.getNormalizerMapping() );
- engine = new ACDFEngine( directoryService.getRegistries().getOidRegistry(), attrRegistry );
+ aciParser = new ACIItemParser( new ConcreteNameComponentNormalizer( atRegistry, oidRegistry ), atRegistry.getNormalizerMapping() );
+ engine = new ACDFEngine( registries.getOidRegistry(), atRegistry );
chain = directoryService.getInterceptorChain();
enabled = directoryService.isAccessControlEnabled();
// stuff for dealing with subentries (garbage for now)
- String subschemaSubentry =
- ( String ) directoryService.getPartitionNexus().getRootDSE( null ).
+ ServerValue<?> subschemaSubentry =
+ directoryService.getPartitionNexus().getRootDSE( null ).
get( SchemaConstants.SUBSCHEMA_SUBENTRY_AT ).get();
- LdapDN subschemaSubentryDnName = new LdapDN( subschemaSubentry );
- subschemaSubentryDnName.normalize( attrRegistry.getNormalizerMapping() );
+ LdapDN subschemaSubentryDnName = new LdapDN( (String)(subschemaSubentry.get()) );
+ subschemaSubentryDnName.normalize( atRegistry.getNormalizerMapping() );
subschemaSubentryDn = subschemaSubentryDnName.toNormName();
}
@@ -254,7 +261,7 @@
private LdapDN parseNormalized( String name ) throws NamingException
{
LdapDN dn = new LdapDN( name );
- dn.normalize( attrRegistry.getNormalizerMapping() );
+ dn.normalize( atRegistry.getNormalizerMapping() );
return dn;
}
@@ -274,9 +281,9 @@
* @param proxy the partition nexus proxy object
*/
private void addPerscriptiveAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn,
- Attributes entry ) throws NamingException
+ ServerEntry entry ) throws NamingException
{
- Attribute oc = AttributeUtils.getAttribute( entry, objectClassType );
+ ServerAttribute oc = entry.get( objectClassType );
/*
* If the protected entry is a subentry, then the entry being evaluated
@@ -287,24 +294,26 @@
* to be in the same naming context as their access point so the subentries
* effecting their parent entry applies to them as well.
*/
- if ( AttributeUtils.containsValue( oc, SchemaConstants.SUBENTRY_OC, objectClassType ) ||
- AttributeUtils.containsValue( oc, subentryOid, objectClassType ) )
+ if ( oc.contains( SchemaConstants.SUBENTRY_OC ) || oc.contains( subentryOid ) )
{
LdapDN parentDn = ( LdapDN ) dn.clone();
parentDn.remove( dn.size() - 1 );
- entry = proxy.lookup( new LookupOperationContext( parentDn), PartitionNexusProxy.LOOKUP_BYPASS );
+ entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, parentDn), PartitionNexusProxy.LOOKUP_BYPASS ),
+ parentDn,
+ registries );
}
- Attribute subentries = AttributeUtils.getAttribute( entry, acSubentryType );
+ ServerAttribute subentries = entry.get( acSubentryType );
if ( subentries == null )
{
return;
}
- for ( int ii = 0; ii < subentries.size(); ii++ )
+ for ( ServerValue<?> value:subentries )
{
- String subentryDn = ( String ) subentries.get( ii );
+ String subentryDn = ( String ) value.get();
tuples.addAll( tupleCache.getACITuples( subentryDn ) );
}
}
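Review bot: The subentry test at L271 replaces `AttributeUtils.containsValue( oc, ..., objectClassType )`, which matched through the attribute type's equality rule, with `oc.contains( SchemaConstants.SUBENTRY_OC ) || oc.contains( subentryOid )`; whether `ServerAttribute.contains` normalizes objectClass values (which are case-insensitive) is not visible here, and checking both the name and the OID by hand suggests it may not. If it is a plain string comparison, a subentry stored as `subEntry` would skip the parent lookup at L276–L279 and its prescriptive ACI tuples would not be collected, which changes authorization outcomes. Worth confirming the contains semantics, or comparing through the attribute type's equality matching rule as before; `entry` is also dereferenced at L282 without a null check if the parent lookup returns nothing. The method's signature is in the previous hunk.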
@@ -318,18 +327,18 @@
* @param entry the target entry that access to is being regulated
* @throws NamingException if there are problems accessing attribute values
*/
- private void addEntryAciTuples( Collection<ACITuple> tuples, Attributes entry ) throws NamingException
+ private void addEntryAciTuples( Collection<ACITuple> tuples, ServerEntry entry ) throws NamingException
{
- Attribute entryAci = AttributeUtils.getAttribute( entry, entryAciType );
+ ServerAttribute entryAci = entry.get( entryAciType );
if ( entryAci == null )
{
return;
}
- for ( int ii = 0; ii < entryAci.size(); ii++ )
+ for ( ServerValue<?> value:entryAci )
{
- String aciString = ( String ) entryAci.get( ii );
+ String aciString = ( String ) value.get();
ACIItem item;
try
@@ -358,11 +367,11 @@
* @throws NamingException if there are problems accessing attribute values
* @param proxy the partition nexus proxy object
*/
- private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, Attributes entry )
+ private void addSubentryAciTuples( PartitionNexusProxy proxy, Collection<ACITuple> tuples, LdapDN dn, ServerEntry entry )
throws NamingException
{
// only perform this for subentries
- if ( !AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.SUBENTRY_OC ) )
+ if ( !entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.SUBENTRY_OC ) )
{
return;
}
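Review bot: L325 swaps `AttributeUtils.containsValueCaseIgnore( ... )` for `entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.SUBENTRY_OC )`; the old helper's name made case-insensitive matching explicit, and nothing in the hunk shows that `ServerEntry.contains` does the same. If it does not, a subentry whose objectClass value differs in case skips the subentryACI collection that follows and loses the access-control restrictions it should carry. Either confirm the normalization in `ServerEntry.contains` or document it at the call site: `// ServerEntry.contains matches objectClass values through the schema equality rule (case-insensitive)`. The rest of the method follows in the next hunk.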
@@ -371,19 +380,23 @@
// will contain the subentryACI attributes that effect subentries
LdapDN parentDn = ( LdapDN ) dn.clone();
parentDn.remove( dn.size() - 1 );
- Attributes administrativeEntry = proxy.lookup(
- new LookupOperationContext( parentDn, new String[]
- { SchemaConstants.SUBENTRY_ACI_AT }) , PartitionNexusProxy.LOOKUP_BYPASS );
- Attribute subentryAci = AttributeUtils.getAttribute( administrativeEntry, subentryAciType );
+ ServerEntry administrativeEntry = ServerEntryUtils.toServerEntry(
+ proxy.lookup(
+ new LookupOperationContext( registries, parentDn, new String[]
+ { SchemaConstants.SUBENTRY_ACI_AT }) , PartitionNexusProxy.LOOKUP_BYPASS ),
+ parentDn,
+ registries );
+
+ ServerAttribute subentryAci = administrativeEntry.get( subentryAciType );
if ( subentryAci == null )
{
return;
}
- for ( int ii = 0; ii < subentryAci.size(); ii++ )
+ for ( ServerValue<?> value:subentryAci )
{
- String aciString = ( String ) subentryAci.get( ii );
+ String aciString = ( String ) value.get();
ACIItem item;
try
@@ -430,7 +443,9 @@
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
- Attributes entry = addContext.getEntry();
+ ServerEntry serverEntry = addContext.getEntry();
+ //Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry );
+
LdapDN name = addContext.getDn();
// bypass authz code if we are disabled
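Review bot: L361 leaves a commented-out statement `//Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry );` in the new code; dead code in the authorization path invites someone to reactivate a JNDI-Attributes view that the rest of the method no longer uses. Delete L361–L362, leaving `ServerEntry serverEntry = addContext.getEntry();` followed directly by `LdapDN name = addContext.getDn();`. The enclosing add() continues beyond this hunk.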
@@ -444,23 +459,22 @@
if ( isPrincipalAnAdministrator( principalDn ) )
{
next.add( addContext );
- tupleCache.subentryAdded( name, entry );
- groupCache.groupAdded( name, entry );
+ tupleCache.subentryAdded( name, serverEntry );
+ groupCache.groupAdded( name, serverEntry );
return;
}
// perform checks below here for all non-admin users
SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
- Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( name, entry );
- NamingEnumeration<? extends Attribute> attrList = entry.getAll();
+ ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( name, serverEntry );
- while ( attrList.hasMore() )
+ for ( ServerAttribute attribute:serverEntry )
{
- subentryAttrs.put( attrList.next() );
+ subentryAttrs.put( attribute );
}
// Assemble all the information required to make an access control decision
- Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
// Build the total collection of tuples to be considered for add rights
@@ -470,20 +484,16 @@
// check if entry scope permission is granted
PartitionNexusProxy proxy = invocation.getProxy();
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
ADD_PERMS, tuples, subentryAttrs, null );
// now we must check if attribute type and value scope permission is granted
- NamingEnumeration<? extends Attribute> attributeList = entry.getAll();
-
- while ( attributeList.hasMore() )
+ for ( ServerAttribute attribute:serverEntry )
{
- Attribute attr = attributeList.next();
-
- for ( int ii = 0; ii < attr.size(); ii++ )
+ for ( ServerValue<?> value:attribute )
{
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attr
- .getID(), attr.get( ii ), ADD_PERMS, tuples, entry, null );
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, attribute
+ .getUpId(), value.get(), ADD_PERMS, tuples, serverEntry, null );
}
}
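Review bot: The per-value check at L410–L411 now passes `attribute.getUpId()`, the attribute identifier in whatever case and form the client supplied, where the old code passed `attr.getID()`; if `ACDFEngine.checkPermission` matches this string against the ACI's attribute types textually rather than through the registry, an attribute written as `USERPASSWORD` or by OID could be evaluated against a different rule, or none. The engine's matching is not visible here, so confirm it normalizes the identifier, or pass the attribute's normalized id or OID instead of the user-provided form. The same pattern appears in checkLookupAccess further down.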
@@ -492,8 +502,8 @@
// if the entry added is a subentry or a groupOf[Unique]Names we must
// update the ACITuple cache and the groups cache to keep them in sync
- tupleCache.subentryAdded( name, entry );
- groupCache.groupAdded( name, entry );
+ tupleCache.subentryAdded( name, serverEntry );
+ groupCache.groupAdded( name, serverEntry );
}
@@ -510,7 +520,11 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( new LookupOperationContext( name ) , PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, name ) , PartitionNexusProxy.LOOKUP_BYPASS ),
+ name,
+ registries );
+
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
@@ -532,13 +546,13 @@
return;
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
REMOVE_PERMS, tuples, entry, null );
next.delete( deleteContext );
@@ -555,7 +569,11 @@
LdapDN name = opContext.getDn();
// Access the principal requesting the operation, and bypass checks if it is the admin
- Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ name,
+ registries );
+
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
@@ -575,23 +593,23 @@
/**
* @TODO: A virtual entry can be created here for not hitting the backend again.
*/
- Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
- tupleCache.subentryModified( name, mods, modifiedEntry );
- groupCache.groupModified( name, mods, entry );
+ Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ tupleCache.subentryModified( name, mods, ServerEntryUtils.toServerEntry( modifiedEntry, name, registries ) );
+ groupCache.groupModified( name, mods, entry, registries );
return;
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
Collection<MicroOperation> perms = null;
- Attributes entryView = ( Attributes ) entry.clone();
+ ServerEntry entryView = ( ServerEntry ) entry.clone();
for ( ModificationItemImpl mod : mods )
{
@@ -606,7 +624,7 @@
if ( entry.get( attr.getID() ) == null )
{
// ... we also need to check if adding the attribute is permitted
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
attr.getID(), null, perms, tuples, entry, null );
}
@@ -614,7 +632,7 @@
case ( DirContext.REMOVE_ATTRIBUTE ):
perms = REMOVE_PERMS;
- Attribute entryAttr = entry.get( attr.getID() );
+ ServerAttribute entryAttr = entry.get( attr.getID() );
if ( entryAttr != null )
{
@@ -622,7 +640,7 @@
if ( entryAttr.size() == 1 )
{
// ... we also need to check if removing the attribute at all is permitted
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
attr.getID(), null, perms, tuples, entry, null );
}
}
@@ -647,11 +665,11 @@
* not the individual Value Additions) we just handle this when the first value of an
* attribute is being checked for relevant permissions below.
*/
- entryView = SchemaUtils.getTargetEntry( mod, entryView );
+ entryView = ServerEntryUtils.getTargetEntry( mod, entryView, registries );
for ( int jj = 0; jj < attr.size(); jj++ )
{
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name,
attr.getID(), attr.get( jj ), perms, tuples, entry, entryView );
}
}
@@ -662,9 +680,9 @@
/**
* @TODO: A virtual entry can be created here for not hitting the backend again.
*/
- Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
- tupleCache.subentryModified( name, mods, modifiedEntry );
- groupCache.groupModified( name, mods, entry );
+ Attributes modifiedEntry = proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS );
+ tupleCache.subentryModified( name, mods, ServerEntryUtils.toServerEntry( modifiedEntry, name, registries ) );
+ groupCache.groupModified( name, mods, entry, registries );
}
public boolean hasEntry( NextInterceptor next, EntryOperationContext entryContext ) throws NamingException
@@ -672,7 +690,12 @@
LdapDN name = entryContext.getDn();
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ name,
+ registries );
+
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
@@ -682,14 +705,14 @@
return name.size() == 0 || next.hasEntry( entryContext );
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
// check that we have browse access to the entry
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
BROWSE_PERMS, tuples, entry, null );
return next.hasEntry( entryContext );
@@ -711,7 +734,7 @@
* @param entry the raw entry pulled from the nexus
* @throws NamingException if undlying access to the DIT fails
*/
- private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, Attributes entry ) throws NamingException
+ private void checkLookupAccess( LdapPrincipal principal, LdapDN dn, ServerEntry entry ) throws NamingException
{
// no permissions checks on the RootDSE
if ( dn.toString().trim().equals( "" ) )
@@ -721,25 +744,35 @@
PartitionNexusProxy proxy = InvocationStack.getInstance().peek().getProxy();
LdapDN userName = principal.getJndiName();
- Set<Name> userGroups = groupCache.getGroups( userName.toNormName() );
+ Set<LdapDN> userGroups = groupCache.getGroups( userName.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, dn, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, dn, entry );
// check that we have read access to the entry
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
+ engine.checkPermission( registries, proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, null, null,
LOOKUP_PERMS, tuples, entry, null );
// check that we have read access to every attribute type and value
- NamingEnumeration<? extends Attribute> attributeList = entry.getAll();
- while ( attributeList.hasMore() )
+ for ( ServerAttribute attribute:entry )
{
- Attribute attr = attributeList.next();
- for ( int ii = 0; ii < attr.size(); ii++ )
+
+ for ( ServerValue<?> value:attribute )
{
- engine.checkPermission( proxy, userGroups, userName, principal.getAuthenticationLevel(), dn, attr
- .getID(), attr.get( ii ), READ_PERMS, tuples, entry, null );
+ engine.checkPermission(
+ registries,
+ proxy,
+ userGroups,
+ userName,
+ principal.getAuthenticationLevel(),
+ dn,
+ attribute.getUpId(),
+ value.get(),
+ READ_PERMS,
+ tuples,
+ entry,
+ null );
}
}
}
@@ -753,7 +786,7 @@
if ( !principalDn.isNormalized() )
{
- principalDn.normalize( attrRegistry.getNormalizerMapping() );
+ principalDn.normalize( atRegistry.getNormalizerMapping() );
}
if ( isPrincipalAnAdministrator( principalDn ) || !enabled )
@@ -762,7 +795,10 @@
}
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( lookupContext, PartitionNexusProxy.LOOKUP_BYPASS ),
+ lookupContext.getDn(),
+ registries );
checkLookupAccess( principal, lookupContext.getDn(), entry );
return next.lookup( lookupContext );
}
@@ -774,7 +810,12 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( new LookupOperationContext( name ), PartitionNexusProxy.LOOKUP_BYPASS );
+
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, name ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ name,
+ registries );
+
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
LdapDN newName = ( LdapDN ) name.clone();
@@ -803,13 +844,13 @@
return;
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
RENAME_PERMS, tuples, entry, null );
next.rename( renameContext );
@@ -827,8 +868,13 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( new LookupOperationContext( oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
- LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
+
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ oriChildName,
+ registries );
+
+ LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
LdapDN newName = ( LdapDN ) newParentName.clone();
newName.add( moveAndRenameContext.getNewRdn().getUpName() );
@@ -851,13 +897,13 @@
return;
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
null, MOVERENAME_PERMS, tuples, entry, null );
// Get the entry again without operational attributes
@@ -865,8 +911,12 @@
// will not be valid at the new location.
// This will certainly be fixed by the SubentryInterceptor,
// but after this service.
- Attributes importedEntry = proxy.lookup( new LookupOperationContext( oriChildName ),
- PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+ ServerEntry importedEntry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, oriChildName ),
+ PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ),
+ oriChildName,
+ registries );
+
// As the target entry does not exist yet and so
// its subentry operational attributes are not there,
@@ -874,12 +924,11 @@
// at least with minimal requirements which are object class
// and access control subentry operational attributes.
SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
- Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
- NamingEnumeration<? extends Attribute> attrList = importedEntry.getAll();
+ ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
- while ( attrList.hasMore() )
+ for ( ServerAttribute attribute:importedEntry )
{
- subentryAttrs.put( attrList.next() );
+ subentryAttrs.put( attribute );
}
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
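Review bot: The copy loop `for ( ServerAttribute attribute:importedEntry ) { subentryAttrs.put( attribute ); }` and the surrounding import-permission sequence (lookup excluding operational attributes, getSubentryAttributes, destTuples, the IMPORT_PERMS check) are repeated verbatim in the move method's hunks further down. Extracting one private method that takes the proxy, the old and new names and the principal data would leave a single copy of this authorization logic to review. Whether `ServerEntry.put` replaces an attribute of the same type or merges values is not visible here; the old `Attributes.put` replaced, and since the result is what the IMPORT permission is evaluated against, that is worth confirming against the ServerEntry contract. The enclosing moveAndRename method starts and ends outside this hunk.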
@@ -887,7 +936,7 @@
addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
null, IMPORT_PERMS, destTuples, subentryAttrs, null );
@@ -905,7 +954,11 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup( new LookupOperationContext( oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, oriChildName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ oriChildName,
+ registries );
+
LdapDN newName = ( LdapDN ) newParentName.clone();
newName.add( oriChildName.get( oriChildName.size() - 1 ) );
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
@@ -929,13 +982,13 @@
return;
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, oriChildName, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, oriChildName, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), oriChildName, null,
null, EXPORT_PERMS, tuples, entry, null );
// Get the entry again without operational attributes
@@ -943,20 +996,23 @@
// will not be valid at the new location.
// This will certainly be fixed by the SubentryInterceptor,
// but after this service.
- Attributes importedEntry = proxy.lookup( new LookupOperationContext( oriChildName ),
- PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
+ ServerEntry importedEntry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, oriChildName ),
+ PartitionNexusProxy.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS ),
+ oriChildName,
+ registries );
+
// As the target entry does not exist yet and so
// its subentry operational attributes are not there,
// we need to construct an entry to represent it
// at least with minimal requirements which are object class
// and access control subentry operational attributes.
SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
- Attributes subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
- NamingEnumeration<? extends Attribute> attrList = importedEntry.getAll();
+ ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
- while ( attrList.hasMore() )
+ for ( ServerAttribute attribute:importedEntry )
{
- subentryAttrs.put( attrList.next() );
+ subentryAttrs.put( attribute );
}
Collection<ACITuple> destTuples = new HashSet<ACITuple>();
@@ -964,7 +1020,7 @@
addPerscriptiveAciTuples( proxy, destTuples, newName, subentryAttrs );
// Evaluate the target context to see whether it
// allows an entry named newName to be imported as a subordinate.
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), newName, null,
null, IMPORT_PERMS, destTuples, subentryAttrs, null );
next.move( moveContext );
@@ -1027,9 +1083,12 @@
// Access the principal requesting the operation, and bypass checks if it is the admin
Invocation invocation = InvocationStack.getInstance().peek();
PartitionNexusProxy proxy = invocation.getProxy();
- Attributes entry = proxy.lookup(
- new LookupOperationContext( name ),
- PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup(
+ new LookupOperationContext( registries, name ),
+ PartitionNexusProxy.LOOKUP_BYPASS ),
+ name,
+ registries );
LdapPrincipal principal = ( ( ServerContext ) invocation.getCaller() ).getPrincipal();
LdapDN principalDn = principal.getJndiName();
@@ -1039,15 +1098,15 @@
return next.compare( opContext );
}
- Set<Name> userGroups = groupCache.getGroups( principalDn.toNormName() );
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, name, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, name, entry );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
READ_PERMS, tuples, entry, null );
- engine.checkPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
+ engine.checkPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), name, oid, value,
COMPARE_PERMS, tuples, entry, null );
return next.compare( opContext );
@@ -1068,7 +1127,7 @@
}
// get the present matched name
- Attributes entry;
+ ServerEntry entry;
LdapDN matched = next.getMatchedName( opContext );
// check if we have disclose on error permission for the entry at the matched dn
@@ -1076,14 +1135,18 @@
// that but if permission is granted then short the process and return the dn
while ( matched.size() > 0 )
{
- entry = proxy.lookup( new LookupOperationContext( matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS );
- Set<Name> userGroups = groupCache.getGroups( principalDn.toString() );
+ entry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, matched ), PartitionNexusProxy.GETMATCHEDDN_BYPASS ),
+ matched,
+ registries );
+
+ Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( proxy, tuples, matched, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( proxy, tuples, matched, entry );
- if ( engine.hasPermission( proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
+ if ( engine.hasPermission( registries, proxy, userGroups, principalDn, principal.getAuthenticationLevel(), matched, null,
null, MATCHEDNAME_PERMS, tuples, entry, null ) )
{
return matched;
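Review bot: `Set<LdapDN> userGroups = groupCache.getGroups( principalDn.toString() );` is evaluated on every iteration of the `while ( matched.size() > 0 )` loop although it depends only on principalDn, so each step up the DN walks the group cache again. Moving that line above the `while` keeps the result identical and resolves the groups once per getMatchedName call. The enclosing method starts before this hunk and the loop body continues after it.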
@@ -1096,7 +1159,7 @@
}
- public void cacheNewGroup( LdapDN name, Attributes entry ) throws NamingException
+ public void cacheNewGroup( LdapDN name, ServerEntry entry ) throws NamingException
{
groupCache.groupAdded( name, entry );
}
@@ -1104,22 +1167,40 @@
private boolean filter( Invocation invocation, LdapDN normName, SearchResult result ) throws NamingException
{
+ ServerEntry resultEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), new LdapDN( result.getName() ) , registries );
+
/*
* First call hasPermission() for entry level "Browse" and "ReturnDN" perm
* tests. If we hasPermission() returns false we immediately short the
* process and return false.
*/
- Attributes entry = invocation.getProxy().lookup( new LookupOperationContext( normName ), PartitionNexusProxy.LOOKUP_BYPASS );
+ ServerEntry entry = ServerEntryUtils.toServerEntry(
+ invocation.getProxy().lookup(
+ new LookupOperationContext( registries, normName ), PartitionNexusProxy.LOOKUP_BYPASS ),
+ normName,
+ registries );
+
ServerLdapContext ctx = ( ServerLdapContext ) invocation.getCaller();
LdapDN userDn = ctx.getPrincipal().getJndiName();
- Set<Name> userGroups = groupCache.getGroups( userDn.toNormName() );
+ Set<LdapDN> userGroups = groupCache.getGroups( userDn.toNormName() );
Collection<ACITuple> tuples = new HashSet<ACITuple>();
addPerscriptiveAciTuples( invocation.getProxy(), tuples, normName, entry );
addEntryAciTuples( tuples, entry );
addSubentryAciTuples( invocation.getProxy(), tuples, normName, entry );
- if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
- .getAuthenticationLevel(), normName, null, null, SEARCH_ENTRY_PERMS, tuples, entry, null ) )
+ if ( !engine.hasPermission(
+ registries,
+ invocation.getProxy(),
+ userGroups,
+ userDn,
+ ctx.getPrincipal().getAuthenticationLevel(),
+ normName,
+ null,
+ null,
+ SEARCH_ENTRY_PERMS,
+ tuples,
+ entry,
+ null ) )
{
return false;
}
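Review bot: `ServerEntry resultEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), new LdapDN( result.getName() ) , registries );` runs before the entry-level Browse/ReturnDN check, so for every entry that check hides the conversion was wasted work; moving the line below the `return false` block, just ahead of the attribute loop in the next hunk, avoids it. The conversion also parses an unnormalized `new LdapDN( result.getName() )` while the lookup on the following lines uses `normName`; if both name the same entry, passing `normName` removes the parse and keeps the two DNs from drifting apart, provided toServerEntry does not rely on the user-provided form. The stray space before the comma in `) , registries` should also go. The method body continues in the next hunk.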
@@ -1131,43 +1212,74 @@
* not allowed are removed from the attribute. If the attribute has no more
* values remaining then the entire attribute is removed.
*/
- NamingEnumeration<String> idList = result.getAttributes().getIDs();
-
- while ( idList.hasMore() )
+ //NamingEnumeration<String> idList = result.getAttributes().getIDs();
+ List<AttributeType> attributeToRemove = new ArrayList<AttributeType>();
+
+ for ( AttributeType attributeType:resultEntry.getAttributeTypes() )
{
// if attribute type scope access is not allowed then remove the attribute and continue
- String id = idList.next();
- Attribute attr = result.getAttributes().get( id );
+ String id = attributeType.getName();
+ ServerAttribute attr = resultEntry.get( attributeType );
- if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
- .getAuthenticationLevel(), normName, attr.getID(), null, SEARCH_ATTRVAL_PERMS, tuples, entry, null ) )
+ if ( !engine.hasPermission(
+ registries,
+ invocation.getProxy(),
+ userGroups,
+ userDn,
+ ctx.getPrincipal().getAuthenticationLevel(),
+ normName,
+ id,
+ null,
+ SEARCH_ATTRVAL_PERMS,
+ tuples,
+ entry,
+ null ) )
{
- result.getAttributes().remove( attr.getID() );
-
- if ( attr.size() == 0 )
- {
- result.getAttributes().remove( attr.getID() );
- }
+ attributeToRemove.add( attributeType );
+
continue;
}
+ List<ServerValue<?>> valueToRemove = new ArrayList<ServerValue<?>>();
+
// attribute type scope is ok now let's determine value level scope
- for ( int ii = 0; ii < attr.size(); ii++ )
+ for ( ServerValue<?> value:attr )
{
- if ( !engine.hasPermission( invocation.getProxy(), userGroups, userDn, ctx.getPrincipal()
- .getAuthenticationLevel(), normName, attr.getID(), attr.get( ii ), SEARCH_ATTRVAL_PERMS, tuples,
- entry, null ) )
+ if ( !engine.hasPermission(
+ registries,
+ invocation.getProxy(),
+ userGroups,
+ userDn,
+ ctx.getPrincipal().getAuthenticationLevel(),
+ normName,
+ attr.getUpId(),
+ value.get(),
+ SEARCH_ATTRVAL_PERMS,
+ tuples,
+ entry,
+ null ) )
{
- attr.remove( ii );
-
- if ( ii > 0 )
- {
- ii--;
- }
+ valueToRemove.add( value );
}
}
+
+ for ( ServerValue<?> value:valueToRemove )
+ {
+ attr.remove( value );
+ }
+
+ if ( attr.size() == 0 )
+ {
+ attributeToRemove.add( attributeType );
+ }
+ }
+
+ for ( AttributeType attributeType:attributeToRemove )
+ {
+ resultEntry.remove( attributeType );
}
+ result.setAttributes( ServerEntryUtils.toAttributesImpl( resultEntry ) );
return true;
}
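Review bot: The attribute-level check passes `id,` (from `attributeType.getName()`) while the value-level check a few lines down passes `attr.getUpId(),`; the old code used `attr.getID()` for both. If the engine matches the attribute identifier textually against the ACI protected items, the two levels can now evaluate different names for the same attribute, and since this is the search-result authorization filter any divergence changes what a user is shown — use one identifier (the canonical name or the OID) for both calls. The commented-out line `//NamingEnumeration<String> idList = result.getAttributes().getIDs();` should be deleted rather than left in. The deferred `attributeToRemove`/`valueToRemove` removal correctly replaces the old in-loop index juggling, so nothing else in the loop needs to change.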
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationInterceptor.java Sun Jan 20 08:59:10 2008
@@ -40,6 +40,7 @@
import org.apache.directory.server.core.jndi.ServerContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.message.ServerSearchResult;
@@ -140,15 +141,15 @@
uniqueMemberAT = attrRegistry.lookup( SchemaConstants.UNIQUE_MEMBER_AT_OID );
- loadAdministrators();
+ loadAdministrators( directoryService.getRegistries() );
}
- private void loadAdministrators() throws NamingException
+ private void loadAdministrators( Registries registries ) throws NamingException
{
// read in the administrators and cache their normalized names
Set<String> newAdministrators = new HashSet<String>( 2 );
- Attributes adminGroup = nexus.lookup( new LookupOperationContext( ADMIN_GROUP_DN ) );
+ Attributes adminGroup = nexus.lookup( new LookupOperationContext( registries, ADMIN_GROUP_DN ) );
if ( adminGroup == null )
{
@@ -271,7 +272,7 @@
// update administrators if we change administrators group
if ( dn.getNormName().equals( ADMIN_GROUP_DN.getNormName() ) )
{
- loadAdministrators();
+ loadAdministrators( opContext.getRegistries() );
}
}
else
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/GroupCache.java Sun Jan 20 08:59:10 2008
@@ -28,9 +28,14 @@
import org.apache.directory.server.constants.ServerDNConstants;
import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.constants.SchemaConstants;
import org.apache.directory.shared.ldap.filter.BranchNode;
import org.apache.directory.shared.ldap.filter.EqualityNode;
@@ -40,15 +45,11 @@
import org.apache.directory.shared.ldap.name.LdapDN;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.OidNormalizer;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
@@ -89,7 +90,7 @@
/** the normalized dn of the administrators group */
private LdapDN administratorsGroupDn;
- private static final Set<Name> EMPTY_GROUPS = new HashSet<Name>();
+ private static final Set<LdapDN> EMPTY_GROUPS = new HashSet<LdapDN>();
/**
* Creates a static group cache.
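Review bot: `private static final Set<LdapDN> EMPTY_GROUPS = new HashSet<LdapDN>();` is a mutable set handed to every caller of getGroups() via the `return EMPTY_GROUPS;` further down, so a single `add` by any caller would silently give that group to every principal with no group membership. Declaring it as `private static final Set<LdapDN> EMPTY_GROUPS = Collections.emptySet();` (adding the java.util.Collections import if the file lacks it) makes such a mutation throw instead. The returned set feeds the permission engine, which is why immutability matters for this particular constant.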
@@ -109,7 +110,7 @@
// stuff for dealing with the admin group
administratorsGroupDn = parseNormalized( ServerDNConstants.ADMINISTRATORS_GROUP_DN );
- initialize();
+ initialize( directoryService.getRegistries() );
}
@@ -121,7 +122,7 @@
}
- private void initialize() throws NamingException
+ private void initialize( Registries registries ) throws NamingException
{
// search all naming contexts for static groups and generate
// normalized sets of members to cache within the map
@@ -139,13 +140,14 @@
SearchControls ctls = new SearchControls();
ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
NamingEnumeration<SearchResult> results = nexus.search(
- new SearchOperationContext( baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
+ new SearchOperationContext( registries, baseDn, AliasDerefMode.DEREF_ALWAYS, filter, ctls ) );
while ( results.hasMore() )
{
SearchResult result = results.next();
LdapDN groupDn = parseNormalized( result.getName() );
- Attribute members = getMemberAttribute( result.getAttributes() );
+ ServerAttribute members = getMemberAttribute(
+ ServerEntryUtils.toServerEntry( result.getAttributes(), groupDn, registries ) );
if ( members != null )
{
@@ -176,20 +178,20 @@
* @param entry the entry inspected for member attributes
* @return the member attribute
*/
- private Attribute getMemberAttribute( Attributes entry )
+ private ServerAttribute getMemberAttribute( ServerEntry entry ) throws NamingException
{
- Attribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
+ ServerAttribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
if ( oc == null )
{
- Attribute member = AttributeUtils.getAttribute( entry, memberAT );
+ ServerAttribute member = entry.get( memberAT );
if ( member != null )
{
return member;
}
- Attribute uniqueMember = AttributeUtils.getAttribute(entry, uniqueMemberAT );
+ ServerAttribute uniqueMember = entry.get( uniqueMemberAT );
if ( uniqueMember != null )
{
@@ -199,16 +201,16 @@
return null;
}
- if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC ) ||
- AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC_OID ) )
+ if ( oc.contains( SchemaConstants.GROUP_OF_NAMES_OC ) ||
+ oc.contains( SchemaConstants.GROUP_OF_NAMES_OC_OID ) )
{
- return AttributeUtils.getAttribute( entry, memberAT );
+ return entry.get( memberAT );
}
- if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
- AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ))
+ if ( oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
+ oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ))
{
- return AttributeUtils.getAttribute(entry, uniqueMemberAT );
+ return entry.get( uniqueMemberAT );
}
return null;
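Review bot: `oc.contains( SchemaConstants.GROUP_OF_NAMES_OC )` replaces `AttributeUtils.containsValueCaseIgnore`, and the diff does not show whether ServerAttribute.contains applies the objectClass matching rule or compares the raw string. If it is an exact comparison, an entry stored with a differently cased value such as `objectClass: groupofnames` would no longer be recognized as a group, its members would drop out of the cache, and any ACI granting rights by group would silently stop applying to them; a one-line test with a lowercase objectClass value would settle it. The same substitution is made in the groupModified hunk of this file and in TupleCache.hasPrescriptiveACI, where the `entry.contains( SchemaConstants.OBJECT_CLASS_AT, ... )` form is used.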
@@ -222,12 +224,13 @@
* @param members the member attribute values being added
* @throws NamingException if there are problems accessing the attr values
*/
- private void addMembers( Set<String> memberSet, Attribute members ) throws NamingException
+ private void addMembers( Set<String> memberSet, ServerAttribute members ) throws NamingException
{
- for ( int ii = 0; ii < members.size(); ii++ )
+ for ( ServerValue<?> value:members )
{
+
// get and normalize the DN of the member
- String memberDn = ( String ) members.get( ii );
+ String memberDn = (String)value.get();
try
{
@@ -250,12 +253,12 @@
* @param members the set of member values
* @throws NamingException if there are problems accessing the attr values
*/
- private void removeMembers( Set<String> memberSet, Attribute members ) throws NamingException
+ private void removeMembers( Set<String> memberSet, ServerAttribute members ) throws NamingException
{
- for ( int ii = 0; ii < members.size(); ii++ )
+ for ( ServerValue<?> value:members )
{
// get and normalize the DN of the member
- String memberDn = ( String ) members.get( ii );
+ String memberDn = (String)value.get();
try
{
@@ -279,9 +282,9 @@
* @param entry the group entry's attributes
* @throws NamingException if there are problems accessing the attr values
*/
- public void groupAdded( LdapDN name, Attributes entry ) throws NamingException
+ public void groupAdded( LdapDN name, ServerEntry entry ) throws NamingException
{
- Attribute members = getMemberAttribute( entry );
+ ServerAttribute members = getMemberAttribute( entry );
if ( members == null )
{
@@ -306,9 +309,9 @@
* @param name the normalized DN of the group entry
* @param entry the attributes of entry being deleted
*/
- public void groupDeleted( LdapDN name, Attributes entry )
+ public void groupDeleted( LdapDN name, ServerEntry entry ) throws NamingException
{
- Attribute members = getMemberAttribute( entry );
+ ServerAttribute members = getMemberAttribute( entry );
if ( members == null )
{
@@ -333,7 +336,7 @@
* @param members the members being added, removed or replaced
* @throws NamingException if there are problems accessing attribute values
*/
- private void modify( Set<String> memberSet, int modOp, Attribute members ) throws NamingException
+ private void modify( Set<String> memberSet, int modOp, ServerAttribute members ) throws NamingException
{
switch ( modOp )
@@ -370,23 +373,23 @@
* @param entry the group entry being modified
* @throws NamingException if there are problems accessing attribute values
*/
- public void groupModified( LdapDN name, List<ModificationItemImpl> mods, Attributes entry ) throws NamingException
+ public void groupModified( LdapDN name, List<ModificationItemImpl> mods, ServerEntry entry, Registries registries ) throws NamingException
{
- Attribute members = null;
+ ServerAttribute members = null;
String memberAttrId = null;
- Attribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
+ ServerAttribute oc = entry.get( SchemaConstants.OBJECT_CLASS_AT );
- if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC ) ||
- AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_NAMES_OC_OID ))
+ if ( oc.contains( SchemaConstants.GROUP_OF_NAMES_OC ) ||
+ oc.contains( SchemaConstants.GROUP_OF_NAMES_OC_OID ))
{
- members = AttributeUtils.getAttribute( entry, memberAT );
+ members = entry.get( memberAT );
memberAttrId = SchemaConstants.MEMBER_AT;
}
- if ( AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
- AttributeUtils.containsValueCaseIgnore( oc, SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ) )
+ if ( oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC ) ||
+ oc.contains( SchemaConstants.GROUP_OF_UNIQUE_NAMES_OC_OID ) )
{
- members = AttributeUtils.getAttribute(entry, uniqueMemberAT );
+ members = entry.get( uniqueMemberAT );
memberAttrId = SchemaConstants.UNIQUE_MEMBER_AT;
}
@@ -403,7 +406,12 @@
if ( memberSet != null )
{
- modify( memberSet, modification.getModificationOp(), modification.getAttribute() );
+ modify(
+ memberSet,
+ modification.getModificationOp(),
+ ServerEntryUtils.toServerAttribute(
+ modification.getAttribute(),
+ registries.getAttributeTypeRegistry().lookup( modification.getAttribute().getID() ) ) );
}
break;
@@ -426,9 +434,9 @@
* @param mods the modifications being performed
* @throws NamingException if there are problems accessing attribute values
*/
- public void groupModified( LdapDN name, int modOp, Attributes mods ) throws NamingException
+ public void groupModified( LdapDN name, int modOp, ServerEntry mods ) throws NamingException
{
- Attribute members = getMemberAttribute( mods );
+ ServerAttribute members = getMemberAttribute( mods );
if ( members == null )
{
@@ -483,7 +491,7 @@
* @return a Set of Name objects representing the groups
* @throws NamingException if there are problems accessing attribute values
*/
- public Set<Name> getGroups( String member ) throws NamingException
+ public Set<LdapDN> getGroups( String member ) throws NamingException
{
LdapDN normMember;
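Review bot: The Javadoc immediately above `public Set<LdapDN> getGroups( String member )` still says `@return a Set of Name objects representing the groups`; with the signature now returning LdapDN it should read `@return a Set of LdapDN objects representing the groups`. The method body continues past this hunk.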
@@ -497,7 +505,7 @@
return EMPTY_GROUPS;
}
- Set<Name> memberGroups = null;
+ Set<LdapDN> memberGroups = null;
for ( String group:groups.keySet() )
{
@@ -512,7 +520,7 @@
{
if ( memberGroups == null )
{
- memberGroups = new HashSet<Name>();
+ memberGroups = new HashSet<LdapDN>();
}
memberGroups.add( parseNormalized( group ) );
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/TupleCache.java Sun Jan 20 08:59:10 2008
@@ -20,11 +20,16 @@
package org.apache.directory.server.core.authz;
import org.apache.directory.server.core.DirectoryService;
+import org.apache.directory.server.core.entry.ServerAttribute;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
+import org.apache.directory.server.core.entry.ServerValue;
import org.apache.directory.server.core.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.partition.PartitionNexus;
import org.apache.directory.server.schema.ConcreteNameComponentNormalizer;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACIItem;
import org.apache.directory.shared.ldap.aci.ACIItemParser;
import org.apache.directory.shared.ldap.aci.ACITuple;
@@ -39,15 +44,12 @@
import org.apache.directory.shared.ldap.name.NameComponentNormalizer;
import org.apache.directory.shared.ldap.schema.AttributeType;
import org.apache.directory.shared.ldap.schema.OidNormalizer;
-import org.apache.directory.shared.ldap.util.AttributeUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.naming.Name;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
-import javax.naming.directory.Attribute;
-import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import java.text.ParseException;
@@ -104,7 +106,7 @@
NameComponentNormalizer ncn = new ConcreteNameComponentNormalizer( attributeTypeRegistry, oidRegistry );
aciParser = new ACIItemParser( ncn, normalizerMap );
prescriptiveAciAT = attributeTypeRegistry.lookup( SchemaConstants.PRESCRIPTIVE_ACI_AT );
- initialize();
+ initialize( directoryService.getRegistries() );
}
@@ -116,7 +118,7 @@
}
- private void initialize() throws NamingException
+ private void initialize( Registries registries ) throws NamingException
{
// search all naming contexts for access control subentenries
// generate ACITuple Arrays for each subentry
@@ -131,14 +133,16 @@
SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC );
SearchControls ctls = new SearchControls();
ctls.setSearchScope( SearchControls.SUBTREE_SCOPE );
- NamingEnumeration<SearchResult> results = nexus.search( new SearchOperationContext( baseDn,
+ NamingEnumeration<SearchResult> results = nexus.search(
+ new SearchOperationContext( registries, baseDn,
AliasDerefMode.NEVER_DEREF_ALIASES, filter, ctls ) );
while ( results.hasMore() )
{
SearchResult result = results.next();
- String subentryDn = result.getName();
- Attribute aci = AttributeUtils.getAttribute( result.getAttributes(), prescriptiveAciAT );
+ LdapDN subentryDn = new LdapDN( result.getName() ).normalize( normalizerMap );
+ ServerEntry serverEntry = ServerEntryUtils.toServerEntry( result.getAttributes(), subentryDn, registries );
+ ServerAttribute aci = serverEntry.get( prescriptiveAciAT );
if ( aci == null )
{
@@ -147,8 +151,7 @@
continue;
}
- LdapDN normName = parseNormalized( subentryDn );
- subentryAdded( normName, result.getAttributes() );
+ subentryAdded( subentryDn, serverEntry );
}
results.close();
@@ -156,15 +159,15 @@
}
- private boolean hasPrescriptiveACI( Attributes entry ) throws NamingException
+ private boolean hasPrescriptiveACI( ServerEntry entry ) throws NamingException
{
// only do something if the entry contains prescriptiveACI
- Attribute aci = AttributeUtils.getAttribute( entry, prescriptiveAciAT );
+ ServerAttribute aci = entry.get( prescriptiveAciAT );
if ( aci == null )
{
- if ( AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) ||
- AttributeUtils.containsValueCaseIgnore( entry.get( SchemaConstants.OBJECT_CLASS_AT ), SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC_OID ))
+ if ( entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC ) ||
+ entry.contains( SchemaConstants.OBJECT_CLASS_AT, SchemaConstants.ACCESS_CONTROL_SUBENTRY_OC_OID ) )
{
// should not be necessary because of schema interceptor but schema checking
// can be turned off and in this case we must protect against being able to
@@ -181,10 +184,10 @@
}
- public void subentryAdded( LdapDN normName, Attributes entry ) throws NamingException
+ public void subentryAdded( LdapDN normName, ServerEntry entry ) throws NamingException
{
// only do something if the entry contains prescriptiveACI
- Attribute aci = AttributeUtils.getAttribute( entry, prescriptiveAciAT );
+ ServerAttribute aciAttr = entry.get( prescriptiveAciAT );
if ( !hasPrescriptiveACI( entry ) )
{
@@ -193,14 +196,14 @@
List<ACITuple> entryTuples = new ArrayList<ACITuple>();
- for ( int ii = 0; ii < aci.size(); ii++ )
+ for ( ServerValue<?> value:aciAttr )
{
+ String aci = (String)value.get();
ACIItem item = null;
- String aciStr = ( String ) aci.get( ii );
try
{
- item = aciParser.parse( aciStr );
+ item = aciParser.parse( aci );
entryTuples.addAll( item.toTuples() );
}
catch ( ParseException e )
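Review bot: The cast `String aci = (String)value.get();` sits outside the `try`, so a prescriptiveACI value that is not a String would throw ClassCastException, which the `catch ( ParseException e )` does not cover, aborting the whole subentry load instead of skipping that one ACI. Whether `ServerValue` can hold non-String data for this attribute is not visible here; if it can, guard the cast, `Object raw = value.get(); if ( !( raw instanceof String ) ) { continue; } String aci = ( String ) raw;`, with a log line matching whatever the ParseException branch does. The catch body and the rest of the loop run past the hunk.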
@@ -220,9 +223,9 @@
}
- public void subentryDeleted( Name normName, Attributes entry ) throws NamingException
+ public void subentryDeleted( LdapDN normName, ServerEntry entry ) throws NamingException
{
- if ( !hasPrescriptiveACI( entry ) )
+ if ( !hasPrescriptiveACI(entry ) )
{
return;
}
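Review bot: `hasPrescriptiveACI(entry )` drops the spaces-inside-parentheses convention that every other call in this file follows, including the identical check in subentryModified just below; `if ( !hasPrescriptiveACI( entry ) )`. The body of subentryDeleted continues outside the hunk.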
@@ -231,7 +234,7 @@
}
- public void subentryModified( LdapDN normName, List<ModificationItemImpl> mods, Attributes entry ) throws NamingException
+ public void subentryModified( LdapDN normName, List<ModificationItemImpl> mods, ServerEntry entry ) throws NamingException
{
if ( !hasPrescriptiveACI( entry ) )
{
@@ -241,6 +244,7 @@
for ( ModificationItemImpl mod : mods )
{
String attrID = mod.getAttribute().getID();
+
if ( attrID.equalsIgnoreCase( SchemaConstants.PRESCRIPTIVE_ACI_AT ) ||
attrID.equalsIgnoreCase( SchemaConstants.PRESCRIPTIVE_ACI_AT_OID ) )
{
@@ -251,14 +255,14 @@
}
- public void subentryModified( LdapDN normName, Attributes mods, Attributes entry ) throws NamingException
+ public void subentryModified( LdapDN normName, ServerEntry mods, ServerEntry entry ) throws NamingException
{
if ( !hasPrescriptiveACI( entry ) )
{
return;
}
- if ( AttributeUtils.getAttribute( mods, prescriptiveAciAT ) != null )
+ if ( mods.get( prescriptiveAciAT ) != null )
{
subentryDeleted( normName, entry );
subentryAdded( normName, entry );
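Review bot: When `mods` carries prescriptiveACI the cache is rebuilt through `subentryDeleted( normName, entry )` followed by `subentryAdded( normName, entry )`, and both read the ACI values from `entry`, not from `mods`; if a caller passes the pre-modification image, the cache is reloaded with the old tuples and the change is silently lost for subsequent authorization decisions. Which image the callers pass is not visible in this diff. A comment on the signature would pin the contract: `// 'entry' must be the post-modification image: tuples are rebuilt from it, 'mods' only decides whether to rebuild`. The method continues past the end of the hunk.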
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Sun Jan 20 08:59:10 2008
@@ -25,13 +25,13 @@
import java.util.Collections;
import java.util.HashSet;
-import javax.naming.Name;
import javax.naming.NamingException;
-import javax.naming.directory.Attributes;
import org.apache.directory.server.core.authn.AuthenticationInterceptor;
import org.apache.directory.server.core.authz.AciAuthorizationInterceptor;
import org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor;
+import org.apache.directory.server.core.entry.ServerEntry;
+import org.apache.directory.server.core.entry.ServerEntryUtils;
import org.apache.directory.server.core.event.Evaluator;
import org.apache.directory.server.core.event.EventInterceptor;
import org.apache.directory.server.core.event.ExpressionEvaluator;
@@ -47,6 +47,7 @@
import org.apache.directory.server.core.trigger.TriggerInterceptor;
import org.apache.directory.server.schema.registries.AttributeTypeRegistry;
import org.apache.directory.server.schema.registries.OidRegistry;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -127,11 +128,21 @@
* @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
* @throws NamingException if failed to evaluate ACI items
*/
- public void checkPermission( PartitionNexusProxy proxy, Collection<Name> userGroupNames, LdapDN username,
- AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
- Collection<MicroOperation> microOperations, Collection<ACITuple> aciTuples, Attributes entry, Attributes entryView ) throws NamingException
+ public void checkPermission(
+ Registries registries,
+ PartitionNexusProxy proxy,
+ Collection<LdapDN> userGroupNames,
+ LdapDN username,
+ AuthenticationLevel authenticationLevel,
+ LdapDN entryName,
+ String attrId,
+ Object attrValue,
+ Collection<MicroOperation> microOperations,
+ Collection<ACITuple> aciTuples,
+ ServerEntry entry,
+ ServerEntry entryView ) throws NamingException
{
- if ( !hasPermission( proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
+ if ( !hasPermission( registries, proxy, userGroupNames, username, authenticationLevel, entryName, attrId, attrValue,
microOperations, aciTuples, entry, entryView ) )
{
throw new LdapNoPermissionException();
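Review bot: The javadoc directly above the signature still ends with the `entryView` and `@throws` entries and gains no `@param registries` for the new leading parameter, while the parameter order changed (registries first), so every caller must be updated together with the documentation. Add `@param registries the schema registries passed through to {@link #hasPermission}` to the block; the rest of the @param list lies above the hunk, so check that it matches the new order.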
@@ -175,16 +186,29 @@
* @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
* @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
*/
- public boolean hasPermission( PartitionNexusProxy proxy, Collection<Name> userGroupNames, LdapDN userName,
- AuthenticationLevel authenticationLevel, LdapDN entryName, String attrId, Object attrValue,
- Collection<MicroOperation> microOperations, Collection<ACITuple> aciTuples, Attributes entry, Attributes entryView ) throws NamingException
+ public boolean hasPermission(
+ Registries registries,
+ PartitionNexusProxy proxy,
+ Collection<LdapDN> userGroupNames,
+ LdapDN userName,
+ AuthenticationLevel authenticationLevel,
+ LdapDN entryName,
+ String attrId,
+ Object attrValue,
+ Collection<MicroOperation> microOperations,
+ Collection<ACITuple> aciTuples,
+ ServerEntry entry,
+ ServerEntry entryView ) throws NamingException
{
if ( entryName == null )
{
throw new NullPointerException( "entryName" );
}
- Attributes userEntry = proxy.lookup( new LookupOperationContext( userName ), USER_LOOKUP_BYPASS );
+ ServerEntry userEntry = ServerEntryUtils.toServerEntry(
+ proxy.lookup( new LookupOperationContext( registries, userName ), USER_LOOKUP_BYPASS ),
+ userName,
+ registries );
// Determine the scope of the requested operation.
OperationScope scope;
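Review bot: The user lookup now runs straight into `ServerEntryUtils.toServerEntry( proxy.lookup( ... ), userName, registries )` with no check that `proxy.lookup` actually returned an entry, so a principal whose entry no longer exists would surface as a NullPointerException out of the conversion rather than as an access decision — assuming `toServerEntry` does not accept null, which this diff does not show. The method guards `entryName` against null a few lines earlier but not `userName`, and the previous code had the same gap. If the lookup can return null, fail closed explicitly, `if ( userEntry == null ) { throw new LdapNoPermissionException(); }` before the entry is handed to the filters (or a NamingException naming the DN, if that is the convention elsewhere in the file). The method continues past the end of the hunk.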
@@ -208,8 +232,21 @@
// Filter unrelated and invalid tuples
for ( ACITupleFilter filter : filters )
{
- aciTuples = filter.filter( aciTuples, scope, proxy, userGroupNames, userName, userEntry,
- authenticationLevel, entryName, attrId, attrValue, entry, microOperations, entryView );
+ aciTuples = filter.filter(
+ registries,
+ aciTuples,
+ scope,
+ proxy,
+ userGroupNames,
+ userName,
+ ServerEntryUtils.toAttributesImpl( userEntry ),
+ authenticationLevel,
+ entryName,
+ attrId,
+ attrValue,
+ ServerEntryUtils.toAttributesImpl( entry ),
+ microOperations,
+ ServerEntryUtils.toAttributesImpl( entryView ) );
}
// Deny access if no tuples left.
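Review bot: The three `ServerEntryUtils.toAttributesImpl( ... )` calls inside `for ( ACITupleFilter filter : filters )` are loop-invariant, so the user entry, the target entry and the entry view are re-converted once per filter on every permission check. Hoist them before the loop, `Attributes userAttrs = ServerEntryUtils.toAttributesImpl( userEntry );`, `Attributes entryAttrs = ServerEntryUtils.toAttributesImpl( entry );`, `Attributes viewAttrs = ServerEntryUtils.toAttributesImpl( entryView );`, and pass those — which means restoring the `javax.naming.directory.Attributes` import this commit removes. `entryView` is documented above as present only for Modify operations, so `toAttributesImpl` must tolerate a null argument here; the diff does not show whether it does. The enclosing method starts before the hunk and the deny-if-empty check follows it.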
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Sun Jan 20 08:59:10 2008
@@ -22,11 +22,11 @@
import java.util.Collection;
-import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -64,10 +64,11 @@
* @throws NamingException if failed to filter the specific tuples
*/
Collection<ACITuple> filter(
+ Registries registries,
Collection<ACITuple> tuples,
OperationScope scope,
PartitionNexusProxy proxy,
- Collection<Name> userGroupNames,
+ Collection<LdapDN> userGroupNames,
LdapDN userName,
Attributes userEntry,
AuthenticationLevel authenticationLevel,
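Review bot: The interface method gains a leading `registries` parameter, but the only javadoc visible in the hunk is the trailing `@throws NamingException` line and no `@param registries` is added; the `@param` list sits above the hunk and should receive one, e.g. `@param registries the schema registries made available to the filter`, stating whether implementations may rely on it being non-null. Every implementation (HighestPrecedenceFilter among them) must be updated to the new order, so the javadoc is the place to record what the argument is for. The signature continues past the end of the hunk.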
Modified: directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=613608&r1=613607&r2=613608&view=diff
==============================================================================
--- directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/sandbox/akarasulu/bigbang/apacheds/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Sun Jan 20 08:59:10 2008
@@ -23,11 +23,11 @@
import java.util.Collection;
import java.util.Iterator;
-import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import org.apache.directory.server.core.partition.PartitionNexusProxy;
+import org.apache.directory.server.schema.registries.Registries;
import org.apache.directory.shared.ldap.aci.ACITuple;
import org.apache.directory.shared.ldap.aci.MicroOperation;
import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
@@ -44,10 +44,11 @@
public class HighestPrecedenceFilter implements ACITupleFilter
{
public Collection<ACITuple> filter(
+ Registries registries,
Collection<ACITuple> tuples,
OperationScope scope,
PartitionNexusProxy proxy,
- Collection<Name> userGroupNames,
+ Collection<LdapDN> userGroupNames,
LdapDN userName,
Attributes userEntry,
AuthenticationLevel authenticationLevel,