directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From elecha...@apache.org
Subject svn commit: r960593 [1/2] - in /directory/apacheds/trunk: core-integ/src/test/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/ core/src/main/java/org/apache/directory/server/core/authz/support/ cor...
Date Mon, 05 Jul 2010 13:18:54 GMT
Author: elecharny
Date: Mon Jul  5 13:18:53 2010
New Revision: 960593

URL: http://svn.apache.org/viewvc?rev=960593&view=rev
Log:
o Added a test for Lookup with authz
o Added a AciContext structure to be used for filter() checkPermission() and hasPermission() methods
o Replaced the methods taking 10 parameters by methods taking a structure (ACDFEngine and others)
o Fixed the code and tests accordingly


Added:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java
Modified:
    directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
    directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MaxImmSubFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MaxValueCountFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MicroOperationFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilterTest.java
    directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/RestrictedByFilterTest.java

Added: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java?rev=960593&view=auto
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java (added)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/LookupAuthorizationIT.java Mon Jul  5 13:18:53 2010
@@ -0,0 +1,100 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License.
+ *
+ */
+package org.apache.directory.server.core.authz;
+
+import static org.apache.directory.server.core.authz.AutzIntegUtils.createAccessControlSubentry;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import org.apache.directory.server.core.annotations.ApplyLdifs;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.name.DN;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+
+/**
+ * Test the lookup operation
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+@RunWith ( FrameworkRunner.class )
+@ApplyLdifs( {
+    // Entry # 1
+    "dn: cn=test,ou=system",
+    "objectClass: person",
+    "cn: test",
+    "sn: sn_test" 
+})
+public class LookupAuthorizationIT extends AbstractLdapTestUnit
+{
+    @Before
+    public void init()
+    {
+        AutzIntegUtils.service = service;
+    }
+
+    
+    /**
+     * Test a lookup( DN ) operation with the ACI subsystem enabled
+     */
+    @Test
+    public void testLookupACIEnabled() throws Exception
+    {
+        service.setAccessControlEnabled( true );
+        
+        createAccessControlSubentry( 
+            "anybodySearch", 
+            "{ " + 
+            "  identificationTag \"searchAci\", " + 
+            "  precedence 14, " +
+            "  authenticationLevel none, " + 
+            "  itemOrUserFirst userFirst: " +
+            "  { " + 
+            "    userClasses { allUsers }, " +
+            "    userPermissions " +
+            "    { " +
+            "      { " + 
+            "        protectedItems {entry, allUserAttributeTypesAndValues}, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      } " +
+            "    } " +
+            "  } " +
+            "}" );
+        
+        DN dn = new DN( "cn=test,ou=system" );
+        Entry entry = service.getSession().lookup( dn );
+        
+        assertNotNull( entry );
+        
+        // We should have 8 attributes
+        assertEquals( 8, entry.size() ); 
+
+        // Check that all the user attributes are present
+        assertEquals( "test", entry.get( "cn" ).getString() );
+        assertEquals( "sn_test", entry.get( "sn" ).getString() );
+        assertTrue( entry.contains( "objectClass", "top", "person" ) );
+    }
+
+}

Modified: directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java (original)
+++ directory/apacheds/trunk/core-integ/src/test/java/org/apache/directory/server/core/authz/SearchAuthorizationIT.java Mon Jul  5 13:18:53 2010
@@ -1219,7 +1219,11 @@ public class SearchAuthorizationIT exten
             "    userPermissions " +
             "    { " +
             "      { " +
-            "        protectedItems { entry, rangeOfValues (cn=billyd) }, " +
+            "        protectedItems { entry }, " +
+            "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
+            "      }, " +
+            "      { " +
+            "        protectedItems { rangeOfValues (cn=billyd) }, " +
             "        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } " +
             "      } " +
             "    } " +

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/AciAuthorizationInterceptor.java Mon Jul  5 13:18:53 2010
@@ -36,6 +36,7 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.DirectoryService;
 import org.apache.directory.server.core.LdapPrincipal;
 import org.apache.directory.server.core.authz.support.ACDFEngine;
+import org.apache.directory.server.core.authz.support.AciContext;
 import org.apache.directory.server.core.entry.ClonedServerEntry;
 import org.apache.directory.server.core.entry.ServerEntryUtils;
 import org.apache.directory.server.core.filtering.EntryFilter;
@@ -100,7 +101,6 @@ public class AciAuthorizationInterceptor
     private static final Collection<MicroOperation> SEARCH_ENTRY_PERMS;
     private static final Collection<MicroOperation> SEARCH_ATTRVAL_PERMS;
     private static final Collection<MicroOperation> REMOVE_PERMS;
-    private static final Collection<MicroOperation> MATCHEDNAME_PERMS;
     private static final Collection<MicroOperation> BROWSE_PERMS;
     private static final Collection<MicroOperation> LOOKUP_PERMS;
     private static final Collection<MicroOperation> REPLACE_PERMS;
@@ -136,7 +136,6 @@ public class AciAuthorizationInterceptor
         READ_PERMS = Collections.singleton( MicroOperation.READ );
         COMPARE_PERMS = Collections.singleton( MicroOperation.COMPARE );
         REMOVE_PERMS = Collections.singleton( MicroOperation.REMOVE );
-        MATCHEDNAME_PERMS = Collections.singleton( MicroOperation.DISCLOSE_ON_ERROR );
         BROWSE_PERMS = Collections.singleton( MicroOperation.BROWSE );
         RENAME_PERMS = Collections.singleton( MicroOperation.RENAME );
         EXPORT_PERMS = Collections.singleton( MicroOperation.EXPORT );
@@ -447,11 +446,11 @@ public class AciAuthorizationInterceptor
         // perform checks below here for all non-admin users
         SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class
             .getName() );
-        Entry subentryAttrs = subentryInterceptor.getSubentryAttributes( dn, serverEntry );
+        Entry subentry = subentryInterceptor.getSubentryAttributes( dn, serverEntry );
 
         for ( EntryAttribute attribute : serverEntry )
         {
-            subentryAttrs.put( attribute );
+            subentry.put( attribute );
         }
 
         // Assemble all the information required to make an access control decision
@@ -460,20 +459,38 @@ public class AciAuthorizationInterceptor
 
         // Build the total collection of tuples to be considered for add rights
         // NOTE: entryACI are NOT considered in adds (it would be a security breech)
-        addPerscriptiveAciTuples( addContext, tuples, dn, subentryAttrs );
-        addSubentryAciTuples( addContext, tuples, dn, subentryAttrs );
+        addPerscriptiveAciTuples( addContext, tuples, dn, subentry );
+        addSubentryAciTuples( addContext, tuples, dn, subentry );
 
         // check if entry scope permission is granted
-        engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal.getAuthenticationLevel(),
-            dn, null, null, ADD_PERMS, tuples, subentryAttrs, null );
+        AciContext entryAciCtx = new AciContext( schemaManager, addContext );
+        entryAciCtx.setUserGroupNames( userGroups );
+        entryAciCtx.setUserDn( principalDn );
+        entryAciCtx.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        entryAciCtx.setEntryDn( dn );
+        entryAciCtx.setMicroOperations( ADD_PERMS );
+        entryAciCtx.setAciTuples( tuples );
+        entryAciCtx.setEntry( subentry );
+        
+        engine.checkPermission( entryAciCtx );
 
         // now we must check if attribute type and value scope permission is granted
         for ( EntryAttribute attribute : serverEntry )
         {
             for ( Value<?> value : attribute )
             {
-                engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal
-                    .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, ADD_PERMS, tuples, serverEntry, null );
+                AciContext attrAciContext = new AciContext( schemaManager, addContext );
+                attrAciContext.setUserGroupNames( userGroups );
+                attrAciContext.setUserDn( principalDn );
+                attrAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                attrAciContext.setEntryDn( dn );
+                attrAciContext.setAttributeType( attribute.getAttributeType() );
+                attrAciContext.setAttrValue( value );
+                attrAciContext.setMicroOperations( ADD_PERMS );
+                attrAciContext.setAciTuples( tuples );
+                attrAciContext.setEntry( serverEntry );
+
+                engine.checkPermission( attrAciContext );
             }
         }
 
@@ -529,8 +546,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( deleteContext, tuples, dn, entry );
 
-        engine.checkPermission( schemaManager, deleteContext, userGroups, principalDn, principal
-            .getAuthenticationLevel(), dn, null, null, REMOVE_PERMS, tuples, entry, null );
+        AciContext aciContext = new AciContext( schemaManager, deleteContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( dn );
+        aciContext.setMicroOperations( REMOVE_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
 
         next.delete( deleteContext );
 
@@ -580,8 +605,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( modifyContext, tuples, dn, entry );
 
-        engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal.getAuthenticationLevel(),
-            dn, null, null, Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );
+        AciContext entryAciContext = new AciContext( schemaManager, modifyContext );
+        entryAciContext.setUserGroupNames( userGroups );
+        entryAciContext.setUserDn( principalDn );
+        entryAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        entryAciContext.setEntryDn( dn );
+        entryAciContext.setMicroOperations( Collections.singleton( MicroOperation.MODIFY ) );
+        entryAciContext.setAciTuples( tuples );
+        entryAciContext.setEntry( entry );
+
+        engine.checkPermission( entryAciContext );
 
         Collection<MicroOperation> perms = null;
         Entry entryView = ( Entry ) entry.clone();
@@ -598,9 +631,18 @@ public class AciAuthorizationInterceptor
                     // If the attribute is being created with an initial value ...
                     if ( entry.get( attr.getId() ) == null )
                     {
+                        AciContext attrAciContext = new AciContext( schemaManager, modifyContext );
+                        attrAciContext.setUserGroupNames( userGroups );
+                        attrAciContext.setUserDn( principalDn );
+                        attrAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                        attrAciContext.setEntryDn( dn );
+                        attrAciContext.setAttributeType( attr.getAttributeType() );
+                        attrAciContext.setMicroOperations( perms );
+                        attrAciContext.setAciTuples( tuples );
+                        attrAciContext.setEntry( entry );
+
                         // ... we also need to check if adding the attribute is permitted
-                        engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
-                            .getAuthenticationLevel(), dn, attr.getAttributeType(), null, perms, tuples, entry, null );
+                        engine.checkPermission( attrAciContext );
                     }
 
                     break;
@@ -615,8 +657,17 @@ public class AciAuthorizationInterceptor
                         if ( entryAttr.size() == 1 )
                         {
                             // ... we also need to check if removing the attribute at all is permitted
-                            engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
-                                .getAuthenticationLevel(), dn, attr.getAttributeType(), null, perms, tuples, entry, null );
+                            AciContext aciContext = new AciContext( schemaManager, modifyContext );
+                            aciContext.setUserGroupNames( userGroups );
+                            aciContext.setUserDn( principalDn );
+                            aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                            aciContext.setEntryDn( dn );
+                            aciContext.setAttributeType( attr.getAttributeType() );
+                            aciContext.setMicroOperations( perms );
+                            aciContext.setAciTuples( tuples );
+                            aciContext.setEntry( entry );
+
+                            engine.checkPermission( aciContext );
                         }
                     }
 
@@ -644,8 +695,19 @@ public class AciAuthorizationInterceptor
 
             for ( Value<?> value : attr )
             {
-                engine.checkPermission( schemaManager, modifyContext, userGroups, principalDn, principal
-                    .getAuthenticationLevel(), dn, attr.getAttributeType(), value, perms, tuples, entry, entryView );
+                AciContext aciContext = new AciContext( schemaManager, modifyContext );
+                aciContext.setUserGroupNames( userGroups );
+                aciContext.setUserDn( principalDn );
+                aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                aciContext.setEntryDn( dn );
+                aciContext.setAttributeType( attr.getAttributeType() );
+                aciContext.setAttrValue( value );
+                aciContext.setMicroOperations( perms );
+                aciContext.setAciTuples( tuples );
+                aciContext.setEntry( entry );
+                aciContext.setEntryView( entryView );
+                
+                engine.checkPermission( aciContext );
             }
         }
 
@@ -695,9 +757,16 @@ public class AciAuthorizationInterceptor
         addSubentryAciTuples( hasEntryContext, tuples, dn, ( ( ClonedServerEntry ) entry ).getOriginalEntry() );
 
         // check that we have browse access to the entry
-        engine.checkPermission( schemaManager, hasEntryContext, userGroups, principalDn, principal
-            .getAuthenticationLevel(), dn, null, null, BROWSE_PERMS, tuples, ( ( ClonedServerEntry ) entry )
-            .getOriginalEntry(), null );
+        AciContext aciContext = new AciContext( schemaManager, hasEntryContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( dn );
+        aciContext.setMicroOperations( BROWSE_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( ((ClonedServerEntry)entry).getOriginalEntry() );
+
+        engine.checkPermission( aciContext );
 
         return next.hasEntry( hasEntryContext );
     }
@@ -737,8 +806,16 @@ public class AciAuthorizationInterceptor
         addSubentryAciTuples( lookupContext, tuples, dn, entry );
 
         // check that we have read access to the entry
-        engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
-            dn, null, null, LOOKUP_PERMS, tuples, entry, null );
+        AciContext aciContext = new AciContext( schemaManager, lookupContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( userName );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( dn );
+        aciContext.setMicroOperations( LOOKUP_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
 
         // check that we have read access to every attribute type and value
         for ( EntryAttribute attribute : entry )
@@ -746,9 +823,18 @@ public class AciAuthorizationInterceptor
 
             for ( Value<?> value : attribute )
             {
-                engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal
-                    .getAuthenticationLevel(), dn, attribute.getAttributeType(), value, READ_PERMS, tuples,
-                    entry, null );
+                AciContext valueAciContext = new AciContext( schemaManager, lookupContext );
+                valueAciContext.setUserGroupNames( userGroups );
+                valueAciContext.setUserDn( userName );
+                valueAciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                valueAciContext.setEntryDn( dn );
+                valueAciContext.setAttributeType( attribute.getAttributeType() );
+                valueAciContext.setAttrValue( value );
+                valueAciContext.setMicroOperations( READ_PERMS );
+                valueAciContext.setAciTuples( tuples );
+                valueAciContext.setEntry( entry );
+                
+                engine.checkPermission( valueAciContext );
             }
         }
     }
@@ -826,8 +912,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, originalEntry );
         addSubentryAciTuples( renameContext, tuples, oldName, originalEntry );
 
-        engine.checkPermission( schemaManager, renameContext, userGroups, principalDn, principal
-            .getAuthenticationLevel(), oldName, null, null, RENAME_PERMS, tuples, originalEntry, null );
+        AciContext aciContext = new AciContext( schemaManager, renameContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( oldName );
+        aciContext.setMicroOperations( RENAME_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( originalEntry );
+
+        engine.checkPermission( aciContext );
 
         next.rename( renameContext );
         tupleCache.subentryRenamed( oldName, newName );
@@ -870,8 +964,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( moveAndRenameContext, tuples, oldDn, entry );
 
-        engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal
-            .getAuthenticationLevel(), oldDn, null, null, MOVERENAME_PERMS, tuples, entry, null );
+        AciContext aciContext = new AciContext( schemaManager, moveAndRenameContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( oldDn );
+        aciContext.setMicroOperations( MOVERENAME_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
 
         // Get the entry again without operational attributes
         // because access control subentry operational attributes
@@ -899,10 +1001,19 @@ public class AciAuthorizationInterceptor
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
         // Import permission is only valid for prescriptive ACIs
         addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newDn, subentryAttrs );
+
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn, principal
-            .getAuthenticationLevel(), newDn, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null );
+        aciContext = new AciContext( schemaManager, moveAndRenameContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( newDn );
+        aciContext.setMicroOperations( IMPORT_PERMS );
+        aciContext.setAciTuples( destTuples );
+        aciContext.setEntry( subentryAttrs );
+
+        engine.checkPermission( aciContext );
 
         next.moveAndRename( moveAndRenameContext );
         tupleCache.subentryRenamed( oldDn, newDn );
@@ -949,8 +1060,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( moveContext, tuples, oriChildName, entry );
 
-        engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
-            principal.getAuthenticationLevel(), oriChildName, null, null, EXPORT_PERMS, tuples, entry, null );
+        AciContext aciContext = new AciContext( schemaManager, moveContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( oriChildName );
+        aciContext.setMicroOperations( EXPORT_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
 
         // Get the entry again without operational attributes
         // because access control subentry operational attributes
@@ -976,10 +1095,19 @@ public class AciAuthorizationInterceptor
         Collection<ACITuple> destTuples = new HashSet<ACITuple>();
         // Import permission is only valid for prescriptive ACIs
         addPerscriptiveAciTuples( moveContext, destTuples, newDn, subentryAttrs );
+
         // Evaluate the target context to see whether it
         // allows an entry named newName to be imported as a subordinate.
-        engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
-            principal.getAuthenticationLevel(), newDn, null, null, IMPORT_PERMS, destTuples, subentryAttrs, null );
+        aciContext = new AciContext( schemaManager, moveContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( newDn );
+        aciContext.setMicroOperations( IMPORT_PERMS );
+        aciContext.setAciTuples( destTuples );
+        aciContext.setEntry( subentryAttrs );
+
+        engine.checkPermission( aciContext );
 
         next.move( moveContext );
         tupleCache.subentryRenamed( oriChildName, newDn );
@@ -1059,12 +1187,30 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, entry );
         addSubentryAciTuples( compareContext, tuples, dn, entry );
 
-        engine.checkPermission( schemaManager, compareContext, userGroups, principalDn, principal.getAuthenticationLevel(),
-            dn, null, null, READ_PERMS, tuples, entry, null );
+        AciContext aciContext = new AciContext( schemaManager, compareContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( dn );
+        aciContext.setMicroOperations( READ_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
         
         AttributeType attributeType = schemaManager.lookupAttributeTypeRegistry( oid );
-        engine.checkPermission( schemaManager, compareContext, userGroups, principalDn, principal.getAuthenticationLevel(),
-            dn, attributeType, value, COMPARE_PERMS, tuples, entry, null );
+        
+        aciContext = new AciContext( schemaManager, compareContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( principalDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( dn );
+        aciContext.setAttributeType( attributeType );
+        aciContext.setMicroOperations( COMPARE_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( entry );
+
+        engine.checkPermission( aciContext );
 
         return next.compare( compareContext );
     }
@@ -1092,8 +1238,16 @@ public class AciAuthorizationInterceptor
         addEntryAciTuples( tuples, clonedEntry.getOriginalEntry() );
         addSubentryAciTuples( opContext, tuples, normName, clonedEntry.getOriginalEntry() );
 
-        if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal.getAuthenticationLevel(),
-            normName, null, null, SEARCH_ENTRY_PERMS, tuples, clonedEntry.getOriginalEntry(), null ) )
+        AciContext aciContext = new AciContext( schemaManager, opContext );
+        aciContext.setUserGroupNames( userGroups );
+        aciContext.setUserDn( userDn );
+        aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+        aciContext.setEntryDn( normName );
+        aciContext.setMicroOperations( SEARCH_ENTRY_PERMS );
+        aciContext.setAciTuples( tuples );
+        aciContext.setEntry( clonedEntry.getOriginalEntry() );
+
+        if ( !engine.hasPermission( aciContext ) )
         {
             return false;
         }
@@ -1112,8 +1266,17 @@ public class AciAuthorizationInterceptor
             // if attribute type scope access is not allowed then remove the attribute and continue
             EntryAttribute attr = clonedEntry.get( attributeType );
 
-            if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal
-                .getAuthenticationLevel(), normName, attributeType, null, SEARCH_ATTRVAL_PERMS, tuples, clonedEntry, null ) )
+            aciContext = new AciContext( schemaManager, opContext );
+            aciContext.setUserGroupNames( userGroups );
+            aciContext.setUserDn( userDn );
+            aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+            aciContext.setEntryDn( normName );
+            aciContext.setAttributeType( attributeType );
+            aciContext.setMicroOperations( SEARCH_ATTRVAL_PERMS );
+            aciContext.setAciTuples( tuples );
+            aciContext.setEntry( clonedEntry );
+
+            if ( !engine.hasPermission( aciContext ) )
             {
                 attributeToRemove.add( attributeType );
 
@@ -1125,9 +1288,18 @@ public class AciAuthorizationInterceptor
             // attribute type scope is ok now let's determine value level scope
             for ( Value<?> value : attr )
             {
-                if ( !engine.hasPermission( schemaManager, opContext, userGroups, userDn, principal
-                    .getAuthenticationLevel(), normName, attr.getAttributeType(), value, SEARCH_ATTRVAL_PERMS, tuples,
-                    clonedEntry, null ) )
+                aciContext = new AciContext( schemaManager, opContext );
+                aciContext.setUserGroupNames( userGroups );
+                aciContext.setUserDn( userDn );
+                aciContext.setAuthenticationLevel( principal.getAuthenticationLevel() );
+                aciContext.setEntryDn( normName );
+                aciContext.setAttributeType( attr.getAttributeType() );
+                aciContext.setAttrValue( value );
+                aciContext.setMicroOperations( SEARCH_ATTRVAL_PERMS );
+                aciContext.setAciTuples( tuples );
+                aciContext.setEntry( clonedEntry );
+
+                if ( !engine.hasPermission( aciContext ) )
                 {
                     valueToRemove.add( value );
                 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACDFEngine.java Mon Jul  5 13:18:53 2010
@@ -31,7 +31,6 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.event.Evaluator;
 import org.apache.directory.server.core.event.EventInterceptor;
 import org.apache.directory.server.core.event.ExpressionEvaluator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.normalization.NormalizationInterceptor;
 import org.apache.directory.server.core.operational.OperationalAttributeInterceptor;
 import org.apache.directory.server.core.schema.SchemaInterceptor;
@@ -41,14 +40,9 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.subtree.SubtreeEvaluator;
 import org.apache.directory.server.core.trigger.TriggerInterceptor;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
 import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
@@ -124,22 +118,9 @@ public class ACDFEngine
      * @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
      * @throws LdapException if failed to evaluate ACI items
      */
-    public void checkPermission( 
-        SchemaManager schemaManager, 
-        OperationContext opContext, 
-        Collection<DN> userGroupNames, 
-        DN username,
-        AuthenticationLevel authenticationLevel, 
-        DN entryName, 
-        AttributeType attributeType, 
-        Value<?> attrValue, 
-        Collection<MicroOperation> microOperations, 
-        Collection<ACITuple> aciTuples, 
-        Entry entry, 
-        Entry entryView ) throws LdapException
+    public void checkPermission( AciContext aciContext )throws LdapException
     {
-        if ( !hasPermission( schemaManager, opContext, userGroupNames, username, authenticationLevel, entryName, 
-            attributeType, attrValue, microOperations, aciTuples, entry, entryView ) )
+        if ( !hasPermission( aciContext ) )
         {
             throw new LdapNoPermissionException();
         }
@@ -182,35 +163,23 @@ public class ACDFEngine
      * @param aciTuples {@link org.apache.directory.shared.ldap.aci.ACITuple}s translated from {@link org.apache.directory.shared.ldap.aci.ACIItem}s in the subtree entries
      * @param entryView in case of a Modify operation, view of the entry being modified as if the modification permitted and completed
      */
-    public boolean hasPermission( 
-        SchemaManager schemaManager, 
-        OperationContext opContext, 
-        Collection<DN> userGroupNames, 
-        DN userName,
-        AuthenticationLevel authenticationLevel, 
-        DN entryName, 
-        AttributeType attributeType, 
-        Value<?> attrValue, 
-        Collection<MicroOperation> microOperations, 
-        Collection<ACITuple> aciTuples, 
-        Entry entry, 
-        Entry entryView ) throws LdapException
+    public boolean hasPermission( AciContext aciContext ) throws LdapException
     {
-        if ( entryName == null )
+        if ( aciContext.getEntryDn() == null )
         {
             throw new IllegalArgumentException( "entryName" );
         }
 
-        Entry userEntry = opContext.lookup( userName, USER_LOOKUP_BYPASS );
+        Entry userEntry = aciContext.getOperationContext().lookup( aciContext.getUserDn(), USER_LOOKUP_BYPASS );
 
         // Determine the scope of the requested operation.
         OperationScope scope;
         
-        if ( attributeType == null )
+        if ( aciContext.getAttributeType() == null )
         {
             scope = OperationScope.ENTRY;
         }
-        else if ( attrValue == null )
+        else if ( aciContext.getAttrValue() == null )
         {
             scope = OperationScope.ATTRIBUTE_TYPE;
         }
@@ -220,45 +189,29 @@ public class ACDFEngine
         }
 
         // Clone aciTuples in case it is unmodifiable.
-        aciTuples = new ArrayList<ACITuple>( aciTuples );
+        aciContext.setAciTuples( new ArrayList<ACITuple>( aciContext.getAciTuples() ) );
         
-        
-
         // Filter unrelated and invalid tuples
         for ( ACITupleFilter filter : filters )
         {
-            if ( aciTuples.size() == 0 )
+            if ( aciContext.getAciTuples().size() == 0 )
             {
                 // No need to continue filtering
                 return false;
             }
             
-            aciTuples = filter.filter( 
-                schemaManager, 
-                aciTuples, 
-                scope, 
-                opContext, 
-                userGroupNames, 
-                userName, 
-                userEntry,
-                authenticationLevel, 
-                entryName, 
-                attributeType, 
-                attrValue, 
-                entry, 
-                microOperations, 
-                entryView );
+            aciContext.setAciTuples( filter.filter( aciContext, scope, userEntry ) );
         }
 
         // Deny access if no tuples left.
-        if ( aciTuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
             return false;
         }
 
         // Grant access if and only if one or more tuples remain and
         // all grant access. Otherwise deny access.
-        for ( ACITuple tuple : aciTuples )
+        for ( ACITuple tuple : aciContext.getAciTuples() )
         {
             if ( !tuple.isGrant() )
             {

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/ACITupleFilter.java Mon Jul  5 13:18:53 2010
@@ -22,17 +22,12 @@ package org.apache.directory.server.core
 
 import java.util.Collection;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.Loggers;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -69,20 +64,5 @@ public interface ACITupleFilter
      * @return the collection of filtered tuples
      * @throws LdapException if failed to filter the specific tuples
      */
-    Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry,
-            AuthenticationLevel authenticationLevel, 
-            DN entryName, 
-            AttributeType attributeType,
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException;
+    Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException;
 }

Added: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java?rev=960593&view=auto
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java (added)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/AciContext.java Mon Jul  5 13:18:53 2010
@@ -0,0 +1,282 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one
+ *  or more contributor license agreements.  See the NOTICE file
+ *  distributed with this work for additional information
+ *  regarding copyright ownership.  The ASF licenses this file
+ *  to you under the Apache License, Version 2.0 (the
+ *  "License"); you may not use this file except in compliance
+ *  with the License.  You may obtain a copy of the License at
+ *  
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *  
+ *  Unless required by applicable law or agreed to in writing,
+ *  software distributed under the License is distributed on an
+ *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *  KIND, either express or implied.  See the License for the
+ *  specific language governing permissions and limitations
+ *  under the License. 
+ *  
+ */
+package org.apache.directory.server.core.authz.support;
+
+import java.util.Collection;
+
+import org.apache.directory.server.core.interceptor.context.OperationContext;
+import org.apache.directory.shared.ldap.aci.ACITuple;
+import org.apache.directory.shared.ldap.aci.MicroOperation;
+import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
+import org.apache.directory.shared.ldap.entry.Entry;
+import org.apache.directory.shared.ldap.entry.Value;
+import org.apache.directory.shared.ldap.name.DN;
+import org.apache.directory.shared.ldap.schema.AttributeType;
+import org.apache.directory.shared.ldap.schema.SchemaManager;
+
+/**
+ * A container used to pass parameters to the ACDF engine
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ * @version $Rev$, $Date$
+ */
+public class AciContext
+{
+    /** The schema manager */
+    private SchemaManager schemaManager;
+    
+    /** The operation context */
+    private OperationContext operationContext;
+    
+    /** The Users belonging to a group */
+    private Collection<DN> userGroupNames; 
+
+    /** The user's DN */
+    private DN userDn;
+    
+    /** The requested Authentication level (default to NONE) */
+    private AuthenticationLevel authenticationLevel = AuthenticationLevel.NONE;
+    
+    /** the entry's DN */
+    private DN entryDn;
+    
+    /** The AttributeType */
+    private AttributeType attributeType;
+    
+    /** The attribute's values */
+    private Value<?> attrValue;
+    
+    /** The allowed operations */
+    private Collection<MicroOperation> microOperations;
+    
+    /** The resulting tuples */
+    private Collection<ACITuple> aciTuples;
+    
+    /** The entry */
+    private Entry entry;
+    
+    /** ??? */
+    private Entry entryView;
+    
+    /**
+     * Creates a new instance of AciContext.
+     *
+     * @param schemaManager The SchemaManager instance
+     * @param operationContext The OperationContext instance
+     */
+    public AciContext( SchemaManager schemaManager, OperationContext operationContext )
+    {
+        this.schemaManager = schemaManager;
+        this.operationContext = operationContext;
+    }
+    
+    
+    /**
+     * @return the schemaManager
+     */
+    public SchemaManager getSchemaManager()
+    {
+        return schemaManager;
+    }
+
+    /**
+     * @param schemaManager the schemaManager to set
+     */
+    public void setSchemaManager( SchemaManager schemaManager )
+    {
+        this.schemaManager = schemaManager;
+    }
+
+    /**
+     * @return the operationContext
+     */
+    public OperationContext getOperationContext()
+    {
+        return operationContext;
+    }
+
+    /**
+     * @param operationContext the operationContext to set
+     */
+    public void setOperationContext( OperationContext operationContext )
+    {
+        this.operationContext = operationContext;
+    }
+
+    /**
+     * @return the userGroupNames
+     */
+    public Collection<DN> getUserGroupNames()
+    {
+        return userGroupNames;
+    }
+
+    /**
+     * @param userGroupNames the userGroupNames to set
+     */
+    public void setUserGroupNames( Collection<DN> userGroupNames )
+    {
+        this.userGroupNames = userGroupNames;
+    }
+
+    /**
+     * @return the user DN
+     */
+    public DN getUserDn()
+    {
+        return userDn;
+    }
+
+    /**
+     * @param username the user DN to set
+     */
+    public void setUserDn( DN userDn )
+    {
+        this.userDn = userDn;
+    }
+
+    /**
+     * @return the authenticationLevel
+     */
+    public AuthenticationLevel getAuthenticationLevel()
+    {
+        return authenticationLevel;
+    }
+
+    /**
+     * @param authenticationLevel the authenticationLevel to set
+     */
+    public void setAuthenticationLevel( AuthenticationLevel authenticationLevel )
+    {
+        this.authenticationLevel = authenticationLevel;
+    }
+
+    /**
+     * @return the entry DN
+     */
+    public DN getEntryDn()
+    {
+        return entryDn;
+    }
+
+    /**
+     * @param entryDn the entry DN to set
+     */
+    public void setEntryDn( DN entryDn )
+    {
+        this.entryDn = entryDn;
+    }
+
+    /**
+     * @return the attributeType
+     */
+    public AttributeType getAttributeType()
+    {
+        return attributeType;
+    }
+
+    /**
+     * @param attributeType the attributeType to set
+     */
+    public void setAttributeType( AttributeType attributeType )
+    {
+        this.attributeType = attributeType;
+    }
+
+    /**
+     * @return the attrValue
+     */
+    public Value<?> getAttrValue()
+    {
+        return attrValue;
+    }
+
+    /**
+     * @param attrValue the attrValue to set
+     */
+    public void setAttrValue( Value<?> attrValue )
+    {
+        this.attrValue = attrValue;
+    }
+
+    /**
+     * @return the microOperations
+     */
+    public Collection<MicroOperation> getMicroOperations()
+    {
+        return microOperations;
+    }
+
+    /**
+     * @param microOperations the microOperations to set
+     */
+    public void setMicroOperations( Collection<MicroOperation> microOperations )
+    {
+        this.microOperations = microOperations;
+    }
+
+    /**
+     * @return the aciTuples
+     */
+    public Collection<ACITuple> getAciTuples()
+    {
+        return aciTuples;
+    }
+
+    /**
+     * @param aciTuples the aciTuples to set
+     */
+    public void setAciTuples( Collection<ACITuple> aciTuples )
+    {
+        this.aciTuples = aciTuples;
+    }
+
+    /**
+     * @return the entry
+     */
+    public Entry getEntry()
+    {
+        return entry;
+    }
+
+    /**
+     * @param entry the entry to set
+     */
+    public void setEntry( Entry entry )
+    {
+        this.entry = entry;
+    }
+
+    /**
+     * @return the entryView
+     */
+    public Entry getEntryView()
+    {
+        return entryView;
+    }
+
+    /**
+     * @param entryView the entryView to set
+     */
+    public void setEntryView( Entry entryView )
+    {
+        this.entryView = entryView;
+    }
+}

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilter.java Mon Jul  5 13:18:53 2010
@@ -23,16 +23,9 @@ package org.apache.directory.server.core
 import java.util.Collection;
 import java.util.Iterator;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -43,44 +36,30 @@ import org.apache.directory.shared.ldap.
  */
 public class HighestPrecedenceFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
         throws LdapException
     {
         ACI_LOG.debug( "Filtering HighestPrecedence..." );
         
-        if ( tuples.size() <= 1 )
+        if ( aciContext.getAciTuples().size() <= 1 )
         {
             ACI_LOG.debug( "HighestPrecedence : nothing to do" );
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
         int maxPrecedence = -1;
 
         // Find the maximum precedence for all tuples.
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
-            if ( ( tuple.getPrecedence() != null ) && (tuple.getPrecedence() > maxPrecedence ) )
+            if ( ( tuple.getPrecedence() != null ) && ( tuple.getPrecedence() > maxPrecedence ) )
             {
                 maxPrecedence = tuple.getPrecedence();
             }
         }
 
         // Remove all tuples whose precedences are not the maximum one.
-        for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
         {
             ACITuple tuple = i.next();
             
@@ -90,6 +69,6 @@ public class HighestPrecedenceFilter imp
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxImmSubFilter.java Mon Jul  5 13:18:53 2010
@@ -39,13 +39,10 @@ import org.apache.directory.server.core.
 import org.apache.directory.server.core.schema.SchemaInterceptor;
 import org.apache.directory.server.core.subtree.SubentryInterceptor;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.MaxImmSubItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.exception.LdapOperationException;
 import org.apache.directory.shared.ldap.exception.LdapOtherException;
@@ -53,8 +50,6 @@ import org.apache.directory.shared.ldap.
 import org.apache.directory.shared.ldap.filter.PresenceNode;
 import org.apache.directory.shared.ldap.message.AliasDerefMode;
 import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 
@@ -78,45 +73,32 @@ public class MaxImmSubFilter implements 
     }
 
 
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry )
         throws LdapException
     {
         ACI_LOG.debug( "Filtering MaxImmSub..." );
 
-        if ( entryName.size() == 0 )
+        if ( aciContext.getEntryDn().isRootDSE() )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
         if ( scope != OperationScope.ENTRY )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
         int immSubCount = -1;
 
-        for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
         {
             ACITuple tuple = i.next();
+            
             if ( !tuple.isGrant() )
             {
                 continue;
@@ -128,7 +110,7 @@ public class MaxImmSubFilter implements 
                 {
                     if ( immSubCount < 0 )
                     {
-                        immSubCount = getImmSubCount( opContext, entryName );
+                        immSubCount = getImmSubCount( aciContext.getOperationContext(), aciContext.getEntryDn() );
                     }
 
                     MaxImmSubItem mis = ( MaxImmSubItem ) item;
@@ -142,7 +124,7 @@ public class MaxImmSubFilter implements 
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
     public static final Collection<String> SEARCH_BYPASS;

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MaxValueCountFilter.java Mon Jul  5 13:18:53 2010
@@ -23,20 +23,14 @@ package org.apache.directory.server.core
 import java.util.Collection;
 import java.util.Iterator;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountElem;
 import org.apache.directory.shared.ldap.aci.protectedItem.MaxValueCountItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
 import org.apache.directory.shared.ldap.entry.EntryAttribute;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
 import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -47,34 +41,19 @@ import org.apache.directory.shared.ldap.
  */
 public class MaxValueCountFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
         if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
         {
             ACITuple tuple = i.next();
             
@@ -91,7 +70,7 @@ public class MaxValueCountFilter impleme
                 {
                     MaxValueCountItem mvc = ( MaxValueCountItem ) item;
                     
-                    if ( isRemovable( mvc, attributeType, entryView ) )
+                    if ( isRemovable( mvc, aciContext.getAttributeType(), aciContext.getEntryView() ) )
                     {
                         i.remove();
                         break;
@@ -100,7 +79,7 @@ public class MaxValueCountFilter impleme
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MicroOperationFilter.java Mon Jul  5 13:18:53 2010
@@ -23,16 +23,10 @@ package org.apache.directory.server.core
 import java.util.Collection;
 import java.util.Iterator;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
 import org.apache.directory.shared.ldap.aci.MicroOperation;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -44,29 +38,14 @@ import org.apache.directory.shared.ldap.
  */
 public class MicroOperationFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
         {
             ACITuple tuple = i.next();
 
@@ -78,7 +57,7 @@ public class MicroOperationFilter implem
 
             boolean retain = true;
             
-            for ( MicroOperation microOp:microOperations )
+            for ( MicroOperation microOp:aciContext.getMicroOperations() )
             {
                 if ( !tuple.getMicroOperations().contains( microOp ) )
                 {
@@ -93,7 +72,7 @@ public class MicroOperationFilter implem
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificProtectedItemFilter.java Mon Jul  5 13:18:53 2010
@@ -23,22 +23,15 @@ package org.apache.directory.server.core
 import java.util.ArrayList;
 import java.util.Collection;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.AttributeValueItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.RangeOfValuesItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -57,33 +50,18 @@ import org.apache.directory.shared.ldap.
  */
 public class MostSpecificProtectedItemFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
-        if ( tuples.size() <= 1 )
+        if ( aciContext.getAciTuples().size() <= 1 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
         Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
 
         // If the protected item is an attribute and there are tuples that
         // specify the attribute type explicitly, discard all other tuples.
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
             for ( ProtectedItem item:tuple.getProtectedItems() )
             {
@@ -105,7 +83,7 @@ public class MostSpecificProtectedItemFi
         // that specify the attribute value explicitly, discard all other tuples.
         // A protected item which is a rangeOfValues is to be treated as
         // specifying an attribute value explicitly. 
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
             for ( ProtectedItem item:tuple.getProtectedItems() )
             {
@@ -121,6 +99,6 @@ public class MostSpecificProtectedItemFi
             return filteredTuples;
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/MostSpecificUserClassFilter.java Mon Jul  5 13:18:53 2010
@@ -23,17 +23,10 @@ package org.apache.directory.server.core
 import java.util.ArrayList;
 import java.util.Collection;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.UserClass;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -50,33 +43,18 @@ import org.apache.directory.shared.ldap.
  */
 public class MostSpecificUserClassFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
-        if ( tuples.size() <= 1 )
+        if ( aciContext.getAciTuples().size() <= 1 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
         Collection<ACITuple> filteredTuples = new ArrayList<ACITuple>();
 
         // If there are any tuples matching the requestor with UserClasses
         // element name or thisEntry, discard all other tuples.
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
             for ( UserClass userClass:tuple.getUserClasses() )
             {
@@ -95,7 +73,7 @@ public class MostSpecificUserClassFilter
 
         // Otherwise if there are any tuples matching UserGroup,
         // discard all other tuples.
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
             for ( UserClass userClass:tuple.getUserClasses() )
             {
@@ -114,7 +92,7 @@ public class MostSpecificUserClassFilter
 
         // Otherwise if there are any tuples matching subtree,
         // discard all other tuples.
-        for ( ACITuple tuple:tuples )
+        for ( ACITuple tuple:aciContext.getAciTuples() )
         {
             for ( UserClass userClass:tuple.getUserClasses() )
             {
@@ -131,7 +109,7 @@ public class MostSpecificUserClassFilter
             return filteredTuples;
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 }

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedProtectedItemFilter.java Mon Jul  5 13:18:53 2010
@@ -24,11 +24,9 @@ import java.util.Collection;
 import java.util.Iterator;
 
 import org.apache.directory.server.core.event.Evaluator;
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.subtree.RefinementEvaluator;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.AllAttributeValuesItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.AttributeTypeItem;
@@ -41,7 +39,6 @@ import org.apache.directory.shared.ldap.
 import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
 import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.SelfValueItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.constants.SchemaConstants;
 import org.apache.directory.shared.ldap.entry.Entry;
 import org.apache.directory.shared.ldap.entry.EntryAttribute;
@@ -73,39 +70,24 @@ public class RelatedProtectedItemFilter 
     }
 
 
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry,
-            AuthenticationLevel authenticationLevel, 
-            DN entryName, 
-            AttributeType attributeType,
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        for ( Iterator<ACITuple> i = tuples.iterator(); i.hasNext(); )
+        for ( Iterator<ACITuple> i = aciContext.getAciTuples().iterator(); i.hasNext(); )
         {
             ACITuple tuple = i.next();
             
-            if ( !isRelated( tuple, scope, userName, entryName, attributeType, attrValue, entry ) )
+            if ( !isRelated( tuple, scope, aciContext.getUserDn(), aciContext.getEntryDn(), aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
             {
                 i.remove();
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RelatedUserClassFilter.java Mon Jul  5 13:18:53 2010
@@ -24,19 +24,13 @@ import java.util.Collection;
 import java.util.Iterator;
 import java.util.Set;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.server.core.subtree.SubtreeEvaluator;
 import org.apache.directory.server.i18n.I18n;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.UserClass;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
-import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
 import org.apache.directory.shared.ldap.name.DN;
-import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 import org.apache.directory.shared.ldap.subtree.SubtreeSpecification;
 
 
@@ -59,40 +53,25 @@ public class RelatedUserClassFilter impl
     }
 
 
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        for ( Iterator<ACITuple> ii = tuples.iterator(); ii.hasNext(); )
+        for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator(); ii.hasNext(); )
         {
             ACITuple tuple = ii.next();
             
             if ( tuple.isGrant() )
             {
-                if ( !isRelated( userGroupNames, 
-                                 userName, 
+                if ( !isRelated( aciContext.getUserGroupNames(), 
+                                 aciContext.getUserDn(), 
                                  userEntry, 
-                                 entryName, 
+                                 aciContext.getEntryDn(), 
                                  tuple.getUserClasses() )
-                    || authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) < 0 )
+                    || aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) < 0 )
                 {
                     ii.remove();
                 }
@@ -100,19 +79,19 @@ public class RelatedUserClassFilter impl
             else
             // Denials
             {
-                if ( !isRelated( userGroupNames, 
-                                 userName, 
+                if ( !isRelated( aciContext.getUserGroupNames(), 
+                                 aciContext.getUserDn(), 
                                  userEntry, 
-                                 entryName, 
+                                 aciContext.getEntryDn(), 
                                  tuple.getUserClasses() )
-                    && authenticationLevel.compareTo( tuple.getAuthenticationLevel() ) >= 0 )
+                    && aciContext.getAuthenticationLevel().compareTo( tuple.getAuthenticationLevel() ) >= 0 )
                 {
                     ii.remove();
                 }
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 

Modified: directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java (original)
+++ directory/apacheds/trunk/core/src/main/java/org/apache/directory/server/core/authz/support/RestrictedByFilter.java Mon Jul  5 13:18:53 2010
@@ -23,20 +23,15 @@ package org.apache.directory.server.core
 import java.util.Collection;
 import java.util.Iterator;
 
-import org.apache.directory.server.core.interceptor.context.OperationContext;
 import org.apache.directory.shared.ldap.aci.ACITuple;
-import org.apache.directory.shared.ldap.aci.MicroOperation;
 import org.apache.directory.shared.ldap.aci.ProtectedItem;
 import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByElem;
 import org.apache.directory.shared.ldap.aci.protectedItem.RestrictedByItem;
-import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
 import org.apache.directory.shared.ldap.entry.Entry;
 import org.apache.directory.shared.ldap.entry.EntryAttribute;
 import org.apache.directory.shared.ldap.entry.Value;
 import org.apache.directory.shared.ldap.exception.LdapException;
-import org.apache.directory.shared.ldap.name.DN;
 import org.apache.directory.shared.ldap.schema.AttributeType;
-import org.apache.directory.shared.ldap.schema.SchemaManager;
 
 
 /**
@@ -47,34 +42,19 @@ import org.apache.directory.shared.ldap.
  */
 public class RestrictedByFilter implements ACITupleFilter
 {
-    public Collection<ACITuple> filter( 
-            SchemaManager schemaManager, 
-            Collection<ACITuple> tuples, 
-            OperationScope scope, 
-            OperationContext opContext,
-            Collection<DN> userGroupNames, 
-            DN userName, 
-            Entry userEntry, 
-            AuthenticationLevel authenticationLevel,
-            DN entryName, 
-            AttributeType attributeType, 
-            Value<?> attrValue, 
-            Entry entry, 
-            Collection<MicroOperation> microOperations,
-            Entry entryView )
-        throws LdapException
+    public Collection<ACITuple> filter( AciContext aciContext, OperationScope scope, Entry userEntry ) throws LdapException
     {
         if ( scope != OperationScope.ATTRIBUTE_TYPE_AND_VALUE )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        if ( tuples.size() == 0 )
+        if ( aciContext.getAciTuples().size() == 0 )
         {
-            return tuples;
+            return aciContext.getAciTuples();
         }
 
-        for ( Iterator<ACITuple> ii = tuples.iterator() ; ii.hasNext(); )
+        for ( Iterator<ACITuple> ii = aciContext.getAciTuples().iterator() ; ii.hasNext(); )
         {
             ACITuple tuple = ii.next();
             
@@ -83,13 +63,13 @@ public class RestrictedByFilter implemen
                 continue;
             }
 
-            if ( isRemovable( tuple, attributeType, attrValue, entry ) )
+            if ( isRemovable( tuple, aciContext.getAttributeType(), aciContext.getAttrValue(), aciContext.getEntry() ) )
             {
                 ii.remove();
             }
         }
 
-        return tuples;
+        return aciContext.getAciTuples();
     }
 
 

Modified: directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java
URL: http://svn.apache.org/viewvc/directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java?rev=960593&r1=960592&r2=960593&view=diff
==============================================================================
--- directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java (original)
+++ directory/apacheds/trunk/core/src/test/java/org/apache/directory/server/core/authz/support/HighestPrecedenceFilterTest.java Mon Jul  5 13:18:53 2010
@@ -60,8 +60,10 @@ public class HighestPrecedenceFilterTest
     public void testZeroTuple() throws Exception
     {
         HighestPrecedenceFilter filter = new HighestPrecedenceFilter();
-        assertEquals( 0, filter.filter( null, AT_EMPTY_COLLECTION, null, null, null, null, null, null, null, null, null,
-            null, null, null ).size() );
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( AT_EMPTY_COLLECTION );
+
+        assertEquals( 0, filter.filter( aciContext, null, null ).size() );
     }
 
 
@@ -74,8 +76,10 @@ public class HighestPrecedenceFilterTest
         tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true, 10 ) );
         tuples = Collections.unmodifiableCollection( tuples );
         
-        assertEquals( tuples, filter.filter( null, tuples, null, null, null, null, null, null, null, null, null, null,
-            null, null ) );
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( tuples );
+
+        assertEquals( tuples, filter.filter( aciContext, null, null ) );
     }
 
 
@@ -95,7 +99,10 @@ public class HighestPrecedenceFilterTest
         tuples.add( new ACITuple( UC_EMPTY_COLLECTION, AuthenticationLevel.NONE, PI_EMPTY_COLLECTION, MO_EMPTY_SET, true,
             MAX_PRECEDENCE / 3 ) );
 
-        tuples = filter.filter( null, tuples, null, null, null, null, null, null, null, null, null, null, null, null );
+        AciContext aciContext = new AciContext( null, null );
+        aciContext.setAciTuples( tuples );
+
+        tuples = filter.filter( aciContext, null, null );
 
         for ( ACITuple tuple:tuples )
         {



Mime
View raw message