001 /*
002 * Licensed to the Apache Software Foundation (ASF) under one
003 * or more contributor license agreements. See the NOTICE file
004 * distributed with this work for additional information
005 * regarding copyright ownership. The ASF licenses this file
006 * to you under the Apache License, Version 2.0 (the
007 * "License"); you may not use this file except in compliance
008 * with the License. You may obtain a copy of the License at
009 *
010 * http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing,
013 * software distributed under the License is distributed on an
014 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015 * KIND, either express or implied. See the License for the
016 * specific language governing permissions and limitations
017 * under the License.
018 *
019 */
020 package org.apache.directory.server.core.authz.support;
021
022
023 import java.util.ArrayList;
024 import java.util.Collection;
025
026 import javax.naming.NamingException;
027
028 import org.apache.directory.server.core.interceptor.context.OperationContext;
029 import org.apache.directory.shared.ldap.aci.ACITuple;
030 import org.apache.directory.shared.ldap.aci.MicroOperation;
031 import org.apache.directory.shared.ldap.aci.UserClass;
032 import org.apache.directory.shared.ldap.constants.AuthenticationLevel;
033 import org.apache.directory.shared.ldap.entry.ServerEntry;
034 import org.apache.directory.shared.ldap.entry.Value;
035 import org.apache.directory.shared.ldap.name.DN;
036 import org.apache.directory.shared.ldap.schema.SchemaManager;
037
038
039 /**
040 * An {@link ACITupleFilter} that chooses the tuples with the most specific user
041 * class. (18.8.4.2)
042 * <p>
043 * If more than one tuple remains, choose the tuples with the most specific user
044 * class. If there are any tuples matching the requestor with UserClasses element
045 * name or thisEntry, discard all other tuples. Otherwise if there are any tuples
046 * matching UserGroup, discard all other tuples. Otherwise if there are any tuples
047 * matching subtree, discard all other tuples.
048 *
049 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
050 * @version $Rev: 927146 $, $Date: 2010-03-24 20:39:54 +0200 (Wed, 24 Mar 2010) $
051 */
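public class MostSpecificUserClassFilter implements ACITupleFilter
{
    /**
     * Keeps only the tuples whose user class is the most specific one present
     * (18.8.4.2). Specificity is tried in three tiers: {@code name} / {@code thisEntry}
     * first, then {@code userGroup}, then {@code subtree}. The first tier that matches
     * at least one tuple wins and every tuple outside that tier is discarded.
     * <p>
     * Only {@code tuples} is consulted; the remaining parameters belong to the
     * {@link ACITupleFilter} contract and are not used by this filter. Because this
     * is part of access-control evaluation, the tier order is the precedence rule
     * itself and must not be changed casually.
     *
     * @param tuples the tuples that survived the previous filters
     * @return {@code tuples} itself when it holds at most one element, or when no
     *         tuple carries a name, thisEntry, userGroup or subtree user class;
     *         otherwise a new collection holding the selected tuples
     * @throws NamingException never thrown here; declared by the interface
     */
    public Collection<ACITuple> filter(
        SchemaManager schemaManager,
        Collection<ACITuple> tuples,
        OperationScope scope,
        OperationContext opContext,
        Collection<DN> userGroupNames,
        DN userName,
        ServerEntry userEntry,
        AuthenticationLevel authenticationLevel,
        DN entryName,
        String attrId,
        Value<?> attrValue,
        ServerEntry entry,
        Collection<MicroOperation> microOperations,
        ServerEntry entryView )
        throws NamingException
    {
        // Nothing to discriminate between when there is at most one tuple.
        if ( tuples.size() <= 1 )
        {
            return tuples;
        }

        // Tier 1: requestor matched by UserClasses element name or thisEntry.
        // Both are considered equally specific, so they are tested together.
        Collection<ACITuple> selected = selectByUserClass( tuples, UserClass.Name.class,
            UserClass.ThisEntry.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // Tier 2: requestor matched through a userGroup.
        selected = selectByUserClass( tuples, UserClass.UserGroup.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // Tier 3: requestor matched through a subtree specification.
        selected = selectByUserClass( tuples, UserClass.Subtree.class );

        if ( !selected.isEmpty() )
        {
            return selected;
        }

        // No tier matched: nothing is more specific than anything else, so the
        // set is returned untouched.
        return tuples;
    }


    /**
     * Collects every tuple that carries at least one user class of one of the
     * given types.
     *
     * @param tuples the tuples to inspect
     * @param userClassTypes the {@link UserClass} subtypes that qualify a tuple
     * @return a new, possibly empty, collection of the qualifying tuples, in the
     *         iteration order of {@code tuples}
     */
    private static Collection<ACITuple> selectByUserClass( Collection<ACITuple> tuples,
        Class<?>... userClassTypes )
    {
        Collection<ACITuple> selected = new ArrayList<ACITuple>();

        for ( ACITuple tuple : tuples )
        {
            if ( hasUserClassOfType( tuple, userClassTypes ) )
            {
                selected.add( tuple );
            }
        }

        return selected;
    }


    /**
     * Tells whether any user class of the tuple is an instance of one of the
     * given types.
     *
     * @param tuple the tuple whose user classes are inspected
     * @param userClassTypes the {@link UserClass} subtypes to look for
     * @return {@code true} as soon as one user class matches one type
     */
    private static boolean hasUserClassOfType( ACITuple tuple, Class<?>[] userClassTypes )
    {
        for ( UserClass userClass : tuple.getUserClasses() )
        {
            for ( Class<?> type : userClassTypes )
            {
                // isInstance mirrors the instanceof checks this filter relies on,
                // so subclasses of a listed type still qualify.
                if ( type.isInstance( userClass ) )
                {
                    return true;
                }
            }
        }

        return false;
    }
}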