/*
|
* CDDL HEADER START
|
*
|
* The contents of this file are subject to the terms of the
|
* Common Development and Distribution License, Version 1.0 only
|
* (the "License"). You may not use this file except in compliance
|
* with the License.
|
*
|
* You can obtain a copy of the license at
|
* trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
* or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
* See the License for the specific language governing permissions
|
* and limitations under the License.
|
*
|
* When distributing Covered Code, include this CDDL HEADER in each
|
* file and include the License file at
|
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
* add the following below this CDDL HEADER, with the fields enclosed
|
* by brackets "[]" replaced with your own identifying information:
|
* Portions Copyright [yyyy] [name of copyright owner]
|
*
|
* CDDL HEADER END
|
*
|
*
|
* Portions Copyright 2007 Sun Microsystems, Inc.
|
*/
|
|
package org.opends.server.authorization.dseecompat;
|
|
import static org.opends.server.authorization.dseecompat.AciMessages.*;
|
import static org.opends.server.messages.MessageHandler.getMessage;
|
import java.util.ArrayList;
|
import java.util.LinkedHashSet;
|
import java.util.regex.Pattern;
|
import org.opends.server.core.DirectoryServer;
|
import org.opends.server.types.Attribute;
|
import org.opends.server.types.AttributeType;
|
import org.opends.server.types.AttributeValue;
|
import org.opends.server.types.DN;
|
import org.opends.server.types.DirectoryException;
|
import org.opends.server.types.Entry;
|
import org.opends.server.types.LDAPURL;
|
import org.opends.server.types.SearchFilter;
|
|
/**
|
* A class representing an ACI target keyword.
|
*/
|
public class Target
|
{
|
private EnumTargetOperator operator = EnumTargetOperator.EQUALITY;
|
private LDAPURL targetURL = null;
|
private DN urlDN=null;
|
private boolean isPattern=false;
|
private SearchFilter filter=null;
|
private AttributeType targetType;
|
|
|
/*
|
* TODO Save aciDN parameter and use it in matchesPattern re-write.
|
*
|
* Should the aciDN argument provided to the constructor be stored so that
|
* it can be used in the matchesPattern() method? The DN should only be
|
* considered a potential match if it is at or below the entry containing
|
* the ACI.
|
*
|
* TODO Evaluate re-writing pattern (substring) determination code. The
|
* current code is similar to current DS6 implementation.
|
*
|
* I'm confused by the part of the constructor that generates a search
|
* filter. First, there is no substring matching rule defined for the
|
* DN syntax in the official standard, so technically trying to perform
|
* substring matching against DNs is illegal. Although we do try to use
|
* the caseIgnoreSubstringsMatch rule, it is extremely unreliable for DNs
|
* because it's just not possible to do substring matching correctly in all
|
* cases for them. Also, the logic in place there will only generate a
|
* filter if the DN contains a wildcard, and if it starts with a wildcard
|
* (which is handled by the targetDN.startsWith("*") clause), then you'll
|
* end up with something like "(target=**dc=example,dc=com)", which isn't
|
* legal.
|
*/
|
/**
|
* This constructor parses the target string.
|
* @param operator An enumeration of the operation of this target.
|
* @param target A string representation of the target.
|
* @param aciDN The dn of the ACI entry used for a descendant check.
|
* @throws AciException If the target string is invalid.
|
*/
|
private Target(EnumTargetOperator operator, String target, DN aciDN)
|
throws AciException {
|
this.operator = operator;
|
try {
|
String ldapURLRegex = "\\s*(ldap:///[^\\|]+)";
|
if (!Pattern.matches(ldapURLRegex, target)) {
|
int msgID = MSGID_ACI_SYNTAX_INVALID_TARGETKEYWORD_EXPRESSION;
|
String message = getMessage(msgID, target);
|
throw new AciException(msgID, message);
|
}
|
targetURL = LDAPURL.decode(target, false);
|
urlDN=targetURL.getBaseDN();
|
String targetDN=urlDN.toNormalizedString();
|
if((targetDN.startsWith("*")) ||
|
(targetDN.indexOf("*") != -1)) {
|
this.isPattern=true;
|
String pattern="target=*"+targetDN;
|
filter=SearchFilter.createFilterFromString(pattern);
|
targetType = DirectoryServer.getAttributeType("target");
|
if (targetType == null)
|
targetType =
|
DirectoryServer.getDefaultAttributeType("target");
|
} else {
|
if(!urlDN.isDescendantOf(aciDN)) {
|
int msgID = MSGID_ACI_SYNTAX_TARGET_DN_NOT_DESCENDENTOF;
|
String message = getMessage(msgID,
|
urlDN.toNormalizedString(),
|
aciDN.toNormalizedString());
|
throw new AciException(msgID, message);
|
}
|
}
|
}
|
catch (DirectoryException e){
|
int msgID = MSGID_ACI_SYNTAX_INVALID_TARGETKEYWORD_EXPRESSION;
|
String message = getMessage(msgID, target);
|
throw new AciException(msgID, message);
|
}
|
}
|
|
/**
|
* Decode an expression string representing a target keyword expression.
|
* @param operator An enumeration of the operation of this target.
|
* @param expr A string representation of the target.
|
* @param aciDN The DN of the ACI entry used for a descendant check.
|
* @return A Target class representing this target.
|
* @throws AciException If the expression string is invalid.
|
*/
|
public static Target decode(EnumTargetOperator operator,
|
String expr, DN aciDN)
|
throws AciException {
|
return new Target(operator, expr, aciDN);
|
}
|
|
/**
|
* Returns the operator of this expression.
|
* @return An enumeration of the operation value.
|
*/
|
public EnumTargetOperator getOperator() {
|
return operator;
|
}
|
|
/**
|
* Returns the URL DN of the expression.
|
* @return A DN of the URL.
|
*/
|
public DN getDN() {
|
return urlDN;
|
}
|
|
/**
|
* Returns boolean if a pattern was seen during parsing.
|
* @return True if the DN is a wild-card.
|
*/
|
public boolean isPattern() {
|
return isPattern;
|
}
|
|
/*
|
* TODO Evaluate re-writing this method.
|
*
|
* The matchesPattern() method really needs to be rewritten. It's using a
|
* very inefficient and very error-prone method to make the determination.
|
* If you're really going to attempt pattern matching on a DN, then I'd
|
* suggest trying a regular expression against the normalized DN rather
|
* than a filter.
|
*/
|
/**
|
* This method tries to match a pattern against a DN. It builds an entry
|
* with a target attribute containing the pattern and then matches against
|
* it.
|
* @param dn The DN to try an match.
|
* @return True if the pattern matches.
|
*/
|
public boolean matchesPattern(DN dn) {
|
boolean ret;
|
String targetDN=dn.toNormalizedString();
|
LinkedHashSet<AttributeValue> values =
|
new LinkedHashSet<AttributeValue>();
|
values.add(new AttributeValue(targetType, targetDN));
|
Attribute attr = new Attribute(targetType, "target", values);
|
Entry e = new Entry(DN.nullDN(), null, null, null);
|
e.addAttribute(attr,new ArrayList<AttributeValue>());
|
try {
|
ret=filter.matchesEntry(e);
|
} catch (DirectoryException ex) {
|
//TODO information message?
|
return false;
|
}
|
return ret;
|
}
|
}
|
