From 9e9d53db8853ebf62a6e579c2ec9915bcce00ad1 Mon Sep 17 00:00:00 2001
From: coulbeck <coulbeck@localhost>
Date: Mon, 26 Mar 2007 19:34:02 +0000
Subject: [PATCH] These refactoring changes move the ACI DN pattern matching into a separate class called PatternDN.  This will make it easier to rewrite the pattern matching to actually fix the related TODOs.  I also have added unit tests for the DN wildcard examples in the DSEE documentation (three of which fail and are commented out for the time being).

---
 opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Target.java |  106 ++++++++++-------------------------------------------
 1 files changed, 20 insertions(+), 86 deletions(-)

diff --git a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Target.java b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
index 6efe719..509aaaf 100644
--- a/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
+++ b/opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/Target.java
@@ -30,57 +30,38 @@
 import static org.opends.server.messages.AciMessages.*;
 import static org.opends.server.authorization.dseecompat.Aci.*;
 import static org.opends.server.messages.MessageHandler.getMessage;
-import java.util.ArrayList;
-import java.util.LinkedHashSet;
 import java.util.regex.Pattern;
-import org.opends.server.core.DirectoryServer;
-import org.opends.server.types.Attribute;
-import org.opends.server.types.AttributeType;
-import org.opends.server.types.AttributeValue;
 import org.opends.server.types.DN;
 import org.opends.server.types.DirectoryException;
-import org.opends.server.types.Entry;
 import org.opends.server.types.LDAPURL;
-import org.opends.server.types.SearchFilter;
 
 /**
  * A class representing an ACI target keyword.
  */
 public class Target
 {
-    /*
+    /**
      * Enumeration representing the target operator.
      */
     private EnumTargetOperator operator = EnumTargetOperator.EQUALITY;
 
-    /*
-     * The target URL.
-     */
-    private LDAPURL targetURL = null;
-
-    /*
-     * The DN of the above URL.
-     */
-    private DN urlDN=null;
-
-    /*
-     * True of a wild-card pattern was seen.
+    /**
+     * True if the URL contained a DN wild-card pattern.
      */
     private boolean isPattern=false;
 
-    /*
-     * Filter used to apply to an dummy entry when a wild-card pattern is
-     * used.
+    /**
+     * The target DN from the URL or null if it was a wild-card pattern.
      */
-    private SearchFilter filter=null;
+    private DN urlDN=null;
+
+    /**
+     * The pattern matcher for a wild-card pattern or null if the URL
+     * contained an ordinary DN.
+     */
+    private PatternDN patternDN =null;
 
     /*
-     * Attribute type that is used to create the pattern attribute.
-     *  See matchesPattern method.
-     */
-    private AttributeType targetType;
-
-      /*
      * TODO Save aciDN parameter and use it in matchesPattern re-write.
      *
      * Should the aciDN argument provided to the constructor be stored so that
@@ -88,20 +69,6 @@
      * considered a potential match if it is at or below the entry containing
      * the ACI.
      *
-     * TODO Evaluate re-writing pattern (substring) determination code. The
-     * current code is similar to current DS6 implementation.
-     *
-     * I'm confused by the part of the constructor that generates a search
-     * filter. First, there is no substring matching rule defined for the
-     * DN syntax in the official standard, so technically trying to perform
-     * substring matching against DNs is illegal.  Although we do try to use
-     * the caseIgnoreSubstringsMatch rule, it is extremely unreliable for DNs
-     * because it's just not possible to do substring matching correctly in all
-     * cases for them.  Also, the logic in place there will only generate a
-     * filter if the DN contains a wildcard, and if it starts with a wildcard
-     * (which is handled by the targetDN.startsWith("*") clause), then you'll
-     * end up with something like "(target=**dc=example,dc=com)", which isn't
-     *  legal.
      */
     /**
      * This constructor parses the target string.
@@ -119,19 +86,12 @@
               String message = getMessage(msgID, target);
               throw new AciException(msgID, message);
           }
-          targetURL =  LDAPURL.decode(target, false);
-          urlDN=targetURL.getBaseDN();
-          String targetDN=urlDN.toNormalizedString();
-          if((targetDN.startsWith("*")) ||
-             (targetDN.indexOf("*") != -1)) {
+          LDAPURL targetURL =  LDAPURL.decode(target, false);
+          if(targetURL.getRawBaseDN().indexOf("*") != -1) {
               this.isPattern=true;
-              String pattern="target=*"+targetDN;
-              filter=SearchFilter.createFilterFromString(pattern);
-              targetType = DirectoryServer.getAttributeType("target");
-              if (targetType == null)
-                  targetType =
-                          DirectoryServer.getDefaultAttributeType("target");
+              patternDN = PatternDN.decode(targetURL.getRawBaseDN());
           } else {
+              urlDN=targetURL.getBaseDN();
               if(!urlDN.isDescendantOf(aciDN)) {
                   int msgID = MSGID_ACI_SYNTAX_TARGET_DN_NOT_DESCENDENTOF;
                   String message = getMessage(msgID,
@@ -172,7 +132,7 @@
 
     /**
      * Returns the URL DN of the expression.
-     * @return A DN of the URL.
+     * @return A DN of the URL or null if the URL contained a DN pattern.
      */
     public DN getDN() {
         return urlDN;
@@ -180,44 +140,18 @@
 
     /**
      * Returns boolean if a pattern was seen during parsing.
-     * @return  True if the DN is a wild-card.
+     * @return  True if the URL contained a DN pattern.
      */
     public boolean isPattern() {
         return isPattern;
     }
 
-    /*
-     * TODO Evaluate re-writing this method. Evaluate if we want to dis-allow
-     * wild-card matching in the suffix part of the dn.
-     *
-     * The matchesPattern() method really needs to be rewritten.  It's using a
-     * very inefficient and very error-prone method to make the determination.
-     * If you're really going to attempt pattern matching on a DN, then I'd
-     * suggest trying a regular expression against the normalized DN rather
-     * than a filter.
-     */
     /**
-     * This method tries to match a pattern against a DN. It builds an entry
-     * with a target attribute containing the pattern and then matches against
-     * it.
+     * This method tries to match a pattern against a DN.
      * @param dn  The DN to try an match.
      * @return True if the pattern matches.
      */
     public boolean matchesPattern(DN dn) {
-        boolean ret;
-        String targetDN=dn.toNormalizedString();
-        LinkedHashSet<AttributeValue> values =
-            new LinkedHashSet<AttributeValue>();
-        values.add(new AttributeValue(targetType, targetDN));
-        Attribute attr = new Attribute(targetType, "target", values);
-        Entry e = new Entry(DN.nullDN(), null, null, null);
-        e.addAttribute(attr,new ArrayList<AttributeValue>());
-        try {
-            ret=filter.matchesEntry(e);
-        } catch (DirectoryException ex) {
-            //TODO information message?
-            return false;
-        }
-        return  ret;
+        return patternDN.matchesDN(dn);
     }
 }

--
Gitblit v1.10.0