TargAttrFilters.java revision 917eb33ca3ffb73a34c0f733227d8f2215f9d978
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2013-2015 ForgeRock AS
*/
/**
* The TargAttrFilters class represents a targattrfilters rule of an ACI.
*/
public class TargAttrFilters {
/**
* A valid targattrfilters rule may have two TargFilterlist parts -- the
* first one is required.
*/
private TargAttrFilterList firstFilterList;
private TargAttrFilterList secondFilterList;
/**
* Regular expression group position for the first operation value.
*/
private static final int firstOpPos = 1;
/**
* Regular expression group position for the rest of an partially parsed
* rule.
*/
private static final int restOfExpressionPos=2;
/**
* Regular expression used to match the operation group (either add or del).
*/
/**
* Regular expression used to check for valid expression separator.
*/
private static final
/**
* Regular expression used to match the second operation of the filter list.
* If the first was "add" this must be "del", if the first was "del" this
* must be "add".
*/
/**
* Regular expression used to match the first targFilterList, it must exist
* or an exception is thrown.
*/
/**
* Regular expression used to group the remainder of a partially parsed
* rule. Any character one or more times.
*/
/**
* Regular expression used to match the first operation keyword and the
* rest of the expression.
*/
/**
* The enumeration representing the operation.
*/
private EnumTargetOperator op;
/**
* A mask used to denote if the rule has add, del or both operations in the
* composite TargFilterList parts.
*/
private int operationMask;
/**
* Represents an targattrfilters keyword rule.
* @param op The enumeration representing the operation type.
*
* @param firstFilterList The first filter list class parsed from the rule.
* This one is required.
*
* @param secondFilterList The second filter list class parsed from the
* rule. This one is optional.
*/
if(secondFilterList != null) {
//Add the second filter list mask to the mask.
}
}
/**
* Decode an targattrfilter rule.
* @param type The enumeration representing the type of this rule. Defaults
* to equality for this target.
*
* @param expression The string expression to be decoded.
* @return A TargAttrFilters class representing the decode expression.
* @throws AciException If the expression string contains errors and
* cannot be decoded.
*/
//First match for overall correctness and to get the first operation.
throw new AciException(message);
}
//This pattern is built dynamically and is used to see if the operations
//in the two filter list parts (if the second exists) are equal. See
//comment below.
"[,]{1}" + ZERO_OR_MORE_WHITESPACE +
/**
* Check that the initial list operation is not equal to the second.
* For example: Matcher find
*
* "add:cn:(cn=foo), add:cn:(cn=bar)"
*
* This is invalid.
*/
throw new AciException(message);
}
/**
* Check that there are not too many filter lists. There can only
* be either one or two.
*/
//Check if the there is something like ") , deel=". A bad token
//that the regular expression didn't pick up.
}
//This check catches the case where there might not be a
//',' character between the first filter list and the second.
}
}
//First filter list must end in an ')' character.
}
//Handle the second filter list if there is one.
//Second filter list must start with a '='.
}
//Assume the first op is an "add" so this has to be a "del".
//If the first op is a "del", the second has to be an "add".
}
}
/**
* If the passed in op is an "add", then return "del"; Otherwise If the passed
* in op is an "del", then return "add".
*/
{
return "add";
return "del";
}
/**
* Return the mask corresponding to the specified string.
*
* @param op The op string.
* @return The mask corresponding to the operation string.
*/
return TARGATTRFILTERS_ADD;
return TARGATTRFILTERS_DELETE;
}
/**
* Gets the TargFilterList corresponding to the mask value.
* @param matchCtx The target match context containing the rights to
* match against.
* @return A TargAttrFilterList matching both the rights of the target
* match context and the mask of the TargFilterAttrList. May return null.
*/
public TargAttrFilterList
//Set up the wanted mask by evaluating both the target match
//context's rights and the mask.
//Check the first list first, it always has to be there. If it doesn't
//match then check the second if it exists.
return firstFilterList;
else if((secondFilterList != null) &&
return secondFilterList;
return null;
}
/**
* Check if this TargAttrFilters object is applicable to the target
* specified match context. This check is only used for the LDAP modify
* operation.
* @param matchCtx The target match context containing the information
* needed to match.
* @param aci The ACI currently being evaluated for a target match.
* @return True if this TargAttrFitlers object is applicable to this
* target match context.
*/
//Get the targFitlerList corresponding to this context's rights.
//If the list is empty return true and go on to the targattr check
//in AciTargets.isApplicable().
if(attrFilterList == null)
return true;
boolean attrMatched=true;
//If the filter list contains the current attribute type; check
//the attribute types value(s) against the corresponding filter.
// If the filter list does not contain the attribute type skip the
// attribute type.
//This flag causes any targattr checks to be bypassed in AciTargets.
matchCtx.setTargAttrFiltersMatch(true);
//Doing a geteffectiverights eval, save the ACI and the name
//in the context.
if(matchCtx.isGetEffectiveRightsEval()) {
}
}
return attrMatched;
}
boolean result)
{
return !result;
return result;
}
/**
* Check if this TargAttrFilters object is applicable to the specified
* target match context. This check is only used for either LDAP add or
* delete operations.
* @param matchCtx The target match context containing the information
* needed to match.
* @return True if this TargAttrFilters object is applicable to this
* target match context.
*/
//List didn't match current operation return true.
if(attrFilterList == null)
return true;
//Iterate through each attribute type in the filter list checking
//the resource entry to see if it has that attribute type. If not
//go to the next attribute type. If it is found, then check the entries
//attribute type values against the filter.
SearchFilter f=e.getValue();
return revertForInequalityOperator(op, false);
}
}
return revertForInequalityOperator(op, true);
}
{
{
// Found a match in the entry, iterate over each attribute
// type in the entry and check its values against the filter.
{
if (!matchFilterAttributeValues(a, attrType, f))
{
return false;
}
}
}
return true;
}
/**
* Iterate over each attribute type attribute and compare the values
* against the provided filter.
* @param a The attribute from the resource entry.
* @param attrType The attribute type currently working on.
* @param filter The filter to evaluate the values against.
* @return True if all of the values matched the filter.
*/
private boolean matchFilterAttributeValues(Attribute a,
//Iterate through each value and apply the filter against it.
for (ByteString value : a) {
return false;
}
}
return true;
}
/**
* Matches an specified attribute value against a specified filter. A dummy
* entry is created with only a single attribute containing the value The
* filter is applied against that entry.
*
* @param attrType The attribute type currently being evaluated.
* @param value The value to match the filter against.
* @param filter The filter to match.
* @return True if the value matches the filter.
*/
try {
return filter.matchesEntry(e);
} catch(DirectoryException ex) {
return false;
}
}
/**
* Return true if the TargAttrFilters mask contains the specified mask.
* @param mask The mask to check for.
* @return True if the mask matches.
*/
}
}