UserAttr.java revision 040cba63ba4af5bed76846f0edb63c853b009da9
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2011-2014 ForgeRock AS
*/
/*
* TODO Evaluate making this class more efficient.
*
* This class isn't as efficient as it could be. For example, the evalVAL()
* method should be able to use cached versions of the attribute type and
* filter. The evalURL() and evalDN() methods should also be able to use a
* cached version of the attribute type.
*/
/**
* This class implements the userattr bind rule keyword.
*/
public class UserAttr implements KeywordBindRule {
/**
* This enumeration is the various types the userattr can have after
* the "#" token.
*/
private enum UserAttrType {
return UserAttrType.USERDN;
return UserAttrType.GROUPDN;
return UserAttrType.ROLEDN;
return UserAttrType.URL;
}
return UserAttrType.VALUE;
}
}
/**
* Used to create an attribute type that can compare the value below in
* an entry returned from an internal search.
*/
/**
* Used to compare a attribute value returned from a search against this
* value which might have been defined in the ACI userattr rule.
*/
/** Contains the type of the userattr, one of the above enumerations. */
private UserAttrType userAttrType;
/** An enumeration representing the bind rule type. */
private EnumBindRuleType type;
/** The class used to hold the parent inheritance information. */
private ParentInheritance parentInheritance;
/**
* Create an non-USERDN/GROUPDN instance of the userattr keyword class.
* @param attrStr The attribute name in string form. Kept in string form
* until processing.
* @param attrVal The attribute value in string form -- used in the USERDN
* evaluation for the parent hierarchy expression.
* @param userAttrType The userattr type of the rule
* "USERDN, GROUPDN, ...".
* @param type The bind rule type "=, !=".
*/
this.userAttrType=userAttrType;
}
/**
* Create an USERDN or GROUPDN instance of the userattr keyword class.
* @param userAttrType The userattr type of the rule (USERDN or GROUPDN)
* only.
* @param type The bind rule type "=, !=".
* @param parentInheritance The parent inheritance class to use for parent
* inheritance checks if any.
*/
this.userAttrType=userAttrType;
}
/**
* Decode an string containing the userattr bind rule expression.
* @param expression The expression string.
* @param type The bind rule type.
* @return A class suitable for evaluating a userattr bind rule.
* @throws AciException If the string contains an invalid expression.
*/
throws AciException {
throw new AciException(message);
}
switch (userAttrType) {
case GROUPDN:
case USERDN: {
}
case ROLEDN: {
//The roledn keyword is not supported. Throw an exception with
//a message if it is seen in the expression.
}
}
}
/**
* Evaluate the expression using an evaluation context.
* @param evalCtx The evaluation context to use in the evaluation of the
* userattr expression.
* @return An enumeration containing the result of the evaluation.
*/
//The working resource entry might be filtered and not have an
//attribute type that is needed to perform these evaluations. The
//evalCtx has a copy of the non-filtered entry, switch to it for these
//evaluations.
switch(userAttrType) {
case ROLEDN:
case GROUPDN:
case USERDN: {
break;
}
case URL: {
break;
}
default:
}
return matched;
}
/** Evaluate a VALUE userattr type. Look in client entry for an
* attribute value and in the resource entry for the same
* value. If both entries have the same value than return true.
* @param evalCtx The evaluation context to use.
* @return An enumeration containing the result of the
* evaluation.
*/
boolean undefined=false;
}
{
}
}
}
}
/**
* Evaluate an URL userattr type. Look into the resource entry for the
* specified attribute and values. Assume it is an URL. Decode it an try
* and match it against the client entry attribute.
* @param evalCtx The evaluation context to evaluate with.
* @return An enumeration containing a result of the URL evaluation.
*/
boolean undefined=false;
}
for(ByteString v : a) {
try {
} catch (DirectoryException e) {
break;
}
{
break;
}
}
{
break;
}
{
undefined=true;
break;
}
}
}
}
/**
* Evaluate the DN type userattr keywords. These are roledn, userdn and
* groupdn. The processing is the same for all three, although roledn is
* a slightly different. For the roledn userattr keyword, a very simple
* parent inheritance class was created. The rest of the processing is the
* same for all three keywords.
*
* @param evalCtx The evaluation context to evaluate with.
* @return An enumeration containing a result of the USERDN evaluation.
*/
}
} else {
//The ROLEDN keyword will always enter this statement. The others
//might. For the add operation, the resource itself (level 0)
//must never be allowed to give access.
if(levels[i] == 0) {
if(evalCtx.isAddOperation()) {
undefined=true;
matched =
stop=true;
}
}
} else {
continue;
}
if(e.hasAttribute(attrType)) {
stop=true;
}
}
}
}
}
}
}
/**
* This method returns a parent DN based on the level. Not very
* sophisticated but it works.
* @param l The level.
* @param dn The DN to get the parent of.
* @return Parent DN based on the level or null if the level is greater
* than the rdn count.
*/
if(l > rdns) {
return null;
}
for(int i=0; i < l;i++) {
}
return theDN;
}
/**
* This method evaluates the user attribute type and calls the correct
* evalaution method. The three user attribute types that can be selected
* are USERDN or GROUPDN.
*
* @param e The entry to use in the evaluation.
* @param evalCtx The evaluation context to use in the evaluation.
* @param attributeType The attribute type to use in the evaluation.
* @return The result of the evaluation routine.
*/
switch (userAttrType) {
case USERDN: {
break;
}
case GROUPDN: {
break;
}
}
return result;
}
/** {@inheritDoc} */
{
}
/** {@inheritDoc} */
{
}
}