UserDN.java revision 917eb33ca3ffb73a34c0f733227d8f2215f9d978
/*
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * Portions Copyright [yyyy] [name of copyright owner]
 *
 * Copyright 2008 Sun Microsystems, Inc.
 * Portions Copyright 2013-2015 ForgeRock AS
 */

/**
 * This class represents the userdn keyword in a bind rule.
 */

/**
 * A dummy URL for invalid URLs such as: all, parent, anyone, self.
 */

/**
 * This list holds a list of objects representing an EnumUserDNType
 */

/** Enumeration of the userdn operation type. */

/**
 * Constructor that creates the userdn class. It also sets up an attribute
 * type ("userdn") needed for wild-card matching.
 *
 * @param type The type of operation.
 * @param urlList A list of enumerations containing the URL type and URL
 *                object that can be retrieved at evaluation time.
 */

/**
 * Decodes an expression string representing a userdn bind rule.
 *
 * @param expression The string representation of the userdn bind rule
 * @param type An enumeration of the type of the bind rule.
 * @return A KeywordBindRule class that represents the bind rule.
 * @throws AciException If the expression failed to LDAP URL decode.
 */

/*
 * TODO Evaluate using a wild-card in the dn portion of LDAP url.
 * The current implementation (DS6) does not treat a "*"
 * Is it allowed to have a full LDAP URL (i.e., including a base,
 * scope, and filter) in which the base DN contains asterisks to
 * make it a wildcard? If so, then I don't think that the current
 * implementation handles that correctly. It will probably fail
 * when attempting to create the LDAP URL because the base DN isn't a
 */

/**
 * This method determines the type of the DN (suffix in URL terms)
 * part of a URL, by examining the full URL itself for known strings
 * such as (corresponding type shown in parentheses):
 *
 *   "ldap:///anyone" (EnumUserDNType.ANYONE)
 *   "ldap:///parent" (EnumUserDNType.PARENT)
 *   "ldap:///all"    (EnumUserDNType.ALL)
 *   "ldap:///self"   (EnumUserDNType.SELF)
 *
 * If one of the four above is found, the URL is replaced with a dummy
 * pattern "ldap:///". This is done because the above four are invalid
 * URLs; but the syntax is valid for a userdn keyword expression. The
 * dummy URLs are never used.
 *
 * If none of the above are found, it determines whether the URL DN is a
 * substring pattern, such as:
 *
 *   "ldap:///uid=*, dc=example, dc=com" (EnumUserDNType.PATTERN)
 *
 * If none of the above are determined, it checks if the URL
 * is a complete URL with scope and filter defined:
 *
 *   "ldap:///uid=test,dc=example,dc=com??sub?(cn=j*)" (EnumUserDNType.URL)
 *
 * If none of these types can be identified, it defaults to
 *
 * @param bldr A string representation of the URL that can be modified.
 * @return The user DN type of the URL.
 */

/**
 * Performs the evaluation of a userdn bind rule based on the
 * evaluation context passed to it. The evaluation stops when there
 * are no more UserDNTypeURLs to evaluate or if a UserDNTypeURL
 *
 * @param evalCtx The evaluation context to evaluate with.
 * @return An evaluation result enumeration containing the result
 */

// Handle anonymous checks here

/**
 * Performs an evaluation of a single UserDNTypeURL of a userdn bind
 * rule using the evaluation context provided. This method is called
 * for the non-anonymous user case.
 *
 * @param evalCtx The evaluation context to evaluate with.
 * @param dnTypeURL The URL dn type mapping to evaluate.
 * @return An evaluation result enumeration containing the result
 */

// This code handles the case where a root dn entry does
// not have bypass-acl privilege and the ACI bind rule
// userdn DN is possibly an alternate root DN.

/**
 * This method evaluates a DN pattern userdn expression.
 *
 * @param evalCtx The evaluation context to use.
 * @param url The LDAP URL containing the pattern.
 * @return An enumeration evaluation result.
 */

/**
 * This method evaluates a URL userdn expression. Something like:
 * ldap:///suffix??sub?(filter). It also searches for the client DN
 * entry and saves it in the evaluation context for repeat evaluations
 * that might come later in processing.
 *
 * @param evalCtx The evaluation context to use.
 * @param url URL containing the URL to use in the evaluation.
 * @return An enumeration of the evaluation result.
 */

/*
 * TODO Evaluate making this method more efficient.
 * The evalDNEntryAttr method isn't as efficient as it could be.
 * It would probably be faster to convert the clientDN to a ByteString
 * and see if the entry has that value than to decode each value as a DN
 * and see if it matches the clientDN.
 */

/**
 * This method searches an entry for an attribute value that is
 * treated as a DN. That DN is then compared against the client
 *
 * @param e The entry to get the attribute type from.
 * @param clientDN The client authorization DN to check for.
 * @param attrType The attribute type from the bind rule.
 * @return An enumeration with the result.
 */
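The following is an added, stand-alone example of the classification order documented for the determineType method above; it is not OpenDJ's own code. The enum `UserDnType`, the `Classified` holder and the method names are hypothetical stand-ins for the real `EnumUserDNType` and its callers, keyword matching is done case-insensitively as an assumption, and the fallback type `DN` for a wildcard-free, filter-free DN is likewise an assumption, since the page's sentence describing the default is cut off. The point a reviewer would check is that only the DN part of the URL (the text before the first `?`) decides PATTERN, so the `*` in the filter of the documented `ldap:///uid=test,dc=example,dc=com??sub?(cn=j*)` example yields URL, not PATTERN.

```java
import java.util.Locale;

/** Added example classifier for userdn bind-rule URLs (hypothetical names throughout). */
public final class UserDnUrlClassifier {

    /** Hypothetical stand-in for EnumUserDNType; DN as the default type is an assumption. */
    public enum UserDnType { ANYONE, PARENT, ALL, SELF, PATTERN, URL, DN }

    /** Dummy URL substituted for the four keyword forms, which are not valid LDAP URLs. */
    public static final String DUMMY_URL = "ldap:///";

    private static final String SCHEME = "ldap:///";

    /** Result of classification: the type plus the (possibly rewritten) URL text. */
    public static final class Classified {
        public final UserDnType type;
        public final String url;

        Classified(UserDnType type, String url) {
            this.type = type;
            this.url = url;
        }

        @Override
        public String toString() {
            return type + " " + url;
        }
    }

    public static Classified determineType(String rawUrl) {
        String url = rawUrl.trim();
        String lower = url.toLowerCase(Locale.ROOT);

        // 1. The four keyword forms: type is fixed and the URL is replaced by the dummy,
        //    because "ldap:///anyone" etc. are not decodable LDAP URLs.
        switch (lower) {
            case "ldap:///anyone": return new Classified(UserDnType.ANYONE, DUMMY_URL);
            case "ldap:///parent": return new Classified(UserDnType.PARENT, DUMMY_URL);
            case "ldap:///all":    return new Classified(UserDnType.ALL, DUMMY_URL);
            case "ldap:///self":   return new Classified(UserDnType.SELF, DUMMY_URL);
            default: break;
        }
        if (!lower.startsWith(SCHEME)) {
            throw new IllegalArgumentException("not an ldap:/// URL: " + rawUrl);
        }

        // 2. Only the DN part (before the first '?') decides PATTERN. A '*' inside the
        //    scope/filter part of a full URL is an LDAP filter wildcard, not a DN pattern.
        String afterScheme = url.substring(SCHEME.length());
        int q = afterScheme.indexOf('?');
        String dnPart = q < 0 ? afterScheme : afterScheme.substring(0, q);
        if (dnPart.indexOf('*') >= 0) {
            return new Classified(UserDnType.PATTERN, url);
        }

        // 3. A '?' after the DN means scope and/or filter are present: a complete LDAP URL.
        if (q >= 0) {
            return new Classified(UserDnType.URL, url);
        }

        // 4. Fallback: a plain DN (assumed name; the page's default sentence is cut off).
        return new Classified(UserDnType.DN, url);
    }

    public static void main(String[] args) {
        // Constructed inputs: the page's documented examples plus a plain DN.
        String[] samples = {
            "ldap:///anyone",
            "ldap:///self",
            "ldap:///uid=*, dc=example, dc=com",
            "ldap:///uid=test,dc=example,dc=com??sub?(cn=j*)",
            "ldap:///uid=test,dc=example,dc=com",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + determineType(s));
        }
        // Self-checks on the documented cases.
        if (determineType("ldap:///anyone").type != UserDnType.ANYONE) throw new AssertionError();
        if (!DUMMY_URL.equals(determineType("ldap:///self").url)) throw new AssertionError();
        if (determineType("ldap:///uid=*, dc=example, dc=com").type != UserDnType.PATTERN) throw new AssertionError();
        if (determineType("ldap:///uid=test,dc=example,dc=com??sub?(cn=j*)").type != UserDnType.URL) throw new AssertionError();
    }
}
```

Run with `javac UserDnUrlClassifier.java && java UserDnUrlClassifier`. Because the keyword forms are rewritten to the dummy URL before any URL decoding happens, a later LDAP URL decoder never sees `ldap:///anyone`, which is why the class documentation can say the dummy URLs are never used.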
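The following is an added example for the evalDNEntryAttr discussion and its efficiency TODO; it is not OpenDJ's own code. It contrasts the documented approach (decode each attribute value as a DN and compare it with the client DN) with the raw-bytes shortcut the TODO proposes. The `normalizeDn` helper is a deliberately simplified, assumed normalization (lower-cases attribute types and values, trims whitespace around `=` and `,`, and supports neither escaping nor multi-valued RDNs), not OpenDJ's DN implementation; the attribute values and client DN are constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added example: DN-valued attribute matching, decode-and-compare versus raw bytes. */
public final class DnAttributeMatch {

    /**
     * Simplified (assumed) DN normalization. Returns null when a value is not
     * of the form "type=value,type=value,..." and so cannot be treated as a DN.
     */
    static String normalizeDn(String dn) {
        StringBuilder out = new StringBuilder();
        for (String rdn : dn.split(",")) {
            int eq = rdn.indexOf('=');
            if (eq <= 0 || eq == rdn.length() - 1) {
                return null; // not "type=value"
            }
            String type = rdn.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            String value = rdn.substring(eq + 1).trim().toLowerCase(Locale.ROOT);
            if (type.isEmpty() || value.isEmpty()) {
                return null;
            }
            if (out.length() > 0) {
                out.append(',');
            }
            out.append(type).append('=').append(value);
        }
        return out.toString();
    }

    /** The decode-and-compare approach the Javadoc describes; undecodable values never match. */
    static boolean matchesAsDn(List<String> attrValues, String clientDn) {
        String client = normalizeDn(clientDn);
        if (client == null) {
            return false;
        }
        for (String v : attrValues) {
            String n = normalizeDn(v);
            if (n != null && n.equals(client)) {
                return true;
            }
        }
        return false;
    }

    /** The raw-bytes shortcut from the TODO: exact textual equality only. */
    static boolean matchesAsBytes(List<String> attrValues, String clientDn) {
        return attrValues.contains(clientDn);
    }

    public static void main(String[] args) {
        // Constructed sample: one attribute holding the same DN as the client,
        // spelled with different case and spacing, plus a value that is not a DN.
        List<String> values = new ArrayList<>();
        values.add("uid=Alice, ou=People, dc=example, dc=com");
        values.add("not a dn");
        String client = "uid=alice,ou=people,dc=example,dc=com";

        boolean asDn = matchesAsDn(values, client);       // true: equivalent DNs
        boolean asBytes = matchesAsBytes(values, client); // false: different bytes
        System.out.println("decode-and-compare: " + asDn + ", raw bytes: " + asBytes);
        if (!asDn || asBytes) {
            throw new AssertionError("unexpected result");
        }
    }
}
```

Run with `javac DnAttributeMatch.java && java DnAttributeMatch`. The sample shows the trade-off behind the TODO: comparing the client DN as a byte string is cheaper, but it only matches values stored in exactly the same spelling, so a bind rule relying on it would deny a user whose DN is stored in an equivalent but differently cased or spaced form. Any shortcut of that kind has to compare normalized DN bytes on both sides to keep the documented semantics.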