UserDN.java revision f71f7a61dec7c9089378d14493ad564a1dedf0b5
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at
* trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
* add the following below this CDDL HEADER, with the fields enclosed
* by brackets "[]" replaced with your own identifying information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Portions Copyright 2007 Sun Microsystems, Inc.
*/
/**
* This class represents the userdn keyword in a bind rule.
*/
public class UserDN implements KeywordBindRule {
/*
* A dummy URL for invalid URLs such as: all, parent, anyone, self.
*/
/**
* This list holds a list of objects representing a EnumUserDNType
* URL mapping.
*/
private AttributeType userDNAttrType;
/**
* Constructor that creates the userdn class. It also sets up an attribute
* type ("userdn") needed for wild-card matching.
* @param type The type of operation.
* @param urlList A list of enumerations containing the URL type and URL
* object that can be retrieved at evaluation time.
*/
if (userDNAttrType == null)
}
/**
* Decodes an expression string representing a userdn bind rule.
* @param expression The string representation of the userdn bind rule
* expression.
* @param type An enumeration of the type of the bind rule.
* @return A KeywordBindRule class that represents the bind rule.
* @throws AciException If the expression failed to LDAP URL decode.
*/
{
/*
* TODO Evaluate using a wild-card in the dn portion of LDAP url.
* The current implementation (DS6) does not treat a "*"
* as a wild-card.
*
* Is it allowed to have a full LDAP URL (i.e., including a base,
* scope, and filter) in which the base DN contains asterisks to
* make it a wildcard? If so, then I don't think that the current
* implementation handles that correctly. It will probably fail
* when attempting to create the LDAP URL because the base DN isn't a
* valid DN.
*/
try {
} catch (DirectoryException de) {
}
}
}
/**
* This method determines the type of the DN (suffix in URL terms)
* part of a URL, by examining the full URL itself for known strings
* such as (corresponding type shown in parenthesis)
*
* "ldap:///anyone" (EnumUserDNType.ANYONE)
* "ldap:///parent" (EnumUserDNType.PARENT)
* "ldap:///all" (EnumUserDNType.ALL)
* "ldap:///self" (EnumUserDNType.SELF)
*
* If one of the four above are found, the URL is replaced with a dummy
* pattern "ldap:///". This is done because the above four are invalid
* URLs; but the syntax is valid for an userdn keyword expression. The
* dummy URLs are never used.
*
* If none of the above are found, it determine if the URL DN is a
* substring pattern, such as:
*
* "ldap:///uid=*, dc=example, dc=com" (EnumUserDNType.PATTERN)
*
* If none of the above are determined, it checks if the URL
* is a complete URL with scope and filter defined:
*
* "ldap:///uid=test,dc=example,dc=com??sub?(cn=j*)" (EnumUserDNType.URL)
*
* If none of these those types can be identified, it defaults to
* EnumUserDNType.DN.
*
* @param bldr A string representation of the URL that can be modified.
* @return The user DN type of the URL.
*/
} else {
}
return type;
}
/**
* Performs the evaluation of a userdn bind rule based on the
* evaluation context passed to it. The evaluation stops when there
* are no more UserDNTypeURLs to evaluate or if an UserDNTypeURL
* evaluates to true.
* @param evalCtx The evaluation context to evaluate with.
* @return An evaluation result enumeration containing the result
* of the evaluation.
*/
boolean undefined=false;
//Handle anonymous checks here
if(isAnonUser) {
} else
}
}
/**
* Performs an evaluation of a single UserDNTypeURL of a userdn bind
* rule using the evaluation context provided. This method is called
* for the non-anonymous user case.
* @param evalCtx The evaluation context to evaluate with.
* @param dnTypeURL The URL dn type mapping to evaluate.
* @return An evaluation result enumeration containing the result
* of the evaluation.
*/
switch (type) {
case URL:
{
break;
}
case ANYONE:
{
break;
}
case SELF:
{
break;
}
case PARENT:
{
break;
}
case ALL:
{
break;
}
case DNPATTERN:
{
break;
}
case DN:
{
try
{
} catch (DirectoryException ex) {
//TODO add message
}
}
}
return matched;
}
/*
* TODO Evaluate making this more efficient.
*
* The evalDNPattern() method looks like it suffers from the
* same problem as the matchesPattern() method in the Target
* class. Creating a dummy entry and attempting to do substring
* matching on a DN is a pretty expensive and error-prone approach.
* Using a regular expression would likely be much more efficient and
* should be simpler.
*/
/**
* This method evaluates a DN pattern userdn expression. It creates a
* dummy entry and a substring filter and applies the filter to the
* entry.
* @param evalCtx The evaluation context to use.
* @param url The LDAP URL containing the pattern.
* @return An enumeration evaluation result.
*/
boolean rc;
try {
} catch (DirectoryException ex) {
return EnumEvalResult.FALSE;
}
new LinkedHashSet<AttributeValue>();
try {
} catch (DirectoryException ex) {
return EnumEvalResult.FALSE;
}
if(!rc)
return ret;
}
/**
* This method evaluates an URL userdn expression. Something like:
* ldap:///suffix??sub?(filter). It also searches for the client DN
* entry and saves it in the evaluation context for repeat evaluations
* that might come later in processing.
*
* @param evalCtx The evaluation context to use.
* @param url URL containing the URL to use in the evaluation.
* @return An enumeration of the evaluation result.
*/
try {
} catch (DirectoryException ex) {
return EnumEvalResult.FALSE;
}
return EnumEvalResult.FALSE;
return EnumEvalResult.FALSE;
} else {
return EnumEvalResult.FALSE;
}
try {
} catch (DirectoryException ex) {
return EnumEvalResult.FALSE;
}
return ret;
}
/*
* TODO Evaluate making this method more efficient.
*
* The evalDNEntryAttr method isn't as efficient as it could be. It would
* probably be faster to to convert the clientDN to an AttributeValue and
* see if the entry has that value than to decode each value as a DN and
* see if it matches the clientDN.
*/
/**
* This method searches an entry for an attribute value that is
* treated as a DN. That DN is then compared against the client
* DN.
* @param e The entry to get the attribute type from.
* @param clientDN The client authorization DN to check for.
* @param attrType The attribute type from the bind rule.
* @return An enumeration with the result.
*/
for(AttributeValue v : vals) {
try {
break;
}
} catch (DirectoryException ex) {
break;
}
}
return matched;
}
}