org.apache.directory.server.core.authz

Class AciAuthorizationInterceptor

java.lang.Object

org.apache.directory.server.core.api.interceptor.BaseInterceptor

org.apache.directory.server.core.authz.AciAuthorizationInterceptor

All Implemented Interfaces:

Interceptor

public class AciAuthorizationInterceptor
extends BaseInterceptor

An ACI based authorization service.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
private class	AciAuthorizationInterceptor.AuthorizationFilter WARNING: create one of these filters fresh every time for each new search.

Field Summary

Fields

Modifier and Type	Field and Description
private static org.slf4j.Logger	ACI_LOG the dedicated logger for ACI
private org.apache.directory.api.ldap.aci.ACIItemParser	aciParser a normalizing ACIItem parser
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	ADD_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	BROWSE_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	COMPARE_PERMS
static javax.naming.directory.SearchControls	DEFAULT_SEARCH_CONTROLS
private ACDFEngine	engine use and instance of the ACDF engine
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	EXPORT_PERMS
private GroupCache	groupCache a groupCache that responds to add, delete, and modify attempts
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	IMPORT_PERMS
private static org.slf4j.Logger	LOG the logger for this class
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	LOOKUP_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	MOVERENAME_PERMS
private PartitionNexus	nexus A reference to the nexus for direct backend operations
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	READ_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	REMOVE_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	RENAME_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	REPLACE_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	SEARCH_ATTRVAL_PERMS
private static java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation>	SEARCH_ENTRY_PERMS
private static SubentryUtils	subentryUtils The SubentryUtils instance
private java.lang.String	subschemaSubentryDn the system wide subschemaSubentryDn
private TupleCache	tupleCache a tupleCache that responds to add, delete, and modify attempts

Fields inherited from class org.apache.directory.server.core.api.interceptor.BaseInterceptor

directoryService, dnFactory, PWD_POLICY_STATE_ATTRIBUTE_TYPES, schemaManager

Constructor Summary

Constructors

Constructor and Description
AciAuthorizationInterceptor() Create a AciAuthorizationInterceptor instance

Method Summary

Modifier and Type	Method and Description
void	add(AddOperationContext addContext) Filters Partition#add( AddOperationContext ) call.
private void	addEntryAciTuples(java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples, org.apache.directory.api.ldap.model.entry.Entry entry) Adds the set of entryACI tuples to a collection of tuples.
private void	addPerscriptiveAciTuples(OperationContext opContext, java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples, org.apache.directory.api.ldap.model.name.Dn dn, org.apache.directory.api.ldap.model.entry.Entry entry) Adds perscriptiveACI tuples to a collection of tuples by accessing the tupleCache.
private void	addSubentryAciTuples(OperationContext opContext, java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples, org.apache.directory.api.ldap.model.name.Dn dn, org.apache.directory.api.ldap.model.entry.Entry entry) Adds the set of subentryACI tuples to a collection of tuples.
void	cacheNewGroup(org.apache.directory.api.ldap.model.name.Dn name, org.apache.directory.api.ldap.model.entry.Entry entry)
private void	checkLookupAccess(LookupOperationContext lookupContext, org.apache.directory.api.ldap.model.entry.Entry entry) Checks if the READ permissions exist to the entry and to each attribute type and value.
boolean	compare(CompareOperationContext compareContext) Filters DefaultPartitionNexus#compare( CompareOperationContext ) call.
void	delete(DeleteOperationContext deleteContext) Filters Partition#delete( DeleteOperationContext ) call.
private boolean	filter(OperationContext opContext, org.apache.directory.api.ldap.model.name.Dn normName, org.apache.directory.api.ldap.model.entry.Entry clonedEntry)
boolean	hasEntry(HasEntryOperationContext hasEntryContext) Filters Partition#hasEntry( HasEntryOperationContext ) call.
void	init(DirectoryService directoryService) Initializes this interceptor based service by getting a handle on the nexus, setting up the tuple and group membership caches, the ACIItem parser and the ACDF engine.
private void	initGroupCache() Load the Groups into the cache
private void	initTupleCache() Load the Tuples into the cache
boolean	isPrincipalAnAdministrator(org.apache.directory.api.ldap.model.name.Dn principalDn)
private boolean	isTheAdministrator(org.apache.directory.api.ldap.model.name.Dn normalizedDn)
org.apache.directory.api.ldap.model.entry.Entry	lookup(LookupOperationContext lookupContext) Filters Partition#lookup( LookupOperationContext ) call.
void	modify(ModifyOperationContext modifyContext) Filters Partition#modify( ModifyOperationContext ) call.
void	move(MoveOperationContext moveContext) Filters Partition#move( MoveOperationContext ) call.
void	moveAndRename(MoveAndRenameOperationContext moveAndRenameContext) Filters Partition#moveAndRename( MoveAndRenameOperationContext) call.
private void	protectCriticalEntries(OperationContext opCtx, org.apache.directory.api.ldap.model.name.Dn dn)
void	rename(RenameOperationContext renameContext) Filters Partition#rename( RenameOperationContext ) call.
EntryFilteringCursor	search(SearchOperationContext searchContext) Filters Partition#search( SearchOperationContext ) call.

Methods inherited from class org.apache.directory.server.core.api.interceptor.BaseInterceptor

bind, destroy, getName, getNextInterceptor, getPrincipal, getRootDse, next, next, next, next, next, next, next, next, next, next, next, next, next, unbind

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

LOG

private static final org.slf4j.Logger LOG

the logger for this class

ACI_LOG

private static final org.slf4j.Logger ACI_LOG

the dedicated logger for ACI

ADD_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> ADD_PERMS

READ_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> READ_PERMS

COMPARE_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> COMPARE_PERMS

SEARCH_ENTRY_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> SEARCH_ENTRY_PERMS

SEARCH_ATTRVAL_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> SEARCH_ATTRVAL_PERMS

REMOVE_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> REMOVE_PERMS

BROWSE_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> BROWSE_PERMS

LOOKUP_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> LOOKUP_PERMS

REPLACE_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> REPLACE_PERMS

RENAME_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> RENAME_PERMS

EXPORT_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> EXPORT_PERMS

IMPORT_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> IMPORT_PERMS

MOVERENAME_PERMS

private static final java.util.Collection<org.apache.directory.api.ldap.aci.MicroOperation> MOVERENAME_PERMS

tupleCache

private TupleCache tupleCache

a tupleCache that responds to add, delete, and modify attempts

groupCache

private GroupCache groupCache

a groupCache that responds to add, delete, and modify attempts

aciParser

private org.apache.directory.api.ldap.aci.ACIItemParser aciParser

a normalizing ACIItem parser

engine

private ACDFEngine engine

use and instance of the ACDF engine

subschemaSubentryDn

private java.lang.String subschemaSubentryDn

the system wide subschemaSubentryDn

nexus

private PartitionNexus nexus

A reference to the nexus for direct backend operations

DEFAULT_SEARCH_CONTROLS

public static final javax.naming.directory.SearchControls DEFAULT_SEARCH_CONTROLS

subentryUtils

private static SubentryUtils subentryUtils

The SubentryUtils instance

Constructor Detail

AciAuthorizationInterceptor

public AciAuthorizationInterceptor()

Create a AciAuthorizationInterceptor instance

Method Detail

initTupleCache

private void initTupleCache()
                     throws org.apache.directory.api.ldap.model.exception.LdapException

Load the Tuples into the cache

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

initGroupCache

private void initGroupCache()
                     throws org.apache.directory.api.ldap.model.exception.LdapException

Load the Groups into the cache

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

init

public void init(DirectoryService directoryService)
          throws org.apache.directory.api.ldap.model.exception.LdapException

Initializes this interceptor based service by getting a handle on the nexus, setting up the tuple and group membership caches, the ACIItem parser and the ACDF engine.

Specified by:

init in interface Interceptor

Overrides:

init in class BaseInterceptor

Parameters:

directoryService - the directory service core

Throws:

java.lang.Exception - if there are problems during initialization

org.apache.directory.api.ldap.model.exception.LdapException

protectCriticalEntries

private void protectCriticalEntries(OperationContext opCtx,
                                    org.apache.directory.api.ldap.model.name.Dn dn)
                             throws org.apache.directory.api.ldap.model.exception.LdapException

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

addPerscriptiveAciTuples

private void addPerscriptiveAciTuples(OperationContext opContext,
                                      java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples,
                                      org.apache.directory.api.ldap.model.name.Dn dn,
                                      org.apache.directory.api.ldap.model.entry.Entry entry)
                               throws org.apache.directory.api.ldap.model.exception.LdapException

Adds perscriptiveACI tuples to a collection of tuples by accessing the tupleCache. The tuple cache is accessed for each A/C subentry associated with the protected entry. Note that subentries are handled differently: their parent, the administrative entry is accessed to determine the perscriptiveACIs effecting the AP and hence the subentry which is considered to be in the same context.

Parameters:

tuples - the collection of tuples to add to

dn - the normalized distinguished name of the protected entry

entry - the target entry whose access is being controlled

proxy - the partition nexus proxy object

Throws:

java.lang.Exception - if there are problems accessing attribute values

org.apache.directory.api.ldap.model.exception.LdapException

addEntryAciTuples

private void addEntryAciTuples(java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples,
                               org.apache.directory.api.ldap.model.entry.Entry entry)
                        throws org.apache.directory.api.ldap.model.exception.LdapException

Adds the set of entryACI tuples to a collection of tuples. The entryACI is parsed and tuples are generated on they fly then added to the collection.

Parameters:

tuples - the collection of tuples to add to

entry - the target entry that access to is being regulated

Throws:

java.lang.Exception - if there are problems accessing attribute values

org.apache.directory.api.ldap.model.exception.LdapException

addSubentryAciTuples

private void addSubentryAciTuples(OperationContext opContext,
                                  java.util.Collection<org.apache.directory.api.ldap.aci.ACITuple> tuples,
                                  org.apache.directory.api.ldap.model.name.Dn dn,
                                  org.apache.directory.api.ldap.model.entry.Entry entry)
                           throws org.apache.directory.api.ldap.model.exception.LdapException

Adds the set of subentryACI tuples to a collection of tuples. The subentryACI is parsed and tuples are generated on the fly then added to the collection.

Parameters:

tuples - the collection of tuples to add to

dn - the normalized distinguished name of the protected entry

entry - the target entry that access to is being regulated

proxy - the partition nexus proxy object

Throws:

java.lang.Exception - if there are problems accessing attribute values

org.apache.directory.api.ldap.model.exception.LdapException

add

public void add(AddOperationContext addContext)
         throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#add( AddOperationContext ) call.

Specified by:

add in interface Interceptor

Overrides:

add in class BaseInterceptor

Parameters:

addContext - The AddOperationContext instance

Throws:

org.apache.directory.api.ldap.model.exception.LdapException - If we had some error while processing the Add operation

compare

public boolean compare(CompareOperationContext compareContext)
                throws org.apache.directory.api.ldap.model.exception.LdapException

Filters DefaultPartitionNexus#compare( CompareOperationContext ) call.

Specified by:

compare in interface Interceptor

Overrides:

compare in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

delete

public void delete(DeleteOperationContext deleteContext)
            throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#delete( DeleteOperationContext ) call.

Specified by:

delete in interface Interceptor

Overrides:

delete in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

hasEntry

public boolean hasEntry(HasEntryOperationContext hasEntryContext)
                 throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#hasEntry( HasEntryOperationContext ) call.

Specified by:

hasEntry in interface Interceptor

Overrides:

hasEntry in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

lookup

public org.apache.directory.api.ldap.model.entry.Entry lookup(LookupOperationContext lookupContext)
                                                       throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#lookup( LookupOperationContext ) call.

Specified by:

lookup in interface Interceptor

Overrides:

lookup in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

modify

public void modify(ModifyOperationContext modifyContext)
            throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#modify( ModifyOperationContext ) call.

Specified by:

modify in interface Interceptor

Overrides:

modify in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

move

public void move(MoveOperationContext moveContext)
          throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#move( MoveOperationContext ) call.

Specified by:

move in interface Interceptor

Overrides:

move in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

moveAndRename

public void moveAndRename(MoveAndRenameOperationContext moveAndRenameContext)
                   throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#moveAndRename( MoveAndRenameOperationContext) call.

Specified by:

moveAndRename in interface Interceptor

Overrides:

moveAndRename in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

rename

public void rename(RenameOperationContext renameContext)
            throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#rename( RenameOperationContext ) call.

Specified by:

rename in interface Interceptor

Overrides:

rename in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

search

public EntryFilteringCursor search(SearchOperationContext searchContext)
                            throws org.apache.directory.api.ldap.model.exception.LdapException

Filters Partition#search( SearchOperationContext ) call.

Specified by:

search in interface Interceptor

Overrides:

search in class BaseInterceptor

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

checkLookupAccess

private void checkLookupAccess(LookupOperationContext lookupContext,
                               org.apache.directory.api.ldap.model.entry.Entry entry)
                        throws org.apache.directory.api.ldap.model.exception.LdapException

Checks if the READ permissions exist to the entry and to each attribute type and value.

Parameters:

principal - the user associated with the call

dn - the name of the entry being looked up

entry - the raw entry pulled from the nexus

Throws:

java.lang.Exception - if undlying access to the DIT fails

org.apache.directory.api.ldap.model.exception.LdapException

isPrincipalAnAdministrator

public final boolean isPrincipalAnAdministrator(org.apache.directory.api.ldap.model.name.Dn principalDn)

cacheNewGroup

public void cacheNewGroup(org.apache.directory.api.ldap.model.name.Dn name,
                          org.apache.directory.api.ldap.model.entry.Entry entry)
                   throws java.lang.Exception

Throws:

java.lang.Exception

filter

private boolean filter(OperationContext opContext,
                       org.apache.directory.api.ldap.model.name.Dn normName,
                       org.apache.directory.api.ldap.model.entry.Entry clonedEntry)
                throws org.apache.directory.api.ldap.model.exception.LdapException

Throws:

org.apache.directory.api.ldap.model.exception.LdapException

isTheAdministrator

private boolean isTheAdministrator(org.apache.directory.api.ldap.model.name.Dn normalizedDn)