Package org.apache.directory.server.core

Examples of org.apache.directory.server.core.LdapPrincipal


     */

    public void add( NextInterceptor next, AddOperationContext addContext ) throws Exception
    {
        // Access the principal requesting the operation, and bypass checks if it is the admin
        LdapPrincipal principal = addContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
       
        ServerEntry serverEntry = addContext.getEntry();
        //Attributes entry = ServerEntryUtils.toAttributesImpl( serverEntry );

        DN name = addContext.getDn();

        // bypass authz code if we are disabled
        if ( !addContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.add( addContext );
            return;
        }

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.add( addContext );
            tupleCache.subentryAdded( name, serverEntry );
            groupCache.groupAdded( name, serverEntry );
            return;
        }

        // perform checks below here for all non-admin users
        SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( name, serverEntry );
       
        for ( EntryAttribute attribute:serverEntry )
        {
            subentryAttrs.put( attribute );
        }

        // Assemble all the information required to make an access control decision
        Set<DN> userGroups = groupCache.getGroups( principalDn.toNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();

        // Build the total collection of tuples to be considered for add rights
        // NOTE: entryACI are NOT considered in adds (it would be a security breech)
        addPerscriptiveAciTuples( addContext, tuples, name, subentryAttrs );
        addSubentryAciTuples( addContext, tuples, name, subentryAttrs );

        // check if entry scope permission is granted
        engine.checkPermission( schemaManager, addContext, userGroups, principalDn, principal.getAuthenticationLevel(), name, null, null,
            ADD_PERMS, tuples, subentryAttrs, null );

        // now we must check if attribute type and value scope permission is granted
        for ( EntryAttribute attribute:serverEntry )
        {
            for ( Value<?> value:attribute )
            {
                engine.checkPermission( schemaManager, addContext, userGroups, principalDn,
                    principal.getAuthenticationLevel(), name, attribute.getUpId(), value,
                    ADD_PERMS, tuples, serverEntry, null );
            }
        }

        // if we've gotten this far then access has been granted
View Full Code Here


            ClonedServerEntry entry = null;
           
            while ( cursor.next() )
            {
                entry = cursor.get();
                LdapPrincipal ldapPrincipal = new LdapPrincipal(
                    entry.getDn(),
                    AuthenticationLevel.STRONG,
                    entry.get( SchemaConstants.USER_PASSWORD_AT ).getBytes() );
                ldapSession.putSaslProperty( SaslConstants.SASL_AUTHENT_USER, ldapPrincipal );
            }
View Full Code Here

    public void delete( NextInterceptor next, DeleteOperationContext deleteContext ) throws Exception
    {
        DN name = deleteContext.getDn();
       
        LdapPrincipal principal = deleteContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        // bypass authz code if we are disabled
        if ( ! deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.delete( deleteContext );
            return;
        }

        ClonedServerEntry entry = deleteContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );

        protectCriticalEntries( name );

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.delete( deleteContext );
            tupleCache.subentryDeleted( name, entry );
            groupCache.groupDeleted( name, entry );
            return;
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( deleteContext, tuples, name, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( deleteContext, tuples, name, entry );

        engine.checkPermission( schemaManager, deleteContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), name, null, null, REMOVE_PERMS, tuples, entry, null );

        next.delete( deleteContext );
        tupleCache.subentryDeleted( name, entry );
        groupCache.groupDeleted( name, entry );
    }
View Full Code Here

        DN name = opContext.getDn();

        // Access the principal requesting the operation, and bypass checks if it is the admin
        ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
       
        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        // bypass authz code if we are disabled
        if ( !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.modify( opContext );
            return;
        }

        List<Modification> mods = opContext.getModItems();

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.modify( opContext );
            /**
             * @TODO: A virtual entry can be created here for not hitting the backend again.
             */
            ServerEntry modifiedEntry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );
            tupleCache.subentryModified( name, mods, modifiedEntry );
            groupCache.groupModified( name, mods, entry, schemaManager );
            return;
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( opContext, tuples, name, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( opContext, tuples, name, entry );

        engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), name, null, null,
            Collections.singleton( MicroOperation.MODIFY ), tuples, entry, null );

        Collection<MicroOperation> perms = null;
        ServerEntry entryView = ( ServerEntry ) entry.clone();
       
        for ( Modification mod : mods )
        {
            ServerAttribute attr = (ServerAttribute)mod.getAttribute();

            switch ( mod.getOperation() )
            {
                case ADD_ATTRIBUTE :
                    perms = ADD_PERMS;
               
                    // If the attribute is being created with an initial value ...
                    if ( entry.get( attr.getId() ) == null )
                    {
                        // ... we also need to check if adding the attribute is permitted
                        engine.checkPermission( schemaManager, opContext, userGroups, principalDn, principal.getAuthenticationLevel(), name,
                                attr.getId(), null, perms, tuples, entry, null );
                    }
                   
                    break;

                case REMOVE_ATTRIBUTE :
                    perms = REMOVE_PERMS;
                    EntryAttribute entryAttr = entry.get( attr.getId() );

                    if ( entryAttr != null )
                    {
                        // If there is only one value remaining in the attribute ...
                        if ( entryAttr.size() == 1 )
                        {
                            // ... we also need to check if removing the attribute at all is permitted
                            engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
                                principal.getAuthenticationLevel(), name, attr.getId(),
                                null, perms, tuples, entry, null );
                        }
                    }
                   
                    break;

                case REPLACE_ATTRIBUTE :
                    perms = REPLACE_PERMS;
                    break;
            }

            /**
             * Update the entry view as the current modification is applied to the original entry.
             * This is especially required for handling the MaxValueCount protected item. Number of
             * values for an attribute after a modification should be known in advance in order to
             * check permissions for MaxValueCount protected item. So during addition of the first
             * value of an attribute it can be rejected if the permission denied due the the
             * MaxValueCount protected item. This is not the perfect implementation as required by
             * the specification because the system should reject the addition exactly on the right
             * value of the attribute. However as we do not have that much granularity in our
             * implementation (we consider an Attribute Addition itself a Micro Operation,
             * not the individual Value Additions) we just handle this when the first value of an
             * attribute is being checked for relevant permissions below.
             */
            entryView = ServerEntryUtils.getTargetEntry( mod, entryView, schemaManager );
           
            for ( Value<?> value:attr )
            {               
                engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
                    principal.getAuthenticationLevel(), name, attr.getId(), value,
                    perms, tuples, entry, entryView );
            }
        }

       
View Full Code Here


        public MockOperation( int count ) throws Exception
        {
            this.count = count;
            this.session = new DefaultCoreSession( new LdapPrincipal( new DN(), AuthenticationLevel.STRONG ),
                new MockDirectoryService( count ) );
        }
View Full Code Here

            // It's the rootDSE, and it exists !
            return answer;
        }
       
        // TODO - eventually replace this with a check on session.isAnAdministrator()
        LdapPrincipal principal = entryContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            return answer;
        }

        ClonedServerEntry entry = entryContext.lookup( name, ByPassConstants.HAS_ENTRY_BYPASS );
        Set<DN> userGroups = groupCache.getGroups( principalDn.toNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry.getOriginalEntry() );
        addSubentryAciTuples( entryContext, tuples, name, entry.getOriginalEntry() );

        // check that we have browse access to the entry
        engine.checkPermission( schemaManager, entryContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), name, null, null,
            BROWSE_PERMS, tuples, entry.getOriginalEntry(), null );

        return next.hasEntry( entryContext );
    }
View Full Code Here

        if ( lookupContext.getDn().getNormName().trim().equals( "" ) )
        {
            return;
        }

        LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
        DN userName = principal.getClonedName();
        Set<DN> userGroups = groupCache.getGroups( userName.toNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( lookupContext, tuples, lookupContext.getDn(), entry );

        // check that we have read access to the entry
        engine.checkPermission( schemaManager, lookupContext, userGroups, userName, principal.getAuthenticationLevel(),
            lookupContext.getDn(), null, null,
            LOOKUP_PERMS, tuples, entry, null );

        // check that we have read access to every attribute type and value
        for ( EntryAttribute attribute:entry )
        {
           
            for ( Value<?> value:attribute )
            {
                engine.checkPermission(
                    schemaManager,
                    lookupContext,
                    userGroups,
                    userName,
                    principal.getAuthenticationLevel(),
                    lookupContext.getDn(),
                    attribute.getUpId(),
                    value,
                    READ_PERMS,
                    tuples,
View Full Code Here

    }


    public ClonedServerEntry lookup( NextInterceptor next, LookupOperationContext lookupContext ) throws Exception
    {
        LdapPrincipal principal = lookupContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
       
        if ( !principalDn.isNormalized() )
        {
            principalDn.normalize( schemaManager.getNormalizerMapping() );
        }
View Full Code Here

        if ( renameContext.getEntry() != null )
        {
            originalEntry = renameContext.getEntry().getOriginalEntry();
        }
       
        LdapPrincipal principal = renameContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        DN newName = renameContext.getNewDn();

        // bypass authz code if we are disabled
        if ( !renameContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.rename( renameContext );
            return;
        }

        protectCriticalEntries( oldName );

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.rename( renameContext );
            tupleCache.subentryRenamed( oldName, newName );
           
            // TODO : this method returns a boolean : what should we do with the result ?
            groupCache.groupRenamed( oldName, newName );

            return;
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( renameContext, tuples, oldName, originalEntry );
        addEntryAciTuples( tuples, originalEntry );
        addSubentryAciTuples( renameContext, tuples, oldName, originalEntry );

        engine.checkPermission( schemaManager, renameContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), oldName, null, null,
            RENAME_PERMS, tuples, originalEntry, null );

        next.rename( renameContext );
        tupleCache.subentryRenamed( oldName, newName );
        groupCache.groupRenamed( oldName, newName );
View Full Code Here

        DN oriChildName = moveAndRenameContext.getDn();
        DN newParentName = moveAndRenameContext.getParent();

        ClonedServerEntry entry = moveAndRenameContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );
       
        LdapPrincipal principal = moveAndRenameContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();
        DN newName = ( DN ) newParentName.clone();
        newName.add( moveAndRenameContext.getNewRdn().getUpName() );

        // bypass authz code if we are disabled
        if ( !moveAndRenameContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.moveAndRename( moveAndRenameContext );
            return;
        }

        protectCriticalEntries( oriChildName );

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.moveAndRename( moveAndRenameContext );
            tupleCache.subentryRenamed( oriChildName, newName );
            groupCache.groupRenamed( oriChildName, newName );
            return;
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( moveAndRenameContext, tuples, oriChildName, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( moveAndRenameContext, tuples, oriChildName, entry );

        engine.checkPermission( schemaManager, moveAndRenameContext, userGroups,
            principalDn, principal.getAuthenticationLevel(), oriChildName, null,
            null, MOVERENAME_PERMS, tuples, entry, null );

        // Get the entry again without operational attributes
        // because access control subentry operational attributes
        // will not be valid at the new location.
        // This will certainly be fixed by the SubentryInterceptor,
        // but after this service.
       
        ClonedServerEntry importedEntry = moveAndRenameContext.lookup( oriChildName,
            ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );
       
        // As the target entry does not exist yet and so
        // its subentry operational attributes are not there,
        // we need to construct an entry to represent it
        // at least with minimal requirements which are object class
        // and access control subentry operational attributes.
        SubentryInterceptor subentryInterceptor = ( SubentryInterceptor ) chain.get( SubentryInterceptor.class.getName() );
        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );
       
        for ( EntryAttribute attribute:importedEntry )
        {
            subentryAttrs.put( attribute );
        }
       
        Collection<ACITuple> destTuples = new HashSet<ACITuple>();
        // Import permission is only valid for prescriptive ACIs
        addPerscriptiveAciTuples( moveAndRenameContext, destTuples, newName, subentryAttrs );
        // Evaluate the target context to see whether it
        // allows an entry named newName to be imported as a subordinate.
        engine.checkPermission( schemaManager, moveAndRenameContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), newName, null,
            null, IMPORT_PERMS, destTuples, subentryAttrs, null );


        next.moveAndRename( moveAndRenameContext );
        tupleCache.subentryRenamed( oriChildName, newName );
View Full Code Here

TOP

Related Classes of org.apache.directory.server.core.LdapPrincipal

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.