Examples of org.apache.directory.server.core.LdapPrincipal

• org.apache.directory.server.core.LdapPrincipal
  An alternative X500 user implementation that has access to the distinguished name of the principal as well as the String representation. @author Apache Directory Project @version $Rev: 918766 $

        // Access the principal requesting the operation, and bypass checks if it is the admin
        ClonedServerEntry entry = moveContext.lookup( oriChildName, ByPassConstants.LOOKUP_BYPASS );

        DN newName = ( DN ) newParentName.clone();
        newName.add( oriChildName.get( oriChildName.size() - 1 ) );
        LdapPrincipal principal = moveContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        // bypass authz code if we are disabled
        if ( !moveContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            next.move( moveContext );
            return;
        }

        protectCriticalEntries( oriChildName);

        // bypass authz code but manage caches if operation is performed by the admin
        if ( isPrincipalAnAdministrator( principalDn ) )
        {
            next.move( moveContext );
            tupleCache.subentryRenamed( oriChildName, newName );
            groupCache.groupRenamed( oriChildName, newName );
            return;
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( moveContext, tuples, oriChildName, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( moveContext, tuples, oriChildName, entry );

        engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), oriChildName, null,
            null, EXPORT_PERMS, tuples, entry, null );

        // Get the entry again without operational attributes
        // because access control subentry operational attributes
        // will not be valid at the new location.
        // This will certainly be fixed by the SubentryInterceptor,
        // but after this service.
        ServerEntry importedEntry = moveContext.lookup( oriChildName,
            ByPassConstants.LOOKUP_EXCLUDING_OPR_ATTRS_BYPASS );

        // As the target entry does not exist yet and so
        // its subentry operational attributes are not there,
        // we need to construct an entry to represent it
        // at least with minimal requirements which are object class
        // and access control subentry operational attributes.
        SubentryInterceptor subentryInterceptor = ( SubentryInterceptor )
            chain.get( SubentryInterceptor.class.getName() );
        ServerEntry subentryAttrs = subentryInterceptor.getSubentryAttributes( newName, importedEntry );

        for ( EntryAttribute attribute:importedEntry )
        {
            subentryAttrs.put( attribute );
        }

        Collection<ACITuple> destTuples = new HashSet<ACITuple>();
        // Import permission is only valid for prescriptive ACIs
        addPerscriptiveAciTuples( moveContext, destTuples, newName, subentryAttrs );
        // Evaluate the target context to see whether it
        // allows an entry named newName to be imported as a subordinate.
        engine.checkPermission( schemaManager, moveContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), newName, null,
            null, IMPORT_PERMS, destTuples, subentryAttrs, null );

        next.move( moveContext );
        tupleCache.subentryRenamed( oriChildName, newName );
        groupCache.groupRenamed( oriChildName, newName );

    }


    public EntryFilteringCursor list( NextInterceptor next, ListOperationContext opContext ) throws Exception
    {
        LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
        EntryFilteringCursor cursor = next.list( opContext );

        if ( isPrincipalAnAdministrator( user.getClonedName() ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            return cursor;
        }

        AuthorizationFilter authzFilter = new AuthorizationFilter();

    }


    public EntryFilteringCursor search( NextInterceptor next, SearchOperationContext opContext ) throws Exception
    {
        LdapPrincipal user = opContext.getSession().getEffectivePrincipal();
        DN principalDn = user.getClonedName();
        EntryFilteringCursor cursor = next.search( opContext );

        boolean isSubschemaSubentryLookup = subschemaSubentryDn.equals( opContext.getDn().getNormName() );
        SearchControls searchCtls = opContext.getSearchControls();
        boolean isRootDSELookup = opContext.getDn().size() == 0 && searchCtls.getSearchScope() == SearchControls.OBJECT_SCOPE;

        String oid = opContext.getOid();
        Value<?> value = ( Value<?> ) opContext.getValue();

        ClonedServerEntry entry = opContext.lookup( name, ByPassConstants.LOOKUP_BYPASS );

        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        if ( isPrincipalAnAdministrator( principalDn ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            return next.compare( opContext );
        }

        Set<DN> userGroups = groupCache.getGroups( principalDn.toNormName() );
        Collection<ACITuple> tuples = new HashSet<ACITuple>();
        addPerscriptiveAciTuples( opContext, tuples, name, entry.getOriginalEntry() );
        addEntryAciTuples( tuples, entry );
        addSubentryAciTuples( opContext, tuples, name, entry );

        engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), name, null, null,
            READ_PERMS, tuples, entry, null );
        engine.checkPermission( schemaManager, opContext, userGroups, principalDn,
            principal.getAuthenticationLevel(), name, oid, value,
            COMPARE_PERMS, tuples, entry, null );

        return next.compare( opContext );
    }

    public DN getMatchedName ( NextInterceptor next, GetMatchedNameOperationContext opContext ) throws Exception
    {
        // Access the principal requesting the operation, and bypass checks if it is the admin
        LdapPrincipal principal = opContext.getSession().getEffectivePrincipal();
        DN principalDn = principal.getClonedName();

        if ( isPrincipalAnAdministrator( principalDn ) || !opContext.getSession().getDirectoryService().isAccessControlEnabled() )
        {
            return next.getMatchedName( opContext );
        }

        // get the present matched name
        ClonedServerEntry entry;
        DN matched = next.getMatchedName( opContext );

        // check if we have disclose on error permission for the entry at the matched dn
        // if not remove rdn and check that until nothing is left in the name and return
        // that but if permission is granted then short the process and return the dn
        while ( matched.size() > 0 )
        {
            entry = opContext.lookup( matched, ByPassConstants.GETMATCHEDDN_BYPASS );

            Set<DN> userGroups = groupCache.getGroups( principalDn.getNormName() );
            Collection<ACITuple> tuples = new HashSet<ACITuple>();
            addPerscriptiveAciTuples( opContext, tuples, matched, entry.getOriginalEntry() );
            addEntryAciTuples( tuples, entry );
            addSubentryAciTuples( opContext, tuples, matched, entry );

            if ( engine.hasPermission( schemaManager, opContext, userGroups, principalDn,
                principal.getAuthenticationLevel(), matched, null,
                null, MATCHEDNAME_PERMS, tuples, entry, null ) )
            {
                return matched;
            }

        forward.setChangeType( ChangeType.Add );
        forward.putAttribute( "objectClass", "organizationalUnit" );
        forward.putAttribute( "ou", "system" );

        LdifEntry reverse = LdifRevertor.reverseAdd( new DN( forward.getDn() ) );
        assertEquals( 1, store.log( new LdapPrincipal(), forward, reverse ).getRevision() );
        assertEquals( 1, store.getCurrentRevision() );
    }

        LdifEntry reverse = LdifRevertor.reverseAdd( reverseDn );

        String zuluTime = DateUtils.getGeneralizedTime();
        long revision = 1L;

        LdapPrincipal principal = new LdapPrincipal( adminDn, AuthenticationLevel.SIMPLE, StringTools.getBytesUtf8( "secret"  ) );
        ChangeLogEvent event = new ChangeLogEvent( revision, zuluTime, principal, forward, reverse );

        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream( baos );

        out.writeObject( event );

        byte[] data = baos.toByteArray();
        ObjectInputStream in = new ObjectInputStream( new ByteArrayInputStream( data ) );

        ChangeLogEvent read = (ChangeLogEvent)in.readObject();

        // The read event should not be equal to the written event, as
        // the principal's password has not been stored
        assertNotSame( event, read );

        LdapPrincipal readPrincipal = read.getCommitterPrincipal();

        assertEquals( principal.getAuthenticationLevel(), readPrincipal.getAuthenticationLevel() );
        assertEquals( principal.getName(), readPrincipal.getName() );
        assertEquals( principal.getClonedName(), readPrincipal.getClonedName() );
        assertNull( readPrincipal.getUserPassword() );

        assertEquals( zuluTime, read.getZuluTime() );
        assertEquals( revision, read.getRevision() );
        assertEquals( forward, read.getForwardLdif() );
        assertEquals( reverse, read.getReverseLdifs().get( 0 ) );

        // read in the administrators and cache their normalized names
        Set<String> newAdministrators = new HashSet<String>( 2 );
        DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN_NORMALIZED );
        adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
        CoreSession adminSession = new DefaultCoreSession(
            new LdapPrincipal( adminDn, AuthenticationLevel.STRONG ), directoryService );

        ServerEntry adminGroup = nexus.lookup( new LookupOperationContext( adminSession, ADMIN_GROUP_DN ) );

        if ( adminGroup == null )
        {

    private ServerEntry getTlsEntry() throws Exception
    {
        DN adminDn = new DN( ServerDNConstants.ADMIN_SYSTEM_DN );
        adminDn.normalize( directoryService.getSchemaManager().getNormalizerMapping() );
        LdapPrincipal principal = new LdapPrincipal( adminDn, AuthenticationLevel.SIMPLE );
        CoreSession session = directoryService.getSession( principal );
        return session.lookup( adminDn );
    }

     * @return A byte array which can be empty if the password was not found
     * @throws NamingException If we have a problem during the lookup operation
     */
    private LdapPrincipal getStoredPassword( BindOperationContext opContext ) throws Exception
    {
        LdapPrincipal principal = null;

        synchronized ( credentialCache )
        {
            principal = ( LdapPrincipal ) credentialCache.get( opContext.getDn().getNormName() );
        }

        byte[] storedPassword;

        if ( principal == null )
        {
            // Not found in the cache
            // Get the user password from the backend
            storedPassword = lookupUserPassword( opContext );

            // Deal with the special case where the user didn't enter a password
            // We will compare the empty array with the credentials. Sometime,
            // a user does not set a password. This is bad, but there is nothing
            // we can do against that, except education ...
            if ( storedPassword == null )
            {
                storedPassword = ArrayUtils.EMPTY_BYTE_ARRAY;
            }

            // Create the new principal before storing it in the cache
            principal = new LdapPrincipal( opContext.getDn(), AuthenticationLevel.SIMPLE, storedPassword );

            // Now, update the local cache.
            synchronized ( credentialCache )
            {
                credentialCache.put( opContext.getDn().getNormName(), principal );