core/src/main/java/org/apache/directory/server/core/authz/DefaultAuthorizationService.java - directory-server - Git at Google

 /*
  *  Licensed to the Apache Software Foundation (ASF) under one
  *  or more contributor license agreements.  See the NOTICE file
  *  distributed with this work for additional information
  *  regarding copyright ownership.  The ASF licenses this file
  *  to you under the Apache License, Version 2.0 (the
  *  "License"); you may not use this file except in compliance
  *  with the License.  You may obtain a copy of the License at
  *
  *    http://www.apache.org/licenses/LICENSE-2.0
  *
  *  Unless required by applicable law or agreed to in writing,
  *  software distributed under the License is distributed on an
  *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *  KIND, either express or implied.  See the License for the
  *  specific language governing permissions and limitations
  *  under the License.
  *
  */
 package org.apache.directory.server.core.authz;


 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;

 import javax.naming.Name;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.NoPermissionException;
 import javax.naming.directory.Attribute;
 import javax.naming.directory.Attributes;
 import javax.naming.directory.SearchControls;
 import javax.naming.directory.SearchResult;
 import javax.naming.ldap.LdapContext;

 import org.apache.directory.server.core.DirectoryServiceConfiguration;
 import org.apache.directory.server.core.configuration.InterceptorConfiguration;
 import org.apache.directory.server.core.enumeration.SearchResultFilter;
 import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
 import org.apache.directory.server.core.interceptor.BaseInterceptor;
 import org.apache.directory.server.core.interceptor.Interceptor;
 import org.apache.directory.server.core.interceptor.NextInterceptor;
 import org.apache.directory.server.core.invocation.Invocation;
 import org.apache.directory.server.core.invocation.InvocationStack;
 import org.apache.directory.server.core.jndi.ServerContext;
 import org.apache.directory.server.core.partition.PartitionNexus;
 import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
 import org.apache.directory.shared.ldap.filter.ExprNode;
 import org.apache.directory.shared.ldap.message.ModificationItemImpl;
 import org.apache.directory.shared.ldap.name.LdapDN;


 /**
  * An {@link Interceptor} that controls access to {@link PartitionNexus}.
  * If a user tries to perform any operations that requires
  * permission he or she doesn't have, {@link NoPermissionException} will be
  * thrown and therefore the current invocation chain will terminate.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @version $Rev$, $Date$
  */
 public class DefaultAuthorizationService extends BaseInterceptor
 {
     /**
      * the base distinguished {@link Name} for all users
      */
     private static LdapDN USER_BASE_DN;
     private static LdapDN USER_BASE_DN_NORMALIZED;

     /**
      * the base distinguished {@link Name} for all groups
      */
     private static LdapDN GROUP_BASE_DN;
     private static LdapDN GROUP_BASE_DN_NORMALIZED;

     /**
      * the distinguished {@link Name} for the administrator group
      */
     private static LdapDN ADMIN_GROUP_DN;
     private static LdapDN ADMIN_GROUP_DN_NORMALIZED;

     /**
      * the name parser used by this service
      */
     private boolean enabled = true;

     private Set administrators = new HashSet(2);

     private Map normalizerMapping;

     private PartitionNexus nexus;

     /**
      * Creates a new instance.
      */
     public DefaultAuthorizationService()
     {
     }


     public void init( DirectoryServiceConfiguration factoryCfg, InterceptorConfiguration cfg ) throws NamingException
     {
         nexus = factoryCfg.getPartitionNexus();
         normalizerMapping = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();

         // disable this static module if basic access control mechanisms are enabled
         enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();

         USER_BASE_DN = PartitionNexus.getUsersBaseName();
         USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, normalizerMapping );

         GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
         GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, normalizerMapping );

         ADMIN_GROUP_DN = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
         ADMIN_GROUP_DN_NORMALIZED = ( LdapDN ) ADMIN_GROUP_DN.clone();
         ADMIN_GROUP_DN_NORMALIZED.normalize( normalizerMapping );
         loadAdministrators();
     }


     private void loadAdministrators() throws NamingException
     {
         // read in the administrators and cache their normalized names
         Set newAdministrators = new HashSet( 2 );
         Attributes adminGroup = nexus.lookup( ADMIN_GROUP_DN_NORMALIZED );

         if ( adminGroup == null )
         {
             return;
         }

         Attribute uniqueMember = adminGroup.get( "uniqueMember" );
         for ( int ii = 0; ii < uniqueMember.size(); ii++ )
         {
             LdapDN memberDn = new LdapDN( ( String ) uniqueMember.get( ii ) );
             memberDn.normalize( normalizerMapping );
             newAdministrators.add( memberDn.toNormName() );
         }
         administrators = newAdministrators;
     }


     // Note:
     //    Lookup, search and list operations need to be handled using a filter
     // and so we need access to the filter service.

     public void delete( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         if ( !enabled )
         {
             nextInterceptor.delete( name );
             return;
         }

         LdapDN principalDn = getPrincipal().getJndiName();

         if ( name.toString().equals( "" ) )
         {
             String msg = "The rootDSE cannot be deleted!";
             throw new LdapNoPermissionException( msg );
         }

         if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
         {
             String msg = "The Administrators group cannot be deleted!";
             throw new LdapNoPermissionException( msg );
         }

         if ( isTheAdministrator( name ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the admin account.";
             msg += " No one not even the admin can delete this account!";
             throw new LdapNoPermissionException( msg );
         }

         if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the user account: ";
             msg += name + ". Only the admin can delete user accounts.";
             throw new LdapNoPermissionException( msg );
         }

         if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to delete the group entry: ";
             msg += name + ". Only the admin can delete groups.";
             throw new LdapNoPermissionException( msg );
         }

         nextInterceptor.delete( name );
     }


     private final boolean isTheAdministrator( LdapDN normalizedDn )
     {
         return normalizedDn.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ||
              normalizedDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
     }


     private final boolean isAnAdministrator( LdapDN normalizedDn ) throws NamingException
     {
         if ( isTheAdministrator( normalizedDn ) )
         {
             return true;
         }

         return administrators.contains( normalizedDn.toNormName() );
     }


     /**
      * Note that we do nothing here. First because this is not an externally
      * exposed function via the JNDI interfaces.  It is used internally by
      * the provider for optimization purposes so there is no reason for us to
      * start to constrain it.
      */
     public boolean hasEntry( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         return super.hasEntry( nextInterceptor, name );
     }


     // ------------------------------------------------------------------------
     // Entry Modification Operations
     // ------------------------------------------------------------------------

     /**
      * This policy needs to be really tight too because some attributes may take
      * part in giving the user permissions to protected resources.  We do not want
      * users to self access these resources.  As far as we're concerned no one but
      * the admin needs access.
      */
     public void modify( NextInterceptor nextInterceptor, LdapDN name, int modOp, Attributes attrs )
         throws NamingException
     {
         if ( enabled )
         {
             protectModifyAlterations( name );
             nextInterceptor.modify( name, modOp, attrs );

             // update administrators if we change administrators group
             if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
             {
                 loadAdministrators();
             }
             return;
         }

         nextInterceptor.modify( name, modOp, attrs );
     }


     /**
      * This policy needs to be really tight too because some attributes may take part
      * in giving the user permissions to protected resources.  We do not want users to
      * self access these resources.  As far as we're concerned no one but the admin
      * needs access.
      */
     public void modify( NextInterceptor nextInterceptor, LdapDN name, ModificationItemImpl[] items ) throws NamingException
     {
         if ( enabled )
         {
             protectModifyAlterations( name );
             nextInterceptor.modify( name, items );

             // update administrators if we change administrators group
             if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
             {
                 loadAdministrators();
             }
             return;
         }

         nextInterceptor.modify( name, items );
     }


     private void protectModifyAlterations( LdapDN dn ) throws NamingException
     {
         LdapDN principalDn = getPrincipal().getJndiName();

         if ( dn.size() == 0 )
         {
             String msg = "The rootDSE cannot be modified!";
             throw new LdapNoPermissionException( msg );
         }

         if ( ! isAnAdministrator( principalDn ) )
         {
             // allow self modifications
             if ( dn.toNormName().equals( getPrincipal().getJndiName().toNormName() ) )
             {
                 return;
             }

             if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the account of the";
                 msg += " admin user.";
                 throw new LdapNoPermissionException( msg );
             }

             if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the account of the";
                 msg += " user " + dn + ".\nEven the owner of an account cannot";
                 msg += " modify it.\nUser accounts can only be modified by the";
                 msg += " administrator.";
                 throw new LdapNoPermissionException( msg );
             }

             if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
             {
                 String msg = "User " + principalDn;
                 msg += " does not have permission to modify the group entry ";
                 msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
                 throw new LdapNoPermissionException( msg );
             }
         }
     }


     // ------------------------------------------------------------------------
     // DN altering operations are a no no for any user entry.  Basically here
     // are the rules of conduct to follow:
     //
     //  o No user should have the ability to move or rename their entry
     //  o Only the administrator can move or rename non-admin user entries
     //  o The administrator entry cannot be moved or renamed by anyone
     // ------------------------------------------------------------------------

     public void modifyRn( NextInterceptor nextInterceptor, LdapDN name, String newRn, boolean deleteOldRn )
         throws NamingException
     {
         if ( enabled )
         {
             protectDnAlterations( name );
         }
         nextInterceptor.modifyRn( name, newRn, deleteOldRn );
     }


     public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName ) throws NamingException
     {
         if ( enabled )
         {
             protectDnAlterations( oriChildName );
         }
         nextInterceptor.move( oriChildName, newParentName );
     }


     public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName, String newRn,
                       boolean deleteOldRn ) throws NamingException
     {
         if ( enabled )
         {
             protectDnAlterations( oriChildName );
         }
         nextInterceptor.move( oriChildName, newParentName, newRn, deleteOldRn );
     }


     private void protectDnAlterations( LdapDN dn ) throws NamingException
     {
         LdapDN principalDn = getPrincipal().getJndiName();

         if ( dn.toString().equals( "" ) )
         {
             String msg = "The rootDSE cannot be moved or renamed!";
             throw new LdapNoPermissionException( msg );
         }

         if ( dn.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
         {
             throw new LdapNoPermissionException( "The Administrators group cannot be moved or renamed!" );
         }

         if ( isTheAdministrator( dn ) )
         {
             String msg = "User '" + principalDn.getUpName();
             msg += "' does not have permission to move or rename the admin";
             msg += " account.  No one not even the admin can move or";
             msg += " rename " + dn + "!";
             throw new LdapNoPermissionException( msg );
         }

         if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User '" + principalDn;
             msg += "' does not have permission to move or rename the user";
             msg += " account: " + dn + ". Only the admin can move or";
             msg += " rename user accounts.";
             throw new LdapNoPermissionException( msg );
         }

         if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
         {
             String msg = "User " + principalDn;
             msg += " does not have permission to move or rename the group entry ";
             msg += dn + ".\nGroups can only be moved or renamed by the admin.";
             throw new LdapNoPermissionException( msg );
         }
     }


     public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
     {
         Attributes attributes = nextInterceptor.lookup( name );
         if ( !enabled || attributes == null )
         {
             return attributes;
         }

         protectLookUp( name );
         return attributes;
     }


     public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name, String[] attrIds ) throws NamingException
     {
         Attributes attributes = nextInterceptor.lookup( name, attrIds );
         if ( !enabled || attributes == null )
         {
             return attributes;
         }

         protectLookUp( name );
         return attributes;
     }


     private void protectLookUp( LdapDN normalizedDn ) throws NamingException
     {
         LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
         LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
         if ( !isAnAdministrator( principalDn ) )
         {
             if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN_NORMALIZED ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
                 {
                     return;
                 }

                 String msg = "Access to user account '" + normalizedDn + "' not permitted";
                 msg += " for user '" + principalDn + "'.  Only the admin can";
                 msg += " access user account information";
                 throw new LdapNoPermissionException( msg );
             }

             if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
                 {
                     return;
                 }

                 String msg = "Access to group '" + normalizedDn + "' not permitted";
                 msg += " for user '" + principalDn + "'.  Only the admin can";
                 msg += " access group information";
                 throw new LdapNoPermissionException( msg );
             }

             if ( isTheAdministrator( normalizedDn ) )
             {
                 // allow for self reads
                 if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
                 {
                     return;
                 }

                 String msg = "Access to admin account not permitted for user '";
                 msg += principalDn + "'.  Only the admin can";
                 msg += " access admin account information";
                 throw new LdapNoPermissionException( msg );
             }
         }
     }


     public NamingEnumeration search( NextInterceptor nextInterceptor, LdapDN base, Map env, ExprNode filter,
                                      SearchControls searchCtls ) throws NamingException
     {
         NamingEnumeration e = nextInterceptor.search( base, env, filter, searchCtls );
         if ( !enabled )
         {
             return e;
         }
         //if ( searchCtls.getReturningAttributes() != null )
         //{
         //    return null;
         //}

         Invocation invocation = InvocationStack.getInstance().peek();
         return new SearchResultFilteringEnumeration( e, searchCtls, invocation, new SearchResultFilter()
         {
             public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
                 throws NamingException
             {
                 return DefaultAuthorizationService.this.isSearchable( invocation, result );
             }
         } );
     }


     public NamingEnumeration list( NextInterceptor nextInterceptor, LdapDN base ) throws NamingException
     {
         NamingEnumeration e = nextInterceptor.list( base );
         if ( !enabled )
         {
             return e;
         }

         Invocation invocation = InvocationStack.getInstance().peek();
         return new SearchResultFilteringEnumeration( e, null, invocation, new SearchResultFilter()
         {
             public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
                 throws NamingException
             {
                 return DefaultAuthorizationService.this.isSearchable( invocation, result );
             }
         } );
     }


     private boolean isSearchable( Invocation invocation, SearchResult result ) throws NamingException
     {
         LdapDN principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
         LdapDN dn;
         dn = new LdapDN( result.getName() );
         dn.normalize( normalizerMapping );

         // Admin users gets full access to all entries
         if ( isAnAdministrator( principalDn ) )
         {
             return true;
         }

         // Users reading their own entries should be allowed to see all
         boolean isSelfRead = dn.toNormName().equals( principalDn.toNormName() );
         if ( isSelfRead )
         {
             return true;
         }

         // Block off reads to anything under ou=users and ou=groups if not a self read
         if ( dn.size() > 2 )
         {
             // stuff this if in here instead of up in outer if to prevent
             // constant needless reexecution for all entries in other depths

             if ( dn.toNormName().endsWith( USER_BASE_DN_NORMALIZED.toNormName() )
                 || dn.toNormName().endsWith( GROUP_BASE_DN_NORMALIZED.toNormName() ) )
             {
                 return false;
             }
         }

         // Non-admin users cannot read the admin entry
         if ( isTheAdministrator( dn ) )
         {
             return false;
         }

         return true;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.server.core.authz;


	import java.util.HashSet;
	import java.util.Map;
	import java.util.Set;

	import javax.naming.Name;
	import javax.naming.NamingEnumeration;
	import javax.naming.NamingException;
	import javax.naming.NoPermissionException;
	import javax.naming.directory.Attribute;
	import javax.naming.directory.Attributes;
	import javax.naming.directory.SearchControls;
	import javax.naming.directory.SearchResult;
	import javax.naming.ldap.LdapContext;

	import org.apache.directory.server.core.DirectoryServiceConfiguration;
	import org.apache.directory.server.core.configuration.InterceptorConfiguration;
	import org.apache.directory.server.core.enumeration.SearchResultFilter;
	import org.apache.directory.server.core.enumeration.SearchResultFilteringEnumeration;
	import org.apache.directory.server.core.interceptor.BaseInterceptor;
	import org.apache.directory.server.core.interceptor.Interceptor;
	import org.apache.directory.server.core.interceptor.NextInterceptor;
	import org.apache.directory.server.core.invocation.Invocation;
	import org.apache.directory.server.core.invocation.InvocationStack;
	import org.apache.directory.server.core.jndi.ServerContext;
	import org.apache.directory.server.core.partition.PartitionNexus;
	import org.apache.directory.shared.ldap.exception.LdapNoPermissionException;
	import org.apache.directory.shared.ldap.filter.ExprNode;
	import org.apache.directory.shared.ldap.message.ModificationItemImpl;
	import org.apache.directory.shared.ldap.name.LdapDN;


	/**
	* An {@link Interceptor} that controls access to {@link PartitionNexus}.
	* If a user tries to perform any operations that requires
	* permission he or she doesn't have, {@link NoPermissionException} will be
	* thrown and therefore the current invocation chain will terminate.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	* @version $Rev$, $Date$
	*/
	public class DefaultAuthorizationService extends BaseInterceptor
	{
	/**
	* the base distinguished {@link Name} for all users
	*/
	private static LdapDN USER_BASE_DN;
	private static LdapDN USER_BASE_DN_NORMALIZED;

	/**
	* the base distinguished {@link Name} for all groups
	*/
	private static LdapDN GROUP_BASE_DN;
	private static LdapDN GROUP_BASE_DN_NORMALIZED;

	/**
	* the distinguished {@link Name} for the administrator group
	*/
	private static LdapDN ADMIN_GROUP_DN;
	private static LdapDN ADMIN_GROUP_DN_NORMALIZED;

	/**
	* the name parser used by this service
	*/
	private boolean enabled = true;

	private Set administrators = new HashSet(2);

	private Map normalizerMapping;

	private PartitionNexus nexus;

	/**
	* Creates a new instance.
	*/
	public DefaultAuthorizationService()
	{
	}


	public void init( DirectoryServiceConfiguration factoryCfg, InterceptorConfiguration cfg ) throws NamingException
	{
	nexus = factoryCfg.getPartitionNexus();
	normalizerMapping = factoryCfg.getGlobalRegistries().getAttributeTypeRegistry().getNormalizerMapping();

	// disable this static module if basic access control mechanisms are enabled
	enabled = !factoryCfg.getStartupConfiguration().isAccessControlEnabled();

	USER_BASE_DN = PartitionNexus.getUsersBaseName();
	USER_BASE_DN_NORMALIZED = LdapDN.normalize( USER_BASE_DN, normalizerMapping );

	GROUP_BASE_DN = PartitionNexus.getGroupsBaseName();
	GROUP_BASE_DN_NORMALIZED = LdapDN.normalize( GROUP_BASE_DN, normalizerMapping );

	ADMIN_GROUP_DN = new LdapDN( "cn=Administrators,ou=groups,ou=system" );
	ADMIN_GROUP_DN_NORMALIZED = ( LdapDN ) ADMIN_GROUP_DN.clone();
	ADMIN_GROUP_DN_NORMALIZED.normalize( normalizerMapping );
	loadAdministrators();
	}


	private void loadAdministrators() throws NamingException
	{
	// read in the administrators and cache their normalized names
	Set newAdministrators = new HashSet( 2 );
	Attributes adminGroup = nexus.lookup( ADMIN_GROUP_DN_NORMALIZED );

	if ( adminGroup == null )
	{
	return;
	}

	Attribute uniqueMember = adminGroup.get( "uniqueMember" );
	for ( int ii = 0; ii < uniqueMember.size(); ii++ )
	{
	LdapDN memberDn = new LdapDN( ( String ) uniqueMember.get( ii ) );
	memberDn.normalize( normalizerMapping );
	newAdministrators.add( memberDn.toNormName() );
	}
	administrators = newAdministrators;
	}


	// Note:
	// Lookup, search and list operations need to be handled using a filter
	// and so we need access to the filter service.

	public void delete( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
	{
	if ( !enabled )
	{
	nextInterceptor.delete( name );
	return;
	}

	LdapDN principalDn = getPrincipal().getJndiName();

	if ( name.toString().equals( "" ) )
	{
	String msg = "The rootDSE cannot be deleted!";
	throw new LdapNoPermissionException( msg );
	}

	if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
	{
	String msg = "The Administrators group cannot be deleted!";
	throw new LdapNoPermissionException( msg );
	}

	if ( isTheAdministrator( name ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to delete the admin account.";
	msg += " No one not even the admin can delete this account!";
	throw new LdapNoPermissionException( msg );
	}

	if ( name.size() > 2 && name.startsWith( USER_BASE_DN ) && !isAnAdministrator( principalDn ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to delete the user account: ";
	msg += name + ". Only the admin can delete user accounts.";
	throw new LdapNoPermissionException( msg );
	}

	if ( name.size() > 2 && name.startsWith( GROUP_BASE_DN ) && !isAnAdministrator( principalDn ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to delete the group entry: ";
	msg += name + ". Only the admin can delete groups.";
	throw new LdapNoPermissionException( msg );
	}

	nextInterceptor.delete( name );
	}


	private final boolean isTheAdministrator( LdapDN normalizedDn )
	{
	return normalizedDn.toNormName() == PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED \|\|
	normalizedDn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED );
	}


	private final boolean isAnAdministrator( LdapDN normalizedDn ) throws NamingException
	{
	if ( isTheAdministrator( normalizedDn ) )
	{
	return true;
	}

	return administrators.contains( normalizedDn.toNormName() );
	}


	/**
	* Note that we do nothing here. First because this is not an externally
	* exposed function via the JNDI interfaces. It is used internally by
	* the provider for optimization purposes so there is no reason for us to
	* start to constrain it.
	*/
	public boolean hasEntry( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
	{
	return super.hasEntry( nextInterceptor, name );
	}


	// ------------------------------------------------------------------------
	// Entry Modification Operations
	// ------------------------------------------------------------------------

	/**
	* This policy needs to be really tight too because some attributes may take
	* part in giving the user permissions to protected resources. We do not want
	* users to self access these resources. As far as we're concerned no one but
	* the admin needs access.
	*/
	public void modify( NextInterceptor nextInterceptor, LdapDN name, int modOp, Attributes attrs )
	throws NamingException
	{
	if ( enabled )
	{
	protectModifyAlterations( name );
	nextInterceptor.modify( name, modOp, attrs );

	// update administrators if we change administrators group
	if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
	{
	loadAdministrators();
	}
	return;
	}

	nextInterceptor.modify( name, modOp, attrs );
	}


	/**
	* This policy needs to be really tight too because some attributes may take part
	* in giving the user permissions to protected resources. We do not want users to
	* self access these resources. As far as we're concerned no one but the admin
	* needs access.
	*/
	public void modify( NextInterceptor nextInterceptor, LdapDN name, ModificationItemImpl[] items ) throws NamingException
	{
	if ( enabled )
	{
	protectModifyAlterations( name );
	nextInterceptor.modify( name, items );

	// update administrators if we change administrators group
	if ( name.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
	{
	loadAdministrators();
	}
	return;
	}

	nextInterceptor.modify( name, items );
	}


	private void protectModifyAlterations( LdapDN dn ) throws NamingException
	{
	LdapDN principalDn = getPrincipal().getJndiName();

	if ( dn.size() == 0 )
	{
	String msg = "The rootDSE cannot be modified!";
	throw new LdapNoPermissionException( msg );
	}

	if ( ! isAnAdministrator( principalDn ) )
	{
	// allow self modifications
	if ( dn.toNormName().equals( getPrincipal().getJndiName().toNormName() ) )
	{
	return;
	}

	if ( dn.toNormName().equals( PartitionNexus.ADMIN_PRINCIPAL_NORMALIZED ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to modify the account of the";
	msg += " admin user.";
	throw new LdapNoPermissionException( msg );
	}

	if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to modify the account of the";
	msg += " user " + dn + ".\nEven the owner of an account cannot";
	msg += " modify it.\nUser accounts can only be modified by the";
	msg += " administrator.";
	throw new LdapNoPermissionException( msg );
	}

	if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to modify the group entry ";
	msg += dn.getUpName() + ".\nGroups can only be modified by the admin.";
	throw new LdapNoPermissionException( msg );
	}
	}
	}


	// ------------------------------------------------------------------------
	// DN altering operations are a no no for any user entry. Basically here
	// are the rules of conduct to follow:
	//
	// o No user should have the ability to move or rename their entry
	// o Only the administrator can move or rename non-admin user entries
	// o The administrator entry cannot be moved or renamed by anyone
	// ------------------------------------------------------------------------

	public void modifyRn( NextInterceptor nextInterceptor, LdapDN name, String newRn, boolean deleteOldRn )
	throws NamingException
	{
	if ( enabled )
	{
	protectDnAlterations( name );
	}
	nextInterceptor.modifyRn( name, newRn, deleteOldRn );
	}


	public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName ) throws NamingException
	{
	if ( enabled )
	{
	protectDnAlterations( oriChildName );
	}
	nextInterceptor.move( oriChildName, newParentName );
	}


	public void move( NextInterceptor nextInterceptor, LdapDN oriChildName, LdapDN newParentName, String newRn,
	boolean deleteOldRn ) throws NamingException
	{
	if ( enabled )
	{
	protectDnAlterations( oriChildName );
	}
	nextInterceptor.move( oriChildName, newParentName, newRn, deleteOldRn );
	}


	private void protectDnAlterations( LdapDN dn ) throws NamingException
	{
	LdapDN principalDn = getPrincipal().getJndiName();

	if ( dn.toString().equals( "" ) )
	{
	String msg = "The rootDSE cannot be moved or renamed!";
	throw new LdapNoPermissionException( msg );
	}

	if ( dn.toNormName().equals( ADMIN_GROUP_DN_NORMALIZED.toNormName() ) )
	{
	throw new LdapNoPermissionException( "The Administrators group cannot be moved or renamed!" );
	}

	if ( isTheAdministrator( dn ) )
	{
	String msg = "User '" + principalDn.getUpName();
	msg += "' does not have permission to move or rename the admin";
	msg += " account. No one not even the admin can move or";
	msg += " rename " + dn + "!";
	throw new LdapNoPermissionException( msg );
	}

	if ( dn.size() > 2 && dn.startsWith( USER_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
	{
	String msg = "User '" + principalDn;
	msg += "' does not have permission to move or rename the user";
	msg += " account: " + dn + ". Only the admin can move or";
	msg += " rename user accounts.";
	throw new LdapNoPermissionException( msg );
	}

	if ( dn.size() > 2 && dn.startsWith( GROUP_BASE_DN_NORMALIZED ) && !isAnAdministrator( principalDn ) )
	{
	String msg = "User " + principalDn;
	msg += " does not have permission to move or rename the group entry ";
	msg += dn + ".\nGroups can only be moved or renamed by the admin.";
	throw new LdapNoPermissionException( msg );
	}
	}


	public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name ) throws NamingException
	{
	Attributes attributes = nextInterceptor.lookup( name );
	if ( !enabled \|\| attributes == null )
	{
	return attributes;
	}

	protectLookUp( name );
	return attributes;
	}


	public Attributes lookup( NextInterceptor nextInterceptor, LdapDN name, String[] attrIds ) throws NamingException
	{
	Attributes attributes = nextInterceptor.lookup( name, attrIds );
	if ( !enabled \|\| attributes == null )
	{
	return attributes;
	}

	protectLookUp( name );
	return attributes;
	}


	private void protectLookUp( LdapDN normalizedDn ) throws NamingException
	{
	LdapContext ctx = ( LdapContext ) InvocationStack.getInstance().peek().getCaller();
	LdapDN principalDn = ( ( ServerContext ) ctx ).getPrincipal().getJndiName();
	if ( !isAnAdministrator( principalDn ) )
	{
	if ( normalizedDn.size() > 2 && normalizedDn.startsWith( USER_BASE_DN_NORMALIZED ) )
	{
	// allow for self reads
	if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
	{
	return;
	}

	String msg = "Access to user account '" + normalizedDn + "' not permitted";
	msg += " for user '" + principalDn + "'. Only the admin can";
	msg += " access user account information";
	throw new LdapNoPermissionException( msg );
	}

	if ( normalizedDn.size() > 2 && normalizedDn.startsWith( GROUP_BASE_DN_NORMALIZED ) )
	{
	// allow for self reads
	if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
	{
	return;
	}

	String msg = "Access to group '" + normalizedDn + "' not permitted";
	msg += " for user '" + principalDn + "'. Only the admin can";
	msg += " access group information";
	throw new LdapNoPermissionException( msg );
	}

	if ( isTheAdministrator( normalizedDn ) )
	{
	// allow for self reads
	if ( normalizedDn.getNormName().equals( principalDn.getNormName() ) )
	{
	return;
	}

	String msg = "Access to admin account not permitted for user '";
	msg += principalDn + "'. Only the admin can";
	msg += " access admin account information";
	throw new LdapNoPermissionException( msg );
	}
	}
	}


	public NamingEnumeration search( NextInterceptor nextInterceptor, LdapDN base, Map env, ExprNode filter,
	SearchControls searchCtls ) throws NamingException
	{
	NamingEnumeration e = nextInterceptor.search( base, env, filter, searchCtls );
	if ( !enabled )
	{
	return e;
	}
	//if ( searchCtls.getReturningAttributes() != null )
	//{
	// return null;
	//}

	Invocation invocation = InvocationStack.getInstance().peek();
	return new SearchResultFilteringEnumeration( e, searchCtls, invocation, new SearchResultFilter()
	{
	public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
	throws NamingException
	{
	return DefaultAuthorizationService.this.isSearchable( invocation, result );
	}
	} );
	}


	public NamingEnumeration list( NextInterceptor nextInterceptor, LdapDN base ) throws NamingException
	{
	NamingEnumeration e = nextInterceptor.list( base );
	if ( !enabled )
	{
	return e;
	}

	Invocation invocation = InvocationStack.getInstance().peek();
	return new SearchResultFilteringEnumeration( e, null, invocation, new SearchResultFilter()
	{
	public boolean accept( Invocation invocation, SearchResult result, SearchControls controls )
	throws NamingException
	{
	return DefaultAuthorizationService.this.isSearchable( invocation, result );
	}
	} );
	}


	private boolean isSearchable( Invocation invocation, SearchResult result ) throws NamingException
	{
	LdapDN principalDn = ( ( ServerContext ) invocation.getCaller() ).getPrincipal().getJndiName();
	LdapDN dn;
	dn = new LdapDN( result.getName() );
	dn.normalize( normalizerMapping );

	// Admin users gets full access to all entries
	if ( isAnAdministrator( principalDn ) )
	{
	return true;
	}

	// Users reading their own entries should be allowed to see all
	boolean isSelfRead = dn.toNormName().equals( principalDn.toNormName() );
	if ( isSelfRead )
	{
	return true;
	}

	// Block off reads to anything under ou=users and ou=groups if not a self read
	if ( dn.size() > 2 )
	{
	// stuff this if in here instead of up in outer if to prevent
	// constant needless reexecution for all entries in other depths

	if ( dn.toNormName().endsWith( USER_BASE_DN_NORMALIZED.toNormName() )
	\|\| dn.toNormName().endsWith( GROUP_BASE_DN_NORMALIZED.toNormName() ) )
	{
	return false;
	}
	}

	// Non-admin users cannot read the admin entry
	if ( isTheAdministrator( dn ) )
	{
	return false;
	}

	return true;
	}
	}