return attributes;
}
-
+
/**
* Returns all of the constraint specifications associated with this Rule.
*
* @return the constraints
*/
-
+
public Collection<Constraint> getConstraints() {
-
+
return constraints;
}
descriptionNode.appendChild(placeHolder.createTextNode(description));
ruleNode.appendChild(descriptionNode);
}
-
- for (Constraint constraint: constraints) {
+
+ for (Constraint constraint : constraints) {
ruleNode.appendChild(placeHolder.importNode(constraint.unmarshall(), true));
}
-
+
ruleNode.appendChild(placeHolder.importNode(target.unmarshall(), true));
Iterator attrIterator = attributes.iterator();
while (attrIterator.hasNext()) {
constraint.marshall((Element) constraintNodes.item(i));
constraints.add(constraint);
}
-
+
// Create the Target
NodeList targetNodes = element.getElementsByTagNameNS(Arp.arpNamespace, "Target");
if (targetNodes.getLength() != 1) {
// the only time we won't have attributes should be when listing possible attributes
// to be released -- ArpEngine.listPossibleReleaseAttributes()
if (attributes != null) {
- for(Constraint constraint : constraints) {
+ for (Constraint constraint : constraints) {
if (!constraint.allowed(attributes)) { return false; }
}
}
-
+
if (target.matchesAny()) { return true; }
if (requester == null) { return false; }
this.value = value;
}
}
-
- /**
- * ARP Rule Constraints define attribute-based limits on which user a given rule applies to.
- *
- * @author Will Norris (wnorris@usc.edu)
- */
+
+ /**
+ * ARP Rule Constraints define attribute-based limits on which user a given rule applies to.
+ *
+ * @author Will Norris (wnorris@usc.edu)
+ */
class Constraint {
private URI attributeName;
private URI matchFunctionIdentifier;
private String matches;
private String value;
-
+
URI getAttributeName() {
+
return attributeName;
}
Text textNode = placeHolder.createTextNode(value);
constraintNode.appendChild(textNode);
-
+
return constraintNode;
} catch (ParserConfigurationException e) {
* Creates an ARP Rule Constraint from an xml representation.
*
* @param element
- * the xml <code>Element</code> containing the ARP Rule Constraint.
+ * the xml <code>Element</code> containing the ARP Rule Constraint.
*/
void marshall(Element element) throws ArpMarshallingException {
if (element.hasAttribute("matchFunction")) {
matchFunctionIdentifier = new URI(element.getAttribute("matchFunction"));
} else {
- log.error("Constraint matchFunction identifier not specified.");
- throw new ArpMarshallingException("Constraint matchFunction identifier not specified.");
+ this.matchFunctionIdentifier = new URI("urn:mace:shibboleth:arp:matchFunction:stringMatch");
}
} catch (URISyntaxException e) {
log.error("Constraint attribute name not identified by a proper URI: " + e);
throw new ArpMarshallingException("Constraint attribute name not identified by a proper URI.");
}
-
+
// Get the matches value
if (element.hasAttribute("matches")) {
matches = element.getAttribute("matches");
} else {
- log.error("Constraint matches value not specified.");
- throw new ArpMarshallingException("Constraint matches value not specified.");
+ matches = "any";
}
-
+
// Get the element value
if (element.hasChildNodes() && element.getFirstChild().getNodeType() == Node.TEXT_NODE) {
value = ((CharacterData) element.getFirstChild()).getData();
}
-
+
}
-
+
boolean allowed(Collection<? extends ArpAttribute> arpAttributes) {
+
boolean allowed;
-
+
if (matches.equalsIgnoreCase("none")) {
allowed = true;
} else {
allowed = false;
}
-
+
for (ArpAttribute attribute : arpAttributes) {
if (attribute.getName().equals(attributeName.toString())) {
-
+
Iterator iterator = attribute.getValues();
while (iterator.hasNext()) {
Object attributeValue = iterator.next();
-
+
MatchFunction resourceFunction;
try {
resourceFunction = ArpEngine.lookupMatchFunction(matchFunctionIdentifier);
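Review bot: The two new fallbacks in marshall() (`matchFunction` to the stringMatch URN, `matches` to `"any"`) are applied silently, and a `matches` attribute that is present is still stored without validation. A constraint with a misspelled attribute name or an unexpected `matches` value therefore parses cleanly and only surfaces later as a rule that applies to a different set of users than the policy author intended. Since constraints gate attribute release, log each fallback, e.g. `log.debug("Constraint matchFunction not specified; defaulting to stringMatch.");`. Also reject at parse time any `matches` value that allowed() does not handle (`any` and `none` are the ones visible here), e.g. `throw new ArpMarshallingException("Constraint matches value not recognized.");`. The default URN would read better as a named constant than as an inline literal, and this hunk runs on into allowed(), whose body continues outside it.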
return false;
}
} catch (ArpException e) {
- log.error("Error while attempting to find referenced matching function for ARP constraint: " + e);
+ log.error("Error while attempting to find referenced matching "
+ + "function for ARP constraint: " + e);
return false;
}
-
+
+ // TODO this would be better as an enum switch
try {
if (matches.equalsIgnoreCase("any")) {
if (resourceFunction.match(value, attributeValue)) {
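Review bot: `value` can still be null when it reaches `resourceFunction.match(value, attributeValue)`, because marshall() assigns it only when the element's first child is a text node. With the new defaults, a constraint carrying nothing but an attribute name is now accepted and takes this path. What the match function does with a null argument is not visible here, so either guard it before the loop with `if (value == null) { return false; }` or have marshall() reject an empty constraint. Separately, the rewrapped `log.error` still appends the exception with `+ e`; naming `matchFunctionIdentifier` in the message and passing `e` as a second argument (if this logger accepts a Throwable) would show which lookup failed. allowed() starts and ends outside this hunk.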
}
}
}
-
+
return allowed;
}
}