org.opends.server.authorization.dseecompat

Class Aci

java.lang.Object

org.opends.server.authorization.dseecompat.Aci

All Implemented Interfaces:

Comparable<Aci>

public final class Aci
extends Object
implements Comparable<Aci>

The Aci class represents ACI strings.

Field Summary

Fields

Modifier and Type	Field and Description
static int	ACI_ADD ACI_ADD is used to set the container rights for a LDAP add operation.
static int	ACI_EXT_OP Used by the extended operation access check.
static int	ACI_PROXY ACI_PROXY is used for the PROXY right.
static int	ACI_SELF ACI_SELF is used for the SELFWRITE right.
static int	ACI_SKIP_PROXY_CHECK ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.
static String	ACI_STATEMENT_SEPARATOR Regular expression matching a ACL statement separator.
static int	ACI_WRITE_DELETE ACI_WRITE_DELETE is used by the LDAP modify operation.
static String	ALL_OP_ATTRS_WILD_CARD Regular expression the matches "+".
static String	ALL_USER_ATTRS_WILD_CARD Regular expression the matches "*".
static String	LDAP_URL Regular expression matching a LDAP URL.
static String	NULL_LDAP_URL String used to check for NULL ldap URL.
static String	SUPPORTED_VERSION Version that we support.
static String	WORD_GROUP Regular expression matching a word group.
static String	ZERO_OR_MORE_WHITESPACE Regular expression matching a white space.
static String	ZERO_OR_MORE_WHITESPACE_START_PATTERN Regular expression matching a white space at the start of a pattern.

Method Summary

Modifier and Type	Method and Description
int	compareTo(Aci aci) Compares this Aci with the provided Aci based on a natural order.
static Aci	decode(String aciString, Dn dn) Decode an ACI byte string.
static Set<String>	decodeOID(String expr, LocalizableMessage msg) Decode an OIDs expression string.
Dn	getDN() Return the DN of the entry containing the ACI.
String	getName() Returns the name string of this ACI.
AciTargets	getTargets() Returns the targets of the ACI.
boolean	hasAccessType(org.opends.server.authorization.dseecompat.EnumAccessType accessType) Re-direct has access type to the body's hasAccessType method.
boolean	hasRights(int rights) Check if the body of the ACI matches the rights specified.
boolean	isApplicable(AciTargetMatchContext matchCtx) Test if the given ACI is applicable using the target match information provided.
String	toString() Return the string representation of the ACI.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

SUPPORTED_VERSION

public static final String SUPPORTED_VERSION

Version that we support.

See Also:

Constant Field Values

WORD_GROUP

public static final String WORD_GROUP

Regular expression matching a word group.

See Also:

Constant Field Values

ZERO_OR_MORE_WHITESPACE

public static final String ZERO_OR_MORE_WHITESPACE

Regular expression matching a white space.

See Also:

Constant Field Values

ZERO_OR_MORE_WHITESPACE_START_PATTERN

public static final String ZERO_OR_MORE_WHITESPACE_START_PATTERN

Regular expression matching a white space at the start of a pattern.

See Also:

Constant Field Values

ACI_STATEMENT_SEPARATOR

public static final String ACI_STATEMENT_SEPARATOR

Regular expression matching a ACL statement separator.

See Also:

Constant Field Values

LDAP_URL

public static final String LDAP_URL

Regular expression matching a LDAP URL.

See Also:

Constant Field Values

NULL_LDAP_URL

public static final String NULL_LDAP_URL

String used to check for NULL ldap URL.

See Also:

Constant Field Values

ALL_USER_ATTRS_WILD_CARD

public static final String ALL_USER_ATTRS_WILD_CARD

Regular expression the matches "*".

See Also:

Constant Field Values

ALL_OP_ATTRS_WILD_CARD

public static final String ALL_OP_ATTRS_WILD_CARD

Regular expression the matches "+".

See Also:

Constant Field Values

ACI_ADD

public static final int ACI_ADD

ACI_ADD is used to set the container rights for a LDAP add operation.

See Also:

Constant Field Values

ACI_SELF

public static final int ACI_SELF

ACI_SELF is used for the SELFWRITE right.

See Also:

Constant Field Values

ACI_PROXY

public static final int ACI_PROXY

ACI_PROXY is used for the PROXY right.

See Also:

Constant Field Values

ACI_WRITE_DELETE

public static final int ACI_WRITE_DELETE

ACI_WRITE_DELETE is used by the LDAP modify operation.

See Also:

Constant Field Values

ACI_SKIP_PROXY_CHECK

public static final int ACI_SKIP_PROXY_CHECK

ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.

See Also:

Constant Field Values

ACI_EXT_OP

public static final int ACI_EXT_OP

Used by the extended operation access check.

See Also:

Constant Field Values

Method Detail

decode

public static Aci decode(String aciString,
                         Dn dn)
                  throws AciException

Decode an ACI byte string.

Parameters:

aciString - The ACI string.

dn - DN of the ACI entry.

Returns:

Returns a decoded ACI representing the string argument.

Throws:

AciException - If the parsing of the ACI string fails.

toString

public String toString()

Return the string representation of the ACI. This was the string that was used to create the Aci class.

Overrides:

toString in class Object

Returns:

A string representation of the ACI.

getTargets

public AciTargets getTargets()

Returns the targets of the ACI.

Returns:

Any AciTargets of the ACI. There may be no targets so this might be null.

getDN

public Dn getDN()

Return the DN of the entry containing the ACI.

Returns:

The DN of the entry containing the ACI.

isApplicable

public boolean isApplicable(AciTargetMatchContext matchCtx)

Test if the given ACI is applicable using the target match information provided. The ACI target can have seven keywords at this time:

These two base decision on the resource entry DN:

1. target - checked in isTargetApplicable.

2. targetscope - checked in isTargetApplicable.

These three base decision on resource entry attributes:

3. targetfilter - checked in isTargetFilterApplicable.

4. targetattr - checked in isTargetAttrApplicable.

5. targattrfilters - checked in isTargAttrFiltersApplicable.

These two base decisions on a resource entry built by the ACI handler that only contains a DN:

6. targetcontrol - check in isTargetControlApplicable.

7. extop - check in isExtOpApplicable.

Six and seven are specific to the check being done: targetcontrol when a control is being evaluated and extop when an extended operation is evaluated. None of the attribute based keywords should be checked when a control or extended op is being evaluated, because one of those attribute keywords rule might incorrectly make an ACI applicable that shouldn't be. This can happen by erroneously basing their decision on the ACI handler generated stub resource entry. For example, a "(targetattr != userpassword)" rule would match the generated stub resource entry, even though a control or extended op might be denied. What is allowed is the target and targetscope keywords, since the DN is known, so they are checked along with the correct method for the access check (isTargetControlApplicable for control and isTExtOpApplicable for extended operations). See comments in code where these checks are done.

Parameters:

matchCtx - The target matching context containing all the info needed to match ACI targets.

Returns:

True if this ACI targets are applicable or match.

hasRights

public boolean hasRights(int rights)

Check if the body of the ACI matches the rights specified.

Parameters:

rights - Bit mask representing the rights to match.

Returns:

True if the body's rights match one of the rights specified.

hasAccessType

public boolean hasAccessType(org.opends.server.authorization.dseecompat.EnumAccessType accessType)

Re-direct has access type to the body's hasAccessType method.

Parameters:

accessType - The access type to match.

Returns:

True if the body's hasAccessType determines a permission contains this access type (allow or deny are valid types).

getName

public String getName()

Returns the name string of this ACI.

Returns:

The name string.

decodeOID

public static Set<String> decodeOID(String expr,
                                    LocalizableMessage msg)
                             throws AciException

Decode an OIDs expression string.

Parameters:

expr - A string representing the OID expression.

msg - A message to be used if there is an exception.

Returns:

Return a hash set of verified OID strings parsed from the OID expression.

Throws:

AciException - If the specified expression string is invalid.

compareTo

public int compareTo(Aci aci)

Compares this Aci with the provided Aci based on a natural order. This order will be first hierarchical (ancestors will come before descendants) and then alphabetical by attribute name(s) and value(s).

Specified by:

compareTo in interface Comparable<Aci>

Parameters:

aci - The Aci against which to compare this Aci.

Returns:

A negative integer if this Aci should come before the provided Aci, a positive integer if this Aci should come after the provided Aci, or zero if there is no difference with regard to ordering.