org.opends.server.authorization.dseecompat

Class AciEffectiveRights

java.lang.Object

org.opends.server.authorization.dseecompat.AciEffectiveRights

public final class AciEffectiveRights
extends Object

This class implements the dseecompat geteffectiverights evaluation.

Method Summary

Modifier and Type	Method and Description
static void	addRightsToEntry(AciHandler handler, Set<String> searchAttributes, AciLDAPOperationContainer container, Entry e, boolean skipCheck) Attempts to add the geteffectiverights asked for in the search to the entry being returned.
static String	createSummary(AciEvalContext evalCtx, boolean evalRet) Create the summary string used in the aclRightsInfo log string.
static void	finalizeOnShutdown() Finalizes static variables on shutdown so that we release the memory associated with them (for the unit tests) and get fresh copies if we're doing an in-core restart.
static boolean	setTargAttrAci(AciEvalContext evalCtx, Aci aci, boolean denyAci) If the specified ACI is in the targattrfilters hashtable contained in the evaluation context, set the evaluation context's targattrfilters match variable to either ACL_TARGATTR_DENY_MATCH or ACL_TARGATTR_ALLOW_MATCH depending on the value of the variable denyAci.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

addRightsToEntry

public static void addRightsToEntry(AciHandler handler,
                                    Set<String> searchAttributes,
                                    AciLDAPOperationContainer container,
                                    Entry e,
                                    boolean skipCheck)

Attempts to add the geteffectiverights asked for in the search to the entry being returned. The two geteffectiverights attributes that can be requested are: aclRights and aclRightsInfo. The aclRightsInfo attribute will return a summary string describing in human readable form, a summary of each requested evaluation result. Here is a sample aclRightsInfo summary:

 
 acl_summary(main): access_not_allowed(proxy) on entry/attr(uid=proxieduser,ou=acis,dc=example,dc=com, NULL)
 to (uid=superuser,ou=acis,dc=example,dc=com) (not proxied) (reason: no acis matched the resource )
 
 

The aclRights attribute will return a simple string with the following format:

 
 add:0,delete:0,read:1,write:?,proxy:0
 
 

A 0 represents access denied, 1 access allowed and ? that evaluation depends on a value of an attribute (targattrfilter keyword present in ACI).

There are two levels of rights information:

1. entryLevel - entry level rights information
2. attributeLevel - attribute level rights information

The attribute type names are built up using subtypes:

aclRights;entryLevel

aclRights entry level presentation

aclRightsInfo;log;entryLevel;{right}

aclRightsInfo entry level presentation for each type of right (proxy, read, write, add, delete).

aclRights;attributeLevel;{attributeType name}

aclRights attribute level presentation for each attribute type requested.

aclRights;attributeLevel;logs;{right};{attributeType name}

aclRightsInfo attribute level presentation for each attribute type requested.

Parameters:

handler - The ACI handler to use in the evaluation.

searchAttributes - The attributes requested in the search.

container - The LDAP operation container to use in the evaluations.

e - The entry to add the rights attributes to.

skipCheck - True if ACI evaluation was skipped because bypass-acl privilege was found.

createSummary

public static String createSummary(AciEvalContext evalCtx,
                                   boolean evalRet)

Create the summary string used in the aclRightsInfo log string.

Parameters:

evalCtx - The evaluation context to gather information from.

evalRet - The value returned from the access evaluation.

Returns:

A summary of the ACI evaluation

setTargAttrAci

public static boolean setTargAttrAci(AciEvalContext evalCtx,
                                     Aci aci,
                                     boolean denyAci)

If the specified ACI is in the targattrfilters hashtable contained in the evaluation context, set the evaluation context's targattrfilters match variable to either ACL_TARGATTR_DENY_MATCH or ACL_TARGATTR_ALLOW_MATCH depending on the value of the variable denyAci.

Parameters:

evalCtx - The evaluation context to evaluate and save information to.

aci - The ACI to match.

denyAci - True if the evaluation was a allow, false if the evaluation was an deny or the ACI is not in the table.

Returns:

True if the ACI was found in the hashtable.

finalizeOnShutdown

public static void finalizeOnShutdown()

Finalizes static variables on shutdown so that we release the memory associated with them (for the unit tests) and get fresh copies if we're doing an in-core restart.