public class AciLDAPOperationContainer extends Object
Constructor and Description |
---|
`AciLDAPOperationContainer(AddOperation operation, int rights)` Constructor interface for the add operation. |
`AciLDAPOperationContainer(CompareOperation operation, int rights)` Constructor interface for the compare operation. |
`AciLDAPOperationContainer(DeleteOperation operation, int rights)` Constructor interface for the delete operation. |
`AciLDAPOperationContainer(ExtendedOperation operation, Entry e, int rights)` Constructor interface for evaluation of the extended operation. |
`AciLDAPOperationContainer(ModifyDnOperation operation, int rights, Entry entry)` Constructor interface for the modify DN operation. |
`AciLDAPOperationContainer(ModifyOperation operation, int rights)` Constructor interface for the modify operation. |
`AciLDAPOperationContainer(Operation operation, Entry e, AuthenticationInfo authInfo, int rights)` Constructor interface for evaluation of a general purpose Operation, entry and rights. |
`AciLDAPOperationContainer(Operation operation, Entry e, Control c, int rights)` Constructor interface for evaluation of a control. |
`AciLDAPOperationContainer(Operation operation, int rights, Entry entry)` Constructor interface for all currently supported LDAP operations. |

Modifier and Type | Method and Description |
---|---|
`void` | `addTargAttrFiltersMatchAci(Aci aci)` Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. |
`void` | `clearEvalAttributes(int v)` Used to clear the mask used to detect if access checking needs to be performed on individual attribute types. |
`List<Aci>` | `getAllowList()` Get the list of allow ACIs. |
`Dn` | `getClientDN()` Get client DN. |
`Entry` | `getClientEntry()` Get the client entry. |
`String` | `getControlOID()` Return the OID (Object Identifier) string of the control being evaluated. |
`AttributeType` | `getCurrentAttributeType()` Get the current attribute type being evaluated. |
`ByteString` | `getCurrentAttributeValue()` The current attribute type value being evaluated. |
`int` | `getCurrentSSF()` Return the current SSF (Security Strength Factor) of the underlying connection. |
`String` | `getDecidingAciName()` Return the name of the ACI that decided the last access evaluation. |
`List<Aci>` | `getDenyList()` Get the list of deny ACIs. |
`EnumEvalReason` | `getEvalReason()` Return the reason the last access evaluation was evaluated the way it was. |
`String` | `getEvalSummary()` Return the access evaluation summary string. |
`String` | `getExtOpOID()` Return the OID (Object Identifier) string of the extended operation being evaluated. |
`String` | `getHostName()` Get the hostname of the bound connection. |
`InetAddress` | `getRemoteAddress()` Get the address of the bound connection. |
`Dn` | `getResourceDN()` Get the resource DN. |
`Entry` | `getResourceEntry()` Get the entry being evaluated. |
`int` | `getRights()` Return the rights for this container's LDAP operation. |
`Collection<AttributeType>` | `getSpecificAttributes()` Return the list of additional attributes specified in the geteffectiverights control. |
`String` | `getTargAttrFiltersAciName()` Return the name of the ACI that last matched a targattrfilters rule. |
`boolean` | `getTargAttrFiltersMatch()` Return the value of the targAttrFiltersMatch variable. |
`boolean` | `hasAllOpAttributes()` Return true if the evaluating ACI contained a targetattr all operational attributes rule match. |
`boolean` | `hasAllUserAttributes()` Return true if the evaluating ACI contained a targetattr all user attributes rule match. |
`boolean` | `hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod, String saslMech)` Determine whether the client connection has been authenticated using a specified authentication method. |
`boolean` | `hasEntryTestRule()` True if an entry test rule was found. |
`boolean` | `hasEvalOpAttributes()` Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched. |
`boolean` | `hasEvalUserAttributes()` Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched. |
`boolean` | `hasGetEffectiveRightsControl()` Return true if the container is being used in a geteffectiverights evaluation. |
`boolean` | `hasRights(int rights)` Checks if the container's rights have the specified rights. |
`boolean` | `hasTargAttrFiltersMatchAci(Aci aci)` The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. |
`boolean` | `hasTargAttrFiltersMatchOp(int flag)` Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword. |
`boolean` | `isAddOperation()` Return true if this is an add operation needed by the userattr USERDN parent inheritance level 0 processing. |
`boolean` | `isAnonymousUser()` Check if the remote client is bound anonymously. |
`boolean` | `isAuthzidAuthorizationDN()` Returns true if the geteffectiverights control's authZid DN is equal to the authorization entry's DN. |
`boolean` | `isDenyEval()` Returns true if the deny list is being evaluated. |
`boolean` | `isFirstAttribute()` True if the first attribute of the resource entry is being evaluated. |
`boolean` | `isGetEffectiveRightsEval()` Returns true if a match context is performing a geteffectiverights evaluation. |
`boolean` | `isMemberOf(Group<?> group)` Return true if the operation associated with this evaluation context is a member of the specified group. |
`boolean` | `isTargAttrFilterMatchAciEmpty()` Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. |
`void` | `resetEffectiveRightsParams()` Reset the values used by the geteffectiverights evaluation to original values. |
`String` | `rightToString()` Return a string representation of the current right being evaluated. |
`void` | `setAllowList(List<Aci> allows)` Set the allow ACI list. |
`protected void` | `setControlOID(String oid)` Set the controlOID value to the specified oid string. |
`void` | `setCurrentAttributeType(AttributeType type)` Set the attribute type to be evaluated. |
`void` | `setCurrentAttributeValue(ByteString value)` Set the attribute value to be evaluated. |
`void` | `setDenyList(List<Aci> denys)` Set the deny ACI list. |
`void` | `setEntryTestRule(boolean val)` True if the target matching code found an entry test rule. |
`void` | `setEvalOpAttributes(int v)` This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). |
`void` | `setEvalSummary(String summary)` Set the value of the summary string to the specified string. |
`void` | `setEvaluationResult(EnumEvalReason reason, Aci decidingAci)` Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was. |
`void` | `setEvalUserAttributes(int v)` This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). |
`protected void` | `setExtOpOID(String oid)` Set the extended operation OID value to the specified oid string. |
`void` | `setGetEffectiveRightsEval()` The container is going to be used in a geteffectiverights evaluation, set the flag isGetEffectiveRightsEval to true. |
`void` | `setIsFirstAttribute(boolean val)` Set to true if the first attribute of the resource entry is being evaluated. |
`void` | `setRights(int rights)` Set the rights of the container to the specified rights. |
`void` | `setTargAttrFiltersAciName(String name)` Save the name of the last ACI that matched a targattrfilters rule. |
`void` | `setTargAttrFiltersMatch(boolean v)` Set to true if the ACI had a targattrfilters rule that matched. |
`void` | `setTargAttrFiltersMatchOp(int flag)` Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword. |
`String` | `toString()` |
`void` | `useAuthzid(boolean v)` Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN. |

public AciLDAPOperationContainer(Operation operation, int rights, Entry entry)
operation - The compare operation to evaluate.
rights - The rights of a compare operation.
entry - The entry for evaluation.

public AciLDAPOperationContainer(CompareOperation operation, int rights)
operation - The compare operation to evaluate.
rights - The rights of a compare operation.

public AciLDAPOperationContainer(Operation operation, Entry e, AuthenticationInfo authInfo, int rights)
operation - The operation to use in the evaluation.
e - The entry for evaluation.
authInfo - The authentication information to use in the evaluation.
rights - The rights of the operation.

public AciLDAPOperationContainer(Operation operation, Entry e, Control c, int rights)
operation - The operation to use in the evaluation.
e - An entry built especially for evaluation.
c - The control to evaluate.
rights - The rights of a control.

public AciLDAPOperationContainer(ExtendedOperation operation, Entry e, int rights)
operation - The extended operation to evaluate.
e - An entry built especially for evaluation.
rights - The rights of an extended operation.

public AciLDAPOperationContainer(AddOperation operation, int rights)
operation - The add operation to evaluate.
rights - The rights of an add operation.

public AciLDAPOperationContainer(DeleteOperation operation, int rights)
operation - The add operation to evaluate.
rights - The rights of a delete operation.

public AciLDAPOperationContainer(ModifyOperation operation, int rights)
rights - The rights of a modify operation.
operation - The add operation to evaluate.

public AciLDAPOperationContainer(ModifyDnOperation operation, int rights, Entry entry)
operation - The modify DN operation.
rights - The rights of the modify DN operation.
entry - The entry to evaluate for this modify DN.

public boolean isGetEffectiveRightsEval()
AciTargetMatchContext
isGetEffectiveRightsEval in interface AciEvalContext
isGetEffectiveRightsEval in interface AciTargetMatchContext

public void setGetEffectiveRightsEval()

public boolean hasGetEffectiveRightsControl()

public void useAuthzid(boolean v)
v - The value to set the useAuthzid to.

public Collection<AttributeType> getSpecificAttributes()

public void addTargAttrFiltersMatchAci(Aci aci)
AciTargetMatchContext
addTargAttrFiltersMatchAci in interface AciTargetMatchContext
aci - The ACI to save.

public boolean hasTargAttrFiltersMatchAci(Aci aci)
AciEvalContext
hasTargAttrFiltersMatchAci in interface AciEvalContext
aci - The ACI to evaluate if it contains a match during targattrfilters keyword evaluation.
true if a specified ACI matched targattrfilters evaluation.

public boolean isTargAttrFilterMatchAciEmpty()
AciEvalContext
isTargAttrFilterMatchAciEmpty in interface AciEvalContext
true if there were not any ACIs that matched targattrfilters keyword evaluation.

public void resetEffectiveRightsParams()

public void setTargAttrFiltersAciName(String name)
AciTargetMatchContext
setTargAttrFiltersAciName in interface AciEvalContext
setTargAttrFiltersAciName in interface AciTargetMatchContext
name - The ACI's name to save.

public String getTargAttrFiltersAciName()
AciEvalContext
getTargAttrFiltersAciName in interface AciEvalContext

public void setTargAttrFiltersMatchOp(int flag)
AciEvalContext
setTargAttrFiltersMatchOp in interface AciEvalContext
flag - Either the integer value representing an allow or a deny, but not both.

public boolean hasTargAttrFiltersMatchOp(int flag)
AciEvalContext
hasTargAttrFiltersMatchOp in interface AciEvalContext
flag - The integer value specifying either a deny or allow, but not both.
true if the ACI has a targattrfilters keyword.

public String getDecidingAciName()
AciEvalContext
getDecidingAciName in interface AciEvalContext

public void setEvaluationResult(EnumEvalReason reason, Aci decidingAci)
AciEvalContext
setEvaluationResult in interface AciEvalContext
reason - The enumeration representing the reason of the last access evaluation.
decidingAci - The ACI that decided the last access evaluation.

public EnumEvalReason getEvalReason()
AciEvalContext
getEvalReason in interface AciEvalContext

public void setEvalSummary(String summary)
AciEvalContext
setEvalSummary in interface AciEvalContext
summary - The string to set the summary string to.

public String getEvalSummary()
AciEvalContext
getEvalSummary in interface AciEvalContext

public boolean isAuthzidAuthorizationDN()

public void setDenyList(List<Aci> denys)
AciTargetMatchContext
setDenyList in interface AciTargetMatchContext
denys - The deny ACI list.

public void setAllowList(List<Aci> allows)
AciTargetMatchContext
setAllowList in interface AciTargetMatchContext
allows - The list of allow ACIs.

public AttributeType getCurrentAttributeType()
AciTargetMatchContext
getCurrentAttributeType in interface AciEvalContext
getCurrentAttributeType in interface AciTargetMatchContext

public ByteString getCurrentAttributeValue()
AciTargetMatchContext
getCurrentAttributeValue in interface AciTargetMatchContext

public void setCurrentAttributeType(AttributeType type)
AciTargetMatchContext
setCurrentAttributeType in interface AciTargetMatchContext
type - The attribute type to set to.

public void setCurrentAttributeValue(ByteString value)
AciTargetMatchContext
setCurrentAttributeValue in interface AciTargetMatchContext
value - The current attribute value to set to.

public boolean isFirstAttribute()
AciTargetMatchContext
isFirstAttribute in interface AciTargetMatchContext

public void setIsFirstAttribute(boolean val)
AciTargetMatchContext
setIsFirstAttribute in interface AciTargetMatchContext
val - True if this is the first attribute of the resource entry being evaluated.

public boolean hasEntryTestRule()
AciTargetMatchContext
hasEntryTestRule in interface AciTargetMatchContext

public void setEntryTestRule(boolean val)
AciTargetMatchContext
setEntryTestRule in interface AciTargetMatchContext
val - True if an entry test rule was found.

public Entry getResourceEntry()
AciTargetMatchContext
getResourceEntry in interface AciEvalContext
getResourceEntry in interface AciTargetMatchContext

public Entry getClientEntry()
AciEvalContext
getClientEntry in interface AciEvalContext

public List<Aci> getDenyList()
AciEvalContext
getDenyList in interface AciEvalContext

public List<Aci> getAllowList()
AciEvalContext
getAllowList in interface AciEvalContext

public boolean isDenyEval()
AciEvalContext
isDenyEval in interface AciEvalContext

public boolean isAnonymousUser()
AciEvalContext
isAnonymousUser in interface AciEvalContext
true if client is bound anonymously.

public Dn getClientDN()
AciEvalContext
getClientDN in interface AciEvalContext

public Dn getResourceDN()
AciEvalContext
getResourceDN in interface AciEvalContext

public boolean hasRights(int rights)
JNR: I find the implementation in this method dubious.
hasRights in interface AciEvalContext
hasRights in interface AciTargetMatchContext
rights - The rights to check for.
EnumRight.hasRights(int, int)

public int getRights()
AciTargetMatchContext
getRights in interface AciEvalContext
getRights in interface AciTargetMatchContext

public void setRights(int rights)
AciTargetMatchContext
setRights in interface AciTargetMatchContext
rights - The rights to set the container's rights to.

public String getHostName()
AciEvalContext
getHostName in interface AciEvalContext

public InetAddress getRemoteAddress()
AciEvalContext
getRemoteAddress in interface AciEvalContext

public boolean isAddOperation()
AciEvalContext
isAddOperation in interface AciEvalContext
true if this is an add operation.

public void setTargAttrFiltersMatch(boolean v)
AciTargetMatchContext
setTargAttrFiltersMatch in interface AciTargetMatchContext
v - The value to use.

public boolean getTargAttrFiltersMatch()
AciTargetMatchContext
getTargAttrFiltersMatch in interface AciTargetMatchContext

public String getControlOID()
AciTargetMatchContext
getControlOID in interface AciTargetMatchContext

public String getExtOpOID()
AciTargetMatchContext
getExtOpOID in interface AciTargetMatchContext

protected void setControlOID(String oid)
oid - The control oid string.

protected void setExtOpOID(String oid)
oid - The extended operation oid string.

public boolean hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod, String saslMech)
AciEvalContext
hasAuthenticationMethod in interface AciEvalContext
authMethod - The required authentication method.
saslMech - The required SASL mechanism if the authentication method is SASL.

public boolean isMemberOf(Group<?> group)
AciEvalContext
isMemberOf in interface AciEvalContext
group - The group to check membership in.
true if the authorization DN of the operation is a member of the specified group.

public String rightToString()
JNR: I find the implementation in this method dubious.
rightToString in interface AciEvalContext
EnumRight.getEnumRight(int)

public void setEvalUserAttributes(int v)
AciTargetMatchContext
setEvalUserAttributes in interface AciTargetMatchContext
v - The mask to this value.

public void setEvalOpAttributes(int v)
AciTargetMatchContext
setEvalOpAttributes in interface AciTargetMatchContext
v - The mask to this value.

public boolean hasEvalUserAttributes()
AciTargetMatchContext
hasEvalUserAttributes in interface AciTargetMatchContext

public boolean hasEvalOpAttributes()
AciTargetMatchContext
hasEvalOpAttributes in interface AciTargetMatchContext

public boolean hasAllUserAttributes()

public boolean hasAllOpAttributes()

public void clearEvalAttributes(int v)
AciTargetMatchContext
clearEvalAttributes in interface AciTargetMatchContext
v - The flag to clear or 0 to set the mask to 0.

public int getCurrentSSF()
AciEvalContext
getCurrentSSF in interface AciEvalContext

Copyright 2010-2022 ForgeRock AS.