org.opends.server.authorization.dseecompat

Interface AciTargetMatchContext

All Known Implementing Classes:

AciLDAPOperationContainer

public interface AciTargetMatchContext

The AciTargetMatchContext interface provides a view of an AciContainer that exposes information to be used by the Aci.isApplicable() method to determine if an ACI is applicable (targets matched) to the LDAP operation, operation rights and entry and attributes having access checked on.

Method Summary

Modifier and Type	Method and Description
void	addTargAttrFiltersMatchAci(Aci aci) Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched.
void	clearEvalAttributes(int v) Used to clear the mask used to detect if access checking needs to be performed on individual attributes types.
String	getControlOID() Return the OID (Object Identifier) string of the control being evaluated.
AttributeType	getCurrentAttributeType() Get the current attribute type being evaluated.
ByteString	getCurrentAttributeValue() The current attribute type value being evaluated.
String	getExtOpOID() Return The OID (Object Identifier) string of the extended operation being evaluated.
Entry	getResourceEntry() Get the entry being evaluated.
int	getRights() Return the rights for this container's LDAP operation.
boolean	getTargAttrFiltersMatch() Return the value of the targAttrFiltersMatch variable.
boolean	hasEntryTestRule() True if an entry test rule was found.
boolean	hasEvalOpAttributes() Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and a explicitly defined targetattr target rule matched.
boolean	hasEvalUserAttributes() Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explicitly defined targetattr target rule matched.
boolean	hasRights(int rights) Checks if the container's rights has the specified rights.
boolean	isFirstAttribute() True if the first attribute of the resource entry is being evaluated.
boolean	isGetEffectiveRightsEval() Returns true of a match context is performing a geteffectiverights evaluation.
void	setAllowList(List<Aci> allowList) Set the allow ACI list.
void	setCurrentAttributeType(AttributeType type) Set the attribute type to be evaluated.
void	setCurrentAttributeValue(ByteString v) Set the attribute value to be evaluated.
void	setDenyList(List<Aci> denyList) Set the deny ACI list.
void	setEntryTestRule(boolean val) True if the target matching code found an entry test rule.
void	setEvalOpAttributes(int v) This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
void	setEvalUserAttributes(int v) This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
void	setIsFirstAttribute(boolean isFirst) Set to true if the first attribute of the resource entry is being evaluated.
void	setRights(int rights) Set the rights of the container to the specified rights.
void	setTargAttrFiltersAciName(String name) Save the name of the last ACI that matched a targattrfilters rule.
void	setTargAttrFiltersMatch(boolean v) Set to true if the ACI had a targattrfilter rule that matched.

Method Detail

setDenyList

void setDenyList(List<Aci> denyList)

Set the deny ACI list.

Parameters:

denyList - The deny ACI list.

setAllowList

void setAllowList(List<Aci> allowList)

Set the allow ACI list.

Parameters:

allowList - The list of allow ACIs.

getResourceEntry

Entry getResourceEntry()

Get the entry being evaluated. This is known as the resource entry.

Returns:

The entry being evaluated.

getCurrentAttributeType

AttributeType getCurrentAttributeType()

Get the current attribute type being evaluated.

Returns:

The attribute type being evaluated.

getCurrentAttributeValue

ByteString getCurrentAttributeValue()

The current attribute type value being evaluated.

Returns:

The current attribute type value being evaluated.

isFirstAttribute

boolean isFirstAttribute()

True if the first attribute of the resource entry is being evaluated.

Returns:

True if this is the first attribute.

setIsFirstAttribute

void setIsFirstAttribute(boolean isFirst)

Set to true if the first attribute of the resource entry is being evaluated.

Parameters:

isFirst - True if this is the first attribute of the resource entry being evaluated.

setCurrentAttributeType

void setCurrentAttributeType(AttributeType type)

Set the attribute type to be evaluated.

Parameters:

type - The attribute type to set to.

setCurrentAttributeValue

void setCurrentAttributeValue(ByteString v)

Set the attribute value to be evaluated.

Parameters:

v - The current attribute value to set to.

setEntryTestRule

void setEntryTestRule(boolean val)

True if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.

Parameters:

val - True if an entry test rule was found.

hasEntryTestRule

boolean hasEntryTestRule()

True if an entry test rule was found.

Returns:

True if an entry test rule was found.

getRights

int getRights()

Return the rights for this container's LDAP operation.

Returns:

The rights for the container's LDAP operation.

getControlOID

String getControlOID()

Return the OID (Object Identifier) string of the control being evaluated.

Returns:

The OID string of the control being evaluated.

getExtOpOID

String getExtOpOID()

Return The OID (Object Identifier) string of the extended operation being evaluated.

Returns:

The OID string of the extended operation being evaluated.

hasRights

boolean hasRights(int rights)

Checks if the container's rights has the specified rights.

Parameters:

rights - The rights to check for.

Returns:

True if the container's rights has the specified rights.

setRights

void setRights(int rights)

Set the rights of the container to the specified rights.

Parameters:

rights - The rights to set the container's rights to.

setTargAttrFiltersMatch

void setTargAttrFiltersMatch(boolean v)

Set to true if the ACI had a targattrfilter rule that matched.

Parameters:

v - The value to use.

getTargAttrFiltersMatch

boolean getTargAttrFiltersMatch()

Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilter rule that matched.

Returns:

True if the ACI had a targattrfilter rule that matched.

addTargAttrFiltersMatchAci

void addTargAttrFiltersMatchAci(Aci aci)

Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that possibly might evaluate to true.

Parameters:

aci - The ACI to save.

setTargAttrFiltersAciName

void setTargAttrFiltersAciName(String name)

Save the name of the last ACI that matched a targattrfilters rule. This is used by geteffectiverights evaluation.

Parameters:

name - The ACI's name to save.

isGetEffectiveRightsEval

boolean isGetEffectiveRightsEval()

Returns true of a match context is performing a geteffectiverights evaluation.

Returns:

True if a match context is evaluating geteffectiverights.

setEvalUserAttributes

void setEvalUserAttributes(int v)

This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped, is when a single ACI matched using a targetattr all user attributes rule and the attribute type being check is not operational.

Parameters:

v - The mask to this value.

setEvalOpAttributes

void setEvalOpAttributes(int v)

This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped, is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being check is operational.

Parameters:

v - The mask to this value.

hasEvalUserAttributes

boolean hasEvalUserAttributes()

Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explicitly defined targetattr target rule matched.

Returns:

True if the above condition was seen.

hasEvalOpAttributes

boolean hasEvalOpAttributes()

Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and a explicitly defined targetattr target rule matched.

Returns:

True if the above condition was seen.

clearEvalAttributes

void clearEvalAttributes(int v)

Used to clear the mask used to detect if access checking needs to be performed on individual attributes types. The specified value is cleared from the mask or if the value equals 0 the mask is completely cleared.

Parameters:

v - The flag to clear or 0 to set the mask to 0.