Class Aci

    • Field Detail

      • ZERO_OR_MORE_WHITESPACE

        public static final String ZERO_OR_MORE_WHITESPACE
        Regular expression matching a white space.
        See Also:
        Constant Field Values
      • ZERO_OR_MORE_WHITESPACE_START_PATTERN

        public static final String ZERO_OR_MORE_WHITESPACE_START_PATTERN
        Regular expression matching a white space at the start of a pattern.
        See Also:
        Constant Field Values
      • ACI_STATEMENT_SEPARATOR

        public static final String ACI_STATEMENT_SEPARATOR
        Regular expression matching an ACI statement separator.
        See Also:
        Constant Field Values
      • ALL_USER_ATTRS_WILD_CARD

        public static final String ALL_USER_ATTRS_WILD_CARD
        Regular expression that matches "*".
        See Also:
        Constant Field Values
      • ALL_OP_ATTRS_WILD_CARD

        public static final String ALL_OP_ATTRS_WILD_CARD
        Regular expression that matches "+".
        See Also:
        Constant Field Values
      • ACI_ADD

        public static final int ACI_ADD
        ACI_ADD is used to set the container rights for an LDAP add operation.
        See Also:
        Constant Field Values
      • ACI_SELF

        public static final int ACI_SELF
        ACI_SELF is used for the SELFWRITE right.
        See Also:
        Constant Field Values
      • ACI_PROXY

        public static final int ACI_PROXY
        ACI_PROXY is used for the PROXY right.
        See Also:
        Constant Field Values
      • ACI_WRITE_DELETE

        public static final int ACI_WRITE_DELETE
        ACI_WRITE_DELETE is used by the LDAP modify operation.
        See Also:
        Constant Field Values
      • ACI_SKIP_PROXY_CHECK

        public static final int ACI_SKIP_PROXY_CHECK
        ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.
        See Also:
        Constant Field Values
      • ACI_EXT_OP

        public static final int ACI_EXT_OP
        Used by the extended operation access check.
        See Also:
        Constant Field Values
    • Method Detail

      • decode

        public static Aci decode​(String aciString,
                                 Dn dn)
                          throws AciException
        Decode an ACI string.
        Parameters:
        aciString - The ACI string.
        dn - DN of the ACI entry.
        Returns:
        A decoded ACI representing the string argument.
        Throws:
        AciException - If the parsing of the ACI string fails.
      • toString

        public String toString()
        Return the string representation of the ACI. This was the string that was used to create the Aci class.
        Overrides:
        toString in class Object
        Returns:
        A string representation of the ACI.
      • getTargets

        public AciTargets getTargets()
        Returns the targets of the ACI.
        Returns:
        Any AciTargets of the ACI. There may be no targets, so this may be null.
      • getDN

        public Dn getDN()
        Return the DN of the entry containing the ACI.
        Returns:
        The DN of the entry containing the ACI.
      • isApplicable

        public boolean isApplicable​(AciTargetMatchContext matchCtx)
        Test if this ACI is applicable using the target match information provided. The ACI target can have seven keywords at this time.

        These two base their decision on the resource entry DN:

        1. target - checked in isTargetApplicable.
        2. targetscope - checked in isTargetApplicable.

        These three base their decision on resource entry attributes:

        3. targetfilter - checked in isTargetFilterApplicable.
        4. targetattr - checked in isTargetAttrApplicable.
        5. targattrfilters - checked in isTargAttrFiltersApplicable.

        These two base their decision on a resource entry built by the ACI handler that contains only a DN:

        6. targetcontrol - checked in isTargetControlApplicable.
        7. extop - checked in isExtOpApplicable.

        Six and seven are specific to the check being done: targetcontrol when a control is being evaluated and extop when an extended operation is evaluated. None of the attribute-based keywords should be checked when a control or extended operation is being evaluated, because one of those attribute keyword rules might incorrectly make an ACI applicable that should not be, by basing its decision on the stub resource entry generated by the ACI handler. For example, a "(targetattr != userpassword)" rule would match the generated stub resource entry even though the control or extended operation might otherwise be denied. The target and targetscope keywords are allowed, since the DN is known, so they are checked along with the method appropriate to the access check (isTargetControlApplicable for a control and isExtOpApplicable for an extended operation). See the comments in the code where these checks are done.

        Parameters:
        matchCtx - The target matching context containing all the info needed to match ACI targets.
        Returns:
        True if this ACI's targets are applicable, that is, if they match the context.
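        The evaluation order described above, and the stub-entry false positive it guards against, as an added model written for this page (not OpenDJ's code). It keeps the DN keywords (target, targetscope), one attribute keyword (targetattr) and the two check-specific keywords (targetcontrol, extop); targetfilter and targattrfilters are omitted. The class names, the sample DNs, the OID and the ACI names are constructed, and the rule that an ACI carrying only targetcontrol/extop keywords does not apply to ordinary entry access is an assumption of the model. is_applicable follows the page's order; is_applicable_naive evaluates every present keyword regardless of the kind of check, which is the mistake the text warns about.

```python
"""Model of the target-applicability decision described for Aci.isApplicable.

Constructed example: class and function names, sample DNs, the OID and the
ACI names are this example's own and are not OpenDJ's API."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into normalised RDNs, root first, so hierarchy is a list-prefix test."""
    return [rdn.strip().lower() for rdn in dn.split(",")][::-1]


def in_scope(resource_dn: str, target_dn: str, scope: str) -> bool:
    """target + targetscope: is resource_dn within the given scope of target_dn?"""
    res, tgt = dn_rdns(resource_dn), dn_rdns(target_dn)
    if res[: len(tgt)] != tgt:
        return False
    depth = len(res) - len(tgt)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]


@dataclass
class Entry:
    dn: str
    attrs: dict[str, list[str]] = field(default_factory=dict)  # empty for a handler-built stub


@dataclass
class Targets:
    """The subset of ACI target keywords modelled here."""
    name: str
    target: Optional[str] = None
    targetscope: str = "subtree"
    targetattr: Optional[tuple[frozenset[str], bool]] = None  # (attribute names, negated?)
    targetcontrol: Optional[frozenset[str]] = None            # control OIDs
    extop: Optional[frozenset[str]] = None                    # extended-operation OIDs


@dataclass
class MatchContext:
    resource: Entry
    attr: Optional[str] = None         # attribute being accessed (None for control/extop checks)
    control_oid: Optional[str] = None  # set when a control is being evaluated
    extop_oid: Optional[str] = None    # set when an extended operation is being evaluated


def targetattr_matches(targetattr: tuple[frozenset[str], bool], attr: Optional[str]) -> bool:
    names, negated = targetattr
    hit = attr is not None and attr.lower() in names
    # "!= userpassword" matches any attribute that is not userpassword; a stub check
    # (attr is None) trivially satisfies it, which is the false positive described above.
    return (not hit) if negated else hit


def is_applicable(t: Targets, ctx: MatchContext) -> bool:
    """Order described for Aci.isApplicable: DN keywords always, then only the
    keyword that belongs to the kind of check being made."""
    if t.target is not None and not in_scope(ctx.resource.dn, t.target, t.targetscope):
        return False
    if ctx.control_oid is not None:
        # Control check: only targetcontrol is consulted; attribute keywords are skipped.
        return t.targetcontrol is not None and ctx.control_oid in t.targetcontrol
    if ctx.extop_oid is not None:
        return t.extop is not None and ctx.extop_oid in t.extop
    # Ordinary entry access (modelling assumption: control/extop-only ACIs do not apply here).
    if t.targetcontrol is not None or t.extop is not None:
        return False
    return t.targetattr is None or targetattr_matches(t.targetattr, ctx.attr)


def is_applicable_naive(t: Targets, ctx: MatchContext) -> bool:
    """The mistake the page describes: every present keyword is evaluated against the
    context, so an attribute keyword alone can make an ACI apply to a control check."""
    if t.target is not None and not in_scope(ctx.resource.dn, t.target, t.targetscope):
        return False
    if t.targetattr is not None and not targetattr_matches(t.targetattr, ctx.attr):
        return False
    if t.targetcontrol is not None and ctx.control_oid not in t.targetcontrol:
        return False
    if t.extop is not None and ctx.extop_oid not in t.extop:
        return False
    return True


def applicable(acis: list[Targets], ctx: MatchContext, naive: bool = False) -> list[str]:
    check = is_applicable_naive if naive else is_applicable
    return [a.name for a in acis if check(a, ctx)]


PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE_CONTROL_OID = "1.3.6.1.4.1.99999.1"  # constructed OID, stands for any request control
ACIS = [
    Targets("read-non-password", target=PEOPLE,
            targetattr=(frozenset({"userpassword"}), True)),   # (targetattr != "userpassword")
    Targets("allow-sample-control", target=PEOPLE,
            targetcontrol=frozenset({SAMPLE_CONTROL_OID})),
]
ALICE = Entry("uid=alice,ou=people,dc=example,dc=com",
              {"cn": ["Alice"], "userpassword": ["{SSHA}constructed"]})
STUB = Entry(ALICE.dn)  # what the ACI handler builds for control / extended-op checks

if __name__ == "__main__":
    print(applicable(ACIS, MatchContext(ALICE, attr="cn")))
    print(applicable(ACIS, MatchContext(STUB, control_oid=SAMPLE_CONTROL_OID), naive=True))
    print(applicable(ACIS, MatchContext(STUB, control_oid=SAMPLE_CONTROL_OID)))
```

        Run as a script, the naive evaluator reports both ACIs as applicable to the control check on the stub entry, because the negated targetattr rule trivially matches an entry that carries no attribute; the evaluator that follows the page's order reports only the ACI that actually names the control.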
      • hasRights

        public boolean hasRights​(int rights)
        Check if the body of the ACI matches the rights specified.
        Parameters:
        rights - Bit mask representing the rights to match.
        Returns:
        True if the body's rights match one of the rights specified.
      • hasAccessType

        public boolean hasAccessType​(org.opends.server.authorization.dseecompat.EnumAccessType accessType)
        Delegates to the body's hasAccessType method.
        Parameters:
        accessType - The access type to match.
        Returns:
        True if the body's hasAccessType determines a permission contains this access type (allow or deny are valid types).
      • getName

        public String getName()
        Returns the name string of this ACI.
        Returns:
        The name string.
      • compareTo

        public int compareTo​(Aci aci)
        Compares this Aci with the provided Aci based on a natural order. This order will be first hierarchical (ancestors will come before descendants) and then alphabetical by attribute name(s) and value(s).
        Specified by:
        compareTo in interface Comparable<Aci>
        Parameters:
        aci - The Aci against which to compare this Aci.
        Returns:
        A negative integer if this Aci should come before the provided Aci, a positive integer if this Aci should come after the provided Aci, or zero if there is no difference with regard to ordering.