Class AciLDAPOperationContainer

  • All Implemented Interfaces:
    AciEvalContext, AciTargetMatchContext

    public class AciLDAPOperationContainer
    extends Object
    The AciLDAPOperationContainer is an AciContainer subclass that wraps each LDAP operation being evaluated against an ACI, or being tested for a target match with an ACI.
    • Constructor Detail

      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(Operation operation,
                                         int rights,
                                         Entry entry)
        Constructor interface for all currently supported LDAP operations.
        Parameters:
        operation - The operation to evaluate.
        rights - The rights of the operation.
        entry - The entry for evaluation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(CompareOperation operation,
                                         int rights)
        Constructor interface for the compare operation.
        Parameters:
        operation - The compare operation to evaluate.
        rights - The rights of a compare operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(Operation operation,
                                         Entry e,
                                         AuthenticationInfo authInfo,
                                         int rights)
        Constructor interface for evaluating a general-purpose Operation with an entry, authentication information and rights.
        Parameters:
        operation - The operation to use in the evaluation.
        e - The entry for evaluation.
        authInfo - The authentication information to use in the evaluation.
        rights - The rights of the operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(Operation operation,
                                         Entry e,
                                         Control c,
                                         int rights)
        Constructor interface for evaluation of a control.
        Parameters:
        operation - The operation to use in the evaluation.
        e - An entry built especially for evaluation.
        c - The control to evaluate.
        rights - The rights of a control.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(ExtendedOperation operation,
                                         Entry e,
                                         int rights)
        Constructor interface for evaluation of the extended operation.
        Parameters:
        operation - The extended operation to evaluate.
        e - An entry built especially for evaluation.
        rights - The rights of an extended operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(AddOperation operation,
                                         int rights)
        Constructor interface for the add operation.
        Parameters:
        operation - The add operation to evaluate.
        rights - The rights of an add operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(DeleteOperation operation,
                                         int rights)
        Constructor interface for the delete operation.
        Parameters:
        operation - The delete operation to evaluate.
        rights - The rights of a delete operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(ModifyOperation operation,
                                         int rights)
        Constructor interface for the modify operation.
        Parameters:
        operation - The modify operation to evaluate.
        rights - The rights of the modify operation.
      • AciLDAPOperationContainer

        public AciLDAPOperationContainer​(ModifyDnOperation operation,
                                         int rights,
                                         Entry entry)
        Constructor interface for the modify DN operation.
        Parameters:
        operation - The modify DN operation.
        rights - The rights of the modify DN operation.
        entry - The entry to be evaluated for this modify DN.
    • Method Detail

      • setGetEffectiveRightsEval

        public void setGetEffectiveRightsEval()
        Mark the container as being used in a geteffectiverights evaluation by setting the isGetEffectiveRightsEval flag to true.
      • hasGetEffectiveRightsControl

        public boolean hasGetEffectiveRightsControl()
        Return true if the container is being used in a geteffectiverights evaluation.
        Returns:
        True if the container is being used in a geteffectiverights evaluation.
      • useAuthzid

        public void useAuthzid​(boolean v)
        Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.
        Parameters:
        v - The value to set useAuthzid to.
      • getSpecificAttributes

        public Collection<AttributeType> getSpecificAttributes()
        Return the list of additional attributes specified in the geteffectiverights control.
        Returns:
        The list of attributes to return rights information about in the entry.
      • addTargAttrFiltersMatchAci

        public void addTargAttrFiltersMatchAci​(Aci aci)
        Description copied from interface: AciTargetMatchContext
        Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that might evaluate to true.
        Specified by:
        addTargAttrFiltersMatchAci in interface AciTargetMatchContext
        Parameters:
        aci - The ACI to save.
      • hasTargAttrFiltersMatchAci

        public boolean hasTargAttrFiltersMatchAci​(Aci aci)
        Description copied from interface: AciEvalContext
        The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Specified by:
        hasTargAttrFiltersMatchAci in interface AciEvalContext
        Parameters:
        aci - The ACI to check for a match recorded during targattrfilters keyword evaluation.
        Returns:
        true if a specified ACI matched targattrfilters evaluation.
      • isTargAttrFilterMatchAciEmpty

        public boolean isTargAttrFilterMatchAciEmpty()
        Description copied from interface: AciEvalContext
        Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Specified by:
        isTargAttrFilterMatchAciEmpty in interface AciEvalContext
        Returns:
        true if no ACI matched the targattrfilters keyword evaluation.
      • resetEffectiveRightsParams

        public void resetEffectiveRightsParams()
        Reset the values used by the geteffectiverights evaluation to original values. The geteffectiverights evaluation uses the same container repeatedly for different rights evaluations (read, write, proxy,...) and this method resets variables that are specific to a single evaluation.
      • getTargAttrFiltersAciName

        public String getTargAttrFiltersAciName()
        Description copied from interface: AciEvalContext
        Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control evaluation.
        Specified by:
        getTargAttrFiltersAciName in interface AciEvalContext
        Returns:
        The name of the ACI that last matched a targattrfilters rule.
      • setTargAttrFiltersMatchOp

        public void setTargAttrFiltersMatchOp​(int flag)
        Description copied from interface: AciEvalContext
        Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Specified by:
        setTargAttrFiltersMatchOp in interface AciEvalContext
        Parameters:
        flag - Either the integer value representing an allow or a deny, but not both.
      • hasTargAttrFiltersMatchOp

        public boolean hasTargAttrFiltersMatchOp​(int flag)
        Description copied from interface: AciEvalContext
        Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Specified by:
        hasTargAttrFiltersMatchOp in interface AciEvalContext
        Parameters:
        flag - The integer value specifying either a deny or allow, but not both.
        Returns:
        true if the ACI has a targattrfilters keyword.
      • getDecidingAciName

        public String getDecidingAciName()
        Description copied from interface: AciEvalContext
        Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights control evaluation to build the summary string.
        Specified by:
        getDecidingAciName in interface AciEvalContext
        Returns:
        The name of the ACI that decided the last access evaluation.
      • setEvaluationResult

        public void setEvaluationResult​(EnumEvalReason reason,
                                        Aci decidingAci)
        Description copied from interface: AciEvalContext
        Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to eventually build the summary string.
        Specified by:
        setEvaluationResult in interface AciEvalContext
        Parameters:
        reason - The enumeration representing the reason of the last access evaluation.
        decidingAci - The ACI that decided the last access evaluation.
      • getEvalReason

        public EnumEvalReason getEvalReason()
        Description copied from interface: AciEvalContext
        Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to build the summary string.
        Specified by:
        getEvalReason in interface AciEvalContext
        Returns:
        The enumeration representing the reason of the last access evaluation.
      • setEvalSummary

        public void setEvalSummary​(String summary)
        Description copied from interface: AciEvalContext
        Set the value of the summary string to the specified string. Used in geteffectiverights evaluation to build the summary string.
        Specified by:
        setEvalSummary in interface AciEvalContext
        Parameters:
        summary - The string to set the summary string to.
      • getEvalSummary

        public String getEvalSummary()
        Description copied from interface: AciEvalContext
        Return the access evaluation summary string. Used in a geteffectiverights control evaluation when an aclRightsInfo attribute was specified in a search request.
        Specified by:
        getEvalSummary in interface AciEvalContext
        Returns:
        The string describing the access evaluation.
      • isAuthzidAuthorizationDN

        public boolean isAuthzidAuthorizationDN()
        Returns true if the geteffectiverights control's authZid DN is equal to the authorization entry's DN.
        Returns:
        True if the authZid is equal to the authorization entry's DN.
      • isFirstAttribute

        public boolean isFirstAttribute()
        Description copied from interface: AciTargetMatchContext
        True if the first attribute of the resource entry is being evaluated.
        Specified by:
        isFirstAttribute in interface AciTargetMatchContext
        Returns:
        True if this is the first attribute.
      • setIsFirstAttribute

        public void setIsFirstAttribute​(boolean val)
        Description copied from interface: AciTargetMatchContext
        Set to true if the first attribute of the resource entry is being evaluated.
        Specified by:
        setIsFirstAttribute in interface AciTargetMatchContext
        Parameters:
        val - True if this is the first attribute of the resource entry being evaluated.
      • setEntryTestRule

        public void setEntryTestRule​(boolean val)
        Description copied from interface: AciTargetMatchContext
        True if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.
        Specified by:
        setEntryTestRule in interface AciTargetMatchContext
        Parameters:
        val - True if an entry test rule was found.
      • getClientEntry

        public Entry getClientEntry()
        Description copied from interface: AciEvalContext
        Get the client entry. The client entry is the entry that corresponds to the client DN.
        Specified by:
        getClientEntry in interface AciEvalContext
        Returns:
        The client entry corresponding to the client DN.
      • isDenyEval

        public boolean isDenyEval()
        Description copied from interface: AciEvalContext
        Returns true if the deny list is being evaluated.
        Specified by:
        isDenyEval in interface AciEvalContext
        Returns:
        True if the deny list is being evaluated.
      • isAnonymousUser

        public boolean isAnonymousUser()
        Description copied from interface: AciEvalContext
        Check if the remote client is bound anonymously.
        Specified by:
        isAnonymousUser in interface AciEvalContext
        Returns:
        true if client is bound anonymously.
      • getClientDN

        public Dn getClientDN()
        Description copied from interface: AciEvalContext
        Get client DN. The client DN is the authorization DN.
        Specified by:
        getClientDN in interface AciEvalContext
        Returns:
        The client DN.
      • getResourceDN

        public Dn getResourceDN()
        Description copied from interface: AciEvalContext
        Get the resource DN. The resource DN is the DN of the entry being evaluated.
        Specified by:
        getResourceDN in interface AciEvalContext
        Returns:
        The resource DN.
      • hasRights

        public boolean hasRights​(int rights)
        Checks whether the container's rights include the specified rights.

        JNR: I find the implementation in this method dubious.

        Specified by:
        hasRights in interface AciEvalContext
        Specified by:
        hasRights in interface AciTargetMatchContext
        Parameters:
        rights - The rights to check for.
        Returns:
        True if the container's rights include the specified rights.
        See Also:
        EnumRight.hasRights(int, int)
      • setRights

        public void setRights​(int rights)
        Description copied from interface: AciTargetMatchContext
        Set the rights of the container to the specified rights.
        Specified by:
        setRights in interface AciTargetMatchContext
        Parameters:
        rights - The rights to set the container's rights to.
      • getHostName

        public String getHostName()
        Description copied from interface: AciEvalContext
        Get the hostname of the bound connection.
        Specified by:
        getHostName in interface AciEvalContext
        Returns:
        The hostname of the connection.
      • isAddOperation

        public boolean isAddOperation()
        Description copied from interface: AciEvalContext
        Return true if this is an add operation needed by the userattr USERDN parent inheritance level 0 processing.
        Specified by:
        isAddOperation in interface AciEvalContext
        Returns:
        true if this is an add operation.
      • getTargAttrFiltersMatch

        public boolean getTargAttrFiltersMatch()
        Description copied from interface: AciTargetMatchContext
        Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilter rule that matched.
        Specified by:
        getTargAttrFiltersMatch in interface AciTargetMatchContext
        Returns:
        True if the ACI had a targattrfilter rule that matched.
      • getExtOpOID

        public String getExtOpOID()
        Description copied from interface: AciTargetMatchContext
        Return the OID (Object Identifier) string of the extended operation being evaluated.
        Specified by:
        getExtOpOID in interface AciTargetMatchContext
        Returns:
        The OID string of the extended operation being evaluated.
      • setControlOID

        protected void setControlOID​(String oid)
        Set the controlOID value to the specified oid string.
        Parameters:
        oid - The control oid string.
      • setExtOpOID

        protected void setExtOpOID​(String oid)
        Set the extended operation OID value to the specified oid string.
        Parameters:
        oid - The extended operation oid string.
      • hasAuthenticationMethod

        public boolean hasAuthenticationMethod​(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod,
                                               String saslMech)
        Description copied from interface: AciEvalContext
        Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.
        Specified by:
        hasAuthenticationMethod in interface AciEvalContext
        Parameters:
        authMethod - The required authentication method.
        saslMech - The required SASL mechanism if the authentication method is SASL.
        Returns:
        An evaluation result indicating whether the client connection has been authenticated using the required authentication method.
      • isMemberOf

        public boolean isMemberOf​(Group<?> group)
        Description copied from interface: AciEvalContext
        Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.
        Specified by:
        isMemberOf in interface AciEvalContext
        Parameters:
        group - The group to check membership in.
        Returns:
        true if the authorization DN of the operation is a member of the specified group.
      • rightToString

        public String rightToString()
        Return a string representation of the current right being evaluated. Used in geteffectiverights control evaluation to build the summary string.

        JNR: I find the implementation in this method dubious.

        Specified by:
        rightToString in interface AciEvalContext
        Returns:
        String representation of the current right being evaluated.
        See Also:
        EnumRight.getEnumRight(int)
      • setEvalUserAttributes

        public void setEvalUserAttributes​(int v)
        Description copied from interface: AciTargetMatchContext
        This method toggles a mask indicating whether access checking of individual user attributes may be skipped, depending on whether a single ACI contains a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped is when a single ACI matched using a targetattr all user attributes rule and the attribute type being checked is not operational.
        Specified by:
        setEvalUserAttributes in interface AciTargetMatchContext
        Parameters:
        v - The mask value to set.
      • setEvalOpAttributes

        public void setEvalOpAttributes​(int v)
        Description copied from interface: AciTargetMatchContext
        This method toggles a mask indicating whether access checking of individual operational attributes may be skipped, depending on whether a single ACI contains a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being checked is operational.
        Specified by:
        setEvalOpAttributes in interface AciTargetMatchContext
        Parameters:
        v - The mask value to set.
      • hasEvalUserAttributes

        public boolean hasEvalUserAttributes()
        Description copied from interface: AciTargetMatchContext
        Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule, or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched.
        Specified by:
        hasEvalUserAttributes in interface AciTargetMatchContext
        Returns:
        True if the above condition was seen.
      • hasEvalOpAttributes

        public boolean hasEvalOpAttributes()
        Description copied from interface: AciTargetMatchContext
        Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule, or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched.
        Specified by:
        hasEvalOpAttributes in interface AciTargetMatchContext
        Returns:
        True if the above condition was seen.
      • hasAllUserAttributes

        public boolean hasAllUserAttributes()
        Return true if the evaluating ACI contained a targetattr all user attributes rule match.
        Returns:
        True if the above condition was seen.
      • hasAllOpAttributes

        public boolean hasAllOpAttributes()
        Return true if the evaluating ACI contained a targetattr all operational attributes rule match.
        Returns:
        True if the above condition was seen.
      • clearEvalAttributes

        public void clearEvalAttributes​(int v)
        Description copied from interface: AciTargetMatchContext
        Used to clear the mask that records whether access checking needs to be performed on individual attribute types. The specified value is cleared from the mask, or if the value equals 0 the mask is completely cleared.
        Specified by:
        clearEvalAttributes in interface AciTargetMatchContext
        Parameters:
        v - The flag to clear or 0 to set the mask to 0.
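        The following is an added, stand-alone model of two of the bitmask mechanisms described on this page: the integer rights mask consulted by hasRights(int), and the attribute-evaluation mask toggled by setEvalUserAttributes/setEvalOpAttributes and cleared by clearEvalAttributes. It is example code, not OpenDJ's implementation; the class name AciMaskDemo, the bit values, and the canSkipAttributeCheck helper are assumptions made for illustration, and the "all requested bits must be present" reading of hasRights is an assumption rather than a statement of what OpenDJ's EnumRight.hasRights does.

```java
// Added example, not OpenDJ code. Bit values and names are hypothetical.
public class AciMaskDemo {
    // Hypothetical right bits; OpenDJ's EnumRight defines its own values.
    static final int READ    = 1 << 0;
    static final int WRITE   = 1 << 1;
    static final int SEARCH  = 1 << 2;
    static final int COMPARE = 1 << 3;

    // Hypothetical attribute-evaluation mask bits.
    static final int ACI_USER_ATTR_EXPLICIT = 1 << 0; // targetattr named a user attribute
    static final int ACI_USER_ATTR_ALL      = 1 << 1; // targetattr="*" matched
    static final int ACI_OP_ATTR_EXPLICIT   = 1 << 2; // targetattr named an operational attribute
    static final int ACI_OP_ATTR_ALL        = 1 << 3; // targetattr="+" matched

    private int rights;
    private int evalAttrMask;

    void setRights(int r) { rights = r; }

    // Assumed semantics: every requested bit must be present. A check written
    // as (rights & wanted) != 0 would succeed when only one of several
    // requested rights is held, which is the more permissive reading and is
    // the kind of subtlety a reviewer would look at in a rights check.
    // Note that wanted == 0 is trivially satisfied under this reading.
    boolean hasRights(int wanted) {
        return (rights & wanted) == wanted;
    }

    void setEvalUserAttributes(int v) { evalAttrMask |= v; }
    void setEvalOpAttributes(int v)   { evalAttrMask |= v; }

    // Clear the given bits, or the whole mask when v == 0, as the
    // clearEvalAttributes documentation describes.
    void clearEvalAttributes(int v) {
        evalAttrMask = (v == 0) ? 0 : (evalAttrMask & ~v);
    }

    boolean hasAllUserAttributes() { return (evalAttrMask & ACI_USER_ATTR_ALL) != 0; }
    boolean hasAllOpAttributes()   { return (evalAttrMask & ACI_OP_ATTR_ALL) != 0; }

    // Modelled on hasEvalUserAttributes: an explicit user attribute was
    // targeted, or "*" matched together with some explicit targetattr rule.
    boolean hasEvalUserAttributes() {
        boolean explicitUser = (evalAttrMask & ACI_USER_ATTR_EXPLICIT) != 0;
        boolean explicitAny  = (evalAttrMask & (ACI_USER_ATTR_EXPLICIT | ACI_OP_ATTR_EXPLICIT)) != 0;
        return explicitUser || (hasAllUserAttributes() && explicitAny);
    }

    // Modelled on hasEvalOpAttributes, with "+" in place of "*".
    boolean hasEvalOpAttributes() {
        boolean explicitOp  = (evalAttrMask & ACI_OP_ATTR_EXPLICIT) != 0;
        boolean explicitAny = (evalAttrMask & (ACI_USER_ATTR_EXPLICIT | ACI_OP_ATTR_EXPLICIT)) != 0;
        return explicitOp || (hasAllOpAttributes() && explicitAny);
    }

    // Hypothetical helper: per-attribute checking may be skipped only when a
    // single ACI matched via the all-attributes rule for the attribute's class
    // and no explicit targetattr rule forces an individual check.
    boolean canSkipAttributeCheck(boolean operational) {
        if (operational) {
            return hasAllOpAttributes() && !hasEvalOpAttributes();
        }
        return hasAllUserAttributes() && !hasEvalUserAttributes();
    }

    public static void main(String[] args) {
        AciMaskDemo c = new AciMaskDemo();

        c.setRights(READ | SEARCH);
        System.out.println("hasRights(READ)         = " + c.hasRights(READ));
        System.out.println("hasRights(READ | WRITE) = " + c.hasRights(READ | WRITE));

        // Only targetattr="*" matched: user attributes may skip individual checks,
        // operational attributes may not.
        c.setEvalUserAttributes(ACI_USER_ATTR_ALL);
        System.out.println("skip user attr check    = " + c.canSkipAttributeCheck(false));
        System.out.println("skip op attr check      = " + c.canSkipAttributeCheck(true));

        // An explicit targetattr rule also matched: individual checks are required again.
        c.setEvalUserAttributes(ACI_USER_ATTR_EXPLICIT);
        System.out.println("skip user attr check    = " + c.canSkipAttributeCheck(false));

        // clearEvalAttributes(0) resets the whole mask before the next evaluation.
        c.clearEvalAttributes(0);
        System.out.println("skip user attr check    = " + c.canSkipAttributeCheck(false));
    }
}
```

        Compile and run with javac/java as a single file. The point of the demo is the two places where a mask check can silently become more permissive than intended: an "any bit" rather than "all bits" comparison in hasRights, and a stale attribute-evaluation mask that is not cleared between rights evaluations (which is why resetEffectiveRightsParams and clearEvalAttributes exist).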
      • getCurrentSSF

        public int getCurrentSSF()
        Description copied from interface: AciEvalContext
        Return the current SSF (Security Strength Factor) of the underlying connection.
        Specified by:
        getCurrentSSF in interface AciEvalContext
        Returns:
        The current SSF of the connection.