org.opends.server.authorization.dseecompat
Interface AciEvalContext

All Known Implementing Classes:
AciContainer, AciLDAPOperationContainer

public interface AciEvalContext

Interface that provides a view of the AciContainer that is used by the ACI evaluation code to evaluate an ACI.


Method Summary
 java.util.LinkedList<Aci> getAllowList()
          Get the list of allow ACIs.
 DN getClientDN()
          Get client DN.
 Entry getClientEntry()
          Get the client entry.
 AttributeType getCurrentAttributeType()
          Get the current attribute type being evaluated.
 java.lang.String getDecidingAciName()
          Return the name of the ACI that decided the last access evaluation.
 java.util.LinkedList<Aci> getDenyList()
          Get the list of deny ACIs.
 EnumEvalReason getEvalReason()
          Return the reason the last access evaluation was evaluated the way it was.
 java.lang.String getEvalSummary()
          Return the access evaluation summary string.
 java.lang.String getHostName()
          Get the hostname of the bound connection.
 java.net.InetAddress getRemoteAddress()
          Get the address of the bound connection.
 DN getResourceDN()
          Get the resource DN.
 Entry getResourceEntry()
          Return the entry being evaluated.
 int getRights()
          Return the rights set for this container's LDAP operation.
 java.lang.String getTargAttrFiltersAciName()
          Return the name of the ACI that last matched a targattrfilters rule.
 EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod, java.lang.String saslMech)
          Determine whether the client connection has been authenticated using a specified authentication method.
 boolean hasRights(int rights)
          Check if an evaluation context contains a set of access rights.
 boolean hasTargAttrFiltersMatchAci(Aci aci)
          The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation.
 boolean hasTargAttrFiltersMatchOp(int flag)
          Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword.
 boolean isAddOperation()
          Return true if this is an add operation, needed by the userattr USERDN parent inheritance level 0 processing.
 boolean isAnonymousUser()
          Check if the remote client is bound anonymously.
 boolean isDenyEval()
          Returns true if the deny list is being evaluated.
 boolean isGetEffectiveRightsEval()
          Returns true if the evaluation context is being used in a geteffectiverights evaluation.
 boolean isMemberOf(Group group)
          Return true if the operation associated with this evaluation context is a member of the specified group.
 boolean isProxiedAuthorization()
          Return true if an evaluation context is being used in proxied authorization evaluation.
 boolean isTargAttrFilterMatchAciEmpty()
          Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty.
 java.lang.String rightToString()
          Return a string representation of the current right being evaluated.
 void setDecidingAci(Aci aci)
          Set the ACI that decided the last access evaluation.
 void setDenyEval(boolean v)
          Set when the deny list is being evaluated.
 void setEvalReason(EnumEvalReason reason)
          Set the reason the last access evaluation was evaluated the way it was.
 void setEvalSummary(java.lang.String summary)
          Set the value of the summary string to the specified string.
 void setTargAttrFiltersAciName(java.lang.String name)
          Set the name of the ACI that last matched a targattrfilters rule.
 void setTargAttrFiltersMatchOp(int flag)
          Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword.
 void useFullResourceEntry(boolean val)
          The full entry with all of the attributes was saved in the operation's attachment mechanism when the container was created during the SearchOperation read evaluation.
 

Method Detail

getClientDN

DN getClientDN()
Get client DN. The client DN is the authorization DN.

Returns:
The client DN.

getClientEntry

Entry getClientEntry()
Get the client entry. The client entry is the entry that corresponds to the client DN.

Returns:
The client entry corresponding to the client DN.

getResourceDN

DN getResourceDN()
Get the resource DN. The resource DN is the DN of the entry being evaluated.

Returns:
The resource DN.

getDenyList

java.util.LinkedList<Aci> getDenyList()
Get the list of deny ACIs.

Returns:
The deny ACI list.

getAllowList

java.util.LinkedList<Aci> getAllowList()
Get the list of allow ACIs.

Returns:
The allow ACI list.

setDenyEval

void setDenyEval(boolean v)
Set when the deny list is being evaluated.

Parameters:
v - True if the deny list is being evaluated.

isDenyEval

boolean isDenyEval()
Returns true if the deny list is being evaluated.

Returns:
True if the deny list is being evaluated.

isAnonymousUser

boolean isAnonymousUser()
Check if the remote client is bound anonymously.

Returns:
True if client is bound anonymously.

getRights

int getRights()
Return the rights set for this container's LDAP operation.

Returns:
The rights set for the container's LDAP operation.

getResourceEntry

Entry getResourceEntry()
Return the entry being evaluated.

Returns:
The evaluation entry.

getHostName

java.lang.String getHostName()
Get the hostname of the bound connection.

Returns:
The hostname of the connection.

hasAuthenticationMethod

EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                       java.lang.String saslMech)
Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.

Parameters:
authMethod - The required authentication method.
saslMech - The required SASL mechanism if the authentication method is SASL.
Returns:
An evaluation result indicating whether the client connection has been authenticated using the required authentication method.

getRemoteAddress

java.net.InetAddress getRemoteAddress()
Get the address of the bound connection.

Returns:
The address of the bound connection.

isAddOperation

boolean isAddOperation()
Return true if this is an add operation, needed by the userattr USERDN parent inheritance level 0 processing.

Returns:
True if this is an add operation.

isMemberOf

boolean isMemberOf(Group group)
Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.

Parameters:
group - The group to check membership in.
Returns:
True if the authorization DN of the operation is a member of the specified group.

isTargAttrFilterMatchAciEmpty

boolean isTargAttrFilterMatchAciEmpty()
Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Returns:
True if there were not any ACIs that matched targattrfilters keyword evaluation.

hasTargAttrFiltersMatchAci

boolean hasTargAttrFiltersMatchAci(Aci aci)
The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Parameters:
aci - The ACI to check for a match during targattrfilters keyword evaluation.
Returns:
True if a specified ACI matched targattrfilters evaluation.

hasTargAttrFiltersMatchOp

boolean hasTargAttrFiltersMatchOp(int flag)
Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Parameters:
flag - The integer value specifying either a deny or allow, but not both.
Returns:
True if the ACI that evaluated to

isGetEffectiveRightsEval

boolean isGetEffectiveRightsEval()
Returns true if the evaluation context is being used in a geteffectiverights evaluation.

Returns:
True if the evaluation context is being used in a geteffectiverights evaluation.

setTargAttrFiltersAciName

void setTargAttrFiltersAciName(java.lang.String name)
Set the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights targattrfilters "write" rights evaluation.

Parameters:
name - The ACI name string matching the targattrfilters rule.

setTargAttrFiltersMatchOp

void setTargAttrFiltersMatchOp(int flag)
Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Parameters:
flag - Either the integer value representing an allow or a deny, but not both.

setEvalReason

void setEvalReason(EnumEvalReason reason)
Set the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights evaluation to eventually build the summary string.

Parameters:
reason - The enumeration representing the reason of the last access evaluation.

getEvalReason

EnumEvalReason getEvalReason()
Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights evaluation to build the summary string.

Returns:
The enumeration representing the reason of the last access evaluation.

setDecidingAci

void setDecidingAci(Aci aci)
Set the ACI that decided the last access evaluation. Used by geteffectiverights evaluation to build the summary string.

Parameters:
aci - The ACI that decided the last access evaluation.

hasRights

boolean hasRights(int rights)
Check if an evaluation context contains a set of access rights.

Parameters:
rights - The rights mask to check.
Returns:
True if the evaluation context contains the set of access rights.

getDecidingAciName

java.lang.String getDecidingAciName()
Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights evaluation to build the summary string.

Returns:
The name of the ACI that decided the last access evaluation.

isProxiedAuthorization

boolean isProxiedAuthorization()
Return true if an evaluation context is being used in proxied authorization evaluation.

Returns:
True if evaluation context is being used in proxied authorization evaluation.

getCurrentAttributeType

AttributeType getCurrentAttributeType()
Get the current attribute type being evaluated.

Returns:
The attribute type currently being evaluated.

setEvalSummary

void setEvalSummary(java.lang.String summary)
Set the value of the summary string to the specified string. Used in geteffectiverights evaluation to build the summary string.

Parameters:
summary - The string to set the summary string to.

getEvalSummary

java.lang.String getEvalSummary()
Return the access evaluation summary string. Used by the geteffectiverights evaluation when an aclRightsInfo attribute was specified in a search.

Returns:
The string describing the access evaluation.

rightToString

java.lang.String rightToString()
Return a string representation of the current right being evaluated. Used in geteffectiverights evaluation to build the summary string.

Returns:
String representation of the current right being evaluated.

getTargAttrFiltersAciName

java.lang.String getTargAttrFiltersAciName()
Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights evaluation.

Returns:
The name of the ACI that last matched a targattrfilters rule.

useFullResourceEntry

void useFullResourceEntry(boolean val)
The full entry with all of the attributes was saved in the operation's attachment mechanism when the container was created during the SearchOperation read evaluation. Some operations need the full entry and not the filtered entry to perform their evaluations, because they might depend on attribute types and values that were filtered out. This method is used to replace the current resource entry with that saved entry and back.

Parameters:
val - Specifies if the saved entry should be used or not. True if it should be used, false if the original resource entry should be used.