org.opends.server.authorization.dseecompat
Class Aci

java.lang.Object
  extended by org.opends.server.authorization.dseecompat.Aci

public class Aci
extends java.lang.Object

The Aci class represents ACI strings.


Field Summary
static int ACI_ADD
          ACI_ADD is used to set the container rights for an LDAP add operation.
static int ACI_ALL
          ACI_ALL is used as a mask for all of the above.
static int ACI_COMPARE
          ACI_COMPARE is used to set the container rights for an LDAP compare operation.
static int ACI_CONTROL
          Used by the control evaluation access check.
static int ACI_DELETE
          ACI_DELETE is used to set the container rights for an LDAP delete operation.
static int ACI_EXPORT
          ACI_EXPORT is used to set the container rights for an LDAP modify DN operation.
static int ACI_EXT_OP
          Used by the extended operation access check.
static int ACI_FOUND_OP_ATTR_RULE
          ACI_FOUND_OP_ATTR_RULE is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr specific operational attribute expression (targetattr="some operational attribute type") target match.
static int ACI_FOUND_USER_ATTR_RULE
          ACI_FOUND_USER_ATTR_RULE is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr specific user attribute expression (targetattr="some user attribute type") target match.
static int ACI_IMPORT
          ACI_IMPORT is used to set the container rights for an LDAP modify DN operation.
static int ACI_NULL
          ACI_NULL is used to set the container rights to all zeros.
static int ACI_OP_ATTR_PLUS_MATCHED
          ACI_OP_ATTR_PLUS_MATCHED is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr all operational attributes expression (targetattr="+") target match.
static int ACI_PROXY
          ACI_PROXY is used for the PROXY right.
static int ACI_READ
          ACI_READ is used to set the container rights for an LDAP search operation.
static int ACI_SEARCH
          ACI_SEARCH is used to set the container rights for an LDAP search operation.
static int ACI_SELF
          ACI_SELF is used for the SELFWRITE right.
static int ACI_SKIP_PROXY_CHECK
          ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.
static java.lang.String ACI_STATEMENT_SEPARATOR
          Regular expression matching an ACL statement separator.
static int ACI_USER_ATTR_STAR_MATCHED
          ACI_USER_ATTR_STAR_MATCHED is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr all attributes expression (targetattr="*") target match.
static int ACI_WRITE
          ACI_WRITE is used to set the container rights for an LDAP modify operation.
static int ACI_WRITE_ADD
          ACI_WRITE_ADD is used by the LDAP modify operation.
static int ACI_WRITE_DELETE
          ACI_WRITE_DELETE is used by the LDAP modify operation.
static java.lang.String ALL_OP_ATTRS_WILD_CARD
          Regular expression that matches "+".
static java.lang.String ALL_USER_ATTRS_WILD_CARD
          Regular expression that matches "*".
static java.lang.String ATTR_NAME
          Regular expression that permissively matches an attribute type name.
static java.lang.String CLOSED_PAREN
          Regular expression used to match a closed parenthesis.
static java.lang.String EQUAL_SIGN
          Regular expression used to match a single equal sign.
static java.lang.String LDAP_URL
          Regular expression matching an LDAP URL.
static java.lang.String LOGICAL_OR
          Regular expression used to match the token that joins expressions (||).
static java.lang.String NULL_LDAP_URL
          String used to check for a null LDAP URL.
static java.lang.String OPEN_PAREN
          Regular expression used to match an open parenthesis.
static java.lang.String supportedVersion
          Version that we support.
static int TARGATTRFILTERS_ADD
          TARGATTRFILTERS_ADD is used to specify that a targattrfilters ADD operation was seen in the ACI.
static int TARGATTRFILTERS_DELETE
          TARGATTRFILTERS_DELETE is used to specify that a targattrfilters DELETE operation was seen in the ACI.
static java.lang.String WORD_GROUP
          Regular expression matching a word group.
static java.lang.String WORD_GROUP_START_PATTERN
          Regular expression matching a word group at the start of a pattern.
static java.lang.String ZERO_OR_MORE_WHITESPACE
          Regular expression matching white space.
static java.lang.String ZERO_OR_MORE_WHITESPACE_START_PATTERN
          Regular expression matching white space at the start of a pattern.
 
Method Summary
static Aci decode(ByteString byteString, DN dn)
          Decode an ACI byte string.
static java.util.HashSet<java.lang.String> decodeOID(java.lang.String expr, Message msg)
          Decode an OIDs expression string.
static EnumEvalResult evaluate(AciEvalContext evalCtx, Aci aci)
          Static method used to evaluate an ACI against an evaluation context.
 DN getDN()
          Return the DN of the entry containing the ACI.
 java.lang.String getName()
          Returns the name string of this ACI.
 AciTargets getTargets()
          Returns the targets of the ACI.
 boolean hasAccessType(EnumAccessType accessType)
          Delegates to the body's hasAccessType method.
 boolean hasRights(int rights)
          Check if the body of the ACI matches the rights specified.
static boolean isApplicable(Aci aci, AciTargetMatchContext matchCtx)
          Test if the given ACI is applicable using the target match information provided.
 java.lang.String toString()
          Return the string representation of the ACI.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

supportedVersion

public static final java.lang.String supportedVersion
Version that we support.

See Also:
Constant Field Values

WORD_GROUP

public static final java.lang.String WORD_GROUP
Regular expression matching a word group.

See Also:
Constant Field Values

WORD_GROUP_START_PATTERN

public static final java.lang.String WORD_GROUP_START_PATTERN
Regular expression matching a word group at the start of a pattern.

See Also:
Constant Field Values

ZERO_OR_MORE_WHITESPACE

public static final java.lang.String ZERO_OR_MORE_WHITESPACE
Regular expression matching white space.

See Also:
Constant Field Values

ZERO_OR_MORE_WHITESPACE_START_PATTERN

public static final java.lang.String ZERO_OR_MORE_WHITESPACE_START_PATTERN
Regular expression matching white space at the start of a pattern.

See Also:
Constant Field Values

ACI_STATEMENT_SEPARATOR

public static final java.lang.String ACI_STATEMENT_SEPARATOR
Regular expression matching an ACL statement separator.

See Also:
Constant Field Values

ATTR_NAME

public static final java.lang.String ATTR_NAME
Regular expression that permissively matches an attribute type name. The name must begin with an ASCII letter or digit and may contain only ASCII letters, digits, hyphens, semicolons and underscores. The pattern also allows the special shorthand characters "*" for all user attributes and "+" for all operational attributes.

See Also:
Constant Field Values

LDAP_URL

public static final java.lang.String LDAP_URL
Regular expression matching an LDAP URL.

See Also:
Constant Field Values

NULL_LDAP_URL

public static final java.lang.String NULL_LDAP_URL
String used to check for a null LDAP URL.

See Also:
Constant Field Values

LOGICAL_OR

public static final java.lang.String LOGICAL_OR
Regular expression used to match the token that joins expressions (||).

See Also:
Constant Field Values

OPEN_PAREN

public static final java.lang.String OPEN_PAREN
Regular expression used to match an open parenthesis.

See Also:
Constant Field Values

CLOSED_PAREN

public static final java.lang.String CLOSED_PAREN
Regular expression used to match a closed parenthesis.

See Also:
Constant Field Values

EQUAL_SIGN

public static final java.lang.String EQUAL_SIGN
Regular expression used to match a single equal sign.

See Also:
Constant Field Values

ALL_USER_ATTRS_WILD_CARD

public static final java.lang.String ALL_USER_ATTRS_WILD_CARD
Regular expression that matches "*".

See Also:
Constant Field Values

ALL_OP_ATTRS_WILD_CARD

public static final java.lang.String ALL_OP_ATTRS_WILD_CARD
Regular expression that matches "+".

See Also:
Constant Field Values

ACI_ADD

public static final int ACI_ADD
ACI_ADD is used to set the container rights for an LDAP add operation.

See Also:
Constant Field Values

ACI_DELETE

public static final int ACI_DELETE
ACI_DELETE is used to set the container rights for an LDAP delete operation.

See Also:
Constant Field Values

ACI_READ

public static final int ACI_READ
ACI_READ is used to set the container rights for an LDAP search operation.

See Also:
Constant Field Values

ACI_WRITE

public static final int ACI_WRITE
ACI_WRITE is used to set the container rights for an LDAP modify operation.

See Also:
Constant Field Values

ACI_COMPARE

public static final int ACI_COMPARE
ACI_COMPARE is used to set the container rights for an LDAP compare operation.

See Also:
Constant Field Values

ACI_SEARCH

public static final int ACI_SEARCH
ACI_SEARCH is used to set the container rights for an LDAP search operation.

See Also:
Constant Field Values

ACI_SELF

public static final int ACI_SELF
ACI_SELF is used for the SELFWRITE right.

See Also:
Constant Field Values

ACI_ALL

public static final int ACI_ALL
ACI_ALL is used as a mask for all of the above. The six rights listed below are not covered by the ACI_ALL mask.

See Also:
Constant Field Values

ACI_PROXY

public static final int ACI_PROXY
ACI_PROXY is used for the PROXY right.

See Also:
Constant Field Values

ACI_IMPORT

public static final int ACI_IMPORT
ACI_IMPORT is used to set the container rights for an LDAP modify DN operation.

See Also:
Constant Field Values

ACI_EXPORT

public static final int ACI_EXPORT
ACI_EXPORT is used to set the container rights for an LDAP modify DN operation.

See Also:
Constant Field Values

ACI_WRITE_ADD

public static final int ACI_WRITE_ADD
ACI_WRITE_ADD is used by the LDAP modify operation.

See Also:
Constant Field Values

ACI_WRITE_DELETE

public static final int ACI_WRITE_DELETE
ACI_WRITE_DELETE is used by the LDAP modify operation.

See Also:
Constant Field Values

ACI_SKIP_PROXY_CHECK

public static final int ACI_SKIP_PROXY_CHECK
ACI_SKIP_PROXY_CHECK is used to bypass the proxy access check.

See Also:
Constant Field Values

TARGATTRFILTERS_ADD

public static final int TARGATTRFILTERS_ADD
TARGATTRFILTERS_ADD is used to specify that a targattrfilters ADD operation was seen in the ACI. For example, given an ACI containing (targattrfilters="add=mail:(mail=*@example.com)"), the TARGATTRFILTERS_ADD flag would be set during ACI parsing in the TargAttrFilters class.

See Also:
Constant Field Values

TARGATTRFILTERS_DELETE

public static final int TARGATTRFILTERS_DELETE
TARGATTRFILTERS_DELETE is used to specify that a targattrfilters DELETE operation was seen in the ACI. For example, given an ACI containing (targattrfilters="del=mail:(mail=*@example.com)"), the TARGATTRFILTERS_DELETE flag would be set during ACI parsing in the TargAttrFilters class.

See Also:
Constant Field Values

ACI_CONTROL

public static final int ACI_CONTROL
Used by the control evaluation access check.

See Also:
Constant Field Values

ACI_EXT_OP

public static final int ACI_EXT_OP
Used by the extended operation access check.

See Also:
Constant Field Values

ACI_USER_ATTR_STAR_MATCHED

public static final int ACI_USER_ATTR_STAR_MATCHED
ACI_USER_ATTR_STAR_MATCHED is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr all attributes expression (targetattr="*") target match. For this flag to be set, there must be only one matching ACI. This flag and ACI_FOUND_USER_ATTR_RULE are used in the AciHandler.filterEntry.accessAllowedAttrs method to skip access evaluation if the flag is ACI_USER_ATTR_STAR_MATCHED (all attributes match) and the attribute type is not operational.

See Also:
Constant Field Values

ACI_FOUND_USER_ATTR_RULE

public static final int ACI_FOUND_USER_ATTR_RULE
ACI_FOUND_USER_ATTR_RULE is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr specific user attribute expression (targetattr="some user attribute type") target match.

See Also:
Constant Field Values

ACI_OP_ATTR_PLUS_MATCHED

public static final int ACI_OP_ATTR_PLUS_MATCHED
ACI_OP_ATTR_PLUS_MATCHED is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr all operational attributes expression (targetattr="+") target match. For this flag to be set, there must be only one matching ACI. This flag and ACI_FOUND_OP_ATTR_RULE are used in the AciHandler.filterEntry.accessAllowedAttrs method to skip access evaluation if the flag is ACI_OP_ATTR_PLUS_MATCHED (all operational attributes match) and the attribute type is operational.

See Also:
Constant Field Values

ACI_FOUND_OP_ATTR_RULE

public static final int ACI_FOUND_OP_ATTR_RULE
ACI_FOUND_OP_ATTR_RULE is the flag set when the evaluation reason of an AciHandler.maysend ACI_READ access evaluation was the result of an ACI targetattr specific operational attribute expression (targetattr="some operational attribute type") target match.

See Also:
Constant Field Values

ACI_NULL

public static final int ACI_NULL
ACI_NULL is used to set the container rights to all zeros. Used by LDAP modify.

See Also:
Constant Field Values

Method Detail

decode

public static Aci decode(ByteString byteString,
                         DN dn)
                  throws AciException
Decode an ACI byte string.

Parameters:
byteString - The ByteString containing the ACI string.
dn - DN of the ACI entry.
Returns:
Returns a decoded ACI representing the string argument.
Throws:
AciException - If the parsing of the ACI string fails.

toString

public java.lang.String toString()
Return the string representation of the ACI. This was the string that was used to create the Aci class.

Overrides:
toString in class java.lang.Object
Returns:
A string representation of the ACI.

getTargets

public AciTargets getTargets()
Returns the targets of the ACI.

Returns:
Any AciTargets of the ACI. There may be no targets so this might be null.

getDN

public DN getDN()
Return the DN of the entry containing the ACI.

Returns:
The DN of the entry containing the ACI.

isApplicable

public static boolean isApplicable(Aci aci,
                                   AciTargetMatchContext matchCtx)
Test if the given ACI is applicable using the target match information provided. The ACI target can have seven keywords at this time.

These two base their decision on the resource entry DN:
1. target - checked in isTargetApplicable.
2. targetscope - checked in isTargetApplicable.

These three base their decision on resource entry attributes:
3. targetfilter - checked in isTargetFilterApplicable.
4. targetattr - checked in isTargetAttrApplicable.
5. targattrfilters - checked in isTargAttrFiltersApplicable.

These two base their decision on a resource entry built by the ACI handler that contains only a DN:
6. targetcontrol - checked in isTargetControlApplicable.
7. extop - checked in isExtOpApplicable.

Six and seven are specific to the check being done: targetcontrol when a control is being evaluated and extop when an extended operation is evaluated. None of the attribute-based keywords should be checked when a control or extended operation is being evaluated, because one of those attribute keyword rules might incorrectly make an ACI applicable that should not be. This can happen when the rule erroneously bases its decision on the stub resource entry generated by the ACI handler. For example, a "(targetattr != userpassword)" rule would match the generated stub resource entry, even though the control or extended operation might be denied. What is allowed is the target and targetscope keywords, since the DN is known, so they are checked along with the correct method for the access check (isTargetControlApplicable for controls and isExtOpApplicable for extended operations). See the comments in the code where these checks are done.

Parameters:
aci - The ACI to test.
matchCtx - The target matching context containing all the info needed to match ACI targets.
Returns:
True if this ACI targets are applicable or match.
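The following is an added illustration of the rule described for isApplicable above; it is not OpenDS code and does not call the Aci API. It models the keywords target, targetattr, targetcontrol and extop on a minimal Python data model and contrasts a keyword-by-keyword filter (which consults the attribute rule even for a control check) with the documented behaviour of evaluating only the DN-based keyword plus the check-specific one. The data model, function names, sample DN and the control OID "1.2.3.4" are assumptions constructed for the example.

```python
"""Target applicability during control / extended-operation checks.

Added illustration of the rule documented for Aci.isApplicable; it is not
OpenDS code. The keyword names (target, targetattr, targetcontrol, extop)
come from the Javadoc; the data model, function names, sample DN and the
control OID "1.2.3.4" are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)   # attribute name -> values


@dataclass
class AciTargets:
    target: Optional[str] = None          # DN suffix the ACI applies to
    targetattr: Optional[set] = None      # names listed in (targetattr=...)
    targetattr_negated: bool = False      # True for (targetattr != ...)
    targetcontrol: Optional[set] = None   # control OIDs; None if keyword absent
    extop: Optional[set] = None           # extended-op OIDs; None if absent


@dataclass
class MatchContext:
    resource: Entry
    control_oid: Optional[str] = None     # set when a control is evaluated
    extop_oid: Optional[str] = None       # set when an extended op is evaluated


def stub_entry(dn: str) -> Entry:
    """The ACI handler evaluates controls and extended operations against a
    resource entry that carries only a DN and no attributes."""
    return Entry(dn)


def target_applies(t: AciTargets, ctx: MatchContext) -> bool:
    """DN-based keyword: safe to evaluate on a stub entry."""
    return t.target is None or ctx.resource.dn.lower().endswith(t.target.lower())


def targetattr_applies(t: AciTargets, ctx: MatchContext) -> bool:
    """Attribute-based keyword. A negated rule holds when none of the listed
    attributes is present, so an attribute-less stub entry passes it trivially."""
    if t.targetattr is None:
        return True
    present = {a.lower() for a in ctx.resource.attrs}
    listed = {a.lower() for a in t.targetattr}
    hit = bool(present & listed)
    return (not hit) if t.targetattr_negated else hit


def targetcontrol_applies(t: AciTargets, ctx: MatchContext) -> bool:
    return t.targetcontrol is not None and ctx.control_oid in t.targetcontrol


def extop_applies(t: AciTargets, ctx: MatchContext) -> bool:
    return t.extop is not None and ctx.extop_oid in t.extop


def is_applicable_naive(t: AciTargets, ctx: MatchContext) -> bool:
    """Keyword-by-keyword filtering that consults the attribute rule even for a
    control or extended-op check; shown only to expose the documented pitfall."""
    ok = target_applies(t, ctx) and targetattr_applies(t, ctx)
    if ctx.control_oid is not None:
        ok = ok and (t.targetcontrol is None or targetcontrol_applies(t, ctx))
    if ctx.extop_oid is not None:
        ok = ok and (t.extop is None or extop_applies(t, ctx))
    return ok


def is_applicable(t: AciTargets, ctx: MatchContext) -> bool:
    """The documented rule: for a control or extended-op check, evaluate only
    the DN-based keyword plus the keyword specific to that check."""
    if ctx.control_oid is not None:
        return target_applies(t, ctx) and targetcontrol_applies(t, ctx)
    if ctx.extop_oid is not None:
        return target_applies(t, ctx) and extop_applies(t, ctx)
    return target_applies(t, ctx) and targetattr_applies(t, ctx)


# Constructed sample ACIs: one that carries only an attribute rule (the
# "(targetattr != userpassword)" case from the Javadoc) and one that names
# the control it governs.
ATTR_ONLY = AciTargets(target="dc=example,dc=com",
                       targetattr={"userpassword"}, targetattr_negated=True)
CONTROL_RULE = AciTargets(target="dc=example,dc=com",
                          targetattr={"cn"}, targetcontrol={"1.2.3.4"})
CONTROL_CHECK = MatchContext(stub_entry("uid=alice,dc=example,dc=com"),
                             control_oid="1.2.3.4")


def compare() -> dict:
    """Applicability of each sample ACI under both strategies."""
    return {
        "naive": (is_applicable_naive(ATTR_ONLY, CONTROL_CHECK),
                  is_applicable_naive(CONTROL_RULE, CONTROL_CHECK)),
        "documented": (is_applicable(ATTR_ONLY, CONTROL_CHECK),
                       is_applicable(CONTROL_RULE, CONTROL_CHECK)),
    }


if __name__ == "__main__":
    print(compare())
```

Under the naive filter the attribute-only ACI becomes applicable to the control check (the stub entry has no userpassword, so "!=" holds) while the ACI that explicitly names the control is skipped (the stub has no cn). Under the documented rule the result is the reverse in both cases, which is the point the Javadoc makes: on a stub resource entry only the DN-based keywords carry information.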

hasRights

public boolean hasRights(int rights)
Check if the body of the ACI matches the rights specified.

Parameters:
rights - Bit mask representing the rights to match.
Returns:
True if the body's rights match one of the rights specified.

hasAccessType

public boolean hasAccessType(EnumAccessType accessType)
Re-direct has access type to the body's hasAccessType method.

Parameters:
accessType - The access type to match.
Returns:
True if the body's hasAccessType determines a permission contains this access type (allow or deny are valid types).

evaluate

public static EnumEvalResult evaluate(AciEvalContext evalCtx,
                                      Aci aci)
Static method used to evaluate an ACI against an evaluation context.

Parameters:
evalCtx - The context to evaluate with.
aci - The ACI to evaluate.
Returns:
EnumEvalResult that contains the evaluation result of the aci evaluation.

getName

public java.lang.String getName()
Returns the name string of this ACI.

Returns:
The name string.

decodeOID

public static java.util.HashSet<java.lang.String> decodeOID(java.lang.String expr,
                                                            Message msg)
                                                     throws AciException
Decode an OIDs expression string.

Parameters:
expr - A string representing the OID expression.
msg - A message to be used if there is an exception.
Returns:
Return a hash set of verified OID strings parsed from the OID expression.
Throws:
AciException - If the specified expression string is invalid.
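The following is an added example serving both the ATTR_NAME / LOGICAL_OR field descriptions above and decodeOID; it is not OpenDS code. The attribute-name pattern is written from the ATTR_NAME description on this page (first character an ASCII letter or digit, then letters, digits, hyphens, semicolons and underscores, or the "*" and "+" shorthands) and "||" is the LOGICAL_OR separator. The dotted-decimal OID grammar used for verification, the function names and the sample inputs are assumptions.

```python
"""Decoding "||"-joined attribute-name and OID expressions.

Added example; not OpenDS code. The attribute-name pattern follows the
ATTR_NAME description in the Javadoc and "||" is the LOGICAL_OR separator.
The dotted-decimal OID grammar, function names and sample inputs are
assumptions made for this example.
"""
import re

ATTR_NAME = r"(?:[A-Za-z0-9][A-Za-z0-9;_-]*|\*|\+)"
OID = r"[0-9]+(?:\.[0-9]+)*"          # assumed: numeric OIDs only
LOGICAL_OR = r"\|\|"
WS = r"\s*"


def _compile(token: str) -> re.Pattern:
    # The whole expression must be: token (|| token)* with optional
    # whitespace. Anchoring with \A and \Z rejects trailing junk instead of
    # silently truncating the list.
    return re.compile(rf"\A{WS}{token}(?:{WS}{LOGICAL_OR}{WS}{token})*{WS}\Z")


_TARGETATTR_EXPR = _compile(ATTR_NAME)
_OID_EXPR = _compile(OID)


def _decode(expr: str, pattern: re.Pattern, what: str) -> set:
    if not pattern.match(expr):
        # Mirrors decodeOID throwing AciException on an invalid expression.
        raise ValueError(f"invalid {what} expression: {expr!r}")
    return {part.strip() for part in re.split(LOGICAL_OR, expr)}


def decode_targetattr(expr: str) -> set:
    """Attribute names from a targetattr value such as 'cn || sn'. Names are
    returned as written; LDAP attribute names compare case-insensitively, so
    callers should normalise before comparing."""
    return _decode(expr, _TARGETATTR_EXPR, "targetattr")


def decode_oid(expr: str) -> set:
    """OIDs from a targetcontrol or extop value."""
    return _decode(expr, _OID_EXPR, "OID")


def is_valid_targetattr(expr: str) -> bool:
    return _TARGETATTR_EXPR.match(expr) is not None


def is_valid_oid_expr(expr: str) -> bool:
    return _OID_EXPR.match(expr) is not None


if __name__ == "__main__":
    # Constructed samples; the two OIDs are the RFC 3062 password-modify
    # extended operation and the ManageDsaIT control.
    print(decode_targetattr("cn || sn ||mail;lang-en"))
    print(decode_oid("1.3.6.1.4.1.4203.1.11.1 || 2.16.840.1.113730.3.4.2"))
    for bad in ("-cn", "cn | sn", "cn ||", "1.3.6.x"):
        print(bad, is_valid_targetattr(bad), is_valid_oid_expr(bad))
```

Validating the whole expression before splitting is the design choice worth noting: splitting first and checking each piece would accept a malformed tail such as "cn ||" as the single name "cn", whereas an access-control parser should reject anything it cannot account for, as decodeOID does by throwing AciException.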