/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 */

package org.opends.server.authorization.dseecompat;

import org.opends.server.types.DN;
import org.opends.server.types.Entry;
import org.opends.server.types.AttributeType;
import org.opends.server.api.Group;

import java.net.InetAddress;
import java.util.LinkedList;

/**
 * Read/write view of an {@code AciContainer} as seen by the ACI evaluation
 * code.
 * <p>
 * Everything the bind-rule and target keywords need to decide an access
 * request is reached through this interface: who is asking (authorization
 * DN, entry, bound address and host name, authentication method, group
 * membership), what is being accessed (resource DN, entry and the attribute
 * type currently under evaluation), which rights the operation requires, and
 * the candidate allow/deny ACI lists.  The remaining accessors carry state
 * that only the geteffectiverights evaluation uses to assemble its summary
 * string (deciding ACI, evaluation reason, targattrfilters bookkeeping).
 * <p>
 * NOTE(review): the allow/deny accessors hand out the live
 * {@link LinkedList} instances rather than copies; whether callers are
 * expected to mutate them is not visible here -- confirm against the
 * container implementation before relying on either assumption.
 */
public interface AciEvalContext
{
  /**
   * Returns the DN the access decision is made for.  This is the
   * authorization DN of the operation, which may differ from the bind DN
   * when proxied authorization is in effect (see
   * {@link #isProxiedAuthorization()}).
   *
   * @return  The authorization (client) DN.
   */
  DN getClientDN();

  /**
   * Returns the entry corresponding to the authorization DN returned by
   * {@link #getClientDN()}.
   *
   * @return  The client entry.
   */
  Entry getClientEntry();

  /**
   * Returns the DN of the entry that access is being evaluated against.
   *
   * @return  The resource DN.
   */
  DN getResourceDN();

  /**
   * Returns the ACIs whose effect is deny and that are candidates for this
   * evaluation.
   *
   * @return  The list of deny ACIs.
   */
  LinkedList<Aci> getDenyList();

  /**
   * Returns the ACIs whose effect is allow and that are candidates for this
   * evaluation.
   *
   * @return  The list of allow ACIs.
   */
  LinkedList<Aci> getAllowList();

  /**
   * Records whether the deny list (as opposed to the allow list) is the one
   * currently being walked.
   *
   * @param  v  {@code true} while deny ACIs are being evaluated.
   */
  void setDenyEval(boolean v);

  /**
   * Indicates whether the deny list is currently being evaluated.
   *
   * @return  {@code true} if deny ACIs are being evaluated.
   */
  boolean isDenyEval();

  /**
   * Indicates whether the remote client is bound anonymously.
   *
   * @return  {@code true} if the client has not authenticated.
   */
  boolean isAnonymousUser();

  /**
   * Returns the bit mask of access rights required by the LDAP operation
   * behind this evaluation context.
   *
   * @return  The rights mask for the operation.
   */
  int getRights();

  /**
   * Returns the entry access is being evaluated against.  Depending on
   * {@link #useFullResourceEntry(boolean)} this may be the search-filtered
   * entry or the saved full entry.
   *
   * @return  The resource entry under evaluation.
   */
  Entry getResourceEntry();

  /**
   * Returns the host name associated with the bound connection.
   * <p>
   * NOTE(review): how this value is obtained is not visible here.  If it is
   * derived from a reverse lookup of {@link #getRemoteAddress()}, bind
   * rules keyed on it are only as trustworthy as that resolver -- confirm
   * against the container implementation.
   *
   * @return  The connection host name.
   */
  String getHostName();

  /**
   * Evaluates whether the client connection was authenticated with the given
   * method (and, for SASL, the given mechanism).  Backs the
   * {@code authmethod} bind-rule keyword.
   *
   * @param  authMethod  The authentication method the bind rule requires.
   * @param  saslMech    The SASL mechanism the bind rule requires when
   *                     {@code authMethod} is SASL.
   * @return  The evaluation result for the authentication-method check.
   */
  EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                         String saslMech);

  /**
   * Returns the network address of the bound connection.
   *
   * @return  The remote address of the connection.
   */
  InetAddress getRemoteAddress();

  /**
   * Indicates whether the operation being evaluated is an add.  Needed by the
   * {@code userattr} USERDN parent inheritance level 0 processing.
   *
   * @return  {@code true} for an add operation.
   */
  boolean isAddOperation();

  /**
   * Indicates whether the authorization DN of the operation is a member of
   * the given group.  Delegates to {@code ClientConnection.isMemberOf()},
   * which checks membership for the authorization DN.
   *
   * @param  group  The group to test membership in.
   * @return  {@code true} if the authorization DN belongs to {@code group}.
   */
  boolean isMemberOf(Group group);

  /**
   * Indicates whether no ACI matched during {@code targattrfilters} keyword
   * evaluation.  Used by the geteffectiverights evaluation to pick the value
   * written into the "write" rights field.
   *
   * @return  {@code true} if the targattrfilters match table is empty.
   */
  boolean isTargAttrFilterMatchAciEmpty();

  /**
   * Indicates whether the given ACI is recorded in the context's table of
   * ACIs that matched during {@code targattrfilters} keyword evaluation.
   * Used by the geteffectiverights evaluation to pick the value written into
   * the "write" rights field.
   *
   * @param  aci  The ACI to look up.
   * @return  {@code true} if {@code aci} matched a targattrfilters rule.
   */
  boolean hasTargAttrFiltersMatchAci(Aci aci);

  /**
   * Indicates whether an ACI that evaluated to the given effect (allow or
   * deny) carried a {@code targattrfilters} keyword.  Used by the
   * geteffectiverights evaluation to pick the value written into the "write"
   * rights field.
   *
   * @param  flag  Integer value denoting either allow or deny, never both.
   * @return  {@code true} if an ACI with that effect contained a
   *          targattrfilters keyword.
   */
  boolean hasTargAttrFiltersMatchOp(int flag);

  /**
   * Indicates whether this context belongs to a geteffectiverights
   * evaluation rather than an ordinary access check.
   *
   * @return  {@code true} during geteffectiverights evaluation.
   */
  boolean isGetEffectiveRightsEval();

  /**
   * Records the name of the ACI that most recently matched a
   * {@code targattrfilters} rule.  Used by the geteffectiverights "write"
   * rights evaluation.
   *
   * @param  name  Name of the matching ACI.
   */
  void setTargAttrFiltersAciName(String name);

  /**
   * Records that an ACI evaluating to the given effect (allow or deny)
   * contained a {@code targattrfilters} keyword.  Used by the
   * geteffectiverights evaluation to pick the value written into the "write"
   * rights field.
   *
   * @param  flag  Integer value denoting either allow or deny, never both.
   */
  void setTargAttrFiltersMatchOp(int flag);

  /**
   * Records why the last access evaluation came out the way it did.  The
   * geteffectiverights evaluation later turns this into its summary string.
   *
   * @param  reason  Reason for the last access decision.
   */
  void setEvalReason(EnumEvalReason reason);

  /**
   * Returns why the last access evaluation came out the way it did.  Used by
   * the geteffectiverights evaluation to build its summary string.
   *
   * @return  Reason for the last access decision.
   */
  EnumEvalReason getEvalReason();

  /**
   * Records the ACI that decided the last access evaluation.  Used by the
   * geteffectiverights evaluation to build its summary string.
   *
   * @param  aci  The deciding ACI.
   */
  void setDecidingAci(Aci aci);

  /**
   * Tests whether this context's rights mask includes the given rights.
   *
   * @param  rights  Bit mask of rights to test for.
   * @return  {@code true} if the context carries that set of rights.
   */
  boolean hasRights(int rights);

  /**
   * Returns the name of the ACI that decided the last access evaluation.
   * Used by the geteffectiverights evaluation to build its summary string.
   *
   * @return  Name of the deciding ACI.
   */
  String getDecidingAciName();

  /**
   * Indicates whether this context is being used for a proxied authorization
   * evaluation.
   *
   * @return  {@code true} during proxied authorization evaluation.
   */
  boolean isProxiedAuthorization();

  /**
   * Returns the attribute type currently under evaluation.
   *
   * @return  The attribute type being evaluated.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Replaces the access-evaluation summary string.  Used by the
   * geteffectiverights evaluation while assembling its summary.
   *
   * @param  summary  New value of the summary string.
   */
  void setEvalSummary(String summary);

  /**
   * Returns the access-evaluation summary string.  Used by the
   * geteffectiverights evaluation when the {@code aclRightsInfo} attribute
   * was requested in a search.
   *
   * @return  Text describing the access evaluation.
   */
  String getEvalSummary();

  /**
   * Returns a printable form of the right currently being evaluated.  Used
   * by the geteffectiverights evaluation to build its summary string.
   *
   * @return  String form of the current right.
   */
  String rightToString();

  /**
   * Returns the name of the ACI that most recently matched a
   * {@code targattrfilters} rule.  Used by the geteffectiverights
   * evaluation.
   *
   * @return  Name of the last targattrfilters-matching ACI.
   */
  String getTargAttrFiltersAciName();

  /**
   * Switches the resource entry between the search-filtered entry and the
   * full entry.  The full entry, with all of its attributes, was stashed in
   * the operation's attachment mechanism when the container was created
   * during the SearchOperation read evaluation; some evaluations need it
   * because they depend on attribute types and values the search filtered
   * out.
   * <p>
   * NOTE(review): while the full entry is in use, any attribute values the
   * evaluation reads may be ones the requester is not entitled to see.
   * Callers should switch back with {@code useFullResourceEntry(false)} as
   * soon as the evaluation is done so those values do not influence what is
   * returned -- confirm this pairing against the call sites.
   *
   * @param  val  {@code true} to evaluate against the saved full entry,
   *              {@code false} to return to the original resource entry.
   */
  void useFullResourceEntry(boolean val);
}