001    /*
002     * CDDL HEADER START
003     *
004     * The contents of this file are subject to the terms of the
005     * Common Development and Distribution License, Version 1.0 only
006     * (the "License").  You may not use this file except in compliance
007     * with the License.
008     *
009     * You can obtain a copy of the license at
010     * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011     * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012     * See the License for the specific language governing permissions
013     * and limitations under the License.
014     *
015     * When distributing Covered Code, include this CDDL HEADER in each
016     * file and include the License file at
017     * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
018     * add the following below this CDDL HEADER, with the fields enclosed
019     * by brackets "[]" replaced with your own identifying information:
020     *      Portions Copyright [yyyy] [name of copyright owner]
021     *
022     * CDDL HEADER END
023     *
024     *
025     *      Copyright 2008 Sun Microsystems, Inc.
026     */
027    
028    package org.opends.server.authorization.dseecompat;
029    
030    import org.opends.server.types.AttributeType;
031    import org.opends.server.types.AttributeValue;
032    import org.opends.server.types.Entry;
033    import java.util.LinkedList;
034    
035    /**
036     * The AciTargetMatchContext interface provides a
037     * view of an AciContainer that exposes information to be
038     * used by the Aci.isApplicable() method to determine if
039     * an ACI is applicable (targets matched) to the LDAP operation,
040     * operation rights and entry and attributes having access
041     * checked on.
042     */
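public interface AciTargetMatchContext {

    /**
     * Sets the deny ACI list.
     *
     * <p>The concrete {@code LinkedList} parameter type is part of the
     * signature implementors override; widening it to {@code List} would
     * silently stop those overrides from compiling, so it is kept as is.
     *
     * @param denyList The deny ACI list.
     */
    void setDenyList(LinkedList<Aci> denyList);

    /**
     * Sets the allow ACI list.
     *
     * <p>See {@link #setDenyList(LinkedList)} for why the concrete
     * {@code LinkedList} type is retained.
     *
     * @param allowList The list of allow ACIs.
     */
    void setAllowList(LinkedList<Aci> allowList);

    /**
     * Returns the entry being evaluated, also known as the resource entry.
     *
     * @return The entry being evaluated.
     */
    Entry getResourceEntry();

    /**
     * Returns the attribute type currently being evaluated.
     *
     * @return The attribute type being evaluated.
     */
    AttributeType getCurrentAttributeType();

    /**
     * Returns the attribute value currently being evaluated.
     *
     * @return The current attribute value being evaluated.
     */
    AttributeValue getCurrentAttributeValue();

    /**
     * Indicates whether the first attribute of the resource entry is the one
     * being evaluated.
     *
     * @return True if this is the first attribute.
     */
    boolean isFirstAttribute();

    /**
     * Records whether the first attribute of the resource entry is the one
     * being evaluated.
     *
     * @param isFirst True if this is the first attribute of the resource
     *                entry being evaluated.
     */
    void setIsFirstAttribute(boolean isFirst);

    /**
     * Sets the attribute type to be evaluated.
     *
     * @param type The attribute type to evaluate.
     */
    void setCurrentAttributeType(AttributeType type);

    /**
     * Sets the attribute value to be evaluated.
     *
     * @param v The attribute value to evaluate.
     */
    void setCurrentAttributeValue(AttributeValue v);

    /**
     * Records whether the target matching code found an entry test rule.
     * An entry test rule is an ACI without a targetattr target rule.
     *
     * @param val True if an entry test rule was found.
     */
    void setEntryTestRule(boolean val);

    /**
     * Indicates whether an entry test rule was found.
     *
     * @return True if an entry test rule was found.
     */
    boolean hasEntryTestRule();

    /**
     * Returns the rights for this container's LDAP operation.
     *
     * @return The rights for the container's LDAP operation.
     */
    int getRights();

    /**
     * Returns the OID (Object Identifier) string of the control being
     * evaluated.
     *
     * @return The OID string of the control being evaluated.
     */
    String getControlOID();

    /**
     * Returns the OID (Object Identifier) string of the extended operation
     * being evaluated.
     *
     * @return The OID string of the extended operation being evaluated.
     */
    String getExtOpOID();

    /**
     * Checks whether the container's rights include the specified rights.
     *
     * @param rights The rights to check for.
     * @return True if the container's rights include the specified rights.
     */
    boolean hasRights(int rights);

    /**
     * Sets the rights of the container to the specified rights.
     *
     * @param rights The rights to set the container's rights to.
     */
    void setRights(int rights);

    /**
     * Records whether the ACI had a targattrfilters rule that matched.
     *
     * @param v True if a targattrfilters rule matched.
     */
    void setTargAttrFiltersMatch(boolean v);

    /**
     * Returns the value of the targAttrFiltersMatch flag, which is true if
     * the ACI had a targattrfilters rule that matched.
     *
     * @return True if the ACI had a targattrfilters rule that matched.
     */
    boolean getTargAttrFiltersMatch();

    /**
     * Adds the specified ACI to the list of ACIs whose targattrfilters rule
     * matched. This list is used by geteffectiverights evaluation to
     * determine the rights of an attribute that might evaluate to true.
     *
     * @param aci The ACI to save.
     */
    void addTargAttrFiltersMatchAci(Aci aci);

    /**
     * Saves the name of the last ACI that matched a targattrfilters rule.
     * This is used by geteffectiverights evaluation.
     *
     * @param name The ACI's name to save.
     */
    void setTargAttrFiltersAciName(String name);

    /**
     * Indicates whether this match context is performing a
     * geteffectiverights evaluation.
     *
     * @return True if the match context is evaluating geteffectiverights.
     */
    boolean isGetEffectiveRightsEval();

    /**
     * Toggles a mask indicating whether access checking of individual user
     * attributes may be skipped, depending on whether a single ACI
     * containing a targetattr all-user-attributes rule (targetattr="*")
     * matched.
     *
     * <p>The only case where individual user attribute access checking can
     * be skipped is when a single ACI matched using a targetattr
     * all-user-attributes rule and the attribute type being checked is not
     * operational. Skipping under any other condition would bypass a
     * per-attribute access decision.
     *
     * @param v The mask value to set.
     */
    void setEvalUserAttributes(int v);

    /**
     * Toggles a mask indicating whether access checking of individual
     * operational attributes may be skipped, depending on whether a single
     * ACI containing a targetattr all-operational-attributes rule
     * (targetattr="+") matched.
     *
     * <p>The only case where individual operational attribute access
     * checking can be skipped is when a single ACI matched using a
     * targetattr all-operational-attributes rule and the attribute type
     * being checked is operational. Skipping under any other condition
     * would bypass a per-attribute access decision.
     *
     * @param v The mask value to set.
     */
    void setEvalOpAttributes(int v);

    /**
     * Returns true if the ACI being evaluated either contained an
     * explicitly defined user attribute type in a targetattr target rule,
     * or both a targetattr all-user-attributes rule and an explicitly
     * defined targetattr target rule matched.
     *
     * @return True if the above condition was seen.
     */
    boolean hasEvalUserAttributes();

    /**
     * Returns true if the ACI being evaluated either contained an
     * explicitly defined operational attribute type in a targetattr target
     * rule, or both a targetattr all-operational-attributes rule and an
     * explicitly defined targetattr target rule matched.
     *
     * @return True if the above condition was seen.
     */
    boolean hasEvalOpAttributes();

    /**
     * Clears the mask used to detect whether access checking needs to be
     * performed on individual attribute types. The specified value is
     * cleared from the mask, or if the value equals 0 the mask is
     * completely cleared.
     *
     * @param v The flag to clear, or 0 to reset the whole mask.
     */
    void clearEvalAttributes(int v);
}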
246    
247