001    /*
002     * CDDL HEADER START
003     *
004     * The contents of this file are subject to the terms of the
005     * Common Development and Distribution License, Version 1.0 only
006     * (the "License").  You may not use this file except in compliance
007     * with the License.
008     *
009     * You can obtain a copy of the license at
010     * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011     * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012     * See the License for the specific language governing permissions
013     * and limitations under the License.
014     *
015     * When distributing Covered Code, include this CDDL HEADER in each
016     * file and include the License file at
017     * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
018     * add the following below this CDDL HEADER, with the fields enclosed
019     * by brackets "[]" replaced with your own identifying information:
020     *      Portions Copyright [yyyy] [name of copyright owner]
021     *
022     * CDDL HEADER END
023     *
024     *
025     *      Copyright 2008 Sun Microsystems, Inc.
026     */
027    
028    package org.opends.server.authorization.dseecompat;
029    
030    import org.opends.server.types.DN;
031    import org.opends.server.types.Entry;
032    import org.opends.server.types.AttributeType;
033    import org.opends.server.api.Group;
034    
035    import java.net.InetAddress;
036    import java.util.LinkedList;
037    
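/**
 * View of the {@code AciContainer} consulted by the ACI evaluation code while
 * deciding whether an access control instruction grants or denies the
 * operation under evaluation. It exposes the client identity, the resource
 * entry, the requested rights and the connection details that the bind-rule
 * and target keywords test, plus the bookkeeping that the geteffectiverights
 * evaluation uses to explain its decision.
 *
 * <p>Implementations are not required to be thread-safe; a context is
 * expected to be used by the evaluation of a single operation.
 */
public interface AciEvalContext
{
    /**
     * Returns the client DN. The client DN is the authorization DN of the
     * operation, i.e. the identity access decisions are made for. When the
     * context is used for proxied authorization (see
     * {@link #isProxiedAuthorization()}) this may differ from the DN the
     * connection originally bound with.
     *
     * @return The client (authorization) DN.
     */
    DN getClientDN();

    /**
     * Returns the client entry, the entry that corresponds to the client DN
     * returned by {@link #getClientDN()}.
     *
     * @return The client entry corresponding to the client DN.
     */
    Entry getClientEntry();

    /**
     * Returns the resource DN, the DN of the entry being evaluated.
     *
     * @return The resource DN.
     */
    DN getResourceDN();

    /**
     * Returns the list of ACIs that deny access.
     *
     * <p>NOTE(review): presumably the live list held by the container rather
     * than a copy; callers should treat it as read-only during evaluation —
     * confirm against the implementation.
     *
     * @return The deny ACI list.
     */
    LinkedList<Aci> getDenyList();

    /**
     * Returns the list of ACIs that allow access.
     *
     * <p>NOTE(review): presumably the live list held by the container rather
     * than a copy; callers should treat it as read-only during evaluation —
     * confirm against the implementation.
     *
     * @return The allow ACI list.
     */
    LinkedList<Aci> getAllowList();

    /**
     * Records whether the deny list is currently being evaluated.
     *
     * @param v {@code true} if deny ACIs are being evaluated, {@code false}
     *          otherwise.
     */
    void setDenyEval(boolean v);

    /**
     * Indicates whether the deny list is currently being evaluated.
     *
     * @return {@code true} if the deny list is being evaluated.
     */
    boolean isDenyEval();

    /**
     * Indicates whether the remote client is bound anonymously.
     *
     * @return {@code true} if the client is bound anonymously.
     */
    boolean isAnonymousUser();

    /**
     * Returns the rights mask set for this container's LDAP operation. The
     * mask can be tested against a specific right set with
     * {@link #hasRights(int)}.
     *
     * @return The rights mask for the container's LDAP operation.
     */
    int getRights();

    /**
     * Returns the entry being evaluated. Depending on the last call to
     * {@link #useFullResourceEntry(boolean)} this is either the (possibly
     * filtered) resource entry or the full entry saved when the container
     * was created.
     *
     * @return The evaluation entry.
     */
    Entry getResourceEntry();

    /**
     * Returns the hostname of the bound connection.
     *
     * <p>NOTE(review): if this value is derived from a reverse lookup of the
     * remote address, any bind rule keyed on it is only as trustworthy as
     * that lookup — confirm how implementations populate it.
     *
     * @return The hostname of the connection.
     */
    String getHostName();

    /**
     * Determines whether the client connection has been authenticated using
     * a specified authentication method. This method is used for the
     * authmethod bind rule keyword.
     *
     * @param authMethod The required authentication method.
     * @param saslMech   The required SASL mechanism if the authentication
     *                   method is SASL.
     * @return An evaluation result indicating whether the client connection
     *         has been authenticated using the required authentication
     *         method.
     */
    EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                           String saslMech);

    /**
     * Returns the address of the bound connection.
     *
     * @return The address of the bound connection.
     */
    InetAddress getRemoteAddress();

    /**
     * Indicates whether this is an add operation. Needed by the userattr
     * USERDN parent inheritance level 0 processing.
     *
     * @return {@code true} if this is an add operation.
     */
    boolean isAddOperation();

    /**
     * Indicates whether the operation associated with this evaluation context
     * is a member of the specified group. Calls the
     * {@code ClientConnection.isMemberOf()} method, which checks the
     * authorization DN's membership in the specified group.
     *
     * @param group The group to check membership in.
     * @return {@code true} if the authorization DN of the operation is a
     *         member of the specified group.
     */
    boolean isMemberOf(Group group);

    /**
     * Indicates whether the hashtable of ACIs that matched the targattrfilters
     * keyword evaluation is empty. Used by the geteffectiverights evaluation
     * to determine the access value to put in the "write" rights evaluation
     * field.
     *
     * @return {@code true} if no ACI matched the targattrfilters keyword
     *         evaluation.
     */
    boolean isTargAttrFilterMatchAciEmpty();

    /**
     * Indicates whether the specified ACI is contained in the hashtable of
     * ACIs that matched the targattrfilters keyword evaluation. Used by the
     * geteffectiverights evaluation to determine the access value to put in
     * the "write" rights evaluation field.
     *
     * @param aci The ACI to look up in the targattrfilters match table.
     * @return {@code true} if the specified ACI matched the targattrfilters
     *         evaluation.
     */
    boolean hasTargAttrFiltersMatchAci(Aci aci);

    /**
     * Indicates whether an ACI that evaluated to the specified decision (deny
     * or allow) contained a targattrfilters keyword. Used by the
     * geteffectiverights evaluation to determine the access value to put in
     * the "write" rights evaluation field.
     *
     * @param flag The integer value specifying either a deny or an allow,
     *             but not both.
     * @return {@code true} if an ACI that evaluated to the specified decision
     *         contained a targattrfilters keyword.
     */
    boolean hasTargAttrFiltersMatchOp(int flag);

    /**
     * Indicates whether the evaluation context is being used in a
     * geteffectiverights evaluation.
     *
     * @return {@code true} if the evaluation context is being used in a
     *         geteffectiverights evaluation.
     */
    boolean isGetEffectiveRightsEval();

    /**
     * Sets the name of the ACI that last matched a targattrfilters rule. Used
     * in the geteffectiverights targattrfilters "write" rights evaluation.
     *
     * @param name The name of the ACI matching the targattrfilters rule.
     */
    void setTargAttrFiltersAciName(String name);

    /**
     * Records that an ACI that evaluated to either deny or allow contains a
     * targattrfilters keyword. Used by the geteffectiverights evaluation to
     * determine the access value to put in the "write" rights evaluation
     * field.
     *
     * @param flag Either the integer value representing an allow or a deny,
     *             but not both.
     */
    void setTargAttrFiltersMatchOp(int flag);

    /**
     * Sets the reason the last access evaluation was decided the way it was.
     * Used by the geteffectiverights evaluation to eventually build the
     * summary string.
     *
     * @param reason The enumeration representing the reason for the last
     *               access evaluation.
     */
    void setEvalReason(EnumEvalReason reason);

    /**
     * Returns the reason the last access evaluation was decided the way it
     * was. Used by the geteffectiverights evaluation to build the summary
     * string.
     *
     * @return The enumeration representing the reason for the last access
     *         evaluation.
     */
    EnumEvalReason getEvalReason();

    /**
     * Sets the ACI that decided the last access evaluation. Used by the
     * geteffectiverights evaluation to build the summary string.
     *
     * @param aci The ACI that decided the last access evaluation.
     */
    void setDecidingAci(Aci aci);

    /**
     * Checks whether the evaluation context contains a set of access rights.
     *
     * @param rights The rights mask to check.
     * @return {@code true} if the evaluation context contains the given
     *         access rights.
     */
    boolean hasRights(int rights);

    /**
     * Returns the name of the ACI that decided the last access evaluation.
     * Used by the geteffectiverights evaluation to build the summary string.
     *
     * @return The name of the ACI that decided the last access evaluation.
     */
    String getDecidingAciName();

    /**
     * Indicates whether the evaluation context is being used in a proxied
     * authorization evaluation.
     *
     * @return {@code true} if the evaluation context is being used in a
     *         proxied authorization evaluation.
     */
    boolean isProxiedAuthorization();

    /**
     * Returns the attribute type currently being evaluated.
     *
     * @return The attribute type currently being evaluated.
     */
    AttributeType getCurrentAttributeType();

    /**
     * Sets the summary string to the specified value. Used in the
     * geteffectiverights evaluation to build the summary string.
     *
     * @param summary The new value of the summary string.
     */
    void setEvalSummary(String summary);

    /**
     * Returns the access evaluation summary string. Used by the
     * geteffectiverights evaluation when an aclRightsInfo attribute was
     * specified in a search.
     *
     * @return The string describing the access evaluation.
     */
    String getEvalSummary();

    /**
     * Returns a string representation of the right currently being evaluated.
     * Used in the geteffectiverights evaluation to build the summary string.
     *
     * @return String representation of the current right being evaluated.
     */
    String rightToString();

    /**
     * Returns the name of the ACI that last matched a targattrfilters rule.
     * Used in the geteffectiverights evaluation.
     *
     * @return The name of the ACI that last matched a targattrfilters rule.
     */
    String getTargAttrFiltersAciName();

    /**
     * Switches the resource entry between the filtered entry and the full
     * entry.
     *
     * <p>The full entry, with all of its attributes, was saved in the
     * operation's attachment mechanism when the container was created during
     * the SearchOperation read evaluation. Some operations need the full entry
     * rather than the filtered entry to perform their evaluations, because
     * they might depend on attribute types and values that were filtered
     * out. This method replaces the current resource entry with that saved
     * entry, and restores the original resource entry again.
     *
     * @param val {@code true} if the saved full entry should be used,
     *            {@code false} if the original resource entry should be
     *            used.
     */
    void useFullResourceEntry(boolean val);
}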