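/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at
 * trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
 * add the following below this CDDL HEADER, with the fields enclosed
 * by brackets "[]" replaced with your own identifying information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2008 Sun Microsystems, Inc.
 */

package org.opends.server.authorization.dseecompat;

import org.opends.server.types.AttributeType;
import org.opends.server.types.AttributeValue;
import org.opends.server.types.Entry;
import java.util.LinkedList;

/**
 * The AciTargetMatchContext interface provides a view of an AciContainer
 * that exposes the information used by the Aci.isApplicable() method to
 * determine whether an ACI is applicable (its targets matched) to the LDAP
 * operation, the operation's rights, and the entry and attributes having
 * access checked on.
 *
 * <p>Everything exposed here feeds an access-control decision: the resource
 * entry, the attribute type and value under evaluation, the rights requested
 * by the operation, and the bookkeeping masks that decide whether
 * per-attribute access checks may be skipped. Implementations are expected
 * to keep these values consistent with the operation actually being
 * evaluated; a stale attribute type or rights value would be evaluated
 * against the wrong ACIs.
 *
 * <p>Interface methods are implicitly public, so no access modifier is
 * written on them (the declarations were previously a mix of both forms).
 */
public interface AciTargetMatchContext {

  /**
   * Sets the list of deny ACIs.
   *
   * @param denyList The deny ACI list.
   */
  void setDenyList(LinkedList<Aci> denyList);

  /**
   * Sets the list of allow ACIs.
   *
   * @param allowList The list of allow ACIs.
   */
  void setAllowList(LinkedList<Aci> allowList);

  /**
   * Returns the entry being evaluated. This is known as the resource entry.
   *
   * @return The entry being evaluated.
   */
  Entry getResourceEntry();

  /**
   * Returns the attribute type currently being evaluated.
   *
   * @return The attribute type being evaluated.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Returns the attribute value currently being evaluated.
   *
   * @return The current attribute value being evaluated.
   */
  AttributeValue getCurrentAttributeValue();

  /**
   * Indicates whether the first attribute of the resource entry is being
   * evaluated.
   *
   * @return True if this is the first attribute.
   */
  boolean isFirstAttribute();

  /**
   * Records whether the first attribute of the resource entry is being
   * evaluated.
   *
   * @param isFirst True if this is the first attribute of the resource
   *                entry being evaluated.
   */
  void setIsFirstAttribute(boolean isFirst);

  /**
   * Sets the attribute type to be evaluated.
   *
   * @param type The attribute type to set.
   */
  void setCurrentAttributeType(AttributeType type);

  /**
   * Sets the attribute value to be evaluated.
   *
   * @param v The current attribute value to set.
   */
  void setCurrentAttributeValue(AttributeValue v);

  /**
   * Records whether the target matching code found an entry test rule. An
   * entry test rule is an ACI without a targetattr target rule.
   *
   * @param val True if an entry test rule was found.
   */
  void setEntryTestRule(boolean val);

  /**
   * Indicates whether an entry test rule was found.
   *
   * @return True if an entry test rule was found.
   */
  boolean hasEntryTestRule();

  /**
   * Returns the rights for this container's LDAP operation.
   *
   * @return The rights for the container's LDAP operation.
   */
  int getRights();

  /**
   * Returns the OID (Object Identifier) string of the control being
   * evaluated.
   *
   * @return The OID string of the control being evaluated.
   */
  String getControlOID();

  /**
   * Returns the OID (Object Identifier) string of the extended operation
   * being evaluated.
   *
   * @return The OID string of the extended operation being evaluated.
   */
  String getExtOpOID();

  /**
   * Checks whether the container's rights include the specified rights.
   *
   * <p>NOTE(review): rights are carried as an {@code int}; this presumably
   * is a bit-mask containment test rather than an equality test -- confirm
   * against the implementing class before relying on either reading.
   *
   * @param rights The rights to check for.
   * @return True if the container's rights include the specified rights.
   */
  boolean hasRights(int rights);

  /**
   * Sets the rights of the container to the specified rights.
   *
   * @param rights The rights to set the container's rights to.
   */
  void setRights(int rights);

  /**
   * Records whether the ACI had a targattrfilters rule that matched.
   *
   * @param v True if a targattrfilters rule matched.
   */
  void setTargAttrFiltersMatch(boolean v);

  /**
   * Returns the value of the targAttrFiltersMatch variable. This is set to
   * true if the ACI had a targattrfilters rule that matched.
   *
   * @return True if the ACI had a targattrfilters rule that matched.
   */
  boolean getTargAttrFiltersMatch();

  /**
   * Adds the specified ACI to the list of ACIs that have a targattrfilters
   * rule that matched. This is used by geteffectiverights to determine the
   * rights of an attribute that might possibly evaluate to true.
   *
   * @param aci The ACI to save.
   */
  void addTargAttrFiltersMatchAci(Aci aci);

  /**
   * Saves the name of the last ACI that matched a targattrfilters rule.
   * This is used by geteffectiverights evaluation.
   *
   * @param name The ACI's name to save.
   */
  void setTargAttrFiltersAciName(String name);

  /**
   * Indicates whether this match context is performing a geteffectiverights
   * evaluation.
   *
   * @return True if the match context is evaluating geteffectiverights.
   */
  boolean isGetEffectiveRightsEval();

  /**
   * Updates a mask indicating that access checking of individual user
   * attributes may or may not be skipped, depending on whether there is a
   * single ACI containing a targetattr all-user-attributes rule
   * (targetattr="*").
   *
   * <p>The only case where individual user attribute access checking can be
   * skipped is when a single ACI matched using a targetattr
   * all-user-attributes rule and the attribute type being checked is not
   * operational.
   *
   * @param v The mask value to apply.
   */
  void setEvalUserAttributes(int v);

  /**
   * Updates a mask indicating that access checking of individual
   * operational attributes may or may not be skipped, depending on whether
   * there is a single ACI containing a targetattr all-operational-attributes
   * rule (targetattr="+").
   *
   * <p>The only case where individual operational attribute access checking
   * can be skipped is when a single ACI matched using a targetattr
   * all-operational-attributes rule and the attribute type being checked is
   * operational.
   *
   * @param v The mask value to apply.
   */
  void setEvalOpAttributes(int v);

  /**
   * Returns true if the evaluating ACI either contained an explicitly
   * defined user attribute type in a targetattr target rule, or both a
   * targetattr all-user-attributes rule matched and an explicitly defined
   * targetattr target rule matched.
   *
   * @return True if the above condition was seen.
   */
  boolean hasEvalUserAttributes();

  /**
   * Returns true if the evaluating ACI either contained an explicitly
   * defined operational attribute type in a targetattr target rule, or both
   * a targetattr all-operational-attributes rule matched and an explicitly
   * defined targetattr target rule matched.
   *
   * @return True if the above condition was seen.
   */
  boolean hasEvalOpAttributes();

  /**
   * Clears the mask used to detect whether access checking needs to be
   * performed on individual attribute types. The specified value is cleared
   * from the mask, or if the value equals 0 the mask is completely cleared.
   *
   * @param v The flag to clear, or 0 to set the mask to 0.
   */
  void clearEvalAttributes(int v);
}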