Interface AciEvalContext


  • public interface AciEvalContext
    Interface that provides a view of the AciContainer that is used by the ACI evaluation code to evaluate an ACI.
    • Method Detail

      • getClientDN

        Dn getClientDN()
        Get client DN. The client DN is the authorization DN.
        Returns:
        The client DN.
      • getClientEntry

        Entry getClientEntry()
        Get the client entry. The client entry is the entry that corresponds to the client DN.
        Returns:
        The client entry corresponding to the client DN.
      • getResourceDN

        Dn getResourceDN()
        Get the resource DN. The resource DN is the DN of the entry being evaluated.
        Returns:
        The resource DN.
      • getDenyList

        List<Aci> getDenyList()
        Get the list of deny ACIs.
        Returns:
        The deny ACI list.
      • getAllowList

        List<Aci> getAllowList()
        Get the list of allow ACIs.
        Returns:
        The allow ACI list.
      • isDenyEval

        boolean isDenyEval()
        Returns true if the deny list is being evaluated.
        Returns:
        True if the deny list is being evaluated.
      • isAnonymousUser

        boolean isAnonymousUser()
        Check if the remote client is bound anonymously.
        Returns:
        true if client is bound anonymously.
      • getRights

        int getRights()
        Return the rights set for this container's LDAP operation.
        Returns:
        The rights set for the container's LDAP operation.
      • getResourceEntry

        Entry getResourceEntry()
        Return the entry being evaluated.
        Returns:
        The evaluation entry.
      • getHostName

        String getHostName()
        Get the hostname of the bound connection.
        Returns:
        The hostname of the connection.
      • hasAuthenticationMethod

        boolean hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod,
                                        String saslMech)
        Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.
        Parameters:
        authMethod - The required authentication method.
        saslMech - The required SASL mechanism if the authentication method is SASL.
        Returns:
        An evaluation result indicating whether the client connection has been authenticated using the required authentication method.
      • getRemoteAddress

        InetAddress getRemoteAddress()
        Get the address of the bound connection.
        Returns:
        The address of the bound connection.
      • isAddOperation

        boolean isAddOperation()
        Return true if this is an add operation; needed by the userattr USERDN parent inheritance level 0 processing.
        Returns:
        true if this is an add operation.
      • isMemberOf

        boolean isMemberOf(Group group)
        Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.
        Parameters:
        group - The group to check membership in.
        Returns:
        true if the authorization DN of the operation is a member of the specified group.
      • isTargAttrFilterMatchAciEmpty

        boolean isTargAttrFilterMatchAciEmpty()
        Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Returns:
        true if there were not any ACIs that matched targattrfilters keyword evaluation.
      • hasTargAttrFiltersMatchAci

        boolean hasTargAttrFiltersMatchAci(Aci aci)
        The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Parameters:
        aci - The ACI to check for a match during targattrfilters keyword evaluation.
        Returns:
        true if a specified ACI matched targattrfilters evaluation.
      • hasTargAttrFiltersMatchOp

        boolean hasTargAttrFiltersMatchOp(int flag)
        Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Parameters:
        flag - The integer value specifying either a deny or allow, but not both.
        Returns:
        true if the ACI has a targattrfilters keyword.
      • isGetEffectiveRightsEval

        boolean isGetEffectiveRightsEval()
        Returns true if the evaluation context is being used in a geteffectiverights control evaluation.
        Returns:
        true if the evaluation context is being used in a geteffectiverights control evaluation.
      • setTargAttrFiltersAciName

        void setTargAttrFiltersAciName(String name)
        Set the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control targattrfilters "write" evaluation.
        Parameters:
        name - The ACI name string matching the targattrfilters rule.
      • setTargAttrFiltersMatchOp

        void setTargAttrFiltersMatchOp(int flag)
        Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
        Parameters:
        flag - Either the integer value representing an allow or a deny, but not both.
      • setEvaluationResult

        void setEvaluationResult(EnumEvalReason reason,
                                 Aci decidingAci)
        Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to eventually build the summary string.
        Parameters:
        reason - The enumeration representing the reason of the last access evaluation.
        decidingAci - The ACI that decided the last access evaluation.
      • getEvalReason

        EnumEvalReason getEvalReason()
        Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to build the summary string.
        Returns:
        The enumeration representing the reason of the last access evaluation.
      • hasRights

        boolean hasRights(int rights)
        Check if an evaluation context contains a set of access rights.
        Parameters:
        rights - The rights mask to check.
        Returns:
        true if the evaluation context contains the set of access rights.
      • getDecidingAciName

        String getDecidingAciName()
        Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights control evaluation to build the summary string.
        Returns:
        The name of the ACI that decided the last access evaluation.
      • getCurrentAttributeType

        AttributeType getCurrentAttributeType()
        Get the current attribute type being evaluated.
        Returns:
        The attribute type currently being evaluated.
      • setEvalSummary

        void setEvalSummary(String summary)
        Set the value of the summary string to the specified string. Used in geteffectiverights control evaluation to build the summary string.
        Parameters:
        summary - The string to set the summary string to.
      • getEvalSummary

        String getEvalSummary()
        Return the access evaluation summary string. Used in a geteffectiverights control evaluation when an aclRightsInfo attribute was specified in a search request.
        Returns:
        The string describing the access evaluation.
      • rightToString

        String rightToString()
        Return a string representation of the current right being evaluated. Used in geteffectiverights control evaluation to build the summary string.
        Returns:
        String representation of the current right being evaluated.
      • getTargAttrFiltersAciName

        String getTargAttrFiltersAciName()
        Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control evaluation.
        Returns:
        The name of the ACI that last matched a targattrfilters rule.
      • getCurrentSSF

        int getCurrentSSF()
        Return the current SSF (Security Strength Factor) of the underlying connection.
        Returns:
        The current SSF of the connection.
      • getServerContext

        ServerContext getServerContext()
        Return the server context.
        Returns:
        The server context.