Interface AciTargetMatchContext


  • public interface AciTargetMatchContext
    The AciTargetMatchContext interface provides a view of an AciContainer that exposes the information used by the Aci.isApplicable() method to determine whether an ACI is applicable (its targets match) to the LDAP operation, the operation rights, and the entry and attributes whose access is being checked.
    • Method Summary

      Modifier and Type Method Description
      void addTargAttrFiltersMatchAci​(Aci aci)
      Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched.
      void clearEvalAttributes​(int v)
      Used to clear the mask used to detect if access checking needs to be performed on individual attribute types.
      String getControlOID()
      Return the OID (Object Identifier) string of the control being evaluated.
      AttributeType getCurrentAttributeType()
      Get the current attribute type being evaluated.
      ByteString getCurrentAttributeValue()
      Get the current attribute value being evaluated.
      String getExtOpOID()
      Return the OID (Object Identifier) string of the extended operation being evaluated.
      Entry getResourceEntry()
      Get the entry being evaluated.
      int getRights()
      Return the rights for this container's LDAP operation.
      ServerContext getServerContext()
      Return the server context.
      boolean getTargAttrFiltersMatch()
      Return the value of the targAttrFiltersMatch variable.
      boolean hasEntryTestRule()
      True if an entry test rule was found.
      boolean hasEvalOpAttributes()
      Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule, or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched.
      boolean hasEvalUserAttributes()
      Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule, or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched.
      boolean hasRights​(int rights)
      Check whether the container's rights include the specified rights.
      boolean isFirstAttribute()
      True if the first attribute of the resource entry is being evaluated.
      boolean isGetEffectiveRightsEval()
      Return true if the match context is performing a geteffectiverights evaluation.
      void setAllowList​(List<Aci> allowList)
      Set the allow ACI list.
      void setCurrentAttributeType​(AttributeType type)
      Set the attribute type to be evaluated.
      void setCurrentAttributeValue​(ByteString v)
      Set the attribute value to be evaluated.
      void setDenyList​(List<Aci> denyList)
      Set the deny ACI list.
      void setEntryTestRule​(boolean val)
      Set to true if the target matching code found an entry test rule.
      void setEvalOpAttributes​(int v)
      This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
      void setEvalUserAttributes​(int v)
      This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
      void setIsFirstAttribute​(boolean isFirst)
      Set to true if the first attribute of the resource entry is being evaluated.
      void setRights​(int rights)
      Set the rights of the container to the specified rights.
      void setTargAttrFiltersAciName​(String name)
      Save the name of the last ACI that matched a targattrfilters rule.
      void setTargAttrFiltersMatch​(boolean v)
      Set to true if the ACI had a targattrfilters rule that matched.
    • Method Detail

      • setDenyList

        void setDenyList​(List<Aci> denyList)
        Set the deny ACI list.
        Parameters:
        denyList - The deny ACI list.
      • setAllowList

        void setAllowList​(List<Aci> allowList)
        Set the allow ACI list.
        Parameters:
        allowList - The list of allow ACIs.
      • getResourceEntry

        Entry getResourceEntry()
        Get the entry being evaluated. This is known as the resource entry.
        Returns:
        The entry being evaluated.
      • getCurrentAttributeType

        AttributeType getCurrentAttributeType()
        Get the current attribute type being evaluated.
        Returns:
        The attribute type being evaluated.
      • getCurrentAttributeValue

        ByteString getCurrentAttributeValue()
        Get the current attribute value being evaluated.
        Returns:
        The current attribute value being evaluated.
      • isFirstAttribute

        boolean isFirstAttribute()
        True if the first attribute of the resource entry is being evaluated.
        Returns:
        True if this is the first attribute.
      • setIsFirstAttribute

        void setIsFirstAttribute​(boolean isFirst)
        Set to true if the first attribute of the resource entry is being evaluated.
        Parameters:
        isFirst - True if this is the first attribute of the resource entry being evaluated.
      • setCurrentAttributeType

        void setCurrentAttributeType​(AttributeType type)
        Set the attribute type to be evaluated.
        Parameters:
        type - The attribute type to set to.
      • setCurrentAttributeValue

        void setCurrentAttributeValue​(ByteString v)
        Set the attribute value to be evaluated.
        Parameters:
        v - The current attribute value to set to.
      • setEntryTestRule

        void setEntryTestRule​(boolean val)
        Set to true if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.
        Parameters:
        val - True if an entry test rule was found.
      • hasEntryTestRule

        boolean hasEntryTestRule()
        True if an entry test rule was found.
        Returns:
        True if an entry test rule was found.
      • getRights

        int getRights()
        Return the rights for this container's LDAP operation.
        Returns:
        The rights for the container's LDAP operation.
      • getControlOID

        String getControlOID()
        Return the OID (Object Identifier) string of the control being evaluated.
        Returns:
        The OID string of the control being evaluated.
      • getExtOpOID

        String getExtOpOID()
        Return the OID (Object Identifier) string of the extended operation being evaluated.
        Returns:
        The OID string of the extended operation being evaluated.
      • hasRights

        boolean hasRights​(int rights)
        Check whether the container's rights include the specified rights.
        Parameters:
        rights - The rights to check for.
        Returns:
        True if the container's rights include the specified rights.
      • setRights

        void setRights​(int rights)
        Set the rights of the container to the specified rights.
        Parameters:
        rights - The rights to set the container's rights to.
      • setTargAttrFiltersMatch

        void setTargAttrFiltersMatch​(boolean v)
        Set to true if the ACI had a targattrfilters rule that matched.
        Parameters:
        v - The value to use.
      • getTargAttrFiltersMatch

        boolean getTargAttrFiltersMatch()
        Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilters rule that matched.
        Returns:
        True if the ACI had a targattrfilters rule that matched.
      • addTargAttrFiltersMatchAci

        void addTargAttrFiltersMatchAci​(Aci aci)
        Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that possibly might evaluate to true.
        Parameters:
        aci - The ACI to save.
      • setTargAttrFiltersAciName

        void setTargAttrFiltersAciName​(String name)
        Save the name of the last ACI that matched a targattrfilters rule. This is used by geteffectiverights evaluation.
        Parameters:
        name - The ACI's name to save.
      • isGetEffectiveRightsEval

        boolean isGetEffectiveRightsEval()
        Return true if the match context is performing a geteffectiverights evaluation.
        Returns:
        True if a match context is evaluating geteffectiverights.
      • setEvalUserAttributes

        void setEvalUserAttributes​(int v)
        This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped is when a single ACI matched using a targetattr all user attributes rule and the attribute type being checked is not operational.
        Parameters:
        v - The value to set the mask to.
      • setEvalOpAttributes

        void setEvalOpAttributes​(int v)
        This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being checked is operational.
        Parameters:
        v - The value to set the mask to.
      • hasEvalUserAttributes

        boolean hasEvalUserAttributes()
        Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule, or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched.
        Returns:
        True if the above condition was seen.
      • hasEvalOpAttributes

        boolean hasEvalOpAttributes()
        Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule, or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched.
        Returns:
        True if the above condition was seen.
      • clearEvalAttributes

        void clearEvalAttributes​(int v)
        Used to clear the mask used to detect if access checking needs to be performed on individual attribute types. The specified value is cleared from the mask, or, if the value equals 0, the mask is completely cleared.
        Parameters:
        v - The flag to clear or 0 to set the mask to 0.
      • getServerContext

        ServerContext getServerContext()
        Return the server context.
        Returns:
        The server context.