Class AciEffectiveRights


  • public final class AciEffectiveRights
    extends Object
    This class implements the dseecompat geteffectiverights evaluation.
    • Method Detail

      • addRightsToEntry

        public static void addRightsToEntry​(AciHandler handler,
                                            Set<String> searchAttributes,
                                            org.opends.server.authorization.dseecompat.AciLDAPOperationContainer container,
                                            Entry e,
                                            boolean skipCheck,
                                            Schema schema)
        Attempts to add the geteffectiverights attributes asked for in the search to the entry being returned. The two geteffectiverights attributes that can be requested are aclRights and aclRightsInfo. The aclRightsInfo attribute returns a human-readable summary string describing each requested evaluation result. Here is a sample aclRightsInfo summary:
         
         acl_summary(main): access_not_allowed(proxy) on entry/attr(uid=proxieduser,ou=acis,dc=example,dc=com, NULL)
         to (uid=superuser,ou=acis,dc=example,dc=com) (not proxied) (reason: no acis matched the resource )
         
         
        The aclRights attribute will return a simple string with the following format:
         
         add:0,delete:0,read:1,write:?,proxy:0
         
         
        A 0 represents access denied, 1 access allowed, and ? that the evaluation depends on the value of an attribute (a targattrfilters keyword is present in the ACI).

        There are two levels of rights information:

        1. entryLevel - entry level rights information
        2. attributeLevel - attribute level rights information

        The attribute type names are built up using subtypes:

        aclRights;entryLevel
          aclRights entry level presentation.
        aclRightsInfo;log;entryLevel;{right}
          aclRightsInfo entry level presentation for each type of right (proxy, read, write, add, delete).
        aclRights;attributeLevel;{attributeType name}
          aclRights attribute level presentation for each attribute type requested.
        aclRights;attributeLevel;logs;{right};{attributeType name}
          aclRightsInfo attribute level presentation for each attribute type requested.
        Parameters:
        handler - The ACI handler to use in the evaluation.
        searchAttributes - The attributes requested in the search.
        container - The LDAP operation container to use in the evaluations.
        e - The entry to add the rights attributes to.
        skipCheck - True if ACI evaluation was skipped because bypass-acl privilege was found.
        schema - The schema to use
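        The following is an added example, not code from OpenDJ or from this class: a client-side Python parser for the attributes that addRightsToEntry produces. It splits the subtyped attribute names (aclRights;entryLevel, aclRightsInfo;log;entryLevel;{right}, aclRights;attributeLevel;{attributeType name}, and the logs form), decodes the 0/1/? rights string, and breaks the aclRightsInfo summary into fields so a caller can tell "denied" from "depends on an attribute value" before acting on the result. The sample entry values are constructed for the example; the right names used at attribute level, and the assumption that the decision token is either access_allowed or access_not_allowed, are not stated on this page.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Value codes of an aclRights string as documented above.
# None stands for '?': the decision depends on an attribute value (targattrfilters).
RIGHT_CODES = {"0": False, "1": True, "?": None}

# Field layout of an aclRightsInfo summary, derived from the sample above.
# Assumption: the decision token is access_allowed or access_not_allowed.
SUMMARY_RE = re.compile(
    r"acl_summary\((?P<source>\w+)\):\s*"
    r"(?P<decision>access_\w+)\((?P<right>\w+)\)\s+"
    r"on entry/attr\((?P<entry>.*?),\s*(?P<attr>[^,)]*)\)\s+"
    r"to \((?P<bind_dn>[^)]*)\)\s+"
    r"\((?P<proxied>[^)]*)\)\s+"
    r"\(reason:\s*(?P<reason>.*?)\s*\)\s*$"
)

# Constructed sample of what one returned entry might carry. The aclRightsInfo
# value is the page's sample summary; the other values are made up.
SAMPLE_SUMMARY = (
    "acl_summary(main): access_not_allowed(proxy) on entry/attr"
    "(uid=proxieduser,ou=acis,dc=example,dc=com, NULL) "
    "to (uid=superuser,ou=acis,dc=example,dc=com) (not proxied) "
    "(reason: no acis matched the resource )"
)
SAMPLE_ENTRY: List[Tuple[str, str]] = [
    ("dn", "uid=proxieduser,ou=acis,dc=example,dc=com"),
    ("aclRights;entryLevel", "add:0,delete:0,read:1,write:?,proxy:0"),
    ("aclRights;attributeLevel;cn", "read:1,write:?,proxy:0"),  # assumed attribute-level right names
    ("aclRightsInfo;log;entryLevel;proxy", SAMPLE_SUMMARY),
]


def parse_acl_rights(value: str) -> Dict[str, Optional[bool]]:
    """Parse 'add:0,delete:0,read:1,write:?,proxy:0' into {right: True|False|None}."""
    rights: Dict[str, Optional[bool]] = {}
    for token in value.split(","):
        name, sep, code = token.strip().partition(":")
        if not sep or code not in RIGHT_CODES:
            raise ValueError(f"malformed aclRights token: {token!r}")
        rights[name] = RIGHT_CODES[code]
    return rights


def uncertain_rights(rights: Dict[str, Optional[bool]]) -> List[str]:
    """Rights reported as '?': the grant still hinges on attribute values, so do not treat them as allowed."""
    return [name for name, granted in rights.items() if granted is None]


def parse_rights_attribute_name(attr: str) -> Optional[Tuple[str, str, Optional[str], Optional[str]]]:
    """Split a subtyped name into (base, level, right, attributeType); None if not an effective-rights attribute.

    LDAP attribute options are case-insensitive, so option tokens are compared lower-cased.
    """
    base, *options = attr.split(";")
    if base.lower() not in ("aclrights", "aclrightsinfo"):
        return None
    markers = {"entrylevel", "attributelevel", "log", "logs"}
    level = next((o.lower() for o in options if o.lower() in ("entrylevel", "attributelevel")), None)
    if level is None:
        return None
    is_log = any(o.lower() in ("log", "logs") for o in options)
    rest = [o for o in options if o.lower() not in markers]  # what remains is {right} and/or {attributeType}
    right = attr_type = None
    if level == "entrylevel":
        right = rest[0] if is_log and rest else None
    elif is_log and len(rest) >= 2:
        right, attr_type = rest[0], rest[1]
    elif rest:
        attr_type = rest[0]
    return base.lower(), level, right, attr_type


def parse_summary(text: str) -> Dict[str, Any]:
    """Break an aclRightsInfo summary into fields; 'allowed' and 'proxied' are derived booleans."""
    m = SUMMARY_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised aclRightsInfo summary: {text!r}")
    fields: Dict[str, Any] = m.groupdict()
    fields["allowed"] = fields["decision"] == "access_allowed"
    fields["proxied"] = fields["proxied"] != "not proxied"
    return fields


def effective_rights(entry_attrs: List[Tuple[str, str]]) -> Dict[str, Any]:
    """Group one entry's effective-rights attributes into entry-level, per-attribute and log sections."""
    result: Dict[str, Any] = {"entry": {}, "attributes": {}, "logs": []}
    for name, value in entry_attrs:
        parsed = parse_rights_attribute_name(name)
        if parsed is None:
            continue  # ordinary attribute such as dn or cn
        base, level, right, attr_type = parsed
        if base == "aclrights":
            rights = parse_acl_rights(value)
            if level == "entrylevel":
                result["entry"] = rights
            elif attr_type is not None:
                result["attributes"][attr_type] = rights
        else:
            result["logs"].append({"level": level, "right": right, "attr_type": attr_type,
                                   "summary": parse_summary(value)})
    return result


if __name__ == "__main__":
    rights = effective_rights(SAMPLE_ENTRY)
    print("entry-level:", rights["entry"])
    print("depends on attribute values:", uncertain_rights(rights["entry"]))
    for log in rights["logs"]:
        s = log["summary"]
        print(f"{log['right']}: allowed={s['allowed']} proxied={s['proxied']} reason={s['reason']!r}")
```

        A value of ? is deliberately decoded as None rather than False so that code which only checks for True does not silently treat a targattrfilters-dependent right as granted; callers that need a definite answer should re-run the evaluation with the attribute value in hand.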
      • createSummary

        public static String createSummary​(AciEvalContext evalCtx,
                                           boolean evalRet)
        Creates the summary string used as the value of the aclRightsInfo log attribute.
        Parameters:
        evalCtx - The evaluation context to gather information from.
        evalRet - The value returned from the access evaluation.
        Returns:
        A summary of the ACI evaluation
      • setTargAttrAci

        public static boolean setTargAttrAci​(AciEvalContext evalCtx,
                                             Aci aci,
                                             boolean denyAci)
        If the specified ACI is in the targattrfilters hashtable contained in the evaluation context, sets the evaluation context's targattrfilters match variable to ACL_TARGATTR_DENY_MATCH when denyAci is true, or to ACL_TARGATTR_ALLOW_MATCH when it is false. Nothing is set when the ACI is not in the table.
        Parameters:
        evalCtx - The evaluation context to evaluate and save information to.
        aci - The ACI to match.
        denyAci - True if the ACI was evaluated as a deny ACI (records ACL_TARGATTR_DENY_MATCH), false if it was evaluated as an allow ACI (records ACL_TARGATTR_ALLOW_MATCH). The value is ignored when the ACI is not in the table.
        Returns:
        True if the ACI was found in the hashtable.
      • finalizeOnShutdown

        public static void finalizeOnShutdown()
        Finalizes static variables on shutdown so that the memory associated with them is released (for the unit tests) and fresh copies are created on an in-core restart.