Class PolicyBasedAccessControlHandler
- java.lang.Object
-
- org.opends.server.api.AccessControlHandler<PolicyBasedAccessControlHandlerCfg>
-
- org.opends.server.authorization.policy.PolicyBasedAccessControlHandler
-
- All Implemented Interfaces:
RequestFilter
public final class PolicyBasedAccessControlHandler extends AccessControlHandler<PolicyBasedAccessControlHandlerCfg> implements RequestFilter
Provides coarse grained access control for all operations, regardless of whether they are destined for local or proxy backends. This class is responsible for managing the global access control policy configuration. Access control decisions are the responsibility of theAccessController
.Implementation notes: this class provides two policy enforcement points. Firstly, it inserts itself in the global router filter chain by invoking
PolicyBasedAccessControlRequestFilter.enable(RequestFilter)
, where it is able to intercept all requests before they are processed by the global router. Secondly, as a side-effect of implementing theAccessControlHandler
interface, it is also invoked at the local backend layer, after the router. However, there is no additional access control performed.
-
-
Constructor Summary
Constructors Constructor Description PolicyBasedAccessControlHandler()
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description boolean
canDiscloseInformation(Entry entry, Dn entryDN, Operation operation)
Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.Flowable<Response>
filter(org.forgerock.services.context.Context context, Request request, RequestHandler next)
Filters the request and/or response of an exchange.void
finalizeAccessControlHandler()
Performs any necessary finalization for the access control handler implementation.void
initializeAccessControlHandler(PolicyBasedAccessControlHandlerCfg configuration, ServerContext serverContext)
Initializes the access control handler implementation based on the information in the provided configuration entry.boolean
isAllowed(Dn dn, Operation op, Control control)
Indicates whether the provided control is allowed based on the access control configuration and the specified operation.boolean
isAllowed(AddOperation addOperation)
Indicates whether the provided add operation is allowed based on the access control configuration.boolean
isAllowed(BindOperation bindOperation)
Indicates whether the provided bind operation is allowed based on the access control configuration.boolean
isAllowed(CompareOperation compareOperation)
Indicates whether the provided compare operation is allowed based on the access control configuration.boolean
isAllowed(DeleteOperation deleteOperation)
Indicates whether the provided delete operation is allowed based on the access control configuration.boolean
isAllowed(ExtendedOperation extendedOperation)
Indicates whether the provided extended operation is allowed based on the access control configuration.boolean
isAllowed(ModifyDnOperation modifyDnOperation)
Indicates whether the provided modify DN operation is allowed based on the access control configuration.boolean
isAllowed(ModifyOperation modifyOperation)
Indicates whether the provided modify operation is allowed based on the access control configuration.boolean
isAllowed(SearchOperation searchOperation)
Indicates whether the provided search operation is allowed based on the access control configuration.boolean
isAllowed(Operation operation, Entry entry, Filter filter)
Indicates whether the provided operation search filter is allowed based on the access control configuration.boolean
isConfigurationAcceptable(PolicyBasedAccessControlHandlerCfg configuration, List<LocalizableMessage> unacceptableReasons, ServerContext serverContext)
Indicates whether the provided configuration is acceptable for this access control handler.boolean
mayProxy(Entry proxyUser, Entry proxiedUser, Operation operation, ServerContext serverContext)
Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry.boolean
maySend(Dn dn, Operation operation, SearchResultReference searchReference)
Indicates whether the provided search result reference may be sent to the client based on the access control configuration.boolean
maySend(Operation operation, Entry unfilteredEntry)
Indicates whether the provided search result entry may be sent to the client.-
Methods inherited from class org.opends.server.api.AccessControlHandler
filterEntry, skipAccessCheck
-
-
-
-
Method Detail
-
initializeAccessControlHandler
public void initializeAccessControlHandler(PolicyBasedAccessControlHandlerCfg configuration, ServerContext serverContext) throws ConfigException
Description copied from class:AccessControlHandler
Initializes the access control handler implementation based on the information in the provided configuration entry.- Overrides:
initializeAccessControlHandler
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
configuration
- The configuration object that contains the information to use to initialize this access control handler.serverContext
- the server context for this Directory Server instance.- Throws:
ConfigException
- If an unrecoverable problem arises in the process of performing the initialization.
-
isConfigurationAcceptable
public boolean isConfigurationAcceptable(PolicyBasedAccessControlHandlerCfg configuration, List<LocalizableMessage> unacceptableReasons, ServerContext serverContext)
Description copied from class:AccessControlHandler
Indicates whether the provided configuration is acceptable for this access control handler. It should be possible to call this method on an uninitialized access control handler instance in order to determine whether the handler would be able to use the provided configuration.- Overrides:
isConfigurationAcceptable
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
configuration
- The access control handler configuration for which to make the determination.unacceptableReasons
- A list that may be used to hold the reasons that the provided configuration is not acceptable.serverContext
- the server context for this Directory Server instance.- Returns:
true
if the provided configuration is acceptable for this access control handler, orfalse
if not.
-
finalizeAccessControlHandler
public void finalizeAccessControlHandler()
Description copied from class:AccessControlHandler
Performs any necessary finalization for the access control handler implementation. This will be called just after the handler has been deregistered with the server but before it has been unloaded.- Overrides:
finalizeAccessControlHandler
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
-
filter
public Flowable<Response> filter(org.forgerock.services.context.Context context, Request request, RequestHandler next) throws Exception
Description copied from interface:RequestFilter
Filters the request and/or response of an exchange. To pass the request to the next filter or handler in the chain, the filter callsnext.handle(context, request)
.This method may elect not to pass the request to the next filter or handler, and instead handle the request itself. It can achieve this by merely avoiding a call to
next.handle(context, request)
and creating its own response object. The filter is also at liberty to replace a response with another of its own by intercepting the response returned by the next handler.- Specified by:
filter
in interfaceRequestFilter
- Parameters:
context
- The request context.request
- The request.next
- The next filter or handler in the chain to handle the request.- Returns:
- A
Flowable
representing the response to be returned to the client. - Throws:
Exception
- If an error occurred during the processing of the request.
-
canDiscloseInformation
public boolean canDiscloseInformation(Entry entry, Dn entryDN, Operation operation)
Description copied from class:AccessControlHandler
Checks whether the ACIs prevent sending information about the provided entry, or entryDN if entry is null.- Overrides:
canDiscloseInformation
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
entry
- the entry for which to check if ACIs prevent information disclosure, if null, then a fake entry will be created from the entryDN parameterentryDN
- the entry dn for which to check if ACIs prevent information disclosure. Only used if entry is null.operation
- the operation for which to check if ACIs prevent information disclosure- Returns:
- true if the information for this entry can be disclosed, false otherwise.
-
isAllowed
public boolean isAllowed(AddOperation addOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided add operation is allowed based on the access control configuration. This method should not alter the provided add operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
addOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(Dn dn, Operation op, Control control)
Description copied from class:AccessControlHandler
Indicates whether the provided control is allowed based on the access control configuration and the specified operation. This method should not alter the provided operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
dn
- A DN that can be used in the access determination.op
- The operation to use in the determination.control
- The control for which to make the determination.- Returns:
true
if the control should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(BindOperation bindOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided bind operation is allowed based on the access control configuration. This method should not alter the provided bind operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
bindOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(CompareOperation compareOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided compare operation is allowed based on the access control configuration. This method should not alter the provided compare operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
compareOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(DeleteOperation deleteOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided delete operation is allowed based on the access control configuration. This method should not alter the provided delete operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
deleteOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(ExtendedOperation extendedOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided extended operation is allowed based on the access control configuration. This method should not alter the provided extended operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
extendedOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(ModifyOperation modifyOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided modify operation is allowed based on the access control configuration. This method should not alter the provided modify operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
modifyOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(ModifyDnOperation modifyDnOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided modify DN operation is allowed based on the access control configuration. This method should not alter the provided modify DN operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
modifyDnOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(SearchOperation searchOperation)
Description copied from class:AccessControlHandler
Indicates whether the provided search operation is allowed based on the access control configuration. This method may only alter the provided search operation in order to add an opaque block of data to it that will be made available for use in determining whether matching search result entries or search result references may be allowed.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
searchOperation
- The operation for which to make the determination.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
isAllowed
public boolean isAllowed(Operation operation, Entry entry, Filter filter)
Description copied from class:AccessControlHandler
Indicates whether the provided operation search filter is allowed based on the access control configuration. This method should not alter the provided operation in any way.- Overrides:
isAllowed
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
operation
- The operation for which to make the determination.entry
- The entry for which to make the determination.filter
- The filter to check access on.- Returns:
true
if the operation should be allowed by the access control configuration, orfalse
if not.
-
maySend
public boolean maySend(Operation operation, Entry unfilteredEntry)
Description copied from class:AccessControlHandler
Indicates whether the provided search result entry may be sent to the client. Implementations must not under any circumstances modify the search entry in any way.- Overrides:
maySend
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
operation
- The operation currently being processed (this will usually be a search, but may be other types of operation when pre/post read controls are used).unfilteredEntry
- The result entry before any attribute filtering.- Returns:
true
if the access control configuration allows the entry to be returned to the client, orfalse
if not.
-
maySend
public boolean maySend(Dn dn, Operation operation, SearchResultReference searchReference)
Description copied from class:AccessControlHandler
Indicates whether the provided search result reference may be sent to the client based on the access control configuration.- Overrides:
maySend
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
dn
- A DN that can be used in the access determination.operation
- The operation with which the provided reference is associated.searchReference
- The search result reference for which to make the determination.- Returns:
true
if the access control configuration allows the reference to be returned to the client, orfalse
if not.
-
mayProxy
public boolean mayProxy(Entry proxyUser, Entry proxiedUser, Operation operation, ServerContext serverContext)
Description copied from class:AccessControlHandler
Indicates if the specified proxy user entry can proxy, or act on the behalf of the specified proxied user entry. The operation parameter is used in the evaluation.- Overrides:
mayProxy
in classAccessControlHandler<PolicyBasedAccessControlHandlerCfg>
- Parameters:
proxyUser
- The entry to use as the proxy user.proxiedUser
- The entry to be proxied by the proxy user.operation
- The operation to use in the evaluation.serverContext
- The server context.- Returns:
true
if the access control configuration allows the proxy user to proxy the proxied user, orfalse
if not.
-
-