Interface AciEvalContext


public interface AciEvalContext
Interface that provides a view of the AciContainer that is used by the ACI evaluation code to evaluate an ACI.
  • Method Details

    • getClientDN

      Dn getClientDN()
      Get client DN. The client DN is the authorization DN.
      Returns:
      The client DN.
    • getClientEntry

      Entry getClientEntry()
      Get the client entry. The client entry is the entry that corresponds to the client DN.
      Returns:
      The client entry corresponding to the client DN.
    • getResourceDN

      Dn getResourceDN()
      Get the resource DN. The resource DN is the DN of the entry being evaluated.
      Returns:
      The resource DN.
    • getDenyList

      List<Aci> getDenyList()
      Get the list of deny ACIs.
      Returns:
      The deny ACI list.
    • getAllowList

      List<Aci> getAllowList()
      Get the list of allow ACIs.
      Returns:
      The allow ACI list.
    • isDenyEval

      boolean isDenyEval()
      Returns true if the deny list is being evaluated.
      Returns:
      True if the deny list is being evaluated.
    • isAnonymousUser

      boolean isAnonymousUser()
      Check if the remote client is bound anonymously.
      Returns:
      true if client is bound anonymously.
    • getRights

      int getRights()
      Return the rights set for this container's LDAP operation.
      Returns:
      The rights set for the container's LDAP operation.
    • getResourceEntry

      Entry getResourceEntry()
      Return the entry being evaluated.
      Returns:
      The evaluation entry.
    • getHostName

      String getHostName()
      Get the hostname of the bound connection.
      Returns:
      The hostname of the connection.
    • hasAuthenticationMethod

      boolean hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod, String saslMech)
      Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.
      Parameters:
      authMethod - The required authentication method.
      saslMech - The required SASL mechanism if the authentication method is SASL.
      Returns:
      An evaluation result indicating whether the client connection has been authenticated using the required authentication method.
    • getRemoteAddress

      InetAddress getRemoteAddress()
      Get the address of the bound connection.
      Returns:
      The address of the bound connection.
    • isAddOperation

      boolean isAddOperation()
      Return true if this is an add operation. Needed by the userattr USERDN parent inheritance level 0 processing.
      Returns:
      true if this is an add operation.
    • isMemberOf

      boolean isMemberOf(Group group)
      Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.
      Parameters:
      group - The group to check membership in.
      Returns:
      true if the authorization DN of the operation is a member of the specified group.
    • isTargAttrFilterMatchAciEmpty

      boolean isTargAttrFilterMatchAciEmpty()
      Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
      Returns:
      true if there were not any ACIs that matched targattrfilters keyword evaluation.
    • hasTargAttrFiltersMatchAci

      boolean hasTargAttrFiltersMatchAci(Aci aci)
      The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
      Parameters:
      aci - The ACI to check for a match during targattrfilters keyword evaluation.
      Returns:
      true if a specified ACI matched targattrfilters evaluation.
    • hasTargAttrFiltersMatchOp

      boolean hasTargAttrFiltersMatchOp(int flag)
      Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
      Parameters:
      flag - The integer value specifying either a deny or allow, but not both.
      Returns:
      true if the ACI has a targattrfilters keyword.
    • isGetEffectiveRightsEval

      boolean isGetEffectiveRightsEval()
      Returns true if the evaluation context is being used in a geteffectiverights control evaluation.
      Returns:
      true if the evaluation context is being used in a geteffectiverights control evaluation.
    • setTargAttrFiltersAciName

      void setTargAttrFiltersAciName(String name)
      Set the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control targattrfilters "write" evaluation.
      Parameters:
      name - The ACI name string matching the targattrfilters rule.
    • setTargAttrFiltersMatchOp

      void setTargAttrFiltersMatchOp(int flag)
      Set a flag that specifies that an ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.
      Parameters:
      flag - Either the integer value representing an allow or a deny, but not both.
    • setEvaluationResult

      void setEvaluationResult(EnumEvalReason reason, Aci decidingAci)
      Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to eventually build the summary string.
      Parameters:
      reason - The enumeration representing the reason of the last access evaluation.
      decidingAci - The ACI that decided the last access evaluation.
    • getEvalReason

      EnumEvalReason getEvalReason()
      Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to build the summary string.
      Returns:
      The enumeration representing the reason of the last access evaluation.
    • hasRights

      boolean hasRights(int rights)
      Check if an evaluation context contains a set of access rights.
      Parameters:
      rights - The rights mask to check.
      Returns:
      true if the evaluation context contains an access right set.
    • getDecidingAciName

      String getDecidingAciName()
      Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights control evaluation to build the summary string.
      Returns:
      The name of the ACI that decided the last access evaluation.
    • getCurrentAttributeType

      AttributeType getCurrentAttributeType()
      Get the current attribute type being evaluated.
      Returns:
      The attribute type currently being evaluated.
    • setEvalSummary

      void setEvalSummary(String summary)
      Set the value of the summary string to the specified string. Used in geteffectiverights evaluation to build the summary string.
      Parameters:
      summary - The string to set the summary string to.
    • getEvalSummary

      String getEvalSummary()
      Return the access evaluation summary string. Used in a geteffectiverights control evaluation when an aclRightsInfo attribute was specified in a search request.
      Returns:
      The string describing the access evaluation.
    • rightToString

      String rightToString()
      Return a string representation of the current right being evaluated. Used in geteffectiverights control evaluation to build summary string.
      Returns:
      String representation of the current right being evaluated.
    • getTargAttrFiltersAciName

      String getTargAttrFiltersAciName()
      Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control evaluation.
      Returns:
      The name of the ACI that last matched a targattrfilters rule.
    • getCurrentSSF

      int getCurrentSSF()
      Return the current SSF (Security Strength Factor) of the underlying connection.
      Returns:
      The current SSF of the connection.
    • getServerContext

      ServerContext getServerContext()
      Return the server context.
      Returns:
      the server context
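
How an evaluator might consume the deny list, the allow list and the evaluation result documented above, as an added sketch that is not OpenDJ's own code. The `Reason` members, the `Aci` record, the `Ctx` class, the rights bit values and the deny-before-allow order are assumptions made for illustration; only the method names come from this page.

```java
import java.util.List;

public class AciEvalSketch {
    // Hypothetical stand-ins: the real Aci and EnumEvalReason members are not shown on this page.
    enum Reason { DENY_ACI_MATCHED, ALLOW_ACI_MATCHED, NO_ALLOW_ACI_MATCHED }
    record Aci(String name, int rights, boolean bindRuleMatches) {}
    static final int READ = 1, WRITE = 2; // constructed rights bits, not the server's values

    // Minimal context exposing a subset of the methods documented above.
    static class Ctx {
        final List<Aci> deny, allow; final int rights;
        Reason reason; Aci deciding;
        Ctx(List<Aci> deny, List<Aci> allow, int rights) { this.deny = deny; this.allow = allow; this.rights = rights; }
        List<Aci> getDenyList() { return deny; }
        List<Aci> getAllowList() { return allow; }
        int getRights() { return rights; }
        void setEvaluationResult(Reason r, Aci a) { reason = r; deciding = a; }
        Reason getEvalReason() { return reason; }
        String getDecidingAciName() { return deciding == null ? null : deciding.name(); }
    }

    // An ACI applies when it covers the operation's rights and its bind rule matched.
    static boolean applies(Aci aci, Ctx ctx) {
        return (aci.rights() & ctx.getRights()) != 0 && aci.bindRuleMatches();
    }

    // Assumed order: a matching deny ACI decides first; otherwise an allow ACI must match.
    static boolean accessAllowed(Ctx ctx) {
        for (Aci aci : ctx.getDenyList())
            if (applies(aci, ctx)) { ctx.setEvaluationResult(Reason.DENY_ACI_MATCHED, aci); return false; }
        for (Aci aci : ctx.getAllowList())
            if (applies(aci, ctx)) { ctx.setEvaluationResult(Reason.ALLOW_ACI_MATCHED, aci); return true; }
        ctx.setEvaluationResult(Reason.NO_ALLOW_ACI_MATCHED, null); // nothing granted: refuse
        return false;
    }

    public static void main(String[] args) {
        Aci denyWrite = new Aci("deny-write", WRITE, true);      // constructed sample ACIs
        Aci allowAll = new Aci("allow-all", READ | WRITE, true);
        for (int op : new int[] { READ, WRITE }) {
            Ctx ctx = new Ctx(List.of(denyWrite), List.of(allowAll), op);
            boolean ok = accessAllowed(ctx);
            System.out.println(op + " allowed=" + ok + " reason=" + ctx.getEvalReason()
                + " decidingAci=" + ctx.getDecidingAciName());
        }
    }
}
```

Recording the reason and the deciding ACI on every path, including the refusal when no allow ACI matched, is what lets a geteffectiverights summary explain a decision rather than only report it.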