Interface AciTargetMatchContext


public interface AciTargetMatchContext
The AciTargetMatchContext interface provides a view of an AciContainer that exposes the information used by the Aci.isApplicable() method to determine whether an ACI is applicable (that is, its targets match) to the LDAP operation, the operation rights, and the entry and attributes on which access is being checked.
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addTargAttrFiltersMatchAci(Aci aci)
    Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched.
    void
    clearEvalAttributes(int v)
    Used to clear the mask used to detect if access checking needs to be performed on individual attribute types.
    String
    getControlOID()
    Return the OID (Object Identifier) string of the control being evaluated.
    AttributeType
    getCurrentAttributeType()
    Get the current attribute type being evaluated.
    ByteString
    getCurrentAttributeValue()
    The current attribute type value being evaluated.
    String
    getExtOpOID()
    Return the OID (Object Identifier) string of the extended operation being evaluated.
    Entry
    getResourceEntry()
    Get the entry being evaluated.
    int
    getRights()
    Return the rights for this container's LDAP operation.
    ServerContext
    getServerContext()
    Return the server context.
    boolean
    getTargAttrFiltersMatch()
    Return the value of the targAttrFiltersMatch variable.
    boolean
    hasEntryTestRule()
    True if an entry test rule was found.
    boolean
    hasEvalOpAttributes()
    Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched.
    boolean
    hasEvalUserAttributes()
    Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched.
    boolean
    hasRights(int rights)
    Checks if the container's rights include the specified rights.
    boolean
    isFirstAttribute()
    True if the first attribute of the resource entry is being evaluated.
    boolean
    isGetEffectiveRightsEval()
    Returns true if a match context is performing a geteffectiverights evaluation.
    void
    setAllowList(List<Aci> allowList)
    Set the allow ACI list.
    void
    setCurrentAttributeType(AttributeType type)
    Set the attribute type to be evaluated.
    void
    setCurrentAttributeValue(ByteString v)
    Set the attribute value to be evaluated.
    void
    setDenyList(List<Aci> denyList)
    Set the deny ACI list.
    void
    setEntryTestRule(boolean val)
    True if the target matching code found an entry test rule.
    void
    setEvalOpAttributes(int v)
    This method toggles a mask that indicates whether access checking of individual operational attributes may be skipped, depending on whether there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
    void
    setEvalUserAttributes(int v)
    This method toggles a mask that indicates whether access checking of individual user attributes may be skipped, depending on whether there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
    void
    setIsFirstAttribute(boolean isFirst)
    Set to true if the first attribute of the resource entry is being evaluated.
    void
    setRights(int rights)
    Set the rights of the container to the specified rights.
    void
    setTargAttrFiltersAciName(String name)
    Save the name of the last ACI that matched a targattrfilters rule.
    void
    setTargAttrFiltersMatch(boolean v)
    Set to true if the ACI had a targattrfilters rule that matched.
  • Method Details

    • setDenyList

      void setDenyList(List<Aci> denyList)
      Set the deny ACI list.
      Parameters:
      denyList - The deny ACI list.
    • setAllowList

      void setAllowList(List<Aci> allowList)
      Set the allow ACI list.
      Parameters:
      allowList - The list of allow ACIs.
    • getResourceEntry

      Entry getResourceEntry()
      Get the entry being evaluated. This is known as the resource entry.
      Returns:
      The entry being evaluated.
    • getCurrentAttributeType

      AttributeType getCurrentAttributeType()
      Get the current attribute type being evaluated.
      Returns:
      The attribute type being evaluated.
    • getCurrentAttributeValue

      ByteString getCurrentAttributeValue()
      The current attribute type value being evaluated.
      Returns:
      The current attribute type value being evaluated.
    • isFirstAttribute

      boolean isFirstAttribute()
      True if the first attribute of the resource entry is being evaluated.
      Returns:
      True if this is the first attribute.
    • setIsFirstAttribute

      void setIsFirstAttribute(boolean isFirst)
      Set to true if the first attribute of the resource entry is being evaluated.
      Parameters:
      isFirst - True if this is the first attribute of the resource entry being evaluated.
    • setCurrentAttributeType

      void setCurrentAttributeType(AttributeType type)
      Set the attribute type to be evaluated.
      Parameters:
      type - The attribute type to set to.
    • setCurrentAttributeValue

      void setCurrentAttributeValue(ByteString v)
      Set the attribute value to be evaluated.
      Parameters:
      v - The current attribute value to set to.
    • setEntryTestRule

      void setEntryTestRule(boolean val)
      True if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.
      Parameters:
      val - True if an entry test rule was found.
    • hasEntryTestRule

      boolean hasEntryTestRule()
      True if an entry test rule was found.
      Returns:
      True if an entry test rule was found.
    • getRights

      int getRights()
      Return the rights for this container's LDAP operation.
      Returns:
      The rights for the container's LDAP operation.
    • getControlOID

      String getControlOID()
      Return the OID (Object Identifier) string of the control being evaluated.
      Returns:
      The OID string of the control being evaluated.
    • getExtOpOID

      String getExtOpOID()
      Return the OID (Object Identifier) string of the extended operation being evaluated.
      Returns:
      The OID string of the extended operation being evaluated.
    • hasRights

      boolean hasRights(int rights)
      Checks if the container's rights include the specified rights.
      Parameters:
      rights - The rights to check for.
      Returns:
      True if the container's rights include the specified rights.
    • setRights

      void setRights(int rights)
      Set the rights of the container to the specified rights.
      Parameters:
      rights - The rights to set the container's rights to.
    • setTargAttrFiltersMatch

      void setTargAttrFiltersMatch(boolean v)
      Set to true if the ACI had a targattrfilters rule that matched.
      Parameters:
      v - The value to use.
    • getTargAttrFiltersMatch

      boolean getTargAttrFiltersMatch()
      Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilters rule that matched.
      Returns:
      True if the ACI had a targattrfilters rule that matched.
    • addTargAttrFiltersMatchAci

      void addTargAttrFiltersMatchAci(Aci aci)
      Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that possibly might evaluate to true.
      Parameters:
      aci - The ACI to save.
    • setTargAttrFiltersAciName

      void setTargAttrFiltersAciName(String name)
      Save the name of the last ACI that matched a targattrfilters rule. This is used by geteffectiverights evaluation.
      Parameters:
      name - The ACI's name to save.
    • isGetEffectiveRightsEval

      boolean isGetEffectiveRightsEval()
      Returns true if a match context is performing a geteffectiverights evaluation.
      Returns:
      True if a match context is evaluating geteffectiverights.
    • setEvalUserAttributes

      void setEvalUserAttributes(int v)
      This method toggles a mask that indicates whether access checking of individual user attributes may be skipped, depending on whether there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped is when a single ACI matched using a targetattr all user attributes rule and the attribute type being checked is not operational.
      Parameters:
      v - The value to set the mask to.
    • setEvalOpAttributes

      void setEvalOpAttributes(int v)
      This method toggles a mask that indicates whether access checking of individual operational attributes may be skipped, depending on whether there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being checked is operational.
      Parameters:
      v - The value to set the mask to.
    • hasEvalUserAttributes

      boolean hasEvalUserAttributes()
      Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule or both a targetattr all user attributes rule matched and an explicitly defined targetattr target rule matched.
      Returns:
      True if the above condition was seen.
    • hasEvalOpAttributes

      boolean hasEvalOpAttributes()
      Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and an explicitly defined targetattr target rule matched.
      Returns:
      True if the above condition was seen.
    • clearEvalAttributes

      void clearEvalAttributes(int v)
      Used to clear the mask used to detect if access checking needs to be performed on individual attribute types. The specified value is cleared from the mask, or if the value equals 0 the mask is completely cleared.
      Parameters:
      v - The flag to clear or 0 to set the mask to 0.
    • getServerContext

      ServerContext getServerContext()
      Return the server context.
      Returns:
      The server context.