/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008 Sun Microsystems, Inc.
 * Portions Copyright 2014-2016 ForgeRock AS.
 */
package org.opends.server.authorization.dseecompat;

import java.util.List;

import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.types.Entry;

/**
 * View of an {@code AciContainer} exposed to {@code Aci.isApplicable()} while it decides
 * whether an ACI's targets match the LDAP operation under evaluation, the rights that
 * operation requires, and the entry and attributes whose access is being checked.
 *
 * <p>The context carries mutable evaluation state (current attribute type and value,
 * matched allow/deny lists, rights, targattrfilters bookkeeping and the attribute
 * evaluation mask); the target-matching code both reads and updates it as it walks the
 * resource entry.
 */
public interface AciTargetMatchContext {

  // ---- matched ACI lists -----------------------------------------------------------

  /**
   * Replaces the list of deny ACIs collected so far.
   *
   * @param denyList the deny ACIs.
   */
  void setDenyList(List<Aci> denyList);

  /**
   * Replaces the list of allow ACIs collected so far.
   *
   * @param allowList the allow ACIs.
   */
  void setAllowList(List<Aci> allowList);

  // ---- resource entry and the attribute currently under evaluation -----------------

  /**
   * Returns the entry whose access is being checked (the "resource entry").
   *
   * @return the resource entry.
   */
  Entry getResourceEntry();

  /**
   * Returns the attribute type currently being evaluated.
   *
   * @return the current attribute type.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Sets the attribute type to be evaluated next.
   *
   * @param type the attribute type to evaluate.
   */
  void setCurrentAttributeType(AttributeType type);

  /**
   * Returns the attribute value currently being evaluated.
   *
   * @return the current attribute value.
   */
  ByteString getCurrentAttributeValue();

  /**
   * Sets the attribute value to be evaluated next.
   *
   * @param v the attribute value to evaluate.
   */
  void setCurrentAttributeValue(ByteString v);

  /**
   * Tells whether the attribute being evaluated is the first attribute of the resource entry.
   *
   * @return {@code true} while the first attribute is being evaluated.
   */
  boolean isFirstAttribute();

  /**
   * Records whether the attribute being evaluated is the first attribute of the resource
   * entry.
   *
   * @param isFirst {@code true} if the first attribute of the resource entry is being
   *     evaluated.
   */
  void setIsFirstAttribute(boolean isFirst);

  // ---- entry test rules ------------------------------------------------------------

  /**
   * Records whether the target-matching code found an entry test rule. An entry test rule
   * is an ACI without a targetattr target rule.
   *
   * @param val {@code true} if an entry test rule was found.
   */
  void setEntryTestRule(boolean val);

  /**
   * Tells whether an entry test rule was found.
   *
   * @return {@code true} if an entry test rule was found.
   */
  boolean hasEntryTestRule();

  // ---- rights of the LDAP operation ------------------------------------------------

  /**
   * Returns the rights of this container's LDAP operation.
   *
   * @return the operation's rights.
   */
  int getRights();

  /**
   * Replaces the container's rights with the specified rights.
   *
   * @param rights the rights to store.
   */
  void setRights(int rights);

  /**
   * Checks whether the container's rights include the specified rights.
   *
   * @param rights the rights to check for.
   * @return {@code true} if the container's rights include {@code rights}.
   */
  boolean hasRights(int rights);

  // ---- identifiers of the control / extended operation being evaluated -------------

  /**
   * Returns the OID (Object Identifier) string of the control being evaluated.
   *
   * @return the control's OID string.
   */
  String getControlOID();

  /**
   * Returns the OID (Object Identifier) string of the extended operation being evaluated.
   *
   * @return the extended operation's OID string.
   */
  String getExtOpOID();

  // ---- targattrfilters bookkeeping -------------------------------------------------

  /**
   * Records whether the ACI had a targattrfilters rule that matched.
   *
   * @param v the value to store.
   */
  void setTargAttrFiltersMatch(boolean v);

  /**
   * Returns the targAttrFiltersMatch flag, which is set when the ACI had a targattrfilters
   * rule that matched.
   *
   * @return {@code true} if the ACI had a matching targattrfilters rule.
   */
  boolean getTargAttrFiltersMatch();

  /**
   * Adds the specified ACI to the list of ACIs with a targattrfilters rule that matched.
   * The geteffectiverights evaluation uses this list to determine the rights of an
   * attribute that might possibly evaluate to true.
   *
   * @param aci the ACI to remember.
   */
  void addTargAttrFiltersMatchAci(Aci aci);

  /**
   * Remembers the name of the last ACI that matched a targattrfilters rule, for use by the
   * geteffectiverights evaluation.
   *
   * @param name the ACI's name.
   */
  void setTargAttrFiltersAciName(String name);

  // ---- geteffectiverights ----------------------------------------------------------

  /**
   * Tells whether this match context is performing a geteffectiverights evaluation.
   *
   * @return {@code true} if geteffectiverights is being evaluated.
   */
  boolean isGetEffectiveRightsEval();

  // ---- per-attribute access-check mask --------------------------------------------

  /**
   * Toggles a mask bit indicating whether access checking of individual user attributes
   * may be skipped because a single ACI contains a targetattr all-user-attributes rule
   * ({@code targetattr="*"}).
   *
   * <p>The only case in which individual user attribute access checking can be skipped is
   * when a single ACI matched via a targetattr all-user-attributes rule and the attribute
   * type being checked is not operational. Implementations must not skip the per-attribute
   * check in any other situation, since doing so would grant access the ACI never
   * targeted.
   *
   * @param v the mask value to toggle.
   */
  void setEvalUserAttributes(int v);

  /**
   * Toggles a mask bit indicating whether access checking of individual operational
   * attributes may be skipped because a single ACI contains a targetattr
   * all-operational-attributes rule ({@code targetattr="+"}).
   *
   * <p>The only case in which individual operational attribute access checking can be
   * skipped is when a single ACI matched via a targetattr all-operational-attributes rule
   * and the attribute type being checked is operational. Implementations must not skip the
   * per-attribute check in any other situation.
   *
   * @param v the mask value to toggle.
   */
  void setEvalOpAttributes(int v);

  /**
   * Tells whether the ACI being evaluated either named a user attribute type explicitly in
   * a targetattr target rule, or had both a targetattr all-user-attributes rule and an
   * explicitly defined targetattr target rule match.
   *
   * @return {@code true} if either condition was seen.
   */
  boolean hasEvalUserAttributes();

  /**
   * Tells whether the ACI being evaluated either named an operational attribute type
   * explicitly in a targetattr target rule, or had both a targetattr
   * all-operational-attributes rule and an explicitly defined targetattr target rule match.
   *
   * @return {@code true} if either condition was seen.
   */
  boolean hasEvalOpAttributes();

  /**
   * Clears part or all of the mask that records whether access checking must be performed
   * on individual attribute types. The specified value is cleared from the mask; a value of
   * {@code 0} clears the whole mask.
   *
   * @param v the flag to clear, or {@code 0} to reset the mask entirely.
   */
  void clearEvalAttributes(int v);
}