001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2008 Sun Microsystems, Inc.
015 * Portions Copyright 2014-2016 ForgeRock AS.
016 */
017package org.opends.server.authorization.dseecompat;
018
019import org.forgerock.opendj.ldap.schema.AttributeType;
020import org.forgerock.opendj.ldap.ByteString;
021import org.opends.server.types.Entry;
022import java.util.List;
023
024/**
025 * The AciTargetMatchContext interface provides a
026 * view of an AciContainer that exposes the information
027 * used by the Aci.isApplicable() method to determine whether
028 * an ACI is applicable (its targets match) to the LDAP operation,
029 * the operation rights, and the entry and attributes whose access
030 * is being checked.
031 */
public interface AciTargetMatchContext {

    /**
     * Installs the list of deny ACIs on this context.
     *
     * @param denyList The deny ACI list.
     */
    void setDenyList(List<Aci> denyList);

    /**
     * Installs the list of allow ACIs on this context.
     *
     * @param allowList The list of allow ACIs.
     */
    void setAllowList(List<Aci> allowList);

    /**
     * Returns the resource entry, i.e. the entry that is being evaluated.
     *
     * @return The entry being evaluated.
     */
    Entry getResourceEntry();

    /**
     * Returns the attribute type that is currently under evaluation.
     *
     * @return The attribute type being evaluated.
     */
    AttributeType getCurrentAttributeType();

    /**
     * Returns the attribute value that is currently under evaluation.
     *
     * @return The current attribute type value being evaluated.
     */
    ByteString getCurrentAttributeValue();

    /**
     * Reports whether the attribute under evaluation is the first attribute
     * of the resource entry.
     *
     * @return True if this is the first attribute.
     */
    boolean isFirstAttribute();

    /**
     * Records whether the attribute under evaluation is the first attribute
     * of the resource entry.
     *
     * @param isFirst True if this is the first attribute of the resource
     *                entry being evaluated.
     */
    void setIsFirstAttribute(boolean isFirst);

    /**
     * Selects the attribute type to evaluate.
     *
     * @param type The attribute type to set to.
     */
    void setCurrentAttributeType(AttributeType type);

    /**
     * Selects the attribute value to evaluate.
     *
     * @param v The current attribute value to set to.
     */
    void setCurrentAttributeValue(ByteString v);

    /**
     * Records whether the target matching code came across an entry test
     * rule, meaning an ACI that has no targetattr target rule.
     *
     * @param val True if an entry test rule was found.
     */
    void setEntryTestRule(boolean val);

    /**
     * Reports whether an entry test rule was found.
     *
     * @return True if an entry test rule was found.
     */
    boolean hasEntryTestRule();

    /**
     * Returns the rights associated with this container's LDAP operation.
     *
     * @return The rights for the container's LDAP operation.
     */
    int getRights();

    /**
     * Returns the OID (Object Identifier) string of the control being
     * evaluated.
     *
     * @return The OID string of the control being evaluated.
     */
    String getControlOID();

    /**
     * Returns the OID (Object Identifier) string of the extended operation
     * being evaluated.
     *
     * @return The OID string of the extended operation being evaluated.
     */
    String getExtOpOID();

    /**
     * Tests the container's rights against the specified rights.
     *
     * <p>NOTE(review): this interface does not show whether every requested
     * right must be present or whether one is enough; confirm against the
     * implementation before relying on either reading in an access decision.
     *
     * @param rights The rights to check for.
     * @return True if the container's rights has the specified rights.
     */
    boolean hasRights(int rights);

    /**
     * Replaces the container's rights with the specified rights.
     *
     * @param rights The rights to set the container's rights to.
     */
    void setRights(int rights);

    /**
     * Records whether the ACI had a targattrfilter rule that matched.
     *
     * @param v The value to use.
     */
    void setTargAttrFiltersMatch(boolean v);

    /**
     * Returns the targAttrFiltersMatch value, which is true when the ACI had
     * a targattrfilter rule that matched.
     *
     * @return True if the ACI had a targattrfilter rule that matched.
     */
    boolean getTargAttrFiltersMatch();

    /**
     * Appends the given ACI to the list of ACIs whose targattrfilters rule
     * matched. geteffectiverights uses this list to work out the rights of an
     * attribute that might possibly evaluate to true.
     *
     * @param aci The ACI to save.
     */
    void addTargAttrFiltersMatchAci(Aci aci);

    /**
     * Remembers the name of the most recent ACI that matched a
     * targattrfilters rule, for use by geteffectiverights evaluation.
     *
     * @param name The ACI's name to save.
     */
    void setTargAttrFiltersAciName(String name);

    /**
     * Reports whether this match context is performing a geteffectiverights
     * evaluation.
     *
     * @return True if a match context is evaluating geteffectiverights.
     */
    boolean isGetEffectiveRightsEval();

    /**
     * Updates the mask that indicates whether access checking of individual
     * user attributes may be skipped. That depends on whether a single ACI
     * contains a targetattr all user attributes rule (targetattr="*").
     *
     * <p>Individual user attribute access checking can be skipped in one case
     * only: a single ACI matched using a targetattr all user attributes rule
     * and the attribute type being checked is not operational.
     *
     * <p>NOTE(review): the mask controls whether a per-attribute access check
     * is bypassed, so the exact way {@code v} is combined with the existing
     * mask matters; it is not visible from this interface and should be
     * confirmed against the implementation.
     *
     * @param v The mask value to apply.
     */
    void setEvalUserAttributes(int v);

    /**
     * Updates the mask that indicates whether access checking of individual
     * operational attributes may be skipped. That depends on whether a single
     * ACI contains a targetattr all operational attributes rule
     * (targetattr="+").
     *
     * <p>Individual operational attribute access checking can be skipped in
     * one case only: a single ACI matched using a targetattr all operational
     * attributes rule and the attribute type being checked is operational.
     *
     * <p>NOTE(review): the mask controls whether a per-attribute access check
     * is bypassed, so the exact way {@code v} is combined with the existing
     * mask matters; it is not visible from this interface and should be
     * confirmed against the implementation.
     *
     * @param v The mask value to apply.
     */
    void setEvalOpAttributes(int v);

    /**
     * Reports whether the evaluating ACI either named a user attribute type
     * explicitly in a targetattr target rule, or matched both a targetattr
     * all user attributes rule and an explicitly defined targetattr target
     * rule.
     *
     * @return True if the above condition was seen.
     */
    boolean hasEvalUserAttributes();

    /**
     * Reports whether the evaluating ACI either named an operational
     * attribute type explicitly in a targetattr target rule, or matched both
     * a targetattr all operational attributes rule and an explicitly defined
     * targetattr target rule.
     *
     * @return True if the above condition was seen.
     */
    boolean hasEvalOpAttributes();

    /**
     * Clears bits of the mask used to detect whether access checking has to
     * be performed on individual attribute types. The specified value is
     * removed from the mask; a value of 0 clears the mask completely.
     *
     * @param v The flag to clear or 0 to set the mask to 0.
     */
    void clearEvalAttributes(int v);
}