/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions Copyright [year] [name of copyright owner]".
 *
 * Copyright 2008-2010 Sun Microsystems, Inc.
 * Portions Copyright 2011-2016 ForgeRock AS.
 */
package org.opends.server.authorization.dseecompat;

import org.forgerock.opendj.ldap.DN;
import org.opends.server.types.Entry;
import org.forgerock.opendj.ldap.schema.AttributeType;
import org.opends.server.api.Group;

import java.net.InetAddress;
import java.util.List;

/**
 * Interface that provides a view of the AciContainer that is
 * used by the ACI evaluation code to evaluate an ACI.
 * <p>
 * Everything exposed here is an input to an access-control decision
 * (who the client is, where it connected from, how it authenticated, how
 * strongly the connection is protected, which entry/attribute is being
 * touched and with which rights). Implementations should therefore derive
 * these values from server-side connection and operation state that the
 * client cannot influence after authentication, not from request content
 * supplied by the client. The {@code set*} methods only record the outcome of
 * an evaluation for the geteffectiverights summary; they must not feed back
 * into the decision itself.
 * <p>
 * NOTE(review): the relative ordering of deny and allow evaluation
 * ({@link #isDenyEval()}) and the exact semantics of the rights bit mask are
 * defined by the evaluation code, not by this interface — confirm against
 * the implementation before relying on them.
 */
public interface AciEvalContext
{
  /**
   * Get client DN. The client DN is the authorization DN, i.e. the identity
   * the access decision is made for. When a proxied authorization control is
   * in effect (see {@link #isProxiedAuthorization()}) this is not necessarily
   * the identity that performed the bind, so callers must use this DN, never
   * the bind DN, as the subject of the decision.
   * @return The client DN.
   */
  DN getClientDN();

  /**
   * Get the client entry. The client entry is the entry that corresponds
   * to the client DN.
   * NOTE(review): for an anonymous client (see {@link #isAnonymousUser()})
   * there is no corresponding entry; whether this returns {@code null} in
   * that case is not specified here — confirm with the implementation and
   * null-check accordingly.
   * @return The client entry corresponding to the client DN.
   */
  Entry getClientEntry();

  /**
   * Get the resource DN. The resource DN is the DN of the entry being
   * evaluated (the target of the operation).
   * @return The resource DN.
   */
  DN getResourceDN();

  /**
   * Get the list of deny ACIs, i.e. the ACIs applicable to the resource
   * that contain deny rules.
   * @return The deny ACI list.
   */
  List<Aci> getDenyList();

  /**
   * Get the list of allow ACIs, i.e. the ACIs applicable to the resource
   * that contain allow rules.
   * @return The allow ACI list.
   */
  List<Aci> getAllowList();

  /**
   * Returns true if the deny list is being evaluated (as opposed to the
   * allow list). Evaluation code can use this to select which of the two
   * lists a match applies to.
   * @return True if the deny list is being evaluated.
   */
  boolean isDenyEval();

  /**
   * Check if the remote client is bound anonymously, i.e. no authenticated
   * identity is associated with the connection.
   * @return {@code true} if client is bound anonymously.
   */
  boolean isAnonymousUser();

  /**
   * Return the rights set for this container's LDAP operation, as a bit mask.
   * The meaning of the individual bits is defined by the evaluation code
   * (see also {@link #hasRights(int)} and {@link #rightToString()}).
   * @return The rights set for the container's LDAP operation.
   */
  int getRights();

  /**
   * Return the entry being evaluated.
   * @return The evaluation entry.
   */
  Entry getResourceEntry();

  /**
   * Get the hostname of the bound connection.
   * NOTE(review): if the implementation obtains this via a reverse DNS
   * lookup of {@link #getRemoteAddress()}, the value is controlled by
   * whoever controls the reverse zone for that address and should only be
   * trusted for host-based bind rules when the forward lookup confirms it —
   * confirm how the implementation derives it.
   * @return The hostname of the connection.
   */
  String getHostName();

  /**
   * Determine whether the client connection has been authenticated using
   * a specified authentication method. This method is used for the
   * authmethod bind rule keyword.
   *
   * @param authMethod The required authentication method.
   * @param saslMech The required SASL mechanism if the authentication method
   * is SASL; it is only meaningful for SASL and is presumably ignored
   * otherwise (not specified here).
   *
   * @return An evaluation result indicating whether the client connection
   * has been authenticated using the required authentication method.
   */
  EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                         String saslMech);

  /**
   * Get the address of the bound connection, i.e. the peer address as seen
   * by the server for this connection.
   * @return The address of the bound connection.
   */
  InetAddress getRemoteAddress();

  /**
   * Return true if this is an add operation needed by the userattr
   * USERDN parent inheritance level 0 processing.
   *
   * @return {@code true} if this is an add operation.
   */
  boolean isAddOperation();

  /**
   * Return true if the operation associated with this evaluation
   * context is a member of the specified group. Calls the
   * ClientConnection.isMemberOf() method, which checks authorization
   * DN membership in the specified group (so, like {@link #getClientDN()},
   * this reflects the authorization identity rather than the bind identity).
   * @param group The group to check membership in.
   * @return {@code true} if the authorization DN of the operation is a
   * member of the specified group.
   */
  boolean isMemberOf(Group<?> group);

  /**
   * Returns true if the hashtable of ACIs that matched the targattrfilters
   * keyword evaluation is empty. Used in a geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @return {@code true} if there were not any ACIs that matched
   * targattrfilters keyword evaluation.
   */
  boolean isTargAttrFilterMatchAciEmpty();

  /**
   * The context maintains a hashtable of ACIs that matched the targattrfilters
   * keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if
   * the specified ACI is contained in that hashtable. Used in a
   * geteffectiverights control evaluation to determine the access value to put
   * in the "write" rights evaluation field.
   *
   * @param aci The ACI to check for a match recorded during
   * targattrfilters keyword evaluation.
   *
   * @return {@code true} if the specified ACI matched targattrfilters evaluation.
   */
  boolean hasTargAttrFiltersMatchAci(Aci aci);

  /**
   * Return true if an ACI that evaluated to deny or allow has a
   * targattrfilters keyword. Used by geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @param flag The integer value specifying either a deny or allow, but not
   * both.
   *
   * @return {@code true} if the ACI has a targattrfilters keyword.
   */
  boolean hasTargAttrFiltersMatchOp(int flag);

  /**
   * Returns {@code true} if the evaluation context is being used in a
   * geteffectiverights control evaluation (i.e. rights are being reported,
   * not enforced).
   *
   * @return {@code true} if the evaluation context is being used in a
   * geteffectiverights control evaluation.
   */
  boolean isGetEffectiveRightsEval();

  /**
   * Set the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights control targattrfilters "write" evaluation.
   *
   * @param name The ACI name string matching the targattrfilters rule.
   */
  void setTargAttrFiltersAciName(String name);

  /**
   * Set a flag that specifies that an ACI that evaluated to either deny or
   * allow contains a targattrfilters keyword. Used by geteffectiverights
   * control evaluation to determine the access value to put in the "write"
   * rights evaluation field.
   *
   * @param flag Either the integer value representing an allow or a deny,
   * but not both.
   */
  void setTargAttrFiltersMatchOp(int flag);

  /**
   * Set the reason and the ACI that decided why the last access evaluation was
   * evaluated the way it was. Used by geteffectiverights control evaluation to
   * eventually build the summary string.
   *
   * @param reason
   *          The enumeration representing the reason of the last access
   *          evaluation.
   * @param decidingAci
   *          The ACI that decided the last access evaluation.
   */
  void setEvaluationResult(EnumEvalReason reason, Aci decidingAci);

  /**
   * Return the reason the last access evaluation was evaluated the way it
   * was. Used by geteffectiverights control evaluation to build the summary
   * string.
   *
   * @return The enumeration representing the reason of the last access
   * evaluation.
   */
  EnumEvalReason getEvalReason();

  /**
   * Check if an evaluation context contains a set of access rights.
   * NOTE(review): whether this requires all bits of {@code rights} to be
   * present or any of them is not specified by this interface — confirm with
   * the implementation before using it with a multi-bit mask.
   *
   * @param rights The rights mask to check.
   *
   * @return {@code true} if the evaluation context contains the access rights.
   */
  boolean hasRights(int rights);

  /**
   * Return the name of the ACI that decided the last access evaluation. Used
   * by geteffectiverights control evaluation to build the summary string.
   *
   * @return The name of the ACI that decided the last access evaluation.
   */
  String getDecidingAciName();

  /**
   * Return true if the evaluation context is being used in proxied authorization
   * control evaluation, i.e. the authorization identity may differ from the
   * bound identity.
   *
   * @return {@code true} if evaluation context is being used in proxied
   * authorization control evaluation.
   */
  boolean isProxiedAuthorization();

  /**
   * Get the current attribute type being evaluated.
   *
   * @return The attribute type currently being evaluated.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Set the value of the summary string to the specified string.
   * Used in get effective rights evaluation to build summary string.
   *
   * @param summary The string to set the summary string to.
   */
  void setEvalSummary(String summary);

  /**
   * Return the access evaluation summary string. Used in a geteffectiverights
   * control evaluation when an aclRightsInfo attribute was specified in a
   * search request.
   *
   * @return The string describing the access evaluation.
   */
  String getEvalSummary();

  /**
   * Return a string representation of the current right being evaluated.
   * Used in geteffectiverights control evaluation to build summary string.
   *
   * @return String representation of the current right being evaluated.
   */
  String rightToString();

  /**
   * Return the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights control evaluation.
   *
   * @return The name of the ACI that last matched a targattrfilters rule.
   */
  String getTargAttrFiltersAciName();


  /**
   * Return the current SSF (Security Strength Factor) of the underlying
   * connection, i.e. a measure of the confidentiality protection currently
   * applied to the connection.
   * NOTE(review): the scale (and whether 0 denotes a cleartext connection)
   * is defined by the connection layer, not here — confirm before using the
   * value in a bind rule threshold.
   *
   * @return The current SSF of the connection.
   */
  int getCurrentSSF();
}