001/*
002 * The contents of this file are subject to the terms of the Common Development and
003 * Distribution License (the License). You may not use this file except in compliance with the
004 * License.
005 *
006 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
007 * specific language governing permission and limitations under the License.
008 *
009 * When distributing Covered Software, include this CDDL Header Notice in each file and include
010 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
011 * Header, with the fields enclosed by brackets [] replaced by your own identifying
012 * information: "Portions Copyright [year] [name of copyright owner]".
013 *
014 * Copyright 2008-2010 Sun Microsystems, Inc.
015 * Portions Copyright 2011-2016 ForgeRock AS.
016 */
017package org.opends.server.authorization.dseecompat;
018
019import org.forgerock.opendj.ldap.DN;
020import org.opends.server.types.Entry;
021import org.forgerock.opendj.ldap.schema.AttributeType;
022import org.opends.server.api.Group;
023
024import java.net.InetAddress;
025import java.util.List;
026
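/**
 * Interface that provides a view of the AciContainer that is
 * used by the ACI evaluation code to evaluate an ACI.
 * <p>
 * The view has two parts: the identity and connection properties of the
 * client the access decision is made for (authorization DN and entry,
 * remote address, authentication method, SSF), and the state accumulated
 * while an evaluation runs (deny/allow ACI lists, targattrfilters matches,
 * and the reason/summary information consumed by geteffectiverights
 * control evaluation).
 */
public interface AciEvalContext
{
    /**
     * Get the client DN. The client DN is the authorization DN, i.e. the
     * identity the access decision is evaluated for; with proxied
     * authorization this need not be the DN the connection bound with
     * (see {@link #isProxiedAuthorization()}).
     * @return   The client DN.
     */
    DN getClientDN();

    /**
     * Get the client entry. The client entry is the entry that corresponds
     * to the client DN.
     * @return The client entry corresponding to the client DN.
     */
    Entry getClientEntry();

    /**
     * Get the resource DN. The resource DN is the DN of the entry being
     * evaluated.
     * @return   The resource DN.
     */
    DN getResourceDN();

    /**
     * Get the list of deny ACIs.
     * @return The deny ACI list.
     */
    List<Aci> getDenyList();

    /**
     * Get the list of allow ACIs.
     * @return The allow ACI list.
     */
    List<Aci> getAllowList();

    /**
     * Returns true if the deny list is being evaluated.
     * @return {@code true} if the deny list is being evaluated.
     */
    boolean isDenyEval();

    /**
     * Check if the remote client is bound anonymously.
     * @return {@code true} if the client is bound anonymously.
     */
    boolean isAnonymousUser();

    /**
     * Return the rights set for this container's LDAP operation. The value
     * is a rights mask; use {@link #hasRights(int)} to test for specific
     * rights rather than comparing it directly.
     * @return  The rights set for the container's LDAP operation.
     */
    int getRights();

    /**
     * Return the entry being evaluated.
     *
     * @return The evaluation entry.
     */
    Entry getResourceEntry();

    /**
     * Get the hostname of the bound connection.
     * @return The hostname of the connection.
     */
    String getHostName();

    /**
     * Determine whether the client connection has been authenticated using
     * a specified authentication method.  This method is used for the
     * authmethod bind rule keyword.
     *
     * @param authMethod The required authentication method.
     * @param saslMech The required SASL mechanism if the authentication method
     * is SASL.
     *
     * @return An evaluation result indicating whether the client connection
     * has been authenticated using the required authentication method.
     */
    EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                           String saslMech);

    /**
     * Get the address of the bound connection.
     * @return The address of the bound connection.
     */
    InetAddress getRemoteAddress();

    /**
     * Return true if this is an add operation needed by the userattr
     * USERDN parent inheritance level 0 processing.
     *
     * @return {@code true} if this is an add operation.
     */
    boolean isAddOperation();

    /**
     * Return true if the operation associated with this evaluation
     * context is a member of the specified group. Calls the
     * ClientConnection.isMemberOf() method, which checks authorization
     * DN membership in the specified group.
     * @param group The group to check membership in.
     * @return {@code true} if the authorization DN of the operation is a
     * member of the specified group.
     */
    boolean isMemberOf(Group<?> group);

    /**
     * Returns true if the hashtable of ACIs that matched the targattrfilters
     * keyword evaluation is empty.  Used in a geteffectiverights control
     * evaluation to determine the access value to put in the "write" rights
     * evaluation field.
     *
     * @return {@code true} if there were not any ACIs that matched
     *         targattrfilters keyword evaluation.
     */
    boolean isTargAttrFilterMatchAciEmpty();

    /**
     * The context maintains a hashtable of ACIs that matched the targattrfilters
     * keyword evaluation.  This method returns true if the specified ACI is
     * contained in that hashtable. Used in a geteffectiverights control
     * evaluation to determine the access value to put in the "write" rights
     * evaluation field.
     *
     * @param aci The ACI to check for a match during targattrfilters keyword
     *            evaluation.
     *
     * @return {@code true} if the specified ACI matched targattrfilters
     *         evaluation.
     */
    boolean hasTargAttrFiltersMatchAci(Aci aci);

    /**
     * Return true if an ACI that evaluated to deny or allow has a
     * targattrfilters keyword. Used by geteffectiverights control
     * evaluation to determine the access value to put in the "write" rights
     * evaluation field.
     *
     * @param flag  The integer value specifying either a deny or allow, but not
     * both.
     *
     * @return  {@code true} if the ACI has a targattrfilters keyword.
     */
    boolean hasTargAttrFiltersMatchOp(int flag);

    /**
     * Returns {@code true} if the evaluation context is being used in a
     * geteffectiverights control evaluation.
     *
     * @return  {@code true} if the evaluation context is being used in a
     * geteffectiverights control evaluation.
     */
    boolean isGetEffectiveRightsEval();

    /**
     * Set the name of the ACI that last matched a targattrfilters rule. Used
     * in geteffectiverights control targattrfilters "write" evaluation.
     *
     * @param name The ACI name string matching the targattrfilters rule.
     */
    void setTargAttrFiltersAciName(String name);

    /**
     * Set a flag that specifies that an ACI that evaluated to either deny or
     * allow contains a targattrfilters keyword. Used by geteffectiverights
     * control evaluation to determine the access value to put in the "write"
     * rights evaluation field.
     *
     * @param flag Either the integer value representing an allow or a deny,
     *             but not both.
     */
    void setTargAttrFiltersMatchOp(int flag);

    /**
     * Set the reason and the ACI that decided why the last access evaluation
     * was evaluated the way it was. Used by geteffectiverights control
     * evaluation to eventually build the summary string.
     *
     * @param reason
     *          The enumeration representing the reason of the last access
     *          evaluation.
     * @param decidingAci
     *          The ACI that decided the last access evaluation.
     */
    void setEvaluationResult(EnumEvalReason reason, Aci decidingAci);

    /**
     * Return the reason the last access evaluation was evaluated the way it
     * was. Used by geteffectiverights control evaluation to build the summary
     * string.
     *
     * @return The enumeration representing the reason of the last access
     * evaluation.
     */
    EnumEvalReason getEvalReason();

    /**
     * Check if an evaluation context contains a set of access rights.
     *
     * @param rights The rights mask to check.
     *
     * @return {@code true} if the evaluation context contains the specified
     *         access rights.
     */
    boolean hasRights(int rights);

    /**
     * Return the name of the ACI that decided the last access evaluation. Used
     * by geteffectiverights control evaluation to build the summary string.
     *
     * @return The name of the ACI that decided the last access evaluation.
     */
    String getDecidingAciName();

    /**
     * Return true if the evaluation context is being used in proxied
     * authorization control evaluation.
     *
     * @return  {@code true} if the evaluation context is being used in proxied
     *          authorization control evaluation.
     */
    boolean isProxiedAuthorization();

    /**
     * Get the current attribute type being evaluated.
     *
     * @return  The attribute type currently being evaluated.
     */
    AttributeType getCurrentAttributeType();

    /**
     * Set the access evaluation summary string.
     * Used in geteffectiverights evaluation to build the summary string.
     *
     * @param summary The new value of the summary string.
     */
    void setEvalSummary(String summary);

    /**
     * Return the access evaluation summary string. Used in a geteffectiverights
     * control evaluation when an aclRightsInfo attribute was specified in a
     * search request.
     *
     * @return   The string describing the access evaluation.
     */
    String getEvalSummary();

    /**
     * Return a string representation of the current right being evaluated.
     * Used in geteffectiverights control evaluation to build the summary string.
     *
     * @return  String representation of the current right being evaluated.
     */
    String rightToString();

    /**
     * Return the name of the ACI that last matched a targattrfilters rule. Used
     * in geteffectiverights control evaluation.
     *
     * @return The name of the ACI that last matched a targattrfilters rule.
     */
    String getTargAttrFiltersAciName();

    /**
     * Return the current SSF (Security Strength Factor) of the underlying
     * connection. By the usual SSF convention a value of 0 means the
     * connection has no integrity or confidentiality protection; larger
     * values indicate stronger protection. Presumably consumed by bind rule
     * evaluation that conditions access on connection security — confirm
     * against the callers.
     *
     * @return The current SSF of the connection.
     */
    int getCurrentSSF();
}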