org.opends.server.authorization.dseecompat

Class AciLDAPOperationContainer

java.lang.Object

org.opends.server.authorization.dseecompat.AciLDAPOperationContainer

All Implemented Interfaces:

AciEvalContext, AciTargetMatchContext

public class AciLDAPOperationContainer
extends Object

The AciLDAPOperationContainer is an AciContainer extended class that wraps each LDAP operation being evaluated or tested for target matched of an ACI.

Constructor Summary

Constructors

Constructor and Description
AciLDAPOperationContainer(ExtendedOperation operation, Entry e, int rights) Constructor interface for evaluation of the extended operation.
AciLDAPOperationContainer(LocalBackendAddOperation operation, int rights) Constructor interface for the add operation.
AciLDAPOperationContainer(LocalBackendCompareOperation operation, int rights) Constructor interface for the compare operation.
AciLDAPOperationContainer(LocalBackendDeleteOperation operation, int rights) Constructor interface for the delete operation.
AciLDAPOperationContainer(LocalBackendModifyOperation operation, int rights) Constructor interface for the modify operation.
AciLDAPOperationContainer(ModifyDNOperation operation, int rights, Entry entry) Constructor interface for the modify DN operation.
AciLDAPOperationContainer(Operation operation, Entry e, AuthenticationInfo authInfo, int rights) Constructor interface for evaluation general purpose Operation, entry and rights..
AciLDAPOperationContainer(Operation operation, Entry e, Control c, int rights) Constructor interface for evaluation of a control.
AciLDAPOperationContainer(Operation operation, int rights, Entry entry) Constructor interface for all currently supported LDAP operations.

Method Summary

Modifier and Type	Method and Description
void	addTargAttrFiltersMatchAci(Aci aci) Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched.
void	clearEvalAttributes(int v) Used to clear the mask used to detect if access checking needs to be performed on individual attributes types.
List<Aci>	getAllowList() Get the list allow ACIs.
org.forgerock.opendj.ldap.DN	getClientDN() Get client DN.
Entry	getClientEntry() Get the client entry.
String	getControlOID() Return the OID (Object Identifier) string of the control being evaluated.
org.forgerock.opendj.ldap.schema.AttributeType	getCurrentAttributeType() Get the current attribute type being evaluated.
org.forgerock.opendj.ldap.ByteString	getCurrentAttributeValue() The current attribute type value being evaluated.
int	getCurrentSSF() Return the current SSF (Security Strength Factor) of the underlying connection.
String	getDecidingAciName() Return the name of the ACI that decided the last access evaluation.
List<Aci>	getDenyList() Get the list of deny ACIs.
EnumEvalReason	getEvalReason() Return the reason the last access evaluation was evaluated the way it was.
String	getEvalSummary() Return the access evaluation summary string.
String	getExtOpOID() Return The OID (Object Identifier) string of the extended operation being evaluated.
String	getHostName() Get the hostname of the bound connection.
InetAddress	getRemoteAddress() Get the address of the bound connection.
org.forgerock.opendj.ldap.DN	getResourceDN() Get the resource DN.
Entry	getResourceEntry() Get the entry being evaluated.
int	getRights() Return the rights for this container's LDAP operation.
List<org.forgerock.opendj.ldap.schema.AttributeType>	getSpecificAttributes() Return the list of additional attributes specified in the geteffectiverights control.
String	getTargAttrFiltersAciName() Return the name of the ACI that last matched a targattrfilters rule.
boolean	getTargAttrFiltersMatch() Return the value of the targAttrFiltersMatch variable.
boolean	hasAllOpAttributes() Return true if the evaluating ACI contained a targetattr all operational attributes rule match.
boolean	hasAllUserAttributes() Return true if the evaluating ACI contained a targetattr all user attributes rule match.
EnumEvalResult	hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod, String saslMech) Determine whether the client connection has been authenticated using a specified authentication method.
boolean	hasEntryTestRule() True if an entry test rule was found.
boolean	hasEvalOpAttributes() Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and a explicitly defined targetattr target rule matched.
boolean	hasEvalUserAttributes() Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explicitly defined targetattr target rule matched.
boolean	hasGetEffectiveRightsControl() Return true if the container is being used in a geteffectiverights evaluation.
boolean	hasRights(int rights) Checks if the container's rights has the specified rights.
boolean	hasSeenEntry() Returns true if an entry has already been processed by an access proxy check.
boolean	hasTargAttrFiltersMatchAci(Aci aci) The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation.
boolean	hasTargAttrFiltersMatchOp(int flag) Return true if an ACI that evaluated to deny or allow has an targattrfilters keyword.
boolean	isAddOperation() Return true if this is an add operation needed by the userattr USERDN parent inheritance level 0 processing.
boolean	isAnonymousUser() Check if the remote client is bound anonymously.
boolean	isAuthzidAuthorizationDN() Returns true if the geteffectiverights control's authZid DN is equal to the authorization entry's DN.
boolean	isDenyEval() Returns true if the deny list is being evaluated.
boolean	isFirstAttribute() True if the first attribute of the resource entry is being evaluated.
boolean	isGetEffectiveRightsEval() Returns true of a match context is performing a geteffectiverights evaluation.
boolean	isMemberOf(Group<?> group) Return true if the operation associated with this evaluation context is a member of the specified group.
boolean	isProxiedAuthorization() Return true if a evaluation context is being used in proxied authorization control evaluation.
boolean	isTargAttrFilterMatchAciEmpty() Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty.
void	resetEffectiveRightsParams() Reset the values used by the geteffectiverights evaluation to original values.
String	rightToString() Return a string representation of the current right being evaluated.
void	setAllowList(List<Aci> allows) Set the allow ACI list.
protected void	setControlOID(String oid) Set the the controlOID value to the specified oid string.
void	setCurrentAttributeType(org.forgerock.opendj.ldap.schema.AttributeType type) Set the attribute type to be evaluated.
void	setCurrentAttributeValue(org.forgerock.opendj.ldap.ByteString value) Set the attribute value to be evaluated.
void	setDenyList(List<Aci> denys) Set the deny ACI list.
void	setEntryTestRule(boolean val) True if the target matching code found an entry test rule.
void	setEvalOpAttributes(int v) This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
void	setEvalSummary(String summary) Set the value of the summary string to the specified string.
void	setEvaluationResult(EnumEvalReason reason, Aci decidingAci) Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was.
void	setEvalUserAttributes(int v) This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
protected void	setExtOpOID(String oid) Set the extended operation OID value to the specified oid string.
void	setGetEffectiveRightsEval() The container is going to be used in a geteffectiverights evaluation, set the flag isGetEffectiveRightsEval to true.
void	setIsFirstAttribute(boolean val) Set to true if the first attribute of the resource entry is being evaluated.
void	setRights(int rights) Set the rights of the container to the specified rights.
void	setSeenEntry(boolean val) Set to true if an entry has already been processed by an access proxy check.
void	setTargAttrFiltersAciName(String name) Save the name of the last ACI that matched a targattrfilters rule.
void	setTargAttrFiltersMatch(boolean v) Set to true if the ACI had a targattrfilter rule that matched.
void	setTargAttrFiltersMatchOp(int flag) Set a flag that specifies that a ACI that evaluated to either deny or allow contains a targattrfilters keyword.
String	toString()
void	useAuthzid(boolean v) Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

AciLDAPOperationContainer

public AciLDAPOperationContainer(Operation operation,
                                 int rights,
                                 Entry entry)

Constructor interface for all currently supported LDAP operations.

Parameters:

operation - The compare operation to evaluate.

rights - The rights of a compare operation.

entry - The entry for evaluation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(LocalBackendCompareOperation operation,
                                 int rights)

Constructor interface for the compare operation.

Parameters:

operation - The compare operation to evaluate.

rights - The rights of a compare operation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(Operation operation,
                                 Entry e,
                                 AuthenticationInfo authInfo,
                                 int rights)

Constructor interface for evaluation general purpose Operation, entry and rights..

Parameters:

operation - The operation to use in the evaluation.

e - The entry for evaluation.

authInfo - The authentication information to use in the evaluation.

rights - The rights of the operation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(Operation operation,
                                 Entry e,
                                 Control c,
                                 int rights)

Constructor interface for evaluation of a control.

Parameters:

operation - The operation to use in the evaluation.

e - An entry built especially for evaluation.

c - The control to evaluate.

rights - The rights of a control.

AciLDAPOperationContainer

public AciLDAPOperationContainer(ExtendedOperation operation,
                                 Entry e,
                                 int rights)

Constructor interface for evaluation of the extended operation.

Parameters:

operation - The extended operation to evaluate.

e - An entry built especially for evaluation.

rights - The rights of a extended operation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(LocalBackendAddOperation operation,
                                 int rights)

Constructor interface for the add operation.

Parameters:

operation - The add operation to evaluate.

rights - The rights of an add operation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(LocalBackendDeleteOperation operation,
                                 int rights)

Constructor interface for the delete operation.

Parameters:

operation - The add operation to evaluate.

rights - The rights of a delete operation.

AciLDAPOperationContainer

public AciLDAPOperationContainer(LocalBackendModifyOperation operation,
                                 int rights)

Constructor interface for the modify operation.

Parameters:

rights - The rights of modify operation.

operation - The add operation to evaluate.

AciLDAPOperationContainer

public AciLDAPOperationContainer(ModifyDNOperation operation,
                                 int rights,
                                 Entry entry)

Constructor interface for the modify DN operation.

Parameters:

operation - The modify DN operation.

rights - The rights of the modify DN operation.

entry - The entry to evaluated for this modify DN.

Method Detail

hasSeenEntry

public boolean hasSeenEntry()

Returns true if an entry has already been processed by an access proxy check.

Returns:

True if an entry has already been processed by an access proxy check.

setSeenEntry

public void setSeenEntry(boolean val)

Set to true if an entry has already been processed by an access proxy check.

Parameters:

val - The value to set the seenEntry boolean to.

isProxiedAuthorization

public boolean isProxiedAuthorization()

Description copied from interface: AciEvalContext

Return true if a evaluation context is being used in proxied authorization control evaluation.

Specified by:

isProxiedAuthorization in interface AciEvalContext

Returns:

true if evaluation context is being used in proxied authorization control evaluation.

isGetEffectiveRightsEval

public boolean isGetEffectiveRightsEval()

Description copied from interface: AciTargetMatchContext

Returns true of a match context is performing a geteffectiverights evaluation.

Specified by:

isGetEffectiveRightsEval in interface AciEvalContext

Specified by:

isGetEffectiveRightsEval in interface AciTargetMatchContext

Returns:

True if a match context is evaluating geteffectiverights.

setGetEffectiveRightsEval

public void setGetEffectiveRightsEval()

The container is going to be used in a geteffectiverights evaluation, set the flag isGetEffectiveRightsEval to true.

hasGetEffectiveRightsControl

public boolean hasGetEffectiveRightsControl()

Return true if the container is being used in a geteffectiverights evaluation.

Returns:

True if the container is being used in a geteffectiverights evaluation.

useAuthzid

public void useAuthzid(boolean v)

Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.

Parameters:

v - The valued to set the useAuthzid to.

getSpecificAttributes

public List<org.forgerock.opendj.ldap.schema.AttributeType> getSpecificAttributes()

Return the list of additional attributes specified in the geteffectiverights control.

Returns:

The list of attributes to return rights information about in the entry.

addTargAttrFiltersMatchAci

public void addTargAttrFiltersMatchAci(Aci aci)

Description copied from interface: AciTargetMatchContext

Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that possibly might evaluate to true.

Specified by:

addTargAttrFiltersMatchAci in interface AciTargetMatchContext

Parameters:

aci - The ACI to save.

hasTargAttrFiltersMatchAci

public boolean hasTargAttrFiltersMatchAci(Aci aci)

Description copied from interface: AciEvalContext

The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:

hasTargAttrFiltersMatchAci in interface AciEvalContext

Parameters:

aci - The ACI that to evaluate if it contains a match during targattrfilters keyword evaluation.

Returns:

true if a specified ACI matched targattrfilters evaluation.

isTargAttrFilterMatchAciEmpty

public boolean isTargAttrFilterMatchAciEmpty()

Description copied from interface: AciEvalContext

Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used in a geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:

isTargAttrFilterMatchAciEmpty in interface AciEvalContext

Returns:

true if there were not any ACIs that matched targattrfilters keyword evaluation.

resetEffectiveRightsParams

public void resetEffectiveRightsParams()

Reset the values used by the geteffectiverights evaluation to original values. The geteffectiverights evaluation uses the same container repeatedly for different rights evaluations (read, write, proxy,...) and this method resets variables that are specific to a single evaluation.

setTargAttrFiltersAciName

public void setTargAttrFiltersAciName(String name)

Description copied from interface: AciTargetMatchContext

Save the name of the last ACI that matched a targattrfilters rule. This is used by geteffectiverights evaluation.

Specified by:

setTargAttrFiltersAciName in interface AciEvalContext

Specified by:

setTargAttrFiltersAciName in interface AciTargetMatchContext

Parameters:

name - The ACI's name to save.

getTargAttrFiltersAciName

public String getTargAttrFiltersAciName()

Description copied from interface: AciEvalContext

Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights control evaluation.

Specified by:

getTargAttrFiltersAciName in interface AciEvalContext

Returns:

The name of the ACI that last matched a targattrfilters rule.

setTargAttrFiltersMatchOp

public void setTargAttrFiltersMatchOp(int flag)

Description copied from interface: AciEvalContext

Set a flag that specifies that a ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:

setTargAttrFiltersMatchOp in interface AciEvalContext

Parameters:

flag - Either the integer value representing an allow or a deny, but not both.

hasTargAttrFiltersMatchOp

public boolean hasTargAttrFiltersMatchOp(int flag)

Description copied from interface: AciEvalContext

Return true if an ACI that evaluated to deny or allow has an targattrfilters keyword. Used by geteffectiverights control evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:

hasTargAttrFiltersMatchOp in interface AciEvalContext

Parameters:

flag - The integer value specifying either a deny or allow, but not both.

Returns:

true if the ACI has an targattrfilters keyword.

getDecidingAciName

public String getDecidingAciName()

Description copied from interface: AciEvalContext

Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights control evaluation to build the summary string.

Specified by:

getDecidingAciName in interface AciEvalContext

Returns:

The name of the ACI that decided the last access evaluation.

setEvaluationResult

public void setEvaluationResult(EnumEvalReason reason,
                                Aci decidingAci)

Description copied from interface: AciEvalContext

Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to eventually build the summary string.

Specified by:

setEvaluationResult in interface AciEvalContext

Parameters:

reason - The enumeration representing the reason of the last access evaluation.

decidingAci - The ACI that decided the last access evaluation.

getEvalReason

public EnumEvalReason getEvalReason()

Description copied from interface: AciEvalContext

Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights control evaluation to build the summary string.

Specified by:

getEvalReason in interface AciEvalContext

Returns:

The enumeration representing the reason of the last access evaluation.

setEvalSummary

public void setEvalSummary(String summary)

Description copied from interface: AciEvalContext

Set the value of the summary string to the specified string. Used in get effective rights evaluation to build summary string.

Specified by:

setEvalSummary in interface AciEvalContext

Parameters:

summary - The string to set the summary string to

getEvalSummary

public String getEvalSummary()

Description copied from interface: AciEvalContext

Return the access evaluation summary string. Used in a geteffectiverights control evaluation when an aclRightsInfo attribute was specified in a search request.

Specified by:

getEvalSummary in interface AciEvalContext

Returns:

The string describing the access evaluation.

isAuthzidAuthorizationDN

public boolean isAuthzidAuthorizationDN()

Returns true if the geteffectiverights control's authZid DN is equal to the authorization entry's DN.

Returns:

True if the authZid is equal to the authorization entry's DN.

setDenyList

public void setDenyList(List<Aci> denys)

Description copied from interface: AciTargetMatchContext

Set the deny ACI list.

Specified by:

setDenyList in interface AciTargetMatchContext

Parameters:

denys - The deny ACI list.

setAllowList

public void setAllowList(List<Aci> allows)

Description copied from interface: AciTargetMatchContext

Set the allow ACI list.

Specified by:

setAllowList in interface AciTargetMatchContext

Parameters:

allows - The list of allow ACIs.

getCurrentAttributeType

public org.forgerock.opendj.ldap.schema.AttributeType getCurrentAttributeType()

Description copied from interface: AciTargetMatchContext

Get the current attribute type being evaluated.

Specified by:

getCurrentAttributeType in interface AciEvalContext

Specified by:

getCurrentAttributeType in interface AciTargetMatchContext

Returns:

The attribute type being evaluated.

getCurrentAttributeValue

public org.forgerock.opendj.ldap.ByteString getCurrentAttributeValue()

Description copied from interface: AciTargetMatchContext

The current attribute type value being evaluated.

Specified by:

getCurrentAttributeValue in interface AciTargetMatchContext

Returns:

The current attribute type value being evaluated.

setCurrentAttributeType

public void setCurrentAttributeType(org.forgerock.opendj.ldap.schema.AttributeType type)

Description copied from interface: AciTargetMatchContext

Set the attribute type to be evaluated.

Specified by:

setCurrentAttributeType in interface AciTargetMatchContext

Parameters:

type - The attribute type to set to.

setCurrentAttributeValue

public void setCurrentAttributeValue(org.forgerock.opendj.ldap.ByteString value)

Description copied from interface: AciTargetMatchContext

Set the attribute value to be evaluated.

Specified by:

setCurrentAttributeValue in interface AciTargetMatchContext

Parameters:

value - The current attribute value to set to.

isFirstAttribute

public boolean isFirstAttribute()

Description copied from interface: AciTargetMatchContext

True if the first attribute of the resource entry is being evaluated.

Specified by:

isFirstAttribute in interface AciTargetMatchContext

Returns:

True if this is the first attribute.

setIsFirstAttribute

public void setIsFirstAttribute(boolean val)

Description copied from interface: AciTargetMatchContext

Set to true if the first attribute of the resource entry is being evaluated.

Specified by:

setIsFirstAttribute in interface AciTargetMatchContext

Parameters:

val - True if this is the first attribute of the resource entry being evaluated.

hasEntryTestRule

public boolean hasEntryTestRule()

Description copied from interface: AciTargetMatchContext

True if an entry test rule was found.

Specified by:

hasEntryTestRule in interface AciTargetMatchContext

Returns:

True if an entry test rule was found.

setEntryTestRule

public void setEntryTestRule(boolean val)

Description copied from interface: AciTargetMatchContext

True if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.

Specified by:

setEntryTestRule in interface AciTargetMatchContext

Parameters:

val - True if an entry test rule was found.

getResourceEntry

public Entry getResourceEntry()

Description copied from interface: AciTargetMatchContext

Get the entry being evaluated. This is known as the resource entry.

Specified by:

getResourceEntry in interface AciEvalContext

Specified by:

getResourceEntry in interface AciTargetMatchContext

Returns:

The entry being evaluated.

getClientEntry

public Entry getClientEntry()

Description copied from interface: AciEvalContext

Get the client entry. The client entry is the entry that corresponds to the client DN.

Specified by:

getClientEntry in interface AciEvalContext

Returns:

The client entry corresponding to the client DN.

getDenyList

public List<Aci> getDenyList()

Description copied from interface: AciEvalContext

Get the list of deny ACIs.

Specified by:

getDenyList in interface AciEvalContext

Returns:

The deny ACI list.

getAllowList

public List<Aci> getAllowList()

Description copied from interface: AciEvalContext

Get the list allow ACIs.

Specified by:

getAllowList in interface AciEvalContext

Returns:

The allow ACI list.

isDenyEval

public boolean isDenyEval()

Description copied from interface: AciEvalContext

Returns true if the deny list is being evaluated.

Specified by:

isDenyEval in interface AciEvalContext

Returns:

True if the deny list is being evaluated.

isAnonymousUser

public boolean isAnonymousUser()

Description copied from interface: AciEvalContext

Check if the remote client is bound anonymously.

Specified by:

isAnonymousUser in interface AciEvalContext

Returns:

true if client is bound anonymously.

getClientDN

public org.forgerock.opendj.ldap.DN getClientDN()

Description copied from interface: AciEvalContext

Get client DN. The client DN is the authorization DN.

Specified by:

getClientDN in interface AciEvalContext

Returns:

The client DN.

getResourceDN

public org.forgerock.opendj.ldap.DN getResourceDN()

Description copied from interface: AciEvalContext

Get the resource DN. The resource DN is the DN of the entry being evaluated.

Specified by:

getResourceDN in interface AciEvalContext

Returns:

The resource DN.

hasRights

public boolean hasRights(int rights)

Checks if the container's rights has the specified rights.

JNR: I find the implementation in this method dubious.

Specified by:

hasRights in interface AciEvalContext

Specified by:

hasRights in interface AciTargetMatchContext

Parameters:

rights - The rights to check for.

Returns:

True if the container's rights has the specified rights.

See Also:

EnumRight.hasRights(int, int)

getRights

public int getRights()

Description copied from interface: AciTargetMatchContext

Return the rights for this container's LDAP operation.

Specified by:

getRights in interface AciEvalContext

Specified by:

getRights in interface AciTargetMatchContext

Returns:

The rights for the container's LDAP operation.

setRights

public void setRights(int rights)

Description copied from interface: AciTargetMatchContext

Set the rights of the container to the specified rights.

Specified by:

setRights in interface AciTargetMatchContext

Parameters:

rights - The rights to set the container's rights to.

getHostName

public String getHostName()

Description copied from interface: AciEvalContext

Get the hostname of the bound connection.

Specified by:

getHostName in interface AciEvalContext

Returns:

The hostname of the connection.

getRemoteAddress

public InetAddress getRemoteAddress()

Description copied from interface: AciEvalContext

Get the address of the bound connection.

Specified by:

getRemoteAddress in interface AciEvalContext

Returns:

The address of the bound connection.

isAddOperation

public boolean isAddOperation()

Description copied from interface: AciEvalContext

Return true if this is an add operation needed by the userattr USERDN parent inheritance level 0 processing.

Specified by:

isAddOperation in interface AciEvalContext

Returns:

true if this is an add operation.

setTargAttrFiltersMatch

public void setTargAttrFiltersMatch(boolean v)

Description copied from interface: AciTargetMatchContext

Set to true if the ACI had a targattrfilter rule that matched.

Specified by:

setTargAttrFiltersMatch in interface AciTargetMatchContext

Parameters:

v - The value to use.

getTargAttrFiltersMatch

public boolean getTargAttrFiltersMatch()

Description copied from interface: AciTargetMatchContext

Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilter rule that matched.

Specified by:

getTargAttrFiltersMatch in interface AciTargetMatchContext

Returns:

True if the ACI had a targattrfilter rule that matched.

getControlOID

public String getControlOID()

Description copied from interface: AciTargetMatchContext

Return the OID (Object Identifier) string of the control being evaluated.

Specified by:

getControlOID in interface AciTargetMatchContext

Returns:

The OID string of the control being evaluated.

getExtOpOID

public String getExtOpOID()

Description copied from interface: AciTargetMatchContext

Return The OID (Object Identifier) string of the extended operation being evaluated.

Specified by:

getExtOpOID in interface AciTargetMatchContext

Returns:

The OID string of the extended operation being evaluated.

setControlOID

protected void setControlOID(String oid)

Set the the controlOID value to the specified oid string.

Parameters:

oid - The control oid string.

setExtOpOID

protected void setExtOpOID(String oid)

Set the extended operation OID value to the specified oid string.

Parameters:

oid - The extended operation oid string.

hasAuthenticationMethod

public EnumEvalResult hasAuthenticationMethod(org.opends.server.authorization.dseecompat.EnumAuthMethod authMethod,
                                              String saslMech)

Description copied from interface: AciEvalContext

Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.

Specified by:

hasAuthenticationMethod in interface AciEvalContext

Parameters:

authMethod - The required authentication method.

saslMech - The required SASL mechanism if the authentication method is SASL.

Returns:

An evaluation result indicating whether the client connection has been authenticated using the required authentication method.

isMemberOf

public boolean isMemberOf(Group<?> group)

Description copied from interface: AciEvalContext

Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.

Specified by:

isMemberOf in interface AciEvalContext

Parameters:

group - The group to check membership in.

Returns:

true if the authorization DN of the operation is a member of the specified group.

rightToString

public String rightToString()

Return a string representation of the current right being evaluated. Used in geteffectiverights control evaluation to build summary string.

JNR: I find the implementation in this method dubious.

Specified by:

rightToString in interface AciEvalContext

Returns:

String representation of the current right being evaluated.

See Also:

EnumRight.getEnumRight(int)

setEvalUserAttributes

public void setEvalUserAttributes(int v)

Description copied from interface: AciTargetMatchContext

This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped, is when a single ACI matched using a targetattr all user attributes rule and the attribute type being check is not operational.

Specified by:

setEvalUserAttributes in interface AciTargetMatchContext

Parameters:

v - The mask to this value.

setEvalOpAttributes

public void setEvalOpAttributes(int v)

Description copied from interface: AciTargetMatchContext

This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped, is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being check is operational.

Specified by:

setEvalOpAttributes in interface AciTargetMatchContext

Parameters:

v - The mask to this value.

hasEvalUserAttributes

public boolean hasEvalUserAttributes()

Description copied from interface: AciTargetMatchContext

Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explicitly defined targetattr target rule matched.

Specified by:

hasEvalUserAttributes in interface AciTargetMatchContext

Returns:

True if the above condition was seen.

hasEvalOpAttributes

public boolean hasEvalOpAttributes()

Description copied from interface: AciTargetMatchContext

Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule or both a targetattr all operational attributes rule matched and a explicitly defined targetattr target rule matched.

Specified by:

hasEvalOpAttributes in interface AciTargetMatchContext

Returns:

True if the above condition was seen.

hasAllUserAttributes

public boolean hasAllUserAttributes()

Return true if the evaluating ACI contained a targetattr all user attributes rule match.

Returns:

True if the above condition was seen.

hasAllOpAttributes

public boolean hasAllOpAttributes()

Return true if the evaluating ACI contained a targetattr all operational attributes rule match.

Returns:

True if the above condition was seen.

clearEvalAttributes

public void clearEvalAttributes(int v)

Description copied from interface: AciTargetMatchContext

Used to clear the mask used to detect if access checking needs to be performed on individual attributes types. The specified value is cleared from the mask or if the value equals 0 the mask is completely cleared.

Specified by:

clearEvalAttributes in interface AciTargetMatchContext

Parameters:

v - The flag to clear or 0 to set the mask to 0.

getCurrentSSF

public int getCurrentSSF()

Description copied from interface: AciEvalContext

Return the current SSF (Security Strength Factor) of the underlying connection.

Specified by:

getCurrentSSF in interface AciEvalContext

Returns:

The current SSF of the connection.

toString

public String toString()

Overrides:

toString in class Object