001 /*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License"). You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 * Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 * Copyright 2008 Sun Microsystems, Inc.
026 */
027
028 package org.opends.server.authorization.dseecompat;
029
030 import org.opends.server.types.DN;
031 import org.opends.server.types.Entry;
032 import org.opends.server.types.AttributeType;
033 import org.opends.server.api.Group;
034
035 import java.net.InetAddress;
036 import java.util.LinkedList;
037
038 /**
039 * Interface that provides a view of the AciContainer that is
040 * used by the ACI evaluation code to evaluate an ACI.
041 */
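public interface AciEvalContext
{
  /**
   * Get the client DN. The client DN is the authorization DN, i.e. the
   * identity that access is being evaluated for. Under proxied authorization
   * (see {@link #isProxiedAuthorization()}) this is expected to be the proxied
   * identity rather than the bind DN -- confirm against the container
   * implementation.
   *
   * @return The client (authorization) DN.
   */
  public DN getClientDN();

  /**
   * Get the client entry. The client entry is the entry that corresponds
   * to the client DN.
   *
   * @return The client entry corresponding to the client DN.
   */
  public Entry getClientEntry();

  /**
   * Get the resource DN. The resource DN is the DN of the entry being
   * evaluated.
   *
   * @return The resource DN.
   */
  public DN getResourceDN();

  /**
   * Get the list of deny ACIs.
   *
   * @return The deny ACI list.
   */
  public LinkedList<Aci> getDenyList();

  /**
   * Get the list of allow ACIs.
   *
   * @return The allow ACI list.
   */
  public LinkedList<Aci> getAllowList();

  /**
   * Set whether the deny list is currently being evaluated.
   *
   * @param v True if deny ACIs are being evaluated, false otherwise.
   */
  public void setDenyEval(boolean v);

  /**
   * Returns true if the deny list is being evaluated.
   *
   * @return True if the deny list is being evaluated.
   */
  public boolean isDenyEval();

  /**
   * Check if the remote client is bound anonymously.
   *
   * @return True if the client is bound anonymously.
   */
  public boolean isAnonymousUser();

  /**
   * Return the rights set for this container's LDAP operation.
   *
   * @return The rights set for the container's LDAP operation.
   */
  public int getRights();

  /**
   * Return the entry being evaluated.
   *
   * @return The evaluation (resource) entry.
   */
  public Entry getResourceEntry();

  /**
   * Get the hostname of the bound connection.
   * NOTE(review): if implementations obtain this by reverse DNS lookup, a
   * bind rule keyed on it is only as trustworthy as the resolver;
   * {@link #getRemoteAddress()} is the primary connection identifier --
   * confirm how the container populates this value.
   *
   * @return The hostname of the connection.
   */
  public String getHostName();

  /**
   * Determine whether the client connection has been authenticated using
   * a specified authentication method. This method is used for the
   * authmethod bind rule keyword.
   *
   * @param authMethod The required authentication method.
   * @param saslMech The required SASL mechanism if the authentication method
   *                 is SASL.
   * @return An evaluation result indicating whether the client connection
   *         has been authenticated using the required authentication method.
   */
  public EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                                String saslMech);

  /**
   * Get the address of the bound connection.
   *
   * @return The address of the bound connection.
   */
  public InetAddress getRemoteAddress();

  /**
   * Return true if this is an add operation. Needed by the userattr
   * USERDN parent inheritance level 0 processing.
   *
   * @return True if this is an add operation.
   */
  public boolean isAddOperation();

  /**
   * Return true if the operation associated with this evaluation
   * context is a member of the specified group. Calls the
   * ClientConnection.isMemberOf() method, which checks authorization
   * DN membership in the specified group.
   *
   * @param group The group to check membership in.
   * @return True if the authorization DN of the operation is a
   *         member of the specified group.
   */
  public boolean isMemberOf(Group group);

  /**
   * Returns true if the hashtable of ACIs that matched the targattrfilters
   * keyword evaluation is empty. Used by geteffectiverights evaluation to
   * determine the access value to put in the "write" rights evaluation field.
   *
   * @return True if there were not any ACIs that matched targattrfilters
   *         keyword evaluation.
   */
  public boolean isTargAttrFilterMatchAciEmpty();

  /**
   * The context maintains a hashtable of ACIs that matched the targattrfilters
   * keyword evaluation. This method returns true if the specified ACI is
   * contained in that hashtable. Used by geteffectiverights evaluation to
   * determine the access value to put in the "write" rights evaluation field.
   *
   * @param aci The ACI to check for a match during targattrfilters keyword
   *            evaluation.
   * @return True if the specified ACI matched targattrfilters evaluation.
   */
  public boolean hasTargAttrFiltersMatchAci(Aci aci);

  /**
   * Return true if an ACI that evaluated to deny or allow has a
   * targattrfilters keyword. Used by geteffectiverights evaluation to
   * determine the access value to put in the "write" rights evaluation
   * field.
   *
   * @param flag The integer value specifying either a deny or an allow, but
   *             not both.
   * @return True if the ACI that evaluated to the specified result (deny or
   *         allow) contains a targattrfilters keyword.
   */
  public boolean hasTargAttrFiltersMatchOp(int flag);

  /**
   * Returns true if the evaluation context is being used in a
   * geteffectiverights evaluation.
   *
   * @return True if the evaluation context is being used in a
   *         geteffectiverights evaluation.
   */
  public boolean isGetEffectiveRightsEval();

  /**
   * Set the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights targattrfilters "write" rights evaluation.
   *
   * @param name The ACI name string matching the targattrfilters rule.
   */
  public void setTargAttrFiltersAciName(String name);

  /**
   * Set a flag that specifies that an ACI that evaluated to either deny or
   * allow contains a targattrfilters keyword. Used by geteffectiverights
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @param flag Either the integer value representing an allow or a deny,
   *             but not both.
   */
  public void setTargAttrFiltersMatchOp(int flag);

  /**
   * Set the reason the last access evaluation was decided the way it
   * was. Used by geteffectiverights evaluation to eventually build the
   * summary string.
   *
   * @param reason The enumeration representing the reason for the last access
   *               evaluation result.
   */
  public void setEvalReason(EnumEvalReason reason);

  /**
   * Return the reason the last access evaluation was decided the way it
   * was. Used by geteffectiverights evaluation to build the summary string.
   *
   * @return The enumeration representing the reason for the last access
   *         evaluation result.
   */
  public EnumEvalReason getEvalReason();

  /**
   * Set the ACI that decided the last access evaluation. Used by
   * geteffectiverights evaluation to build the summary string.
   *
   * @param aci The ACI that decided the last access evaluation.
   */
  public void setDecidingAci(Aci aci);

  /**
   * Check if the evaluation context's rights contain a set of access rights.
   *
   * @param rights The rights mask to check.
   * @return True if the evaluation context contains the specified access
   *         rights.
   */
  public boolean hasRights(int rights);

  /**
   * Return the name of the ACI that decided the last access evaluation. Used
   * by geteffectiverights evaluation to build the summary string.
   *
   * @return The name of the ACI that decided the last access evaluation.
   */
  public String getDecidingAciName();

  /**
   * Return true if the evaluation context is being used in a proxied
   * authorization evaluation.
   *
   * @return True if the evaluation context is being used in a proxied
   *         authorization evaluation.
   */
  public boolean isProxiedAuthorization();

  /**
   * Get the current attribute type being evaluated.
   *
   * @return The attribute type currently being evaluated.
   */
  public AttributeType getCurrentAttributeType();

  /**
   * Set the value of the summary string to the specified string.
   * Used in geteffectiverights evaluation to build the summary string.
   *
   * @param summary The string to set the summary string to.
   */
  public void setEvalSummary(String summary);

  /**
   * Return the access evaluation summary string. Used by the geteffectiverights
   * evaluation when an aclRightsInfo attribute was specified in a search.
   *
   * @return The string describing the access evaluation.
   */
  public String getEvalSummary();

  /**
   * Return a string representation of the current right being evaluated.
   * Used in geteffectiverights evaluation to build the summary string.
   *
   * @return String representation of the current right being evaluated.
   */
  public String rightToString();

  /**
   * Return the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights evaluation.
   *
   * @return The name of the ACI that last matched a targattrfilters rule.
   */
  public String getTargAttrFiltersAciName();

  /**
   * The full entry with all of its attributes was saved in the operation's
   * attachment mechanism when the container was created during the
   * SearchOperation read evaluation. Some operations need the full entry and
   * not the filtered entry to perform their evaluations, because they might
   * depend on attribute types and values that were filtered out.
   *
   * This method is used to switch the current resource entry to that saved
   * entry and back.
   *
   * @param val Specifies whether the saved entry should be used. True if it
   *            should be used, false if the original resource entry should be
   *            used.
   */
  public void useFullResourceEntry(boolean val);
}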