001 /*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License"). You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at
010 * trunk/opends/resource/legal-notices/OpenDS.LICENSE
011 * or https://OpenDS.dev.java.net/OpenDS.LICENSE.
012 * See the License for the specific language governing permissions
013 * and limitations under the License.
014 *
015 * When distributing Covered Code, include this CDDL HEADER in each
016 * file and include the License file at
017 * trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
018 * add the following below this CDDL HEADER, with the fields enclosed
019 * by brackets "[]" replaced with your own identifying information:
020 * Portions Copyright [yyyy] [name of copyright owner]
021 *
022 * CDDL HEADER END
023 *
024 *
025 * Copyright 2008 Sun Microsystems, Inc.
026 */
027
028 package org.opends.server.authorization.dseecompat;
029
030 import org.opends.server.types.AttributeType;
031 import org.opends.server.types.AttributeValue;
032 import org.opends.server.types.Entry;
033 import java.util.LinkedList;
034
035 /**
036 * The AciTargetMatchContext interface provides a
037 * view of an AciContainer that exposes information to be
038 * used by the Aci.isApplicable() method to determine if
039 * an ACI is applicable (targets matched) to the LDAP operation,
040 * operation rights and entry and attributes having access
041 * checked on.
042 */
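public interface AciTargetMatchContext {

  /**
   * Sets the deny ACI list.
   *
   * NOTE(review): the parameter is a concrete, mutable {@code LinkedList};
   * whether implementations copy or retain the reference is not visible
   * here — confirm in the implementing container before sharing the list.
   *
   * @param denyList The deny ACI list.
   */
  void setDenyList(LinkedList<Aci> denyList);

  /**
   * Sets the allow ACI list.
   *
   * NOTE(review): as with {@link #setDenyList}, the list is a mutable
   * {@code LinkedList}; confirm whether the implementation copies it.
   *
   * @param allowList The list of allow ACIs.
   */
  void setAllowList(LinkedList<Aci> allowList);

  /**
   * Returns the entry being evaluated. This is known as the resource entry.
   *
   * @return The entry being evaluated.
   */
  Entry getResourceEntry();

  /**
   * Returns the attribute type currently being evaluated.
   *
   * @return The attribute type being evaluated.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Returns the attribute value currently being evaluated.
   *
   * @return The current attribute value being evaluated.
   */
  AttributeValue getCurrentAttributeValue();

  /**
   * Indicates whether the first attribute of the resource entry is being
   * evaluated.
   *
   * @return True if this is the first attribute.
   */
  boolean isFirstAttribute();

  /**
   * Records whether the first attribute of the resource entry is being
   * evaluated.
   *
   * @param isFirst True if this is the first attribute of the resource
   *                entry being evaluated.
   */
  void setIsFirstAttribute(boolean isFirst);

  /**
   * Sets the attribute type to be evaluated.
   *
   * @param type The attribute type to set to.
   */
  void setCurrentAttributeType(AttributeType type);

  /**
   * Sets the attribute value to be evaluated.
   *
   * @param v The current attribute value to set to.
   */
  void setCurrentAttributeValue(AttributeValue v);

  /**
   * Records whether the target matching code found an entry test rule. An
   * entry test rule is an ACI without a targetattr target rule.
   *
   * @param val True if an entry test rule was found.
   */
  void setEntryTestRule(boolean val);

  /**
   * Indicates whether an entry test rule was found.
   *
   * @return True if an entry test rule was found.
   */
  boolean hasEntryTestRule();

  /**
   * Returns the rights for this container's LDAP operation.
   *
   * @return The rights for the container's LDAP operation.
   */
  int getRights();

  /**
   * Returns the OID (Object Identifier) string of the control being evaluated.
   *
   * @return The OID string of the control being evaluated.
   */
  String getControlOID();

  /**
   * Returns the OID (Object Identifier) string of the extended operation
   * being evaluated.
   *
   * @return The OID string of the extended operation being evaluated.
   */
  String getExtOpOID();

  /**
   * Checks whether the container's rights include the specified rights.
   *
   * NOTE(review): the rights are carried as an {@code int} mask; whether
   * this is an "all requested bits set" or "any requested bit set" test is
   * defined by the implementation, not by this interface — callers that
   * pass a combined mask should confirm which semantics apply.
   *
   * @param rights The rights to check for.
   * @return True if the container's rights include the specified rights.
   */
  boolean hasRights(int rights);

  /**
   * Sets the rights of the container to the specified rights.
   *
   * @param rights The rights to set the container's rights to.
   */
  void setRights(int rights);

  /**
   * Records whether the ACI had a targattrfilters rule that matched.
   *
   * @param v True if a targattrfilters rule matched.
   */
  void setTargAttrFiltersMatch(boolean v);

  /**
   * Returns the value of the targAttrFiltersMatch flag. This is set to
   * true if the ACI had a targattrfilters rule that matched.
   *
   * @return True if the ACI had a targattrfilters rule that matched.
   */
  boolean getTargAttrFiltersMatch();

  /**
   * Adds the specified ACI to the list of ACIs that have a targattrfilters
   * rule that matched. This is used by geteffectiverights to determine the
   * rights of an attribute that might possibly evaluate to true.
   *
   * @param aci The ACI to save.
   */
  void addTargAttrFiltersMatchAci(Aci aci);

  /**
   * Saves the name of the last ACI that matched a targattrfilters rule.
   * This is used by geteffectiverights evaluation.
   *
   * @param name The ACI's name to save.
   */
  void setTargAttrFiltersAciName(String name);

  /**
   * Returns true if the match context is performing a geteffectiverights
   * evaluation.
   *
   * @return True if the match context is evaluating geteffectiverights.
   */
  boolean isGetEffectiveRightsEval();

  /**
   * Updates the mask that indicates whether access checking of individual
   * user attributes may be skipped, depending on whether there is a single
   * ACI containing a targetattr all-user-attributes rule
   * ({@code targetattr="*"}).
   *
   * The only case where individual user attribute access checking can be
   * skipped is when a single ACI matched using a targetattr
   * all-user-attributes rule and the attribute type being checked is not
   * operational. Because a set bit here can suppress a per-attribute access
   * check, implementations must not leave it set across evaluations; see
   * {@link #clearEvalAttributes(int)}.
   *
   * @param v The mask value to apply.
   */
  void setEvalUserAttributes(int v);

  /**
   * Updates the mask that indicates whether access checking of individual
   * operational attributes may be skipped, depending on whether there is a
   * single ACI containing a targetattr all-operational-attributes rule
   * ({@code targetattr="+"}).
   *
   * The only case where individual operational attribute access checking
   * can be skipped is when a single ACI matched using a targetattr
   * all-operational-attributes rule and the attribute type being checked is
   * operational. As with {@link #setEvalUserAttributes(int)}, a stale bit
   * here would suppress a per-attribute access check, so the mask must be
   * reset between evaluations.
   *
   * @param v The mask value to apply.
   */
  void setEvalOpAttributes(int v);

  /**
   * Returns true if the evaluating ACI either contained an explicitly
   * defined user attribute type in a targetattr target rule, or both a
   * targetattr all-user-attributes rule matched and an explicitly defined
   * targetattr target rule matched.
   *
   * @return True if the above condition was seen.
   */
  boolean hasEvalUserAttributes();

  /**
   * Returns true if the evaluating ACI either contained an explicitly
   * defined operational attribute type in a targetattr target rule, or both
   * a targetattr all-operational-attributes rule matched and an explicitly
   * defined targetattr target rule matched.
   *
   * @return True if the above condition was seen.
   */
  boolean hasEvalOpAttributes();

  /**
   * Clears the mask used to detect whether access checking needs to be
   * performed on individual attribute types. The specified value is cleared
   * from the mask, or if the value equals 0 the mask is completely cleared.
   *
   * NOTE(review): the reset between evaluations is presumably done by the
   * implementing AciContainer; confirm that it calls this with 0 before
   * each new entry/attribute evaluation so that a skip decision from a
   * previous evaluation cannot carry over.
   *
   * @param v The flag to clear, or 0 to set the mask to 0.
   */
  void clearEvalAttributes(int v);
}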
246
247