public abstract class AciContainer extends Object implements AciTargetMatchContext, AciEvalContext
Modifier | Constructor | Description
---|---|---
protected | AciContainer(Operation operation, Entry e, AuthenticationInfo authInfo, int rights) | This constructor is used by the generic access control check.
protected | AciContainer(Operation operation, int rights, Entry entry) | This constructor is used by all currently supported LDAP operations except the generic access control check, which can be used by plugins.
Modifier and Type | Method | Description
---|---|---
void | addTargAttrFiltersMatchAci(Aci aci) | Add the specified ACI to the list of ACIs that have a targattrfilters rule that matched.
void | clearEvalAttributes(int v) | Clear the mask used to detect whether access checking needs to be performed on individual attribute types.
List<Aci> | getAllowList() | Get the list of allow ACIs.
DN | getClientDN() | Get the client DN.
Entry | getClientEntry() | Get the client entry.
String | getControlOID() | Return the OID (Object Identifier) string of the control being evaluated.
AttributeType | getCurrentAttributeType() | Get the current attribute type being evaluated.
org.forgerock.opendj.ldap.ByteString | getCurrentAttributeValue() | Get the current attribute value being evaluated.
int | getCurrentSSF() | Return the current SSF (Security Strength Factor) of the underlying connection.
String | getDecidingAciName() | Return the name of the ACI that decided the last access evaluation.
List<Aci> | getDenyList() | Get the list of deny ACIs.
EnumEvalReason | getEvalReason() | Return the reason the last access evaluation was evaluated the way it was.
String | getEvalSummary() | Return the access evaluation summary string.
String | getExtOpOID() | Return the OID (Object Identifier) string of the extended operation being evaluated.
String | getHostName() | Get the hostname of the bound connection.
InetAddress | getRemoteAddress() | Get the address of the bound connection.
DN | getResourceDN() | Get the resource DN.
Entry | getResourceEntry() | Get the entry being evaluated.
int | getRights() | Return the rights for this container's LDAP operation.
List<AttributeType> | getSpecificAttributes() | Return the list of additional attributes specified in the geteffectiverights control.
String | getTargAttrFiltersAciName() | Return the name of the ACI that last matched a targattrfilters rule.
boolean | getTargAttrFiltersMatch() | Return the value of the targAttrFiltersMatch variable.
boolean | hasAllOpAttributes() | Return true if the evaluating ACI contained a targetattr all operational attributes rule match.
boolean | hasAllUserAttributes() | Return true if the evaluating ACI contained a targetattr all user attributes rule match.
EnumEvalResult | hasAuthenticationMethod(EnumAuthMethod authMethod, String saslMech) | Determine whether the client connection has been authenticated using the specified authentication method.
boolean | hasEntryTestRule() | Return true if an entry test rule was found.
boolean | hasEvalOpAttributes() | Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targetattr target rule, or both a targetattr all operational attributes rule and an explicitly defined targetattr target rule matched.
boolean | hasEvalUserAttributes() | Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targetattr target rule, or both a targetattr all user attributes rule and an explicitly defined targetattr target rule matched.
boolean | hasGetEffectiveRightsControl() | Return true if the container is being used in a geteffectiverights evaluation.
boolean | hasRights(int rights) | Check whether the container's rights include the specified rights.
boolean | hasSeenEntry() | Return true if an entry has already been processed by an access proxy check.
boolean | hasTargAttrFiltersMatchAci(Aci aci) | Return true if the specified ACI is in the hashtable of ACIs that matched the targattrfilters keyword evaluation, which the context maintains.
boolean | hasTargAttrFiltersMatchOp(int flag) | Return true if an ACI that evaluated to deny or allow has a targattrfilters keyword.
boolean | isAddOperation() | Return true if this is an add operation; needed by the userattr USERDN parent inheritance level 0 processing.
boolean | isAnonymousUser() | Check whether the remote client is bound anonymously.
boolean | isAuthzidAuthorizationDN() | Return true if the geteffectiverights control's authZid DN is equal to the authorization entry's DN.
boolean | isDenyEval() | Return true if the deny list is being evaluated.
boolean | isFirstAttribute() | Return true if the first attribute of the resource entry is being evaluated.
boolean | isGetEffectiveRightsEval() | Return true if a match context is performing a geteffectiverights evaluation.
boolean | isMemberOf(Group<?> group) | Return true if the operation associated with this evaluation context is a member of the specified group.
boolean | isProxiedAuthorization() | Return true if an evaluation context is being used in proxied authorization control evaluation.
boolean | isTargAttrFilterMatchAciEmpty() | Return true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty.
void | resetEffectiveRightsParams() | Reset the values used by the geteffectiverights evaluation to their original values.
String | rightToString() | Return a string representation of the current right being evaluated.
void | setAllowList(List<Aci> allows) | Set the allow ACI list.
protected void | setControlOID(String oid) | Set the controlOID value to the specified OID string.
void | setCurrentAttributeType(AttributeType type) | Set the attribute type to be evaluated.
void | setCurrentAttributeValue(org.forgerock.opendj.ldap.ByteString value) | Set the attribute value to be evaluated.
void | setDenyList(List<Aci> denys) | Set the deny ACI list.
void | setEntryTestRule(boolean val) | Set to true if the target matching code found an entry test rule.
void | setEvalOpAttributes(int v) | Toggle a mask indicating that access checking of individual operational attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
void | setEvalSummary(String summary) | Set the value of the summary string to the specified string.
void | setEvaluationResult(EnumEvalReason reason, Aci decidingAci) | Set the reason and the ACI that decided why the last access evaluation was evaluated the way it was.
void | setEvalUserAttributes(int v) | Toggle a mask indicating that access checking of individual user attributes may or may not be skipped, depending on whether there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
protected void | setExtOpOID(String oid) | Set the extended operation OID value to the specified OID string.
void | setGetEffectiveRightsEval() | The container is going to be used in a geteffectiverights evaluation; set the isGetEffectiveRightsEval flag to true.
void | setIsFirstAttribute(boolean val) | Set to true if the first attribute of the resource entry is being evaluated.
void | setRights(int rights) | Set the rights of the container to the specified rights.
void | setSeenEntry(boolean val) | Set to true if an entry has already been processed by an access proxy check.
void | setTargAttrFiltersAciName(String name) | Save the name of the last ACI that matched a targattrfilters rule.
void | setTargAttrFiltersMatch(boolean v) | Set to true if the ACI had a targattrfilters rule that matched.
void | setTargAttrFiltersMatchOp(int flag) | Set a flag specifying that an ACI that evaluated to either deny or allow contains a targattrfilters keyword.
String | toString() | 
void | useAuthzid(boolean v) | Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.
protected AciContainer(Operation operation, int rights, Entry entry)
Parameters:
- operation - The Operation object being evaluated and target matched.
- rights - The rights array to use in evaluation and target matching.
- entry - The current entry being evaluated and target matched.

protected AciContainer(Operation operation, Entry e, AuthenticationInfo authInfo, int rights)
Parameters:
- operation - The operation to use in the access evaluation.
- e - The entry to check access for.
- authInfo - The authentication information to use in the evaluation.
- rights - The rights to check access of.

public boolean hasSeenEntry()

public void setSeenEntry(boolean val)
Parameters:
- val - The value to set the seenEntry boolean to.

public boolean isProxiedAuthorization()
Specified by: isProxiedAuthorization in interface AciEvalContext
Returns: true if the evaluation context is being used in proxied authorization control evaluation.

public boolean isGetEffectiveRightsEval()
Specified by: isGetEffectiveRightsEval in interface AciEvalContext
Specified by: isGetEffectiveRightsEval in interface AciTargetMatchContext

public void setGetEffectiveRightsEval()

public boolean hasGetEffectiveRightsControl()

public void useAuthzid(boolean v)
Parameters:
- v - The value to set useAuthzid to.

public List<AttributeType> getSpecificAttributes()

public void addTargAttrFiltersMatchAci(Aci aci)
Specified by: addTargAttrFiltersMatchAci in interface AciTargetMatchContext
Parameters:
- aci - The ACI to save.

public boolean hasTargAttrFiltersMatchAci(Aci aci)
Specified by: hasTargAttrFiltersMatchAci in interface AciEvalContext
Parameters:
- aci - The ACI to check for a match during targattrfilters keyword evaluation.
Returns: true if the specified ACI matched targattrfilters evaluation.

public boolean isTargAttrFilterMatchAciEmpty()
Specified by: isTargAttrFilterMatchAciEmpty in interface AciEvalContext
Returns: true if no ACIs matched targattrfilters keyword evaluation.

public void resetEffectiveRightsParams()

public void setTargAttrFiltersAciName(String name)
Specified by: setTargAttrFiltersAciName in interface AciEvalContext
Specified by: setTargAttrFiltersAciName in interface AciTargetMatchContext
Parameters:
- name - The ACI's name to save.

public String getTargAttrFiltersAciName()
Specified by: getTargAttrFiltersAciName in interface AciEvalContext

public void setTargAttrFiltersMatchOp(int flag)
Specified by: setTargAttrFiltersMatchOp in interface AciEvalContext
Parameters:
- flag - Either the integer value representing an allow or a deny, but not both.

public boolean hasTargAttrFiltersMatchOp(int flag)
Specified by: hasTargAttrFiltersMatchOp in interface AciEvalContext
Parameters:
- flag - The integer value specifying either a deny or an allow, but not both.
Returns: true if the ACI has a targattrfilters keyword.

public String getDecidingAciName()
Specified by: getDecidingAciName in interface AciEvalContext

public void setEvaluationResult(EnumEvalReason reason, Aci decidingAci)
Specified by: setEvaluationResult in interface AciEvalContext
Parameters:
- reason - The enumeration representing the reason for the last access evaluation.
- decidingAci - The ACI that decided the last access evaluation.

public EnumEvalReason getEvalReason()
Specified by: getEvalReason in interface AciEvalContext

public void setEvalSummary(String summary)
Specified by: setEvalSummary in interface AciEvalContext
Parameters:
- summary - The string to set the summary string to.

public String getEvalSummary()
Specified by: getEvalSummary in interface AciEvalContext

public boolean isAuthzidAuthorizationDN()

public void setDenyList(List<Aci> denys)
Specified by: setDenyList in interface AciTargetMatchContext
Parameters:
- denys - The deny ACI list.

public void setAllowList(List<Aci> allows)
Specified by: setAllowList in interface AciTargetMatchContext
Parameters:
- allows - The list of allow ACIs.

public AttributeType getCurrentAttributeType()
Specified by: getCurrentAttributeType in interface AciEvalContext
Specified by: getCurrentAttributeType in interface AciTargetMatchContext

public org.forgerock.opendj.ldap.ByteString getCurrentAttributeValue()
Specified by: getCurrentAttributeValue in interface AciTargetMatchContext

public void setCurrentAttributeType(AttributeType type)
Specified by: setCurrentAttributeType in interface AciTargetMatchContext
Parameters:
- type - The attribute type to set.

public void setCurrentAttributeValue(org.forgerock.opendj.ldap.ByteString value)
Specified by: setCurrentAttributeValue in interface AciTargetMatchContext
Parameters:
- value - The current attribute value to set.

public boolean isFirstAttribute()
Specified by: isFirstAttribute in interface AciTargetMatchContext

public void setIsFirstAttribute(boolean val)
Specified by: setIsFirstAttribute in interface AciTargetMatchContext
Parameters:
- val - True if this is the first attribute of the resource entry being evaluated.

public boolean hasEntryTestRule()
Specified by: hasEntryTestRule in interface AciTargetMatchContext

public void setEntryTestRule(boolean val)
Specified by: setEntryTestRule in interface AciTargetMatchContext
Parameters:
- val - True if an entry test rule was found.

public Entry getResourceEntry()
Specified by: getResourceEntry in interface AciEvalContext
Specified by: getResourceEntry in interface AciTargetMatchContext

public Entry getClientEntry()
Specified by: getClientEntry in interface AciEvalContext

public List<Aci> getDenyList()
Specified by: getDenyList in interface AciEvalContext

public List<Aci> getAllowList()
Specified by: getAllowList in interface AciEvalContext

public boolean isDenyEval()
Specified by: isDenyEval in interface AciEvalContext

public boolean isAnonymousUser()
Specified by: isAnonymousUser in interface AciEvalContext
Returns: true if the client is bound anonymously.

public DN getClientDN()
Specified by: getClientDN in interface AciEvalContext

public DN getResourceDN()
Specified by: getResourceDN in interface AciEvalContext

public boolean hasRights(int rights)
JNR: I find the implementation in this method dubious.
Specified by: hasRights in interface AciEvalContext
Specified by: hasRights in interface AciTargetMatchContext
Parameters:
- rights - The rights to check for.
See Also: EnumRight.hasRights(int, int)

public int getRights()
Specified by: getRights in interface AciEvalContext
Specified by: getRights in interface AciTargetMatchContext

public void setRights(int rights)
Specified by: setRights in interface AciTargetMatchContext
Parameters:
- rights - The rights to set the container's rights to.

public String getHostName()
Specified by: getHostName in interface AciEvalContext

public InetAddress getRemoteAddress()
Specified by: getRemoteAddress in interface AciEvalContext

public boolean isAddOperation()
Specified by: isAddOperation in interface AciEvalContext
Returns: true if this is an add operation.

public void setTargAttrFiltersMatch(boolean v)
Specified by: setTargAttrFiltersMatch in interface AciTargetMatchContext
Parameters:
- v - The value to use.

public boolean getTargAttrFiltersMatch()
Specified by: getTargAttrFiltersMatch in interface AciTargetMatchContext

public String getControlOID()
Specified by: getControlOID in interface AciTargetMatchContext

public String getExtOpOID()
Specified by: getExtOpOID in interface AciTargetMatchContext

protected void setControlOID(String oid)
Parameters:
- oid - The control OID string.

protected void setExtOpOID(String oid)
Parameters:
- oid - The extended operation OID string.

public EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod, String saslMech)
Specified by: hasAuthenticationMethod in interface AciEvalContext
Parameters:
- authMethod - The required authentication method.
- saslMech - The required SASL mechanism, if the authentication method is SASL.

public boolean isMemberOf(Group<?> group)
Specified by: isMemberOf in interface AciEvalContext
Parameters:
- group - The group to check membership in.
Returns: true if the authorization DN of the operation is a member of the specified group.

public String rightToString()
JNR: I find the implementation in this method dubious.
Specified by: rightToString in interface AciEvalContext
See Also: EnumRight.getEnumRight(int)

public void setEvalUserAttributes(int v)
Specified by: setEvalUserAttributes in interface AciTargetMatchContext
Parameters:
- v - The value to set the mask to.

public void setEvalOpAttributes(int v)
Specified by: setEvalOpAttributes in interface AciTargetMatchContext
Parameters:
- v - The value to set the mask to.

public boolean hasEvalUserAttributes()
Specified by: hasEvalUserAttributes in interface AciTargetMatchContext

public boolean hasEvalOpAttributes()
Specified by: hasEvalOpAttributes in interface AciTargetMatchContext

public boolean hasAllUserAttributes()

public boolean hasAllOpAttributes()

public void clearEvalAttributes(int v)
Specified by: clearEvalAttributes in interface AciTargetMatchContext
Parameters:
- v - The flag to clear, or 0 to set the whole mask to 0.

public int getCurrentSSF()
Specified by: getCurrentSSF in interface AciEvalContext
Copyright © 2010-2016 ForgeRock AS. All Rights Reserved.