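/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
 * or http://forgerock.org/license/CDDLv1.0.html.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at legal-notices/CDDLv1_0.txt.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information:
 *      Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 *
 *
 *      Copyright 2008-2010 Sun Microsystems, Inc.
 *      Portions Copyright 2011-2015 ForgeRock AS
 */
package org.opends.server.authorization.dseecompat;

import java.net.InetAddress;
import java.util.List;

import org.opends.server.api.Group;
import org.opends.server.types.AttributeType;
import org.opends.server.types.DN;
import org.opends.server.types.Entry;

/**
 * Interface that provides a view of the AciContainer that is used by the ACI
 * evaluation code to evaluate an ACI.
 * <p>
 * The context exposes two kinds of state. The first is facts about the
 * requesting client (authorization DN, client entry, remote address and host
 * name, authentication method, SSF, group membership) that bind rules are
 * decided against. The second is facts about the request (resource entry,
 * rights, current attribute type) together with mutable bookkeeping that is
 * only consumed by geteffectiverights control evaluation. Because every bind
 * rule decision rests on the client facts, implementations should source them
 * from the server's own connection and operation state rather than from
 * client-supplied request content.
 */
public interface AciEvalContext
{
  /**
   * Get the client DN. The client DN is the authorization DN, that is the
   * identity on whose behalf the access decision is made. When proxied
   * authorization is in use (see {@link #isProxiedAuthorization()}) this is
   * the proxied identity rather than the DN the connection bound with.
   *
   * @return The client DN.
   */
  DN getClientDN();

  /**
   * Get the client entry. The client entry is the entry that corresponds
   * to the client DN.
   * <p>
   * NOTE(review): whether this can be {@code null} (for example for an
   * anonymous client, see {@link #isAnonymousUser()}) is not visible from
   * this interface; callers should confirm with the implementation before
   * dereferencing.
   *
   * @return The client entry corresponding to the client DN.
   */
  Entry getClientEntry();

  /**
   * Get the resource DN. The resource DN is the DN of the entry being
   * evaluated.
   *
   * @return The resource DN.
   */
  DN getResourceDN();

  /**
   * Get the list of deny ACIs.
   *
   * @return The deny ACI list.
   */
  List<Aci> getDenyList();

  /**
   * Get the list of allow ACIs.
   *
   * @return The allow ACI list.
   */
  List<Aci> getAllowList();

  /**
   * Returns true if the deny list is being evaluated.
   *
   * @return {@code true} if the deny list is being evaluated.
   */
  boolean isDenyEval();

  /**
   * Check if the remote client is bound anonymously.
   *
   * @return {@code true} if the client is bound anonymously.
   */
  boolean isAnonymousUser();

  /**
   * Return the rights set for this container's LDAP operation.
   *
   * @return The rights set for the container's LDAP operation.
   */
  int getRights();

  /**
   * Return the entry being evaluated.
   *
   * @return The evaluation entry.
   */
  Entry getResourceEntry();

  /**
   * Get the hostname of the bound connection.
   * <p>
   * NOTE(review): how the name is derived (reverse DNS of the remote address
   * or otherwise) is not visible from this interface; bind rules keyed on the
   * host name are only as trustworthy as that derivation, so confirm with the
   * implementation.
   *
   * @return The hostname of the connection.
   */
  String getHostName();

  /**
   * Determine whether the client connection has been authenticated using
   * a specified authentication method. This method is used for the
   * authmethod bind rule keyword.
   *
   * @param authMethod The required authentication method.
   * @param saslMech   The required SASL mechanism if the authentication
   *                   method is SASL.
   *
   * @return An evaluation result indicating whether the client connection
   *         has been authenticated using the required authentication method.
   */
  EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                         String saslMech);

  /**
   * Get the address of the bound connection.
   *
   * @return The address of the bound connection.
   */
  InetAddress getRemoteAddress();

  /**
   * Return true if this is an add operation needed by the userattr
   * USERDN parent inheritance level 0 processing.
   *
   * @return {@code true} if this is an add operation.
   */
  boolean isAddOperation();

  /**
   * Return true if the operation associated with this evaluation
   * context is a member of the specified group. Calls the
   * ClientConnection.isMemberOf() method, which checks authorization
   * DN membership in the specified group.
   *
   * @param group The group to check membership in.
   *
   * @return {@code true} if the authorization DN of the operation is a
   *         member of the specified group.
   */
  boolean isMemberOf(Group<?> group);

  /**
   * Returns true if the hashtable of ACIs that matched the targattrfilters
   * keyword evaluation is empty. Used in a geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @return {@code true} if there were not any ACIs that matched
   *         targattrfilters keyword evaluation.
   */
  boolean isTargAttrFilterMatchAciEmpty();

  /**
   * The context maintains a hashtable of ACIs that matched the targattrfilters
   * keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if
   * the specified ACI is contained in that hashtable. Used in a
   * geteffectiverights control evaluation to determine the access value to put
   * in the "write" rights evaluation field.
   *
   * @param aci The ACI to check for a match during targattrfilters keyword
   *            evaluation.
   *
   * @return {@code true} if the specified ACI matched targattrfilters
   *         evaluation.
   */
  boolean hasTargAttrFiltersMatchAci(Aci aci);

  /**
   * Return true if an ACI that evaluated to deny or allow has a
   * targattrfilters keyword. Used by geteffectiverights control
   * evaluation to determine the access value to put in the "write" rights
   * evaluation field.
   *
   * @param flag The integer value specifying either a deny or allow, but not
   *             both.
   *
   * @return {@code true} if the ACI has a targattrfilters keyword.
   */
  boolean hasTargAttrFiltersMatchOp(int flag);

  /**
   * Returns {@code true} if the evaluation context is being used in a
   * geteffectiverights control evaluation.
   *
   * @return {@code true} if the evaluation context is being used in a
   *         geteffectiverights control evaluation.
   */
  boolean isGetEffectiveRightsEval();

  /**
   * Set the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights control targattrfilters "write" evaluation.
   *
   * @param name The ACI name string matching the targattrfilters rule.
   */
  void setTargAttrFiltersAciName(String name);

  /**
   * Set a flag that specifies that an ACI that evaluated to either deny or
   * allow contains a targattrfilters keyword. Used by geteffectiverights
   * control evaluation to determine the access value to put in the "write"
   * rights evaluation field.
   *
   * @param flag Either the integer value representing an allow or a deny,
   *             but not both.
   */
  void setTargAttrFiltersMatchOp(int flag);

  /**
   * Set the reason and the ACI that decided why the last access evaluation was
   * evaluated the way it was. Used by geteffectiverights control evaluation to
   * eventually build the summary string.
   *
   * @param reason      The enumeration representing the reason of the last
   *                    access evaluation.
   * @param decidingAci The ACI that decided the last access evaluation.
   */
  void setEvaluationResult(EnumEvalReason reason, Aci decidingAci);

  /**
   * Return the reason the last access evaluation was evaluated the way it
   * was. Used by geteffectiverights control evaluation to build the summary
   * string.
   *
   * @return The enumeration representing the reason of the last access
   *         evaluation.
   */
  EnumEvalReason getEvalReason();

  /**
   * Check if an evaluation context contains a set of access rights.
   * <p>
   * NOTE(review): presumably a bitwise test of the mask against
   * {@link #getRights()}; confirm with the implementation.
   *
   * @param rights The rights mask to check.
   *
   * @return {@code true} if the evaluation context contains the specified
   *         access rights.
   */
  boolean hasRights(int rights);

  /**
   * Return the name of the ACI that decided the last access evaluation. Used
   * by geteffectiverights control evaluation to build the summary string.
   *
   * @return The name of the ACI that decided the last access evaluation.
   */
  String getDecidingAciName();

  /**
   * Return true if an evaluation context is being used in proxied
   * authorization control evaluation.
   *
   * @return {@code true} if the evaluation context is being used in proxied
   *         authorization control evaluation.
   */
  boolean isProxiedAuthorization();

  /**
   * Get the current attribute type being evaluated.
   *
   * @return The attribute type currently being evaluated.
   */
  AttributeType getCurrentAttributeType();

  /**
   * Set the value of the summary string to the specified string.
   * Used in geteffectiverights evaluation to build the summary string.
   *
   * @param summary The string to set the summary string to.
   */
  void setEvalSummary(String summary);

  /**
   * Return the access evaluation summary string. Used in a geteffectiverights
   * control evaluation when an aclRightsInfo attribute was specified in a
   * search request.
   *
   * @return The string describing the access evaluation.
   */
  String getEvalSummary();

  /**
   * Return a string representation of the current right being evaluated.
   * Used in geteffectiverights control evaluation to build the summary string.
   *
   * @return String representation of the current right being evaluated.
   */
  String rightToString();

  /**
   * Return the name of the ACI that last matched a targattrfilters rule. Used
   * in geteffectiverights control evaluation.
   *
   * @return The name of the ACI that last matched a targattrfilters rule.
   */
  String getTargAttrFiltersAciName();

  /**
   * Return the current SSF (Security Strength Factor) of the underlying
   * connection. By the usual SSF convention a value of 0 means the connection
   * has no confidentiality or integrity protection in effect.
   *
   * @return The current SSF of the connection.
   */
  int getCurrentSSF();
}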