package org.exist.security;
/**
*
* http://tools.ietf.org/html/rfc3530#page-50
*
* @author Adam Retter <adam@exist-db.org>
*/
public class NFSv4ACL {
private static class nfs4ace {
int type;
int flag;
int access_mask;
String who;
}
public final static int ACL4_SUPPORT_ALLOW_ACL = 0x00000001;
public final static int ACL4_SUPPORT_DENY_ACL = 0x00000002;
public final static int ACL4_SUPPORT_AUDIT_ACL = 0x00000004;
public final static int ACL4_SUPPORT_ALARM_ACL = 0x00000008;
//TODO add support for ALARM_ACL
public final static int getaclsupport = ACL4_SUPPORT_ALLOW_ACL | ACL4_SUPPORT_DENY_ACL | ACL4_SUPPORT_AUDIT_ACL;
//nfs4ace.type
public final static int ACE4_ACCESS_ALLOWED_ACE_TYPE = 0x00000000;
public final static int ACE4_ACCESS_DENIED_ACE_TYPE = 0x00000001;
public final static int ACE4_SYSTEM_AUDIT_ACE_TYPE = 0x00000002;
public final static int ACE4_SYSTEM_ALARM_ACE_TYPE = 0x00000003;
/*
Clients should not attempt to set an ACE unless the server claims
support for that ACE type. If the server receives a request to set
an ACE that it cannot store, it MUST reject the request with
NFS4ERR_ATTRNOTSUPP. If the server receives a request to set an ACE
that it can store but cannot enforce, the server SHOULD reject the
request with NFS4ERR_ATTRNOTSUPP.
Example: suppose a server can enforce NFS ACLs for NFS access but
cannot enforce ACLs for local access. If arbitrary processes can run
on the server, then the server SHOULD NOT indicate ACL support. On
the other hand, if only trusted administrative programs run locally,
then the server may indicate ACL support.
*/
//NFS4ERR_ATTRNOTSUPP
//NFS4ERR_ATTRNOTSUPP
//nfs4ace.access_mask
public final static int ACE4_READ_DATA = 0x00000001;
public final static int ACE4_LIST_DIRECTORY = 0x00000001;
public final static int ACE4_WRITE_DATA = 0x00000002;
public final static int ACE4_ADD_FILE = 0x00000002;
public final static int ACE4_APPEND_DATA = 0x00000004;
public final static int ACE4_ADD_SUBDIRECTORY = 0x00000004;
public final static int ACE4_READ_NAMED_ATTRS = 0x00000008;
public final static int ACE4_WRITE_NAMED_ATTRS = 0x00000010;
public final static int ACE4_EXECUTE = 0x00000020;
public final static int ACE4_DELETE_CHILD = 0x00000040;
public final static int ACE4_READ_ATTRIBUTES = 0x00000080;
public final static int ACE4_WRITE_ATTRIBUTES = 0x00000100;
public final static int ACE4_DELETE = 0x00010000;
public final static int ACE4_READ_ACL = 0x00020000;
public final static int ACE4_WRITE_ACL = 0x00040000;
public final static int ACE4_WRITE_OWNER = 0x00080000;
public final static int ACE4_SYNCHRONIZE = 0x00100000;
//nfs4ace.flag
public final static int ACE4_FILE_INHERIT_ACE = 0x00000001;
public final static int ACE4_DIRECTORY_INHERIT_ACE = 0x00000002;
public final static int ACE4_NO_PROPAGATE_INHERIT_ACE = 0x00000004;
public final static int ACE4_INHERIT_ONLY_ACE = 0x00000008;
public final static int ACE4_SUCCESSFUL_ACCESS_ACE_FLAG = 0x00000010;
public final static int ACE4_FAILED_ACCESS_ACE_FLAG = 0x00000020;
public final static int ACE4_IDENTIFIER_GROUP = 0x00000040;
/*
A server need not support any of these flags. If the server supports
flags that are similar to, but not exactly the same as, these flags,
the implementation may define a mapping between the protocol-defined
flags and the implementation-defined flags. Again, the guiding
principle is that the file not appear to be more secure than it
really is.
For example, suppose a client tries to set an ACE with
ACE4_FILE_INHERIT_ACE set but not ACE4_DIRECTORY_INHERIT_ACE. If the
server does not support any form of ACL inheritance, the server
should reject the request with NFS4ERR_ATTRNOTSUPP. If the server
supports a single "inherit ACE" flag that applies to both files and
directories, the server may reject the request (i.e., requiring the
client to set both the file and directory inheritance flags). The
server may also accept the request and silently turn on the
ACE4_DIRECTORY_INHERIT_ACE flag.
*/
public final static String WHO4_OWNER = "OWNER@";
public final static String WHO4_GROUP = "GROUP@";
public final static String WHO4_EVERYONE = "EVERYONE@";
public final static String WHO4_INTERACTIVE = "INTERACTIVE@";
public final static String WHO4_NETWORK = "NETWORK@";
public final static String WHO4_DIALUP = "DIALUP@";
public final static String WHO4_BATCH = "BATCH@";
public final static String WHO4_ANONYMOUS = "ANONYMOUS@";
public final static String WHO4_AUTHENTICATED = "AUTHENTICATED@";
public final static String WHO4_SERVICE = "SERVICE@";
public final static int MODE4_SUID = 0x800; /* set user id on execution */
public final static int MODE4_SGID = 0x400; /* set group id on execution */
public final static int MODE4_SVTX = 0x200; /* save text even after use */
public final static int MODE4_RUSR = 0x100; /* read permission: owner */
public final static int MODE4_WUSR = 0x080; /* write permission: owner */
public final static int MODE4_XUSR = 0x040; /* execute permission: owner */
public final static int MODE4_RGRP = 0x020; /* read permission: group */
public final static int MODE4_WGRP = 0x010; /* write permission: group */
public final static int MODE4_XGRP = 0x008; /* execute permission: group */
public final static int MODE4_ROTH = 0x004; /* read permission: other */
public final static int MODE4_WOTH = 0x002; /* write permission: other */
public final static int MODE4_XOTH = 0x001; /* execute permission: other */
}