/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
* or http://forgerock.org/license/CDDLv1.0.html.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at legal-notices/CDDLv1_0.txt.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information:
* Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*
*
* Copyright 2008 Sun Microsystems, Inc.
* Portions Copyright 2014-2015 ForgeRock AS
*/
package org.opends.server.authorization.dseecompat;
import org.opends.server.types.AttributeType;
import org.forgerock.opendj.ldap.ByteString;
import org.opends.server.types.Entry;
import java.util.List;
/**
* The AciTargetMatchContext interface provides a
* view of an AciContainer that exposes information to be
* used by the Aci.isApplicable() method to determine if
* an ACI is applicable (targets matched) to the LDAP operation,
* operation rights and entry and attributes having access
* checked on.
*/
public interface AciTargetMatchContext {
/**
* Set the deny ACI list.
* @param denyList The deny ACI list.
*/
void setDenyList(List<Aci> denyList);
/**
* Set the allow ACI list.
* @param allowList The list of allow ACIs.
*/
void setAllowList(List<Aci> allowList);
/**
* Get the entry being evaluated. This is known as the
* resource entry.
* @return The entry being evaluated.
*/
Entry getResourceEntry();
/**
* Get the current attribute type being evaluated.
* @return The attribute type being evaluated.
*/
AttributeType getCurrentAttributeType();
/**
* The current attribute type value being evaluated.
* @return The current attribute type value being evaluated.
*/
ByteString getCurrentAttributeValue();
/**
* True if the first attribute of the resource entry is being evaluated.
* @return True if this is the first attribute.
*/
boolean isFirstAttribute();
/**
* Set to true if the first attribute of the resource entry is
* being evaluated.
* @param isFirst True if this is the first attribute of the
* resource entry being evaluated.
*/
void setIsFirstAttribute(boolean isFirst);
/**
* Set the attribute type to be evaluated.
* @param type The attribute type to set to.
*/
void setCurrentAttributeType(AttributeType type);
/**
* Set the attribute value to be evaluated.
* @param v The current attribute value to set to.
*/
void setCurrentAttributeValue(ByteString v);
/**
* True if the target matching code found an entry test rule. An
* entry test rule is an ACI without a targetattr target rule.
* @param val True if an entry test rule was found.
*/
void setEntryTestRule(boolean val);
/**
* True if an entry test rule was found.
* @return True if an entry test rule was found.
*/
boolean hasEntryTestRule();
/**
* Return the rights for this container's LDAP operation.
* @return The rights for the container's LDAP operation.
*/
int getRights();
/**
* Return the OID (Object Identifier) string of the control being evaluated.
*
* @return The OID string of the control being evaluated.
*/
String getControlOID();
/**
* Return The OID (Object Identifier) string of the extended operation being
* evaluated.
*
* @return The OID string of the extended operation being evaluated.
*/
String getExtOpOID();
/**
* Checks if the container's rights has the specified rights.
* @param rights The rights to check for.
* @return True if the container's rights has the specified rights.
*/
boolean hasRights(int rights);
/**
* Set the rights of the container to the specified rights.
* @param rights The rights to set the container's rights to.
*/
void setRights(int rights);
/**
* Set to true if the ACI had a targattrfilter rule that matched.
* @param v The value to use.
*/
void setTargAttrFiltersMatch(boolean v);
/**
* Return the value of the targAttrFiltersMatch variable. This is set to
* true if the ACI had a targattrfilter rule that matched.
* @return True if the ACI had a targattrfilter rule that matched.
*/
boolean getTargAttrFiltersMatch();
/**
* Add the specified ACI to a list of ACIs that have a targattrfilters rule
* that matched. This is used by geteffectiverights to determine the rights
* of an attribute that possibly might evaluate to true.
* @param aci The ACI to save.
*/
void addTargAttrFiltersMatchAci(Aci aci);
/**
* Save the name of the last ACI that matched a targattrfilters rule. This
* is used by geteffectiverights evaluation.
* @param name The ACI's name to save.
*/
void setTargAttrFiltersAciName(String name);
/**
* Returns true of a match context is performing a geteffectiverights
* evaluation.
* @return True if a match context is evaluating geteffectiverights.
*/
boolean isGetEffectiveRightsEval();
/**
* This method toggles a mask that indicates that access checking of
* individual user attributes may or may not be skipped depending
* on if there is a single ACI containing a targetattr all user
* attributes rule (targetattr="*").
*
* The only case where individual user attribute access checking
* can be skipped, is when a single ACI matched using a targetattr
* all user attributes rule and the attribute type being check is not
* operational.
*
* @param v The mask to this value.
*/
void setEvalUserAttributes(int v);
/**
* This method toggles a mask that indicates that access checking of
* individual operational attributes may or may not be skipped depending
* on if there is a single ACI containing a targetattr all operational
* attributes rule (targetattr="+").
*
* The only case where individual operational attribute access checking
* can be skipped, is when a single ACI matched using a targetattr
* all operational attributes rule and the attribute type being check is
* operational.
*
* @param v The mask to this value.
*/
void setEvalOpAttributes(int v);
/**
* Return true if the evaluating ACI either contained an explicitly defined
* user attribute type in a targeattr target rule or both a targetattr all
* user attributes rule matched and a explicitly defined targetattr target rule
* matched.
*
* @return True if the above condition was seen.
*/
boolean hasEvalUserAttributes();
/**
* Return true if the evaluating ACI either contained an explicitly defined
* operational attribute type in a targetattr target rule or both a targetattr
* all operational attributes rule matched and a explicitly defined targetattr
* target rule matched.
*
* @return True if the above condition was seen.
*/
boolean hasEvalOpAttributes();
/**
* Used to clear the mask used to detect if access checking needs to be
* performed on individual attributes types. The specified
* value is cleared from the mask or if the value equals 0 the mask is
* completely cleared.
*
* @param v The flag to clear or 0 to set the mask to 0.
*/
void clearEvalAttributes(int v);
}