Class ACITuple

java.lang.Object
com.isode.dsapi.aci.ACITuple

public class ACITuple extends Object
An ACI tuple, with context and references back to its source.

Note that some aspects of the tuples are modified in conversion from the original ACIItems, which means that the ACDF (access control decision function) works slightly differently on them. In particular, the single authentication level of an ACIItem is converted into a set of per-level booleans (see getAuthStrong(), getAuthSimple() and getAuthAnon()) recording which levels the tuple applies to.

Also, the confusing case of a deny rule whose userClasses is not 'all users' combined with an authentication level other than ANON is not permitted in instances of this class (it must be represented as two independent rules if necessary). This means there will never be a deny rule that would be retained for one reason and not for the other in X.501 18.8.3 (1) part 2, so the user-class test and the auth-level test can each be applied independently as discard rules. (Putting that another way, ACITuple instances have 'orthogonal variables' for filtering, whereas the original ACIItem rules don't.)

Certain things from the original ACI are not handled here:

  • 'other' and 'localqualifier' in the AuthenticationLevel.
  • 'uid' for names and groups is not supported.
  • Only 'entry', 'allUserAttributeTypes', 'allUserAttributeTypesAndValues', 'attributeType', 'allAttributeValues' and 'selfValue' protected entities are supported.

Note that ACITuples are immutable, which means that the limit*() calls may return the exact same ACITuple if no changes are required to it.

Note that there are six aspects of the ACITuple that can be limited or tested: region, permissions, auth-level, signed, user and protected-items. The limit*() calls limit the view of one aspect of the rule, returning a new ACITuple describing the result. The test*() calls test an aspect of a rule, but don't change the ACITuple in any way.

Author:
jp
  • Constructor Details

  • Method Details

    • getMutableCopy

      public MutableACITuple getMutableCopy()
      Create a mutable copy.
    • getSource

      public DN getSource()
    • getRulename

      public String getRulename()
    • getPrecedence

      public int getPrecedence()
    • getRegion

      public ACIRegion getRegion()
    • getIsGrant

      public boolean getIsGrant()
    • getPermissions

      public int getPermissions()
    • getAuthStrong

      public boolean getAuthStrong()
    • getAuthSimple

      public boolean getAuthSimple()
    • getAuthAnon

      public boolean getAuthAnon()
    • getUserAll

      public boolean getUserAll()
    • getUserThis

      public boolean getUserThis()
    • getUserNames

      public List<DN> getUserNames()
    • getUserGroups

      public List<DN> getUserGroups()
    • getUserSubtrees

      public List<ACISubtreeSpec> getUserSubtrees()
    • getProtEntry

      public boolean getProtEntry()
    • getProtAllType

      public boolean getProtAllType()
    • getProtAllTypeValue

      public boolean getProtAllTypeValue()
    • getProtType

      public List<String> getProtType()
    • getProtTypeValue

      public List<String> getProtTypeValue()
    • getProtSelf

      public List<String> getProtSelf()
    • convert

      public static void convert(BAC.ACIItem item, ACIRegion region, DN source, List<ACITuple> list, List<String> errors)
      Convert an ACIItem into a number of ACITuples, which are added to the given list. At most 2 or 3 tuples are added per rule in the ACIItem: one for grant and one for deny, plus an additional deny tuple if the deny rule has both userClasses and an auth-level present that need separating. If there are any problems converting the ACIItem, error strings are added to the 'errors' list. If there are errors, the ACITuples added are probably an incomplete mapping of the original ACIItem and should not be used.
    • testSource

      public boolean testSource(DN dn)
      Test whether this rule was sourced from the entry with the given DN.
    • testRegion

      public boolean testRegion(DN dn)
      Test whether this ACITuple applies to the given DN according to its region.
    • limitRegion

      public ACITuple limitRegion(ACIRegion reg) throws BadValueException
      Limit the view of the rule to what intersects with the given region. Returns a suitable ACITuple, or null if there is no ACITuple remaining.
      Throws:
      BadValueException - If it was not possible to represent the result.
    • testPermission

      public int testPermission(PermBit perm)
      Test whether this ACITuple gives a grant or denial for the given permission bit. Returns -1 for denial, 0 for unspecified, 1 for grant.
    • testPermission

      public int testPermission(PermBit perm, boolean for_entry)
      Test whether this ACITuple gives a grant or denial for the given permission bit for the given class of access (entry or attribute). Returns -1 for denial, 0 for unspecified, 1 for grant.
      Parameters:
      perm - PermBit to test
      for_entry - For entry-level access (true) or attribute-level access (false)
    • limitForOperation

      public ACITuple limitForOperation(ACITuple.Operation op)
      Limit the permissions to those which affect the given operation. Returns a suitable ACITuple, or null if there is no ACITuple remaining.
    • testAuth

      public boolean testAuth(ACITuple.AuthLevel level)
      Test whether this ACITuple applies to the given auth-level.
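      The following is an added usage example, not code from the Isode DSAPI itself, showing how the methods above fit together: convert() is used to load tuples and discard any ACIItem that reported errors (as the convert() documentation advises), then the test*() and limit*() calls are used as independent discard filters before a simplified decision is taken. Assumptions in this example: the package paths for DN, ACIRegion, PermBit and BAC; a caller-supplied Predicate for the user aspect, since no test method for user classes is listed on this page; and the tie-break rule that among the highest-precedence tuples any denial wins, which is a simplification of the X.501 ACDF that omits its user-class and protected-item specificity steps.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Predicate;

// Package paths below are assumed for this example.
import com.isode.dsapi.DN;
import com.isode.dsapi.aci.ACIRegion;
import com.isode.dsapi.aci.ACITuple;
import com.isode.dsapi.aci.BAC;
import com.isode.dsapi.aci.PermBit;

/** Example only; not part of the Isode DSAPI. */
public final class TupleDecisionExample {

    /** Outcome of the simplified decision. A caller should treat UNSPECIFIED as a denial. */
    public enum Decision { GRANT, DENY, UNSPECIFIED }

    /**
     * Convert each ACIItem into tuples. Tuples from any item that reported
     * conversion errors are dropped entirely, because they are documented as
     * an incomplete mapping; the error strings are passed back to the caller.
     */
    public static List<ACITuple> loadTuples(List<BAC.ACIItem> items, ACIRegion region,
                                            DN source, List<String> errorsOut) {
        List<ACITuple> all = new ArrayList<>();
        for (BAC.ACIItem item : items) {
            List<ACITuple> forItem = new ArrayList<>();
            List<String> errs = new ArrayList<>();
            ACITuple.convert(item, region, source, forItem, errs);
            if (errs.isEmpty()) {
                all.addAll(forItem);
            } else {
                errorsOut.addAll(errs); // keep the reason, discard the partial tuples
            }
        }
        return all;
    }

    /**
     * Decide whether 'perm' is granted on 'target' for a requestor at the given
     * auth level performing 'op'. Each test*() / limit*() call discards tuples
     * independently; the tuples never change (limit*() returns a new view).
     *
     * @param userMatches assumed caller-supplied check for the user aspect
     *                    (names, groups, subtrees, 'this', 'all'), not on this page
     */
    public static Decision decide(List<ACITuple> tuples, DN target, ACITuple.AuthLevel level,
                                  ACITuple.Operation op, PermBit perm, boolean forEntry,
                                  Predicate<ACITuple> userMatches) {
        List<ACITuple> applicable = new ArrayList<>();
        for (ACITuple t : tuples) {
            if (!t.testRegion(target)) continue;      // wrong part of the DIT
            if (!t.testAuth(level)) continue;         // auth-level discard (handles deny semantics)
            if (!userMatches.test(t)) continue;       // user-class discard, independent of the above
            ACITuple limited = t.limitForOperation(op);
            if (limited == null) continue;            // no permission bits relevant to this op
            if (limited.testPermission(perm, forEntry) == 0) continue; // says nothing about 'perm'
            applicable.add(limited);
        }
        if (applicable.isEmpty()) {
            return Decision.UNSPECIFIED;              // fail closed at the call site
        }

        // Keep only the highest precedence; among those, any denial wins
        // (assumed simplification of the X.501 ACDF for this example).
        int top = Integer.MIN_VALUE;
        for (ACITuple t : applicable) {
            top = Math.max(top, t.getPrecedence());
        }
        boolean anyDeny = false;
        boolean anyGrant = false;
        for (ACITuple t : applicable) {
            if (t.getPrecedence() != top) continue;
            if (t.testPermission(perm, forEntry) < 0) {
                anyDeny = true;
            } else {
                anyGrant = true;
            }
        }
        if (anyDeny) return Decision.DENY;
        return anyGrant ? Decision.GRANT : Decision.UNSPECIFIED;
    }
}
```

      The ordering of the filters in decide() does not matter, which is exactly the point made in the class description: because a deny tuple is never retained for the user-class reason alone or the auth-level reason alone, each discard can be applied without reference to the other. The fail-closed handling of UNSPECIFIED is the practitioner's choice here, not something this class enforces.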
    • toString

      public String toString()
      Generate a debugging string.
      Overrides:
      toString in class Object