org.opends.server.authorization.dseecompat
Class AciContainer

java.lang.Object
  extended by org.opends.server.authorization.dseecompat.AciContainer
All Implemented Interfaces:
AciEvalContext, AciTargetMatchContext
Direct Known Subclasses:
AciLDAPOperationContainer

public abstract class AciContainer
extends java.lang.Object
implements AciTargetMatchContext, AciEvalContext

The AciContainer class contains all of the needed information to perform both target match and evaluate an ACI. Target matching is the process of testing if an ACI is applicable to an operation, and evaluation is the actual access evaluation of the ACI.


Constructor Summary
protected AciContainer(Operation operation, int rights, Entry entry)
          This constructor is used by all currently supported LDAP operations.
 
Method Summary
 void addTargAttrFiltersMatchAci(Aci aci)
          Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched.
 void clearEvalAttributes(int v)
          Used to clear the mask used to detect if access checking needs to be performed on individual attributes types.
 java.util.LinkedList<Aci> getAllowList()
          Get the list allow ACIs.
 DN getClientDN()
          Get client DN.
 Entry getClientEntry()
          Get the client entry.
 java.lang.String getControlOID()
          Return the OID (Object Identifier) string of the control being evaluated.
 AttributeType getCurrentAttributeType()
          Get the current attribute type being evaluated.
 AttributeValue getCurrentAttributeValue()
          The current attribute type value being evaluated.
 java.lang.String getDecidingAciName()
          Return the name of the ACI that decided the last access evaluation.
 java.util.LinkedList<Aci> getDenyList()
          Get the list of deny ACIs.
 EnumEvalReason getEvalReason()
          Return the reason the last access evaluation was evaluated the way it was.
 java.lang.String getEvalSummary()
          Return the access evaluation summary string.
 java.lang.String getExtOpOID()
          Return The OID (Object Identifier) string of the extended operation being evaluated.
 java.lang.String getHostName()
          Get the hostname of the bound connection.
 java.net.InetAddress getRemoteAddress()
          Get the address of the bound connection.
 DN getResourceDN()
          Get the resource DN.
 Entry getResourceEntry()
          Get the entry being evaluated.
 int getRights()
          Return the rights for this container's LDAP operation.
 java.util.List<AttributeType> getSpecificAttributes()
          Return the list of additional attributes specified in the geteffectiveritghts control.
 java.lang.String getTargAttrFiltersAciName()
          Return the name of the ACI that last matched a targattrfilters rule.
 boolean getTargAttrFiltersMatch()
          Return the value of the targAttrFiltersMatch variable.
 boolean hasAllOpAttributes()
          Return true if the evaluating ACI contained a targetattr all operational attributes rule match.
 boolean hasAllUserAttributes()
          Return true if the evaluating ACI contained a targetattr all user attributes rule match.
 EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod, java.lang.String saslMech)
          Determine whether the client connection has been authenticated using a specified authentication method.
 boolean hasEntryTestRule()
          True if an entry test rule was found.
 boolean hasEvalOpAttributes()
          Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targeattr target rule or both a targetattr all operational attributes rule matched and a explictly defined targetattr target rule matched.
 boolean hasEvalUserAttributes()
          Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explictly defined targetattr target rule matched.
 boolean hasGetEffectiveRightsControl()
          Return true if the container is being used in a geteffectiverights evaluation.
 boolean hasRights(int rights)
          Checks if the container's rights has the specified rights.
 boolean hasSeenEntry()
          Returns true if an entry has already been processed by an access proxy check.
 boolean hasTargAttrFiltersMatchAci(Aci aci)
          The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation.
 boolean hasTargAttrFiltersMatchOp(int flag)
          Return true if an ACI that evaluated to deny or allow has an targattrfilters keyword.
 boolean isAddOperation()
          Return true if this is an add operation, needed by the userattr USERDN parent inheritance level 0 processing.
 boolean isAnonymousUser()
          Check if the remote client is bound anonymously.
 boolean isAuthzidAuthorizationDN()
          Returns true if the geteffectiverights control's authZid DN is equal to the authoritzation entry's DN.
 boolean isDenyEval()
          Returns true if the deny list is being evaluated.
 boolean isFirstAttribute()
          True if the first attribute of the resource entry is being evaluated.
 boolean isGetEffectiveRightsEval()
          Returns true of a match context is performing a geteffectiverights evaluation.
 boolean isMemberOf(Group group)
          Return true if the operation associated with this evaluation context is a member of the specified group.
 boolean isProxiedAuthorization()
          Return true if a evaluation context is being used in proxied authorization evaluation.
 boolean isTargAttrFilterMatchAciEmpty()
          Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty.
 void resetEffectiveRightsParams()
          Reset the values used by the geteffectiverights evaluation to original values.
 java.lang.String rightToString()
          Return a string representation of the current right being evaluated.
 void setAllowList(java.util.LinkedList<Aci> allows)
          Set the allow ACI list.
protected  void setControlOID(java.lang.String oid)
          Set the the controlOID value to the specified oid string.
 void setCurrentAttributeType(AttributeType type)
          Set the attribute type to be evaluated.
 void setCurrentAttributeValue(AttributeValue value)
          Set the attribute value to be evaluated.
 void setDecidingAci(Aci aci)
          Set the ACI that decided that last access evaluation.
 void setDenyEval(boolean val)
          Set when the deny list is being evaluated.
 void setDenyList(java.util.LinkedList<Aci> denys)
          Set the deny ACI list.
 void setEntryTestRule(boolean val)
          True if the target matching code found an entry test rule.
 void setEvalOpAttributes(int v)
          This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+").
 void setEvalReason(EnumEvalReason reason)
          Set the reason the last access evaluation was evaluated the way it was.
 void setEvalSummary(java.lang.String summary)
          Set the value of the summary string to the specified string.
 void setEvalUserAttributes(int v)
          This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*").
protected  void setExtOpOID(java.lang.String oid)
          Set the extended operation OID value to the specified oid string.
 void setGetEffectiveRightsEval()
          The container is going to be used in a geteffectiverights evaluation, set the flag isGetEffectiveRightsEval to true.
 void setIsFirstAttribute(boolean val)
          Set to true if the first attribute of the resource entry is being evaluated.
 void setRights(int rights)
          Set the rights of the container to the specified rights.
 void setSeenEntry(boolean val)
          Set to true if an entry has already been processsed by an access proxy check.
 void setTargAttrFiltersAciName(java.lang.String name)
          Save the name of the last ACI that matched a targattrfilters rule.
 void setTargAttrFiltersMatch(boolean v)
          Set to true if the ACI had a targattrfilter rule that matched.
 void setTargAttrFiltersMatchOp(int flag)
          Set a flag that specifies that a ACI that evaluated to either deny or allow contains a targattrfilters keyword.
 void useAuthzid(boolean v)
          Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.
 void useFullResourceEntry(boolean val)
          During the geteffectiverights entrylevel read evaluation, an entry with all of the attributes used in the AciHandler's maysend method evaluation is needed to perform the evaluation over again.
 void useOrigAuthorizationEntry(boolean val)
          If the specified value is true, then the original authorization entry, which is the entry before the switch performed by the proxied authorization control processing should be set to the current authorization entry.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

AciContainer

protected AciContainer(Operation operation,
                       int rights,
                       Entry entry)
This constructor is used by all currently supported LDAP operations.

Parameters:
operation - The Operation object being evaluated and target matching.
rights - The rights array to use in evaluation and target matching.
entry - The current entry being evaluated and target matched.
Method Detail

hasSeenEntry

public boolean hasSeenEntry()
Returns true if an entry has already been processed by an access proxy check.

Returns:
True if an entry has already been processed by an access proxy check.

setSeenEntry

public void setSeenEntry(boolean val)
Set to true if an entry has already been processsed by an access proxy check.

Parameters:
val - The value to set the seenEntry boolean to.

isProxiedAuthorization

public boolean isProxiedAuthorization()
Return true if a evaluation context is being used in proxied authorization evaluation.

Specified by:
isProxiedAuthorization in interface AciEvalContext
Returns:
True if evaluation context is being used in proxied authorization evaluation.

isGetEffectiveRightsEval

public boolean isGetEffectiveRightsEval()
Returns true of a match context is performing a geteffectiverights evaluation.

Specified by:
isGetEffectiveRightsEval in interface AciEvalContext
Specified by:
isGetEffectiveRightsEval in interface AciTargetMatchContext
Returns:
True if a match context is evaluating geteffectiverights.

setGetEffectiveRightsEval

public void setGetEffectiveRightsEval()
The container is going to be used in a geteffectiverights evaluation, set the flag isGetEffectiveRightsEval to true.


hasGetEffectiveRightsControl

public boolean hasGetEffectiveRightsControl()
Return true if the container is being used in a geteffectiverights evaluation.

Returns:
True if the container is being used in a geteffectiverights evaluation.

useAuthzid

public void useAuthzid(boolean v)
Use the DN from the geteffectiverights control's authzId as the client DN, rather than the authorization entry's DN.

Parameters:
v - The valued to set the useAuthzid to.

getSpecificAttributes

public java.util.List<AttributeType> getSpecificAttributes()
Return the list of additional attributes specified in the geteffectiveritghts control.

Returns:
The list of attributes to return rights information about in the entry.

useFullResourceEntry

public void useFullResourceEntry(boolean val)
During the geteffectiverights entrylevel read evaluation, an entry with all of the attributes used in the AciHandler's maysend method evaluation is needed to perform the evaluation over again. This entry was saved in the operation's attachment mechanism when the container was created during the SearchOperation read evaluation. This method is used to replace the current resource entry with that saved entry to perform the entrylevel read evaluation described above and to switch back to the current resource entry when needed.

Specified by:
useFullResourceEntry in interface AciEvalContext
Parameters:
val - Specifies if the saved entry should be used or not. True if it should be used, false if the original resource entry should be used.

addTargAttrFiltersMatchAci

public void addTargAttrFiltersMatchAci(Aci aci)
Add the specified ACI to a list of ACIs that have a targattrfilters rule that matched. This is used by geteffectiverights to determine the rights of an attribute that possibly might evaluate to true.

Specified by:
addTargAttrFiltersMatchAci in interface AciTargetMatchContext
Parameters:
aci - The ACI to save.

hasTargAttrFiltersMatchAci

public boolean hasTargAttrFiltersMatchAci(Aci aci)
The context maintains a hashtable of ACIs that matched the targattrfilters keyword evaluation. The hasTargAttrFiltersMatchAci method returns true if the specified ACI is contained in that hashtable. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:
hasTargAttrFiltersMatchAci in interface AciEvalContext
Parameters:
aci - The ACI that to evaluate if it contains a match during targattrfilters keyword evaluation.
Returns:
True if a specified ACI matched targattrfilters evaluation.

isTargAttrFilterMatchAciEmpty

public boolean isTargAttrFilterMatchAciEmpty()
Returns true if the hashtable of ACIs that matched the targattrfilters keyword evaluation is empty. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:
isTargAttrFilterMatchAciEmpty in interface AciEvalContext
Returns:
True if there were not any ACIs that matched targattrfilters keyword evaluation.

resetEffectiveRightsParams

public void resetEffectiveRightsParams()
Reset the values used by the geteffectiverights evaluation to original values. The geteffectiverights evaluation uses the same container repeatedly for different rights evaluations (read, write, proxy,...) and this method resets variables that are specific to a single evaluation.


setTargAttrFiltersAciName

public void setTargAttrFiltersAciName(java.lang.String name)
Save the name of the last ACI that matched a targattrfilters rule. This is used by geteffectiverights evaluation.

Specified by:
setTargAttrFiltersAciName in interface AciEvalContext
Specified by:
setTargAttrFiltersAciName in interface AciTargetMatchContext
Parameters:
name - The ACI's name to save.

getTargAttrFiltersAciName

public java.lang.String getTargAttrFiltersAciName()
Return the name of the ACI that last matched a targattrfilters rule. Used in geteffectiverights evaluation.

Specified by:
getTargAttrFiltersAciName in interface AciEvalContext
Returns:
The name of the ACI that last matched a targattrfilters rule.

setTargAttrFiltersMatchOp

public void setTargAttrFiltersMatchOp(int flag)
Set a flag that specifies that a ACI that evaluated to either deny or allow contains a targattrfilters keyword. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:
setTargAttrFiltersMatchOp in interface AciEvalContext
Parameters:
flag - Either the integer value representing an allow or a deny, but not both.

hasTargAttrFiltersMatchOp

public boolean hasTargAttrFiltersMatchOp(int flag)
Return true if an ACI that evaluated to deny or allow has an targattrfilters keyword. Used by geteffectiverights evaluation to determine the access value to put in the "write" rights evaluation field.

Specified by:
hasTargAttrFiltersMatchOp in interface AciEvalContext
Parameters:
flag - The integer value specifying either a deny or allow, but not both.
Returns:
True if the ACI that evaluated to

setDecidingAci

public void setDecidingAci(Aci aci)
Set the ACI that decided that last access evaluation. Used by geteffectiverights evaluation to the build summary string.

Specified by:
setDecidingAci in interface AciEvalContext
Parameters:
aci - The ACI that decided the last access evaluation.

getDecidingAciName

public java.lang.String getDecidingAciName()
Return the name of the ACI that decided the last access evaluation. Used by geteffectiverights evaluation to build the summmary string.

Specified by:
getDecidingAciName in interface AciEvalContext
Returns:
The name of the ACI that decided the last access evaluation.

setEvalReason

public void setEvalReason(EnumEvalReason reason)
Set the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights evaluation to eventually build the summary string.

Specified by:
setEvalReason in interface AciEvalContext
Parameters:
reason - The enumeration representing the reason of the last access evaluation.

getEvalReason

public EnumEvalReason getEvalReason()
Return the reason the last access evaluation was evaluated the way it was. Used by geteffectiverights evaluation to build the summary string.

Specified by:
getEvalReason in interface AciEvalContext
Returns:
The enumeration representing the reason of the last access evaluation.

setEvalSummary

public void setEvalSummary(java.lang.String summary)
Set the value of the summary string to the specified string. Used in geteffectiverights evaluation to build summary string.

Specified by:
setEvalSummary in interface AciEvalContext
Parameters:
summary - The string to set the summary string to

getEvalSummary

public java.lang.String getEvalSummary()
Return the access evaluation summary string. Used by the geteffectiverights evaluation when a aclRightsInfo attribute was specified in a search.

Specified by:
getEvalSummary in interface AciEvalContext
Returns:
The string describing the access evaluation.

isAuthzidAuthorizationDN

public boolean isAuthzidAuthorizationDN()
Returns true if the geteffectiverights control's authZid DN is equal to the authoritzation entry's DN.

Returns:
True if the authZid is equal to the authorization entry's DN.

useOrigAuthorizationEntry

public void useOrigAuthorizationEntry(boolean val)
If the specified value is true, then the original authorization entry, which is the entry before the switch performed by the proxied authorization control processing should be set to the current authorization entry. If the specified value is false then the proxied authorization entry is switched back using the saved copy.

Parameters:
val - The value used to select the authorization entry to use.

setDenyList

public void setDenyList(java.util.LinkedList<Aci> denys)
Set the deny ACI list.

Specified by:
setDenyList in interface AciTargetMatchContext
Parameters:
denys - The deny ACI list.

setAllowList

public void setAllowList(java.util.LinkedList<Aci> allows)
Set the allow ACI list.

Specified by:
setAllowList in interface AciTargetMatchContext
Parameters:
allows - The list of allow ACIs.

getCurrentAttributeType

public AttributeType getCurrentAttributeType()
Get the current attribute type being evaluated.

Specified by:
getCurrentAttributeType in interface AciEvalContext
Specified by:
getCurrentAttributeType in interface AciTargetMatchContext
Returns:
The attribute type being evaluated.

getCurrentAttributeValue

public AttributeValue getCurrentAttributeValue()
The current attribute type value being evaluated.

Specified by:
getCurrentAttributeValue in interface AciTargetMatchContext
Returns:
The current attribute type value being evaluated.

setCurrentAttributeType

public void setCurrentAttributeType(AttributeType type)
Set the attribute type to be evaluated.

Specified by:
setCurrentAttributeType in interface AciTargetMatchContext
Parameters:
type - The attribute type to set to.

setCurrentAttributeValue

public void setCurrentAttributeValue(AttributeValue value)
Set the attribute value to be evaluated.

Specified by:
setCurrentAttributeValue in interface AciTargetMatchContext
Parameters:
value - The current attribute value to set to.

isFirstAttribute

public boolean isFirstAttribute()
True if the first attribute of the resource entry is being evaluated.

Specified by:
isFirstAttribute in interface AciTargetMatchContext
Returns:
True if this is the first attribute.

setIsFirstAttribute

public void setIsFirstAttribute(boolean val)
Set to true if the first attribute of the resource entry is being evaluated.

Specified by:
setIsFirstAttribute in interface AciTargetMatchContext
Parameters:
val - True if this is the first attribute of the resource entry being evaluated.

hasEntryTestRule

public boolean hasEntryTestRule()
True if an entry test rule was found.

Specified by:
hasEntryTestRule in interface AciTargetMatchContext
Returns:
True if an entry test rule was found.

setEntryTestRule

public void setEntryTestRule(boolean val)
True if the target matching code found an entry test rule. An entry test rule is an ACI without a targetattr target rule.

Specified by:
setEntryTestRule in interface AciTargetMatchContext
Parameters:
val - True if an entry test rule was found.

getResourceEntry

public Entry getResourceEntry()
Get the entry being evaluated. This is known as the resource entry.

Specified by:
getResourceEntry in interface AciEvalContext
Specified by:
getResourceEntry in interface AciTargetMatchContext
Returns:
The entry being evaluated.

getClientEntry

public Entry getClientEntry()
Get the client entry. The client entry is the entry that corresponds to the client DN.

Specified by:
getClientEntry in interface AciEvalContext
Returns:
The client entry corresponding to the client DN.

getDenyList

public java.util.LinkedList<Aci> getDenyList()
Get the list of deny ACIs.

Specified by:
getDenyList in interface AciEvalContext
Returns:
The deny ACI list.

getAllowList

public java.util.LinkedList<Aci> getAllowList()
Get the list allow ACIs.

Specified by:
getAllowList in interface AciEvalContext
Returns:
The allow ACI list.

isDenyEval

public boolean isDenyEval()
Returns true if the deny list is being evaluated.

Specified by:
isDenyEval in interface AciEvalContext
Returns:
True if the deny list is being evaluated.

isAnonymousUser

public boolean isAnonymousUser()
Check if the remote client is bound anonymously.

Specified by:
isAnonymousUser in interface AciEvalContext
Returns:
True if client is bound anonymously.

setDenyEval

public void setDenyEval(boolean val)
Set when the deny list is being evaluated.

Specified by:
setDenyEval in interface AciEvalContext
Parameters:
val - True if deny's are being evaluated.

getClientDN

public DN getClientDN()
Get client DN. The client DN is the authorization DN.

Specified by:
getClientDN in interface AciEvalContext
Returns:
The client DN.

getResourceDN

public DN getResourceDN()
Get the resource DN. The resource DN is the DN of the entry being evaluated.

Specified by:
getResourceDN in interface AciEvalContext
Returns:
The resource DN.

hasRights

public boolean hasRights(int rights)
Checks if the container's rights has the specified rights.

Specified by:
hasRights in interface AciEvalContext
Specified by:
hasRights in interface AciTargetMatchContext
Parameters:
rights - The rights to check for.
Returns:
True if the container's rights has the specified rights.

getRights

public int getRights()
Return the rights for this container's LDAP operation.

Specified by:
getRights in interface AciEvalContext
Specified by:
getRights in interface AciTargetMatchContext
Returns:
The rights for the container's LDAP operation.

setRights

public void setRights(int rights)
Set the rights of the container to the specified rights.

Specified by:
setRights in interface AciTargetMatchContext
Parameters:
rights - The rights to set the container's rights to.

getHostName

public java.lang.String getHostName()
Get the hostname of the bound connection.

Specified by:
getHostName in interface AciEvalContext
Returns:
The hostname of the connection.

getRemoteAddress

public java.net.InetAddress getRemoteAddress()
Get the address of the bound connection.

Specified by:
getRemoteAddress in interface AciEvalContext
Returns:
The address of the bound connection.

isAddOperation

public boolean isAddOperation()
Return true if this is an add operation, needed by the userattr USERDN parent inheritance level 0 processing.

Specified by:
isAddOperation in interface AciEvalContext
Returns:
True if this is an add operation.

setTargAttrFiltersMatch

public void setTargAttrFiltersMatch(boolean v)
Set to true if the ACI had a targattrfilter rule that matched.

Specified by:
setTargAttrFiltersMatch in interface AciTargetMatchContext
Parameters:
v - The value to use.

getTargAttrFiltersMatch

public boolean getTargAttrFiltersMatch()
Return the value of the targAttrFiltersMatch variable. This is set to true if the ACI had a targattrfilter rule that matched.

Specified by:
getTargAttrFiltersMatch in interface AciTargetMatchContext
Returns:
True if the ACI had a targattrfilter rule that matched.

getControlOID

public java.lang.String getControlOID()
Return the OID (Object Identifier) string of the control being evaluated.

Specified by:
getControlOID in interface AciTargetMatchContext
Returns:
The OID string of the control being evaluated.

getExtOpOID

public java.lang.String getExtOpOID()
Return The OID (Object Identifier) string of the extended operation being evaluated.

Specified by:
getExtOpOID in interface AciTargetMatchContext
Returns:
The OID string of the extended operation being evaluated.

setControlOID

protected void setControlOID(java.lang.String oid)
Set the the controlOID value to the specified oid string.

Parameters:
oid - The control oid string.

setExtOpOID

protected void setExtOpOID(java.lang.String oid)
Set the extended operation OID value to the specified oid string.

Parameters:
oid - The extended operation oid string.

hasAuthenticationMethod

public EnumEvalResult hasAuthenticationMethod(EnumAuthMethod authMethod,
                                              java.lang.String saslMech)
Determine whether the client connection has been authenticated using a specified authentication method. This method is used for the authmethod bind rule keyword.

Specified by:
hasAuthenticationMethod in interface AciEvalContext
Parameters:
authMethod - The required authentication method.
saslMech - The required SASL mechanism if the authentication method is SASL.
Returns:
An evaluation result indicating whether the client connection has been authenticated using the required authentication method.

isMemberOf

public boolean isMemberOf(Group group)
Return true if the operation associated with this evaluation context is a member of the specified group. Calls the ClientConnection.isMemberOf() method, which checks authorization DN membership in the specified group.

Specified by:
isMemberOf in interface AciEvalContext
Parameters:
group - The group to check membership in.
Returns:
True if the authorization DN of the operation is a member of the specified group.

rightToString

public java.lang.String rightToString()
Return a string representation of the current right being evaluated. Used in geteffectiverights evaluation to build summary string.

Specified by:
rightToString in interface AciEvalContext
Returns:
String representation of the current right being evaluated.

setEvalUserAttributes

public void setEvalUserAttributes(int v)
This method toggles a mask that indicates that access checking of individual user attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all user attributes rule (targetattr="*"). The only case where individual user attribute access checking can be skipped, is when a single ACI matched using a targetattr all user attributes rule and the attribute type being check is not operational.

Specified by:
setEvalUserAttributes in interface AciTargetMatchContext
Parameters:
v - The mask to this value.

setEvalOpAttributes

public void setEvalOpAttributes(int v)
This method toggles a mask that indicates that access checking of individual operational attributes may or may not be skipped depending on if there is a single ACI containing a targetattr all operational attributes rule (targetattr="+"). The only case where individual operational attribute access checking can be skipped, is when a single ACI matched using a targetattr all operational attributes rule and the attribute type being check is operational.

Specified by:
setEvalOpAttributes in interface AciTargetMatchContext
Parameters:
v - The mask to this value.

hasEvalUserAttributes

public boolean hasEvalUserAttributes()
Return true if the evaluating ACI either contained an explicitly defined user attribute type in a targeattr target rule or both a targetattr all user attributes rule matched and a explictly defined targetattr target rule matched.

Specified by:
hasEvalUserAttributes in interface AciTargetMatchContext
Returns:
True if the above condition was seen.

hasEvalOpAttributes

public boolean hasEvalOpAttributes()
Return true if the evaluating ACI either contained an explicitly defined operational attribute type in a targeattr target rule or both a targetattr all operational attributes rule matched and a explictly defined targetattr target rule matched.

Specified by:
hasEvalOpAttributes in interface AciTargetMatchContext
Returns:
True if the above condition was seen.

hasAllUserAttributes

public boolean hasAllUserAttributes()
Return true if the evaluating ACI contained a targetattr all user attributes rule match.

Returns:
True if the above condition was seen.

hasAllOpAttributes

public boolean hasAllOpAttributes()
Return true if the evaluating ACI contained a targetattr all operational attributes rule match.

Returns:
True if the above condition was seen.

clearEvalAttributes

public void clearEvalAttributes(int v)
Used to clear the mask used to detect if access checking needs to be performed on individual attributes types. The specified value is cleared from the mask or if the value equals 0 the mask is completely cleared.

Specified by:
clearEvalAttributes in interface AciTargetMatchContext
Parameters:
v - The flag to clear or 0 to set the mask to 0.