Use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by Apache.
The class PswdPolicyMgrImplTest, method lockout.
/**
 * PT9
 * 5.2.9 pwdLockout
 * <p>
 * This attribute indicates, when its value is "TRUE", that the password
 * may not be used to authenticate after a specified number of
 * consecutive failed bind attempts. The maximum number of consecutive
 * failed bind attempts is specified in pwdMaxFailure.
 * <p>
 * If this attribute is not present, or if the value is "FALSE", the
 * password may be used to authenticate when the number of failed bind
 * attempts has been reached.
 * <p>
 * NOTE(review): this test does not drive the lock through failed binds. It locks the
 * account administratively with {@code AdminMgr.lockUserAccount}, checks that
 * {@code AccessMgr.createSession} is refused with {@code GlobalErrIds.USER_PW_LOCKED}
 * even though the credentials are valid, unlocks with {@code unlockUserAccount} and
 * checks that the login succeeds again. The failed-bind path is covered by
 * {@link #lockoutDuration}. Three lock/unlock cycles are run so that the unlock is
 * shown to clear the lock completely each time.
 *
 * @param msg  description logged at the start of the test case
 * @param usr  user test-data row, resolved through {@code UserTestData}
 * @param plcy password-policy test-data row, resolved through {@code PolicyTestData}
 */
public void lockout(String msg, String[] usr, String[] plcy) {
    LogUtil.logIt(msg);
    try {
        PwPolicyMgr pwPolicyMgr = getManagedPswdMgr();
        AdminMgr adminMgr = AdminMgrImplTest.getManagedAdminMgr();
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        User user = UserTestData.getUser(usr);
        String policyName = PolicyTestData.getName(plcy);
        String userId = UserTestData.getUserId(usr);
        // attach the policy under test to the user before any lock/unlock cycle:
        pwPolicyMgr.updateUserPolicy(user.getUserId(), policyName);
        final int cycles = 3;
        for (int cycle = 0; cycle < cycles; cycle++) {
            // administratively lock the account:
            adminMgr.lockUserAccount(user);
            try {
                // a locked account must be refused even with valid credentials:
                accessMgr.createSession(user, false);
                fail(CLS_NM + ".lockout name [" + policyName + "] user [" + userId + "] failed lockout test iteration=" + cycle);
            } catch (SecurityException ex) {
                // the refusal must be reported as a lock, not as some other failure:
                assertTrue(CLS_NM + ".lockout invalid error message userId [" + userId + "]", GlobalErrIds.USER_PW_LOCKED == ex.getErrorId());
                TestUtils.sleep(1);
            }
            // clear the lock; a valid login must now succeed. A SecurityException here
            // propagates to the outer catch and fails the test.
            adminMgr.unlockUserAccount(user);
            accessMgr.createSession(user, false);
        }
    } catch (SecurityException ex) {
        LOG.error("lockout caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by Apache.
The class PswdPolicyMgrImplTest, method lockoutDuration.
/**
 * PT8
 * 5.2.10 pwdLockoutDuration
 * <p>
 * This attribute holds the number of seconds that the password cannot
 * be used to authenticate due to too many failed bind attempts. If
 * this attribute is not present, or if the value is 0 the password
 * cannot be used to authenticate until reset by a password
 * administrator.
 * <p>
 * The test drives the lock the way a brute-force attempt would: it makes
 * {@code pwdMaxFailure} logins with a wrong password (each must be rejected with
 * {@code USER_PW_INVLD}), shows that the correct password is then refused with
 * {@code USER_PW_LOCKED}, waits out {@code pwdLockoutDuration} plus a one-second
 * margin and shows that the correct password is accepted again with no
 * administrative unlock.
 * <p>
 * NOTE(review): the final login only succeeds when the policy row carries a non-zero
 * lockout duration; with 0 the account stays locked until an administrator resets it.
 *
 * @param msg  description logged at the start of the test case
 * @param usr  user test-data row, resolved through {@code UserTestData}
 * @param plcy password-policy test-data row, resolved through {@code PolicyTestData}
 */
public void lockoutDuration(String msg, String[] usr, String[] plcy) {
    LogUtil.logIt(msg);
    try {
        PwPolicyMgr pwPolicyMgr = getManagedPswdMgr();
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        User user = UserTestData.getUser(usr);
        String policyName = PolicyTestData.getName(plcy);
        String userId = UserTestData.getUserId(usr);
        pwPolicyMgr.updateUserPolicy(user.getUserId(), policyName);
        final int maxFailures = PolicyTestData.getMaxFailure(plcy);
        final int lockoutSecs = PolicyTestData.getLockoutDuration(plcy);
        for (int attempt = 0; attempt < maxFailures; attempt++) {
            try {
                // a fresh User object per attempt, carrying a deliberately wrong password:
                User wrongPwUser = new User(user.getUserId(), "wrongpw");
                accessMgr.createSession(wrongPwUser, false);
                fail(CLS_NM + ".lockoutDuration name [" + policyName + "] user [" + userId + "] failed lockout duration test=" + maxFailures + " iteration=" + attempt);
            } catch (SecurityException ex) {
                // until the failure limit is reached the rejection must be a plain bad-password error:
                assertTrue(CLS_NM + ".lockoutDuration invalid error message userId [" + userId + "]", GlobalErrIds.USER_PW_INVLD == ex.getErrorId());
                TestUtils.sleep(1);
            }
        }
        try {
            // the correct credentials must now be refused because the account is locked:
            accessMgr.createSession(user, false);
            fail(CLS_NM + ".lockoutDuration name [" + policyName + "] user [" + userId + "] failed lockout duration test 2");
        } catch (SecurityException ex) {
            assertTrue(CLS_NM + ".lockoutDuration invalid error message userId [" + userId + "]", GlobalErrIds.USER_PW_LOCKED == ex.getErrorId());
        }
        // wait out the lockout window plus a one-second margin; the lock must expire on its own:
        TestUtils.sleep(lockoutSecs);
        TestUtils.sleep(1);
        // the correct credentials must be accepted again. A SecurityException here
        // propagates to the outer catch and fails the test.
        accessMgr.createSession(user, false);
    } catch (SecurityException ex) {
        LOG.error("lockoutDuration caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by Apache.
The class PswdPolicyMgrImplTest, method maxAge.
/**
 * PT2
 * 5.2.3 pwdMaxAge
 * <p>
 * This attribute holds the number of seconds after which a modified
 * password will expire.
 * <p>
 * If this attribute is not present, or if the value is 0 the password
 * does not expire. If not 0, the value must be greater than or equal
 * to the value of the pwdMinAge.*
 * <p>
 * The test attaches the policy to the user, performs a user-initiated password change
 * to start the age clock, then three times: sleeps past {@code pwdMaxAge}, checks that
 * login is refused with {@code USER_PW_EXPIRED}, resets the password through
 * {@code AdminMgr.updateUser} (an expired password cannot be used to authenticate a
 * {@code changePassword}) and checks that login works again.
 * <p>
 * NOTE(review): every reset uses the same literal value, so later cycles re-set a password
 * the account already had; whether pwdInHistory is enforced on administrative resets is
 * not visible here. The test also leaves the user with that reset password rather than
 * the test-data one.
 *
 * @param msg    description logged at the start of the test case
 * @param oldusr user test-data row of the account under test
 * @param newusr user test-data row whose password is used for the initial change
 * @param plcy   password-policy test-data row, resolved through {@code PolicyTestData}
 */
public void maxAge(String msg, String[] oldusr, String[] newusr, String[] plcy) {
    LogUtil.logIt(msg);
    try {
        AdminMgr adminMgr = AdminMgrImplTest.getManagedAdminMgr();
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        String policyName = PolicyTestData.getName(plcy);
        int maxAgeSecs = PolicyTestData.getMaxAge(plcy);
        String userId = UserTestData.getUserId(oldusr);
        User subject = UserTestData.getUser(oldusr);
        String password = UserTestData.getUser(newusr).getPassword();
        // attach the policy to the account through the admin API:
        subject.setPwPolicy(policyName);
        adminMgr.updateUser(subject);
        // a user-initiated change starts the max-age clock:
        adminMgr.changePassword(subject, password);
        subject.setPassword(password);
        final int cycles = 3;
        for (int cycle = 0; cycle < cycles; cycle++) {
            // let the password age past pwdMaxAge, with a one-second margin:
            TestUtils.sleep(maxAgeSecs);
            TestUtils.sleep(1);
            try {
                accessMgr.createSession(subject, false);
                fail(CLS_NM + ".maxAge name [" + policyName + "] user [" + userId + "] failed age test");
            } catch (SecurityException ex) {
                assertTrue(CLS_NM + ".maxAge invalid error message userId [" + userId + "]", GlobalErrIds.USER_PW_EXPIRED == ex.getErrorId());
            }
            // the expired password cannot authenticate a changePassword, so reset it
            // administratively; the fresh User carries only the id and the new password.
            subject = new User(subject.getUserId());
            subject.setPassword("changedabc");
            adminMgr.updateUser(subject);
            // the reset password must authenticate. A SecurityException here
            // propagates to the outer catch and fails the test.
            accessMgr.createSession(subject, false);
        }
    } catch (SecurityException ex) {
        LOG.error("maxAge caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by Apache.
The class PswdPolicyMgrImplTest, method expireWarning.
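/**
 * PT5
 * 5.2.7 pwdExpireWarning
 * <p>
 * This attribute specifies the maximum number of seconds before a
 * password is due to expire that expiration warning messages will be
 * returned to an authenticating user.
 * <p>
 * If this attribute is not present, or if the value is 0 no warnings
 * will be returned. If not 0, the value must be smaller than the value
 * of the pwdMaxAge attribute.
 * <p>
 * The test resets the password so the age clock starts now, checks that a login made
 * immediately afterwards carries no warning ({@code Session.getExpirationSeconds()} is 0),
 * sleeps until inside the warning window and checks that a positive, bounded warning is
 * now returned, then sleeps past {@code pwdMaxAge} and checks that login is refused with
 * {@code USER_PW_EXPIRED}.
 * <p>
 * NOTE(review): the timings assume the policy row's pwdExpireWarning is strictly between
 * 0 and pwdMaxAge, as the spec requires; a warning window of one second or less leaves no
 * room for the one-second margin added before the in-window check.
 *
 * @param msg  description logged at the start of the test case
 * @param usr  user test-data row, resolved through {@code UserTestData}
 * @param plcy password-policy test-data row, resolved through {@code PolicyTestData}
 */
public void expireWarning(String msg, String[] usr, String[] plcy) {
    LogUtil.logIt(msg);
    try {
        AdminMgr adminMgr = AdminMgrImplTest.getManagedAdminMgr();
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        User user = UserTestData.getUser(usr);
        String policyName = PolicyTestData.getName(plcy);
        String userId = UserTestData.getUserId(usr);
        long expireSecs = PolicyTestData.getExpireWarning(plcy);
        long maxSecs = PolicyTestData.getMaxAge(plcy);
        // seconds from a password change until the warning window opens:
        long secsUntilWarning = maxSecs - expireSecs;
        // the max age is short, so give the account a fresh password together with the
        // policy; otherwise the password on record may already have expired:
        String newPassword = UserTestData.getPassword(usr) + "a";
        user.setPassword(newPassword);
        user.setPwPolicy(policyName);
        adminMgr.updateUser(user);
        // a user-initiated change starts the max-age clock:
        newPassword = UserTestData.getPassword(usr) + "b";
        adminMgr.changePassword(user, newPassword);
        user.setPassword(newPassword);
        // immediately after the change no warning may be returned:
        Session s1 = accessMgr.createSession(user, false);
        assertTrue(CLS_NM + ".expireWarning invalid error message userId [" + userId + "]", s1.getExpirationSeconds() == 0);
        // move into the warning window, with a one-second margin for clock granularity:
        TestUtils.sleep(secsUntilWarning);
        TestUtils.sleep(1);
        s1 = accessMgr.createSession(user, false);
        assertTrue(CLS_NM + ".expireWarning invalid error message 2 userId [" + userId + "]", (0 < s1.getExpirationSeconds()) && (s1.getExpirationSeconds() < maxSecs));
        // Sleep through the rest of the warning window so pwdMaxAge is exceeded. The time
        // remaining at this point is expireSecs, not (maxSecs - expireSecs): sleeping the
        // latter a second time only passes pwdMaxAge when pwdExpireWarning is smaller than
        // half of pwdMaxAge, so the expiry check below would fail spuriously for any
        // policy with a larger warning window.
        TestUtils.sleep(expireSecs);
        TestUtils.sleep(1);
        try {
            accessMgr.createSession(user, false);
            fail(CLS_NM + ".expireWarning name [" + policyName + "] user [" + userId + "] failed expired pw test");
        } catch (SecurityException ex) {
            assertTrue(CLS_NM + ".expireWarning invalid error message 3 userId [" + userId + "]", GlobalErrIds.USER_PW_EXPIRED == ex.getErrorId());
        }
    } catch (SecurityException ex) {
        LOG.error("expireWarning caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}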
Use of org.apache.directory.fortress.core.AccessMgr in project directory-fortress-core by Apache.
The class CreateSessionSample, method createSession.
/**
 * Calls the AccessMgr createSession API with a valid credential and verifies that the
 * returned RBAC Session belongs to the caller and holds the expected number of activated
 * Roles; then repeats the call with a wrong password and verifies it is rejected with
 * {@code GlobalErrIds.USER_PW_INVLD} (a {@code PasswordException}).
 * <p>
 * NOTE(review): the negative attempt is a real failed authentication against the account;
 * if the user's password policy counts failed binds it contributes to that count.
 *
 * @param userId        Case insensitive userId.
 * @param password      Password is case sensitive, clear text but is stored in directory as hashed value.
 * @param expectedRoles integer contains the expected number of Roles in the Session.
 */
public static void createSession(String userId, String password, int expectedRoles) {
    final String szLocation = ".createSession";
    try {
        // runtime RBAC entry point:
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // positive case: the real credential must yield a Session (createSession throws
        // SecurityException on failure, so a null return is never expected)
        User user = new User(userId, password);
        Session session = accessMgr.createSession(user, false);
        assertNotNull(session);
        // the Session must be bound to the user that authenticated:
        String sessUserId = accessMgr.getUserId(session);
        assertTrue(szLocation + " failed compare found userId in session [" + sessUserId + "] valid userId [" + userId + "]", userId.equalsIgnoreCase(sessUserId));
        // the number of activated Roles must match what the caller expects:
        List<UserRole> activated = session.getRoles();
        assertNotNull(activated);
        assertEquals(szLocation + " user role check failed list size user [" + user.getUserId() + "]", expectedRoles, activated.size());
        // negative case: a wrong password for the same account must be refused
        try {
            User userBad = new User(user.getUserId(), "badpw");
            accessMgr.createSession(userBad, false);
            fail(szLocation + " userId [" + userId + "] failed negative test");
        } catch (PasswordException pe) {
            // the expected rejection; it must carry the invalid-password error id
            assertTrue(szLocation + " userId [" + userId + "] excep id check", GlobalErrIds.USER_PW_INVLD == pe.getErrorId());
        } catch (SecurityException se) {
            // any other security failure (e.g. a lock or policy error) is a test failure
            fail(szLocation + " userId [" + userId + "] failed with unexpected errorId" + se.getErrorId() + " msg=" + se.getMessage());
        }
        LOG.info(szLocation + " userId [" + userId + "] successful");
    } catch (SecurityException ex) {
        LOG.error(szLocation + " userId [" + userId + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}