
Example 1 with DelAccessMgr

use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

the class AdminUtil method checkAccess.

/**
 * Wrapper function to call {@link DelAccessMgrImpl#checkAccess(org.apache.directory.fortress.core.model.Session, Permission)}.
 * Perform user ARBAC authorization.  The underlying call returns a boolean indicating whether the subject of a given session is
 * allowed to perform a given operation on a given object; this wrapper throws {@link AuthorizationException} when that result is false.
 * The function is valid if and only if the session is a valid Fortress session, the object is a member of the OBJS data set,
 * and the operation is a member of the OPS data set. The session's subject has the permission
 * to perform the operation on that object if and only if that permission is assigned to (at least)
 * one of the session's active roles. This implementation verifies that the subject's userId, or one of the roles
 * active in the session, is registered in the object's access control list.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
 * @param perm    object contains obj attribute which is a String and contains the name of the object user is trying to access;
 *                perm object contains operation attribute which is also a String and contains the operation name for the object.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
 */
static void checkAccess(Session session, Permission perm, String contextId) throws SecurityException {
    if (session != null) {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        boolean result = dAccessMgr.checkAccess(session, perm);
        if (!result) {
            String info = "checkAccess failed for user [" + session.getUserId() + "] object [" + perm.getObjName() + "] operation [" + perm.getOpName() + "]";
            throw new AuthorizationException(GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED, info);
        }
    }
}
Also used : AuthorizationException(org.apache.directory.fortress.core.AuthorizationException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr)

Example 2 with DelAccessMgr

use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

the class AdminUtil method canRevoke.

/**
 * Wrapper function to call {@link DelAccessMgrImpl#canRevoke(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
 *
 * This function determines whether the user holds an AdminRole authorized for revoke control over
 * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
 * @param role    Instantiated Role entity requires only valid role name attribute set.
 * @param perm    Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
 */
static void canRevoke(Session session, Role role, Permission perm, String contextId) throws SecurityException {
    if (session != null) {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        boolean result = dAccessMgr.canRevoke(session, role, perm);
        if (!result) {
            String warning = "canRevoke Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
            throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE, warning);
        }
    }
}
Also used : SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr)

Example 3 with DelAccessMgr

use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

the class AdminUtil method canAssign.

/**
 * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
 * This function determines whether the user holds an AdminRole authorized for assignment control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-assign URA.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
 * @param user    Instantiated User entity requires only valid userId attribute set.
 * @param role    Instantiated Role entity requires only valid role name attribute set.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
 */
static void canAssign(Session session, User user, Role role, String contextId) throws SecurityException {
    if (session != null) {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        boolean result = dAccessMgr.canAssign(session, user, role);
        if (!result) {
            String warning = "canAssign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
            throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN, warning);
        }
    }
}
Also used : SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr)
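
The three wrappers above share one shape: resolve a DelAccessMgr for the context, ask it a yes/no ARBAC02 question, and throw a SecurityException (or AuthorizationException) carrying a GlobalErrIds code when the answer is no. Note that every wrapper returns silently when session is null, so ARBAC02 enforcement depends entirely on the caller supplying an admin session. The following is an added example, not code from directory-fortress-core, showing the caller's side of that contract: create an admin Session, run the can-assign and admin-permission checks through DelAccessMgr, then hand the same session to AdminMgr via setAdmin before making the change. The context id, user ids, role name and the admin permission's object/operation names are assumed placeholders for entries that already exist in a Fortress directory; the two `require*` helpers are hypothetical and fail closed on a null session instead of skipping the check.

```java
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.AuthorizationException;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Added example, not part of directory-fortress-core: the "check, then change" pattern
 * behind AdminUtil's wrappers, seen from the calling application. All names below are
 * assumed placeholders for entries that exist in the target directory.
 */
public class ArbacAssignExample
{
    private static final String CONTEXT_ID = "HOME";            // assumed tenant sub-tree
    private static final String ADMIN_USER_ID = "arbacAdmin";   // assumed user holding an AdminRole
    private static final String TARGET_USER_ID = "jdoe";        // assumed user receiving the role
    private static final String TARGET_ROLE = "TestRole1";      // assumed RBAC role

    /**
     * ARBAC02 can-assign (URA) check. Unlike AdminUtil.canAssign, which returns silently when
     * the session is null, this hypothetical helper fails closed: no admin session, no change.
     */
    static void requireCanAssign( Session adminSession, User user, Role role, String contextId )
        throws SecurityException
    {
        if ( adminSession == null )
        {
            throw new SecurityException( GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN,
                "no admin session; refusing to assign role [" + role.getName() + "]" );
        }
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance( contextId );
        if ( !delAccessMgr.canAssign( adminSession, user, role ) )
        {
            throw new SecurityException( GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN,
                "admin [" + adminSession.getUserId() + "] may not assign role [" + role.getName()
                    + "] to user [" + user.getUserId() + "]" );
        }
    }

    /** Admin permission check (object + operation); same shape as AdminUtil.checkAccess, fail-closed. */
    static void requireAdminPerm( Session adminSession, Permission perm, String contextId )
        throws SecurityException
    {
        if ( adminSession == null )
        {
            throw new AuthorizationException( GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED,
                "no admin session; refusing [" + perm.getObjName() + ":" + perm.getOpName() + "]" );
        }
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance( contextId );
        if ( !delAccessMgr.checkAccess( adminSession, perm ) )
        {
            throw new AuthorizationException( GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED,
                "admin [" + adminSession.getUserId() + "] lacks [" + perm.getObjName() + ":" + perm.getOpName() + "]" );
        }
    }

    public static void main( String[] args ) throws SecurityException
    {
        AccessMgr accessMgr = AccessMgrFactory.createInstance( CONTEXT_ID );
        // Trusted session: the admin was authenticated elsewhere, so no password is presented here;
        // the Session still carries the admin's activated RBAC roles and AdminRoles.
        Session adminSession = accessMgr.createSession( new User( ADMIN_USER_ID ), true );

        User user = new User( TARGET_USER_ID );
        Role role = new Role( TARGET_ROLE );

        // 1. can-assign URA: one of the admin's active AdminRoles must cover both the target
        //    user's OU and the role being assigned.
        requireCanAssign( adminSession, user, role, CONTEXT_ID );

        // 2. Admin permission on the operation itself. The obj/op names are assumed; use the
        //    admin permissions actually loaded in the directory.
        requireAdminPerm( adminSession, new Permission( "AdminMgrImpl", "assignUser" ), CONTEXT_ID );

        // 3. Attach the admin session and perform the change. AdminMgr passes this session into
        //    the AdminUtil wrappers; if setAdmin is skipped, their null check skips ARBAC02 entirely.
        AdminMgr adminMgr = AdminMgrFactory.createInstance( CONTEXT_ID );
        adminMgr.setAdmin( adminSession );
        adminMgr.assignUser( new UserRole( user.getUserId(), role.getName() ) );

        System.out.println( "assigned role [" + role.getName() + "] to user [" + user.getUserId() + "]" );
    }
}
```

canGrant and canRevoke (Example 2) follow the same shape with a Role and a Permission instead of a User and a Role; the practical caveat is the same for all of them: decide deliberately whether a missing admin session should skip the check, as the wrappers do, or refuse the operation, as the helpers above do.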

Example 4 with DelAccessMgr

use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

the class DelegatedMgrImplTest method canAssignUsers.

/**
 * Drives DelAccessMgr.canAssign / canDeassign for every admin user x target user x role combination and
 * compares each result with the expected URA table.
 *
 * @param msg      message logged at the start of the test
 * @param op       ASSIGN_OP.ASSIGN to exercise canAssign, otherwise canDeassign
 * @param uraArray expected User-Role Assignment (URA) results, keyed by admin role, user OU and role
 * @param uaArray  admin users whose sessions are created and checked
 * @param uArray   target users to be (de)assigned
 * @param rArray   roles to be (de)assigned
 */
public static void canAssignUsers(String msg, ASSIGN_OP op, String[][] uraArray, String[][] uaArray, String[][] uArray, String[][] rArray) {
    LogUtil.logIt(msg);
    Role role;
    Map<URA, URA> uraTestResults = URATestData.getURAs(uraArray);
    try {
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance(TestUtils.getContext());
        AccessMgr accessMgr = (AccessMgr) delAccessMgr;
        int i = 0;
        for (String[] aUsr : uaArray) {
            User aUser = UserTestData.getUser(aUsr);
            Session session = accessMgr.createSession(aUser, false);
            assertNotNull(session);
            for (String[] usr : uArray) {
                User user = UserTestData.getUser(usr);
                i++;
                for (String[] rle : rArray) {
                    role = RoleTestData.getRole(rle);
                    String methodName;
                    boolean result;
                    if (op == ASSIGN_OP.ASSIGN) {
                        result = delAccessMgr.canAssign(session, user, role);
                        methodName = ".canAssignUsers";
                    } else {
                        result = delAccessMgr.canDeassign(session, user, role);
                        methodName = ".canDeassignUsers";
                    }
                    List<UserAdminRole> aRoles = session.getAdminRoles();
                    assertNotNull(aRoles);
                    assertTrue(CLS_NM + methodName + " Admin User invalid number of roles", aRoles.size() == 1);
                    // since this user should only have one admin role, get the first one from list:
                    UserAdminRole aRole = aRoles.get(0);
                    URA sourceUra = new URA(aRole.getName(), user.getOu(), role.getName(), result);
                    URA targetUra = uraTestResults.get(sourceUra);
                    assertTrue(CLS_NM + methodName + " cannot find target URA admin role [" + sourceUra.getArole() + " uou [" + sourceUra.getUou() + "] role [" + sourceUra.getUrole() + "] Result [" + sourceUra.isCanAssign() + "] actual result [" + result + "]", targetUra != null);
                    LOG.debug(methodName + " User [" + user.getUserId() + "] success URA using admin role [" + targetUra.getArole() + " uou [" + targetUra.getUou() + "] role [" + targetUra.getUrole() + "] target result [" + targetUra.isCanAssign() + "] actual result [" + result + "]");
                }
            }
        }
    } catch (SecurityException ex) {
        LOG.error("canAssignUsers op [" + op + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : User(org.apache.directory.fortress.core.model.User) UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole) SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr) AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) AccessMgr(org.apache.directory.fortress.core.AccessMgr) Session(org.apache.directory.fortress.core.model.Session)

Example 5 with DelAccessMgr

use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

the class DelegatedMgrImplTest method canGrantPerms.

/**
 * Drives DelAccessMgr.canGrant / canRevoke for every admin user x permission object x role combination and
 * compares each result with the expected PRA table.
 *
 * @param msg      message logged at the start of the test
 * @param op       GRANT_OP.GRANT to exercise canGrant, otherwise canRevoke
 * @param uraArray expected Permission-Role Assignment (PRA) results, keyed by admin role, permission OU and role
 * @param uaArray  admin users whose sessions are created and checked
 * @param pArray   permission objects whose OU is checked against the admin role's range
 * @param rArray   roles to be granted or revoked
 */
public static void canGrantPerms(String msg, GRANT_OP op, String[][] uraArray, String[][] uaArray, String[][] pArray, String[][] rArray) {
    LogUtil.logIt(msg);
    Role role;
    Map<PRA, PRA> praTestResults = PRATestData.getPRAs(uraArray);
    try {
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance(TestUtils.getContext());
        AccessMgr accessMgr = (AccessMgr) delAccessMgr;
        int i = 0;
        for (String[] aUsr : uaArray) {
            User aUser = UserTestData.getUser(aUsr);
            Session session = accessMgr.createSession(aUser, false);
            assertNotNull(session);
            for (String[] prm : pArray) {
                PermObj pObj = PermTestData.getObj(prm);
                i++;
                for (String[] rle : rArray) {
                    role = RoleTestData.getRole(rle);
                    String methodName;
                    boolean result;
                    if (op == GRANT_OP.GRANT) {
                        result = delAccessMgr.canGrant(session, role, new Permission(pObj.getObjName(), ""));
                        methodName = ".canGrantPerms";
                    } else {
                        result = delAccessMgr.canRevoke(session, role, new Permission(pObj.getObjName(), ""));
                        methodName = ".canRevokePerms";
                    }
                    List<UserAdminRole> aRoles = session.getAdminRoles();
                    assertNotNull(aRoles);
                    assertTrue(CLS_NM + methodName + " Admin User invalid number of roles", aRoles.size() == 1);
                    UserAdminRole aRole = aRoles.get(0);
                    PRA sourcePra = new PRA(aRole.getName(), pObj.getOu(), role.getName(), result);
                    PRA targetPra = praTestResults.get(sourcePra);
                    assertTrue(CLS_NM + methodName + " cannot find target PRA admin role [" + sourcePra.getArole() + " pou [" + sourcePra.getPou() + "] role [" + sourcePra.getUrole() + "] Result [" + sourcePra.isCanAssign() + "] actual result [" + result + "]", targetPra != null);
                    // reached only when the expected PRA entry was found, i.e. the check produced the expected result:
                    LOG.debug(methodName + " success PRA using admin role [" + targetPra.getArole() + " pou [" + targetPra.getPou() + "] role [" + targetPra.getUrole() + "] target result [" + targetPra.isCanAssign() + "] actual result [" + result + "]");
                }
            }
        }
    } catch (SecurityException ex) {
        LOG.error("canGrantPerms op [" + op + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : PermObj(org.apache.directory.fortress.core.model.PermObj) User(org.apache.directory.fortress.core.model.User) UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole) SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr) AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) AccessMgr(org.apache.directory.fortress.core.AccessMgr) Permission(org.apache.directory.fortress.core.model.Permission) Session(org.apache.directory.fortress.core.model.Session)

Aggregations

DelAccessMgr (org.apache.directory.fortress.core.DelAccessMgr) 8
SecurityException (org.apache.directory.fortress.core.SecurityException) 7
AccessMgr (org.apache.directory.fortress.core.AccessMgr) 3
Session (org.apache.directory.fortress.core.model.Session) 3
User (org.apache.directory.fortress.core.model.User) 3
AdminRole (org.apache.directory.fortress.core.model.AdminRole) 2
Permission (org.apache.directory.fortress.core.model.Permission) 2
Role (org.apache.directory.fortress.core.model.Role) 2
UserAdminRole (org.apache.directory.fortress.core.model.UserAdminRole) 2
AuthorizationException (org.apache.directory.fortress.core.AuthorizationException) 1
PermObj (org.apache.directory.fortress.core.model.PermObj) 1