Example 6 with DelAccessMgr

Use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

From class DelegatedMgrImplTest, method checkAccess. The test exercises both directions of the delegated-access check: every permission in oArray/opArray must be granted to each user in uArray, and every permission in oArrayBad/opArrayBad must be denied (or rejected as non-existent).

public static void checkAccess(String msg, String[][] uArray, String[][] oArray, String[][] opArray, String[][] oArrayBad, String[][] opArrayBad) {
    LogUtil.logIt(msg);
    try {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(TestUtils.getContext());
        // DelAccessMgr extends AccessMgr, so the same instance is used to create the RBAC session:
        AccessMgr accessMgr = (AccessMgr) dAccessMgr;
        for (String[] usr : uArray) {
            User user = UserTestData.getUser(usr);
            // isTrusted=false: the user's credentials are authenticated before the session is created.
            Session session = accessMgr.createSession(user, false);
            assertNotNull(session);
            // Positive cases: every object/operation pair must be granted to this user.
            for (String[] obj : oArray) {
                for (String[] op : opArray) {
                    assertTrue(CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" + PermTestData.getName(obj) + "] operationName [" + PermTestData.getName(op) + "]", dAccessMgr.checkAccess(session, new Permission(PermTestData.getName(obj), PermTestData.getName(op))));
                }
            }
            // Negative cases: every pair must be denied. A permission that is not in the directory
            // at all is reported by a SecurityException carrying PERM_NOT_EXIST rather than by a false result.
            for (String[] obj : oArrayBad) {
                for (String[] op : opArrayBad) {
                    try {
                        boolean result = dAccessMgr.checkAccess(session, new Permission(PermTestData.getName(obj), PermTestData.getName(op)));
                        assertFalse(CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" + PermTestData.getName(obj) + "] operationName [" + PermTestData.getName(op) + "], negative use case, access was granted", result);
                    } catch (SecurityException se) {
                        // The only acceptable exception in the negative case is "permission does not exist":
                        assertEquals(CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" + PermTestData.getName(obj) + "] operationName [" + PermTestData.getName(op) + "], negative use case, incorrect exception id=" + se.getErrorId(), GlobalErrIds.PERM_NOT_EXIST, se.getErrorId());
                    }
                }
            }
        }
        LOG.debug("checkAccess successful");
    } catch (SecurityException ex) {
        // Any other SecurityException (bad session, system error) fails the test outright.
        LOG.error("checkAccess: caught SecurityException rc=" + ex.getErrorId() + ", msg: " + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : User(org.apache.directory.fortress.core.model.User) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr) AccessMgr(org.apache.directory.fortress.core.AccessMgr) Permission(org.apache.directory.fortress.core.model.Permission) SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr) Session(org.apache.directory.fortress.core.model.Session)

Example 7 with DelAccessMgr

Use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

From class AdminUtil, method canDeassign. Note that the check is skipped entirely when session is null, so callers must pass an administrative session when the ARBAC02 constraint is meant to be enforced.

/**
 * Wrapper function to call {@link DelAccessMgrImpl#canDeassign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
 *
 * This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-revoke URA.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
 * @param user    Instantiated User entity requires only valid userId attribute set.
 * @param role    Instantiated Role entity requires only valid role name attribute set.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error, or with {@link GlobalErrIds#URLE_ADMIN_CANNOT_DEASSIGN} when the admin session is not authorized to revoke the role from the user.
 */
static void canDeassign(Session session, User user, Role role, String contextId) throws SecurityException {
    if (session != null) {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        boolean result = dAccessMgr.canDeassign(session, user, role);
        if (!result) {
            String warning = "canDeassign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
            throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_DEASSIGN, warning);
        }
    }
}
Also used : SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr)

Example 8 with DelAccessMgr

Use of org.apache.directory.fortress.core.DelAccessMgr in project directory-fortress-core by apache.

From class AdminUtil, method canGrant. As with canDeassign, the check only runs when a session is supplied; a failed check is reported by throwing rather than by a return value.

/**
 * Wrapper function to call {@link DelAccessMgrImpl#canGrant(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
 * This function will determine if the user contains an AdminRole that is authorized assignment control over
 * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-assign-p PRA.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
 * @param role    Instantiated Role entity requires only valid role name attribute set.
 * @param perm    Instantiated Permission entity requires valid {@link Permission#objName} and {@link Permission#opName} attributes set.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error, or with {@link GlobalErrIds#URLE_ADMIN_CANNOT_GRANT} when the admin session is not authorized to grant the permission to the role.
 */
static void canGrant(Session session, Role role, Permission perm, String contextId) throws SecurityException {
    if (session != null) {
        DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        boolean result = dAccessMgr.canGrant(session, role, perm);
        if (!result) {
            String warning = "canGrant Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
            throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_GRANT, warning);
        }
    }
}
Also used : SecurityException(org.apache.directory.fortress.core.SecurityException) DelAccessMgr(org.apache.directory.fortress.core.DelAccessMgr)
