use of org.apache.directory.fortress.core.SecurityException in project directory-fortress-core by apache.
the class AdminRoleUtil method loadGraph.
/**
 * Build the adminRole hierarchy graph for one context and store it in {@code adminRoleCache}.
 * <p>
 * Reads the ldap record {@code cn=Hierarchies, ou=OS-P} into the entity {@link Hier}, then loads it into
 * the collection class {@code org.jgrapht.graph.SimpleDirectedGraph} using the 3rd party lib
 * <a href="http://www.jgrapht.org/">JGraphT</a>.
 * <p>
 * A {@code SecurityException} raised while fetching the descendants is logged and not rethrown; the graph
 * is then built from a {@code null} descendant list and cached under the context's key all the same.
 *
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @return handle to simple digraph containing adminRole hierarchies.
 */
private static synchronized SimpleDirectedGraph<String, Relationship> loadGraph(String contextId) {
    Hier query = new Hier(Hier.Type.ROLE);
    query.setContextId(contextId);
    LOG.info("loadGraph initializing ADMIN ROLE context [{}]", query.getContextId());

    List<Graphable> descendants;
    try {
        descendants = adminRoleP.getAllDescendants(query.getContextId());
    } catch (SecurityException e) {
        // NOTE(review): the failure is recorded at info level only and execution continues, so a
        // hierarchy built without descendants ends up in the cache. Whether that later widens or
        // narrows admin-role inheritance depends on HierUtil, which is not visible here — confirm,
        // and consider alerting on this log line.
        LOG.info("loadGraph caught SecurityException={}", e);
        descendants = null;
    }

    SimpleDirectedGraph<String, Relationship> graph =
        HierUtil.buildGraph(HierUtil.loadHier(contextId, descendants));
    adminRoleCache.put(getKey(contextId), graph);
    return graph;
}
use of org.apache.directory.fortress.core.SecurityException in project directory-fortress-core by apache.
the class AdminUtil method canRevoke.
/**
 * Wrapper function to call {@link DelAccessMgrImpl#canRevoke(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
 *
 * This function will determine if the user contains an AdminRole that is authorized revoke control over
 * Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
 * <p>
 * When {@code session} is {@code null} no check is made and the method returns normally, so the
 * delegated-administration control is only enforced for callers that pass a session.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession. A {@code null} value skips the check.
 * @param role Instantiated Role entity requires only valid role name attribute set.
 * @param perm Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws org.apache.directory.fortress.core.SecurityException with id {@code GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE} when the check returns false; also in the event of data validation error (i.e. invalid perm or role name) or system error.
 */
static void canRevoke(Session session, Role role, Permission perm, String contextId) throws SecurityException {
    // No admin session supplied: the ARBAC check is bypassed rather than failed.
    if (session == null) {
        return;
    }

    DelAccessMgr delegatedAccessMgr = DelAccessMgrFactory.createInstance(contextId);
    if (delegatedAccessMgr.canRevoke(session, role, perm)) {
        return;
    }

    // The denial message names the role, the permission and the admin's userId.
    String warning = "canRevoke Role [" + role.getName()
        + "] Perm object [" + perm.getObjName()
        + "] Perm Operation [" + perm.getOpName()
        + "] Admin [" + session.getUserId() + "] failed check.";
    throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE, warning);
}
use of org.apache.directory.fortress.core.SecurityException in project directory-fortress-core by apache.
the class AdminUtil method canAssign.
/**
 * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
 * This will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-assign URA.
 * <p>
 * When {@code session} is {@code null} no check is made and the method returns normally, so the
 * delegated-administration control is only enforced for callers that pass a session.
 *
 * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession. A {@code null} value skips the check.
 * @param user Instantiated User entity requires only valid userId attribute set.
 * @param role Instantiated Role entity requires only valid role name attribute set.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @throws org.apache.directory.fortress.core.SecurityException with id {@code GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN} when the check returns false; also in the event of data validation error (i.e. invalid userId or role name) or system error.
 */
static void canAssign(Session session, User user, Role role, String contextId) throws SecurityException {
    // No admin session supplied: the ARBAC check is bypassed rather than failed.
    if (session == null) {
        return;
    }

    DelAccessMgr delegatedAccessMgr = DelAccessMgrFactory.createInstance(contextId);
    if (delegatedAccessMgr.canAssign(session, user, role)) {
        return;
    }

    // The denial message names the role, the target user and the admin's userId.
    String warning = "canAssign Role [" + role.getName()
        + "] User [" + user.getUserId()
        + "] Admin [" + session.getUserId() + "] failed check.";
    throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN, warning);
}
use of org.apache.directory.fortress.core.SecurityException in project directory-fortress-core by apache.
the class PermP method remove.
/**
 * Remove the Admin Role assignment attribute from all Admin permissions. This method is called by DelAdminMgrImpl
 * when the AdminRole is being deleted.
 * <p>
 * Every permission returned by {@code search(role)} is flagged with {@code setAdmin(true)} and then passed
 * to {@code revoke}, one permission at a time.
 *
 * @param role contains the name of AdminRole targeted for attribute removal.
 * @throws SecurityException with id {@code GlobalErrIds.PERM_BULK_ADMINROLE_REVOKE_FAILED} when a
 *         {@code FinderException} is caught, i.e. in the event of DAO search error.
 */
void remove(AdminRole role) throws SecurityException {
    try {
        // NOTE(review): the revokes are issued individually; if one fails part-way, the earlier ones
        // presumably stay applied, leaving the role partly detached — confirm against revoke().
        for (Permission adminPerm : search(role)) {
            adminPerm.setAdmin(true);
            revoke(adminPerm, role);
        }
    } catch (FinderException fe) {
        String error = "remove admin role [" + role.getName() + "] caught FinderException=" + fe;
        throw new SecurityException(GlobalErrIds.PERM_BULK_ADMINROLE_REVOKE_FAILED, error, fe);
    }
}
use of org.apache.directory.fortress.core.SecurityException in project directory-fortress-core by apache.
the class DelAccessMgrImpl method addActiveRole.
/**
 * {@inheritDoc}
 * <p>
 * Implementation: the role is rejected if the session already holds it, or if the user record read
 * through {@code userP} does not list it among its admin roles; otherwise it is passed to
 * {@code validateDSD} and then set on the session.
 */
@Override
public void addActiveRole(Session session, UserAdminRole role) throws SecurityException {
    String methodName = "addActiveRole";
    assertContext(CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL);
    assertContext(CLS_NM, methodName, role, GlobalErrIds.ARLE_NULL);

    // Bind the requested role to the session's user before any comparison is made.
    role.setUserId(session.getUserId());

    // Refuse to activate an admin role the session already carries.
    List<UserAdminRole> activeRoles = session.getAdminRoles();
    boolean alreadyActive = activeRoles != null && activeRoles.contains(role);
    if (alreadyActive) {
        String info = getFullMethodName(CLS_NM, methodName) + " User [" + session.getUserId() + "] Role [" + role.getName() + "] role already activated.";
        throw new SecurityException(GlobalErrIds.ARLE_ALREADY_ACTIVE, info);
    }

    // Eligibility is decided from the user record returned by userP.read, not from what the
    // session or the caller-supplied role claims.
    User storedUser = userP.read(session.getUser(), true);
    List<UserAdminRole> assignedRoles = storedUser.getAdminRoles();
    int assignedIndex = CollectionUtils.isNotEmpty(assignedRoles) ? assignedRoles.indexOf(role) : -1;
    if (assignedIndex == -1) {
        String info = getFullMethodName(CLS_NM, methodName) + " Admin Role [" + role.getName() + "] User [" + session.getUserId() + "] adminRole not authorized for user.";
        throw new SecurityException(GlobalErrIds.ARLE_ACTIVATE_FAILED, info);
    }

    // Presumably the dynamic separation-of-duty check; its failure mode is not visible here — confirm.
    SDUtil.getInstance().validateDSD(session, role);

    // Activate the assignment object taken from the user record rather than the caller's instance.
    session.setRole(assignedRoles.get(assignedIndex));
}