
Example 1 with ValidationException

use of org.apache.directory.fortress.core.ValidationException in project directory-fortress-core by apache.

the class UserP method validate.

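/**
 * Performs the validations that guard insertion or update of a {@link User} entity in the directory.
 * Reasonability checks (length and safe-text) are applied to every non-null attribute, the ou attribute is
 * verified against the OrgUnit dataset, the password policy name is verified if set, and the constraints of
 * the User and of each assigned RBAC / ARBAC role are validated or, where the target role entry has none
 * set prior to the call, copied from the source role.
 * <p>
 * On add, userId and ou are required; on update every attribute is optional and only the attributes
 * actually supplied are checked.  The order of the checks is the same on both paths.
 *
 * @param entity   User entity containing the data targeted for insertion or update.  Role constraints
 *                 supplied on the entity are accepted as input.
 * @param isUpdate true when an update is being performed, which relaxes the set of required attributes.
 * @throws SecurityException in the event of a data validation error or a DAO error while resolving the
 *                           org unit, password policy or assigned roles.
 */
private void validate(User entity, boolean isUpdate) throws SecurityException {
    if (!isUpdate) {
        // the UserId attribute is required on add:
        VUtil.userId(entity.getUserId());
    }
    // cn and sn are optional as input; on add the entity defaults them to userId when the caller leaves them unset:
    validateOptionalText(entity.getCn(), GlobalIds.CN_LEN);
    validateOptionalText(entity.getSn(), GlobalIds.SN_LEN);
    // password is not required on the user object, but a user cannot execute AccessMgr or DelAccessMgr
    // methods without one:
    validateOptionalPassword(entity.getPassword());
    if (!isUpdate && StringUtils.isEmpty(entity.getOu())) {
        // the OU attribute is required on add:
        String error = "OU validation failed, null or empty value";
        throw new ValidationException(GlobalErrIds.ORG_NULL_USER, error);
    }
    // on add the ou is known to be present at this point; on update it is optional:
    if (StringUtils.isNotEmpty(entity.getOu())) {
        validateUserOrgUnit(entity, isUpdate);
    }
    // description attribute is optional:
    if (StringUtils.isNotEmpty(entity.getDescription())) {
        VUtil.description(entity.getDescription());
    }
    // 1 OpenLDAP password policy name must be valid if set:
    if (StringUtils.isNotEmpty(entity.getPwPolicy())) {
        PwPolicy policy = new PwPolicy(entity.getPwPolicy());
        policy.setContextId(entity.getContextId());
        if (!policyP.isValid(policy)) {
            String error = "validate detected invalid OpenLDAP policy name [" + entity.getPwPolicy() + "] for userId [" + entity.getUserId() + "]. Assignment is optional for User but must be valid if specified.";
            throw new ValidationException(GlobalErrIds.USER_PW_PLCY_INVALID, error);
        }
    }
    // 2 Validate constraints on User object:
    ConstraintUtil.validate(entity);
    // 3 Validate or copy constraints on RBAC roles; each role is read from the directory so the
    //   stored role's constraint can be compared with, or copied onto, the requested UserRole:
    if (CollectionUtils.isNotEmpty(entity.getRoles())) {
        RoleP rp = new RoleP();
        for (UserRole ure : entity.getRoles()) {
            Role inRole = new Role(ure.getName());
            inRole.setContextId(entity.getContextId());
            Role role = rp.read(inRole);
            ConstraintUtil.validateOrCopy(role, ure);
        }
    }
    // 4 Validate and copy constraints on Administrative roles:
    if (CollectionUtils.isNotEmpty(entity.getAdminRoles())) {
        for (UserAdminRole uare : entity.getAdminRoles()) {
            AdminRole inRole = new AdminRole(uare.getName());
            inRole.setContextId(entity.getContextId());
            AdminRole outRole = admRoleP.read(inRole);
            ConstraintUtil.validateOrCopy(outRole, uare);
            // copy the ARBAC AdminRole attributes to UserAdminRole:
            copyAdminAttrs(outRole, uare);
        }
    }
}

/**
 * Applies the length and safe-text check to an optional free-text attribute.  An absent or empty value
 * is accepted without further checks, matching the add and update rules for cn and sn.
 *
 * @param value  attribute value, may be null or empty.
 * @param maxLen maximum permitted length, one of the {@link GlobalIds} length constants.
 * @throws ValidationException if the value is present and fails the length or safe-text check.
 */
private static void validateOptionalText(String value, int maxLen) throws ValidationException {
    if (StringUtils.isNotEmpty(value)) {
        VUtil.safeText(value, maxLen);
    }
}

/**
 * Applies the password reasonability check without echoing the password into an error message.
 * {@link VUtil#safeText(String, int)} includes the rejected value in its length-failure message, which
 * would put a cleartext password into exception text and any log it reaches; the length is therefore
 * checked here first with a message that carries only the length.
 *
 * @param password cleartext password, may be null or empty (a password is optional on the user object).
 * @throws ValidationException if the password is present and fails the length or safe-text check.
 */
private static void validateOptionalPassword(String password) throws ValidationException {
    if (StringUtils.isEmpty(password)) {
        return;
    }
    if (password.length() > GlobalIds.PASSWORD_LEN) {
        String error = "password validation failed, invalid length [" + password.length() + "]";
        throw new ValidationException(GlobalErrIds.CONST_INVLD_FIELD_LEN, error);
    }
    // length is already within bounds here, so only the safe-text (regex) check remains.
    // NOTE(review): whether the regex failure path inside safeText also echoes the value is not
    // visible here — confirm in RegExUtil before relying on this for the regex case.
    VUtil.safeText(password, GlobalIds.PASSWORD_LEN);
}

/**
 * Checks the syntax of the entity's ou attribute and ensures the named org unit exists in the OS-U pool.
 *
 * @param entity   user whose ou and contextId are used for the lookup; ou must be non-empty.
 * @param isUpdate selects the wording of the error message ("adding" vs "updating").
 * @throws SecurityException if the ou is malformed, or if it does not resolve to a USER-type OrgUnit.
 */
private void validateUserOrgUnit(User entity, boolean isUpdate) throws SecurityException {
    VUtil.orgUnit(entity.getOu());
    // ensure ou exists in the OS-U pool:
    OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
    ou.setContextId(entity.getContextId());
    if (!orgUnitP.isValid(ou)) {
        String action = isUpdate ? "updating" : "adding";
        String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] " + action + " user with userId [" + entity.getUserId() + "]";
        throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
    }
}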

Example 2 with ValidationException

use of org.apache.directory.fortress.core.ValidationException in project directory-fortress-core by apache.

the class UserP method validate.

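/**
 * Ensures that the passed-in role constraint is complete and refers to an existing permission attribute set.
 * The local field checks (paSetName, type, value) run first so that a malformed constraint is rejected
 * before the permission attribute set lookup is attempted.
 *
 * @param rc        RoleConstraint to check; its paSetName, type and value are all required.
 * @param contextId context id passed through to the permission attribute set lookup.
 * @throws ValidationException if paSetName, type or value is missing
 *                             ({@code PERM_ATTRIBUTE_SET_NM_NULL}, {@code ROLE_CONSTRAINT_TYPE_NULL},
 *                             {@code ROLE_CONSTRAINT_VALUE_NULL}), or if the named permission attribute
 *                             set cannot be resolved ({@code PERM_ATTRIBUTE_SET_NOT_FOUND}).
 */
private void validate(RoleConstraint rc, String contextId) throws ValidationException {
    if (StringUtils.isEmpty(rc.getPaSetName())) {
        throw new ValidationException(GlobalErrIds.PERM_ATTRIBUTE_SET_NM_NULL, CLS_NM + ".validate pa set name is NULL");
    }
    if (rc.getType() == null) {
        throw new ValidationException(GlobalErrIds.ROLE_CONSTRAINT_TYPE_NULL, CLS_NM + ".validate type is NULL");
    }
    if (StringUtils.isEmpty(rc.getValue())) {
        throw new ValidationException(GlobalErrIds.ROLE_CONSTRAINT_VALUE_NULL, CLS_NM + ".validate value is NULL");
    }
    try {
        PermP permP = new PermP();
        permP.validatePaSet(rc.getPaSetName(), contextId);
    } catch (SecurityException e) {
        // the ValidationException(int, String) constructor carries no cause, so the underlying
        // exception's text is folded into the message to keep the failure reason diagnosable.
        String error = "validate - paSetName not found with name [" + rc.getPaSetName() + "] caught SecurityException=" + e;
        throw new ValidationException(GlobalErrIds.PERM_ATTRIBUTE_SET_NOT_FOUND, error);
    }
}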

Example 3 with ValidationException

use of org.apache.directory.fortress.core.ValidationException in project directory-fortress-core by apache.

the class VUtil method validateConstraints.

/**
 * Iterates over all of the Validators initialized for runtime and calls each one with the
 * {@link org.apache.directory.fortress.core.model.Constraint} contained within the targeted entity.
 * When a particular {@link org.apache.directory.fortress.core.model.UserRole} violates a constraint it is
 * removed from the session (not activated) and a warning is attached to the session; when
 * {@link org.apache.directory.fortress.core.model.User} validation fails a ValidationException is thrown,
 * which prevents User logon.  Group sessions are identified by groupName instead of userId in log output.
 * <p>
 * Side effects on {@code session}: roles or admin roles that fail a validator are removed from
 * {@code session.getRoles()} / {@code session.getAdminRoles()}, a warning is set for each removal, and
 * the last-access timestamp is reset on completion.
 *
 * @param session  contains the {@link org.apache.directory.fortress.core.model.User} and
 *                 {@link org.apache.directory.fortress.core.model.UserRole} constraints
 *                 {@link org.apache.directory.fortress.core.model.Constraint} to be checked.
 * @param type     specifies User {@link ConstraintType#USER} or role {@link ConstraintType#ROLE}.
 * @param checkDsd will additionally run the configured DSD validator over the session's roles if true;
 *                 this only happens when {@code type} is ROLE and the session holds roles.
 * @throws org.apache.directory.fortress.core.SecurityException in the event validation fails for User or a system error occurs.
 */
public void validateConstraints(Session session, ConstraintType type, boolean checkDsd) throws SecurityException {
    String location = "validateConstraints";
    // group sessions are reported by group name, user sessions by user id:
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";
    // validator result; a value greater than zero is the reason code of a failed constraint.
    int rc;
    if (validators == null) {
        // nothing configured for runtime: no constraints are enforced and the session is left untouched
        // (note the last-access reset below is also skipped on this path).
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}] has no constraints enabled", location, entityId);
        }
        return;
    } else // no need to continue if both role lists are empty and we're checking role constraints:
    if (type == ConstraintType.ROLE && CollectionUtils.isEmpty(session.getRoles()) && CollectionUtils.isEmpty(session.getAdminRoles())) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}]  has no roles assigned", location, entityId);
        }
        return;
    }
    for (Validator val : validators) {
        Time currTime = TUtil.getCurrentTime();
        // first check the constraint on the user (only for a user session):
        if (type == ConstraintType.USER && !session.isGroupSession()) {
            rc = val.validate(session, session.getUser(), currTime, type);
            if (rc > 0) {
                // a failed user constraint is fatal for the session, unlike a failed role constraint.
                String info = location + " user [" + entityId + "] was deactivated reason code [" + rc + "]";
                throw new ValidationException(rc, info);
            }
        } else // Check the constraints for each activated role:
        {
            // NOTE(review): this branch is also reached when type is USER and the session is a group
            // session, in which case the role constraints are evaluated with type USER — confirm intended.
            if (CollectionUtils.isNotEmpty(session.getRoles())) {
                // now check the constraint on every role activation candidate contained within session object:
                List<UserRole> rolesToRemove = new ArrayList<>();
                for (UserRole role : session.getRoles()) {
                    rc = val.validate(session, role, currTime, type);
                    if (rc > 0) {
                        // collect rather than remove in place to avoid mutating the list while iterating it.
                        rolesToRemove.add(role);
                        String msg = location + " role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
                        LOG.info(msg);
                        session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
                    }
                }
                // remove all roles not passing validation
                session.getRoles().removeAll(rolesToRemove);
            }
            if (CollectionUtils.isNotEmpty(session.getAdminRoles())) {
                // now check the constraint on every arbac role activation candidate contained within session object:
                List<UserRole> rolesToRemove = new ArrayList<>();
                for (UserRole role : session.getAdminRoles()) {
                    rc = val.validate(session, role, currTime, type);
                    if (rc > 0) {
                        rolesToRemove.add(role);
                        String msg = location + " admin role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
                        LOG.info(msg);
                        session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
                    }
                }
                // remove all roles not passing validation
                session.getAdminRoles().removeAll(rolesToRemove);
            }
        }
    }
    // now perform DSD validation on session's impl roles; DSDVALIDATOR is a class name that is
    // instantiated reflectively and must implement Validator:
    if (checkDsd && DSDVALIDATOR != null && DSDVALIDATOR.length() > 0 && type == ConstraintType.ROLE && CollectionUtils.isNotEmpty(session.getRoles())) {
        Validator dsdVal = (Validator) ClassUtil.createInstance(DSDVALIDATOR);
        // NOTE(review): the int returned by dsdVal.validate is discarded on both calls below; presumably
        // the DSD validator records its outcome on the session itself — confirm against the implementation.
        if (session.isGroupSession()) {
            // pass session's group wrapped into constraint interface
            dsdVal.validate(session, new ConstraintedGroup(session.getGroup()), null, null);
        } else {
            dsdVal.validate(session, session.getUser(), null, null);
        }
    }
    // reset the user's last access timestamp:
    session.setLastAccess();
}

Example 4 with ValidationException

use of org.apache.directory.fortress.core.ValidationException in project directory-fortress-core by apache.

the class VUtil method description.

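/**
 * Simple length check and safe text validation on a description field, bounded by
 * {@link org.apache.directory.fortress.core.GlobalIds#DESC_LEN}.  A null value is rejected with
 * {@link org.apache.directory.fortress.core.GlobalErrIds#CONST_NULL_TEXT} instead of surfacing as a
 * NullPointerException, in line with {@link #safeText(String, int)}.  An empty string is not rejected here
 * and is passed on to the safe-text check unchanged.
 *
 * @param value contains the entity description.
 * @throws org.apache.directory.fortress.core.ValidationException
 *          in the event of failure: {@link org.apache.directory.fortress.core.GlobalErrIds#CONST_NULL_TEXT}
 *          for a null value, {@link org.apache.directory.fortress.core.GlobalErrIds#CONST_DESC_LEN_INVLD}
 *          for an over-long value, or a regex failure from the safe-text check.
 */
public static void description(String value) throws ValidationException {
    if (value == null) {
        String error = "description null value";
        throw new ValidationException(GlobalErrIds.CONST_NULL_TEXT, error);
    }
    int length = value.length();
    if (length > GlobalIds.DESC_LEN) {
        String error = "description value [" + value + "] invalid length [" + length + "]";
        throw new ValidationException(GlobalErrIds.CONST_DESC_LEN_INVLD, error);
    }
    RegExUtil.getInstance().safeText(value);
}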

Example 5 with ValidationException

use of org.apache.directory.fortress.core.ValidationException in project directory-fortress-core by apache.

the class VUtil method safeText.

/**
 * Performs a simple length and safe text validation on an attribute value.
 * <p>
 * The length-failure message includes the rejected value itself, so callers must not route secrets
 * (for example passwords) through this check without first guarding the length with a non-echoing
 * message, or the cleartext ends up in exception text and logs.
 *
 * @param value    contains the attribute to check; must be non-null and non-empty.
 * @param validLen contains the maximum length to allow.
 * @throws ValidationException with {@link org.apache.directory.fortress.core.GlobalErrIds#CONST_NULL_TEXT}
 *                             for a null or empty value, with
 *                             {@link org.apache.directory.fortress.core.GlobalErrIds#CONST_INVLD_FIELD_LEN}
 *                             for an over-long value, or on regex failure in the safe-text check.
 */
public static void safeText(String value, int validLen) throws ValidationException {
    if (StringUtils.isEmpty(value)) {
        throw new ValidationException(GlobalErrIds.CONST_NULL_TEXT, "safeText null value");
    }
    int actualLen = value.length();
    if (actualLen > validLen) {
        String msg = "safeText value [" + value + "] invalid length [" + actualLen + "]";
        throw new ValidationException(GlobalErrIds.CONST_INVLD_FIELD_LEN, msg);
    }
    // length is within bounds; only the regex-based safe-text check remains.
    RegExUtil.getInstance().safeText(value);
}
