Example 1 with AuthZ
use of org.apache.directory.fortress.core.model.AuthZ in project directory-fortress-core by apache.
the class AuditDAO method searchAuthZs.
/**
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> searchAuthZs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String permRoot = getRootDn(audit.isAdmin(), audit.getContextId());
String userRoot = getRootDn(audit.getContextId(), GlobalIds.USER_ROOT);
try {
String reqDn = PermDAO.getOpRdn(audit.getOpName(), audit.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + audit.getObjName() + "," + permRoot;
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" + reqDn + ")(" + REQUAUTHZID + "=" + SchemaConstants.UID_AT + "=" + audit.getUserId() + "," + userRoot + ")";
if (audit.isFailedOnly()) {
filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// System.out.println("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
auditList.add(getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++));
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
Also used :
FinderException(org.apache.directory.fortress.core.FinderException)
CursorException(org.apache.directory.api.ldap.model.cursor.CursorException)
AuthZ(org.apache.directory.fortress.core.model.AuthZ)
ArrayList(java.util.ArrayList)
SearchCursor(org.apache.directory.api.ldap.model.cursor.SearchCursor)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapConnection(org.apache.directory.ldap.client.api.LdapConnection)
Example 2 with AuthZ
use of org.apache.directory.fortress.core.model.AuthZ in project directory-fortress-core by apache.
the class AuditDAO method getAllAuthZs.
/**
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> getAllAuthZs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String userRoot = getRootDn(audit.getContextId(), GlobalIds.USER_ROOT);
try {
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
if (audit.getUserId() != null && audit.getUserId().length() > 0) {
filter += REQUAUTHZID + "=" + SchemaConstants.UID_AT + "=" + audit.getUserId() + "," + userRoot + ")";
} else {
// have to limit the query to only authorization entries.
// TODO: determine why the cn=Manager user is showing up in this search:
filter += REQUAUTHZID + "=*)(!(" + REQUAUTHZID + "=cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + "))";
// TODO: fix this so filter by only the Fortress AuthZ entries and not the others:
if (audit.isFailedOnly()) {
filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")";
}
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// log.warn("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
auditList.add(getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++));
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.getAllAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
Also used :
FinderException(org.apache.directory.fortress.core.FinderException)
CursorException(org.apache.directory.api.ldap.model.cursor.CursorException)
AuthZ(org.apache.directory.fortress.core.model.AuthZ)
ArrayList(java.util.ArrayList)
SearchCursor(org.apache.directory.api.ldap.model.cursor.SearchCursor)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapConnection(org.apache.directory.ldap.client.api.LdapConnection)
Example 3 with AuthZ
use of org.apache.directory.fortress.core.model.AuthZ in project directory-fortress-core by apache.
the class AuditDAO method searchInvalidAuthNs.
/**
* This method returns failed authentications where the userid is not present in the directory. This
* is possible because Fortress performs read on user before the bind.
* User:
* dn: reqStart=20101014235402.000000Z, cn=log
* reqStart: 20101014235402.000000Z
* reqEnd: 20101014235402.000001Z
* reqAuthzID: cn=Manager,dc=jts,dc=com
* reqDerefAliases: never
* reqSession: 84
* reqAttrsOnly: FALSE
* reqSizeLimit: -1
* objectClass: auditSearch
* reqResult: 32
* reqAttr: ftId
* reqAttr: uid
* reqAttr: userpassword
* reqAttr: description
* reqAttr: ou
* reqAttr: cn
* reqAttr: sn
* reqAttr: ftRoleCstr
* reqAttr: ftCstr
* reqAttr: ftRoleAsgn
* reqAttr: pwdReset
* reqAttr: pwdAccountLockedTime
* reqAttr: ftProps
* reqEntries: 0
* reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
* reqType: search
* reqDN: uid=foo,ou=People,dc=jts,dc=com /cal/cal2.jsp
* reqTimeLimit: -1
* reqScope: base
*
* @param audit
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<AuthZ> searchInvalidAuthNs(UserAudit audit) throws FinderException {
List<AuthZ> auditList = new ArrayList<>();
LdapConnection ld = null;
String auditRoot = Config.getInstance().getProperty(AUDIT_ROOT);
String userRoot = Config.getInstance().getProperty(GlobalIds.USER_ROOT);
try {
// use wildcard for user if not passed in:
// reqDN: uid=foo,ou=People,dc=jts,dc=com
// (&
// (objectclass=auditSearch)
// (reqDN=uid=*,ou=People,dc=jts,dc=com)
// (reqAuthzID=cn=Manager,dc=jts,dc=com)
// (reqEntries=0)
// )
String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
String userId;
if (StringUtils.isNotEmpty(audit.getUserId())) {
userId = audit.getUserId();
filter += REQDN + "=" + SchemaConstants.UID_AT + "=" + userId + "," + userRoot + ")(" + REQUAUTHZID + "=" + "cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + ")";
} else {
// pull back all failed authN attempts for all users:
filter += REQATTR + "=" + SchemaConstants.UID_AT + ")(" + REQUAUTHZID + "=" + "cn=Manager," + Config.getInstance().getProperty(GlobalIds.SUFFIX) + ")";
}
if (audit.isFailedOnly()) {
filter += "(" + REQENTRIES + "=" + 0 + ")";
}
if (audit.getBeginDate() != null) {
String szTime = TUtil.encodeGeneralizedTime(audit.getBeginDate());
filter += "(" + REQEND + ">=" + szTime + ")";
}
filter += ")";
// log.warn("filter=" + filter);
ld = getLogConnection();
SearchCursor searchResults = search(ld, auditRoot, SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
AuthZ authZ = getAuthzEntityFromLdapEntry(searchResults.getEntry(), sequence++);
// Work around is to remove the ou=People failed searches from user failed searches on authN.
if (!AuditUtil.getAuthZId(authZ.getReqDN()).equalsIgnoreCase("People")) {
auditList.add(authZ);
}
}
} catch (LdapException e) {
String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e);
} catch (CursorException e) {
String error = "CursorException in AuditDAO.searchAuthZs id=" + e.getMessage();
throw new FinderException(GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e);
} finally {
closeLogConnection(ld);
}
return auditList;
}
Also used :
FinderException(org.apache.directory.fortress.core.FinderException)
CursorException(org.apache.directory.api.ldap.model.cursor.CursorException)
AuthZ(org.apache.directory.fortress.core.model.AuthZ)
ArrayList(java.util.ArrayList)
SearchCursor(org.apache.directory.api.ldap.model.cursor.SearchCursor)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapConnection(org.apache.directory.ldap.client.api.LdapConnection)
Example 4 with AuthZ
use of org.apache.directory.fortress.core.model.AuthZ in project directory-fortress-core by apache.
the class AuditMgrRestImpl method getUserAuthZs.
/**
* {@inheritDoc}
*/
@Override
public List<AuthZ> getUserAuthZs(UserAudit uAudit) throws SecurityException {
VUtil.assertNotNull(uAudit, GlobalErrIds.AUDT_INPUT_NULL, CLS_NM + ".getUserAuthZs");
List<AuthZ> outRecords;
FortRequest request = new FortRequest();
request.setContextId(this.contextId);
request.setEntity(uAudit);
if (this.adminSess != null) {
request.setSession(adminSess);
}
String szRequest = RestUtils.marshal(request);
String szResponse = RestUtils.getInstance().post(szRequest, HttpIds.AUDIT_UAUTHZS);
FortResponse response = RestUtils.unmarshall(szResponse);
if (response.getErrorCode() == 0) {
outRecords = response.getEntities();
// do not return a null list to the caller:
if (outRecords == null) {
outRecords = new ArrayList<>();
}
} else {
throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
}
return outRecords;
}
Also used :
AuthZ(org.apache.directory.fortress.core.model.AuthZ)
FortResponse(org.apache.directory.fortress.core.model.FortResponse)
SecurityException(org.apache.directory.fortress.core.SecurityException)
FortRequest(org.apache.directory.fortress.core.model.FortRequest)
Example 5 with AuthZ
use of org.apache.directory.fortress.core.model.AuthZ in project directory-fortress-core by apache.
the class AuditMgrRestImpl method searchAuthZs.
/**
* {@inheritDoc}
*/
@Override
public List<AuthZ> searchAuthZs(UserAudit uAudit) throws SecurityException {
VUtil.assertNotNull(uAudit, GlobalErrIds.AUDT_INPUT_NULL, CLS_NM + ".searchAuthZs");
List<AuthZ> outRecords;
FortRequest request = new FortRequest();
request.setContextId(this.contextId);
request.setEntity(uAudit);
if (this.adminSess != null) {
request.setSession(adminSess);
}
String szRequest = RestUtils.marshal(request);
String szResponse = RestUtils.getInstance().post(szRequest, HttpIds.AUDIT_AUTHZS);
FortResponse response = RestUtils.unmarshall(szResponse);
if (response.getErrorCode() == 0) {
outRecords = response.getEntities();
// do not return a null list to the caller:
if (outRecords == null) {
outRecords = new ArrayList<>();
}
} else {
throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
}
return outRecords;
}
Also used :
AuthZ(org.apache.directory.fortress.core.model.AuthZ)
FortResponse(org.apache.directory.fortress.core.model.FortResponse)
SecurityException(org.apache.directory.fortress.core.SecurityException)
FortRequest(org.apache.directory.fortress.core.model.FortRequest)
Aggregations
AuthZ (org.apache.directory.fortress.core.model.AuthZ)17
UserAudit (org.apache.directory.fortress.core.model.UserAudit)7
SecurityException (org.apache.directory.fortress.core.SecurityException)6
Date (java.util.Date)4
ArrayList (java.util.ArrayList)3
CursorException (org.apache.directory.api.ldap.model.cursor.CursorException)3
SearchCursor (org.apache.directory.api.ldap.model.cursor.SearchCursor)3
LdapException (org.apache.directory.api.ldap.model.exception.LdapException)3
AuditMgr (org.apache.directory.fortress.core.AuditMgr)3
FinderException (org.apache.directory.fortress.core.FinderException)3
FortRequest (org.apache.directory.fortress.core.model.FortRequest)3
FortResponse (org.apache.directory.fortress.core.model.FortResponse)3
LdapConnection (org.apache.directory.ldap.client.api.LdapConnection)3
ParseException (java.text.ParseException)2
SimpleDateFormat (java.text.SimpleDateFormat)2
User (org.apache.directory.fortress.core.model.User)2
LdapInvalidDnException (org.apache.directory.api.ldap.model.exception.LdapInvalidDnException)1
ObjectFactory (org.apache.directory.fortress.core.model.ObjectFactory)1
Permission (org.apache.directory.fortress.core.model.Permission)1
