use of org.apache.directory.fortress.core.model.Permission in project directory-fortress-core by apache.
the class PermDAO method findPermissionOperations.
List<Permission> findPermissionOperations(PermObj permObj) throws FinderException {
List<Permission> permList = new ArrayList<>();
LdapConnection ld = null;
String permRoot = getRootDn(permObj.isAdmin(), permObj.getContextId());
try {
String permObjVal = encodeSafeText(permObj.getObjName(), GlobalIds.PERM_LEN);
StringBuilder filterbuf = new StringBuilder();
filterbuf.append(GlobalIds.FILTER_PREFIX);
filterbuf.append(PERM_OP_OBJECT_CLASS_NAME);
filterbuf.append(")(");
filterbuf.append(GlobalIds.POBJ_NAME);
filterbuf.append("=");
filterbuf.append(permObjVal);
filterbuf.append("))");
ld = getAdminConnection();
SearchCursor searchResults = search(ld, permRoot, SearchScope.SUBTREE, filterbuf.toString(), PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
permList.add(unloadPopLdapEntry(searchResults.getEntry(), sequence++, permObj.isAdmin()));
}
} catch (LdapException e) {
String error = "findPermissions caught LdapException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "findPermissions caught CursorException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} finally {
closeAdminConnection(ld);
}
return permList;
}
use of org.apache.directory.fortress.core.model.Permission in project directory-fortress-core by apache.
the class PermDAO method findAnyPermissions.
/**
* Uses substring filters to allow any permission matching the passed in obj and op names.
*
* @param permission
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<Permission> findAnyPermissions(Permission permission) throws FinderException {
List<Permission> permList = new ArrayList<>();
LdapConnection ld = null;
String permRoot = getRootDn(permission.isAdmin(), permission.getContextId());
try {
String permObjVal = encodeSafeText(permission.getObjName(), GlobalIds.PERM_LEN);
String permOpVal = encodeSafeText(permission.getOpName(), GlobalIds.PERM_LEN);
StringBuilder filterbuf = new StringBuilder();
filterbuf.append(GlobalIds.FILTER_PREFIX);
filterbuf.append(PERM_OP_OBJECT_CLASS_NAME);
filterbuf.append(")(|");
if (permObjVal != null && permObjVal != "") {
filterbuf.append("(");
filterbuf.append(GlobalIds.POBJ_NAME);
filterbuf.append("=*");
filterbuf.append(permObjVal);
filterbuf.append("*)");
}
if (permOpVal != null && permOpVal != "") {
filterbuf.append("(");
filterbuf.append(GlobalIds.POP_NAME);
filterbuf.append("=*");
filterbuf.append(permOpVal);
filterbuf.append("*)");
}
filterbuf.append("))");
ld = getAdminConnection();
SearchCursor searchResults = search(ld, permRoot, SearchScope.SUBTREE, filterbuf.toString(), PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
permList.add(unloadPopLdapEntry(searchResults.getEntry(), sequence++, permission.isAdmin()));
}
} catch (LdapException e) {
String error = "findAnyPermissions caught LdapException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "findAnyPermissions caught CursorException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} finally {
closeAdminConnection(ld);
}
return permList;
}
use of org.apache.directory.fortress.core.model.Permission in project directory-fortress-core by apache.
the class PermDAO method findPermissions.
/**
* @param permission
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
List<Permission> findPermissions(Permission permission) throws FinderException {
List<Permission> permList = new ArrayList<>();
LdapConnection ld = null;
String permRoot = getRootDn(permission.isAdmin(), permission.getContextId());
try {
String permObjVal = encodeSafeText(permission.getObjName(), GlobalIds.PERM_LEN);
String permOpVal = encodeSafeText(permission.getOpName(), GlobalIds.PERM_LEN);
StringBuilder filterbuf = new StringBuilder();
filterbuf.append(GlobalIds.FILTER_PREFIX);
filterbuf.append(PERM_OP_OBJECT_CLASS_NAME);
filterbuf.append(")(");
filterbuf.append(GlobalIds.POBJ_NAME);
filterbuf.append("=");
filterbuf.append(permObjVal);
filterbuf.append("*)(");
filterbuf.append(GlobalIds.POP_NAME);
filterbuf.append("=");
filterbuf.append(permOpVal);
filterbuf.append("*))");
ld = getAdminConnection();
SearchCursor searchResults = search(ld, permRoot, SearchScope.SUBTREE, filterbuf.toString(), PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
long sequence = 0;
while (searchResults.next()) {
permList.add(unloadPopLdapEntry(searchResults.getEntry(), sequence++, permission.isAdmin()));
}
} catch (LdapException e) {
String error = "findPermissions caught LdapException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} catch (CursorException e) {
String error = "findPermissions caught CursorException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
} finally {
closeAdminConnection(ld);
}
return permList;
}
use of org.apache.directory.fortress.core.model.Permission in project directory-fortress-core by apache.
the class PermDAO method checkPermission.
/**
* This method performs fortress authorization using data passed in (session) and stored on ldap server (permission). It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
* It performs ldap operations: read and (optionally) compare. The first is to pull back the permission to see if user has access or not. The second is to trigger audit
* record storage on ldap server but can be disabled.
*
* @param session contains {@link Session#getUserId()}, for impl check {@link org.apache.directory.fortress.core.model.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.model.Session#getAdminRoles()}.
* @param inPerm must contain required attributes {@link Permission#objName} and {@link Permission#opName}. {@link org.apache.directory.fortress.core.model.Permission#objId} is optional.
* @return boolean containing result of check.
* @throws org.apache.directory.fortress.core.FinderException
* In the event system error occurs looking up data on ldap server.
*/
boolean checkPermission(Session session, Permission inPerm) throws FinderException {
boolean isAuthZd = false;
LdapConnection ld = null;
String dn = getOpRdn(inPerm.getOpName(), inPerm.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + inPerm.getObjName() + "," + getRootDn(inPerm.isAdmin(), inPerm.getContextId());
try {
ld = getAdminConnection();
// LDAP Operation #1: Read the targeted permission from ldap server
Entry entry = read(ld, dn, PERMISSION_OP_ATRS);
if (entry == null) {
// if permission not found, cannot continue.
String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
throw new FinderException(GlobalErrIds.PERM_NOT_EXIST, error);
}
// load the permission entity with data retrieved from the permission node:
Permission outPerm = unloadPopLdapEntry(entry, 0, inPerm.isAdmin());
// The admin flag will be set to 'true' if this is an administrative permission:
outPerm.setAdmin(inPerm.isAdmin());
// Pass the tenant id along:
outPerm.setContextId(inPerm.getContextId());
// The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a write to slapd access logger containing the result.
// The objectClass triggered by slapd access log write for upcoming ldap op is 'auditCompare'.
// Set this attribute either with actual operation name that will succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
String attributeValue;
// This method determines if the user is authorized for this permission:
isAuthZd = isAuthorized(session, outPerm);
// This is done to leave an audit trail in ldap server log:
if (isAuthZd) {
// Yes, set the operation name onto this attribute for storage into audit trail:
attributeValue = outPerm.getOpName();
} else {
// Changing this attribute value forces the compare to fail. This facilitates tracking of authorization failures events in the slapd access log (by searching for compare failures).
attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR;
}
// LDAP Operation #2: Compare.
if (!session.isGroupSession()) {
addAuthZAudit(ld, dn, session.getUser().getDn(), attributeValue);
}
} catch (LdapException e) {
if (!(e instanceof LdapNoSuchObjectException)) {
String error = "checkPermission caught LdapException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_READ_OP_FAILED, error, e);
}
// There is a switch in fortress config to disable the audit ops.
if (!session.isGroupSession()) {
addAuthZAudit(ld, dn, session.getUser().getDn(), "AuthZ Invalid");
}
} finally {
closeAdminConnection(ld);
}
return isAuthZd;
}
use of org.apache.directory.fortress.core.model.Permission in project directory-fortress-core by apache.
the class PermDAO method getPerm.
/**
* @param permission
* @return
* @throws org.apache.directory.fortress.core.FinderException
*/
Permission getPerm(Permission permission) throws FinderException {
Permission entity = null;
LdapConnection ld = null;
String dn = getOpRdn(permission.getOpName(), permission.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + permission.getObjName() + "," + getRootDn(permission.isAdmin(), permission.getContextId());
try {
ld = getAdminConnection();
Entry findEntry = read(ld, dn, PERMISSION_OP_ATRS);
if (findEntry == null) {
String warning = "getPerm no entry found dn [" + dn + "]";
throw new FinderException(GlobalErrIds.PERM_OP_NOT_FOUND, warning);
}
entity = unloadPopLdapEntry(findEntry, 0, permission.isAdmin());
} catch (LdapNoSuchObjectException e) {
String warning = "getPerm Op COULD NOT FIND ENTRY for dn [" + dn + "]";
throw new FinderException(GlobalErrIds.PERM_OP_NOT_FOUND, warning);
} catch (LdapException e) {
String error = "getUser [" + dn + "] caught LdapException=" + e.getMessage();
throw new FinderException(GlobalErrIds.PERM_READ_OP_FAILED, error, e);
} finally {
closeAdminConnection(ld);
}
return entity;
}
Aggregations