
Example 11 with Role

use of org.apache.directory.fortress.core.model.Role in project directory-fortress-core by apache.

the class FortressAntTask method deletePermGrants.

/**
 * Revokes every permission grant declared under the {@code delpermGrant} elements of the Ant XML.
 * <p>
 * Each {@link PermGrant} is turned into a {@link Permission} (objName, opName, admin flag and
 * optional objId) and revoked from the named {@link Role} when {@code roleNm} is set, otherwise
 * from the named {@link User} when {@code userId} is set.  A grant that names neither is skipped
 * with a warning.  A {@link SecurityException} raised by the revoke is logged at WARN and the loop
 * moves on to the next grant, so one failed revocation neither stops the task nor fails the build.
 *
 * @throws BuildException An error occurred while building
 */
private void deletePermGrants() throws BuildException {
    if (delpermGrants == null) {
        return;
    }
    for (DelpermGrant grantGroup : delpermGrants) {
        for (PermGrant grant : grantGroup.getPermGrants()) {
            String roleNm = grant.getRoleNm();
            String userId = grant.getUserId();
            try {
                Permission perm = new Permission(grant.getObjName(), grant.getOpName(), grant.isAdmin());
                perm.setOpName(grant.getOpName());
                perm.setObjId(grant.getObjId());
                boolean targetsRole = roleNm != null && !roleNm.isEmpty();
                boolean targetsUser = userId != null && !userId.isEmpty();
                if (targetsRole) {
                    // Role takes precedence when both roleNm and userId are present.
                    LOG.info("deletePermGrants tenant={} roleName={} objName={} opName={} objId={}", getTenant(), roleNm, grant.getObjName(), grant.getOpName(), grant.getObjId());
                    adminMgr.revokePermission(perm, new Role(roleNm));
                } else if (targetsUser) {
                    LOG.info("deletePermGrants tenant={} userId={} objName={} opName={} objId={}", getTenant(), userId, grant.getObjName(), grant.getOpName(), grant.getObjId());
                    adminMgr.revokePermission(perm, new User(userId));
                } else {
                    // Nothing to revoke from; the grant is skipped, not treated as an error.
                    LOG.warn("deletePermGrants called without user or role set in xml");
                }
            } catch (SecurityException se) {
                // Best-effort: log and continue with the remaining grants.
                LOG.warn("deletePermGrants tenant={} roleName={} objName={} opName={} objId={} caught SecurityException={}", getTenant(), roleNm, grant.getObjName(), grant.getOpName(), grant.getObjId(), se);
            }
        }
    }
}

Example 12 with Role

use of org.apache.directory.fortress.core.model.Role in project directory-fortress-core by apache.

the class FortressAntTask method addPermGrants.

/**
 * Grants every permission declared under the {@code addpermGrant} elements of the Ant XML.
 * <p>
 * Each {@link PermGrant} is turned into a {@link Permission} (objName, opName, admin flag and
 * optional objId) and granted to the named {@link Role} when {@code roleNm} is set, otherwise to
 * the named {@link User} when {@code userId} is set.  A grant that names neither is skipped with a
 * warning.  A {@link SecurityException} raised by the grant is logged at WARN and the loop moves
 * on to the next grant, so one failed grant neither stops the task nor fails the build.
 *
 * @throws BuildException An error occurred while building
 */
private void addPermGrants() throws BuildException {
    if (addpermGrants == null) {
        return;
    }
    for (AddpermGrant grantGroup : addpermGrants) {
        for (PermGrant grant : grantGroup.getPermGrants()) {
            String roleNm = grant.getRoleNm();
            String userId = grant.getUserId();
            try {
                Permission perm = new Permission(grant.getObjName(), grant.getOpName(), grant.isAdmin());
                perm.setOpName(grant.getOpName());
                perm.setObjId(grant.getObjId());
                boolean targetsRole = roleNm != null && !roleNm.isEmpty();
                boolean targetsUser = userId != null && !userId.isEmpty();
                if (targetsRole) {
                    // Role takes precedence when both roleNm and userId are present.
                    LOG.info("addPermGrants tenant={} roleName={} objName={} opName={} objId={}", getTenant(), roleNm, grant.getObjName(), grant.getOpName(), grant.getObjId());
                    adminMgr.grantPermission(perm, new Role(roleNm));
                } else if (targetsUser) {
                    LOG.info("addPermGrants tenant={} userId={} objName={} opName={} objId={}", getTenant(), userId, grant.getObjName(), grant.getOpName(), grant.getObjId());
                    adminMgr.grantPermission(perm, new User(userId));
                } else {
                    // No grantee named; the grant is skipped, not treated as an error.
                    LOG.warn("addPermGrants called without user or role set in xml");
                }
            } catch (SecurityException se) {
                // Best-effort: log and continue with the remaining grants.
                LOG.warn("addPermGrants tenant={} roleName={} objName={} opName={} objId={} caught SecurityException={}", getTenant(), roleNm, grant.getObjName(), grant.getOpName(), grant.getObjId(), se);
            }
        }
    }
}

Example 13 with Role

use of org.apache.directory.fortress.core.model.Role in project directory-fortress-core by apache.

the class SdP method validate.

/**
 * Sanity-checks an SDSet before it is inserted into or updated in the directory: the name must
 * pass the safe-text/length check, the description (when present) must pass the reasonability
 * check, and every role listed in {@code members} must resolve to an existing RBAC Role within
 * the entity's context.  The {@code GlobalIds.NONE} placeholder, which is left behind when the
 * last member is removed, is exempt from the existence check.
 *
 * @param entity SDSet whose name, description and member roles are validated.
 * @throws SecurityException if a value fails validation or a member role cannot be read.
 */
private void validate(SDSet entity) throws SecurityException {
    // TODO: Add more validations here:
    VUtil.safeText(entity.getName(), GlobalIds.OU_LEN);
    String description = entity.getDescription();
    if (StringUtils.isNotEmpty(description)) {
        VUtil.description(description);
    }
    Set<String> memberNames = entity.getMembers();
    if (memberNames == null) {
        return;
    }
    RoleP roleReader = new RoleP();
    for (String memberName : memberNames) {
        // The NONE placeholder is not a real role, so no lookup is made for it.
        if (memberName.equalsIgnoreCase(GlobalIds.NONE)) {
            continue;
        }
        // Reading the role in the entity's context verifies that it exists there.
        Role member = new Role(memberName);
        member.setContextId(entity.getContextId());
        roleReader.read(member);
    }
}

Example 14 with Role

use of org.apache.directory.fortress.core.model.Role in project directory-fortress-core by apache.

the class UserP method validate.

/**
 * Method will perform various validations to ensure the integrity of the User entity targeted for insertion
 * or updating in directory.  For example the ou attribute will be "read" from the OrgUnit dataset to ensure
 * that it is valid.  Data reasonability checks will be performed on all non-null attributes.
 * This method will also copy the source constraints to target entity iff the target input entity does not have set
 * prior to calling.
 * <p>
 * The checks run in a fixed sequence and the first failure wins: the {@link ValidationException}
 * reported to the caller is the one for the earliest check that rejects the entity, so the order
 * below is part of the observable behaviour.  On add, userId and ou are mandatory; on update every
 * attribute is optional and is validated only when supplied.  Password is only length/safe-text
 * checked at this layer.  Each referenced OrgUnit, PwPolicy, Role and AdminRole is resolved in the
 * entity's contextId, so a name that exists in another tenant does not validate here.
 *
 * @param entity   User entity contains data targeted for insertion or update.  The input role constraints will be accepted.
 * @param isUpdate if true update operation is being performed which specifies a different set of targeted attributes.
 * @throws SecurityException in the event of data validation error or DAO error on Org validation.
 */
private void validate(User entity, boolean isUpdate) throws SecurityException {
    if (!isUpdate) {
        // the UserId attribute is required on User:
        VUtil.userId(entity.getUserId());
        // the cn attribute is optional as input.  entity will default to userId if cn not set by caller on add:
        if (StringUtils.isNotEmpty(entity.getCn())) {
            VUtil.safeText(entity.getCn(), GlobalIds.CN_LEN);
        }
        // the sn attribute is optional as input.  entity will default to userId if sn not set by caller on add:
        if (StringUtils.isNotEmpty(entity.getSn())) {
            VUtil.safeText(entity.getSn(), GlobalIds.SN_LEN);
        }
        // password is not required on user object but user cannot execute AccessMgr or DelAccessMgr methods w/out pw.
        // Only a safe-text/length check is applied here; policy conformance is not evaluated by this method.
        if (StringUtils.isNotEmpty(entity.getPassword())) {
            VUtil.safeText(entity.getPassword(), GlobalIds.PASSWORD_LEN);
        }
        // the OU attribute is required:
        if (StringUtils.isEmpty(entity.getOu())) {
            String error = "OU validation failed, null or empty value";
            throw new ValidationException(GlobalErrIds.ORG_NULL_USER, error);
        }
        VUtil.orgUnit(entity.getOu());
        // ensure ou exists in the OS-U pool:
        // The lookup is scoped to the entity's contextId (tenant).
        OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
        ou.setContextId(entity.getContextId());
        if (!orgUnitP.isValid(ou)) {
            String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] adding user with userId [" + entity.getUserId() + "]";
            throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
        }
        // description attribute is optional:
        if (StringUtils.isNotEmpty(entity.getDescription())) {
            VUtil.description(entity.getDescription());
        }
    } else {
        // on User update, all attributes are optional:
        if (StringUtils.isNotEmpty(entity.getCn())) {
            VUtil.safeText(entity.getCn(), GlobalIds.CN_LEN);
        }
        if (StringUtils.isNotEmpty(entity.getSn())) {
            VUtil.safeText(entity.getSn(), GlobalIds.SN_LEN);
        }
        if (StringUtils.isNotEmpty(entity.getPassword())) {
            VUtil.safeText(entity.getPassword(), GlobalIds.PASSWORD_LEN);
        }
        // an ou is only re-validated when the update actually carries one:
        if (StringUtils.isNotEmpty(entity.getOu())) {
            VUtil.orgUnit(entity.getOu());
            // ensure ou exists in the OS-U pool:
            OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
            ou.setContextId(entity.getContextId());
            if (!orgUnitP.isValid(ou)) {
                // NOTE(review): "wth" is a typo in this runtime message; left as-is here.
                String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] updating user wth userId [" + entity.getUserId() + "]";
                throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
            }
        }
        if (StringUtils.isNotEmpty(entity.getDescription())) {
            VUtil.description(entity.getDescription());
        }
    }
    // 1 OpenLDAP password policy name must be valid if set:
    // Existence is checked in the entity's contextId; the policy's content is not inspected here.
    if (StringUtils.isNotEmpty(entity.getPwPolicy())) {
        PwPolicy policy = new PwPolicy(entity.getPwPolicy());
        policy.setContextId(entity.getContextId());
        if (!policyP.isValid(policy)) {
            String error = "validate detected invalid OpenLDAP policy name [" + entity.getPwPolicy() + "] for userId [" + entity.getUserId() + "]. Assignment is optional for User but must be valid if specified.";
            throw new ValidationException(GlobalErrIds.USER_PW_PLCY_INVALID, error);
        }
    }
    // 2 Validate constraints on User object:
    ConstraintUtil.validate(entity);
    // 3 Validate or copy constraints on RBAC roles:
    // Each assigned role is read back from the directory, so an unknown role name is rejected
    // by the read rather than silently assigned; the stored role's constraints are then either
    // validated against, or copied onto, the UserRole when the caller left them unset.
    if (CollectionUtils.isNotEmpty(entity.getRoles())) {
        RoleP rp = new RoleP();
        List<UserRole> roles = entity.getRoles();
        for (UserRole ure : roles) {
            Role inRole = new Role(ure.getName());
            inRole.setContextId(entity.getContextId());
            Role role = rp.read(inRole);
            ConstraintUtil.validateOrCopy(role, ure);
        }
    }
    // 4 Validate and copy constraints on Administrative roles:
    // Same pattern as RBAC roles, plus the ARBAC attributes are copied onto the assignment.
    if (CollectionUtils.isNotEmpty(entity.getAdminRoles())) {
        List<UserAdminRole> uRoles = entity.getAdminRoles();
        for (UserAdminRole uare : uRoles) {
            AdminRole inRole = new AdminRole(uare.getName());
            inRole.setContextId(entity.getContextId());
            AdminRole outRole = admRoleP.read(inRole);
            ConstraintUtil.validateOrCopy(outRole, uare);
            // copy the ARBAC AdminRole attributes to UserAdminRole:
            copyAdminAttrs(outRole, uare);
        }
    }
}

Example 15 with Role

use of org.apache.directory.fortress.core.model.Role in project directory-fortress-core by apache.

the class ReviewMgrImpl method assignedUsers.

/**
 * {@inheritDoc}
 * <p>
 * The ARBAC authorization check ({@code checkAccess}) runs before any directory read.  When
 * {@code Config.isRoleOccupant()} is enabled the userIds are taken from the role entry's own
 * occupant attribute and truncated to {@code limit}; otherwise they are searched from the
 * people tree via {@code userP.getAssignedUserIds}, and {@code limit} is not applied on that
 * path.  A negative {@code limit} is not guarded on the occupant path (subList would reject it).
 * Never returns {@code null}; an empty list is returned when no user holds the role.
 */
@Override
@AdminPermissionOperation
public List<String> assignedUsers(Role role, int limit) throws SecurityException {
    final String methodName = "assignedUsers";
    assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
    checkAccess(CLS_NM, methodName);
    List<String> userIds;
    if (!Config.getInstance().isRoleOccupant()) {
        // Search the people tree for every user assigned this role.
        userIds = userP.getAssignedUserIds(role);
    } else {
        // Occupants are stored on the role entry itself; cap the result at limit.
        List<String> occupants = roleP.read(role).getOccupants();
        userIds = (occupants != null && occupants.size() > limit) ? occupants.subList(0, limit) : occupants;
    }
    return userIds != null ? userIds : new ArrayList<>();
}
