Example 56 with SDSet
use of org.apache.directory.fortress.core.model.SDSet in project directory-fortress-core by apache.
the class AdminMgrImpl method addDsdRoleMember.
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public SDSet addDsdRoleMember(SDSet dsdSet, Role role) throws SecurityException {
String methodName = "addDsdRoleMember";
assertContext(CLS_NM, methodName, dsdSet, GlobalErrIds.DSD_NULL);
assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
setEntitySession(CLS_NM, methodName, dsdSet);
SDSet entity = sdP.read(dsdSet);
entity.setContextId(this.contextId);
entity.addMember(role.getName());
setAdminData(CLS_NM, methodName, entity);
SDSet dsdOut = sdP.update(entity);
// remove any references to the old DSD from cache:
clearDSDCache(dsdSet);
return dsdOut;
}
Also used :
SDSet(org.apache.directory.fortress.core.model.SDSet)
AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)
Example 57 with SDSet
use of org.apache.directory.fortress.core.model.SDSet in project directory-fortress-core by apache.
the class ReviewMgrImpl method ssdRoleSetRoles.
/**
* {@inheritDoc}
*/
@Override
@AdminPermissionOperation
public Set<String> ssdRoleSetRoles(SDSet ssd) throws SecurityException {
String methodName = "ssdRoleSetRoles";
assertContext(CLS_NM, methodName, ssd, GlobalErrIds.SSD_NULL);
checkAccess(CLS_NM, methodName);
ssd.setType(SDSet.SDType.STATIC);
SDSet se = ssdP.read(ssd);
return se.getMembers();
}
Also used :
SDSet(org.apache.directory.fortress.core.model.SDSet)
AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)
Example 58 with SDSet
use of org.apache.directory.fortress.core.model.SDSet in project directory-fortress-core by apache.
the class DSDChecker method validate.
/**
* This method is called during entity activation, {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints.
*
* @param session contains list of RBAC roles {@link org.apache.directory.fortress.core.model.UserRole} targeted for activation.
* @param constraint required for Validator interface, not used here..
* @param time required for Validator interface, not used here.
* @param type required by interface, not used here.
* @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD} if failed.
*/
@Override
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) throws org.apache.directory.fortress.core.SecurityException {
int rc = 0;
int matchCount;
// get all candidate activated roles user:
List<UserRole> activeRoleList = session.getRoles();
if (activeRoleList == null || activeRoleList.size() == 0) {
return rc;
}
// Depending on if session is group or user session, fill objects
String contextId = session.isGroupSession() ? session.getGroup().getContextId() : session.getUser().getContextId();
String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
String entityType = session.isGroupSession() ? "groupName" : "userId";
// get the list of authorized roles for this user/group:
Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles(activeRoleList, contextId);
// only need to check DSD constraints if more than one role is being activated:
if (authorizedRoleSet != null && authorizedRoleSet.size() > 1) {
// get all DSD sets that contain the candidate activated and authorized roles,
// If DSD cache is disabled, this will search the directory using authorizedRoleSet
Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache(authorizedRoleSet, contextId);
if (dsdSets != null && dsdSets.size() > 0) {
for (SDSet dsd : dsdSets) {
Iterator<UserRole> activatedRoles = activeRoleList.iterator();
matchCount = 0;
Set<String> map = dsd.getMembers();
// now check the DSD on every role activation candidate contained within session object:
while (activatedRoles.hasNext()) {
UserRole activatedRole = activatedRoles.next();
if (map.contains(activatedRole.getName())) {
matchCount++;
if (matchCount >= dsd.getCardinality()) {
activatedRoles.remove();
String warning = "validate " + entityType + " [" + entityId + "] failed activation of assignedRole [" + activatedRole.getName() + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
LOG.warn(warning);
rc = GlobalErrIds.ACTV_FAILED_DSD;
session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
}
} else {
Set<String> parentSet = RoleUtil.getInstance().getAscendants(activatedRole.getName(), contextId);
// now check for every role inherited from this activated role:
for (String parentRole : parentSet) {
if (map.contains(parentRole)) {
matchCount++;
if (matchCount >= dsd.getCardinality()) {
String warning = "validate " + entityType + " [" + entityId + "] assignedRole [" + activatedRole.getName() + "] parentRole [" + parentRole + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
rc = GlobalErrIds.ACTV_FAILED_DSD;
// remove the assigned role from session (not the authorized role):
activatedRoles.remove();
session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
LOG.warn(warning);
// Breaking out of the loop because assigned role has been removed from session.
break;
}
}
}
}
}
}
}
}
return rc;
}
Also used :
SDSet(org.apache.directory.fortress.core.model.SDSet)
ObjectFactory(org.apache.directory.fortress.core.model.ObjectFactory)
UserRole(org.apache.directory.fortress.core.model.UserRole)
Constraint(org.apache.directory.fortress.core.model.Constraint)
Aggregations
SDSet (org.apache.directory.fortress.core.model.SDSet)58
SecurityException (org.apache.directory.fortress.core.SecurityException)37
FortRequest (org.apache.directory.fortress.core.model.FortRequest)20
FortResponse (org.apache.directory.fortress.core.model.FortResponse)20
AdminMgr (org.apache.directory.fortress.core.AdminMgr)12
UserRole (org.apache.directory.fortress.core.model.UserRole)12
AdminPermissionOperation (org.apache.directory.fortress.annotation.AdminPermissionOperation)8
ReviewMgr (org.apache.directory.fortress.core.ReviewMgr)8
Role (org.apache.directory.fortress.core.model.Role)7
User (org.apache.directory.fortress.core.model.User)5
LdapException (org.apache.directory.api.ldap.model.exception.LdapException)4
FinderException (org.apache.directory.fortress.core.FinderException)4
RoleConstraint (org.apache.directory.fortress.core.model.RoleConstraint)4
LdapConnection (org.apache.directory.ldap.client.api.LdapConnection)4
CursorException (org.apache.directory.api.ldap.model.cursor.CursorException)3
SearchCursor (org.apache.directory.api.ldap.model.cursor.SearchCursor)3
Constraint (org.apache.directory.fortress.core.model.Constraint)3
ArrayList (java.util.ArrayList)2
HashSet (java.util.HashSet)2
AccessMgr (org.apache.directory.fortress.core.AccessMgr)2
