use of org.apache.directory.fortress.core.model.UserAdminRole in project directory-fortress-core by apache.
Class DelAccessMgrImpl, method checkUserRole.
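/**
 * ARBAC02 URA ("can assign" / "can deassign") helper: decides whether any administrative role
 * activated in {@code session} gives authority over assigning {@code role} to {@code user}.
 * <p>
 * Authority is granted when, for at least one activated admin role, either
 * <ul>
 *   <li>the admin role is {@code SUPER_ADMIN} (name compared case-insensitively), or</li>
 *   <li>the target user's OU is a member of the admin role's OS-U set (or a descendant of a
 *       member, per {@code UsoUtil.getDescendants}) AND the target role lies within the admin
 *       role's role range.</li>
 * </ul>
 * The role range is derived from beginRange/endRange: when both are set and differ, it is the set
 * of ascendants of beginRange up to endRange ({@code isEndInclusive()} is passed to
 * {@code RoleUtil.getAscendants}; beginRange itself is added only if {@code isBeginInclusive()}).
 * Otherwise a non-null beginRange alone is the range and must equal the role name
 * (case-insensitive).
 * <p>
 * Fails closed: any path that does not positively match yields {@code false}. A target user with
 * no OU cannot be in any OS-U scope and is treated as a plain deny rather than an exception.
 *
 * @param session caller's session; its activated admin roles are the only source of authority.
 * @param user    target user of the assignment; re-read from the directory to obtain its OU.
 * @param role    target role of the assignment.
 * @return {@code true} if at least one activated admin role authorizes the operation.
 * @throws SecurityException if the target user cannot be read (e.g. does not exist).
 */
private boolean checkUserRole(Session session, User user, Role role) throws SecurityException {
    List<UserAdminRole> uaRoles = session.getAdminRoles();
    if (CollectionUtils.isEmpty(uaRoles)) {
        // No administrative role activated -> no authority.
        return false;
    }
    // Validate the target user exists and obtain its OU. Done before the loop (as the original
    // did) so a non-existent target fails even for SUPER_ADMIN, and because the OU is
    // loop-invariant.
    User ue = userP.read(user, false);
    String userOu = ue.getOu();
    for (UserAdminRole uaRole : uaRoles) {
        if (uaRole.getName().equalsIgnoreCase(SUPER_ADMIN)) {
            // SUPER_ADMIN bypasses the OS-U and role-range checks entirely.
            return true;
        }
        Set<String> osUs = uaRole.getOsUSet();
        if (CollectionUtils.isEmpty(osUs)) {
            // Admin role with no user-OU scope cannot govern any user.
            continue;
        }
        // OS-U set plus the descendants of each member; case-insensitive so that OU spelling
        // differences in the directory do not cause spurious denials.
        Set<String> osUsFinal = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String osU : osUs) {
            osUsFinal.add(osU);
            osUsFinal.addAll(UsoUtil.getInstance().getDescendants(osU, this.contextId));
        }
        // Explicit null guard: TreeSet.contains(null) on a comparator-ordered set throws
        // NullPointerException out of String.CASE_INSENSITIVE_ORDER instead of denying.
        if (userOu == null || !osUsFinal.contains(userOu)) {
            continue;
        }
        String beginRange = uaRole.getBeginRange();
        String endRange = uaRole.getEndRange();
        if (beginRange != null && endRange != null && !beginRange.equalsIgnoreCase(endRange)) {
            // Proper range: ascendants of beginRange up to endRange. End inclusion is decided
            // inside getAscendants; begin inclusion is applied here.
            Set<String> range = RoleUtil.getInstance().getAscendants(beginRange, endRange, uaRole.isEndInclusive(), this.contextId);
            if (uaRole.isBeginInclusive()) {
                range.add(beginRange);
            }
            // NOTE(review): membership here uses whatever Set getAscendants returns; if that is a
            // plain HashSet the role-name match is case-sensitive, unlike every other comparison
            // in this method — confirm against RoleUtil before relying on mixed-case role names.
            if (CollectionUtils.isNotEmpty(range) && range.contains(role.getName())) {
                return true;
            }
        } else if (beginRange != null && beginRange.equalsIgnoreCase(role.getName())) {
            // Degenerate range (only beginRange set, or begin == end): that single role is the
            // range. NOTE(review): isBeginInclusive() is not consulted on this branch — confirm
            // that an exclusive single-role range is meant to grant authority.
            return true;
        }
    }
    return false;
}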
use of org.apache.directory.fortress.core.model.UserAdminRole in project directory-fortress-core by apache.
Class DelAccessMgrImpl, method addActiveRole.
/**
 * {@inheritDoc}
 * <p>
 * Order of checks: argument presence, "already active" (against the session's current admin
 * roles), "assigned to this user" (against the user entry re-read from the directory), then
 * dynamic separation of duty. The object placed into the session is the directory's copy of the
 * assignment ({@code assignedRoles.get(idx)}), not the caller-supplied {@code role}, so the
 * activated OS-U/OS-P sets, range and constraints cannot be influenced by the caller's object.
 * <p>
 * Side effect on the argument: {@code role.setUserId(session.getUserId())} is applied so that
 * the equals()-based {@code contains}/{@code indexOf} lookups match on the session's user.
 * <p>
 * NOTE(review): no temporal-constraint validation of the admin role is visible on this path;
 * confirm it is enforced elsewhere (e.g. at session creation or at decision time).
 *
 * @param session active session that receives the role; must not be null.
 * @param role    administrative role to activate; must not be null.
 * @throws SecurityException ARLE_ALREADY_ACTIVE if the role is already active in the session,
 *         ARLE_ACTIVATE_FAILED if the role is not assigned to the session's user, or whatever
 *         {@code validateDSD} raises.
 */
@Override
public void addActiveRole(Session session, UserAdminRole role) throws SecurityException {
    final String methodName = "addActiveRole";
    assertContext(CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL);
    assertContext(CLS_NM, methodName, role, GlobalErrIds.ARLE_NULL);
    // Bind the requested role to the session's user so the equals()-based lookups below match.
    role.setUserId(session.getUserId());
    List<UserAdminRole> activeRoles = session.getAdminRoles();
    if (activeRoles != null && activeRoles.contains(role)) {
        String info = getFullMethodName(CLS_NM, methodName) + " User [" + session.getUserId() + "] Role [" + role.getName() + "] role already activated.";
        throw new SecurityException(GlobalErrIds.ARLE_ALREADY_ACTIVE, info);
    }
    // The authoritative assignment list comes from the directory, not from the session or caller.
    User ue = userP.read(session.getUser(), true);
    List<UserAdminRole> assignedRoles = ue.getAdminRoles();
    int idx = CollectionUtils.isEmpty(assignedRoles) ? -1 : assignedRoles.indexOf(role);
    if (idx == -1) {
        String info = getFullMethodName(CLS_NM, methodName) + " Admin Role [" + role.getName() + "] User [" + session.getUserId() + "] adminRole not authorized for user.";
        throw new SecurityException(GlobalErrIds.ARLE_ACTIVATE_FAILED, info);
    }
    // Dynamic separation of duty: refuse if activating this role would violate a DSD constraint.
    SDUtil.getInstance().validateDSD(session, role);
    // Activate the directory's copy of the assignment, never the caller's object.
    session.setRole(assignedRoles.get(idx));
}
use of org.apache.directory.fortress.core.model.UserAdminRole in project directory-fortress-core by apache.
Class DelAccessMgrImpl, method checkRolePermission.
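/**
 * ARBAC02 PRA (permission-role assignment, "can grant" / "can revoke") helper: decides whether any
 * administrative role activated in {@code session} gives authority over granting {@code perm}
 * to {@code role}.
 * <p>
 * Authority is granted when, for at least one activated admin role, either
 * <ul>
 *   <li>the admin role is {@code SUPER_ADMIN} (name compared case-insensitively), or</li>
 *   <li>the OU of the permission's <em>object</em> (looked up via {@code permP.read}; the
 *       operation name plays no part in scoping) is a member of the admin role's OS-P set (or a
 *       descendant of a member, per {@code PsoUtil.getDescendants}) AND the target role lies
 *       within the admin role's role range.</li>
 * </ul>
 * The role range is derived from beginRange/endRange exactly as in {@code checkUserRole}: when
 * both are set and differ, it is the set of ascendants of beginRange up to endRange
 * ({@code isEndInclusive()} is passed to {@code RoleUtil.getAscendants}; beginRange itself is
 * added only if {@code isBeginInclusive()}). Otherwise a non-null beginRange alone is the range
 * and must equal the role name (case-insensitive).
 * <p>
 * Fails closed: any path that does not positively match yields {@code false}. A permission
 * object with no OU cannot be in any OS-P scope and is treated as a plain deny.
 *
 * @param session caller's session; its activated admin roles are the only source of authority.
 * @param role    target role of the grant.
 * @param perm    permission whose object name identifies the {@code PermObj} to scope on.
 * @return {@code true} if at least one activated admin role authorizes the operation.
 * @throws SecurityException if the permission object cannot be read (e.g. does not exist).
 */
private boolean checkRolePermission(Session session, Role role, Permission perm) throws SecurityException {
    List<UserAdminRole> uaRoles = session.getAdminRoles();
    if (CollectionUtils.isEmpty(uaRoles)) {
        // No administrative role activated -> no authority.
        return false;
    }
    // Validate the permission object exists and obtain its OU. Done before the loop (as the
    // original did) so a non-existent object fails even for SUPER_ADMIN; the OU is loop-invariant.
    PermObj inObj = new PermObj(perm.getObjName());
    inObj.setContextId(contextId);
    PermObj pObj = permP.read(inObj);
    String permOu = pObj.getOu();
    for (UserAdminRole uaRole : uaRoles) {
        if (uaRole.getName().equalsIgnoreCase(SUPER_ADMIN)) {
            // SUPER_ADMIN bypasses the OS-P and role-range checks entirely.
            return true;
        }
        Set<String> osPs = uaRole.getOsPSet();
        if (CollectionUtils.isEmpty(osPs)) {
            // Admin role with no permission-OU scope cannot govern any permission.
            continue;
        }
        // OS-P set plus the descendants of each member; case-insensitive so that OU spelling
        // differences in the directory do not cause spurious denials.
        Set<String> osPsFinal = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String osP : osPs) {
            osPsFinal.add(osP);
            osPsFinal.addAll(PsoUtil.getInstance().getDescendants(osP, this.contextId));
        }
        // Explicit null guard: TreeSet.contains(null) on a comparator-ordered set throws
        // NullPointerException out of String.CASE_INSENSITIVE_ORDER instead of denying.
        if (permOu == null || !osPsFinal.contains(permOu)) {
            continue;
        }
        String beginRange = uaRole.getBeginRange();
        String endRange = uaRole.getEndRange();
        if (beginRange != null && endRange != null && !beginRange.equalsIgnoreCase(endRange)) {
            // Proper range: ascendants of beginRange up to endRange. End inclusion is decided
            // inside getAscendants; begin inclusion is applied here.
            Set<String> range = RoleUtil.getInstance().getAscendants(beginRange, endRange, uaRole.isEndInclusive(), this.contextId);
            if (uaRole.isBeginInclusive()) {
                range.add(beginRange);
            }
            // NOTE(review): membership here uses whatever Set getAscendants returns; if that is a
            // plain HashSet the role-name match is case-sensitive, unlike every other comparison
            // in this method — confirm against RoleUtil before relying on mixed-case role names.
            if (CollectionUtils.isNotEmpty(range) && range.contains(role.getName())) {
                return true;
            }
        } else if (beginRange != null && beginRange.equalsIgnoreCase(role.getName())) {
            // Degenerate range (only beginRange set, or begin == end): that single role is the
            // range. NOTE(review): isBeginInclusive() is not consulted on this branch — confirm
            // that an exclusive single-role range is meant to grant authority.
            return true;
        }
    }
    return false;
}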
use of org.apache.directory.fortress.core.model.UserAdminRole in project directory-fortress-core by apache.
Class DelAdminMgrImpl, method updateRole.
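/**
 * {@inheritDoc}
 * <p>
 * After the admin role entry is updated, every user currently assigned the role has the
 * user-side copy of the assignment rewritten so the change reaches existing assignments. The
 * rewritten {@code UserAdminRole} carries the OS-P and OS-U sets from the caller's {@code role}
 * argument and the constraints copied (via {@code ConstraintUtil.copy}) from the persisted
 * result {@code re}.
 * <p>
 * NOTE(review): the begin/end role range and the inclusive flags are not copied onto the
 * user-side assignment here; if that attribute is what later populates session admin roles,
 * a range change on the admin role may not reach existing assignments — confirm.
 * NOTE(review): the OS sets are taken from the input {@code role}, not from {@code re}; a
 * partial update that leaves them unset on the input would propagate nulls — confirm intended.
 * <p>
 * The original also rewrote {@code ue.getAdminRoles()} in place for each user; that list was
 * never read afterwards (and would have thrown on a null list), so it is no longer touched.
 *
 * @param role the administrative role to update; must not be null.
 * @return the updated administrative role as returned by the role provider.
 * @throws SecurityException on validation failure or directory error.
 */
@Override
@AdminPermissionOperation
public AdminRole updateRole(AdminRole role) throws SecurityException {
    String methodName = "updateRole";
    assertContext(CLS_NM, methodName, role, GlobalErrIds.ARLE_NULL);
    setEntitySession(CLS_NM, methodName, role);
    AdminRole re = admRP.update(role);
    // Fan the change out to every user assigned this admin role.
    List<User> users = userP.getAssignedUsers(role);
    if (CollectionUtils.isNotEmpty(users)) {
        final AdminMgr aMgr = AdminMgrFactory.createInstance(this.contextId);
        for (User ue : users) {
            // Minimal update entity: the user id plus the single admin role being rewritten.
            User upUe = new User(ue.getUserId());
            setAdminData(CLS_NM, methodName, upUe);
            UserAdminRole chgRole = new UserAdminRole();
            chgRole.setName(role.getName());
            chgRole.setUserId(ue.getUserId());
            chgRole.setOsPSet(role.getOsPSet());
            chgRole.setOsUSet(role.getOsUSet());
            // Constraints come from the persisted (post-update) entity, not the raw input.
            ConstraintUtil.copy(re, chgRole);
            upUe.setAdminRole(chgRole);
            aMgr.updateUser(upUe);
        }
    }
    return re;
}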
use of org.apache.directory.fortress.core.model.UserAdminRole in project directory-fortress-core by apache.
Class DelAdminMgrImpl, method deassignUser.
/**
 * {@inheritDoc}
 * <p>
 * Two directory writes, in order: the assignment is removed from the user entry first, then the
 * user's DN is removed from the admin role's {@code roleOccupant} attribute. The pair is not
 * transactional: if the second write fails, the user-side deassignment has already been applied
 * while the role entry keeps a stale {@code roleOccupant} value.
 *
 * @param uAdminRole the user / admin-role pair to remove; must not be null.
 * @throws SecurityException if either directory operation fails.
 */
@Override
@AdminPermissionOperation
public void deassignUser(UserAdminRole uAdminRole) throws SecurityException {
    final String methodName = "deassignUser";
    assertContext(CLS_NM, methodName, uAdminRole, GlobalErrIds.ARLE_NULL);
    setEntitySession(CLS_NM, methodName, uAdminRole);
    // Remove the assignment from the user entry; the provider hands back the user's DN.
    String userDn = userP.deassign(uAdminRole);
    // Mirror the change on the role entry by dropping that DN from its roleOccupant values.
    AdminRole targetRole = new AdminRole(uAdminRole.getName());
    setAdminData(CLS_NM, methodName, targetRole);
    admRP.deassign(targetRole, userDn);
}