Use of org.apache.directory.fortress.core.model.UserAdminRole in the project directory-fortress-core by apache.
The class CommandLineInterpreter, method printUser.
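/**
 * Prints the attributes of a {@link User} as labelled rows, followed by its RBAC role assignments
 * (with their parent roles), its administrative role assignments and any extended properties.
 * <p>
 * Nothing is printed when {@code user} is {@code null}. Extended property keys and values are written
 * to the log verbatim, so anything stored there ends up in the log output.
 *
 * @param user entity to print; may be {@code null}.
 */
private void printUser(User user) {
    if (user == null) {
        return;
    }
    final String type = "U";
    printRow(type, "UID ", user.getUserId());
    printRow(type, "IID ", user.getInternalId());
    printRow(type, "CN ", user.getCn());
    printRow(type, "DESC", user.getDescription());
    printRow(type, "OU ", user.getOu());
    printRow(type, "SN ", user.getSn());
    printRow(type, "BDTE", user.getBeginDate());
    printRow(type, "EDTE", user.getEndDate());
    printRow(type, "BLDT", user.getBeginLockDate());
    printRow(type, "ELDT", user.getEndLockDate());
    printRow(type, "DMSK", user.getDayMask());
    printRow(type, "TO ", "" + user.getTimeout());
    printRow(type, "REST", "" + user.isReset());
    printTemporal(type, user, "USER");
    printAddress(type, user.getAddress(), "ADDR");
    printPhone(type, user.getPhones(), "PHNE");
    // The MOBL row comes from the mobiles list; printing the phones list a second time under
    // the MOBL label showed the wrong numbers.
    printPhone(type, user.getMobiles(), "MOBL");
    if (CollectionUtils.isNotEmpty(user.getRoles())) {
        for (UserRole ur : user.getRoles()) {
            printSeparator();
            printTemporal("R", ur, "RBACROLE");
            if (CollectionUtils.isNotEmpty(ur.getParents())) {
                for (String parentRole : ur.getParents()) {
                    printRow("R", "PRLE", parentRole);
                }
            }
        }
    }
    if (CollectionUtils.isNotEmpty(user.getAdminRoles())) {
        for (UserAdminRole ur : user.getAdminRoles()) {
            printSeparator();
            printTemporal("A", ur, "ADMINROLE");
            printAdminRole("A", ur);
        }
    }
    if (PropUtil.isNotEmpty(user.getProperties())) {
        printSeparator();
        int ctr = 0;
        // Properties is enumerated rather than iterated so the output order matches earlier output.
        for (Enumeration<?> e = user.getProperties().propertyNames(); e.hasMoreElements(); ) {
            String key = (String) e.nextElement();
            String val = user.getProperty(key);
            ++ctr;
            LOG.info("{} KEY{} [{}]", type, ctr, key);
            LOG.info("{} VAL{} [{}]", type, ctr, val);
        }
    }
}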
Use of org.apache.directory.fortress.core.model.UserAdminRole in the project directory-fortress-core by apache.
The class CommandLineInterpreter, method processDelegatedAdminCommand.
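/**
 * Executes a single delegated-administration (ARBAC) command against {@code delAdminMgr}.
 * <p>
 * The command to run is the first entry of {@code commands} that matches, tested in the order of the
 * branches below; when several command flags are present only the first matching one is executed.
 * Arguments are read from {@code options}. An unrecognised command is logged at warn level and
 * ignored. A {@code SecurityException} raised by the manager is logged together with its error id
 * and stack trace and is not propagated to the caller.
 *
 * @param commands command names parsed from the command line.
 * @param options  parsed option values supplying the role, user, permission, org unit or
 *                 relationship arguments of the command.
 */
private void processDelegatedAdminCommand(Set<String> commands, Options options) {
    String command;
    try {
        if (commands.contains(ADD_ROLE)) {
            command = ADD_ROLE;
            LOG.info(command);
            AdminRole role = options.getAdminRole();
            delAdminMgr.addRole(role);
        } else if (commands.contains(UPDATE_ROLE)) {
            command = UPDATE_ROLE;
            LOG.info(command);
            AdminRole role = options.getAdminRole();
            delAdminMgr.updateRole(role);
        } else if (commands.contains(DELETE_ROLE)) {
            command = DELETE_ROLE;
            LOG.info(command);
            AdminRole role = options.getAdminRole();
            delAdminMgr.deleteRole(role);
        } else if (commands.contains(ASSIGN_ROLE)) {
            command = ASSIGN_ROLE;
            LOG.info(command);
            Role role = options.getRole();
            String userId = options.getUserId();
            delAdminMgr.assignUser(new UserAdminRole(userId, role));
        } else if (commands.contains(DEASSIGN_ROLE)) {
            command = DEASSIGN_ROLE;
            LOG.info(command);
            Role role = options.getRole();
            String userId = options.getUserId();
            delAdminMgr.deassignUser(new UserAdminRole(userId, role));
        } else if (commands.contains(ADD_ROLE_INHERITANCE)) {
            command = ADD_ROLE_INHERITANCE;
            LOG.info(command);
            // parent/child names of the relationship are wrapped as AdminRoles for the hierarchy call:
            Relationship relationship = options.getRelationship();
            delAdminMgr.addInheritance(new AdminRole(relationship.getParent()), new AdminRole(relationship.getChild()));
        } else if (commands.contains(DELETE_ROLE_INHERITANCE)) {
            command = DELETE_ROLE_INHERITANCE;
            LOG.info(command);
            Relationship relationship = options.getRelationship();
            delAdminMgr.deleteInheritance(new AdminRole(relationship.getParent()), new AdminRole(relationship.getChild()));
        } else if (commands.contains(ADD_POBJ)) {
            command = ADD_POBJ;
            LOG.info(command);
            PermObj permObj = options.getPermObj();
            delAdminMgr.addPermObj(permObj);
        } else if (commands.contains(UPDATE_POBJ)) {
            command = UPDATE_POBJ;
            LOG.info(command);
            PermObj permObj = options.getPermObj();
            delAdminMgr.updatePermObj(permObj);
        } else if (commands.contains(DELETE_POBJ)) {
            command = DELETE_POBJ;
            LOG.info(command);
            PermObj permObj = options.getPermObj();
            delAdminMgr.deletePermObj(permObj);
        } else if (commands.contains(ADD_PERM)) {
            command = ADD_PERM;
            LOG.info(command);
            Permission perm = options.getPermission();
            delAdminMgr.addPermission(perm);
        } else if (commands.contains(UPDATE_PERM)) {
            command = UPDATE_PERM;
            LOG.info(command);
            Permission perm = options.getPermission();
            delAdminMgr.updatePermission(perm);
        } else if (commands.contains(DELETE_PERM)) {
            command = DELETE_PERM;
            LOG.info(command);
            Permission perm = options.getPermission();
            delAdminMgr.deletePermission(perm);
        } else if (commands.contains(GRANT)) {
            command = GRANT;
            LOG.info(command);
            Permission perm = options.getPermission();
            // for grant/revoke the target admin role's name comes from the role-name option:
            AdminRole role = options.getAdminRole();
            role.setName(options.getRoleNm());
            delAdminMgr.grantPermission(perm, role);
        } else if (commands.contains(REVOKE)) {
            command = REVOKE;
            LOG.info(command);
            Permission perm = options.getPermission();
            AdminRole role = options.getAdminRole();
            role.setName(options.getRoleNm());
            delAdminMgr.revokePermission(perm, role);
        } else if (commands.contains(ADD_USERORG)) {
            command = ADD_USERORG;
            LOG.info(command);
            // the parsed OrgUnit is untyped; the command decides whether it is a USER or PERM org unit:
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.USER);
            delAdminMgr.add(orgUnit);
        } else if (commands.contains(UPDATE_USERORG)) {
            command = UPDATE_USERORG;
            LOG.info(command);
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.USER);
            delAdminMgr.update(orgUnit);
        } else if (commands.contains(DELETE_USERORG)) {
            command = DELETE_USERORG;
            LOG.info(command);
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.USER);
            delAdminMgr.delete(orgUnit);
        } else if (commands.contains(ADD_USERORG_INHERITANCE)) {
            command = ADD_USERORG_INHERITANCE;
            LOG.info(command);
            Relationship relationship = options.getRelationship();
            delAdminMgr.addInheritance(new OrgUnit(relationship.getParent(), OrgUnit.Type.USER), new OrgUnit(relationship.getChild(), OrgUnit.Type.USER));
        } else if (commands.contains(DELETE_USERORG_INHERITANCE)) {
            command = DELETE_USERORG_INHERITANCE;
            LOG.info(command);
            Relationship relationship = options.getRelationship();
            delAdminMgr.deleteInheritance(new OrgUnit(relationship.getParent(), OrgUnit.Type.USER), new OrgUnit(relationship.getChild(), OrgUnit.Type.USER));
        } else if (commands.contains(ADD_PERMORG)) {
            command = ADD_PERMORG;
            LOG.info(command);
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.PERM);
            delAdminMgr.add(orgUnit);
        } else if (commands.contains(UPDATE_PERMORG)) {
            command = UPDATE_PERMORG;
            LOG.info(command);
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.PERM);
            delAdminMgr.update(orgUnit);
        } else if (commands.contains(DELETE_PERMORG)) {
            command = DELETE_PERMORG;
            LOG.info(command);
            OrgUnit orgUnit = options.getOrgUnit();
            orgUnit.setType(OrgUnit.Type.PERM);
            delAdminMgr.delete(orgUnit);
        } else if (commands.contains(ADD_PERMORG_INHERITANCE)) {
            command = ADD_PERMORG_INHERITANCE;
            LOG.info(command);
            Relationship relationship = options.getRelationship();
            delAdminMgr.addInheritance(new OrgUnit(relationship.getParent(), OrgUnit.Type.PERM), new OrgUnit(relationship.getChild(), OrgUnit.Type.PERM));
        } else if (commands.contains(DELETE_PERMORG_INHERITANCE)) {
            command = DELETE_PERMORG_INHERITANCE;
            LOG.info(command);
            Relationship relationship = options.getRelationship();
            delAdminMgr.deleteInheritance(new OrgUnit(relationship.getParent(), OrgUnit.Type.PERM), new OrgUnit(relationship.getChild(), OrgUnit.Type.PERM));
        } else {
            LOG.warn("unknown delegated admin operation detected");
            return;
        }
        LOG.info("command:{} was successful", command);
    } catch (org.apache.directory.fortress.core.SecurityException se) {
        String error = "processDelegatedAdminCommand caught SecurityException=" + se + ", return code=" + se.getErrorId();
        // pass the exception itself so the logger keeps the stack trace instead of only its toString():
        LOG.error(error, se);
    }
}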
Use of org.apache.directory.fortress.core.model.UserAdminRole in the project directory-fortress-core by apache.
The class UserDAO, method loadUserAdminRoles.
/**
 * Converts a list of ARBAC role assignments ({@link UserAdminRole}) into their raw ldap representation
 * and attaches the resulting attributes to {@code entry} ahead of an ldap add.
 * <p>
 * A {@code null} list is ignored. When no raw data value was collected, neither attribute is added to
 * the entry.
 *
 * @param list  ARBAC role assignments to load; may be {@code null}.
 * @param entry ldap entry that receives the {@code USER_ADMINROLE_DATA} and
 *              {@code USER_ADMINROLE_ASSIGN} attributes.
 * @throws LdapException if an attribute value or the entry cannot be populated.
 */
private void loadUserAdminRoles(List<UserAdminRole> list, Entry entry) throws LdapException {
    if (list == null) {
        return;
    }
    Attribute rawData = new DefaultAttribute(GlobalIds.USER_ADMINROLE_DATA);
    Attribute roleNames = new DefaultAttribute(GlobalIds.USER_ADMINROLE_ASSIGN);
    for (UserAdminRole assignment : list) {
        rawData.add(assignment.getRawData());
        roleNames.add(assignment.getName());
    }
    // Only attach the attributes once at least one raw value was collected.
    if (rawData.size() == 0) {
        return;
    }
    entry.add(rawData);
    entry.add(roleNames);
}
Use of org.apache.directory.fortress.core.model.UserAdminRole in the project directory-fortress-core by apache.
The class UserDAO, method deassign.
/**
 * Removes an administrative (ARBAC) role assignment from a user in the directory.
 * <p>
 * The user's current admin role assignments are read back first, because the removal has to use the
 * raw attribute data stored in the directory rather than the caller-supplied entity.
 *
 * @param uRole identifies the user (userId, contextId) and the admin role name to remove.
 * @return the user's distinguished name.
 * @throws UpdateException if the directory modification fails with an {@code LdapException}.
 * @throws FinderException if the user does not currently hold the targeted admin role.
 */
String deassign(UserAdminRole uRole) throws UpdateException, FinderException {
    String userDn = getDn(uRole.getUserId(), uRole.getContextId());
    LdapConnection connection = null;
    try {
        User target = new User(uRole.getUserId());
        target.setContextId(uRole.getContextId());
        List<UserAdminRole> assigned = getUserAdminRoles(target);
        // indexOf yields -1 when the role is not assigned; a missing list is treated the same way.
        int position = (assigned == null) ? -1 : assigned.indexOf(uRole);
        if (position < 0) {
            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] " + "assignment does not exist.";
            throw new FinderException(GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning);
        }
        // Remove both the raw assignment data and the role name using the values read from the directory.
        UserRole found = assigned.get(position);
        List<Modification> mods = new ArrayList<Modification>();
        mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_DATA, found.getRawData()));
        mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_ASSIGN, found.getName()));
        connection = getAdminConnection();
        modify(connection, userDn, mods, uRole);
    } catch (LdapException e) {
        String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] caught " + "LDAPException=" + e.getMessage();
        throw new UpdateException(GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e);
    } finally {
        closeAdminConnection(connection);
    }
    return userDn;
}
Use of org.apache.directory.fortress.core.model.UserAdminRole in the project directory-fortress-core by apache.
The class UserP, method validate.
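/**
 * Performs the validations that protect the integrity of a User entity targeted for insertion or update
 * in the directory. For example the ou attribute is read from the OrgUnit dataset to ensure it is valid,
 * and reasonability checks are applied to every non-null attribute. Constraints of assigned RBAC and
 * administrative roles are validated against the stored role, or copied onto the assignment when the
 * assignment carries none of its own.
 *
 * @param entity   User entity containing the data targeted for insertion or update. The input role
 *                 constraints are accepted.
 * @param isUpdate if true an update is being performed, which makes every attribute optional; on add the
 *                 userId and ou attributes are required.
 * @throws SecurityException in the event of a data validation error or a DAO error during Org validation.
 */
private void validate(User entity, boolean isUpdate) throws SecurityException {
    if (!isUpdate) {
        // the UserId attribute is required on User:
        VUtil.userId(entity.getUserId());
        validateOptionalText(entity);
        // the OU attribute is required on add:
        if (StringUtils.isEmpty(entity.getOu())) {
            String error = "OU validation failed, null or empty value";
            throw new ValidationException(GlobalErrIds.ORG_NULL_USER, error);
        }
        validateOrgUnit(entity, "adding user with userId");
    } else {
        // on User update, all attributes are optional:
        validateOptionalText(entity);
        if (StringUtils.isNotEmpty(entity.getOu())) {
            validateOrgUnit(entity, "updating user wth userId");
        }
    }
    // description attribute is optional on both add and update:
    if (StringUtils.isNotEmpty(entity.getDescription())) {
        VUtil.description(entity.getDescription());
    }
    // 1 OpenLDAP password policy name must be valid if set:
    if (StringUtils.isNotEmpty(entity.getPwPolicy())) {
        PwPolicy policy = new PwPolicy(entity.getPwPolicy());
        policy.setContextId(entity.getContextId());
        if (!policyP.isValid(policy)) {
            String error = "validate detected invalid OpenLDAP policy name [" + entity.getPwPolicy() + "] for userId [" + entity.getUserId() + "]. Assignment is optional for User but must be valid if specified.";
            throw new ValidationException(GlobalErrIds.USER_PW_PLCY_INVALID, error);
        }
    }
    // 2 Validate constraints on User object:
    ConstraintUtil.validate(entity);
    // 3 Validate or copy constraints on RBAC roles:
    if (CollectionUtils.isNotEmpty(entity.getRoles())) {
        RoleP rp = new RoleP();
        List<UserRole> roles = entity.getRoles();
        for (UserRole ure : roles) {
            Role inRole = new Role(ure.getName());
            inRole.setContextId(entity.getContextId());
            // the stored role must exist; its constraints are the reference for the assignment:
            Role role = rp.read(inRole);
            ConstraintUtil.validateOrCopy(role, ure);
        }
    }
    // 4 Validate and copy constraints on Administrative roles:
    if (CollectionUtils.isNotEmpty(entity.getAdminRoles())) {
        List<UserAdminRole> uRoles = entity.getAdminRoles();
        for (UserAdminRole uare : uRoles) {
            AdminRole inRole = new AdminRole(uare.getName());
            inRole.setContextId(entity.getContextId());
            AdminRole outRole = admRoleP.read(inRole);
            ConstraintUtil.validateOrCopy(outRole, uare);
            // copy the ARBAC AdminRole attributes to UserAdminRole:
            copyAdminAttrs(outRole, uare);
        }
    }
}

/**
 * Applies the text checks shared by add and update to the optional cn, sn and password attributes.
 * Attributes that are null or empty are skipped.
 *
 * @param entity User entity whose optional text attributes are checked.
 * @throws SecurityException if one of the attributes fails the safeText check.
 */
private void validateOptionalText(User entity) throws SecurityException {
    // the cn attribute is optional as input. entity will default to userId if cn not set by caller on add:
    if (StringUtils.isNotEmpty(entity.getCn())) {
        VUtil.safeText(entity.getCn(), GlobalIds.CN_LEN);
    }
    // the sn attribute is optional as input. entity will default to userId if sn not set by caller on add:
    if (StringUtils.isNotEmpty(entity.getSn())) {
        VUtil.safeText(entity.getSn(), GlobalIds.SN_LEN);
    }
    // password is not required on user object but user cannot execute AccessMgr or DelAccessMgr methods w/out pw.
    // NOTE(review): only the safeText/length check is applied here; password quality is presumably left to
    // the pwPolicy assignment validated by the caller - confirm.
    if (StringUtils.isNotEmpty(entity.getPassword())) {
        VUtil.safeText(entity.getPassword(), GlobalIds.PASSWORD_LEN);
    }
}

/**
 * Checks the format of the entity's ou attribute and confirms that it exists in the user OrgUnit (OS-U)
 * pool of the entity's context.
 *
 * @param entity User entity whose ou is validated; the ou must be non-empty.
 * @param action text inserted into the error message that describes the operation in progress, e.g.
 *               {@code "adding user with userId"}.
 * @throws SecurityException if the ou is malformed, unknown, or the OrgUnit lookup fails.
 */
private void validateOrgUnit(User entity, String action) throws SecurityException {
    VUtil.orgUnit(entity.getOu());
    // ensure ou exists in the OS-U pool:
    OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
    ou.setContextId(entity.getContextId());
    if (!orgUnitP.isValid(ou)) {
        String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] " + action + " [" + entity.getUserId() + "]";
        throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
    }
}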