Example 81 with UserRole

Use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

The class UserP, method findRoleConstraints.

List<RoleConstraint> findRoleConstraints(Set<String> roles, User user, RoleConstraint.RCType rcType, Set<String> paSets) throws SecurityException {
    List<RoleConstraint> matchingConstraints = new ArrayList<RoleConstraint>();
    // TODO: can we do this in a query?
    List<UserRole> userRoles = uDao.getUser(user, true).getRoles();
    for (UserRole ur : userRoles) {
        // only get constraints for passed in roles
        if (roles.contains(ur.getName())) {
            for (RoleConstraint rc : ur.getRoleConstraints()) {
                if (rc.getType().equals(rcType) && paSets.contains(rc.getPaSetName())) {
                    matchingConstraints.add(rc);
                }
            }
        }
    }
    return matchingConstraints;
}
Also used : UserRole(org.apache.directory.fortress.core.model.UserRole) ArrayList(java.util.ArrayList) RoleConstraint(org.apache.directory.fortress.core.model.RoleConstraint)

Example 82 with UserRole

Use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

The class AdminMgrImpl, method addRoleConstraint.

/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public RoleConstraint addRoleConstraint(UserRole uRole, RoleConstraint roleConstraint) throws SecurityException {
    String methodName = "addRoleConstraint";
    assertContext(CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL);
    // ARBAC check: the caller's admin session must be permitted to assign this role to this user:
    AdminUtil.canAssign(uRole.getAdminSession(), new User(uRole.getUserId()), new Role(uRole.getName()), contextId);
    // todo assert roleconstraint here
    userP.assign(uRole, roleConstraint);
    return roleConstraint;
}
Also used : AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) UserRole(org.apache.directory.fortress.core.model.UserRole) User(org.apache.directory.fortress.core.model.User) AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)

Example 83 with UserRole

Use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

The class AdminMgrImpl, method deleteRole.

/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public void deleteRole(Role role) throws SecurityException {
    String methodName = "deleteRole";
    assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
    setEntitySession(CLS_NM, methodName, role);
    int numChildren = RoleUtil.getInstance().numChildren(role.getName(), role.getContextId());
    if (numChildren > 0) {
        String error = methodName + " role [" + role.getName() + "] must remove [" + numChildren + "] descendants before deletion";
        LOG.error(error);
        throw new SecurityException(GlobalErrIds.HIER_DEL_FAILED_HAS_CHILD, error, null);
    }
    // Read the Role from LDAP:
    Role outRole = roleP.read(role);
    outRole.setContextId(role.getContextId());
    // deassign all groups assigned to this role first (because of schema's configGroup class constraints)
    List<Group> groups = groupP.roleGroups(outRole);
    for (Group group : groups) {
        group.setContextId(this.contextId);
        groupP.deassign(group, outRole.getDn());
    }
    // If user membership associated with role, remove the role object:
    if (Config.getInstance().isRoleOccupant()) {
        // this reads the role object itself:
        List<User> users = userP.getAssignedUsers(role);
        if (users != null) {
            for (User ue : users) {
                UserRole uRole = new UserRole(ue.getUserId(), role.getName());
                setAdminData(CLS_NM, methodName, uRole);
                deassignUser(uRole);
            }
        }
    } else {
        // search for all users assigned this role and deassign:
        List<String> userIds = userP.getAssignedUserIds(role);
        for (String userId : userIds) {
            UserRole uRole = new UserRole(userId, role.getName());
            setAdminData(CLS_NM, methodName, uRole);
            deassignUser(uRole);
        }
    }
    // Now remove the role association from all permissions:
    permP.remove(role);
    // remove all parent relationships from the role graph:
    Set<String> parents = RoleUtil.getInstance().getParents(role.getName(), this.contextId);
    if (parents != null) {
        for (String parent : parents) {
            RoleUtil.getInstance().updateHier(this.contextId, new Relationship(role.getName().toUpperCase(), parent.toUpperCase()), Hier.Op.REM);
        }
    }
    // Finally, delete the role object:
    roleP.delete(role);
}
Also used : AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) UserRole(org.apache.directory.fortress.core.model.UserRole) Group(org.apache.directory.fortress.core.model.Group) User(org.apache.directory.fortress.core.model.User) Relationship(org.apache.directory.fortress.core.model.Relationship) SecurityException(org.apache.directory.fortress.core.SecurityException) RoleConstraint(org.apache.directory.fortress.core.model.RoleConstraint) AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)

Example 84 with UserRole

Use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

The class AdminMgrImpl, method assignUser.

/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public void assignUser(UserRole uRole) throws SecurityException {
    String methodName = "assignUser";
    assertContext(CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL);
    Role role = new Role(uRole.getName());
    role.setContextId(contextId);
    User user = new User(uRole.getUserId());
    user.setContextId(contextId);
    setEntitySession(CLS_NM, methodName, uRole);
    AdminUtil.canAssign(uRole.getAdminSession(), user, role, contextId);
    SDUtil.getInstance().validateSSD(user, role);
    // Get the default constraints from role:
    role.setContextId(this.contextId);
    Role validRole = roleP.read(role);
    // if the input role entity attribute doesn't have temporal constraints set, copy from the role declaration:
    ConstraintUtil.validateOrCopy(validRole, uRole);
    // Assign the Role data to User:
    String dn = userP.assign(uRole);
    // If user membership associated with role, set it here:
    if (Config.getInstance().isRoleOccupant()) {
        setAdminData(CLS_NM, methodName, role);
        // Assign user dn attribute to the role, this will add a single, standard attribute value,
        // called "roleOccupant", directly onto the role node:
        roleP.assign(role, dn);
    }
}
Also used : AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) UserRole(org.apache.directory.fortress.core.model.UserRole) User(org.apache.directory.fortress.core.model.User) AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)

Example 85 with UserRole

Use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

The class AdminMgrImpl, method deassignUser.

/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public void deassignUser(UserRole uRole) throws SecurityException {
    String methodName = "deassignUser";
    assertContext(CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL);
    Role role = new Role(uRole.getName());
    role.setContextId(contextId);
    User user = new User(uRole.getUserId());
    user.setContextId(contextId);
    setEntitySession(CLS_NM, methodName, uRole);
    // ARBAC check uses the admin session carried on the UserRole (as assignUser does);
    // the freshly constructed User entity has no admin session of its own:
    AdminUtil.canDeassign(uRole.getAdminSession(), user, role, contextId);
    String dn = userP.deassign(uRole);
    // If user membership is associated with role, remove role occupants:
    if (Config.getInstance().isRoleOccupant()) {
        setAdminData(CLS_NM, methodName, role);
        // Now "deassign" user dn attribute, this will remove a single, standard attribute value,
        // called "roleOccupant", from the node:
        roleP.deassign(role, dn);
    }
}
Also used : AdminRole(org.apache.directory.fortress.core.model.AdminRole) Role(org.apache.directory.fortress.core.model.Role) UserRole(org.apache.directory.fortress.core.model.UserRole) User(org.apache.directory.fortress.core.model.User) AdminPermissionOperation(org.apache.directory.fortress.annotation.AdminPermissionOperation)

Aggregations

UserRole (org.apache.directory.fortress.core.model.UserRole)89 User (org.apache.directory.fortress.core.model.User)55 SecurityException (org.apache.directory.fortress.core.SecurityException)48 Session (org.apache.directory.fortress.core.model.Session)28 AccessMgr (org.apache.directory.fortress.core.AccessMgr)17 ArrayList (java.util.ArrayList)16 Role (org.apache.directory.fortress.core.model.Role)16 RoleConstraint (org.apache.directory.fortress.core.model.RoleConstraint)16 AdminMgr (org.apache.directory.fortress.core.AdminMgr)14 ReviewMgr (org.apache.directory.fortress.core.ReviewMgr)12 UserAdminRole (org.apache.directory.fortress.core.model.UserAdminRole)11 Constraint (org.apache.directory.fortress.core.model.Constraint)10 AdminRole (org.apache.directory.fortress.core.model.AdminRole)9 LdapException (org.apache.directory.api.ldap.model.exception.LdapException)7 AdminPermissionOperation (org.apache.directory.fortress.annotation.AdminPermissionOperation)7 AccelMgr (org.apache.directory.fortress.core.AccelMgr)6 FinderException (org.apache.directory.fortress.core.FinderException)6 SDSet (org.apache.directory.fortress.core.model.SDSet)6 LdapConnection (org.apache.directory.ldap.client.api.LdapConnection)6 Enumeration (java.util.Enumeration)5