
Example 86 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class AdminMgrImpl method removeRoleConstraint.

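/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public void removeRoleConstraint(UserRole uRole, RoleConstraint roleConstraint) throws SecurityException {
    // Use this method's own name: the original passed "assignUser" (copy-paste leftover), so any
    // failure raised by assertContext was attributed to the wrong operation.
    String methodName = "removeRoleConstraint";
    // Fail fast on a null UserRole before its fields are dereferenced below.
    assertContext(CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL);
    // ARBAC check: the admin session attached to uRole must be allowed to deassign this role from this user.
    AdminUtil.canDeassign(uRole.getAdminSession(), new User(uRole.getUserId()), new Role(uRole.getName()), contextId);
    // TODO: validate roleConstraint the same way uRole is validated above; the GlobalErrIds
    // constant for a null role constraint is not in scope in this block, so the check is still pending.
    userP.deassign(uRole, roleConstraint);
}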

Example 87 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class ReviewMgrImpl method authorizedRoles.

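/**
 * {@inheritDoc}
 */
@Override
@AdminPermissionOperation
public Set<String> authorizedRoles(User user) throws SecurityException {
    String methodName = "authorizedRoles";
    // Reject a null User up front, then verify the caller is permitted to perform this review operation.
    assertContext(CLS_NM, methodName, user, GlobalErrIds.USER_NULL);
    checkAccess(CLS_NM, methodName);
    // Read the user entity, including its role assignments, from the directory.
    User ue = userP.read(user, true);
    List<UserRole> roles = ue.getRoles();
    // RoleUtil.getInheritedRoles tolerates a null or empty list and returns an empty
    // case-insensitive set, so callers now always receive a non-null Set; the previous
    // implementation returned null when the user had no role assignments.
    return RoleUtil.getInstance().getInheritedRoles(roles, this.contextId);
}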

Example 88 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class RoleUtil method getInheritedRoles.

/**
 * Collects the names of every RBAC Role a user is authorized for: each activated
 * {@link org.apache.directory.fortress.core.model.UserRole#name} plus all of its ascendants
 * in the role hierarchy. Used by {@link org.apache.directory.fortress.core.impl.PermDAO#checkPermission}.
 *
 * @param uRoles    roles activated within a {@link org.apache.directory.fortress.core.model.User}'s
 *                  {@link org.apache.directory.fortress.core.model.Session}; may be null or empty.
 * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
 * @return case-insensitive Set of all authorized RBAC Role names for the user; empty (never null)
 *         when {@code uRoles} is null or empty.
 */
Set<String> getInheritedRoles(List<UserRole> uRoles, String contextId) {
    // Case-insensitive comparator: differently-cased spellings of one role name collapse to a single entry.
    Set<String> authorized = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    if (!CollectionUtils.isNotEmpty(uRoles)) {
        return authorized;
    }
    for (UserRole activated : uRoles) {
        String roleName = activated.getName();
        authorized.add(roleName);
        // Every ancestor of an activated role is authorized as well.
        Set<String> ascendants = HierUtil.getAscendants(roleName, getGraph(contextId));
        if (CollectionUtils.isNotEmpty(ascendants)) {
            authorized.addAll(ascendants);
        }
    }
    return authorized;
}

Example 89 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class DSDChecker method validate.

/**
 * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.VUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints.
 * <p>
 * A role whose activation would reach a DSD set's cardinality is removed from the session's role list
 * in place and a {@link Warning} is recorded on the session; the remaining roles stay activated and
 * the method keeps checking the other DSD sets rather than stopping at the first violation.
 *
 * @param session    contains list of RBAC roles {@link org.apache.directory.fortress.core.model.UserRole} targeted for activation.
 * @param constraint required for Validator interface, not used here.
 * @param time       required for Validator interface, not used here.
 * @param type       required by interface, not used here.
 * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD} if failed.
 */
@Override
public int validate(Session session, Constraint constraint, Time time, VUtil.ConstraintType type) throws org.apache.directory.fortress.core.SecurityException {
    int rc = 0;
    int matchCount;
    // get all candidate activated roles user:
    List<UserRole> activeRoleList = session.getRoles();
    if (activeRoleList == null || activeRoleList.size() == 0) {
        // Nothing to activate, so no DSD set can be violated.
        return rc;
    }
    // Depending on if session is group or user session, fill objects
    String contextId = session.isGroupSession() ? session.getGroup().getContextId() : session.getUser().getContextId();
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";
    // get the list of authorized roles for this user/group:
    // (activated roles plus their ascendants, so an inherited membership in a DSD set is caught too)
    Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles(activeRoleList, contextId);
    // only need to check DSD constraints if more than one role is being activated:
    // (the null check is defensive; getInheritedRoles returns an empty set rather than null)
    if (authorizedRoleSet != null && authorizedRoleSet.size() > 1) {
        // get all DSD sets that contain the candidate activated and authorized roles,
        // If DSD cache is disabled, this will search the directory using authorizedRoleSet
        Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache(authorizedRoleSet, contextId);
        if (dsdSets != null && dsdSets.size() > 0) {
            for (SDSet dsd : dsdSets) {
                // Iterate via an explicit Iterator so offending roles can be removed from the
                // session's list while walking it.
                Iterator<UserRole> activatedRoles = activeRoleList.iterator();
                // matchCount is reset per DSD set: it counts how many roles being activated
                // (directly or through an ascendant) are members of this set.
                matchCount = 0;
                Set<String> map = dsd.getMembers();
                // now check the DSD on every role activation candidate contained within session object:
                while (activatedRoles.hasNext()) {
                    UserRole activatedRole = activatedRoles.next();
                    if (map.contains(activatedRole.getName())) {
                        matchCount++;
                        // Reaching the cardinality is a violation. matchCount is not decremented after a
                        // removal, so every further member of this set in the list is removed as well.
                        if (matchCount >= dsd.getCardinality()) {
                            activatedRoles.remove();
                            String warning = "validate " + entityType + " [" + entityId + "] failed activation of assignedRole [" + activatedRole.getName() + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                            LOG.warn(warning);
                            rc = GlobalErrIds.ACTV_FAILED_DSD;
                            // Whether a later warning replaces an earlier one depends on Session.setWarning (not visible here).
                            session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
                        }
                    } else {
                        // The activated role itself is not a member; check its ascendants, since membership
                        // in the DSD set can be inherited through the role hierarchy.
                        Set<String> parentSet = RoleUtil.getInstance().getAscendants(activatedRole.getName(), contextId);
                        // now check for every role inherited from this activated role:
                        for (String parentRole : parentSet) {
                            if (map.contains(parentRole)) {
                                matchCount++;
                                if (matchCount >= dsd.getCardinality()) {
                                    String warning = "validate " + entityType + " [" + entityId + "] assignedRole [" + activatedRole.getName() + "] parentRole [" + parentRole + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                                    rc = GlobalErrIds.ACTV_FAILED_DSD;
                                    // remove the assigned role from session (not the authorized role):
                                    activatedRoles.remove();
                                    session.setWarning(new ObjectFactory().createWarning(rc, warning, Warning.Type.ROLE, activatedRole.getName()));
                                    LOG.warn(warning);
                                    // Breaking out of the loop because assigned role has been removed from session.
                                    // (Only the parent loop is left; the outer while continues with the next activated role.)
                                    break;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    return rc;
}
