Examples with UserRole org.apache.directory.fortress.core.model.UserRole used on opensource projects
Example 11 with UserRole
use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.
the class UserDAO method deassign.
/**
* @param uRole
* @return
* @throws UpdateException
* @throws FinderException
*/
String deassign(UserAdminRole uRole) throws UpdateException, FinderException {
LdapConnection ld = null;
String userDn = getDn(uRole.getUserId(), uRole.getContextId());
try {
// read the user's ARBAC roles to locate record. Need the raw data before attempting removal:
User user = new User(uRole.getUserId());
user.setContextId(uRole.getContextId());
List<UserAdminRole> roles = getUserAdminRoles(user);
int indx = -1;
// Does the user have any roles assigned?
if (roles != null) {
// function call will set index to -1 if name not found:
indx = roles.indexOf(uRole);
// Is the targeted name assigned to user?
if (indx > -1) {
// Retrieve the targeted name:
UserRole fRole = roles.get(indx);
// delete the name assignment attribute using the raw name data:
List<Modification> mods = new ArrayList<Modification>();
mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData()));
mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName()));
ld = getAdminConnection();
modify(ld, userDn, mods, uRole);
}
}
// target name not found:
if (indx == -1) {
// The user does not have the target name assigned,
String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] " + "assignment does not exist.";
throw new FinderException(GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning);
}
} catch (LdapException e) {
String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] caught " + "LDAPException=" + e.getMessage();
throw new UpdateException(GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e);
} finally {
closeAdminConnection(ld);
}
return userDn;
}
Also used :
DefaultModification(org.apache.directory.api.ldap.model.entry.DefaultModification)
Modification(org.apache.directory.api.ldap.model.entry.Modification)
User(org.apache.directory.fortress.core.model.User)
DefaultModification(org.apache.directory.api.ldap.model.entry.DefaultModification)
UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole)
ArrayList(java.util.ArrayList)
RoleConstraint(org.apache.directory.fortress.core.model.RoleConstraint)
FinderException(org.apache.directory.fortress.core.FinderException)
UserRole(org.apache.directory.fortress.core.model.UserRole)
UpdateException(org.apache.directory.fortress.core.UpdateException)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapConnection(org.apache.directory.ldap.client.api.LdapConnection)
Example 12 with UserRole
use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.
the class UserDAO method deassign.
/**
* @param uRole
* @return
* @throws UpdateException
* @throws FinderException
*/
String deassign(UserRole uRole) throws UpdateException, FinderException {
LdapConnection ld = null;
String userDn = getDn(uRole.getUserId(), uRole.getContextId());
try {
// read the user's RBAC role assignments to locate target record. Need the raw data before attempting
// removal:
List<UserRole> roles = getUserRoles(uRole.getUserId(), uRole.getContextId());
int indx = -1;
// Does the user have any roles assigned?
if (roles != null) {
// function call will set indx to -1 if name not found:
indx = roles.indexOf(uRole);
// Is the targeted name assigned to user?
if (indx > -1) {
// Retrieve the targeted name:
UserRole fRole = roles.get(indx);
// delete the name assignment attribute using the raw name data:
List<Modification> mods = new ArrayList<Modification>();
// Remove user role constraints
for (RoleConstraint rc : fRole.getRoleConstraints()) {
this.deassign(fRole, rc);
}
mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ROLE_DATA, fRole.getRawData()));
mods.add(new DefaultModification(ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ROLE_ASSIGN, fRole.getName()));
ld = getAdminConnection();
modify(ld, userDn, mods, uRole);
}
}
// target name not found:
if (indx == -1) {
// The user does not have the target name assigned,
String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] " + "assignment does not exist.";
throw new FinderException(GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning);
}
} catch (LdapException e) {
String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] caught " + "LDAPException=" + e.getMessage();
throw new UpdateException(GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e);
} finally {
closeAdminConnection(ld);
}
return userDn;
}
Also used :
DefaultModification(org.apache.directory.api.ldap.model.entry.DefaultModification)
Modification(org.apache.directory.api.ldap.model.entry.Modification)
DefaultModification(org.apache.directory.api.ldap.model.entry.DefaultModification)
ArrayList(java.util.ArrayList)
RoleConstraint(org.apache.directory.fortress.core.model.RoleConstraint)
RoleConstraint(org.apache.directory.fortress.core.model.RoleConstraint)
FinderException(org.apache.directory.fortress.core.FinderException)
UserRole(org.apache.directory.fortress.core.model.UserRole)
UpdateException(org.apache.directory.fortress.core.UpdateException)
LdapException(org.apache.directory.api.ldap.model.exception.LdapException)
LdapConnection(org.apache.directory.ldap.client.api.LdapConnection)
Example 13 with UserRole
use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.
the class UserP method validate.
/**
* Method will perform various validations to ensure the integrity of the User entity targeted for insertion
* or updating in directory. For example the ou attribute will be "read" from the OrgUnit dataset to ensure
* that it is valid. Data reasonability checks will be performed on all non-null attributes.
* This method will also copy the source constraints to target entity iff the target input entity does not have set
* prior to calling.
*
* @param entity User entity contains data targeted for insertion or update. The input role constraints will be accepted.
* @param isUpdate if true update operation is being performed which specifies a different set of targeted attributes.
* @throws SecurityException in the event of data validation error or DAO error on Org validation.
*/
private void validate(User entity, boolean isUpdate) throws SecurityException {
if (!isUpdate) {
// the UserId attribute is required on User:
VUtil.userId(entity.getUserId());
// the cn attribute is optional as input. entity will default to userId if cn not set by caller on add:
if (StringUtils.isNotEmpty(entity.getCn())) {
VUtil.safeText(entity.getCn(), GlobalIds.CN_LEN);
}
// the sn attribute is optional as input. entity will default to userId if sn not set by caller on add:
if (StringUtils.isNotEmpty(entity.getSn())) {
VUtil.safeText(entity.getSn(), GlobalIds.SN_LEN);
}
// password is not required on user object but user cannot execute AccessMgr or DelAccessMgr methods w/out pw.
if (StringUtils.isNotEmpty(entity.getPassword())) {
VUtil.safeText(entity.getPassword(), GlobalIds.PASSWORD_LEN);
}
// the OU attribute is required:
if (StringUtils.isEmpty(entity.getOu())) {
String error = "OU validation failed, null or empty value";
throw new ValidationException(GlobalErrIds.ORG_NULL_USER, error);
}
VUtil.orgUnit(entity.getOu());
// ensure ou exists in the OS-U pool:
OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
ou.setContextId(entity.getContextId());
if (!orgUnitP.isValid(ou)) {
String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] adding user with userId [" + entity.getUserId() + "]";
throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
}
// description attribute is optional:
if (StringUtils.isNotEmpty(entity.getDescription())) {
VUtil.description(entity.getDescription());
}
} else {
// on User update, all attributes are optional:
if (StringUtils.isNotEmpty(entity.getCn())) {
VUtil.safeText(entity.getCn(), GlobalIds.CN_LEN);
}
if (StringUtils.isNotEmpty(entity.getSn())) {
VUtil.safeText(entity.getSn(), GlobalIds.SN_LEN);
}
if (StringUtils.isNotEmpty(entity.getPassword())) {
VUtil.safeText(entity.getPassword(), GlobalIds.PASSWORD_LEN);
}
if (StringUtils.isNotEmpty(entity.getOu())) {
VUtil.orgUnit(entity.getOu());
// ensure ou exists in the OS-U pool:
OrgUnit ou = new OrgUnit(entity.getOu(), OrgUnit.Type.USER);
ou.setContextId(entity.getContextId());
if (!orgUnitP.isValid(ou)) {
String error = "validate detected invalid orgUnit name [" + entity.getOu() + "] updating user wth userId [" + entity.getUserId() + "]";
throw new ValidationException(GlobalErrIds.USER_OU_INVALID, error);
}
}
if (StringUtils.isNotEmpty(entity.getDescription())) {
VUtil.description(entity.getDescription());
}
}
// 1 OpenLDAP password policy name must be valid if set:
if (StringUtils.isNotEmpty(entity.getPwPolicy())) {
PwPolicy policy = new PwPolicy(entity.getPwPolicy());
policy.setContextId(entity.getContextId());
if (!policyP.isValid(policy)) {
String error = "validate detected invalid OpenLDAP policy name [" + entity.getPwPolicy() + "] for userId [" + entity.getUserId() + "]. Assignment is optional for User but must be valid if specified.";
throw new ValidationException(GlobalErrIds.USER_PW_PLCY_INVALID, error);
}
}
// 2 Validate constraints on User object:
ConstraintUtil.validate(entity);
// 3 Validate or copy constraints on RBAC roles:
if (CollectionUtils.isNotEmpty(entity.getRoles())) {
RoleP rp = new RoleP();
List<UserRole> roles = entity.getRoles();
for (UserRole ure : roles) {
Role inRole = new Role(ure.getName());
inRole.setContextId(entity.getContextId());
Role role = rp.read(inRole);
ConstraintUtil.validateOrCopy(role, ure);
}
}
// 4 Validate and copy constraints on Administrative roles:
if (CollectionUtils.isNotEmpty(entity.getAdminRoles())) {
List<UserAdminRole> uRoles = entity.getAdminRoles();
for (UserAdminRole uare : uRoles) {
AdminRole inRole = new AdminRole(uare.getName());
inRole.setContextId(entity.getContextId());
AdminRole outRole = admRoleP.read(inRole);
ConstraintUtil.validateOrCopy(outRole, uare);
// copy the ARBAC AdminRole attributes to UserAdminRole:
copyAdminAttrs(outRole, uare);
}
}
}
Also used :
OrgUnit(org.apache.directory.fortress.core.model.OrgUnit)
AdminRole(org.apache.directory.fortress.core.model.AdminRole)
Role(org.apache.directory.fortress.core.model.Role)
UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole)
UserRole(org.apache.directory.fortress.core.model.UserRole)
ValidationException(org.apache.directory.fortress.core.ValidationException)
UserRole(org.apache.directory.fortress.core.model.UserRole)
UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole)
AdminRole(org.apache.directory.fortress.core.model.AdminRole)
UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole)
PwPolicy(org.apache.directory.fortress.core.model.PwPolicy)
Example 14 with UserRole
use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.
the class DelAccessMgrRestImpl method canDeassign.
/**
* {@inheritDoc}
*/
@Override
public boolean canDeassign(Session session, User user, Role role) throws SecurityException {
String methodName = CLS_NM + ".canDeassign";
VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, methodName);
VUtil.assertNotNull(user, GlobalErrIds.USER_NULL, methodName);
VUtil.assertNotNull(role, GlobalErrIds.ROLE_NULL, methodName);
boolean result;
FortRequest request = new FortRequest();
request.setContextId(this.contextId);
UserRole uRole = new UserRole(user.getUserId(), role.getName());
request.setSession(session);
request.setEntity(uRole);
String szRequest = RestUtils.marshal(request);
String szResponse = RestUtils.getInstance().post(szRequest, HttpIds.ADMIN_DEASSIGN);
FortResponse response = RestUtils.unmarshall(szResponse);
if (response.getErrorCode() == 0) {
result = response.getAuthorized();
Session outSession = response.getSession();
session.copy(outSession);
} else {
throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
}
return result;
}
Also used :
UserRole(org.apache.directory.fortress.core.model.UserRole)
FortResponse(org.apache.directory.fortress.core.model.FortResponse)
SecurityException(org.apache.directory.fortress.core.SecurityException)
FortRequest(org.apache.directory.fortress.core.model.FortRequest)
Session(org.apache.directory.fortress.core.model.Session)
Example 15 with UserRole
use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.
the class RoleP method addOccupant.
/**
* Add the User dn occupant attribute to the OrganizationalRole entity in ldap. This method is called by AdminMgrImpl
* when the User is being added.
*
* @param uRoles contains a collection of UserRole being targeted for assignment.
* @param userDn contains the userId targeted for addition.
* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
* @throws SecurityException in the event of DAO search error.
*/
void addOccupant(List<UserRole> uRoles, String userDn, String contextId) throws SecurityException {
if (CollectionUtils.isNotEmpty(uRoles)) {
for (UserRole uRole : uRoles) {
Role role = new Role(uRole.getName());
role.setContextId(contextId);
assign(role, userDn);
}
}
}Aggregations
UserRole (org.apache.directory.fortress.core.model.UserRole)89
User (org.apache.directory.fortress.core.model.User)55
SecurityException (org.apache.directory.fortress.core.SecurityException)48
Session (org.apache.directory.fortress.core.model.Session)28
AccessMgr (org.apache.directory.fortress.core.AccessMgr)17
ArrayList (java.util.ArrayList)16
Role (org.apache.directory.fortress.core.model.Role)16
RoleConstraint (org.apache.directory.fortress.core.model.RoleConstraint)16
AdminMgr (org.apache.directory.fortress.core.AdminMgr)14
ReviewMgr (org.apache.directory.fortress.core.ReviewMgr)12
UserAdminRole (org.apache.directory.fortress.core.model.UserAdminRole)11
Constraint (org.apache.directory.fortress.core.model.Constraint)10
AdminRole (org.apache.directory.fortress.core.model.AdminRole)9
LdapException (org.apache.directory.api.ldap.model.exception.LdapException)7
AdminPermissionOperation (org.apache.directory.fortress.annotation.AdminPermissionOperation)7
AccelMgr (org.apache.directory.fortress.core.AccelMgr)6
FinderException (org.apache.directory.fortress.core.FinderException)6
SDSet (org.apache.directory.fortress.core.model.SDSet)6
LdapConnection (org.apache.directory.ldap.client.api.LdapConnection)6
Enumeration (java.util.Enumeration)5
