Example 36 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class AccessMgrSample method testSessionRoles.

/**
 * The RBAC Session can be interrogated to return the list of all activated Roles within a User's Session.  The API
 * will cache these Roles in the User's Session object.  The Roles will also include temporal data that is used to
 * enforce the day, date and time for which a given Role may be placed in the User's Session.
 */
public static void testSessionRoles() {
    String szLocation = ".testSessionRoles";
    User inUser = new User(CreateUserSample.TEST_USERID);
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // The utility function creates a Fortress Session.  The Session contains the user's activated
        // roles along with other related attributes and status information (e.g. password status).
        Session session = createSession(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        // A null Session would be a bug and should never happen.  Fortress will throw a SecurityException if it cannot create.
        assertNotNull(session);
        // Get the activated Roles from the Session.
        List<UserRole> uRoles = accessMgr.sessionRoles(session);
        // The list of Roles could be null if User has not been assigned any or if all assigned failed activation checks.
        assertNotNull(uRoles);
        // Test to see that the list size is same as expected.
        assertTrue(szLocation + " list check, expected: 10, actual:" + uRoles.size(), uRoles.size() == 10);
        // program this would not be necessary.
        for (int i = 1; i < 11; i++) {
            UserRole inUserRole = new UserRole(inUser.getUserId(), CreateRoleSample.TEST_ROLE_PREFIX + i);
            assertTrue(szLocation + " contains check userId [" + inUserRole.getUserId() + "] role [" + inUserRole.getName() + "]", uRoles.contains(inUserRole));
            LOG.info(szLocation + " userId [" + inUserRole.getUserId() + "] activated role [" + inUserRole.getName() + "] found in session");
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : User(org.apache.directory.fortress.core.model.User) AccessMgr(org.apache.directory.fortress.core.AccessMgr) UserRole(org.apache.directory.fortress.core.model.UserRole) SecurityException(org.apache.directory.fortress.core.SecurityException) Session(org.apache.directory.fortress.core.model.Session)

Example 37 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class AccessMgrSample method testAddActiveRoles.

/**
 * The addActivateRole API allows only Roles that have been assigned to a given User to be activated in their
 * RBAC Session.  The API will also ensure that a given Role has passed its constraint tests which include
 * Static Separation of Duty (SSD) and RBAC Role temporal constraint validations.
 */
public static void testAddActiveRoles() {
    String szLocation = ".testAddActiveRoles";
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // authenticate will check the password but will not activate any roles into the Session.
        Session session = authenticate(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        assertNotNull(session);
        // now, activate roles into User's Session one at a time:
        for (int i = 1; i < 11; i++) {
            UserRole addUserRole = new UserRole(CreateUserSample.TEST_USERID, CreateRoleSample.TEST_ROLE_PREFIX + i);
            accessMgr.addActiveRole(session, addUserRole);
            LOG.info(szLocation + " userId [" + addUserRole.getUserId() + "] activated role [" + addUserRole.getName() + "] added to session");
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : AccessMgr(org.apache.directory.fortress.core.AccessMgr) UserRole(org.apache.directory.fortress.core.model.UserRole) SecurityException(org.apache.directory.fortress.core.SecurityException) Session(org.apache.directory.fortress.core.model.Session)

Example 38 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class AccessMgrSample method testDropActiveRoles.

/**
 * RBAC compliant systems allow User Roles to be activated and deactivated from their Session.  This facilitates
 * the principle of least privilege which prescribes only giving Users as much capability as they need to complete
 * their job duties.  This means not all Roles that a User may be authorized to activate will necessarily be active
 * at any one point in time.  This allows for separation of duty restrictions to be enforced.
 */
public static void testDropActiveRoles() {
    String szLocation = ".testDropActiveRoles";
    User inUser = new User(CreateUserSample.TEST_USERID);
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // Calling createSession and not setting any roles on User beforehand will attempt to activate all assigned Roles:
        Session session = createSession(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        assertNotNull(session);
        // now, drop roles from User's Session one at a time:
        for (int i = 1; i < 11; i++) {
            UserRole dropUserRole = new UserRole(inUser.getUserId(), CreateRoleSample.TEST_ROLE_PREFIX + i);
            accessMgr.dropActiveRole(session, dropUserRole);
            LOG.info(szLocation + " userId [" + dropUserRole.getUserId() + "] deactivated role [" + dropUserRole.getName() + "] removed from session");
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : User(org.apache.directory.fortress.core.model.User) AccessMgr(org.apache.directory.fortress.core.AccessMgr) UserRole(org.apache.directory.fortress.core.model.UserRole) SecurityException(org.apache.directory.fortress.core.SecurityException) Session(org.apache.directory.fortress.core.model.Session)

Example 39 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class AccessMgrSample method testDisplayUserSession.

/**
 * This test writes all of the User Session attributes to the test machine's log.  It is intended
 * to demonstrate what data is carried within a User's Fortress Session object.
 */
public static void testDisplayUserSession() {
    String szLocation = ".testDisplayUserSession";
    try {
        // Instantiate the AccessMgr implementation.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(TestUtils.getContext());
        // The utility function creates a Fortress Session.  The Session contains the user's activated
        // roles along with other related attributes and status information (e.g. password status).
        Session session = createSession(CreateUserSample.TEST_USERID, CreateUserSample.TEST_PASSWORD, accessMgr);
        assertNotNull(session);
        User user = accessMgr.getUser(session);
        assertNotNull(user);
        LOG.info(szLocation);
        LOG.info("S   UID  [" + session.getUserId() + "]:");
        LOG.info("S   IID  [" + session.getInternalUserId() + "]");
        LOG.info("S   ERR  [" + session.getErrorId() + "]");
        LOG.info("S   WARN [" + session.getWarnings() + "]");
        LOG.info("S   MSG  [" + session.getMsg() + "]");
        LOG.info("S   EXP  [" + session.getExpirationSeconds() + "]");
        LOG.info("S   GRAC [" + session.getGraceLogins() + "]");
        LOG.info("S   AUTH [" + session.isAuthenticated() + "]");
        LOG.info("S   LAST [" + session.getLastAccess() + "]");
        LOG.info("S   SID  [" + session.getSessionId() + "]");
        LOG.info("------------------------------------------");
        LOG.info("U   UID  [" + user.getUserId() + "]");
        LOG.info("U   IID  [" + user.getInternalId() + "]");
        LOG.info("U   CN   [" + user.getCn() + "]");
        LOG.info("U   DESC [" + user.getDescription() + "]");
        LOG.info("U   OU   [" + user.getOu() + "]");
        LOG.info("U   SN   [" + user.getSn() + "]");
        LOG.info("U   BDTE [" + user.getBeginDate() + "]");
        LOG.info("U   EDTE [" + user.getEndDate() + "]");
        LOG.info("U   BLDT [" + user.getBeginLockDate() + "]");
        LOG.info("U   ELDT [" + user.getEndLockDate() + "]");
        LOG.info("U   DMSK [" + user.getDayMask() + "]");
        LOG.info("U   TO   [" + user.getTimeout() + "]");
        LOG.info("U   REST [" + user.isReset() + "]");
        if (user.getProperties() != null && user.getProperties().size() > 0) {
            int ctr = 0;
            for (Enumeration<?> e = user.getProperties().propertyNames(); e.hasMoreElements(); ) {
                String key = (String) e.nextElement();
                String val = user.getProperty(key);
                LOG.info("U   PROP[" + ctr++ + "]=" + key + " VAL=" + val);
            }
        }
        List<UserRole> roles = session.getRoles();
        if (roles != null) {
            for (int i = 0; i < roles.size(); i++) {
                UserRole ur = roles.get(i);
                LOG.info("    USER ROLE[" + i + "]:");
                LOG.info("        role name [" + ur.getName() + "]");
                LOG.info("        begin time [" + ur.getBeginTime() + "]");
                LOG.info("        end time [" + ur.getEndTime() + "]");
                LOG.info("        begin date [" + ur.getBeginDate() + "]");
                LOG.info("        end date [" + ur.getEndDate() + "]");
                LOG.info("        begin lock [" + ur.getBeginLockDate() + "]");
                LOG.info("        end lock [" + ur.getEndLockDate() + "]");
                LOG.info("        day mask [" + ur.getDayMask() + "]");
                LOG.info("        time out [" + ur.getTimeout() + "]");
            }
        }
        List<UserAdminRole> aRoles = session.getAdminRoles();
        if (aRoles != null) {
            for (int i = 0; i < aRoles.size(); i++) {
                UserAdminRole ur = aRoles.get(i);
                LOG.info("    USER ADMIN ROLE[" + i + "]:");
                LOG.info("        admin role name [" + ur.getName() + "]");
                LOG.info("        OsU [" + ur.getOsUSet() + "]");
                LOG.info("        OsP [" + ur.getOsPSet() + "]");
                LOG.info("        begin range [" + ur.getBeginRange() + "]");
                LOG.info("        end range [" + ur.getEndRange() + "]");
                LOG.info("        begin time [" + ur.getBeginTime() + "]");
                LOG.info("        end time [" + ur.getEndTime() + "]");
                LOG.info("        begin date [" + ur.getBeginDate() + "]");
                LOG.info("        end date [" + ur.getEndDate() + "]");
                LOG.info("        begin lock [" + ur.getBeginLockDate() + "]");
                LOG.info("        end lock [" + ur.getEndLockDate() + "]");
                LOG.info("        day mask [" + ur.getDayMask() + "]");
                LOG.info("        time out [" + ur.getTimeout() + "]");
            }
        }
        java.util.Properties jProps = System.getProperties();
        if (jProps != null && jProps.size() > 0) {
            int ctr = 0;
            for (Enumeration<?> e = jProps.propertyNames(); e.hasMoreElements(); ) {
                String key = (String) e.nextElement();
                String val = jProps.getProperty(key);
                LOG.info("J   PROP[" + ctr++ + "]=" + key + " VAL=" + val);
            }
        }
    } catch (SecurityException ex) {
        LOG.error(szLocation + " caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : User(org.apache.directory.fortress.core.model.User) Enumeration(java.util.Enumeration) UserAdminRole(org.apache.directory.fortress.core.model.UserAdminRole) SecurityException(org.apache.directory.fortress.core.SecurityException) AccessMgr(org.apache.directory.fortress.core.AccessMgr) UserRole(org.apache.directory.fortress.core.model.UserRole) Session(org.apache.directory.fortress.core.model.Session)

Example 40 with UserRole

use of org.apache.directory.fortress.core.model.UserRole in project directory-fortress-core by apache.

the class ReviewMgrImplTest method findUserRoleWithConstraints.

public static void findUserRoleWithConstraints(String msg, String usr, String role, RoleConstraint.RCType rcType, String paSetName) {
    LogUtil.logIt(msg);
    try {
        ReviewMgr reviewMgr = getManagedReviewMgr();
        List<UserRole> urs = reviewMgr.assignedUsers(new Role(role), rcType, paSetName);
        assertTrue(urs.size() > 0);
        assertTrue(urs.get(0).getRoleConstraints().size() > 0);
        LOG.debug("findUserRoleWithConstraints paSetName [" + paSetName + "] successful");
    } catch (SecurityException ex) {
        LOG.error("findUserRoleWithConstraints paSetName [" + paSetName + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
        fail(ex.getMessage());
    }
}
Also used : Role(org.apache.directory.fortress.core.model.Role) UserRole(org.apache.directory.fortress.core.model.UserRole) ReviewMgr(org.apache.directory.fortress.core.ReviewMgr) SecurityException(org.apache.directory.fortress.core.SecurityException)
