Search in sources :

Example 1 with Time

use of org.apache.directory.fortress.core.util.time.Time in project directory-fortress-core by apache.

the class VUtil method validateConstraints.

/**
 * This utility iterates over all of the Validators initialized for runtime and calls them passing the {@link org.apache.directory.fortress.core.model.Constraint} contained within the
 * targeted entity.  If a particular {@link org.apache.directory.fortress.core.model.UserRole} violates constraint it will not be activated.  If {@link org.apache.directory.fortress.core.model.User} validation fails a ValidationException will be thrown thus preventing User logon.
 *
 * @param session contains {@link org.apache.directory.fortress.core.model.User} and {@link org.apache.directory.fortress.core.model.UserRole} constraints {@link org.apache.directory.fortress.core.model.Constraint} to be checked.
 * @param type    specifies User {@link ConstraintType#USER} or rOLE {@link ConstraintType#ROLE}.
 * @param checkDsd will check DSD constraints if true
 * @throws org.apache.directory.fortress.core.SecurityException in the event validation fails for User or system error occurs.
 */
public void validateConstraints(Session session, ConstraintType type, boolean checkDsd) throws SecurityException {
    String location = "validateConstraints";
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";
    int rc;
    if (validators == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}] has no constraints enabled", location, entityId);
        }
        return;
    } else // no need to continue if the role list is empty and we're trying to check role constraints:
    if (type == ConstraintType.ROLE && CollectionUtils.isEmpty(session.getRoles()) && CollectionUtils.isEmpty(session.getAdminRoles())) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}]  has no roles assigned", location, entityId);
        }
        return;
    }
    for (Validator val : validators) {
        Time currTime = TUtil.getCurrentTime();
        // first check the constraint on the user:
        if (type == ConstraintType.USER && !session.isGroupSession()) {
            rc = val.validate(session, session.getUser(), currTime, type);
            if (rc > 0) {
                String info = location + " user [" + entityId + "] was deactivated reason code [" + rc + "]";
                throw new ValidationException(rc, info);
            }
        } else // Check the constraints for each activated role:
        {
            if (CollectionUtils.isNotEmpty(session.getRoles())) {
                // now check the constraint on every role activation candidate contained within session object:
                List<UserRole> rolesToRemove = new ArrayList<>();
                for (UserRole role : session.getRoles()) {
                    rc = val.validate(session, role, currTime, type);
                    if (rc > 0) {
                        rolesToRemove.add(role);
                        String msg = location + " role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
                        LOG.info(msg);
                        session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
                    }
                }
                // remove all roles not passing validation
                session.getRoles().removeAll(rolesToRemove);
            }
            if (CollectionUtils.isNotEmpty(session.getAdminRoles())) {
                // now check the constraint on every arbac role activation candidate contained within session object:
                List<UserRole> rolesToRemove = new ArrayList<>();
                for (UserRole role : session.getAdminRoles()) {
                    rc = val.validate(session, role, currTime, type);
                    if (rc > 0) {
                        rolesToRemove.add(role);
                        String msg = location + " admin role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
                        LOG.info(msg);
                        session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
                    }
                }
                // remove all roles not passing validation
                session.getAdminRoles().removeAll(rolesToRemove);
            }
        }
    }
    // now perform DSD validation on session's impl roles:
    if (checkDsd && DSDVALIDATOR != null && DSDVALIDATOR.length() > 0 && type == ConstraintType.ROLE && CollectionUtils.isNotEmpty(session.getRoles())) {
        Validator dsdVal = (Validator) ClassUtil.createInstance(DSDVALIDATOR);
        if (session.isGroupSession()) {
            // pass session's group wrapped into constraint interface
            dsdVal.validate(session, new ConstraintedGroup(session.getGroup()), null, null);
        } else {
            dsdVal.validate(session, session.getUser(), null, null);
        }
    }
    // reset the user's last access timestamp:
    session.setLastAccess();
}
Also used : ValidationException(org.apache.directory.fortress.core.ValidationException) ObjectFactory(org.apache.directory.fortress.core.model.ObjectFactory) UserRole(org.apache.directory.fortress.core.model.UserRole) ArrayList(java.util.ArrayList) Time(org.apache.directory.fortress.core.util.time.Time) Constraint(org.apache.directory.fortress.core.model.Constraint) Validator(org.apache.directory.fortress.core.util.time.Validator)

Aggregations

ArrayList (java.util.ArrayList)1 ValidationException (org.apache.directory.fortress.core.ValidationException)1 Constraint (org.apache.directory.fortress.core.model.Constraint)1 ObjectFactory (org.apache.directory.fortress.core.model.ObjectFactory)1 UserRole (org.apache.directory.fortress.core.model.UserRole)1 Time (org.apache.directory.fortress.core.util.time.Time)1 Validator (org.apache.directory.fortress.core.util.time.Validator)1