use of org.apache.directory.fortress.core.util.time.Validator in project directory-fortress-core by apache.
the class VUtil method validateConstraints.
/**
* This utility iterates over all of the Validators initialized for runtime and calls them passing the {@link org.apache.directory.fortress.core.model.Constraint} contained within the
* targeted entity. If a particular {@link org.apache.directory.fortress.core.model.UserRole} violates constraint it will not be activated. If {@link org.apache.directory.fortress.core.model.User} validation fails a ValidationException will be thrown thus preventing User logon.
*
* @param session contains {@link org.apache.directory.fortress.core.model.User} and {@link org.apache.directory.fortress.core.model.UserRole} constraints {@link org.apache.directory.fortress.core.model.Constraint} to be checked.
* @param type specifies User {@link ConstraintType#USER} or rOLE {@link ConstraintType#ROLE}.
* @param checkDsd will check DSD constraints if true
* @throws org.apache.directory.fortress.core.SecurityException in the event validation fails for User or system error occurs.
*/
public void validateConstraints(Session session, ConstraintType type, boolean checkDsd) throws SecurityException {
String location = "validateConstraints";
String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
String entityType = session.isGroupSession() ? "groupName" : "userId";
int rc;
if (validators == null) {
if (LOG.isDebugEnabled()) {
LOG.debug("{} " + entityType + " [{}] has no constraints enabled", location, entityId);
}
return;
} else // no need to continue if the role list is empty and we're trying to check role constraints:
if (type == ConstraintType.ROLE && CollectionUtils.isEmpty(session.getRoles()) && CollectionUtils.isEmpty(session.getAdminRoles())) {
if (LOG.isDebugEnabled()) {
LOG.debug("{} " + entityType + " [{}] has no roles assigned", location, entityId);
}
return;
}
for (Validator val : validators) {
Time currTime = TUtil.getCurrentTime();
// first check the constraint on the user:
if (type == ConstraintType.USER && !session.isGroupSession()) {
rc = val.validate(session, session.getUser(), currTime, type);
if (rc > 0) {
String info = location + " user [" + entityId + "] was deactivated reason code [" + rc + "]";
throw new ValidationException(rc, info);
}
} else // Check the constraints for each activated role:
{
if (CollectionUtils.isNotEmpty(session.getRoles())) {
// now check the constraint on every role activation candidate contained within session object:
List<UserRole> rolesToRemove = new ArrayList<>();
for (UserRole role : session.getRoles()) {
rc = val.validate(session, role, currTime, type);
if (rc > 0) {
rolesToRemove.add(role);
String msg = location + " role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
LOG.info(msg);
session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
}
}
// remove all roles not passing validation
session.getRoles().removeAll(rolesToRemove);
}
if (CollectionUtils.isNotEmpty(session.getAdminRoles())) {
// now check the constraint on every arbac role activation candidate contained within session object:
List<UserRole> rolesToRemove = new ArrayList<>();
for (UserRole role : session.getAdminRoles()) {
rc = val.validate(session, role, currTime, type);
if (rc > 0) {
rolesToRemove.add(role);
String msg = location + " admin role [" + role.getName() + "] for " + entityType + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
LOG.info(msg);
session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
}
}
// remove all roles not passing validation
session.getAdminRoles().removeAll(rolesToRemove);
}
}
}
// now perform DSD validation on session's impl roles:
if (checkDsd && DSDVALIDATOR != null && DSDVALIDATOR.length() > 0 && type == ConstraintType.ROLE && CollectionUtils.isNotEmpty(session.getRoles())) {
Validator dsdVal = (Validator) ClassUtil.createInstance(DSDVALIDATOR);
if (session.isGroupSession()) {
// pass session's group wrapped into constraint interface
dsdVal.validate(session, new ConstraintedGroup(session.getGroup()), null, null);
} else {
dsdVal.validate(session, session.getUser(), null, null);
}
}
// reset the user's last access timestamp:
session.setLastAccess();
}
use of org.apache.directory.fortress.core.util.time.Validator in project directory-fortress-core by apache.
the class VUtil method getValidators.
/**
* Utility is used internally by this class to retrieve a list of all Validator class names, instantiate and return.
*
* @return list of type {@link Validator} containing all active validation routines for entity constraint processing.
* @throws org.apache.directory.fortress.core.CfgException in the event validator cannot be instantiated.
*/
private List<Validator> getValidators() throws CfgException {
List<Validator> validators = new ArrayList<>();
for (int i = 0; ; i++) {
String prop = GlobalIds.VALIDATOR_PROPS + i;
String className = Config.getInstance().getProperty(prop);
if (className == null) {
break;
}
validators.add((Validator) ClassUtil.createInstance(className));
}
return validators;
}
Aggregations