
Example 31 with LdapConnection

use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.

the class PermDAO method grant.

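/**
 * Grants a permission operation to a user by adding the user's id to the
 * {@code USERS} attribute of the permission operation's directory entry.
 *
 * @param pOp  permission operation to grant; together with its context id it is
 *             used to compute the target entry DN via {@link #getDn}.
 * @param user user receiving the grant; {@code user.getUserId()} is the value added.
 * @throws UpdateException with {@link GlobalErrIds#PERM_USER_EXIST} when the user is already
 *         assigned to the permission, {@link GlobalErrIds#PERM_OP_NOT_FOUND} when the permission
 *         entry does not exist, or {@link GlobalErrIds#PERM_GRANT_USER_FAILED} for any other
 *         LDAP failure. The underlying LDAP exception is always attached as the cause.
 */
void grant(Permission pOp, User user) throws UpdateException {
    LdapConnection ld = null;
    String dn = getDn(pOp, pOp.getContextId());
    try {
        List<Modification> mods = new ArrayList<>();
        // Add-attribute on a value that is already present is what raises LdapAttributeInUseException below.
        mods.add(new DefaultModification(ModificationOperation.ADD_ATTRIBUTE, USERS, user.getUserId()));
        ld = getAdminConnection();
        modify(ld, dn, mods, pOp);
    } catch (LdapAttributeInUseException e) {
        String warning = "grant perm object [" + pOp.getObjName() + "] operation [" + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment already exists, Fortress rc=" + GlobalErrIds.PERM_USER_EXIST;
        // Keep the LDAP exception as the cause (previously dropped) so the failure can be traced.
        throw new UpdateException(GlobalErrIds.PERM_USER_EXIST, warning, e);
    } catch (LdapNoSuchObjectException e) {
        String warning = "grant perm object [" + pOp.getObjName() + "] operation [" + pOp.getOpName() + "] userId [" + user.getUserId() + "] perm not found, Fortress rc=" + GlobalErrIds.PERM_OP_NOT_FOUND;
        // Keep the LDAP exception as the cause (previously dropped) so the failure can be traced.
        throw new UpdateException(GlobalErrIds.PERM_OP_NOT_FOUND, warning, e);
    } catch (LdapException e) {
        String error = "grant perm object [" + pOp.getObjName() + "] operation [" + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LdapException=" + e.getMessage();
        throw new UpdateException(GlobalErrIds.PERM_GRANT_USER_FAILED, error, e);
    } finally {
        // Safe when ld is still null (connection acquisition failed); returns the pooled connection otherwise.
        closeAdminConnection(ld);
    }
}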

Example 32 with LdapConnection

use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.

the class PermDAO method findPermissions.

/**
 * Searches the permission subtree for operations whose object name and operation
 * name begin with the values carried in {@code permission}; both values are matched
 * as prefixes because a trailing wildcard is appended to each.
 *
 * @param permission supplies the object-name and operation-name prefixes, the admin
 *                   flag (selects the permission root) and the context id (tenant).
 * @return the matching permissions in cursor order; empty when nothing matches, never {@code null}.
 * @throws FinderException with {@link GlobalErrIds#PERM_SEARCH_FAILED} when the LDAP
 *         search or the cursor iteration fails; the original exception is attached as cause.
 */
List<Permission> findPermissions(Permission permission) throws FinderException {
    List<Permission> matches = new ArrayList<>();
    LdapConnection conn = null;
    String searchBase = getRootDn(permission.isAdmin(), permission.getContextId());
    try {
        // Caller-supplied text is escaped (and length-limited) before it is placed into the filter.
        String objNameVal = encodeSafeText(permission.getObjName(), GlobalIds.PERM_LEN);
        String opNameVal = encodeSafeText(permission.getOpName(), GlobalIds.PERM_LEN);
        String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")("
            + GlobalIds.POBJ_NAME + "=" + objNameVal + "*)("
            + GlobalIds.POP_NAME + "=" + opNameVal + "*))";
        conn = getAdminConnection();
        // NOTE(review): the cursor is not closed here; whether the search helper or the pooled
        // connection takes care of that is not visible in this method — confirm.
        SearchCursor cursor = search(conn, searchBase, SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE);
        // The sequence number handed to the unloader is the zero-based position of the entry.
        for (long position = 0; cursor.next(); position++) {
            matches.add(unloadPopLdapEntry(cursor.getEntry(), position, permission.isAdmin()));
        }
    } catch (LdapException e) {
        String error = "findPermissions caught LdapException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
    } catch (CursorException e) {
        String error = "findPermissions caught CursorException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_SEARCH_FAILED, error, e);
    } finally {
        closeAdminConnection(conn);
    }
    return matches;
}

Example 33 with LdapConnection

use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.

the class PermDAO method checkPermission.

/**
 * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
 * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
 * record storage on ldap server but can be disabled.
 * <p>
 * The check fails closed: the result starts out {@code false} and is only ever set by {@link #isAuthorized};
 * an LDAP failure other than a missing permission entry is raised as a {@link FinderException} instead of
 * being turned into a result.
 *
 * @param session contains {@link Session#getUserId()}, for impl check {@link org.apache.directory.fortress.core.model.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.model.Session#getAdminRoles()}.
 * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link org.apache.directory.fortress.core.model.Permission#objId} is optional.
 * @return boolean containing result of check; {@code false} when the permission entry is absent or the user is not authorized.
 * @throws org.apache.directory.fortress.core.FinderException
 *          with {@link GlobalErrIds#PERM_NOT_EXIST} when the read returns no entry, or
 *          {@link GlobalErrIds#PERM_READ_OP_FAILED} when the read fails for any reason other than a missing entry.
 */
boolean checkPermission(Session session, Permission inPerm) throws FinderException {
    // Default is "not authorized"; nothing below sets it to true except isAuthorized().
    boolean isAuthZd = false;
    LdapConnection ld = null;
    // NOTE(review): objName / objId are concatenated into the DN without RFC 4514 escaping;
    // this relies on those values having been validated before reaching the DAO — confirm.
    String dn = getOpRdn(inPerm.getOpName(), inPerm.getObjId()) + "," + GlobalIds.POBJ_NAME + "=" + inPerm.getObjName() + "," + getRootDn(inPerm.isAdmin(), inPerm.getContextId());
    try {
        ld = getAdminConnection();
        // LDAP Operation #1: Read the targeted permission from ldap server
        Entry entry = read(ld, dn, PERMISSION_OP_ATRS);
        if (entry == null) {
            // if permission not found, cannot continue.
            String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
            throw new FinderException(GlobalErrIds.PERM_NOT_EXIST, error);
        }
        // load the permission entity with data retrieved from the permission node:
        Permission outPerm = unloadPopLdapEntry(entry, 0, inPerm.isAdmin());
        // The admin flag will be set to 'true' if this is an administrative permission:
        outPerm.setAdmin(inPerm.isAdmin());
        // Pass the tenant id along:
        outPerm.setContextId(inPerm.getContextId());
        // The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a write to slapd access logger containing the result.
        // The objectClass triggered by slapd access log write for upcoming ldap op is 'auditCompare'.
        // Set this attribute either with actual operation name that will succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
        String attributeValue;
        // This method determines if the user is authorized for this permission (the only place the result can become true):
        isAuthZd = isAuthorized(session, outPerm);
        // This is done to leave an audit trail in ldap server log:
        if (isAuthZd) {
            // Yes, set the operation name onto this attribute for storage into audit trail:
            attributeValue = outPerm.getOpName();
        } else {
            // Changing this attribute value forces the compare to fail.  This facilitates tracking of authorization failures events in the slapd access log (by searching for compare failures).
            attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR;
        }
        // LDAP Operation #2: Compare.
        // Group sessions carry no user DN to audit against, so the compare is skipped for them.
        if (!session.isGroupSession()) {
            addAuthZAudit(ld, dn, session.getUser().getDn(), attributeValue);
        }
    } catch (LdapException e) {
        if (!(e instanceof LdapNoSuchObjectException)) {
            String error = "checkPermission caught LdapException=" + e.getMessage();
            throw new FinderException(GlobalErrIds.PERM_READ_OP_FAILED, error, e);
        }
        // A missing permission entry reported by the server is audited and answered with 'false';
        // note this differs from the null-entry branch above, which throws PERM_NOT_EXIST instead.
        // NOTE(review): ld is still null here if getAdminConnection() itself threw; how addAuthZAudit
        // handles a null connection is not visible in this method — confirm.
        // There is a switch in fortress config to disable the audit ops.
        if (!session.isGroupSession()) {
            addAuthZAudit(ld, dn, session.getUser().getDn(), "AuthZ Invalid");
        }
    } finally {
        closeAdminConnection(ld);
    }
    return isAuthZd;
}

Example 34 with LdapConnection

use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.

the class PermDAO method getPerm.

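/**
 * Reads a single permission object entry by its object name.
 *
 * @param permObj carries the object name, the admin flag (selects the permission root)
 *                and the context id (tenant) used to build the entry DN.
 * @return the permission object loaded from the directory entry; never {@code null}.
 * @throws FinderException with {@link GlobalErrIds#PERM_OBJ_NOT_FOUND} when no entry exists
 *         at the computed DN (either reported by the server or returned as a null entry), or
 *         {@link GlobalErrIds#PERM_READ_OBJ_FAILED} for any other LDAP failure. The underlying
 *         LDAP exception is attached as the cause whenever one was raised.
 */
PermObj getPerm(PermObj permObj) throws FinderException {
    PermObj entity = null;
    LdapConnection ld = null;
    // NOTE(review): objName is concatenated into the DN without RFC 4514 escaping;
    // this relies on the value having been validated before reaching the DAO — confirm.
    String dn = GlobalIds.POBJ_NAME + "=" + permObj.getObjName() + "," + getRootDn(permObj.isAdmin(), permObj.getContextId());
    try {
        ld = getAdminConnection();
        Entry findEntry = read(ld, dn, PERMISION_OBJ_ATRS);
        if (findEntry == null) {
            String warning = "getPerm Obj no entry found dn [" + dn + "]";
            throw new FinderException(GlobalErrIds.PERM_OBJ_NOT_FOUND, warning);
        }
        entity = unloadPobjLdapEntry(findEntry, 0, permObj.isAdmin());
    } catch (LdapNoSuchObjectException e) {
        String warning = "getPerm Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
        // Keep the LDAP exception as the cause (previously dropped), consistent with the handler below.
        throw new FinderException(GlobalErrIds.PERM_OBJ_NOT_FOUND, warning, e);
    } catch (LdapException e) {
        String error = "getPerm Obj dn [" + dn + "] caught LdapException=" + e.getMessage();
        throw new FinderException(GlobalErrIds.PERM_READ_OBJ_FAILED, error, e);
    } finally {
        // Safe when ld is still null (connection acquisition failed); returns the pooled connection otherwise.
        closeAdminConnection(ld);
    }
    return entity;
}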

Example 35 with LdapConnection

use of org.apache.directory.ldap.client.api.LdapConnection in project directory-fortress-core by apache.

the class PermDAO method createPermissionAttribute.

/**
 * Creates a new permission-attribute entry beneath the named attribute set and
 * returns the same entity updated with its freshly generated internal id and DN.
 *
 * @param entity           attribute definition to persist; its internal id and DN are
 *                         set on this instance as a side effect.
 * @param attributeSetName name of the attribute set the new entry belongs to; also
 *                         stored on the entry itself.
 * @return {@code entity}, now carrying the internal id and DN of the created entry.
 * @throws CreateException with {@link GlobalErrIds#PERM_ATTR_ADD_FAILED} when building or
 *         adding the entry fails; the LDAP exception is attached as the cause.
 */
PermissionAttribute createPermissionAttribute(PermissionAttribute entity, String attributeSetName) throws CreateException {
    LdapConnection conn = null;
    String dn = getDn(entity, attributeSetName, entity.getContextId());
    try {
        Entry newEntry = new DefaultEntry(dn);
        newEntry.add(SchemaConstants.OBJECT_CLASS_AT, PERM_ATTR_OBJ_CLASS);
        // Assign a fresh internal id to the entity before it is written out.
        entity.setInternalId();
        newEntry.add(GlobalIds.FT_IID, entity.getInternalId());
        newEntry.add(GlobalIds.FT_PERMISSION_ATTRIBUTE, entity.getAttributeName());
        newEntry.add(GlobalIds.FT_PERMISSION_ATTRIBUTE_SET, attributeSetName);
        // Optional single-valued attributes, written only when populated, in this fixed order.
        String[][] optionalAttrs = {
            { SchemaConstants.DESCRIPTION_AT, entity.getDescription() },
            { GlobalIds.FT_PERMISSION_ATTRIBUTE_DATA_TYPE, entity.getDataType() },
            { GlobalIds.FT_PERMISSION_ATTRIBUTE_DEFAULT_OPERATOR, entity.getDefaultOperator() },
            { GlobalIds.FT_PERMISSION_ATTRIBUTE_DEFAULT_STRATEGY, entity.getDefaultStrategy() },
            { GlobalIds.FT_PERMISSION_ATTRIBUTE_DEFAULT_VALUE, entity.getDefaultValue() }
        };
        for (String[] pair : optionalAttrs) {
            if (StringUtils.isNotEmpty(pair[1])) {
                newEntry.add(pair[0], pair[1]);
            }
        }
        // Multi-valued: one attribute value per valid value.
        // NOTE(review): assumes getValidValues() never returns null — confirm on the model class.
        for (String allowed : entity.getValidValues()) {
            newEntry.add(GlobalIds.FT_PERMISSION_ATTRIBUTE_VALID_VALUES, allowed);
        }
        // The entry's object class requires a CN; the attribute name doubles as it.
        newEntry.add(SchemaConstants.CN_AT, entity.getAttributeName());
        conn = getAdminConnection();
        add(conn, newEntry, entity);
        // Only record the DN on the entity once the add has succeeded.
        entity.setDn(dn);
    } catch (LdapException e) {
        String error = "createPermissionAttribute name [" + entity.getAttributeName() + "] caught LdapException=" + e.getMessage();
        throw new CreateException(GlobalErrIds.PERM_ATTR_ADD_FAILED, error, e);
    } finally {
        closeAdminConnection(conn);
    }
    return entity;
}
