Use of org.apache.syncope.common.lib.to.RoleTO in the Apache Syncope project.
Class DynRealmITCase, method delegatedAdmin.
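/**
 * Verifies delegated administration scoped by a dynamic realm.
 *
 * <p>A dynamic realm collects every user and group with {@code resource-ldap} assigned; a role granting
 * user / group entitlements on that dynamic realm only is created and assigned to a fresh user. Acting as
 * that user, the test checks that members of the dynamic realm can be read, searched and updated, and that
 * an update which would take a member out of the dynamic realm (removing {@code resource-ldap}) is refused
 * with {@code ClientExceptionType.DelegatedAdministration} - the delegated admin must not be able to modify
 * an object beyond the scope it is entitled on.
 *
 * <p>The role and the dynamic realm are deleted in {@code finally}; the users and the group created along
 * the way are not removed here.
 */
@Test
public void delegatedAdmin() {
    // password set on the delegated admin and then used to authenticate as that user in step 6
    final String delegatedAdminPassword = "password123";

    DynRealmTO dynRealm = null;
    RoleTO role = null;
    try {
        // 1. create dynamic realm for all users and groups having resource-ldap assigned
        dynRealm = new DynRealmTO();
        dynRealm.setKey("LDAPLovers" + getUUIDString());
        dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "$resources==resource-ldap");
        dynRealm.getDynMembershipConds().put(AnyTypeKind.GROUP.name(), "$resources==resource-ldap");
        Response response = dynRealmService.create(dynRealm);
        // re-read the server-side copy from the Location header returned on creation
        dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
        assertNotNull(dynRealm);

        // 2. create role for such dynamic realm
        role = new RoleTO();
        role.setKey("Administer LDAP" + getUUIDString());
        role.getEntitlements().add(StandardEntitlement.USER_SEARCH);
        role.getEntitlements().add(StandardEntitlement.USER_READ);
        role.getEntitlements().add(StandardEntitlement.USER_UPDATE);
        role.getEntitlements().add(StandardEntitlement.GROUP_READ);
        role.getEntitlements().add(StandardEntitlement.GROUP_UPDATE);
        // the role is scoped to the dynamic realm only: no static realm is added
        role.getDynRealms().add(dynRealm.getKey());
        role = createRole(role);
        assertNotNull(role);

        // 3. create new user and assign the new role
        UserTO dynRealmAdmin = UserITCase.getUniqueSampleTO("dynRealmAdmin@apache.org");
        dynRealmAdmin.setPassword(delegatedAdminPassword);
        dynRealmAdmin.getRoles().add(role.getKey());
        dynRealmAdmin = createUser(dynRealmAdmin).getEntity();
        assertNotNull(dynRealmAdmin);

        // 4. create new user and group, assign resource-ldap
        UserTO user = UserITCase.getUniqueSampleTO("dynRealmUser@apache.org");
        user.setRealm("/even/two");
        user.getResources().clear();
        user.getResources().add(RESOURCE_NAME_LDAP);
        user = createUser(user).getEntity();
        assertNotNull(user);
        final String userKey = user.getKey();

        GroupTO group = GroupITCase.getSampleTO("dynRealmGroup");
        group.setRealm("/odd");
        group.getResources().clear();
        group.getResources().add(RESOURCE_NAME_LDAP);
        group = createGroup(group).getEntity();
        assertNotNull(group);
        final String groupKey = group.getKey();

        if (ElasticsearchDetector.isElasticSearchEnabled(syncopeService)) {
            // presumably lets the Elasticsearch index catch up before the searches below - confirm
            try {
                Thread.sleep(2000);
            } catch (InterruptedException ex) {
                // do not swallow the interrupt: restore the flag so the harness can still stop this thread
                Thread.currentThread().interrupt();
            }
        }

        // 5. verify that the new user and group are found when searching by dynamic realm
        PagedResult<UserTO> matchingUsers = userService.search(new AnyQuery.Builder().
                realm("/").
                fiql(SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).
                build());
        assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
        PagedResult<GroupTO> matchingGroups = groupService.search(new AnyQuery.Builder().
                realm("/").
                fiql(SyncopeClient.getGroupSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).
                build());
        assertTrue(matchingGroups.getResult().stream().anyMatch(object -> object.getKey().equals(groupKey)));

        // 6. prepare to act as delegated admin
        SyncopeClient delegatedClient = clientFactory.create(dynRealmAdmin.getUsername(), delegatedAdminPassword);
        UserService delegatedUserService = delegatedClient.getService(UserService.class);
        GroupService delegatedGroupService = delegatedClient.getService(GroupService.class);

        // 7. verify delegated administration
        // USER_READ
        assertNotNull(delegatedUserService.read(userKey));
        // GROUP_READ
        assertNotNull(delegatedGroupService.read(groupKey));
        // USER_SEARCH
        matchingUsers = delegatedUserService.search(new AnyQuery.Builder().realm("/").build());
        assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
        // USER_UPDATE
        UserPatch userPatch = new UserPatch();
        userPatch.setKey(userKey);
        userPatch.getResources().add(new StringPatchItem.Builder().
                value(RESOURCE_NAME_LDAP).operation(PatchOperation.DELETE).build());
        // this will fail because unassigning resource-ldap would result in removing the user from the dynamic realm,
        // i.e. out of the only scope the delegated admin is entitled on; the server reports DelegatedAdministration
        try {
            delegatedUserService.update(userPatch);
            fail("This should not happen");
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
        }
        // this will succeed instead: adding a resource keeps the user inside the dynamic realm
        userPatch.getResources().clear();
        userPatch.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_NOPROPAGATION).build());
        user = delegatedUserService.update(userPatch).
                readEntity(new GenericType<ProvisioningResult<UserTO>>() {
                }).getEntity();
        assertNotNull(user);
        assertTrue(user.getResources().contains(RESOURCE_NAME_NOPROPAGATION));
        // GROUP_UPDATE
        GroupPatch groupPatch = new GroupPatch();
        groupPatch.setKey(groupKey);
        groupPatch.getPlainAttrs().add(new AttrPatch.Builder().attrTO(attrTO("icon", "modified")).build());
        group = delegatedGroupService.update(groupPatch).
                readEntity(new GenericType<ProvisioningResult<GroupTO>>() {
                }).getEntity();
        assertNotNull(group);
        assertEquals("modified", group.getPlainAttr("icon").get().getValues().get(0));
    } finally {
        // remove in reverse order of creation: the role references the dynamic realm
        if (role != null) {
            roleService.delete(role.getKey());
        }
        if (dynRealm != null) {
            dynRealmService.delete(dynRealm.getKey());
        }
    }
}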
Use of org.apache.syncope.common.lib.to.RoleTO in the Apache Syncope project.
Class RoleServiceImpl, method create.
/**
 * Creates a new role and answers with {@code 201 Created}.
 *
 * @param roleTO the role to create
 * @return response whose {@code Location} header is the request path followed by the key of the created
 * role, and whose {@link RESTHeaders#RESOURCE_KEY} header carries that same key
 */
@Override
public Response create(final RoleTO roleTO) {
    final String createdKey = logic.create(roleTO).getKey();
    final URI createdLocation = uriInfo.getAbsolutePathBuilder().path(createdKey).build();
    return Response.created(createdLocation).
            header(RESTHeaders.RESOURCE_KEY, createdKey).
            build();
}
Use of org.apache.syncope.common.lib.to.RoleTO in the Apache Syncope project.
Class RoleDirectoryPanel, method getActions.
/**
 * Builds the per-row action links for a role: edit, clone, list members, edit console layout and delete.
 *
 * <p>Every link is registered through {@code panel.add(...)} together with a {@code StandardEntitlement};
 * presumably {@code ActionsPanel} uses it to decide whether the link is offered - verify against
 * {@code ActionsPanel.add}. The members panel additionally authorizes its own rendering on
 * {@code USER_SEARCH} via {@code MetaDataRoleAuthorizationStrategy}.
 *
 * @param model model of the role the actions refer to
 * @return the actions panel provided by the superclass, extended with the role-specific links
 */
@Override
public ActionsPanel<RoleTO> getActions(final IModel<RoleTO> model) {
    final ActionsPanel<RoleTO> panel = super.getActions(model);

    // EDIT: the role is re-read from the REST layer rather than taken from the row model, then handed to the wizard
    panel.add(new ActionLink<RoleTO>() {

        private static final long serialVersionUID = -7978723352517770644L;

        @Override
        public void onClick(final AjaxRequestTarget target, final RoleTO ignore) {
            send(RoleDirectoryPanel.this, Broadcast.EXACT,
                    new AjaxWizard.EditItemActionEvent<>(
                            new RoleWrapper(new RoleRestClient().read(model.getObject().getKey())), target));
        }
    }, ActionLink.ActionType.EDIT, StandardEntitlement.ROLE_READ);

    // CLONE: deep copy of the row model; the key is cleared so the wizard treats it as a new role
    panel.add(new ActionLink<RoleTO>() {

        private static final long serialVersionUID = -7978723352517770644L;

        @Override
        public void onClick(final AjaxRequestTarget target, final RoleTO ignore) {
            final RoleTO clone = SerializationUtils.clone(model.getObject());
            clone.setKey(null);
            send(RoleDirectoryPanel.this, Broadcast.EXACT,
                    new AjaxWizard.NewItemActionEvent<>(new RoleWrapper(clone), target));
        }
    }, ActionLink.ActionType.CLONE, StandardEntitlement.ROLE_CREATE);

    // MEMBERS: opens a user directory, rooted at "/", filtered by "in this role AND key not null"
    panel.add(new ActionLink<RoleTO>() {

        private static final long serialVersionUID = -7978723352517770644L;

        @Override
        public void onClick(final AjaxRequestTarget target, final RoleTO ignore) {
            final String query = SyncopeClient.getUserSearchConditionBuilder().and(
                    SyncopeClient.getUserSearchConditionBuilder().inRoles(model.getObject().getKey()),
                    SyncopeClient.getUserSearchConditionBuilder().is("key").notNullValue()).query();

            final AnyTypeRestClient typeRestClient = new AnyTypeRestClient();
            final AnyTypeClassRestClient classRestClient = new AnyTypeClassRestClient();
            final AnyTypeTO anyTypeTO = typeRestClient.read(AnyTypeKind.USER.name());

            // NOTE: this local shadows the enclosing method's ActionsPanel of the same name
            ModalPanel panel = new AnyPanel(BaseModal.CONTENT_ID, anyTypeTO, null, null, false, pageRef) {

                private static final long serialVersionUID = -7514498203393023415L;

                @Override
                protected Panel getDirectoryPanel(final String id) {
                    // filtered, read-only (no check boxes) user list; the wizard is not shown in a modal
                    final Panel panel = new UserDirectoryPanel.Builder(
                            classRestClient.list(anyTypeTO.getClasses()), anyTypeTO.getKey(), pageRef).
                            setRealm("/").
                            setFiltered(true).
                            setFiql(query).
                            disableCheckBoxes().
                            addNewItemPanelBuilder(FormLayoutInfoUtils.instantiate(
                                    new UserTO(),
                                    anyTypeTO.getClasses(),
                                    FormLayoutInfoUtils.fetch(typeRestClient.list()).getLeft(),
                                    pageRef), false).
                            setWizardInModal(false).
                            build(id);
                    // rendering the member list is itself subject to USER_SEARCH, independently of the link's entitlement
                    MetaDataRoleAuthorizationStrategy.authorize(panel, WebPage.RENDER, StandardEntitlement.USER_SEARCH);
                    return panel;
                }
            };

            membersModal.header(new StringResourceModel("role.members", RoleDirectoryPanel.this, model));
            membersModal.setContent(panel);
            membersModal.show(true);
            target.add(membersModal);
        }
    }, ActionLink.ActionType.MEMBERS, StandardEntitlement.USER_SEARCH);

    // LAYOUT_EDIT: JSON editor over the role's console layout; saving goes through restClient.setConsoleLayoutInfo
    panel.add(new ActionLink<RoleTO>() {

        private static final long serialVersionUID = -7978723352517770644L;

        @Override
        public void onClick(final AjaxRequestTarget target, final RoleTO ignore) {
            final ConsoleLayoutInfo info = new ConsoleLayoutInfo(model.getObject().getKey());
            info.setContent(restClient.readConsoleLayoutInfo(model.getObject().getKey()));

            utilityModal.header(new ResourceModel("console.layout.info", "JSON Content"));
            // the editor is bound to info.content, so the submitted text is what setConsoleLayoutInfo receives
            utilityModal.setContent(new JsonEditorPanel(utilityModal, new PropertyModel<String>(info, "content"), false, pageRef) {

                private static final long serialVersionUID = -8927036362466990179L;

                @Override
                public void onSubmit(final AjaxRequestTarget target, final Form<?> form) {
                    try {
                        restClient.setConsoleLayoutInfo(info.getKey(), info.getContent());
                        SyncopeConsoleSession.get().info(getString(Constants.OPERATION_SUCCEEDED));
                        modal.show(false);
                        modal.close(target);
                    } catch (Exception e) {
                        // broad catch: any failure is logged and surfaced to the session (class name when the message is blank)
                        LOG.error("While updating console layout info for role {}", info.getKey(), e);
                        SyncopeConsoleSession.get().error(
                                StringUtils.isBlank(e.getMessage()) ? e.getClass().getName() : e.getMessage());
                    }
                    // refreshed on both success and failure
                    ((BasePage) pageRef.getPage()).getNotificationPanel().refresh(target);
                }
            });
            utilityModal.show(true);
            target.add(utilityModal);
        }
    }, ActionLink.ActionType.LAYOUT_EDIT, StandardEntitlement.ROLE_UPDATE);

    // DELETE: only SyncopeClientException is handled here, unlike the broad catch in LAYOUT_EDIT
    panel.add(new ActionLink<RoleTO>() {

        private static final long serialVersionUID = -7978723352517770644L;

        @Override
        public void onClick(final AjaxRequestTarget target, final RoleTO ignore) {
            try {
                restClient.delete(model.getObject().getKey());
                SyncopeConsoleSession.get().info(getString(Constants.OPERATION_SUCCEEDED));
                target.add(container);
            } catch (SyncopeClientException e) {
                LOG.error("While deleting object {}", model.getObject().getKey(), e);
                SyncopeConsoleSession.get().error(
                        StringUtils.isBlank(e.getMessage()) ? e.getClass().getName() : e.getMessage());
            }
            ((BasePage) pageRef.getPage()).getNotificationPanel().refresh(target);
        }
        // the trailing boolean is not explained here - see ActionsPanel.add for its meaning
    }, ActionLink.ActionType.DELETE, StandardEntitlement.ROLE_DELETE, true);

    return panel;
}