Posted to commits@directory.apache.org by el...@apache.org on 2014/10/21 01:07:04 UTC

[47/50] git commit: FC-149 - AuditMgr.getUserAuthZs incorrectly handles failures

FC-149 - AuditMgr.getUserAuthZs incorrectly handles failures


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/9d516b8a
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/9d516b8a
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/9d516b8a

Branch: refs/heads/master
Commit: 9d516b8add9230fa7bda59f2bccf9e925498338c
Parents: 2300162
Author: Shawn McKinney <sh...@jts.us>
Authored: Thu Sep 18 22:21:25 2014 -0500
Committer: Shawn McKinney <sh...@jts.us>
Committed: Thu Sep 18 22:21:25 2014 -0500

----------------------------------------------------------------------
 .../java/org/openldap/fortress/GlobalIds.java   |  2 ++
 .../java/org/openldap/fortress/rbac/AuthZ.java  | 22 ++++++++++++++++++++
 .../fortress/rbac/dao/unboundid/AuditDAO.java   | 16 +++++++++++---
 .../fortress/rbac/dao/unboundid/PermDAO.java    | 10 ++++-----
 4 files changed, 42 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/9d516b8a/src/main/java/org/openldap/fortress/GlobalIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/GlobalIds.java b/src/main/java/org/openldap/fortress/GlobalIds.java
index 8453ea2..fc55cd3 100755
--- a/src/main/java/org/openldap/fortress/GlobalIds.java
+++ b/src/main/java/org/openldap/fortress/GlobalIds.java
@@ -505,6 +505,8 @@ public class GlobalIds
     public final static boolean LDAP_FILTER_SIZE_FOUND = ( org.openldap.fortress.cfg.Config
         .getProperty( LDAP_FILTER_SIZE_PROP ) != null );
     public static final String APACHE_LDAP_API = "apache";
+    public static final String AUTH_Z_FAILED = "authzfailed";
+    public static final String AUTH_Z_FAILED_VALUE = "ftOpNm=" + AUTH_Z_FAILED;
 
     /**
      * maximum number of entries allowed for ldap filter replacements.
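Review bot: AUTH_Z_FAILED ("authzfailed") is a sentinel that lives in the same value space as real operation names, and AUTH_Z_FAILED_VALUE hard-codes the attribute as the literal "ftOpNm=", so a permission whose ftOpNm were literally "authzfailed" would be indistinguishable from a failed authorization in any filter built on these constants. Neither constant has a Javadoc saying what it is for or that the value is reserved. I would add `/** Sentinel written to the audit compare assertion when an authorization check fails; reserved, never a real operation name. */` above AUTH_Z_FAILED, and reuse the project's ftOpNm attribute constant in AUTH_Z_FAILED_VALUE instead of the inline string if one is in scope (the rest of the class is outside this hunk).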

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/9d516b8a/src/main/java/org/openldap/fortress/rbac/AuthZ.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/rbac/AuthZ.java b/src/main/java/org/openldap/fortress/rbac/AuthZ.java
index 3c8ecd4..8a61cc7 100755
--- a/src/main/java/org/openldap/fortress/rbac/AuthZ.java
+++ b/src/main/java/org/openldap/fortress/rbac/AuthZ.java
@@ -72,6 +72,7 @@ import java.io.Serializable;
     "reqStart",
     "reqTimeLimit",
     "reqType",
+    "reqAssertion",
     "structuralObjectClass",
     "subschemaSubentry",
     "sequenceId"
@@ -103,6 +104,7 @@ public class AuthZ extends FortEntity implements Serializable
     private String reqStart;
     private String reqTimeLimit;
     private String reqType;
+    private String reqAssertion;
     private String structuralObjectClass;
     private String subschemaSubentry;
     private long sequenceId;
@@ -497,6 +499,26 @@ public class AuthZ extends FortEntity implements Serializable
     }
 
     /**
+     * Get the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+     *
+     * @return value that maps to 'reqAssertion' attribute on 'auditCompare' object class.
+     */
+    public String getReqAssertion()
+    {
+        return reqAssertion;
+    }
+
+    /**
+     * Set the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+     *
+     * @param reqAssertion value maps to 'reqAssertion' attribute contained in the 'auditCompare' object class.
+     */
+    public void setReqAssertion( String reqAssertion )
+    {
+        this.reqAssertion = reqAssertion;
+    }
+
+    /**
      * Returns the name of the structural object class that is used to log the event.  For this entity
      * this value will always be 'auditSearch'.
      *
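Review bot: The Javadoc on getReqAssertion and setReqAssertion is hard to read as written ("Get the Compare operation the reqAssertion attribute carries the Attribute Value Assertion ..."). I would change the getter summary to `Returns the Attribute Value Assertion carried by the 'reqAssertion' attribute of an 'auditCompare' entry.` and the setter summary to `Sets the Attribute Value Assertion carried by the 'reqAssertion' attribute of an 'auditCompare' entry.`, keeping the existing @return and @param lines. The context line that follows says this entity's structural object class is always 'auditSearch', which now appears to contradict a field documented as coming from 'auditCompare'; that Javadoc likely needs the same update, though its method body is outside the hunk.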

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/9d516b8a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/AuditDAO.java b/src/main/java/org/openldap/fortress/rbac/dao/unboundid/AuditDAO.java
index 2d3d4be..3d7255c 100755
--- a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/AuditDAO.java
+++ b/src/main/java/org/openldap/fortress/rbac/dao/unboundid/AuditDAO.java
@@ -160,7 +160,7 @@ public final class AuditDAO extends UnboundIdDataProvider implements org.openlda
             CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
             MODIFYTIMESTAMP, OBJECTCLASS, REQATTR, REQATTRSONLY, REQUAUTHZID, REQCONTROLS, REQDN, REQDREFALIASES,
             REQEND, REQENTRIES, REQFILTER, REQRESULT, REQSCOPE, REQSESSION, REQSIZELIMIT, REQSTART, REQTIMELIMIT,
-            REQTYPE, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
+            REQTYPE, REQASSERTION, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
     };
 
     private static final String[] AUDIT_BIND_ATRS =
@@ -309,10 +309,14 @@ public final class AuditDAO extends UnboundIdDataProvider implements org.openlda
                 + audit.getObjName() + "," + permRoot;
             String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" +
                 reqDn + ")(" + REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
+/*
+            todo: fixme (can't search on reqAssertion attribute):
             if ( audit.isFailedOnly() )
             {
-                filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                //filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
             }
+*/
             if ( audit.getBeginDate() != null )
             {
                 String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
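Review bot: With both the old `(!(reqResult=6))` clause and its replacement wrapped in the block comment, `audit.isFailedOnly()` is now silently ignored: a caller asking for failed authorizations only receives every authorization record for that user, successes included, with no error and no log line, and nothing in the commit says the option is unsupported. The same dead block appears in the hunk at `@@ -393,10 +397,14 @@`. If the reqAssertion attribute cannot be searched yet, I would keep the old reqResult clause as the fallback until the new one works, or at least make the unsupported request visible, e.g. `if ( audit.isFailedOnly() ) { LOG.warn( "failedOnly is not yet supported on reqAssertion; returning all authorizations" ); }` (logger field name assumed, it is not visible here). Separately and pre-existing on the context lines, audit.getUserId() and audit.getObjName() are concatenated into the LDAP filter without filter escaping; the enclosing method starts and ends outside the hunk.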
@@ -393,10 +397,14 @@ public final class AuditDAO extends UnboundIdDataProvider implements org.openlda
                 //filter += "(" + REQDN + "=" + GlobalIds.POP_NAME + "=" + audit.getOpName() + "," + GlobalIds.POBJ_NAME + "=" + audit.getObjName() + ",*)";
                 filter += "(" + REQDN + "=" + audit.getDn() + ")";
             }
+/*
+            todo: fixme (can't search on reqAssertion attribute):
             if (audit.isFailedOnly())
             {
-                filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                //filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
             }
+*/
             if ( audit.getBeginDate() != null )
             {
                 String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
@@ -752,6 +760,7 @@ public final class AuditDAO extends UnboundIdDataProvider implements org.openlda
             private String reqStart;
             private String reqTimeLimit;
             private String reqType;
+            private String reqAssertion;
             private String structuralObjectClass;
             private String subschemaSubentry;
         }*/
@@ -786,6 +795,7 @@ public final class AuditDAO extends UnboundIdDataProvider implements org.openlda
         authZ.setReqScope( getAttribute( le, REQSCOPE ) );
         authZ.setReqSizeLimit( getAttribute( le, REQSIZELIMIT ) );
         authZ.setReqTimeLimit( getAttribute( le, REQTIMELIMIT ) );
+        authZ.setReqAssertion( getAttribute( le, REQASSERTION ) );
         return authZ;
     }
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/9d516b8a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/PermDAO.java b/src/main/java/org/openldap/fortress/rbac/dao/unboundid/PermDAO.java
index 0fbff79..2395d10 100755
--- a/src/main/java/org/openldap/fortress/rbac/dao/unboundid/PermDAO.java
+++ b/src/main/java/org/openldap/fortress/rbac/dao/unboundid/PermDAO.java
@@ -144,10 +144,10 @@ import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
 public final class PermDAO extends UnboundIdDataProvider implements org.openldap.fortress.rbac.dao.PermDAO
 {
     /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr PERMISSION STATICS
-      *  ************************************************************************
-      */
+          *  *************************************************************************
+          *  **  OpenAccessMgr PERMISSION STATICS
+          *  ************************************************************************
+          */
     private static final String TYPE = "ftType";
     private static final String PERM_OBJ_OBJECT_CLASS_NAME = "ftObject";
     private static final String PERM_OP_OBJECT_CLASS_NAME = "ftOperation";
@@ -821,7 +821,7 @@ public final class PermDAO extends UnboundIdDataProvider implements org.openldap
             else
             {
                 // No, set a simple error message onto this attribute for storage into audit trail:
-                attributeValue = "AuthZ Failed";
+                attributeValue = GlobalIds.AUTH_Z_FAILED;
             }
             // There is a switch in fortress config to disable audit ops like this one.
             // But if used the compare method will use OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection.
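Review bot: Replacing the literal "AuthZ Failed" with GlobalIds.AUTH_Z_FAILED changes the value that reaches the audit trail through the compare described on the following comment lines, so any existing report or query that matched the old string stops matching, and nothing here records that. The read side of this fix, the failed-only filter in AuditDAO, is commented out in the same commit, so this write-side change is currently only half of FC-149. I would say so on this line, e.g. `// Reserved sentinel (see GlobalIds.AUTH_Z_FAILED); AuditDAO's failed-only filter is meant to match it via reqAssertion once that attribute is searchable.` The enclosing method continues outside the hunk.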