Posted to commits@directory.apache.org by cp...@apache.org on 2017/07/11 16:42:37 UTC
directory-fortress-core git commit: FC-222 added method to find user
role with constraint type and attribute set name
Repository: directory-fortress-core
Updated Branches:
refs/heads/master 995073dac -> e834cc6c9
FC-222 added method to find user role with constraint type and attribute set name
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/e834cc6c
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/e834cc6c
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/e834cc6c
Branch: refs/heads/master
Commit: e834cc6c918831bb84666618acabd8a102d5d20c
Parents: 995073d
Author: clp207 <cl...@psu.edu>
Authored: Tue Jul 11 12:42:25 2017 -0400
Committer: clp207 <cl...@psu.edu>
Committed: Tue Jul 11 12:42:25 2017 -0400
----------------------------------------------------------------------
.../directory/fortress/core/ReviewMgr.java | 13 +++
.../fortress/core/impl/ReviewMgrImpl.java | 15 +++
.../directory/fortress/core/impl/UserDAO.java | 107 ++++++++++++++++---
.../directory/fortress/core/impl/UserP.java | 15 +++
.../fortress/core/model/RoleConstraint.java | 2 +-
.../fortress/core/rest/ReviewMgrRestImpl.java | 9 ++
.../fortress/core/impl/ReviewMgrImplTest.java | 34 ++++--
7 files changed, 173 insertions(+), 22 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/ReviewMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ReviewMgr.java b/src/main/java/org/apache/directory/fortress/core/ReviewMgr.java
index a7f985a..dae8315 100755
--- a/src/main/java/org/apache/directory/fortress/core/ReviewMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/ReviewMgr.java
@@ -29,6 +29,7 @@ import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.PermissionAttributeSet;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
+import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;
@@ -390,6 +391,18 @@ public interface ReviewMgr extends Manageable
List<User> assignedUsers( Role role, RoleConstraint roleConstraint ) throws SecurityException;
/**
+ * This method returns the user roles for all users who have the given role, with a specified constraint type
+ * and permission attribute set name.
+ *
+ * @param role
+ * @param rcType
+ * @param paSetName
+ * @return
+ * @throws SecurityException
+ */
+ List<UserRole> assignedUsers( Role role, RCType rcType, String paSetName ) throws SecurityException;
+
+ /**
* This function returns the set of roles assigned to a given user. The function is valid if and
* only if the user is a member of the USERS data set.
*
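Review bot: The Javadoc on the new `assignedUsers( Role, RCType, String )` declaration leaves `@param role`, `@param rcType`, `@param paSetName` and `@return` empty, which Javadoc renders as blank rows; the same empty tags appear on `UserP.getAssignedUsers` in this commit. Fill them, e.g. `@param role contains the name of the role whose user assignments are searched`, `@param rcType the constraint type the user-role assignment must carry`, `@param paSetName name of the permission attribute set referenced by the constraint`, and `@return list of {@link UserRole} entries for the matching users; empty when no user matches`. The summary should also say plainly that, unlike the other `assignedUsers` overloads which return `List<User>`, this one returns `List<UserRole>` — an overload whose return type differs from its siblings surprises callers, and since the API is new a distinct name such as `assignedUserRoles` would be clearer.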
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/impl/ReviewMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/ReviewMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/ReviewMgrImpl.java
index 9828ebf..0454e4a 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/ReviewMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/ReviewMgrImpl.java
@@ -39,6 +39,7 @@ import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.PermissionAttributeSet;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
+import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;
@@ -383,6 +384,20 @@ public class ReviewMgrImpl extends Manageable implements ReviewMgr, Serializable
checkAccess(CLS_NM, methodName);
return userP.getAssignedUsers(role, roleConstraint);
}
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ @AdminPermissionOperation
+ public List<UserRole> assignedUsers(Role role, RCType rcType, String paSetName)
+ throws SecurityException
+ {
+ String methodName = "assignedUsers";
+ assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+ checkAccess(CLS_NM, methodName);
+ return userP.getAssignedUsers(role, rcType, paSetName);
+ }
/**
* {@inheritDoc}
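Review bot: Only `role` is validated before `userP.getAssignedUsers( role, rcType, paSetName )`; a null `rcType` or `paSetName` is not rejected here and, as far as the UserDAO hunk shows, ends up appended as the literal text `null` to the LDAP filter built in `getFilterForRoleConstraint`, so the caller gets an empty result instead of a clear error. Validate both next to the existing `assertContext` call — with the project's VUtil not-null assertion and a `GlobalErrIds` code if one fits, otherwise `Objects.requireNonNull( rcType, "rcType" ); Objects.requireNonNull( paSetName, "paSetName" );`. Whether blank `paSetName` values should be rejected too depends on how attribute set names are constrained elsewhere; confirm against the model class.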
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java
index 9644800..083425f 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/UserDAO.java
@@ -70,6 +70,7 @@ import org.apache.directory.fortress.core.util.PropUtil;
import org.apache.directory.fortress.core.model.PwMessage;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
+import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;
@@ -1190,8 +1191,80 @@ final class UserDAO extends LdapDataProvider
return userList;
}
+
+ List<UserRole> getUserRoles( Role role, RCType rcType, String paSetName ) throws FinderException
+ {
+ List<UserRole> userRoleList = new ArrayList<>();
+ LdapConnection ld = null;
+ String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+ try
+ {
+ String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+ StringBuilder filterbuf = new StringBuilder();
+ filterbuf.append( GlobalIds.FILTER_PREFIX );
+ filterbuf.append( USERS_AUX_OBJECT_CLASS_NAME );
+ filterbuf.append( ")(" );
+ filterbuf.append( GlobalIds.USER_ROLE_ASSIGN );
+ filterbuf.append( "=" );
+ filterbuf.append( roleVal );
+ filterbuf.append( ")" );
+
+ filterbuf.append( "(" );
+ filterbuf.append( GlobalIds.USER_ROLE_DATA );
+ filterbuf.append( "=" );
+ filterbuf.append( this.getFilterForRoleConstraint( role.getName(), rcType, paSetName ) );
+ filterbuf.append( ")" );
+
+ filterbuf.append( ")" );
+
+ ld = getAdminConnection();
+ SearchCursor searchResults = search( ld, userRoot, SearchScope.ONELEVEL, filterbuf.toString(), defaultAtrs, false,
+ GlobalIds.BATCH_SIZE );
+ while ( searchResults.next() )
+ {
+ userRoleList.addAll( this.unloadUserRoles( searchResults.getEntry(), getAttribute( searchResults.getEntry(), SchemaConstants.UID_AT ), role.getContextId(), role.getName() ) );
+ }
+ }
+ catch ( LdapException e )
+ {
+ String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException=" + e
+ .getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ catch ( CursorException e )
+ {
+ String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException=" + e
+ .getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userRoleList;
+ }
+
+ private String getFilterForRoleConstraint(String roleName, RCType rcType, String paSetName)
+ {
+ StringBuilder sb = new StringBuilder();
+ String delimeter = Config.getInstance().getDelimiter();
+
+ sb.append( roleName );
+ sb.append( delimeter );
+ sb.append( RoleConstraint.RC_TYPE_NAME );
+ sb.append( delimeter );
+ sb.append( rcType );
+ sb.append( delimeter );
+ sb.append( paSetName );
+ sb.append( delimeter );
+ sb.append( "*" );
+
+ return sb.toString();
+ }
+
/**
* @param role
* @return
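Review bot: `paSetName` and `role.getName()` reach the LDAP filter unescaped through `getFilterForRoleConstraint`: the `USER_ROLE_ASSIGN` clause uses the `encodeSafeText`-encoded `roleVal`, but the `USER_ROLE_DATA` clause is built from the raw role name and the caller-supplied attribute set name, so filter metacharacters in either value alter what the search matches, and a name containing the configured delimiter shifts the field layout of the value being matched. Pass `roleVal` and encode the set name the same way: `filterbuf.append( this.getFilterForRoleConstraint( roleVal, rcType, encodeSafeText( paSetName, PASET_LEN_PLACEHOLDER ) ) );` with the placeholder replaced by the project's length limit for attribute set names. Both catch blocks also label the method as `getAssignedUsers` and describe a `CursorException` as an `LDAPException`; use `"getUserRoles role name [" + role.getName() + "] caught " + e.getClass().getSimpleName() + "=" + e.getMessage()` in both so log lines point at the right method. The `SearchCursor` returned by `search` is never closed, which presumably matches the other search methods in this DAO — confirm before changing. Minor: `delimeter` is misspelled.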
@@ -2047,7 +2120,7 @@ final class UserDAO extends LdapDataProvider
entity.setTitle( getAttribute( entry, SchemaConstants.TITLE_AT ) );
entity.setEmployeeType( getAttribute( entry, EMPLOYEE_TYPE ) );
unloadTemporal( entry, entity );
- entity.setRoles( unloadUserRoles( entry, entity.getUserId(), contextId ) );
+ entity.setRoles( unloadUserRoles( entry, entity.getUserId(), contextId, null ) );
entity.setAdminRoles( unloadUserAdminRoles( entry, entity.getUserId(), contextId ) );
entity.setAddress( unloadAddress( entry ) );
entity.setPhones( getAttributes( entry, SchemaConstants.TELEPHONE_NUMBER_AT ) );
@@ -2111,7 +2184,7 @@ final class UserDAO extends LdapDataProvider
{
ld = getAdminConnection();
Entry findEntry = read( ld, userDn, ROLE_ATR );
- roles = unloadUserRoles( findEntry, userId, contextId );
+ roles = unloadUserRoles( findEntry, userId, contextId, null );
}
catch ( LdapNoSuchObjectException e )
{
@@ -2478,9 +2551,10 @@ final class UserDAO extends LdapDataProvider
* @param entry contains ldap entry to retrieve roles from.
* @param userId attribute maps to {@link UserRole#userId}.
* @param contextId
+ * @param roleNameFilter optional filter to only unload specified roles
* @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
*/
- private List<UserRole> unloadUserRoles( Entry entry, String userId, String contextId )
+ private List<UserRole> unloadUserRoles( Entry entry, String userId, String contextId, String roleNameFilter )
{
Map<String, UserRole> uRoles = new HashMap<String, UserRole>();
List<String> roles = getAttributes( entry, GlobalIds.USER_ROLE_DATA );
@@ -2494,18 +2568,21 @@ final class UserDAO extends LdapDataProvider
//get role name
String roleName = raw.substring(0, raw.indexOf( Config.getInstance().getDelimiter() )).toUpperCase();
- //if already found, add to user role
- if(uRoles.containsKey(roleName)){
- UserRole ure = uRoles.get(roleName);
- ure.load( raw, contextId, RoleUtil.getInstance() );
- }
- //else create new
- else{
- UserRole ure = new ObjectFactory().createUserRole();
- ure.load( raw, contextId, RoleUtil.getInstance() );
- ure.setUserId( userId );
- ure.setSequenceId( sequence++ );
- uRoles.put(roleName, ure );
+ //if role name filter provided, only unload role if it has that name
+ if(roleNameFilter == null || roleNameFilter.toUpperCase().equals( roleName )){
+ //if already found, add to user role
+ if(uRoles.containsKey(roleName)){
+ UserRole ure = uRoles.get(roleName);
+ ure.load( raw, contextId, RoleUtil.getInstance() );
+ }
+ //else create new
+ else{
+ UserRole ure = new ObjectFactory().createUserRole();
+ ure.load( raw, contextId, RoleUtil.getInstance() );
+ ure.setUserId( userId );
+ ure.setSequenceId( sequence++ );
+ uRoles.put(roleName, ure );
+ }
}
}
}
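Review bot: `roleNameFilter.toUpperCase()` is re-evaluated for every role value in the loop; compute it once before the loop, `String filterUpper = roleNameFilter == null ? null : roleNameFilter.toUpperCase();`, and test `if ( filterUpper == null || filterUpper.equals( roleName ) )`. Both this call and the existing upper-casing of `roleName` use the default locale; if `Locale.ROOT` is ever adopted it must be applied on both sides so the comparison stays consistent. A `continue` guard would avoid adding a nesting level to the existing containsKey/else logic. The enclosing `unloadUserRoles` starts before this hunk and ends after it, so the loop header and the final return are not visible here.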
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
index d8cfd9a..dd4cf0e 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
@@ -39,6 +39,7 @@ import org.apache.directory.fortress.core.model.OrgUnit;
import org.apache.directory.fortress.core.model.PwPolicy;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
+import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserAdminRole;
@@ -180,6 +181,20 @@ final class UserP
}
/**
+ * Return a list of user roles for the provided role name, role constraint type and pa set name
+ *
+ * @param role
+ * @param rcType
+ * @param paSetName
+ * @return
+ * @throws SecurityException
+ */
+ List<UserRole> getAssignedUsers( Role role, RCType rcType, String paSetName ) throws SecurityException
+ {
+ return uDao.getUserRoles( role, rcType, paSetName );
+ }
+
+ /**
* Return a list of Users assigned the given RBAC role.
* "Assigned" implies the hierarchical role relation graph will NOT be considered in result set.
*
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/model/RoleConstraint.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/RoleConstraint.java b/src/main/java/org/apache/directory/fortress/core/model/RoleConstraint.java
index ca5987c..2c96e67 100644
--- a/src/main/java/org/apache/directory/fortress/core/model/RoleConstraint.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/RoleConstraint.java
@@ -142,5 +142,5 @@ public class RoleConstraint extends FortEntity implements Serializable
return sb.toString();
}
-
+
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/main/java/org/apache/directory/fortress/core/rest/ReviewMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/ReviewMgrRestImpl.java b/src/main/java/org/apache/directory/fortress/core/rest/ReviewMgrRestImpl.java
index cfe0527..d02a535 100755
--- a/src/main/java/org/apache/directory/fortress/core/rest/ReviewMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/ReviewMgrRestImpl.java
@@ -36,6 +36,7 @@ import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.PermissionAttributeSet;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.RoleConstraint;
+import org.apache.directory.fortress.core.model.RoleConstraint.RCType;
import org.apache.directory.fortress.core.model.SDSet;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;
@@ -1352,4 +1353,12 @@ public class ReviewMgrRestImpl extends Manageable implements ReviewMgr
// TODO Auto-generated method stub
return null;
}
+
+
+ @Override
+ public List<UserRole> assignedUsers( Role role, RCType rcType, String paSetName ) throws SecurityException
+ {
+ // TODO Auto-generated method stub
+ return null;
+ }
}
\ No newline at end of file
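Review bot: The new `assignedUsers` override returns `null` for a `List<UserRole>` result, whereas the LDAP-backed `ReviewMgrImpl` path always returns a list (possibly empty), so a caller that obtains the REST manager and calls `.size()` on the result, as the new test does, would fail with a NullPointerException rather than a meaningful error. Until the REST call is wired up, fail explicitly: `throw new UnsupportedOperationException( "assignedUsers( Role, RCType, String ) is not implemented for the REST manager" );`. The method also lacks the `{@inheritDoc}` Javadoc the `ReviewMgrImpl` version carries. The stub above it follows the same return-null pattern, so this may be an existing convention worth revisiting together.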
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/e834cc6c/src/test/java/org/apache/directory/fortress/core/impl/ReviewMgrImplTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/ReviewMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/impl/ReviewMgrImplTest.java
index 7848741..aafe024 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/ReviewMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/ReviewMgrImplTest.java
@@ -1662,29 +1662,51 @@ public class ReviewMgrImplTest extends TestCase
public void testFindRoleConstraints()
{
findRoleConstraints( "SRCH-RCS TU1 TR1", UserTestData.USERS_TU1[0][0], PermTestData.getOp("TOB1_1", PermTestData.OPS_TOP1_UPD[0]), URATestData.getRC(URATestData.URC_T1).getType() );
+ findUserRoleWithConstraints( "SRCH-RCS TU1 TR1", UserTestData.USERS_TU1[0][0], RoleTestData.ROLES_TR1[1][0], URATestData.getRC(URATestData.URC_T1).getType(), URATestData.getRC(URATestData.URC_T1).getPaSetName() );
}
- public static void findRoleConstraints( String msg, String usr, Permission permission, RoleConstraint.RCType rcType )
+ public static void findUserRoleWithConstraints( String msg, String usr, String role, RoleConstraint.RCType rcType, String paSetName )
{
LogUtil.logIt(msg);
try
{
ReviewMgr reviewMgr = getManagedReviewMgr();
- List<RoleConstraint> rcs = reviewMgr.findRoleConstraints(new User(usr), permission, rcType);
- assertTrue(rcs.size() > 0);
- assertTrue(rcs.get(0).getType().equals(rcType));
+ List<UserRole> urs = reviewMgr.assignedUsers( new Role(role), rcType, paSetName);
+ assertTrue(urs.size() > 0);
+ assertTrue(urs.get(0).getRoleConstraints().size() > 0);
- LOG.debug( "findRoleConstraints permission [" + permission.getObjName() + "." + permission.getOpName() + "] successful" );
+ LOG.debug( "findUserRoleWithConstraints paSetName [" + paSetName + "] successful" );
}
catch ( SecurityException ex )
{
- LOG.error( "findRoleConstraints permission [" + permission.getObjName() + "." + permission.getOpName()
+ LOG.error( "findUserRoleWithConstraints paSetName [" + paSetName
+ "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex );
fail( ex.getMessage() );
}
}
+ public static void findRoleConstraints( String msg, String usr, Permission permission, RoleConstraint.RCType rcType )
+ {
+ LogUtil.logIt(msg);
+ try
+ {
+ ReviewMgr reviewMgr = getManagedReviewMgr();
+
+ List<RoleConstraint> rcs = reviewMgr.findRoleConstraints(new User(usr), permission, rcType);
+ assertTrue(rcs.size() > 0);
+ assertTrue(rcs.get(0).getType().equals(rcType));
+
+ LOG.debug( "findRoleConstraints permission [" + permission.getObjName() + "." + permission.getOpName() + "] successful" );
+ }
+ catch ( SecurityException ex )
+ {
+ LOG.error( "findRoleConstraints permission [" + permission.getObjName() + "." + permission.getOpName()
+ + "] caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex );
+ fail( ex.getMessage() );
+ }
+ }
+
public void testDeassignRoleWithRoleConstraint() throws SecurityException{
AdminMgr adminMgr = AdminMgrImplTest.getManagedAdminMgr();
adminMgr.deassignUser( new UserRole( UserTestData.USERS_TU1[0][0], RoleTestData.ROLES_TR1[1][0] ) );
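Review bot: `usr` is an unused parameter of the new `findUserRoleWithConstraints` — its body only uses `role`, `rcType` and `paSetName` — so either drop it from the signature and the call in `testFindRoleConstraints`, or use it. The assertions only check that the first returned `UserRole` has some role constraint; they never verify that a constraint with the requested `rcType` and `paSetName` is present, so a search that matched too broadly would still pass. Since `getType()` and `getPaSetName()` are already called on `RoleConstraint` in this hunk, add `assertTrue( urs.get(0).getRoleConstraints().stream().anyMatch( rc -> rcType.equals( rc.getType() ) && paSetName.equals( rc.getPaSetName() ) ) );`. The rest of the hunk moves `findRoleConstraints` below the new method unchanged.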