You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by sm...@apache.org on 2016/09/26 18:25:02 UTC
[1/4] directory-fortress-core git commit: FC-144 Use Groups of Roles
to create Sessions
Repository: directory-fortress-core
Updated Branches:
refs/heads/master 9271edf9a -> cb34ef224
FC-144 Use Groups of Roles to create Sessions
There're certain situations where userId is not known to the tenant.
Possible use case here is federated and multi-tenant login into
openstack via keystone. This commit allows to create a Session with
Group, map the Group to a Role(s) inside the tenant's domain and
check Session' Permissions.
There's still more work to do:
- REST Implementation of managers
- Add new unit-tests
- Update Console managers with new functionality
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/098f0a37
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/098f0a37
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/098f0a37
Branch: refs/heads/master
Commit: 098f0a37b69be2cf76fa8d6e23ef3d250ccf58fc
Parents: cc3e60f
Author: Vyacheslav Vakhlyuev <vv...@mirantis.com>
Authored: Sun Aug 28 21:45:13 2016 +0300
Committer: Vyacheslav Vakhlyuev <vv...@mirantis.com>
Committed: Sun Aug 28 21:45:13 2016 +0300
----------------------------------------------------------------------
.../directory/fortress/core/AccessMgr.java | 77 ++++++++++-
.../directory/fortress/core/GroupMgr.java | 20 +++
.../fortress/core/impl/AccessMgrImpl.java | 80 ++++++++---
.../fortress/core/impl/AdminMgrImpl.java | 3 +-
.../directory/fortress/core/impl/GroupDAO.java | 59 +++++++-
.../fortress/core/impl/GroupMgrImpl.java | 36 +++++
.../directory/fortress/core/impl/GroupP.java | 117 +++++++++++++++-
.../directory/fortress/core/impl/PermDAO.java | 30 ++--
.../directory/fortress/core/impl/UserP.java | 12 +-
.../directory/fortress/core/model/Group.java | 21 +++
.../directory/fortress/core/model/Session.java | 137 +++++++++++++++++--
.../directory/fortress/core/model/UserRole.java | 35 ++++-
.../fortress/core/rest/AccessMgrRestImpl.java | 12 +-
.../directory/fortress/core/util/VUtil.java | 8 +-
.../fortress/core/AccessMgrConsole.java | 14 +-
15 files changed, 578 insertions(+), 83 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
index a45e498..6d2e19a 100755
--- a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
@@ -23,10 +23,7 @@ package org.apache.directory.fortress.core;
import java.util.List;
import java.util.Set;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
/**
@@ -183,6 +180,78 @@ public interface AccessMgr extends Manageable
Session createSession( User user, boolean isTrusted )
throws SecurityException;
+ /**
+ * Perform user authentication {@link Group} and role activations {@link Group#members}.<br>
+ * Group sessions are always trusted. <br>
+ * This method must be called once per user prior to calling other methods within this class.
+ * The successful result is {@link org.apache.directory.fortress.core.model.Session} that contains target group's RBAC
+ * {@link Group#members}
+ * <h4> This API will...</h4>
+ * <ul>
+ * <li>
+ * fail for any non-existing group
+ * </li>
+ * <li>
+ * evaluate temporal {@link org.apache.directory.fortress.core.model.Constraint}(s) on member {@link UserRole} entities.
+ * <li>process selective role activations into Group RBAC Session {@link Group#roles}.</li>
+ * <li>
+ * check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.impl.DSDChecker#validate(
+ * org.apache.directory.fortress.core.model.Session,
+ * org.apache.directory.fortress.core.model.Constraint,
+ * org.apache.directory.fortress.core.util.time.Time,
+ * org.apache.directory.fortress.core.util.VUtil.ConstraintType)} on
+ * {@link org.apache.directory.fortress.core.model.User#roles}.
+ * </li>
+ * <li>
+ * return a {@link org.apache.directory.fortress.core.model.Session} containing
+ * {@link org.apache.directory.fortress.core.model.Session#getGroup()},
+ * {@link org.apache.directory.fortress.core.model.Session#getRoles()}
+ * </li>
+ * <li>throw a checked exception that will be {@link SecurityException} or its derivation.</li>
+ * <li>throw a {@link SecurityException} for system failures.</li>
+ * <li>throw a {@link ValidationException} for data validation errors.</li>
+ * <li>throw a {@link FinderException} if Group name not found.</li>
+ * </ul>
+ * <h4>
+ * The function is valid if and only if:
+ * </h4>
+ * <ul>
+ * <li> the group is a member of the GROUPS data set</li>
+ * <li> the (optional) active role set is a subset of the roles authorized for that group.</li>
+ * </ul>
+ * <h4>
+ * The following attributes may be set when calling this method
+ * </h4>
+ * <ul>
+ * <li>{@link Group#name} - required</li>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.Group#members} contains a list of RBAC role names authorized for group
+ * and targeted for activation within this session. Default is all authorized RBAC roles will be activated into this
+ * Session.
+ * </li>
+ * </ul>
+ * <h4>
+ * Notes:
+ * </h4>
+ * <ul>
+ * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
+ * </ul>
+ *
+ * @param group Contains {@link Group#name}, {@link org.apache.directory.fortress.core.model.Group#members}
+ * (optional), optional {@link Group#type}, optional
+ * @return Session object will contain authentication result code
+ * {@link org.apache.directory.fortress.core.model.Session#errorId},
+ * RBAC role activations {@link org.apache.directory.fortress.core.model.Session#getRoles()},
+ * OpenLDAP pw policy codes {@link org.apache.directory.fortress.core.model.Session#warnings},
+ * {@link org.apache.directory.fortress.core.model.Session#expirationSeconds},
+ * {@link org.apache.directory.fortress.core.model.Session#graceLogins} and more.
+ * @throws SecurityException
+ * in the event of data validation failure, security policy violation or DAO error.
+ */
+ Session createGroupSession(Group group)
+ throws SecurityException;
+
+
/**
* Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/GroupMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/GroupMgr.java b/src/main/java/org/apache/directory/fortress/core/GroupMgr.java
index 56a9fc2..2cbe83c 100755
--- a/src/main/java/org/apache/directory/fortress/core/GroupMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/GroupMgr.java
@@ -21,7 +21,9 @@ package org.apache.directory.fortress.core;
import org.apache.directory.fortress.core.model.Group;
+import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.User;
+import org.apache.directory.fortress.core.model.UserRole;
import java.util.List;
@@ -121,6 +123,24 @@ public interface GroupMgr extends Manageable
*/
List<Group> find( User user ) throws SecurityException;
+ /**
+ * Search for groups by role name. Member (maps to role name) is required.
+ *
+ * @param role contains userId that maps to Group member attribute.
+ * @return {@link Group} containing entity just added.
+ * @throws org.apache.directory.fortress.core.SecurityException in the event system error.
+ */
+ List<Group> roleGroups( Role role ) throws SecurityException;
+
+ /**
+ * Read an existing group node's roles. The name is required.
+ *
+ * @param group contains {@link Group} with name field set with an existing group name.
+ * @return list of {@link UserRole} for given group. Will return empty list if Group has no roles assigned.
+ * @throws org.apache.directory.fortress.core.SecurityException in the event system error.
+ */
+ List<UserRole> groupRoles( Group group ) throws SecurityException;
+
/**
* Assign a user to an existing group node. The group name and member are required.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
index c4ae52a..f13c6b5 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
@@ -28,10 +28,7 @@ import org.apache.commons.collections.CollectionUtils;
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.VUtil;
@@ -80,6 +77,7 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
{
private static final String CLS_NM = AccessMgrImpl.class.getName();
private static final UserP userP = new UserP();
+ private static final GroupP groupP = new GroupP();
private static final PermP permP = new PermP();
/**
@@ -118,6 +116,19 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
return userP.createSession( user, isTrusted );
}
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public Session createGroupSession(Group group)
+ throws SecurityException
+ {
+ String methodName = "createGroupSession";
+ assertContext( CLS_NM, methodName, group, GlobalErrIds.GROUP_NULL );
+
+ return groupP.createSession( group );
+ }
+
/**
* {@inheritDoc}
@@ -182,7 +193,14 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
{
String methodName = "authorizedRoles";
assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
- VUtil.getInstance().assertNotNull( session.getUser(), GlobalErrIds.USER_NULL, CLS_NM + ".authorizedRoles" );
+ if (session.isGroupSession())
+ {
+ VUtil.getInstance().assertNotNull(session.getGroup(), GlobalErrIds.GROUP_NULL, CLS_NM + ".authorizedRoles");
+ }
+ else
+ {
+ VUtil.getInstance().assertNotNull(session.getUser(), GlobalErrIds.USER_NULL, CLS_NM + ".authorizedRoles");
+ }
VUtil.getInstance().validateConstraints( session, VUtil.ConstraintType.USER, false );
VUtil.getInstance().validateConstraints( session, VUtil.ConstraintType.ROLE, false );
setEntitySession(CLS_NM, methodName, session);
@@ -200,27 +218,47 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
String methodName = "addActiveRole";
assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
assertContext( CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL );
- role.setUserId( session.getUserId() );
+
+ String entityId;
+ if (session.isGroupSession())
+ {
+ entityId = session.getGroupName();
+ }
+ else
+ {
+ entityId = session.getUserId();
+ }
+ role.setUserId(entityId);
List<UserRole> uRoles;
List<UserRole> sRoles = session.getRoles();
// If session already has same role activated:
if ( sRoles != null && sRoles.contains( role ) )
{
- String info = getFullMethodName( CLS_NM, methodName ) + " User [" + session.getUserId() + "] Role ["
- + role.getName() + "] role already activated.";
+ String info = getFullMethodName(CLS_NM, methodName) + " Entity [" + entityId + "] Role ["
+ + role.getName() + "] role already activated.";
throw new SecurityException( GlobalErrIds.URLE_ALREADY_ACTIVE, info );
}
- User inUser = new User( session.getUserId() );
- inUser.setContextId( this.contextId );
- User ue = userP.read( inUser, true );
- uRoles = ue.getRoles();
+ if (session.isGroupSession())
+ {
+ Group inGroup = new Group(session.getGroupName());
+ inGroup.setContextId(this.contextId);
+ Group ge = groupP.read(inGroup);
+ uRoles = ge.getRoles();
+ }
+ else
+ {
+ User inUser = new User(session.getUserId());
+ inUser.setContextId(this.contextId);
+ User ue = userP.read(inUser, true);
+ uRoles = ue.getRoles();
+ }
int indx;
// Is the role activation target valid for this user?
if ( !CollectionUtils.isNotEmpty( uRoles ) || ( ( indx = uRoles.indexOf( role ) ) == -1 ) )
{
- String info = getFullMethodName( CLS_NM, methodName ) + " Role [" + role.getName() + "] User ["
- + session.getUserId() + "] role not authorized for user.";
+ String info = getFullMethodName(CLS_NM, methodName) + " Role [" + role.getName() + "] Entity ["
+ + entityId + "] role not authorized for entity.";
throw new SecurityException( GlobalErrIds.URLE_ACTIVATE_FAILED, info );
}
@@ -245,7 +283,17 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
String methodName = "dropActiveRole";
assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
assertContext( CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL );
- role.setUserId( session.getUserId() );
+
+ String entityId;
+ if (session.isGroupSession())
+ {
+ entityId = session.getGroupName();
+ }
+ else
+ {
+ entityId = session.getUserId();
+ }
+ role.setUserId(entityId);
List<UserRole> roles = session.getRoles();
VUtil.getInstance()
.assertNotNull( roles, GlobalErrIds.URLE_DEACTIVE_FAILED, CLS_NM + getFullMethodName( CLS_NM, methodName ) );
@@ -256,7 +304,7 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
}
else
{
- String info = getFullMethodName( CLS_NM, methodName ) + " Role [" + role.getName() + "] User ["
+ String info = getFullMethodName( CLS_NM, methodName ) + " Role [" + role.getName() + "] Entity ["
+ session.getUserId() + "], not previously activated";
throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
index e58242a..ec0019e 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
@@ -285,7 +285,8 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
}
}
roleP.delete( role );
- }
+ // TODO: what about groups? Should we remove roles from group members?
+ }
/**
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java
index 7019441..26519a8 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupDAO.java
@@ -44,10 +44,7 @@ import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.RemoveException;
import org.apache.directory.fortress.core.UpdateException;
import org.apache.directory.fortress.core.ldap.LdapDataProvider;
-import org.apache.directory.fortress.core.model.Group;
-import org.apache.directory.fortress.core.model.ObjectFactory;
-import org.apache.directory.fortress.core.model.PropUtil;
-import org.apache.directory.fortress.core.model.User;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.Config;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.slf4j.Logger;
@@ -89,6 +86,7 @@ final class GroupDAO extends LdapDataProvider
{
SchemaConstants.CN_AT,
SchemaConstants.DESCRIPTION_AT,
+ GlobalIds.TYPE,
GROUP_PROTOCOL_ATTR_IMPL,
GROUP_PROPERTY_ATTR_IMPL,
SchemaConstants.MEMBER_AT };
@@ -484,6 +482,54 @@ final class GroupDAO extends LdapDataProvider
/**
+ * @param role
+ * @return
+ * @throws org.apache.directory.fortress.core.FinderException
+ *
+ */
+ List<Group> roleGroups( Role role ) throws FinderException
+ {
+ List<Group> groupList = new ArrayList<>();
+ LdapConnection ld = null;
+ SearchCursor searchResults;
+ String groupRoot = getRootDn( role.getContextId(), GlobalIds.GROUP_ROOT );
+ String filter = null;
+
+ try
+ {
+ encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+ filter = GlobalIds.FILTER_PREFIX + GROUP_OBJECT_CLASS_IMPL + ")(" + SchemaConstants.MEMBER_AT + "="
+ + role.getDn() + "))";
+ ld = getAdminConnection();
+ searchResults = search( ld, groupRoot, SearchScope.ONELEVEL, filter, GROUP_ATRS, false,
+ GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.next() )
+ {
+ groupList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
+ }
+ }
+ catch ( CursorException e )
+ {
+ String error = "find filter [" + filter + "] caught CursorException=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.GROUP_SEARCH_FAILED, error, e );
+ }
+ catch ( LdapException e )
+ {
+ String error = "find filter [" + filter + "] caught LDAPException=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.GROUP_SEARCH_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return groupList;
+ }
+
+
+ /**
* @param le
* @param sequence
* @return
@@ -495,6 +541,11 @@ final class GroupDAO extends LdapDataProvider
Group entity = new ObjectFactory().createGroup();
entity.setName( getAttribute( le, SchemaConstants.CN_AT ) );
entity.setDescription( getAttribute( le, SchemaConstants.DESCRIPTION_AT ) );
+ String typeAsString = getAttribute( le, GlobalIds.TYPE );
+ if ( StringUtils.isNotEmpty(typeAsString) )
+ {
+ entity.setType( Group.Type.valueOf( typeAsString.toUpperCase() ) );
+ }
entity.setProtocol( getAttribute( le, GROUP_PROTOCOL_ATTR_IMPL ) );
entity.setMembers( getAttributes( le, SchemaConstants.MEMBER_AT ) );
entity.setMemberDn( true );
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
index e27f25e..6341600 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
@@ -32,6 +32,7 @@ import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Group;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.User;
+import org.apache.directory.fortress.core.model.UserRole;
/**
@@ -71,6 +72,7 @@ public class GroupMgrImpl extends Manageable implements GroupMgr, Serializable
{
loadUserDns( group );
}
+ group.setMemberDn(true);
}
return GROUP_P.add( group );
@@ -169,6 +171,33 @@ public class GroupMgrImpl extends Manageable implements GroupMgr, Serializable
* {@inheritDoc}
*/
@Override
+ public List<Group> roleGroups( Role role ) throws SecurityException
+ {
+ String methodName = "roleGroups";
+ assertContext(CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL);
+ checkAccess( CLS_NM, methodName );
+ loadRoleDn( role );
+
+ return GROUP_P.roleGroups( role );
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public List<UserRole> groupRoles( Group group ) throws SecurityException
+ {
+ String methodName = "groupRoles";
+ assertContext(CLS_NM, methodName, group, GlobalErrIds.GROUP_NULL);
+ checkAccess( CLS_NM, methodName );
+
+ return GROUP_P.groupRoles( group );
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
public Group assign( Group group, String member ) throws SecurityException
{
String methodName = "assign";
@@ -255,4 +284,11 @@ public class GroupMgrImpl extends Manageable implements GroupMgr, Serializable
User outUser = reviewMgr.readUser( inUser );
inUser.setDn( outUser.getDn() );
}
+
+ private void loadRoleDn( Role inRole ) throws SecurityException
+ {
+ ReviewMgr reviewMgr = ReviewMgrFactory.createInstance();
+ Role outRole = reviewMgr.readRole( inRole );
+ inRole.setDn( outRole.getDn() );
+ }
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
index 856d201..31512bb 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
@@ -20,15 +20,16 @@
package org.apache.directory.fortress.core.impl;
+import java.util.ArrayList;
import java.util.List;
+import org.apache.commons.collections.CollectionUtils;
import org.apache.directory.api.util.Strings;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.model.Group;
-import org.apache.directory.fortress.core.model.User;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.VUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -61,7 +62,9 @@ final class GroupP
{
validate( group );
- return gDao.create( group );
+ Group outGroup = gDao.create(group);
+ fillRoles(outGroup);
+ return outGroup;
}
@@ -162,7 +165,9 @@ final class GroupP
*/
Group read( Group group ) throws SecurityException
{
- return gDao.get( group );
+ Group outGroup = gDao.get(group);
+ fillRoles(outGroup);
+ return outGroup;
}
@@ -191,6 +196,110 @@ final class GroupP
return gDao.find( user );
}
+ /**
+ * Takes a search string that contains full or partial Role name in directory.
+ *
+ * @param role contains full dn name of role
+ * @return List of type Group containing fully populated matching entities. If no records found this will be empty.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ List<Group> roleGroups( Role role ) throws SecurityException
+ {
+ return gDao.roleGroups( role );
+ }
+
+ /**
+ * Return a list of group Roles for a given Group name. If matching record not found a
+ * SecurityException will be thrown.
+ *
+ * @param group contains full group name for entry in directory.
+ * @return Group entity containing all attributes associated.
+ * @throws SecurityException in the event not found or DAO search error.
+ */
+ List<UserRole> groupRoles( Group group ) throws SecurityException
+ {
+ Group outGroup = read(group);
+ fillRoles( outGroup );
+
+ return outGroup.getRoles();
+ }
+
+
+ /**
+ * Creates a Session using given Group and its members, if Group type is ROLE
+ * @param group a group to create Session for
+ * @return Session object
+ * @throws SecurityException
+ */
+ Session createSession( Group group ) throws SecurityException
+ {
+ // Create the impl session without authentication of password.
+ Session session = createSessionTrusted( group );
+
+ // Did the caller pass in a set of roles for selective activation?
+ if ( CollectionUtils.isNotEmpty( group.getMembers() ) )
+ {
+ // Process selective activation of user's RBAC roles into session:
+ List<String> availableRoles = session.getGroup().getMembers();
+ availableRoles.retainAll(group.getMembers());
+
+ // Fill aux field 'roles' with Role entities
+ fillRoles(session.getGroup());
+ }
+ // Check role temporal constraints + activate roles:
+ VUtil.getInstance().validateConstraints( session, VUtil.ConstraintType.ROLE, true );
+ return session;
+ }
+
+
+ // TODO: docs
+ private Session createSessionTrusted( Group inGroup) throws SecurityException
+ {
+ Group group = read( inGroup );
+ group.setContextId( inGroup.getContextId() );
+
+ Session session = new Session(group);
+ // Set this flag to false because group was not authenticated.
+ session.setAuthenticated( false );
+ return session;
+ }
+
+ /**
+ * Populates the auxiliary field 'roles' in given group object with
+ * {@link UserRole} data
+ * @param group a group object to populate
+ * @throws SecurityException thrown in the event the attribute is null.
+ */
+ private void fillRoles( Group group ) throws SecurityException {
+ if ( Group.Type.ROLE.equals( group.getType() ) )
+ {
+ RoleP rp = new RoleP();
+ List<UserRole> roles = new ArrayList<>();
+ List<String> members = group.getMembers();
+ for ( String roleDn : members )
+ {
+ String roleRdn = roleDn;
+ if (group.isMemberDn())
+ {
+ String[] parts = roleDn.split(",");
+ if (parts.length > 0)
+ {
+ roleRdn = parts[ 0 ];
+ }
+ roleRdn = roleRdn.replaceFirst("cn=", ""); // remove 'cn='
+ }
+ Role inRole = new Role( roleRdn );
+ inRole.setContextId( group.getContextId() );
+ Role role = rp.read( inRole );
+
+ UserRole ure = new UserRole( group.getName(), roleRdn, true );
+ ConstraintUtil.validateOrCopy( role, ure );
+ roles.add( ure );
+ }
+ group.setRoles( roles );
+ }
+ }
+
/**
* Method will perform simple validations to ensure the integrity of the {@link Group} entity targeted for insertion
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
index f2a7eeb..3152a20 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
@@ -885,18 +885,23 @@ final class PermDAO extends LdapDataProvider
// There is a switch in fortress config to disable audit ops like this one.
// But if used the compare method will use OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection.
// LDAP Operation #2: Compare.
- addAuthZAudit( ld, dn, session.getUser().getDn(), attributeValue );
+ if ( !session.isGroupSession() )
+ {
+ addAuthZAudit( ld, dn, session.getUser().getDn(), attributeValue );
+ }
}
- catch ( LdapException e )
- {
- if ( !( e instanceof LdapNoSuchObjectException ) )
+ catch ( LdapException e ) {
+ if (!(e instanceof LdapNoSuchObjectException))
{
String error = "checkPermission caught LdapException=" + e.getMessage();
- throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
+ throw new FinderException(GlobalErrIds.PERM_READ_OP_FAILED, error, e);
}
// There is a switch in fortress config to disable the audit ops.
- addAuthZAudit( ld, dn, session.getUser().getDn(), "AuthZ Invalid" );
+ if (!session.isGroupSession())
+ {
+ addAuthZAudit(ld, dn, session.getUser().getDn(), "AuthZ Invalid");
+ }
}
finally
{
@@ -1585,11 +1590,14 @@ final class PermDAO extends LdapDataProvider
filterbuf.append( GlobalIds.FILTER_PREFIX );
filterbuf.append( PERM_OP_OBJECT_CLASS_NAME );
filterbuf.append( ")(|" );
- filterbuf.append( "(" );
- filterbuf.append( USERS );
- filterbuf.append( "=" );
- filterbuf.append( session.getUserId() );
- filterbuf.append( ")" );
+ if (!session.isGroupSession())
+ {
+ filterbuf.append("(");
+ filterbuf.append(USERS);
+ filterbuf.append("=");
+ filterbuf.append(session.getUserId());
+ filterbuf.append(")");
+ }
Set<String> roles;
if ( isAdmin )
{
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
index 30af294..34a4999 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/UserP.java
@@ -32,17 +32,7 @@ import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.PasswordException;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.model.AdminRole;
-import org.apache.directory.fortress.core.model.Administrator;
-import org.apache.directory.fortress.core.model.ConstraintUtil;
-import org.apache.directory.fortress.core.model.ObjectFactory;
-import org.apache.directory.fortress.core.model.OrgUnit;
-import org.apache.directory.fortress.core.model.PwPolicy;
-import org.apache.directory.fortress.core.model.Role;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserAdminRole;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.VUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/model/Group.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Group.java b/src/main/java/org/apache/directory/fortress/core/model/Group.java
index 5c8fe68..5874871 100755
--- a/src/main/java/org/apache/directory/fortress/core/model/Group.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/Group.java
@@ -56,6 +56,11 @@ public class Group extends FortEntity implements Serializable
private Type type;
/**
+ * Auxiliary field used to store roles in UserRole format. Used only internally by DAO/Managers.
+ */
+ private List<UserRole> roles = new ArrayList<>();
+
+ /**
* enum for User or Role data sets. Both nodes may be stored in the same LDAP container.
*/
@XmlType(name = "type")
@@ -454,6 +459,22 @@ public class Group extends FortEntity implements Serializable
this.memberDn = memberDn;
}
+ /**
+ * List of roles for given groups if they were populated. Empty list otherwise.
+ * @return
+ */
+ public List<UserRole> getRoles() {
+ return roles;
+ }
+
+ /**
+ * Setter for auxiliary 'roles' field.
+ * @param roles list of roles to be set
+ */
+ public void setRoles(List<UserRole> roles) {
+ this.roles = roles;
+ }
+
@Override
public boolean equals( Object o )
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/model/Session.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Session.java b/src/main/java/org/apache/directory/fortress/core/model/Session.java
index 8479a3f..c6d2c62 100755
--- a/src/main/java/org/apache/directory/fortress/core/model/Session.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/Session.java
@@ -163,7 +163,9 @@ import java.util.UUID;
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "session", propOrder = {
"user",
+ "group",
"isAuthenticated",
+ "isGroupSession",
"sessionId",
"lastAccess",
"timeout",
@@ -178,6 +180,7 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
private static final long serialVersionUID = 1L;
private User user;
+ private Group group;
private String sessionId;
private long lastAccess;
private int timeout;
@@ -186,6 +189,7 @@ public class Session extends FortEntity implements PwMessage, Serializable
private int graceLogins;
private int expirationSeconds;
private boolean isAuthenticated;
+ private boolean isGroupSession;
private String message;
@XmlElement(nillable = true)
private List<Warning> warnings;
@@ -199,6 +203,16 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
return isAuthenticated;
}
+
+ /**
+ * A 'true' value here indicates this Session was created for Group entity
+ *
+ * @return boolean indicating if this Session is created for Group
+ */
+ public boolean isGroupSession()
+ {
+ return isGroupSession;
+ }
private void init()
@@ -217,6 +231,7 @@ public class Session extends FortEntity implements PwMessage, Serializable
public void copy( Session inSession )
{
this.user = inSession.getUser();
+ this.group = inSession.getGroup();
// don't copy session id:
//this.sessionId = inSession.getSessionId();
this.lastAccess = inSession.getLastAccess();
@@ -226,6 +241,7 @@ public class Session extends FortEntity implements PwMessage, Serializable
this.graceLogins = inSession.getGraceLogins();
this.expirationSeconds = inSession.expirationSeconds;
this.isAuthenticated = inSession.isAuthenticated();
+ this.isGroupSession = inSession.isGroupSession();
this.message = inSession.getMsg();
this.warnings = inSession.getWarnings();
}
@@ -239,6 +255,8 @@ public class Session extends FortEntity implements PwMessage, Serializable
init();
// this class will not check for null on user object.
user = new User();
+ // by default, the Session is created for user
+ isGroupSession = false;
}
@@ -251,6 +269,19 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
init();
this.user = user;
+ isGroupSession = false;
+ }
+
+ /**
+ * Construct a new Session instance with given Group entity.
+ *
+ * @param group contains the Group attributes that are associated with the Session.
+ */
+ public Session( Group group )
+ {
+ init();
+ this.group = group;
+ isGroupSession = true;
}
@@ -263,8 +294,21 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
this.sessionId = sessionId;
this.user = user;
+ isGroupSession = false;
}
-
+
+ /**
+ * Construct a new Session instance with given Group entity.
+ *
+ * @param group contains the Group attributes that are associated with the Session.
+ */
+ public Session( Group group, String sessionId )
+ {
+ this.sessionId = sessionId;
+ this.group = group;
+ isGroupSession = true;
+ }
+
/**
* Return the unique id that is associated with User. This attribute is generated automatically
@@ -331,7 +375,12 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
return this.user;
}
-
+
+ /**
+ * Return the Group entity that is associated with this entity.
+ */
+ public Group getGroup() { return this.group; }
+
/**
* Return the userId that is associated with this Session object.
@@ -342,6 +391,16 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
return this.user.getUserId();
}
+
+ /**
+ * Return the group name that is associated with this Session object.
+ *
+ * @return group name maps to the 'name' attribute on the 'ftGroup' object class.
+ */
+ public String getGroupName()
+ {
+ return this.group.getName();
+ }
/**
@@ -354,10 +413,10 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
return this.user.getInternalId();
}
-
+
/**
- * Return the list of User's RBAC Roles that have been activated into User's session. This list will not include
+ * Return the list of User's RBAC Roles that have been activated into User's or Group's session. This list will not include
* ascendant RBAC roles which may be retrieved using {@link org.apache.directory.fortress.core.impl.AccessMgrImpl#authorizedRoles(Session)}.
*
* @return List containing User's RBAC roles. This list may be empty if User not assigned RBAC.
@@ -366,7 +425,11 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
List<UserRole> roles = null;
- if ( user != null )
+ if ( isGroupSession && group != null )
+ {
+ roles = group.getRoles();
+ }
+ if ( !isGroupSession && user != null )
{
roles = user.getRoles();
}
@@ -385,7 +448,12 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
List<UserAdminRole> roles = null;
- if ( user != null )
+// TODO: Do we need admin roles for Group?
+// if ( isGroupSession && group != null )
+// {
+// roles = group.getAdminRoles();
+// }
+ if ( !isGroupSession && user != null )
{
roles = user.getAdminRoles();
}
@@ -548,6 +616,15 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
this.user = user;
}
+
+ /**
+ * Set a Group entity into the Session.
+ * @param group Contains group name, roles members and other security attributes used for access control.
+ */
+ public void setGroup( Group group )
+ {
+ this.group = group;
+ }
/**
@@ -573,7 +650,13 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
isAuthenticated = authenticated;
}
-
+
+
+ /**
+ * Set the value to 'true' indicating that Session is created for Group entity
+ * @param isGroupSession indicates if Session is for Group
+ */
+ public void setGroupSession(boolean isGroupSession) { isGroupSession = isGroupSession; }
/**
* Set the userId that is associated with User. UserId is required attribute and must be set on add, update, delete, createSession, authenticate, etc..
@@ -585,15 +668,32 @@ public class Session extends FortEntity implements PwMessage, Serializable
user.setUserId( userId );
}
+ /**
+ * Set the groupName that is associated with Group. GroupName is required attribute and must be set on add, update, delete, createSession, authenticate, etc..
+ *
+ * @param groupName maps to 'name' attribute in 'ftGroup' object class.
+ */
+ public void setGroupName ( String groupName )
+ {
+ group.setName( groupName );
+ }
+
/**
* Add a list of RBAC Roles to this entity that have been activated into Session or are under consideration for activation.
*
- * @param roles List of type UserRole that contains at minimum UserId and Role name.
+ * @param roles List of type UserRole that contains at minimum UserId or GroupName and Role name.
*/
public void setRoles( List<UserRole> roles )
{
- user.setRoles( roles );
+ if ( isGroupSession )
+ {
+ group.setRoles( roles );
+ }
+ else
+ {
+ user.setRoles( roles );
+ }
}
@@ -604,7 +704,15 @@ public class Session extends FortEntity implements PwMessage, Serializable
*/
public void setRole( UserRole role )
{
- user.setRole( role );
+ if ( isGroupSession )
+ {
+// group.setRole( role );
+ group.getRoles().add( role );
+ }
+ else
+ {
+ user.setRole( role );
+ }
}
@@ -747,7 +855,14 @@ public class Session extends FortEntity implements PwMessage, Serializable
sb.append( "Session object: \n" );
sb.append( " sessionId :" ).append( sessionId ).append( '\n' );
- sb.append( " user :" ).append( user ).append( '\n' );
+ if ( isGroupSession )
+ {
+ sb.append( " group :" ).append( group ).append( '\n' );
+ }
+ else
+ {
+ sb.append( " user :" ).append( user ).append( '\n' );
+ }
sb.append( " isAuthenticated :" ).append( isAuthenticated ).append( '\n' );
sb.append( " lastAccess :" ).append( lastAccess ).append( '\n' );
sb.append( " timeout :" ).append( timeout ).append( '\n' );
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/model/UserRole.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/UserRole.java b/src/main/java/org/apache/directory/fortress/core/model/UserRole.java
index 27c0d70..44bc3d1 100755
--- a/src/main/java/org/apache/directory/fortress/core/model/UserRole.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/UserRole.java
@@ -72,8 +72,8 @@ import org.apache.directory.fortress.core.util.Config;
*/
@XmlRootElement( name = "fortUserRole" )
@XmlAccessorType( XmlAccessType.FIELD )
-@XmlType( name = "userRole", propOrder = {"name", "userId", "parents", "beginDate", "beginLockDate", "beginTime",
- "dayMask", "endDate", "endLockDate", "endTime", "timeout"} )
+@XmlType( name = "userRole", propOrder = {"name", "userId", "isGroupRole", "parents", "beginDate", "beginLockDate",
+ "beginTime", "dayMask", "endDate", "endLockDate", "endTime", "timeout"} )
@XmlSeeAlso( {UserAdminRole.class} )
public class UserRole extends FortEntity implements Serializable, Constraint
{
@@ -81,6 +81,7 @@ public class UserRole extends FortEntity implements Serializable, Constraint
protected String userId;
protected String name;
+ protected boolean isGroupRole;
private Integer timeout;
private String beginTime;
private String endTime;
@@ -111,9 +112,21 @@ public class UserRole extends FortEntity implements Serializable, Constraint
{
this.userId = userId;
name = role;
-
+ isGroupRole = false;
}
+ /**
+ * Construct a UserRole entity given the required attributes 'userId' and 'role' name.
+ *
+ * @param userId maps to the 'uid' attribute on the 'inetOrgPerson' object class.
+ * @param name role name, maps to the 'ftRA' attribute on the 'ftUserAttrs' object class.
+ * @param isGroupRole defines if value contained in userId is group name rather than user's uid
+ */
+ public UserRole(String userId, String name, boolean isGroupRole) {
+ this.userId = userId;
+ this.name = name;
+ this.isGroupRole = isGroupRole;
+ }
/**
* Construct an RBAC Role with required attribute 'userId' and optional temporal constraint.
@@ -124,6 +137,7 @@ public class UserRole extends FortEntity implements Serializable, Constraint
public UserRole( String userId, Constraint con )
{
this.userId = userId;
+ isGroupRole = false;
ConstraintUtil.copy( con, this );
}
@@ -573,6 +587,21 @@ public class UserRole extends FortEntity implements Serializable, Constraint
this.parents = parents;
}
+ /**
+ * Returns 'true' if value in userId refers to group name
+ * @return if userId contains group name
+ */
+ public boolean isGroupRole() {
+ return isGroupRole;
+ }
+
+ /**
+ * Set to 'true' if userId contains group name
+ * @param groupRole specifies if value in userId contains group name
+ */
+ public void setGroupRole(boolean groupRole) {
+ isGroupRole = groupRole;
+ }
/**
* Matches the userId and role name from two UserRole entities.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
index ed5b873..416dc0b 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
@@ -28,12 +28,7 @@ import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.impl.AccessMgrImpl;
import org.apache.directory.fortress.core.impl.Manageable;
-import org.apache.directory.fortress.core.model.FortRequest;
-import org.apache.directory.fortress.core.model.FortResponse;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.VUtil;
/**
@@ -141,6 +136,11 @@ public class AccessMgrRestImpl extends Manageable implements AccessMgr
return retSession;
}
+ @Override
+ public Session createGroupSession(Group group, boolean isTrusted) throws SecurityException {
+ return null;
+ }
+
/**
* {@inheritDoc}
*/
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/VUtil.java b/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
index 7b042f8..4e5baf6 100755
--- a/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
+++ b/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
@@ -584,7 +584,7 @@ public final class VUtil implements ConstraintValidator
{
Time currTime = TUtil.getCurrentTime();
// first check the constraint on the user:
- if ( type == ConstraintType.USER )
+ if ( type == ConstraintType.USER && !session.isGroupSession() )
{
rc = val.validate( session, session.getUser(), currTime, type );
if ( rc > 0 )
@@ -645,7 +645,11 @@ public final class VUtil implements ConstraintValidator
&& CollectionUtils.isNotEmpty( session.getRoles() ) )
{
Validator dsdVal = ( Validator ) ClassUtil.createInstance( DSDVALIDATOR );
- dsdVal.validate( session, session.getUser(), null, null );
+ // Do not validate for Groups
+ if ( !session.isGroupSession() )
+ {
+ dsdVal.validate( session, session.getUser(), null, null );
+ }
}
// reset the user's last access timestamp:
session.setLastAccess();
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/098f0a37/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
index 3aaa646..05b5648 100755
--- a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
@@ -19,17 +19,11 @@
*/
package org.apache.directory.fortress.core;
+import org.apache.directory.fortress.core.impl.OrgUnitP;
import org.apache.directory.fortress.core.impl.TestUtils;
-import org.apache.directory.fortress.core.model.UserAdminRole;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
-
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.Enumeration;
-import java.util.List;
+import org.apache.directory.fortress.core.model.*;
+
+import java.util.*;
import org.apache.directory.fortress.core.util.VUtil;
import org.slf4j.Logger;
[2/4] directory-fortress-core git commit: FC-144 Use Groups of Roles
to create Sessions
Posted by sm...@apache.org.
FC-144 Use Groups of Roles to create Sessions
* Modified GroupMgr to support SSD and DSD constraints for roles assignment
* Added tests for new GroupMgr methods
* Updated info needed by EnMasse project (HttpIds etc.)
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/252e6116
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/252e6116
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/252e6116
Branch: refs/heads/master
Commit: 252e6116933c7d37d53159c304fdb1e309a97aa1
Parents: 098f0a3
Author: Vyacheslav Vakhlyuev <vv...@mirantis.com>
Authored: Fri Sep 23 17:17:38 2016 +0300
Committer: Vyacheslav Vakhlyuev <vv...@mirantis.com>
Committed: Fri Sep 23 17:17:38 2016 +0300
----------------------------------------------------------------------
.../directory/fortress/core/AccessMgr.java | 6 +-
.../directory/fortress/core/GlobalErrIds.java | 7 +
.../fortress/core/impl/AccessMgrImpl.java | 4 +-
.../fortress/core/impl/AdminMgrImpl.java | 21 +-
.../fortress/core/impl/DSDChecker.java | 21 +-
.../fortress/core/impl/GroupMgrImpl.java | 2 +
.../directory/fortress/core/impl/GroupP.java | 34 ++-
.../directory/fortress/core/impl/PermDAO.java | 3 +-
.../directory/fortress/core/impl/SDUtil.java | 66 +++--
.../directory/fortress/core/model/Group.java | 15 +-
.../directory/fortress/core/model/Session.java | 3 +-
.../fortress/core/rest/AccessMgrRestImpl.java | 21 +-
.../directory/fortress/core/rest/HttpIds.java | 9 +
.../directory/fortress/core/util/VUtil.java | 181 +++++++++---
.../fortress/core/impl/FortressJUnitTest.java | 12 +
.../fortress/core/impl/GroupMgrImplTest.java | 279 +++++++++++++++++++
.../fortress/core/impl/GroupTestData.java | 94 +++++++
17 files changed, 677 insertions(+), 101 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
index 6d2e19a..51fff40 100755
--- a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
@@ -181,9 +181,9 @@ public interface AccessMgr extends Manageable
throws SecurityException;
/**
- * Perform user authentication {@link Group} and role activations {@link Group#members}.<br>
+ * Perform group {@link Group} role activations {@link Group#members}.<br>
* Group sessions are always trusted. <br>
- * This method must be called once per user prior to calling other methods within this class.
+ * This method must be called once per group prior to calling other methods within this class.
* The successful result is {@link org.apache.directory.fortress.core.model.Session} that contains target group's RBAC
* {@link Group#members}
* <h4> This API will...</h4>
@@ -248,7 +248,7 @@ public interface AccessMgr extends Manageable
* @throws SecurityException
* in the event of data validation failure, security policy violation or DAO error.
*/
- Session createGroupSession(Group group)
+ Session createSession(Group group)
throws SecurityException;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java b/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
index 363bb37..1fb4ef2 100755
--- a/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/GlobalErrIds.java
@@ -1655,4 +1655,11 @@ public final class GlobalErrIds
* The supplied group protocol name failed length check.
*/
public static final int GROUP_PROTOCOL_INVLD = 10313;
+
+ /**
+ * The supplied group type is invalid for operation
+ */
+ public static final int GROUP_TYPE_INVLD = 10314;
+
+
}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
index f13c6b5..da81b8f 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
@@ -120,10 +120,10 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
* {@inheritDoc}
*/
@Override
- public Session createGroupSession(Group group)
+ public Session createSession( Group group )
throws SecurityException
{
- String methodName = "createGroupSession";
+ String methodName = "createSession";
assertContext( CLS_NM, methodName, group, GlobalErrIds.GROUP_NULL );
return groupP.createSession( group );
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
index ec0019e..9b0eba8 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
@@ -29,16 +29,7 @@ import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.model.AdminRole;
-import org.apache.directory.fortress.core.model.ConstraintUtil;
-import org.apache.directory.fortress.core.model.Hier;
-import org.apache.directory.fortress.core.model.PermObj;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Relationship;
-import org.apache.directory.fortress.core.model.Role;
-import org.apache.directory.fortress.core.model.SDSet;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.VUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -91,6 +82,7 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
private static final RoleP roleP = new RoleP();
private static final SdP sdP = new SdP();
private static final UserP userP = new UserP();
+ private static final GroupP groupP = new GroupP();
private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
@@ -262,6 +254,14 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
LOG.error( error );
throw new SecurityException( GlobalErrIds.HIER_DEL_FAILED_HAS_CHILD, error, null );
}
+ Role outRole = roleP.read( role );
+ outRole.setContextId( role.getContextId() );
+ // deassign all groups assigned to this role first (because of schema's configGroup class constraints)
+ List<Group> groups = groupP.roleGroups( outRole );
+ for ( Group group : groups )
+ {
+ groupP.deassign( group, outRole.getDn() );
+ }
// search for all users assigned this role and deassign:
List<User> users = userP.getAssignedUsers( role );
if ( users != null )
@@ -285,7 +285,6 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
}
}
roleP.delete( role );
- // TODO: what about groups? Should we remove roles from group members?
}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java b/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
index 8a47857..077ddea 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java
@@ -88,14 +88,22 @@ public class DSDChecker
{
return rc;
}
- // get the list of authorized roles for this user:
- Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles( activeRoleList, session.getUser().getContextId() );
+
+ // Depending on if session is group or user session, fill objects
+ String contextId = session.isGroupSession()
+ ? session.getGroup().getContextId()
+ : session.getUser().getContextId();
+ String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
+ String entityType = session.isGroupSession() ? "groupName" : "userId";
+
+ // get the list of authorized roles for this user/group:
+ Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles( activeRoleList, contextId);
// only need to check DSD constraints if more than one role is being activated:
if ( authorizedRoleSet != null && authorizedRoleSet.size() > 1 )
{
// get all DSD sets that contain the candidate activated and authorized roles,
//If DSD cache is disabled, this will search the directory using authorizedRoleSet
- Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache( authorizedRoleSet, session.getUser().getContextId() );
+ Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache( authorizedRoleSet, contextId);
if ( dsdSets != null && dsdSets.size() > 0 )
{
for ( SDSet dsd : dsdSets )
@@ -115,7 +123,7 @@ public class DSDChecker
if ( matchCount >= dsd.getCardinality() )
{
activatedRoles.remove();
- String warning = "validate userId [" + session.getUserId()
+ String warning = "validate " + entityType + " [" + entityId
+ "] failed activation of assignedRole [" + activatedRole.getName()
+ "] validates DSD Set Name:" + dsd.getName() + " Cardinality:"
+ dsd.getCardinality();
@@ -127,8 +135,7 @@ public class DSDChecker
}
else
{
- Set<String> parentSet = RoleUtil.getInstance().getAscendants( activatedRole.getName(), session.getUser()
- .getContextId() );
+ Set<String> parentSet = RoleUtil.getInstance().getAscendants( activatedRole.getName(), contextId);
// now check for every role inherited from this activated role:
for ( String parentRole : parentSet )
{
@@ -137,7 +144,7 @@ public class DSDChecker
matchCount++;
if ( matchCount >= dsd.getCardinality() )
{
- String warning = "validate userId [" + session.getUserId()
+ String warning = "validate " + entityType + " [" + entityId
+ "] assignedRole [" + activatedRole.getName() + "] parentRole ["
+ parentRole + "] validates DSD Set Name:" + dsd.getName()
+ " Cardinality:" + dsd.getCardinality();
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
index 6341600..195471d 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupMgrImpl.java
@@ -209,6 +209,8 @@ public class GroupMgrImpl extends Manageable implements GroupMgr, Serializable
{
Role role = reviewMgr.readRole( new Role( member ) );
dn = role.getDn();
+ // Validate SSD constraints
+ SDUtil.getInstance().validateSSD( group, role );
}
else
{
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java b/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
index 31512bb..f0bc6b6 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/GroupP.java
@@ -137,7 +137,10 @@ final class GroupP
*/
Group assign( Group entity, String userDn ) throws SecurityException
{
- return gDao.assign( entity, userDn );
+ Group group = read( entity );
+ group.setContextId( entity.getContextId() );
+
+ return gDao.assign( group, userDn );
}
@@ -151,7 +154,10 @@ final class GroupP
*/
Group deassign( Group entity, String userDn ) throws SecurityException
{
- return gDao.deassign( entity, userDn );
+ Group group = read( entity );
+ group.setContextId( entity.getContextId() );
+
+ return gDao.deassign( group, userDn );
}
@@ -241,29 +247,37 @@ final class GroupP
{
// Process selective activation of user's RBAC roles into session:
List<String> availableRoles = session.getGroup().getMembers();
- availableRoles.retainAll(group.getMembers());
-
- // Fill aux field 'roles' with Role entities
- fillRoles(session.getGroup());
+ availableRoles.retainAll( group.getMembers() );
}
+ // Fill aux field 'roles' with Role entities
+ fillRoles( session.getGroup() );
+
// Check role temporal constraints + activate roles:
VUtil.getInstance().validateConstraints( session, VUtil.ConstraintType.ROLE, true );
return session;
}
- // TODO: docs
private Session createSessionTrusted( Group inGroup) throws SecurityException
{
Group group = read( inGroup );
group.setContextId( inGroup.getContextId() );
+ if ( group.getType() != Group.Type.ROLE )
+ {
+ String info = "createSession failed for Group ["
+ + group.getName() + "], group must be of type ROLE.";
+
+ throw new ValidationException( GlobalErrIds.GROUP_TYPE_INVLD, info );
+ }
+
Session session = new Session(group);
// Set this flag to false because group was not authenticated.
session.setAuthenticated( false );
return session;
}
+
/**
* Populates the auxiliary field 'roles' in given group object with
* {@link UserRole} data
@@ -279,14 +293,14 @@ final class GroupP
for ( String roleDn : members )
{
String roleRdn = roleDn;
- if (group.isMemberDn())
+ if ( group.isMemberDn() )
{
- String[] parts = roleDn.split(",");
+ String[] parts = roleDn.split( "," );
if (parts.length > 0)
{
roleRdn = parts[ 0 ];
}
- roleRdn = roleRdn.replaceFirst("cn=", ""); // remove 'cn='
+ roleRdn = roleRdn.replaceFirst( "cn=", "" ); // remove 'cn='
}
Role inRole = new Role( roleRdn );
inRole.setContextId( group.getContextId() );
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
index 3152a20..4d45c34 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/PermDAO.java
@@ -964,7 +964,8 @@ final class PermDAO extends LdapDataProvider
boolean result = false;
Set<String> userIds = permission.getUsers();
- if ( CollectionUtils.isNotEmpty( userIds ) && userIds.contains( session.getUserId() ) )
+ if ( !session.isGroupSession() && CollectionUtils.isNotEmpty( userIds )
+ && userIds.contains( session.getUserId() ) )
{
// user is assigned directly to this permission, no need to look further.
return true;
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java b/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java
index 635e62b..3f9a501 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java
@@ -31,17 +31,9 @@ import net.sf.ehcache.search.Results;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.directory.api.ldap.model.constants.SchemaConstants;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ReviewMgr;
-import org.apache.directory.fortress.core.ReviewMgrFactory;
+import org.apache.directory.fortress.core.*;
import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.model.Constraint;
-import org.apache.directory.fortress.core.model.Role;
-import org.apache.directory.fortress.core.model.SDSet;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.Config;
import org.apache.directory.fortress.core.util.cache.Cache;
import org.apache.directory.fortress.core.util.cache.CacheMgr;
@@ -128,34 +120,62 @@ final class SDUtil
void validateSSD(User user, Role role)
throws SecurityException
{
- int matchCount;
// get all authorized roles for user
- ReviewMgr rMgr = ReviewMgrFactory.createInstance(user.getContextId());
- Set<String> rls = rMgr.authorizedRoles(user);
+ String contextId = user.getContextId();
+ ReviewMgr rMgr = ReviewMgrFactory.createInstance( contextId );
+ Set<String> rls = rMgr.authorizedRoles( user );
+
+ checkSSD( role, rls, contextId);
+ }
+
+ /**
+ * This method is called by GroupMgr.assign and is used to validate Static Separation of Duty
+ * constraints when assigning a role to group.
+ *
+ * @param group
+ * @param role
+ * @throws org.apache.directory.fortress.core.SecurityException
+ *
+ */
+ void validateSSD( Group group, Role role ) throws SecurityException
+ {
+ // get all authorized roles for this group
+ String contextId = group.getContextId();
+ GroupMgr groupMgr = GroupMgrFactory.createInstance(contextId);
+ List<UserRole> roles = groupMgr.groupRoles( group );
+ Set<String> rls = RoleUtil.getInstance().getInheritedRoles( roles, contextId);
+ // check SSD constraints
+ checkSSD( role, rls, contextId);
+ }
+
+ private void checkSSD( Role role, Set<String> authorizedRls, String contextId ) throws SecurityException
+ {
+ int matchCount;
// Need to proceed?
- if (!CollectionUtils.isNotEmpty( rls ))
+ if (CollectionUtils.isEmpty( authorizedRls ))
{
return;
}
// get all SSD sets that contain the new role
- List<SDSet> ssdSets = getSsdCache(role.getName(), user.getContextId());
- for (SDSet ssd : ssdSets)
+ List<SDSet> ssdSets = getSsdCache( role.getName(), contextId );
+ for ( SDSet ssd : ssdSets )
{
matchCount = 0;
Set<String> map = ssd.getMembers();
- // iterate over every authorized role for user:
- for (String authRole : rls)
+ // iterate over every authorized role for user/group:
+ for ( String authRole : authorizedRls )
{
// is there a match found between authorized role and SSD set's members?
- if (map.contains(authRole))
+ if ( map.contains( authRole ) )
{
matchCount++;
// does the match count exceed the cardinality allowed for this particular SSD set?
- if (matchCount >= ssd.getCardinality() - 1)
+ if ( matchCount >= ssd.getCardinality() - 1 )
{
- String error = "validateSSD new role [" + role.getName() + "] validates SSD Set Name:" + ssd.getName() + " Cardinality:" + ssd.getCardinality();
- throw new SecurityException(GlobalErrIds.SSD_VALIDATION_FAILED, error);
+ String error = "validateSSD new role [" + role.getName() + "] validates SSD Set Name:"
+ + ssd.getName() + " Cardinality:" + ssd.getCardinality();
+ throw new SecurityException( GlobalErrIds.SSD_VALIDATION_FAILED, error );
}
}
}
@@ -177,7 +197,7 @@ final class SDUtil
{
// get all activated roles from user's session:
List<UserRole> rls = session.getRoles();
- if (!CollectionUtils.isNotEmpty( rls ))
+ if (CollectionUtils.isEmpty( rls ))
{
// An empty list of roles was passed in the session variable.
// No need to continue.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/model/Group.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Group.java b/src/main/java/org/apache/directory/fortress/core/model/Group.java
index 5874871..73aa6bd 100755
--- a/src/main/java/org/apache/directory/fortress/core/model/Group.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/Group.java
@@ -20,11 +20,7 @@
package org.apache.directory.fortress.core.model;
-import javax.xml.bind.annotation.XmlAccessType;
-import javax.xml.bind.annotation.XmlAccessorType;
-import javax.xml.bind.annotation.XmlEnum;
-import javax.xml.bind.annotation.XmlRootElement;
-import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.*;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Enumeration;
@@ -42,7 +38,8 @@ import java.util.StringTokenizer;
"protocol",
"members",
"props",
- "type"
+ "type",
+ "roles"
})
public class Group extends FortEntity implements Serializable
{
@@ -52,18 +49,20 @@ public class Group extends FortEntity implements Serializable
private String protocol;
private List<String> members;
private Props props = new Props();
+ @XmlTransient
private boolean memberDn;
private Type type;
/**
- * Auxiliary field used to store roles in UserRole format. Used only internally by DAO/Managers.
+ * Auxiliary field used to store roles in UserRole format.
*/
+ @XmlElement( nillable = true )
private List<UserRole> roles = new ArrayList<>();
/**
* enum for User or Role data sets. Both nodes may be stored in the same LDAP container.
*/
- @XmlType(name = "type")
+ @XmlType(name = "groupType")
@XmlEnum
public enum Type
{
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/model/Session.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/model/Session.java b/src/main/java/org/apache/directory/fortress/core/model/Session.java
index c6d2c62..12ff328 100755
--- a/src/main/java/org/apache/directory/fortress/core/model/Session.java
+++ b/src/main/java/org/apache/directory/fortress/core/model/Session.java
@@ -656,7 +656,7 @@ public class Session extends FortEntity implements PwMessage, Serializable
* Set the value to 'true' indicating that Session is created for Group entity
* @param isGroupSession indicates if Session is for Group
*/
- public void setGroupSession(boolean isGroupSession) { isGroupSession = isGroupSession; }
+ public void setGroupSession(boolean isGroupSession) { this.isGroupSession = isGroupSession; }
/**
* Set the userId that is associated with User. UserId is required attribute and must be set on add, update, delete, createSession, authenticate, etc..
@@ -706,7 +706,6 @@ public class Session extends FortEntity implements PwMessage, Serializable
{
if ( isGroupSession )
{
-// group.setRole( role );
group.getRoles().add( role );
}
else
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
index 416dc0b..533988b 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
@@ -137,8 +137,25 @@ public class AccessMgrRestImpl extends Manageable implements AccessMgr
}
@Override
- public Session createGroupSession(Group group, boolean isTrusted) throws SecurityException {
- return null;
+ public Session createSession( Group group ) throws SecurityException
+ {
+ VUtil.assertNotNull( group, GlobalErrIds.GROUP_NULL, CLS_NM + ".createSession" );
+ Session retSession;
+ FortRequest request = new FortRequest();
+ request.setContextId( this.contextId );
+ request.setEntity( group );
+ String szRequest = RestUtils.marshal( request );
+ String szResponse = RestUtils.getInstance().post( szRequest, HttpIds.RBAC_CREATE_GROUP_SESSION );
+ FortResponse response = RestUtils.unmarshall( szResponse );
+ if (response.getErrorCode() == 0)
+ {
+ retSession = response.getSession();
+ }
+ else
+ {
+ throw new SecurityException( response.getErrorCode(), response.getErrorMessage() );
+ }
+ return retSession;
}
/**
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
index 30d825c..eb55ec8 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
@@ -155,4 +155,13 @@ public class HttpIds
public static final String CFG_UPDATE = "cfgUpdate";
public static final String CFG_DELETE = "cfgDelete";
public static final String CFG_READ = "cfgRead";
+ public static final String RBAC_CREATE_GROUP_SESSION = "rbacCreateGroup";
+ public static final String GROUP_ADD = "groupAdd";
+ public static final String GROUP_READ = "groupRead";
+ public static final String GROUP_UPDATE = "groupUpdate";
+ public static final String GROUP_DELETE = "groupDelete";
+ public static final String GROUP_ROLE_ASGNED = "roleGroupAsigned";
+ public static final String GROUP_ASGNED = "groupAsigned";
+ public static final String GROUP_ROLE_ASGN = "groupRoleAsgn";
+ public static final String GROUP_ROLE_DEASGN = "groupRoleDeasgn";
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/VUtil.java b/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
index 4e5baf6..622cf9d 100755
--- a/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
+++ b/src/main/java/org/apache/directory/fortress/core/util/VUtil.java
@@ -36,13 +36,7 @@ import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.model.Constraint;
-import org.apache.directory.fortress.core.model.ConstraintValidator;
-import org.apache.directory.fortress.core.model.ObjectFactory;
-import org.apache.directory.fortress.core.model.PropUtil;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.UserRole;
-import org.apache.directory.fortress.core.model.Warning;
+import org.apache.directory.fortress.core.model.*;
import org.apache.directory.fortress.core.util.time.TUtil;
import org.apache.directory.fortress.core.util.time.Time;
import org.apache.directory.fortress.core.util.time.Validator;
@@ -561,22 +555,25 @@ public final class VUtil implements ConstraintValidator
throws SecurityException
{
String location = "validateConstraints";
+ String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
+ String entityType = session.isGroupSession() ? "groupName" : "userId";
int rc;
+
if ( validators == null )
{
if ( LOG.isDebugEnabled() )
{
- LOG.debug( "{} userId [{}] no constraints enabled", location, session.getUserId() );
+ LOG.debug("{} " + entityType + " [{}] has no constraints enabled", location, entityId);
}
return;
}
// no need to continue if the role list is empty and we're trying to check role constraints:
- else if ( type == ConstraintType.ROLE && !CollectionUtils.isNotEmpty( session.getRoles() )
- && !CollectionUtils.isNotEmpty( session.getAdminRoles() ) )
+ else if ( type == ConstraintType.ROLE && CollectionUtils.isEmpty( session.getRoles() )
+ && CollectionUtils.isEmpty( session.getAdminRoles() ) )
{
if ( LOG.isDebugEnabled() )
{
- LOG.debug( "{} userId [{}] has no roles assigned", location, session.getUserId() );
+ LOG.debug("{} " + entityType + " [{}] has no roles assigned", location, entityId);
}
return;
}
@@ -589,7 +586,7 @@ public final class VUtil implements ConstraintValidator
rc = val.validate( session, session.getUser(), currTime, type );
if ( rc > 0 )
{
- String info = location + " user [" + session.getUserId() + "] was deactivated reason code [" + rc
+ String info = location + " user [" + entityId + "] was deactivated reason code [" + rc
+ "]";
throw new ValidationException( rc, info );
}
@@ -600,42 +597,42 @@ public final class VUtil implements ConstraintValidator
if ( CollectionUtils.isNotEmpty( session.getRoles() ) )
{
// now check the constraint on every role activation candidate contained within session object:
- ListIterator<UserRole> roleItems = session.getRoles().listIterator();
-
- while ( roleItems.hasNext() )
+ List<UserRole> rolesToRemove = new ArrayList<>();
+ for ( UserRole role : session.getRoles() )
{
- Constraint constraint = roleItems.next();
- rc = val.validate( session, constraint, currTime, type );
-
+ rc = val.validate( session, role, currTime, type );
if ( rc > 0 )
{
- String msg = location + " role [" + constraint.getName() + "] for user ["
- + session.getUserId() + "] was deactivated reason code [" + rc + "]";
+ rolesToRemove.add( role );
+ String msg = location + " role [" + role.getName() + "] for " + entityType
+ + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
LOG.info( msg );
- roleItems.remove();
session.setWarning( new ObjectFactory().createWarning( rc, msg, Warning.Type.ROLE,
- constraint.getName() ) );
+ role.getName() ) );
}
}
+ // remove all roles not passing validation
+ session.getRoles().removeAll( rolesToRemove );
}
if ( CollectionUtils.isNotEmpty( session.getAdminRoles() ) )
{
// now check the constraint on every arbac role activation candidate contained within session object:
- ListIterator roleItems = session.getAdminRoles().listIterator();
- while ( roleItems.hasNext() )
+ List<UserRole> rolesToRemove = new ArrayList<>();
+ for ( UserRole role : session.getAdminRoles() )
{
- Constraint constraint = ( Constraint ) roleItems.next();
- rc = val.validate( session, constraint, currTime, ConstraintType.ROLE );
+ rc = val.validate( session, role, currTime, type );
if ( rc > 0 )
{
- String msg = location + " admin role [" + constraint.getName() + "] for user ["
- + session.getUserId() + "] was deactivated reason code [" + rc + "]";
+ rolesToRemove.add( role );
+ String msg = location + " admin role [" + role.getName() + "] for " + entityType
+ + "[" + entityId + "]" + " was deactivated reason code [" + rc + "]";
LOG.info( msg );
- roleItems.remove();
session.setWarning( new ObjectFactory().createWarning( rc, msg, Warning.Type.ROLE,
- constraint.getName() ) );
+ role.getName() ) );
}
}
+ // remove all roles not passing validation
+ session.getAdminRoles().removeAll( rolesToRemove );
}
}
}
@@ -645,8 +642,12 @@ public final class VUtil implements ConstraintValidator
&& CollectionUtils.isNotEmpty( session.getRoles() ) )
{
Validator dsdVal = ( Validator ) ClassUtil.createInstance( DSDVALIDATOR );
- // Do not validate for Groups
- if ( !session.isGroupSession() )
+ if ( session.isGroupSession() )
+ {
+ // pass session's group wrapped into constraint interface
+ dsdVal.validate( session, new ConstraintedGroup( session.getGroup() ), null, null );
+ }
+ else
{
dsdVal.validate( session, session.getUser(), null, null );
}
@@ -679,4 +680,120 @@ public final class VUtil implements ConstraintValidator
}
return validators;
}
+
+ /**
+ * A class to wrap the group into constrainted interface to pass to DSD validator.
+ * Group itself doesn't have temporal contraints.
+ */
+ private class ConstraintedGroup implements Constraint {
+ private Group group;
+
+ public ConstraintedGroup(Group group) {
+ this.group = group;
+ }
+
+ public Group getGroup() {
+ return group;
+ }
+
+ @Override
+ public boolean isTemporalSet() {
+ return false;
+ }
+
+ @Override
+ public void setTimeout(Integer timeout) {
+
+ }
+
+ @Override
+ public void setBeginTime(String beginTime) {
+
+ }
+
+ @Override
+ public void setEndTime(String endTime) {
+
+ }
+
+ @Override
+ public void setBeginDate(String beginDate) {
+
+ }
+
+ @Override
+ public void setEndDate(String endDate) {
+
+ }
+
+ @Override
+ public void setDayMask(String dayMask) {
+
+ }
+
+ @Override
+ public void setBeginLockDate(String beginLockDate) {
+
+ }
+
+ @Override
+ public void setEndLockDate(String endLockDate) {
+
+ }
+
+ @Override
+ public void setName(String name) {
+
+ }
+
+ @Override
+ public String getRawData() {
+ return null;
+ }
+
+ @Override
+ public Integer getTimeout() {
+ return null;
+ }
+
+ @Override
+ public String getBeginTime() {
+ return null;
+ }
+
+ @Override
+ public String getEndTime() {
+ return null;
+ }
+
+ @Override
+ public String getBeginDate() {
+ return null;
+ }
+
+ @Override
+ public String getEndDate() {
+ return null;
+ }
+
+ @Override
+ public String getBeginLockDate() {
+ return null;
+ }
+
+ @Override
+ public String getEndLockDate() {
+ return null;
+ }
+
+ @Override
+ public String getDayMask() {
+ return null;
+ }
+
+ @Override
+ public String getName() {
+ return group.getName();
+ }
+ }
}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/test/java/org/apache/directory/fortress/core/impl/FortressJUnitTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/FortressJUnitTest.java b/src/test/java/org/apache/directory/fortress/core/impl/FortressJUnitTest.java
index c590b68..b7e6166 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/FortressJUnitTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/FortressJUnitTest.java
@@ -110,6 +110,11 @@ public class FortressJUnitTest extends TestCase
suite.addTest( new PswdPolicyMgrImplTest( "testDeletePasswordPolicy" ) );
}
+ // GroupMgr
+ suite.addTest( new GroupMgrImplTest( "testDeassignGroupRoleMember" ) );
+ suite.addTest( new GroupMgrImplTest( "testDeassignGroupUserMember" ) );
+ suite.addTest( new GroupMgrImplTest( "testDeleteGroup" ) );
+
// AdminMgrImplTest RBAC Teardown APIs:
suite.addTest( new AdminMgrImplTest( "testRevokePermissionUser" ) );
suite.addTest( new AdminMgrImplTest( "testRevokePermissionRole" ) );
@@ -200,6 +205,13 @@ public class FortressJUnitTest extends TestCase
suite.addTest( new AdminMgrImplTest( "testGrantPermissionRole" ) );
suite.addTest( new AdminMgrImplTest( "testGrantPermissionUser" ) );
+ // GroupMgr APIs
+ suite.addTest( new GroupMgrImplTest( "testAddGroup" ) );
+ suite.addTest( new GroupMgrImplTest( "testAssignGroupUserMember" ) );
+ suite.addTest( new GroupMgrImplTest( "testAssignGroupRoleMember" ) );
+ suite.addTest( new GroupMgrImplTest( "testGroupRoles" ) );
+ suite.addTest( new GroupMgrImplTest( "testRoleGroups" ) );
+
/***********************************************************/
/* 3. Interrogation */
/***********************************************************/
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/test/java/org/apache/directory/fortress/core/impl/GroupMgrImplTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/GroupMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/impl/GroupMgrImplTest.java
new file mode 100644
index 0000000..e1a4a1d
--- /dev/null
+++ b/src/test/java/org/apache/directory/fortress/core/impl/GroupMgrImplTest.java
@@ -0,0 +1,279 @@
+package org.apache.directory.fortress.core.impl;
+
+import junit.framework.TestCase;
+import org.apache.directory.fortress.core.*;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.model.Group;
+import org.apache.directory.fortress.core.model.Role;
+import org.apache.directory.fortress.core.model.User;
+import org.apache.directory.fortress.core.model.UserRole;
+import org.apache.directory.fortress.core.util.LogUtil;
+import org.junit.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+
+
+public class GroupMgrImplTest extends TestCase {
+ private static final String CLS_NM = AdminMgrImplTest.class.getName();
+ private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+ private GroupMgr groupMgr;
+
+ public GroupMgrImplTest( String name )
+ {
+ super( name );
+ }
+
+ public void testAddGroup()
+ {
+ addGroups( "ADD-GRP TG1", GroupTestData.TEST_GROUP1 );
+ addGroups( "ADD-GRP TG2", GroupTestData.TEST_GROUP2 );
+ addGroups( "ADD-GRP TG3", GroupTestData.TEST_GROUP3 );
+ }
+
+ private void addGroups( String message, Group group )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance(TestUtils.getContext());
+ groupMgr.add( group );
+ LOG.debug( "addGroup group [" + group.getName() + "] successful" );
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("addGroup: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testDeleteGroup()
+ {
+ deleteGroups( "DEL-GRP TG1", GroupTestData.TEST_GROUP1 );
+ deleteGroups( "DEL-GRP TG2", GroupTestData.TEST_GROUP2 );
+ deleteGroups( "DEL-GRP TG3", GroupTestData.TEST_GROUP3 );
+ }
+
+ private void deleteGroups( String message, Group group )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance(TestUtils.getContext());
+ Group nameOnlyGroup = new Group( group.getName() );
+ groupMgr.delete( nameOnlyGroup );
+ LOG.debug( "addGroup group [" + group.getName() + "] successful" );
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("addGroup: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testAssignGroupRoleMember()
+ {
+ assignRoleMember( "ASGN-GRP TG1 TR2", GroupTestData.TEST_GROUP1, RoleTestData.ROLES_TR2 );
+ assignRoleMember( "ASGN-GRP TG2 TR3", GroupTestData.TEST_GROUP2, RoleTestData.ROLES_TR3 );
+ }
+
+ private void assignRoleMember( String message, Group group, String[][] roles )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+
+ for ( String[] roleArray : roles )
+ {
+ Role role = RoleTestData.getRole( roleArray );
+ groupMgr.assign(group, role.getName() );
+ }
+ LOG.debug( "assignRoleMember group [" + group.getName() + "] successful" );
+
+ int countOfOldRoles = group.getMembers().size();
+ int countOfNewRoles = roles.length;
+ // read from LDAP and get count of members
+ Group groupFromLdap = groupMgr.read(group);
+ int actualAmountOfMembers = groupFromLdap.getMembers().size();
+ assertEquals( CLS_NM + ".assignRoleMember failed members size check",
+ countOfOldRoles + countOfNewRoles, actualAmountOfMembers);
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("assignRoleMember: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testAssignGroupUserMember()
+ {
+ assignUserMember( "ASGN-GRP TG3 TU2", GroupTestData.TEST_GROUP3, UserTestData.USERS_TU2);
+ }
+
+ private void assignUserMember( String message, Group group, String[][] users )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+
+ for ( String[] userArray : users )
+ {
+ User user = UserTestData.getUser( userArray );
+ groupMgr.assign(group, user.getUserId() );
+ }
+ LOG.debug( "assignUserMember group [" + group.getName() + "] successful" );
+
+ int countOfOldUsers = group.getMembers().size();
+ int countOfNewUsers = users.length;
+ // read from LDAP and get count of members
+ Group groupFromLdap = groupMgr.read(group);
+ int actualAmountOfMembers = groupFromLdap.getMembers().size();
+ assertEquals( CLS_NM + ".assignUserMember failed members size check",
+ countOfOldUsers + countOfNewUsers, actualAmountOfMembers);
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("assignUserMember: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testDeassignGroupRoleMember()
+ {
+ deassignRoleMember( "DEASGN-GRP TG1 TR2", GroupTestData.TEST_GROUP1, RoleTestData.ROLES_TR2 );
+ deassignRoleMember( "DEASGN-GRP TG2 TR3", GroupTestData.TEST_GROUP2, RoleTestData.ROLES_TR3 );
+ }
+
+ private void deassignRoleMember( String message, Group group, String[][] roles )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+
+ for ( String[] roleArray : roles )
+ {
+ Role role = RoleTestData.getRole( roleArray );
+ groupMgr.deassign(group, role.getName() );
+ }
+ LOG.debug( "deassignRoleMember group [" + group.getName() + "] successful" );
+
+ int countOfOldRoles = group.getMembers().size();
+ // read from LDAP and get count of members
+ Group groupFromLdap = groupMgr.read(group);
+ int actualAmountOfMembers = groupFromLdap.getMembers().size();
+ assertEquals( CLS_NM + ".deassignRoleMember failed members size check",
+ countOfOldRoles, actualAmountOfMembers);
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("deassignRoleMember: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testDeassignGroupUserMember()
+ {
+ deassignUserMember( "DEASGN-GRP TG3 TU2", GroupTestData.TEST_GROUP3, UserTestData.USERS_TU2);
+ }
+
+ private void deassignUserMember( String message, Group group, String[][] users )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+
+ for ( String[] userArray : users )
+ {
+ User user = UserTestData.getUser( userArray );
+ groupMgr.deassign(group, user.getUserId() );
+ }
+ LOG.debug( "deassignUserMember group [" + group.getName() + "] successful" );
+
+ int countOfOldUsers = group.getMembers().size();
+ // read from LDAP and get count of members after deassignment
+ Group groupFromLdap = groupMgr.read(group);
+ int actualAmountOfMembers = groupFromLdap.getMembers().size();
+ assertEquals( CLS_NM + ".deassignUserMember failed members size check",
+ countOfOldUsers, actualAmountOfMembers);
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("deassignUserMember: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testGroupRoles()
+ {
+ groupRoles( "GRP-RLS TG1 TR1+TR2", GroupTestData.TEST_GROUP1, RoleTestData.ROLES_TR2 );
+ groupRoles( "GRP-RLS TG2 TR2+TR3", GroupTestData.TEST_GROUP2, RoleTestData.ROLES_TR3 );
+ }
+
+ private void groupRoles( String message, Group group, String[][] addedRoles )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+ List<UserRole> actualRoles = groupMgr.groupRoles(group);
+ LOG.debug( "groupRoles group [" + group.getName() + "] successful" );
+
+ int initialRolesSize = group.getMembers().size();
+ int addedRolesSize = addedRoles.length;
+ assertEquals( CLS_NM + ".groupRoles failed members size check",
+ initialRolesSize + addedRolesSize, actualRoles.size() );
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("groupRoles: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+
+ public void testRoleGroups()
+ {
+ roleGroups( "RLE-GRPS TR2 TG1+TG2", RoleTestData.ROLES_TR2,
+ Arrays.asList( GroupTestData.TEST_GROUP1, GroupTestData.TEST_GROUP2 ));
+ }
+
+ private void roleGroups( String message, String[][] roles, List<Group> expectedGroups )
+ {
+ LogUtil.logIt( message );
+ try
+ {
+ groupMgr = GroupMgrFactory.createInstance( TestUtils.getContext() );
+ for ( String[] roleArray : roles )
+ {
+ Role role = RoleTestData.getRole(roleArray);
+ List<Group> actualGroups = groupMgr.roleGroups(role);
+ LOG.debug( "roleGroups role [" + role.getName() + "] successful" );
+
+ assertEquals( CLS_NM + ".roleGroups failed", expectedGroups, actualGroups);
+ }
+ }
+ catch ( SecurityException ex )
+ {
+ ex.printStackTrace();
+ LOG.error("groupRoles: caught SecurityException rc=" + ex.getErrorId() + ", msg=" + ex.getMessage(), ex);
+ fail(ex.getMessage());
+ }
+ }
+}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/252e6116/src/test/java/org/apache/directory/fortress/core/impl/GroupTestData.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/GroupTestData.java b/src/test/java/org/apache/directory/fortress/core/impl/GroupTestData.java
new file mode 100755
index 0000000..ff95a15
--- /dev/null
+++ b/src/test/java/org/apache/directory/fortress/core/impl/GroupTestData.java
@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.impl;
+
+
+import org.apache.directory.fortress.core.model.Group;
+import org.apache.directory.fortress.core.model.Group.Type;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public class GroupTestData
+{
+ public static final Group TEST_GROUP1 =
+ createGroup
+ (
+ "TestGroup1",
+ Type.ROLE,
+ "protocol1",
+ false,
+ roleNames( RoleTestData.ROLES_TR1 )
+ );
+
+ public static final Group TEST_GROUP2 =
+ createGroup
+ (
+ "TestGroup2",
+ Type.ROLE,
+ "protocol2",
+ false,
+ roleNames( RoleTestData.ROLES_TR2 )
+ );
+
+ public static final Group TEST_GROUP3 =
+ createGroup
+ (
+ "TestGroup3",
+ Type.USER,
+ "protocol3",
+ false,
+ userNames( UserTestData.USERS_TU1 )
+ );
+
+ private static List<String> roleNames(String[][] rolesArray )
+ {
+ List<String> names = new ArrayList<>();
+ for (String[] role : rolesArray )
+ {
+ names.add( RoleTestData.getName( role ) );
+ }
+ return names;
+ }
+
+ private static List<String> userNames(String[][] userArray )
+ {
+ List<String> names = new ArrayList<>();
+ for (String[] user : userArray )
+ {
+ names.add( UserTestData.getUserId( user ) );
+ }
+ return names;
+ }
+
+ private static Group createGroup(String name, Type type, String protocol, boolean memberDn, List<String> memberNames)
+ {
+ Group group = new Group();
+ group.setName( name );
+ group.setProtocol( protocol );
+ group.setMemberDn( memberDn );
+ group.setType( type );
+ group.setMembers( memberNames );
+ return group;
+ }
+}
\ No newline at end of file
[4/4] directory-fortress-core git commit: FC-144 Use Groups of Roles
to create Sessions. This closes #6
Posted by sm...@apache.org.
FC-144 Use Groups of Roles to create Sessions. This closes #6
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/cb34ef22
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/cb34ef22
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/cb34ef22
Branch: refs/heads/master
Commit: cb34ef224bc9b1c680fb4002039e6f3dd988a8fc
Parents: 5192805
Author: Shawn McKinney <sm...@apache.org>
Authored: Sun Sep 25 17:48:05 2016 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Sun Sep 25 17:48:05 2016 -0500
----------------------------------------------------------------------
README-QUICKSTART-APACHEDS.md | 2 +-
README-QUICKSTART-SLAPD.md | 2 +-
README-TEN-MINUTE-GUIDE.md | 2 +-
README.md | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/cb34ef22/README-QUICKSTART-APACHEDS.md
----------------------------------------------------------------------
diff --git a/README-QUICKSTART-APACHEDS.md b/README-QUICKSTART-APACHEDS.md
index c791e48..ad3b214 100644
--- a/README-QUICKSTART-APACHEDS.md
+++ b/README-QUICKSTART-APACHEDS.md
@@ -18,7 +18,7 @@
# ApacheDS & Fortress QUICKSTART
- Apache Fortress 1.0.1 and ApacheDS Quickstart System Architecture
+ Apache Fortress1.0.2-SNAPSHOT and ApacheDS Quickstart System Architecture
![ApacheDS & Fortress System Architecture](images/fortress-apacheds-system-arch.png "ApacheDS & Fortress System Architecture")
-------------------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/cb34ef22/README-QUICKSTART-SLAPD.md
----------------------------------------------------------------------
diff --git a/README-QUICKSTART-SLAPD.md b/README-QUICKSTART-SLAPD.md
index a07a913..de79204 100644
--- a/README-QUICKSTART-SLAPD.md
+++ b/README-QUICKSTART-SLAPD.md
@@ -18,7 +18,7 @@
# OpenLDAP & Fortress QUICKSTART
- Apache Fortress 1.0.1 and OpenLDAP Quickstart System Architecture
+ Apache Fortress 1.0.2-SNAPSHOT and OpenLDAP Quickstart System Architecture
![OpenLDAP & Fortress System Architecture](images/fortress-openldap-accel-system-arch.png "OpenLDAP & Fortress System Architecture")
-------------------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/cb34ef22/README-TEN-MINUTE-GUIDE.md
----------------------------------------------------------------------
diff --git a/README-TEN-MINUTE-GUIDE.md b/README-TEN-MINUTE-GUIDE.md
index 197e63e..a71b24b 100644
--- a/README-TEN-MINUTE-GUIDE.md
+++ b/README-TEN-MINUTE-GUIDE.md
@@ -19,7 +19,7 @@
-------------------------------------------------------------------------------
# README for Apache Fortress Ten Minute Guide
- * Version 1.0.1
+ * Version 1.0.2-SNAPSHOT
* This document has been deprecated in favor of:
* Follow these instructions: [README-QUICKSTART-APACHEDS](./README-QUICKSTART-APACHEDS.md)
* Follow these instructions: [README-QUICKSTART-SLAPD](./README-QUICKSTART-SLAPD.md)
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/cb34ef22/README.md
----------------------------------------------------------------------
diff --git a/README.md b/README.md
index 380b69f..b64a762 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@
-------------------------------------------------------------------------------
# README for Apache Fortress Core
- * Version 1.0.1
+ * Version 1.0.2-SNAPSHOT
* Apache Fortress Core System Architecture Diagram
![Apache Fortress Core System Architecture](images/fortress-core-system-arch.png "Apache Fortress Core System Architecture")
[3/4] directory-fortress-core git commit: Merge branch
'FC-144/assign-roles-for-groups' of
https://github.com/vvakhlyuev-work/directory-fortress-core
Posted by sm...@apache.org.
Merge branch 'FC-144/assign-roles-for-groups' of https://github.com/vvakhlyuev-work/directory-fortress-core
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/5192805c
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/5192805c
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/5192805c
Branch: refs/heads/master
Commit: 5192805c88f4d1216215f340aacd0300937c295c
Parents: 9271edf 252e611
Author: Shawn McKinney <sm...@apache.org>
Authored: Sun Sep 25 17:45:02 2016 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Sun Sep 25 17:45:02 2016 -0500
----------------------------------------------------------------------
.../directory/fortress/core/AccessMgr.java | 77 ++++-
.../directory/fortress/core/GlobalErrIds.java | 7 +
.../directory/fortress/core/GroupMgr.java | 20 ++
.../fortress/core/impl/AccessMgrImpl.java | 80 ++++--
.../fortress/core/impl/AdminMgrImpl.java | 22 +-
.../fortress/core/impl/DSDChecker.java | 21 +-
.../directory/fortress/core/impl/GroupDAO.java | 59 +++-
.../fortress/core/impl/GroupMgrImpl.java | 38 +++
.../directory/fortress/core/impl/GroupP.java | 135 ++++++++-
.../directory/fortress/core/impl/PermDAO.java | 33 ++-
.../directory/fortress/core/impl/SDUtil.java | 66 +++--
.../directory/fortress/core/impl/UserP.java | 12 +-
.../directory/fortress/core/model/Group.java | 34 ++-
.../directory/fortress/core/model/Session.java | 136 ++++++++-
.../directory/fortress/core/model/UserRole.java | 35 ++-
.../fortress/core/rest/AccessMgrRestImpl.java | 29 +-
.../directory/fortress/core/rest/HttpIds.java | 9 +
.../directory/fortress/core/util/VUtil.java | 185 +++++++++---
.../fortress/core/AccessMgrConsole.java | 14 +-
.../fortress/core/impl/FortressJUnitTest.java | 12 +
.../fortress/core/impl/GroupMgrImplTest.java | 279 +++++++++++++++++++
.../fortress/core/impl/GroupTestData.java | 94 +++++++
22 files changed, 1234 insertions(+), 163 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/5192805c/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
----------------------------------------------------------------------