Posted to commits@directory.apache.org by sm...@apache.org on 2018/08/30 23:46:14 UTC
directory-fortress-core git commit: FC-239 - enable admin perm checks
on new apis
Repository: directory-fortress-core
Updated Branches:
refs/heads/master 5b99d7422 -> 246517fae
FC-239 - enable admin perm checks on new apis
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/246517fa
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/246517fa
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/246517fa
Branch: refs/heads/master
Commit: 246517faec971672fd62ceeefaada54910ddd531
Parents: 5b99d74
Author: Shawn McKinney <sm...@apache.org>
Authored: Thu Aug 30 17:03:00 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Thu Aug 30 17:03:00 2018 -0500
----------------------------------------------------------------------
.gitignore | 7 ++--
ldap/setup/DelegatedAdminManagerLoad.xml | 8 ++++
.../fortress/core/impl/AdminMgrImpl.java | 19 +++++----
.../fortress/core/impl/PermTestData.java | 44 ++++++++++++++++++++
4 files changed, 66 insertions(+), 12 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/246517fa/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index f3c5e0f..b146c45 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,10 +14,11 @@ apache-ant-1.9.1
ldap/setup/refreshLDAPData.xml
maven-eclipse.xml
.idea
-*.conf
*.rpm
*.deb
*.properties
-config
b.sh
-b.bat
\ No newline at end of file
+b.bat
+*.conf
+*.zip
+*.sav
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/246517fa/ldap/setup/DelegatedAdminManagerLoad.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/DelegatedAdminManagerLoad.xml b/ldap/setup/DelegatedAdminManagerLoad.xml
index 3f6257d..8967254 100644
--- a/ldap/setup/DelegatedAdminManagerLoad.xml
+++ b/ldap/setup/DelegatedAdminManagerLoad.xml
@@ -97,6 +97,10 @@
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="updateRole" roleNm="fortress-core-super-admin" admin="true"/>
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="assignUser" roleNm="fortress-core-super-admin" admin="true"/>
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="deassignUser" roleNm="fortress-core-super-admin" admin="true"/>
+ <permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addRoleConstraint" roleNm="fortress-core-super-admin" admin="true"/>
+ <permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="removeRoleConstraint" roleNm="fortress-core-super-admin" admin="true"/>
+ <permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="enableRoleConstraint" roleNm="fortress-core-super-admin" admin="true"/>
+ <permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="disableRoleConstraint" roleNm="fortress-core-super-admin" admin="true"/>
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addPermission" roleNm="fortress-core-super-admin" admin="true"/>
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addPermObj" roleNm="fortress-core-super-admin" admin="true"/>
<permgrant objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="deletePermission" roleNm="fortress-core-super-admin" admin="true"/>
@@ -250,6 +254,10 @@
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="updateRole" admin="true"/>
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="assignUser" admin="true"/>
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="deassignUser" admin="true"/>
+ <permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addRoleConstraint" admin="true"/>
+ <permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="removeRoleConstraint" admin="true"/>
+ <permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="enableRoleConstraint" admin="true"/>
+ <permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="disableRoleConstraint" admin="true"/>
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addPermission" admin="true"/>
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="addPermObj" admin="true"/>
<permop objName="org.apache.directory.fortress.core.impl.AdminMgrImpl" opName="deletePermission" admin="true"/>
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/246517fa/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
index 3784a26..4752c77 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminMgrImpl.java
@@ -398,10 +398,11 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
public void enableRoleConstraint( Role role, RoleConstraint roleConstraint )
throws SecurityException
{
- String methodName = ".enableRoleConstraint";
+ String methodName = "enableRoleConstraint";
VUtil.assertNotNull( role, GlobalErrIds.ROLE_NULL, CLS_NM + methodName );
VUtil.assertNotNull( roleConstraint, GlobalErrIds.ROLE_CONSTRAINT_NULL, CLS_NM + methodName );
VUtil.assertNotNull( role.getName(), GlobalErrIds.ROLE_NM_NULL, CLS_NM + methodName );
+ setEntitySession( CLS_NM, methodName, role );
// The name:value pair is bound as fortress property, using prefix 'RC-'.
// It's for convenient and efficient lookup during the runtime checks.
// We will cache as java.util.properties, require case insensitivity, convention is use lower case keys:
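Review bot: Dropping the leading dot from methodName on the `+` line also changes the context string handed to the three VUtil.assertNotNull calls: `CLS_NM + methodName` now fuses class and method name (e.g. `...AdminMgrImplenableRoleConstraint`) unless CLS_NM happens to end with a separator. The bare name is presumably required because setEntitySession uses methodName as the permission opName that must match `opName="enableRoleConstraint"` in DelegatedAdminManagerLoad.xml, so keep the rename and restore the separator in the error context instead: `VUtil.assertNotNull( role, GlobalErrIds.ROLE_NULL, CLS_NM + "." + methodName );` and likewise for the other two asserts. disableRoleConstraint in the next hunk has the identical issue. enableRoleConstraint's body continues past the end of this hunk.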
@@ -427,10 +428,11 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
public void disableRoleConstraint( Role role, RoleConstraint roleConstraint )
throws SecurityException
{
- String methodName = ".disableRoleConstraint";
+ String methodName = "disableRoleConstraint";
VUtil.assertNotNull( role, GlobalErrIds.ROLE_NULL, CLS_NM + methodName );
VUtil.assertNotNull( roleConstraint, GlobalErrIds.ROLE_CONSTRAINT_NULL, CLS_NM + methodName );
VUtil.assertNotNull( role.getName(), GlobalErrIds.ROLE_NM_NULL, CLS_NM + methodName );
+ setEntitySession( CLS_NM, methodName, role );
// We want case insensitive on java.util.propp, convention is use lower case key:
String propKey = GlobalIds.CONSTRAINT_KEY_PREFIX + role.getName().toLowerCase();
String propValue = roleConstraint.getKey();
@@ -452,8 +454,9 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
public RoleConstraint addRoleConstraint( UserRole uRole, RoleConstraint roleConstraint )
throws SecurityException
{
- String methodName = "assignUser";
+ String methodName = "addRoleConstraint";
assertContext( CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL );
+ setEntitySession( CLS_NM, methodName, uRole );
// Validate the user-role assignment exists:
List<String> assignedRoles = userP.getAssignedRoles( new User( uRole.getUserId() ) );
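Review bot: roleConstraint is accepted by addRoleConstraint but none of the visible lines validates it before the body (which continues past this hunk) uses it, whereas enableRoleConstraint above guards its constraint argument with GlobalErrIds.ROLE_CONSTRAINT_NULL. Unless a later check exists, add `VUtil.assertNotNull( roleConstraint, GlobalErrIds.ROLE_CONSTRAINT_NULL, CLS_NM + methodName );` directly after the assertContext line; removeRoleConstraint in the following hunk has the same gap, and there the unchecked value visibly reaches userP.deassign. Replacing the copy-pasted "assignUser" with the real method name is otherwise the right fix, since the admin permission check presumably resolves by that opName.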
@@ -479,13 +482,10 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
public void removeRoleConstraint( UserRole uRole, RoleConstraint roleConstraint )
throws SecurityException
{
- String methodName = "assignUser";
+ String methodName = "removeRoleConstraint";
assertContext( CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL );
- AdminUtil.canDeassign( uRole.getAdminSession(), new User( uRole.getUserId() ), new Role( uRole.getName() ), contextId );
-
- // todo assert roleconstraint here
-
- userP.deassign( uRole, roleConstraint );
+ setEntitySession( CLS_NM, methodName, uRole );
+ userP.deassign( uRole, roleConstraint );
}
/**
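Review bot: The rewrite deletes `AdminUtil.canDeassign( uRole.getAdminSession(), new User( uRole.getUserId() ), new Role( uRole.getName() ), contextId );` without a replacement, so removeRoleConstraint no longer applies the delegated-admin user/role range check that deassignUser in the next hunk keeps alongside its own setEntitySession call. If setEntitySession enforces only the operation-level permission, this narrows authorization coverage on a method that still mutates the user-role assignment through userP.deassign. Either restore the canDeassign line after `setEntitySession( CLS_NM, methodName, uRole );`, or state in the method's Javadoc why removing a constraint is exempt from ARBAC range checking while deassigning the role is not. The `// todo assert roleconstraint here` marker is removed rather than resolved, so that intent is now lost from the code.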
@@ -498,6 +498,7 @@ public final class AdminMgrImpl extends Manageable implements AdminMgr, Serializ
{
String methodName = "deassignUser";
assertContext( CLS_NM, methodName, uRole, GlobalErrIds.URLE_NULL );
+ setEntitySession( CLS_NM, methodName, uRole );
AdminUtil.canDeassign( uRole.getAdminSession(), new User( uRole.getUserId() ), new Role( uRole.getName() ), contextId );
//find role constraint that needs removed
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/246517fa/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java b/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
index f5007cd..e489987 100755
--- a/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
+++ b/src/test/java/org/apache/directory/fortress/core/impl/PermTestData.java
@@ -1156,6 +1156,50 @@ public class PermTestData extends TestCase
"T" /* IS_ADMIN_COL */
},
{
+ "enableRoleConstraint", /* NAME_COL */
+ "Assign Admin Role",/* DESC_COL */
+ "", /* OBJ_ID_COL */
+ "ADMIN", /* TYPE_COL */
+ "", /* PROPS_COL */
+ "", /* ROLES_COL */
+ "", /* USERS_COL */
+ "", /* GROUPS_COL */
+ "T" /* IS_ADMIN_COL */
+},
+ {
+ "disableRoleConstraint", /* NAME_COL */
+ "Deassign Admin Role",/* DESC_COL */
+ "", /* OBJ_ID_COL */
+ "ADMIN", /* TYPE_COL */
+ "", /* PROPS_COL */
+ "", /* ROLES_COL */
+ "", /* USERS_COL */
+ "", /* GROUPS_COL */
+ "T" /* IS_ADMIN_COL */
+},
+ {
+ "addRoleConstraint", /* NAME_COL */
+ "Assign Admin Role",/* DESC_COL */
+ "", /* OBJ_ID_COL */
+ "ADMIN", /* TYPE_COL */
+ "", /* PROPS_COL */
+ "", /* ROLES_COL */
+ "", /* USERS_COL */
+ "", /* GROUPS_COL */
+ "T" /* IS_ADMIN_COL */
+},
+ {
+ "removeRoleConstraint", /* NAME_COL */
+ "Deassign Admin Role",/* DESC_COL */
+ "", /* OBJ_ID_COL */
+ "ADMIN", /* TYPE_COL */
+ "", /* PROPS_COL */
+ "", /* ROLES_COL */
+ "", /* USERS_COL */
+ "", /* GROUPS_COL */
+ "T" /* IS_ADMIN_COL */
+},
+ {
"addOrgUnit", /* NAME_COL */
"Add Org Unit", /* DESC_COL */
"", /* OBJ_ID_COL */
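Review bot: The DESC_COL values on the four new rows are carried over from the assignUser/deassignUser entries — `"Assign Admin Role"` for enableRoleConstraint and addRoleConstraint, `"Deassign Admin Role"` for disableRoleConstraint and removeRoleConstraint — so the descriptions loaded for these admin permissions do not describe the operation they guard. Use `"Enable Role Constraint"`, `"Disable Role Constraint"`, `"Add Role Constraint"` and `"Remove Role Constraint"` respectively. Listing the rows in the same order as the XML grants (add, remove, enable, disable) would also make the two files easier to cross-check.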