Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:48 UTC
[29/51] [partial] Rename packages from org.openldap.fortress to
org.apache.directory.fortress.core. Change default suffix to org.apache.
Switch default ldap api from unbound to apache ldap.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
new file mode 100755
index 0000000..fd4a8ee
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
@@ -0,0 +1,150 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO;
+
+
+/**
+ * This class is process layer for Fortress audit data. It performs data validation
+ * and data mapping functions.
+ * Process module for the for Fortress audit data. It performs data validation and data mapping functions.
+ * The audit data is passed using {@link org.apache.directory.fortress.core.rbac.AuthZ} class. This class does perform simple data validations to ensure data reasonability and
+ * the required fields are present..<BR>
+ * The methods in this class are called by {@link AuditMgrImpl} methods during audit log interrogations.
+ * <p/>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exception {@link org.apache.directory.fortress.core.FinderException},
+ * or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link org.apache.directory.fortress.core.GlobalErrIds}.
+ * <p/>
+ * This class performs simple data validations.
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+public final class AuditP
+{
+ private static final AuditDAO aDao = new AuditDAO();
+
+
+ /**
+ * Package private constructor
+ */
+ AuditP()
+ {
+ }
+
+
+ /**
+ * This method returns a list of authorization events for a particular user {@link UserAudit#userId}
+ * and given timestamp field {@link UserAudit#beginDate}.<BR>
+ * Method also can discriminate between all events or failed only by setting {@link UserAudit#failedOnly}.
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<AuthZ> getAuthZs( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.getAllAuthZs( uAudit );
+ }
+
+
+ /**
+ * This method returns a list of authorization events for a particular user {@link UserAudit#userId},
+ * object {@link UserAudit#objName}, and given timestamp field {@link UserAudit#beginDate}.<BR>
+ * Method also can discriminate between all events or failed only by setting flag {@link UserAudit#failedOnly}..
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<AuthZ> searchAuthZs( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.searchAuthZs( uAudit );
+ }
+
+
+ /**
+ * This method returns a list of authentication audit events for a particular user {@link UserAudit#userId},
+ * and given timestamp field {@link UserAudit#beginDate}.<BR>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type Bind. Each Bind object contains one bind event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<Bind> searchBinds( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.searchBinds( uAudit );
+ }
+
+
+ /**
+ * This method returns a list of sessions created for a given user {@link UserAudit#userId},
+ * and timestamp {@link UserAudit#beginDate}.<BR>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<Mod> searchUserMods( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.searchUserMods( uAudit );
+ }
+
+
+ /**
+ * This method returns a list of admin operations events for a particular entity {@link UserAudit#dn},
+ * object {@link UserAudit#objName} and timestamp {@link UserAudit#beginDate}. If the internal
+ * userId {@link UserAudit#internalUserId} is set it will limit search by that field.
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<Mod> searchAdminMods( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.searchAdminMods( uAudit );
+ }
+
+
+ /**
+ * This method returns a list of failed authentication events for a particular invalid user {@link UserAudit#userId},
+ * and given timestamp {@link UserAudit#beginDate}. If the {@link UserAudit#failedOnly} is true it will
+ * return only authentication attempts made with invalid userId.
+ * </p>
+ * This is possible because Fortress performs read on user before the bind.
+ * </p>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one failed authentication event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ final List<AuthZ> searchInvalidAuthNs( UserAudit uAudit ) throws SecurityException
+ {
+ return aDao.searchInvalidAuthNs( uAudit );
+ }
+}
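Review bot: The Javadoc on searchUserMods and searchAdminMods documents the return as "a List of objects of type AuthZ" while both methods return `List<Mod>`; the `@return` lines should read `@return a List of objects of type Mod. Each Mod object contains one modification event.` The class comment states that this layer "performs data validation", yet every method here delegates straight to the DAO without inspecting the UserAudit argument, so either the validation claim should be dropped or the sentences in the class Javadoc should be reduced to the one that matches the code (the first two sentences and the later "This class performs simple data validations" repeat each other). Given the commit's stated switch of the default LDAP API away from unboundid, the import of `org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO` looks like it may belong to a later part of this partial change; worth confirming it is intentional. Since the class is already `final`, the `final` modifier on each method is redundant.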
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
new file mode 100755
index 0000000..b4ffe16
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
@@ -0,0 +1,769 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import java.io.Serializable;
+
+/**
+ * This entity class contains OpenLDAP slapo-accesslog records that correspond to authorization attempts made to the directory.
+ * <p/>
+ * The auditCompare Structural object class is used by the slapo-accesslog overlay to store record of fortress authorization events.
+ * These events can later be pulled as audit trail using ldap protocol. The data pertaining to authZ events are stored in this entity record.<br/>
+ * <p/>
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 1.3.6.1.4.1.4203.666.11.5.2.7
+ * NAME 'auditCompare'
+ * DESC 'Compare operation'
+ * SUP auditObject STRUCTURAL
+ * MUST reqAssertion )
+ * ------------------------------------------
+ * </pre>
+ * For the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request
+ * <p/>
+ * Note this class uses descriptions pulled from man pages on slapo-accesslog.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortAuthZ")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "authZ", propOrder = {
+ "createTimestamp",
+ "creatorsName",
+ "entryCSN",
+ "entryDN",
+ "entryUUID",
+ "hasSubordinates",
+ "modifiersName",
+ "modifyTimestamp",
+ "objectClass",
+ "reqAttr",
+ "reqAttrsOnly",
+ "reqAuthzID",
+ "reqControls",
+ "reqDN",
+ "reqDerefAliases",
+ "reqEnd",
+ "reqEntries",
+ "reqFilter",
+ "reqResult",
+ "reqScope",
+ "reqSession",
+ "reqSizeLimit",
+ "reqStart",
+ "reqTimeLimit",
+ "reqType",
+ "reqAssertion",
+ "structuralObjectClass",
+ "subschemaSubentry",
+ "sequenceId"
+})
+public class AuthZ extends FortEntity implements Serializable
+{
+ private String createTimestamp;
+ private String creatorsName;
+ private String entryCSN;
+ private String entryDN;
+ private String entryUUID;
+ private String hasSubordinates;
+ private String modifiersName;
+ private String modifyTimestamp;
+ private String objectClass;
+ private String reqAttr;
+ private String reqAttrsOnly;
+ private String reqAuthzID;
+ private String reqControls;
+ private String reqDN;
+ private String reqDerefAliases;
+ private String reqEnd;
+ private String reqEntries;
+ private String reqFilter;
+ private String reqResult;
+ private String reqScope;
+ private String reqSession;
+ private String reqSizeLimit;
+ private String reqStart;
+ private String reqTimeLimit;
+ private String reqType;
+ private String reqAssertion;
+ private String structuralObjectClass;
+ private String subschemaSubentry;
+ private long sequenceId;
+
+ /**
+ * Get the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+ * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @return attribute that maps to 'reqStart' in 'auditSearch' object class.
+ */
+ public String getCreateTimestamp()
+ {
+ return createTimestamp;
+ }
+
+ /**
+ * Set the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+ * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @param createTimestamp attribute that maps to 'reqStart' in 'auditSearch' object class.
+ */
+ public void setCreateTimestamp(String createTimestamp)
+ {
+ this.createTimestamp = createTimestamp;
+ }
+
+ /**
+ * Return the user dn containing the identity of log user who added the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @return value that maps to 'creatorsName' attribute on 'auditSearch' object class.
+ */
+ public String getCreatorsName()
+ {
+ return creatorsName;
+ }
+
+ /**
+ * Set the user dn containing the identity of log user who added the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @param creatorsName maps to 'creatorsName' attribute on 'auditSearch' object class.
+ */
+ public void setCreatorsName(String creatorsName)
+ {
+ this.creatorsName = creatorsName;
+ }
+
+ /**
+ * Return the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+ *
+ * @return attribute that maps to 'entryCSN' on 'auditSearch' object class.
+ */
+ public String getEntryCSN()
+ {
+ return entryCSN;
+ }
+
+ /**
+ * Set the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+ *
+ * @param entryCSN maps to 'entryCSN' attribute on 'auditSearch' object class.
+ */
+ public void setEntryCSN(String entryCSN)
+ {
+ this.entryCSN = entryCSN;
+ }
+
+ /**
+ * Get the entry dn for bind object stored in directory. This attribute uses the 'reqStart' along with suffix for log.
+ *
+ * @return attribute that maps to 'entryDN' on 'auditSearch' object class.
+ */
+ public String getEntryDN()
+ {
+ return entryDN;
+ }
+
+ /**
+ * Set the entry dn for bind object stored in directory. This attribute uses the 'reqStart' along with suffix for log.
+ *
+ * @param entryDN attribute that maps to 'entryDN' on 'auditSearch' object class.
+ */
+ public void setEntryDN(String entryDN)
+ {
+ this.entryDN = entryDN;
+ }
+
+ /**
+ * Get the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditSearch' record.
+ *
+ * @return value that maps to 'entryUUID' attribute on 'auditSearch' object class.
+ */
+ public String getEntryUUID()
+ {
+ return entryUUID;
+ }
+
+ /**
+ * Set the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditSearch' record.
+ *
+ * @param entryUUID that maps to 'entryUUID' attribute on 'auditSearch' object class.
+ */
+ public void setEntryUUID(String entryUUID)
+ {
+ this.entryUUID = entryUUID;
+ }
+
+ /**
+ * Get the attribute that corresponds to the boolean value hasSubordinates.
+ *
+ * @return value that maps to 'hasSubordinates' attribute on 'auditSearch' object class.
+ */
+ public String getHasSubordinates()
+ {
+ return hasSubordinates;
+ }
+
+ /**
+ * Set the attribute that corresponds to the boolean value hasSubordinates.
+ *
+ * @param hasSubordinates maps to same name on 'auditSearch' object class.
+ */
+ public void setHasSubordinates(String hasSubordinates)
+ {
+ this.hasSubordinates = hasSubordinates;
+ }
+
+ /**
+ * Return the user dn containing the identity of log user who last modified the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @return value that maps to 'modifiersName' attribute on 'auditSearch' object class.
+ */
+ public String getModifiersName()
+ {
+ return modifiersName;
+ }
+
+ /**
+ * Set the user dn containing the identity of log user who modified the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @param modifiersName maps to 'modifiersName' attribute on 'auditSearch' object class.
+ */
+ public void setModifiersName(String modifiersName)
+ {
+ this.modifiersName = modifiersName;
+ }
+
+ /**
+ * Get the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+ * The time attributes use generalizedTime syntax.
+ *
+ * @return attribute that maps to 'modifyTimestamp' in 'auditSearch' object class.
+ */
+ public String getModifyTimestamp()
+ {
+ return modifyTimestamp;
+ }
+
+ /**
+ * Set the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+ * The time attributes use generalizedTime syntax.
+ *
+ * @param modifyTimestamp attribute that maps to same name in 'auditSearch' object class.
+ */
+ public void setModifyTimestamp(String modifyTimestamp)
+ {
+ this.modifyTimestamp = modifyTimestamp;
+ }
+
+ /**
+ * Get the object class name of the audit record. For this entity, this value will always be 'auditSearch'.
+ *
+ * @return value that maps to 'objectClass' attribute on 'auditSearch' obejct class.
+ */
+ public String getObjectClass()
+ {
+ return objectClass;
+ }
+
+ /**
+ * Set the object class name of the audit record. For this entity, this value will always be 'auditSearch'.
+ *
+ * @param objectClass value that maps to same name on 'auditSearch' obejct class.
+ */
+ public void setObjectClass(String objectClass)
+ {
+ this.objectClass = objectClass;
+ }
+
+ /**
+ * The reqAuthzID attribute is the distinguishedName of the user that
+ * performed the operation. This will usually be the same name as was
+ * established at the start of a session by a Bind request (if any) but
+ * may be altered in various circumstances.
+ * For Fortress bind operations this will map to {@link org.apache.directory.fortress.core.rbac.User#userId}
+ *
+ * @return value that maps to 'reqAuthzID' on 'auditSearch' object class.
+ */
+ public String getReqAuthzID()
+ {
+ return reqAuthzID;
+ }
+
+ /**
+ * The reqAuthzID attribute is the distinguishedName of the user that
+ * performed the operation. This will usually be the same name as was
+ * established at the start of a session by a Bind request (if any) but
+ * may be altered in various circumstances.
+ * For Fortress bind operations this will map to {@link org.apache.directory.fortress.core.rbac.User#userId}
+ *
+ */
+ public void setReqAuthzID(String reqAuthzID)
+ {
+ this.reqAuthzID = reqAuthzID;
+ }
+
+ /**
+ * The reqControls and reqRespControls attributes carry any controls sent
+ * by the client on the request and returned by the server in the
+ * response, respectively. The attribute values are just uninterpreted
+ * octet strings.
+ *
+ * @return value that maps to 'reqControls' attribute on 'auditSearch' object class.
+ */
+ public String getReqControls()
+ {
+ return reqControls;
+ }
+
+ /**
+ * The reqControls and reqRespControls attributes carry any controls sent
+ * by the client on the request and returned by the server in the
+ * response, respectively. The attribute values are just uninterpreted
+ * octet strings.
+ *
+ * @param reqControls maps to same name attribute on 'auditSearch' object class.
+ */
+ public void setReqControls(String reqControls)
+ {
+ this.reqControls = reqControls;
+ }
+
+ /**
+ * The reqDN attribute is the distinguishedName of the target of the
+ * operation. E.g., for a Bind request, this is the Bind DN. For an Add
+ * request, this is the DN of the entry being added. For a Search request,
+ * this is the base DN of the search.
+ *
+ * @return value that map to 'reqDN' attribute on 'auditSearch' object class.
+ */
+ public String getReqDN()
+ {
+ return reqDN;
+ }
+
+ /**
+ * The reqDN attribute is the distinguishedName of the target of the
+ * operation. E.g., for a Bind request, this is the Bind DN. For an Add
+ * request, this is the DN of the entry being added. For a Search request,
+ * this is the base DN of the search.
+ *
+ * @param reqDN maps to 'reqDN' attribute on 'auditSearch' object class.
+ */
+ public void setReqDN(String reqDN)
+ {
+ this.reqDN = reqDN;
+ }
+
+ /**
+ * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+ *
+ * @return value that maps to 'reqEnd' attribute on 'auditSearch' object class.
+ */
+ public String getReqEnd()
+ {
+ return reqEnd;
+ }
+
+ /**
+ * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+ *
+ * @param reqEnd value that maps to same name on 'auditSearch' object class.
+ */
+ public void setReqEnd(String reqEnd)
+ {
+ this.reqEnd = reqEnd;
+ }
+
+ /**
+ * The reqResult attribute is the numeric LDAP result code of the
+ * operation, indicating either success or a particular LDAP error code.
+ * An error code may be accompanied by a text error message which will be
+ * recorded in the reqMessage attribute.
+ *
+ * @return value that maps to 'reqResult' attribute on 'auditSearch' object class.
+ */
+ public String getReqResult()
+ {
+ return reqResult;
+ }
+
+ /**
+ * The reqResult attribute is the numeric LDAP result code of the
+ * operation, indicating either success or a particular LDAP error code.
+ * An error code may be accompanied by a text error message which will be
+ * recorded in the reqMessage attribute.
+ *
+ * @param reqResult maps to same name on 'auditSearch' object class.
+ */
+ public void setReqResult(String reqResult)
+ {
+ this.reqResult = reqResult;
+ }
+
+ /**
+ * The reqSession attribute is an implementation-specific identifier that
+ * is common to all the operations associated with the same LDAP session.
+ * Currently this is slapd's internal connection ID, stored in decimal.
+ *
+ * @return value that maps to 'reqSession' attribute on 'auditSearch' object class.
+ */
+ public String getReqSession()
+ {
+ return reqSession;
+ }
+
+ /**
+ * The reqSession attribute is an implementation-specific identifier that
+ * is common to all the operations associated with the same LDAP session.
+ * Currently this is slapd's internal connection ID, stored in decimal.
+ *
+ * @param reqSession maps to same name on 'auditSearch' object class.
+ */
+ public void setReqSession(String reqSession)
+ {
+ this.reqSession = reqSession;
+ }
+
+ /**
+ * reqStart provide the start of the operation, They use generalizedTime syntax.
+ * The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @return value that maps to 'reqStart' attribute on 'auditSearch' object class.
+ */
+ public String getReqStart()
+ {
+ return reqStart;
+ }
+
+ /**
+ * reqStart provide the start of the operation, They use generalizedTime syntax.
+ * The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @param reqStart maps to same name on 'auditSearch' object class.
+ */
+ public void setReqStart(String reqStart)
+ {
+ this.reqStart = reqStart;
+ }
+
+ /**
+ * The reqType attribute is a simple string containing the type of
+ * operation being logged, e.g. add, delete, search, etc. For extended
+ * operations, the type also includes the OID of the extended operation,
+ * e.g. extended(1.1.1.1)
+ *
+ * @return value that maps to 'reqType' attribute on 'auditSearch' object class.
+ */
+ public String getReqType()
+ {
+ return reqType;
+ }
+
+ /**
+ * The reqType attribute is a simple string containing the type of
+ * operation being logged, e.g. add, delete, search, etc. For extended
+ * operations, the type also includes the OID of the extended operation,
+ * e.g. extended(1.1.1.1)
+ *
+ * @param reqType maps to same name on 'auditSearch' object class.
+ */
+ public void setReqType(String reqType)
+ {
+ this.reqType = reqType;
+ }
+
+ /**
+ * Get the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+ *
+ * @return value that maps to 'reqAssertion' attribute on 'auditCompare' object class.
+ */
+ public String getReqAssertion()
+ {
+ return reqAssertion;
+ }
+
+ /**
+ * Set the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+ *
+ * @param reqAssertion value maps to 'reqAssertion' attribute contained in the 'auditCompare' object class.
+ */
+ public void setReqAssertion( String reqAssertion )
+ {
+ this.reqAssertion = reqAssertion;
+ }
+
+ /**
+ * Returns the name of the structural object class that is used to log the event. For this entity
+ * this value will always be 'auditSearch'.
+ *
+ * @return value that maps to 'structuralObjectClass' attribute that contains the name 'auditSearch'.
+ */
+ public String getStructuralObjectClass()
+ {
+ return structuralObjectClass;
+ }
+
+ /**
+ * Returns the name of the structural object class that is used to log the event. For this entity
+ * this value will always be 'auditSearch'.
+ *
+ * @param structuralObjectClass maps to same name on 'auditSearch' object class.
+ */
+ public void setStructuralObjectClass(String structuralObjectClass)
+ {
+ this.structuralObjectClass = structuralObjectClass;
+ }
+
+ /**
+ * The reqEntries attribute is the integer count of how many entries were returned by this search request.
+ *
+ * @return value that maps to 'reqEntries' attribute on 'auditSearch' object class
+ */
+ public String getReqEntries()
+ {
+ return reqEntries;
+ }
+
+ /**
+ * The reqEntries attribute is the integer count of how many entries were returned by this search request.
+ *
+ * @param reqEntries maps to same name on 'auditSearch' object class
+ */
+ public void setReqEntries(String reqEntries)
+ {
+ this.reqEntries = reqEntries;
+ }
+
+ /**
+ * The reqAttr attribute lists the requested attributes if specific attributes were requested.
+ *
+ * @return value maps to 'reqAttr' on 'auditSearch' object class.
+ */
+ public String getReqAttr()
+ {
+ return reqAttr;
+ }
+
+ /**
+ * The reqAttr attribute lists the requested attributes if specific attributes were requested.
+ *
+ * @param reqAttr maps to same name on 'auditSearch' object class.
+ */
+ public void setReqAttr(String reqAttr)
+ {
+ this.reqAttr = reqAttr;
+ }
+
+ /**
+ * The reqAttrsOnly attribute is a Boolean value showing TRUE if only attribute names
+ * were requested, or FALSE if attributes and their values were requested.
+ * For Fortress authorization requests this value will always be TRUE.
+ *
+ * @return value maps to 'reqAttrsOnly' on 'auditSearch' object class.
+ */
+ public String getReqAttrsOnly()
+ {
+ return reqAttrsOnly;
+ }
+
+ /**
+ * The reqAttrsOnly attribute is a Boolean value showing TRUE if only attribute names
+ * were requested, or FALSE if attributes and their values were requested.
+ * For Fortress authorization requests this value will always be TRUE.
+ *
+ * @param reqAttrsOnly maps to same name on 'auditSearch' object class.
+ */
+ public void setReqAttrsOnly(String reqAttrsOnly)
+ {
+ this.reqAttrsOnly = reqAttrsOnly;
+ }
+
+ /**
+ * The reqFilter attribute carries the filter used in the search request.
+ * <p/>
+ * For Fortress authorization events this will contain the following:
+ * <ul>
+ * <li>userId: {@link org.apache.directory.fortress.core.rbac.User#userId}
+ * <li>activated roles: {@link UserRole#name}
+ * <li>object name: {@link Permission#objName}
+ * <li>operation name: {@link Permission#opName}
+ * </ul>
+ *
+ * @return value that maps to 'reqFilter' attribute on 'auditSearch' object class.
+ */
+ public String getReqFilter()
+ {
+ return reqFilter;
+ }
+
+ /**
+ * The reqFilter attribute carries the filter used in the search request.
+ * <p/>
+ * For Fortress authorization events this will contain the following:
+ * <ul>
+ * <li>userId: {@link org.apache.directory.fortress.core.rbac.User#userId}
+ * <li>activated roles: {@link UserRole#name}
+ * <li>object name: {@link Permission#objName}
+ * <li>operation name: {@link Permission#opName}
+ * </ul>
+ *
+ * @param reqFilter maps to same name on 'auditSearch' object class.
+ */
+ public void setReqFilter(String reqFilter)
+ {
+ this.reqFilter = reqFilter;
+ }
+
+ /**
+ * The reqScope attribute contains the scope of the original search request, using
+ * the values specified for the LDAP URL format. I.e. base, one, sub, or subord.
+ *
+ * @return value that maps to 'reqScope' attribute on 'auditSearch' object class.
+ */
+ public String getReqScope()
+ {
+ return reqScope;
+ }
+
+ /**
+ * The reqScope attribute contains the scope of the original search request, using
+ * the values specified for the LDAP URL format. I.e. base, one, sub, or subord.
+ *
+ * @param reqScope maps to same name on 'auditSearch' object class.
+ */
+ public void setReqScope(String reqScope)
+ {
+ this.reqScope = reqScope;
+ }
+
+ /**
+ * The reqSizeLimit attribute indicate what limits were requested on the search operation.
+ *
+ * @return value that maps to 'reqSizeLimit' attribute on 'auditSearch' object class.
+ */
+ public String getReqSizeLimit()
+ {
+ return reqSizeLimit;
+ }
+
+ /**
+ * The reqSizeLimit attribute indicate what limits were requested on the search operation.
+ *
+ * @param reqSizeLimit maps to same name on 'auditSearch' object class.
+ */
+ public void setReqSizeLimit(String reqSizeLimit)
+ {
+ this.reqSizeLimit = reqSizeLimit;
+ }
+
+ /**
+ * The reqTimeLimit attribute indicate what limits were requested on the search operation.
+ *
+ * @return value that maps to 'reqTimeLimit' attribute on 'auditSearch' object class.
+ */
+ public String getReqTimeLimit()
+ {
+ return reqTimeLimit;
+ }
+
+ /**
+ * The reqTimeLimit attribute indicate what limits were requested on the search operation.
+ *
+ * @param reqTimeLimit maps to same name on 'auditSearch' object class.
+ */
+ public void setReqTimeLimit(String reqTimeLimit)
+ {
+ this.reqTimeLimit = reqTimeLimit;
+ }
+
+ /**
+ * Return the subschemaSubentry attribute from the audit entry.
+ *
+ * @return value that maps to 'subschemaSubentry' on 'auditSearch' object class.
+ */
+ public String getSubschemaSubentry()
+ {
+ return subschemaSubentry;
+ }
+
+ /**
+ * Set the subschemaSubentry attribute from the audit entry.
+ *
+ * @param subschemaSubentry maps to same name on 'auditSearch' object class.
+ */
+ public void setSubschemaSubentry(String subschemaSubentry)
+ {
+ this.subschemaSubentry = subschemaSubentry;
+ }
+
+ /**
+ * The reqDerefAliases attribute is on of never, finding, searching, or always, denoting how aliases
+ * will be processed during the search.
+ *
+ * @return value that maps to 'reqDerefAliases' on 'auditSearch' object class.
+ */
+ public String getReqDerefAliases()
+ {
+ return reqDerefAliases;
+ }
+
+ /**
+ * The reqDerefAliases attribute is on of never, finding, searching, or always, denoting how aliases
+ * will be processed during the search.
+ *
+ * @param reqDerefAliases maps to same name on 'auditSearch' object class.
+ */
+ public void setReqDerefAliases(String reqDerefAliases)
+ {
+ this.reqDerefAliases = reqDerefAliases;
+ }
+
+ /**
+ * Sequence id is used internal to Fortress.
+ * @return long value contains sequence id.
+ */
+ public long getSequenceId()
+ {
+ return sequenceId;
+ }
+
+ /**
+ * Sequence id is used internal to Fortress
+ * @param sequenceId contains sequence to use.
+ */
+ public void setSequenceId(long sequenceId)
+ {
+ this.sequenceId = sequenceId;
+ }
+}
+
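Review bot: The class header describes records of the auditCompare object class, but the Javadoc on getObjectClass, setObjectClass, getStructuralObjectClass and setStructuralObjectClass states the value "will always be 'auditSearch'", and most accessor comments refer to the 'auditSearch' object class; these should say which object class this entity actually maps to, or be hedged to "the audit object class for this record". setReqAuthzID has no `@param reqAuthzID` tag, unlike every other setter; add `@param reqAuthzID maps to 'reqAuthzID' attribute on the audit object class.` The class implements Serializable but declares no `serialVersionUID`, so any field change will silently break compatibility of serialized audit entries; a `private static final long serialVersionUID = 1L;` would pin it. The reqFilter Javadoc notes that userId, activated roles, object and operation names are carried in the filter, which is useful for readers of audit data and could be mentioned once in the class header as well.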
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java b/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
new file mode 100755
index 0000000..34edddc
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
@@ -0,0 +1,579 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import java.io.Serializable;
+
+/**
+ * This entity class contains OpenLDAP slapd access log records that correspond to bind attempts made to the directory.
+ * <p/>
+ * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
+ * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
+ * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
+ * <code># which contains the Bind Method used in the Bind. This will be the string</code>
+ * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
+ * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
+ * <code># the current database will be logged:</code>
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
+ * DESC 'Bind operation'</code>
+ * SUP auditObject STRUCTURAL</code>
+ * MUST ( reqVersion $ reqMethod ) )</code>
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * Note this class used descriptions pulled from man pages on slapd access log.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortBind")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "bind", propOrder = {
+ "createTimestamp",
+ "creatorsName",
+ "entryCSN",
+ "entryDN",
+ "entryUUID",
+ "hasSubordinates",
+ "modifiersName",
+ "modifyTimestamp",
+ "objectClass",
+ "reqAuthzID",
+ "reqControls",
+ "reqDN",
+ "reqEnd",
+ "reqMethod",
+ "reqResult",
+ "reqSession",
+ "reqStart",
+ "reqType",
+ "reqVersion",
+ "structuralObjectClass",
+ "sequenceId"
+})
+public class Bind extends FortEntity implements Serializable
+{
+ private String createTimestamp;
+ private String creatorsName;
+ private String entryCSN;
+ private String entryDN;
+ private String entryUUID;
+ private String hasSubordinates;
+ private String modifiersName;
+ private String modifyTimestamp;
+ private String objectClass;
+ private String reqAuthzID;
+ private String reqControls;
+ private String reqDN;
+ private String reqEnd;
+ private String reqMethod;
+ private String reqResult;
+ private String reqSession;
+ private String reqStart;
+ private String reqType;
+ private String reqVersion;
+ private String structuralObjectClass;
+ private long sequenceId;
+
+ /**
+ * Get the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+ * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @return attribute that maps to 'reqStart' in 'auditBind' object class.
+ */
+ public String getCreateTimestamp()
+ {
+ return createTimestamp;
+ }
+
+ /**
+ * Set the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+ * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @param createTimestamp attribute that maps to 'reqStart' in 'auditBind' object class.
+ */
+ public void setCreateTimestamp(String createTimestamp)
+ {
+ this.createTimestamp = createTimestamp;
+ }
+
+ /**
+ * Return the user dn containing the identity of log user who added the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @return value that maps to 'creatorsName' attribute on 'auditBind' object class.
+ */
+ public String getCreatorsName()
+ {
+ return creatorsName;
+ }
+
+ /**
+ * Set the user dn containing the identity of log user who added the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @param creatorsName maps to 'creatorsName' attribute on 'auditBind' object class.
+ */
+ public void setCreatorsName(String creatorsName)
+ {
+ this.creatorsName = creatorsName;
+ }
+
+ /**
+ * Return the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+ *
+ * @return attribute that maps to 'entryCSN' on 'auditBind' object class.
+ */
+ public String getEntryCSN()
+ {
+ return entryCSN;
+ }
+
+ /**
+ * Set the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+ *
+ * @param entryCSN maps to 'entryCSN' attribute on 'auditBind' object class.
+ */
+ public void setEntryCSN(String entryCSN)
+ {
+ this.entryCSN = entryCSN;
+ }
+
+ /**
+ * Get the entry dn for bind object stored in directory. This attribute uses the 'reqStart' along with suffix for log.
+ *
+ * @return attribute that maps to 'entryDN' on 'auditBind' object class.
+ */
+ public String getEntryDN()
+ {
+ return entryDN;
+ }
+
+ /**
+ * Set the entry dn for bind object stored in directory. This attribute uses the 'reqStart' along with suffix for log.
+ *
+ * @param entryDN attribute that maps to 'entryDN' on 'auditBind' object class.
+ */
+ public void setEntryDN(String entryDN)
+ {
+ this.entryDN = entryDN;
+ }
+
+ /**
+ * Get the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditBind' record.
+ *
+ * @return value that maps to 'entryUUID' attribute on 'auditBind' object class.
+ */
+ public String getEntryUUID()
+ {
+ return entryUUID;
+ }
+
+ /**
+ * Set the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditBind' record.
+ *
+ * @param entryUUID that maps to 'entryUUID' attribute on 'auditBind' object class.
+ */
+ public void setEntryUUID(String entryUUID)
+ {
+ this.entryUUID = entryUUID;
+ }
+
+ /**
+ * Get the attribute that corresponds to the boolean value hasSubordinates.
+ *
+ * @return value that maps to 'hasSubordinates' attribute on 'auditBind' object class.
+ */
+ public String getHasSubordinates()
+ {
+ return hasSubordinates;
+ }
+
+ /**
+ * Set the attribute that corresponds to the boolean value hasSubordinates.
+ *
+ * @param hasSubordinates maps to same name on 'auditBind' object class.
+ */
+ public void setHasSubordinates(String hasSubordinates)
+ {
+ this.hasSubordinates = hasSubordinates;
+ }
+
+ /**
+ * Return the user dn containing the identity of log user who last modified the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @return value that maps to 'modifiersName' attribute on 'auditBind' object class.
+ */
+ public String getModifiersName()
+ {
+ return modifiersName;
+ }
+
+ /**
+ * Set the user dn containing the identity of log user who modified the audit record. This will be the system user that
+ * is configured for performing slapd access log operations on behalf of Fortress.
+ * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+ *
+ * @param modifiersName maps to 'modifiersName' attribute on 'auditBind' object class.
+ */
+ public void setModifiersName(String modifiersName)
+ {
+ this.modifiersName = modifiersName;
+ }
+
+ /**
+ * Get the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+ * The time attributes use generalizedTime syntax.
+ *
+ * @return attribute that maps to 'modifyTimestamp' in 'auditBind' object class.
+ */
+ public String getModifyTimestamp()
+ {
+ return modifyTimestamp;
+ }
+
+ /**
+ * Set the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+ * The time attributes use generalizedTime syntax.
+ *
+ * @param modifyTimestamp attribute that maps to same name in 'auditBind' object class.
+ */
+ public void setModifyTimestamp(String modifyTimestamp)
+ {
+ this.modifyTimestamp = modifyTimestamp;
+ }
+
+ /**
+ * Get the object class name of the audit record. For this entity, this value will always be 'auditBind'.
+ *
+ * @return value that maps to 'objectClass' attribute on 'auditBind' obejct class.
+ */
+ public String getObjectClass()
+ {
+ return objectClass;
+ }
+
+ /**
+ * Set the object class name of the audit record. For this entity, this value will always be 'auditBind'.
+ *
+ * @param objectClass value that maps to same name on 'auditBind' obejct class.
+ */
+ public void setObjectClass(String objectClass)
+ {
+ this.objectClass = objectClass;
+ }
+
+ /**
+ * The reqAuthzID attribute is the distinguishedName of the user that
+ * performed the operation. This will usually be the same name as was
+ * established at the start of a session by a Bind request (if any) but
+ * may be altered in various circumstances.
+ * For Fortress bind operations this will map to {@link User#userId}
+ *
+ * @return value that maps to 'reqAuthzID' on 'auditBind' object class.
+ */
+ public String getReqAuthzID()
+ {
+ return reqAuthzID;
+ }
+
+ /**
+ * The reqAuthzID attribute is the distinguishedName of the user that
+ * performed the operation. This will usually be the same name as was
+ * established at the start of a session by a Bind request (if any) but
+ * may be altered in various circumstances.
+ * For Fortress bind operations this will map to {@link User#userId}
+ *
+ */
+ public void setReqAuthzID(String reqAuthzID)
+ {
+ this.reqAuthzID = reqAuthzID;
+ }
+
+ /**
+ * The reqControls and reqRespControls attributes carry any controls sent
+ * by the client on the request and returned by the server in the
+ * response, respectively. The attribute values are just uninterpreted
+ * octet strings.
+ *
+ * @return value that maps to 'reqControls' attribute on 'auditBind' object class.
+ */
+ public String getReqControls()
+ {
+ return reqControls;
+ }
+
+ /**
+ * The reqControls and reqRespControls attributes carry any controls sent
+ * by the client on the request and returned by the server in the
+ * response, respectively. The attribute values are just uninterpreted
+ * octet strings.
+ *
+ * @param reqControls maps to same name attribute on 'auditBind' object class.
+ */
+ public void setReqControls(String reqControls)
+ {
+ this.reqControls = reqControls;
+ }
+
+ /**
+ * The reqDN attribute is the distinguishedName of the target of the
+ * operation. E.g., for a Bind request, this is the Bind DN. For an Add
+ * request, this is the DN of the entry being added. For a Search request,
+ * this is the base DN of the search.
+ *
+ * @return value that map to 'reqDN' attribute on 'auditBind' object class.
+ */
+ public String getReqDN()
+ {
+ return reqDN;
+ }
+
+ /**
+ * The reqDN attribute is the distinguishedName of the target of the
+ * operation. E.g., for a Bind request, this is the Bind DN. For an Add
+ * request, this is the DN of the entry being added. For a Search request,
+ * this is the base DN of the search.
+ *
+ * @param reqDN maps to 'reqDN' attribute on 'auditBind' object class.
+ */
+ public void setReqDN(String reqDN)
+ {
+ this.reqDN = reqDN;
+ }
+
+ /**
+ * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+ *
+ * @return value that maps to 'reqEnd' attribute on 'auditBind' object class.
+ */
+ public String getReqEnd()
+ {
+ return reqEnd;
+ }
+
+ /**
+ * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+ *
+ * @param reqEnd value that maps to same name on 'auditBind' object class.
+ */
+ public void setReqEnd(String reqEnd)
+ {
+ this.reqEnd = reqEnd;
+ }
+
+ /**
+ * The reqMethod attribute contains the Bind Method used in the Bind. This will be
+ * the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds.
+ * Note that unless configured as a global overlay, only Simple Binds
+ * using DNs that reside in the current database will be logged.
+ *
+ * @return String that maps to 'reqMethod' attribute on 'auditBind' object class.
+ */
+ public String getReqMethod()
+ {
+ return reqMethod;
+ }
+
+ /**
+ * The reqMethod attribute contains the Bind Method used in the Bind. This will be
+ * the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds.
+ * Note that unless configured as a global overlay, only Simple Binds
+ * using DNs that reside in the current database will be logged.
+ *
+ * @param reqMethod maps to same name on 'auditBind' object class.
+ */
+ public void setReqMethod(String reqMethod)
+ {
+ this.reqMethod = reqMethod;
+ }
+
+ /**
+ * The reqResult attribute is the numeric LDAP result code of the
+ * operation, indicating either success or a particular LDAP error code.
+ * An error code may be accompanied by a text error message which will be
+ * recorded in the reqMessage attribute.
+ *
+ * @return value that maps to 'reqResult' attribute on 'auditBind' object class.
+ */
+ public String getReqResult()
+ {
+ return reqResult;
+ }
+
+ /**
+ * The reqResult attribute is the numeric LDAP result code of the
+ * operation, indicating either success or a particular LDAP error code.
+ * An error code may be accompanied by a text error message which will be
+ * recorded in the reqMessage attribute.
+ *
+ * @param reqResult maps to same name on 'auditBind' object class.
+ */
+ public void setReqResult(String reqResult)
+ {
+ this.reqResult = reqResult;
+ }
+
+ /**
+ * The reqSession attribute is an implementation-specific identifier that
+ * is common to all the operations associated with the same LDAP session.
+ * Currently this is slapd's internal connection ID, stored in decimal.
+ *
+ * @return value that maps to 'reqSession' attribute on 'auditBind' object class.
+ */
+ public String getReqSession()
+ {
+ return reqSession;
+ }
+
+ /**
+ * The reqSession attribute is an implementation-specific identifier that
+ * is common to all the operations associated with the same LDAP session.
+ * Currently this is slapd's internal connection ID, stored in decimal.
+ *
+ * @param reqSession maps to same name on 'auditBind' object class.
+ */
+ public void setReqSession(String reqSession)
+ {
+ this.reqSession = reqSession;
+ }
+
+ /**
+ * reqStart provide the start of the operation, They use generalizedTime syntax.
+ * The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @return value that maps to 'reqStart' attribute on 'auditBind' object class.
+ */
+ public String getReqStart()
+ {
+ return reqStart;
+ }
+
+ /**
+ * reqStart provide the start of the operation, They use generalizedTime syntax.
+ * The reqStart attribute is also used as the RDN for each log entry.
+ *
+ * @param reqStart maps to same name on 'auditBind' object class.
+ */
+ public void setReqStart(String reqStart)
+ {
+ this.reqStart = reqStart;
+ }
+
+ /**
+ * The reqType attribute is a simple string containing the type of
+ * operation being logged, e.g. add, delete, search, etc. For extended
+ * operations, the type also includes the OID of the extended operation,
+ * e.g. extended(1.1.1.1)
+ *
+ * @return value that maps to 'reqType' attribute on 'auditBind' object class.
+ */
+ public String getReqType()
+ {
+ return reqType;
+ }
+
+ /**
+ * The reqType attribute is a simple string containing the type of
+ * operation being logged, e.g. add, delete, search, etc. For extended
+ * operations, the type also includes the OID of the extended operation,
+ * e.g. extended(1.1.1.1)
+ *
+ * @param reqType maps to same name on 'auditBind' object class.
+ */
+ public void setReqType(String reqType)
+ {
+ this.reqType = reqType;
+ }
+
+ /**
+ * The reqVersion attribute which contains the
+ * LDAP protocol version specified in the Bind
+ *
+ * @return value that maps to the 'reqVersion' attribute on 'auditBind' object class.
+ */
+ public String getReqVersion()
+ {
+ return reqVersion;
+ }
+
+ /**
+ * The reqVersion attribute which contains the
+ * LDAP protocol version specified in the Bind
+ *
+ * @param reqVersion maps to same name on 'auditBind' object class.
+ */
+ public void setReqVersion(String reqVersion)
+ {
+ this.reqVersion = reqVersion;
+ }
+
+ /**
+ * Returns the name of the structural object class that is used to log the event. For this entity
+ * this value will always be 'auditBind'.
+ *
+ * @return value that maps to 'structuralObjectClass' attribute that contains the name 'auditBind'.
+ */
+ public String getStructuralObjectClass()
+ {
+ return structuralObjectClass;
+ }
+
+ /**
+ * Returns the name of the structural object class that is used to log the event. For this entity
+ * this value will always be 'auditBind'.
+ *
+ * @param structuralObjectClass maps to same name on 'auditBind' object class.
+ */
+ public void setStructuralObjectClass(String structuralObjectClass)
+ {
+ this.structuralObjectClass = structuralObjectClass;
+ }
+
+ /**
+ * Sequence id is used internal to Fortress.
+ * @return long value contains sequence id.
+ */
+ public long getSequenceId()
+ {
+ return sequenceId;
+ }
+
+ /**
+ * Sequence id is used internal to Fortress
+ * @param sequenceId contains sequence to use.
+ */
+ public void setSequenceId(long sequenceId)
+ {
+ this.sequenceId = sequenceId;
+ }
+}
+
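Review bot: The Javadoc on setReqAuthzID (the block ending just before `public void setReqAuthzID(String reqAuthzID)`) has no `@param` tag, unlike every other setter in Bind; add `@param reqAuthzID maps to 'reqAuthzID' attribute on 'auditBind' object class.`. The getCreateTimestamp/setCreateTimestamp comments were copied from the reqStart accessors and describe 'reqStart' and the RDN rather than the 'createTimestamp' attribute they actually wrap, so a reader cannot tell the two apart; reword them to describe 'createTimestamp'. The `<pre>` block in the class Javadoc carries stray `</code>` closers after each schema line with no matching opener, which renders as broken markup. Since the class `implements Serializable`, a `private static final long serialVersionUID` would also keep the serialized form stable across edits to this field list.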
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java b/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
new file mode 100755
index 0000000..e5ce164
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
@@ -0,0 +1,42 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.adapters.XmlAdapter;
+import java.util.Arrays;
+
+/**
+ * Created by IntelliJ IDEA.
+ * User: Shawn McKinney
+ * Date: 1/8/12
+ * Time: 7:29 AM
+ */
+public class CharArrayAdapter extends XmlAdapter<String, char[]>
+{
+ public char[] unmarshal(String val) throws Exception
+ {
+ return val.toCharArray();
+ }
+
+ public String marshal(char[] val) throws Exception
+ {
+ return Arrays.toString(val);
+ }
+}
\ No newline at end of file
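Review bot: marshal and unmarshal do not round-trip: `Arrays.toString(val)` renders the array as `"[a, b, c]"`, and feeding that back through `unmarshal` (`val.toCharArray()`) yields a different, longer array than the one marshalled, so any char[] field bound through this adapter is corrupted on the way through XML. The fix is `return new String(val);` in marshal, and both methods should carry `@Override` since they implement XmlAdapter. A char[] is usually chosen for values that must be wipeable after use; if that is the intent here, note in the class Javadoc that both directions necessarily create an immutable String copy of the content.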
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
new file mode 100755
index 0000000..9dde185
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.CfgException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+
+import java.io.InputStream;
+
+
+/**
+ * General purpose factory uses java reflection to instantiate new Manager object.
+ * </p>
+ * This class is called by the Manager factories:
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.AccessMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.AdminMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.AuditMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelAccessMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelAdminMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelReviewMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.PwPolicyMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.ReviewMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.cfg.ConfigMgrFactory}</li>
+ * </ol>
+ *
+ * @author Shawn McKinney
+ */
+public class ClassUtil
+{
+ /**
+ * Given a valid class name call the default constructor through reflexion and return the reference to the caller.
+ * @param className contains fully qualified java class name to be instantiated. Must have a public default constructor to be successful.
+ * @return reference to instantiated ManagerImpl object.
+ * @throws org.apache.directory.fortress.core.CfgException in the event of failure to instantiate.
+ *
+ */
+ public static Object createInstance(String className)
+ throws CfgException
+ {
+ Object target;
+ try
+ {
+ if (className == null || className.length() == 0)
+ {
+ String error = "createInstance() null or empty classname";
+ throw new CfgException(GlobalErrIds.FT_MGR_CLASS_NAME_NULL, error);
+ }
+ target = Class.forName(className).newInstance();
+ }
+ catch (java.lang.ClassNotFoundException e)
+ {
+ String error = "createInstance() className [" + className + "] caught java.lang.ClassNotFoundException=" + e;
+ throw new CfgException(GlobalErrIds.FT_MGR_CLASS_NOT_FOUND, error, e);
+ }
+ catch (java.lang.InstantiationException e)
+ {
+ String error = "createInstance() [" + className + "] caught java.lang.InstantiationException=" + e;
+ throw new CfgException(GlobalErrIds.FT_MGR_INST_EXCEPTION, error, e);
+ }
+ catch (java.lang.IllegalAccessException e)
+ {
+ String error = "createInstance() [" + className + "] caught java.lang.IllegalAccessException=" + e;
+ throw new CfgException(GlobalErrIds.FT_MGR_ILLEGAL_ACCESS, error, e);
+ }
+ return target;
+ }
+
+
+ /**
+ * Find a file on the classloader and return as InputStream.
+ * @param name contains the name of the file resource.
+ * @return handle to the InputStream
+ * @throws org.apache.directory.fortress.core.CfgException in the event resource is not found on classloader.
+ */
+ public static InputStream resourceAsStream(String name) throws CfgException
+ {
+ InputStream is;
+ is = ClassUtil.class.getClassLoader().getResourceAsStream(name);
+ if (is == null)
+ {
+ throw new CfgException(GlobalErrIds.FT_RESOURCE_NOT_FOUND, name);
+ }
+ return is;
+ }
+}
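Review bot: `Class.forName(className).newInstance()` in createInstance propagates any checked exception thrown by the target's no-arg constructor unwrapped, so a constructor failure skips the CfgException mapping in the catch clauses that follow and surfaces to callers as an exception type the `throws` clause does not declare; the method is also deprecated since Java 9. Use `getDeclaredConstructor().newInstance()` and map the two additional reflective failures to CfgException as shown below, which also preserves the constructor's own cause. Because className is read from configuration and selects whichever loadable class it names, the `@param` Javadoc should state that the configuration source is trusted and that only public no-arg constructors of the intended Manager implementations are expected here.
```java
public static Object createInstance(String className)
    throws CfgException
{
    // … unchanged: null/empty className check …
    target = Class.forName(className).getDeclaredConstructor().newInstance();
    // … unchanged: ClassNotFoundException / InstantiationException / IllegalAccessException handlers …
    catch (java.lang.NoSuchMethodException e)
    {
        String error = "createInstance() [" + className + "] caught java.lang.NoSuchMethodException=" + e;
        throw new CfgException(GlobalErrIds.FT_MGR_INST_EXCEPTION, error, e);
    }
    catch (java.lang.reflect.InvocationTargetException e)
    {
        String error = "createInstance() [" + className + "] constructor threw " + e.getCause();
        throw new CfgException(GlobalErrIds.FT_MGR_INST_EXCEPTION, error, e);
    }
```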
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Context.java b/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
new file mode 100644
index 0000000..e7a646d
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+/**
+ * This class contains the Context id which is used as container for segregating data by customer within the LDAP Directory Information Tree.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public class Context
+{
+ private String name;
+ private String description;
+
+
+ /**
+ * Generate instance of context.
+ *
+ * @param name contains the id to use for sub-directory within the DIT.
+ * @param description maps to 'description' attribute in 'organizationalUnit' object class.
+ */
+ public Context(String name, String description)
+ {
+ this.name = name;
+ this.description = description;
+ }
+
+ /**
+ * Default constructor used by {@link org.apache.directory.fortress.core.ant.FortressAntTask}
+ */
+ public Context()
+ {
+ }
+
+ /**
+ * Get the id to use for sub-directory within the DIT. This attribute is required.
+ *
+ * @return name maps to 'dcObject' object class.
+ */
+ public String getName()
+ {
+ return name;
+ }
+
+ /**
+ * Set the id to use for sub-directory within the DIT. This attribute is required.
+ *
+ * @param name maps to 'dcObject' object class.
+ */
+ public void setName(String name)
+ {
+ this.name = name;
+ }
+
+ /**
+ * Get the description for the context. This value is not required or constrained
+ * but is validated on reasonability.
+ *
+ * @return field maps to 'description' attribute on 'organizationalUnit'.
+ */
+ public String getDescription()
+ {
+ return description;
+ }
+
+ /**
+ * Set the description for the context. This value is not required or constrained
+ * but is validated on reasonability.
+ *
+ * @param description maps to to 'description' attribute on 'organizationalUnit'.
+ */
+ public void setDescription(String description)
+ {
+ this.description = description;
+ }
+}
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java b/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
new file mode 100755
index 0000000..ed5c928
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
@@ -0,0 +1,152 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.util.time.Constraint;
+import org.apache.directory.fortress.core.util.time.Time;
+import org.apache.directory.fortress.core.util.time.Validator;
+
+
+/**
+ * This class performs Dynamic Separation of Duty checking on a collection of roles targeted for
+ * activation within a particular user's session. This method is called from {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} during createSession
+ * sequence for users. If DSD constraint violation is detected for a particular role method will remove the role
+ * from collection of activation candidates and log a warning. This proc will also consider hierarchical relations
+ * between roles (RBAC spec calls these authorized roles).
+ * This validator will ensure the role being targeted for activation does not violate RBAC dynamic separation of duty constraints.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role} maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole} maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link UserAdminRole} maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class DSDChecker
+ implements Validator
+{
+ private static final String CLS_NM = DSDChecker.class.getName();
+ private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+
+
+ /**
+ * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints.
+ *
+ * @param session contains list of RBAC roles {@link org.apache.directory.fortress.core.rbac.UserRole} targeted for activation.
+ * @param constraint required for Validator interface, not used here..
+ * @param time required for Validator interface, not used here.
+ * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD} if failed.
+ */
+ @Override
+ public int validate( Session session, Constraint constraint, Time time ) throws org.apache.directory.fortress.core.SecurityException
+ {
+ int rc = 0;
+ int matchCount;
+
+ // get all candidate activated roles user:
+ List<UserRole> activeRoleList = session.getRoles();
+ if ( activeRoleList == null || activeRoleList.size() == 0 )
+ {
+ return rc;
+ }
+ // get the list of authorized roles for this user:
+ Set<String> authorizedRoleSet = RoleUtil.getInheritedRoles( activeRoleList, session.getUser().getContextId() );
+ // only need to check DSD constraints if more than one role is being activated:
+ if ( authorizedRoleSet != null && authorizedRoleSet.size() > 1 )
+ {
+ // get all DSD sets that contain the candidate activated and authorized roles,
+ //If DSD cache is disabled, this will search the directory using authorizedRoleSet
+ Set<SDSet> dsdSets = SDUtil.getDsdCache( authorizedRoleSet, session.getUser().getContextId() );
+ if ( dsdSets != null && dsdSets.size() > 0 )
+ {
+ for ( SDSet dsd : dsdSets )
+ {
+ Iterator activatedRoles = activeRoleList.iterator();
+ matchCount = 0;
+ Set<String> map = dsd.getMembers();
+
+ // now check the DSD on every role activation candidate contained within session object:
+ while ( activatedRoles.hasNext() )
+ {
+ UserRole activatedRole = ( UserRole ) activatedRoles.next();
+ if ( map.contains( activatedRole.getName() ) )
+ {
+ matchCount++;
+ if ( matchCount >= dsd.getCardinality() )
+ {
+ activatedRoles.remove();
+ String warning = "validate userId [" + session.getUserId()
+ + "] failed activation of assignedRole [" + activatedRole.getName()
+ + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:"
+ + dsd.getCardinality();
+ LOG.warn( warning );
+ rc = GlobalErrIds.ACTV_FAILED_DSD;
+ session.setWarning( new ObjectFactory().createWarning( rc, warning,
+ Warning.Type.ROLE, activatedRole.getName() ) );
+ }
+ }
+ else
+ {
+ Set<String> parentSet = RoleUtil.getAscendants( activatedRole.getName(), session.getUser()
+ .getContextId() );
+ // now check for every role inherited from this activated role:
+ for ( String parentRole : parentSet )
+ {
+ if ( map.contains( parentRole ) )
+ {
+ matchCount++;
+ if ( matchCount >= dsd.getCardinality() )
+ {
+ // remove the assigned role from session (not the authorized role):
+ activatedRoles.remove();
+ String warning = "validate userId [" + session.getUserId()
+ + "] assignedRole [" + activatedRole.getName() + "] parentRole ["
+ + parentRole + "] validates DSD Set Name:" + dsd.getName()
+ + " Cardinality:" + dsd.getCardinality();
+ LOG.warn( warning );
+ rc = GlobalErrIds.ACTV_FAILED_DSD;
+ session.setWarning( new ObjectFactory().createWarning( rc, warning, Warning.Type.ROLE, activatedRole.getName() ) );
+ }
+ // Breaking out of the loop here means the DSD algorithm will only match one
+ // role per parent.
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ return rc;
+ }
+}
\ No newline at end of file
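Review bot: The `break` after the first matching ancestor means an activated role whose ancestors include two or more members of the same DSD set contributes only one match, so a set with cardinality 2 is not triggered by that single role even though the class Javadoc states that hierarchical (authorized) roles are considered; if that is the intended semantics, the class Javadoc should say so explicitly, e.g. `Only one inherited ancestor per activated role counts toward a DSD set's cardinality.` The iterator over `activeRoleList` is declared as a raw `Iterator`, forcing the unchecked cast a few lines below; `Iterator<UserRole> activatedRoles = activeRoleList.iterator();` and `UserRole activatedRole = activatedRoles.next();` remove the cast with no behavior change. `session.getUser().getContextId()` is evaluated on every iteration and could be read once into a local before the loop, and the `map` local is a `Set<String>` of DSD members, so a name such as `dsdMembers` would read better. The `validate` method and class are complete within this hunk.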