Posted to commits@directory.apache.org by sm...@apache.org on 2018/10/24 12:02:07 UTC

directory-fortress-enmasse git commit: FC-248 - New API to combine createSession & checkAccess

Repository: directory-fortress-enmasse
Updated Branches:
  refs/heads/master 51b0a64dd -> 9b7057d60


FC-248 - New API to combine createSession & checkAccess


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/commit/9b7057d6
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/tree/9b7057d6
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/diff/9b7057d6

Branch: refs/heads/master
Commit: 9b7057d60c6eabdf5c51933cc9239a2774374091
Parents: 51b0a64
Author: Shawn McKinney <sm...@apache.org>
Authored: Tue Oct 23 09:49:35 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Tue Oct 23 09:49:35 2018 -0500

----------------------------------------------------------------------
 .../directory/fortress/rest/AccessMgrImpl.java  | 31 +++++++++++++
 .../fortress/rest/FortressService.java          | 49 +++++++++++++++++++-
 .../fortress/rest/FortressServiceImpl.java      | 13 ++++++
 3 files changed, 92 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
index f8aca22..c695e5e 100644
--- a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
@@ -23,9 +23,11 @@ import org.apache.directory.fortress.core.AccessMgr;
 import org.apache.directory.fortress.core.AccessMgrFactory;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ant.RoleConstraintAnt;
 import org.apache.directory.fortress.core.model.*;
 import org.apache.log4j.Logger;
 
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 
@@ -176,6 +178,35 @@ class AccessMgrImpl extends AbstractMgrImpl
     }
 
     
+    /**
+     * Perform user RBAC authorization.
+     *
+     * @param request The {@link FortRequest} we have to check
+     * @return a {@link FortResponse} containing the response
+     */
+    /* no qualifier*/ FortResponse createSessionCheckAccess( FortRequest request )
+    {
+        FortResponse response = createResponse();
+
+        try
+        {
+            AccessMgr accessMgr = AccessMgrFactory.createInstance( request.getContextId() );
+            Permission perm = (Permission)request.getEntity();
+            perm.setAdmin( false );
+            User user = (User) request.getEntity2();
+            boolean isTrusted = request.getIsFlag();
+            boolean result = accessMgr.checkAccess( user, perm, isTrusted );
+            response.setAuthorized( result );
+        }
+        catch ( SecurityException se )
+        {
+            createError( response, LOG, se );
+        }
+
+        return response;
+    }
+
+
     /* No qualifier */ FortResponse sessionPermissions( FortRequest request )
     {
         FortResponse response = createResponse();
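Review bot: A request with a missing or wrongly typed entity fails outside the error path in `createSessionCheckAccess`: the casts `(Permission)request.getEntity()` and `(User) request.getEntity2()` are unchecked, and `perm.setAdmin( false )` on a null entity throws a NullPointerException that `catch ( SecurityException se )` does not handle, so the caller gets no `FortResponse` error. If `getIsFlag()` returns a boxed `Boolean` (not visible in this diff), unboxing it into `boolean isTrusted` has the same problem; `boolean isTrusted = Boolean.TRUE.equals( request.getIsFlag() );` would make an absent flag mean untrusted. I would validate both entities before use and report the failure through `createError`, as the catch branch does. The imports added in the first hunk of this file (`RoleConstraintAnt`, `ArrayList`) are not used by this method and look unnecessary as far as this diff shows.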

http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/FortressService.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressService.java b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
index 9f3c194..55c496d 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressService.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
@@ -4004,7 +4004,54 @@ public interface FortressService
      */
     FortResponse checkAccess( FortRequest request );
 
-    
+
+    /**
+     * Perform user RBAC authorization.  This function returns a Boolean value meaning whether the subject of a given
+     * session is allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     * <h3></h3>
+     * <h4>required parameters</h4>
+     * <ul>
+     *   <li>
+     *     {@link FortRequest#entity} - contains a reference to {@link org.apache.directory.fortress.core.model.Permission}
+     *     entity
+     *   </li>
+     *   <li>
+     *     {@link FortRequest#session} - contains a reference to User's RBAC session that is created by calling
+     *     {@link FortressServiceImpl#createSession} method before use in this service.
+     *   </li>
+     * </ul>
+     * <ul style="list-style-type:none">
+     *   <li>
+     *     <ul style="list-style-type:none">
+     *       <li>
+     *         <h5>{@link org.apache.directory.fortress.core.model.Permission} required parameters</h5>
+     *         <ul>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.Permission#objName} - contains the name of existing
+     *             object being targeted
+     *           </li>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.Permission#opName} - contains the name of existing
+     *             permission operation
+     *           </li>
+     *         </ul>
+     *       </li>
+     *     </ul>
+     *   </li>
+     * </ul>
+     *
+     * @param request contains a reference to {@code FortRequest}
+     * @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
+     * authorized, otherwise 'false'.  Updated {@link FortResponse#session} will be included in response as well.
+     */
+    FortResponse createSessionCheckAccess( FortRequest request );
+
+
     /**
      * This function returns the permissions of the session, i.e., the permissions assigned
      * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
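Review bot: The Javadoc added for `createSessionCheckAccess` appears to be copied from `checkAccess` and documents the wrong inputs. It lists `FortRequest#session` as required and created by a prior `createSession` call, while the implementation in AccessMgrImpl reads the `User` from `getEntity2()` and a trust flag from `getIsFlag()` and never reads a session. The `@return` text also promises an updated `FortResponse#session`, but the implementation shown only calls `setAuthorized`. I would replace the session bullet with one for the User entity and one for the flag, stating what a true flag means for authentication, drop the session sentence from `@return`, and remove the empty `<h3></h3>`.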

http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
index adae965..3e0fe8e 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
@@ -1235,6 +1235,19 @@ public class FortressServiceImpl implements FortressService
      * {@inheritDoc}
      */
     @POST
+    @Path("/" + HttpIds.RBAC_CHECK + "/")
+    @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
+    @Override
+    public FortResponse createSessionCheckAccess( FortRequest request )
+    {
+        return accessMgrImpl.createSessionCheckAccess( request );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    @POST
     @Path("/" + HttpIds.RBAC_PERMS + "/")
     @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
     @Override
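Review bot: `@RolesAllowed({SUPER_USER, ACCESS_MGR_USER})` on `createSessionCheckAccess` is the only control on who may send this request with the trust flag set, because AccessMgrImpl passes `request.getIsFlag()` straight into `checkAccess( user, perm, isTrusted )`. If a true flag skips the user's password check, as the name suggests, any client holding ACCESS_MGR_USER can obtain an authorization decision for an arbitrary userId without that user's credentials. If that is intended, state it in the interface Javadoc and make sure calls with the flag set are audited; otherwise consider exposing the trusted variant on its own path with a narrower role. The next method's annotations continue past the end of this hunk.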