Posted to commits@directory.apache.org by sm...@apache.org on 2018/10/24 12:02:07 UTC
directory-fortress-enmasse git commit: FC-248 - New API to combine
createSession & checkAccess
Repository: directory-fortress-enmasse
Updated Branches:
refs/heads/master 51b0a64dd -> 9b7057d60
FC-248 - New API to combine createSession & checkAccess
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/commit/9b7057d6
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/tree/9b7057d6
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/diff/9b7057d6
Branch: refs/heads/master
Commit: 9b7057d60c6eabdf5c51933cc9239a2774374091
Parents: 51b0a64
Author: Shawn McKinney <sm...@apache.org>
Authored: Tue Oct 23 09:49:35 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Tue Oct 23 09:49:35 2018 -0500
----------------------------------------------------------------------
.../directory/fortress/rest/AccessMgrImpl.java | 31 +++++++++++++
.../fortress/rest/FortressService.java | 49 +++++++++++++++++++-
.../fortress/rest/FortressServiceImpl.java | 13 ++++++
3 files changed, 92 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
index f8aca22..c695e5e 100644
--- a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
@@ -23,9 +23,11 @@ import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.GlobalErrIds;
import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ant.RoleConstraintAnt;
import org.apache.directory.fortress.core.model.*;
import org.apache.log4j.Logger;
+import java.util.ArrayList;
import java.util.List;
import java.util.Set;
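Review bot: Neither of the two added imports, `org.apache.directory.fortress.core.ant.RoleConstraintAnt` and `java.util.ArrayList`, is referenced by the code this commit adds to AccessMgrImpl; the new createSessionCheckAccess uses only AccessMgr, AccessMgrFactory, Permission, User and the request/response types. Unless something outside the visible hunks needs them, both lines should be dropped. The RoleConstraintAnt import in particular ties the REST class to the core's `ant` package for no visible reason.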
@@ -176,6 +178,35 @@ class AccessMgrImpl extends AbstractMgrImpl
}
+ /**
+ * Perform user RBAC authorization.
+ *
+ * @param request The {@link FortRequest} we have to check
+ * @return a {@link FortResponse} containing the response
+ */
+ /* no qualifier*/ FortResponse createSessionCheckAccess( FortRequest request )
+ {
+ FortResponse response = createResponse();
+
+ try
+ {
+ AccessMgr accessMgr = AccessMgrFactory.createInstance( request.getContextId() );
+ Permission perm = (Permission)request.getEntity();
+ perm.setAdmin( false );
+ User user = (User) request.getEntity2();
+ boolean isTrusted = request.getIsFlag();
+ boolean result = accessMgr.checkAccess( user, perm, isTrusted );
+ response.setAuthorized( result );
+ }
+ catch ( SecurityException se )
+ {
+ createError( response, LOG, se );
+ }
+
+ return response;
+ }
+
+
/* No qualifier */ FortResponse sessionPermissions( FortRequest request )
{
FortResponse response = createResponse();
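Review bot: In createSessionCheckAccess, `request.getEntity()` and `request.getEntity2()` are cast and dereferenced without any check, so a request that omits the Permission or User, or sends another entity type, fails at `perm.setAdmin( false )` or at the cast. That runtime exception is not covered by `catch ( SecurityException se )`, so the caller gets a container error instead of a FortResponse error code; both entities should be validated before use and a missing one reported through `createError`. Separately, `isTrusted` comes straight from the request's `isFlag`. If it has the createSession meaning (skip password verification, which is inferred from the name), any client holding the endpoint role gets an authorization decision for an arbitrary user without that user's credentials. The method Javadoc names none of the three inputs and should state them, e.g. `entity = Permission, entity2 = User, isFlag = true for a trusted (no password check) session`.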
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/FortressService.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressService.java b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
index 9f3c194..55c496d 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressService.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
@@ -4004,7 +4004,54 @@ public interface FortressService
*/
FortResponse checkAccess( FortRequest request );
-
+
+ /**
+ * Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given
+ * session is allowed or not to perform a given operation on a given object. The function is valid if and
+ * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+ * and the operation is a member of the OPS data set. The session's subject has the permission
+ * to perform the operation on that object if and only if that permission is assigned to (at least)
+ * one of the session's active roles. This implementation will verify the roles or userId correspond
+ * to the subject's active roles are registered in the object's access control list.
+ * <h3></h3>
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>
+ * {@link FortRequest#entity} - contains a reference to {@link org.apache.directory.fortress.core.model.Permission}
+ * entity
+ * </li>
+ * <li>
+ * {@link FortRequest#session} - contains a reference to User's RBAC session that is created by calling
+ * {@link FortressServiceImpl#createSession} method before use in this service.
+ * </li>
+ * </ul>
+ * <ul style="list-style-type:none">
+ * <li>
+ * <ul style="list-style-type:none">
+ * <li>
+ * <h5>{@link org.apache.directory.fortress.core.model.Permission} required parameters</h5>
+ * <ul>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.Permission#objName} - contains the name of existing
+ * object being targeted
+ * </li>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.Permission#opName} - contains the name of existing
+ * permission operation
+ * </li>
+ * </ul>
+ * </li>
+ * </ul>
+ * </li>
+ * </ul>
+ *
+ * @param request contains a reference to {@code FortRequest}
+ * @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
+ * authorized, otherwise 'false'. Updated {@link FortResponse#session} will be included in response as well.
+ */
+ FortResponse createSessionCheckAccess( FortRequest request );
+
+
/**
* This function returns the permissions of the session, i.e., the permissions assigned
* to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
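Review bot: The Javadoc added for createSessionCheckAccess describes the existing checkAccess contract rather than the new one. It lists `FortRequest#session` as a required parameter created by a prior createSession call and promises an updated `FortResponse#session` in the response, but the AccessMgrImpl method in this same commit never reads the session and only calls `response.setAuthorized( result )`. It should document what the method consumes instead: `entity` as the Permission (objName, opName), `entity2` as the User, and `isFlag` as the trusted switch, and say whether any session is returned. The empty `<h3></h3>` can be removed. The interface itself continues outside the hunk.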
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/9b7057d6/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
index adae965..3e0fe8e 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
@@ -1235,6 +1235,19 @@ public class FortressServiceImpl implements FortressService
* {@inheritDoc}
*/
@POST
+ @Path("/" + HttpIds.RBAC_CHECK + "/")
+ @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
+ @Override
+ public FortResponse createSessionCheckAccess( FortRequest request )
+ {
+ return accessMgrImpl.createSessionCheckAccess( request );
+ }
+
+
+ /**
+ * {@inheritDoc}
+ */
+ @POST
@Path("/" + HttpIds.RBAC_PERMS + "/")
@RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
@Override