Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:49 UTC
[30/51] [partial] Rename packages from org.openldap.fortress to
org.apache.directory.fortress.core. Change default suffix to org.apache.
Switch default ldap api from unbound to apache ldap.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
new file mode 100755
index 0000000..88bf87f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
@@ -0,0 +1,488 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.Set;
+import java.util.TreeSet;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO;
+import org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.directory.fortress.core.util.time.Constraint;
+
+
+/**
+ * All entities ({@link AdminRole}, {@link org.apache.directory.fortress.core.rbac.OrgUnit},
+ * {@link org.apache.directory.fortress.core.rbac.SDSet} etc...) are used to carry data between three Fortress
+ * layers.starting with the (1) Manager layer down thru middle (2) Process layer and it's processing rules into
+ * (3) DAO layer where persistence with the OpenLDAP server occurs.
+ * <h4>Fortress Processing Layers</h4>
+ * <ol>
+ * <li>Manager layer: {@link DelAdminMgrImpl}, {@link DelAccessMgrImpl}, {@link DelReviewMgrImpl},...</li>
+ * <li>Process layer: {@link AdminRoleP}, {@link org.apache.directory.fortress.core.rbac.OrgUnitP},...</li>
+ * <li>DAO layer: {@link AdminRoleDAO}, {@link OrgUnitDAO},...</li>
+ * </ol>
+ * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs. The caller must
+ * provide enough information to uniquely identity the entity target within ldap.<br />
+ * For example, this entity requires {@link #name} set before passing into {@link DelAdminMgrImpl} or {@link DelReviewMgrImpl} APIs.
+ * Create methods usually require more attributes (than Read) due to constraints enforced between entities.
+ * <p/>
+ * This entity extends the {@link org.apache.directory.fortress.core.rbac.Role} entity and is used to store the ARBAC AdminRole assignments that comprise the many-to-many relationships between Users and Administrative Permissions.
+ * In addition it is used to store the ARBAC {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM} and {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#USER} OU information that adheres to the AdminRole entity in the ARBAC02 model.
+ * <br />The unique key to locate AdminRole entity (which is subsequently assigned both to Users and administrative Permissions) is {@link AdminRole#name}.<br />
+ * <p/>
+ * There is a many-to-many relationship between User's, Administrative Roles and Administrative Permissions.
+ * <h3>{@link org.apache.directory.fortress.core.rbac.User}*<->*{@link AdminRole}*<->*{@link Permission}</h3>
+ * Example to create new ARBAC AdminRole:
+ * <p/>
+ * <code>AdminRole myRole = new AdminRole("MyRoleName");</code><br />
+ * <code>myRole.setDescription("This is a test admin role");</code><br />
+ * <code>DelAdminMgr delAdminMgr = DelAdminMgrFactory.createInstance();</code><br />
+ * <code>delAdminMgr.addRole(myRole);</code><br />
+ * <p/>
+ * This will create a AdminRole name that can be used as a target for User-AdminRole assignments and AdminRole-AdminPermission grants.
+ * <p/>
+ * <p/>
+ * <h4>Administrative Role Schema</h4>
+ * The Fortress AdminRole entity is a composite of the following other Fortress structural and aux object classes:
+ * <p/>
+ * 1. organizationalRole Structural Object Class is used to store basic attributes like cn and description.
+ * <pre>
+ * ------------------------------------------
+ * objectclass ( 2.5.6.8 NAME 'organizationalRole'
+ * DESC 'RFC2256: an organizational role'
+ * SUP top STRUCTURAL
+ * MUST cn
+ * MAY (
+ * x121Address $ registeredAddress $ destinationIndicator $
+ * preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
+ * telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
+ * seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
+ * postOfficeBox $ postalCode $ postalAddress $
+ * physicalDeliveryOfficeName $ ou $ st $ l $ description
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 2. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Roles Structural Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.2.1
+ * NAME 'ftRls'
+ * DESC 'Fortress Role Structural Object Class'
+ * SUP organizationalrole
+ * STRUCTURAL
+ * MUST (
+ * ftId $
+ * ftRoleName
+ * )
+ * MAY (
+ * description $
+ * ftCstr $
+ * ftParents
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.<br />
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <pre>
+ * ------------------------------------------
+ * AC2: Fortress Properties Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.2
+ * NAME 'ftProperties'
+ * DESC 'Fortress Properties AUX Object Class'
+ * AUXILIARY
+ * MAY (
+ * ftProps
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 4. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Organizational Pools Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.3
+ * NAME 'ftPools'
+ * DESC 'Fortress Pools AUX Object Class'
+ * AUXILIARY
+ * MAY (
+ * ftOSU $
+ * ftOSP $
+ * ftRange
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 5. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ * NAME 'ftMods'
+ * DESC 'Fortress Modifiers AUX Object Class'
+ * AUXILIARY
+ * MAY (
+ * ftModifier $
+ * ftModCode $
+ * ftModId
+ * )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortAdminRole")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "adminRole", propOrder =
+ {
+ "osPs",
+ "osUs",
+ "beginRange",
+ "endRange",
+ "beginInclusive",
+ "endInclusive"
+})
+public class AdminRole extends Role implements Administrator
+{
+ private Set<String> osPs;
+ private Set<String> osUs;
+ private String beginRange;
+ private String endRange;
+ private boolean beginInclusive;
+ private boolean endInclusive;
+
+
+ /**
+ * Default constructor is used by internal Fortress classes.
+ */
+ public AdminRole()
+ {
+ }
+
+
+ /**
+ * Construct an Admin Role with a given temporal constraint.
+ *
+ * @param con maps to 'OamRC' attribute for 'ftTemporal' aux object classes.
+ */
+ public AdminRole( Constraint con )
+ {
+ CUtil.copy( con, this );
+ }
+
+
+ /**
+ * Construct an AdminRole entity with a given name.
+ *
+ */
+ public AdminRole( String name )
+ {
+ this.setName( name );
+ }
+
+
+ /**
+ * Load the role range attributes given a raw format. This method is used internal to Fortress and is not intended
+ * to be used by external callers.
+ *
+ * @param szRaw maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setRoleRangeRaw( String szRaw )
+ {
+ if ( VUtil.isNotNullOrEmpty( szRaw ) )
+ {
+ int bindx = szRaw.indexOf( "(" );
+ if ( bindx > -1 )
+ {
+ this.setBeginInclusive( false );
+ }
+ else
+ {
+ bindx = szRaw.indexOf( "[" );
+ this.setBeginInclusive( true );
+ }
+ int eindx = szRaw.indexOf( ")" );
+ if ( eindx > -1 )
+ {
+ this.setEndInclusive( false );
+ }
+ else
+ {
+ eindx = szRaw.indexOf( "]" );
+ this.setEndInclusive( true );
+ }
+ int cindx = szRaw.indexOf( ":" );
+ if ( cindx > -1 )
+ {
+ String szBeginRange = szRaw.substring( bindx + 1, cindx );
+ String szEndRange = szRaw.substring( cindx + 1, eindx );
+ this.setBeginRange( szBeginRange );
+ this.setEndRange( szEndRange );
+ }
+ }
+ }
+
+
+ /**
+ *
+ * Get the raw format for role range using current AdminRole entity attributes. This method is used internal to Fortress and is not intended
+ * to be used by external callers.
+ *
+ * @return String maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public String getRoleRangeRaw()
+ {
+ String szRaw = "";
+ if ( this.beginRange != null )
+ {
+ if ( this.isBeginInclusive() )
+ szRaw += "[";
+ else
+ szRaw += "(";
+ szRaw += this.getBeginRange();
+ szRaw += ":";
+ szRaw += this.getEndRange();
+ if ( this.isEndInclusive() )
+ szRaw += "]";
+ else
+ szRaw += ")";
+ }
+ return szRaw;
+ }
+
+
+ /**
+ * Get a collection of optional Perm OU attributes that were stored on the AdminRole entity.
+ *
+ * @return List of type String containing Perm OU. This maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public Set<String> getOsP()
+ {
+ return osPs;
+ }
+
+
+ /**
+ * Set a collection of optional Perm OU attributes to be stored on the AdminRole entity.
+ *
+ * @param osPs is a List of type String containing Perm OU. This maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setOsP( Set<String> osPs )
+ {
+ this.osPs = osPs;
+ }
+
+
+ /**
+ * Set a Perm OU attribute to be stored on the AdminRole entity.
+ *
+ * @param osP is a Perm OU that maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setOsP( String osP )
+ {
+ if ( this.osPs == null )
+ {
+ // create Set with case insensitive comparator:
+ osPs = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+ }
+ osPs.add( osP );
+ }
+
+
+ /**
+ * Get a collection of optional User OU attributes that were stored on the AdminRole entity.
+ *
+ * @return List of type String containing User OU. This maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public Set<String> getOsU()
+ {
+ return osUs;
+ }
+
+
+ /**
+ * Set a collection of optional User OU attributes to be stored on the AdminRole entity.
+ *
+ * @param osUs is a List of type String containing User OU. This maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setOsU( Set<String> osUs )
+ {
+ this.osUs = osUs;
+ }
+
+
+ /**
+ * Set a User OU attribute to be stored on the AdminRole entity.
+ *
+ * @param osU is a User OU that maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setOsU( String osU )
+ {
+ if ( this.osUs == null )
+ {
+ // create Set with case insensitive comparator:
+ osUs = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+ }
+ osUs.add( osU );
+ }
+
+
+ /**
+ * Return the begin Role range attribute for AdminRole entity which corresponds to lowest descendant.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public String getBeginRange()
+ {
+ return beginRange;
+ }
+
+
+ /**
+ * Set the begin Role range attribute for AdminRole entity which corresponds to lowest descendant.
+ *
+ * @param beginRange maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setBeginRange( String beginRange )
+ {
+ this.beginRange = beginRange;
+ }
+
+
+ /**
+ * Return the end Role range attribute for AdminRole entity which corresponds to highest ascendant.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public String getEndRange()
+ {
+ return endRange;
+ }
+
+
+ /**
+ * Set the end Role range attribute for AdminRole entity which corresponds to highest ascendant.
+ *
+ * @param endRange maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setEndRange( String endRange )
+ {
+ this.endRange = endRange;
+ }
+
+
+ /**
+ * Get the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public boolean isBeginInclusive()
+ {
+ return beginInclusive;
+ }
+
+
+ /**
+ * Set the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+ *
+ * @param beginInclusive maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setBeginInclusive( boolean beginInclusive )
+ {
+ this.beginInclusive = beginInclusive;
+ }
+
+
+ /**
+ * Get the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public boolean isEndInclusive()
+ {
+ return endInclusive;
+ }
+
+
+ /**
+ * Set the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+ *
+ * @param endInclusive maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ @Override
+ public void setEndInclusive( boolean endInclusive )
+ {
+ this.endInclusive = endInclusive;
+ }
+
+
+ /**
+ * Matches the name from two AdminRole entities.
+ *
+ * @param thatObj contains an AdminRole entity.
+ * @return boolean indicating both objects contain matching AdminRole names.
+ */
+ public boolean equals( Object thatObj )
+ {
+ if ( this == thatObj )
+ return true;
+ if ( this.getName() == null )
+ return false;
+ if ( !( thatObj instanceof AdminRole ) )
+ return false;
+ Role thatRole = ( Role ) thatObj;
+ if ( thatRole.getName() == null )
+ return false;
+ return thatRole.getName().equalsIgnoreCase( this.getName() );
+ }
+}
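Review bot: setRoleRangeRaw (lines +239–272) throws StringIndexOutOfBoundsException when the stored ftRange value contains ':' but no closing ')' or ']': eindx stays -1 and `szRaw.substring( cindx + 1, eindx )` fails, so one malformed directory attribute aborts the whole entity read as an unchecked exception instead of being reported. Guarding the extraction with `if ( cindx > -1 && eindx > cindx )` keeps the parser from escaping on bad input; whether such values are logged or rejected is then a decision for the caller. Separately, equals (line +488) compares names case-insensitively but no matching hashCode appears in this file, so unless Role supplies one consistent with that comparison, equal AdminRoles can land in different HashMap buckets; adding `@Override` to equals would also let the compiler catch signature drift.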
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
new file mode 100755
index 0000000..d589b3c
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
@@ -0,0 +1,403 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO;
+import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * Process module for the AdminRole entity. This class performs data validations and error mapping. It is typically called
+ * by internal Fortress delegated manager classes ({@link DelAdminMgrImpl}, {@link DelAccessMgrImpl},
+ * {@link DelReviewMgrImpl}, ...) and not intended for external non-Fortress clients. This class will accept,
+ * {@link org.apache.directory.fortress.core.rbac.AdminRole}, validate its contents and forward on to it's corresponding DAO class {@link AdminRoleDAO}.
+ * <p>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
+ * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
+ * or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link GlobalErrIds}.
+ * <p>
+ * This class is thread safe.
+ * <p/>
+
+ *
+ * @author Shawn McKinney
+ */
+public final class AdminRoleP
+{
+ private static final String CLS_NM = AdminRoleP.class.getName();
+ private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+ private static final AdminRoleDAO rDao = DaoFactory.createAdminRoleDAO();
+ private static final OrgUnitP op = new OrgUnitP();
+
+
+ /**
+ * Package private constructor.
+ */
+ AdminRoleP()
+ {
+ }
+
+
+ /**
+ * Return a fully populated Admin Role entity for a given Admin Role name. If matching record not found a
+ * SecurityException will be thrown.
+ *
+ * @param adminRole contains full Admin Role name.
+ * @return AdminRole entity containing all attributes associated with Administrative Role in directory.
+ * @throws SecurityException in the event AdminRole not found or DAO search error.
+ */
+ final AdminRole read( AdminRole adminRole ) throws SecurityException
+ {
+ return rDao.getRole( adminRole );
+ }
+
+
+ /**
+ * Takes a search string that contains full or partial Admin Role name in directory.
+ *
+ * @param adminRole contains full or partial Admin role name.
+ * @return List of type Role containing fully populated matching Admin Role entities. If no records found this will be empty.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ final List<AdminRole> search( AdminRole adminRole )
+ throws SecurityException
+ {
+ return rDao.findRoles( adminRole );
+ }
+
+
+ /**
+ * Takes a search string that contains full or partial Admin Role name in directory.
+ *
+ * @param adminRole contains full or partial Admin role name.
+ * @param limit specify the max number of records to return in result set.
+ * @return List of type String containing Admin Role name of all matching User entities. If no records found this will be empty.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ final List<String> search( AdminRole adminRole, int limit )
+ throws SecurityException
+ {
+ return rDao.findRoles( adminRole, limit );
+ }
+
+
+ /**
+ * Return all AdminRoles that have a parent assignment. This used for hierarchical processing.
+ *
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return List of type AdminRole containing {@link AdminRole#name} and {@link AdminRole#parents} populated.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ final List<Graphable> getAllDescendants( String contextId )
+ throws SecurityException
+ {
+ return rDao.getAllDescendants( contextId );
+ }
+
+
+ /**
+ * Adds a new Admin Role entity to directory. The Role entity input object will be validated to ensure that:
+ * role name is present, and reasonability checks on all of the other populated values.
+ *
+ * @param entity Admin Role entity contains data targeted for insertion.
+ * @return AdminRole entity copy of input + additional attributes (internalId) that were added by op.
+ * @throws SecurityException in the event of data validation or DAO system error.
+ */
+ final AdminRole add( AdminRole entity )
+ throws SecurityException
+ {
+ validate( entity );
+ return rDao.create( entity );
+ }
+
+
+ /**
+ * Updates existing AdminRole entity in directory. For example the AdminRole description and temporal constraints
+ * updated.
+ *
+ * @param entity Admin Role entity contains data targeted for updating.
+ * @return AdminRole entity contains fully populated updated entity.
+ * @throws SecurityException in the event of data validation or DAO system error.
+ */
+ final AdminRole update( AdminRole entity ) throws SecurityException
+ {
+ validate( entity );
+ entity = rDao.update( entity );
+ return read( entity );
+ }
+
+
+ /**
+ * Removes parent role assignments from Role entity in directory.
+ * updated.
+ *
+ * @param entity Admin Role entity contains data targeted for updating.
+ * @throws SecurityException in the event of data validation or DAO system error.
+ */
+ final void deleteParent( AdminRole entity ) throws SecurityException
+ {
+ validate( entity );
+ rDao.deleteParent( entity );
+ }
+
+
+ /**
+ * This command assigns a user to an admin role.
+ * Successful completion of this op, the following occurs:
+ * </p>
+ * <ul>
+ * <li> User entity (resides in people container) has role assignment added to aux object class attached to actual user record.
+ * <li> AdminRole entity (resides in admin role container) has userId added as role occupant.
+ * <li> (optional) Temporal constraints may be associated with <code>ftUserAttrs</code> aux object class based on:
+ * <ul>
+ * <li> timeout - number in seconds of session inactivity time allowed.
+ * <li> beginDate - YYYYMMDD - determines date when role may be activated.
+ * <li> endDate - YYMMDD - indicates latest date role may be activated.
+ * <li> beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
+ * <li> endLockDate - YYMMDD - determines end of enforced inactive status.
+ * <li> beginTime - HHMM - determines begin hour role may be activated in user's session.
+ * <li> endTime - HHMM - determines end hour role may be activated in user's session.*
+ * <li> dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
+ * </ul>
+ * </ul>
+ *
+ * @param entity contains userId and admin role name and (optional) role temporal constraints.
+ * @param userDn contains the DN of user being assigned.
+ * @return AdminRole contains copy of input entity and additional data processed by request.
+ * @throws SecurityException in the event data error in user or role objects or system error.
+ */
+ final AdminRole assign( AdminRole entity, String userDn ) throws SecurityException
+ {
+ return rDao.assign( entity, userDn );
+ }
+
+
+ /**
+ * Add the User dn occupant attribute to the OrganizationalRole entity in ldap. This method is called by AdminMgrImpl
+ * when the User is being added.
+ *
+ * @param uRoles contains a collection of UserAdminRole being targeted for assignment.
+ * @param userDn contains the userId targeted for attribute addition.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ void addOccupant( List<UserAdminRole> uRoles, String userDn, String contextId )
+ throws SecurityException
+ {
+ if ( VUtil.isNotNullOrEmpty( uRoles ) )
+ {
+ for ( UserAdminRole uRole : uRoles )
+ {
+ AdminRole role = new AdminRole( uRole.getName() );
+ role.setContextId( contextId );
+ assign( role, userDn );
+ }
+ }
+ }
+
+
+ /**
+ * Remove the User dn occupant attribute from the OrganizationalRole entity in ldap. This method is called by AdminMgrImpl
+ * when the User is being deleted.
+ *
+ * @param userDn contains the userId targeted for attribute removal.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws SecurityException in the event of DAO search error.
+ */
+ final void removeOccupant( String userDn, String contextId )
+ throws SecurityException
+ {
+ List<String> list;
+ try
+ {
+ list = rDao.findAssignedRoles( userDn, contextId );
+ for ( String roleNm : list )
+ {
+ deassign( new AdminRole( roleNm ), userDn );
+ }
+ }
+ catch ( FinderException fe )
+ {
+ String error = "removeOccupant userDn [" + userDn + "] caught FinderException=" + fe;
+ throw new SecurityException( GlobalErrIds.ARLE_REMOVE_OCCUPANT_FAILED, error, fe );
+ }
+ }
+
+
+ /**
+ * This method removes assigned admin role from user entity. Both user and admin role entities must exist and have role relationship
+ * before calling this method.
+ * Successful completion:
+ * del Role to User assignment in User data set
+ * AND
+ * User to Role assignment in Admin Role data set.
+ *
+ * @param entity contains userId and admin role name targeted for removal.
+ * @param userDn contains the userId targeted for attribute removal.
+ * @return AdminRole contains copy of input entity and additional data processed by request.
+ * @throws SecurityException - in the event data error in user or role objects or system error.
+ */
+ final AdminRole deassign( AdminRole entity, String userDn ) throws SecurityException
+ {
+ return rDao.deassign( entity, userDn );
+ }
+
+
+ /**
+ * This method performs a "hard" delete. It completely the Admin Role node from the ldap directory.
+ * Admin Role entity must exist in directory prior to making this call else exception will be thrown.
+ *
+ * @param entity Contains the name of the Admin Role targeted for deletion.
+ * @throws SecurityException in the event of data validation or DAO system error.
+ */
+ final void delete( AdminRole entity ) throws SecurityException
+ {
+ try
+ {
+ rDao.remove( entity );
+ }
+ catch ( RemoveException re )
+ {
+ String error = "delete name [" + entity.getName() + "] caught RemoveException=" + re;
+ LOG.error( error );
+ throw new SecurityException( GlobalErrIds.ARLE_DELETE_FAILED, error, re );
+ }
+ }
+
+
+ /**
+ * Method will perform simple validations to ensure the integrity of the Admin Role entity targeted for insertion
+ * or updating in directory. For example the Admin Role temporal constraints will be validated. Data reasonability
+ * checks will be performed on all non-null attributes. Validations will be performed on ARBAC constraints as well.
+ *
+ * @param entity contains data targeted for insertion or update.
+ * @throws SecurityException in the event of data validation error or DAO error on Org validation.
+ */
+ private void validate( AdminRole entity )
+ throws SecurityException
+ {
+ VUtil.safeText( entity.getName(), GlobalIds.ROLE_LEN );
+ if ( VUtil.isNotNullOrEmpty( entity.getBeginRange() ) && VUtil.isNotNullOrEmpty( entity.getEndRange() ) )
+ {
+ VUtil.safeText( entity.getBeginRange(), GlobalIds.ROLE_LEN );
+ VUtil.safeText( entity.getEndRange(), GlobalIds.ROLE_LEN );
+ if ( entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() )
+ && ( !entity.isBeginInclusive() || !entity.isEndInclusive() ) )
+ {
+ String error = "validate invalid range detected for role name [" + entity.getName()
+ + "] non inclusive endpoint for identical range [" + entity.getBeginRange() + "] begin inclusive ["
+ + entity.isBeginInclusive() + "] end inclusive [" + entity.isEndInclusive() + "]";
+ LOG.warn( error );
+ throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE_INCLUSIVE, error );
+ }
+ else if ( !RoleUtil.isParent( entity.getBeginRange(), entity.getEndRange(), entity.getContextId() )
+ && !entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() ) )
+ //public static boolean isParent(String child, String parent)
+ {
+ String error = "validate invalid range detected for role name [" + entity.getName()
+ + "] begin range [" + entity.getBeginRange() + "] end range [" + entity.getEndRange() + "]";
+ LOG.warn( error );
+ throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE, error );
+ }
+ }
+ else if ( !VUtil.isNotNullOrEmpty( entity.getBeginRange() ) && VUtil.isNotNullOrEmpty( entity.getEndRange() ) )
+ {
+ String error = "validate role name [" + entity.getName() + "] begin range value null or empty.";
+ LOG.warn( error );
+ throw new SecurityException( GlobalErrIds.ARLE_BEGIN_RANGE_NULL, error );
+ }
+ else if ( VUtil.isNotNullOrEmpty( entity.getBeginRange() ) && !VUtil.isNotNullOrEmpty( entity.getEndRange() ) )
+ {
+ String error = "validate role name [" + entity.getName() + "] end range value null or empty.";
+ LOG.warn( error );
+ throw new SecurityException( GlobalErrIds.ARLE_END_RANGE_NULL, error );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+ {
+ VUtil.description( entity.getDescription() );
+ }
+ if ( entity.getTimeout() >= 0 )
+ {
+ VUtil.timeout( entity.getTimeout() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getBeginTime() ) )
+ {
+ VUtil.beginTime( entity.getBeginTime() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getEndTime() ) )
+ {
+ VUtil.endTime( entity.getEndTime() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getBeginDate() ) )
+ {
+ VUtil.beginDate( entity.getBeginDate() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getEndDate() ) )
+ {
+ VUtil.endDate( entity.getEndDate() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getDayMask() ) )
+ {
+ VUtil.dayMask( entity.getDayMask() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getBeginLockDate() ) )
+ {
+ VUtil.beginDate( entity.getBeginDate() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getEndLockDate() ) )
+ {
+ VUtil.endDate( entity.getEndLockDate() );
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getOsU() ) )
+ {
+ for ( String ou : entity.getOsU() )
+ {
+ OrgUnit inOe = new OrgUnit( ou );
+ inOe.setType( OrgUnit.Type.USER );
+ inOe.setContextId( entity.getContextId() );
+ op.read( inOe );
+ }
+ }
+ if ( VUtil.isNotNullOrEmpty( entity.getOsP() ) )
+ {
+ for ( String ou : entity.getOsP() )
+ {
+ OrgUnit inOe = new OrgUnit( ou );
+ inOe.setType( OrgUnit.Type.PERM );
+ inOe.setContextId( entity.getContextId() );
+ op.read( inOe );
+ }
+ }
+ }
+}
\ No newline at end of file
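Review bot: The beginLockDate check at lines +883–886 validates the wrong field: the guard tests `entity.getBeginLockDate()` but the call is `VUtil.beginDate( entity.getBeginDate() )`, so a begin lock date is persisted without ever passing through the date validator, while the endLockDate branch just below gets it right. The line should read `VUtil.beginDate( entity.getBeginLockDate() );`. The stray `//public static boolean isParent(String child, String parent)` at line +835 is commented-out code sitting between a condition and its block; it should be deleted or rewritten as a sentence stating the argument order RoleUtil.isParent expects, since the call on line +833 passes beginRange as child and endRange as parent.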
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleRelationship.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleRelationship.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleRelationship.java
new file mode 100755
index 0000000..22b90d4
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleRelationship.java
@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This entity is used by en masse to communicate parent and child {@link org.apache.directory.fortress.core.rbac.AdminRole} information to the server.
+ * <p/>
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortAdminRoleRelationship")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "adminrelationship", propOrder = {
+ "child",
+ "parent"
+})
+public class AdminRoleRelationship extends FortEntity
+ implements java.io.Serializable
+{
+ private AdminRole parent;
+ private AdminRole child;
+
+ public AdminRole getParent()
+ {
+ return parent;
+ }
+
+ public void setParent(AdminRole parent)
+ {
+ this.parent = parent;
+ }
+
+ public AdminRole getChild()
+ {
+ return child;
+ }
+
+ public void setChild(AdminRole child)
+ {
+ this.child = child;
+ }
+}
\ No newline at end of file
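Review bot: `AdminRoleRelationship` declares `implements java.io.Serializable` at line 960 without a `serialVersionUID`, so the default computed UID changes with any edit to the class and deserialization of a previously serialized instance fails after such an edit. If Java serialization of this entity is really used, add `private static final long serialVersionUID = 1L;`; if the class only travels through JAXB (`@XmlRootElement`), the interface can be dropped. Whether `FortEntity` already declares a UID cannot be seen from here, but a subclass needs its own regardless.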
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
new file mode 100755
index 0000000..cdcafbc
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
@@ -0,0 +1,290 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.jgrapht.graph.SimpleDirectedGraph;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ValidationException;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.cache.Cache;
+import org.apache.directory.fortress.core.util.cache.CacheMgr;
+
+
+/**
+ * This utility wraps {@link org.apache.directory.fortress.core.rbac.HierUtil} methods to provide hierarchical functionality for the {@link org.apache.directory.fortress.core.rbac.AdminRole} data set.
+ * The child to parent relationships are stored within a data cache, {@link #adminRoleCache}, contained within this class. The parent-child edges are contained in LDAP,
+ * in {@code ftParents} attribute. The ldap data is retrieved {@link org.apache.directory.fortress.core.rbac.AdminRoleP#getAllDescendants(String)} and loaded into {@code org.jgrapht.graph.SimpleDirectedGraph}.
+ * The graph...
+ * <ol>
+ * <li>is stored as singleton in this class with vertices of {@code String}, and edges, as {@link org.apache.directory.fortress.core.rbac.Relationship}s</li>
+ * <li>utilizes open source library, see <a href="http://www.jgrapht.org/">JGraphT</a>.</li>
+ * <li>contains a general hierarchical data structure i.e. allows multiple inheritance with parents.</li>
+ * <li>is a simple directed graph thus does not allow cycles.</li>
+ * </ol>
+ * After update is performed to ldap, the singleton is refreshed with latest info.
+ * <p/>
+ * Static methods on this class are intended for use by other Fortress classes, i.e. {@link DelAdminMgrImpl} and {@link org.apache.directory.fortress.core.rbac.dao.PermDAO}
+ * and cannot be directly invoked by outside programs.
+ * <p/>
+ * This class contains singleton that can be updated but is thread safe.
+ * <p/>
+
+ * @author Shawn McKinney
+ */
+public final class AdminRoleUtil
+{
+ private static final Cache adminRoleCache;
+ private static final AdminRoleP adminRoleP = new AdminRoleP();
+ private static final String CLS_NM = AdminRoleUtil.class.getName();
+ private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+
+ /**
+ * Initialize the AdminRole hierarchies. This will read the {@link org.apache.directory.fortress.core.rbac.Hier} data set from ldap and load into
+ * the JGraphT simple digraph that referenced statically within this class.
+ */
+ static
+ {
+ CacheMgr cacheMgr = CacheMgr.getInstance();
+ adminRoleCache = cacheMgr.getCache( "fortress.admin.roles" );
+ }
+
+
+ /**
+ * Used to determine if one {@link org.apache.directory.fortress.core.rbac.AdminRole} is the parent of another. This method
+ * will call recursive routine {@link #getAscendants(String, String)} to walk the {@code org.jgrapht.graph.SimpleDirectedGraph} data structure
+ * returning flag indicating if parent-child relationship is valid.
+ *
+ * @param child maps to logical {@link org.apache.directory.fortress.core.rbac.AdminRole#name} on 'ftRls' object class.
+ * @param parent maps to logical {@link org.apache.directory.fortress.core.rbac.AdminRole#name} on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return boolean result, 'true' indicates parent/child relationship exists.
+ */
+ static boolean isParent( String child, String parent, String contextId )
+ {
+ boolean result = false;
+ Set<String> parents = getAscendants( child, contextId );
+ if ( parents != null && parents.size() > 0 )
+ {
+ result = parents.contains( parent.toUpperCase() );
+ }
+ return result;
+ }
+
+
+ /**
+ * Recursively traverse the {@link org.apache.directory.fortress.core.rbac.AdminRole} graph and return all of the descendants of a given parent {@link org.apache.directory.fortress.core.rbac.AdminRole#name}.
+ * @param roleName {@link org.apache.directory.fortress.core.rbac.AdminRole#name} maps on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return Set of AdminRole names are children {@link org.apache.directory.fortress.core.rbac.AdminRole}s of given parent.
+ */
+ static Set<String> getDescendants( String roleName, String contextId )
+ {
+ return HierUtil.getDescendants( roleName, getGraph( contextId ) );
+ }
+
+
+ /**
+ * Recursively traverse the hierarchical role graph and return all of the parents of a given child role.
+ * @param roleName maps to logical {@link org.apache.directory.fortress.core.rbac.AdminRole#name} on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return Set of AdminRole names that are descendants of given node.
+ */
+ public static Set<String> getAscendants( String roleName, String contextId )
+ {
+ return HierUtil.getAscendants( roleName, getGraph( contextId ) );
+ }
+
+
+ /**
+ * Traverse one level of the {@link org.apache.directory.fortress.core.rbac.AdminRole} graph and return all of the parents (direct ascendants) of a given parent {@link org.apache.directory.fortress.core.rbac.AdminRole#name}.
+ * @param roleName {@link org.apache.directory.fortress.core.rbac.AdminRole#name} maps on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return Set of AdminRole names are parents {@link org.apache.directory.fortress.core.rbac.AdminRole}s of given child.
+ */
+ static Set<String> getParents( String roleName, String contextId )
+ {
+ return HierUtil.getParents( roleName, getGraph( contextId ) );
+ }
+
+
+ /**
+ * Traverse one level of the hierarchical role graph and return all of the children (direct descendants) of a given parent role.
+ * @param roleName maps to logical {@link org.apache.directory.fortress.core.rbac.AdminRole#name} on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return Set of AdminRole names that are children of given parent.
+ */
+ public static Set<String> getChildren( String roleName, String contextId )
+ {
+ return HierUtil.getChildren( roleName, getGraph( contextId ) );
+ }
+
+
+ /**
+ * Return number of children (direct descendants) a given parent role has.
+ * @param roleName maps to logical {@link org.apache.directory.fortress.core.rbac.AdminRole#name} on 'ftRls' object class.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return int value contains the number of children of a given parent AdminRole.
+ */
+ static int numChildren( String roleName, String contextId )
+ {
+ return HierUtil.numChildren( roleName, getGraph( contextId ) );
+ }
+
+
+ /**
+ * Return Set of {@link org.apache.directory.fortress.core.rbac.AdminRole#name}s ascendants. Used by {@link org.apache.directory.fortress.core.rbac.dao.PermDAO#checkPermission}
+ * for computing authorized {@link UserAdminRole#name}s.
+ * @param uRoles contains list of adminRoles activated within a {@link org.apache.directory.fortress.core.rbac.User}'s {@link org.apache.directory.fortress.core.rbac.Session}.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return contains Set of all authorized adminRoles for a given User.
+ */
+ public static Set<String> getInheritedRoles( List<UserAdminRole> uRoles, String contextId )
+ {
+ // create Set with case insensitive comparator:
+ Set<String> iRoles = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+ if ( VUtil.isNotNullOrEmpty( uRoles ) )
+ {
+ for ( UserAdminRole uRole : uRoles )
+ {
+ String rleName = uRole.getName();
+ iRoles.add( rleName );
+ Set<String> parents = HierUtil.getAscendants( rleName, getGraph( contextId ) );
+ if ( VUtil.isNotNullOrEmpty( parents ) )
+ iRoles.addAll( parents );
+ }
+ }
+ return iRoles;
+ }
+
+
+ /**
+ * This api is used by {@link DelAdminMgrImpl} to determine parentage for Hierarchical ARBAC processing.
+ * It calls {@link HierUtil#validateRelationship(org.jgrapht.graph.SimpleDirectedGraph, String, String, boolean)} to evaluate three adminRole relationship expressions:
+ * <ol>
+ * <li>If child equals parent</li>
+ * <li>If mustExist true and parent-child relationship exists</li>
+ * <li>If mustExist false and parent-child relationship does not exist</li>
+ * </ol>
+ * Method will throw {@link org.apache.directory.fortress.core.ValidationException} if rule check fails meaning caller failed validation
+ * attempt to add/remove hierarchical relationship failed.
+ *
+ * @param childRole contains {@link org.apache.directory.fortress.core.rbac.AdminRole#name} of child.
+ * @param parentRole contains {@link org.apache.directory.fortress.core.rbac.AdminRole#name} of parent.
+ * @param mustExist boolean is used to specify if relationship must be true.
+ * @throws org.apache.directory.fortress.core.ValidationException in the event it fails one of the 3 checks.
+ */
+ static void validateRelationship( AdminRole childRole, AdminRole parentRole, boolean mustExist )
+ throws ValidationException
+ {
+ HierUtil.validateRelationship( getGraph( childRole.getContextId() ), childRole.getName(), parentRole.getName(),
+ mustExist );
+ }
+
+
+ /**
+ * This api allows synchronized access to allow updates to hierarchical relationships.
+ * Method will update the hierarchical data set and reload the JGraphT simple digraph with latest.
+ *
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @param relationship contains parent-child relationship targeted for addition.
+ * @param op used to pass the ldap op {@link org.apache.directory.fortress.core.rbac.Hier.Op#ADD}, {@link org.apache.directory.fortress.core.rbac.Hier.Op#MOD}, {@link org.apache.directory.fortress.core.rbac.Hier.Op#REM}
+ * @throws org.apache.directory.fortress.core.SecurityException in the event of a system error.
+ */
+ static void updateHier( String contextId, Relationship relationship, Hier.Op op ) throws SecurityException
+ {
+ HierUtil.updateHier( getGraph( contextId ), relationship, op );
+ }
+
+
+ /**
+ * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
+ * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
+ *
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return
+ */
+ private static SimpleDirectedGraph<String, Relationship> loadGraph( String contextId )
+ {
+ Hier inHier = new Hier( Hier.Type.ROLE );
+ inHier.setContextId( contextId );
+ LOG.info( "loadGraph initializing ADMIN ROLE context [" + inHier.getContextId() + "]" );
+ List<Graphable> descendants = null;
+ try
+ {
+ descendants = adminRoleP.getAllDescendants( inHier.getContextId() );
+ }
+ catch ( SecurityException se )
+ {
+ LOG.info( "loadGraph caught SecurityException={}", se );
+ }
+ Hier hier = HierUtil.loadHier( contextId, descendants );
+ SimpleDirectedGraph<String, Relationship> graph;
+ synchronized ( HierUtil.getLock( contextId, HierUtil.Type.ARLE ) )
+ {
+ graph = HierUtil.buildGraph( hier );
+ }
+ adminRoleCache.put( getKey( contextId ), graph );
+ return graph;
+ }
+
+
+ /**
+ * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
+ * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
+ *
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return
+ */
+ private static SimpleDirectedGraph<String, Relationship> getGraph( String contextId )
+ {
+ SimpleDirectedGraph<String, Relationship> graph = ( SimpleDirectedGraph<String, Relationship> ) adminRoleCache
+ .get( getKey( contextId ) );
+ if ( graph == null )
+ {
+ graph = loadGraph( contextId );
+ }
+ return graph;
+ }
+
+
+ /**
+ *
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return
+ */
+ private static String getKey( String contextId )
+ {
+ String key = HierUtil.Type.ARLE.toString();
+ if ( VUtil.isNotNullOrEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL ) )
+ {
+ key += ":" + contextId;
+ }
+ return key;
+ }
+}
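Review bot: `loadGraph` (lines 1231-1245) catches `SecurityException`, logs it at INFO, and then builds a graph from `descendants == null` and stores it in `adminRoleCache`, so a transient LDAP failure produces an empty AdminRole hierarchy that `getGraph` serves from the cache on every later call until something evicts it; because `getInheritedRoles` feeds `PermDAO#checkPermission`, authorization would then be computed against a hierarchy missing all inherited roles without any further signal. The failure should be logged as `LOG.error( "loadGraph caught SecurityException={}", se );` and the `adminRoleCache.put( getKey( contextId ), graph );` should only run when `getAllDescendants` succeeded (or the exception should be propagated as unchecked). `isParent` at line 1087 calls `parent.toUpperCase()` without a null check and without `Locale.ROOT`, which is presumably meant to match how `HierUtil` normalizes vertex names; confirm that and use `parent.toUpperCase( Locale.ROOT )`. `getGraph` also does its null check outside the lock taken in `loadGraph`, so concurrent first callers may each load and cache a graph, which looks like harmless duplicate work but is worth a comment.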
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
new file mode 100755
index 0000000..227ea9f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
@@ -0,0 +1,207 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.DelAccessMgr;
+import org.apache.directory.fortress.core.AuthorizationException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.DelAccessMgrFactory;
+
+/**
+ * This class supplies static wrapper utilities to provide ARBAC functionality to Fortress internal Manager APIs.
+ * The utilities within this class are all static and can not be called by code outside of Fortress.
+ * </p>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+final class AdminUtil
+{
+ private static final String CLS_NM = AdminUtil.class.getName();
+
+ /**
+ * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.User, org.apache.directory.fortress.core.rbac.Role)}.
+ * This will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-assign URA.
+ *
+ * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession.
+ * @param user Instantiated User entity requires only valid userId attribute set.
+ * @param role Instantiated Role entity requires only valid role name attribute set.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
+ */
+ static void canAssign(Session session, User user, Role role, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+ boolean result = dAccessMgr.canAssign(session, user, role);
+ if (!result)
+ {
+ String warning = "canAssign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
+ throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN, warning);
+ }
+ }
+ }
+
+ /**
+ * Wrapper function to call {@link DelAccessMgrImpl#canDeassign(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.User, org.apache.directory.fortress.core.rbac.Role)}.
+ *
+ * This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA). This adheres to the ARBAC02 functional specification for can-revoke URA.
+ *
+ * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession. * @param user Instantiated User entity requires only valid userId attribute set.
+ * @param user Instantiated User entity requires userId attribute set.
+ * @param role Instantiated Role entity requires only valid role name attribute set.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
+ */
+ static void canDeassign(Session session, User user, Role role, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+ boolean result = dAccessMgr.canDeassign(session, user, role);
+ if (!result)
+ {
+ String warning = "canDeassign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
+ throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_DEASSIGN, warning);
+
+ }
+ }
+ }
+
+ /**
+ * Wrapper function to call {@link DelAccessMgrImpl#canGrant(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.Role, Permission)}.
+ * This function will determine if the user contains an AdminRole that is authorized assignment control over
+ * Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-assign-p PRA.
+ *
+ * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession. * @param perm Instantiated Permission entity requires valid object name and operation name attributes set.
+ * @param role Instantiated Role entity requires only valid role name attribute set.
+ * @param perm Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @return boolean value true indicates access allowed.
+ * @throws SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
+ */
+ static void canGrant(Session session, Role role, Permission perm, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+ boolean result = dAccessMgr.canGrant(session, role, perm);
+ if (!result)
+ {
+ String warning = "canGrant Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
+ throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_GRANT, warning);
+ }
+ }
+ }
+
+ /**
+ * Wrapper function to call {@link DelAccessMgrImpl#canRevoke(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.Role, Permission)}.
+ *
+ * This function will determine if the user contains an AdminRole that is authorized revoke control over
+ * Permission-Role Assignment (PRA). This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
+ *
+ * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession. * @param perm Instantiated Permission entity requires valid object name and operation name attributes set.
+ * @param role Instantiated Role entity requires only valid role name attribute set.
+ * @param perm Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
+ */
+ static void canRevoke(Session session, Role role, Permission perm, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+ boolean result = dAccessMgr.canRevoke(session, role, perm);
+ if (!result)
+ {
+ String warning = "canRevoke Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
+ throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE, warning);
+ }
+ }
+ }
+
+ /**
+ * Method is called by Manager APIs to load contextual information on {@link FortEntity} and perform checkAccess on Administrative permission.
+ * </p>
+ * The information is used to
+ * <ol>
+ * <li>Load the administrative User's {@link Session} object into entity. This is used for checking to ensure administrator has privilege to perform administrative operation.</li>
+ * <li>Load the target operation's permission into the audit context. This is used for Fortress audit log stored in OpenLDAP</li>
+ * </ol>
+ *
+ * @param session object contains the {@link org.apache.directory.fortress.core.rbac.User}'s RBAC, {@link org.apache.directory.fortress.core.rbac.UserRole}, and Administrative Roles {@link UserAdminRole}.
+ * @param perm contains the permission object name, {@link Permission#objName}, and operation name, {@link Permission#opName}
+ * @param entity used to pass contextual information through Fortress layers for administrative security checks and audit.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws org.apache.directory.fortress.core.SecurityException in the event of system error.
+ */
+ static void setEntitySession(Session session, Permission perm, FortEntity entity, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ entity.setAdminSession(session);
+ entity.setModCode(getObjName(perm.getObjName()) + "." + perm.getOpName());
+ checkAccess(session, perm, contextId);
+ }
+ }
+
+ /**
+ * Wrapper function to call {@link DelAccessMgrImpl#checkAccess(org.apache.directory.fortress.core.rbac.Session, Permission)}.
+ * Perform user arbac authorization. This function returns a Boolean value meaning whether the subject of a given session is
+ * allowed or not to perform a given operation on a given object. The function is valid if and
+ * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+ * and the operation is a member of the OPS data set. The session's subject has the permission
+ * to perform the operation on that object if and only if that permission is assigned to (at least)
+ * one of the session's active roles. This implementation will verify the roles or userId correspond
+ * to the subject's active roles are registered in the object's access control list.
+ *
+ * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method. No variables need to be set by client after returned from createSession.
+ * @param perm object contains obj attribute which is a String and contains the name of the object user is trying to access;
+ * perm object contains operation attribute which is also a String and contains the operation name for the object.
+ * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+ * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+ */
+ static void checkAccess(Session session, Permission perm, String contextId) throws SecurityException
+ {
+ if (session != null)
+ {
+ DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+ boolean result = dAccessMgr.checkAccess(session, perm);
+ if (!result)
+ {
+ String info = "checkAccess failed for user [" + session.getUserId() + "] object [" + perm.getObjName() + "] operation [" + perm.getOpName() + "]";
+ throw new AuthorizationException(GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED, info);
+ }
+ }
+ }
+
+ /**
+ * Utility will parse a String containing objName.operationName and return the objName only.
+ *
+ * @param szObj contains raw data format.
+ * @return String containing objName.
+ */
+ static String getObjName(String szObj)
+ {
+ return szObj.substring(szObj.lastIndexOf('.') + 1);
+ }
+}
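Review bot: Every check in this class (`canAssign`, `canDeassign`, `canGrant`, `canRevoke`, `setEntitySession`, `checkAccess`) returns silently when `session` is null, so a caller that passes no administrative session gets no ARBAC check at all; that is presumably intentional for internal callers operating with delegated administration switched off, but none of the Javadoc says so. Add to each method (or to the class Javadoc) a sentence like `A null session skips the ARBAC check entirely; pass null only when delegated-admin enforcement is deliberately disabled for the caller.` `getObjName` (line 1496) returns the text after the last '.' via `szObj.substring(szObj.lastIndexOf('.') + 1)`, i.e. the trailing segment, not the objName the Javadoc describes; given its use in `setEntitySession` to build the modCode, the doc should say it strips a dotted prefix such as a package name. The `@return` tag on `canGrant` documents a value the `void` method never returns, and the session `@param` lines at 1360, 1386 and 1413 each have a second `@param` fused onto their end.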
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Administrator.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Administrator.java b/src/main/java/org/apache/directory/fortress/core/rbac/Administrator.java
new file mode 100755
index 0000000..2e723b3
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Administrator.java
@@ -0,0 +1,149 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import java.util.Set;
+
+/**
+ * This interface is used by Fortress admin role processing. It prescribes the APIs that are necessary for an Administrative
+ * Role entity to fullfill the ARBAC functionality.
+ * <p/>
+
+ *
+ * @author Shawn McKinney
+ */
+public interface Administrator
+{
+
+ /**
+ * Get a collection of optional Perm OU attributes that were stored on the AdminRole entity.
+ *
+ * @return List of type String containing Perm OU. This maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ public Set<String> getOsP();
+
+ /**
+ * Set a collection of optional Perm OU attributes to be stored on the AdminRole entity.
+ *
+ * @param osPs is a List of type String containing Perm OU. This maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ public void setOsP(Set<String> osPs);
+
+ /**
+ * Set a Perm OU attribute to be stored on the AdminRole entity.
+ *
+ * @param osP is a Perm OU that maps to 'ftOSP' attribute on 'ftPools' aux object class.
+ */
+ public void setOsP(String osP);
+
+ /**
+ * Get a collection of optional User OU attributes that were stored on the AdminRole entity.
+ *
+ * @return List of type String containing User OU. This maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ public Set<String> getOsU();
+
+ /**
+ * Set a collection of optional User OU attributes to be stored on the AdminRole entity.
+ *
+ * @param osUs is a List of type String containing User OU. This maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ public void setOsU(Set<String> osUs);
+
+ /**
+ * Set a User OU attribute to be stored on the AdminRole entity.
+ *
+ * @param osU is a User OU that maps to 'ftOSU' attribute on 'ftPools' aux object class.
+ */
+ public void setOsU(String osU);
+
+ /**
+ * Load the role range attributes given a raw format. This method is used internal to Fortress and is not intended
+ * to be used by external callers.
+ *
+ * @param szRaw maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ void setRoleRangeRaw(String szRaw);
+
+ /**
+ * Get the raw format for role range using current AdminRole entity attributes. This method is used internal to Fortress and is not intended
+ * to be used by external callers.
+ *
+ * @return String maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public String getRoleRangeRaw();
+
+ /**
+ * Return the begin Role range attribute for AdminRole entity.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public String getBeginRange();
+
+ /**
+ * Set the begin Role range attribute for AdminRole entity.
+ *
+ * @param beginRange maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public void setBeginRange(String beginRange);
+
+ /**
+ * Return the end Role range attribute for AdminRole entity.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public String getEndRange();
+
+ /**
+ * Set the end Role range attribute for AdminRole entity.
+ *
+ * @param endRange maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public void setEndRange(String endRange);
+
+ /**
+ * Set the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public boolean isBeginInclusive();
+
+ /**
+ * Get the begin inclusive which specifies if role range includes or excludes the 'beginRange' attribute.
+ *
+ * @param beginInclusive maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public void setBeginInclusive(boolean beginInclusive);
+
+ /**
+ * Set the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+ *
+ * @return String that maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public boolean isEndInclusive();
+
+ /**
+ * Get the end inclusive which specifies if role range includes or excludes the 'endRange' attribute.
+ *
+ * @param endInclusive maps to 'ftRange' attribute on 'ftPools' aux object class.
+ */
+ public void setEndInclusive(boolean endInclusive);
+}
+
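Review bot: The Javadoc on `isBeginInclusive` and `isEndInclusive` opens with "Set ..." while `setBeginInclusive` and `setEndInclusive` open with "Get ...", and both getters document `@return String` although they return `boolean`; swap the verbs and use `@return boolean, true if the role range includes the 'beginRange' attribute.` (and the same for `endRange`). `setRoleRangeRaw` at line 1589 is the only member without the redundant `public` modifier; interface members are implicitly public, so either drop the modifier everywhere or add it here for consistency. "fullfill" in the interface summary should be "fulfill".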
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AuditMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditMgrImpl.java
new file mode 100755
index 0000000..8b06405
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditMgrImpl.java
@@ -0,0 +1,259 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.AuditMgr;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.ReviewMgrFactory;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ReviewMgr;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.List;
+
+/**
+ * This object performs searches across <a href="http://www.openldap.org/">OpenLDAP</a>'s slapd access log. The access log events are
+ * persisted in <a href="http://www.oracle.com/technetwork/database/berkeleydb/overview/index.html">BDB</a> and available for inquiry via common LDAP protocols.
+ * Audit entries stored on behalf of Fortress operations correspond to runtime authentication {@link org.apache.directory.fortress.core.rbac.Bind}, authorization {@link org.apache.directory.fortress.core.rbac.AuthZ} and modification {@link org.apache.directory.fortress.core.rbac.Mod}
+ * events as they occur automatically on the server when audit is enabled.
+ * <h4>Audit Interrogator</h4>
+ * Provides an OpenLDAP access log retrieval mechanism that enables security event monitoring.
+ * <ol>
+ * <li>Authentication events:
+ * <li>Session enablement events
+ * <li>Authorization events
+ * <li>Entity mods and deletes
+ * </li>
+ * </ol>
+ * <img src="../doc-files/Audit.png">
+ * <p/>
+ * All events include Fortress context, see {@link org.apache.directory.fortress.core.rbac.FortEntity}.
+ * <p/>
+ * <h4>
+ * The following APIs generate events subsequently stored in this access log:
+ * </h4>
+ * <ul>
+ * <li> {@link org.apache.directory.fortress.core.AccessMgr}
+ * <li> {@link org.apache.directory.fortress.core.AdminMgr}
+ * <li> {@link org.apache.directory.fortress.core.AdminMgr}
+ * <li> {@link org.apache.directory.fortress.core.DelAdminMgr}
+ * <li> {@link org.apache.directory.fortress.core.cfg.ConfigMgr}
+ * <li> {@link org.apache.directory.fortress.core.PwPolicyMgr}
+ * </ul>
+ * <h4>
+ * The following reports are supported using search input: {@link org.apache.directory.fortress.core.rbac.UserAudit}
+ * </h4>
+ * <ul>
+ * <li>User Authentications: <code>List<{@link org.apache.directory.fortress.core.rbac.Bind}> {@link org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.rbac.UserAudit)}</code>
+ * <li>Invalid Users AuthN: <code>List<{@link org.apache.directory.fortress.core.rbac.Bind}> {@link org.apache.directory.fortress.core.AuditMgr#searchInvalidUsers(org.apache.directory.fortress.core.rbac.UserAudit)} </code>
+ * <li>User Authorizations 1: <code>List<{@link org.apache.directory.fortress.core.rbac.AuthZ}> {@link org.apache.directory.fortress.core.AuditMgr#getUserAuthZs(org.apache.directory.fortress.core.rbac.UserAudit)} </code>
+ * <li>User Authorizations 2: <code>List<{@link org.apache.directory.fortress.core.rbac.AuthZ}> {@link org.apache.directory.fortress.core.AuditMgr#searchAuthZs(org.apache.directory.fortress.core.rbac.UserAudit)} </code>
+ * <li>User Session Activations: <code>List<{@link org.apache.directory.fortress.core.rbac.Mod}> {@link org.apache.directory.fortress.core.AuditMgr#searchUserSessions(org.apache.directory.fortress.core.rbac.UserAudit)} </code>
+ * <li>Entity Modifications: <code>List<{@link org.apache.directory.fortress.core.rbac.Mod}> {@link org.apache.directory.fortress.core.AuditMgr#searchAdminMods(org.apache.directory.fortress.core.rbac.UserAudit)} </code>
+ * </ul>
+ * <p/>
+ * This class is NOT thread safe if parent instance variables ({@link #contextId} or {@link #adminSess}) are set.
+ *
+ * @author Shawn McKinney
+ */
+public class AuditMgrImpl extends Manageable implements AuditMgr
+{
+ private static final String CLS_NM = AuditMgrImpl.class.getName();
+ private static final AuditP auditP = new AuditP();
+
+ // package private constructor ensures outside classes cannot use:
+ AuditMgrImpl()
+ {}
+
+ /**
+ * This method returns a list of authorization events for a particular user {@link org.apache.directory.fortress.core.rbac.UserAudit#userId}
+ * and given timestamp field {@link org.apache.directory.fortress.core.rbac.UserAudit#beginDate}.<BR>
+ * Method also can discriminate between all events or failed only by setting {@link org.apache.directory.fortress.core.rbac.UserAudit#failedOnly}.
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAudit#userId} - contains the target userId</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAudit#beginDate} - contains the date in which to begin search</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserAudit#failedOnly} - if set to 'true', return only failed authorization events</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * if a runtime system error occurs.
+ */
+ @Override
+ public List<AuthZ> getUserAuthZs(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "getUserAuthZs";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ return auditP.getAuthZs(uAudit);
+ }
+
+
+ /**
+ * This method returns a list of authorization events for a particular user {@link UserAudit#userId},
+ * object {@link UserAudit#objName}, and given timestamp field {@link UserAudit#beginDate}.<BR>
+ * Method also can discriminate between all events or failed only by setting flag {@link UserAudit#failedOnly}..
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#userId} - contains the target userId<</li>
+ * <li>{@link UserAudit#objName} - contains the object (authorization resource) name</li>
+ * </ul>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#beginDate} - contains the date in which to begin search</li>
+ * <li>{@link UserAudit#failedOnly} - if set to 'true', return only failed authorization events</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one authorization event.
+ * @throws SecurityException if a runtime system error occurs.
+ */
+ @Override
+ public List<AuthZ> searchAuthZs(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "searchAuthZs";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ return auditP.searchAuthZs(uAudit);
+ }
+
+
+ /**
+ * This method returns a list of authentication audit events for a particular user {@link UserAudit#userId},
+ * and given timestamp field {@link UserAudit#beginDate}.<BR>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#userId} - contains the target userId<</li>
+ * <li>{@link UserAudit#beginDate} - contains the date in which to begin search</li>
+ * <li>{@link UserAudit#failedOnly} - if set to 'true', return only failed authorization events</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type Bind. Each Bind object contains one bind event.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * if a runtime system error occurs.
+ */
+ @Override
+ public List<Bind> searchBinds(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "searchBinds";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ return auditP.searchBinds(uAudit);
+ }
+
+ /**
+ * This method returns a list of sessions created for a given user {@link UserAudit#userId},
+ * and timestamp {@link UserAudit#beginDate}.<BR>
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#userId} - contains the target userId<</li>
+ * </ul>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#beginDate} - contains the date in which to begin search</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type Mod. Each Mod object in list corresponds to one update or delete event on directory.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * if a runtime system error occurs.
+ */
+ @Override
+ public List<Mod> searchUserSessions(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "searchUserSessions";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ return auditP.searchUserMods(uAudit);
+ }
+
+ /**
+ * This method returns a list of admin operations events for a particular entity {@link UserAudit#dn},
+ * object {@link UserAudit#objName} and timestamp {@link UserAudit#beginDate}. If the internal
+ * userId {@link UserAudit#internalUserId} is set it will limit search by that field.
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#dn} - contains the LDAP distinguished name for the updated object. For example if caller
+ * wants to find out what changes were made to John Doe's user object this would be 'uid=jdoe,ou=People,dc=example,dc=com'</li>
+ * <li>{@link UserAudit#objName} - contains the object (authorization resource) name corresponding to the event. For example if caller
+ * wants to return events where User object was modified, this would be 'updateUser'</li>
+ * <li>{@link UserAudit#internalUserId} - maps to the internalUserId of user who changed the record in LDAP. This maps to {@link org.apache.directory.fortress.core.rbac.User#internalId}.</li>
+ * <li>{@link UserAudit#beginDate} - contains the date in which to begin search</li>
+ * <li>{@link UserAudit#endDate} - contains the date in which to end search</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type Mod. Each Mod object in list corresponds to one update or delete event on directory.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * if a runtime system error occurs.
+ */
+ @Override
+ public List<Mod> searchAdminMods(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "searchAdminMods";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ if (VUtil.isNotNullOrEmpty(uAudit.getUserId()))
+ {
+ ReviewMgr rMgr = ReviewMgrFactory.createInstance(this.contextId);
+ User user = rMgr.readUser(new User(uAudit.getUserId()));
+ uAudit.setInternalUserId(user.getInternalId());
+ }
+ return auditP.searchAdminMods(uAudit);
+ }
+
+
+ /**
+ * This method returns a list of failed authentication events for a particular invalid user {@link UserAudit#userId},
+ * and given timestamp {@link UserAudit#beginDate}. If the {@link UserAudit#failedOnly} is true it will
+ * return only authentication attempts made with invalid userId.
+ * </p>
+ * This is possible because Fortress performs read on user before the bind.
+ * </p>
+ * <h4>optional parameters</h4>
+ * <ul>
+ * <li>{@link UserAudit#userId} - contains the target userId</li>
+ * <li>{@link UserAudit#beginDate} - contains the date in which to begin search</li>
+ * <li>{@link UserAudit#failedOnly} - if set to 'true', return only failed authorization events</li>
+ * </ul>
+ *
+ * @param uAudit This entity is instantiated and populated before invocation.
+ * @return a List of objects of type AuthZ. Each AuthZ object contains one failed authentication event.
+ * @throws org.apache.directory.fortress.core.SecurityException
+ * if a runtime system error occurs.
+ */
+ @Override
+ public List<AuthZ> searchInvalidUsers(UserAudit uAudit)
+ throws SecurityException
+ {
+ String methodName = "searchInvalidUsers";
+ assertContext(CLS_NM, methodName, uAudit, GlobalErrIds.AUDT_INPUT_NULL);
+ checkAccess(CLS_NM, methodName);
+ return auditP.searchInvalidAuthNs(uAudit);
+ }
+}
\ No newline at end of file
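Review bot: In `searchAdminMods` the `ReviewMgr` obtained from `ReviewMgrFactory.createInstance(this.contextId)` is never given `this.adminSess`, so the `readUser` lookup runs outside the delegated-admin context that `checkAccess(CLS_NM, methodName)` just validated for the caller. If `ReviewMgr.readUser` applies its own ARBAC check (not visible here) that lookup will either fail for every delegated admin or execute unscoped, so it is worth confirming and, if needed, handing the new manager the admin session before the `readUser` call. The method's Javadoc also omits `UserAudit#userId` from the parameter list even though the body consumes it and silently overwrites any `internalUserId` the caller supplied; suggest adding `* <li>{@link UserAudit#userId} - if set, resolved via ReviewMgr.readUser and overrides {@link UserAudit#internalUserId}</li>`. The `@throws` text should likewise note that an unknown userId presumably surfaces as a SecurityException from that lookup rather than as an empty result, since readUser's failure mode is not shown in this hunk.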