Posted to commits@directory.apache.org by sm...@apache.org on 2018/10/24 13:26:43 UTC
directory-fortress-enmasse git commit: FC-249 - New API isUserInRole
in AccessMgr
Repository: directory-fortress-enmasse
Updated Branches:
refs/heads/master 9b7057d60 -> 3cd213617
FC-249 - New API isUserInRole in AccessMgr
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/commit/3cd21361
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/tree/3cd21361
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/diff/3cd21361
Branch: refs/heads/master
Commit: 3cd213617259e8c6d8345416f79678a3095ba08b
Parents: 9b7057d
Author: Shawn McKinney <sm...@apache.org>
Authored: Tue Oct 23 11:14:13 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Tue Oct 23 11:14:13 2018 -0500
----------------------------------------------------------------------
.../directory/fortress/rest/AccessMgrImpl.java | 28 ++++++
.../fortress/rest/FortressService.java | 95 ++++++++++++++++++--
.../fortress/rest/FortressServiceImpl.java | 13 +++
3 files changed, 128 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
index c695e5e..b451741 100644
--- a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
@@ -207,6 +207,34 @@ class AccessMgrImpl extends AbstractMgrImpl
}
+ /**
+ * Perform user ROLE check.
+ *
+ * @param request The {@link FortRequest} we have to check
+ * @return a {@link FortResponse} containing the response
+ */
+ /* no qualifier*/ FortResponse isUserInRole( FortRequest request )
+ {
+ FortResponse response = createResponse();
+
+ try
+ {
+ AccessMgr accessMgr = AccessMgrFactory.createInstance( request.getContextId() );
+ Role role = (Role)request.getEntity();
+ User user = (User) request.getEntity2();
+ boolean isTrusted = request.getIsFlag();
+ boolean result = accessMgr.isUserInRole( user, role, isTrusted );
+ response.setAuthorized( result );
+ }
+ catch ( SecurityException se )
+ {
+ createError( response, LOG, se );
+ }
+
+ return response;
+ }
+
+
/* No qualifier */ FortResponse sessionPermissions( FortRequest request )
{
FortResponse response = createResponse();
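Review bot: The casts on `Role role = (Role)request.getEntity();` and `User user = (User) request.getEntity2();` throw ClassCastException when a caller posts a request carrying a different entity type, and the catch below only converts SecurityException into an error response, so a malformed request presumably escapes the method as an unhandled exception rather than being reported through the response the way the SecurityException path is. An `instanceof` check on both entities before the casts would let the method report the bad request via `createError` instead. The Javadoc should also spell out the contract the body relies on, e.g. `* Expects {@link FortRequest#entity} to be a {@link Role}, {@link FortRequest#entity2} a {@link User}; when {@link FortRequest#isFlag} is true the user's password is not checked.`. The sessionPermissions method the hunk ends on continues outside it.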
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/FortressService.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressService.java b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
index 55c496d..a36608a 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressService.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
@@ -4006,13 +4006,13 @@ public interface FortressService
/**
- * Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given
- * session is allowed or not to perform a given operation on a given object. The function is valid if and
- * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
- * and the operation is a member of the OPS data set. The session's subject has the permission
+ * Combine createSession and checkAccess into a single method.
+ * This function returns a Boolean value meaning whether the User is allowed or not to perform a given operation on a given object.
+ * The function is valid if and only if the user is a valid Fortress user, the object is a member of the OBJS data set,
+ * and the operation is a member of the OPS data set. The user has the permission
* to perform the operation on that object if and only if that permission is assigned to (at least)
* one of the session's active roles. This implementation will verify the roles or userId correspond
- * to the subject's active roles are registered in the object's access control list.
+ * to the user's active roles are registered in the object's access control list.
* <h3></h3>
* <h4>required parameters</h4>
* <ul>
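Review bot: The rewritten paragraph switches the wording from "session" to "user", but the unchanged line `* one of the session's active roles. This implementation will verify the roles or userId correspond` still refers to a session, which the updated parameter list below no longer accepts as input; `* one of the user's active roles. This implementation will verify the roles or userId correspond` keeps the description consistent with the rest of the edit. The enclosing Javadoc block continues into the next hunk.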
@@ -4021,8 +4021,10 @@ public interface FortressService
* entity
* </li>
* <li>
- * {@link FortRequest#session} - contains a reference to User's RBAC session that is created by calling
- * {@link FortressServiceImpl#createSession} method before use in this service.
+ * {@link FortRequest#entity2} - contains a reference to User object containing userId.
+ * </li>
+ * <li>
+ * {@link FortRequest#isFlag} - boolean value if true, password check will not be performed.
* </li>
* </ul>
* <ul style="list-style-type:none">
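Review bot: The new bullet `{@link FortRequest#isFlag} - boolean value if true, password check will not be performed.` states what the flag does but not what it implies: with the flag set the service answers for a user whose identity was never verified here, so the result is only as trustworthy as the caller, which is presumably why the isUserInRole endpoint in FortressServiceImpl is restricted with @RolesAllowed. Suggest extending the bullet to `{@link FortRequest#isFlag} - boolean value if true, password check will not be performed; the caller vouches for the user's identity and must itself be authenticated.`. The same bullet appears again in the isUserInRole Javadoc added in the next hunk and should change there too.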
@@ -4041,18 +4043,95 @@ public interface FortressService
* </li>
* </ul>
* </li>
+ * <li>
+ * <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
+ * <ul>
+ * <li>{@link org.apache.directory.fortress.core.model.User#userId} - maps to INetOrgPerson uid</li>
+ * <li>{@link org.apache.directory.fortress.core.model.User#password} - used to authenticate the User</li>
+ * </ul>
+ * <h5>User optional parameters</h5>
+ * <ul>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring attribute contains the
+ * names of assigned RBAC roles targeted for activation into Session.
+ * </li>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.User#props} collection of name value pairs collected on
+ * behalf of User during signon. For example locale:east
+ * </li>
+ * </ul>
+ * </li>
* </ul>
* </li>
* </ul>
*
* @param request contains a reference to {@code FortRequest}
* @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
- * authorized, otherwise 'false'. Updated {@link FortResponse#session} will be included in response as well.
+ * authorized, otherwise 'false'.
*/
FortResponse createSessionCheckAccess( FortRequest request );
/**
+ * Combine createSession and a role check into a single method.
+ * This function returns a Boolean value meaning whether the User has a particular role.
+ * The function is valid if and only if the user is a valid Fortress user and the role is a member of the ROLES data set.
+ * <h3></h3>
+ * <h4>required parameters</h4>
+ * <ul>
+ * <li>
+ * {@link FortRequest#entity} - contains a reference to {@link org.apache.directory.fortress.core.model.Role}
+ * entity
+ * </li>
+ * <li>
+ * {@link FortRequest#entity2} - contains a reference to User object containing userId.
+ * </li>
+ * <li>
+ * {@link FortRequest#isFlag} - boolean value if true, password check will not be performed.
+ * </li>
+ * </ul>
+ * <ul style="list-style-type:none">
+ * <li>
+ * <ul style="list-style-type:none">
+ * <li>
+ * <h5>{@link org.apache.directory.fortress.core.model.Role} required parameters</h5>
+ * <ul>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.Role#name} - contains the name of existing
+ * role being targeted for check.
+ * </li>
+ * </ul>
+ * </li>
+ * <li>
+ * <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
+ * <ul>
+ * <li>{@link org.apache.directory.fortress.core.model.User#userId} - maps to INetOrgPerson uid</li>
+ * <li>{@link org.apache.directory.fortress.core.model.User#password} - used to authenticate the User</li>
+ * </ul>
+ * <h5>User optional parameters</h5>
+ * <ul>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring attribute contains the
+ * names of assigned RBAC roles targeted for activation into Session.
+ * </li>
+ * <li>
+ * {@link org.apache.directory.fortress.core.model.User#props} collection of name value pairs collected on
+ * behalf of User during signon. For example locale:east
+ * </li>
+ * </ul>
+ * </li>
+ * </ul>
+ * </li>
+ * </ul>
+ *
+ * @param request contains a reference to {@code FortRequest}
+ * @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
+ * authorized, otherwise 'false'..
+ */
+ FortResponse isUserInRole( FortRequest request );
+
+
+ /**
* This function returns the permissions of the session, i.e., the permissions assigned
* to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
* <h3></h3>
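Review bot: The `@return` text on the new isUserInRole Javadoc was carried over from createSessionCheckAccess: it says the flag is 'true' if the User is "authorized" and ends in a doubled period, `otherwise 'false'..`; for a role check it should read `* @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if the User is in the role, otherwise 'false'.`. The bullet `{@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring attribute contains the` carries a stray ` *` after the link, both here and in the copy added above for createSessionCheckAccess. The Javadoc for sessionPermissions that the hunk ends on continues outside it.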
http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
index 3e0fe8e..1cd57b0 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
@@ -1248,6 +1248,19 @@ public class FortressServiceImpl implements FortressService
* {@inheritDoc}
*/
@POST
+ @Path("/" + HttpIds.RBAC_CHECK_ROLE + "/")
+ @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
+ @Override
+ public FortResponse isUserInRole( FortRequest request )
+ {
+ return accessMgrImpl.isUserInRole( request );
+ }
+
+
+ /**
+ * {@inheritDoc}
+ */
+ @POST
@Path("/" + HttpIds.RBAC_PERMS + "/")
@RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
@Override
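Review bot: `@Path("/" + HttpIds.RBAC_CHECK_ROLE + "/")` references a constant in HttpIds, but the diffstat lists only AccessMgrImpl, FortressService and FortressServiceImpl, so unless RBAC_CHECK_ROLE already exists in HttpIds this commit does not compile; worth confirming it was introduced in an earlier commit. The new method is a plain delegation to accessMgrImpl and `{@inheritDoc}` is adequate for it. The sessionPermissions declaration the hunk ends on continues outside it.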