You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 17:44:29 UTC
[10/51] [partial] Rename packages from org.openldap.fortress to
org.apache.directory.fortress.core. Change default suffix to org.apache.
Switch default ldap api from unbound to apache ldap.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
new file mode 100755
index 0000000..2c953e1
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
@@ -0,0 +1,2365 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac.dao.unboundid;
+
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.PasswordException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
+import org.apache.directory.fortress.core.ldap.openldap.OLPWControlImpl;
+import org.apache.directory.fortress.core.rbac.Address;
+import org.apache.directory.fortress.core.rbac.AdminRole;
+import org.apache.directory.fortress.core.rbac.GlobalPwMsgIds;
+import org.apache.directory.fortress.core.rbac.OrgUnit;
+import org.apache.directory.fortress.core.rbac.PwMessage;
+import org.apache.directory.fortress.core.rbac.PwPolicyControl;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.RoleUtil;
+import org.apache.directory.fortress.core.rbac.Session;
+import org.apache.directory.fortress.core.rbac.User;
+import org.apache.directory.fortress.core.rbac.UserAdminRole;
+import org.apache.directory.fortress.core.rbac.UserRole;
+import org.apache.directory.fortress.core.rbac.Warning;
+import org.apache.directory.fortress.core.util.attr.AttrHelper;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
+import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
+
+
+/**
+ * Data access class for LDAP User entity.
+ * <p/>
+ * <p/>
+ * The Fortress User LDAP schema follows:
+ * <p/>
+ * <h4>1. InetOrgPerson Structural Object Class </h4>
+ * <code># The inetOrgPerson represents people who are associated with an</code><br />
+ * <code># organization in some way. It is a structural class and is derived</code><br />
+ * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
+ * <ul>
+ * <li> ------------------------------------------
+ * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
+ * <li> <code>NAME 'inetOrgPerson'</code>
+ * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
+ * <li> <code>SUP organizationalPerson</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
+ * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
+ * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
+ * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
+ * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
+ * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
+ * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li> ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
+ * <ul>
+ * <li> ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
+ * <li> <code>NAME 'ftUserAttrs'</code>
+ * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( ftId )</code>
+ * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ * @created August 30, 2009
+ */
+public final class UserDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.UserDAO
+{
+ private static final String CLS_NM = UserDAO.class.getName();
+ private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+ private static PwPolicyControl pwControl;
+
+ /**
+ * Initialize the OpenLDAP Pw Policy validator.
+ */
+ static
+ {
+ if ( GlobalIds.IS_OPENLDAP )
+ {
+ pwControl = new OLPWControlImpl();
+ }
+ }
+
+ /*
+ * *************************************************************************
+ * ** OpenAccessMgr USERS STATICS
+ * ************************************************************************
+ */
+ private static final String USERS_AUX_OBJECT_CLASS_NAME = "ftUserAttrs";
+ private static final String ORGANIZATIONAL_PERSON_OBJECT_CLASS_NAME = "organizationalPerson";
+ private static final String USER_OBJECT_CLASS = "user.objectclass";
+ private static final String USERS_EXTENSIBLE_OBJECT = "extensibleObject";
+
+ // The Fortress User entity attributes are stored within standard LDAP object classes along with custom auxiliary object classes:
+ private static final String USER_OBJ_CLASS[] =
+ {
+ GlobalIds.TOP,
+ Config.getProperty( USER_OBJECT_CLASS ),
+ USERS_AUX_OBJECT_CLASS_NAME,
+ GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+ GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME,
+ USERS_EXTENSIBLE_OBJECT
+ };
+
+ private static final String objectClassImpl = Config.getProperty( USER_OBJECT_CLASS );
+ private static final String SN = "sn";
+ private static final String PW = "userpassword";
+ private static final String SYSTEM_USER = "ftSystem";
+
+ /**
+ * Constant contains the locale attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String L = "l";
+
+ /**
+ * Constant contains the postal address attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String POSTAL_ADDRESS = "postalAddress";
+
+ /**
+ * Constant contains the state attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String STATE = "st";
+
+ /**
+ * Constant contains the postal code attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String POSTAL_CODE = "postalCode";
+
+ /**
+ * Constant contains the post office box attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String POST_OFFICE_BOX = "postOfficeBox";
+
+ /**
+ * Constant contains the country attribute name used within organizationalPerson ldap object classes.
+ */
+ private static final String COUNTRY = "c";
+
+ /**
+ * Constant contains the attribute name used within inetorgperson ldap object classes.
+ */
+ private static final String PHYSICAL_DELIVERY_OFFICE_NAME = "physicalDeliveryOfficeName";
+
+ /**
+ * Constant contains the attribute name used within inetorgperson ldap object classes.
+ */
+ private static final String DEPARTMENT_NUMBER = "departmentNumber";
+
+ /**
+ * Constant contains the attribute name used within inetorgperson ldap object classes.
+ */
+ private static final String ROOM_NUMBER = "roomNumber";
+
+ /**
+ * Constant contains the mobile attribute values used within iNetOrgPerson ldap object classes.
+ */
+ private static final String MOBILE = "mobile";
+
+ /**
+ * Constant contains the telephone attribute values used within organizationalPerson ldap object classes.
+ */
+ private static final String TELEPHONE_NUMBER = "telephoneNumber";
+
+ /**
+ * Constant contains the attribute name for jpeg images to be stored within inetorgperson ldap object classes.
+ */
+ private static final String JPEGPHOTO = "jpegPhoto";
+
+ /**
+ * Constant contains the email attribute values used within iNetOrgPerson ldap object classes.
+ */
+ private static final String MAIL = "mail";
+ private static final String DISPLAY_NAME = "displayName";
+ private static final String TITLE = "title";
+ private static final String EMPLOYEE_TYPE = "employeeType";
+
+ private static final String OPENLDAP_POLICY_SUBENTRY = "pwdPolicySubentry";
+ private static final String OPENLDAP_PW_RESET = "pwdReset";
+ private static final String OPENLDAP_PW_LOCKED_TIME = "pwdAccountLockedTime";
+ private static final String OPENLDAP_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
+ private static final String LOCK_VALUE = "000001010000Z";
+ private static final String[] USERID =
+ { GlobalIds.UID };
+ private static final String[] ROLES =
+ { GlobalIds.USER_ROLE_ASSIGN };
+
+ private static final String[] USERID_ATRS =
+ {
+ GlobalIds.UID
+ };
+
+ // This smaller result set of attributes are needed for user validation and authentication operations.
+ private static final String[] AUTHN_ATRS =
+ {
+ GlobalIds.FT_IID,
+ GlobalIds.UID, PW,
+ GlobalIds.DESC,
+ GlobalIds.OU, GlobalIds.CN,
+ SN,
+ GlobalIds.CONSTRAINT,
+ GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+ GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+ GlobalIds.PROPS
+ };
+
+ // This default set of attributes contains all and is used for search operations.
+ private static final String[] DEFAULT_ATRS =
+ {
+ GlobalIds.FT_IID,
+ GlobalIds.UID, PW,
+ GlobalIds.DESC,
+ GlobalIds.OU,
+ GlobalIds.CN,
+ SN,
+ GlobalIds.USER_ROLE_DATA,
+ GlobalIds.CONSTRAINT,
+ GlobalIds.USER_ROLE_ASSIGN,
+ GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+ GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+ GlobalIds.IS_OPENLDAP ? OPENLDAP_POLICY_SUBENTRY : null,
+ GlobalIds.PROPS,
+ GlobalIds.USER_ADMINROLE_ASSIGN,
+ GlobalIds.USER_ADMINROLE_DATA,
+ POSTAL_ADDRESS,
+ L,
+ POSTAL_CODE,
+ POST_OFFICE_BOX,
+ STATE,
+ PHYSICAL_DELIVERY_OFFICE_NAME,
+ DEPARTMENT_NUMBER,
+ ROOM_NUMBER,
+ TELEPHONE_NUMBER,
+ MOBILE,
+ MAIL,
+ EMPLOYEE_TYPE,
+ TITLE,
+ SYSTEM_USER,
+ DISPLAY_NAME,
+ JPEGPHOTO
+ };
+
+ private static final String[] ROLE_ATR =
+ {
+ GlobalIds.USER_ROLE_DATA
+ };
+
+ private static final String[] AROLE_ATR =
+ {
+ GlobalIds.USER_ADMINROLE_DATA
+ };
+
+
+ /**
+ * @param entity
+ * @return
+ * @throws CreateException
+ *
+ */
+ public final User create( User entity )
+ throws CreateException
+ {
+ LDAPConnection ld = null;
+
+ try
+ {
+ LDAPAttributeSet attrs = new LDAPAttributeSet();
+ attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, USER_OBJ_CLASS ) );
+
+ entity.setInternalId();
+ attrs.add( createAttribute( GlobalIds.FT_IID, entity.getInternalId() ) );
+ attrs.add( createAttribute( GlobalIds.UID, entity.getUserId() ) );
+
+ // CN is required on inetOrgPerson object class, if caller did not set, use the userId:
+ if ( !VUtil.isNotNullOrEmpty( entity.getCn() ) )
+ {
+ entity.setCn( entity.getUserId() );
+ }
+
+ attrs.add( createAttribute( GlobalIds.CN, entity.getCn() ) );
+
+ // SN is required on inetOrgPerson object class, if caller did not set, use the userId:
+ if ( !VUtil.isNotNullOrEmpty( entity.getSn() ) )
+ {
+ entity.setSn( entity.getUserId() );
+ }
+
+ attrs.add( createAttribute( SN, entity.getSn() ) );
+
+ // guard against npe
+ attrs.add( createAttribute( PW,
+ VUtil.isNotNullOrEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String(
+ new char[]
+ {} ) ) );
+
+ if ( VUtil.isNotNullOrEmpty( entity.getDisplayName() ) )
+ {
+ attrs.add( createAttribute( DISPLAY_NAME, entity.getDisplayName() ) );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+ {
+ attrs.add( createAttribute( TITLE, entity.getTitle() ) );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+ {
+ attrs.add( createAttribute( EMPLOYEE_TYPE, entity.getEmployeeType() ) );
+ }
+
+ // These are multi-valued attributes, use the util function to load:
+ // These items are optional. The utility function will return quietly if no items are loaded into collection:
+ loadAttrs( entity.getPhones(), attrs, TELEPHONE_NUMBER );
+ loadAttrs( entity.getMobiles(), attrs, MOBILE );
+ loadAttrs( entity.getEmails(), attrs, MAIL );
+
+ // The following attributes are optional:
+ if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+ {
+ attrs.add( createAttribute( SYSTEM_USER, entity.isSystem().toString().toUpperCase() ) );
+ }
+ if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+ {
+ String dn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+ + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+ attrs.add( createAttribute( OPENLDAP_POLICY_SUBENTRY, dn ) );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+ {
+ attrs.add( createAttribute( GlobalIds.OU, entity.getOu() ) );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+ {
+ attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
+ }
+
+ // props are optional as well:
+ // Add "initial" property here.
+ entity.addProperty( "init", "" );
+ loadProperties( entity.getProperties(), attrs, GlobalIds.PROPS );
+ // map the userid to the name field in constraint:
+ entity.setName( entity.getUserId() );
+ attrs.add( createAttribute( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ) );
+ loadAddress( entity.getAddress(), attrs );
+ if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+ {
+ attrs.add( new LDAPAttribute( JPEGPHOTO, entity.getJpegPhoto() ) );
+ }
+
+ String dn = getDn( entity.getUserId(), entity.getContextId() );
+
+ LDAPEntry myEntry = new LDAPEntry( dn, attrs );
+ ld = getAdminConnection();
+ add( ld, myEntry, entity );
+ entity.setDn( dn );
+ }
+ catch ( LDAPException e )
+ {
+ String error = "create userId [" + entity.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new CreateException( GlobalErrIds.USER_ADD_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+ return entity;
+ }
+
+
+ /**
+ * @param entity
+ * @return
+ * @throws UpdateException
+ */
+ public final User update( User entity )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+
+ if ( VUtil.isNotNullOrEmpty( entity.getCn() ) )
+ {
+ LDAPAttribute cn = new LDAPAttribute( GlobalIds.CN, entity.getCn() );
+ mods.add( LDAPModification.REPLACE, cn );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getSn() ) )
+ {
+ LDAPAttribute sn = new LDAPAttribute( SN, entity.getSn() );
+ mods.add( LDAPModification.REPLACE, sn );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+ {
+ LDAPAttribute ou = new LDAPAttribute( GlobalIds.OU, entity.getOu() );
+ mods.add( LDAPModification.REPLACE, ou );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getPassword() ) )
+ {
+ LDAPAttribute pw = new LDAPAttribute( PW, new String( entity.getPassword() ) );
+ mods.add( LDAPModification.REPLACE, pw );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+ {
+ LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC,
+ entity.getDescription() );
+ mods.add( LDAPModification.REPLACE, desc );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+ {
+ LDAPAttribute employeeType = new LDAPAttribute( EMPLOYEE_TYPE, entity.getEmployeeType() );
+ mods.add( LDAPModification.REPLACE, employeeType );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+ {
+ LDAPAttribute title = new LDAPAttribute( TITLE, entity.getTitle() );
+ mods.add( LDAPModification.REPLACE, title );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getDisplayName() ) )
+ {
+ LDAPAttribute name = new LDAPAttribute( DISPLAY_NAME, entity.getDisplayName() );
+ mods.add( LDAPModification.REPLACE, name );
+ }
+
+ if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+ {
+ String szDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+ + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+ LDAPAttribute dn = new LDAPAttribute( OPENLDAP_POLICY_SUBENTRY, szDn );
+ mods.add( LDAPModification.REPLACE, dn );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+ {
+ LDAPAttribute system = new LDAPAttribute( SYSTEM_USER, entity.isSystem().toString().toUpperCase() );
+ mods.add( LDAPModification.REPLACE, system );
+ }
+
+ if ( entity.isTemporalSet() )
+ {
+ // map the userid to the name field in constraint:
+ entity.setName( entity.getUserId() );
+ String szRawData = CUtil.setConstraint( entity );
+
+ if ( VUtil.isNotNullOrEmpty( szRawData ) )
+ {
+ LDAPAttribute constraint = new LDAPAttribute( GlobalIds.CONSTRAINT, szRawData );
+ mods.add( LDAPModification.REPLACE, constraint );
+ }
+ }
+
+ if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+ {
+ loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
+ }
+
+ loadAddress( entity.getAddress(), mods );
+ // These are multi-valued attributes, use the util function to load:
+ loadAttrs( entity.getPhones(), mods, TELEPHONE_NUMBER );
+ loadAttrs( entity.getMobiles(), mods, MOBILE );
+ loadAttrs( entity.getEmails(), mods, MAIL );
+ if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+ {
+ mods.add( LDAPModification.REPLACE, new LDAPAttribute( JPEGPHOTO, entity.getJpegPhoto() ) );
+ }
+
+ if ( mods.size() > 0 )
+ {
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, entity );
+ entity.setDn( userDn );
+ }
+
+ entity.setDn( userDn );
+ }
+ catch ( LDAPException e )
+ {
+ String error = "update userId [" + entity.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return entity;
+ }
+
+
+ /**
+ * @param entity
+ * @param replace
+ * @return
+ * @throws UpdateException
+ */
+ public final User updateProps( User entity, boolean replace )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+
+ if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+ {
+ loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, replace );
+ }
+
+ if ( mods.size() > 0 )
+ {
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, entity );
+ entity.setDn( userDn );
+ }
+
+ entity.setDn( userDn );
+ }
+ catch ( LDAPException e )
+ {
+ String error = "updateProps userId [" + entity.getUserId() + "] isReplace [" + replace
+ + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return entity;
+ }
+
+
+ /**
+ * @param user
+ * @throws RemoveException
+ */
+ public final String remove( User user )
+ throws RemoveException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ ld = getAdminConnection();
+ delete( ld, userDn, user );
+ }
+ catch ( LDAPException e )
+ {
+ String error = "remove userId [" + user.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new RemoveException( GlobalErrIds.USER_DELETE_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param user
+ * @throws org.apache.directory.fortress.core.UpdateException
+ *
+ */
+ public final void lock( User user )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute pwdAccoutLock = new LDAPAttribute( OPENLDAP_PW_LOCKED_TIME, LOCK_VALUE );
+ mods.add( LDAPModification.REPLACE, pwdAccoutLock );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, user );
+ }
+ catch ( LDAPException e )
+ {
+ String error = "lock user [" + user.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_PW_LOCK_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+ }
+
+
+ /**
+ * @param user
+ * @throws UpdateException
+ *
+ */
+ public final void unlock( User user )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ //ld = getAdminConnection();
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute pwdlockedTime = new LDAPAttribute( OPENLDAP_PW_LOCKED_TIME );
+ mods.add( LDAPModification.DELETE, pwdlockedTime );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, user );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_ATTRIBUTE )
+ {
+ LOG.info( "unlock user [" + user.getUserId() + "] no such attribute:"
+ + OPENLDAP_ACCOUNT_LOCKED_TIME );
+ }
+ else
+ {
+ String error = "unlock user [" + user.getUserId() + "] caught LDAPException= "
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_PW_UNLOCK_FAILED, error, e );
+ }
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws org.apache.directory.fortress.core.FinderException
+ *
+ */
+ public final User getUser( User user, boolean isRoles )
+ throws FinderException
+ {
+ User entity = null;
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ String[] uATTRS;
+ // Retrieve role attributes?
+
+ if ( isRoles )
+ {
+ // Retrieve the User's assigned RBAC and Admin Role attributes from directory.
+ uATTRS = DEFAULT_ATRS;
+
+ }
+ else
+ {
+ // Do not retrieve the User's assigned RBAC and Admin Role attributes from directory.
+ uATTRS = AUTHN_ATRS;
+ }
+
+ LDAPEntry findEntry = null;
+
+ try
+ {
+ ld = getAdminConnection();
+ findEntry = read( ld, userDn, uATTRS );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
+ {
+ String warning = "getUser COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ String error = "getUser [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
+ + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ entity = unloadLdapEntry( findEntry, 0, user.getContextId() );
+
+ if ( entity == null )
+ {
+ String warning = "getUser userId [" + user.getUserId() + "] not found, Fortress rc="
+ + GlobalErrIds.USER_NOT_FOUND;
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ return entity;
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws org.apache.directory.fortress.core.FinderException
+ */
+ public final List<UserAdminRole> getUserAdminRoles( User user )
+ throws FinderException
+ {
+ List<UserAdminRole> roles = null;
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ ld = getAdminConnection();
+ LDAPEntry findEntry = read( ld, userDn, AROLE_ATR );
+ roles = unloadUserAdminRoles( findEntry, user.getUserId(), user.getContextId() );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
+ {
+ String warning = "getUserAdminRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ String error = "getUserAdminRoles [" + userDn + "]= caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return roles;
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws org.apache.directory.fortress.core.FinderException
+ *
+ */
+ public final List<String> getRoles( User user )
+ throws FinderException
+ {
+ List<String> roles = null;
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ ld = getAdminConnection();
+ LDAPEntry findEntry = read( ld, userDn, ROLES );
+
+ if ( findEntry == null )
+ {
+ String warning = "getRoles userId [" + user.getUserId() + "] not found, Fortress rc="
+ + GlobalErrIds.USER_NOT_FOUND;
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ roles = getAttributes( findEntry, GlobalIds.USER_ROLE_ASSIGN );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
+ {
+ String warning = "getRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ String error = "getRoles [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
+ + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return roles;
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws org.apache.directory.fortress.core.FinderException
+ *
+ * @throws org.apache.directory.fortress.core.SecurityException
+ */
+ public final Session checkPassword( User user ) throws FinderException
+ {
+ Session session = null;
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ session = new ObjectFactory().createSession();
+ session.setUserId( user.getUserId() );
+ ld = getUserConnection();
+ boolean result = bind( ld, userDn, user.getPassword() );
+
+ if ( result )
+ {
+ // check openldap password policies here
+ checkPwPolicies( ld, session );
+
+ if ( session.getErrorId() == 0 )
+ {
+ session.setAuthenticated( true );
+ }
+ }
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.INVALID_CREDENTIALS )
+ {
+ // Check controls to see if password is locked, expired or out of grace:
+ checkPwPolicies( ld, session );
+ // if check pw control did not find problem the user entered invalid pw:
+ if ( session.getErrorId() == 0 )
+ {
+ String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "]";
+ session.setMsg( info );
+ session.setErrorId( GlobalErrIds.USER_PW_INVLD );
+ session.setAuthenticated( false );
+ }
+ }
+ else
+ {
+ String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_BIND_FAILED, error, e );
+ }
+ }
+ finally
+ {
+ closeUserConnection( ld );
+ }
+
+ return session;
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws FinderException
+ */
+ public final List<User> findUsers( User user ) throws FinderException
+ {
+ List<User> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String filter;
+
+ if ( VUtil.isNotNullOrEmpty( user.getUserId() ) )
+ {
+ // place a wild card after the input userId:
+ String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+ filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+ + GlobalIds.UID + "=" + searchVal + "*))";
+ }
+ else if ( VUtil.isNotNullOrEmpty( user.getInternalId() ) )
+ {
+ // internalUserId search
+ String searchVal = encodeSafeText( user.getInternalId(), GlobalIds.USERID_LEN );
+ // this is not a wildcard search. Must be exact match.
+ filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+ + GlobalIds.FT_IID + "=" + searchVal + "))";
+ }
+ else
+ {
+ // Beware - returns ALL users!!:"
+ filter = "(objectclass=" + objectClassImpl + ")";
+ }
+
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( unloadLdapEntry( searchResults.next(), sequence++, user.getContextId() ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param user
+ * @param limit
+ * @return
+ * @throws FinderException
+ *
+ */
+ public final List<String> findUsers( User user, int limit ) throws FinderException
+ {
+ List<String> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+ + GlobalIds.UID + "=" + searchVal + "*))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+ while ( searchResults.hasMoreElements() )
+ {
+ LDAPEntry entry = searchResults.next();
+ userList.add( getAttribute( entry, GlobalIds.UID ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "findUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
+ + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param role
+ * @return
+ * @throws FinderException
+ *
+ */
+ public final List<User> getAuthorizedUsers( Role role )
+ throws FinderException
+ {
+ List<User> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(";
+ Set<String> roles = RoleUtil.getDescendants( role.getName(), role.getContextId() );
+
+ if ( VUtil.isNotNullOrEmpty( roles ) )
+ {
+ filter += "|(" + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+
+ for ( String uRole : roles )
+ {
+ filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + uRole + ")";
+ }
+
+ filter += ")";
+ }
+ else
+ {
+ filter += GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+ }
+
+ filter += ")";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param role
+ * @return
+ * @throws FinderException
+ */
+ public final List<User> getAssignedUsers( Role role )
+ throws FinderException
+ {
+ List<User> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+ + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ *
+ * @param roles
+ * @return
+ * @throws FinderException
+ */
+ public final Set<String> getAssignedUsers( Set<String> roles, String contextId )
+ throws FinderException
+ {
+ Set<String> userSet = new HashSet<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+ try
+ {
+ String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(|";
+ if ( VUtil.isNotNullOrEmpty( roles ) )
+ {
+ for ( String roleVal : roles )
+ {
+ String filteredVal = encodeSafeText( roleVal, GlobalIds.USERID_LEN );
+ filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + filteredVal + ")";
+ }
+ }
+ else
+ {
+ return null;
+ }
+
+ filter += "))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, USERID_ATRS, false, GlobalIds.BATCH_SIZE );
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userSet.add( getAttribute( searchResults.next(), GlobalIds.UID ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "getAssignedUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
+ + e.getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userSet;
+ }
+
+
+ /**
+ * @param role
+ * @return
+ * @throws FinderException
+ */
+ public final List<User> getAssignedUsers( AdminRole role )
+ throws FinderException
+ {
+ List<User> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+ + GlobalIds.USER_ADMINROLE_ASSIGN + "=" + roleVal + "))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "getAssignedUsers admin role name [" + role.getName()
+ + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param role
+ * @param limit
+ * @return
+ * @throws FinderException
+ *
+ */
+ public final List<String> getAuthorizedUsers( Role role, int limit )
+ throws FinderException
+ {
+ List<String> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+ + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+ while ( searchResults.hasMoreElements() )
+ {
+ LDAPEntry entry = searchResults.next();
+ userList.add( getAttribute( entry, GlobalIds.UID ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param searchVal
+ * @return
+ * @throws FinderException
+ */
+ public final List<String> findUsersList( String searchVal, String contextId )
+ throws FinderException
+ {
+ List<String> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+ try
+ {
+ searchVal = encodeSafeText( searchVal, GlobalIds.USERID_LEN );
+ //ld = getAdminConnection();
+ String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+ + GlobalIds.UID + "=" + searchVal + "*))";
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( ( unloadLdapEntry( searchResults.next(), sequence++, contextId ) ).getUserId() );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "findUsersList caught LDAPException=" + e.getLDAPResultCode() + " msg="
+ + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param ou
+ * @return
+ * @throws FinderException
+ */
+ public final List<User> findUsers( OrgUnit ou, boolean limitSize ) throws FinderException
+ {
+ List<User> userList = new ArrayList<>();
+ LDAPConnection ld = null;
+ LDAPSearchResults searchResults;
+ String userRoot = getRootDn( ou.getContextId(), GlobalIds.USER_ROOT );
+
+ try
+ {
+ String szOu = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
+ String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+ + GlobalIds.OU + "=" + szOu + "))";
+ int maxLimit;
+
+ if ( limitSize )
+ {
+ maxLimit = 10;
+ }
+ else
+ {
+ maxLimit = 0;
+ }
+
+ ld = getAdminConnection();
+ searchResults = search( ld, userRoot,
+ LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
+ long sequence = 0;
+
+ while ( searchResults.hasMoreElements() )
+ {
+ userList.add( unloadLdapEntry( searchResults.next(), sequence++, ou.getContextId() ) );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "findUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
+ + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userList;
+ }
+
+
+ /**
+ * @param entity
+ * @param newPassword
+ * @return
+ * @throws UpdateException
+ *
+ * @throws SecurityException
+ */
+ public final boolean changePassword( User entity, char[] newPassword )
+ throws SecurityException
+ {
+ boolean rc = true;
+ LDAPConnection ld = null;
+ LDAPModificationSet mods;
+ String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+ try
+ {
+ ld = getUserConnection();
+ bind( ld, userDn, entity.getPassword() );
+ mods = new LDAPModificationSet();
+ LDAPAttribute pw = new LDAPAttribute( PW, new String( newPassword ) );
+ mods.add( LDAPModification.REPLACE, pw );
+ modify( ld, userDn, mods );
+
+ // The 2nd modify is to update audit attributes on the User entry:
+ if ( GlobalIds.IS_AUDIT && entity.getAdminSession() != null )
+ {
+ // Because the user modified their own password, set their userId here:
+ //(entity.getAdminSession()).setInternalUserId(entity.getUserId());
+ mods = new LDAPModificationSet();
+ modify( ld, userDn, mods, entity );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+
+ if ( e.getLDAPResultCode() == LDAPException.CONSTRAINT_VIOLATION )
+ {
+ warning += " constraint violation, ldap rc=" + e.getLDAPResultCode() + " ldap msg=" + e.getMessage()
+ + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
+ throw new PasswordException( GlobalErrIds.PSWD_CONST_VIOLATION, warning );
+ }
+ else if ( e.getLDAPResultCode() == LDAPException.INSUFFICIENT_ACCESS_RIGHTS )
+ {
+ warning += " user not authorized to change password, ldap rc=" + e.getLDAPResultCode() + " ldap msg="
+ + e.getMessage() + " Fortress rc=" + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+ throw new UpdateException( GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning );
+ }
+
+ warning += " caught LDAPException rc=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e );
+ }
+ finally
+ {
+ closeUserConnection( ld );
+ }
+
+ return rc;
+ }
+
+
+ /**
+ * @param user
+ * @throws UpdateException
+ *
+ */
+ public final void resetUserPassword( User user )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute pw = new LDAPAttribute( PW, new String( user.getPassword() ) );
+ mods.add( LDAPModification.REPLACE, pw );
+ LDAPAttribute pwdReset = new LDAPAttribute( OPENLDAP_PW_RESET, "TRUE" );
+ mods.add( LDAPModification.REPLACE, pwdReset );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, user );
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "resetUserPassword userId [" + user.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_PW_RESET_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+ }
+
+
+ /**
+ * @param uRole
+ * @return
+ * @throws UpdateException
+ *
+ * @throws FinderException
+ *
+ */
+ public final String assign( UserRole uRole )
+ throws UpdateException, FinderException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+ try
+ {
+ //ld = getAdminConnection();
+ LDAPModificationSet mods = new LDAPModificationSet();
+ String szUserRole = uRole.getRawData();
+ LDAPAttribute attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
+ mods.add( LDAPModification.ADD, attr );
+ attr = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, uRole.getName() );
+ mods.add( LDAPModification.ADD, attr );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, uRole );
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
+
+ if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
+ {
+ warning += "assignment already exists.";
+ throw new FinderException( GlobalErrIds.URLE_ASSIGN_EXIST, warning );
+ }
+ else
+ {
+ warning += "caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.URLE_ASSIGN_FAILED, warning, e );
+ }
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param uRole
+ * @return
+ * @throws UpdateException
+ *
+ * @throws FinderException
+ *
+ */
+ public final String deassign( UserRole uRole )
+ throws UpdateException, FinderException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+ try
+ {
+ // read the user's RBAC role assignments to locate target record. Need the raw data before attempting removal:
+ List<UserRole> roles = getUserRoles( uRole.getUserId(), uRole.getContextId() );
+ int indx = -1;
+
+ // Does the user have any roles assigned?
+ if ( roles != null )
+ {
+ // function call will set indx to -1 if name not found:
+ indx = roles.indexOf( uRole );
+
+ // Is the targeted name assigned to user?
+ if ( indx > -1 )
+ {
+ // Retrieve the targeted name:
+ UserRole fRole = roles.get( indx );
+ // delete the name assignment attribute using the raw name data:
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute rAttr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, fRole.getRawData() );
+ mods.add( LDAPModification.DELETE, rAttr );
+ rAttr = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, fRole.getName() );
+ mods.add( LDAPModification.DELETE, rAttr );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, uRole );
+ }
+ }
+ // target name not found:
+ if ( indx == -1 )
+ {
+ // The user does not have the target name assigned,
+ String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] assignment does not exist.";
+ throw new FinderException( GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param uRole
+ * @return
+ * @throws UpdateException
+ *
+ * @throws FinderException
+ *
+ */
+ public final String assign( UserAdminRole uRole )
+ throws UpdateException, FinderException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+ String szUserRole = uRole.getRawData();
+ LDAPAttribute attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
+ mods.add( LDAPModification.ADD, attr );
+ attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, uRole.getName() );
+ mods.add( LDAPModification.ADD, attr );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, uRole );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
+ {
+ String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] assignment already exists.";
+ throw new FinderException( GlobalErrIds.ARLE_ASSIGN_EXIST, warning );
+ }
+ else
+ {
+ String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.ARLE_ASSIGN_FAILED, warning, e );
+ }
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param uRole
+ * @return
+ * @throws UpdateException
+ *
+ * @throws FinderException
+ *
+ */
+ public final String deassign( UserAdminRole uRole )
+ throws UpdateException, FinderException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+ try
+ {
+ // read the user's ARBAC roles to locate record. Need the raw data before attempting removal:
+ User user = new User( uRole.getUserId() );
+ user.setContextId( uRole.getContextId() );
+ List<UserAdminRole> roles = getUserAdminRoles( user );
+ //User user = getUser(uRole.getUserId(), true);
+ //List<UserAdminRole> roles = user.getAdminRoles();
+ int indx = -1;
+
+ // Does the user have any roles assigned?
+ if ( roles != null )
+ {
+ // function call will set indx to -1 if name not found:
+ indx = roles.indexOf( uRole );
+
+ // Is the targeted name assigned to user?
+ if ( indx > -1 )
+ {
+ // Retrieve the targeted name:
+ UserRole fRole = roles.get( indx );
+ // delete the name assignment attribute using the raw name data:
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute rAttr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData() );
+ mods.add( LDAPModification.DELETE, rAttr );
+ rAttr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName() );
+ mods.add( LDAPModification.DELETE, rAttr );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, uRole );
+ }
+ }
+
+ // target name not found:
+ if ( indx == -1 )
+ {
+ // The user does not have the target name assigned,
+ String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] assignment does not exist.";
+ throw new FinderException( GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning );
+ }
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+ + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param user
+ * @return
+ * @throws UpdateException
+ *
+ */
+ public final String deletePwPolicy( User user )
+ throws UpdateException
+ {
+ LDAPConnection ld = null;
+ String userDn = getDn( user.getUserId(), user.getContextId() );
+
+ try
+ {
+ LDAPModificationSet mods = new LDAPModificationSet();
+ LDAPAttribute policy = new LDAPAttribute( OPENLDAP_POLICY_SUBENTRY );
+ mods.add( LDAPModification.DELETE, policy );
+ ld = getAdminConnection();
+ modify( ld, userDn, mods, user );
+ }
+ catch ( LDAPException e )
+ {
+ String warning = "deletePwPolicy userId [" + user.getUserId() + "] caught LDAPException="
+ + e.getLDAPResultCode() + " msg=" + e.getMessage();
+ throw new UpdateException( GlobalErrIds.USER_PW_PLCY_DEL_FAILED, warning, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+
+ return userDn;
+ }
+
+
+ /**
+ * @param le
+ * @return
+ * @throws LDAPException
+ */
+ private User unloadLdapEntry( LDAPEntry le, long sequence, String contextId )
+ {
+ User entity = new ObjectFactory().createUser();
+ entity.setSequenceId( sequence );
+ entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
+ entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+ entity.setUserId( getAttribute( le, GlobalIds.UID ) );
+ entity.setCn( getAttribute( le, GlobalIds.CN ) );
+ entity.setDisplayName( getAttribute( le, DISPLAY_NAME ) );
+ entity.setSn( getAttribute( le, SN ) );
+ entity.setOu( getAttribute( le, GlobalIds.OU ) );
+ entity.setDn( le.getDN() );
+ entity.setTitle( getAttribute( le, TITLE ) );
+ entity.setEmployeeType( getAttribute( le, EMPLOYEE_TYPE ) );
+ unloadTemporal( le, entity );
+ entity.setRoles( unloadUserRoles( le, entity.getUserId(), contextId ) );
+ entity.setAdminRoles( unloadUserAdminRoles( le, entity.getUserId(), contextId ) );
+ entity.setAddress( unloadAddress( le ) );
+ entity.setPhones( getAttributes( le, TELEPHONE_NUMBER ) );
+ entity.setMobiles( getAttributes( le, MOBILE ) );
+ entity.setEmails( getAttributes( le, MAIL ) );
+ String szBoolean = getAttribute( le, SYSTEM_USER );
+ if ( szBoolean != null )
+ {
+ entity.setSystem( Boolean.valueOf( szBoolean ) );
+ }
+
+ entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
+
+ if ( GlobalIds.IS_OPENLDAP )
+ {
+ szBoolean = getAttribute( le, OPENLDAP_PW_RESET );
+ if ( szBoolean != null && szBoolean.equalsIgnoreCase( "true" ) )
+ {
+ entity.setReset( true );
+ }
+ String szPolicy = getAttribute( le, OPENLDAP_POLICY_SUBENTRY );
+ if ( VUtil.isNotNullOrEmpty( szPolicy ) )
+ {
+ entity.setPwPolicy( getRdn( szPolicy ) );
+ }
+ szBoolean = getAttribute( le, OPENLDAP_PW_LOCKED_TIME );
+ if ( szBoolean != null && szBoolean.equals( LOCK_VALUE ) )
+ {
+ entity.setLocked( true );
+ }
+ }
+ entity.setJpegPhoto( getPhoto( le, JPEGPHOTO ) );
+ return entity;
+ }
+
+
+ /**
+ * @param userId
+ * @return
+ * @throws FinderException
+ */
+ private List<UserRole> getUserRoles( String userId, String contextId )
+ throws FinderException
+ {
+ List<UserRole> roles = null;
+ LDAPConnection ld = null;
+ String userDn = getDn( userId, contextId );
+ try
+ {
+ ld = getAdminConnection();
+ LDAPEntry findEntry = read( ld, userDn, ROLE_ATR );
+ roles = unloadUserRoles( findEntry, userId, contextId );
+ }
+ catch ( LDAPException e )
+ {
+ if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
+ {
+ String warning = "getUserRoles COULD NOT FIND ENTRY for user [" + userId + "]";
+ throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+ }
+
+ String error = "getUserRoles [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
+ + " msg=" + e.getMessage();
+ throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+ }
+ finally
+ {
+ closeAdminConnection( ld );
+ }
+ return roles;
+ }
+
+
+ /**
+ * @param ld
+ * @param pwMsg
+ */
+ private void checkPwPolicies( LDAPConnection ld, PwMessage pwMsg )
+ {
+ int rc = 0;
+ boolean success = false;
+ String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
+
+ if ( ld != null )
+ {
+ if ( !GlobalIds.IS_OPENLDAP )
+ {
+ //pwMsg.setWarningId( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED );
+ String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
+ pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED, msg, Warning.Type.PASSWORD ) );
+ pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
+ //String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
+ //pwMsg.setMsg( msg );
+ LOG.debug( msg );
+ return;
+ }
+ else if ( pwControl != null )
+ {
+ pwControl.checkPasswordPolicy( ld.getResponseControls(), success, pwMsg );
+ }
+
+ // OpenLDAP has notified of password policy violation:
+ if ( pwMsg.getErrorId() > 0 )
+ {
+ String errMsg;
+
+ switch ( pwMsg.getErrorId() )
+ {
+ case GlobalPwMsgIds.CHANGE_AFTER_RESET:
+ // Don't throw exception if authenticating in J2EE Realm - The Web application must give user a chance to modify their password.
+ if ( !GlobalIds.IS_REALM )
+ {
+ errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
+ rc = GlobalErrIds.USER_PW_RESET;
+ }
+ else
+ {
+ errMsg = msgHdr
+ + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
+ success = true;
+ pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET, errMsg, Warning.Type.PASSWORD ) );
+ }
+
+ break;
+
+ case GlobalPwMsgIds.ACCOUNT_LOCKED:
+ errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
+ rc = GlobalErrIds.USER_PW_LOCKED;
+ break;
+
+ case GlobalPwMsgIds.PASSWORD_HAS_EXPIRED:
+ errMsg = msgHdr + "PASSWORD HAS EXPIRED";
+ rc = GlobalErrIds.USER_PW_EXPIRED;
+ break;
+
+ case GlobalPwMsgIds.NO_MODIFICATIONS:
+ errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
+ rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+ break;
+
+ case GlobalPwMsgIds.MUST_SUPPLY_OLD:
+ errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
+ rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
+ break;
+
+ case GlobalPwMsgIds.INSUFFICIENT_QUALITY:
+ errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
+ rc = GlobalErrIds.USER_PW_NSF_QUALITY;
+ break;
+
+ case GlobalPwMsgIds.PASSWORD_TOO_SHORT:
+ errMsg = msgHdr + "PASSWORD TOO SHORT";
+ rc = GlobalErrIds.USER_PW_TOO_SHORT;
+ break;
+
+ case GlobalPwMsgIds.PASSWORD_TOO_YOUNG:
+ errMsg = msgHdr + "PASSWORD TOO YOUNG";
+ rc = GlobalErrIds.USER_PW_TOO_YOUNG;
+ break;
+
+ case GlobalPwMsgIds.HISTORY_VIOLATION:
+ errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
+ rc = GlobalErrIds.USER_PW_IN_HISTORY;
+ break;
+
+ default:
+ errMsg = msgHdr + "PASSWORD CHECK FAILED";
+ rc = GlobalErrIds.USER_PW_CHK_FAILED;
+ break;
+ }
+
+ pwMsg.setMsg( errMsg );
+ pwMsg.setErrorId( rc );
+ pwMsg.setAuthenticated( success );
+ LOG.debug( errMsg );
+ }
+ else
+ {
+ // Checked out good:
+ String msg = msgHdr + "PASSWORD CHECK SUCCESS";
+ pwMsg.setMsg( msg );
+ pwMsg.setErrorId( 0 );
+ pwMsg.setAuthenticated( true );
+ LOG.debug( msg );
+ }
+ }
+ }
+
+
+ /**
+ * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+ *
+ * @param list contains List of type {@link UserAdminRole} targeted for adding to ldap.
+ * @param attrs collection of ldap attributes containing ARBAC role assignments in raw ldap format.
+ */
+ private void loadUserAdminRoles( List<UserAdminRole> list, LDAPAttributeSet attrs )
+ {
+ if ( list != null )
+ {
+ LDAPAttribute attr = null;
+ LDAPAttribute attrNm = null;
+
+ for ( UserAdminRole userRole : list )
+ {
+ String szUserRole = userRole.getRawData();
+
+ if ( attr == null )
+ {
+ attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
+ attrNm = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, userRole.getName() );
+ }
+ else
+ {
+ attr.addValue( szUserRole );
+ attrNm.addValue( userRole.getName() );
+ }
+ }
+
+ if ( attr != null )
+ {
+ attrs.add( attr );
+ attrs.add( attrNm );
+ }
+ }
+ }
+
+
+ /**
+ * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+ *
+ * @param list contains List of type {@link UserRole} targeted for updating into ldap.
+ * @param mods contains ldap modification set containing RBAC role assignments in raw ldap format to be updated.
+ */
+ private void loadUserRoles( List<UserRole> list, LDAPModificationSet mods )
+ {
+ LDAPAttribute attr = null;
+ LDAPAttribute attrNm = null;
+
+ if ( list != null )
+ {
+ for ( UserRole userRole : list )
+ {
+ String szUserRole = userRole.getRawData();
+
+ if ( attr == null )
+ {
+ attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
+ attrNm = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, userRole.getName() );
+ }
+ else
+ {
+ attr.addValue( szUserRole );
+ attrNm.addValue( userRole.getName() );
+ }
+ }
+
+ if ( attr != null )
+ {
+ mods.add( LDAPModification.REPLACE, attr );
+ mods.add( LDAPModification.REPLACE, attrNm );
+ }
+ }
+ }
+
+
+ /**
+ * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+ *
+ * @param list contains List of type {@link UserAdminRole} targeted for updating to ldap.
+ * @param mods contains ldap modification set containing ARBAC role assignments in raw ldap format to be updated.
+ */
+ private void loadUserAdminRoles( List<UserAdminRole> list, LDAPModificationSet mods )
+ {
+ LDAPAttribute attr = null;
+ LDAPAttribute attrNm = null;
+
+ if ( list != null )
+ {
+ for ( UserAdminRole userRole : list )
+ {
+ String szUserRole = userRole.getRawData();
+
+ if ( attr == null )
+ {
+ attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
+ attrNm = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, userRole.getName() );
+ }
+ else
+ {
+ attr.addValue( szUserRole );
+ attrNm.addValue( userRole.getName() );
+ }
+ }
+
+ if ( attr != null )
+ {
+ mods.add( LDAPModification.REPLACE, attr );
+ mods.add( LDAPModification.REPLACE, attrNm );
+ }
+ }
+ }
+
+
+ /**
+ * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+ *
+ * @param list contains List of type {@link UserRole} targeted for adding to ldap.
+ * @param attrs collection of ldap attributes containing RBAC role assignments in raw ldap format.
+ */
+ private void loadUserRoles( List<UserRole> list, LDAPAttributeSet attrs )
+ {
+ if ( list != null )
+ {
+ LDAPAttribute attr = null;
+ LDAPAttribute attrNm = null;
+
+ for ( UserRole userRole : list )
+ {
+ String szUserRole = userRole.getRawData();
+
+ if ( attr == null )
+ {
+ attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
+ attrNm = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, userRole.getName() );
+ }
+ else
+ {
+ attr.addValue( szUserRole );
+ attrNm.addValue( userRole.getName() );
+ }
+ }
+
+ if ( attr != null )
+ {
+ attrs.add( attr );
+ attrs.add( attrNm );
+ }
+ }
+ }
+
+
+ /**
+ * Given a User address, {@link Address}, load into ldap attribute set in preparation for ldap add.
+ *
+ * @param address contains User address {@link Address} targeted for adding to ldap.
+ * @param attrs collection of ldap attributes containing RBAC role assignments in raw ldap format.
+ */
+ private void loadAddress( Address address, LDAPAttributeSet attrs )
+ {
+ if ( address != null )
+ {
+ LDAPAttribute attr;
+
+ if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+ {
+ for ( String val : address.getAddresses() )
+ {
+ attr = new LDAPAttribute( POSTAL_ADDRESS, val );
+ attrs.add( attr );
+ }
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+ {
+ attr = new LDAPAttribute( L, address.getCity() );
+ attrs.add( attr );
+ }
+
+ //if(VUtil.isNotNullOrEmpty(address.getCountry()))
+ //{
+ // attr = new LDAPAttribute(GlobalIds.COUNTRY, address.getAddress1());
+ // attrs.add(attr);
+ //}
+ if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+ {
+ attr = new LDAPAttribute( POSTAL_CODE, address.getPostalCode() );
+ attrs.add( attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+ {
+ attr = new LDAPAttribute( POST_OFFICE_BOX, address.getPostOfficeBox() );
+ attrs.add( attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+ {
+ attr = new LDAPAttribute( STATE, address.getState() );
+ attrs.add( attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+ {
+ attr = new LDAPAttribute( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
+ attrs.add( attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+ {
+ attr = new LDAPAttribute( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
+ attrs.add( attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+ {
+ attr = new LDAPAttribute( ROOM_NUMBER, address.getRoomNumber() );
+ attrs.add( attr );
+ }
+ }
+ }
+
+
+ /**
+ * Given an address, {@link Address}, load into ldap modification set in preparation for ldap modify.
+ *
+ * @param address contains entity of type {@link Address} targeted for updating into ldap.
+ * @param mods contains ldap modification set contains attributes to be updated in ldap.
+ */
+ private void loadAddress( Address address, LDAPModificationSet mods )
+ {
+ LDAPAttribute attr;
+
+ if ( address != null )
+ {
+ if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+ {
+ attr = new LDAPAttribute( POSTAL_ADDRESS );
+ mods.add( LDAPModification.REPLACE, attr );
+
+ for ( String val : address.getAddresses() )
+ {
+ attr = new LDAPAttribute( POSTAL_ADDRESS, val );
+ mods.add( LDAPModification.ADD, attr );
+ }
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+ {
+ attr = new LDAPAttribute( L, address.getCity() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+ {
+ attr = new LDAPAttribute( POSTAL_CODE, address.getPostalCode() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+ {
+ attr = new LDAPAttribute( POST_OFFICE_BOX, address.getPostOfficeBox() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+ {
+ attr = new LDAPAttribute( STATE, address.getState() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+ {
+ attr = new LDAPAttribute( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+ {
+ attr = new LDAPAttribute( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+
+ if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+ {
+ attr = new LDAPAttribute( ROOM_NUMBER, address.getRoomNumber() );
+ mods.add( LDAPModification.REPLACE, attr );
+ }
+ }
+ }
+
+
+ /**
+ * Given an ldap entry containing organzationalPerson address information, convert to {@link Address}
+ *
+ * @param le contains ldap entry to retrieve admin roles from.
+ * @return entity of type {@link Address}.
+ * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+ */
+ private Address unloadAddress( LDAPEntry le )
+ {
+ Address addr = new ObjectFactory().createAddress();
+ List<String> pAddrs = getAttributes( le, POSTAL_ADDRESS );
+ if ( pAddrs != null )
+ {
+ for ( String pAddr : pAddrs )
+ {
+ addr.setAddress( pAddr );
+ }
+ }
+ addr.setCity( getAttribute( le, L ) );
+ addr.setState( getAttribute( le, STATE ) );
+ addr.setPostalCode( getAttribute( le, POSTAL_CODE ) );
+ addr.setPostOfficeBox( getAttribute( le, POST_OFFICE_BOX ) );
+ addr.setBuilding( getAttribute( le, PHYSICAL_DELIVERY_OFFICE_NAME ) );
+ addr.setDepartmentNumber( getAttribute( le, DEPARTMENT_NUMBER ) );
+ addr.setRoomNumber( getAttribute( le, ROOM_NUMBER ) );
+ // todo: add support for country attribute
+ //addr.setCountry(getAttribute(le, GlobalIds.COUNTRY));
+
+ return addr;
+ }
+
+
+ /**
+ * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserAdminRole}
+ * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+ *
+ * @param le contains ldap entry to retrieve admin roles from.
+ * @param userId attribute maps to {@link UserAdminRole#userId}.
+ * @param contextId
+ * @return List of type {@link UserAdminRole} containing admin roles assigned to a particular user.
+ * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+ */
+ private List<UserAdminRole> unloadUserAdminRoles( LDAPEntry le, String userId, String contextId )
+ {
+ List<UserAdminRole> uRoles = null;
+ List<String> roles = getAttributes( le, GlobalIds.USER_ADMINROLE_DATA );
+
+ if ( roles != null )
+ {
+ long sequence = 0;
+ uRoles = new ArrayList<>();
+
+ for ( String raw : roles )
+ {
+ UserAdminRole ure = new ObjectFactory().createUserAdminRole();
+ ure.load( raw, contextId );
+ ure.setSequenceId( sequence++ );
+ ure.setUserId( userId );
+ uRoles.add( ure );
+ }
+ }
+
+ return uRoles;
+ }
+
+
+ /**
+ *
+ * @param userId
+ * @param contextId
+ * @return
+ */
+ private String getDn( String userId, String contextId )
+ {
+ return GlobalIds.UID + "=" + userId + "," + getRootDn( contextId, GlobalIds.USER_ROOT );
+ }
+
+
+ /**
+ * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserRole}
+ * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+ *
+ * @param le contains ldap entry to retrieve roles from.
+ * @param userId attribute maps to {@link UserRole#userId}.
+ * @param contextId
+ * @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
+ * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+ */
+ private List<UserRole> unloadUserRoles( LDAPEntry le, String userId, String contextId )
+ {
+ List<UserRole> uRoles = null;
+ List<String> roles = getAttributes( le, GlobalIds.USER_ROLE_DATA );
+
+ if ( roles != null )
+ {
+ long sequence = 0;
+ uRoles = new ArrayList<>();
+
+ for ( String raw : roles )
+ {
+ UserRole ure = new ObjectFactory().createUserRole();
+ ure.load( raw, contextId );
+ ure.setUserId( userId );
+ ure.setSequenceId( sequence++ );
+ uRoles.add( ure );
+ }
+ }
+
+ return uRoles;
+ }
+}
\ No newline at end of file