Posted to commits@directory.apache.org by sm...@apache.org on 2014/10/22 19:48:16 UTC

[01/16] Remove the unboundid DAO classes and lib, move the Apache DAOs into the rbac package and make their classes and methods package private.

Repository: directory-fortress-core
Updated Branches:
  refs/heads/master 687ee1add -> 49e82a58b


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/build.xml
----------------------------------------------------------------------
diff --git a/src/test/build.xml b/src/test/build.xml
index 6416b6a..2aceace 100755
--- a/src/test/build.xml
+++ b/src/test/build.xml
@@ -43,7 +43,6 @@
       <property name="commons-pool.jar" value="${lib.dir}/commons-pool-1.5.2.jar"/>
       <property name="commons-logging.jar" value="${lib.dir}/commons-logging-1.1.1.jar"/>
       <property name="commons-beanutils.jar" value="${lib.dir}/commons-beanutils-1.8.0.jar"/>
-      <property name="unboundsdk.jar" value="${lib.dir}/unboundid-ldapsdk-se.jar"/>
       <property name="jgraph.jar" value="${lib.dir}/jgrapht-jdk1.6.jar"/>
       <property name="log4j.jar" value="${lib.dir}/log4j-1.2.8.jar"/>
       <property name="junit.jar" value="${lib.dir}/junit-4.4.jar"/>
@@ -65,7 +64,6 @@
            <pathelement location="${build.test-classes.dir}"/>
            <pathelement location="${dist.jar}"/>
            <pathelement location="${jgraph.jar}"/>
-           <pathelement location="${unboundsdk.jar}"/>
            <pathelement location="${junit.jar}"/>
            <pathelement location="${log4j.jar}"/>
            <pathelement location="${commons-config.jar}"/>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/ant/TestAddUsers.xml
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/ant/TestAddUsers.xml b/src/test/java/org/apache/directory/fortress/core/ant/TestAddUsers.xml
index fe26813..394ce25 100755
--- a/src/test/java/org/apache/directory/fortress/core/ant/TestAddUsers.xml
+++ b/src/test/java/org/apache/directory/fortress/core/ant/TestAddUsers.xml
@@ -20,22 +20,8 @@
 -->
 
 <project basedir="." default="all" name="Fortress Sample Data">
-    <property name="root.dir" value = "/home/smckinn/" />
-    <property name="home.dir" value = "${root.dir}/SVN/oamDev/oamCore/trunk/" />
-    <property name="lib.dir" value = "${home.dir}/lib" />
-    <property name="pub.dir" value = "${home.dir}/target/pub" />
-    <property name="config" value="${home.dir}/config"/>
-    <property name="Fortress.jar" value="${pub.dir}/oamCore-dev.jar"/>
-    <property name="log4j.jar" value="${lib.dir}/log4j-1.2.8.jar"/>
-    <property name="ldapjdk.jar" value="${lib.dir}/unboundid-ldapsdk-se.jar"/>
-    <property name="jgrapht.jar" value="${lib.dir}/jgrapht-jdk1.6.jar"/>
-    <property name="commons-configuration.jar" value="${lib.dir}/commons-configuration-1.6.jar"/>
-    <property name="commons-lang.jar" value="${lib.dir}/commons-lang-2.4.jar"/>
-    <property name="commons-collections.jar" value="${lib.dir}/commons-collections-3.2.1.jar"/>
-    <property name="commons-logging.jar" value="${lib.dir}/commons-logging-1.1.1.jar"/>
-    <property name="commons-beanutils.jar" value="${lib.dir}/commons-beanutils-1.8.0.jar"/>
     <taskdef classname="org.apache.directory.fortress.core.ant.FortressAntTask" name="FortressAdmin" >
-    	<classpath path="${config}:${Fortress.jar}:${log4j.jar}:${ldapjdk.jar}:${jgrapht.jar}:${commons-configuration.jar}:${commons-lang.jar}:${commons-collections.jar}:${commons-logging.jar}:${commons-beanutils.jar}"/>
+        <classpath path="${java.class.path}"/>
     </taskdef>
 
     <target name="all">

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/example/ExampleDAO.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/example/ExampleDAO.java b/src/test/java/org/apache/directory/fortress/core/example/ExampleDAO.java
index fcf8647..78fed81 100755
--- a/src/test/java/org/apache/directory/fortress/core/example/ExampleDAO.java
+++ b/src/test/java/org/apache/directory/fortress/core/example/ExampleDAO.java
@@ -19,30 +19,34 @@
  */
 package org.apache.directory.fortress.core.example;
 
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
 import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.directory.ldap.client.api.LdapConnection;
 import org.slf4j.LoggerFactory;
 import org.apache.directory.fortress.core.CreateException;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.RemoveException;
 import org.apache.directory.fortress.core.UpdateException;
 import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
 
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
-public class ExampleDAO extends UnboundIdDataProvider
+public class ExampleDAO extends ApacheDsDataProvider
 
 {
     private static final String CLS_NM = ExampleDAO.class.getName();
@@ -60,7 +64,7 @@ public class ExampleDAO extends UnboundIdDataProvider
     public Example create(Example entity)
         throws CreateException
     {
-        LDAPConnection ld = null;
+        LdapConnection ld = null;
         String dn = GlobalIds.CN + "=" + entity.getName() + "," + Config.getProperty(EIds.EXAMPLE_ROOT);
         if (LOG.isDebugEnabled())
         {
@@ -88,24 +92,27 @@ public class ExampleDAO extends UnboundIdDataProvider
             */
 
             ld = getAdminConnection();
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add(createAttributes(GlobalIds.OBJECT_CLASS, EIds.EXAMPLE_OBJ_CLASS));
+            Entry entry = new DefaultEntry( dn );
+            entry.add( createAttributes( GlobalIds.OBJECT_CLASS, EIds.EXAMPLE_OBJ_CLASS ) );
+
             entity.setId();
-            attrs.add(createAttribute(GlobalIds.FT_IID, entity.getId()));
-            attrs.add(createAttribute(EIds.EXAMPLE_NM, entity.getName()));
+
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+
+            entry.add( EIds.EXAMPLE_NM, entity.getName() );
+
             if (entity.getDescription() != null && entity.getDescription().length() > 0)
-                attrs.add(createAttribute(GlobalIds.DESC, entity.getDescription()));
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+
             // organizational name requires CN attribute:
-            attrs.add(createAttribute(GlobalIds.CN, entity.getName()));
+            entry.add( GlobalIds.CN, entity.getName() );
 
             //AttrHelper.loadTemporalAttrs(entity, attrs);
             entity.setName("EXAMPLE");
-            attrs.add(createAttribute(GlobalIds.CONSTRAINT, CUtil.setConstraint( entity )));
-
-            LDAPEntry myEntry = new LDAPEntry(dn, attrs);
-            add(ld, myEntry);
+            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+            add(ld, entry);
         }
-        catch (LDAPException e)
+        catch (LdapException e)
         {
             String error = "create [" + entity.getName() + "] caught LDAPException=" + e;
             LOG.error(error);
@@ -128,7 +135,7 @@ public class ExampleDAO extends UnboundIdDataProvider
     public Example update(Example entity)
         throws UpdateException
     {
-        LDAPConnection ld = null;
+        LdapConnection ld = null;
         String dn = GlobalIds.CN + "=" + entity.getName() + "," + Config.getProperty( EIds.EXAMPLE_ROOT );
         if (LOG.isDebugEnabled())
         {
@@ -137,24 +144,24 @@ public class ExampleDAO extends UnboundIdDataProvider
         try
         {
             ld = getAdminConnection();
-            LDAPModificationSet mods = new LDAPModificationSet();
+            List<Modification> mods = new ArrayList<Modification>();
             if (entity.getDescription() != null && entity.getDescription().length() > 0)
             {
-                LDAPAttribute desc = new LDAPAttribute(GlobalIds.DESC, entity.getDescription());
-                mods.add(LDAPModification.REPLACE, desc);
+                mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+
             }
+
             String szRawData = CUtil.setConstraint( entity );
             if (szRawData != null && szRawData.length() > 0)
             {
-                LDAPAttribute constraint = new LDAPAttribute(GlobalIds.CONSTRAINT, szRawData);
-                mods.add(LDAPModification.REPLACE, constraint);
+                mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
             }
             if (mods.size() > 0)
             {
                 modify(ld, dn, mods);
             }
         }
-        catch (LDAPException e)
+        catch (LdapException e)
         {
             String error = "update [" + entity.getName() + "] caught LDAPException=" + e;
             LOG.error(error);
@@ -176,7 +183,7 @@ public class ExampleDAO extends UnboundIdDataProvider
     public void remove(String name)
         throws RemoveException
     {
-        LDAPConnection ld = null;
+        LdapConnection ld = null;
         String dn = GlobalIds.CN + "=" + name + "," + Config.getProperty(EIds.EXAMPLE_ROOT);
         if (LOG.isDebugEnabled())
         {
@@ -187,7 +194,7 @@ public class ExampleDAO extends UnboundIdDataProvider
             ld = getAdminConnection();
             delete(ld, dn);
         }
-        catch (LDAPException e)
+        catch (LdapException e)
         {
             String error = "remove [" + name + "] caught LDAPException=" + e;
             LOG.error(error);
@@ -210,7 +217,7 @@ public class ExampleDAO extends UnboundIdDataProvider
         throws FinderException
     {
         Example entity = null;
-        LDAPConnection ld = null;
+        LdapConnection ld = null;
         String dn = GlobalIds.CN + "=" + name + "," + Config.getProperty(EIds.EXAMPLE_ROOT);
         if (LOG.isDebugEnabled())
         {
@@ -219,7 +226,8 @@ public class ExampleDAO extends UnboundIdDataProvider
         try
         {
             ld = getAdminConnection();
-            LDAPEntry findEntry = read(ld, dn, EXAMPLE_ATRS);
+            Entry findEntry = read( ld, dn, EXAMPLE_ATRS );
+
             entity = getEntityFromLdapEntry(findEntry);
             if (entity == null)
             {
@@ -228,20 +236,16 @@ public class ExampleDAO extends UnboundIdDataProvider
                 throw new FinderException(EErrIds.EXAMPLE_NOT_FOUND, error);
             }
         }
-        catch (LDAPException e)
+        catch ( LdapNoSuchObjectException e )
         {
-            if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT)
-            {
-                String error = "findByKey COULD NOT FIND ENTRY for example name [" + name + "]";
-                LOG.warn(error);
-                throw new FinderException(EErrIds.EXAMPLE_NOT_FOUND, error);
-            }
-            else
-            {
-                String error = "findByKey name [" + name + "] caught LDAPException=" + e;
-                LOG.warn(error);
-                throw new FinderException(EErrIds.EXAMPLE_READ_FAILED, error);
-            }
+            String error = "findByKey COULD NOT FIND ENTRY for example name [" + name + "]";
+            throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, error );
+        }
+        catch (LdapException e)
+        {
+            String error = "findByKey name [" + name + "] caught LDAPException=" + e;
+            LOG.warn(error);
+            throw new FinderException(EErrIds.EXAMPLE_READ_FAILED, error);
         }
         finally
         {
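Review bot: The new `LdapNoSuchObjectException` branch throws `GlobalErrIds.SSD_NOT_FOUND`, which looks like a copy-paste from another DAO: the removed branch and the still-present null check a few lines above both report `EErrIds.EXAMPLE_NOT_FOUND`, so any caller matching on the example-specific error code will now miss the not-found case. That branch also drops the `LOG.warn(error)` that the sibling `LdapException` handler keeps, so a missing entry leaves no trace in the log. Suggested replacement for the two lines: `LOG.warn( error );` followed by `throw new FinderException( EErrIds.EXAMPLE_NOT_FOUND, error );`, and in both handlers passing `e` as the cause would keep the underlying stack trace, as the CursorException handler added later in this file already does. findByKey's signature and its finally block continue outside the hunk.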
@@ -261,8 +265,7 @@ public class ExampleDAO extends UnboundIdDataProvider
         throws FinderException
     {
         List<Example> exampleList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
+        LdapConnection ld = null;
         String exampleRoot = Config.getProperty( EIds.EXAMPLE_ROOT );
 
         if (LOG.isDebugEnabled())
@@ -275,19 +278,24 @@ public class ExampleDAO extends UnboundIdDataProvider
             ld = getAdminConnection();
             String filter = GlobalIds.FILTER_PREFIX + Arrays.toString(EIds.EXAMPLE_OBJ_CLASS) + ")("
                 + EIds.EXAMPLE_NM + "=" + searchVal + "*))";
-            searchResults = search(ld, exampleRoot,
-                LDAPConnection.SCOPE_ONE, filter, EXAMPLE_ATRS, false, EIds.BATCH_SIZE);
-            while (searchResults.hasMoreElements())
+            SearchCursor searchResults = search( ld, exampleRoot,
+                SearchScope.SUBTREE, filter, EXAMPLE_ATRS, false, GlobalIds.BATCH_SIZE );
+            while ( searchResults.next() )
             {
-                exampleList.add(getEntityFromLdapEntry(searchResults.next()));
+                exampleList.add(getEntityFromLdapEntry(searchResults.getEntry()));
             }
         }
-        catch (LDAPException e)
+        catch (LdapException e)
         {
             String error = "findExamples caught LDAPException=" + e;
             LOG.warn(error);
             throw new FinderException(EErrIds.EXAMPLE_SEARCH_FAILED, error);
         }
+        catch ( CursorException e )
+        {
+            String error = "findExamples caught CursorException=" + e;
+            throw new FinderException( EErrIds.EXAMPLE_SEARCH_FAILED, error, e );
+        }
         finally
         {
             closeAdminConnection(ld);
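Review bot: The new `search(...)` call changes the scope from the old one-level scope to `SearchScope.SUBTREE`, a behavioural change that a DAO migration commit does not announce: if exampleRoot has nested containers, their entries will now be returned as well; if one-level was intended, `SearchScope.ONELEVEL` is the equivalent constant. Separately, the `SearchCursor` returned by search() is iterated but never closed, although cursors in the Apache LDAP API are closeable; it should be closed after the loop, for example in the finally block next to `closeAdminConnection(ld)`, so the underlying response resources are released on every path. The `LdapException` handler still folds `e` into the message string without passing it as the cause, whereas the new `CursorException` handler does — `throw new FinderException(EErrIds.EXAMPLE_SEARCH_FAILED, error, e);` keeps both consistent. findExamples continues outside the hunk.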
@@ -299,29 +307,11 @@ public class ExampleDAO extends UnboundIdDataProvider
     /**
      * @param le
      * @return
-     * @throws LDAPException
      */
-    private Example getEntityFromLdapEntry(LDAPEntry le)
+    private Example getEntityFromLdapEntry(Entry le) throws LdapInvalidAttributeValueException
     {
-        /*
-        public class Role
-                implements Constraint, java.io.Serializable
-        {
-            private String id;          // this maps to oamId
-            private String name;          // this is oamRoleName
-            private String description; // this is description
-            private String dn;          // this attribute is automatically saved to each ldap record.
-            private String beginTime;     // this attribute is oamBeginTime
-            private String endTime;        // this attribute is oamEndTime
-            private String beginDate;    // this attribute is oamBeginDate
-            private String endDate;        // this attribute is oamEndDate
-            private String beginLockDate;// this attribute is oamBeginLockDate
-            private String endLockDate;    // this attribute is oamEndLockDate
-            private String dayMask;        // this attribute is oamDayMask
-            private int timeout;        // this attribute is oamTimeOut
-            */
         Example entity = new Example();
-        entity.setId(getAttribute(le, GlobalIds.FT_IID));
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
         entity.setName(getAttribute(le, EIds.EXAMPLE_NM));
         entity.setDescription(getAttribute(le, GlobalIds.DESC));
         unloadTemporal(le, entity);

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/rbac/FortressJUnitTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/FortressJUnitTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/FortressJUnitTest.java
index 5aeba7e..f1f7f84 100755
--- a/src/test/java/org/apache/directory/fortress/core/rbac/FortressJUnitTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/FortressJUnitTest.java
@@ -23,7 +23,6 @@ import junit.framework.Test;
 import junit.framework.TestSuite;
 import junit.framework.TestCase;
 import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
 import org.apache.directory.fortress.core.ldap.LdapCounters;
 
 /**
@@ -328,6 +327,8 @@ public class FortressJUnitTest extends TestCase
 
     public void testDisplayCounters()
     {
+        // TODO: fix me (removed for unboundid)
+/*
         LdapCounters counters = UnboundIdDataProvider.getLdapCounters();
         System.out.println( "NUMBER OF READS: " + counters.getRead() );
         System.out.println( "NUMBER OF SEARCHES: " + counters.getSearch() );
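Review bot: Wrapping the body of testDisplayCounters in a `/* ... */` comment (opened here, closed in the next hunk) leaves a test method that silently passes while doing nothing, and keeps dead code referencing the removed UnboundIdDataProvider import in the source; the same pattern with `//` comments is applied to FortressJUnitApachedsTest.displayCounters further down. Prefer deleting the body and tracking the counter port in an issue, or, if the method must remain as a reminder, reduce it to a single comment such as `// LDAP counters are not yet exposed by ApacheDsDataProvider; tracked in <ISSUE-ID-PLACEHOLDER>` rather than leaving the old implementation commented out.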
@@ -336,6 +337,7 @@ public class FortressJUnitTest extends TestCase
         System.out.println( "NUMBER OF ADDS: " + counters.getAdd() );
         System.out.println( "NUMBER OF MODS: " + counters.getMod() );
         System.out.println( "NUMBER OF DELETES: " + counters.getDelete() );
+*/
     }
 
     /**

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/rbac/accelerator/TestAccelerator.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/accelerator/TestAccelerator.java b/src/test/java/org/apache/directory/fortress/core/rbac/accelerator/TestAccelerator.java
index 0248b22..9593e14 100644
--- a/src/test/java/org/apache/directory/fortress/core/rbac/accelerator/TestAccelerator.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/accelerator/TestAccelerator.java
@@ -207,7 +207,7 @@ public class TestAccelerator
     public void testDropActiveRole()
     {
         LOG.info( "testDropActiveRole..." );
-        //AcceleratorDAO aDao = new org.apache.directory.fortress.core.rbac.dao.apache.AcceleratorDAO();
+        //AcceleratorDAO aDao = new org.apache.directory.fortress.core.rbac.AcceleratorDAO();
         try
         {
             AccelMgr accelMgr = AccelMgrFactory.createInstance( TestUtils.getContext() );

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/rbac/apacheds/FortressJUnitApachedsTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/apacheds/FortressJUnitApachedsTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/apacheds/FortressJUnitApachedsTest.java
index b807a89..45fa6a4 100644
--- a/src/test/java/org/apache/directory/fortress/core/rbac/apacheds/FortressJUnitApachedsTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/apacheds/FortressJUnitApachedsTest.java
@@ -35,7 +35,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
 import org.apache.directory.fortress.core.ldap.LdapCounters;
 import org.apache.directory.fortress.core.rbac.AccessMgrImplTest;
 import org.apache.directory.fortress.core.rbac.AdminMgrImplTest;
@@ -84,14 +83,15 @@ public class FortressJUnitApachedsTest extends AbstractLdapTestUnit
     @After
     public void displayCounters()
     {
-        LdapCounters counters = UnboundIdDataProvider.getLdapCounters();
-        System.out.println( "NUMBER OF READS: " + counters.getRead() );
-        System.out.println( "NUMBER OF SEARCHES: " + counters.getSearch() );
-        System.out.println( "NUMBER OF COMPARES: " + counters.getCompare() );
-        System.out.println( "NUMBER OF BINDS: " + counters.getBind() );
-        System.out.println( "NUMBER OF ADDS: " + counters.getAdd() );
-        System.out.println( "NUMBER OF MODS: " + counters.getMod() );
-        System.out.println( "NUMBER OF DELETES: " + counters.getDelete() );
+        // TODO: FIX THIS: (removed with unboundid)
+        //LdapCounters counters = UnboundIdDataProvider.getLdapCounters();
+        //System.out.println( "NUMBER OF READS: " + counters.getRead() );
+        //System.out.println( "NUMBER OF SEARCHES: " + counters.getSearch() );
+        //System.out.println( "NUMBER OF COMPARES: " + counters.getCompare() );
+        //System.out.println( "NUMBER OF BINDS: " + counters.getBind() );
+        //System.out.println( "NUMBER OF ADDS: " + counters.getAdd() );
+        //System.out.println( "NUMBER OF MODS: " + counters.getMod() );
+        //System.out.println( "NUMBER OF DELETES: " + counters.getDelete() );
     }
 
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/test/java/org/apache/directory/fortress/core/samples/overview.html
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/samples/overview.html b/src/test/java/org/apache/directory/fortress/core/samples/overview.html
index b96fb1d..e0fc67d 100755
--- a/src/test/java/org/apache/directory/fortress/core/samples/overview.html
+++ b/src/test/java/org/apache/directory/fortress/core/samples/overview.html
@@ -63,7 +63,6 @@
           <ol>
           <li><a href="http://www.openldap.org/project/">The OpenLDAP Project</a></li>
           <li><a href="http://www.apache.org/">The Apache Software Foundation</a></li>
-          <li><a href="http://www.unboundid.com/">UnboundID</a></li>
           <li><a href="http://www.eigenbase.org/">The Eigenbase Project</a></li>
           </ol>
       </p>


[12/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PolicyDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PolicyDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/PolicyDAO.java
new file mode 100755
index 0000000..1a4683b
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PolicyDAO.java
@@ -0,0 +1,685 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.rbac.PwPolicy;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * This DAO class maintains the OpenLDAP Password Policy entity which is a composite of the following structural and aux object classes:
+ * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code> objectclass ( 2.5.6.14 NAME 'device'</code>
+ * <li> <code>DESC 'RFC2256: a device'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST cn</code>
+ * <li> <code>MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
+ * <li> <code>NAME 'pwdPolicy'</code>
+ * <li> <code>SUP top</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( pwdAttribute )</code>
+ * <li> <code>MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $</code>
+ * <li> <code>pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $</code>
+ * <li> <code>pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $</code>
+ * <li> <code>pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )</code>
+ * <li> <code></code>
+ * <li> <code></code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+final class PolicyDAO extends ApacheDsDataProvider
+{
+    /*
+      *  *************************************************************************
+      *  **  OPENLDAP PW POLICY ATTRIBUTES AND CONSTANTS
+      *  ************************************************************************
+      */
+    private static final String OLPW_POLICY_EXTENSION = "2.5.4.35";
+    private static final String OLPW_POLICY_CLASS = "pwdPolicy";
+    /**
+     * This object class combines OpenLDAP PW Policy schema with the Fortress audit context.
+     */
+    private static final String OAM_PWPOLICY_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP, "device", OLPW_POLICY_CLASS, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+
+    private static final String OLPW_ATTRIBUTE = "pwdAttribute";
+    private static final String OLPW_MIN_AGE = "pwdMinAge";
+    private static final String OLPW_MAX_AGE = "pwdMaxAge";
+    private static final String OLPW_IN_HISTORY = "pwdInHistory";
+    private static final String OLPW_CHECK_QUALITY = "pwdCheckQuality";
+    private static final String OLPW_MIN_LENGTH = "pwdMinLength";
+    private static final String OLPW_EXPIRE_WARNING = "pwdExpireWarning";
+    private static final String OLPW_GRACE_LOGIN_LIMIT = "pwdGraceAuthNLimit";
+    private static final String OLPW_LOCKOUT = "pwdLockout";
+    private static final String OLPW_LOCKOUT_DURATION = "pwdLockoutDuration";
+    private static final String OLPW_MAX_FAILURE = "pwdMaxFailure";
+    private static final String OLPW_FAILURE_COUNT_INTERVAL = "pwdFailureCountInterval";
+    private static final String OLPW_MUST_CHANGE = "pwdMustChange";
+    private static final String OLPW_ALLOW_USER_CHANGE = "pwdAllowUserChange";
+    private static final String OLPW_SAFE_MODIFY = "pwdSafeModify";
+    private static final String[] PASSWORD_POLICY_ATRS =
+        {
+            OLPW_MIN_AGE, OLPW_MAX_AGE, OLPW_IN_HISTORY, OLPW_CHECK_QUALITY,
+            OLPW_MIN_LENGTH, OLPW_EXPIRE_WARNING, OLPW_GRACE_LOGIN_LIMIT, OLPW_LOCKOUT,
+            OLPW_LOCKOUT_DURATION, OLPW_MAX_FAILURE, OLPW_FAILURE_COUNT_INTERVAL,
+            OLPW_MUST_CHANGE, OLPW_ALLOW_USER_CHANGE, OLPW_SAFE_MODIFY,
+    };
+
+    private static final String[] PASSWORD_POLICY_NAME_ATR =
+        {
+            GlobalIds.CN
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    final PwPolicy create( PwPolicy entity )
+        throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+            entry.add( GlobalIds.OBJECT_CLASS, OAM_PWPOLICY_OBJ_CLASS );
+            entry.add( GlobalIds.CN, entity.getName() );
+            entry.add( OLPW_ATTRIBUTE, OLPW_POLICY_EXTENSION );
+
+            if ( entity.getMinAge() != null )
+            {
+                entry.add( OLPW_MIN_AGE, entity.getMinAge().toString() );
+            }
+
+            if ( entity.getMaxAge() != null )
+            {
+                entry.add( OLPW_MAX_AGE, entity.getMaxAge().toString() );
+            }
+
+            if ( entity.getInHistory() != null )
+            {
+                entry.add( OLPW_IN_HISTORY, entity.getInHistory().toString() );
+            }
+
+            if ( entity.getCheckQuality() != null )
+            {
+                entry.add( OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() );
+            }
+
+            if ( entity.getMinLength() != null )
+            {
+                entry.add( OLPW_MIN_LENGTH, entity.getMinLength().toString() );
+            }
+
+            if ( entity.getExpireWarning() != null )
+            {
+                entry.add( OLPW_EXPIRE_WARNING, entity.getExpireWarning().toString() );
+            }
+
+            if ( entity.getGraceLoginLimit() != null )
+            {
+                entry.add( OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit().toString() );
+            }
+
+            if ( entity.getLockout() != null )
+            {
+                /**
+                 * For some reason OpenLDAP requires the pwdLockout boolean value to be upper case:
+                 */
+                entry.add( OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() );
+            }
+
+            if ( entity.getLockoutDuration() != null )
+            {
+                entry.add( OLPW_LOCKOUT_DURATION, entity.getLockoutDuration().toString() );
+            }
+
+            if ( entity.getMaxFailure() != null )
+            {
+                entry.add( OLPW_MAX_FAILURE, entity.getMaxFailure().toString() );
+            }
+
+            if ( entity.getFailureCountInterval() != null )
+            {
+                entry.add( OLPW_FAILURE_COUNT_INTERVAL, entity.getFailureCountInterval().toString() );
+            }
+
+            if ( entity.getMustChange() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                entry.add( OLPW_MUST_CHANGE, entity.getMustChange().toString().toUpperCase() );
+            }
+
+            if ( entity.getAllowUserChange() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                entry.add( OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange().toString()
+                    .toUpperCase() );
+            }
+
+            if ( entity.getSafeModify() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                entry.add( OLPW_SAFE_MODIFY, entity.getSafeModify().toString().toUpperCase() );
+            }
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new CreateException( GlobalErrIds.PSWD_CREATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final void update( PwPolicy entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( entity.getMinAge() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_MIN_AGE, entity.getMinAge().toString() ) );
+            }
+
+            if ( entity.getMaxAge() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_MAX_AGE, entity.getMaxAge().toString() ) );
+            }
+
+            if ( entity.getInHistory() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_IN_HISTORY, entity.getInHistory().toString() ) );
+            }
+
+            if ( entity.getCheckQuality() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() ) );
+            }
+
+            if ( entity.getMinLength() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_MIN_LENGTH, entity.getMinLength().toString() ) );
+            }
+
+            if ( entity.getExpireWarning() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_EXPIRE_WARNING, entity.getExpireWarning().toString() ) );
+            }
+
+            if ( entity.getGraceLoginLimit() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit().toString() ) );
+            }
+
+            if ( entity.getLockout() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() ) );
+            }
+
+            if ( entity.getLockoutDuration() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_LOCKOUT_DURATION, entity.getLockoutDuration().toString() ) );
+            }
+
+            if ( entity.getMaxFailure() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_MAX_FAILURE, entity.getMaxFailure().toString() ) );
+            }
+
+            if ( entity.getFailureCountInterval() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_FAILURE_COUNT_INTERVAL, entity.getFailureCountInterval().toString() ) );
+            }
+
+            if ( entity.getMustChange() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_MUST_CHANGE, entity.getMustChange().toString().toUpperCase() ) );
+            }
+
+            if ( entity.getAllowUserChange() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange().toString().toUpperCase() ) );
+            }
+
+            if ( entity.getSafeModify() != null )
+            {
+                /**
+                 * OpenLDAP requires the boolean values to be upper case:
+                 */
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    OLPW_SAFE_MODIFY, entity.getSafeModify().toString().toUpperCase() ) );
+            }
+
+            if ( mods != null && mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PSWD_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     */
+    final void remove( PwPolicy entity ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.PSWD_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param policy
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final PwPolicy getPolicy( PwPolicy policy ) throws FinderException
+    {
+        PwPolicy entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( policy );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, PASSWORD_POLICY_ATRS );
+            entity = unloadLdapEntry( findEntry, 0 );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getPolicy Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.PSWD_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getPolicy name [" + policy.getName() + "] caught LdapException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.PSWD_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param le
+     * @param sequence
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private PwPolicy unloadLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
+    {
+        PwPolicy entity = new ObjectFactory().createPswdPolicy();
+        entity.setSequenceId( sequence );
+        entity.setName( getRdn( le.getDn().getName() ) );
+        //entity.setAttribute(getAttribute(le, OLPW_ATTRIBUTE));
+        String val = getAttribute( le, OLPW_MIN_AGE );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setMinAge( new Integer( val ) );
+        }
+
+        val = getAttribute( le, OLPW_MAX_AGE );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setMaxAge( new Long( val ) );
+        }
+
+        val = getAttribute( le, OLPW_IN_HISTORY );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setInHistory( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_CHECK_QUALITY );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setCheckQuality( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_MIN_LENGTH );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setMinLength( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_EXPIRE_WARNING );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setExpireWarning( new Long( val ) );
+        }
+
+        val = getAttribute( le, OLPW_GRACE_LOGIN_LIMIT );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setGraceLoginLimit( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_LOCKOUT );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setLockout( Boolean.valueOf( val ) );
+        }
+
+        val = getAttribute( le, OLPW_LOCKOUT_DURATION );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setLockoutDuration( new Integer( val ) );
+        }
+
+        val = getAttribute( le, OLPW_MAX_FAILURE );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setMaxFailure( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_FAILURE_COUNT_INTERVAL );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setFailureCountInterval( new Short( val ) );
+        }
+
+        val = getAttribute( le, OLPW_MUST_CHANGE );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            //noinspection BooleanConstructorCall
+            entity.setMustChange( Boolean.valueOf( val ) );
+        }
+
+        val = getAttribute( le, OLPW_ALLOW_USER_CHANGE );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setAllowUserChange( Boolean.valueOf( val ) );
+        }
+
+        val = getAttribute( le, OLPW_SAFE_MODIFY );
+
+        if ( VUtil.isNotNullOrEmpty( val ) )
+        {
+            entity.setSafeModify( Boolean.valueOf( val ) );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param policy
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<PwPolicy> findPolicy( PwPolicy policy ) throws FinderException
+    {
+        List<PwPolicy> policyArrayList = new ArrayList<>();
+        LdapConnection ld = null;
+        String policyRoot = getPolicyRoot( policy.getContextId() );
+        String searchVal = null;
+
+        try
+        {
+            searchVal = encodeSafeText( policy.getName(), GlobalIds.PWPOLICY_NAME_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + OLPW_POLICY_CLASS + ")("
+                + GlobalIds.POLICY_NODE_TYPE + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, policyRoot,
+                SearchScope.ONELEVEL, filter, PASSWORD_POLICY_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                policyArrayList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPolicy name [" + searchVal + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPolicy name [" + searchVal + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return policyArrayList;
+    }
+
+
+    /**
+     * @return
+     * @throws FinderException
+     */
+    final Set<String> getPolicies( String contextId )
+        throws FinderException
+    {
+        Set<String> policySet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        LdapConnection ld = null;
+        String policyRoot = getPolicyRoot( contextId );
+
+        try
+        {
+            String filter = "(objectclass=" + OLPW_POLICY_CLASS + ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, policyRoot,
+                SearchScope.ONELEVEL, filter, PASSWORD_POLICY_NAME_ATR, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                policySet.add( getAttribute( searchResults.getEntry(), GlobalIds.CN ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getPolicies caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getPolicies caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return policySet;
+    }
+
+
+    private String getDn( PwPolicy policy )
+    {
+        return GlobalIds.POLICY_NODE_TYPE + "=" + policy.getName() + "," + getPolicyRoot( policy.getContextId() );
+    }
+
+
+    private String getPolicyRoot( String contextId )
+    {
+        return getRootDn( contextId, GlobalIds.PPOLICY_ROOT );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PolicyP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PolicyP.java b/src/main/java/org/apache/directory/fortress/core/rbac/PolicyP.java
index e6f935f..bdd31ba 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/PolicyP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PolicyP.java
@@ -30,7 +30,6 @@ import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.rbac.dao.unboundid.PolicyDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.directory.fortress.core.util.cache.Cache;
 import org.apache.directory.fortress.core.util.cache.CacheMgr;

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
index 8cc7c51..bbb00e6 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PwPolicyControl.java
@@ -20,8 +20,6 @@
 package org.apache.directory.fortress.core.rbac;
 
 
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPControl;
-
 
 /**
  * Interface is used to allow pluggable password policy interrogation.
@@ -37,5 +35,5 @@ public interface PwPolicyControl
      * @param isAuthenticated set to 'true' if password checks pass.
      * @param pwMsg describes the outcome of the policy checks.
      */
-    public void checkPasswordPolicy( LDAPControl[] controls, boolean isAuthenticated, PwMessage pwMsg );
+    public void checkPasswordPolicy( Object[] controls, boolean isAuthenticated, PwMessage pwMsg );
 }
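Review bot: Widening `checkPasswordPolicy` to `Object[] controls` drops the compile-time contract that `LDAPControl[]` gave, so every implementation now has to downcast blindly and a caller passing the wrong array type fails only at runtime, inside the password-policy check. If the controls now come from the Apache LDAP API, `org.apache.directory.api.ldap.model.message.Control[]` (the same package the new DAO code imports `SearchScope` from) would keep the method typed; if an untyped array is intentional, the Javadoc should say what implementations may expect, e.g. `@param controls bind response controls; elements are expected to be Apache LDAP API Control instances, check with instanceof before casting`. The `@param controls` line sits above the hunk and presumably still describes the old type, so it needs updating either way. The interface declaration itself starts outside the hunk.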

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Role.java b/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
index 0d9c20a..8651808 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Role.java
@@ -33,8 +33,6 @@ import javax.xml.bind.annotation.XmlSeeAlso;
 import javax.xml.bind.annotation.XmlTransient;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.UserDAO;
 import org.apache.directory.fortress.core.util.time.CUtil;
 import org.apache.directory.fortress.core.util.time.Constraint;
 
@@ -48,7 +46,7 @@ import org.apache.directory.fortress.core.util.time.Constraint;
  * <ol>
  * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
  * <li>Process layer:  {@link UserP}, {@link RoleP}, {@link PermP},...</li>
- * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
  * </ol>
  * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
  * provide enough information to uniquely identity the entity target within ldap.<br />

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/RoleDAO.java
new file mode 100755
index 0000000..7b62ba4
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/RoleDAO.java
@@ -0,0 +1,657 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.rbac.Graphable;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.RoleUtil;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+
+
+/**
+ * This class perform data access for Fortress Role entity.
+ * <p/>
+ * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
+ * <h4>1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
+ * <li> <code>NAME 'ftRls'</code>
+ * <li> <code>DESC 'Fortress Role Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftRoleName )</code>
+ * <li> <code>MAY ( description $ ftCstr ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Kevin McKinney
+ */
+final class RoleDAO extends ApacheDsDataProvider
+{
+    /*
+      *  *************************************************************************
+      *  **  OpenAccessMgr ROLE STATICS
+      *  ************************************************************************
+      */
+    private static final String ROLE_OCCUPANT = "roleOccupant";
+    private static final String ROLE_NM = "ftRoleName";
+
+    private static final String[] ROLE_NM_ATR =
+        {
+            ROLE_NM
+    };
+
+    private static final String[] ROLE_ATRS =
+        {
+            GlobalIds.FT_IID, ROLE_NM, GlobalIds.DESC, GlobalIds.CONSTRAINT, ROLE_OCCUPANT, GlobalIds.PARENT_NODES
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws CreateException
+     */
+    final Role create( Role entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+            entry.add( GlobalIds.OBJECT_CLASS, GlobalIds.ROLE_OBJ_CLASS );
+            entity.setId();
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+            entry.add( ROLE_NM, entity.getName() );
+
+            // description field is optional on this object class:
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // CN attribute is required for this object class:
+            entry.add( GlobalIds.CN, entity.getName() );
+            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+
+            // These multi-valued attributes are optional.  The utility function will return quietly if items are not loaded into collection:
+            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new CreateException( GlobalErrIds.ROLE_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final Role update( Role entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+                    GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOccupants() ) )
+            {
+                for ( String name : entity.getOccupants() )
+                {
+                    mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+                        ROLE_OCCUPANT, entity.getOccupants().toArray( new String[]
+                            {} ) ) );
+                }
+            }
+
+            if ( entity.isTemporalSet() )
+            {
+                String szRawData = CUtil.setConstraint( entity );
+
+                if ( VUtil.isNotNullOrEmpty( szRawData ) )
+                {
+                    mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
+                        GlobalIds.CONSTRAINT, szRawData ) );
+                }
+            }
+
+            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
+        }
+        catch ( Exception e )
+        {
+            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            try
+            {
+                closeAdminConnection( ld );
+            }
+            catch ( Exception e )
+            {
+                String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+                throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
+            }
+        }
+
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param entity
+     * @throws UpdateException
+     */
+    final void deleteParent( Role entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE,
+                GlobalIds.PARENT_NODES ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ROLE_REMOVE_PARENT_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param entity
+     * @param userDn
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final Role assign( Role entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+
+        try
+        {
+            //ld = getAdminConnection();
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ROLE_USER_ASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @param userDn
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final Role deassign( Role entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
+                + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ROLE_USER_DEASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param role
+     * @throws RemoveException
+     */
+    final void remove( Role role )
+        throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( role.getName(), role.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, role );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.ROLE_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final Role getRole( Role role )
+        throws FinderException
+    {
+        Role entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( role.getName(), role.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, ROLE_ATRS );
+            if(findEntry != null)
+            {
+                entity = unloadLdapEntry( findEntry, 0, role.getContextId() );
+            }
+            if ( entity == null )
+            {
+                String warning = "getRole no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getRole Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getRole dn [" + dn + "] LEXCD=" + e;
+            throw new FinderException( GlobalErrIds.ROLE_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Role> findRoles( Role role )
+        throws FinderException
+    {
+        List<Role> roleList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
+        String filter = null;
+
+        try
+        {
+            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     * @param role
+     * @param limit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<String> findRoles( Role role, int limit )
+        throws FinderException
+    {
+        List<String> roleList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
+        String filter = null;
+
+        try
+        {
+            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                roleList.add( getAttribute( entry, ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     *
+     * @param userDn
+     * @param contextId
+     * @return
+     * @throws FinderException
+     */
+    final List<String> findAssignedRoles( String userDn, String contextId )
+        throws FinderException
+    {
+        List<String> roleNameList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
+            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleNameList;
+    }
+
+
+    /**
+     *
+     * @param contextId
+     * @return
+     * @throws FinderException
+     */
+    final List<Graphable> getAllDescendants( String contextId )
+        throws FinderException
+    {
+        String[] DESC_ATRS =
+            { ROLE_NM, GlobalIds.PARENT_NODES };
+        List<Graphable> descendants = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
+        String filter = null;
+
+        try
+        {
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + GlobalIds.PARENT_NODES + "=*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, contextId ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return descendants;
+    }
+
+
+    /**
+     *
+     * @param le
+     * @param sequence
+     * @param contextId
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        Role entity = new ObjectFactory().createRole();
+        entity.setSequenceId( sequence );
+        entity.setName( getAttribute( le, ROLE_NM ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param le
+     * @param sequence
+     * @param contextId
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private Role unloadLdapEntry( Entry le, long sequence, String contextId ) throws LdapInvalidAttributeValueException
+    {
+        Role entity = new ObjectFactory().createRole();
+        entity.setSequenceId( sequence );
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setName( getAttribute( le, ROLE_NM ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
+        //entity.setParents(RoleUtil.getParents(entity.getName().toUpperCase(), contextId));
+        entity.setChildren( RoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        unloadTemporal( le, entity );
+
+        return entity;
+    }
+
+
+    private String getDn( String name, String contextId )
+    {
+        return GlobalIds.CN + "=" + name + "," + getRootDn( contextId, GlobalIds.ROLE_ROOT );
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java b/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
index 56e4a13..750c2c8 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/RoleP.java
@@ -27,8 +27,6 @@ import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
-import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 
 
@@ -52,7 +50,7 @@ import org.apache.directory.fortress.core.util.attr.VUtil;
  */
 public final class RoleP
 {
-    private static RoleDAO rDao = DaoFactory.createRoleDAO();
+    private static RoleDAO rDao = new RoleDAO();
 
     /**
      * Package private
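Review bot: The new `rDao` field is a mutable static, so the DAO instance shared by every `RoleP` caller can be swapped out by any later code in the class; unless something outside this hunk reassigns it (nothing visible here does), the line should read `private static final RoleDAO rDao = new RoleDAO();` so the compiler enforces that it is a single, fixed instance. Dropping the `DaoFactory` indirection also means the DAO type is now fixed at compile time, which is worth a one-line comment such as `// single package-private DAO instance; ApacheDS is the only supported provider` so a reader does not go looking for the removed factory. The `RoleP` class body continues outside the hunk.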

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/SdDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/SdDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/SdDAO.java
new file mode 100755
index 0000000..5888f85
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/SdDAO.java
@@ -0,0 +1,633 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.rbac.RoleUtil;
+import org.apache.directory.fortress.core.rbac.SDSet;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * This class performs persistence on the RBAC Static Separation of Duties and Dynamic Separation of Duties data sets.
+ * <p/>
+ * The Fortress SDSet entity is a composite of the following other Fortress structural and aux object classes:
+ * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.5.6.8 NAME 'organizationalRole'</code>
+ * <li> <code>DESC 'RFC2256: an organizational role'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST cn</code>
+ * <li> <code>MAY ( x121Address $ registeredAddress $ destinationIndicator $</code>
+ * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
+ * <li> <code>telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $</code>
+ * <li> <code>seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $</code>
+ * <li> <code>postOfficeBox $ postalCode $ postalAddress $</code>
+ * <li> <code>physicalDeliveryOfficeName $ ou $ st $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. The RBAC Separation of Duties</h4>
+ * <ul>
+ * <li>  ---Static Separation of Duties Set-------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.4</code>
+ * <li> <code>NAME 'ftSSDSet'</code>
+ * <li> <code>DESC 'Fortress Role Static Separation of Duty Set Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
+ * <li> <code>MAY ( ftRoles $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * OR
+ * <h4>Dynamic Separation of Duties Set</h4>
+ * <ul>
+ * <li>
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.5</code>
+ * <li> <code>NAME 'ftDSDSet'</code>
+ * <li> <code>DESC 'Fortress Role Dynamic Separation of Duty Set Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
+ * <li> <code>MAY ( ftRoles $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+final class SdDAO extends ApacheDsDataProvider
+{
+    private static final String SD_SET_NM = "ftSetName";
+    private static final String ROLES = "ftRoles";
+    private static final String SD_SET_CARDINALITY = "ftSetCardinality";
+
+    private static final String SSD_OBJECT_CLASS_NM = "ftSSDSet";
+    private static final String SSD_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP, SSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+
+    private static final String DSD_OBJECT_CLASS_NM = "ftDSDSet";
+    private static final String DSD_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP, DSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+
+    private static final String[] SD_SET_ATRS =
+        {
+            GlobalIds.FT_IID, SD_SET_NM, GlobalIds.DESC, ROLES, SD_SET_CARDINALITY
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     */
+    final SDSet create( SDSet entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+        String[] objectClass = SSD_OBJ_CLASS;
+
+        if ( entity.getType() == SDSet.SDType.DYNAMIC )
+        {
+            objectClass = DSD_OBJ_CLASS;
+        }
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+            entry.add( createAttributes( GlobalIds.OBJECT_CLASS, objectClass ) );
+            entity.setId();
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+            entry.add( SD_SET_NM, entity.getName() );
+
+            // description field is optional on this object class:
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // CN attribute is required for this object class:
+            entry.add( GlobalIds.CN, entity.getName() );
+            loadAttrs( entity.getMembers(), entry, ROLES );
+            entry.add( SD_SET_CARDINALITY, "" + entity.getCardinality() );
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create SD set name [" + entity.getName() + "] type [" + entity.getType()
+                + "] caught LdapException=" + e.getMessage();
+            int errCode;
+            if ( entity.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_ADD_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_ADD_FAILED;
+            }
+
+            throw new CreateException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     */
+    final SDSet update( SDSet entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( entity.getCardinality() != null )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, SD_SET_CARDINALITY, entity.getCardinality().toString() ) );
+            }
+
+            loadAttrs( entity.getMembers(), mods, ROLES );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update name [" + entity.getName() + "] type [" + entity.getType()
+                + "] caught LdapException=" + e.getMessage();
+            int errCode;
+            if ( entity.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_UPDATE_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_UPDATE_FAILED;
+            }
+
+            throw new UpdateException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     */
+    final SDSet remove( SDSet entity ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity.getName(), entity.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove SD name=" + entity.getName() + " type [" + entity.getType() + "] LdapException="
+                + e.getMessage();
+            int errCode;
+            if ( entity.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_DELETE_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_DELETE_FAILED;
+            }
+
+            throw new RemoveException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param sdSet
+     * @return
+     * @throws FinderException
+     */
+    final SDSet getSD( SDSet sdSet ) throws FinderException
+    {
+        SDSet entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( sdSet.getName(), sdSet.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, SD_SET_ATRS );
+            entity = unloadLdapEntry( findEntry, 0 );
+
+            if ( entity == null )
+            {
+                String warning = "getSD no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getSD Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getSSD dn [" + dn + "] LEXCD=" + e;
+            int errCode;
+
+            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_READ_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_READ_FAILED;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * Given an SSD name and type, find matching object in the directory.
+     * @param sdset requires name and type.
+     * @return List of matching SDSets.
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    final List<SDSet> search( SDSet sdset ) throws FinderException
+    {
+        List<SDSet> sdList = new ArrayList<>();
+        LdapConnection ld = null;
+        String ssdRoot = getSdRoot( sdset.getContextId() );
+        String objectClass = SSD_OBJECT_CLASS_NM;
+
+        if ( sdset.getType() == SDSet.SDType.DYNAMIC )
+        {
+            objectClass = DSD_OBJECT_CLASS_NM;
+        }
+
+        try
+        {
+            String searchVal = encodeSafeText( sdset.getName(), GlobalIds.ROLE_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(" + SD_SET_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, ssdRoot,
+                SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "search sdset name [" + sdset.getName() + "] type [" + sdset.getType()
+                + "] caught LdapException=" + e.getMessage();
+            int errCode;
+
+            if ( sdset.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "search sdset name [" + sdset.getName() + "] type [" + sdset.getType()
+                + "] caught LdapException=" + e.getMessage();
+            int errCode;
+
+            if ( sdset.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return sdList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    final List<SDSet> search( Role role, SDSet.SDType type ) throws FinderException
+    {
+        List<SDSet> sdList = new ArrayList<>();
+        LdapConnection ld = null;
+        String ssdRoot = getSdRoot( role.getContextId() );
+        String objectClass = SSD_OBJECT_CLASS_NM;
+
+        if ( type == SDSet.SDType.DYNAMIC )
+        {
+            objectClass = DSD_OBJECT_CLASS_NM;
+        }
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+            //String filter = GlobalIds.FILTER_PREFIX + SSD_OBJECT_CLASS_NM + ")(" + ROLES + "=" + roleVal + "))";
+            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(";
+            // Include any parents target role may have:
+            Set<String> roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                filter += "|(" + ROLES + "=" + roleVal + ")";
+
+                for ( String uRole : roles )
+                {
+                    filter += "(" + ROLES + "=" + uRole + ")";
+                }
+                filter += ")";
+            }
+            else
+            {
+                filter += ROLES + "=" + roleVal + ")";
+            }
+
+            filter += ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, ssdRoot,
+                SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
+
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "search role [" + role.getName() + "] type [" + type + "] caught LdapException="
+                + e.getMessage();
+            int errCode;
+
+            if ( type == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "search role [" + role.getName() + "] type [" + type + "] caught LdapException="
+                + e.getMessage();
+            int errCode;
+
+            if ( type == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return sdList;
+    }
+
+
+    /**
+     * @param roles
+     * @param sdSet
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    final Set<SDSet> search( Set<String> roles, SDSet sdSet ) throws FinderException
+    {
+        Set<SDSet> sdList = new HashSet<>();
+        LdapConnection ld = null;
+        String ssdRoot = getSdRoot( sdSet.getContextId() );
+        String objectClass = SSD_OBJECT_CLASS_NM;
+
+        if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
+        {
+            objectClass = DSD_OBJECT_CLASS_NM;
+        }
+
+        try
+        {
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(|";
+                for ( String rle : roles )
+                {
+                    filter += "(" + ROLES + "=" + rle + ")";
+                }
+                filter += "))";
+                ld = getAdminConnection();
+                SearchCursor searchResults = search( ld, ssdRoot,
+                    SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
+                long sequence = 0;
+
+                while ( searchResults.next() )
+                {
+                    sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
+                }
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "search type [" + sdSet.getType() + "] caught LdapException=" + e.getMessage();
+            int errCode;
+
+            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+            throw new FinderException( errCode, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "search type [" + sdSet.getType() + "] caught LdapException=" + e.getMessage();
+            int errCode;
+
+            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
+            {
+                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
+            }
+            else
+            {
+                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
+            }
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return sdList;
+    }
+
+
+    /**
+     * @param le
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private SDSet unloadLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
+    {
+        SDSet entity = new ObjectFactory().createSDset();
+        entity.setSequenceId( sequence );
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setName( getAttribute( le, SD_SET_NM ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        entity.setMembers( getAttributeSet( le, ROLES ) );
+        String szCard = getAttribute( le, SD_SET_CARDINALITY );
+        entity.setCardinality( new Integer( szCard ) );
+
+        return entity;
+    }
+
+
+    private String getDn( String name, String contextId )
+    {
+        return GlobalIds.CN + "=" + name + "," + getSdRoot( contextId );
+    }
+
+
+    private String getSdRoot( String contextId )
+    {
+        return getRootDn( contextId, GlobalIds.SD_ROOT );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/SdP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/SdP.java b/src/main/java/org/apache/directory/fortress/core/rbac/SdP.java
index fa06867..0b69838 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/SdP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/SdP.java
@@ -25,7 +25,6 @@ import java.util.Set;
 
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.dao.unboundid.SdDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 
 
@@ -39,7 +38,7 @@ import org.apache.directory.fortress.core.util.attr.VUtil;
  * This class performs data validations and error mapping in addition to calling DAO methods.  It is typically called
  * by internal Fortress Manager classes ({@link org.apache.directory.fortress.core.AdminMgr}, {@link org.apache.directory.fortress.core.ReviewMgr}) and also by internal SD utils.
  * This class is not intended to be called externally or outside of Fortress Core itself.  This class will accept {@link SDSet},
- * validate its contents and forward on to it's corresponding DAO {@link org.apache.directory.fortress.core.rbac.dao.unboundid.SdDAO}.
+ * validate its contents and forward on to it's corresponding DAO {@link org.apache.directory.fortress.core.rbac.SdDAO}.
  * <p>
  * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
  * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/User.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/User.java b/src/main/java/org/apache/directory/fortress/core/rbac/User.java
index 907063e..4f00ac1 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/User.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/User.java
@@ -34,7 +34,6 @@ import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlTransient;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.apache.UserDAO;
 import org.apache.directory.fortress.core.util.time.Constraint;
 
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/UserAudit.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/UserAudit.java b/src/main/java/org/apache/directory/fortress/core/rbac/UserAudit.java
index dc98611..1e01e2a 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/UserAudit.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/UserAudit.java
@@ -25,8 +25,6 @@ import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO;
-
 import java.util.Date;
 
 /**


[09/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
deleted file mode 100644
index efaf510..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AcceleratorDAO.java
+++ /dev/null
@@ -1,379 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.openldap.accelerator.api.addRole.RbacAddRoleRequest;
-import org.openldap.accelerator.api.addRole.RbacAddRoleRequestImpl;
-import org.openldap.accelerator.api.addRole.RbacAddRoleResponse;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequest;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequestImpl;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessResponse;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionRequest;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionRequestImpl;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionResponse;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequest;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequestImpl;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionResponse;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleRequest;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleRequestImpl;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleResponse;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequest;
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequestImpl;
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.Permission;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.rbac.UserRole;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-import java.util.ArrayList;
-import java.util.List;
-
-
-/**
- * Data access class for invoking RBAC Accelerator server-side operations.  This class utilizes the openldap accelerator component for LDAPv3 extended operations.
- * This class follows the pattern of {@link org.apache.directory.fortress.core.AccessMgr} except policy decisions are session state are made/stored on server-side and not client-side.
- * Its methods are not intended to be invoked by outside clients that should instead use {@link org.apache.directory.fortress.core.rbac.AccelMgrImpl}.
- *
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class AcceleratorDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.AcceleratorDAO
-
-{
-    private static final Logger LOG = LoggerFactory.getLogger( AcceleratorDAO.class.getName() );
-
-    /**
-     * Authenticate user and return sessionId inside {@link Session#sessionId}.
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#createSession(org.apache.directory.fortress.core.rbac.User, boolean)}
-     * Success will result in rbac session state, i.e. {@link org.apache.directory.fortress.core.rbac.Session}, to be stored on server-side.
-     * Result may be stored inside RBAC server-side audit record and retrieved with {@link org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.rbac.UserAudit)}
-     *
-     * It uses the {@link RbacCreateSessionRequest} and {@link RbacCreateSessionResponse} accelerator APIs.
-     *
-     * todo: this method does not yet, but will soon, return password policy decisions.
-     *
-     * @param user
-     * @return session contains a valid sessionId captured from accelerator createSession method.
-     *
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CREATE_SESSION_ERR}.
-     *
-     */
-    @Override
-    public final Session createSession( User user ) throws SecurityException
-    {
-        Session session = null;
-        LdapConnection ld = null;
-        try
-        {
-            ld = getAdminConnection();
-            ld.setTimeOut( 0 );
-            // Create a new RBAC session
-            RbacCreateSessionRequest rbacCreateSessionRequest = new RbacCreateSessionRequestImpl();
-            //rbacCreateSessionRequest.setTenantId( "jts" );
-            rbacCreateSessionRequest.setTenantId( user.getContextId() );
-            rbacCreateSessionRequest.setUserIdentity( user.getUserId() );
-            rbacCreateSessionRequest.setPassword( new String(user.getPassword()) );
-            if( VUtil.isNotNullOrEmpty( user.getRoles() ))
-            {
-                for ( UserRole userRole : user.getRoles())
-                {
-                    rbacCreateSessionRequest.addRole( userRole.getName() );
-                }
-            }
-            // Send the request
-            RbacCreateSessionResponse rbacCreateSessionResponse = ( RbacCreateSessionResponse ) ld.extended(
-                rbacCreateSessionRequest );
-            LOG.debug( "createSession userId: " + user.getUserId() + ", sessionId: " +  rbacCreateSessionResponse.getSessionId() + ", resultCode: " +   rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode());
-            session = new Session( user, rbacCreateSessionResponse.getSessionId() );
-            if(rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode() == 0)
-            {
-                session.setAuthenticated(true);
-            }
-            else
-            {
-                session.setAuthenticated(false);
-                String info = "createSession UserId [" + user.getUserId() + "] failed: " + rbacCreateSessionResponse.getLdapResult() + " , resultCode: " + rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode();
-                throw new SecurityException( GlobalErrIds.USER_PW_INVLD, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "createSession userId [" + user.getUserId() + "] caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_CREATE_SESSION_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return session;
-    }
-
-
-    /**
-     * Perform user rbac authorization.  This function returns a Boolean value meaning whether the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId correspond
-     * to the subject's active roles are registered in the object's access control list.
-     * It uses the {@link RbacCheckAccessRequest} and {@link RbacCheckAccessResponse} accelerator APIs.
-     *
-     * @param session This object must be instantiated by calling {@link #createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @param perm  must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, of permission User is trying to access.
-     * @return True if user has access, false otherwise.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CHECK_ACCESS_ERR}.
-     */
-    @Override
-    public boolean checkAccess( Session session, Permission perm )
-        throws SecurityException
-    {
-        boolean result = false;
-        LdapConnection ld = null;
-        try
-        {
-            ld = getAdminConnection();
-            RbacCheckAccessRequest rbacCheckAccessRequest = new RbacCheckAccessRequestImpl();
-            rbacCheckAccessRequest.setSessionId( session.getSessionId() );
-            rbacCheckAccessRequest.setObject( perm.getObjName() );
-            // objectId is optional
-            if(VUtil.isNotNullOrEmpty( perm.getObjId()))
-            {
-                rbacCheckAccessRequest.setObjectId( perm.getObjId() );
-            }
-            rbacCheckAccessRequest.setOperation( perm.getOpName() );
-            // Send the request
-            RbacCheckAccessResponse rbacCheckAccessResponse = ( RbacCheckAccessResponse ) ld.extended(
-                rbacCheckAccessRequest );
-            LOG.debug( "checkAccess result: {}", rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode());
-            if(rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode() == 0)
-            {
-                result = true;
-            }
-            else
-            {
-                result = false;
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "checkAccess perm obj [" + perm.getObjName() + "], operation [" + perm.getOpName() + "] caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_CHECK_ACCESS_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return result;
-    }
-
-
-    /**
-     * Deactivate user role from rbac session
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#dropActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
-     * Success will result in rbac session state to be modified inside server-side cache.
-     * It uses the {@link RbacDropRoleRequest} and {@link RbacDropRoleResponse} accelerator APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession method.
-     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DROP_ROLE_ERR}.
-     */
-    public void dropActiveRole( Session session, UserRole userRole ) throws SecurityException
-    {
-        LdapConnection ld = null;
-        try
-        {
-            ld = getAdminConnection();
-            RbacDropRoleRequest dropRoleRequest = new RbacDropRoleRequestImpl();
-            dropRoleRequest.setSessionId( session.getSessionId() );
-            dropRoleRequest.setRole( userRole.getName() );
-            dropRoleRequest.setUserIdentity( userRole.getUserId() );
-            // Send the request
-            RbacDropRoleResponse rbacDropRoleResponse = ( RbacDropRoleResponse ) ld.extended(
-                dropRoleRequest );
-            LOG.debug( "dropActiveRole result: {}", rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode());
-            if(rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
-            {
-                String info = "dropActiveRole Role [" + userRole.getName() + "] User ["
-                    + session.getUserId() + "], not previously activated.";
-                throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "dropActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_DROP_ROLE_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-    /**
-     * Activate user role into rbac session
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#addActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
-     * Success will result in rbac session state to be modified inside server-side cache.
-     * It uses the {@link RbacAddRoleRequest} and {@link RbacAddRoleResponse} accelerator APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession method.
-     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_ADD_ROLE_ERR}.
-     */
-    public void addActiveRole( Session session, UserRole userRole ) throws SecurityException
-    {
-        LdapConnection ld = null;
-        try
-        {
-            ld = getAdminConnection();
-            RbacAddRoleRequest addRoleRequest = new RbacAddRoleRequestImpl();
-            addRoleRequest.setSessionId( session.getSessionId() );
-            addRoleRequest.setRole( userRole.getName() );
-            addRoleRequest.setUserIdentity( userRole.getUserId() );
-            // Send the request
-            RbacAddRoleResponse rbacAddRoleResponse = ( RbacAddRoleResponse ) ld.extended(
-                addRoleRequest );
-            LOG.debug( "addActiveRole result: {}", rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode());
-            if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
-            {
-                String info;
-                int rc;
-                if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() == 20)
-                {
-                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
-                        + session.getUserId() + "], already activated.";
-                    rc = GlobalErrIds.URLE_ALREADY_ACTIVE;
-                }
-                else
-                {
-                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
-                        + session.getUserId() + "], not authorized for user.";
-                    rc = GlobalErrIds.URLE_ACTIVATE_FAILED;
-                }
-                throw new SecurityException( rc, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "addActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_ADD_ROLE_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-    /**
-     * Delete the stored session on rbac accelerator server.
-     * It uses the {@link RbacDeleteSessionRequest} and {@link RbacDeleteSessionResponse} accelerator APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession method.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DELETE_SESSION_ERR}.
-     */
-    public void deleteSession( Session session ) throws SecurityException
-    {
-        LdapConnection ld = null;
-        try
-        {
-            ld = getAdminConnection();
-            RbacDeleteSessionRequest deleteSessionRequest = new RbacDeleteSessionRequestImpl();
-            deleteSessionRequest.setSessionId( session.getSessionId() );
-            deleteSessionRequest.setUserIdentity( session.getUserId() );
-            // Send the request
-            RbacDeleteSessionResponse deleteSessionResponse = ( RbacDeleteSessionResponse ) ld.extended(
-                deleteSessionRequest );
-            LOG.debug( "deleteSession result: {}", deleteSessionResponse.getLdapResult().getResultCode().getResultCode());
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteSession caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_DELETE_SESSION_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * SessionRoles returns a list of UserRole's activated for user on rbac server.
-     * It uses the {@link RbacSessionRolesRequest} and {@link RbacSessionRolesResponse} accelerator APIs.
-     *
-     * todo: This method does not yet, but will soon populate temporal constraints associated with entities returned.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession method.
-     * @return List of type UserRole.  May be null if user has no roles activated in session stored - server side.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_SESSION_ROLES_ERR}.
-     */
-    public List<UserRole> sessionRoles( Session session ) throws SecurityException
-    {
-        LdapConnection ld = null;
-        List<UserRole> userRoleList = null;
-        try
-        {
-            ld = getAdminConnection();
-            RbacSessionRolesRequest sessionRolesRequest = new RbacSessionRolesRequestImpl();
-            sessionRolesRequest.setSessionId( session.getSessionId() );
-            sessionRolesRequest.setUserIdentity( session.getUserId() );
-            // Send the request
-            RbacSessionRolesResponse sessionRolesResponse = ( RbacSessionRolesResponse ) ld.extended(
-                sessionRolesRequest );
-            LOG.debug( "sessionRoles result: {}", sessionRolesResponse.getLdapResult().getResultCode().getResultCode());
-            if(VUtil.isNotNullOrEmpty( sessionRolesResponse.getRoles() ) )
-            {
-                userRoleList = new ArrayList<>(  );
-                for( String roleNm : sessionRolesResponse.getRoles() )
-                {
-                    userRoleList.add( new UserRole( session.getUserId(), roleNm ) );
-                    // todo: add temporal constraints here
-                }
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "sessionRoles caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_SESSION_ROLES_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return userRoleList;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AdminRoleDAO.java
deleted file mode 100755
index 20a1648..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AdminRoleDAO.java
+++ /dev/null
@@ -1,694 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.AdminRoleP;
-import org.apache.directory.fortress.core.rbac.AdminRoleUtil;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-
-/**
- * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link AdminRole}.
- * <p/>
- * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
- * <li> <code>NAME 'ftPools'</code>
- * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class AdminRoleDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO
-{
-    private static final String ROLE_OCCUPANT = "roleOccupant";
-    private static final String ROLE_OSP = "ftOSP";
-    private static final String ROLE_OSU = "ftOSU";
-    private static final String ROLE_RANGE = "ftRange";
-    private static final String POOLS_AUX_OBJECT_CLASS_NAME = "ftPools";
-    private static final String ADMIN_ROLE_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            GlobalIds.ROLE_OBJECT_CLASS_NM,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            POOLS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-    private static final String ROLE_NM = "ftRoleName";
-    private static final String[] ROLE_NM_ATR =
-        {
-            ROLE_NM
-    };
-
-    private static final String[] ROLE_ATRS =
-        {
-            GlobalIds.FT_IID,
-            ROLE_NM,
-            GlobalIds.DESC,
-            GlobalIds.CONSTRAINT,
-            ROLE_OCCUPANT,
-            ROLE_OSP,
-            ROLE_OSU,
-            ROLE_RANGE,
-            GlobalIds.PARENT_NODES
-    };
-
-
-    /**
-     * Create a new AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
-     */
-    public final AdminRole create( AdminRole entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-
-            entry.add( GlobalIds.OBJECT_CLASS, ADMIN_ROLE_OBJ_CLASS );
-            entity.setId();
-            entry.add( GlobalIds.FT_IID, entity.getId() );
-            entry.add( ROLE_NM, entity.getName() );
-
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // CN attribute is required for this object class:
-            entry.add( GlobalIds.CN, entity.getName() );
-            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
-            loadAttrs( entity.getOsP(), entry, ROLE_OSP );
-            loadAttrs( entity.getOsU(), entry, ROLE_OSU );
-            String szRaw = entity.getRoleRangeRaw();
-
-            if ( VUtil.isNotNullOrEmpty( szRaw ) )
-            {
-                entry.add( ROLE_RANGE, szRaw );
-            }
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.ARLE_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole update( AdminRole entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOccupants() ) )
-            {
-                for ( String name : entity.getOccupants() )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REPLACE_ATTRIBUTE, ROLE_OCCUPANT, name ) );
-                }
-            }
-
-            if ( entity.isTemporalSet() )
-            {
-                String szRawData = CUtil.setConstraint( entity );
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
-                }
-            }
-
-            loadAttrs( entity.getOsU(), mods, ROLE_OSU );
-            loadAttrs( entity.getOsP(), mods, ROLE_OSP );
-            String szRaw = entity.getRoleRangeRaw();
-
-            if ( VUtil.isNotNullOrEmpty( szRaw ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, ROLE_RANGE, szRaw ) );
-            }
-
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    public final void deleteParent( AdminRole entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_REMOVE_PARENT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will add the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being assigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole assign( AdminRole entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_ASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * This method will remove the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being deassigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole deassign( AdminRole entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification(
-                ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
-                + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_DEASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
-     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param role record contains {@link AdminRole#name}.
-     * @throws RemoveException in the event LDAP errors occur.
-     */
-    public final void remove( AdminRole role ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( role );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, role );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.ARLE_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
-     *
-     * @param adminRole maps to {@link AdminRole#name}.
-     * @return AdminRole back to client.
-     * @throws FinderException in the event LDAP errors occur.
-     */
-    public final AdminRole getRole( AdminRole adminRole ) throws FinderException
-    {
-        AdminRole entity = null;
-        LdapConnection ld = null;
-        String dn = getDn( adminRole );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, ROLE_ATRS );
-            entity = unloadLdapEntry( findEntry, 0, adminRole.getContextId() );
-
-            if ( entity == null )
-            {
-                String warning = "getRole name [" + adminRole.getName() + "] no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getRole name [" + adminRole.getName() + "] Obj COULD NOT FIND ENTRY for dn [" + dn
-                + "]";
-            throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getRole dn [" + dn + "] LEXCD=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param adminRole
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<AdminRole> findRoles( AdminRole adminRole ) throws FinderException
-    {
-        List<AdminRole> roleList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-
-        try
-        {
-            String searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, adminRole.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     * @param adminRole
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> findRoles( AdminRole adminRole, int limit ) throws FinderException
-    {
-        List<String> roleList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-        String searchVal = null;
-
-        try
-        {
-            searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.next() )
-            {
-                Entry entry = searchResults.getEntry();
-                roleList.add( getAttribute( entry, ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     * @param userDn
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException
-    {
-        List<String> roleNameList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
-            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleNameList;
-    }
-
-
-    /**
-      *
-      * @param contextId
-      * @return
-      * @throws FinderException
-      */
-    public final List<Graphable> getAllDescendants( String contextId )
-        throws FinderException
-    {
-        String[] DESC_ATRS =
-            { ROLE_NM, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-        String filter = null;
-
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, contextId ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return descendants;
-    }
-
-
-    /**
-    *
-    * @param le
-    * @param sequence
-    * @param contextId
-    * @return
-     * @throws LdapInvalidAttributeValueException 
-    * @throws LdapException
-    */
-    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private AdminRole unloadLdapEntry( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        AdminRole entity = new ObjectFactory().createAdminRole();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
-        entity.setOsP( getAttributeSet( le, ROLE_OSP ) );
-        entity.setOsU( getAttributeSet( le, ROLE_OSU ) );
-        unloadTemporal( le, entity );
-        entity.setRoleRangeRaw( getAttribute( le, ROLE_RANGE ) );
-        //entity.setParents(AdminRoleUtil.getParents(entity.getName().toUpperCase(), contextId));
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        entity.setChildren( AdminRoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        return entity;
-    }
-
-
-    private String getDn( AdminRole adminRole )
-    {
-        return GlobalIds.CN + "=" + adminRole.getName() + ","
-            + getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AuditDAO.java
deleted file mode 100755
index a7f2cdb..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/AuditDAO.java
+++ /dev/null
@@ -1,784 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.AuthZ;
-import org.apache.directory.fortress.core.rbac.Bind;
-import org.apache.directory.fortress.core.rbac.Mod;
-import org.apache.directory.fortress.core.rbac.UserAudit;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-
-/**
- * This class performs data access for OpenLDAP synch repl log data
- * <p/>
- * <h3>1. Binds</h3>
- * <p/>
- * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
- * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
- * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
- * <code># which contains the Bind Method used in the Bind. This will be the string</code>
- * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
- * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
- * <code># the current database will be logged:</code>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
- * <li> <code>DESC 'Bind operation'</code>
- * <li> <code>SUP auditObject STRUCTURAL</code>
- * <li> <code>MUST ( reqVersion $ reqMethod ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <h3>2. Authorizations</h3>
- * <code>For  the  Search class the reqScope attribute contains the scope of the</code><br />
- * <code>original search request, using the values specified for  the  LDAP  URL</code><br />
- * <code>format. I.e.  base, one, sub, or subord.  The reqDerefAliases attribute</code><br />
- * <code>is one of never, finding, searching, or always,  denoting  how  aliases</code><br />
- * <code>will  be  processed during the search.  The reqAttrsOnly attribute is a</code><br />
- * <code>Boolean value showing TRUE if only attribute names were  requested,  or</code><br />
- * <code>FALSE  if  attributes  and  their values were requested.  The reqFilter</code><br />
- * <code>attribute carries the filter used in the search request.   The  reqAttr</code><br />
- * <code>attribute  lists  the  requested attributes if specific attributes were</code><br />
- * <code>requested.  The reqEntries attribute is the integer count of  how  many</code><br />
- * <code>entries  were  returned  by  this search request.  The reqSizeLimit and</code><br />
- * <code>reqTimeLimit attributes indicate what  limits  were  requested  on  the</code><br />
- * <code>search operation.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass  (  1.3.6.1.4.1.4203.666.11.5.2.11</code>
- * <li> <code>NAME 'auditSearch'</code>
- * <li> <code>DESC 'Search operation'</code>
- * <li> <code>SUP auditReadObject STRUCTURAL</code>
- * <li> <code>MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )</code>
- * <li> <code>MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $</code>
- * <li> <code>reqTimeLimit ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * <p/>
- * <h3>3. Modifications</h3>
- * The auditModify Structural object class is used to store Fortress update and delete events that can later be queried via ldap API.<br />
- * The deletions can be recorded in this manner and associated with Fortress context because deletions will perform a modification first
- * if audit is enabled.
- * <p/>
- * <code>The Modify operation contains a description  of  modifications  in  the</code><br />
- * <code>reqMod  attribute,  which  was  already  described  above  in  the  Add</code><br />
- * <code>operation. It may optionally  contain  the  previous  contents  of  any</code><br />
- * <code>modified  attributes  in the reqOld attribute, using the same format as</code><br />
- * <code>described above for the Delete operation.  The reqOld attribute is only</code><br />
- * <code>populated  if  the  entry  being modified matches the configured logold</code><br />
- * <code>filter.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.9</code>
- * <li> <code>NAME 'auditModify'</code>
- * <li> <code>DESC 'Modify operation'</code>
- * <li> <code>SUP auditWriteObject STRUCTURAL</code>
- * <li> <code>MAY reqOld MUST reqMod )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * Note this class used descriptions pulled from man pages on slapd access log.
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class AuditDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.AuditDAO
-{
-    private static final String CREATETIMESTAMP = "createTimestamp";
-    private static final String CREATORSNAME = "creatorsName";
-    private static final String ENTRYCSN = "entryCSN";
-    private static final String ENTRYDN = "entryDN";
-    private static final String ENTRYUUID = "entryUUID";
-    private static final String HASSUBORDINATES = "hasSubordinates";
-    private static final String MODIFIERSNAME = "modifiersName";
-    private static final String MODIFYTIMESTAMP = "modifyTimestamp";
-    private static final String OBJECTCLASS = "objectClass";
-    private static final String REQUAUTHZID = "reqAuthzID";
-    private static final String REQCONTROLS = "reqControls";
-    private static final String REQDN = "reqDN";
-    private static final String REQEND = "reqEnd";
-    private static final String REQMETHOD = "reqMethod";
-    private static final String REQRESULT = "reqResult";
-    private static final String REQSESSION = "reqSession";
-    private static final String REQSTART = "reqStart";
-    private static final String REQTYPE = "reqType";
-    private static final String REQVERSION = "reqVersion";
-    private static final String REQMOD = "reqMod";
-    private static final String STRUCTURALOBJECTCLASS = "structuralObjectClass";
-    private static final String SUBSCHEMAENTRY = "subschemaSubentry";
-    private static final String REQATTR = "reqAttr";
-    private static final String REQATTRSONLY = "reqAttrsOnly";
-    private static final String REQDREFALIASES = "reqDerefAliases";
-    private static final String REQENTRIES = "reqEntries";
-    private static final String REQFILTER = "reqFilter";
-    private static final String REQSCOPE = "reqScope";
-    private static final String REQSIZELIMIT = "reqSizeLimit";
-    private static final String REQTIMELIMIT = "reqTimeLimit";
-    private static final String REQASSERTION = "reqAssertion";
-    private static final String ACCESS_BIND_CLASS_NM = "auditBind";
-    //private static final String ACCESS_AUTHZ_CLASS_NM = "auditSearch";
-    private static final String ACCESS_AUTHZ_CLASS_NM = "auditCompare";
-    private static final String ACCESS_MOD_CLASS_NM = "auditModify";
-    private static final String ACCESS_ADD_CLASS_NM = "auditAdd";
-    private static final String AUDIT_ROOT = "audit.root";
-
-    private static final String[] AUDIT_AUTHZ_ATRS =
-        {
-            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
-            MODIFYTIMESTAMP, OBJECTCLASS, REQATTR, REQATTRSONLY, REQUAUTHZID, REQCONTROLS, REQDN, REQDREFALIASES,
-            REQEND, REQENTRIES, REQFILTER, REQRESULT, REQSCOPE, REQSESSION, REQSIZELIMIT, REQSTART, REQTIMELIMIT,
-            REQTYPE, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
-    };
-
-    private static final String[] AUDIT_BIND_ATRS =
-        {
-            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
-            MODIFYTIMESTAMP, OBJECTCLASS, REQUAUTHZID, REQCONTROLS, REQDN, REQEND, REQMETHOD, REQRESULT,
-            REQSESSION, REQSTART, REQTYPE, REQVERSION, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
-    };
-
-    private static final String[] AUDIT_MOD_ATRS =
-        {
-            OBJECTCLASS, REQUAUTHZID, REQDN, REQEND, REQRESULT, REQSESSION, REQSTART, REQTYPE, REQMOD
-    };
-
-
-    /**
-     * This method returns failed authentications where the userid is not present in the directory.  This
-     * is possible because Fortress performs read on user before the bind.
-     * User:
-     * dn: reqStart=20101014235402.000000Z, cn=log
-     * reqStart: 20101014235402.000000Z
-     * reqEnd: 20101014235402.000001Z
-     * reqAuthzID: cn=Manager,dc=jts,dc=com
-     * reqDerefAliases: never
-     * reqSession: 84
-     * reqAttrsOnly: FALSE
-     * reqSizeLimit: -1
-     * objectClass: auditSearch
-     * reqResult: 32
-     * reqAttr: ftId
-     * reqAttr: uid
-     * reqAttr: userpassword
-     * reqAttr: description
-     * reqAttr: ou
-     * reqAttr: cn
-     * reqAttr: sn
-     * reqAttr: ftRoleCstr
-     * reqAttr: ftCstr
-     * reqAttr: ftRoleAsgn
-     * reqAttr: pwdReset
-     * reqAttr: pwdAccountLockedTime
-     * reqAttr: ftProps
-     * reqEntries: 0
-     * reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
-     * reqType: search
-     * reqDN: uid=foo,ou=People,dc=jts,dc=com        /cal/cal2.jsp
-     * reqTimeLimit: -1
-     * reqScope: base
-     *
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> searchInvalidAuthNs( UserAudit audit ) throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = Config.getProperty( GlobalIds.USER_ROOT );
-
-        try
-        {
-            // use wildcard for user if not passed in:
-            //reqDN: uid=foo,ou=People,dc=jts,dc=com
-            //(&
-            //  (objectclass=auditSearch)
-            //      (reqDN=uid=*,ou=People,dc=jts,dc=com)
-            //      (reqAuthzID=cn=Manager,dc=jts,dc=com)
-            //      (reqEntries=0)
-            // )
-
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
-            String userId;
-
-            if ( VUtil.isNotNullOrEmpty( audit.getUserId() ) )
-            {
-                userId = audit.getUserId();
-                filter += REQDN + "=" + GlobalIds.UID + "=" + userId + "," + userRoot + ")(" +
-                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
-            }
-            else
-            {
-                // pull back all failed authN attempts for all users:
-                filter += REQATTR + "=" + GlobalIds.UID + ")(" +
-                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
-            }
-
-            if ( audit.isFailedOnly() )
-            {
-                filter += "(" + REQENTRIES + "=" + 0 + ")";
-            }
-
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-
-            filter += ")";
-
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                AuthZ authZ = getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ );
-                // todo: fix this workaround. This search will return failed role assign searches as well.  
-                // Work around is to remove the ou=People failed searches from user failed searches on authN.
-                if ( !AttrHelper.getAuthZId( authZ.getReqDN() ).equalsIgnoreCase( "People" ) )
-                    auditList.add( authZ );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> searchAuthZs( UserAudit audit ) throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String permRoot = getRootDn( audit.isAdmin(), audit.getContextId() );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String reqDn = PermDAO.getOpRdn( audit.getOpName(), audit.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-                + audit.getObjName() + "," + permRoot;
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" +
-                reqDn + ")(" + REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-
-            if ( audit.isFailedOnly() )
-            {
-                filter += "(!(" + REQRESULT + "=" + 6 + "))";
-            }
-
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-
-            filter += ")";
-
-            //System.out.println("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                auditList.add( getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return auditList;
-    }
-
-
-    private String getRootDn( boolean isAdmin, String contextId )
-    {
-        String dn;
-
-        if ( isAdmin )
-        {
-            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
-        }
-        else
-        {
-            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
-        }
-
-        return dn;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> getAllAuthZs( UserAudit audit ) throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
-
-            if ( audit.getUserId() != null && audit.getUserId().length() > 0 )
-            {
-                filter += REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-            }
-            else
-            {
-                // have to limit the query to only authorization entries.
-                // TODO: determine why the cn=Manager user is showing up in this search:
-                filter += REQUAUTHZID + "=*)(!(" + REQUAUTHZID + "=cn=Manager," + Config.getProperty( GlobalIds.SUFFIX )
-                    + "))";
-
-                // TODO: fix this so filter by only the Fortress AuthZ entries and not the others:
-                if ( audit.isFailedOnly() )
-                {
-                    filter += "(!(" + REQRESULT + "=" + 6 + "))";
-                }
-            }
-
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-
-            filter += ")";
-
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                auditList.add( getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Bind> searchBinds( UserAudit audit ) throws FinderException
-    {
-        List<Bind> auditList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter;
-
-            if ( audit.getUserId() != null && audit.getUserId().length() > 0 )
-            {
-                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")(" +
-                    REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-
-                if ( audit.isFailedOnly() )
-                {
-                    filter += "(" + REQRESULT + ">=" + 1 + ")";
-                }
-
-                if ( audit.getBeginDate() != null )
-                {
-                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                    filter += "(" + REQEND + ">=" + szTime + ")";
-                }
-
-                filter += ")";
-            }
-            else
-            {
-                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")";
-
-                if ( audit.isFailedOnly() )
-                {
-                    filter += "(" + REQRESULT + ">=" + 1 + ")";
-                }
-
-                if ( audit.getBeginDate() != null )
-                {
-                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                    filter += "(" + REQEND + ">=" + szTime + ")";
-                }
-
-                filter += ")";
-            }
-
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_BIND_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                auditList.add( getBindEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "LdapException in AuditDAO.searchBinds id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_BIND_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "LdapException in AuditDAO.searchBinds id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_BIND_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Mod> searchUserMods( UserAudit audit ) throws FinderException
-    {
-        List<Mod> modList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_MOD_CLASS_NM + ")(" +
-                REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-
-            filter += ")";
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                modList.add( getModEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "searchUserMods caught LdapException id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "searchUserMods caught LdapException id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return modList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws FinderException
-     */
-    public final List<Mod> searchAdminMods( UserAudit audit ) throws FinderException
-    {
-        List<Mod> modList = new ArrayList<>();
-        LdapConnection ld = null;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-
-        try
-        {
-            String filter = "(&(|(objectclass=" + ACCESS_MOD_CLASS_NM + ")";
-            filter += "(objectclass=" + ACCESS_ADD_CLASS_NM + "))";
-
-            if ( VUtil.isNotNullOrEmpty( audit.getDn() ) )
-            {
-                filter += "(" + REQDN + "=" + audit.getDn() + ")";
-            }
-
-            if ( VUtil.isNotNullOrEmpty( audit.getObjName() ) )
-            {
-                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":= " + audit.getObjName() + ".";
-
-                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
-                {
-                    filter += audit.getOpName();
-                }
-
-                filter += "*)";
-                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":+ " + audit.getObjName() + ".";
-
-                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
-                {
-                    filter += audit.getOpName();
-                }
-
-                filter += "*))";
-            }
-
-            if ( VUtil.isNotNullOrEmpty( audit.getInternalUserId() ) )
-            {
-                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":= " + audit.getInternalUserId() + ")";
-                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":+ " + audit.getInternalUserId() + "))";
-            }
-
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-
-            if ( audit.getEndDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getEndDate() );
-                filter += "(" + REQEND + "<=" + szTime + ")";
-            }
-
-            filter += ")";
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            SearchCursor searchResults = search( ld, auditRoot,
-                SearchScope.ONELEVEL, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                modList.add( getModEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "searchAdminMods caught LdapException id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_ADMIN_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "searchAdminMods caught LdapException id=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_ADMIN_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-
-        return modList;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private Bind getBindEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
-    {
-
-        Bind auditBind = new ObjectFactory().createBind();
-        auditBind.setSequenceId( sequence );
-        auditBind.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
-        auditBind.setCreatorsName( getAttribute( le, CREATORSNAME ) );
-        auditBind.setEntryCSN( getAttribute( le, ENTRYCSN ) );
-        auditBind.setEntryDN( getAttribute( le, ENTRYDN ) );
-        auditBind.setEntryUUID( getAttribute( le, ENTRYUUID ) );
-        auditBind.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
-        auditBind.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
-        auditBind.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
-        auditBind.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        auditBind.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        auditBind.setReqControls( getAttribute( le, REQCONTROLS ) );
-        auditBind.setReqDN( getAttribute( le, REQDN ) );
-        auditBind.setReqEnd( getAttribute( le, REQEND ) );
-        auditBind.setReqMethod( getAttribute( le, REQMETHOD ) );
-        auditBind.setReqResult( getAttribute( le, REQRESULT ) );
-        auditBind.setReqSession( getAttribute( le, REQSESSION ) );
-        auditBind.setReqStart( getAttribute( le, REQSTART ) );
-        auditBind.setReqType( getAttribute( le, REQTYPE ) );
-        auditBind.setReqVersion( getAttribute( le, REQVERSION ) );
-        auditBind.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
-
-        return auditBind;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private AuthZ getAuthzEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
-    {
-
-        // these attrs also on audit bind OC:
-        AuthZ authZ = new ObjectFactory().createAuthZ();
-        authZ.setSequenceId( sequence );
-        authZ.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
-        authZ.setCreatorsName( getAttribute( le, CREATORSNAME ) );
-        authZ.setEntryCSN( getAttribute( le, ENTRYCSN ) );
-        authZ.setEntryDN( getAttribute( le, ENTRYDN ) );
-        authZ.setEntryUUID( getAttribute( le, ENTRYUUID ) );
-        authZ.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
-        authZ.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
-        authZ.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
-        authZ.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        authZ.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        authZ.setReqControls( getAttribute( le, REQCONTROLS ) );
-        authZ.setReqDN( getAttribute( le, REQDN ) );
-        authZ.setReqEnd( getAttribute( le, REQEND ) );
-        authZ.setReqResult( getAttribute( le, REQRESULT ) );
-        authZ.setReqSession( getAttribute( le, REQSESSION ) );
-        authZ.setReqStart( getAttribute( le, REQSTART ) );
-        authZ.setReqType( getAttribute( le, REQTYPE ) );
-        authZ.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
-
-        // these attrs only on audit search OC:
-        authZ.setReqAttr( getAttribute( le, REQATTR ) );
-        authZ.setReqAttrsOnly( getAttribute( le, REQATTRSONLY ) );
-        authZ.setReqDerefAliases( getAttribute( le, REQDREFALIASES ) );
-        authZ.setReqEntries( getAttribute( le, REQENTRIES ) );
-        authZ.setReqFilter( getAttribute( le, REQFILTER ) );
-        authZ.setReqScope( getAttribute( le, REQSCOPE ) );
-        authZ.setReqSizeLimit( getAttribute( le, REQSIZELIMIT ) );
-        authZ.setReqTimeLimit( getAttribute( le, REQTIMELIMIT ) );
-
-        return authZ;
-    }
-
-
-    private Mod getModEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
-    {
-        Mod mod = new ObjectFactory().createMod();
-        mod.setSequenceId( sequence );
-        mod.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        mod.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        mod.setReqDN( getAttribute( le, REQDN ) );
-        mod.setReqEnd( getAttribute( le, REQEND ) );
-        mod.setReqResult( getAttribute( le, REQRESULT ) );
-        mod.setReqSession( getAttribute( le, REQSESSION ) );
-        mod.setReqStart( getAttribute( le, REQSTART ) );
-        mod.setReqType( getAttribute( le, REQTYPE ) );
-        mod.setReqMod( getAttributes( le, REQMOD ) );
-
-        return mod;
-    }
-}
\ No newline at end of file


[02/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
deleted file mode 100755
index 2c953e1..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/UserDAO.java
+++ /dev/null
@@ -1,2365 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.PasswordException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.ldap.openldap.OLPWControlImpl;
-import org.apache.directory.fortress.core.rbac.Address;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.GlobalPwMsgIds;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PwMessage;
-import org.apache.directory.fortress.core.rbac.PwPolicyControl;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.rbac.UserAdminRole;
-import org.apache.directory.fortress.core.rbac.UserRole;
-import org.apache.directory.fortress.core.rbac.Warning;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * Data access class for LDAP User entity.
- * <p/>
- * <p/>
- * The Fortress User LDAP schema follows:
- * <p/>
- * <h4>1. InetOrgPerson Structural Object Class </h4>
- * <code># The inetOrgPerson represents people who are associated with an</code><br />
- * <code># organization in some way.  It is a structural class and is derived</code><br />
- * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
- * <li> <code>NAME 'inetOrgPerson'</code>
- * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
- * <li> <code>SUP organizationalPerson</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
- * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
- * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
- * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
- * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
- * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
- * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
- * <li> <code>NAME 'ftUserAttrs'</code>
- * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( ftId )</code>
- * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- * @created August 30, 2009
- */
-public final class UserDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.UserDAO
-{
-    private static final String CLS_NM = UserDAO.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static PwPolicyControl pwControl;
-
-    /**
-     * Initialize the OpenLDAP Pw Policy validator.
-     */
-    static
-    {
-        if ( GlobalIds.IS_OPENLDAP )
-        {
-            pwControl = new OLPWControlImpl();
-        }
-    }
-
-    /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr USERS STATICS
-      *  ************************************************************************
-      */
-    private static final String USERS_AUX_OBJECT_CLASS_NAME = "ftUserAttrs";
-    private static final String ORGANIZATIONAL_PERSON_OBJECT_CLASS_NAME = "organizationalPerson";
-    private static final String USER_OBJECT_CLASS = "user.objectclass";
-    private static final String USERS_EXTENSIBLE_OBJECT = "extensibleObject";
-
-    // The Fortress User entity attributes are stored within standard LDAP object classes along with custom auxiliary object classes:
-    private static final String USER_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            Config.getProperty( USER_OBJECT_CLASS ),
-            USERS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME,
-            USERS_EXTENSIBLE_OBJECT
-    };
-
-    private static final String objectClassImpl = Config.getProperty( USER_OBJECT_CLASS );
-    private static final String SN = "sn";
-    private static final String PW = "userpassword";
-    private static final String SYSTEM_USER = "ftSystem";
-
-    /**
-     * Constant contains the locale attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String L = "l";
-
-    /**
-     * Constant contains the postal address attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POSTAL_ADDRESS = "postalAddress";
-
-    /**
-     * Constant contains the state attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String STATE = "st";
-
-    /**
-     * Constant contains the postal code attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POSTAL_CODE = "postalCode";
-
-    /**
-     * Constant contains the post office box attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POST_OFFICE_BOX = "postOfficeBox";
-
-    /**
-     * Constant contains the country attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String COUNTRY = "c";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String PHYSICAL_DELIVERY_OFFICE_NAME = "physicalDeliveryOfficeName";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String DEPARTMENT_NUMBER = "departmentNumber";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String ROOM_NUMBER = "roomNumber";
-
-    /**
-     * Constant contains the mobile attribute values used within iNetOrgPerson ldap object classes.
-     */
-    private static final String MOBILE = "mobile";
-
-    /**
-     * Constant contains the telephone attribute values used within organizationalPerson ldap object classes.
-     */
-    private static final String TELEPHONE_NUMBER = "telephoneNumber";
-
-    /**
-     * Constant contains the  attribute name for jpeg images to be stored within inetorgperson ldap object classes.
-     */
-    private static final String JPEGPHOTO = "jpegPhoto";
-
-    /**
-     * Constant contains the email attribute values used within iNetOrgPerson ldap object classes.
-     */
-    private static final String MAIL = "mail";
-    private static final String DISPLAY_NAME = "displayName";
-    private static final String TITLE = "title";
-    private static final String EMPLOYEE_TYPE = "employeeType";
-
-    private static final String OPENLDAP_POLICY_SUBENTRY = "pwdPolicySubentry";
-    private static final String OPENLDAP_PW_RESET = "pwdReset";
-    private static final String OPENLDAP_PW_LOCKED_TIME = "pwdAccountLockedTime";
-    private static final String OPENLDAP_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
-    private static final String LOCK_VALUE = "000001010000Z";
-    private static final String[] USERID =
-        { GlobalIds.UID };
-    private static final String[] ROLES =
-        { GlobalIds.USER_ROLE_ASSIGN };
-
-    private static final String[] USERID_ATRS =
-        {
-            GlobalIds.UID
-    };
-
-    // This smaller result set of attributes are needed for user validation and authentication operations.
-    private static final String[] AUTHN_ATRS =
-        {
-            GlobalIds.FT_IID,
-            GlobalIds.UID, PW,
-            GlobalIds.DESC,
-            GlobalIds.OU, GlobalIds.CN,
-            SN,
-            GlobalIds.CONSTRAINT,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
-            GlobalIds.PROPS
-    };
-
-    // This default set of attributes contains all and is used for search operations.
-    private static final String[] DEFAULT_ATRS =
-        {
-            GlobalIds.FT_IID,
-            GlobalIds.UID, PW,
-            GlobalIds.DESC,
-            GlobalIds.OU,
-            GlobalIds.CN,
-            SN,
-            GlobalIds.USER_ROLE_DATA,
-            GlobalIds.CONSTRAINT,
-            GlobalIds.USER_ROLE_ASSIGN,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_POLICY_SUBENTRY : null,
-            GlobalIds.PROPS,
-            GlobalIds.USER_ADMINROLE_ASSIGN,
-            GlobalIds.USER_ADMINROLE_DATA,
-            POSTAL_ADDRESS,
-            L,
-            POSTAL_CODE,
-            POST_OFFICE_BOX,
-            STATE,
-            PHYSICAL_DELIVERY_OFFICE_NAME,
-            DEPARTMENT_NUMBER,
-            ROOM_NUMBER,
-            TELEPHONE_NUMBER,
-            MOBILE,
-            MAIL,
-            EMPLOYEE_TYPE,
-            TITLE,
-            SYSTEM_USER,
-            DISPLAY_NAME,
-            JPEGPHOTO
-    };
-
-    private static final String[] ROLE_ATR =
-        {
-            GlobalIds.USER_ROLE_DATA
-    };
-
-    private static final String[] AROLE_ATR =
-        {
-            GlobalIds.USER_ADMINROLE_DATA
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws CreateException
-     *
-     */
-    public final User create( User entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, USER_OBJ_CLASS ) );
-
-            entity.setInternalId();
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getInternalId() ) );
-            attrs.add( createAttribute( GlobalIds.UID, entity.getUserId() ) );
-
-            // CN is required on inetOrgPerson object class, if caller did not set, use the userId:
-            if ( !VUtil.isNotNullOrEmpty( entity.getCn() ) )
-            {
-                entity.setCn( entity.getUserId() );
-            }
-
-            attrs.add( createAttribute( GlobalIds.CN, entity.getCn() ) );
-
-            // SN is required on inetOrgPerson object class, if caller did not set, use the userId:
-            if ( !VUtil.isNotNullOrEmpty( entity.getSn() ) )
-            {
-                entity.setSn( entity.getUserId() );
-            }
-
-            attrs.add( createAttribute( SN, entity.getSn() ) );
-
-            // guard against npe
-            attrs.add( createAttribute( PW,
-                VUtil.isNotNullOrEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String(
-                    new char[]
-                        {} ) ) );
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDisplayName() ) )
-            {
-                attrs.add( createAttribute( DISPLAY_NAME, entity.getDisplayName() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
-            {
-                attrs.add( createAttribute( TITLE, entity.getTitle() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
-            {
-                attrs.add( createAttribute( EMPLOYEE_TYPE, entity.getEmployeeType() ) );
-            }
-
-            // These are multi-valued attributes, use the util function to load:
-            // These items are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getPhones(), attrs, TELEPHONE_NUMBER );
-            loadAttrs( entity.getMobiles(), attrs, MOBILE );
-            loadAttrs( entity.getEmails(), attrs, MAIL );
-
-            // The following attributes are optional:
-            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
-            {
-                attrs.add( createAttribute( SYSTEM_USER, entity.isSystem().toString().toUpperCase() ) );
-            }
-            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
-            {
-                String dn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
-                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
-                attrs.add( createAttribute( OPENLDAP_POLICY_SUBENTRY, dn ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.OU, entity.getOu() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            // props are optional as well:
-            // Add "initial" property here.
-            entity.addProperty( "init", "" );
-            loadProperties( entity.getProperties(), attrs, GlobalIds.PROPS );
-            // map the userid to the name field in constraint:
-            entity.setName( entity.getUserId() );
-            attrs.add( createAttribute( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ) );
-            loadAddress( entity.getAddress(), attrs );
-            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
-            {
-                attrs.add( new LDAPAttribute( JPEGPHOTO, entity.getJpegPhoto() ) );
-            }
-
-            String dn = getDn( entity.getUserId(), entity.getContextId() );
-
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-            entity.setDn( dn );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create userId [" + entity.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.USER_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws UpdateException
-     */
-    public final User update( User entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getCn() ) )
-            {
-                LDAPAttribute cn = new LDAPAttribute( GlobalIds.CN, entity.getCn() );
-                mods.add( LDAPModification.REPLACE, cn );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getSn() ) )
-            {
-                LDAPAttribute sn = new LDAPAttribute( SN, entity.getSn() );
-                mods.add( LDAPModification.REPLACE, sn );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                LDAPAttribute ou = new LDAPAttribute( GlobalIds.OU, entity.getOu() );
-                mods.add( LDAPModification.REPLACE, ou );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getPassword() ) )
-            {
-                LDAPAttribute pw = new LDAPAttribute( PW, new String( entity.getPassword() ) );
-                mods.add( LDAPModification.REPLACE, pw );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC,
-                    entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
-            {
-                LDAPAttribute employeeType = new LDAPAttribute( EMPLOYEE_TYPE, entity.getEmployeeType() );
-                mods.add( LDAPModification.REPLACE, employeeType );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
-            {
-                LDAPAttribute title = new LDAPAttribute( TITLE, entity.getTitle() );
-                mods.add( LDAPModification.REPLACE, title );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDisplayName() ) )
-            {
-                LDAPAttribute name = new LDAPAttribute( DISPLAY_NAME, entity.getDisplayName() );
-                mods.add( LDAPModification.REPLACE, name );
-            }
-
-            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
-            {
-                String szDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
-                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
-                LDAPAttribute dn = new LDAPAttribute( OPENLDAP_POLICY_SUBENTRY, szDn );
-                mods.add( LDAPModification.REPLACE, dn );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
-            {
-                LDAPAttribute system = new LDAPAttribute( SYSTEM_USER, entity.isSystem().toString().toUpperCase() );
-                mods.add( LDAPModification.REPLACE, system );
-            }
-
-            if ( entity.isTemporalSet() )
-            {
-                // map the userid to the name field in constraint:
-                entity.setName( entity.getUserId() );
-                String szRawData = CUtil.setConstraint( entity );
-
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    LDAPAttribute constraint = new LDAPAttribute( GlobalIds.CONSTRAINT, szRawData );
-                    mods.add( LDAPModification.REPLACE, constraint );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-            }
-
-            loadAddress( entity.getAddress(), mods );
-            // These are multi-valued attributes, use the util function to load:
-            loadAttrs( entity.getPhones(), mods, TELEPHONE_NUMBER );
-            loadAttrs( entity.getMobiles(), mods, MOBILE );
-            loadAttrs( entity.getEmails(), mods, MAIL );
-            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
-            {
-                mods.add( LDAPModification.REPLACE, new LDAPAttribute( JPEGPHOTO, entity.getJpegPhoto() ) );
-            }
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, userDn, mods, entity );
-                entity.setDn( userDn );
-            }
-
-            entity.setDn( userDn );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update userId [" + entity.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @param replace
-     * @return
-     * @throws UpdateException
-     */
-    public final User updateProps( User entity, boolean replace )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, replace );
-            }
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, userDn, mods, entity );
-                entity.setDn( userDn );
-            }
-
-            entity.setDn( userDn );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "updateProps userId [" + entity.getUserId() + "] isReplace [" + replace
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param user
-     * @throws RemoveException
-     */
-    public final String remove( User user )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, userDn, user );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.USER_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void lock( User user )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute pwdAccoutLock = new LDAPAttribute( OPENLDAP_PW_LOCKED_TIME, LOCK_VALUE );
-            mods.add( LDAPModification.REPLACE, pwdAccoutLock );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "lock user [" + user.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_LOCK_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param user
-     * @throws UpdateException
-     *
-     */
-    public final void unlock( User user )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            //ld = getAdminConnection();
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute pwdlockedTime = new LDAPAttribute( OPENLDAP_PW_LOCKED_TIME );
-            mods.add( LDAPModification.DELETE, pwdlockedTime );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_ATTRIBUTE )
-            {
-                LOG.info( "unlock user [" + user.getUserId() + "] no such attribute:"
-                    + OPENLDAP_ACCOUNT_LOCKED_TIME );
-            }
-            else
-            {
-                String error = "unlock user [" + user.getUserId() + "] caught LDAPException= "
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.USER_PW_UNLOCK_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final User getUser( User user, boolean isRoles )
-        throws FinderException
-    {
-        User entity = null;
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        String[] uATTRS;
-        // Retrieve role attributes?
-
-        if ( isRoles )
-        {
-            // Retrieve the User's assigned RBAC and Admin Role attributes from directory.
-            uATTRS = DEFAULT_ATRS;
-
-        }
-        else
-        {
-            // Do not retrieve the User's assigned RBAC and Admin Role attributes from directory.
-            uATTRS = AUTHN_ATRS;
-        }
-
-        LDAPEntry findEntry = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            findEntry = read( ld, userDn, uATTRS );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getUser COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            String error = "getUser [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        entity = unloadLdapEntry( findEntry, 0, user.getContextId() );
-
-        if ( entity == null )
-        {
-            String warning = "getUser userId [" + user.getUserId() + "] not found, Fortress rc="
-                + GlobalErrIds.USER_NOT_FOUND;
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<UserAdminRole> getUserAdminRoles( User user )
-        throws FinderException
-    {
-        List<UserAdminRole> roles = null;
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, userDn, AROLE_ATR );
-            roles = unloadUserAdminRoles( findEntry, user.getUserId(), user.getContextId() );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getUserAdminRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            String error = "getUserAdminRoles [" + userDn + "]= caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roles;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<String> getRoles( User user )
-        throws FinderException
-    {
-        List<String> roles = null;
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, userDn, ROLES );
-
-            if ( findEntry == null )
-            {
-                String warning = "getRoles userId [" + user.getUserId() + "] not found, Fortress rc="
-                    + GlobalErrIds.USER_NOT_FOUND;
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            roles = getAttributes( findEntry, GlobalIds.USER_ROLE_ASSIGN );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            String error = "getRoles [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roles;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     * @throws org.apache.directory.fortress.core.SecurityException
-     */
-    public final Session checkPassword( User user ) throws FinderException
-    {
-        Session session = null;
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            session = new ObjectFactory().createSession();
-            session.setUserId( user.getUserId() );
-            ld = getUserConnection();
-            boolean result = bind( ld, userDn, user.getPassword() );
-
-            if ( result )
-            {
-                // check openldap password policies here
-                checkPwPolicies( ld, session );
-
-                if ( session.getErrorId() == 0 )
-                {
-                    session.setAuthenticated( true );
-                }
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.INVALID_CREDENTIALS )
-            {
-                // Check controls to see if password is locked, expired or out of grace:
-                checkPwPolicies( ld, session );
-                // if check pw control did not find problem the user entered invalid pw:
-                if ( session.getErrorId() == 0 )
-                {
-                    String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "]";
-                    session.setMsg( info );
-                    session.setErrorId( GlobalErrIds.USER_PW_INVLD );
-                    session.setAuthenticated( false );
-                }
-            }
-            else
-            {
-                String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException="
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new FinderException( GlobalErrIds.USER_BIND_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeUserConnection( ld );
-        }
-
-        return session;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> findUsers( User user ) throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter;
-
-            if ( VUtil.isNotNullOrEmpty( user.getUserId() ) )
-            {
-                // place a wild card after the input userId:
-                String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
-                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                    + GlobalIds.UID + "=" + searchVal + "*))";
-            }
-            else if ( VUtil.isNotNullOrEmpty( user.getInternalId() ) )
-            {
-                // internalUserId search
-                String searchVal = encodeSafeText( user.getInternalId(), GlobalIds.USERID_LEN );
-                // this is not a wildcard search. Must be exact match.
-                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                    + GlobalIds.FT_IID + "=" + searchVal + "))";
-            }
-            else
-            {
-                // Beware - returns ALL users!!:"
-                filter = "(objectclass=" + objectClassImpl + ")";
-            }
-
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( unloadLdapEntry( searchResults.next(), sequence++, user.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param user
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> findUsers( User user, int limit ) throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.UID + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.hasMoreElements() )
-            {
-                LDAPEntry entry = searchResults.next();
-                userList.add( getAttribute( entry, GlobalIds.UID ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "findUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<User> getAuthorizedUsers( Role role )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(";
-            Set<String> roles = RoleUtil.getDescendants( role.getName(), role.getContextId() );
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
-
-                for ( String uRole : roles )
-                {
-                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + uRole + ")";
-                }
-
-                filter += ")";
-            }
-            else
-            {
-                filter += GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
-            }
-
-            filter += ")";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> getAssignedUsers( Role role )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     *
-     * @param roles
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getAssignedUsers( Set<String> roles, String contextId )
-        throws FinderException
-    {
-        Set<String> userSet = new HashSet<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(|";
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String roleVal : roles )
-                {
-                    String filteredVal = encodeSafeText( roleVal, GlobalIds.USERID_LEN );
-                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + filteredVal + ")";
-                }
-            }
-            else
-            {
-                return null;
-            }
-
-            filter += "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, USERID_ATRS, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userSet.add( getAttribute( searchResults.next(), GlobalIds.UID ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "getAssignedUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userSet;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> getAssignedUsers( AdminRole role )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ADMINROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "getAssignedUsers admin role name [" + role.getName()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> getAuthorizedUsers( Role role, int limit )
-        throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.hasMoreElements() )
-            {
-                LDAPEntry entry = searchResults.next();
-                userList.add( getAttribute( entry, GlobalIds.UID ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param searchVal
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findUsersList( String searchVal, String contextId )
-        throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
-
-        try
-        {
-            searchVal = encodeSafeText( searchVal, GlobalIds.USERID_LEN );
-            //ld = getAdminConnection();
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.UID + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( ( unloadLdapEntry( searchResults.next(), sequence++, contextId ) ).getUserId() );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "findUsersList caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param ou
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> findUsers( OrgUnit ou, boolean limitSize ) throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String userRoot = getRootDn( ou.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String szOu = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.OU + "=" + szOu + "))";
-            int maxLimit;
-
-            if ( limitSize )
-            {
-                maxLimit = 10;
-            }
-            else
-            {
-                maxLimit = 0;
-            }
-
-            ld = getAdminConnection();
-            searchResults = search( ld, userRoot,
-                LDAPConnection.SCOPE_ONE, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
-            long sequence = 0;
-
-            while ( searchResults.hasMoreElements() )
-            {
-                userList.add( unloadLdapEntry( searchResults.next(), sequence++, ou.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "findUsers caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param entity
-     * @param newPassword
-     * @return
-     * @throws UpdateException
-     *
-     * @throws SecurityException
-     */
-    public final boolean changePassword( User entity, char[] newPassword )
-        throws SecurityException
-    {
-        boolean rc = true;
-        LDAPConnection ld = null;
-        LDAPModificationSet mods;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            ld = getUserConnection();
-            bind( ld, userDn, entity.getPassword() );
-            mods = new LDAPModificationSet();
-            LDAPAttribute pw = new LDAPAttribute( PW, new String( newPassword ) );
-            mods.add( LDAPModification.REPLACE, pw );
-            modify( ld, userDn, mods );
-
-            // The 2nd modify is to update audit attributes on the User entry:
-            if ( GlobalIds.IS_AUDIT && entity.getAdminSession() != null )
-            {
-                // Because the user modified their own password, set their userId here:
-                //(entity.getAdminSession()).setInternalUserId(entity.getUserId());
-                mods = new LDAPModificationSet();
-                modify( ld, userDn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
-
-            if ( e.getLDAPResultCode() == LDAPException.CONSTRAINT_VIOLATION )
-            {
-                warning += " constraint violation, ldap rc=" + e.getLDAPResultCode() + " ldap msg=" + e.getMessage()
-                    + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
-                throw new PasswordException( GlobalErrIds.PSWD_CONST_VIOLATION, warning );
-            }
-            else if ( e.getLDAPResultCode() == LDAPException.INSUFFICIENT_ACCESS_RIGHTS )
-            {
-                warning += " user not authorized to change password, ldap rc=" + e.getLDAPResultCode() + " ldap msg="
-                    + e.getMessage() + " Fortress rc=" + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
-                throw new UpdateException( GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning );
-            }
-
-            warning += " caught LDAPException rc=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e );
-        }
-        finally
-        {
-            closeUserConnection( ld );
-        }
-
-        return rc;
-    }
-
-
-    /**
-     * @param user
-     * @throws UpdateException
-     *
-     */
-    public final void resetUserPassword( User user )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute pw = new LDAPAttribute( PW, new String( user.getPassword() ) );
-            mods.add( LDAPModification.REPLACE, pw );
-            LDAPAttribute pwdReset = new LDAPAttribute( OPENLDAP_PW_RESET, "TRUE" );
-            mods.add( LDAPModification.REPLACE, pwdReset );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "resetUserPassword userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_RESET_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String assign( UserRole uRole )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            //ld = getAdminConnection();
-            LDAPModificationSet mods = new LDAPModificationSet();
-            String szUserRole = uRole.getRawData();
-            LDAPAttribute attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
-            mods.add( LDAPModification.ADD, attr );
-            attr = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, uRole.getName() );
-            mods.add( LDAPModification.ADD, attr );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, uRole );
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
-
-            if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
-            {
-                warning += "assignment already exists.";
-                throw new FinderException( GlobalErrIds.URLE_ASSIGN_EXIST, warning );
-            }
-            else
-            {
-                warning += "caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.URLE_ASSIGN_FAILED, warning, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String deassign( UserRole uRole )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            // read the user's RBAC role assignments to locate target record.  Need the raw data before attempting removal:
-            List<UserRole> roles = getUserRoles( uRole.getUserId(), uRole.getContextId() );
-            int indx = -1;
-
-            // Does the user have any roles assigned?
-            if ( roles != null )
-            {
-                // function call will set indx to -1 if name not found:
-                indx = roles.indexOf( uRole );
-
-                // Is the targeted name assigned to user?
-                if ( indx > -1 )
-                {
-                    // Retrieve the targeted name:
-                    UserRole fRole = roles.get( indx );
-                    // delete the name assignment attribute using the raw name data:
-                    LDAPModificationSet mods = new LDAPModificationSet();
-                    LDAPAttribute rAttr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, fRole.getRawData() );
-                    mods.add( LDAPModification.DELETE, rAttr );
-                    rAttr = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, fRole.getName() );
-                    mods.add( LDAPModification.DELETE, rAttr );
-                    ld = getAdminConnection();
-                    modify( ld, userDn, mods, uRole );
-                }
-            }
-            // target name not found:
-            if ( indx == -1 )
-            {
-                // The user does not have the target name assigned,
-                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String assign( UserAdminRole uRole )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            String szUserRole = uRole.getRawData();
-            LDAPAttribute attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
-            mods.add( LDAPModification.ADD, attr );
-            attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, uRole.getName() );
-            mods.add( LDAPModification.ADD, attr );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, uRole );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
-            {
-                String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] assignment already exists.";
-                throw new FinderException( GlobalErrIds.ARLE_ASSIGN_EXIST, warning );
-            }
-            else
-            {
-                String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.ARLE_ASSIGN_FAILED, warning, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String deassign( UserAdminRole uRole )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            // read the user's ARBAC roles to locate record.  Need the raw data before attempting removal:
-            User user = new User( uRole.getUserId() );
-            user.setContextId( uRole.getContextId() );
-            List<UserAdminRole> roles = getUserAdminRoles( user );
-            //User user = getUser(uRole.getUserId(), true);
-            //List<UserAdminRole> roles = user.getAdminRoles();
-            int indx = -1;
-
-            // Does the user have any roles assigned?
-            if ( roles != null )
-            {
-                // function call will set indx to -1 if name not found:
-                indx = roles.indexOf( uRole );
-
-                // Is the targeted name assigned to user?
-                if ( indx > -1 )
-                {
-                    // Retrieve the targeted name:
-                    UserRole fRole = roles.get( indx );
-                    // delete the name assignment attribute using the raw name data:
-                    LDAPModificationSet mods = new LDAPModificationSet();
-                    LDAPAttribute rAttr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData() );
-                    mods.add( LDAPModification.DELETE, rAttr );
-                    rAttr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName() );
-                    mods.add( LDAPModification.DELETE, rAttr );
-                    ld = getAdminConnection();
-                    modify( ld, userDn, mods, uRole );
-                }
-            }
-
-            // target name not found:
-            if ( indx == -1 )
-            {
-                // The user does not have the target name assigned,
-                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws UpdateException
-     *
-     */
-    public final String deletePwPolicy( User user )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute policy = new LDAPAttribute( OPENLDAP_POLICY_SUBENTRY );
-            mods.add( LDAPModification.DELETE, policy );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LDAPException e )
-        {
-            String warning = "deletePwPolicy userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_PLCY_DEL_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LDAPException
-     */
-    private User unloadLdapEntry( LDAPEntry le, long sequence, String contextId )
-    {
-        User entity = new ObjectFactory().createUser();
-        entity.setSequenceId( sequence );
-        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setUserId( getAttribute( le, GlobalIds.UID ) );
-        entity.setCn( getAttribute( le, GlobalIds.CN ) );
-        entity.setDisplayName( getAttribute( le, DISPLAY_NAME ) );
-        entity.setSn( getAttribute( le, SN ) );
-        entity.setOu( getAttribute( le, GlobalIds.OU ) );
-        entity.setDn( le.getDN() );
-        entity.setTitle( getAttribute( le, TITLE ) );
-        entity.setEmployeeType( getAttribute( le, EMPLOYEE_TYPE ) );
-        unloadTemporal( le, entity );
-        entity.setRoles( unloadUserRoles( le, entity.getUserId(), contextId ) );
-        entity.setAdminRoles( unloadUserAdminRoles( le, entity.getUserId(), contextId ) );
-        entity.setAddress( unloadAddress( le ) );
-        entity.setPhones( getAttributes( le, TELEPHONE_NUMBER ) );
-        entity.setMobiles( getAttributes( le, MOBILE ) );
-        entity.setEmails( getAttributes( le, MAIL ) );
-        String szBoolean = getAttribute( le, SYSTEM_USER );
-        if ( szBoolean != null )
-        {
-            entity.setSystem( Boolean.valueOf( szBoolean ) );
-        }
-
-        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
-
-        if ( GlobalIds.IS_OPENLDAP )
-        {
-            szBoolean = getAttribute( le, OPENLDAP_PW_RESET );
-            if ( szBoolean != null && szBoolean.equalsIgnoreCase( "true" ) )
-            {
-                entity.setReset( true );
-            }
-            String szPolicy = getAttribute( le, OPENLDAP_POLICY_SUBENTRY );
-            if ( VUtil.isNotNullOrEmpty( szPolicy ) )
-            {
-                entity.setPwPolicy( getRdn( szPolicy ) );
-            }
-            szBoolean = getAttribute( le, OPENLDAP_PW_LOCKED_TIME );
-            if ( szBoolean != null && szBoolean.equals( LOCK_VALUE ) )
-            {
-                entity.setLocked( true );
-            }
-        }
-        entity.setJpegPhoto( getPhoto( le, JPEGPHOTO ) );
-        return entity;
-    }
-
-
-    /**
-     * @param userId
-     * @return
-     * @throws FinderException
-     */
-    private List<UserRole> getUserRoles( String userId, String contextId )
-        throws FinderException
-    {
-        List<UserRole> roles = null;
-        LDAPConnection ld = null;
-        String userDn = getDn( userId, contextId );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, userDn, ROLE_ATR );
-            roles = unloadUserRoles( findEntry, userId, contextId );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getUserRoles COULD NOT FIND ENTRY for user [" + userId + "]";
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            String error = "getUserRoles [" + userDn + "]= caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roles;
-    }
-
-
-    /**
-     * @param ld
-     * @param pwMsg
-     */
-    private void checkPwPolicies( LDAPConnection ld, PwMessage pwMsg )
-    {
-        int rc = 0;
-        boolean success = false;
-        String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
-
-        if ( ld != null )
-        {
-            if ( !GlobalIds.IS_OPENLDAP )
-            {
-                //pwMsg.setWarningId( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED );
-                String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
-                pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED, msg, Warning.Type.PASSWORD ) );
-                pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
-                //String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
-                //pwMsg.setMsg( msg );
-                LOG.debug( msg );
-                return;
-            }
-            else if ( pwControl != null )
-            {
-                pwControl.checkPasswordPolicy( ld.getResponseControls(), success, pwMsg );
-            }
-
-            // OpenLDAP has notified of password policy violation:
-            if ( pwMsg.getErrorId() > 0 )
-            {
-                String errMsg;
-
-                switch ( pwMsg.getErrorId() )
-                {
-                    case GlobalPwMsgIds.CHANGE_AFTER_RESET:
-                        // Don't throw exception if authenticating in J2EE Realm - The Web application must give user a chance to modify their password.
-                        if ( !GlobalIds.IS_REALM )
-                        {
-                            errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
-                            rc = GlobalErrIds.USER_PW_RESET;
-                        }
-                        else
-                        {
-                            errMsg = msgHdr
-                                + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
-                            success = true;
-                            pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET, errMsg, Warning.Type.PASSWORD ) );
-                        }
-
-                        break;
-
-                    case GlobalPwMsgIds.ACCOUNT_LOCKED:
-                        errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
-                        rc = GlobalErrIds.USER_PW_LOCKED;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_HAS_EXPIRED:
-                        errMsg = msgHdr + "PASSWORD HAS EXPIRED";
-                        rc = GlobalErrIds.USER_PW_EXPIRED;
-                        break;
-
-                    case GlobalPwMsgIds.NO_MODIFICATIONS:
-                        errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
-                        rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
-                        break;
-
-                    case GlobalPwMsgIds.MUST_SUPPLY_OLD:
-                        errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
-                        rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
-                        break;
-
-                    case GlobalPwMsgIds.INSUFFICIENT_QUALITY:
-                        errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
-                        rc = GlobalErrIds.USER_PW_NSF_QUALITY;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_TOO_SHORT:
-                        errMsg = msgHdr + "PASSWORD TOO SHORT";
-                        rc = GlobalErrIds.USER_PW_TOO_SHORT;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_TOO_YOUNG:
-                        errMsg = msgHdr + "PASSWORD TOO YOUNG";
-                        rc = GlobalErrIds.USER_PW_TOO_YOUNG;
-                        break;
-
-                    case GlobalPwMsgIds.HISTORY_VIOLATION:
-                        errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
-                        rc = GlobalErrIds.USER_PW_IN_HISTORY;
-                        break;
-
-                    default:
-                        errMsg = msgHdr + "PASSWORD CHECK FAILED";
-                        rc = GlobalErrIds.USER_PW_CHK_FAILED;
-                        break;
-                }
-
-                pwMsg.setMsg( errMsg );
-                pwMsg.setErrorId( rc );
-                pwMsg.setAuthenticated( success );
-                LOG.debug( errMsg );
-            }
-            else
-            {
-                // Checked out good:
-                String msg = msgHdr + "PASSWORD CHECK SUCCESS";
-                pwMsg.setMsg( msg );
-                pwMsg.setErrorId( 0 );
-                pwMsg.setAuthenticated( true );
-                LOG.debug( msg );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
-     *
-     * @param list  contains List of type {@link UserAdminRole} targeted for adding to ldap.
-     * @param attrs collection of ldap attributes containing ARBAC role assignments in raw ldap format.
-     */
-    private void loadUserAdminRoles( List<UserAdminRole> list, LDAPAttributeSet attrs )
-    {
-        if ( list != null )
-        {
-            LDAPAttribute attr = null;
-            LDAPAttribute attrNm = null;
-
-            for ( UserAdminRole userRole : list )
-            {
-                String szUserRole = userRole.getRawData();
-
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
-                    attrNm = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, userRole.getName() );
-                }
-                else
-                {
-                    attr.addValue( szUserRole );
-                    attrNm.addValue( userRole.getName() );
-                }
-            }
-
-            if ( attr != null )
-            {
-                attrs.add( attr );
-                attrs.add( attrNm );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param list contains List of type {@link UserRole} targeted for updating into ldap.
-     * @param mods contains ldap modification set containing RBAC role assignments in raw ldap format to be updated.
-     */
-    private void loadUserRoles( List<UserRole> list, LDAPModificationSet mods )
-    {
-        LDAPAttribute attr = null;
-        LDAPAttribute attrNm = null;
-
-        if ( list != null )
-        {
-            for ( UserRole userRole : list )
-            {
-                String szUserRole = userRole.getRawData();
-
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
-                    attrNm = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, userRole.getName() );
-                }
-                else
-                {
-                    attr.addValue( szUserRole );
-                    attrNm.addValue( userRole.getName() );
-                }
-            }
-
-            if ( attr != null )
-            {
-                mods.add( LDAPModification.REPLACE, attr );
-                mods.add( LDAPModification.REPLACE, attrNm );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param list contains List of type {@link UserAdminRole} targeted for updating to ldap.
-     * @param mods contains ldap modification set containing ARBAC role assignments in raw ldap format to be updated.
-     */
-    private void loadUserAdminRoles( List<UserAdminRole> list, LDAPModificationSet mods )
-    {
-        LDAPAttribute attr = null;
-        LDAPAttribute attrNm = null;
-
-        if ( list != null )
-        {
-            for ( UserAdminRole userRole : list )
-            {
-                String szUserRole = userRole.getRawData();
-
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( GlobalIds.USER_ADMINROLE_DATA, szUserRole );
-                    attrNm = new LDAPAttribute( GlobalIds.USER_ADMINROLE_ASSIGN, userRole.getName() );
-                }
-                else
-                {
-                    attr.addValue( szUserRole );
-                    attrNm.addValue( userRole.getName() );
-                }
-            }
-
-            if ( attr != null )
-            {
-                mods.add( LDAPModification.REPLACE, attr );
-                mods.add( LDAPModification.REPLACE, attrNm );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
-     *
-     * @param list  contains List of type {@link UserRole} targeted for adding to ldap.
-     * @param attrs collection of ldap attributes containing RBAC role assignments in raw ldap format.
-     */
-    private void loadUserRoles( List<UserRole> list, LDAPAttributeSet attrs )
-    {
-        if ( list != null )
-        {
-            LDAPAttribute attr = null;
-            LDAPAttribute attrNm = null;
-
-            for ( UserRole userRole : list )
-            {
-                String szUserRole = userRole.getRawData();
-
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( GlobalIds.USER_ROLE_DATA, szUserRole );
-                    attrNm = new LDAPAttribute( GlobalIds.USER_ROLE_ASSIGN, userRole.getName() );
-                }
-                else
-                {
-                    attr.addValue( szUserRole );
-                    attrNm.addValue( userRole.getName() );
-                }
-            }
-
-            if ( attr != null )
-            {
-                attrs.add( attr );
-                attrs.add( attrNm );
-            }
-        }
-    }
-
-
-    /**
-     * Given a User address, {@link Address}, load into ldap attribute set in preparation for ldap add.
-     *
-     * @param address  contains User address {@link Address} targeted for adding to ldap.
-     * @param attrs collection of ldap attributes containing RBAC role assignments in raw ldap format.
-     */
-    private void loadAddress( Address address, LDAPAttributeSet attrs )
-    {
-        if ( address != null )
-        {
-            LDAPAttribute attr;
-
-            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
-            {
-                for ( String val : address.getAddresses() )
-                {
-                    attr = new LDAPAttribute( POSTAL_ADDRESS, val );
-                    attrs.add( attr );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
-            {
-                attr = new LDAPAttribute( L, address.getCity() );
-                attrs.add( attr );
-            }
-
-            //if(VUtil.isNotNullOrEmpty(address.getCountry()))
-            //{
-            //    attr = new LDAPAttribute(GlobalIds.COUNTRY, address.getAddress1());
-            //    attrs.add(attr);
-            //}
-            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
-            {
-                attr = new LDAPAttribute( POSTAL_CODE, address.getPostalCode() );
-                attrs.add( attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
-            {
-                attr = new LDAPAttribute( POST_OFFICE_BOX, address.getPostOfficeBox() );
-                attrs.add( attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
-            {
-                attr = new LDAPAttribute( STATE, address.getState() );
-                attrs.add( attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
-            {
-                attr = new LDAPAttribute( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
-                attrs.add( attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
-            {
-                attr = new LDAPAttribute( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
-                attrs.add( attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
-            {
-                attr = new LDAPAttribute( ROOM_NUMBER, address.getRoomNumber() );
-                attrs.add( attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given an address, {@link Address}, load into ldap modification set in preparation for ldap modify.
-     *
-     * @param address contains entity of type {@link Address} targeted for updating into ldap.
-     * @param mods contains ldap modification set contains attributes to be updated in ldap.
-     */
-    private void loadAddress( Address address, LDAPModificationSet mods )
-    {
-        LDAPAttribute attr;
-
-        if ( address != null )
-        {
-            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
-            {
-                attr = new LDAPAttribute( POSTAL_ADDRESS );
-                mods.add( LDAPModification.REPLACE, attr );
-
-                for ( String val : address.getAddresses() )
-                {
-                    attr = new LDAPAttribute( POSTAL_ADDRESS, val );
-                    mods.add( LDAPModification.ADD, attr );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
-            {
-                attr = new LDAPAttribute( L, address.getCity() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
-            {
-                attr = new LDAPAttribute( POSTAL_CODE, address.getPostalCode() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
-            {
-                attr = new LDAPAttribute( POST_OFFICE_BOX, address.getPostOfficeBox() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
-            {
-                attr = new LDAPAttribute( STATE, address.getState() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
-            {
-                attr = new LDAPAttribute( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
-            {
-                attr = new LDAPAttribute( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
-            {
-                attr = new LDAPAttribute( ROOM_NUMBER, address.getRoomNumber() );
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given an ldap entry containing organzationalPerson address information, convert to {@link Address}
-     *
-     * @param le     contains ldap entry to retrieve admin roles from.
-     * @return entity of type {@link Address}.
-     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-     */
-    private Address unloadAddress( LDAPEntry le )
-    {
-        Address addr = new ObjectFactory().createAddress();
-        List<String> pAddrs = getAttributes( le, POSTAL_ADDRESS );
-        if ( pAddrs != null )
-        {
-            for ( String pAddr : pAddrs )
-            {
-                addr.setAddress( pAddr );
-            }
-        }
-        addr.setCity( getAttribute( le, L ) );
-        addr.setState( getAttribute( le, STATE ) );
-        addr.setPostalCode( getAttribute( le, POSTAL_CODE ) );
-        addr.setPostOfficeBox( getAttribute( le, POST_OFFICE_BOX ) );
-        addr.setBuilding( getAttribute( le, PHYSICAL_DELIVERY_OFFICE_NAME ) );
-        addr.setDepartmentNumber( getAttribute( le, DEPARTMENT_NUMBER ) );
-        addr.setRoomNumber( getAttribute( le, ROOM_NUMBER ) );
-        // todo: add support for country attribute
-        //addr.setCountry(getAttribute(le, GlobalIds.COUNTRY));
-
-        return addr;
-    }
-
-
-    /**
-     * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserAdminRole}
-     * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
-     *
-     * @param le     contains ldap entry to retrieve admin roles from.
-     * @param userId attribute maps to {@link UserAdminRole#userId}.
-     * @param contextId
-     * @return List of type {@link UserAdminRole} containing admin roles assigned to a particular user.
-     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-     */
-    private List<UserAdminRole> unloadUserAdminRoles( LDAPEntry le, String userId, String contextId )
-    {
-        List<UserAdminRole> uRoles = null;
-        List<String> roles = getAttributes( le, GlobalIds.USER_ADMINROLE_DATA );
-
-        if ( roles != null )
-        {
-            long sequence = 0;
-            uRoles = new ArrayList<>();
-
-            for ( String raw : roles )
-            {
-                UserAdminRole ure = new ObjectFactory().createUserAdminRole();
-                ure.load( raw, contextId );
-                ure.setSequenceId( sequence++ );
-                ure.setUserId( userId );
-                uRoles.add( ure );
-            }
-        }
-
-        return uRoles;
-    }
-
-
-    /**
-     *
-     * @param userId
-     * @param contextId
-     * @return
-     */
-    private String getDn( String userId, String contextId )
-    {
-        return GlobalIds.UID + "=" + userId + "," + getRootDn( contextId, GlobalIds.USER_ROOT );
-    }
-
-
-    /**
-    * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserRole}
-    * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
-    *
-    * @param le     contains ldap entry to retrieve roles from.
-    * @param userId attribute maps to {@link UserRole#userId}.
-    * @param contextId
-    * @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
-    * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-    */
-    private List<UserRole> unloadUserRoles( LDAPEntry le, String userId, String contextId )
-    {
-        List<UserRole> uRoles = null;
-        List<String> roles = getAttributes( le, GlobalIds.USER_ROLE_DATA );
-
-        if ( roles != null )
-        {
-            long sequence = 0;
-            uRoles = new ArrayList<>();
-
-            for ( String raw : roles )
-            {
-                UserRole ure = new ObjectFactory().createUserRole();
-                ure.load( raw, contextId );
-                ure.setUserId( userId );
-                ure.setSequenceId( sequence++ );
-                uRoles.add( ure );
-            }
-        }
-
-        return uRoles;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
index 27ae3a7..6976ed4 100755
--- a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
+++ b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java
@@ -194,8 +194,9 @@ public class AttrHelper
      */
     public static Date decodeGeneralizedTime(String inputString) throws ParseException
     {
-        Date aDate;
-        aDate = com.unboundid.util.StaticUtils.decodeGeneralizedTime(inputString);
+        Date aDate = null;
+        // TODO: fix me (removed for unboundid)
+        //aDate = com.unboundid.util.StaticUtils.decodeGeneralizedTime(inputString);
         return aDate;
     }
 
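Review bot: Both `decodeGeneralizedTime` (this hunk) and `encodeGeneralizedTime` (the next hunk) now return `null` unconditionally, so every caller that previously received a parsed `Date` or an encoded timestamp now gets `null` with no error raised, and the TODO comment does not make that visible at runtime. If the unboundid helper cannot be kept, the JDK handles the common `yyyyMMddHHmmss'Z'` form without any new dependency: `SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");` `fmt.setTimeZone(TimeZone.getTimeZone("UTC"));` `return fmt.parse(inputString);` in the decoder, and the same formatter with `return fmt.format(date);` in the encoder (this needs `java.text.SimpleDateFormat` and `java.util.TimeZone` imports, which sit outside these hunks). That single pattern does not accept the fractional-seconds or numeric-offset variants that generalized time permits, so if such values can appear in the directory the decoder should either handle them explicitly or reject them with a `ParseException` rather than silently misparse. Failing a real implementation, an interim `throw new UnsupportedOperationException("generalized time support removed with unboundid");` is preferable to returning `null`, since these timestamps presumably feed password-policy and temporal-constraint checks where a null default is easy to miss.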
@@ -209,8 +210,9 @@ public class AttrHelper
      */
     public static String encodeGeneralizedTime(Date date)
     {
-        String szTime;
-        szTime = com.unboundid.util.StaticUtils.encodeGeneralizedTime(date);
+        String szTime = null;
+        // TODO: fix me (removed for unboundid)
+        //szTime = com.unboundid.util.StaticUtils.encodeGeneralizedTime(date);
         return szTime;
     }
 


[07/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PolicyDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PolicyDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PolicyDAO.java
deleted file mode 100755
index 1fedf7f..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PolicyDAO.java
+++ /dev/null
@@ -1,685 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.PwPolicy;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-
-/**
- * This DAO class maintains the OpenLDAP Password Policy entity which is a composite of the following structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code> objectclass ( 2.5.6.14 NAME 'device'</code>
- * <li> <code>DESC 'RFC2256: a device'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
- * <li> <code>NAME 'pwdPolicy'</code>
- * <li> <code>SUP top</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( pwdAttribute )</code>
- * <li> <code>MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $</code>
- * <li> <code>pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $</code>
- * <li> <code>pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $</code>
- * <li> <code>pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )</code>
- * <li> <code></code>
- * <li> <code></code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class PolicyDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.PolicyDAO
-{
-    /*
-      *  *************************************************************************
-      *  **  OPENLDAP PW POLICY ATTRIBUTES AND CONSTANTS
-      *  ************************************************************************
-      */
-    private static final String OLPW_POLICY_EXTENSION = "2.5.4.35";
-    private static final String OLPW_POLICY_CLASS = "pwdPolicy";
-    /**
-     * This object class combines OpenLDAP PW Policy schema with the Fortress audit context.
-     */
-    private static final String OAM_PWPOLICY_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, "device", OLPW_POLICY_CLASS, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String OLPW_ATTRIBUTE = "pwdAttribute";
-    private static final String OLPW_MIN_AGE = "pwdMinAge";
-    private static final String OLPW_MAX_AGE = "pwdMaxAge";
-    private static final String OLPW_IN_HISTORY = "pwdInHistory";
-    private static final String OLPW_CHECK_QUALITY = "pwdCheckQuality";
-    private static final String OLPW_MIN_LENGTH = "pwdMinLength";
-    private static final String OLPW_EXPIRE_WARNING = "pwdExpireWarning";
-    private static final String OLPW_GRACE_LOGIN_LIMIT = "pwdGraceAuthNLimit";
-    private static final String OLPW_LOCKOUT = "pwdLockout";
-    private static final String OLPW_LOCKOUT_DURATION = "pwdLockoutDuration";
-    private static final String OLPW_MAX_FAILURE = "pwdMaxFailure";
-    private static final String OLPW_FAILURE_COUNT_INTERVAL = "pwdFailureCountInterval";
-    private static final String OLPW_MUST_CHANGE = "pwdMustChange";
-    private static final String OLPW_ALLOW_USER_CHANGE = "pwdAllowUserChange";
-    private static final String OLPW_SAFE_MODIFY = "pwdSafeModify";
-    private static final String[] PASSWORD_POLICY_ATRS =
-        {
-            OLPW_MIN_AGE, OLPW_MAX_AGE, OLPW_IN_HISTORY, OLPW_CHECK_QUALITY,
-            OLPW_MIN_LENGTH, OLPW_EXPIRE_WARNING, OLPW_GRACE_LOGIN_LIMIT, OLPW_LOCKOUT,
-            OLPW_LOCKOUT_DURATION, OLPW_MAX_FAILURE, OLPW_FAILURE_COUNT_INTERVAL,
-            OLPW_MUST_CHANGE, OLPW_ALLOW_USER_CHANGE, OLPW_SAFE_MODIFY,
-    };
-
-    private static final String[] PASSWORD_POLICY_NAME_ATR =
-        {
-            GlobalIds.CN
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final PwPolicy create( PwPolicy entity )
-        throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-            entry.add( GlobalIds.OBJECT_CLASS, OAM_PWPOLICY_OBJ_CLASS );
-            entry.add( GlobalIds.CN, entity.getName() );
-            entry.add( OLPW_ATTRIBUTE, OLPW_POLICY_EXTENSION );
-
-            if ( entity.getMinAge() != null )
-            {
-                entry.add( OLPW_MIN_AGE, entity.getMinAge().toString() );
-            }
-
-            if ( entity.getMaxAge() != null )
-            {
-                entry.add( OLPW_MAX_AGE, entity.getMaxAge().toString() );
-            }
-
-            if ( entity.getInHistory() != null )
-            {
-                entry.add( OLPW_IN_HISTORY, entity.getInHistory().toString() );
-            }
-
-            if ( entity.getCheckQuality() != null )
-            {
-                entry.add( OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() );
-            }
-
-            if ( entity.getMinLength() != null )
-            {
-                entry.add( OLPW_MIN_LENGTH, entity.getMinLength().toString() );
-            }
-
-            if ( entity.getExpireWarning() != null )
-            {
-                entry.add( OLPW_EXPIRE_WARNING, entity.getExpireWarning().toString() );
-            }
-
-            if ( entity.getGraceLoginLimit() != null )
-            {
-                entry.add( OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit().toString() );
-            }
-
-            if ( entity.getLockout() != null )
-            {
-                /**
-                 * For some reason OpenLDAP requires the pwdLockout boolean value to be upper case:
-                 */
-                entry.add( OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() );
-            }
-
-            if ( entity.getLockoutDuration() != null )
-            {
-                entry.add( OLPW_LOCKOUT_DURATION, entity.getLockoutDuration().toString() );
-            }
-
-            if ( entity.getMaxFailure() != null )
-            {
-                entry.add( OLPW_MAX_FAILURE, entity.getMaxFailure().toString() );
-            }
-
-            if ( entity.getFailureCountInterval() != null )
-            {
-                entry.add( OLPW_FAILURE_COUNT_INTERVAL, entity.getFailureCountInterval().toString() );
-            }
-
-            if ( entity.getMustChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                entry.add( OLPW_MUST_CHANGE, entity.getMustChange().toString().toUpperCase() );
-            }
-
-            if ( entity.getAllowUserChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                entry.add( OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange().toString()
-                    .toUpperCase() );
-            }
-
-            if ( entity.getSafeModify() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                entry.add( OLPW_SAFE_MODIFY, entity.getSafeModify().toString().toUpperCase() );
-            }
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.PSWD_CREATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void update( PwPolicy entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( entity.getMinAge() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_MIN_AGE, entity.getMinAge().toString() ) );
-            }
-
-            if ( entity.getMaxAge() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_MAX_AGE, entity.getMaxAge().toString() ) );
-            }
-
-            if ( entity.getInHistory() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_IN_HISTORY, entity.getInHistory().toString() ) );
-            }
-
-            if ( entity.getCheckQuality() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() ) );
-            }
-
-            if ( entity.getMinLength() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_MIN_LENGTH, entity.getMinLength().toString() ) );
-            }
-
-            if ( entity.getExpireWarning() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_EXPIRE_WARNING, entity.getExpireWarning().toString() ) );
-            }
-
-            if ( entity.getGraceLoginLimit() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit().toString() ) );
-            }
-
-            if ( entity.getLockout() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() ) );
-            }
-
-            if ( entity.getLockoutDuration() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_LOCKOUT_DURATION, entity.getLockoutDuration().toString() ) );
-            }
-
-            if ( entity.getMaxFailure() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_MAX_FAILURE, entity.getMaxFailure().toString() ) );
-            }
-
-            if ( entity.getFailureCountInterval() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_FAILURE_COUNT_INTERVAL, entity.getFailureCountInterval().toString() ) );
-            }
-
-            if ( entity.getMustChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_MUST_CHANGE, entity.getMustChange().toString().toUpperCase() ) );
-            }
-
-            if ( entity.getAllowUserChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange().toString().toUpperCase() ) );
-            }
-
-            if ( entity.getSafeModify() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    OLPW_SAFE_MODIFY, entity.getSafeModify().toString().toUpperCase() ) );
-            }
-
-            if ( mods != null && mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PSWD_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    public final void remove( PwPolicy entity ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PSWD_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final PwPolicy getPolicy( PwPolicy policy ) throws FinderException
-    {
-        PwPolicy entity = null;
-        LdapConnection ld = null;
-        String dn = getDn( policy );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, PASSWORD_POLICY_ATRS );
-            entity = unloadLdapEntry( findEntry, 0 );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getPolicy Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-            throw new FinderException( GlobalErrIds.PSWD_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getPolicy name [" + policy.getName() + "] caught LdapException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private PwPolicy unloadLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
-    {
-        PwPolicy entity = new ObjectFactory().createPswdPolicy();
-        entity.setSequenceId( sequence );
-        entity.setName( getRdn( le.getDn().getName() ) );
-        //entity.setAttribute(getAttribute(le, OLPW_ATTRIBUTE));
-        String val = getAttribute( le, OLPW_MIN_AGE );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMinAge( new Integer( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MAX_AGE );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMaxAge( new Long( val ) );
-        }
-
-        val = getAttribute( le, OLPW_IN_HISTORY );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setInHistory( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_CHECK_QUALITY );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setCheckQuality( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MIN_LENGTH );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMinLength( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_EXPIRE_WARNING );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setExpireWarning( new Long( val ) );
-        }
-
-        val = getAttribute( le, OLPW_GRACE_LOGIN_LIMIT );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setGraceLoginLimit( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_LOCKOUT );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setLockout( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_LOCKOUT_DURATION );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setLockoutDuration( new Integer( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MAX_FAILURE );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMaxFailure( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_FAILURE_COUNT_INTERVAL );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setFailureCountInterval( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MUST_CHANGE );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            //noinspection BooleanConstructorCall
-            entity.setMustChange( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_ALLOW_USER_CHANGE );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setAllowUserChange( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_SAFE_MODIFY );
-
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setSafeModify( Boolean.valueOf( val ) );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<PwPolicy> findPolicy( PwPolicy policy ) throws FinderException
-    {
-        List<PwPolicy> policyArrayList = new ArrayList<>();
-        LdapConnection ld = null;
-        String policyRoot = getPolicyRoot( policy.getContextId() );
-        String searchVal = null;
-
-        try
-        {
-            searchVal = encodeSafeText( policy.getName(), GlobalIds.PWPOLICY_NAME_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + OLPW_POLICY_CLASS + ")("
-                + GlobalIds.POLICY_NODE_TYPE + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, policyRoot,
-                SearchScope.ONELEVEL, filter, PASSWORD_POLICY_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                policyArrayList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPolicy name [" + searchVal + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPolicy name [" + searchVal + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return policyArrayList;
-    }
-
-
-    /**
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getPolicies( String contextId )
-        throws FinderException
-    {
-        Set<String> policySet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-        LdapConnection ld = null;
-        String policyRoot = getPolicyRoot( contextId );
-
-        try
-        {
-            String filter = "(objectclass=" + OLPW_POLICY_CLASS + ")";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, policyRoot,
-                SearchScope.ONELEVEL, filter, PASSWORD_POLICY_NAME_ATR, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                policySet.add( getAttribute( searchResults.getEntry(), GlobalIds.CN ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getPolicies caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getPolicies caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return policySet;
-    }
-
-
-    private String getDn( PwPolicy policy )
-    {
-        return GlobalIds.POLICY_NODE_TYPE + "=" + policy.getName() + "," + getPolicyRoot( policy.getContextId() );
-    }
-
-
-    private String getPolicyRoot( String contextId )
-    {
-        return getRootDn( contextId, GlobalIds.PPOLICY_ROOT );
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/RoleDAO.java
deleted file mode 100755
index 6aa4900..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/RoleDAO.java
+++ /dev/null
@@ -1,657 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-
-/**
- * This class perform data access for Fortress Role entity.
- * <p/>
- * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Kevin McKinney
- */
-public final class RoleDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.RoleDAO
-{
-    /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr ROLE STATICS
-      *  ************************************************************************
-      */
-    private static final String ROLE_OCCUPANT = "roleOccupant";
-    private static final String ROLE_NM = "ftRoleName";
-
-    private static final String[] ROLE_NM_ATR =
-        {
-            ROLE_NM
-    };
-
-    private static final String[] ROLE_ATRS =
-        {
-            GlobalIds.FT_IID, ROLE_NM, GlobalIds.DESC, GlobalIds.CONSTRAINT, ROLE_OCCUPANT, GlobalIds.PARENT_NODES
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws CreateException
-     */
-    public final Role create( Role entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-            entry.add( GlobalIds.OBJECT_CLASS, GlobalIds.ROLE_OBJ_CLASS );
-            entity.setId();
-            entry.add( GlobalIds.FT_IID, entity.getId() );
-            entry.add( ROLE_NM, entity.getName() );
-
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // CN attribute is required for this object class:
-            entry.add( GlobalIds.CN, entity.getName() );
-            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if items are not loaded into collection:
-            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.ROLE_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role update( Role entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
-                    GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOccupants() ) )
-            {
-                for ( String name : entity.getOccupants() )
-                {
-                    mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
-                        ROLE_OCCUPANT, entity.getOccupants().toArray( new String[]
-                            {} ) ) );
-                }
-            }
-
-            if ( entity.isTemporalSet() )
-            {
-                String szRawData = CUtil.setConstraint( entity );
-
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE,
-                        GlobalIds.CONSTRAINT, szRawData ) );
-                }
-            }
-
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
-        }
-        catch ( Exception e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            try
-            {
-                closeAdminConnection( ld );
-            }
-            catch ( Exception e )
-            {
-                String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
-            }
-        }
-
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    public final void deleteParent( Role entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE,
-                GlobalIds.PARENT_NODES ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_REMOVE_PARENT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role assign( Role entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-
-        try
-        {
-            //ld = getAdminConnection();
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_USER_ASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role deassign( Role entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
-                + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_USER_DEASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param role
-     * @throws RemoveException
-     */
-    public final void remove( Role role )
-        throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( role.getName(), role.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, role );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.ROLE_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final Role getRole( Role role )
-        throws FinderException
-    {
-        Role entity = null;
-        LdapConnection ld = null;
-        String dn = getDn( role.getName(), role.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, ROLE_ATRS );
-            if(findEntry != null)
-            {
-                entity = unloadLdapEntry( findEntry, 0, role.getContextId() );
-            }
-            if ( entity == null )
-            {
-                String warning = "getRole no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getRole Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-            throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getRole dn [" + dn + "] LEXCD=" + e;
-            throw new FinderException( GlobalErrIds.ROLE_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Role> findRoles( Role role )
-        throws FinderException
-    {
-        List<Role> roleList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
-        String filter = null;
-
-        try
-        {
-            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     * @param role
-     * @param limit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<String> findRoles( Role role, int limit )
-        throws FinderException
-    {
-        List<String> roleList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
-        String filter = null;
-
-        try
-        {
-            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.next() )
-            {
-                Entry entry = searchResults.getEntry();
-                roleList.add( getAttribute( entry, ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     *
-     * @param userDn
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findAssignedRoles( String userDn, String contextId )
-        throws FinderException
-    {
-        List<String> roleNameList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
-            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleNameList;
-    }
-
-
-    /**
-     *
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    public final List<Graphable> getAllDescendants( String contextId )
-        throws FinderException
-    {
-        String[] DESC_ATRS =
-            { ROLE_NM, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
-        String filter = null;
-
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, contextId ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return descendants;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private Role unloadLdapEntry( Entry le, long sequence, String contextId ) throws LdapInvalidAttributeValueException
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
-        //entity.setParents(RoleUtil.getParents(entity.getName().toUpperCase(), contextId));
-        entity.setChildren( RoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        unloadTemporal( le, entity );
-
-        return entity;
-    }
-
-
-    private String getDn( String name, String contextId )
-    {
-        return GlobalIds.CN + "=" + name + "," + getRootDn( contextId, GlobalIds.ROLE_ROOT );
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/SdDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/SdDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/SdDAO.java
deleted file mode 100755
index f4d25b6..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/SdDAO.java
+++ /dev/null
@@ -1,633 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.SDSet;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-
-/**
- * This class performs persistence on the RBAC Static Separation of Duties and Dynamic Separation of Duties data sets.
- * <p/>
- * The Fortress SDSet entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.8 NAME 'organizationalRole'</code>
- * <li> <code>DESC 'RFC2256: an organizational role'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $</code>
- * <li> <code>seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $</code>
- * <li> <code>postOfficeBox $ postalCode $ postalAddress $</code>
- * <li> <code>physicalDeliveryOfficeName $ ou $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. The RBAC Separation of Duties</h4>
- * <ul>
- * <li>  ---Static Separation of Duties Set-------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.4</code>
- * <li> <code>NAME 'ftSSDSet'</code>
- * <li> <code>DESC 'Fortress Role Static Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * OR
- * <h4>Dynamic Separation of Duties Set</h4>
- * <ul>
- * <li>
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.5</code>
- * <li> <code>NAME 'ftDSDSet'</code>
- * <li> <code>DESC 'Fortress Role Dynamic Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public final class SdDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.SdDAO
-{
-    private static final String SD_SET_NM = "ftSetName";
-    private static final String ROLES = "ftRoles";
-    private static final String SD_SET_CARDINALITY = "ftSetCardinality";
-
-    private static final String SSD_OBJECT_CLASS_NM = "ftSSDSet";
-    private static final String SSD_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, SSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String DSD_OBJECT_CLASS_NM = "ftDSDSet";
-    private static final String DSD_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, DSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String[] SD_SET_ATRS =
-        {
-            GlobalIds.FT_IID, SD_SET_NM, GlobalIds.DESC, ROLES, SD_SET_CARDINALITY
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     */
-    public final SDSet create( SDSet entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        String[] objectClass = SSD_OBJ_CLASS;
-
-        if ( entity.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJ_CLASS;
-        }
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-            entry.add( createAttributes( GlobalIds.OBJECT_CLASS, objectClass ) );
-            entity.setId();
-            entry.add( GlobalIds.FT_IID, entity.getId() );
-            entry.add( SD_SET_NM, entity.getName() );
-
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // CN attribute is required for this object class:
-            entry.add( GlobalIds.CN, entity.getName() );
-            loadAttrs( entity.getMembers(), entry, ROLES );
-            entry.add( SD_SET_CARDINALITY, "" + entity.getCardinality() );
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create SD set name [" + entity.getName() + "] type [" + entity.getType()
-                + "] caught LdapException=" + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_ADD_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_ADD_FAILED;
-            }
-
-            throw new CreateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     */
-    public final SDSet update( SDSet entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( entity.getCardinality() != null )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, SD_SET_CARDINALITY, entity.getCardinality().toString() ) );
-            }
-
-            loadAttrs( entity.getMembers(), mods, ROLES );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update name [" + entity.getName() + "] type [" + entity.getType()
-                + "] caught LdapException=" + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_UPDATE_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_UPDATE_FAILED;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    public final SDSet remove( SDSet entity ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove SD name=" + entity.getName() + " type [" + entity.getType() + "] LdapException="
-                + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_DELETE_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_DELETE_FAILED;
-            }
-
-            throw new RemoveException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param sdSet
-     * @return
-     * @throws FinderException
-     */
-    public final SDSet getSD( SDSet sdSet ) throws FinderException
-    {
-        SDSet entity = null;
-        LdapConnection ld = null;
-        String dn = getDn( sdSet.getName(), sdSet.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, SD_SET_ATRS );
-            entity = unloadLdapEntry( findEntry, 0 );
-
-            if ( entity == null )
-            {
-                String warning = "getSD no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getSD Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-            throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getSSD dn [" + dn + "] LEXCD=" + e;
-            int errCode;
-
-            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_READ_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_READ_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * Given an SSD name and type, find matching object in the directory.
-     * @param sdset requires name and type.
-     * @return List of matching SDSets.
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<SDSet> search( SDSet sdset ) throws FinderException
-    {
-        List<SDSet> sdList = new ArrayList<>();
-        LdapConnection ld = null;
-        String ssdRoot = getSdRoot( sdset.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-
-        if ( sdset.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-
-        try
-        {
-            String searchVal = encodeSafeText( sdset.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(" + SD_SET_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, ssdRoot,
-                SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "search sdset name [" + sdset.getName() + "] type [" + sdset.getType()
-                + "] caught LdapException=" + e.getMessage();
-            int errCode;
-
-            if ( sdset.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "search sdset name [" + sdset.getName() + "] type [" + sdset.getType()
-                + "] caught LdapException=" + e.getMessage();
-            int errCode;
-
-            if ( sdset.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return sdList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<SDSet> search( Role role, SDSet.SDType type ) throws FinderException
-    {
-        List<SDSet> sdList = new ArrayList<>();
-        LdapConnection ld = null;
-        String ssdRoot = getSdRoot( role.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-
-        if ( type == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            //String filter = GlobalIds.FILTER_PREFIX + SSD_OBJECT_CLASS_NM + ")(" + ROLES + "=" + roleVal + "))";
-            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(";
-            // Include any parents target role may have:
-            Set<String> roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + ROLES + "=" + roleVal + ")";
-
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-                filter += ")";
-            }
-            else
-            {
-                filter += ROLES + "=" + roleVal + ")";
-            }
-
-            filter += ")";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, ssdRoot,
-                SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "search role [" + role.getName() + "] type [" + type + "] caught LdapException="
-                + e.getMessage();
-            int errCode;
-
-            if ( type == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "search role [" + role.getName() + "] type [" + type + "] caught LdapException="
-                + e.getMessage();
-            int errCode;
-
-            if ( type == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return sdList;
-    }
-
-
-    /**
-     * @param roles
-     * @param sdSet
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final Set<SDSet> search( Set<String> roles, SDSet sdSet ) throws FinderException
-    {
-        Set<SDSet> sdList = new HashSet<>();
-        LdapConnection ld = null;
-        String ssdRoot = getSdRoot( sdSet.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-
-        if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-
-        try
-        {
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(|";
-                for ( String rle : roles )
-                {
-                    filter += "(" + ROLES + "=" + rle + ")";
-                }
-                filter += "))";
-                ld = getAdminConnection();
-                SearchCursor searchResults = search( ld, ssdRoot,
-                    SearchScope.SUBTREE, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-                long sequence = 0;
-
-                while ( searchResults.next() )
-                {
-                    sdList.add( unloadLdapEntry( searchResults.getEntry(), sequence++ ) );
-                }
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "search type [" + sdSet.getType() + "] caught LdapException=" + e.getMessage();
-            int errCode;
-
-            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-            throw new FinderException( errCode, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "search type [" + sdSet.getType() + "] caught LdapException=" + e.getMessage();
-            int errCode;
-
-            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return sdList;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private SDSet unloadLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
-    {
-        SDSet entity = new ObjectFactory().createSDset();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, SD_SET_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setMembers( getAttributeSet( le, ROLES ) );
-        String szCard = getAttribute( le, SD_SET_CARDINALITY );
-        entity.setCardinality( new Integer( szCard ) );
-
-        return entity;
-    }
-
-
-    private String getDn( String name, String contextId )
-    {
-        return GlobalIds.CN + "=" + name + "," + getSdRoot( contextId );
-    }
-
-
-    private String getSdRoot( String contextId )
-    {
-        return getRootDn( contextId, GlobalIds.SD_ROOT );
-    }
-}


[11/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
new file mode 100755
index 0000000..3def2ff
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/UserDAO.java
@@ -0,0 +1,2375 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.Attribute;
+import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapAttributeInUseException;
+import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.PasswordException;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.util.attr.AttrHelper;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+
+
+/**
+ * Data access class for LDAP User entity.
+ * <p/>
+ * <p/>
+ * The Fortress User LDAP schema follows:
+ * <p/>
+ * <h4>1. InetOrgPerson Structural Object Class </h4>
+ * <code># The inetOrgPerson represents people who are associated with an</code><br />
+ * <code># organization in some way.  It is a structural class and is derived</code><br />
+ * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
+ * <li> <code>NAME 'inetOrgPerson'</code>
+ * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
+ * <li> <code>SUP organizationalPerson</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
+ * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
+ * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
+ * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
+ * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
+ * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
+ * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
+ * <li> <code>NAME 'ftUserAttrs'</code>
+ * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MUST ( ftId )</code>
+ * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ * @created August 30, 2009
+ */
+final class UserDAO extends ApacheDsDataProvider
+{
+    private static final String CLS_NM = UserDAO.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+    private static PwPolicyControl pwControlx;
+
+    /**
+     * Initialize the OpenLDAP Pw Policy validator.
+     */
+    //todo: fix me, removed with unbound:
+/*
+    static
+    {
+        if ( GlobalIds.IS_OPENLDAP )
+        {
+            pwControl = new OLPWControlImpl();
+        }
+    }
+*/
+
+    /*
+      *  *************************************************************************
+      *  **  OpenAccessMgr USERS STATICS
+      *  ************************************************************************
+      */
+    private static final String USERS_AUX_OBJECT_CLASS_NAME = "ftUserAttrs";
+    private static final String ORGANIZATIONAL_PERSON_OBJECT_CLASS_NAME = "organizationalPerson";
+    private static final String USER_OBJECT_CLASS = "user.objectclass";
+    private static final String USERS_EXTENSIBLE_OBJECT = "extensibleObject";
+
+    // The Fortress User entity attributes are stored within standard LDAP object classes along with custom auxiliary object classes:
+    private static final String USER_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP,
+            Config.getProperty( USER_OBJECT_CLASS ),
+            USERS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME,
+            USERS_EXTENSIBLE_OBJECT
+    };
+
+    private static final String objectClassImpl = Config.getProperty( USER_OBJECT_CLASS );
+    private static final String SN = "sn";
+    private static final String PW = "userpassword";
+    private static final String SYSTEM_USER = "ftSystem";
+
+    /**
+     * Constant contains the locale attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String L = "l";
+
+    /**
+     * Constant contains the postal address attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POSTAL_ADDRESS = "postalAddress";
+
+    /**
+     * Constant contains the state attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String STATE = "st";
+
+    /**
+     * Constant contains the postal code attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POSTAL_CODE = "postalCode";
+
+    /**
+     * Constant contains the post office box attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String POST_OFFICE_BOX = "postOfficeBox";
+
+    /**
+     * Constant contains the country attribute name used within organizationalPerson ldap object classes.
+     */
+    private static final String COUNTRY = "c";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String PHYSICAL_DELIVERY_OFFICE_NAME = "physicalDeliveryOfficeName";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String DEPARTMENT_NUMBER = "departmentNumber";
+
+    /**
+     * Constant contains the  attribute name used within inetorgperson ldap object classes.
+     */
+    private static final String ROOM_NUMBER = "roomNumber";
+
+    /**
+     * Constant contains the mobile attribute values used within iNetOrgPerson ldap object classes.
+     */
+    private static final String MOBILE = "mobile";
+
+    /**
+     * Constant contains the telephone attribute values used within organizationalPerson ldap object classes.
+     */
+    private static final String TELEPHONE_NUMBER = "telephoneNumber";
+
+    /**
+     * Constant contains the  attribute name for jpeg images to be stored within inetorgperson ldap object classes.
+     */
+    private static final String JPEGPHOTO = "jpegPhoto";
+
+    /**
+     * Constant contains the email attribute values used within iNetOrgPerson ldap object classes.
+     */
+    private static final String MAIL = "mail";
+    private static final String DISPLAY_NAME = "displayName";
+    private static final String TITLE = "title";
+    private static final String EMPLOYEE_TYPE = "employeeType";
+
+    private static final String OPENLDAP_POLICY_SUBENTRY = "pwdPolicySubentry";
+    private static final String OPENLDAP_PW_RESET = "pwdReset";
+    private static final String OPENLDAP_PW_LOCKED_TIME = "pwdAccountLockedTime";
+    private static final String OPENLDAP_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
+    private static final String LOCK_VALUE = "000001010000Z";
+    private static final String[] USERID =
+        { GlobalIds.UID };
+    private static final String[] ROLES =
+        { GlobalIds.USER_ROLE_ASSIGN };
+
+    private static final String[] USERID_ATRS =
+        {
+            GlobalIds.UID
+    };
+
+    // This smaller result set of attributes are needed for user validation and authentication operations.
+    private static final String[] AUTHN_ATRS =
+        {
+            GlobalIds.FT_IID,
+            GlobalIds.UID, PW,
+            GlobalIds.DESC,
+            GlobalIds.OU, GlobalIds.CN,
+            SN,
+            GlobalIds.CONSTRAINT,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+            GlobalIds.PROPS
+    };
+
+    // This default set of attributes contains all and is used for search operations.
+    private static final String[] DEFAULT_ATRS =
+        {
+            GlobalIds.FT_IID,
+            GlobalIds.UID, PW,
+            GlobalIds.DESC,
+            GlobalIds.OU,
+            GlobalIds.CN,
+            SN,
+            GlobalIds.USER_ROLE_DATA,
+            GlobalIds.CONSTRAINT,
+            GlobalIds.USER_ROLE_ASSIGN,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
+            GlobalIds.IS_OPENLDAP ? OPENLDAP_POLICY_SUBENTRY : null,
+            GlobalIds.PROPS,
+            GlobalIds.USER_ADMINROLE_ASSIGN,
+            GlobalIds.USER_ADMINROLE_DATA,
+            POSTAL_ADDRESS,
+            L,
+            POSTAL_CODE,
+            POST_OFFICE_BOX,
+            STATE,
+            PHYSICAL_DELIVERY_OFFICE_NAME,
+            DEPARTMENT_NUMBER,
+            ROOM_NUMBER,
+            TELEPHONE_NUMBER,
+            MOBILE,
+            MAIL,
+            EMPLOYEE_TYPE,
+            TITLE,
+            SYSTEM_USER,
+            JPEGPHOTO
+    };
+
+    private static final String[] ROLE_ATR =
+        {
+            GlobalIds.USER_ROLE_DATA
+    };
+
+    private static final String[] AROLE_ATR =
+        {
+            GlobalIds.USER_ADMINROLE_DATA
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws CreateException
+     *
+     */
+    final User create( User entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+
+        try
+        {
+            entity.setInternalId();
+
+            String dn = getDn( entity.getUserId(), entity.getContextId() );
+
+            Entry myEntry = new DefaultEntry( dn );
+
+            myEntry.add( GlobalIds.OBJECT_CLASS, USER_OBJ_CLASS );
+            myEntry.add( GlobalIds.FT_IID, entity.getInternalId() );
+            myEntry.add( GlobalIds.UID, entity.getUserId() );
+
+            // CN is required on inetOrgPerson object class, if caller did not set, use the userId:
+            if ( !VUtil.isNotNullOrEmpty( entity.getCn() ) )
+            {
+                entity.setCn( entity.getUserId() );
+            }
+
+            myEntry.add( GlobalIds.CN, entity.getCn() );
+
+            // SN is required on inetOrgPerson object class, if caller did not set, use the userId:
+            if ( !VUtil.isNotNullOrEmpty( entity.getSn() ) )
+            {
+                entity.setSn( entity.getUserId() );
+            }
+
+            myEntry.add( SN, entity.getSn() );
+
+            // guard against npe
+            myEntry.add( PW,
+                VUtil.isNotNullOrEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String(
+                    new char[]
+                        {} ) );
+            myEntry.add( DISPLAY_NAME, entity.getCn() );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+            {
+                myEntry.add( TITLE, entity.getTitle() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+            {
+                myEntry.add( EMPLOYEE_TYPE, entity.getEmployeeType() );
+            }
+
+            // These are multi-valued attributes, use the util function to load.
+            // These items are optional.  The utility function will return quietly if item list is empty:
+            loadAttrs( entity.getPhones(), myEntry, TELEPHONE_NUMBER );
+            loadAttrs( entity.getMobiles(), myEntry, MOBILE );
+            loadAttrs( entity.getEmails(), myEntry, MAIL );
+
+            // The following attributes are optional:
+            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+            {
+                myEntry.add( SYSTEM_USER, entity.isSystem().toString().toUpperCase() );
+            }
+
+            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+            {
+                String pwdPolicyDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+                myEntry.add( OPENLDAP_POLICY_SUBENTRY, pwdPolicyDn );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+            {
+                myEntry.add( GlobalIds.OU, entity.getOu() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                myEntry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // props are optional as well:
+            // Add "initial" property here.
+            entity.addProperty( "init", "" );
+            loadProperties( entity.getProperties(), myEntry, GlobalIds.PROPS );
+            // map the userid to the name field in constraint:
+            entity.setName( entity.getUserId() );
+            myEntry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+            loadAddress( entity.getAddress(), myEntry );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+            {
+                myEntry.add( JPEGPHOTO, entity.getJpegPhoto() );
+            }
+
+            ld = getAdminConnection();
+            add( ld, myEntry, entity );
+            entity.setDn( dn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create userId [" + entity.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new CreateException( GlobalErrIds.USER_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws UpdateException
+     */
+    final User update( User entity )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getCn() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CN, entity.getCn() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getSn() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, SN, entity.getSn() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.OU, entity.getOu() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getPassword() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( entity.getPassword() ) ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, EMPLOYEE_TYPE, entity.getEmployeeType() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, TITLE, entity.getTitle() ) );
+            }
+
+            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
+            {
+                String szDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
+                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY, szDn ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, SYSTEM_USER, entity.isSystem().toString().toUpperCase() ) );
+            }
+
+            if ( entity.isTemporalSet() )
+            {
+                // map the userid to the name field in constraint:
+                entity.setName( entity.getUserId() );
+                String szRawData = CUtil.setConstraint( entity );
+
+                if ( VUtil.isNotNullOrEmpty( szRawData ) )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
+            }
+
+            loadAddress( entity.getAddress(), mods );
+
+            // These are multi-valued attributes, use the util function to load:
+            loadAttrs( entity.getPhones(), mods, TELEPHONE_NUMBER );
+            loadAttrs( entity.getMobiles(), mods, MOBILE );
+            loadAttrs( entity.getEmails(), mods, MAIL );
+
+            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, JPEGPHOTO, entity.getJpegPhoto() ) );
+            }
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, userDn, mods, entity );
+                entity.setDn( userDn );
+            }
+
+            entity.setDn( userDn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "update userId [" + entity.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @param replace
+     * @return
+     * @throws UpdateException
+     */
+    final User updateProps( User entity, boolean replace )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, replace );
+            }
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, userDn, mods, entity );
+                entity.setDn( userDn );
+            }
+
+            entity.setDn( userDn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "updateProps userId [" + entity.getUserId() + "] isReplace [" + replace
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param user
+     * @throws RemoveException
+     */
+    final String remove( User user )
+        throws RemoveException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, userDn, user );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new RemoveException( GlobalErrIds.USER_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final void lock( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME,
+                LOCK_VALUE ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String error = "lock user [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_LOCK_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param user
+     * @throws UpdateException
+     *
+     */
+    final void unlock( User user )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            //ld = getAdminConnection();
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapNoSuchAttributeException e )
+        {
+            LOG.info( "unlock user [" + user.getUserId() + "] no such attribute:"
+                + OPENLDAP_ACCOUNT_LOCKED_TIME );
+        }
+        catch ( LdapException e )
+        {
+            String error = "unlock user [" + user.getUserId() + "] caught LDAPException= "
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_UNLOCK_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final User getUser( User user, boolean isRoles )
+        throws FinderException
+    {
+        User entity = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        String[] uATTRS;
+        // Retrieve role attributes?
+
+        if ( isRoles )
+        {
+            // Retrieve the User's assigned RBAC and Admin Role attributes from directory.
+            uATTRS = DEFAULT_ATRS;
+
+        }
+        else
+        {
+            // Do not retrieve the User's assigned RBAC and Admin Role attributes from directory.
+            uATTRS = AUTHN_ATRS;
+        }
+
+        Entry findEntry = null;
+
+        try
+        {
+            ld = getAdminConnection();
+            findEntry = read( ld, userDn, uATTRS );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUser COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUser [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        try
+        {
+            if(findEntry != null)
+            {
+                entity = unloadLdapEntry( findEntry, 0, user.getContextId() );
+            }
+        }
+        catch ( LdapInvalidAttributeValueException e )
+        {
+            entity = null;
+        }
+
+        if ( entity == null )
+        {
+            String warning = "getUser userId [" + user.getUserId() + "] not found, Fortress rc="
+                + GlobalErrIds.USER_NOT_FOUND;
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     */
+    final List<UserAdminRole> getUserAdminRoles( User user )
+        throws FinderException
+    {
+        List<UserAdminRole> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, AROLE_ATR );
+            roles = unloadUserAdminRoles( findEntry, user.getUserId(), user.getContextId() );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUserAdminRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUserAdminRoles [" + userDn + "]= caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<String> getRoles( User user )
+        throws FinderException
+    {
+        List<String> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, ROLES );
+
+            if ( findEntry == null )
+            {
+                String warning = "getRoles userId [" + user.getUserId() + "] not found, Fortress rc="
+                    + GlobalErrIds.USER_NOT_FOUND;
+                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+            }
+
+            roles = getAttributes( findEntry, GlobalIds.USER_ROLE_ASSIGN );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     * @throws org.apache.directory.fortress.core.SecurityException
+     */
+    final Session checkPassword( User user ) throws FinderException
+    {
+        Session session = null;
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            session = new ObjectFactory().createSession();
+            session.setUserId( user.getUserId() );
+            ld = getUserConnection();
+            boolean result = bind( ld, userDn, user.getPassword() );
+
+            if ( result )
+            {
+                // check openldap password policies here
+                checkPwPolicies( ld, session );
+
+                if ( session.getErrorId() == 0 )
+                {
+                    session.setAuthenticated( true );
+                }
+            }
+        }
+        catch ( LdapAuthenticationException e )
+        {
+            // Check controls to see if password is locked, expired or out of grace:
+            checkPwPolicies( ld, session );
+            // if check pw control did not find problem the user entered invalid pw:
+            if ( session.getErrorId() == 0 )
+            {
+                String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "]";
+                session.setMsg( info );
+                session.setErrorId( GlobalErrIds.USER_PW_INVLD );
+                session.setAuthenticated( false );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeUserConnection( ld );
+        }
+
+        return session;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws FinderException
+     */
+    final List<User> findUsers( User user ) throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter;
+
+            if ( VUtil.isNotNullOrEmpty( user.getUserId() ) )
+            {
+                // place a wild card after the input userId:
+                String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                    + GlobalIds.UID + "=" + searchVal + "*))";
+            }
+            else if ( VUtil.isNotNullOrEmpty( user.getInternalId() ) )
+            {
+                // internalUserId search
+                String searchVal = encodeSafeText( user.getInternalId(), GlobalIds.USERID_LEN );
+                // this is not a wildcard search. Must be exact match.
+                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                    + GlobalIds.FT_IID + "=" + searchVal + "))";
+            }
+            else
+            {
+                // Beware - returns ALL users!!:"
+                filter = "(objectclass=" + objectClassImpl + ")";
+            }
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, user.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param user
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<String> findUsers( User user, int limit ) throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.UID + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                userList.add( getAttribute( entry, GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<User> getAuthorizedUsers( Role role ) throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(";
+            Set<String> roles = RoleUtil.getDescendants( role.getName(), role.getContextId() );
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                filter += "|(" + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+
+                for ( String uRole : roles )
+                {
+                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + uRole + ")";
+                }
+
+                filter += ")";
+            }
+            else
+            {
+                filter += GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
+            }
+
+            filter += ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     */
+    final List<User> getAssignedUsers( Role role )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     *
+     * @param roles
+     * @return
+     * @throws FinderException
+     */
+    final Set<String> getAssignedUsers( Set<String> roles, String contextId )
+        throws FinderException
+    {
+        Set<String> userSet = new HashSet<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(|";
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                for ( String roleVal : roles )
+                {
+                    String filteredVal = encodeSafeText( roleVal, GlobalIds.USERID_LEN );
+                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + filteredVal + ")";
+                }
+            }
+            else
+            {
+                return null;
+            }
+
+            filter += "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID_ATRS, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                userSet.add( getAttribute( searchResults.getEntry(), GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userSet;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws FinderException
+     */
+    final List<User> getAssignedUsers( AdminRole role )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ADMINROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAssignedUsers admin role name [" + role.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAssignedUsers admin role name [" + role.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param role
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<String> getAuthorizedUsers( Role role, int limit )
+        throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                userList.add( getAttribute( entry, GlobalIds.UID ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param searchVal
+     * @return
+     * @throws FinderException
+     */
+    final List<String> findUsersList( String searchVal, String contextId )
+        throws FinderException
+    {
+        List<String> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
+
+        try
+        {
+            searchVal = encodeSafeText( searchVal, GlobalIds.USERID_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.UID + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( ( unloadLdapEntry( searchResults.getEntry(), sequence++, contextId ) ).getUserId() );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsersList caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsersList caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param ou
+     * @return
+     * @throws FinderException
+     */
+    final List<User> findUsers( OrgUnit ou, boolean limitSize )
+        throws FinderException
+    {
+        List<User> userList = new ArrayList<>();
+        LdapConnection ld = null;
+        String userRoot = getRootDn( ou.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String szOu = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
+                + GlobalIds.OU + "=" + szOu + "))";
+            int maxLimit;
+
+            if ( limitSize )
+            {
+                maxLimit = 10;
+            }
+            else
+            {
+                maxLimit = 0;
+            }
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, userRoot,
+                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, ou.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        catch ( CursorException e )
+        {
+            String warning = "findUsers caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userList;
+    }
+
+
+    /**
+     * @param entity
+     * @param newPassword
+     * @return
+     * @throws UpdateException
+     *
+     * @throws SecurityException
+     * @throws PasswordException 
+     */
+    final boolean changePassword( User entity, char[] newPassword ) throws SecurityException
+    {
+        boolean rc = true;
+        LdapConnection ld = null;
+        List<Modification> mods;
+        String userDn = getDn( entity.getUserId(), entity.getContextId() );
+
+        try
+        {
+            ld = getUserConnection();
+            bind( ld, userDn, entity.getPassword() );
+            mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( newPassword ) ) );
+
+            modify( ld, userDn, mods );
+
+            // The 2nd modify is to update audit attributes on the User entry:
+            if ( GlobalIds.IS_AUDIT && ( entity.getAdminSession() != null ) )
+            {
+                // Because the user modified their own password, set their userId here:
+                //(entity.getAdminSession()).setInternalUserId(entity.getUserId());
+                mods = new ArrayList<Modification>();
+                modify( ld, userDn, mods, entity );
+            }
+        }
+        catch ( LdapInvalidAttributeValueException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+
+            warning += " constraint violation, ldap rc=" + e.getMessage()
+                + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
+
+            throw new PasswordException( GlobalErrIds.PSWD_CONST_VIOLATION, warning );
+        }
+        catch ( LdapNoPermissionException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+            warning += " user not authorized to change password, ldap rc=" + e.getMessage() + " Fortress rc="
+                + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+            throw new UpdateException( GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
+            warning += " caught LDAPException rc=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e );
+        }
+        finally
+        {
+            closeUserConnection( ld );
+        }
+
+        return rc;
+    }
+
+
+    /**
+     * @param user
+     * @throws UpdateException
+     *
+     */
+    final void resetUserPassword( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( user.getPassword() ) ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET, "TRUE" ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "resetUserPassword userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_RESET_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String assign( UserRole uRole ) throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            String szUserRole = uRole.getRawData();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_DATA, szUserRole ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_ASSIGN, uRole.getName() ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, uRole );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
+
+            warning += "assignment already exists.";
+            throw new FinderException( GlobalErrIds.URLE_ASSIGN_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
+
+            warning += "caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.URLE_ASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String deassign( UserRole uRole )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            // read the user's RBAC role assignments to locate target record.  Need the raw data before attempting removal:
+            List<UserRole> roles = getUserRoles( uRole.getUserId(), uRole.getContextId() );
+            int indx = -1;
+
+            // Does the user have any roles assigned?
+            if ( roles != null )
+            {
+                // function call will set indx to -1 if name not found:
+                indx = roles.indexOf( uRole );
+
+                // Is the targeted name assigned to user?
+                if ( indx > -1 )
+                {
+                    // Retrieve the targeted name:
+                    UserRole fRole = roles.get( indx );
+                    // delete the name assignment attribute using the raw name data:
+                    List<Modification> mods = new ArrayList<Modification>();
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE,
+                        GlobalIds.USER_ROLE_DATA, fRole.getRawData() ) );
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE,
+                        GlobalIds.USER_ROLE_ASSIGN, fRole.getName() ) );
+                    ld = getAdminConnection();
+                    modify( ld, userDn, mods, uRole );
+                }
+            }
+            // target name not found:
+            if ( indx == -1 )
+            {
+                // The user does not have the target name assigned,
+                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                    + "] assignment does not exist.";
+                throw new FinderException( GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String assign( UserAdminRole uRole ) throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            String szUserRole = uRole.getRawData();
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE,
+                GlobalIds.USER_ADMINROLE_DATA, szUserRole ) );
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE,
+                GlobalIds.USER_ADMINROLE_ASSIGN, uRole.getName() ) );
+
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, uRole );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] assignment already exists.";
+            throw new FinderException( GlobalErrIds.ARLE_ASSIGN_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_ASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param uRole
+     * @return
+     * @throws UpdateException
+     *
+     * @throws FinderException
+     *
+     */
+    final String deassign( UserAdminRole uRole )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
+
+        try
+        {
+            // read the user's ARBAC roles to locate record.  Need the raw data before attempting removal:
+            User user = new User( uRole.getUserId() );
+            user.setContextId( uRole.getContextId() );
+            List<UserAdminRole> roles = getUserAdminRoles( user );
+
+            int indx = -1;
+
+            // Does the user have any roles assigned?
+            if ( roles != null )
+            {
+                // function call will set index to -1 if name not found:
+                indx = roles.indexOf( uRole );
+
+                // Is the targeted name assigned to user?
+                if ( indx > -1 )
+                {
+                    // Retrieve the targeted name:
+                    UserRole fRole = roles.get( indx );
+                    // delete the name assignment attribute using the raw name data:
+                    List<Modification> mods = new ArrayList<Modification>();
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData() ) );
+
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName() ) );
+
+                    ld = getAdminConnection();
+                    modify( ld, userDn, mods, uRole );
+                }
+            }
+
+            // target name not found:
+            if ( indx == -1 )
+            {
+                // The user does not have the target name assigned,
+                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                    + "] assignment does not exist.";
+                throw new FinderException( GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
+                + "] caught LDAPException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws UpdateException 
+     * @throws Exception 
+     *
+     */
+    final String deletePwPolicy( User user ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String userDn = getDn( user.getUserId(), user.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY ) );
+            ld = getAdminConnection();
+            modify( ld, userDn, mods, user );
+        }
+        catch ( LdapException e )
+        {
+            String warning = "deletePwPolicy userId [" + user.getUserId() + "] caught LDAPException="
+                + e.getMessage() + " msg=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.USER_PW_PLCY_DEL_FAILED, warning, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return userDn;
+    }
+
+
+    /**
+     * @param entry
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private User unloadLdapEntry( Entry entry, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        User entity = new ObjectFactory().createUser();
+        entity.setSequenceId( sequence );
+        entity.setInternalId( getAttribute( entry, GlobalIds.FT_IID ) );
+        entity.setDescription( getAttribute( entry, GlobalIds.DESC ) );
+        entity.setUserId( getAttribute( entry, GlobalIds.UID ) );
+        entity.setCn( getAttribute( entry, GlobalIds.CN ) );
+        entity.setName( entity.getCn() );
+        entity.setSn( getAttribute( entry, SN ) );
+        entity.setOu( getAttribute( entry, GlobalIds.OU ) );
+        entity.setDn( entry.getDn().getName() );
+        entity.setTitle( getAttribute( entry, TITLE ) );
+        entity.setEmployeeType( getAttribute( entry, EMPLOYEE_TYPE ) );
+        unloadTemporal( entry, entity );
+        entity.setRoles( unloadUserRoles( entry, entity.getUserId(), contextId ) );
+        entity.setAdminRoles( unloadUserAdminRoles( entry, entity.getUserId(), contextId ) );
+        entity.setAddress( unloadAddress( entry ) );
+        entity.setPhones( getAttributes( entry, TELEPHONE_NUMBER ) );
+        entity.setMobiles( getAttributes( entry, MOBILE ) );
+        entity.setEmails( getAttributes( entry, MAIL ) );
+        String szBoolean = getAttribute( entry, SYSTEM_USER );
+        if ( szBoolean != null )
+        {
+            entity.setSystem( Boolean.valueOf( szBoolean ) );
+        }
+
+        entity.addProperties( AttrHelper.getProperties( getAttributes( entry, GlobalIds.PROPS ) ) );
+
+        if ( GlobalIds.IS_OPENLDAP )
+        {
+            szBoolean = getAttribute( entry, OPENLDAP_PW_RESET );
+            if ( szBoolean != null && szBoolean.equalsIgnoreCase( "true" ) )
+            {
+                entity.setReset( true );
+            }
+            String szPolicy = getAttribute( entry, OPENLDAP_POLICY_SUBENTRY );
+            if ( VUtil.isNotNullOrEmpty( szPolicy ) )
+            {
+                entity.setPwPolicy( getRdn( szPolicy ) );
+            }
+
+            szBoolean = getAttribute( entry, OPENLDAP_PW_LOCKED_TIME );
+
+            if ( szBoolean != null && szBoolean.equals( LOCK_VALUE ) )
+            {
+                entity.setLocked( true );
+            }
+        }
+
+        entity.setJpegPhoto( getPhoto( entry, JPEGPHOTO ) );
+
+        return entity;
+    }
+
+
+    /**
+     * @param userId
+     * @return
+     * @throws FinderException
+     */
+    private List<UserRole> getUserRoles( String userId, String contextId )
+        throws FinderException
+    {
+        List<UserRole> roles = null;
+        LdapConnection ld = null;
+        String userDn = getDn( userId, contextId );
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, userDn, ROLE_ATR );
+            roles = unloadUserRoles( findEntry, userId, contextId );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getUserRoles COULD NOT FIND ENTRY for user [" + userId + "]";
+            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUserRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roles;
+    }
+
+
+    /**
+     * @param ld
+     * @param pwMsg
+     */
+    private void checkPwPolicies( LdapConnection ld, PwMessage pwMsg )
+    {
+        int rc = 0;
+        boolean success = false;
+        String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
+
+        if ( ld != null )
+        {
+            if ( !GlobalIds.IS_OPENLDAP )
+            {
+                String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
+                pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED, msg, Warning.Type.PASSWORD ) );
+                pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
+                LOG.debug( msg );
+                return;
+            }
+            // todo: fixme, removed with unbound:
+/*
+            else if ( pwControl != null )
+            {
+                // ------------> pwControl.checkPasswordPolicy( ld, success, pwMsg );
+            }
+*/
+
+            // OpenLDAP has notified of password violation:
+            if ( pwMsg.getErrorId() > 0 )
+            {
+                String errMsg;
+
+                switch ( pwMsg.getErrorId() )
+                {
+
+                    case GlobalPwMsgIds.CHANGE_AFTER_RESET:
+                        // Don't throw exception if authenticating in J2EE Realm - The Web application must give user a chance to modify their password.
+                        if ( !GlobalIds.IS_REALM )
+                        {
+                            errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
+                            rc = GlobalErrIds.USER_PW_RESET;
+                        }
+                        else
+                        {
+                            errMsg = msgHdr
+                                + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
+                            success = true;
+                            pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET, errMsg, Warning.Type.PASSWORD ) );
+                        }
+
+                        break;
+
+                    case GlobalPwMsgIds.ACCOUNT_LOCKED:
+                        errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
+                        rc = GlobalErrIds.USER_PW_LOCKED;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_HAS_EXPIRED:
+                        errMsg = msgHdr + "PASSWORD HAS EXPIRED";
+                        rc = GlobalErrIds.USER_PW_EXPIRED;
+                        break;
+
+                    case GlobalPwMsgIds.NO_MODIFICATIONS:
+                        errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
+                        rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
+                        break;
+
+                    case GlobalPwMsgIds.MUST_SUPPLY_OLD:
+                        errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
+                        rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
+                        break;
+
+                    case GlobalPwMsgIds.INSUFFICIENT_QUALITY:
+                        errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
+                        rc = GlobalErrIds.USER_PW_NSF_QUALITY;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_TOO_SHORT:
+                        errMsg = msgHdr + "PASSWORD TOO SHORT";
+                        rc = GlobalErrIds.USER_PW_TOO_SHORT;
+                        break;
+
+                    case GlobalPwMsgIds.PASSWORD_TOO_YOUNG:
+                        errMsg = msgHdr + "PASSWORD TOO YOUNG";
+                        rc = GlobalErrIds.USER_PW_TOO_YOUNG;
+                        break;
+
+                    case GlobalPwMsgIds.HISTORY_VIOLATION:
+                        errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
+                        rc = GlobalErrIds.USER_PW_IN_HISTORY;
+                        break;
+
+                    default:
+                        errMsg = msgHdr + "PASSWORD CHECK FAILED";
+                        rc = GlobalErrIds.USER_PW_CHK_FAILED;
+                        break;
+                }
+
+                pwMsg.setMsg( errMsg );
+                pwMsg.setErrorId( rc );
+                pwMsg.setAuthenticated( success );
+                LOG.debug( errMsg );
+            }
+            else
+            {
+                // Checked out good:
+                String msg = msgHdr + "PASSWORD CHECK SUCCESS";
+                pwMsg.setMsg( msg );
+                pwMsg.setErrorId( 0 );
+                pwMsg.setAuthenticated( true );
+                LOG.debug( msg );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+     *
+     * @param list  contains List of type {@link UserAdminRole} targeted for adding to ldap.
+     * @param entry collection of ldap attributes containing ARBAC role assignments in raw ldap format.
+     * @throws LdapException 
+     */
+    private void loadUserAdminRoles( List<UserAdminRole> list, Entry entry ) throws LdapException
+    {
+        if ( list != null )
+        {
+            Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
+            Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
+
+            for ( UserAdminRole userRole : list )
+            {
+                userAdminRoleData.add( userRole.getRawData() );
+                userAdminRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userAdminRoleData.size() != 0 )
+            {
+                entry.add( userAdminRoleData );
+                entry.add( userAdminRoleAssign );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+     *
+     * @param list contains List of type {@link UserRole} targeted for updating into ldap.
+     * @param mods contains ldap modification set containing RBAC role assignments in raw ldap format to be updated.
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private void loadUserRoles( List<UserRole> list, List<Modification> mods )
+        throws LdapInvalidAttributeValueException
+    {
+        Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
+        Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
+
+        if ( list != null )
+        {
+            for ( UserRole userRole : list )
+            {
+                userRoleData.add( userRole.getRawData() );
+                userRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userRoleData.size() != 0 )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleData ) );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleAssign ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
+     *
+     * @param list contains List of type {@link UserAdminRole} targeted for updating to ldap.
+     * @param mods contains ldap modification set containing ARBAC role assignments in raw ldap format to be updated.
+     * @throws LdapInvalidAttributeValueException 
+     */
+    private void loadUserAdminRoles( List<UserAdminRole> list, List<Modification> mods )
+        throws LdapInvalidAttributeValueException
+    {
+        Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
+        Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
+
+        if ( list != null )
+        {
+            boolean nameSeen = false;
+
+            for ( UserAdminRole userRole : list )
+            {
+                userAdminRoleData.add( userRole.getRawData() );
+
+                if ( !nameSeen )
+                {
+                    userAdminRoleAssign.add( userRole.getName() );
+                    nameSeen = true;
+                }
+            }
+
+            if ( userAdminRoleData.size() != 0 )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleData ) );
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleAssign ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
+     *
+     * @param list  contains List of type {@link UserRole} targeted for adding to ldap.
+     * @param entry ldap entry containing attributes mapping to RBAC role assignments in raw ldap format.
+     * @throws LdapException 
+     */
+    private void loadUserRoles( List<UserRole> list, Entry entry ) throws LdapException
+    {
+        if ( list != null )
+        {
+            Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
+            Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
+
+            for ( UserRole userRole : list )
+            {
+                userRoleData.add( userRole.getRawData() );
+                userRoleAssign.add( userRole.getName() );
+            }
+
+            if ( userRoleData.size() != 0 )
+            {
+                entry.add( userRoleData, userRoleAssign );
+            }
+        }
+    }
+
+
+    /**
+     * Given a User address, {@link Address}, load into ldap attribute set in preparation for ldap add.
+     *
+     * @param address  contains User address {@link Address} targeted for adding to ldap.
+     * @param entry collection of ldap attributes containing RBAC role assignments in raw ldap format.
+     */
+    private void loadAddress( Address address, Entry entry ) throws LdapException
+    {
+        if ( address != null )
+        {
+            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+            {
+                for ( String val : address.getAddresses() )
+                {
+                    entry.add( POSTAL_ADDRESS, val );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+            {
+                entry.add( L, address.getCity() );
+            }
+
+            //if(VUtil.isNotNullOrEmpty(address.getCountry()))
+            //{
+            //    attrs.add(GlobalIds.COUNTRY, address.getAddress1());
+            //}
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+            {
+                entry.add( POSTAL_CODE, address.getPostalCode() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+            {
+                entry.add( POST_OFFICE_BOX, address.getPostOfficeBox() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+            {
+                entry.add( STATE, address.getState() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+            {
+                entry.add( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+            {
+                entry.add( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+            {
+                entry.add( ROOM_NUMBER, address.getRoomNumber() );
+            }
+        }
+    }
+
+
+    /**
+     * Given an address, {@link Address}, load into ldap modification set in preparation for ldap modify.
+     *
+     * @param address contains entity of type {@link Address} targeted for updating into ldap.
+     * @param mods contains ldap modification set contains attributes to be updated in ldap.
+     */
+    private void loadAddress( Address address, List<Modification> mods )
+    {
+        if ( address != null )
+        {
+            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_ADDRESS ) );
+
+                for ( String val : address.getAddresses() )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.ADD_ATTRIBUTE, POSTAL_ADDRESS, val ) );
+                }
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, L, address.getCity() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_CODE, address.getPostalCode() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, POST_OFFICE_BOX, address.getPostOfficeBox() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, STATE, address.getState() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, DEPARTMENT_NUMBER, address.getDepartmentNumber() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, ROOM_NUMBER, address.getRoomNumber() ) );
+            }
+        }
+    }
+
+
+    /**
+     * Given an ldap entry containing organzationalPerson address information, convert to {@link Address}
+     *
+     * @param entry     contains ldap entry to retrieve admin roles from.
+     * @return entity of type {@link Address}.
+     * @throws LdapInvalidAttributeValueException 
+     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+     */
+    private Address unloadAddress( Entry entry ) throws LdapInvalidAttributeValueException
+    {
+        Address addr = new ObjectFactory().createAddress();
+        List<String> pAddrs = getAttributes( entry, POSTAL_ADDRESS );
+
+        if ( pAddrs != null )
+        {
+            for ( String pAddr : pAddrs )
+            {
+                addr.setAddress( pAddr );
+            }
+        }
+
+        addr.setCity( getAttribute( entry, L ) );
+        addr.setState( getAttribute( entry, STATE ) );
+        addr.setPostalCode( getAttribute( entry, POSTAL_CODE ) );
+        addr.setPostOfficeBox( getAttribute( entry, POST_OFFICE_BOX ) );
+        addr.setBuilding( getAttribute( entry, PHYSICAL_DELIVERY_OFFICE_NAME ) );
+        addr.setDepartmentNumber( getAttribute( entry, DEPARTMENT_NUMBER ) );
+        addr.setRoomNumber( getAttribute( entry, ROOM_NUMBER ) );
+        // todo: add support for country attribute
+        //addr.setCountry(getAttribute(le, GlobalIds.COUNTRY));
+
+        return addr;
+    }
+
+
+    /**
+     * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserAdminRole}
+     * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+     *
+     * @param entry     contains ldap entry to retrieve admin roles from.
+     * @param userId attribute maps to {@link UserAdminRole#userId}.
+     * @param contextId
+     * @return List of type {@link UserAdminRole} containing admin roles assigned to a particular user.
+     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+     */
+    private List<UserAdminRole> unloadUserAdminRoles( Entry entry, String userId, String contextId )
+    {
+        List<UserAdminRole> uRoles = null;
+        List<String> roles = getAttributes( entry, GlobalIds.USER_ADMINROLE_DATA );
+
+        if ( roles != null )
+        {
+            long sequence = 0;
+            uRoles = new ArrayList<>();
+
+            for ( String raw : roles )
+            {
+                UserAdminRole ure = new ObjectFactory().createUserAdminRole();
+                ure.load( raw, contextId );
+                ure.setSequenceId( sequence++ );
+                ure.setUserId( userId );
+                uRoles.add( ure );
+            }
+        }
+
+        return uRoles;
+    }
+
+
+    /**
+     *
+     * @param userId
+     * @param contextId
+     * @return
+     */
+    private String getDn( String userId, String contextId )
+    {
+        return GlobalIds.UID + "=" + userId + "," + getRootDn( contextId, GlobalIds.USER_ROOT );
+    }
+
+
+    /**
+    * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserRole}
+    * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
+    *
+    * @param entry     contains ldap entry to retrieve roles from.
+    * @param userId attribute maps to {@link UserRole#userId}.
+    * @param contextId
+    * @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
+    * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
+    */
+    private List<UserRole> unloadUserRoles( Entry entry, String userId, String contextId )
+    {
+        List<UserRole> uRoles = null;
+        List<String> roles = getAttributes( entry, GlobalIds.USER_ROLE_DATA );
+
+        if ( roles != null )
+        {
+            long sequence = 0;
+            uRoles = new ArrayList<>();
+
+            for ( String raw : roles )
+            {
+                UserRole ure = new ObjectFactory().createUserRole();
+                ure.load( raw, contextId );
+                ure.setUserId( userId );
+                ure.setSequenceId( sequence++ );
+                uRoles.add( ure );
+            }
+        }
+
+        return uRoles;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java b/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
index 5d100b6..972a618 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/UserP.java
@@ -33,8 +33,6 @@ import org.apache.directory.fortress.core.ObjectFactory;
 import org.apache.directory.fortress.core.PasswordException;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
-import org.apache.directory.fortress.core.rbac.dao.UserDAO;
 import org.apache.directory.fortress.core.util.attr.AttrHelper;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.directory.fortress.core.util.time.CUtil;
@@ -61,7 +59,7 @@ public final class UserP
 {
     //private static final boolean IS_SESSION_PROPS_ENABLED = Config.getBoolean( "user.session.props.enabled", false );
     private static final String CLS_NM = UserP.class.getName();
-    private static UserDAO uDao = DaoFactory.createUserDAO();
+    private static UserDAO uDao = new UserDAO();
     private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
     private static final PolicyP policyP = new PolicyP();
     private static final AdminRoleP admRoleP = new AdminRoleP();
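Review bot: The rewritten field `private static UserDAO uDao = new UserDAO();` is still not `final`, while the sibling statics right below it (`policyP`, `admRoleP`) are `final`; since the factory indirection is gone and the instance is fixed at class init, it should read `private static final UserDAO uDao = new UserDAO();` so the DAO reference cannot be reassigned. Replacing `DaoFactory.createUserDAO()` with a direct constructor presumably also removes the only point where a different `UserDAO` implementation could be substituted (for instance under test); if that is intended, a one-line comment such as `// DAO implementation is fixed to the Apache LDAP API; no factory indirection` would save the next reader from looking for the factory. The enclosing class `UserP` continues outside the hunk.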


[15/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/UnboundIdDataProvider.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/UnboundIdDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/UnboundIdDataProvider.java
deleted file mode 100644
index 944dcb0..0000000
--- a/src/main/java/org/apache/directory/fortress/core/ldap/UnboundIdDataProvider.java
+++ /dev/null
@@ -1,1277 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.ldap;
-
-
-import java.io.UnsupportedEncodingException;
-import java.util.ArrayList;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.Properties;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.rbac.FortEntity;
-import org.apache.directory.fortress.core.rbac.Hier;
-import org.apache.directory.fortress.core.rbac.Relationship;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-import org.apache.directory.fortress.core.util.time.Constraint;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPControl;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPDN;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPReferralException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchConstraints;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * Abstract class contains methods to perform low-level entity to ldap persistence.  These methods are called by the
- * Fortress DAO's, i.e. {@link org.apache.directory.fortress.core.rbac.dao.unboundid.UserDAO}. {@link org.apache.directory.fortress.core.rbac.dao.unboundid.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.unboundid.PermDAO}, ....
- * These are low-level data utilities, very little if any data validations are performed here.
- * <p/>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public abstract class UnboundIdDataProvider
-{
-    private static final String OPENLDAP_PROXY_CONTROL = "2.16.840.1.113730.3.4.18";
-    private static final int MAX_DEPTH = 100;
-    private static final String CLS_NM = UnboundIdDataProvider.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static final LdapCounters counters = new LdapCounters();
-
-
-    /**
-     * Given a contextId and a fortress param name return the LDAP dn.
-     *
-     * @param contextId is to determine what sub-tree to use.
-     * @param root      contains the fortress parameter name that corresponds with a particular LDAP container.
-     * @return String contains the dn to use for operation.
-     */
-    protected String getRootDn( String contextId, String root )
-    {
-        String szDn = Config.getProperty( root );
-        StringBuilder dn = new StringBuilder();
-
-        // The contextId must not be null, or "HOME" or "null"
-        if ( VUtil.isNotNullOrEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL )
-            && !contextId.equals( GlobalIds.HOME ) )
-        {
-            int idx = szDn.indexOf( Config.getProperty( GlobalIds.SUFFIX ) );
-
-            if ( idx != -1 )
-            {
-                // Found. The DN is ,ou=<contextId>,  
-                dn.append( szDn.substring( 0, idx - 1 ) ).append( "," ).append( GlobalIds.OU ).append( "=" )
-                    .append( contextId ).append( "," ).append( szDn.substring( idx ) );
-            }
-        }
-        else
-        {
-            dn.append( szDn );
-        }
-
-        return dn.toString();
-    }
-
-
-    /**
-     * Given a contextId return the LDAP dn that includes the suffix.
-     *
-     * @param contextId is to determine what sub-tree to use.
-     * @return String contains the dn to use for operation.
-     */
-    protected String getRootDn( String contextId )
-    {
-        StringBuilder dn = new StringBuilder();
-        if ( VUtil.isNotNullOrEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL )
-            && !contextId.equals( GlobalIds.HOME ) )
-        {
-            dn.append( GlobalIds.OU ).append( "=" ).append( contextId ).append( "," )
-                .append( Config.getProperty( GlobalIds.SUFFIX ) );
-        }
-        else
-        {
-            dn.append( Config.getProperty( GlobalIds.SUFFIX ) );
-        }
-        return dn.toString();
-    }
-
-
-    /**
-     * Read the ldap record from specified location.
-     *
-     * @param ld   handle to ldap connection.
-     * @param dn   contains ldap distinguished name.
-     * @param atrs array contains array names to pull back.
-     * @return ldap entry.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected LDAPEntry read( LDAPConnection ld, String dn, String[] atrs )
-        throws LDAPException
-    {
-        counters.incrementRead();
-
-        return ld.read( dn, atrs );
-    }
-
-
-    /**
-     * Read the ldap record from specified location with user assertion.
-     *
-     * @param ld     handle to ldap connection.
-     * @param dn     contains ldap distinguished name.
-     * @param atrs   array contains array names to pull back.                                        , PoolMgr.ConnType.USER
-     * @param userDn string value represents the identity of user on who's behalf the request was initiated.  The value will be stored in openldap auditsearch record AuthZID's attribute.
-     * @return ldap entry.
-     * @throws LDAPException                in the event system error occurs.
-     * @throws UnsupportedEncodingException for search control errors.
-     */
-    protected LDAPEntry read( LDAPConnection ld, String dn, String[] atrs, String userDn )
-        throws LDAPException, UnsupportedEncodingException
-    {
-        counters.incrementRead();
-        LDAPControl proxyCtl = new LDAPControl( OPENLDAP_PROXY_CONTROL, true,
-            ( GlobalIds.DN + ": " + userDn ).getBytes( GlobalIds.UTF8 ) );
-        LDAPSearchConstraints opt = new LDAPSearchConstraints();
-        opt.setServerControls( proxyCtl );
-        return ld.read( dn, atrs, opt );
-    }
-
-
-    /**
-     * Add a new ldap entry to the directory.  Do not add audit context.
-     *
-     * @param ld    handle to ldap connection.
-     * @param entry contains data to add..
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void add( LDAPConnection ld, LDAPEntry entry )
-        throws LDAPException
-    {
-        counters.incrementAdd();
-        ld.add( entry );
-    }
-
-
-    /**
-     * Add a new ldap entry to the directory.  Add audit context.
-     *
-     * @param ld     handle to ldap connection.
-     * @param entry  contains data to add..
-     * @param entity contains audit context.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void add( LDAPConnection ld, LDAPEntry entry, FortEntity entity )
-        throws LDAPException
-    {
-        counters.incrementAdd();
-
-        if ( GlobalIds.IS_AUDIT && entity != null && entity.getAdminSession() != null )
-        {
-            LDAPAttributeSet attrs = entry.getAttributeSet();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getAdminSession().getInternalUserId() ) )
-            {
-                attrs.add( new LDAPAttribute( GlobalIds.FT_MODIFIER, entity.getAdminSession().getInternalUserId() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getModCode() ) )
-            {
-                attrs.add( new LDAPAttribute( GlobalIds.FT_MODIFIER_CODE, entity.getModCode() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getModId() ) )
-            {
-                attrs.add( new LDAPAttribute( GlobalIds.FT_MODIFIER_ID, entity.getModId() ) );
-            }
-        }
-
-        ld.add( entry );
-    }
-
-
-    /**
-     * Update exiting ldap entry to the directory.  Do not add audit context.
-     *
-     * @param ld   handle to ldap connection.
-     * @param dn   contains distinguished node of entry.
-     * @param mods contains data to modify.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void modify( LDAPConnection ld, String dn, LDAPModificationSet mods )
-        throws LDAPException
-    {
-        counters.incrementMod();
-        ld.modify( dn, mods );
-    }
-
-
-    /**
-     * Update exiting ldap entry to the directory.  Add audit context.
-     *
-     * @param ld     handle to ldap connection.
-     * @param dn     contains distinguished node of entry.
-     * @param mods   contains data to modify.
-     * @param entity contains audit context.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void modify( LDAPConnection ld, String dn, LDAPModificationSet mods, FortEntity entity )
-        throws LDAPException
-    {
-        counters.incrementMod();
-        audit( mods, entity );
-        ld.modify( dn, mods );
-    }
-
-
-    /**
-     * Delete exiting ldap entry from the directory.  Do not add audit context.
-     *
-     * @param ld handle to ldap connection.
-     * @param dn contains distinguished node of entry targeted for removal..
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void delete( LDAPConnection ld, String dn )
-        throws LDAPException
-    {
-        counters.incrementDelete();
-        ld.delete( dn );
-    }
-
-
-    /**
-     * Delete exiting ldap entry from the directory.  Add audit context.  This method will call modify prior to delete which will
-     * force corresponding audit record to be written to slapd access log.
-     *
-     * @param ld     handle to ldap connection.
-     * @param dn     contains distinguished node of entry targeted for removal..
-     * @param entity contains audit context.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void delete( LDAPConnection ld, String dn, FortEntity entity )
-        throws LDAPException
-    {
-        counters.incrementDelete();
-        LDAPModificationSet mods = new LDAPModificationSet();
-        audit( mods, entity );
-        if ( mods.size() > 0 )
-            modify( ld, dn, mods );
-        ld.delete( dn );
-    }
-
-
-    /**
-     * Delete exiting ldap entry and all descendants from the directory.  Do not add audit context.
-     *
-     * @param ld handle to ldap connection.
-     * @param dn contains distinguished node of entry targeted for removal..
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void deleteRecursive( LDAPConnection ld, String dn )
-        throws LDAPException
-    {
-        int recursiveCount = 0;
-        deleteRecursive( dn, ld, recursiveCount );
-    }
-
-
-    /**
-     * Delete exiting ldap entry and all descendants from the directory.  Add audit context.  This method will call modify prior to delete which will
-     * force corresponding audit record to be written to slapd access log.
-     *
-     * @param ld     handle to ldap connection.
-     * @param dn     contains distinguished node of entry targeted for removal..
-     * @param entity contains audit context.
-     * @throws LDAPException in the event system error occurs.
-     */
-    protected void deleteRecursive( LDAPConnection ld, String dn, FortEntity entity )
-        throws LDAPException
-    {
-        LDAPModificationSet mods = new LDAPModificationSet();
-        audit( mods, entity );
-        if ( mods.size() > 0 )
-            modify( ld, dn, mods );
-        deleteRecursive( ld, dn );
-    }
-
-
-    /**
-     * Used to recursively remove all nodes up to record pointed to by dn attribute.
-     *
-     * @param dn             contains distinguished node of entry targeted for removal..
-     * @param ld             handle to ldap connection.
-     * @param recursiveCount keeps track of how many iterations have been performed.
-     * @throws LDAPException in the event system error occurs.
-     */
-    private void deleteRecursive( String dn, LDAPConnection ld, int recursiveCount )
-        throws LDAPException
-    {
-        String method = "deleteRecursive";
-        // Sanity check - only allow max tree depth of 100
-        if ( recursiveCount++ > MAX_DEPTH )
-        {
-            // too deep inside of a recursive sequence;
-            String error = "." + method + " dn [" + dn + "] depth error in recursive";
-            throw new LDAPException( error, LDAPException.OPERATION_ERROR );
-        }
-
-        String theDN;
-        // Find child nodes
-        LDAPSearchResults res = search( ld, dn, LDAPConnection.SCOPE_ONE, "objectclass=*", GlobalIds.NO_ATRS, false, 0 );
-
-        // Iterate over all entries under this entry
-        while ( res.hasMoreElements() )
-        {
-            try
-            {
-                // Next directory entry
-                LDAPEntry entry = res.next();
-                theDN = entry.getDN();
-                // continue down:
-                deleteRecursive( theDN, ld, recursiveCount );
-                recursiveCount--;
-            }
-            catch ( LDAPReferralException lre )
-            {
-                // cannot continue;
-                String error = "." + method + " dn [" + dn + "] caught LDAPReferralException="
-                    + lre.errorCodeToString() + "=" + lre.getLDAPErrorMessage();
-                throw new LDAPException( error, lre.getLDAPResultCode() );
-            }
-            catch ( LDAPException ldape )
-            {
-                // cannot continue;
-                String error = "." + method + " dn [" + dn + "] caught LDAPException="
-                    + ldape.errorCodeToString() + "=" + ldape.getLDAPErrorMessage();
-                throw new LDAPException( error, ldape.getLDAPResultCode() );
-            }
-        }
-        // delete the node:
-        counters.incrementDelete();
-        delete( ld, dn );
-    }
-
-
-    /**
-     * Add the audit context variables to the modfication set.
-     *
-     * @param mods   used to update ldap attributes.
-     * @param entity contains audit context.
-     * @throws LDAPException in the event of error with ldap client.
-     */
-    private void audit( LDAPModificationSet mods, FortEntity entity )
-    {
-        if ( GlobalIds.IS_AUDIT && entity != null && entity.getAdminSession() != null )
-        {
-            if ( VUtil.isNotNullOrEmpty( entity.getAdminSession().getInternalUserId() ) )
-            {
-                LDAPAttribute modifier = new LDAPAttribute( GlobalIds.FT_MODIFIER, entity.getAdminSession()
-                    .getInternalUserId() );
-                mods.add( LDAPModification.REPLACE, modifier );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getModCode() ) )
-            {
-                LDAPAttribute modCode = new LDAPAttribute( GlobalIds.FT_MODIFIER_CODE, entity.getModCode() );
-                mods.add( LDAPModification.REPLACE, modCode );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getModId() ) )
-            {
-                LDAPAttribute modId = new LDAPAttribute( GlobalIds.FT_MODIFIER_ID, entity.getModId() );
-                mods.add( LDAPModification.REPLACE, modId );
-            }
-        }
-    }
-
-
-    /**
-     * Perform normal ldap search accepting default batch size.
-     *
-     * @param ld        is LDAPConnection object used for all communication with host.
-     * @param baseDn    contains address of distinguished name to begin ldap search
-     * @param scope     indicates depth of search starting at basedn.  0 (base dn), 1 (one level down) or 2 (infinite) are valid values.
-     * @param filter    contains the search criteria
-     * @param atrs      is the requested list of attritubutes to return from directory search.
-     * @param attrsOnly if true pull back attribute names only.
-     * @return result set containing ldap entries returned from directory.
-     * @throws LDAPException thrown in the event of error in ldap client or server code.
-     */
-    protected LDAPSearchResults search( LDAPConnection ld,
-        String baseDn,
-        int scope,
-        String filter,
-        String[] atrs,
-        boolean attrsOnly )
-        throws LDAPException
-    {
-        counters.incrementSearch();
-        LDAPSearchResults result;
-        result = ld.search( baseDn, scope, filter, atrs, attrsOnly );
-        return result;
-    }
-
-
-    /**
-     * Perform normal ldap search specifying default batch size.
-     *
-     * @param ld        is LDAPConnection object used for all communication with host.
-     * @param baseDn    contains address of distinguished name to begin ldap search
-     * @param scope     indicates depth of search starting at basedn.  0 (base dn), 1 (one level down) or 2 (infinite) are valid values.
-     * @param filter    contains the search criteria
-     * @param atrs      is the requested list of attritubutes to return from directory search.
-     * @param attrsOnly if true pull back attribute names only.
-     * @param batchSize Will block until this many entries are ready to return from server.  0 indicates to block until all results are ready.
-     * @return result set containing ldap entries returned from directory.
-     * @throws LDAPException thrown in the event of error in ldap client or server code.
-     */
-    protected LDAPSearchResults search( LDAPConnection ld,
-        String baseDn,
-        int scope,
-        String filter,
-        String[] atrs,
-        boolean attrsOnly,
-        int batchSize )
-        throws LDAPException
-    {
-        counters.incrementSearch();
-        LDAPSearchResults result;
-        LDAPSearchConstraints ldCons = new LDAPSearchConstraints();
-        // Returns the maximum number of search results that are to be returned; 0 means there is no limit.
-        ldCons.setMaxResults( 0 );
-        ldCons.setBatchSize( batchSize );
-        result = ld.search( baseDn, scope, filter, atrs, attrsOnly, ldCons );
-        return result;
-    }
-
-
-    /**
-     * Perform normal ldap search specifying default batch size and max entries to return.
-     *
-     * @param ld         is LDAPConnection object used for all communication with host.
-     * @param baseDn     contains address of distinguished name to begin ldap search
-     * @param scope      indicates depth of search starting at basedn.  0 (base dn), 1 (one level down) or 2 (infinite) are valid values.
-     * @param filter     contains the search criteria
-     * @param atrs       is the requested list of attritubutes to return from directory search.
-     * @param attrsOnly  if true pull back attribute names only.
-     * @param batchSize  Will block until this many entries are ready to return from server.  0 indicates to block until all results are ready.
-     * @param maxEntries specifies the maximum number of entries to return in this search query.
-     * @return result set containing ldap entries returned from directory.
-     * @throws LDAPException thrown in the event of error in ldap client or server code.
-     */
-    protected LDAPSearchResults search( LDAPConnection ld,
-        String baseDn,
-        int scope,
-        String filter,
-        String[] atrs,
-        boolean attrsOnly,
-        int batchSize,
-        int maxEntries )
-        throws LDAPException
-    {
-        counters.incrementSearch();
-        LDAPSearchResults result;
-        LDAPSearchConstraints ldCons = new LDAPSearchConstraints();
-        // Returns the maximum number of search results that are to be returned;
-        ldCons.setMaxResults( maxEntries );
-        ldCons.setBatchSize( batchSize );
-        result = ld.search( baseDn, scope, filter, atrs, attrsOnly, ldCons );
-        return result;
-    }
-
-
-    /**
-     * This method will search the directory and return at most one record.  If more than one record is found
-     * an ldap exception will be thrown.
-     *
-     * @param ld        is LDAPConnection object used for all communication with host.
-     * @param baseDn    contains address of distinguished name to begin ldap search
-     * @param scope     indicates depth of search starting at basedn.  0 (base dn), 1 (one level down) or 2 (infinite) are valid values.
-     * @param filter    contains the search criteria
-     * @param atrs      is the requested list of attritubutes to return from directory search.
-     * @param attrsOnly if true pull back attribute names only.
-     * @return entry   containing target ldap node.
-     * @throws LDAPException thrown in the event of error in ldap client or server code.
-     */
-    protected LDAPEntry searchNode( LDAPConnection ld,
-        String baseDn,
-        int scope, String filter,
-        String[] atrs,
-        boolean attrsOnly )
-        throws LDAPException
-    {
-        LDAPSearchResults result = ld.search( baseDn, scope,
-            filter, atrs, attrsOnly );
-        if ( result.getCount() > 1 )
-        {
-            throw new LDAPException( "searchNode failed to return unique record for LDAP search of base DN ["
-                + baseDn + "] filter [" + filter + "]" );
-        }
-        return result.next();
-    }
-
-
-    /**
-     * This search method uses OpenLDAP Proxy Authorization Control to assert arbitrary user identity onto connection.
-     *
-     * @param ld        is LDAPConnection object used for all communication with host.
-     * @param baseDn    contains address of distinguished name to begin ldap search
-     * @param scope     indicates depth of search starting at basedn.  0 (base dn), 1 (one level down) or 2 (infinite) are valid values.
-     * @param filter    contains the search criteria
-     * @param atrs      is the requested list of attritubutes to return from directory search.
-     * @param attrsOnly if true pull back attribute names only.
-     * @param userDn    string value represents the identity of user on who's behalf the request was initiated.  The value will be stored in openldap auditsearch record AuthZID's attribute.
-     * @return entry   containing target ldap node.
-     * @throws LDAPException thrown in the event of error in ldap client or server code.
-     */
-    protected LDAPEntry searchNode( LDAPConnection ld,
-        String baseDn,
-        int scope,
-        String filter,
-        String[] atrs,
-        boolean attrsOnly,
-        String userDn )
-        throws LDAPException, UnsupportedEncodingException
-    {
-        counters.incrementSearch();
-        LDAPControl proxyCtl = new LDAPControl( OPENLDAP_PROXY_CONTROL, true,
-            ( GlobalIds.DN + ": " + userDn ).getBytes( GlobalIds.UTF8 ) );
-        LDAPSearchConstraints opt = new LDAPSearchConstraints();
-        opt.setServerControls( proxyCtl );
-        LDAPSearchResults result = ld.search( baseDn, scope, filter, atrs, attrsOnly, opt );
-        if ( result.getCount() > 1 )
-        {
-            throw new LDAPException( "searchNode failed to return unique record for LDAP search of base DN ["
-                + baseDn + "] filter [" + filter + "]" );
-        }
-        return result.next();
-    }
-
-
-    /**
-     * This method uses the compare ldap func to assert audit record into the directory server's configured audit logger.
-     *
-     * @param ld        is LDAPConnection object used for all communication with host.
-     * @param dn        contains address of distinguished name to begin ldap search
-     * @param userDn    dn for user node
-     * @param attribute attribute used for compare
-     * @return true if compare operation succeeds
-     * @throws LDAPException                thrown in the event of error in ldap client or server code.
-     * @throws UnsupportedEncodingException in the event the server cannot perform the operation.
-     */
-    protected boolean compareNode( LDAPConnection ld,
-        String dn,
-        String userDn,
-        LDAPAttribute attribute )
-        throws LDAPException, UnsupportedEncodingException
-    {
-        counters.incrementCompare();
-        LDAPControl proxyCtl = new LDAPControl( OPENLDAP_PROXY_CONTROL, true,
-            ( GlobalIds.DN + ": " + userDn ).getBytes( GlobalIds.UTF8 ) );
-        LDAPSearchConstraints opt = new LDAPSearchConstraints();
-        opt.setServerControls( proxyCtl );
-        return ld.compare( dn, attribute, opt );
-    }
-
-
-    /**
-     * Method wraps ldap client to return multi-occurring attribute values by name within a given entry and returns as a list of strings.
-     *
-     * @param entry         contains the target ldap entry.
-     * @param attributeName name of ldap attribute to retrieve.
-     * @return List of type string containing attribute values.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected List<String> getAttributes( LDAPEntry entry, String attributeName )
-    {
-        List<String> attrValues = new ArrayList<>();
-        LDAPAttribute attr;
-        Enumeration values;
-        attr = entry.getAttribute( attributeName );
-        if ( attr != null )
-        {
-            values = attr.getStringValues();
-        }
-        else
-        {
-            return null;
-        }
-        if ( values != null )
-        {
-            while ( values.hasMoreElements() )
-            {
-                attrValues.add( ( String ) values.nextElement() );
-            }
-        }
-        return attrValues;
-    }
-
-
-    protected byte[] getPhoto( LDAPEntry entry, String attributeName )
-    {
-        byte[] photo = null;
-        LDAPAttribute attr = entry.getAttribute( attributeName );
-        if ( attr != null )
-        {
-            // Get the values as byte arrays
-            Enumeration enumVals =
-                attr.getByteValues();
-            // Get the first value - if there's more
-            // than one
-            if ( enumVals.hasMoreElements() )
-            {
-                photo =
-                    ( byte[] ) enumVals.nextElement();
-            }
-        }
-        return photo;
-    }
-
-
-    /**
-     * Method wraps ldap client to return multi-occurring attribute values by name within a given entry and returns as a set of strings.
-     *
-     * @param entry         contains the target ldap entry.
-     * @param attributeName name of ldap attribute to retrieve.
-     * @return List of type string containing attribute values.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected Set<String> getAttributeSet( LDAPEntry entry, String attributeName )
-    {
-        // create Set with case insensitive comparator:
-        Set<String> attrValues = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-        LDAPAttribute attr;
-        Enumeration values;
-        attr = entry.getAttribute( attributeName );
-        if ( attr != null )
-        {
-            values = attr.getStringValues();
-        }
-        else
-        {
-            return null;
-        }
-        if ( values != null )
-        {
-            while ( values.hasMoreElements() )
-            {
-                attrValues.add( ( String ) values.nextElement() );
-            }
-        }
-        return attrValues;
-    }
-
-
-    /**
-     * Method wraps ldap client to return multi-occurring attribute values by name within a given entry and return as a list of type {@link org.apache.directory.fortress.core.rbac.Relationship}.
-     *
-     * @param entry         contains the target ldap entry.
-     * @param attributeName name of ldap attribute to retrieve.
-     * @return List of type {@link org.apache.directory.fortress.core.rbac.Relationship} containing parent-child relationships.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected List<Relationship> getRelationshipAttributes( LDAPEntry entry, String attributeName )
-    {
-        List<Relationship> attrValues = new ArrayList<>();
-        LDAPAttribute attr;
-        Enumeration values;
-
-        attr = entry.getAttribute( attributeName );
-        if ( attr != null )
-        {
-            values = attr.getStringValues();
-        }
-        else
-        {
-            return null;
-        }
-        if ( values != null )
-        {
-            while ( values.hasMoreElements() )
-            {
-                String edge = ( String ) values.nextElement();
-                int indx = edge.indexOf( GlobalIds.PROP_SEP );
-                if ( indx >= 1 )
-                {
-                    // This LDAP attr is stored as a name-value pair separated by a ':'.
-                    // Separate the parent from the child:
-                    String child = edge.substring( 0, indx );
-                    String parent = edge.substring( indx + 1 );
-
-                    // Load the parent/child relationship values into a helper class:
-                    Relationship rel = new Relationship( child, parent );
-                    attrValues.add( rel );
-                }
-                else
-                {
-                    String warning = "getRelAttributes detected incorrect data in role relationship field: "
-                        + edge;
-                    LOG.warn( warning );
-                }
-            }
-        }
-        return attrValues;
-    }
-
-
-    /**
-     * Method wraps ldap client to return attribute value by name within a given entry and returns as a string.
-     *
-     * @param entry         contains the target ldap entry.
-     * @param attributeName name of ldap attribute to retrieve.
-     * @return value contained in a string variable.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected String getAttribute( LDAPEntry entry, String attributeName )
-    {
-        String attrValue = null;
-        LDAPAttribute attr;
-        Enumeration values;
-        attr = entry.getAttribute( attributeName );
-        if ( attr != null )
-        {
-            values = attr.getStringValues();
-        }
-        else
-        {
-            return null;
-        }
-        if ( values != null )
-        {
-            attrValue = ( String ) values.nextElement();
-        }
-        return attrValue;
-    }
-
-
-    /**
-     * Method will retrieve the relative distinguished name from a distinguished name variable.
-     *
-     * @param dn contains ldap distinguished name.
-     * @return rDn as string.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected String getRdn( String dn )
-    {
-        String[] dnList;
-        dnList = LDAPDN.explodeDN( dn, true );
-        return dnList[0];
-    }
-
-
-    /**
-     * Create multi-occurring ldap attribute given array of strings and attribute name.
-     *
-     * @param name   contains attribute name to create.
-     * @param values array of string that contains attribute values.
-     * @return LDAPAttribute containing multi-occurring attribute set.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected LDAPAttribute createAttributes( String name, String values[] )
-        throws LDAPException
-    {
-        LDAPAttribute attr = new LDAPAttribute( name );
-        for ( String value : values )
-        {
-            encodeSafeText( value, value.length() );
-            attr.addValue( value );
-        }
-        return attr;
-    }
-
-
-    /**
-     * Create ldap attribute given an attribute name and value.
-     *
-     * @param name  contains attribute name to create.
-     * @param value string contains attribute value.
-     * @return LDAPAttribute containing new ldap attribute.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected LDAPAttribute createAttribute( String name, String value )
-        throws LDAPException
-    {
-        LDAPAttribute attr = new LDAPAttribute( name );
-        encodeSafeText( value, value.length() );
-        attr.addValue( value );
-        return attr;
-    }
-
-
-    /**
-     * Convert constraint from raw ldap format to application entity.
-     *
-     * @param le         ldap entry containing constraint.
-     * @param ftDateTime reference to {@link org.apache.directory.fortress.util.time.Constraint} containing formatted data.
-     * @throws LDAPException in the event of ldap client error.
-     */
-    protected void unloadTemporal( LDAPEntry le, Constraint ftDateTime )
-    {
-        String szRawData = getAttribute( le, GlobalIds.CONSTRAINT );
-
-        if ( szRawData != null && szRawData.length() > 0 )
-        {
-            CUtil.setConstraint( szRawData, ftDateTime );
-        }
-    }
-
-
-    /**
-     * Given an ldap attribute name and a list of attribute values, construct an ldap attribute set to be added to directory.
-     *
-     * @param list     list of type string containing attribute values to load into attribute set.
-     * @param attrs    contains ldap attribute set targeted for adding.
-     * @param attrName name of ldap attribute being added.
-     */
-    protected void loadAttrs( List<String> list, LDAPAttributeSet attrs, String attrName )
-    {
-        if ( list != null && list.size() > 0 )
-        {
-            LDAPAttribute attr = null;
-            for ( String val : list )
-            {
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( attrName, val );
-                }
-                else
-                {
-                    attr.addValue( val );
-                }
-            }
-            if ( attr != null )
-            {
-                attrs.add( attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of {@link org.apache.directory.fortress.core.rbac.Relationship}, convert to raw data name-value format and load into ldap attribute set in preparation for ldap add.
-     *
-     * @param list     contains List of type {@link org.apache.directory.fortress.core.rbac.Relationship} targeted for adding to ldap.
-     * @param attrs    collection of ldap attributes containing parent-child relationships in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be added.
-     */
-    protected void loadRelationshipAttrs( List<Relationship> list, LDAPAttributeSet attrs, String attrName )
-    {
-        if ( list != null )
-        {
-            LDAPAttribute attr = null;
-            for ( Relationship rel : list )
-            {
-                // This LDAP attr is stored as a name-value pair separated by a ':'.
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( attrName, rel.getChild() + GlobalIds.PROP_SEP + rel.getParent() );
-                }
-                else
-                {
-                    attr.addValue( rel.getChild() + GlobalIds.PROP_SEP + rel.getParent() );
-                }
-            }
-            if ( attr != null )
-            {
-                attrs.add( attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given an ldap attribute name and a set of attribute values, construct an ldap attribute set to be added to directory.
-     *
-     * @param values   set of type string containing attribute values to load into attribute set.
-     * @param attrs    contains ldap attribute set targeted for adding.
-     * @param attrName name of ldap attribute being added.
-     */
-    protected void loadAttrs( Set<String> values, LDAPAttributeSet attrs, String attrName )
-    {
-        if ( values != null && values.size() > 0 )
-        {
-            LDAPAttribute attr = null;
-            for ( String value : values )
-            {
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( attrName, value );
-                }
-                else
-                {
-                    attr.addValue( value );
-                }
-            }
-            if ( attr != null )
-            {
-                attrs.add( attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given a multi-occurring ldap attribute name and a list of attribute values, construct an ldap modification set to be updated in directory.
-     * This function will replace all existing attributes with new values.
-     *
-     * @param list     list of type string containing attribute values to load into modification set.
-     * @param mods     contains ldap modification set targeted for updating.
-     * @param attrName name of ldap attribute being modified.
-     */
-    protected void loadAttrs( List<String> list, LDAPModificationSet mods, String attrName )
-    {
-        loadAttrs( list, mods, attrName, true );
-    }
-
-    /**
-     * Given a multi-occurring ldap attribute name and a list of attribute values, construct an ldap modification set to be updated in directory.
-     *
-     * @param list     list of type string containing attribute values to load into modification set.
-     * @param mods     contains ldap modification set targeted for updating.
-     * @param attrName name of ldap attribute being modified.
-     * @param replace boolean value if true will replace existing attributes with new..
-     */
-    protected void loadAttrs( List<String> list, LDAPModificationSet mods, String attrName, boolean replace )
-    {
-        if ( list != null && list.size() > 0 )
-        {
-            LDAPAttribute attr = new LDAPAttribute( attrName );
-            if(replace)
-            {
-                mods.add( LDAPModification.REPLACE, attr );
-            }
-
-            for ( String val : list )
-            {
-                attr = new LDAPAttribute( attrName, val );
-                mods.add( LDAPModification.ADD, attr );
-            }
-        }
-    }
-
-    /**
-     * Given a collection of {@link org.apache.directory.fortress.core.rbac.Relationship}s, convert to raw data name-value format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param list     contains List of type {@link org.apache.directory.fortress.core.rbac.Relationship} targeted for updating in ldap.
-     * @param mods     ldap modification set containing parent-child relationships in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be updated.
-     * @param op       specifies type of mod: {@link Hier.Op#ADD}, {@link org.apache.directory.fortress.core.rbac.Hier.Op#MOD}, {@link Hier.Op#REM}
-     */
-    protected void loadRelationshipAttrs( List<Relationship> list, LDAPModificationSet mods, String attrName, Hier.Op op )
-    {
-        if ( list != null )
-        {
-            LDAPAttribute attr;
-            for ( Relationship rel : list )
-            {
-                // This LDAP attr is stored as a name-value pair separated by a ':'.
-                attr = new LDAPAttribute( attrName, rel.getChild() + GlobalIds.PROP_SEP + rel.getParent() );
-                switch ( op )
-                {
-                    case ADD:
-                        mods.add( LDAPModification.ADD, attr );
-                        break;
-                    case MOD:
-                        mods.add( LDAPModification.REPLACE, attr );
-                        break;
-                    case REM:
-                        mods.add( LDAPModification.DELETE, attr );
-                        break;
-                }
-            }
-        }
-    }
-
-
-    /**
-     * Given an ldap attribute name and a set of attribute values, construct an ldap modification set to be updated in directory.
-     *
-     * @param values   set of type string containing attribute values to load into modification set.
-     * @param mods     contains ldap modification set targeted for updating.
-     * @param attrName name of ldap attribute being updated.
-     */
-    protected void loadAttrs( Set<String> values, LDAPModificationSet mods, String attrName )
-    {
-        if ( values != null && values.size() > 0 )
-        {
-            LDAPAttribute attr = new LDAPAttribute( attrName );
-            mods.add( LDAPModification.REPLACE, attr );
-            for ( String value : values )
-            {
-                attr = new LDAPAttribute( attrName, value );
-                mods.add( LDAPModification.ADD, attr );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of {@link java.util.Properties}, convert to raw data name-value format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param props    contains {@link java.util.Properties} targeted for updating in ldap.
-     * @param mods     ldap modification set containing name-value pairs in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be updated.
-     * @param replace  boolean variable, if set to true use {@link LDAPModification#REPLACE} else {@link LDAPModification#ADD}.
-     */
-    protected void loadProperties( Properties props, LDAPModificationSet mods, String attrName, boolean replace )
-    {
-        loadProperties( props, mods, attrName, GlobalIds.PROP_SEP, replace );
-    }
-
-
-    /**
-     * Given a collection of {@link java.util.Properties}, convert to raw data name-value format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param props    contains {@link java.util.Properties} targeted for updating in ldap.
-     * @param mods     ldap modification set containing name-value pairs in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be updated.
-     * @param separator contains the delimiter for the property.
-     * @param replace  boolean variable, if set to true use {@link LDAPModification#REPLACE} else {@link LDAPModification#ADD}.
-     */
-    protected void loadProperties( Properties props, LDAPModificationSet mods, String attrName, char separator, boolean replace )
-    {
-        if ( props != null && props.size() > 0 )
-        {
-            LDAPAttribute prop = new LDAPAttribute( attrName );
-            if ( replace )
-                mods.add( LDAPModification.REPLACE, prop );
-
-            for ( Enumeration e = props.propertyNames(); e.hasMoreElements(); )
-            {
-                String key = ( String ) e.nextElement();
-                String val = props.getProperty( key );
-                // This LDAP attr is stored as a name-value pair separated by a ':'.
-                prop = new LDAPAttribute( attrName, key + separator + val );
-                mods.add( LDAPModification.ADD, prop );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of {@link java.util.Properties}, convert to raw data name-value format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param props    contains {@link java.util.Properties} targeted for removal from ldap.
-     * @param mods     ldap modification set containing name-value pairs in raw ldap format to be removed.
-     * @param attrName contains the name of the ldap attribute to be removed.
-     */
-    protected void removeProperties( Properties props, LDAPModificationSet mods, String attrName )
-    {
-        if ( props != null && props.size() > 0 )
-        {
-            LDAPAttribute prop;
-            for ( Enumeration e = props.propertyNames(); e.hasMoreElements(); )
-            {
-                String key = ( String ) e.nextElement();
-                String val = props.getProperty( key );
-                // This LDAP attr is stored as a name-value pair separated by a ':'.
-                prop = new LDAPAttribute( attrName, key + GlobalIds.PROP_SEP + val );
-                mods.add( LDAPModification.DELETE, prop );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of {@link java.util.Properties}, convert to raw data name-value format and load into ldap modification set in preparation for ldap add.
-     *
-     * @param props    contains {@link java.util.Properties} targeted for adding to ldap.
-     * @param attrs    ldap attribute set containing name-value pairs in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be added.
-     */
-    protected void loadProperties( Properties props, LDAPAttributeSet attrs, String attrName )
-    {
-        loadProperties( props, attrs, attrName, ':' );
-    }
-
-
-    /**
-     * Given a collection of {@link java.util.Properties}, convert to raw data name-value format and load into ldap modification set in preparation for ldap add.
-     *
-     * @param props    contains {@link java.util.Properties} targeted for adding to ldap.
-     * @param attrs    ldap attribute set containing name-value pairs in raw ldap format.
-     * @param attrName contains the name of the ldap attribute to be added.
-     */
-    protected void loadProperties( Properties props, LDAPAttributeSet attrs, String attrName, char separator )
-    {
-        if ( props != null && props.size() > 0 )
-        {
-            LDAPAttribute attr = null;
-            for ( Enumeration e = props.propertyNames(); e.hasMoreElements(); )
-            {
-                // This LDAP attr is stored as a name-value pair separated by a ':'.
-                String key = ( String ) e.nextElement();
-                String val = props.getProperty( key );
-                String prop = key + separator + val;
-                if ( attr == null )
-                {
-                    attr = new LDAPAttribute( attrName, prop );
-                }
-                else
-                {
-                    attr.addValue( prop );
-                }
-            }
-            if ( attr != null )
-            {
-                attrs.add( attr );
-            }
-        }
-    }
-
-
-    /**
-     * @param value
-     * @param validLen
-     * @return String containing encoded data.
-     * @throws LDAPException
-     */
-    protected String encodeSafeText( String value, int validLen )
-        throws LDAPException
-    {
-        if ( VUtil.isNotNullOrEmpty( value ) )
-        {
-            int length = value.length();
-            if ( length > validLen )
-            {
-                String error = "encodeSafeText value [" + value + "] invalid length [" + length + "]";
-                throw new LDAPException( error, LDAPException.PARAM_ERROR );
-            }
-            if ( GlobalIds.LDAP_FILTER_SIZE_FOUND )
-            {
-                value = VUtil.escapeLDAPSearchFilter( value );
-            }
-        }
-        return value;
-    }
-
-
-    /**
-     * Calls the PoolMgr to perform an LDAP bind for a user/password combination.  This function is valid
-     * if and only if the user entity is a member of the USERS data set.  The LDAP directory
-     * will return the OpenLDAP PW Policy control.
-     *
-     * @param ld       connection to ldap server.
-     * @param userId   contains the LDAP dn to the user entry.
-     * @param password contains the password in clear text.
-     * @return boolean value - true if bind successful, false otherwise.
-     * @throws LDAPException in the event of LDAP error.
-     */
-    protected boolean bind( LDAPConnection ld, String userId, char[] password )
-        throws LDAPException
-    {
-        counters.incrementBind();
-        return PoolMgr.bind( ld, userId, password );
-    }
-
-
-    /**
-     * Calls the PoolMgr to close the Admin LDAP connection.
-     *
-     * @param ld handle to ldap connection object.
-     */
-    protected void closeAdminConnection( LDAPConnection ld )
-    {
-        PoolMgr.closeConnection( ld, PoolMgr.ConnType.ADMIN );
-    }
-
-
-    /**
-     * Calls the PoolMgr to close the User LDAP connection.
-     *
-     * @param ld handle to ldap connection object.
-     */
-    protected void closeUserConnection( LDAPConnection ld )
-    {
-        PoolMgr.closeConnection( ld, PoolMgr.ConnType.USER );
-    }
-
-
-    /**
-     * Calls the PoolMgr to close the Log LDAP connection.
-     *
-     * @param ld handle to ldap connection object.
-     */
-    protected void closeLogConnection( LDAPConnection ld )
-    {
-        PoolMgr.closeConnection( ld, PoolMgr.ConnType.LOG );
-    }
-
-
-    /**
-     * Calls the PoolMgr to get a User connection to the LDAP server.
-     *
-     * @return ldap connection.
-     * @throws LDAPException
-     */
-    protected LDAPConnection getUserConnection() throws LDAPException
-    {
-        return PoolMgr.getConnection( PoolMgr.ConnType.USER );
-    }
-
-
-    /**
-     * Calls the PoolMgr to get an Admin connection to the LDAP server.
-     *
-     * @return ldap connection.
-     * @throws LDAPException
-     */
-    protected LDAPConnection getAdminConnection() throws LDAPException
-    {
-        return PoolMgr.getConnection( PoolMgr.ConnType.ADMIN );
-    }
-
-
-    /**
-     * Calls the PoolMgr to get a Log connection to the LDAP server.
-     *
-     * @return ldap connection.
-     * @throws LDAPException
-     */
-    protected LDAPConnection getLogConnection() throws LDAPException
-    {
-        return PoolMgr.getConnection( PoolMgr.ConnType.LOG );
-    }
-
-
-    /**
-     * Return to call reference to dao counter object with running totals for ldap operations add, mod, delete, search, etc.
-     *
-     * @return {@link LdapCounters} contains long values of atomic ldap operations for current running process.
-     */
-    public static LdapCounters getLdapCounters()
-    {
-        return counters;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/openldap/OLPWControlImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/openldap/OLPWControlImpl.java b/src/main/java/org/apache/directory/fortress/core/ldap/openldap/OLPWControlImpl.java
deleted file mode 100755
index 853d906..0000000
--- a/src/main/java/org/apache/directory/fortress/core/ldap/openldap/OLPWControlImpl.java
+++ /dev/null
@@ -1,417 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.ldap.openldap;
-
-
-import java.util.Arrays;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.rbac.GlobalPwMsgIds;
-import org.apache.directory.fortress.core.rbac.PwMessage;
-import org.apache.directory.fortress.core.rbac.PwPolicyControl;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPControl;
-import org.apache.directory.fortress.core.rbac.Warning;
-
-
-/**
- * This class reads the OpenLDAP password policy control and translates into data entity for Fortress.  In order for these checks
- * to be successful the OpenLDAP server must have enabled the pw policy overlay.  Read the OpenLDAP man pages for how this overlay works.
- * <p/>
-
- *
- * @author Shawn McKinney
- */
-public class OLPWControlImpl implements PwPolicyControl
-{
-    private static final String CLS_NM = OLPWControlImpl.class.getName();
-    private final static Logger LOG = LoggerFactory.getLogger( CLS_NM );
-
-
-    /**
-     * Reads the OpenLDAP password policy control and sets the PwMessage with what it finds.
-     *
-     * <p/>This function will use the password policy control that is contained within the ldap connection object.
-     * Ber encoding:
-     * <ul>
-     * <li>  ------------------------------------------
-     * <li>  PasswordPolicyResponseValue ::= SEQUENCE {
-     * <li>  warning [0] CHOICE {
-     * <li>  timeBeforeExpiration [0] INTEGER (0 .. maxInt),
-     * <li>  graceLoginsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL
-     * <li>  error [1] ENUMERATED {
-     * <li>  passwordExpired        (0),
-     * <li>  accountLocked          (1),
-     * <li>  changeAfterReset       (2),
-     * <li>  passwordModNotAllowed  (3),
-     * <li>  mustSupplyOldPassword  (4),
-     * <li>  invalidPasswordSyntax  (5),
-     * <li>  passwordTooShort       (6),
-     * <li>  passwordTooYoung       (7),
-     * <li>  passwordInHistory      (8) } OPTIONAL }
-     * <li>  ---
-     * <li>  Old Encoding Scheme:
-     * <li>  PPOLICY_WARNING    0xa0
-     * <li>  PPOLICY_ERROR      0xa1
-     * <li>  PPOLICY_EXPIRE     0xa0
-     * <li>  PPOLICY_GRACE      0xa1
-     * <li>  New Encoding Scheme:
-     * <li>  PPOLICY_WARNING 0xa0
-     * <li>  PPOLICY_ERROR 0x81
-     * <li>  PPOLICY_EXPIRE 0x80
-     * <li>  PPOLICY_GRACE  0x81
-     * </ul>
-     *
-     * @param controls ldap controls object.
-     * @param isAuthenticated set to 'true' if password checks pass.
-     * @param pwMsg describes the outcome of the policy checks.
-     */
-    @Override
-    public void checkPasswordPolicy( LDAPControl[] controls, boolean isAuthenticated, PwMessage pwMsg )
-    {
-        String methodName = "checkPasswordPolicy";
-        pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
-        //pwMsg.setWarningId( GlobalPwMsgIds.PP_NOWARNING );
-        pwMsg.setAuthenticated( isAuthenticated );
-
-        if ( controls == null )
-        {
-            pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NO_CONTROLS_FOUND, "PW CONTROLS NOT FOUND", Warning.Type.PASSWORD ) );
-        }
-        else if ( controls.length >= 1 )
-        {
-            for ( int i = 0; i < controls.length; i++ )
-            {
-                if ( LOG.isDebugEnabled() )
-                {
-                    LOG.debug( "{} controls[{}]={}", methodName, i, controls[i] );
-                }
-
-                LDAPControl con = controls[i];
-                String id = con.getID();
-
-                if ( id.compareTo( GlobalIds.OPENLDAP_PW_RESPONSE_CONTROL ) == 0 )
-                {
-                    byte[] rB = con.getValue();
-
-                    if ( LOG.isDebugEnabled() )
-                    {
-                        LOG.debug( "{} control value length={}", methodName, rB.length );
-
-                        String bytes = "";
-
-                        for ( byte aRB : rB )
-                        {
-                            bytes = bytes + printRawData( aRB );
-                        }
-
-                        LOG.debug( "{} printRawData numbytes: {}", methodName, bytes );
-                    }
-
-                    if ( rB == null || rB[1] == 0 )
-                    {
-                        LOG.debug( methodName + " no password policy for user" );
-                        pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_PW_POLICY_ENABLED, "NO PW POLICY ENABLED FOR USER", Warning.Type.PASSWORD ) );
-                    }
-
-                    if ( LOG.isDebugEnabled() )
-                    {
-                        LOG.debug( "{} byte[]={}", methodName, Arrays.toString( rB ) );
-                        LOG.debug( "control.toString()={}", con.toString() );
-                    }
-
-                    int indx = 0;
-                    int lBerObjType = getInt( rB[indx++] );
-
-                    if ( LOG.isDebugEnabled() )
-                    {
-                        LOG.debug( "{} BER encoded object type={}", methodName, lBerObjType );
-                    }
-
-                    int msgLen = getInt( rB[indx++] );
-
-                    while ( indx < msgLen )
-                    {
-                        switch ( rB[indx++] )
-                        {
-                            case ( byte ) 0xa0:
-                                // BER Encoded byte array:
-                                //client: 00110000 00000101 10100000
-                                //  			     		^
-                                //		PPOLICY_WARNING  0xa0
-                                int policyWarnLen = getInt( rB[indx++] );
-
-                                switch ( rB[indx++] )
-                                {
-                                    case ( byte ) 0xa0:
-                                    case ( byte ) 0x80:
-                                        //pwMsg.setWarningId( GlobalPwMsgIds.PASSWORD_EXPIRATION_WARNING );
-                                        pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.PASSWORD_EXPIRATION_WARNING, "PASSWORD HAS EXPIRED", Warning.Type.PASSWORD ) );
-                                        // BER Encoded byte array:
-                                        // client: 00110000 00000110 10100000 00000100 10100000 00000010 00000010 00100100
-                                        //							 ^                  ^                   ^
-                                        //       PPOLICY_WARNING  0xa0 PPOLICY_EXPIRE 0xa0       EXP int==(decimal 548) 1000100100
-                                        int expLength = getInt( rB[indx++] );
-                                        int expire = getInt( rB[indx++] );
-
-                                        for ( int k = 1; k < expLength; k++ )
-                                        {
-                                            expire = expire << 8;
-                                            int next = getInt( rB[indx++] );
-                                            expire = expire | next;
-                                        }
-
-                                        pwMsg.setExpirationSeconds( expire );
-
-                                        if ( LOG.isDebugEnabled() )
-                                        {
-                                            LOG.debug( "{} User:{}, password expires in: {} seconds.", methodName, pwMsg.getUserId(), expire );
-                                        }
-
-                                        break;
-
-                                    case ( byte ) 0xa1:
-                                    case ( byte ) 0x81:
-                                        pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.PASSWORD_GRACE_WARNING, "PASSWORD IN GRACE", Warning.Type.PASSWORD ) );
-                                        // BER Encoded byte array:
-                                        //client: 00110000 00000101 10100000 00000011 10100001 00000001 01100100
-                                        //  			     		^                 ^                 ^
-                                        //			PPOLICY_WARNING  0xa0   PPOLICY_GRACE 0xa1       grace integer value
-                                        int graceLen = getInt( rB[indx++] );
-                                        int grace = getInt( rB[indx++] );
-
-                                        for ( int k = 1; k < graceLen; k++ )
-                                        {
-                                            grace = grace << 8;
-                                            int next = getInt( rB[indx++] );
-                                            grace = grace | next;
-                                        }
-
-                                        pwMsg.setGraceLogins( grace );
-
-                                        if ( LOG.isDebugEnabled() )
-                                        {
-                                            LOG.debug( "{} UserId:{}, # logins left={}", methodName, pwMsg.getUserId() + grace );
-                                        }
-
-                                        break;
-
-                                    default:
-                                        pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.INVALID_PASSWORD_MESSAGE, "INVALID PASSWORD", Warning.Type.PASSWORD ) );
-
-                                        if ( LOG.isDebugEnabled() )
-                                        {
-                                            LOG.debug( "{} UserId:{}, Invalid PPOlicy Type", methodName, pwMsg.getUserId() );
-                                        }
-
-                                        break;
-                                }
-
-                                break;
-
-                            case ( byte ) 0xa1:
-                            case ( byte ) 0x81:
-                                // BER Encoded byte array:
-                                //client: 00110000 00001011 10100000 00000110 10100000 00000100 00000001 11100001 00110011 01111101 10100001 00000001 00000010
-                                //							 ^                  ^                 ^                                   ^                     ^
-                                //		   PPOLICY_WARNING  0xa0 PPOLICY_EXPIRE 0xa0      expire int==(decimal 100)     PPOLICY_ERR 0xa1             ERR #==2
-                                int errLen = getInt( rB[indx++] );
-                                int err = getInt( rB[indx++] );
-
-                                if ( LOG.isDebugEnabled() )
-                                {
-                                    LOG.debug( "{} UserId:{}, PPOLICY_ERROR={}", methodName, pwMsg.getUserId(), err);
-                                }
-
-                                switch ( err )
-                                {
-                                    case 0:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.PASSWORD_HAS_EXPIRED );
-                                        break;
-
-                                    case 1:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.ACCOUNT_LOCKED );
-                                        break;
-
-                                    case 2:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.CHANGE_AFTER_RESET );
-                                        break;
-
-                                    case 3:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.NO_MODIFICATIONS );
-                                        break;
-
-                                    case 4:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.MUST_SUPPLY_OLD );
-                                        break;
-
-                                    case 5:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.INSUFFICIENT_QUALITY );
-                                        break;
-
-                                    case 6:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.PASSWORD_TOO_SHORT );
-                                        break;
-
-                                    case 7:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.PASSWORD_TOO_YOUNG );
-                                        break;
-
-                                    case 8:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.HISTORY_VIOLATION );
-                                        break;
-
-                                    case 65535:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
-                                        break;
-
-                                    default:
-                                        pwMsg.setErrorId( GlobalPwMsgIds.INVALID_PASSWORD_MESSAGE );
-                                        break;
-                                }
-
-                                break;
-
-                            default:
-                                pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.INVALID_PASSWORD_MESSAGE, "INVALID POLICY MESSAGE TYPE", Warning.Type.PASSWORD ) );
-
-                                if ( LOG.isDebugEnabled() )
-                                {
-                                    LOG.debug( "{} userId:{}, Invalid PPOlicy Message Type", methodName, pwMsg.getUserId());
-                                }
-
-                                break;
-                        }
-                    }
-                }
-                else
-                {
-                    pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.INVALID_PASSWORD_MESSAGE, "CANNOT PROCESS OPENLDAP POLICY CONTROL", Warning.Type.PASSWORD ) );
-
-                    if ( LOG.isDebugEnabled() )
-                    {
-                        LOG.debug( "{} UserId:{},  Can't process LDAP control.", methodName, pwMsg.getUserId() );
-                    }
-                }
-            }
-        }
-    }
-
-
-    /**
-     * @param bte
-     * @return int
-     */
-    private static int getInt( byte bte )
-    {
-        return bte & 0xff;
-    }
-
-
-    /**
-     * Description of the Method
-     *
-     * @param ch Description of the Parameter
-     * @return Description of the Return Value
-     */
-    private static String printRawData( byte ch )
-    {
-        int B0 = 0x01;
-        int B1 = 0x02;
-        int B2 = 0x04;
-        int B3 = 0x08;
-        int B4 = 0x10;
-        int B5 = 0x20;
-        int B6 = 0x40;
-        int B7 = 0x80;
-
-        String byteString;
-        if ( ( ch & B7 ) != 0 )
-        {
-            byteString = "1";
-        }
-        else
-        {
-            byteString = "0";
-        }
-        if ( ( ch & B6 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B5 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B4 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B3 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B2 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B1 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        if ( ( ch & B0 ) != 0 )
-        {
-            byteString += "1";
-        }
-        else
-        {
-            byteString += "0";
-        }
-        byteString += " ";
-        return byteString;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/package.html
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/package.html b/src/main/java/org/apache/directory/fortress/core/ldap/package.html
index cffad11..176793a 100755
--- a/src/main/java/org/apache/directory/fortress/core/ldap/package.html
+++ b/src/main/java/org/apache/directory/fortress/core/ldap/package.html
@@ -23,7 +23,7 @@
    </head>
    <body>
       <p>
-         This package uses <a href="http://www.unboundid.com/products/ldap-sdk/">UnboundID LDAP SDK for Java</a> to provide ldap data access along with a custom, hybrid connection pooling mechanism to maintain connections with the ldap server.
+         This package uses <a href="http://directory.apache.org/api/">Apache Directory LDAP APIâ„¢</a> to provide ldap data access.
       </p>
       <p>
          The <b>org.apache.directory.fortress.ldap</b> package provides ldap system functionality for the fortress DAO classes.  The apis contained within this package are for fortress use only.

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/overview.html
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/overview.html b/src/main/java/org/apache/directory/fortress/core/overview.html
index 49ccc8f..c5a0ca0 100755
--- a/src/main/java/org/apache/directory/fortress/core/overview.html
+++ b/src/main/java/org/apache/directory/fortress/core/overview.html
@@ -55,7 +55,6 @@
           <ol>
           <li><a href="http://www.openldap.org/project/">The OpenLDAP Project</a></li>
           <li><a href="http://www.apache.org/">The Apache Software Foundation</a></li>
-          <li><a href="http://www.unboundid.com/">UnboundID</a></li>
           <li><a href="http://www.eigenbase.org/">The Eigenbase Project</a></li>
           <li><a href="http://ehcache.org/">Ehcache</a></li>
           </ol>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AccelMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AccelMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/rbac/AccelMgrImpl.java
index f9e017c..d6c2b85 100644
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AccelMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AccelMgrImpl.java
@@ -25,7 +25,6 @@ import java.util.List;
 import org.apache.directory.fortress.core.AccelMgr;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.dao.AcceleratorDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 
 
@@ -70,7 +69,7 @@ import org.apache.directory.fortress.core.util.attr.VUtil;
 public class AccelMgrImpl extends Manageable implements AccelMgr
 {
     private static final String CLS_NM = AccessMgrImpl.class.getName();
-    private static final AcceleratorDAO aDao = new org.apache.directory.fortress.core.rbac.dao.apache.AcceleratorDAO();
+    private static final AcceleratorDAO aDao = new org.apache.directory.fortress.core.rbac.AcceleratorDAO();
 
 
     /**
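Review bot: The new `aDao` initializer spells out `org.apache.directory.fortress.core.rbac.AcceleratorDAO` even though AccelMgrImpl itself sits in `org.apache.directory.fortress.core.rbac` (per the file path), so the qualifier is redundant now that the `rbac.dao` import was dropped in the hunk above; `private static final AcceleratorDAO aDao = new AcceleratorDAO();` is the idiomatic form and stops implying a name clash that no longer exists. Since the DAO is now a package-private class rather than an interface, a one-line comment on the field such as `// package-private LDAP DAO; single shared instance for this manager` would tell the next reader why a class-level singleton is used here — whether the DAO holds per-call state is not visible in this hunk, so confirm before documenting it as shared. Adjacent and pre-existing rather than introduced by this commit: the context line `CLS_NM = AccessMgrImpl.class.getName()` names a different class than the enclosing AccelMgrImpl, which will mislabel log output from this manager; `AccelMgrImpl.class.getName()` is presumably intended. The class body continues outside the hunk.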


[10/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/AcceleratorDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AcceleratorDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/AcceleratorDAO.java
deleted file mode 100644
index ecf529e..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AcceleratorDAO.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.Permission;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.rbac.UserRole;
-
-import java.util.List;
-
-
-public interface AcceleratorDAO
-{
-    public Session createSession( User user ) throws SecurityException;
-    public void deleteSession( Session session ) throws SecurityException;
-    public List<UserRole> sessionRoles( Session session ) throws SecurityException;
-    public boolean checkAccess( Session session, Permission perm ) throws SecurityException;
-    public void dropActiveRole( Session session, UserRole userRole ) throws SecurityException;
-    public void addActiveRole( Session session, UserRole userRole ) throws SecurityException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/AdminRoleDAO.java
deleted file mode 100644
index b332924..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AdminRoleDAO.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.AdminRoleP;
-import org.apache.directory.fortress.core.rbac.Graphable;
-
-
-/**
- * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link AdminRole}.
- * <p/>
- * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
- * <li> <code>NAME 'ftPools'</code>
- * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public interface AdminRoleDAO
-{
-    /**
-     * Create a new AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
-     */
-    AdminRole create( AdminRole entity ) throws CreateException;
-
-
-    /**
-     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole update( AdminRole entity ) throws UpdateException;
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    void deleteParent( AdminRole entity ) throws UpdateException;
-
-
-    /**
-     * This method will add the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being assigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole assign( AdminRole entity, String userDn ) throws UpdateException;
-
-
-    /**
-     * This method will remove the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being deassigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole deassign( AdminRole entity, String userDn ) throws UpdateException;
-
-
-    /**
-     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
-     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param role record contains {@link AdminRole#name}.
-     * @throws RemoveException in the event LDAP errors occur.
-     */
-    void remove( AdminRole role ) throws RemoveException;
-
-
-    /**
-     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
-     *
-     * @param adminRole maps to {@link AdminRole#name}.
-     * @return AdminRole back to client.
-     * @throws FinderException in the event LDAP errors occur.
-     */
-    AdminRole getRole( AdminRole adminRole ) throws FinderException;
-
-
-    /**
-     * @param adminRole
-     * @return
-     * @throws FinderException
-     *
-     */
-    List<AdminRole> findRoles( AdminRole adminRole ) throws FinderException;
-
-
-    /**
-     * @param adminRole
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    List<String> findRoles( AdminRole adminRole, int limit ) throws FinderException;
-
-
-    /**
-     * @param userDn
-     * @return
-     * @throws FinderException
-     */
-    List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException;
-
-
-    /**
-      *
-      * @param contextId
-      * @return
-      * @throws FinderException
-      */
-    List<Graphable> getAllDescendants( String contextId ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
deleted file mode 100644
index 2b4ab29..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/AuditDAO.java
+++ /dev/null
@@ -1,193 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.rbac.AuthZ;
-import org.apache.directory.fortress.core.rbac.Bind;
-import org.apache.directory.fortress.core.rbac.Mod;
-import org.apache.directory.fortress.core.rbac.UserAudit;
-
-
-/**
- * This class performs data access for OpenLDAP synch repl log data
- * <p/>
- * <h3>1. Binds</h3>
- * <p/>
- * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
- * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
- * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
- * <code># which contains the Bind Method used in the Bind. This will be the string</code>
- * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
- * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
- * <code># the current database will be logged:</code>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
- * <li> <code>DESC 'Bind operation'</code>
- * <li> <code>SUP auditObject STRUCTURAL</code>
- * <li> <code>MUST ( reqVersion $ reqMethod ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <h3>2. Authorizations</h3>
- * <code>For  the  Search class the reqScope attribute contains the scope of the</code><br />
- * <code>original search request, using the values specified for  the  LDAP  URL</code><br />
- * <code>format. I.e.  base, one, sub, or subord.  The reqDerefAliases attribute</code><br />
- * <code>is one of never, finding, searching, or always,  denoting  how  aliases</code><br />
- * <code>will  be  processed during the search.  The reqAttrsOnly attribute is a</code><br />
- * <code>Boolean value showing TRUE if only attribute names were  requested,  or</code><br />
- * <code>FALSE  if  attributes  and  their values were requested.  The reqFilter</code><br />
- * <code>attribute carries the filter used in the search request.   The  reqAttr</code><br />
- * <code>attribute  lists  the  requested attributes if specific attributes were</code><br />
- * <code>requested.  The reqEntries attribute is the integer count of  how  many</code><br />
- * <code>entries  were  returned  by  this search request.  The reqSizeLimit and</code><br />
- * <code>reqTimeLimit attributes indicate what  limits  were  requested  on  the</code><br />
- * <code>search operation.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass  (  1.3.6.1.4.1.4203.666.11.5.2.11</code>
- * <li> <code>NAME 'auditSearch'</code>
- * <li> <code>DESC 'Search operation'</code>
- * <li> <code>SUP auditReadObject STRUCTURAL</code>
- * <li> <code>MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )</code>
- * <li> <code>MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $</code>
- * <li> <code>reqTimeLimit ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * <p/>
- * <h3>3. Modifications</h3>
- * The auditModify Structural object class is used to store Fortress update and delete events that can later be queried via ldap API.<br />
- * The deletions can be recorded in this manner and associated with Fortress context because deletions will perform a modification first
- * if audit is enabled.
- * <p/>
- * <code>The Modify operation contains a description  of  modifications  in  the</code><br />
- * <code>reqMod  attribute,  which  was  already  described  above  in  the  Add</code><br />
- * <code>operation. It may optionally  contain  the  previous  contents  of  any</code><br />
- * <code>modified  attributes  in the reqOld attribute, using the same format as</code><br />
- * <code>described above for the Delete operation.  The reqOld attribute is only</code><br />
- * <code>populated  if  the  entry  being modified matches the configured logold</code><br />
- * <code>filter.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.9</code>
- * <li> <code>NAME 'auditModify'</code>
- * <li> <code>DESC 'Modify operation'</code>
- * <li> <code>SUP auditWriteObject STRUCTURAL</code>
- * <li> <code>MAY reqOld MUST reqMod )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * Note this class used descriptions pulled from man pages on slapd access log.
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public interface AuditDAO
-{
-    /**
-     * This method returns failed authentications where the userid is not present in the directory.  This
-     * is possible because Fortress performs read on user before the bind.
-     * User:
-     * dn: reqStart=20101014235402.000000Z, cn=log
-     * reqStart: 20101014235402.000000Z
-     * reqEnd: 20101014235402.000001Z
-     * reqAuthzID: cn=Manager,dc=jts,dc=com
-     * reqDerefAliases: never
-     * reqSession: 84
-     * reqAttrsOnly: FALSE
-     * reqSizeLimit: -1
-     * objectClass: auditSearch
-     * reqResult: 32
-     * reqAttr: ftId
-     * reqAttr: uid
-     * reqAttr: userpassword
-     * reqAttr: description
-     * reqAttr: ou
-     * reqAttr: cn
-     * reqAttr: sn
-     * reqAttr: ftRoleCstr
-     * reqAttr: ftCstr
-     * reqAttr: ftRoleAsgn
-     * reqAttr: pwdReset
-     * reqAttr: pwdAccountLockedTime
-     * reqAttr: ftProps
-     * reqEntries: 0
-     * reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
-     * reqType: search
-     * reqDN: uid=foo,ou=People,dc=jts,dc=com        /cal/cal2.jsp
-     * reqTimeLimit: -1
-     * reqScope: base
-     *
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<AuthZ> searchInvalidAuthNs( UserAudit audit ) throws FinderException;
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<AuthZ> searchAuthZs( UserAudit audit ) throws FinderException;
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<AuthZ> getAllAuthZs( UserAudit audit ) throws FinderException;
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Bind> searchBinds( UserAudit audit ) throws FinderException;
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Mod> searchUserMods( UserAudit audit ) throws FinderException;
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws FinderException
-     */
-    List<Mod> searchAdminMods( UserAudit audit ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
deleted file mode 100644
index cb98431..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DAOType.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-public enum DAOType
-{
-    APACHE_LDAP_API,
-    UNBOUNDID_API;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
deleted file mode 100644
index 7f9f535..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/DaoFactory.java
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.cfg.Config;
-
-
-/**
- * A factory that creates DAO for either the UnboundID or the Apache Ldap API lib
- * @author elecharny
- */
-public class DaoFactory
-{
-
-    /**
-     * Create an instance of a AdminRoleDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static AdminRoleDAO createAdminRoleDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.AdminRoleDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.AdminRoleDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a AuditDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static AuditDAO createAuditDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.AuditDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a OrgUnitDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static OrgUnitDAO createOrgUnitDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.OrgUnitDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.OrgUnitDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a PermDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static PermDAO createPermDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.PermDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.PermDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a PolicyDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static PolicyDAO createPolicyDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.PolicyDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.PolicyDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a RoleDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static RoleDAO createRoleDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.RoleDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.RoleDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a SdDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static SdDAO createSdDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.SdDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.SdDAO();
-
-            default:
-                return null;
-        }
-    }
-
-
-    /**
-     * Create an instance of a UserDAO which depends of the used Backend
-     * 
-     * @return The created instance
-     */
-    public static UserDAO createUserDAO()
-    {
-        String daoConnector = Config.getProperty( GlobalIds.DAO_CONNECTOR );
-
-        DAOType daoType = DAOType.UNBOUNDID_API;
-
-        if ( ( daoConnector != null ) && ( daoConnector.equalsIgnoreCase( GlobalIds.APACHE_LDAP_API ) ) )
-        {
-            daoType = DAOType.APACHE_LDAP_API;
-        }
-
-        switch ( daoType )
-        {
-            case UNBOUNDID_API:
-                return new org.apache.directory.fortress.core.rbac.dao.unboundid.UserDAO();
-
-            case APACHE_LDAP_API:
-                return new org.apache.directory.fortress.core.rbac.dao.apache.UserDAO();
-
-            default:
-                return null;
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
deleted file mode 100644
index d7dba4d..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/OrgUnitDAO.java
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-
-
-/**
- * This class provides dataaccess to the OrgUnit datasets in LDAP.
- * <p/>
- * The OrgUnitDAO maintains the following structural and aux object classes:
- * <h4>1. organizationalUnit Structural Object Class is used to store basic attributes like ou and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.5 NAME 'organizationalUnit'</code>
- * <li> <code>DESC 'RFC2256: an organizational unit'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST ou</code>
- * <li> <code>MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $</code>
- * <li> <code>x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $</code>
- * <li> <code>facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $</code>
- * <li> <code>postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftOrgUnit Structural objectclass is used to store the OrgUnit internal id</h4>
- * <ul>                                                              org.apache.directory.fortress.arbac.
- * <li>  ------------------------------------------
- * <li> <code> objectclass  ( 1.3.6.1.4.1.38088.2.6</code>
- * <li> <code>NAME 'ftOrgUnit'</code>
- * <li> <code>DESC 'Fortress OrgUnit Class'</code>
- * <li> <code>SUP organizationalunit</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Emmanuel Lecharny
- */
-public interface OrgUnitDAO
-{
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    OrgUnit create( OrgUnit entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    OrgUnit update( OrgUnit entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    void deleteParent( OrgUnit entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    OrgUnit remove( OrgUnit entity ) throws RemoveException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws FinderException
-     *
-     */
-    OrgUnit findByKey( OrgUnit entity ) throws FinderException;
-
-
-    /**
-     * @param orgUnit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<OrgUnit> findOrgs( OrgUnit orgUnit ) throws FinderException;
-
-
-    /**
-     *
-     * @param orgUnit
-     * @return
-     * @throws FinderException
-     */
-    Set<String> getOrgs( OrgUnit orgUnit ) throws FinderException;
-
-
-    /**
-      *
-      * @param orgUnit
-      * @return
-      * @throws FinderException
-      */
-    List<Graphable> getAllDescendants( OrgUnit orgUnit ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
deleted file mode 100644
index d526e8c..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PermDAO.java
+++ /dev/null
@@ -1,317 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PermObj;
-import org.apache.directory.fortress.core.rbac.Permission;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-
-
-/**
- * Permission data access class for LDAP.
- * <p/>
- * This DAO class maintains the PermObj and Permission entities.
- * <h3>The Fortress PermObj Entity Class is a composite of 3 LDAP Schema object classes</h2>
- * <h4>PermObj Base - ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.2</code>
- * <li> <code>NAME 'ftObject'</code>
- * <li> <code>DESC 'Fortress Permission Object Class'</code>
- * <li> <code>SUP organizationalunit</code>                                              GlobalIds
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST (</code>
- * <li> <code>ftId $ ftObjNm ) </code>
- * <li> <code>MAY ( ftType ) )  </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h3>The Fortress Permission Entity Class is composite of 3 LDAP Schema object classes</h3>
- * The Permission entity extends a single OpenLDAP standard structural object class, 'organizationalRole' with
- * one extension structural class, ftOperation,  and two auxiliary object classes, ftProperties, ftMods.
- * The following 4 LDAP object classes will be mapped into this entity:
- * <h4>Permission Base - 'ftOperation' STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked</h4>
- * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.3</code>
- * <li> <code>NAME 'ftOperation'</code>
- * <li> <code>DESC 'Fortress Permission Operation Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftPermName $</code>
- * <li> <code>ftObjNm $ ftOpNm )</code>
- * <li> <code>MAY ( ftRoles $ ftUsers $</code>
- * <li> <code> ftObjId $ ftType) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * This class is thread safe.
- * <p/>
- *
- * @author Emmanuel Lecharny
- */
-public interface PermDAO
-{
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    PermObj createObject( PermObj entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    PermObj updateObj( PermObj entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    void deleteObj( PermObj entity ) throws RemoveException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    Permission createOperation( Permission entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    Permission updateOperation( Permission entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    void deleteOperation( Permission entity ) throws RemoveException;
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    void grant( Permission pOp, Role role ) throws UpdateException;
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    void revoke( Permission pOp, Role role ) throws UpdateException, FinderException;
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    void grant( Permission pOp, User user ) throws UpdateException;
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    void revoke( Permission pOp, User user ) throws UpdateException, FinderException;
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    Permission getPerm( Permission permission ) throws FinderException;
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    PermObj getPerm( PermObj permObj ) throws FinderException;
-
-
-    /**
-     * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
-     * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
-     * record storage on ldap server but can be disabled.
-     *
-     * @param session contains {@link Session#getUserId()}, for rbac check {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
-     * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link Permission#objectId} is optional.
-     * @return boolean containing result of check.
-     * @throws org.apache.directory.fortress.core.FinderException
-     *          In the event system error occurs looking up data on ldap server.
-     */
-    boolean checkPermission( Session session, Permission inPerm ) throws FinderException;
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Permission> findPermissions( Permission permission ) throws FinderException;
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<PermObj> findPermissions( PermObj permObj ) throws FinderException;
-
-
-    /**
-     * @param ou
-     * @return
-     * @throws FinderException
-     */
-    List<PermObj> findPermissions( OrgUnit ou, boolean limitSize ) throws FinderException;
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Permission> findPermissions( Role role ) throws FinderException;
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Permission> findPermissions( User user ) throws FinderException;
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Permission> findUserPermissions( User user ) throws FinderException;
-
-
-    /**
-     * @param session
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Permission> findPermissions( Session session, boolean isAdmin ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
deleted file mode 100644
index 666406b..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/PolicyDAO.java
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.PwPolicy;
-
-
-/**
- * This DAO class maintains the OpenLDAP Password Policy entity which is a composite of the following structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code> objectclass ( 2.5.6.14 NAME 'device'</code>
- * <li> <code>DESC 'RFC2256: a device'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
- * <li> <code>NAME 'pwdPolicy'</code>
- * <li> <code>SUP top</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( pwdAttribute )</code>
- * <li> <code>MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $</code>
- * <li> <code>pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $</code>
- * <li> <code>pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $</code>
- * <li> <code>pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )</code>
- * <li> <code></code>
- * <li> <code></code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public interface PolicyDAO
-{
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    PwPolicy create( PwPolicy entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    void update( PwPolicy entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    void remove( PwPolicy entity ) throws RemoveException;
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    PwPolicy getPolicy( PwPolicy policy ) throws FinderException;
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<PwPolicy> findPolicy( PwPolicy policy ) throws FinderException;
-
-
-    /**
-     * @return
-     * @throws FinderException
-     */
-    Set<String> getPolicies( String contextId ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
deleted file mode 100644
index 2cd573d..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/RoleDAO.java
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.Role;
-
-
-/**
- * This class perform data access for Fortress Role entity.
- * <p/>
- * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Emmanuel Lecharny
- */
-public interface RoleDAO
-{
-    /**
-     * @param entity
-     * @return
-     * @throws CreateException
-     */
-    Role create( Role entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    Role update( Role entity ) throws UpdateException;
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    void deleteParent( Role entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    Role assign( Role entity, String userDn ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    Role deassign( Role entity, String userDn ) throws UpdateException;
-
-
-    /**
-     * @param role
-     * @throws RemoveException
-     */
-    void remove( Role role ) throws RemoveException;
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    Role getRole( Role role ) throws FinderException;
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<Role> findRoles( Role role ) throws FinderException;
-
-
-    /**
-     * @param role
-     * @param limit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    List<String> findRoles( Role role, int limit ) throws FinderException;
-
-
-    /**
-     *
-     * @param userDn
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException;
-
-
-    /**
-     *
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    List<Graphable> getAllDescendants( String contextId ) throws FinderException;
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
deleted file mode 100644
index 53eb10f..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/SdDAO.java
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.SDSet;
-
-
-/**
- * This class performs persistence on the RBAC Static Separation of Duties and Dynamic Separation of Duties data sets.
- * <p/>
- * The Fortress SDSet entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.8 NAME 'organizationalRole'</code>
- * <li> <code>DESC 'RFC2256: an organizational role'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $</code>
- * <li> <code>seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $</code>
- * <li> <code>postOfficeBox $ postalCode $ postalAddress $</code>
- * <li> <code>physicalDeliveryOfficeName $ ou $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. The RBAC Separation of Duties</h4>
- * <ul>
- * <li>  ---Static Separation of Duties Set-------
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.4</code>
- * <li> <code>NAME 'ftSSDSet'</code>
- * <li> <code>DESC 'Fortress Role Static Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * OR
- * <h4>Dynamic Separation of Duties Set</h4>
- * <ul>
- * <li>
- * <li> <code>objectclass   ( 1.3.6.1.4.1.38088.2.5</code>
- * <li> <code>NAME 'ftDSDSet'</code>
- * <li> <code>DESC 'Fortress Role Dynamic Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public interface SdDAO
-{
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     */
-    SDSet create( SDSet entity ) throws CreateException;
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     */
-    SDSet update( SDSet entity ) throws UpdateException;
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    SDSet remove( SDSet entity ) throws RemoveException;
-
-
-    /**
-     * @param sdSet
-     * @return
-     * @throws FinderException
-     */
-    SDSet getSD( SDSet sdSet ) throws FinderException;
-
-
-    /**
-     * Given an SSD name and type, find matching object in the directory.
-     * @param sdset requires name and type.
-     * @return List of matching SDSets.
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    List<SDSet> search( SDSet sdset ) throws FinderException;
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    List<SDSet> search( Role role, SDSet.SDType type ) throws FinderException;
-
-
-    /**
-     * @param roles
-     * @param sdSet
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    Set<SDSet> search( Set<String> roles, SDSet sdSet ) throws FinderException;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
deleted file mode 100644
index abf4960..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/UserDAO.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.rbac.UserAdminRole;
-import org.apache.directory.fortress.core.rbac.UserRole;
-
-
-/**
- * Data access class for LDAP User entity.
- * <p/>
- * <p/>
- * The Fortress User LDAP schema follows:
- * <p/>
- * <h4>1. InetOrgPerson Structural Object Class </h4>
- * <code># The inetOrgPerson represents people who are associated with an</code><br />
- * <code># organization in some way.  It is a structural class and is derived</code><br />
- * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
- * <li> <code>NAME 'inetOrgPerson'</code>
- * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
- * <li> <code>SUP organizationalPerson</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
- * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
- * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
- * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
- * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
- * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
- * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
- * <li> <code>NAME 'ftUserAttrs'</code>
- * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( ftId )</code>
- * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Emmanuel Lecharny
- */
-public interface UserDAO
-{
-    List<User> findUsers( OrgUnit ou, boolean limitSize ) throws FinderException;
-
-
-    List<User> findUsers( User user ) throws FinderException;
-
-
-    List<String> findUsers( User user, int limit ) throws FinderException;
-
-
-    String assign( UserRole uRole ) throws UpdateException, FinderException;
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    String assign( UserAdminRole uRole ) throws UpdateException, FinderException;
-
-
-    boolean changePassword( User entity, char[] newPassword ) throws SecurityException;
-
-
-    Session checkPassword( User user ) throws FinderException;
-
-
-    List<User> getAuthorizedUsers( Role role ) throws FinderException;
-
-
-    User update( User entity ) throws UpdateException;
-
-
-    void lock( User user ) throws UpdateException;
-
-
-    void unlock( User user ) throws UpdateException;
-
-
-    User create( User entity ) throws CreateException;
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    String deassign( UserAdminRole uRole ) throws UpdateException, FinderException;
-
-
-    String deassign( UserRole uRole ) throws UpdateException, FinderException;
-
-
-    void resetUserPassword( User user ) throws UpdateException;
-
-
-    User updateProps( User entity, boolean replace ) throws UpdateException;
-
-
-    String remove( User user ) throws RemoveException;
-
-
-    String deletePwPolicy( User user ) throws UpdateException;
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     */
-    List<User> getAssignedUsers( AdminRole role ) throws FinderException;
-
-
-    List<User> getAssignedUsers( Role role ) throws FinderException;
-
-
-    List<String> getRoles( User user ) throws FinderException;
-
-
-    User getUser( User user, boolean isRoles ) throws FinderException;
-
-
-    Set<String> getAssignedUsers( Set<String> roles, String contextId ) throws FinderException;
-
-
-    List<String> getAuthorizedUsers( Role role, int limit ) throws FinderException;
-}
\ No newline at end of file


[16/16] git commit: Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
Remove the UnboundID DAO classes and library, move the Apache DAOs into the rbac package and make their classes and methods package-private.


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/49e82a58
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/49e82a58
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/49e82a58

Branch: refs/heads/master
Commit: 49e82a58b817e65b8a9098b9ad8fd4a45faf7464
Parents: 687ee1a
Author: Shawn <sm...@apache.org>
Authored: Wed Oct 22 12:47:59 2014 -0500
Committer: Shawn <sm...@apache.org>
Committed: Wed Oct 22 12:47:59 2014 -0500

----------------------------------------------------------------------
 NOTICE.txt                                      |   11 +-
 build.properties                                |    2 -
 build.xml                                       |    4 -
 ivy.xml                                         |    1 -
 ldap/setup/HierarchicalAdminRoleExample.xml     |   20 +-
 ldap/setup/HierarchicalRoleExample.xml          |   19 +-
 ldap/setup/OrgUnitExample.xml                   |   20 +-
 lib/LICENSE-UnboundID-LDAPSDK.txt               |   91 -
 lib/LICENSE-unboundid-ldapsdk-2.1.0-se.txt      |   17 -
 pom.xml                                         |    6 -
 .../core/ldap/ApacheDsDataProvider.java         |    4 +-
 .../fortress/core/ldap/ConnectionPool.java      |  664 -----
 .../directory/fortress/core/ldap/PoolMgr.java   |  619 -----
 .../core/ldap/UnboundIdDataProvider.java        | 1277 ----------
 .../core/ldap/openldap/OLPWControlImpl.java     |  417 ---
 .../directory/fortress/core/ldap/package.html   |    2 +-
 .../directory/fortress/core/overview.html       |    1 -
 .../fortress/core/rbac/AccelMgrImpl.java        |    3 +-
 .../fortress/core/rbac/AcceleratorDAO.java      |  373 +++
 .../directory/fortress/core/rbac/AdminRole.java |    2 -
 .../fortress/core/rbac/AdminRoleDAO.java        |  694 +++++
 .../fortress/core/rbac/AdminRoleP.java          |    4 +-
 .../directory/fortress/core/rbac/AuditDAO.java  |  780 ++++++
 .../directory/fortress/core/rbac/AuditP.java    |    1 -
 .../directory/fortress/core/rbac/OrgUnit.java   |    4 -
 .../fortress/core/rbac/OrgUnitDAO.java          |  702 ++++++
 .../directory/fortress/core/rbac/OrgUnitP.java  |    4 +-
 .../directory/fortress/core/rbac/PermDAO.java   | 1504 +++++++++++
 .../directory/fortress/core/rbac/PermObj.java   |    6 +-
 .../directory/fortress/core/rbac/PermP.java     |    4 +-
 .../fortress/core/rbac/Permission.java          |    5 +-
 .../directory/fortress/core/rbac/PolicyDAO.java |  685 +++++
 .../directory/fortress/core/rbac/PolicyP.java   |    1 -
 .../fortress/core/rbac/PwPolicyControl.java     |    4 +-
 .../directory/fortress/core/rbac/Role.java      |    4 +-
 .../directory/fortress/core/rbac/RoleDAO.java   |  657 +++++
 .../directory/fortress/core/rbac/RoleP.java     |    4 +-
 .../directory/fortress/core/rbac/SdDAO.java     |  633 +++++
 .../directory/fortress/core/rbac/SdP.java       |    3 +-
 .../directory/fortress/core/rbac/User.java      |    1 -
 .../directory/fortress/core/rbac/UserAudit.java |    2 -
 .../directory/fortress/core/rbac/UserDAO.java   | 2375 +++++++++++++++++
 .../directory/fortress/core/rbac/UserP.java     |    4 +-
 .../fortress/core/rbac/dao/AcceleratorDAO.java  |   39 -
 .../fortress/core/rbac/dao/AdminRoleDAO.java    |  200 --
 .../fortress/core/rbac/dao/AuditDAO.java        |  193 --
 .../fortress/core/rbac/dao/DAOType.java         |   27 -
 .../fortress/core/rbac/dao/DaoFactory.java      |  272 --
 .../fortress/core/rbac/dao/OrgUnitDAO.java      |  152 --
 .../fortress/core/rbac/dao/PermDAO.java         |  317 ---
 .../fortress/core/rbac/dao/PolicyDAO.java       |  127 -
 .../fortress/core/rbac/dao/RoleDAO.java         |  177 --
 .../directory/fortress/core/rbac/dao/SdDAO.java |  154 --
 .../fortress/core/rbac/dao/UserDAO.java         |  200 --
 .../core/rbac/dao/apache/AcceleratorDAO.java    |  379 ---
 .../core/rbac/dao/apache/AdminRoleDAO.java      |  694 -----
 .../fortress/core/rbac/dao/apache/AuditDAO.java |  784 ------
 .../core/rbac/dao/apache/OrgUnitDAO.java        |  706 ------
 .../fortress/core/rbac/dao/apache/PermDAO.java  | 1513 -----------
 .../core/rbac/dao/apache/PolicyDAO.java         |  685 -----
 .../fortress/core/rbac/dao/apache/RoleDAO.java  |  657 -----
 .../fortress/core/rbac/dao/apache/SdDAO.java    |  633 -----
 .../fortress/core/rbac/dao/apache/UserDAO.java  | 2383 ------------------
 .../core/rbac/dao/unboundid/AdminRoleDAO.java   |  656 -----
 .../core/rbac/dao/unboundid/AuditDAO.java       |  835 ------
 .../core/rbac/dao/unboundid/OrgUnitDAO.java     |  621 -----
 .../core/rbac/dao/unboundid/PermDAO.java        | 1405 -----------
 .../core/rbac/dao/unboundid/PolicyDAO.java      |  623 -----
 .../core/rbac/dao/unboundid/RoleDAO.java        |  593 -----
 .../fortress/core/rbac/dao/unboundid/SdDAO.java |  557 ----
 .../core/rbac/dao/unboundid/UserDAO.java        | 2365 -----------------
 .../fortress/core/util/attr/AttrHelper.java     |   10 +-
 src/test/build.xml                              |    2 -
 .../fortress/core/ant/TestAddUsers.xml          |   16 +-
 .../fortress/core/example/ExampleDAO.java       |  138 +-
 .../fortress/core/rbac/FortressJUnitTest.java   |    4 +-
 .../core/rbac/accelerator/TestAccelerator.java  |    2 +-
 .../apacheds/FortressJUnitApachedsTest.java     |   18 +-
 .../fortress/core/samples/overview.html         |    1 -
 79 files changed, 8509 insertions(+), 21263 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/NOTICE.txt
----------------------------------------------------------------------
diff --git a/NOTICE.txt b/NOTICE.txt
index a6372e8..924547b 100755
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -22,9 +22,8 @@ The purpose of this NOTICE.txt file is to include notices that are required by t
 This product includes software developed by:
 
 1. The Apache Software Foundation (http://www.apache.org/)
-2. UnBoundID Corp (http://www.unboundid.com/)
-3. The Eigenbase Project (http://www.eigenbase.org/)
-4. JUnit.org (http://www.junit.org/)
-5. The Java Community Process (http://www.jcp.org/)
-6. SLF4J (http://www.slf4j.org/)
-7. Terracotta (http://www.terracotta.org/TPL)
+2. The Eigenbase Project (http://www.eigenbase.org/)
+3. JUnit.org (http://www.junit.org/)
+4. The Java Community Process (http://www.jcp.org/)
+5. SLF4J (http://www.slf4j.org/)
+6. Terracotta (http://www.terracotta.org/TPL)

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/build.properties
----------------------------------------------------------------------
diff --git a/build.properties b/build.properties
index c7a3583..cae71aa 100644
--- a/build.properties
+++ b/build.properties
@@ -66,8 +66,6 @@ http.protocol=http
 #ldap.server.type=openldap
 #ldap.server.type=apacheds
 # This is the default:
-#ldap.client.type=unboundid
-# To override and use apache ldap API uncomment this:
 ldap.client.type=apache
 
 # These parameters point fortress to LDAP host:

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/build.xml
----------------------------------------------------------------------
diff --git a/build.xml b/build.xml
index 3a26e68..4160b27 100644
--- a/build.xml
+++ b/build.xml
@@ -154,7 +154,6 @@
        <property name="commons-io.jar" value="${lib.dir}/commons-io-2.4.jar"/>
        <property name="cxf-common-utilities.jar" value="${lib.dir}/cxf-common-utilities-2.5.0.jar"/>
        <property name="commons-codec.jar" value="${lib.dir}/commons-codec-1.2.jar"/>
-       <property name="unboundsdk.jar" value="${lib.dir}/unboundid-ldapsdk-2.1.0.jar"/>
        <property name="jgraph.jar" value="${lib.dir}/jgrapht-jdk1.5-0.7.3.jar"/>
        <property name="log4j.jar" value="${lib.dir}/log4j-1.2.17.jar"/>
        <property name="junit.jar" value="${lib.dir}/junit-4.11.jar"/>
@@ -180,7 +179,6 @@
        <path id="build.class.path">
            <pathelement location="${build.classes.dir}"/>
            <pathelement location="${jgraph.jar}"/>
-           <pathelement location="${unboundsdk.jar}"/>
            <pathelement location="${junit.jar}"/>
            <pathelement location="${commons-config.jar}"/>
            <pathelement location="${commons-lang.jar}"/>
@@ -213,7 +211,6 @@
            <pathelement location="${build.test-classes.dir}"/>
            <pathelement location="${dist.jar}"/>
            <pathelement location="${jgraph.jar}"/>
-           <pathelement location="${unboundsdk.jar}"/>
            <pathelement location="${junit.jar}"/>
            <pathelement location="${log4j.jar}"/>
            <pathelement location="${commons-config.jar}"/>
@@ -251,7 +248,6 @@
            <path location="${config.bootstrap.dir}"/>
            <pathelement location="${build.classes.dir}"/>
            <pathelement location="${jgraph.jar}"/>
-           <pathelement location="${unboundsdk.jar}"/>
            <pathelement location="${junit.jar}"/>
            <pathelement location="${log4j.jar}"/>
            <pathelement location="${commons-config.jar}"/>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/ivy.xml
----------------------------------------------------------------------
diff --git a/ivy.xml b/ivy.xml
index f4a37b3..465f3ba 100755
--- a/ivy.xml
+++ b/ivy.xml
@@ -32,7 +32,6 @@
         <dependency org="commons-logging" name="commons-logging" rev="1.1.1" conf="default->master"/>
         <dependency org="commons-codec" name="commons-codec" rev="1.2" conf="default->master"/>
         <dependency org="commons-io" name="commons-io" rev="2.4" conf="default->master"/>
-        <dependency org="com.unboundid" name="unboundid-ldapsdk" rev="2.1.0" conf="default->master"/>
         <dependency org="junit" name="junit" rev="4.11" conf="default->master"/>
         <dependency org="log4j" name="log4j" rev="1.2.17" conf="default->master"/>
         <dependency org="org.jasypt" name="jasypt" rev="1.8" conf="default->master"/>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/ldap/setup/HierarchicalAdminRoleExample.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/HierarchicalAdminRoleExample.xml b/ldap/setup/HierarchicalAdminRoleExample.xml
index 25989ce..60291c8 100755
--- a/ldap/setup/HierarchicalAdminRoleExample.xml
+++ b/ldap/setup/HierarchicalAdminRoleExample.xml
@@ -18,26 +18,8 @@
    under the License.
 -->
 <project basedir="." default="all" name="Fortress Sample Data">
-    <!--property name="version" value="${version}"/-->
-    <property name="version" value="1.0-RC24"/>
-    <property name="home.dir" value = "../../" />
-    <property name="lib.dir" value = "${home.dir}/lib" />
-    <property name="dist.dir" value = "${home.dir}/dist" />
-    <property name="config" value="${home.dir}/config"/>
-    <property name="Fortress.jar" value="${dist.dir}/fortress-${version}.jar"/>
-    <property name="log4j.jar" value="${lib.dir}/log4j-1.2.17.jar"/>
-    <property name="ldapjdk.jar" value="${lib.dir}/unboundid-ldapsdk-2.1.0.jar"/>
-    <property name="jgrapht.jar" value="${lib.dir}/jgrapht-jdk1.5-0.7.3.jar"/>
-    <property name="jasypt.jar" value="${lib.dir}/jasypt-1.8.jar"/>
-    <property name="commons-configuration.jar" value="${lib.dir}/commons-configuration-1.6.jar"/>
-    <property name="commons-lang.jar" value="${lib.dir}/commons-lang-2.4.jar"/>
-    <property name="commons-collections.jar" value="${lib.dir}/commons-collections-3.2.1.jar"/>
-    <property name="commons-logging.jar" value="${lib.dir}/commons-logging-1.1.1.jar"/>
-    <property name="ehcache-core.jar" value="${lib.dir}/ehcache-core-2.6.5.jar"/>
-    <property name="slf4j-api.jar" value="${lib.dir}/slf4j-api-1.7.5.jar"/>
-    <property name="slf4j-log4j.jar" value="${lib.dir}/slf4j-log4j12-1.7.5.jar"/>
     <taskdef classname="org.apache.directory.fortress.core.ant.FortressAntTask" name="FortressAdmin" >
-    	<classpath path="${config}:${Fortress.jar}:${log4j.jar}:${ldapjdk.jar}:${jgrapht.jar}:${jasypt.jar}:${commons-configuration.jar}:${commons-lang.jar}:${commons-collections.jar}:${commons-logging.jar}:${ehcache-core.jar}:${slf4j-api.jar}:${slf4j-log4j.jar}"/>
+        <classpath path="${java.class.path}"/>
     </taskdef>
 
     <target name="all">
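Review bot: The new taskdef classpath `<classpath path="${java.class.path}"/>` makes the sample depend entirely on how the Ant JVM was launched, whereas the removed list was self-contained and also included `${config}`, which presumably carried the fortress property files the task reads at runtime. Nothing in the file now says what must be on the classpath, so a user running `ant -f` from a checkout will get a class-not-found or missing-configuration failure with no hint. A one-line comment above the taskdef would close that gap, e.g. `<!-- Requires the fortress jar, its runtime dependencies and the config directory on the JVM classpath (CLASSPATH or ant -lib) -->`. The same replacement is made in HierarchicalRoleExample.xml and OrgUnitExample.xml and deserves the same note there.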

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/ldap/setup/HierarchicalRoleExample.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/HierarchicalRoleExample.xml b/ldap/setup/HierarchicalRoleExample.xml
index 55022f4..5212cd0 100755
--- a/ldap/setup/HierarchicalRoleExample.xml
+++ b/ldap/setup/HierarchicalRoleExample.xml
@@ -18,25 +18,8 @@
    under the License.
 -->
 <project basedir="." default="all" name="Fortress Sample Data">
-    <!--<property name="version" value="1.0.0-rc11"/>-->
-    <property name="home.dir" value = "../../" />
-    <property name="lib.dir" value = "${home.dir}/lib" />
-    <property name="dist.dir" value = "${home.dir}/dist" />
-    <property name="config" value="${home.dir}/config"/>
-    <property name="Fortress.jar" value="${dist.dir}/fortress-${version}.jar"/>
-    <property name="log4j.jar" value="${lib.dir}/log4j-1.2.17.jar"/>
-    <property name="ldapjdk.jar" value="${lib.dir}/unboundid-ldapsdk-2.1.0.jar"/>
-    <property name="jgrapht.jar" value="${lib.dir}/jgrapht-jdk1.5-0.7.3.jar"/>
-    <property name="jasypt.jar" value="${lib.dir}/jasypt-1.8.jar"/>
-    <property name="commons-configuration.jar" value="${lib.dir}/commons-configuration-1.6.jar"/>
-    <property name="commons-lang.jar" value="${lib.dir}/commons-lang-2.4.jar"/>
-    <property name="commons-collections.jar" value="${lib.dir}/commons-collections-3.2.1.jar"/>
-    <property name="commons-logging.jar" value="${lib.dir}/commons-logging-1.1.1.jar"/>
-    <property name="ehcache-core.jar" value="${lib.dir}/ehcache-core-2.6.5.jar"/>
-    <property name="slf4j-api.jar" value="${lib.dir}/slf4j-api-1.7.5.jar"/>
-    <property name="slf4j-log4j.jar" value="${lib.dir}/slf4j-log4j12-1.7.5.jar"/>
     <taskdef classname="org.apache.directory.fortress.core.ant.FortressAntTask" name="FortressAdmin" >
-    	<classpath path="${config}:${Fortress.jar}:${log4j.jar}:${ldapjdk.jar}:${jgrapht.jar}:${jasypt.jar}:${commons-configuration.jar}:${commons-lang.jar}:${commons-collections.jar}:${commons-logging.jar}:${ehcache-core.jar}:${slf4j-api.jar}:${slf4j-log4j.jar}"/>
+        <classpath path="${java.class.path}"/>
     </taskdef>
 
     <target name="all">

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/ldap/setup/OrgUnitExample.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/OrgUnitExample.xml b/ldap/setup/OrgUnitExample.xml
index 09d94c1..25f3031 100755
--- a/ldap/setup/OrgUnitExample.xml
+++ b/ldap/setup/OrgUnitExample.xml
@@ -18,26 +18,8 @@
    under the License.
 -->
 <project basedir="." default="all" name="Fortress Sample Data">
-    <!--<property name="version" value="1.0.0-rc11"/>-->
-    <property name="version" value="${version}"/>
-    <property name="home.dir" value = "../../" />
-    <property name="lib.dir" value = "${home.dir}/lib" />
-    <property name="dist.dir" value = "${home.dir}/dist" />
-    <property name="config" value="${home.dir}/config"/>
-    <property name="Fortress.jar" value="${dist.dir}/fortress-${version}.jar"/>
-    <property name="log4j.jar" value="${lib.dir}/log4j-1.2.17.jar"/>
-    <property name="ldapjdk.jar" value="${lib.dir}/unboundid-ldapsdk-2.1.0.jar"/>
-    <property name="jgrapht.jar" value="${lib.dir}/jgrapht-jdk1.5-0.7.3.jar"/>
-    <property name="jasypt.jar" value="${lib.dir}/jasypt-1.8.jar"/>
-    <property name="commons-configuration.jar" value="${lib.dir}/commons-configuration-1.6.jar"/>
-    <property name="commons-lang.jar" value="${lib.dir}/commons-lang-2.4.jar"/>
-    <property name="commons-collections.jar" value="${lib.dir}/commons-collections-3.2.1.jar"/>
-    <property name="commons-logging.jar" value="${lib.dir}/commons-logging-1.1.1.jar"/>
-    <property name="ehcache-core.jar" value="${lib.dir}/ehcache-core-2.6.5.jar"/>
-    <property name="slf4j-api.jar" value="${lib.dir}/slf4j-api-1.7.5.jar"/>
-    <property name="slf4j-log4j.jar" value="${lib.dir}/slf4j-log4j12-1.7.5.jar"/>
     <taskdef classname="org.apache.directory.fortress.core.ant.FortressAntTask" name="FortressAdmin" >
-    	<classpath path="${config}:${Fortress.jar}:${log4j.jar}:${ldapjdk.jar}:${jgrapht.jar}:${jasypt.jar}:${commons-configuration.jar}:${commons-lang.jar}:${commons-collections.jar}:${commons-logging.jar}:${ehcache-core.jar}:${slf4j-api.jar}:${slf4j-log4j.jar}"/>
+        <classpath path="${java.class.path}"/>
     </taskdef>
 
     <target name="all">

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/lib/LICENSE-UnboundID-LDAPSDK.txt
----------------------------------------------------------------------
diff --git a/lib/LICENSE-UnboundID-LDAPSDK.txt b/lib/LICENSE-UnboundID-LDAPSDK.txt
deleted file mode 100755
index e57554e..0000000
--- a/lib/LICENSE-UnboundID-LDAPSDK.txt
+++ /dev/null
@@ -1,91 +0,0 @@
-                     UnboundID LDAP SDK Free Use License
-
-THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND UNBOUNDID CORP. ("UNBOUNDID")
-REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY ASSOCIATED
-DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND SOURCE FILES OR
-OTHER MATERIALS MADE AVAILABLE BY UNBOUNDID (COLLECTIVELY REFERRED TO IN THIS
-AGREEMENT AS THE ("SDK").
-
-BY INSTALLING, ACCESSING OR OTHERWISE USING THE SDK, YOU ACCEPT THE TERMS OF
-THIS AGREEMENT.  IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT
-INSTALL, ACCESS OR USE THE SDK.
-
-USE OF THE SDK.  Subject to your compliance with this Agreement, UnboundID
-grants to You a non-exclusive, royalty-free license, under UnboundID's
-intellectual property rights in the SDK, to use, reproduce, modify and
-distribute this release of the SDK; provided that no license is granted herein
-under any patents that may be infringed by your modifications, derivative works
-or by other works in which the SDK may be incorporated (collectively, your
-"Applications").  You may reproduce and redistribute the SDK with your
-Applications provided that you (i) include this license file and an
-unmodified copy of the unboundid-ldapsdk-se.jar file; and (ii) such
-redistribution is subject to a license whose terms do not conflict with or
-contradict the terms of this Agreement. You may also reproduce and redistribute
-the SDK without your Applications provided that you redistribute the SDK
-complete and unmodified (i.e., with all "read me" files, copyright notices, and
-other legal notices and terms that UnboundID has included in the SDK).
-
-SCOPE OF LICENSES.  This Agreement does not grant You the right to use any
-UnboundID intellectual property which is not included as part of the SDK.  The
-SDK is licensed, not sold.  This Agreement only gives You some rights to use
-the SDK.  UnboundID reserves all other rights. Unless applicable law gives You
-more rights despite this limitation, You may use the SDK only as expressly
-permitted in this Agreement.
-
-SUPPORT.  UnboundID is not obligated to provide any technical or other support
-("Support Services") for the SDK to You under this Agreement. However, if
-UnboundID chooses to provide any Support Services to You, Your use of such
-Support Services will be governed by then-current UnboundID support policies.
-
-TERMINATION.  UnboundID reserves the right to discontinue offering the SDK and
-to modify the SDK at any time in its sole discretion.  Notwithstanding anything
-contained in this Agreement to the contrary, UnboundID may also, in its sole
-discretion, terminate or suspend access to the SDK to You or any end user at
-any time.  In addition, if you fail to comply with the terms of this Agreement,
-then any rights granted herein will be automatically terminated if such failure
-is not corrected within 30 days of the initial notification of such failure.
-You acknowledge that termination and/or monetary damages may not be a
-sufficient remedy if You breach this Agreement and that UnboundID will be
-entitled, without waiving any other rights or remedies, to injunctive or
-equitable relief as may be deemed proper by a court of competent jurisdiction
-in the event of a breach.  UnboundID may also terminate this Agreement if the
-SDK becomes, or in UnboundID?s reasonable opinion is likely to become, the
-subject of a claim of intellectual property infringement or trade secret
-misappropriation.  All rights and licenses granted herein will simultaneously
-and automatically terminate upon termination of this Agreement for any reason.
-
-DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND UNBOUNDID DOES NOT
-WARRANT THAT THE SDK WILL BE ERROR-FREE, VIRUS-FREE, WILL PERFORM IN AN
-UNINTERRUPTED, SECURE OR TIMELY MANNER, OR WILL INTEROPERATE WITH OTHER
-HARDWARE, SOFTWARE, SYSTEMS OR DATA.  TO THE MAXIMUM EXTENT ALLOWED BY LAW, ALL
-CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY
-OR OTHERWISE INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF UNBOUNDID HAD BEEN
-INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE HEREBY
-DISCLAIMED.
-
-LIMITATION OF LIABILITY.  IN NO EVENT WILL UNBOUNDID OR ITS SUPPLIERS BE LIABLE
-FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
-REVENUE, DATA OR DATA USE, BUSINESS INTERRUPTION, COST OF COVER, DIRECT,
-INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND)
-ARISING OUT OF THE USE OF OR INABILITY TO USE THE SDK OR IN ANY WAY RELATED TO
-THIS AGREEMENT, EVEN IF UNBOUNDID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGES.
-
-ADDITIONAL RIGHTS.  Certain states do not allow the exclusion of implied
-warranties or limitation of liability for certain kinds of damages, so the
-exclusion of limited warranties and limitation of liability set forth above may
-not apply to You.
-
-EXPORT RESTRICTIONS.  The SDK is subject to United States export control laws.
-You acknowledge and agree that You are responsible for compliance with all
-domestic and international export laws and regulations that apply to the SDK.
-
-MISCELLANEOUS.  This Agreement constitutes the entire agreement with respect to
-the SDK.  If any provision of this Agreement shall be held to be invalid,
-illegal or unenforceable, the validity, legality and enforceability of the
-remaining provisions shall in no way be affected or impaired thereby. This
-Agreement and performance hereunder shall be governed by and construed in
-accordance with the laws of the State of Texas without regard to its conflict
-of laws rules.  Any disputes related to this Agreement shall be exclusively
-litigated in the state or federal courts located in Travis County, Texas.

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/lib/LICENSE-unboundid-ldapsdk-2.1.0-se.txt
----------------------------------------------------------------------
diff --git a/lib/LICENSE-unboundid-ldapsdk-2.1.0-se.txt b/lib/LICENSE-unboundid-ldapsdk-2.1.0-se.txt
deleted file mode 100755
index 4da9120..0000000
--- a/lib/LICENSE-unboundid-ldapsdk-2.1.0-se.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-UnboundID LDAP SDK for Java (Standard Edition)
-Copyright 2007-2011 UnboundID Corp.
-
-
-The Standard Edition of the UnboundID LDAP SDK for Java is available under
-three licenses:  the GNU General Public License version 2 (GPLv2), the GNU
-Lesser General Public License version 2.1 (LGPLv2.1) and a free-right-to-use
-use license created by UnboundID Corp.
-
-See the LICENSE-GPLv2.txt file for the GNU General Public License version 2.
-
-See the LICENSE-LGPLv2.1.txt file for the GNU Lesser General Public License
-version 2.1.
-
-See the LICENSE-UnboundID-LDAPSDK.txt file for the UnboundID LDAP SDK Free Use
-License.
-

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index eabaff0..60e1424 100644
--- a/pom.xml
+++ b/pom.xml
@@ -100,12 +100,6 @@
       <version>3.1</version>
     </dependency>
 
-    <dependency>
-      <groupId>com.unboundid</groupId>
-      <artifactId>unboundid-ldapsdk</artifactId>
-      <version>2.3.3</version>
-    </dependency>
-
     <!-- Logging dependencies -->
     <dependency>
       <groupId>org.slf4j</groupId>

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
index 8a499be..d38f573 100644
--- a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
+++ b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java
@@ -78,8 +78,8 @@ import org.slf4j.LoggerFactory;
 
 /**
  * Abstract class contains methods to perform low-level entity to ldap persistence.  These methods are called by the
- * Fortress DAO's, i.e. {@link org.apache.directory.fortress.core.rbac.dao.apache.UserDAO}. {@link org.apache.directory.fortress.core.rbac.dao.apache
- * .RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.apache.PermDAO}, ....
+ * Fortress DAO's, i.e. {@link org.apache.directory.fortress.core.rbac.UserDAO}. {@link org.apache.directory.fortress.core.rbac.dao.apache
+ * .RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO}, ....
  * These are low-level data utilities, very little if any data validations are performed here.
  * <p/>
  * This class is thread safe.
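Review bot: The middle `{@link}` on the new side still points at `org.apache.directory.fortress.core.rbac.dao.apache .RoleDAO`, while the UserDAO and PermDAO links on the same lines were moved to `org.apache.directory.fortress.core.rbac` and the diffstat shows `rbac/dao/apache/RoleDAO.java` deleted, so that reference is now dangling. It should read `{@link org.apache.directory.fortress.core.rbac.RoleDAO}` to match its neighbours. Since the commit also makes the DAO classes package-private, javadoc generated from this `ldap` package likely cannot resolve any of these links anyway; `{@code ...RoleDAO}` references would avoid the resulting warnings.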

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/ConnectionPool.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ConnectionPool.java b/src/main/java/org/apache/directory/fortress/core/ldap/ConnectionPool.java
deleted file mode 100755
index c6dc457..0000000
--- a/src/main/java/org/apache/directory/fortress/core/ldap/ConnectionPool.java
+++ /dev/null
@@ -1,664 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.ldap;
-
-
-import java.security.GeneralSecurityException;
-import java.util.Date;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.JavaToLDAPSocketFactory;
-import com.unboundid.util.ssl.SSLUtil;
-import com.unboundid.util.ssl.TrustStoreTrustManager;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-
-import javax.net.ssl.SSLSocketFactory;
-
-
-/**
- * This connection pool class is used by Fortress {@link PoolMgr}.
- * PoolMgr operations utilize multiple instances of this class to connections for different purposes.
- * For example the 'admin' pool contains connections that have privileges to make modifications to the directory data during administrative operations {@link org.apache.directory.fortress.core.AdminMgr}.
- * The 'user' pool contain unprivileged connections used for authentication processing only, {@link org.apache.directory.fortress.core.AccessMgr}.
- * A 3rd pool, may be used to interrogate data stored by OpenLDAP's slapo access log info, This is used interrogating the fortress audit log events, {@link org.apache.directory.fortress.core.AuditMgr}.
- * The contents of this file have been derived from the original, Mozilla Java LDAP SDK, and are subject to the Netscape Public License Version 1.1 (the "License")
- * as described at the top of this file;
- * The code mods include additional functionality to enable SSL connections in pool.  There have been other updates to the original functions to integrate with UnboundID's Java LDAP SDK.
- * </p>
- * Original Mozilla javadoc:
- * Class to maintain a pool of individual connections to the
- * same server. Specify the initial size and the max size
- * when constructing a pool. Call getConnection() to obtain
- * a connection from the pool and close() to return it. If
- * the pool is fully extended and there are no free connections,
- * getConnection() blocks until a connection has been returned
- * to the pool.<BR>
- * Call destroy() to release all connections.
- * <BR><BR>Example:<BR>
- * <PRE>
- * ConnectionPool pool = null;
- * try {
- * pool = new ConnectionPool( 10, 30,
- * "foo.acme.com",389,
- * "uid=me, o=acme.com",
- * "password" );
- * } catch ( LDAPException e ) {
- * System.err.println( "Unable to create connection pool" );
- * System.exit( 1 );
- * }
- * while ( clientsKnocking ) {
- * String filter = getSearchFilter();
- * LDAPConnection ld = pool.getConnection();
- * try {
- * LDAPSearchResults res = ld.search( BASE, ld.SCOPE_SUB,
- * filter, attrs,
- * false );
- * pool.close( ld );
- * while( res.hasMoreElements() ) {
- * ...
- * </PRE>
- */
-class ConnectionPool
-{
-    // Logging
-    private static final String CLS_NM = ConnectionPool.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-
-
-    /**
-     * Create a new instance of connection pool with specified parameters.  These connections will be used by the Fortress DAO
-     * methods for processing ldap server operations.
-     *
-     * @param min    initial number of connections
-     * @param max    maximum number of connections
-     * @param host   hostname of LDAP server
-     * @param port   port number of LDAP server
-     * @param authdn DN to authenticate as
-     * @param authpw password for authentication
-     * @throws LDAPException on failure to create connections
-     */
-    ConnectionPool( int min, int max,
-        String host, int port,
-        String authdn, String authpw )
-        throws LDAPException
-    {
-        this( min, max, host, port, authdn, authpw, null );
-    }
-
-
-    /*
-     * Constructor for using an existing connection to clone
-     * from
-     * 
-     * @param min initial number of connections
-     * @param max maximum number of connections
-     * @param host hostname of LDAP server
-     * @param port port number of LDAP server
-     * @param authdn DN to authenticate as
-     * @param authpw password for authentication
-     * @param ldc connection to clone 
-     * @exception LDAPException on failure to create connections 
-     */
-    private ConnectionPool( int min, int max,
-        String host, int port,
-        String authdn, String authpw,
-        LDAPConnection ldc )
-        throws LDAPException
-    {
-        this.poolSize = min;
-        this.poolMax = max;
-        this.host = host;
-        this.port = port;
-        this.authdn = authdn;
-        this.authpw = authpw;
-        this.ldc = ldc;
-        this.debugMode = false;
-        createPool();
-    }
-
-
-    /**
-     * Destroy the whole pool - called during a shutdown
-     */
-    void destroy()
-    {
-        for ( int i = 0; i < pool.size(); i++ )
-        {
-            disconnect( ( LDAPConnectionObject ) pool.elementAt( i ) );
-        }
-        pool.removeAllElements();
-    }
-
-
-    /**
-     * Gets a connection from the pool
-     * <p/>
-     * If no connections are available, the pool will be
-     * extended if the number of connections is less than
-     * the maximum; if the pool cannot be extended, the method
-     * blocks until a free connection becomes available.
-     *
-     * @return an active connection.
-     */
-    LDAPConnection getConnection()
-    {
-        LDAPConnection con;
-
-        while ( ( con = getConnFromPool() ) == null )
-        {
-            synchronized ( pool )
-            {
-                try
-                {
-                    pool.wait();
-                }
-                catch ( InterruptedException e )
-                {
-                    LOG.warn( "getConnection caught InterruptedException" );
-                }
-            }
-        }
-        return con;
-    }
-
-
-    /**
-     * Gets a connection from the pool within a time limit.
-     * <p/>
-     * If no connections are available, the pool will be
-     * extended if the number of connections is less than
-     * the maximum; if the pool cannot be extended, the method
-     * blocks until a free connection becomes available or the
-     * time limit is exceeded.
-     *
-     * @param timeout timeout in milliseconds
-     * @return an active connection or <CODE>null</CODE> if timed out.
-     */
-    LDAPConnection getConnection( int timeout )
-    {
-        LDAPConnection con;
-
-        while ( ( con = getConnFromPool() ) == null )
-        {
-            long t1, t0 = System.currentTimeMillis();
-
-            if ( timeout <= 0 )
-            {
-                return con;
-            }
-
-            synchronized ( pool )
-            {
-                try
-                {
-                    pool.wait( timeout );
-                }
-                catch ( InterruptedException e )
-                {
-                    LOG.warn( "getConnection caught InterruptedException for timeout: " + timeout );
-                    return null;
-                }
-            }
-
-            t1 = System.currentTimeMillis();
-            timeout -= ( t1 - t0 );
-        }
-        return con;
-    }
-
-
-    /**
-     * Gets a connection from the pool
-     * <p/>
-     * If no connections are available, the pool will be
-     * extended if the number of connections is less than
-     * the maximum; if the pool cannot be extended, the method
-     * returns null.
-     *
-     * @return an active connection or null.
-     */
-    synchronized LDAPConnection getConnFromPool()
-    {
-        LDAPConnection con = null;
-        LDAPConnectionObject ldapconnobj = null;
-
-        int pSize = pool.size();
-
-        // Get an available connection
-        for ( int i = 0; i < pSize; i++ )
-        {
-
-            // Get the ConnectionObject from the pool
-            LDAPConnectionObject co =
-                ( LDAPConnectionObject ) pool.elementAt( i );
-
-            if ( co.isAvailable() )
-            { // Conn available?
-                ldapconnobj = co;
-                break;
-            }
-        }
-
-        if ( ldapconnobj == null )
-        {
-            // If there there were no conns in pool, can we grow
-            // the pool?
-            if ( ( poolMax < 0 ) ||
-                ( ( poolMax > 0 ) &&
-                ( pSize < poolMax ) ) )
-            {
-
-                // Yes we can grow it
-                int i = addConnection();
-
-                // If a new connection was created, use it
-                if ( i >= 0 )
-                {
-                    ldapconnobj =
-                        ( LDAPConnectionObject ) pool.elementAt( i );
-                }
-            }
-            else
-            {
-                debug( "All pool connections in use" );
-            }
-        }
-
-        if ( ldapconnobj != null )
-        {
-            ldapconnobj.setInUse( true ); // Mark as in use
-            con = ldapconnobj.getLDAPConn();
-        }
-        return con;
-    }
-
-
-    /**
-     * This is our soft close - all we do is mark
-     * the connection as available for others to use.
-     * We also reset the auth credentials in case
-     * they were changed by the caller.
-     *
-     * @param ld a connection to return to the pool
-     */
-    synchronized void close( LDAPConnection ld )
-    {
-
-        int index = find( ld );
-        if ( index != -1 )
-        {
-            LDAPConnectionObject co =
-                ( LDAPConnectionObject ) pool.elementAt( index );
-            // Reset the auth if necessary
-            if ( ldc == null )
-            {
-                boolean reauth = false;
-                //if user bound anon then getAuthenticationDN is null
-                if ( ld.getAuthenticationDN() == null )
-                {
-                    reauth = ( authdn != null );
-                }
-                else if ( !ld.getAuthenticationDN().equalsIgnoreCase( authdn ) )
-                {
-                    reauth = true;
-                }
-            }
-            co.setInUse( false ); // Mark as available
-            synchronized ( pool )
-            {
-                pool.notifyAll();
-            }
-        }
-    }
-
-
-    /**
-     * Debug method to print the contents of the pool
-     */
-    public void printPool()
-    {
-        System.out.println( "--ConnectionPool--" );
-        for ( int i = 0; i < pool.size(); i++ )
-        {
-            LDAPConnectionObject co =
-                ( LDAPConnectionObject ) pool.elementAt( i );
-            String msg = "" + i + "=" + co;
-            LOG.info( "printPool: " + msg );
-        }
-    }
-
-
-    private void disconnect(
-        LDAPConnectionObject ldapconnObject )
-    {
-        if ( ldapconnObject != null )
-        {
-            if ( ldapconnObject.isAvailable() )
-            {
-                LDAPConnection ld = ldapconnObject.getLDAPConn();
-                if ( ( ld != null ) && ( ld.isConnected() ) )
-                {
-                    try
-                    {
-                        ld.disconnect();
-                    }
-                    catch ( LDAPException e )
-                    {
-                        debug( "disconnect: " + e.toString() );
-                        LOG.warn( "disconnect caught LDAPException: " + e.getMessage() );
-                    }
-                }
-                ldapconnObject.setLDAPConn( null ); // Clear conn
-            }
-        }
-    }
-
-
-    private void createPool() throws LDAPException
-    {
-        // Called by the constructors
-        if ( poolSize <= 0 )
-        {
-            throw new LDAPException( "ConnectionPoolSize invalid" );
-        }
-        if ( poolMax < poolSize )
-        {
-            debug( "ConnectionPoolMax is invalid, set to " +
-                poolSize );
-            poolMax = poolSize;
-        }
-
-        debug( "****Initializing LDAP Pool****" );
-        debug( "LDAP host = " + host + " on port " + port );
-        debug( "Number of connections=" + poolSize );
-        debug( "Maximum number of connections=" + poolMax );
-        debug( "******" );
-
-        pool = new java.util.Vector(); // Create pool vector
-        setUpPool( poolSize ); // Initialize it
-    }
-
-
-    private int addConnection()
-    {
-        int index = -1;
-
-        debug( "adding a connection to pool..." );
-        try
-        {
-            int size = pool.size() + 1; // Add one connection
-            setUpPool( size );
-
-            if ( size == pool.size() )
-            {
-                // New size is size requested?
-                index = size - 1;
-            }
-        }
-        catch ( Exception ex )
-        {
-            debug( "Adding a connection: " + ex.toString() );
-            LOG.warn( "addConnection caught Exception: " + ex.getMessage() );
-        }
-        return index;
-    }
-
-
-    /**
-     * *** FORTRESS MOD ****
-     *
-     * Create pool of LDAP connections to server.  Add SSL capability using unboundId's compatibility utility.
-     *
-     * @param size number of connections to generate and store in pool
-     * @throws LDAPException in the event of system error.
-     */
-    private synchronized void setUpPool( int size )
-        throws LDAPException
-    {
-        // Loop on creating connections
-        while ( pool.size() < size )
-        {
-            LDAPConnectionObject co =
-                new LDAPConnectionObject();
-
-            LDAPConnection newConn = createConnection( );
-            newConn.connect( host, port, authdn, authpw );
-            co.setLDAPConn( newConn );
-            co.setInUse( false ); // Mark not in use
-            pool.addElement( co );
-        }
-    }
-
-    /**
-     * Used to manage trust store properties.  If enabled, create SSL connection.
-     *
-     */
-    private static final String ENABLE_LDAP_SSL = "enable.ldap.ssl";
-    private static final String ENABLE_LDAP_SSL_DEBUG = "enable.ldap.ssl.debug";
-    private static final String TRUST_STORE = Config.getProperty( "trust.store" );
-    private static final String TRUST_STORE_PW = Config.getProperty( "trust.store.password" );
-    private static final boolean IS_SSL = (
-        Config.getProperty( ENABLE_LDAP_SSL ) != null   &&
-            Config.getProperty( ENABLE_LDAP_SSL ).equalsIgnoreCase( "true" ) &&
-            TRUST_STORE      != null   &&
-            TRUST_STORE_PW   != null );
-
-    private static final String SET_TRUST_STORE_PROP = "trust.store.set.prop";
-    private static final boolean IS_SET_TRUST_STORE_PROP = (
-        IS_SSL &&
-            Config.getProperty( SET_TRUST_STORE_PROP ) != null   &&
-            Config.getProperty( SET_TRUST_STORE_PROP ).equalsIgnoreCase( "true" ));
-
-    private static final boolean IS_SSL_DEBUG = ( ( Config.getProperty( ENABLE_LDAP_SSL_DEBUG ) != null ) && ( Config
-        .getProperty( ENABLE_LDAP_SSL_DEBUG ).equalsIgnoreCase( "true" ) ) );
-
-    static
-    {
-        if(IS_SET_TRUST_STORE_PROP)
-        {
-            LOG.info( "Set JSSE truststore properties:");
-            LOG.info( "javax.net.ssl.trustStore: " + TRUST_STORE );
-            LOG.info( "javax.net.debug: " + new Boolean( IS_SSL_DEBUG ).toString());
-            System.setProperty( "javax.net.ssl.trustStore", TRUST_STORE );
-            System.setProperty( "javax.net.ssl.trustStorePassword", TRUST_STORE_PW );
-            System.setProperty( "javax.net.debug", new Boolean( IS_SSL_DEBUG ).toString() );
-        }
-    }
-
-    /**
-     * *** FORTRESS MOD ****
-     *
-     * If enabled, use Unbound compatibility lib to create SSL connection.
-     *
-     * @return handle to LDAPConnection
-     * @throws LDAPException wrap GeneralSecurityException or throws ldapexcep.
-     */
-    private LDAPConnection createConnection() throws LDAPException
-    {
-        LDAPConnection newConn = null;
-        if( IS_SSL)
-        {
-            // Generate SSL Connection using Unbound compatibility lib utils:
-            // http://stackoverflow.com/questions/22672477/unboundid-ldap-jdk-migration
-            SSLSocketFactory sslSocketFactory;
-            //SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
-            // These config values set in fortress.properties
-            SSLUtil sslUtil = new SSLUtil(
-                new TrustStoreTrustManager(
-                    TRUST_STORE,
-                    TRUST_STORE_PW.toCharArray() , null, true ) );
-            try
-            {
-                sslSocketFactory = sslUtil.createSSLSocketFactory();
-            }
-            catch(GeneralSecurityException e)
-            {
-                String error = "GeneralSecurityException while creating SSL socket factory=" + e;
-                throw new LDAPException( error, LDAPException.CONNECT_ERROR );
-            }
-            JavaToLDAPSocketFactory ldapSocketFactory =
-                new JavaToLDAPSocketFactory(sslSocketFactory);
-            newConn = new LDAPConnection(ldapSocketFactory);
-        }
-        else
-        {
-            // Make LDAP connection, using template if available
-            newConn = new LDAPConnection();
-        }
-        return newConn;
-    }
-
-    private int find( LDAPConnection con )
-    {
-        // Find the matching Connection in the pool
-        if ( con != null )
-        {
-            for ( int i = 0; i < pool.size(); i++ )
-            {
-                LDAPConnectionObject co =
-                    ( LDAPConnectionObject ) pool.elementAt( i );
-                if ( co.getLDAPConn() == con )
-                {
-                    return i;
-                }
-            }
-        }
-        return -1;
-    }
-
-
-    /**
-     * Sets the debug printout mode.
-     *
-     * @param mode debug mode to use
-     */
-    public synchronized void setDebug( boolean mode )
-    {
-        debugMode = mode;
-    }
-
-
-    /**
-     * Reports the debug printout mode.
-     *
-     * @return debug mode in use.
-     */
-    public boolean getDebug()
-    {
-        return debugMode;
-    }
-
-
-    private void debug( String s )
-    {
-        if ( debugMode )
-            System.out.println( "ConnectionPool (" +
-                new Date() + ") : " + s );
-    }
-
-
-    private void debug( String s, boolean severe )
-    {
-        if ( debugMode || severe )
-        {
-            System.out.println( "ConnectionPool (" +
-                new Date() + ") : " + s );
-        }
-    }
-
-    /**
-     * Wrapper for LDAPConnection object in pool
-     */
-    class LDAPConnectionObject
-    {
-
-        /**
-         * Returns the associated LDAPConnection.
-         *
-         * @return the LDAPConnection.
-         */
-        LDAPConnection getLDAPConn()
-        {
-            return this.ld;
-        }
-
-
-        /**
-         * Sets the associated LDAPConnection
-         *
-         * @param ld the LDAPConnection
-         */
-        void setLDAPConn( LDAPConnection ld )
-        {
-            this.ld = ld;
-        }
-
-
-        /**
-         * Marks a connection in use or available
-         *
-         * @param inUse <code>true</code> to mark in use, <code>false</code> if available
-         */
-        void setInUse( boolean inUse )
-        {
-            this.inUse = inUse;
-        }
-
-
-        /**
-         * Returns whether the connection is available
-         * for use by another user.
-         *
-         * @return <code>true</code> if available.
-         */
-        boolean isAvailable()
-        {
-            return !inUse;
-        }
-
-
-        /**
-         * Debug method
-         *
-         * @return s user-friendly rendering of the object.
-         */
-        public String toString()
-        {
-            return "LDAPConnection=" + ld + ",inUse=" + inUse;
-        }
-
-        private LDAPConnection ld; // LDAP Connection
-        private boolean inUse; // In use? (true = yes)
-    }
-
-    private final int poolSize; // Min pool size
-    private int poolMax; // Max pool size
-    private final String host; // LDAP host
-    private final int port; // Port to connect at
-    private final String authdn; // Identity of connections
-    private final String authpw; // Password for authdn
-    private LDAPConnection ldc = null; // Connection to clone
-    private java.util.Vector pool; // the actual pool
-    private boolean debugMode;
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/ldap/PoolMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/PoolMgr.java b/src/main/java/org/apache/directory/fortress/core/ldap/PoolMgr.java
deleted file mode 100755
index e960ad3..0000000
--- a/src/main/java/org/apache/directory/fortress/core/ldap/PoolMgr.java
+++ /dev/null
@@ -1,619 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.ldap;
-
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.util.crypto.EncryptUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPControl;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConstraints;
-
-/**
- * This class uses {@link ConnectionPool} to manage pools of {@code com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection}
- * to supply resource connections to Fortress DAO utilities.  The methods in the class are used by internal Fortress functions
- * and are not intended for used by external clients.  This class maintains 3 pools of connections.
- * <ol>
- * <li>Connections of type, {@link PoolMgr.ConnType#USER}, use {@link #connPoolUser} for user authentication and password change operations.</li>
- * <li>Connections of type, {@link PoolMgr.ConnType#ADMIN}, use {@link #connPoolAdmin} and are used for maintenance and interrogation of ldap server objects.</li>
- * <li>Connections of type, {@link PoolMgr.ConnType#LOG}, use {@link #connPoolLog} and used for pulling slapd log data from the server,  </li>
- * </ol>
- * <p/>
- * This class uses <a href="http://www.unboundid.com/products/ldap-sdk/">UnboundID LDAP SDK for Java</a> as client to
- * process LDAP operations.  The UnboundID SDK is distributed under 3 open source licenses and is free to use and distribute in
- * other open source or proprietary software packages.  For more info see, <a href="http://www.unboundid.com/products/ldap-sdk/docs/">LDAP SDK for Java</a>
- * <p/>
- * The {@link ConnectionPool} class derives source code from the Mozilla Java LDAP SDK.  For more
- * info on the license this derived code adheres, see: <a href="http://www.mozilla.org/MPL/MPL-1.1.html/">Mozilla Public License Version 1.1</a>
- * <p/>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-class PoolMgr
-{
-    // Property names for ldap connection pools:
-    private static final String LDAP_ADMIN_POOL_UID = "admin.user";
-    private static final String LDAP_ADMIN_POOL_PW = "admin.pw";
-    private static final String LDAP_LOG_POOL_UID = "log.admin.user";
-    private static final String LDAP_LOG_POOL_PW = "log.admin.pw";
-    private static final String LDAP_ADMIN_POOL_MIN = "min.admin.conn";
-    private static final String LDAP_ADMIN_POOL_MAX = "max.admin.conn";
-    private static final String LDAP_USER_POOL_MIN = "min.user.conn";
-    private static final String LDAP_USER_POOL_MAX = "max.user.conn";
-    private static final String LDAP_LOG_POOL_MIN = "min.log.conn";
-    private static final String LDAP_LOG_POOL_MAX = "max.log.conn";
-    private static final String LDAP_VERSION = "ldapVersion";
-    private static final String LDAP_CONNECTION_TIMEOUT = "connTimeout";
-    private static final String LDAP_DEBUG_FLAG = "debug.ldap.pool";
-    private static final String LDAP_HOST = "host";
-    private static final String LDAP_PORT = "port";
-
-    // 3 types of connection pools are managed by ths class:
-    static enum ConnType
-    {
-        /**
-         * Admin connections used for most of the Fortress internal operations.  Internal bind on connection
-         * will be performed using config param found {@link #LDAP_ADMIN_POOL_UID}
-         */
-        ADMIN,
-
-        /**
-         * User connections for non-admin binds and password mods.  Connections will not be bound
-         * to user prior to returning to caller.
-         */
-        USER,
-
-        /**
-         * All slapd log operations use this connection pool.   Internal bind on connection
-         * will be performed using config param found {@link #LDAP_LOG_POOL_UID}
-         */
-        LOG
-    }
-
-    // Used to synch the getConnection method:
-    private static final Object adminSynchLock = new Object();
-    private static final Object userSynchLock = new Object();
-    private static final Object logSynchLock = new Object();
-
-    // Canaries in the coal mine:
-    private static LDAPConnection testAdminConn;
-    private static LDAPConnection testUConn;
-    private static LDAPConnection testLConn;
-
-    // Logging
-    private static final String CLS_NM = PoolMgr.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-
-    // Declare the index for connection pool array:
-    private static final int ADMIN = 0;
-    private static final int USER = 1;
-    private static final int AUDIT = 2;
-
-    // Contains the adminUserId LDAP connections:
-    private static final ConnectionPool connPoolAdmin = null;
-    private static final ConnectionPool connPoolUser = null;
-    private static final ConnectionPool connPoolLog = null;
-    private static final ConnectionPool[] connPool = {connPoolAdmin, connPoolUser, connPoolLog};
-
-    // this modules uses openldap pw policies
-    private static final LDAPControl pwPolicyControl = new LDAPControl(GlobalIds.OPENLDAP_PW_RESPONSE_CONTROL, false, null);
-    private static String adminPw;
-    private static String adminUserId = null;
-    private static final boolean isDebugEnabled = Config.getBoolean(LDAP_DEBUG_FLAG, false);
-    private static int connectionTimeout ;
-    private static int ldapRevision;
-
-    // Load all of the static member variables of this class & initialize the admin connection pools:
-    static
-    {
-        try
-        {
-            adminUserId = Config.getProperty(LDAP_ADMIN_POOL_UID);
-            if(EncryptUtil.isEnabled())
-            {
-                adminPw = EncryptUtil.decrypt(Config.getProperty(LDAP_ADMIN_POOL_PW));
-            }
-            else
-            {
-                adminPw = Config.getProperty(LDAP_ADMIN_POOL_PW);
-            }
-
-            // Default ldap version to v3:
-            ldapRevision = Config.getInt(LDAP_VERSION, 3);
-            // Default 10 seconds for client wait on new connection requests from pool:
-            connectionTimeout = Config.getInt(LDAP_CONNECTION_TIMEOUT, 10000);
-            createAdminPool();
-        }
-
-        // If we can't initialize the connection pools we're dead in the water.
-        catch (com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException le)
-        {
-            String error = " Static Initializer Block caught com.unboundid.ldap.sdk.migrate.ldapjdk.LdapException=" + le;
-            LOG.error( error );
-        }
-        catch (Exception e)
-        {
-            String error = " Static Initializer Block caught java.lang.Exception=" + e;
-            LOG.error( error );
-        }
-    }
-
-
-    /**
-     * Method performs an LDAP bind for a user/password combination.  This function is valid
-     * if and only if the user entity is a member of the USERS data set.  The LDAP directory
-     * will return the OpenLDAP PW Policy control.
-     *
-     * @param ld       connection to ldap server.
-     * @param userId   contains the LDAP dn to the user entry.
-     * @param password contains the password in clear text.
-     * @return boolean value - true if bind successful, false otherwise.
-     * @throws LDAPException in the event of LDAP error.
-     */
-    static boolean bind(LDAPConnection ld, String userId, char[] password)
-        throws LDAPException
-    {
-        return bindUser(userId, password, ld);
-    }
-
-    /**
-     * Close the LDAP connection.
-     *
-     * @param ld   handle to ldap connection object.
-     * @param type specifies the type of connection - ADMIN, USER Or LOG.
-     */
-    static void closeConnection(LDAPConnection ld, ConnType type)
-    {
-        switch (type)
-        {
-            case ADMIN:
-                if (ld != null)
-                {
-                    connPool[ADMIN].close(ld);
-                }
-                break;
-
-            case USER:
-                if (ld != null)
-                {
-                    connPool[USER].close(ld);
-                }
-                break;
-
-            case LOG:
-                if (ld != null)
-                {
-                    connPool[AUDIT].close( ld );
-                }
-                break;
-        }
-    }
-
-    /**
-     * Get a connection to the LDAP server.
-     *
-     * @param type type specifies the type of connection - ADMIN, USER Or LOG.
-     * @return ldap connection.
-     * @throws LDAPException
-     */
-    static LDAPConnection getConnection(ConnType type)
-        throws LDAPException
-    {
-        LDAPConnection ld = null;
-        ConnectionPool cp = null;
-        Object lockObj = null;
-        String szType = null;
-        switch (type)
-        {
-            case ADMIN:
-                cp = connPool[ADMIN];
-                lockObj = adminSynchLock;
-                szType = "ADMIN";
-                break;
-
-            case USER:
-                cp = connPool[USER];
-                lockObj = userSynchLock;
-                szType = "USER";
-                break;
-
-            case LOG:
-                cp = connPool[AUDIT];
-                lockObj = logSynchLock;
-                szType = "LOG";
-                break;
-        }
-        try
-        {
-            synchronized (lockObj)
-            {
-                // check the connection pool reference
-                if (cp == null)
-                {
-                    String info = "getConnection " + szType + " initializing pool";
-                    LOG.info( info );
-                    cp = recoverPool(type);
-                }
-                if (connectionTimeout > 0)
-                {
-                    ld = cp.getConnection(connectionTimeout);
-                }
-                else
-                {
-                    ld = cp.getConnection();
-                }
-                // Did the pool object return a null value?
-                if (ld == null)
-                {
-                    String MSG_HDR = "getConnection " + szType;
-                    String warning = MSG_HDR + " detected null connection";
-                    LOG.warn( warning );
-                    // Is the canary is still alive?
-                    // todo: recheck this sequence, make sure still good.
-                    if (!checkConnection(type))
-                    {
-                        warning += szType + " attempt to recover pool";
-                        LOG.warn( warning );
-                        cp = recoverPool(type);
-                        ld = cp.getConnection();
-                        if (ld == null || !ld.isConnected())
-                        {
-                            // Give up:
-                            String error = MSG_HDR + " could not recover";
-                            LOG.error( error );
-                            throw new LDAPException(error, LDAPException.LDAP_TIMEOUT);
-                        }
-                    }
-                    // todo: think about this scenario some more.  should it attempt recovery of pool here?
-                    else
-                    {
-                        // Cannot establish a good connection, give up:
-                        String error = MSG_HDR + " could not retrieve connection";
-                        LOG.error( error );
-                        throw new LDAPException(error, LDAPException.CONNECT_ERROR);
-                    }
-                }
-                // Did the pool object return a bad connection?
-                else if (!ld.isConnected())
-                {
-                    String MSG_HDR = "getConnection " + szType;
-                    String warning = MSG_HDR + " detected bad connection, retry";
-                    LOG.warn( warning );
-                    // attempt to reconnect:
-                    ld.connect(Config.getProperty(LDAP_HOST, "localhost"), Config.getInt(LDAP_PORT, 389));
-                    // if admin connection type must bind here using stored creds:
-                    if(type.equals(ConnType.ADMIN))
-                    {
-                        ld.bind(ldapRevision, adminUserId, adminPw);
-                    }
-                    // Did the reconnect succeed?
-                    if (!ld.isConnected())
-                    {
-                        warning += szType + " cannot reconnect, attempt pool recovery";
-                        LOG.warn( warning );
-                        // Try one last ditch effort to recover entire pool.
-                        cp = recoverPool(type);
-                        ld = cp.getConnection();
-                        // Still bad?
-                        if (ld == null || !ld.isConnected())
-                        {
-                            // Give up:
-                            String error = MSG_HDR + " recovery failed";
-                            LOG.error( error );
-                            throw new LDAPException(error, LDAPException.SERVER_DOWN);
-                        }
-                    }
-                }
-            }
-        }
-        catch (LDAPException e)
-        {
-            String MSG_HDR = "getConnection " + szType;
-            String warning = MSG_HDR + " detected bad connection, retry caught LDAPException=" + e;
-            LOG.warn( warning );
-            // Todo: Test these scenarios:
-            // Did the pool object return a null value or bad conn?
-            if (ld != null && !ld.isConnected()
-                // Make sure this ldap exception wasn't thrown directly above:
-                && e.getLDAPResultCode() != LDAPException.SERVER_DOWN
-                && e.getLDAPResultCode() != LDAPException.CONNECT_ERROR
-                && e.getLDAPResultCode() != LDAPException.LDAP_TIMEOUT)
-            {
-                warning += " attempt to reconnect";
-                LOG.warn( warning );
-                // attempt reconnect:
-                ld.connect(Config.getProperty(LDAP_HOST, "localhost"), Config.getInt(LDAP_PORT, 389));
-                // if admin connection type must bind here using stored creds:
-                if(type.equals(ConnType.ADMIN))
-                {
-                    ld.bind(ldapRevision, adminUserId, adminPw);
-                }
-                // Did it work?
-                if (!ld.isConnected())
-                {
-                    // Give up:
-                    warning = MSG_HDR + " failed to reconnect";
-                    LOG.error( warning );
-                    throw e;
-                }
-            }
-            else
-            {
-                // Give up
-                warning = MSG_HDR + " failed";
-                LOG.error( warning );
-                throw e;
-            }
-        }
-        return ld;
-    }
-
-
-    /**
-     * Internal function is used to create a new pool of admin connections to ldap server.
-     *
-     * @throws LDAPException
-     */
-    private static void createAdminPool()
-        throws LDAPException
-    {
-        String adminUserId = Config.getProperty(LDAP_ADMIN_POOL_UID);
-        String adminPw;
-        if(EncryptUtil.isEnabled())
-        {
-            adminPw = EncryptUtil.decrypt(Config.getProperty(LDAP_ADMIN_POOL_PW));
-        }
-        else
-        {
-            adminPw = Config.getProperty(LDAP_ADMIN_POOL_PW);
-        }
-
-        String host = Config.getProperty(LDAP_HOST, "localhost");
-        int port = Config.getInt(LDAP_PORT, 389);
-        int min = Config.getInt(LDAP_ADMIN_POOL_MIN, 1);
-        int max = Config.getInt(LDAP_ADMIN_POOL_MAX, 10);
-        LOG.info( "createAdminPool min [" + min + "] max [" + max + "] host [" + host + "] port [" + port
-            + "]" );
-        testAdminConn = new LDAPConnection();
-        connPool[ADMIN] = new ConnectionPool(min, max, host, port, adminUserId, adminPw);
-        if (isDebugEnabled)
-        {
-            connPool[ADMIN].setDebug(true);
-        }
-    }
-
-
-    /**
-     * Internal function is used to create a new pool of user connections to ldap server.
-     *
-     * @throws LDAPException
-     */
-    private static void createUserPool()
-        throws LDAPException
-    {
-        String host = Config.getProperty(LDAP_HOST, "localhost");
-        int port = Config.getInt(LDAP_PORT, 389);
-        int min = Config.getInt(LDAP_USER_POOL_MIN, 1);
-        int max = Config.getInt(LDAP_USER_POOL_MAX, 5);
-        String adminUserId = Config.getProperty(LDAP_ADMIN_POOL_UID);
-        String adminPw;
-        if(EncryptUtil.isEnabled())
-        {
-            adminPw = EncryptUtil.decrypt(Config.getProperty(LDAP_ADMIN_POOL_PW));
-        }
-        else
-        {
-            adminPw = Config.getProperty(LDAP_ADMIN_POOL_PW);
-        }
-
-        LOG.info( "createUserPool min [" + min + "] max [" + max + "] host [" + host + "] port [" + port + "]" );
-        connPool[USER] = new ConnectionPool(min, max, host, port, adminUserId, adminPw);
-        if (isDebugEnabled)
-        {
-            connPool[USER].setDebug(true);
-        }
-    }
-
-    /**
-     * Internal function is used to create a new pool of slapd log connections to ldap server.
-     *
-     * @throws LDAPException
-     */
-    private static void createLogPool()
-        throws LDAPException
-    {
-        String logUserId = Config.getProperty(LDAP_LOG_POOL_UID);
-        String logUserPw;
-        if(EncryptUtil.isEnabled())
-        {
-            logUserPw = EncryptUtil.decrypt(Config.getProperty(LDAP_LOG_POOL_PW));
-        }
-        else
-        {
-            logUserPw = Config.getProperty(LDAP_LOG_POOL_PW);
-        }
-
-        String host = Config.getProperty(LDAP_HOST, "localhost");
-        int port = Config.getInt(LDAP_PORT, 389);
-        int min = Config.getInt(LDAP_LOG_POOL_MIN, 1);
-        int max = Config.getInt(LDAP_LOG_POOL_MAX, 5);
-        LOG.info( "createLogPool min [" + min + "] max [" + max + "] host [" + host + "] port [" + port + "]" );
-        connPool[AUDIT] = new ConnectionPool(min, max, host, port, logUserId, logUserPw);
-        if (isDebugEnabled)
-        {
-            connPool[AUDIT].setDebug( true );
-        }
-    }
-
-    /**
-     * Method is used to perform a bind operation on the given connection object.  Connection will contain the
-     * password policy control.
-     *
-     * @param userId   contains the LDAP dn to the user entry.
-     * @param password contains the password in clear text.
-     * @param ld       contains a valid ldap connection.
-     * @return boolean value - true if bind successful, false otherwise.
-     * @throws LDAPException in the event of LDAP error.
-     */
-    private static boolean bindUser(String userId, char[] password, LDAPConnection ld)
-        throws LDAPException
-    {
-        boolean result;
-        if (ld == null)
-        {
-            String error = "bindUser detected null ldap connection";
-            LOG.error( error );
-            throw new LDAPException(error, LDAPException.CONNECT_ERROR);
-        }
-        if (GlobalIds.IS_OPENLDAP)
-        {
-            LDAPConstraints lCon = new LDAPConstraints();
-            lCon.setServerControls(pwPolicyControl);
-            ld.authenticate(ldapRevision, userId, new String(password), lCon);
-            result = true;
-        }
-        else
-        {
-            ld.authenticate(ldapRevision, userId, new String(password));
-            result = true;
-        }
-        return result;
-    }
-
-    /**
-     * This method will recover a connection pool in the event the connections become stale due to some network
-     * or system issue.
-     *
-     * @param type contains connection type of request.
-     * @return ConnectionPool reference to newly created connection pool.
-     * @throws LDAPException in the event of ldap system error or the routine fails to reestablish the pool successfully.
-     */
-    private static ConnectionPool recoverPool(ConnType type) throws LDAPException
-    {
-        ConnectionPool cp = null;
-        switch (type)
-        {
-            case ADMIN:
-                if (connPool[ADMIN] != null)
-                {
-                    connPool[ADMIN].destroy();
-                }
-                createAdminPool();
-                if (connPool[ADMIN] == null)
-                {
-                    String error = "recoverPool LDAP_ADMIN_POOL_UID failed";
-                    LOG.error(error);
-                    throw new LDAPException(error, LDAPException.CONNECT_ERROR);
-                }
-                cp = connPool[ADMIN];
-                break;
-
-            case USER:
-                if (connPool[USER] != null)
-                {
-                    connPool[USER].destroy();
-                }
-                createUserPool();
-                if (connPool[USER] == null)
-                {
-                    String error = "recoverPool USER failed";
-                    LOG.error(error);
-                    throw new LDAPException(error, LDAPException.CONNECT_ERROR);
-                }
-                cp = connPool[USER];
-                break;
-            case LOG:
-                if (connPool[AUDIT] != null)
-                {
-                    connPool[AUDIT].destroy();
-                }
-                createLogPool();
-                if (connPool[AUDIT] == null)
-                {
-                    String error = "recoverPool LOG failed";
-                    LOG.error(error);
-                    throw new LDAPException(error, LDAPException.CONNECT_ERROR);
-                }
-                cp = connPool[AUDIT];
-                break;
-        }
-        return cp;
-    }
-
-    /**
-     * System health method will determine the integrity of a given connection associated with a specified pool is good.
-     *
-     * @param type specifies the type of connection - ADMIN, USER Or LOG.
-     * @return true if connection is good, false otherwise.
-     * @throws LDAPException in the event of ldap error.
-     */
-    private static boolean checkConnection(ConnType type)
-        throws LDAPException
-    {
-        boolean rc = false;
-        LDAPConnection conn = null;
-        String szType = null;
-        switch (type)
-        {
-            case ADMIN:
-                conn = testAdminConn;
-                szType = "LDAP_ADMIN_POOL_UID";
-                break;
-            case USER:
-                conn = testUConn;
-                szType = "USER";
-                break;
-            case LOG:
-                conn = testLConn;
-                szType = "LOG";
-                break;
-        }
-        String info = "checkConnection is checking " + szType + " Connection";
-        LOG.info( info );
-        if (conn != null)
-        {
-            if (conn.isConnected())
-            {
-                LOG.debug( "checkConnection for type: {}, is good", szType );
-                rc = true;
-            }
-            else
-            {
-                info = "checkConnection -  " + szType + " connection bad";
-                LOG.info( info );
-                conn.reconnect();
-                if (conn.isConnected())
-                {
-                    info = "checkConnection -  " + szType + " connection reestablished";
-                    LOG.info( info );
-                    rc = true;
-                }
-            }
-        }
-        info = "checkConnetion status code=" + rc;
-        LOG.info( info );
-        return rc;
-    }
-}
\ No newline at end of file


[05/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AdminRoleDAO.java
deleted file mode 100755
index db33695..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AdminRoleDAO.java
+++ /dev/null
@@ -1,656 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.AdminRoleP;
-import org.apache.directory.fortress.core.rbac.AdminRoleUtil;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link AdminRole}.
- * <p/>
- * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
- * <li> <code>NAME 'ftPools'</code>
- * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class AdminRoleDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO
-{
-    private static final String ROLE_OCCUPANT = "roleOccupant";
-    private static final String ROLE_OSP = "ftOSP";
-    private static final String ROLE_OSU = "ftOSU";
-    private static final String ROLE_RANGE = "ftRange";
-    private static final String POOLS_AUX_OBJECT_CLASS_NAME = "ftPools";
-    private static final String ADMIN_ROLE_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            GlobalIds.ROLE_OBJECT_CLASS_NM,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            POOLS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-    private static final String ROLE_NM = "ftRoleName";
-    private static final String[] ROLE_NM_ATR =
-        {
-            ROLE_NM
-    };
-
-    private static final String[] ROLE_ATRS =
-        {
-            GlobalIds.FT_IID,
-            ROLE_NM,
-            GlobalIds.DESC,
-            GlobalIds.CONSTRAINT,
-            ROLE_OCCUPANT,
-            ROLE_OSP,
-            ROLE_OSU,
-            ROLE_RANGE,
-            GlobalIds.PARENT_NODES
-    };
-
-
-    /**
-     * Create a new AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
-     */
-    public final AdminRole create( AdminRole entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, ADMIN_ROLE_OBJ_CLASS ) );
-            entity.setId();
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getId() ) );
-            attrs.add( createAttribute( ROLE_NM, entity.getName() ) );
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-            // CN attribute is required for this object class:
-            attrs.add( createAttribute( GlobalIds.CN, entity.getName() ) );
-            attrs.add( createAttribute( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ) );
-            loadAttrs( entity.getOsP(), attrs, ROLE_OSP );
-            loadAttrs( entity.getOsU(), attrs, ROLE_OSU );
-            String szRaw = entity.getRoleRangeRaw();
-            if ( VUtil.isNotNullOrEmpty( szRaw ) )
-            {
-                attrs.add( createAttribute( ROLE_RANGE, szRaw ) );
-            }
-            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getParents(), attrs, GlobalIds.PARENT_NODES );
-
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create role [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.ARLE_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole update( AdminRole entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC, entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getOccupants() ) )
-            {
-                for ( String name : entity.getOccupants() )
-                {
-                    LDAPAttribute occupant = new LDAPAttribute( ROLE_OCCUPANT, name );
-                    mods.add( LDAPModification.REPLACE, occupant );
-                }
-            }
-            if ( entity.isTemporalSet() )
-            {
-                String szRawData = CUtil.setConstraint( entity );
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    LDAPAttribute constraint = new LDAPAttribute( GlobalIds.CONSTRAINT, szRawData );
-                    mods.add( LDAPModification.REPLACE, constraint );
-                }
-            }
-            loadAttrs( entity.getOsU(), mods, ROLE_OSU );
-            loadAttrs( entity.getOsP(), mods, ROLE_OSP );
-            String szRaw = entity.getRoleRangeRaw();
-            if ( VUtil.isNotNullOrEmpty( szRaw ) )
-            {
-                LDAPAttribute raw = new LDAPAttribute( ROLE_RANGE, szRaw );
-                mods.add( LDAPModification.REPLACE, raw );
-            }
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    public final void deleteParent( AdminRole entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( GlobalIds.PARENT_NODES );
-            mods.add( LDAPModification.DELETE, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deleteParent name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_REMOVE_PARENT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will add the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being assigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole assign( AdminRole entity, String userDn )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( ROLE_OCCUPANT, userDn );
-            mods.add( LDAPModification.ADD, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_ASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * This method will remove the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being deassigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    public final AdminRole deassign( AdminRole entity, String userDn )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( ROLE_OCCUPANT, userDn );
-            mods.add( LDAPModification.DELETE, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_DEASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
-     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param role record contains {@link AdminRole#name}.
-     * @throws RemoveException in the event LDAP errors occur.
-     */
-    public final void remove( AdminRole role )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( role );
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, role );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove role name=" + role.getName() + " LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new RemoveException( GlobalErrIds.ARLE_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
-     *
-     * @param adminRole maps to {@link AdminRole#name}.
-     * @return AdminRole back to client.
-     * @throws FinderException in the event LDAP errors occur.
-     */
-    public final AdminRole getRole( AdminRole adminRole )
-        throws FinderException
-    {
-        AdminRole entity = null;
-        LDAPConnection ld = null;
-        String dn = getDn( adminRole );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, ROLE_ATRS );
-            entity = unloadLdapEntry( findEntry, 0, adminRole.getContextId() );
-            if ( entity == null )
-            {
-                String warning = "getRole name [" + adminRole.getName() + "] no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getRole name [" + adminRole.getName() + "] Obj COULD NOT FIND ENTRY for dn [" + dn
-                    + "]";
-                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
-            }
-            String error = "getRole dn [" + dn + "] LEXCD=" + e.getLDAPResultCode() + " LEXMSG=" + e;
-            throw new FinderException( GlobalErrIds.ARLE_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param adminRole
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<AdminRole> findRoles( AdminRole adminRole )
-        throws FinderException
-    {
-        List<AdminRole> roleList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-        try
-        {
-            String searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                roleList.add( unloadLdapEntry( searchResults.next(), sequence++, adminRole.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findRoles name [" + adminRole.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleList;
-    }
-
-
-    /**
-     * @param adminRole
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> findRoles( AdminRole adminRole, int limit )
-        throws FinderException
-    {
-        List<String> roleList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-        String searchVal = null;
-        try
-        {
-            searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
-            while ( searchResults.hasMoreElements() )
-            {
-                LDAPEntry entry = searchResults.next();
-                roleList.add( getAttribute( entry, ROLE_NM ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findRoles name [" + searchVal + "] caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleList;
-    }
-
-
-    /**
-     * @param userDn
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findAssignedRoles( String userDn, String contextId )
-        throws FinderException
-    {
-        List<String> roleNameList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
-            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
-            while ( searchResults.hasMoreElements() )
-            {
-                roleNameList.add( getAttribute( searchResults.next(), ROLE_NM ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleNameList;
-    }
-
-
-    /**
-      *
-      * @param contextId
-      * @return
-      * @throws FinderException
-      */
-    public final List<Graphable> getAllDescendants( String contextId )
-        throws FinderException
-    {
-        String[] DESC_ATRS =
-            { ROLE_NM, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-        String filter = null;
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                descendants.add( unloadDescendants( searchResults.next(), sequence++, contextId ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return descendants;
-    }
-
-
-    /**
-    *
-    * @param le
-    * @param sequence
-    * @param contextId
-    * @return
-    * @throws LDAPException
-    */
-    private Graphable unloadDescendants( LDAPEntry le, long sequence, String contextId )
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LDAPException
-     */
-    private AdminRole unloadLdapEntry( LDAPEntry le, long sequence, String contextId )
-    {
-        AdminRole entity = new ObjectFactory().createAdminRole();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
-        entity.setOsP( getAttributeSet( le, ROLE_OSP ) );
-        entity.setOsU( getAttributeSet( le, ROLE_OSU ) );
-        unloadTemporal( le, entity );
-        entity.setRoleRangeRaw( getAttribute( le, ROLE_RANGE ) );
-        //entity.setParents(AdminRoleUtil.getParents(entity.getName().toUpperCase(), contextId));
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        entity.setChildren( AdminRoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        return entity;
-    }
-
-
-    private String getDn( AdminRole adminRole )
-    {
-        return GlobalIds.CN + "=" + adminRole.getName() + ","
-            + getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-    }
-
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AuditDAO.java
deleted file mode 100755
index ea7e16c..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/AuditDAO.java
+++ /dev/null
@@ -1,835 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.AuthZ;
-import org.apache.directory.fortress.core.rbac.Bind;
-import org.apache.directory.fortress.core.rbac.Mod;
-import org.apache.directory.fortress.core.rbac.UserAudit;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * This class performs data access for OpenLDAP synch repl log data
- * <p/>
- * <h3>1. Binds</h3>
- * <p/>
- * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
- * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
- * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
- * <code># which contains the Bind Method used in the Bind. This will be the string</code>
- * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
- * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
- * <code># the current database will be logged:</code>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
- * <li> <code>DESC 'Bind operation'</code>
- * <li> <code>SUP auditObject STRUCTURAL</code>
- * <li> <code>MUST ( reqVersion $ reqMethod ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <h3>2. Authorizations</h3>
- * <code>For  the  Search class the reqScope attribute contains the scope of the</code><br />
- * <code>original search request, using the values specified for  the  LDAP  URL</code><br />
- * <code>format. I.e.  base, one, sub, or subord.  The reqDerefAliases attribute</code><br />
- * <code>is one of never, finding, searching, or always,  denoting  how  aliases</code><br />
- * <code>will  be  processed during the search.  The reqAttrsOnly attribute is a</code><br />
- * <code>Boolean value showing TRUE if only attribute names were  requested,  or</code><br />
- * <code>FALSE  if  attributes  and  their values were requested.  The reqFilter</code><br />
- * <code>attribute carries the filter used in the search request.   The  reqAttr</code><br />
- * <code>attribute  lists  the  requested attributes if specific attributes were</code><br />
- * <code>requested.  The reqEntries attribute is the integer count of  how  many</code><br />
- * <code>entries  were  returned  by  this search request.  The reqSizeLimit and</code><br />
- * <code>reqTimeLimit attributes indicate what  limits  were  requested  on  the</code><br />
- * <code>search operation.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass  (  1.3.6.1.4.1.4203.666.11.5.2.11</code>
- * <li> <code>NAME 'auditSearch'</code>
- * <li> <code>DESC 'Search operation'</code>
- * <li> <code>SUP auditReadObject STRUCTURAL</code>
- * <li> <code>MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )</code>
- * <li> <code>MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $</code>
- * <li> <code>reqTimeLimit ) )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * <p/>
- * <h3>3. Modifications</h3>
- * The auditModify Structural object class is used to store Fortress update and delete events that can later be queried via ldap API.<br />
- * The deletions can be recorded in this manner and associated with Fortress context because deletions will perform a modification first
- * if audit is enabled.
- * <p/>
- * <code>The Modify operation contains a description  of  modifications  in  the</code><br />
- * <code>reqMod  attribute,  which  was  already  described  above  in  the  Add</code><br />
- * <code>operation. It may optionally  contain  the  previous  contents  of  any</code><br />
- * <code>modified  attributes  in the reqOld attribute, using the same format as</code><br />
- * <code>described above for the Delete operation.  The reqOld attribute is only</code><br />
- * <code>populated  if  the  entry  being modified matches the configured logold</code><br />
- * <code>filter.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.9</code>
- * <li> <code>NAME 'auditModify'</code>
- * <li> <code>DESC 'Modify operation'</code>
- * <li> <code>SUP auditWriteObject STRUCTURAL</code>
- * <li> <code>MAY reqOld MUST reqMod )</code>
- * <li> ------------------------------------------
- * </ul>
- * <p/>
- * Note this class used descriptions pulled from man pages on slapd access log.
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class AuditDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.AuditDAO
-{
-    private static final String CREATETIMESTAMP = "createTimestamp";
-    private static final String CREATORSNAME = "creatorsName";
-    private static final String ENTRYCSN = "entryCSN";
-    private static final String ENTRYDN = "entryDN";
-    private static final String ENTRYUUID = "entryUUID";
-    private static final String HASSUBORDINATES = "hasSubordinates";
-    private static final String MODIFIERSNAME = "modifiersName";
-    private static final String MODIFYTIMESTAMP = "modifyTimestamp";
-    private static final String OBJECTCLASS = "objectClass";
-    private static final String REQUAUTHZID = "reqAuthzID";
-    private static final String REQCONTROLS = "reqControls";
-    private static final String REQDN = "reqDN";
-    private static final String REQEND = "reqEnd";
-    private static final String REQMETHOD = "reqMethod";
-    private static final String REQRESULT = "reqResult";
-    private static final String REQSESSION = "reqSession";
-    private static final String REQSTART = "reqStart";
-    private static final String REQTYPE = "reqType";
-    private static final String REQVERSION = "reqVersion";
-    private static final String REQMOD = "reqMod";
-    private static final String STRUCTURALOBJECTCLASS = "structuralObjectClass";
-    private static final String SUBSCHEMAENTRY = "subschemaSubentry";
-    private static final String REQATTR = "reqAttr";
-    private static final String REQATTRSONLY = "reqAttrsOnly";
-    private static final String REQDREFALIASES = "reqDerefAliases";
-    private static final String REQENTRIES = "reqEntries";
-    private static final String REQFILTER = "reqFilter";
-    private static final String REQSCOPE = "reqScope";
-    private static final String REQSIZELIMIT = "reqSizeLimit";
-    private static final String REQTIMELIMIT = "reqTimeLimit";
-    private static final String REQASSERTION = "reqAssertion";
-    private static final String ACCESS_BIND_CLASS_NM = "auditBind";
-    //private static final String ACCESS_AUTHZ_CLASS_NM = "auditSearch";
-    private static final String ACCESS_AUTHZ_CLASS_NM = "auditCompare";
-    private static final String ACCESS_MOD_CLASS_NM = "auditModify";
-    private static final String ACCESS_ADD_CLASS_NM = "auditAdd";
-    private static final String AUDIT_ROOT = "audit.root";
-
-    private static final String[] AUDIT_AUTHZ_ATRS =
-        {
-            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
-            MODIFYTIMESTAMP, OBJECTCLASS, REQATTR, REQATTRSONLY, REQUAUTHZID, REQCONTROLS, REQDN, REQDREFALIASES,
-            REQEND, REQENTRIES, REQFILTER, REQRESULT, REQSCOPE, REQSESSION, REQSIZELIMIT, REQSTART, REQTIMELIMIT,
-            REQTYPE, REQASSERTION, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
-    };
-
-    private static final String[] AUDIT_BIND_ATRS =
-        {
-            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
-            MODIFYTIMESTAMP, OBJECTCLASS, REQUAUTHZID, REQCONTROLS, REQDN, REQEND, REQMETHOD, REQRESULT,
-            REQSESSION, REQSTART, REQTYPE, REQVERSION, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
-    };
-
-    private static final String[] AUDIT_MOD_ATRS =
-        {
-            OBJECTCLASS, REQUAUTHZID, REQDN, REQEND, REQRESULT, REQSESSION, REQSTART, REQTYPE, REQMOD
-    };
-
-
-    /**
-     * This method returns failed authentications where the userid is not present in the directory.  This
-     * is possible because Fortress performs read on user before the bind.
-     * User:
-     * dn: reqStart=20101014235402.000000Z, cn=log
-     * reqStart: 20101014235402.000000Z
-     * reqEnd: 20101014235402.000001Z
-     * reqAuthzID: cn=Manager,dc=jts,dc=com
-     * reqDerefAliases: never
-     * reqSession: 84
-     * reqAttrsOnly: FALSE
-     * reqSizeLimit: -1
-     * objectClass: auditSearch
-     * reqResult: 32
-     * reqAttr: ftId
-     * reqAttr: uid
-     * reqAttr: userpassword
-     * reqAttr: description
-     * reqAttr: ou
-     * reqAttr: cn
-     * reqAttr: sn
-     * reqAttr: ftRoleCstr
-     * reqAttr: ftCstr
-     * reqAttr: ftRoleAsgn
-     * reqAttr: pwdReset
-     * reqAttr: pwdAccountLockedTime
-     * reqAttr: ftProps
-     * reqEntries: 0
-     * reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
-     * reqType: search
-     * reqDN: uid=foo,ou=People,dc=jts,dc=com        /cal/cal2.jsp
-     * reqTimeLimit: -1
-     * reqScope: base
-     *
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> searchInvalidAuthNs( UserAudit audit )
-        throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = Config.getProperty( GlobalIds.USER_ROOT );
-        try
-        {
-            // use wildcard for user if not passed in:
-            //reqDN: uid=foo,ou=People,dc=jts,dc=com
-            //(&
-            //  (objectclass=auditSearch)
-            //      (reqDN=uid=*,ou=People,dc=jts,dc=com)
-            //      (reqAuthzID=cn=Manager,dc=jts,dc=com)
-            //      (reqEntries=0)
-            // )
-
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
-            String userId;
-            if ( VUtil.isNotNullOrEmpty( audit.getUserId() ) )
-            {
-                userId = audit.getUserId();
-                filter += REQDN + "=" + GlobalIds.UID + "=" + userId + "," + userRoot + ")(" +
-                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
-            }
-            else
-            {
-                // pull back all failed authN attempts for all users:
-                filter += REQATTR + "=" + GlobalIds.UID + ")(" +
-                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
-            }
-
-            if ( audit.isFailedOnly() )
-            {
-                filter += "(" + REQENTRIES + "=" + 0 + ")";
-            }
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-            filter += ")";
-
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                AuthZ authZ = getAuthzEntityFromLdapEntry( searchResults.next(), sequence++ );
-                // todo: fix this workaround. This search will return failed role assign searches as well.  
-                // Work around is to remove the ou=People failed searches from user failed searches on authN.
-                if ( !AttrHelper.getAuthZId( authZ.getReqDN() ).equalsIgnoreCase( "People" ) )
-                    auditList.add( authZ );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "LDAPException in AuditDAO.searchAuthZs id=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> searchAuthZs( UserAudit audit )
-        throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String permRoot = getRootDn( audit.isAdmin(), audit.getContextId() );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-        try
-        {
-            String reqDn = PermDAO.getOpRdn( audit.getOpName(), audit.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-                + audit.getObjName() + "," + permRoot;
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" +
-                reqDn + ")(" + REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-/*
-            todo: fixme (can't search on reqAssertion attribute):
-            if ( audit.isFailedOnly() )
-            {
-                //filter += "(!(" + REQRESULT + "=" + 6 + "))";
-                filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
-            }
-*/
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-            filter += ")";
-
-            //System.out.println("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                auditList.add( getAuthzEntityFromLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "LDAPException in AuditDAO.searchAuthZs id=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return auditList;
-    }
-
-
-    private String getRootDn( boolean isAdmin, String contextId )
-    {
-        String dn;
-        if ( isAdmin )
-        {
-            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
-        }
-        else
-        {
-            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
-        }
-        return dn;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<AuthZ> getAllAuthZs( UserAudit audit )
-        throws FinderException
-    {
-        List<AuthZ> auditList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
-            if (VUtil.isNotNullOrEmpty( audit.getUserId() ) )
-            {
-                filter += REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-            }
-            else
-            {
-                // have to limit the query to only authorization entries.
-                // TODO: determine why the cn=Manager user is showing up in this search:
-                filter += REQUAUTHZID + "=*)(!(" + REQUAUTHZID + "=cn=Manager," + Config.getProperty(GlobalIds.SUFFIX) + "))";
-            }
-            //if( VUtil.isNotNullOrEmpty( audit.getObjName() ) && VUtil.isNotNullOrEmpty( audit.getOpName() ) )
-            if( VUtil.isNotNullOrEmpty( audit.getDn() ) )
-            {
-                //filter += "(" + REQDN + "=" + GlobalIds.POP_NAME + "=" + audit.getOpName() + "," + GlobalIds.POBJ_NAME + "=" + audit.getObjName() + ",*)";
-                filter += "(" + REQDN + "=" + audit.getDn() + ")";
-            }
-/*
-            todo: fixme (can't search on reqAssertion attribute):
-            if (audit.isFailedOnly())
-            {
-                //filter += "(!(" + REQRESULT + "=" + 6 + "))";
-                filter += "(" + REQASSERTION + "=" + GlobalIds.AUTH_Z_FAILED_VALUE + ")";
-            }
-*/
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-            if (audit.getEndDate() != null)
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime(audit.getEndDate());
-                filter += "(" + REQEND + "<=" + szTime + ")";
-            }
-            filter += ")";
-
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                auditList.add( getAuthzEntityFromLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "LDAPException in AuditDAO.getAllAuthZs id=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Bind> searchBinds( UserAudit audit )
-        throws FinderException
-    {
-        List<Bind> auditList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter;
-            if ( audit.getUserId() != null && audit.getUserId().length() > 0 )
-            {
-                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")(" +
-                    REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-                if ( audit.isFailedOnly() )
-                {
-                    filter += "(" + REQRESULT + ">=" + 1 + ")";
-                }
-                if ( audit.getBeginDate() != null )
-                {
-                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                    filter += "(" + REQEND + ">=" + szTime + ")";
-                }
-                filter += ")";
-            }
-            else
-            {
-                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")";
-                if ( audit.isFailedOnly() )
-                {
-                    filter += "(" + REQRESULT + ">=" + 1 + ")";
-                }
-                if ( audit.getBeginDate() != null )
-                {
-                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                    filter += "(" + REQEND + ">=" + szTime + ")";
-                }
-                filter += ")";
-            }
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_BIND_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                auditList.add( getBindEntityFromLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "LDAPException in AuditDAO.searchBinds id=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_BIND_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return auditList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Mod> searchUserMods( UserAudit audit )
-        throws FinderException
-    {
-        List<Mod> modList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-
-        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + ACCESS_MOD_CLASS_NM + ")(" +
-                REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-            filter += ")";
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                modList.add( getModEntityFromLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "searchUserMods caught LDAPException id=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return modList;
-    }
-
-
-    /**
-     * @param audit
-     * @return
-     * @throws FinderException
-     */
-    public final List<Mod> searchAdminMods( UserAudit audit )
-        throws FinderException
-    {
-        List<Mod> modList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String auditRoot = Config.getProperty( AUDIT_ROOT );
-
-        try
-        {
-            /*
-                # 20110117075053.000006Z, log
-                dn: reqStart=20110117075053.000006Z,cn=log
-                objectClass: auditModify
-                reqStart: 20110117075053.000006Z
-                reqEnd: 20110117075053.000007Z
-                reqType: modify
-                reqSession: 12
-                reqAuthzID: cn=Manager,dc=jts,dc=com
-                reqDN: ftObjId=004+ftOpNm=TOP2_4,ftObjNm=TOB2_3,ou=Permissions,ou=RBAC,dc=m
-                 ims,dc=com
-                reqResult: 0
-                reqMod: ftRoles:- ftT2ROLE5
-                reqMod: ftModifier:= -42f31b5d:12d92f18440:-7eb8
-                reqMod: ftModCode:= AdminMgrImpl.revokePermission
-                reqMod: ftModId:= -42f31b5d:12d92f18440:-6674
-                reqMod: entryCSN:= 20110117075053.093893Z#000000#000#000000
-                reqMod: modifiersName:= cn=Manager,dc=jts,dc=com
-                reqMod: modifyTimestamp:= 20110117075053Z
-
-                ldapsearch -x -D "cn=Manager,cn=log" -w secret -b 'cn=log' -s SUB -h localhost -p 389 '(&(objectclass=auditModify)(reqMod=ftModCode:= AdminMgrImpl.addDescendant)(reqMod=ftModifier:= -6a20c261:12d92e15581:-7eb8))'
-
-                # limit search by dn works:
-                ldapsearch -x -D "cn=Manager,cn=log" -w secret -b 'cn=log' -s SUB -h localhost -p 389 '(&(objectclass=auditModify)(reqDN=cn=Hierarchies,ou=Roles,ou=RBAC,dc=jts,dc=com))'
-
-                # wild card works on reqMod:
-                ldapsearch -x -D "cn=Manager,cn=log" -w secret -b 'cn=log' -s SUB -h localhost -p 389 '(&(objectclass=auditModify)(reqMod=ftModCode:= AdminMgrImpl.add*)(reqMod=ftModifier:= -6a20c261:12d92e15581:-7eb8))'
-
-             */
-            String filter = "(&(|(objectclass=" + ACCESS_MOD_CLASS_NM + ")";
-            filter += "(objectclass=" + ACCESS_ADD_CLASS_NM + "))";
-            if ( VUtil.isNotNullOrEmpty( audit.getDn() ) )
-            {
-                filter += "(" + REQDN + "=" + audit.getDn() + ")";
-            }
-            if ( VUtil.isNotNullOrEmpty( audit.getObjName() ) )
-            {
-                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":= " + audit.getObjName() + ".";
-                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
-                {
-                    filter += audit.getOpName();
-                }
-                filter += "*)";
-                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":+ " + audit.getObjName() + ".";
-                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
-                {
-                    filter += audit.getOpName();
-                }
-                filter += "*))";
-            }
-            if ( VUtil.isNotNullOrEmpty( audit.getInternalUserId() ) )
-            {
-                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":= " + audit.getInternalUserId() + ")";
-                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":+ " + audit.getInternalUserId() + "))";
-            }
-            if ( audit.getBeginDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
-                filter += "(" + REQEND + ">=" + szTime + ")";
-            }
-            if ( audit.getEndDate() != null )
-            {
-                String szTime = AttrHelper.encodeGeneralizedTime( audit.getEndDate() );
-                filter += "(" + REQEND + "<=" + szTime + ")";
-            }
-
-            filter += ")";
-            //log.warn("filter=" + filter);
-            ld = getLogConnection();
-            searchResults = search( ld, auditRoot,
-                LDAPConnection.SCOPE_ONE, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                modList.add( getModEntityFromLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "searchAdminMods caught LDAPException id=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.AUDT_MOD_ADMIN_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeLogConnection( ld );
-        }
-        return modList;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LDAPException
-     */
-    private Bind getBindEntityFromLdapEntry( LDAPEntry le, long sequence )
-    {
-
-        /*
-        public class Bind
-            private String createTimestamp;
-            private String creatorsName;
-            private String entryCSN;
-            private String entryDN;
-            private String entryUUID;
-            private String hasSubordinates;
-            private String modifiersName;
-            private String modifyTimestamp;
-            private String objectClass;
-            private String reqAuthzID;
-            private String reqControls;
-            private String reqDN;
-            private String reqEnd;
-            private String reqMethod;
-            private String reqResult;
-            private String reqSession;
-            private String reqStart;
-            private String reqType;
-            private String reqVersion;
-            private String structuralObjectClass;
-            */
-
-        Bind auditBind = new ObjectFactory().createBind();
-        auditBind.setSequenceId( sequence );
-        auditBind.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
-        auditBind.setCreatorsName( getAttribute( le, CREATORSNAME ) );
-        auditBind.setEntryCSN( getAttribute( le, ENTRYCSN ) );
-        auditBind.setEntryDN( getAttribute( le, ENTRYDN ) );
-        auditBind.setEntryUUID( getAttribute( le, ENTRYUUID ) );
-        auditBind.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
-        auditBind.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
-        auditBind.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
-        auditBind.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        auditBind.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        auditBind.setReqControls( getAttribute( le, REQCONTROLS ) );
-        auditBind.setReqDN( getAttribute( le, REQDN ) );
-        auditBind.setReqEnd( getAttribute( le, REQEND ) );
-        auditBind.setReqMethod( getAttribute( le, REQMETHOD ) );
-        auditBind.setReqResult( getAttribute( le, REQRESULT ) );
-        auditBind.setReqSession( getAttribute( le, REQSESSION ) );
-        auditBind.setReqStart( getAttribute( le, REQSTART ) );
-        auditBind.setReqType( getAttribute( le, REQTYPE ) );
-        auditBind.setReqVersion( getAttribute( le, REQVERSION ) );
-        auditBind.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
-        return auditBind;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LDAPException
-     */
-    private AuthZ getAuthzEntityFromLdapEntry( LDAPEntry le, long sequence )
-    {
-
-        /*
-        public class AuthZ
-        {
-            private String createTimestamp;
-            private String creatorsName;
-            private String entryCSN;
-            private String entryDN;
-            private String entryUUID;
-            private String hasSubordinates;
-            private String modifiersName;
-            private String modifyTimestamp;
-            private String objectClass;
-            private String reqAttr;
-            private String reqAttrsOnly;
-            private String reqAuthzID;
-            private String reqControls;
-            private String reqDN;
-            private String reqDerefAliases;
-            private String reqEnd;
-            private String reqEntries;
-            private String reqFilter;
-            private String reqResult;
-            private String reqScope;
-            private String reqSession;
-            private String reqSizeLimit;
-            private String reqStart;
-            private String reqTimeLimit;
-            private String reqType;
-            private String reqAssertion;
-            private String structuralObjectClass;
-            private String subschemaSubentry;
-        }*/
-        // these attrs also on audit bind OC:
-        AuthZ authZ = new ObjectFactory().createAuthZ();
-        authZ.setSequenceId( sequence );
-        authZ.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
-        authZ.setCreatorsName( getAttribute( le, CREATORSNAME ) );
-        authZ.setEntryCSN( getAttribute( le, ENTRYCSN ) );
-        authZ.setEntryDN( getAttribute( le, ENTRYDN ) );
-        authZ.setEntryUUID( getAttribute( le, ENTRYUUID ) );
-        authZ.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
-        authZ.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
-        authZ.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
-        authZ.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        authZ.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        authZ.setReqControls( getAttribute( le, REQCONTROLS ) );
-        authZ.setReqDN( getAttribute( le, REQDN ) );
-        authZ.setReqEnd( getAttribute( le, REQEND ) );
-        authZ.setReqResult( getAttribute( le, REQRESULT ) );
-        authZ.setReqSession( getAttribute( le, REQSESSION ) );
-        authZ.setReqStart( getAttribute( le, REQSTART ) );
-        authZ.setReqType( getAttribute( le, REQTYPE ) );
-        authZ.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
-
-        // these attrs only on audit search OC:
-        authZ.setReqAttr( getAttribute( le, REQATTR ) );
-        authZ.setReqAttrsOnly( getAttribute( le, REQATTRSONLY ) );
-        authZ.setReqDerefAliases( getAttribute( le, REQDREFALIASES ) );
-        authZ.setReqEntries( getAttribute( le, REQENTRIES ) );
-        authZ.setReqFilter( getAttribute( le, REQFILTER ) );
-        authZ.setReqScope( getAttribute( le, REQSCOPE ) );
-        authZ.setReqSizeLimit( getAttribute( le, REQSIZELIMIT ) );
-        authZ.setReqTimeLimit( getAttribute( le, REQTIMELIMIT ) );
-        authZ.setReqAssertion( getAttribute( le, REQASSERTION ) );
-        return authZ;
-    }
-
-
-    private Mod getModEntityFromLdapEntry( LDAPEntry le, long sequence )
-    {
-        /*
-        public class Mod
-        {
-            private String reqSession;
-            private String objectClass;
-            private String reqAuthzID;
-            private String reqDN;
-            private String reqResult;
-            private String reqStart;
-            private String reqEnd;
-            private String reqType;
-            private String[] reqMod;
-        }
-        */
-
-        Mod mod = new ObjectFactory().createMod();
-        mod.setSequenceId( sequence );
-        mod.setObjectClass( getAttribute( le, OBJECTCLASS ) );
-        mod.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
-        mod.setReqDN( getAttribute( le, REQDN ) );
-        mod.setReqEnd( getAttribute( le, REQEND ) );
-        mod.setReqResult( getAttribute( le, REQRESULT ) );
-        mod.setReqSession( getAttribute( le, REQSESSION ) );
-        mod.setReqStart( getAttribute( le, REQSTART ) );
-        mod.setReqType( getAttribute( le, REQTYPE ) );
-        mod.setReqMod( getAttributes( le, REQMOD ) );
-        return mod;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/OrgUnitDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/OrgUnitDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/OrgUnitDAO.java
deleted file mode 100755
index b0d66fc..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/OrgUnitDAO.java
+++ /dev/null
@@ -1,621 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PsoUtil;
-import org.apache.directory.fortress.core.rbac.UsoUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * This class provides dataaccess to the OrgUnit datasets in LDAP.
- * <p/>
- * The OrgUnitDAO maintains the following structural and aux object classes:
- * <h4>1. organizationalUnit Structural Object Class is used to store basic attributes like ou and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.5 NAME 'organizationalUnit'</code>
- * <li> <code>DESC 'RFC2256: an organizational unit'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST ou</code>
- * <li> <code>MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $</code>
- * <li> <code>x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $</code>
- * <li> <code>facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $</code>
- * <li> <code>postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftOrgUnit Structural objectclass is used to store the OrgUnit internal id</h4>
- * <ul>                                                              org.apache.directory.fortress.arbac.
- * <li>  ------------------------------------------
- * <li> <code> objectclass	( 1.3.6.1.4.1.38088.2.6</code>
- * <li> <code>NAME 'ftOrgUnit'</code>
- * <li> <code>DESC 'Fortress OrgUnit Class'</code>
- * <li> <code>SUP organizationalunit</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- * @created September 18, 2010
- */
-public final class OrgUnitDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO
-{
-    private static final String CLS_NM = OrgUnitDAO.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static final String ORGUNIT_OBJECT_CLASS_NM = "ftOrgUnit";
-
-    private static final String ORGUNIT_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, ORGUNIT_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-    private static final String[] ORGUNIT_ATRS =
-        {
-            GlobalIds.FT_IID, GlobalIds.OU, GlobalIds.DESC, GlobalIds.PARENT_NODES
-    };
-
-    private static final String[] ORGUNIT_ATR =
-        {
-            GlobalIds.OU
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final OrgUnit create( OrgUnit entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, ORGUNIT_OBJ_CLASS ) );
-            entity.setId();
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getId() ) );
-            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            // organizational name requires OU attribute:
-            attrs.add( createAttribute( GlobalIds.OU, entity.getName() ) );
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getParents(), attrs, GlobalIds.PARENT_NODES );
-
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LDAPException=" + e;
-            int errCode;
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_ADD_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_ADD_FAILED_USER;
-
-            }
-            throw new CreateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final OrgUnit update( OrgUnit entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC, entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LDAPException=" + e;
-            int errCode;
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_UPDATE_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_UPDATE_FAILED_USER;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void deleteParent( OrgUnit entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( GlobalIds.PARENT_NODES );
-            mods.add( LDAPModification.DELETE, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deleteParent orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LDAPException=" + e;
-            int errCode;
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_USER;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final OrgUnit remove( OrgUnit entity )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LDAPException=" + e;
-            int errCode;
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_DELETE_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_DELETE_FAILED_USER;
-            }
-
-            throw new RemoveException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final OrgUnit findByKey( OrgUnit entity )
-        throws FinderException
-    {
-        OrgUnit oe = null;
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, ORGUNIT_ATRS );
-            if ( findEntry == null )
-            {
-                String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
-                    + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
-                int errCode;
-                if ( entity.getType() == OrgUnit.Type.PERM )
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
-                }
-                else
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
-                }
-                throw new FinderException( errCode, warning );
-            }
-            oe = getEntityFromLdapEntry( findEntry, 0, entity.getContextId() );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
-                    + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
-                int errCode;
-                if ( entity.getType() == OrgUnit.Type.PERM )
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
-                }
-                else
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
-                }
-                throw new FinderException( errCode, warning );
-            }
-            else
-            {
-                String error = "findByKey orgUnitName [" + entity.getName() + "] type [" + entity.getType()
-                    + "] dn [" + dn + "] caught LDAPException=" + e;
-                int errCode;
-                if ( entity.getType() == OrgUnit.Type.PERM )
-                {
-                    errCode = GlobalErrIds.ORG_READ_FAILED_PERM;
-                }
-                else
-                {
-                    errCode = GlobalErrIds.ORG_READ_FAILED_USER;
-                }
-                throw new FinderException( errCode, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return oe;
-    }
-
-
-    /**
-     * @param orgUnit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<OrgUnit> findOrgs( OrgUnit orgUnit )
-        throws FinderException
-    {
-        List<OrgUnit> orgUnitList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String orgUnitRoot = getOrgRoot( orgUnit );
-        try
-        {
-            String searchVal = encodeSafeText( orgUnit.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
-                + GlobalIds.OU + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, orgUnitRoot,
-                LDAPConnection.SCOPE_ONE, filter, ORGUNIT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                orgUnitList.add( getEntityFromLdapEntry( searchResults.next(), sequence++, orgUnit.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findOrgs search val [" + orgUnit.getName() + "] type [" + orgUnit.getType()
-                + "] root [" + orgUnitRoot + "] caught LDAPException=" + e;
-            int errCode;
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return orgUnitList;
-    }
-
-
-    /**
-     *
-     * @param orgUnit
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getOrgs( OrgUnit orgUnit )
-        throws FinderException
-    {
-        Set<String> ouSet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-        LDAPConnection ld = null;
-        String orgUnitRoot = getOrgRoot( orgUnit );
-        try
-        {
-            String filter = "(objectclass=" + ORGUNIT_OBJECT_CLASS_NM + ")";
-            ld = getAdminConnection();
-            LDAPSearchResults searchResults = search( ld, orgUnitRoot,
-                LDAPConnection.SCOPE_ONE, filter, ORGUNIT_ATR, false, GlobalIds.BATCH_SIZE );
-            while ( searchResults.hasMoreElements() )
-            {
-                ouSet.add( getAttribute( searchResults.next(), GlobalIds.OU ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "getOrgs type [" + orgUnit.getType() + "] root [" + orgUnitRoot
-                + "] caught LDAPException=" + e;
-            int errCode;
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_USER;
-            }
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return ouSet;
-    }
-
-
-    /**
-      *
-      * @param orgUnit
-      * @return
-      * @throws FinderException
-      */
-    public final List<Graphable> getAllDescendants( OrgUnit orgUnit )
-        throws FinderException
-    {
-        String orgUnitRoot = getOrgRoot( orgUnit );
-        String[] DESC_ATRS =
-            { GlobalIds.OU, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String filter = null;
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, orgUnitRoot,
-                LDAPConnection.SCOPE_ONE, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                descendants.add( unloadDescendants( searchResults.next(), sequence++, orgUnit.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return descendants;
-    }
-
-
-    /**
-     * @param orgUnit
-     * @return
-     */
-    private String getDn( OrgUnit orgUnit )
-    {
-        String dn = null;
-        switch ( orgUnit.type )
-        {
-            case USER:
-                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
-                    + getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
-                break;
-            case PERM:
-                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
-                    + getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
-                break;
-            default:
-                String warning = "getDn invalid type";
-                LOG.warn( warning );
-                break;
-        }
-        return dn;
-    }
-
-
-    /**
-     *
-     * @param orgUnit
-     * @return
-     */
-    private String getOrgRoot( OrgUnit orgUnit )
-    {
-        String dn = null;
-        switch ( orgUnit.type )
-        {
-            case USER:
-                dn = getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
-                break;
-            case PERM:
-                dn = getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
-                break;
-            default:
-                String warning = "getOrgRootDn invalid type";
-                LOG.warn( warning );
-                break;
-        }
-        return dn;
-    }
-
-
-    /**
-    *
-    * @param le
-    * @param sequence
-    * @param contextId
-    * @return
-    * @throws LDAPException
-    */
-    private Graphable unloadDescendants( LDAPEntry le, long sequence, String contextId )
-    {
-        OrgUnit entity = new ObjectFactory().createOrgUnit();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, GlobalIds.OU ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LDAPException
-     */
-    private OrgUnit getEntityFromLdapEntry( LDAPEntry le, long sequence, String contextId )
-    {
-        OrgUnit entity = new ObjectFactory().createOrgUnit();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, GlobalIds.OU ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        String dn = le.getDN();
-        if ( dn.contains( getRootDn( contextId, GlobalIds.PSU_ROOT ) ) )
-        {
-            entity.setType( OrgUnit.Type.PERM );
-            //entity.setParents(PsoUtil.getParents(entity.getName().toUpperCase(), contextId));
-            entity.setChildren( PsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        }
-        else if ( dn.contains( getRootDn( contextId, GlobalIds.OSU_ROOT ) ) )
-        {
-            entity.setType( OrgUnit.Type.USER );
-            //entity.setParents(UsoUtil.getParents(entity.getName().toUpperCase(), contextId));
-            entity.setChildren( UsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        }
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-}
\ No newline at end of file


[13/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitDAO.java
new file mode 100755
index 0000000..90fd98f
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitDAO.java
@@ -0,0 +1,702 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+
+
+/**
+ * This class provides dataaccess to the OrgUnit datasets in LDAP.
+ * <p/>
+ * The OrgUnitDAO maintains the following structural and aux object classes:
+ * <h4>1. organizationalUnit Structural Object Class is used to store basic attributes like ou and description</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 2.5.6.5 NAME 'organizationalUnit'</code>
+ * <li> <code>DESC 'RFC2256: an organizational unit'</code>
+ * <li> <code>SUP top STRUCTURAL</code>
+ * <li> <code>MUST ou</code>
+ * <li> <code>MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $</code>
+ * <li> <code>x121Address $ registeredAddress $ destinationIndicator $</code>
+ * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
+ * <li> <code>telephoneNumber $ internationaliSDNNumber $</code>
+ * <li> <code>facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $</code>
+ * <li> <code>postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftOrgUnit Structural objectclass is used to store the OrgUnit internal id</h4>
+ * <ul>                                                              org.apache.directory.fortress.arbac.
+ * <li>  ------------------------------------------
+ * <li> <code> objectclass	( 1.3.6.1.4.1.38088.2.6</code>
+ * <li> <code>NAME 'ftOrgUnit'</code>
+ * <li> <code>DESC 'Fortress OrgUnit Class'</code>
+ * <li> <code>SUP organizationalunit</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ * @created September 18, 2010
+ */
+final class OrgUnitDAO extends ApacheDsDataProvider
+{
+    private static final String CLS_NM = OrgUnitDAO.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+    private static final String ORGUNIT_OBJECT_CLASS_NM = "ftOrgUnit";
+
+    private static final String ORGUNIT_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP, ORGUNIT_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+    private static final String[] ORGUNIT_ATRS =
+        {
+            GlobalIds.FT_IID, GlobalIds.OU, GlobalIds.DESC, GlobalIds.PARENT_NODES
+    };
+
+    private static final String[] ORGUNIT_ATR =
+        {
+            GlobalIds.OU
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    final OrgUnit create( OrgUnit entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+            entry.add( GlobalIds.OBJECT_CLASS, ORGUNIT_OBJ_CLASS );
+            entity.setId();
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+
+            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // organizational name requires OU attribute:
+            entry.add( GlobalIds.OU, entity.getName() );
+
+            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
+            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create orgUnit name [" + entity.getName() + "] type [" + entity.getType()
+                + "] root [" + dn + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_ADD_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_ADD_FAILED_USER;
+
+            }
+
+            throw new CreateException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final OrgUnit update( OrgUnit entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update orgUnit name [" + entity.getName() + "] type [" + entity.getType()
+                + "] root [" + dn + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_UPDATE_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_UPDATE_FAILED_USER;
+            }
+
+            throw new UpdateException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final void deleteParent( OrgUnit entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteParent orgUnit name [" + entity.getName() + "] type [" + entity.getType()
+                + "] root [" + dn + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_USER;
+            }
+
+            throw new UpdateException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    final OrgUnit remove( OrgUnit entity ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove orgUnit name [" + entity.getName() + "] type [" + entity.getType()
+                + "] root [" + dn + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_DELETE_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_DELETE_FAILED_USER;
+            }
+
+            throw new RemoveException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws FinderException
+     *
+     */
+    final OrgUnit findByKey( OrgUnit entity ) throws FinderException
+    {
+        OrgUnit oe = null;
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, ORGUNIT_ATRS );
+
+            if ( findEntry == null )
+            {
+                String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
+                    + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
+                int errCode;
+
+                if ( entity.getType() == OrgUnit.Type.PERM )
+                {
+                    errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
+                }
+                else
+                {
+                    errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
+                }
+
+                throw new FinderException( errCode, warning );
+            }
+
+            oe = getEntityFromLdapEntry( findEntry, 0, entity.getContextId() );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
+                + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
+            }
+            throw new FinderException( errCode, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "findByKey orgUnitName [" + entity.getName() + "] type [" + entity.getType()
+                + "] dn [" + dn + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_READ_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_READ_FAILED_USER;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return oe;
+    }
+
+
+    /**
+     * @param orgUnit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<OrgUnit> findOrgs( OrgUnit orgUnit ) throws FinderException
+    {
+        List<OrgUnit> orgUnitList = new ArrayList<>();
+        LdapConnection ld = null;
+        String orgUnitRoot = getOrgRoot( orgUnit );
+
+        try
+        {
+            String searchVal = encodeSafeText( orgUnit.getName(), GlobalIds.ROLE_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
+                + GlobalIds.OU + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, orgUnitRoot,
+                SearchScope.ONELEVEL, filter, ORGUNIT_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                orgUnitList
+                    .add( getEntityFromLdapEntry( searchResults.getEntry(), sequence++, orgUnit.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findOrgs search val [" + orgUnit.getName() + "] type [" + orgUnit.getType()
+                + "] root [" + orgUnitRoot + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( orgUnit.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_SEARCH_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_SEARCH_FAILED_USER;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findOrgs search val [" + orgUnit.getName() + "] type [" + orgUnit.getType()
+                + "] root [" + orgUnitRoot + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( orgUnit.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_SEARCH_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_SEARCH_FAILED_USER;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return orgUnitList;
+    }
+
+
+    /**
+     *
+     * @param orgUnit
+     * @return
+     * @throws FinderException
+     */
+    final Set<String> getOrgs( OrgUnit orgUnit ) throws FinderException
+    {
+        Set<String> ouSet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+        LdapConnection ld = null;
+        String orgUnitRoot = getOrgRoot( orgUnit );
+
+        try
+        {
+            String filter = "(objectclass=" + ORGUNIT_OBJECT_CLASS_NM + ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, orgUnitRoot,
+                SearchScope.ONELEVEL, filter, ORGUNIT_ATR, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                ouSet.add( getAttribute( searchResults.getEntry(), GlobalIds.OU ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getOrgs type [" + orgUnit.getType() + "] root [" + orgUnitRoot
+                + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( orgUnit.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_GET_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_GET_FAILED_USER;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getOrgs type [" + orgUnit.getType() + "] root [" + orgUnitRoot
+                + "] caught LdapException=" + e;
+            int errCode;
+
+            if ( orgUnit.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_GET_FAILED_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_GET_FAILED_USER;
+            }
+
+            throw new FinderException( errCode, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return ouSet;
+    }
+
+
+    /**
+      *
+      * @param orgUnit
+      * @return
+      * @throws FinderException
+      */
+    final List<Graphable> getAllDescendants( OrgUnit orgUnit ) throws FinderException
+    {
+        String orgUnitRoot = getOrgRoot( orgUnit );
+        String[] DESC_ATRS =
+            { GlobalIds.OU, GlobalIds.PARENT_NODES };
+        List<Graphable> descendants = new ArrayList<>();
+        LdapConnection ld = null;
+        String filter = null;
+
+        try
+        {
+            filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
+                + GlobalIds.PARENT_NODES + "=*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, orgUnitRoot,
+                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, orgUnit.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException="
+                + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return descendants;
+    }
+
+
+    /**
+     * @param orgUnit
+     * @return
+     */
+    private String getDn( OrgUnit orgUnit )
+    {
+        String dn = null;
+
+        switch ( orgUnit.type )
+        {
+            case USER:
+                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
+                    + getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
+                break;
+
+            case PERM:
+                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
+                    + getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
+                break;
+
+            default:
+                String warning = "getDn invalid type";
+                LOG.warn( warning );
+                break;
+        }
+
+        return dn;
+    }
+
+
+    /**
+     *
+     * @param orgUnit
+     * @return
+     */
+    private String getOrgRoot( OrgUnit orgUnit )
+    {
+        String dn = null;
+
+        switch ( orgUnit.type )
+        {
+            case USER:
+                dn = getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
+                break;
+
+            case PERM:
+                dn = getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
+                break;
+
+            default:
+                String warning = "getOrgRootDn invalid type";
+                LOG.warn( warning );
+                break;
+        }
+
+        return dn;
+    }
+
+
+    /**
+    *
+    * @param le
+    * @param sequence
+    * @param contextId
+    * @return
+     * @throws LdapInvalidAttributeValueException 
+    * @throws LdapException
+    */
+    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        OrgUnit entity = new ObjectFactory().createOrgUnit();
+        entity.setSequenceId( sequence );
+        entity.setName( getAttribute( le, GlobalIds.OU ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param le
+     * @param sequence
+     * @param contextId
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private OrgUnit getEntityFromLdapEntry( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        OrgUnit entity = new ObjectFactory().createOrgUnit();
+        entity.setSequenceId( sequence );
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setName( getAttribute( le, GlobalIds.OU ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        String dn = le.getDn().getName();
+
+        if ( dn.contains( getRootDn( contextId, GlobalIds.PSU_ROOT ) ) )
+        {
+            entity.setType( OrgUnit.Type.PERM );
+            //entity.setParents(PsoUtil.getParents(entity.getName().toUpperCase(), contextId));
+            entity.setChildren( PsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
+        }
+        else if ( dn.contains( getRootDn( contextId, GlobalIds.OSU_ROOT ) ) )
+        {
+            entity.setType( OrgUnit.Type.USER );
+            //entity.setParents(UsoUtil.getParents(entity.getName().toUpperCase(), contextId));
+            entity.setChildren( UsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
+        }
+
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+
+        return entity;
+    }
+}
\ No newline at end of file
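Review bot: The SearchCursor returned by `search( ld, orgUnitRoot, ... )` in findOrgs is never closed, and getOrgs and getAllDescendants have the same pattern; SearchCursor is a Closeable resource in this API, so leaving it open until `closeAdminConnection( ld )` recycles the connection can leak per-search state, and each method should close `searchResults` in its finally block (or use try-with-resources, which is available since the file already relies on the Java 7 diamond operator), handling whatever exception `close()` declares in this API version. In getDn the RDN is built by plain concatenation, `GlobalIds.OU + "=" + orgUnit.getName() + ","`, so a name containing DN-special characters such as `,` or `+` produces a DN that is malformed or addresses a different entry; unless the calling layer is known to reject those characters, the value should be escaped per RFC 4514 before it is placed in the DN. getDn and getOrgRoot also fall through to `return dn` with `dn == null` after only logging "invalid type", which surfaces later as an exception from `new DefaultEntry( dn )` or `search(...)` rather than a clear error at the source. getAllDescendants throws `GlobalErrIds.ARLE_SEARCH_FAILED`, an admin-role code, where every other method in this class selects an `ORG_*` code by `orgUnit.getType()`; presumably `ORG_SEARCH_FAILED_PERM`/`ORG_SEARCH_FAILED_USER` was intended there too.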

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
index 7a53ea8..da019f3 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
@@ -29,8 +29,6 @@ import org.slf4j.LoggerFactory;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
-import org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.directory.fortress.core.util.cache.Cache;
 import org.apache.directory.fortress.core.util.cache.CacheMgr;
@@ -69,7 +67,7 @@ public final class OrgUnitP
     private static Cache ouCache;
 
     // DAO class for OU data sets must be initializer before the other statics:
-    private static final OrgUnitDAO oDao = DaoFactory.createOrgUnitDAO();
+    private static final OrgUnitDAO oDao = new OrgUnitDAO();
     private static final String USER_OUS = "user.ous";
     private static final String PERM_OUS = "perm.ous";
     private static final String FORTRESS_OUS = "fortress.ous";

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
new file mode 100755
index 0000000..c7bce1b
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java
@@ -0,0 +1,1504 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.io.UnsupportedEncodingException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapAttributeInUseException;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.util.attr.AttrHelper;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * Permission data access class for LDAP. 
+ * <p/>
+ * This DAO class maintains the PermObj and Permission entities.
+ * <h3>The Fortress PermObj Entity Class is a composite of 3 LDAP Schema object classes</h2>
+ * <h4>PermObj Base - ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.2</code>
+ * <li> <code>NAME 'ftObject'</code>
+ * <li> <code>DESC 'Fortress Permission Object Class'</code>
+ * <li> <code>SUP organizationalunit</code>                                              GlobalIds
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST (</code>
+ * <li> <code>ftId $ ftObjNm ) </code>
+ * <li> <code>MAY ( ftType ) )  </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>PermObj - ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.</h4>
+ * <code>This aux object class can be used to store custom attributes.</code><br />
+ * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>PermObj - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h3>The Fortress Permission Entity Class is composite of 3 LDAP Schema object classes</h3>
+ * The Permission entity extends a single OpenLDAP standard structural object class, 'organizationalRole' with
+ * one extension structural class, ftOperation,  and two auxiliary object classes, ftProperties, ftMods.
+ * The following 4 LDAP object classes will be mapped into this entity:
+ * <h4>Permission Base - 'ftOperation' STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked</h4>
+ * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.3</code>
+ * <li> <code>NAME 'ftOperation'</code>
+ * <li> <code>DESC 'Fortress Permission Operation Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftPermName $</code>
+ * <li> <code>ftObjNm $ ftOpNm )</code>
+ * <li> <code>MAY ( ftRoles $ ftUsers $</code>
+ * <li> <code> ftObjId $ ftType) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>Permission Aux - ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.</h4>
+ * <code>This aux object class can be used to store custom attributes.</code><br />
+ * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>Permission Aux - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * This class is thread safe.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+final class PermDAO extends ApacheDsDataProvider
+{
+    /*
+      *  *************************************************************************
+      *  **  OpenAccessMgr PERMISSION STATICS
+      *  ************************************************************************
+      */
+    private static final String TYPE = "ftType";
+    private static final String PERM_OBJ_OBJECT_CLASS_NAME = "ftObject";
+    private static final String PERM_OP_OBJECT_CLASS_NAME = "ftOperation";
+
+    private static final String PERM_OBJ_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP,
+            "organizationalunit",
+            PERM_OBJ_OBJECT_CLASS_NAME,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+
+    private static final String PERM_OP_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP,
+            "organizationalrole",
+            PERM_OP_OBJECT_CLASS_NAME,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+
+    private static final String PERM_NAME = "ftPermName";
+    private static final String POBJ_ID = "ftObjId";
+    private static final String ROLES = "ftRoles";
+    private static final String USERS = "ftUsers";
+    private static final String[] PERMISSION_OP_ATRS =
+        {
+            GlobalIds.FT_IID, PERM_NAME, GlobalIds.POBJ_NAME, GlobalIds.POP_NAME, GlobalIds.DESC, GlobalIds.OU,
+            POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS
+    };
+
+    private static final String[] PERMISION_OBJ_ATRS =
+        {
+            GlobalIds.FT_IID, GlobalIds.POBJ_NAME, GlobalIds.DESC, GlobalIds.OU, TYPE,
+            GlobalIds.PROPS
+    };
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    final PermObj createObject( PermObj entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity, entity.getContextId() );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+            entry.add( GlobalIds.OBJECT_CLASS, PERM_OBJ_OBJ_CLASS );
+            entry.add( GlobalIds.POBJ_NAME, entity.getObjName() );
+
+            // this will generatre a new random, unique id on this entity:
+            entity.setInternalId();
+
+            // create the rDN:
+            entry.add( GlobalIds.FT_IID, entity.getInternalId() );
+
+            // ou is required:
+            entry.add( GlobalIds.OU, entity.getOu() );
+
+            // description is optional:
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // type is optional:
+            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
+            {
+                entry.add( TYPE, entity.getType() );
+            }
+
+            // props are optional as well:
+            //if the props is null don't try to load these attributes
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), entry, GlobalIds.PROPS );
+            }
+
+            // now add the new entry to directory:
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+            entity.setDn( dn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "createObject perm obj [" + entity.getObjName() + "] caught LdapException="
+                + e.getMessage();
+            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final PermObj updateObj( PermObj entity )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity, entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.OU, entity.getOu() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, TYPE, entity.getType() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
+            }
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+                entity.setDn( dn );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "updateObj objName [" + entity.getObjName() + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    final void deleteObj( PermObj entity ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity, entity.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            deleteRecursive( ld, dn, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteObj objName [" + entity.getObjName() + "] caught LdapException="
+                + e.getMessage();
+            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "deleteObj objName [" + entity.getObjName() + "] caught LdapException="
+                + e.getMessage();
+            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.CreateException
+     *
+     */
+    final Permission createOperation( Permission entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity, entity.getContextId() );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+
+            entry.add( GlobalIds.OBJECT_CLASS, PERM_OP_OBJ_CLASS );
+            entry.add( GlobalIds.POP_NAME, entity.getOpName() );
+            entry.add( GlobalIds.POBJ_NAME, entity.getObjName() );
+            entity.setAbstractName( entity.getObjName() + "." + entity.getOpName() );
+
+            // this will generate a new random, unique id on this entity:
+            entity.setInternalId();
+
+            // create the internal id:
+            entry.add( GlobalIds.FT_IID, entity.getInternalId() );
+
+            // description is optional:
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // the abstract name is the human readable identifier:
+            entry.add( PERM_NAME, entity.getAbstractName() );
+
+            // organizational name requires CN attribute:
+            entry.add( GlobalIds.CN, entity.getAbstractName() );
+
+            // objectid is optional:
+            if ( VUtil.isNotNullOrEmpty( entity.getObjId() ) )
+            {
+                entry.add( POBJ_ID, entity.getObjId() );
+            }
+
+            // type is optional:
+            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
+            {
+                entry.add( TYPE, entity.getType() );
+            }
+
+            // These are multi-valued attributes, use the util function to load:
+            // These items are optional as well.  The utility function will return quietly if no items are loaded into collection:
+            loadAttrs( entity.getRoles(), entry, ROLES );
+            loadAttrs( entity.getUsers(), entry, USERS );
+
+            // props are optional as well:
+            //if the props is null don't try to load these attributes
+            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
+            {
+                loadProperties( entity.getProperties(), entry, GlobalIds.PROPS );
+            }
+
+            // now add the new entry to directory:
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+            entity.setDn( dn );
+        }
+        catch ( LdapException e )
+        {
+            String error = "createOperation objName [" + entity.getObjName() + "] opName ["
+                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
+            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @return
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     */
+    final Permission updateOperation( Permission entity )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity, entity.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getAbstractName() ) )
+            {
+                // the abstract name is the human readable identifier:
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, PERM_NAME, entity.getAbstractName() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
+            {
+
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, TYPE, entity.getType() ) );
+            }
+
+            // These are multi-valued attributes, use the util function to load:
+            loadAttrs( entity.getRoles(), mods, ROLES );
+            loadAttrs( entity.getUsers(), mods, USERS );
+            loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+                entity.setDn( dn );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "updateOperation objName [" + entity.getObjName() + "] opName ["
+                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param entity
+     * @throws org.apache.directory.fortress.core.RemoveException
+     *
+     */
+    final void deleteOperation( Permission entity ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getOpRdn( entity.getOpName(), entity.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
+            + entity.getObjName() + "," + getRootDn( entity.isAdmin(), entity.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            deleteRecursive( ld, dn, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteOperation objName [" + entity.getObjName() + "] opName ["
+                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "deleteOperation objName [" + entity.getObjName() + "] opName ["
+                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param pOp
+     * @param role
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final void grant( Permission pOp, Role role )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( pOp, pOp.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, ROLES, role.getName() ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, pOp );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] role [" + role.getName() + "] assignment already exists, Fortress rc="
+                + GlobalErrIds.PERM_ROLE_EXIST;
+            throw new UpdateException( GlobalErrIds.PERM_ROLE_EXIST, warning );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] role [" + role.getName() + "] perm not found, Fortress rc="
+                + GlobalErrIds.PERM_OP_NOT_FOUND;
+            throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] name [" + role.getName() + "]  caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_GRANT_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param pOp
+     * @param role
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final void revoke( Permission pOp, Role role )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( pOp, pOp.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification(
+                ModificationOperation.REMOVE_ATTRIBUTE, ROLES, role.getName() ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, pOp );
+        }
+        catch ( LdapNoSuchAttributeException e )
+        {
+            String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] name [" + role.getName() + "] assignment does not exist.";
+            throw new FinderException( GlobalErrIds.PERM_ROLE_NOT_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] name [" + role.getName() + "] caught LdapException=" +
+                e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param pOp
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final void grant( Permission pOp, User user )
+        throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( pOp, pOp.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification(
+                ModificationOperation.ADD_ATTRIBUTE, USERS, user.getUserId() ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, pOp );
+        }
+        catch ( LdapAttributeInUseException e )
+        {
+            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment already exists, Fortress rc="
+                + GlobalErrIds.PERM_USER_EXIST;
+
+            throw new UpdateException( GlobalErrIds.PERM_USER_EXIST, warning );
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] userId [" + user.getUserId() + "] perm not found, Fortress rc="
+                + GlobalErrIds.PERM_OP_NOT_FOUND;
+            throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "grant perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_GRANT_USER_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param pOp
+     * @param user
+     * @throws org.apache.directory.fortress.core.UpdateException
+     *
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final void revoke( Permission pOp, User user )
+        throws UpdateException, FinderException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( pOp, pOp.getContextId() );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE,
+                USERS, user.getUserId() ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, pOp );
+        }
+        catch ( LdapNoSuchAttributeException e )
+        {
+            String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment does not exist.";
+            throw new FinderException( GlobalErrIds.PERM_USER_NOT_EXIST, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
+                + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * @param permission
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final Permission getPerm( Permission permission )
+        throws FinderException
+    {
+        Permission entity = null;
+        LdapConnection ld = null;
+        String dn = getOpRdn( permission.getOpName(), permission.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
+            + permission.getObjName() + "," + getRootDn( permission.isAdmin(), permission.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, PERMISSION_OP_ATRS );
+            entity = unloadPopLdapEntry( findEntry, 0, permission.isAdmin() );
+
+            if ( entity == null )
+            {
+                String warning = "getPerm no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getPerm Op COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getUser [" + dn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return entity;
+    }
+
+
+    /**
+     * @param permObj
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final PermObj getPerm( PermObj permObj )
+        throws FinderException
+    {
+        PermObj entity = null;
+        LdapConnection ld = null;
+        String dn = GlobalIds.POBJ_NAME + "=" + permObj.getObjName() + ","
+            + getRootDn( permObj.isAdmin(), permObj.getContextId() );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, PERMISION_OBJ_ATRS );
+            entity = unloadPobjLdapEntry( findEntry, 0,permObj.isAdmin() );
+
+            if ( entity == null )
+            {
+                String warning = "getPerm Obj no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getPerm Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
+            throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getPerm Obj dn [" + dn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_READ_OBJ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
+     * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
+     * record storage on ldap server but can be disabled.
+     *
+     * @param session contains {@link Session#getUserId()}, for rbac check {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
+     * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link Permission#objId} is optional.
+     * @return boolean containing result of check.
+     * @throws org.apache.directory.fortress.core.FinderException
+     *          In the event system error occurs looking up data on ldap server.
+     */
+    final boolean checkPermission( Session session, Permission inPerm ) throws FinderException
+    {
+        boolean isAuthZd = false;
+        LdapConnection ld = null;
+        String dn = getOpRdn( inPerm.getOpName(), inPerm.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
+            + inPerm.getObjName() + "," + getRootDn( inPerm.isAdmin(), inPerm.getContextId() );
+
+        try
+        {
+            // Use unauthenticated connection because we want to assert the end user identity onto ldap hop:
+            ld = getUserConnection();
+
+            // LDAP Operation #1: Read the targeted permission from ldap server
+            //LDAPEntry entry = read(ld, dn, PERMISSION_OP_ATRS, session.getUser().getDn());
+            Entry entry = read( ld, dn, PERMISSION_OP_ATRS );
+            if(entry == null)
+            {
+                // if permission not found, cannot continue.
+                String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
+                throw new FinderException( GlobalErrIds.PERM_NOT_EXIST, error );
+            }
+
+            // load the permission entity with data retrieved from the permission node:
+            Permission outPerm = unloadPopLdapEntry( entry, 0, inPerm.isAdmin() );
+
+            // The admin flag will be set to 'true' if this is an administrative permission:
+            outPerm.setAdmin( inPerm.isAdmin() );
+
+            // Pass the tenant id along:
+            outPerm.setContextId( inPerm.getContextId() );
+
+            // The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a write to slapd access logger containing the result.
+            // The objectClass triggered by slapd access log write for upcoming ldap op is 'auditCompare'.
+            // Set this attribute either with actual operation name that will succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
+            String attributeValue;
+
+            // This method determines if the user is authorized for this permission:
+            isAuthZd = isAuthorized( session, outPerm );
+
+            // This is done to leave an audit trail in ldap server log:
+            if ( isAuthZd )
+            {
+                // Yes, set the operation name onto this attribute for storage into audit trail:
+                attributeValue = outPerm.getOpName();
+            }
+            else
+            {
+                // No, set a simple error message onto this attribute for storage into audit trail:
+                attributeValue = "AuthZ Failed";
+            }
+
+            // There is a switch in fortress config to disable audit ops like this one.
+            // But if used the compare method will use OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection.
+            // LDAP Operation #2: Compare.
+            addAuthZAudit( ld, dn, session.getUser().getDn(), attributeValue );
+        }
+        catch ( LdapException e )
+        {
+            if ( !( e instanceof LdapNoSuchObjectException ) )
+            {
+                String error = "checkPermission caught LdapException=" + e.getMessage();
+                throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
+            }
+
+            // There is a switch in fortress config to disable the audit ops.
+            addAuthZAudit( ld, dn, session.getUser().getDn(), "AuthZ Invalid" );
+        }
+        finally
+        {
+            closeUserConnection( ld );
+        }
+
+        return isAuthZd;
+    }
+
+
+    /**
+     * Perform LDAP compare operation here to associate audit record with user authorization event.
+     *
+     * @param ld this method expects the ldap connection to be good
+     * @param permDn contains distinguished name of the permission object.
+     * @param userDn contains the distinguished name of the user object.
+     * @param attributeValue string value will be associated with the 'audit' record stored in ldap.
+     * @throws FinderException in the event ldap system exception occurs.
+     */
+    private void addAuthZAudit( LdapConnection ld, String permDn, String userDn, String attributeValue )
+        throws FinderException
+    {
+        // Audit can be turned off here with fortress config param: 'enable.audit=false'
+        if ( GlobalIds.IS_AUDIT && GlobalIds.IS_OPENLDAP )
+        {
+            try
+            {
+                // The compare method uses OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection:
+                // LDAP Operation #2: Compare:
+                compareNode( ld, permDn, userDn, new DefaultAttribute( GlobalIds.POP_NAME, attributeValue ) );
+            }
+            catch ( UnsupportedEncodingException ee )
+            {
+                String error = "addAuthZAudit caught UnsupportedEncodingException=" + ee.getMessage();
+                throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, ee );
+            }
+            catch ( LdapException e )
+            {
+                if ( !( e instanceof LdapNoSuchObjectException ) )
+                {
+                    String error = "addAuthZAudit caught LdapException=" + e.getMessage();
+                    throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, e );
+                }
+            }
+        }
+    }
+
+
+    /**
+     * This function will first compare the userId from the session object with the list of users attached to permission object.
+     * If match does not occur there, determine if there is a match between the authorized roles of user with roles attached to permission object.
+     * For this use {@link org.apache.directory.fortress.core.rbac.Permission#isAdmin()} to determine if admin permissions or normal permissions have been passed in by caller.
+     *
+     * @param session contains the {@link org.apache.directory.fortress.core.rbac.Session#getUserId()},{@link Session#getRoles()} or {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
+     * @param permission contains {@link org.apache.directory.fortress.core.rbac.Permission#getUsers()} and {@link Permission#getRoles()}.
+     * @return binary result.
+     */
+    private boolean isAuthorized( Session session, Permission permission )
+    {
+        boolean result = false;
+        Set<String> userIds = permission.getUsers();
+
+        if ( VUtil.isNotNullOrEmpty( userIds ) && userIds.contains( session.getUserId() ) )
+        {
+            // user is assigned directly to this permission, no need to look further.
+            return true;
+        }
+
+        Set<String> roles = permission.getRoles();
+
+        if ( VUtil.isNotNullOrEmpty( roles ) )
+        {
+            if ( permission.isAdmin() )
+            {
+                // ARBAC Permission check include's User's inherited admin roles:
+                Set<String> activatedRoles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(),
+                    permission.getContextId() );
+
+                for ( String role : roles )
+                {
+                    // This is case insensitive op determines if user has matching admin role to the admin permission::
+                    if ( activatedRoles.contains( role ) )
+                    {
+                        result = true;
+                        break;
+                    }
+                }
+            }
+            else
+            {
+                // RBAC Permission check include's User's inherited roles:
+                Set<String> activatedRoles = RoleUtil.getInheritedRoles( session.getRoles(), permission.getContextId() );
+
+                for ( String role : roles )
+                {
+                    // This is case insensitive op determines if user has matching role:
+                    if ( activatedRoles.contains( role ) )
+                    {
+                        result = true;
+                        break;
+                    }
+                }
+            }
+        }
+
+        return result;
+    }
+
+
+    /**
+     * @param le
+     * @param sequence
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private Permission unloadPopLdapEntry( Entry le, long sequence, boolean isAdmin ) throws LdapInvalidAttributeValueException
+    {
+        Permission entity = new ObjectFactory().createPermission();
+        entity.setSequenceId( sequence );
+        entity.setAbstractName( getAttribute( le, PERM_NAME ) );
+        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
+        entity.setObjId( getAttribute( le, POBJ_ID ) );
+        entity.setOpName( getAttribute( le, GlobalIds.POP_NAME ) );
+        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setRoles( getAttributeSet( le, ROLES ) );
+        entity.setUsers( getAttributeSet( le, USERS ) );
+        entity.setType( getAttribute( le, TYPE ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
+        entity.setAdmin( isAdmin );
+
+        // TODO: find out the correct way to do this:
+        if(le != null)
+        {
+            entity.setDn( le.getDn().getNormName() );
+        }
+        return entity;
+    }
+
+
+    /**
+     * @param le
+     * @param sequence
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private PermObj unloadPobjLdapEntry( Entry le, long sequence, boolean isAdmin ) throws LdapInvalidAttributeValueException
+    {
+        PermObj entity = new ObjectFactory().createPermObj();
+        entity.setSequenceId( sequence );
+        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
+        entity.setOu( getAttribute( le, GlobalIds.OU ) );
+        entity.setDn( le.getDn().getName() );
+        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setType( getAttribute( le, TYPE ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
+        entity.setAdmin( isAdmin );
+        return entity;
+    }
+
+
+    /**
+     * @param permission
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Permission> findPermissions( Permission permission )
+        throws FinderException
+    {
+        List<Permission> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( permission.isAdmin(), permission.getContextId() );
+
+        try
+        {
+            String permObjVal = encodeSafeText( permission.getObjName(), GlobalIds.PERM_LEN );
+            String permOpVal = encodeSafeText( permission.getOpName(), GlobalIds.PERM_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*)("
+                + GlobalIds.POP_NAME + "=" + permOpVal + "*))";
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, permission.isAdmin() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return permList;
+    }
+
+
+    /**
+     * @param permObj
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<PermObj> findPermissions( PermObj permObj )
+        throws FinderException
+    {
+        List<PermObj> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( permObj.isAdmin(), permObj.getContextId() );
+
+        try
+        {
+            String permObjVal = encodeSafeText( permObj.getObjName(), GlobalIds.PERM_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPobjLdapEntry( searchResults.getEntry(), sequence++, permObj.isAdmin() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param ou
+     * @return
+     * @throws FinderException
+     */
+    final List<PermObj> findPermissions( OrgUnit ou, boolean limitSize ) throws FinderException
+    {
+        List<PermObj> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( ou.getContextId(), GlobalIds.PERM_ROOT );
+
+        try
+        {
+            String ouVal = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
+                + GlobalIds.OU + "=" + ouVal + "*))";
+            int maxLimit;
+
+            if ( limitSize )
+            {
+                maxLimit = 10;
+            }
+            else
+            {
+                maxLimit = 0;
+            }
+
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPobjLdapEntry( searchResults.getEntry(), sequence++, false ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param role
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Permission> findPermissions( Role role ) throws FinderException
+    {
+        List<Permission> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot;
+
+        boolean isAdmin = false;
+        if ( role.getClass().equals( AdminRole.class ) )
+        {
+            permRoot = getRootDn( role.getContextId(), GlobalIds.ADMIN_PERM_ROOT );
+            isAdmin = true;
+        }
+        else
+        {
+            permRoot = getRootDn( role.getContextId(), GlobalIds.PERM_ROOT );
+        }
+
+        try
+        {
+            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(";
+            Set<String> roles;
+
+            if ( role.getClass().equals( AdminRole.class ) )
+            {
+                roles = AdminRoleUtil.getAscendants( role.getName(), role.getContextId() );
+            }
+            else
+            {
+                roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                filter += "|(" + ROLES + "=" + roleVal + ")";
+
+                for ( String uRole : roles )
+                {
+                    filter += "(" + ROLES + "=" + uRole + ")";
+                }
+
+                filter += ")";
+            }
+            else
+            {
+                filter += ROLES + "=" + roleVal + ")";
+            }
+
+            filter += ")";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, isAdmin ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_ROLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_ROLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Permission> findPermissions( User user ) throws FinderException
+    {
+        List<Permission> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
+            Set<String> roles = RoleUtil.getInheritedRoles( user.getRoles(), user.getContextId() );
+
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                for ( String uRole : roles )
+                {
+                    filter += "(" + ROLES + "=" + uRole + ")";
+                }
+            }
+
+            filter += "(" + USERS + "=" + user.getUserId() + ")))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++,false ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions user [" + user.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions user [" + user.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param user
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Permission> findUserPermissions( User user ) throws FinderException
+    {
+        List<Permission> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")";
+            filter += "(" + USERS + "=" + user.getUserId() + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, false ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findUserPermissions user [" + user.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findUserPermissions user [" + user.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param session
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Permission> findPermissions( Session session, boolean isAdmin ) throws FinderException
+    {
+        List<Permission> permList = new ArrayList<>();
+        LdapConnection ld = null;
+        String permRoot = getRootDn( isAdmin, session.getContextId() );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
+            filter += "(" + USERS + "=" + session.getUserId() + ")";
+            Set<String> roles;
+            if(isAdmin)
+            {
+                roles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(), session.getContextId() );
+            }
+            else
+            {
+                roles = RoleUtil.getInheritedRoles( session.getRoles(), session.getContextId() );
+            }
+            if ( VUtil.isNotNullOrEmpty( roles ) )
+            {
+                for ( String uRole : roles )
+                {
+                    filter += "(" + ROLES + "=" + uRole + ")";
+                }
+            }
+
+            filter += "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, permRoot,
+                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, isAdmin ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findPermissions user [" + session.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SESS_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findPermissions user [" + session.getUserId()
+                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.PERM_SESS_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return permList;
+    }
+
+
+    /**
+     * @param opName
+     * @param objId
+     * @return
+     */
+    static String getOpRdn( String opName, String objId )
+    {
+        String rDn;
+
+        if ( objId != null && objId.length() > 0 )
+        {
+            rDn = GlobalIds.POP_NAME + "=" + opName + "+" + POBJ_ID + "=" + objId;
+        }
+        else
+        {
+            rDn = GlobalIds.POP_NAME + "=" + opName;
+        }
+
+        return rDn;
+    }
+
+
+    private String getDn( Permission pOp, String contextId )
+    {
+        return getOpRdn( pOp.getOpName(), pOp.getObjId() ) + "," + GlobalIds.POBJ_NAME + "=" + pOp.getObjName()
+            + "," + getRootDn( pOp.isAdmin(), contextId );
+    }
+
+
+    private String getDn( PermObj pObj, String contextId )
+    {
+        return GlobalIds.POBJ_NAME + "=" + pObj.getObjName() + "," + getRootDn( pObj.isAdmin(), contextId );
+    }
+
+
+    private String getRootDn( boolean isAdmin, String contextId )
+    {
+        String dn;
+
+        if ( isAdmin )
+        {
+            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
+        }
+        else
+        {
+            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
+        }
+
+        return dn;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
index 17e9fb8..af60b80 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
@@ -32,10 +32,6 @@ import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlTransient;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.UserDAO;
-
-
 /**
  * All entities ({@link org.apache.directory.fortress.core.rbac.User}, {@link org.apache.directory.fortress.core.rbac.Role}, {@link Permission},
  * {@link PwPolicy} {@link org.apache.directory.fortress.core.rbac.SDSet} etc...) are used to carry data between three Fortress
@@ -45,7 +41,7 @@ import org.apache.directory.fortress.core.rbac.dao.UserDAO;
  * <ol>
  * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
  * <li>Process layer:  {@link org.apache.directory.fortress.core.rbac.UserP}, {@link org.apache.directory.fortress.core.rbac.RoleP}, {@link org.apache.directory.fortress.core.rbac.PermP},...</li>
- * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
  * </ol>
  * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
  * provide enough information to uniquely identity the entity target within ldap.<br />

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
index d38da50..ff58020 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
@@ -27,8 +27,6 @@ import org.apache.directory.fortress.core.FinderException;
 import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
-import org.apache.directory.fortress.core.rbac.dao.PermDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 
 
@@ -56,7 +54,7 @@ public final class PermP
      * Description of the Field
      */
     private static final String CLS_NM = PermP.class.getName();
-    private static final PermDAO pDao = DaoFactory.createPermDAO();
+    private static final PermDAO pDao = new PermDAO();
     private final OrgUnitP orgUnitP = new OrgUnitP();
 
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
index d8ed919..ae81288 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java
@@ -33,9 +33,6 @@ import javax.xml.bind.annotation.XmlElement;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.UserDAO;
-
 /*
 ## OC2: Fortress Permission Structural Object Class
     objectclass	( 1.3.6.1.4.1.38088.2.2
@@ -61,7 +58,7 @@ import org.apache.directory.fortress.core.rbac.dao.UserDAO;
  * <ol>
  * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
  * <li>Process layer:  {@link org.apache.directory.fortress.core.rbac.UserP}, {@link org.apache.directory.fortress.core.rbac.RoleP}, {@link org.apache.directory.fortress.core.rbac.PermP},...</li>
- * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...</li>
  * </ol>
  * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
  * provide enough information to uniquely identity the entity target within ldap.<br />


[03/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/RoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/RoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/RoleDAO.java
deleted file mode 100755
index b11d15d..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/RoleDAO.java
+++ /dev/null
@@ -1,593 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * This class perform data access for Fortress Role entity.
- * <p/>
- * The Fortress Role entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the Role information like name and temporal constraint attributes</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Kevin McKinney
- */
-public final class RoleDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.RoleDAO
-{
-    /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr ROLE STATICS
-      *  ************************************************************************
-      */
-    private static final String ROLE_OCCUPANT = "roleOccupant";
-    private static final String ROLE_NM = "ftRoleName";
-
-    private static final String[] ROLE_NM_ATR =
-        {
-            ROLE_NM
-    };
-    private static final String[] ROLE_ATRS =
-        {
-            GlobalIds.FT_IID, ROLE_NM, GlobalIds.DESC, GlobalIds.CONSTRAINT, ROLE_OCCUPANT, GlobalIds.PARENT_NODES
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws CreateException
-     */
-    public final Role create( Role entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, GlobalIds.ROLE_OBJ_CLASS ) );
-            entity.setId();
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getId() ) );
-            attrs.add( createAttribute( ROLE_NM, entity.getName() ) );
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-            // CN attribute is required for this object class:
-            attrs.add( createAttribute( GlobalIds.CN, entity.getName() ) );
-            attrs.add( createAttribute( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) ) );
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if items are not loaded into collection:
-            loadAttrs( entity.getParents(), attrs, GlobalIds.PARENT_NODES );
-
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create role [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.ROLE_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role update( Role entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC, entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            if ( entity.isTemporalSet() )
-            {
-                String szRawData = CUtil.setConstraint( entity );
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    LDAPAttribute constraint = new LDAPAttribute( GlobalIds.CONSTRAINT, szRawData );
-                    mods.add( LDAPModification.REPLACE, constraint );
-                }
-            }
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    public final void deleteParent( Role entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( GlobalIds.PARENT_NODES );
-            mods.add( LDAPModification.DELETE, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deleteParent name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_REMOVE_PARENT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role assign( Role entity, String userDn )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            //ld = getAdminConnection();
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( ROLE_OCCUPANT, userDn );
-            mods.add( LDAPModification.ADD, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_USER_ASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @param userDn
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Role deassign( Role entity, String userDn )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute occupant = new LDAPAttribute( ROLE_OCCUPANT, userDn );
-            mods.add( LDAPModification.DELETE, occupant );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ROLE_USER_DEASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param role
-     * @throws RemoveException
-     */
-    public final void remove( Role role )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( role.getName(), role.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, role );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove role name=" + role.getName() + " LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new RemoveException( GlobalErrIds.ROLE_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final Role getRole( Role role )
-        throws FinderException
-    {
-        Role entity = null;
-        LDAPConnection ld = null;
-        String dn = getDn( role.getName(), role.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, ROLE_ATRS );
-            entity = unloadLdapEntry( findEntry, 0, role.getContextId() );
-            if ( entity == null )
-            {
-                String warning = "getRole no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getRole Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ROLE_NOT_FOUND, warning );
-            }
-            String error = "getRole dn [" + dn + "] LEXCD=" + e.getLDAPResultCode() + " LEXMSG=" + e;
-            throw new FinderException( GlobalErrIds.ROLE_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Role> findRoles( Role role )
-        throws FinderException
-    {
-        List<Role> roleList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
-        String filter = null;
-        try
-        {
-            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                roleList.add( unloadLdapEntry( searchResults.next(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleList;
-    }
-
-
-    /**
-     * @param role
-     * @param limit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<String> findRoles( Role role, int limit )
-        throws FinderException
-    {
-        List<String> roleList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( role.getContextId(), GlobalIds.ROLE_ROOT );
-        String filter = null;
-        try
-        {
-            String searchVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
-            while ( searchResults.hasMoreElements() )
-            {
-                LDAPEntry entry = searchResults.next();
-                roleList.add( getAttribute( entry, ROLE_NM ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findRoles filter [" + filter + "] caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleList;
-    }
-
-
-    /**
-     *
-     * @param userDn
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findAssignedRoles( String userDn, String contextId )
-        throws FinderException
-    {
-        List<String> roleNameList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
-            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
-            while ( searchResults.hasMoreElements() )
-            {
-                roleNameList.add( getAttribute( searchResults.next(), ROLE_NM ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return roleNameList;
-    }
-
-
-    /**
-     *
-     * @param contextId
-     * @return
-     * @throws FinderException
-     */
-    public final List<Graphable> getAllDescendants( String contextId )
-        throws FinderException
-    {
-        String[] DESC_ATRS =
-            { ROLE_NM, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String roleRoot = getRootDn( contextId, GlobalIds.ROLE_ROOT );
-        String filter = null;
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, roleRoot,
-                LDAPConnection.SCOPE_ONE, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                descendants.add( unloadDescendants( searchResults.next(), sequence++, contextId ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return descendants;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LDAPException
-     */
-    private Graphable unloadDescendants( LDAPEntry le, long sequence, String contextId )
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LDAPException
-     */
-    private Role unloadLdapEntry( LDAPEntry le, long sequence, String contextId )
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
-        //entity.setParents(RoleUtil.getParents(entity.getName().toUpperCase(), contextId));
-        entity.setChildren( RoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        unloadTemporal( le, entity );
-        return entity;
-    }
-
-
-    private String getDn( String name, String contextId )
-    {
-        return GlobalIds.CN + "=" + name + "," + getRootDn( contextId, GlobalIds.ROLE_ROOT );
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/SdDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/SdDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/SdDAO.java
deleted file mode 100755
index 84008c1..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/SdDAO.java
+++ /dev/null
@@ -1,557 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.SDSet;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * This class performs persistence on the RBAC Static Separation of Duties and Dynamic Separation of Duties data sets.
- * <p/>
- * The Fortress SDSet entity is a composite of the following other Fortress structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.8 NAME 'organizationalRole'</code>
- * <li> <code>DESC 'RFC2256: an organizational role'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $</code>
- * <li> <code>seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $</code>
- * <li> <code>postOfficeBox $ postalCode $ postalAddress $</code>
- * <li> <code>physicalDeliveryOfficeName $ ou $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. The RBAC Separation of Duties</h4>
- * <ul>
- * <li>  ---Static Separation of Duties Set-------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.4</code>
- * <li> <code>NAME 'ftSSDSet'</code>
- * <li> <code>DESC 'Fortress Role Static Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * OR
- * <h4>Dynamic Separation of Duties Set</h4>
- * <ul>
- * <li>
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.5</code>
- * <li> <code>NAME 'ftDSDSet'</code>
- * <li> <code>DESC 'Fortress Role Dynamic Separation of Duty Set Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftSetName $ ftSetCardinality )</code>
- * <li> <code>MAY ( ftRoles $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public final class SdDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.SdDAO
-
-{
-    private static final String SD_SET_NM = "ftSetName";
-    private static final String ROLES = "ftRoles";
-    private static final String SD_SET_CARDINALITY = "ftSetCardinality";
-
-    private static final String SSD_OBJECT_CLASS_NM = "ftSSDSet";
-    private static final String SSD_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, SSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String DSD_OBJECT_CLASS_NM = "ftDSDSet";
-    private static final String DSD_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, DSD_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String[] SD_SET_ATRS =
-        {
-            GlobalIds.FT_IID, SD_SET_NM, GlobalIds.DESC, ROLES, SD_SET_CARDINALITY
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     */
-    public final SDSet create( SDSet entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        String[] objectClass = SSD_OBJ_CLASS;
-        if ( entity.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJ_CLASS;
-        }
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, objectClass ) );
-            entity.setId();
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getId() ) );
-            attrs.add( createAttribute( SD_SET_NM, entity.getName() ) );
-            // description field is optional on this object class:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-            // CN attribute is required for this object class:
-            attrs.add( createAttribute( GlobalIds.CN, entity.getName() ) );
-            loadAttrs( entity.getMembers(), attrs, ROLES );
-            attrs.add( createAttribute( SD_SET_CARDINALITY, "" + entity.getCardinality() ) );
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create SD set name [" + entity.getName() + "] type [" + entity.getType()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_ADD_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_ADD_FAILED;
-            }
-
-            throw new CreateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     */
-    public final SDSet update( SDSet entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC, entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            if ( entity.getCardinality() != null )
-            {
-                LDAPAttribute cardinality = new LDAPAttribute( SD_SET_CARDINALITY, "" + entity.getCardinality() );
-                mods.add( LDAPModification.REPLACE, cardinality );
-            }
-            loadAttrs( entity.getMembers(), mods, ROLES );
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update name [" + entity.getName() + "] type [" + entity.getType()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_UPDATE_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_UPDATE_FAILED;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    public final SDSet remove( SDSet entity )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity.getName(), entity.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove SD name=" + entity.getName() + " type [" + entity.getType() + "] LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            int errCode;
-            if ( entity.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_DELETE_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_DELETE_FAILED;
-            }
-
-            throw new RemoveException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param sdSet
-     * @return
-     * @throws FinderException
-     */
-    public final SDSet getSD( SDSet sdSet )
-        throws FinderException
-    {
-        SDSet entity = null;
-        LDAPConnection ld = null;
-        String dn = getDn( sdSet.getName(), sdSet.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, SD_SET_ATRS );
-            entity = unloadLdapEntry( findEntry, 0 );
-            if ( entity == null )
-            {
-                String warning = "getSD no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getSD Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.SSD_NOT_FOUND, warning );
-            }
-            String error = "getSSD dn [" + dn + "] LEXCD=" + e.getLDAPResultCode() + " LEXMSG=" + e;
-            int errCode;
-            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_READ_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_READ_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * Given an SSD name and type, find matching object in the directory.
-     * @param sdset requires name and type.
-     * @return List of matching SDSets.
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<SDSet> search( SDSet sdset )
-        throws FinderException
-    {
-        List<SDSet> sdList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String ssdRoot = getSdRoot( sdset.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-        if ( sdset.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-        try
-        {
-            String searchVal = encodeSafeText( sdset.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(" + SD_SET_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, ssdRoot,
-                LDAPConnection.SCOPE_SUB, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                sdList.add( unloadLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "search sdset name [" + sdset.getName() + "] type [" + sdset.getType()
-                + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            int errCode;
-            if ( sdset.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return sdList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<SDSet> search( Role role, SDSet.SDType type )
-        throws FinderException
-    {
-        List<SDSet> sdList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String ssdRoot = getSdRoot( role.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-        if ( type == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            //String filter = GlobalIds.FILTER_PREFIX + SSD_OBJECT_CLASS_NM + ")(" + ROLES + "=" + roleVal + "))";
-            String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(";
-            // Include any parents target role may have:
-            Set<String> roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + ROLES + "=" + roleVal + ")";
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-                filter += ")";
-            }
-            else
-            {
-                filter += ROLES + "=" + roleVal + ")";
-            }
-            filter += ")";
-            ld = getAdminConnection();
-            searchResults = search( ld, ssdRoot,
-                LDAPConnection.SCOPE_SUB, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                sdList.add( unloadLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "search role [" + role.getName() + "] type [" + type + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            int errCode;
-            if ( type == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return sdList;
-    }
-
-
-    /**
-     * @param roles
-     * @param sdSet
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final Set<SDSet> search( Set<String> roles, SDSet sdSet )
-        throws FinderException
-    {
-        Set<SDSet> sdList = new HashSet<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String ssdRoot = getSdRoot( sdSet.getContextId() );
-        String objectClass = SSD_OBJECT_CLASS_NM;
-        if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-        {
-            objectClass = DSD_OBJECT_CLASS_NM;
-        }
-        try
-        {
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                String filter = GlobalIds.FILTER_PREFIX + objectClass + ")(|";
-                for ( String rle : roles )
-                {
-                    filter += "(" + ROLES + "=" + rle + ")";
-                }
-                filter += "))";
-                ld = getAdminConnection();
-                searchResults = search( ld, ssdRoot,
-                    LDAPConnection.SCOPE_SUB, filter, SD_SET_ATRS, false, GlobalIds.BATCH_SIZE );
-                long sequence = 0;
-                while ( searchResults.hasMoreElements() )
-                {
-                    sdList.add( unloadLdapEntry( searchResults.next(), sequence++ ) );
-                }
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "search type [" + sdSet.getType() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            int errCode;
-            if ( sdSet.getType() == SDSet.SDType.DYNAMIC )
-            {
-                errCode = GlobalErrIds.DSD_SEARCH_FAILED;
-            }
-            else
-            {
-                errCode = GlobalErrIds.SSD_SEARCH_FAILED;
-            }
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return sdList;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LDAPException
-     */
-    private SDSet unloadLdapEntry( LDAPEntry le, long sequence )
-    {
-        SDSet entity = new ObjectFactory().createSDset();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, SD_SET_NM ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setMembers( getAttributeSet( le, ROLES ) );
-        String szCard = getAttribute( le, SD_SET_CARDINALITY );
-        entity.setCardinality( new Integer( szCard ) );
-        return entity;
-    }
-
-
-    private String getDn( String name, String contextId )
-    {
-        return GlobalIds.CN + "=" + name + "," + getSdRoot( contextId );
-    }
-
-
-    private String getSdRoot( String contextId )
-    {
-        return getRootDn( contextId, GlobalIds.SD_ROOT );
-    }
-}


[08/16] Remove the unboundid DAO classes and lib, move the Apache DAOs into the rbac package and make their classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/OrgUnitDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/OrgUnitDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/OrgUnitDAO.java
deleted file mode 100755
index 2641be5..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/OrgUnitDAO.java
+++ /dev/null
@@ -1,706 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.Graphable;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PsoUtil;
-import org.apache.directory.fortress.core.rbac.UsoUtil;
-
-
-/**
- * This class provides dataaccess to the OrgUnit datasets in LDAP.
- * <p/>
- * The OrgUnitDAO maintains the following structural and aux object classes:
- * <h4>1. organizationalUnit Structural Object Class is used to store basic attributes like ou and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.5.6.5 NAME 'organizationalUnit'</code>
- * <li> <code>DESC 'RFC2256: an organizational unit'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST ou</code>
- * <li> <code>MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $</code>
- * <li> <code>x121Address $ registeredAddress $ destinationIndicator $</code>
- * <li> <code>preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $</code>
- * <li> <code>telephoneNumber $ internationaliSDNNumber $</code>
- * <li> <code>facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $</code>
- * <li> <code>postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftOrgUnit Structural objectclass is used to store the OrgUnit internal id</h4>
- * <ul>                                                              org.apache.directory.fortress.arbac.
- * <li>  ------------------------------------------
- * <li> <code> objectclass	( 1.3.6.1.4.1.38088.2.6</code>
- * <li> <code>NAME 'ftOrgUnit'</code>
- * <li> <code>DESC 'Fortress OrgUnit Class'</code>
- * <li> <code>SUP organizationalunit</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- * @created September 18, 2010
- */
-public final class OrgUnitDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO
-{
-    private static final String CLS_NM = OrgUnitDAO.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static final String ORGUNIT_OBJECT_CLASS_NM = "ftOrgUnit";
-
-    private static final String ORGUNIT_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, ORGUNIT_OBJECT_CLASS_NM, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-    private static final String[] ORGUNIT_ATRS =
-        {
-            GlobalIds.FT_IID, GlobalIds.OU, GlobalIds.DESC, GlobalIds.PARENT_NODES
-    };
-
-    private static final String[] ORGUNIT_ATR =
-        {
-            GlobalIds.OU
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final OrgUnit create( OrgUnit entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-            entry.add( GlobalIds.OBJECT_CLASS, ORGUNIT_OBJ_CLASS );
-            entity.setId();
-            entry.add( GlobalIds.FT_IID, entity.getId() );
-
-            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // organizational name requires OU attribute:
-            entry.add( GlobalIds.OU, entity.getName() );
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_ADD_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_ADD_FAILED_USER;
-
-            }
-
-            throw new CreateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final OrgUnit update( OrgUnit entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( entity.getDescription() != null && entity.getDescription().length() > 0 )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_UPDATE_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_UPDATE_FAILED_USER;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void deleteParent( OrgUnit entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteParent orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_REMOVE_PARENT_FAILED_USER;
-            }
-
-            throw new UpdateException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final OrgUnit remove( OrgUnit entity ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove orgUnit name [" + entity.getName() + "] type [" + entity.getType()
-                + "] root [" + dn + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_DELETE_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_DELETE_FAILED_USER;
-            }
-
-            throw new RemoveException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final OrgUnit findByKey( OrgUnit entity ) throws FinderException
-    {
-        OrgUnit oe = null;
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, ORGUNIT_ATRS );
-
-            if ( findEntry == null )
-            {
-                String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
-                    + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
-                int errCode;
-
-                if ( entity.getType() == OrgUnit.Type.PERM )
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
-                }
-                else
-                {
-                    errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
-                }
-
-                throw new FinderException( errCode, warning );
-            }
-
-            oe = getEntityFromLdapEntry( findEntry, 0, entity.getContextId() );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "findByKey orgUnit name [" + entity.getName() + "] type ["
-                + entity.getType() + "] COULD NOT FIND ENTRY for dn [" + dn + "]";
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_NOT_FOUND_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_NOT_FOUND_USER;
-            }
-            throw new FinderException( errCode, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "findByKey orgUnitName [" + entity.getName() + "] type [" + entity.getType()
-                + "] dn [" + dn + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( entity.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_READ_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_READ_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return oe;
-    }
-
-
-    /**
-     * @param orgUnit
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<OrgUnit> findOrgs( OrgUnit orgUnit ) throws FinderException
-    {
-        List<OrgUnit> orgUnitList = new ArrayList<>();
-        LdapConnection ld = null;
-        String orgUnitRoot = getOrgRoot( orgUnit );
-
-        try
-        {
-            String searchVal = encodeSafeText( orgUnit.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
-                + GlobalIds.OU + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, orgUnitRoot,
-                SearchScope.ONELEVEL, filter, ORGUNIT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                orgUnitList
-                    .add( getEntityFromLdapEntry( searchResults.getEntry(), sequence++, orgUnit.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findOrgs search val [" + orgUnit.getName() + "] type [" + orgUnit.getType()
-                + "] root [" + orgUnitRoot + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findOrgs search val [" + orgUnit.getName() + "] type [" + orgUnit.getType()
-                + "] root [" + orgUnitRoot + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_SEARCH_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return orgUnitList;
-    }
-
-
-    /**
-     *
-     * @param orgUnit
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getOrgs( OrgUnit orgUnit ) throws FinderException
-    {
-        Set<String> ouSet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-        LdapConnection ld = null;
-        String orgUnitRoot = getOrgRoot( orgUnit );
-
-        try
-        {
-            String filter = "(objectclass=" + ORGUNIT_OBJECT_CLASS_NM + ")";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, orgUnitRoot,
-                SearchScope.ONELEVEL, filter, ORGUNIT_ATR, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                ouSet.add( getAttribute( searchResults.getEntry(), GlobalIds.OU ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getOrgs type [" + orgUnit.getType() + "] root [" + orgUnitRoot
-                + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getOrgs type [" + orgUnit.getType() + "] root [" + orgUnitRoot
-                + "] caught LdapException=" + e;
-            int errCode;
-
-            if ( orgUnit.getType() == OrgUnit.Type.PERM )
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_PERM;
-            }
-            else
-            {
-                errCode = GlobalErrIds.ORG_GET_FAILED_USER;
-            }
-
-            throw new FinderException( errCode, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return ouSet;
-    }
-
-
-    /**
-      *
-      * @param orgUnit
-      * @return
-      * @throws FinderException
-      */
-    public final List<Graphable> getAllDescendants( OrgUnit orgUnit ) throws FinderException
-    {
-        String orgUnitRoot = getOrgRoot( orgUnit );
-        String[] DESC_ATRS =
-            { GlobalIds.OU, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LdapConnection ld = null;
-        String filter = null;
-
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + ORGUNIT_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, orgUnitRoot,
-                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, orgUnit.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return descendants;
-    }
-
-
-    /**
-     * @param orgUnit
-     * @return
-     */
-    private String getDn( OrgUnit orgUnit )
-    {
-        String dn = null;
-
-        switch ( orgUnit.type )
-        {
-            case USER:
-                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
-                    + getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
-                break;
-
-            case PERM:
-                dn = GlobalIds.OU + "=" + orgUnit.getName() + ","
-                    + getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
-                break;
-
-            default:
-                String warning = "getDn invalid type";
-                LOG.warn( warning );
-                break;
-        }
-
-        return dn;
-    }
-
-
-    /**
-     *
-     * @param orgUnit
-     * @return
-     */
-    private String getOrgRoot( OrgUnit orgUnit )
-    {
-        String dn = null;
-
-        switch ( orgUnit.type )
-        {
-            case USER:
-                dn = getRootDn( orgUnit.getContextId(), GlobalIds.OSU_ROOT );
-                break;
-
-            case PERM:
-                dn = getRootDn( orgUnit.getContextId(), GlobalIds.PSU_ROOT );
-                break;
-
-            default:
-                String warning = "getOrgRootDn invalid type";
-                LOG.warn( warning );
-                break;
-        }
-
-        return dn;
-    }
-
-
-    /**
-    *
-    * @param le
-    * @param sequence
-    * @param contextId
-    * @return
-     * @throws LdapInvalidAttributeValueException 
-    * @throws LdapException
-    */
-    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        OrgUnit entity = new ObjectFactory().createOrgUnit();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, GlobalIds.OU ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @param contextId
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private OrgUnit getEntityFromLdapEntry( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        OrgUnit entity = new ObjectFactory().createOrgUnit();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setName( getAttribute( le, GlobalIds.OU ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        String dn = le.getDn().getName();
-
-        if ( dn.contains( getRootDn( contextId, GlobalIds.PSU_ROOT ) ) )
-        {
-            entity.setType( OrgUnit.Type.PERM );
-            //entity.setParents(PsoUtil.getParents(entity.getName().toUpperCase(), contextId));
-            entity.setChildren( PsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        }
-        else if ( dn.contains( getRootDn( contextId, GlobalIds.OSU_ROOT ) ) )
-        {
-            entity.setType( OrgUnit.Type.USER );
-            //entity.setParents(UsoUtil.getParents(entity.getName().toUpperCase(), contextId));
-            entity.setChildren( UsoUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        }
-
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-
-        return entity;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PermDAO.java
deleted file mode 100755
index 896ee12..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/PermDAO.java
+++ /dev/null
@@ -1,1513 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.io.UnsupportedEncodingException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapAttributeInUseException;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.AdminRoleUtil;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PermObj;
-import org.apache.directory.fortress.core.rbac.Permission;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-
-/**
- * Permission data access class for LDAP. 
- * <p/>
- * This DAO class maintains the PermObj and Permission entities.
- * <h3>The Fortress PermObj Entity Class is a composite of 3 LDAP Schema object classes</h2>
- * <h4>PermObj Base - ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.2</code>
- * <li> <code>NAME 'ftObject'</code>
- * <li> <code>DESC 'Fortress Permission Object Class'</code>
- * <li> <code>SUP organizationalunit</code>                                              GlobalIds
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST (</code>
- * <li> <code>ftId $ ftObjNm ) </code>
- * <li> <code>MAY ( ftType ) )  </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h3>The Fortress Permission Entity Class is composite of 3 LDAP Schema object classes</h3>
- * The Permission entity extends a single OpenLDAP standard structural object class, 'organizationalRole' with
- * one extension structural class, ftOperation,  and two auxiliary object classes, ftProperties, ftMods.
- * The following 4 LDAP object classes will be mapped into this entity:
- * <h4>Permission Base - 'ftOperation' STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked</h4>
- * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.3</code>
- * <li> <code>NAME 'ftOperation'</code>
- * <li> <code>DESC 'Fortress Permission Operation Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftPermName $</code>
- * <li> <code>ftObjNm $ ftOpNm )</code>
- * <li> <code>MAY ( ftRoles $ ftUsers $</code>
- * <li> <code> ftObjId $ ftType) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public final class PermDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.PermDAO
-{
-    /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr PERMISSION STATICS
-      *  ************************************************************************
-      */
-    private static final String TYPE = "ftType";
-    private static final String PERM_OBJ_OBJECT_CLASS_NAME = "ftObject";
-    private static final String PERM_OP_OBJECT_CLASS_NAME = "ftOperation";
-
-    private static final String PERM_OBJ_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            "organizationalunit",
-            PERM_OBJ_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String PERM_OP_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            "organizationalrole",
-            PERM_OP_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String PERM_NAME = "ftPermName";
-    private static final String POBJ_ID = "ftObjId";
-    private static final String ROLES = "ftRoles";
-    private static final String USERS = "ftUsers";
-    private static final String[] PERMISSION_OP_ATRS =
-        {
-            GlobalIds.FT_IID, PERM_NAME, GlobalIds.POBJ_NAME, GlobalIds.POP_NAME, GlobalIds.DESC, GlobalIds.OU,
-            POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS
-    };
-
-    private static final String[] PERMISION_OBJ_ATRS =
-        {
-            GlobalIds.FT_IID, GlobalIds.POBJ_NAME, GlobalIds.DESC, GlobalIds.OU, TYPE,
-            GlobalIds.PROPS
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final PermObj createObject( PermObj entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-            entry.add( GlobalIds.OBJECT_CLASS, PERM_OBJ_OBJ_CLASS );
-            entry.add( GlobalIds.POBJ_NAME, entity.getObjName() );
-
-            // this will generatre a new random, unique id on this entity:
-            entity.setInternalId();
-
-            // create the rDN:
-            entry.add( GlobalIds.FT_IID, entity.getInternalId() );
-
-            // ou is required:
-            entry.add( GlobalIds.OU, entity.getOu() );
-
-            // description is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // type is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                entry.add( TYPE, entity.getType() );
-            }
-
-            // props are optional as well:
-            //if the props is null don't try to load these attributes
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), entry, GlobalIds.PROPS );
-            }
-
-            // now add the new entry to directory:
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-            entity.setDn( dn );
-        }
-        catch ( LdapException e )
-        {
-            String error = "createObject perm obj [" + entity.getObjName() + "] caught LdapException="
-                + e.getMessage();
-            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final PermObj updateObj( PermObj entity )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.OU, entity.getOu() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, TYPE, entity.getType() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-            }
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-                entity.setDn( dn );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "updateObj objName [" + entity.getObjName() + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final void deleteObj( PermObj entity ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            deleteRecursive( ld, dn, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteObj objName [" + entity.getObjName() + "] caught LdapException="
-                + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "deleteObj objName [" + entity.getObjName() + "] caught LdapException="
-                + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final Permission createOperation( Permission entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-
-            entry.add( GlobalIds.OBJECT_CLASS, PERM_OP_OBJ_CLASS );
-            entry.add( GlobalIds.POP_NAME, entity.getOpName() );
-            entry.add( GlobalIds.POBJ_NAME, entity.getObjName() );
-            entity.setAbstractName( entity.getObjName() + "." + entity.getOpName() );
-
-            // this will generate a new random, unique id on this entity:
-            entity.setInternalId();
-
-            // create the internal id:
-            entry.add( GlobalIds.FT_IID, entity.getInternalId() );
-
-            // description is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                entry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // the abstract name is the human readable identifier:
-            entry.add( PERM_NAME, entity.getAbstractName() );
-
-            // organizational name requires CN attribute:
-            entry.add( GlobalIds.CN, entity.getAbstractName() );
-
-            // objectid is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getObjId() ) )
-            {
-                entry.add( POBJ_ID, entity.getObjId() );
-            }
-
-            // type is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                entry.add( TYPE, entity.getType() );
-            }
-
-            // These are multi-valued attributes, use the util function to load:
-            // These items are optional as well.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getRoles(), entry, ROLES );
-            loadAttrs( entity.getUsers(), entry, USERS );
-
-            // props are optional as well:
-            //if the props is null don't try to load these attributes
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), entry, GlobalIds.PROPS );
-            }
-
-            // now add the new entry to directory:
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-            entity.setDn( dn );
-        }
-        catch ( LdapException e )
-        {
-            String error = "createOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Permission updateOperation( Permission entity )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getAbstractName() ) )
-            {
-                // the abstract name is the human readable identifier:
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, PERM_NAME, entity.getAbstractName() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, TYPE, entity.getType() ) );
-            }
-
-            // These are multi-valued attributes, use the util function to load:
-            loadAttrs( entity.getRoles(), mods, ROLES );
-            loadAttrs( entity.getUsers(), mods, USERS );
-            loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-                entity.setDn( dn );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "updateOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final void deleteOperation( Permission entity ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getOpRdn( entity.getOpName(), entity.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + entity.getObjName() + "," + getRootDn( entity.isAdmin(), entity.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            deleteRecursive( ld, dn, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "deleteOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void grant( Permission pOp, Role role )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE, ROLES, role.getName() ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LdapAttributeInUseException e )
-        {
-            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] role [" + role.getName() + "] assignment already exists, Fortress rc="
-                + GlobalErrIds.PERM_ROLE_EXIST;
-            throw new UpdateException( GlobalErrIds.PERM_ROLE_EXIST, warning );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] role [" + role.getName() + "] perm not found, Fortress rc="
-                + GlobalErrIds.PERM_OP_NOT_FOUND;
-            throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] name [" + role.getName() + "]  caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_GRANT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void revoke( Permission pOp, Role role )
-        throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification(
-                ModificationOperation.REMOVE_ATTRIBUTE, ROLES, role.getName() ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LdapNoSuchAttributeException e )
-        {
-            String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] name [" + role.getName() + "] assignment does not exist.";
-            throw new FinderException( GlobalErrIds.PERM_ROLE_NOT_EXIST, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] name [" + role.getName() + "] caught LdapException=" +
-                e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void grant( Permission pOp, User user )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE, USERS, user.getUserId() ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LdapAttributeInUseException e )
-        {
-            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment already exists, Fortress rc="
-                + GlobalErrIds.PERM_USER_EXIST;
-
-            throw new UpdateException( GlobalErrIds.PERM_USER_EXIST, warning );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] userId [" + user.getUserId() + "] perm not found, Fortress rc="
-                + GlobalErrIds.PERM_OP_NOT_FOUND;
-            throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "grant perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_GRANT_USER_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void revoke( Permission pOp, User user )
-        throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE,
-                USERS, user.getUserId() ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LdapNoSuchAttributeException e )
-        {
-            String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment does not exist.";
-            throw new FinderException( GlobalErrIds.PERM_USER_NOT_EXIST, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final Permission getPerm( Permission permission )
-        throws FinderException
-    {
-        Permission entity = null;
-        LdapConnection ld = null;
-        String dn = getOpRdn( permission.getOpName(), permission.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + permission.getObjName() + "," + getRootDn( permission.isAdmin(), permission.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, PERMISSION_OP_ATRS );
-            entity = unloadPopLdapEntry( findEntry, 0, permission.isAdmin() );
-
-            if ( entity == null )
-            {
-                String warning = "getPerm no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getPerm Op COULD NOT FIND ENTRY for dn [" + dn + "]";
-            throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getUser [" + dn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final PermObj getPerm( PermObj permObj )
-        throws FinderException
-    {
-        PermObj entity = null;
-        LdapConnection ld = null;
-        String dn = GlobalIds.POBJ_NAME + "=" + permObj.getObjName() + ","
-            + getRootDn( permObj.isAdmin(), permObj.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, PERMISION_OBJ_ATRS );
-            entity = unloadPobjLdapEntry( findEntry, 0,permObj.isAdmin() );
-
-            if ( entity == null )
-            {
-                String warning = "getPerm Obj no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getPerm Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-            throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getPerm Obj dn [" + dn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_READ_OBJ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
-     * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
-     * record storage on ldap server but can be disabled.
-     *
-     * @param session contains {@link Session#getUserId()}, for rbac check {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
-     * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link Permission#objId} is optional.
-     * @return boolean containing result of check.
-     * @throws org.apache.directory.fortress.core.FinderException
-     *          In the event system error occurs looking up data on ldap server.
-     */
-    public final boolean checkPermission( Session session, Permission inPerm ) throws FinderException
-    {
-        boolean isAuthZd = false;
-        LdapConnection ld = null;
-        String dn = getOpRdn( inPerm.getOpName(), inPerm.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + inPerm.getObjName() + "," + getRootDn( inPerm.isAdmin(), inPerm.getContextId() );
-
-        try
-        {
-            // Use unauthenticated connection because we want to assert the end user identity onto ldap hop:
-            ld = getUserConnection();
-
-            // LDAP Operation #1: Read the targeted permission from ldap server
-            //LDAPEntry entry = read(ld, dn, PERMISSION_OP_ATRS, session.getUser().getDn());
-            Entry entry = read( ld, dn, PERMISSION_OP_ATRS );
-            if(entry == null)
-            {
-                // if permission not found, cannot continue.
-                String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
-                throw new FinderException( GlobalErrIds.PERM_NOT_EXIST, error );
-            }
-
-            // load the permission entity with data retrieved from the permission node:
-            Permission outPerm = unloadPopLdapEntry( entry, 0, inPerm.isAdmin() );
-
-            // The admin flag will be set to 'true' if this is an administrative permission:
-            outPerm.setAdmin( inPerm.isAdmin() );
-
-            // Pass the tenant id along:
-            outPerm.setContextId( inPerm.getContextId() );
-
-            // The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a write to slapd access logger containing the result.
-            // The objectClass triggered by slapd access log write for upcoming ldap op is 'auditCompare'.
-            // Set this attribute either with actual operation name that will succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
-            String attributeValue;
-
-            // This method determines if the user is authorized for this permission:
-            isAuthZd = isAuthorized( session, outPerm );
-
-            // This is done to leave an audit trail in ldap server log:
-            if ( isAuthZd )
-            {
-                // Yes, set the operation name onto this attribute for storage into audit trail:
-                attributeValue = outPerm.getOpName();
-            }
-            else
-            {
-                // No, set a simple error message onto this attribute for storage into audit trail:
-                attributeValue = "AuthZ Failed";
-            }
-
-            // There is a switch in fortress config to disable audit ops like this one.
-            // But if used the compare method will use OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection.
-            // LDAP Operation #2: Compare.
-            addAuthZAudit( ld, dn, session.getUser().getDn(), attributeValue );
-        }
-        catch ( LdapException e )
-        {
-            if ( !( e instanceof LdapNoSuchObjectException ) )
-            {
-                String error = "checkPermission caught LdapException=" + e.getMessage();
-                throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
-            }
-
-            // There is a switch in fortress config to disable the audit ops.
-            addAuthZAudit( ld, dn, session.getUser().getDn(), "AuthZ Invalid" );
-        }
-        finally
-        {
-            closeUserConnection( ld );
-        }
-
-        return isAuthZd;
-    }
-
-
-    /**
-     * Perform LDAP compare operation here to associate audit record with user authorization event.
-     *
-     * @param ld this method expects the ldap connection to be good
-     * @param permDn contains distinguished name of the permission object.
-     * @param userDn contains the distinguished name of the user object.
-     * @param attributeValue string value will be associated with the 'audit' record stored in ldap.
-     * @throws FinderException in the event ldap system exception occurs.
-     */
-    private void addAuthZAudit( LdapConnection ld, String permDn, String userDn, String attributeValue )
-        throws FinderException
-    {
-        // Audit can be turned off here with fortress config param: 'enable.audit=false'
-        if ( GlobalIds.IS_AUDIT && GlobalIds.IS_OPENLDAP )
-        {
-            try
-            {
-                // The compare method uses OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection:
-                // LDAP Operation #2: Compare:
-                compareNode( ld, permDn, userDn, new DefaultAttribute( GlobalIds.POP_NAME, attributeValue ) );
-            }
-            catch ( UnsupportedEncodingException ee )
-            {
-                String error = "addAuthZAudit caught UnsupportedEncodingException=" + ee.getMessage();
-                throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, ee );
-            }
-            catch ( LdapException e )
-            {
-                if ( !( e instanceof LdapNoSuchObjectException ) )
-                {
-                    String error = "addAuthZAudit caught LdapException=" + e.getMessage();
-                    throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, e );
-                }
-            }
-        }
-    }
-
-
-    /**
-     * This function will first compare the userId from the session object with the list of users attached to permission object.
-     * If match does not occur there, determine if there is a match between the authorized roles of user with roles attached to permission object.
-     * For this use {@link org.apache.directory.fortress.core.rbac.Permission#isAdmin()} to determine if admin permissions or normal permissions have been passed in by caller.
-     *
-     * @param session contains the {@link org.apache.directory.fortress.core.rbac.Session#getUserId()},{@link Session#getRoles()} or {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
-     * @param permission contains {@link org.apache.directory.fortress.core.rbac.Permission#getUsers()} and {@link Permission#getRoles()}.
-     * @return binary result.
-     */
-    private boolean isAuthorized( Session session, Permission permission )
-    {
-        boolean result = false;
-        Set<String> userIds = permission.getUsers();
-
-        if ( VUtil.isNotNullOrEmpty( userIds ) && userIds.contains( session.getUserId() ) )
-        {
-            // user is assigned directly to this permission, no need to look further.
-            return true;
-        }
-
-        Set<String> roles = permission.getRoles();
-
-        if ( VUtil.isNotNullOrEmpty( roles ) )
-        {
-            if ( permission.isAdmin() )
-            {
-                // ARBAC Permission check include's User's inherited admin roles:
-                Set<String> activatedRoles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(),
-                    permission.getContextId() );
-
-                for ( String role : roles )
-                {
-                    // This is case insensitive op determines if user has matching admin role to the admin permission::
-                    if ( activatedRoles.contains( role ) )
-                    {
-                        result = true;
-                        break;
-                    }
-                }
-            }
-            else
-            {
-                // RBAC Permission check include's User's inherited roles:
-                Set<String> activatedRoles = RoleUtil.getInheritedRoles( session.getRoles(), permission.getContextId() );
-
-                for ( String role : roles )
-                {
-                    // This is case insensitive op determines if user has matching role:
-                    if ( activatedRoles.contains( role ) )
-                    {
-                        result = true;
-                        break;
-                    }
-                }
-            }
-        }
-
-        return result;
-    }
-
-
-    /**
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private Permission unloadPopLdapEntry( Entry le, long sequence, boolean isAdmin ) throws LdapInvalidAttributeValueException
-    {
-        Permission entity = new ObjectFactory().createPermission();
-        entity.setSequenceId( sequence );
-        entity.setAbstractName( getAttribute( le, PERM_NAME ) );
-        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
-        entity.setObjId( getAttribute( le, POBJ_ID ) );
-        entity.setOpName( getAttribute( le, GlobalIds.POP_NAME ) );
-        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setRoles( getAttributeSet( le, ROLES ) );
-        entity.setUsers( getAttributeSet( le, USERS ) );
-        entity.setType( getAttribute( le, TYPE ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
-        entity.setAdmin( isAdmin );
-
-        // TODO: find out the correct way to do this:
-        if(le != null)
-        {
-            entity.setDn( le.getDn().getNormName() );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private PermObj unloadPobjLdapEntry( Entry le, long sequence, boolean isAdmin ) throws LdapInvalidAttributeValueException
-    {
-        PermObj entity = new ObjectFactory().createPermObj();
-        entity.setSequenceId( sequence );
-        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
-        entity.setOu( getAttribute( le, GlobalIds.OU ) );
-        entity.setDn( le.getDn().getName() );
-        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setType( getAttribute( le, TYPE ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
-        entity.setAdmin( isAdmin );
-        return entity;
-    }
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Permission permission )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( permission.isAdmin(), permission.getContextId() );
-
-        try
-        {
-            String permObjVal = encodeSafeText( permission.getObjName(), GlobalIds.PERM_LEN );
-            String permOpVal = encodeSafeText( permission.getOpName(), GlobalIds.PERM_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*)("
-                + GlobalIds.POP_NAME + "=" + permOpVal + "*))";
-
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, permission.isAdmin() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<PermObj> findPermissions( PermObj permObj )
-        throws FinderException
-    {
-        List<PermObj> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( permObj.isAdmin(), permObj.getContextId() );
-
-        try
-        {
-            String permObjVal = encodeSafeText( permObj.getObjName(), GlobalIds.PERM_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPobjLdapEntry( searchResults.getEntry(), sequence++, permObj.isAdmin() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param ou
-     * @return
-     * @throws FinderException
-     */
-    public final List<PermObj> findPermissions( OrgUnit ou, boolean limitSize ) throws FinderException
-    {
-        List<PermObj> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( ou.getContextId(), GlobalIds.PERM_ROOT );
-
-        try
-        {
-            String ouVal = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.OU + "=" + ouVal + "*))";
-            int maxLimit;
-
-            if ( limitSize )
-            {
-                maxLimit = 10;
-            }
-            else
-            {
-                maxLimit = 0;
-            }
-
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPobjLdapEntry( searchResults.getEntry(), sequence++, false ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Role role ) throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot;
-
-        boolean isAdmin = false;
-        if ( role.getClass().equals( AdminRole.class ) )
-        {
-            permRoot = getRootDn( role.getContextId(), GlobalIds.ADMIN_PERM_ROOT );
-            isAdmin = true;
-        }
-        else
-        {
-            permRoot = getRootDn( role.getContextId(), GlobalIds.PERM_ROOT );
-        }
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(";
-            Set<String> roles;
-
-            if ( role.getClass().equals( AdminRole.class ) )
-            {
-                roles = AdminRoleUtil.getAscendants( role.getName(), role.getContextId() );
-            }
-            else
-            {
-                roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + ROLES + "=" + roleVal + ")";
-
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-
-                filter += ")";
-            }
-            else
-            {
-                filter += ROLES + "=" + roleVal + ")";
-            }
-
-            filter += ")";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, isAdmin ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_ROLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( User user ) throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
-            Set<String> roles = RoleUtil.getInheritedRoles( user.getRoles(), user.getContextId() );
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-            }
-
-            filter += "(" + USERS + "=" + user.getUserId() + ")))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++,false ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions user [" + user.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions user [" + user.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findUserPermissions( User user ) throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")";
-            filter += "(" + USERS + "=" + user.getUserId() + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, false ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findUserPermissions user [" + user.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findUserPermissions user [" + user.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param session
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Session session, boolean isAdmin ) throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LdapConnection ld = null;
-        String permRoot = getRootDn( isAdmin, session.getContextId() );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
-            filter += "(" + USERS + "=" + session.getUserId() + ")";
-            Set<String> roles;
-            if(isAdmin)
-            {
-                roles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(), session.getContextId() );
-            }
-            else
-            {
-                roles = RoleUtil.getInheritedRoles( session.getRoles(), session.getContextId() );
-            }
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-            }
-
-            filter += "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, permRoot,
-                SearchScope.SUBTREE, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.getEntry(), sequence++, isAdmin ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findPermissions user [" + session.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SESS_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findPermissions user [" + session.getUserId()
-                + "] caught LdapException in PermDAO.findPermissions=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SESS_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return permList;
-    }
-
-
-    /**
-     * @param opName
-     * @param objId
-     * @return
-     */
-    static String getOpRdn( String opName, String objId )
-    {
-        String rDn;
-
-        if ( objId != null && objId.length() > 0 )
-        {
-            rDn = GlobalIds.POP_NAME + "=" + opName + "+" + POBJ_ID + "=" + objId;
-        }
-        else
-        {
-            rDn = GlobalIds.POP_NAME + "=" + opName;
-        }
-
-        return rDn;
-    }
-
-
-    private String getDn( Permission pOp, String contextId )
-    {
-        return getOpRdn( pOp.getOpName(), pOp.getObjId() ) + "," + GlobalIds.POBJ_NAME + "=" + pOp.getObjName()
-            + "," + getRootDn( pOp.isAdmin(), contextId );
-    }
-
-
-    private String getDn( PermObj pObj, String contextId )
-    {
-        return GlobalIds.POBJ_NAME + "=" + pObj.getObjName() + "," + getRootDn( pObj.isAdmin(), contextId );
-    }
-
-
-    private String getRootDn( boolean isAdmin, String contextId )
-    {
-        String dn;
-
-        if ( isAdmin )
-        {
-            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
-        }
-        else
-        {
-            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
-        }
-
-        return dn;
-    }
-}
\ No newline at end of file


[04/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PermDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PermDAO.java
deleted file mode 100755
index afdc79a..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PermDAO.java
+++ /dev/null
@@ -1,1405 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.io.UnsupportedEncodingException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.AdminRoleUtil;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PermObj;
-import org.apache.directory.fortress.core.rbac.Permission;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * Permission data access class for LDAP.
- * <p/>
- * This DAO class maintains the PermObj and Permission entities.
- * <h3>The Fortress PermObj Entity Class is a composite of 3 LDAP Schema object classes</h2>
- * <h4>PermObj Base - ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.2</code>
- * <li> <code>NAME 'ftObject'</code>
- * <li> <code>DESC 'Fortress Permission Object Class'</code>
- * <li> <code>SUP organizationalunit</code>                                              GlobalIds
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST (</code>
- * <li> <code>ftId $ ftObjNm ) </code>
- * <li> <code>MAY ( ftType ) )  </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>PermObj - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h3>The Fortress Permission Entity Class is composite of 3 LDAP Schema object classes</h3>
- * The Permission entity extends a single OpenLDAP standard structural object class, 'organizationalRole' with
- * one extension structural class, ftOperation,  and two auxiliary object classes, ftProperties, ftMods.
- * The following 4 LDAP object classes will be mapped into this entity:
- * <h4>Permission Base - 'ftOperation' STRUCTURAL Object Class is assigned roles and/or users which grants permissions which can be later checked</h4>
- * using either 'checkAccess' or 'sessionPermissions APIs both methods that reside in the 'AccessMgrImpl' class.
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.3</code>
- * <li> <code>NAME 'ftOperation'</code>
- * <li> <code>DESC 'Fortress Permission Operation Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftPermName $</code>
- * <li> <code>ftObjNm $ ftOpNm )</code>
- * <li> <code>MAY ( ftRoles $ ftUsers $</code>
- * <li> <code> ftObjId $ ftType) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftProperties AUXILIARY Object Class is used to store optional client or otherwise custom name/value pairs on target entity.</h4>
- * <code>This aux object class can be used to store custom attributes.</code><br />
- * <code>The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>Permission Aux - ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * This class is thread safe.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public final class PermDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.PermDAO
-{
-    /*
-          *  *************************************************************************
-          *  **  OpenAccessMgr PERMISSION STATICS
-          *  ************************************************************************
-          */
-    private static final String TYPE = "ftType";
-    private static final String PERM_OBJ_OBJECT_CLASS_NAME = "ftObject";
-    private static final String PERM_OP_OBJECT_CLASS_NAME = "ftOperation";
-
-    private static final String PERM_OBJ_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            "organizationalunit",
-            PERM_OBJ_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String PERM_OP_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            "organizationalrole",
-            PERM_OP_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String PERM_NAME = "ftPermName";
-    private static final String POBJ_ID = "ftObjId";
-    private static final String ROLES = "ftRoles";
-    private static final String USERS = "ftUsers";
-    private static final String[] PERMISSION_OP_ATRS =
-        {
-            GlobalIds.FT_IID, PERM_NAME, GlobalIds.POBJ_NAME, GlobalIds.POP_NAME, GlobalIds.DESC, GlobalIds.OU,
-            POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS
-    };
-
-    private static final String[] PERMISION_OBJ_ATRS =
-        {
-            GlobalIds.FT_IID, GlobalIds.POBJ_NAME, GlobalIds.DESC, GlobalIds.OU, TYPE,
-            GlobalIds.PROPS
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final PermObj createObject( PermObj entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, PERM_OBJ_OBJ_CLASS ) );
-            attrs.add( createAttribute( GlobalIds.POBJ_NAME, entity.getObjName() ) );
-
-            // this will generatre a new random, unique id on this entity:
-            entity.setInternalId();
-            // create the rDN:
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getInternalId() ) );
-            // ou is required:
-            attrs.add( createAttribute( GlobalIds.OU, entity.getOu() ) );
-
-            // description is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-            // type is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                attrs.add( createAttribute( TYPE, entity.getType() ) );
-            }
-            // props are optional as well:
-            //if the props is null don't try to load these attributes
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), attrs, GlobalIds.PROPS );
-            }
-
-            // create the new entry:
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            entity.setDn( dn );
-
-            // now add the new entry to directory:
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "createObject perm obj [" + entity.getObjName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final PermObj updateObj( PermObj entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                LDAPAttribute ou = new LDAPAttribute( GlobalIds.OU, entity.getOu() );
-                mods.add( LDAPModification.REPLACE, ou );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC,
-                    entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                LDAPAttribute type = new LDAPAttribute( TYPE,
-                    entity.getType() );
-                mods.add( LDAPModification.REPLACE, type );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-            }
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-                entity.setDn( dn );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "updateObj objName [" + entity.getObjName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final void deleteObj( PermObj entity )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            deleteRecursive( ld, dn, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deleteObj objName [" + entity.getObjName() + "] caught LDAPException="
-                + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final Permission createOperation( Permission entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, PERM_OP_OBJ_CLASS ) );
-            attrs.add( createAttribute( GlobalIds.POP_NAME, entity.getOpName() ) );
-            attrs.add( createAttribute( GlobalIds.POBJ_NAME, entity.getObjName() ) );
-            entity.setAbstractName( entity.getObjName() + "." + entity.getOpName() );
-
-            // this will generatre a new random, unique id on this entity:
-            entity.setInternalId();
-            // create the internal id:
-            attrs.add( createAttribute( GlobalIds.FT_IID, entity.getInternalId() ) );
-            // the abstract name is the human readable identifier:
-            attrs.add( createAttribute( PERM_NAME, entity.getAbstractName() ) );
-            // organizational name requires CN attribute:
-            attrs.add( createAttribute( GlobalIds.CN, entity.getAbstractName() ) );
-
-            // objectid is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getObjId() ) )
-            {
-                attrs.add( createAttribute( POBJ_ID, entity.getObjId() ) );
-            }
-            // description is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                attrs.add( createAttribute( GlobalIds.DESC, entity.getDescription() ) );
-            }
-            // type is optional:
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                attrs.add( createAttribute( TYPE, entity.getType() ) );
-            }
-            // These are multi-valued attributes, use the util function to load:
-            // These items are optional as well.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getRoles(), attrs, ROLES );
-            loadAttrs( entity.getUsers(), attrs, USERS );
-
-            // props are optional as well:
-            //if the props is null don't try to load these attributes
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), attrs, GlobalIds.PROPS );
-            }
-            // create the new entry:
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            // now add the new entry to directory:
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-            entity.setDn( dn );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "createOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.PERM_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final Permission updateOperation( Permission entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity, entity.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                LDAPAttribute desc = new LDAPAttribute( GlobalIds.DESC,
-                    entity.getDescription() );
-                mods.add( LDAPModification.REPLACE, desc );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getAbstractName() ) )
-            {
-                // the abstract name is the human readable identifier:
-                LDAPAttribute abstractName = new LDAPAttribute( PERM_NAME,
-                    entity.getAbstractName() );
-                mods.add( LDAPModification.REPLACE, abstractName );
-            }
-            if ( VUtil.isNotNullOrEmpty( entity.getType() ) )
-            {
-                LDAPAttribute type = new LDAPAttribute( TYPE,
-                    entity.getType() );
-                mods.add( LDAPModification.REPLACE, type );
-            }
-
-            // These are multi-valued attributes, use the util function to load:
-            loadAttrs( entity.getRoles(), mods, ROLES );
-            loadAttrs( entity.getUsers(), mods, USERS );
-            loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-                entity.setDn( dn );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "updateOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PERM_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     *
-     */
-    public final void deleteOperation( Permission entity )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getOpRdn( entity.getOpName(), entity.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + entity.getObjName() + "," + getRootDn( entity.isAdmin(), entity.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            deleteRecursive( ld, dn, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "deleteOperation objName [" + entity.getObjName() + "] opName ["
-                + entity.getOpName() + "] caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PERM_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void grant( Permission pOp, Role role )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute attr = new LDAPAttribute( ROLES, role.getName() );
-            mods.add( LDAPModification.ADD, attr );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
-            {
-                String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] role [" + role.getName() + "] assignment already exists, Fortress rc="
-                    + GlobalErrIds.PERM_ROLE_EXIST;
-                throw new UpdateException( GlobalErrIds.PERM_ROLE_EXIST, warning );
-            }
-            else if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] role [" + role.getName() + "] perm not found, Fortress rc="
-                    + GlobalErrIds.PERM_OP_NOT_FOUND;
-                throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-            }
-            else
-            {
-                String error = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] name [" + role.getName() + "]  caught LDAPException="
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.PERM_GRANT_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param role
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void revoke( Permission pOp, Role role )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute attr = new LDAPAttribute( ROLES, role.getName() );
-            mods.add( LDAPModification.DELETE, attr );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_ATTRIBUTE )
-            {
-                String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] name [" + role.getName() + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.PERM_ROLE_NOT_EXIST, warning );
-            }
-            else
-            {
-                String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] name [" + role.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                    + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void grant( Permission pOp, User user )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute attr = new LDAPAttribute( USERS, user.getUserId() );
-            mods.add( LDAPModification.ADD, attr );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS )
-            {
-                String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment already exists, Fortress rc="
-                    + GlobalErrIds.PERM_USER_EXIST;
-                throw new UpdateException( GlobalErrIds.PERM_USER_EXIST, warning );
-            }
-            else if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] userId [" + user.getUserId() + "] perm not found, Fortress rc="
-                    + GlobalErrIds.PERM_OP_NOT_FOUND;
-                throw new UpdateException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-            }
-            else
-            {
-                String error = "grant perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LDAPException="
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.PERM_GRANT_USER_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param pOp
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final void revoke( Permission pOp, User user )
-        throws UpdateException, FinderException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( pOp, pOp.getContextId() );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            LDAPAttribute attr = new LDAPAttribute( USERS, user.getUserId() );
-            mods.add( LDAPModification.DELETE, attr );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, pOp );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_ATTRIBUTE )
-            {
-                String warning = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] userId [" + user.getUserId() + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.PERM_USER_NOT_EXIST, warning );
-            }
-            else
-            {
-                String error = "revoke perm object [" + pOp.getObjName() + "] operation ["
-                    + pOp.getOpName() + "] userId [" + user.getUserId() + "] caught LDAPException="
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new UpdateException( GlobalErrIds.PERM_REVOKE_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final Permission getPerm( Permission permission )
-        throws FinderException
-    {
-        Permission entity = null;
-        LDAPConnection ld = null;
-        String dn = getOpRdn( permission.getOpName(), permission.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + permission.getObjName() + "," + getRootDn( permission.isAdmin(), permission.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, PERMISSION_OP_ATRS );
-            entity = unloadPopLdapEntry( findEntry, 0, permission.isAdmin() );
-            if ( entity == null )
-            {
-                String warning = "getPerm no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getPerm Op COULD NOT FIND ENTRY for dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OP_NOT_FOUND, warning );
-            }
-
-            String error = "getUser [" + dn + "] caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final PermObj getPerm( PermObj permObj )
-        throws FinderException
-    {
-        PermObj entity = null;
-        LDAPConnection ld = null;
-        String dn = GlobalIds.POBJ_NAME + "=" + permObj.getObjName() + ","
-            + getRootDn( permObj.isAdmin(), permObj.getContextId() );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, PERMISION_OBJ_ATRS );
-            entity = unloadPobjLdapEntry( findEntry, 0, permObj.isAdmin() );
-            if ( entity == null )
-            {
-                String warning = "getPerm Obj no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                String warning = "getPerm Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.PERM_OBJ_NOT_FOUND, warning );
-            }
-            String error = "getPerm Obj dn [" + dn + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_READ_OBJ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * This method performs fortress authorization using data passed in (session) and stored on ldap server (permission).  It has been recently changed to use ldap compare operations in order to trigger slapd access log updates in directory.
-     * It performs ldap operations:  read and (optionally) compare.  The first is to pull back the permission to see if user has access or not.  The second is to trigger audit
-     * record storage on ldap server but can be disabled.
-     *
-     * @param session contains {@link Session#getUserId()}, for rbac check {@link org.apache.directory.fortress.core.rbac.Session#getRoles()}, for arbac check: {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
-     * @param inPerm  must contain required attributes {@link Permission#objName} and {@link Permission#opName}.  {@link Permission#objId} is optional.
-     * @return boolean containing result of check.
-     * @throws org.apache.directory.fortress.core.FinderException
-     *          In the event system error occurs looking up data on ldap server.
-     */
-    public final boolean checkPermission( Session session, Permission inPerm )
-        throws FinderException
-    {
-        boolean isAuthZd = false;
-        LDAPConnection ld = null;
-        String dn = getOpRdn( inPerm.getOpName(), inPerm.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
-            + inPerm.getObjName() + "," + getRootDn( inPerm.isAdmin(), inPerm.getContextId() );
-        try
-        {
-            // Use unauthenticated connection because we want to assert the end user identity onto ldap hop:
-            ld = getAdminConnection();
-            // LDAP Operation #1: Read the targeted permission from ldap server
-            LDAPEntry entry = read( ld, dn, PERMISSION_OP_ATRS );
-            if(entry == null)
-            {
-                // if permission not found, cannot continue.
-                String error = "checkPermission DOES NOT EXIST : obj name [" + inPerm.getObjName() + "], obj id [" + inPerm.getObjId() + "], op name [" + inPerm.getOpName() + "], idAdmin [" + inPerm.isAdmin() + "]";
-                throw new FinderException( GlobalErrIds.PERM_NOT_EXIST, error );
-            }
-
-            // load the permission entity with data retrieved from the permission node:
-            Permission outPerm = unloadPopLdapEntry( entry, 0, inPerm.isAdmin() );
-            // The admin flag will be set to 'true' if this is an administrative permission:
-            outPerm.setAdmin( inPerm.isAdmin() );
-            // Pass the tenant id along:
-            outPerm.setContextId( inPerm.getContextId() );
-            // The objective of these next steps is to evaluate the outcome of authorization attempt and trigger a write to slapd access logger containing the result.
-            // The objectClass triggered by slapd access log write for upcoming ldap op is 'auditCompare'.
-            // Set this attribute either with actual operation name that will succeed compare (for authZ success) or bogus value which will fail compare (for authZ failure):
-            String attributeValue;
-            // This method determines if the user is authorized for this permission:
-            isAuthZd = isAuthorized( session, outPerm );
-            // This is done to leave an audit trail in ldap server log:
-            if ( isAuthZd )
-            {
-                // Yes, set the operation name onto this attribute for storage into audit trail:
-                attributeValue = outPerm.getOpName();
-            }
-            else
-            {
-                // No, set a simple error message onto this attribute for storage into audit trail:
-                attributeValue = GlobalIds.AUTH_Z_FAILED;
-            }
-            // There is a switch in fortress config to disable audit ops like this one.
-            // But if used the compare method will use OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection.
-            // LDAP Operation #2: Compare.
-            addAuthZAudit( ld, dn, session.getUser().getDn(), attributeValue );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() != LDAPException.NO_RESULTS_RETURNED
-                && e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT )
-            {
-                String error = "checkPermission caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                    + e.getMessage();
-                throw new FinderException( GlobalErrIds.PERM_READ_OP_FAILED, error, e );
-            }
-            // There is a switch in fortress config to disable the audit ops.
-            addAuthZAudit( ld, dn, session.getUser().getDn(), "AuthZ Invalid" );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return isAuthZd;
-    }
-
-
-    /**
-     * Perform LDAP compare operation here to associate audit record with user authorization event.
-     *
-     * @param ld this method expects the ldap connection to be good
-     * @param permDn contains distinguished name of the permission object.
-     * @param userDn contains the distinguished name of the user object.
-     * @param attributeValue string value will be associated with the 'audit' record stored in ldap.
-     * @throws FinderException in the event ldap system exception occurs.
-     */
-    private void addAuthZAudit( LDAPConnection ld, String permDn, String userDn, String attributeValue )
-        throws FinderException
-    {
-        // Audit can be turned off here with fortress config param: 'enable.audit=false'
-        if ( GlobalIds.IS_AUDIT && GlobalIds.IS_OPENLDAP )
-        {
-            try
-            {
-                // The compare method uses OpenLDAP's Proxy Authorization Control to assert identity of end user onto connection:
-                // LDAP Operation #2: Compare:
-                compareNode( ld, permDn, userDn, createAttribute( GlobalIds.POP_NAME, attributeValue ) );
-            }
-            catch ( UnsupportedEncodingException ee )
-            {
-                String error = "addAuthZAudit caught UnsupportedEncodingException=" + ee.getMessage();
-                throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, ee );
-            }
-            catch ( LDAPException e )
-            {
-                if ( e.getLDAPResultCode() != LDAPException.NO_RESULTS_RETURNED
-                    && e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT )
-                {
-                    String error = "addAuthZAudit caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                        + e.getMessage();
-                    throw new FinderException( GlobalErrIds.PERM_COMPARE_OP_FAILED, error, e );
-                }
-            }
-        }
-    }
-
-
-    /**
-     * This function will first compare the userId from the session object with the list of users attached to permission object.
-     * If match does not occur there, determine if there is a match between the authorized roles of user with roles attached to permission object.
-     * For this use {@link org.apache.directory.fortress.core.rbac.Permission#isAdmin()} to determine if admin permissions or normal permissions have been passed in by caller.
-     *
-     * @param session contains the {@link org.apache.directory.fortress.core.rbac.Session#getUserId()},{@link Session#getRoles()} or {@link org.apache.directory.fortress.core.rbac.Session#getAdminRoles()}.
-     * @param permission contains {@link org.apache.directory.fortress.core.rbac.Permission#getUsers()} and {@link Permission#getRoles()}.
-     * @return binary result.
-     */
-    private boolean isAuthorized( Session session, Permission permission )
-    {
-        boolean result = false;
-        Set<String> userIds = permission.getUsers();
-        if ( VUtil.isNotNullOrEmpty( userIds ) && userIds.contains( session.getUserId() ) )
-        {
-            // user is assigned directly to this permission, no need to look further.
-            return true;
-        }
-        Set<String> roles = permission.getRoles();
-        if ( VUtil.isNotNullOrEmpty( roles ) )
-        {
-            if ( permission.isAdmin() )
-            {
-                // ARBAC Permission check include's User's inherited admin roles:
-                Set<String> activatedRoles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(),
-                    permission.getContextId() );
-                for ( String role : roles )
-                {
-                    // This is case insensitive op determines if user has matching admin role to the admin permission::
-                    if ( activatedRoles.contains( role ) )
-                    {
-                        result = true;
-                        break;
-                    }
-                }
-            }
-            else
-            {
-                // RBAC Permission check include's User's inherited roles:
-                Set<String> activatedRoles = RoleUtil.getInheritedRoles( session.getRoles(), permission.getContextId() );
-                for ( String role : roles )
-                {
-                    // This is case insensitive op determines if user has matching role:
-                    if ( activatedRoles.contains( role ) )
-                    {
-                        result = true;
-                        break;
-                    }
-                }
-            }
-        }
-        return result;
-    }
-
-
-    /**
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LDAPException
-     */
-    private Permission unloadPopLdapEntry( LDAPEntry le, long sequence, boolean isAdmin )
-    {
-        Permission entity = new ObjectFactory().createPermission();
-        entity.setDn( le.getDN() );
-        entity.setSequenceId( sequence );
-        entity.setAbstractName( getAttribute( le, PERM_NAME ) );
-        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
-        entity.setObjId( getAttribute( le, POBJ_ID ) );
-        entity.setOpName( getAttribute( le, GlobalIds.POP_NAME ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setRoles( getAttributeSet( le, ROLES ) );
-        entity.setUsers( getAttributeSet( le, USERS ) );
-        entity.setType( getAttribute( le, TYPE ) );
-        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
-        entity.setAdmin( isAdmin );
-        return entity;
-    }
-
-
-    /**
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LDAPException
-     */
-    private PermObj unloadPobjLdapEntry( LDAPEntry le, long sequence, boolean isAdmin )
-    {
-        PermObj entity = new ObjectFactory().createPermObj();
-        entity.setSequenceId( sequence );
-        entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) );
-        entity.setOu( getAttribute( le, GlobalIds.OU ) );
-        entity.setDn( le.getDN() );
-        entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setType( getAttribute( le, TYPE ) );
-        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
-        entity.addProperties( AttrHelper.getProperties( getAttributes( le, GlobalIds.PROPS ) ) );
-        entity.setAdmin( isAdmin );
-        return entity;
-    }
-
-
-    /**
-     * @param permission
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Permission permission )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( permission.isAdmin(), permission.getContextId() );
-        try
-        {
-            String permObjVal = encodeSafeText( permission.getObjName(), GlobalIds.PERM_LEN );
-            String permOpVal = encodeSafeText( permission.getOpName(), GlobalIds.PERM_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*)("
-                + GlobalIds.POP_NAME + "=" + permOpVal + "*))";
-
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.next(), sequence++, permission.isAdmin() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param permObj
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<PermObj> findPermissions( PermObj permObj )
-        throws FinderException
-    {
-        List<PermObj> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( permObj.isAdmin(), permObj.getContextId() );
-        try
-        {
-            String permObjVal = encodeSafeText( permObj.getObjName(), GlobalIds.PERM_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.POBJ_NAME + "=" + permObjVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPobjLdapEntry( searchResults.next(), sequence++, permObj.isAdmin() ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param ou
-     * @return
-     * @throws FinderException
-     */
-    public final List<PermObj> findPermissions( OrgUnit ou, boolean limitSize )
-        throws FinderException
-    {
-        List<PermObj> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( ou.getContextId(), GlobalIds.PERM_ROOT );
-        try
-        {
-            String ouVal = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OBJ_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.OU + "=" + ouVal + "*))";
-            int maxLimit;
-            if ( limitSize )
-            {
-                maxLimit = 10;
-            }
-            else
-            {
-                maxLimit = 0;
-            }
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISION_OBJ_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPobjLdapEntry( searchResults.next(), sequence++, false ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Role role )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot;
-        boolean isAdmin = false;
-        if ( role.getClass().equals( AdminRole.class ) )
-        {
-            permRoot = getRootDn( role.getContextId(), GlobalIds.ADMIN_PERM_ROOT );
-            isAdmin = true;
-        }
-        else
-        {
-            permRoot = getRootDn( role.getContextId(), GlobalIds.PERM_ROOT );
-        }
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.ROLE_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(";
-            Set<String> roles;
-            if ( role.getClass().equals( AdminRole.class ) )
-            {
-                roles = AdminRoleUtil.getAscendants( role.getName(), role.getContextId() );
-            }
-            else
-            {
-                roles = RoleUtil.getAscendants( role.getName(), role.getContextId() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + ROLES + "=" + roleVal + ")";
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-                filter += ")";
-            }
-            else
-            {
-                filter += ROLES + "=" + roleVal + ")";
-            }
-            filter += ")";
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.next(), sequence++, isAdmin ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions caught LDAPException=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_ROLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( User user )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
-            Set<String> roles = RoleUtil.getInheritedRoles( user.getRoles(), user.getContextId() );
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-            }
-            filter += "(" + USERS + "=" + user.getUserId() + ")))";
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.next(), sequence++, false ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions user [" + user.getUserId()
-                + "] caught LDAPException in PermDAO.findPermissions=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findUserPermissions( User user )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( user.getContextId(), GlobalIds.PERM_ROOT );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")";
-            filter += "(" + USERS + "=" + user.getUserId() + "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.next(), sequence++, false ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findUserPermissions user [" + user.getUserId()
-                + "] caught LDAPException in PermDAO.findPermissions=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_USER_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param session
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<Permission> findPermissions( Session session, boolean isAdmin )
-        throws FinderException
-    {
-        List<Permission> permList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String permRoot = getRootDn( isAdmin, session.getContextId() );
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + PERM_OP_OBJECT_CLASS_NAME + ")(|";
-            filter += "(" + USERS + "=" + session.getUserId() + ")";
-            //Set<String> roles = RoleUtil.getInheritedRoles( session.getRoles(), session.getContextId() );
-            Set<String> roles;
-            if(isAdmin)
-            {
-                roles = AdminRoleUtil.getInheritedRoles( session.getAdminRoles(), session.getContextId() );
-            }
-            else
-            {
-                roles = RoleUtil.getInheritedRoles( session.getRoles(), session.getContextId() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String uRole : roles )
-                {
-                    filter += "(" + ROLES + "=" + uRole + ")";
-                }
-            }
-            filter += "))";
-            ld = getAdminConnection();
-            searchResults = search( ld, permRoot,
-                LDAPConnection.SCOPE_SUB, filter, PERMISSION_OP_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                permList.add( unloadPopLdapEntry( searchResults.next(), sequence++, isAdmin ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPermissions user [" + session.getUserId()
-                + "] caught LDAPException in PermDAO.findPermissions=" + e.getLDAPResultCode() + " msg="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.PERM_SESS_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return permList;
-    }
-
-
-    /**
-     * @param opName
-     * @param objId
-     * @return
-     */
-    static String getOpRdn( String opName, String objId )
-    {
-        String rDn;
-        if ( objId != null && objId.length() > 0 )
-            rDn = GlobalIds.POP_NAME + "=" + opName + "+" + POBJ_ID + "=" + objId;
-        else
-            rDn = GlobalIds.POP_NAME + "=" + opName;
-        return rDn;
-    }
-
-
-    private String getDn( Permission pOp, String contextId )
-    {
-        return getOpRdn( pOp.getOpName(), pOp.getObjId() ) + "," + GlobalIds.POBJ_NAME + "=" + pOp.getObjName()
-            + "," + getRootDn( pOp.isAdmin(), contextId );
-    }
-
-
-    private String getDn( PermObj pObj, String contextId )
-    {
-        return GlobalIds.POBJ_NAME + "=" + pObj.getObjName() + "," + getRootDn( pObj.isAdmin(), contextId );
-    }
-
-
-    private String getRootDn( boolean isAdmin, String contextId )
-    {
-        String dn;
-        if ( isAdmin )
-        {
-            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
-        }
-        else
-        {
-            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
-        }
-        return dn;
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PolicyDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PolicyDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PolicyDAO.java
deleted file mode 100755
index 33bda6d..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/unboundid/PolicyDAO.java
+++ /dev/null
@@ -1,623 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.unboundid;
-
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.UnboundIdDataProvider;
-import org.apache.directory.fortress.core.rbac.PwPolicy;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttribute;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPAttributeSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPConnection;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPEntry;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModification;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPModificationSet;
-import com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPSearchResults;
-
-
-/**
- * This DAO class maintains the OpenLDAP Password Policy entity which is a composite of the following structural and aux object classes:
- * <h4>1. organizationalRole Structural Object Class is used to store basic attributes like cn and description</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code> objectclass ( 2.5.6.14 NAME 'device'</code>
- * <li> <code>DESC 'RFC2256: a device'</code>
- * <li> <code>SUP top STRUCTURAL</code>
- * <li> <code>MUST cn</code>
- * <li> <code>MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. pwdPolicy AUXILIARY Object Class is used to store OpenLDAP Password Policies</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1</code>
- * <li> <code>NAME 'pwdPolicy'</code>
- * <li> <code>SUP top</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( pwdAttribute )</code>
- * <li> <code>MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $</code>
- * <li> <code>pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $</code>
- * <li> <code>pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $</code>
- * <li> <code>pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )</code>
- * <li> <code></code>
- * <li> <code></code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- */
-public final class PolicyDAO extends UnboundIdDataProvider implements org.apache.directory.fortress.core.rbac.dao.PolicyDAO
-{
-    /*
-      *  *************************************************************************
-      *  **  OPENLDAP PW POLICY ATTRIBUTES AND CONSTANTS
-      *  ************************************************************************
-      */
-    private static final String OLPW_POLICY_EXTENSION = "2.5.4.35";
-    private static final String OLPW_POLICY_CLASS = "pwdPolicy";
-    /**
-     * This object class combines OpenLDAP PW Policy schema with the Fortress audit context.
-     */
-    private static final String OAM_PWPOLICY_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP, "device", OLPW_POLICY_CLASS, GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-
-    private static final String OLPW_ATTRIBUTE = "pwdAttribute";
-    private static final String OLPW_MIN_AGE = "pwdMinAge";
-    private static final String OLPW_MAX_AGE = "pwdMaxAge";
-    private static final String OLPW_IN_HISTORY = "pwdInHistory";
-    private static final String OLPW_CHECK_QUALITY = "pwdCheckQuality";
-    private static final String OLPW_MIN_LENGTH = "pwdMinLength";
-    private static final String OLPW_EXPIRE_WARNING = "pwdExpireWarning";
-    private static final String OLPW_GRACE_LOGIN_LIMIT = "pwdGraceAuthNLimit";
-    private static final String OLPW_LOCKOUT = "pwdLockout";
-    private static final String OLPW_LOCKOUT_DURATION = "pwdLockoutDuration";
-    private static final String OLPW_MAX_FAILURE = "pwdMaxFailure";
-    private static final String OLPW_FAILURE_COUNT_INTERVAL = "pwdFailureCountInterval";
-    private static final String OLPW_MUST_CHANGE = "pwdMustChange";
-    private static final String OLPW_ALLOW_USER_CHANGE = "pwdAllowUserChange";
-    private static final String OLPW_SAFE_MODIFY = "pwdSafeModify";
-    private static final String[] PASSWORD_POLICY_ATRS =
-        {
-            OLPW_MIN_AGE, OLPW_MAX_AGE, OLPW_IN_HISTORY, OLPW_CHECK_QUALITY,
-            OLPW_MIN_LENGTH, OLPW_EXPIRE_WARNING, OLPW_GRACE_LOGIN_LIMIT, OLPW_LOCKOUT,
-            OLPW_LOCKOUT_DURATION, OLPW_MAX_FAILURE, OLPW_FAILURE_COUNT_INTERVAL,
-            OLPW_MUST_CHANGE, OLPW_ALLOW_USER_CHANGE, OLPW_SAFE_MODIFY,
-    };
-
-    private static final String[] PASSWORD_POLICY_NAME_ATR =
-        {
-            GlobalIds.CN
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws org.apache.directory.fortress.core.CreateException
-     *
-     */
-    public final PwPolicy create( PwPolicy entity )
-        throws CreateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPAttributeSet attrs = new LDAPAttributeSet();
-            attrs.add( createAttributes( GlobalIds.OBJECT_CLASS, OAM_PWPOLICY_OBJ_CLASS ) );
-            attrs.add( createAttribute( GlobalIds.CN, entity.getName() ) );
-            attrs.add( createAttribute( OLPW_ATTRIBUTE, OLPW_POLICY_EXTENSION ) );
-            if ( entity.getMinAge() != null )
-            {
-                attrs.add( createAttribute( OLPW_MIN_AGE, entity.getMinAge().toString() ) );
-            }
-            if ( entity.getMaxAge() != null )
-            {
-                attrs.add( createAttribute( OLPW_MAX_AGE, entity.getMaxAge().toString() ) );
-            }
-            if ( entity.getInHistory() != null )
-            {
-                attrs.add( createAttribute( OLPW_IN_HISTORY, entity.getInHistory().toString() ) );
-            }
-            if ( entity.getCheckQuality() != null )
-            {
-                attrs.add( createAttribute( OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() ) );
-            }
-            if ( entity.getMinLength() != null )
-            {
-                attrs.add( createAttribute( OLPW_MIN_LENGTH, entity.getMinLength().toString() ) );
-            }
-            if ( entity.getExpireWarning() != null )
-            {
-                attrs.add( createAttribute( OLPW_EXPIRE_WARNING, entity.getExpireWarning().toString() ) );
-            }
-            if ( entity.getGraceLoginLimit() != null )
-            {
-                attrs.add( createAttribute( OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit().toString() ) );
-            }
-            if ( entity.getLockout() != null )
-            {
-                /**
-                 * For some reason OpenLDAP requires the pwdLockout boolean value to be upper case:
-                 */
-                attrs.add( createAttribute( OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() ) );
-            }
-            if ( entity.getLockoutDuration() != null )
-            {
-                attrs.add( createAttribute( OLPW_LOCKOUT_DURATION, entity.getLockoutDuration().toString() ) );
-            }
-            if ( entity.getMaxFailure() != null )
-            {
-                attrs.add( createAttribute( OLPW_MAX_FAILURE, entity.getMaxFailure().toString() ) );
-            }
-            if ( entity.getFailureCountInterval() != null )
-            {
-                attrs.add( createAttribute( OLPW_FAILURE_COUNT_INTERVAL, entity.getFailureCountInterval().toString() ) );
-            }
-            if ( entity.getMustChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                attrs.add( createAttribute( OLPW_MUST_CHANGE, entity.getMustChange().toString().toUpperCase() ) );
-            }
-            if ( entity.getAllowUserChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                attrs.add( createAttribute( OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange().toString()
-                    .toUpperCase() ) );
-            }
-            if ( entity.getSafeModify() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                attrs.add( createAttribute( OLPW_SAFE_MODIFY, entity.getSafeModify().toString().toUpperCase() ) );
-            }
-
-            LDAPEntry myEntry = new LDAPEntry( dn, attrs );
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "create name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.PSWD_CREATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void update( PwPolicy entity )
-        throws UpdateException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            LDAPModificationSet mods = new LDAPModificationSet();
-            if ( entity.getMinAge() != null )
-            {
-                LDAPAttribute minAge = new LDAPAttribute( OLPW_MIN_AGE, entity.getMinAge().toString() );
-                mods.add( LDAPModification.REPLACE, minAge );
-            }
-            if ( entity.getMaxAge() != null )
-            {
-                LDAPAttribute maxAge = new LDAPAttribute( OLPW_MAX_AGE, entity.getMaxAge().toString() );
-                mods.add( LDAPModification.REPLACE, maxAge );
-            }
-            if ( entity.getInHistory() != null )
-            {
-                LDAPAttribute inHistory = new LDAPAttribute( OLPW_IN_HISTORY, entity.getInHistory().toString() );
-                mods.add( LDAPModification.REPLACE, inHistory );
-            }
-            if ( entity.getCheckQuality() != null )
-            {
-                LDAPAttribute checkQuality = new LDAPAttribute( OLPW_CHECK_QUALITY, entity.getCheckQuality().toString() );
-                mods.add( LDAPModification.REPLACE, checkQuality );
-            }
-            if ( entity.getMinLength() != null )
-            {
-                LDAPAttribute minLength = new LDAPAttribute( OLPW_MIN_LENGTH, entity.getMinLength().toString() );
-                mods.add( LDAPModification.REPLACE, minLength );
-            }
-            if ( entity.getExpireWarning() != null )
-            {
-                LDAPAttribute expireWarning = new LDAPAttribute( OLPW_EXPIRE_WARNING, entity.getExpireWarning()
-                    .toString() );
-                mods.add( LDAPModification.REPLACE, expireWarning );
-            }
-            if ( entity.getGraceLoginLimit() != null )
-            {
-                LDAPAttribute graceLoginLimit = new LDAPAttribute( OLPW_GRACE_LOGIN_LIMIT, entity.getGraceLoginLimit()
-                    .toString() );
-                mods.add( LDAPModification.REPLACE, graceLoginLimit );
-            }
-            if ( entity.getLockout() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                LDAPAttribute lockout = new LDAPAttribute( OLPW_LOCKOUT, entity.getLockout().toString().toUpperCase() );
-                mods.add( LDAPModification.REPLACE, lockout );
-            }
-            if ( entity.getLockoutDuration() != null )
-            {
-                LDAPAttribute lockoutDuration = new LDAPAttribute( OLPW_LOCKOUT_DURATION, entity.getLockoutDuration()
-                    .toString() );
-                mods.add( LDAPModification.REPLACE, lockoutDuration );
-            }
-            if ( entity.getMaxFailure() != null )
-            {
-                LDAPAttribute maxFailure = new LDAPAttribute( OLPW_MAX_FAILURE, entity.getMaxFailure().toString() );
-                mods.add( LDAPModification.REPLACE, maxFailure );
-            }
-            if ( entity.getFailureCountInterval() != null )
-            {
-                LDAPAttribute failureCountInterval = new LDAPAttribute( OLPW_FAILURE_COUNT_INTERVAL, entity
-                    .getFailureCountInterval().toString() );
-                mods.add( LDAPModification.REPLACE, failureCountInterval );
-            }
-            if ( entity.getMustChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                LDAPAttribute mustChange = new LDAPAttribute( OLPW_MUST_CHANGE, entity.getMustChange().toString()
-                    .toUpperCase() );
-                mods.add( LDAPModification.REPLACE, mustChange );
-            }
-            if ( entity.getAllowUserChange() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                LDAPAttribute allowUserChange = new LDAPAttribute( OLPW_ALLOW_USER_CHANGE, entity.getAllowUserChange()
-                    .toString().toUpperCase() );
-                mods.add( LDAPModification.REPLACE, allowUserChange );
-            }
-            if ( entity.getSafeModify() != null )
-            {
-                /**
-                 * OpenLDAP requires the boolean values to be upper case:
-                 */
-                LDAPAttribute safeModify = new LDAPAttribute( OLPW_SAFE_MODIFY, entity.getSafeModify().toString()
-                    .toUpperCase() );
-                mods.add( LDAPModification.REPLACE, safeModify );
-            }
-            if ( mods != null && mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.PSWD_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param entity
-     * @throws org.apache.directory.fortress.core.RemoveException
-     */
-    public final void remove( PwPolicy entity )
-        throws RemoveException
-    {
-        LDAPConnection ld = null;
-        String dn = getDn( entity );
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, entity );
-        }
-        catch ( LDAPException e )
-        {
-            String error = "remove name [" + entity.getName() + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.PSWD_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final PwPolicy getPolicy( PwPolicy policy )
-        throws FinderException
-    {
-        PwPolicy entity = null;
-        LDAPConnection ld = null;
-        String dn = getDn( policy );
-        try
-        {
-            ld = getAdminConnection();
-            LDAPEntry findEntry = read( ld, dn, PASSWORD_POLICY_ATRS );
-            entity = unloadLdapEntry( findEntry, 0 );
-        }
-        catch ( LDAPException e )
-        {
-            if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-            {
-                if ( e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT )
-                {
-                    String warning = "getPolicy Obj COULD NOT FIND ENTRY for dn [" + dn + "]";
-                    throw new FinderException( GlobalErrIds.PSWD_NOT_FOUND, warning );
-                }
-            }
-            else
-            {
-                String error = "getPolicy name [" + policy.getName() + "] caught LDAPException="
-                    + e.getLDAPResultCode() + " msg=" + e.getMessage();
-                throw new FinderException( GlobalErrIds.PSWD_READ_FAILED, error, e );
-            }
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param le
-     * @param sequence
-     * @return
-     * @throws LDAPException
-     */
-    private PwPolicy unloadLdapEntry( LDAPEntry le, long sequence )
-    {
-        PwPolicy entity = new ObjectFactory().createPswdPolicy();
-        entity.setSequenceId( sequence );
-        entity.setName( getRdn( le.getDN() ) );
-        //entity.setAttribute(getAttribute(le, OLPW_ATTRIBUTE));
-        String val = getAttribute( le, OLPW_MIN_AGE );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMinAge( new Integer( val ) );
-        }
-        val = getAttribute( le, OLPW_MAX_AGE );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMaxAge( new Long( val ) );
-        }
-
-        val = getAttribute( le, OLPW_IN_HISTORY );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setInHistory( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_CHECK_QUALITY );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setCheckQuality( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MIN_LENGTH );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMinLength( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_EXPIRE_WARNING );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setExpireWarning( new Long( val ) );
-        }
-
-        val = getAttribute( le, OLPW_GRACE_LOGIN_LIMIT );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setGraceLoginLimit( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_LOCKOUT );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setLockout( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_LOCKOUT_DURATION );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setLockoutDuration( new Integer( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MAX_FAILURE );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setMaxFailure( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_FAILURE_COUNT_INTERVAL );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setFailureCountInterval( new Short( val ) );
-        }
-
-        val = getAttribute( le, OLPW_MUST_CHANGE );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            //noinspection BooleanConstructorCall
-            entity.setMustChange( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_ALLOW_USER_CHANGE );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setAllowUserChange( Boolean.valueOf( val ) );
-        }
-
-        val = getAttribute( le, OLPW_SAFE_MODIFY );
-        if ( VUtil.isNotNullOrEmpty( val ) )
-        {
-            entity.setSafeModify( Boolean.valueOf( val ) );
-        }
-        return entity;
-    }
-
-
-    /**
-     * @param policy
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<PwPolicy> findPolicy( PwPolicy policy )
-        throws FinderException
-    {
-        List<PwPolicy> policyArrayList = new ArrayList<>();
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String policyRoot = getPolicyRoot( policy.getContextId() );
-        String searchVal = null;
-        try
-        {
-            searchVal = encodeSafeText( policy.getName(), GlobalIds.PWPOLICY_NAME_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + OLPW_POLICY_CLASS + ")("
-                + GlobalIds.POLICY_NODE_TYPE + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            searchResults = search( ld, policyRoot,
-                LDAPConnection.SCOPE_ONE, filter, PASSWORD_POLICY_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-            while ( searchResults.hasMoreElements() )
-            {
-                policyArrayList.add( unloadLdapEntry( searchResults.next(), sequence++ ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "findPolicy name [" + searchVal + "] caught LDAPException=" + e.getLDAPResultCode()
-                + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return policyArrayList;
-    }
-
-
-    /**
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getPolicies( String contextId )
-        throws FinderException
-    {
-        Set<String> policySet = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-        LDAPConnection ld = null;
-        LDAPSearchResults searchResults;
-        String policyRoot = getPolicyRoot( contextId );
-        try
-        {
-            String filter = "(objectclass=" + OLPW_POLICY_CLASS + ")";
-            ld = getAdminConnection();
-            searchResults = search( ld, policyRoot,
-                LDAPConnection.SCOPE_ONE, filter, PASSWORD_POLICY_NAME_ATR, false, GlobalIds.BATCH_SIZE );
-            while ( searchResults.hasMoreElements() )
-            {
-                policySet.add( getAttribute( searchResults.next(), GlobalIds.CN ) );
-            }
-        }
-        catch ( LDAPException e )
-        {
-            String error = "getPolicies caught LDAPException=" + e.getLDAPResultCode() + " msg=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.PSWD_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return policySet;
-    }
-
-
-    private String getDn( PwPolicy policy )
-    {
-        return GlobalIds.POLICY_NODE_TYPE + "=" + policy.getName() + "," + getPolicyRoot( policy.getContextId() );
-    }
-
-
-    private String getPolicyRoot( String contextId )
-    {
-        return getRootDn( contextId, GlobalIds.PPOLICY_ROOT );
-    }
-}


[14/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
new file mode 100644
index 0000000..b01b5a3
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
@@ -0,0 +1,373 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.openldap.accelerator.api.addRole.RbacAddRoleRequest;
+import org.openldap.accelerator.api.addRole.RbacAddRoleRequestImpl;
+import org.openldap.accelerator.api.addRole.RbacAddRoleResponse;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequest;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequestImpl;
+import org.openldap.accelerator.api.checkAccess.RbacCheckAccessResponse;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionRequest;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionRequestImpl;
+import org.openldap.accelerator.api.createSession.RbacCreateSessionResponse;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequest;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequestImpl;
+import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionResponse;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleRequest;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleRequestImpl;
+import org.openldap.accelerator.api.dropRole.RbacDropRoleResponse;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequest;
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequestImpl;
+import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+import java.util.ArrayList;
+import java.util.List;
+
+
+/**
+ * Data access class for invoking RBAC Accelerator server-side operations.  This class utilizes the openldap accelerator component for LDAPv3 extended operations.
+ * This class follows the pattern of {@link org.apache.directory.fortress.core.AccessMgr} except policy decisions are session state are made/stored on server-side and not client-side.
+ * Its methods are not intended to be invoked by outside clients that should instead use {@link org.apache.directory.fortress.core.rbac.AccelMgrImpl}.
+ *
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+final class AcceleratorDAO extends ApacheDsDataProvider
+
+{
+    private static final Logger LOG = LoggerFactory.getLogger( AcceleratorDAO.class.getName() );
+
+    /**
+     * Authenticate user and return sessionId inside {@link Session#sessionId}.
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#createSession(org.apache.directory.fortress.core.rbac.User, boolean)}
+     * Success will result in rbac session state, i.e. {@link org.apache.directory.fortress.core.rbac.Session}, to be stored on server-side.
+     * Result may be stored inside RBAC server-side audit record and retrieved with {@link org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.rbac.UserAudit)}
+     *
+     * It uses the {@link RbacCreateSessionRequest} and {@link RbacCreateSessionResponse} accelerator APIs.
+     *
+     * todo: this method does not yet, but will soon, return password policy decisions.
+     *
+     * @param user
+     * @return session contains a valid sessionId captured from accelerator createSession method.
+     *
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CREATE_SESSION_ERR}.
+     *
+     */
+    final Session createSession( User user ) throws SecurityException
+    {
+        Session session = null;
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            ld.setTimeOut( 0 );
+            // Create a new RBAC session
+            RbacCreateSessionRequest rbacCreateSessionRequest = new RbacCreateSessionRequestImpl();
+            //rbacCreateSessionRequest.setTenantId( "jts" );
+            rbacCreateSessionRequest.setTenantId( user.getContextId() );
+            rbacCreateSessionRequest.setUserIdentity( user.getUserId() );
+            rbacCreateSessionRequest.setPassword( new String(user.getPassword()) );
+            if( VUtil.isNotNullOrEmpty( user.getRoles() ))
+            {
+                for ( UserRole userRole : user.getRoles())
+                {
+                    rbacCreateSessionRequest.addRole( userRole.getName() );
+                }
+            }
+            // Send the request
+            RbacCreateSessionResponse rbacCreateSessionResponse = ( RbacCreateSessionResponse ) ld.extended(
+                rbacCreateSessionRequest );
+            LOG.debug( "createSession userId: " + user.getUserId() + ", sessionId: " +  rbacCreateSessionResponse.getSessionId() + ", resultCode: " +   rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode());
+            session = new Session( user, rbacCreateSessionResponse.getSessionId() );
+            if(rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode() == 0)
+            {
+                session.setAuthenticated(true);
+            }
+            else
+            {
+                session.setAuthenticated(false);
+                String info = "createSession UserId [" + user.getUserId() + "] failed: " + rbacCreateSessionResponse.getLdapResult() + " , resultCode: " + rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode();
+                throw new SecurityException( GlobalErrIds.USER_PW_INVLD, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "createSession userId [" + user.getUserId() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_CREATE_SESSION_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return session;
+    }
+
+
+    /**
+     * Perform user rbac authorization.  This function returns a Boolean value meaning whether the subject of a given session is
+     * allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     * It uses the {@link RbacCheckAccessRequest} and {@link RbacCheckAccessResponse} accelerator APIs.
+     *
+     * @param session This object must be instantiated by calling {@link #createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param perm  must contain the object, {@link org.apache.directory.fortress.core.rbac.Permission#objName}, and operation, {@link org.apache.directory.fortress.core.rbac.Permission#opName}, of permission User is trying to access.
+     * @return True if user has access, false otherwise.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CHECK_ACCESS_ERR}.
+     */
+    boolean checkAccess( Session session, Permission perm )
+        throws SecurityException
+    {
+        boolean result = false;
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacCheckAccessRequest rbacCheckAccessRequest = new RbacCheckAccessRequestImpl();
+            rbacCheckAccessRequest.setSessionId( session.getSessionId() );
+            rbacCheckAccessRequest.setObject( perm.getObjName() );
+            // objectId is optional
+            if(VUtil.isNotNullOrEmpty( perm.getObjId()))
+            {
+                rbacCheckAccessRequest.setObjectId( perm.getObjId() );
+            }
+            rbacCheckAccessRequest.setOperation( perm.getOpName() );
+            // Send the request
+            RbacCheckAccessResponse rbacCheckAccessResponse = ( RbacCheckAccessResponse ) ld.extended(
+                rbacCheckAccessRequest );
+            LOG.debug( "checkAccess result: {}", rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacCheckAccessResponse.getLdapResult().getResultCode().getResultCode() == 0)
+            {
+                result = true;
+            }
+            else
+            {
+                result = false;
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "checkAccess perm obj [" + perm.getObjName() + "], operation [" + perm.getOpName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_CHECK_ACCESS_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return result;
+    }
+
+
+    /**
+     * Deactivate user role from rbac session
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#dropActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
+     * Success will result in rbac session state to be modified inside server-side cache.
+     * It uses the {@link RbacDropRoleRequest} and {@link RbacDropRoleResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DROP_ROLE_ERR}.
+     */
+    void dropActiveRole( Session session, UserRole userRole ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacDropRoleRequest dropRoleRequest = new RbacDropRoleRequestImpl();
+            dropRoleRequest.setSessionId( session.getSessionId() );
+            dropRoleRequest.setRole( userRole.getName() );
+            dropRoleRequest.setUserIdentity( userRole.getUserId() );
+            // Send the request
+            RbacDropRoleResponse rbacDropRoleResponse = ( RbacDropRoleResponse ) ld.extended(
+                dropRoleRequest );
+            LOG.debug( "dropActiveRole result: {}", rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacDropRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
+            {
+                String info = "dropActiveRole Role [" + userRole.getName() + "] User ["
+                    + session.getUserId() + "], not previously activated.";
+                throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "dropActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_DROP_ROLE_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+    /**
+     * Activate user role into rbac session
+     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#addActiveRole(org.apache.directory.fortress.core.rbac.Session, org.apache.directory.fortress.core.rbac.UserRole)}.
+     * Success will result in rbac session state to be modified inside server-side cache.
+     * It uses the {@link RbacAddRoleRequest} and {@link RbacAddRoleResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @param userRole both the {@link UserRole#userId} and {@link UserRole#name} fields must be set before invoking.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_ADD_ROLE_ERR}.
+     */
+    void addActiveRole( Session session, UserRole userRole ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacAddRoleRequest addRoleRequest = new RbacAddRoleRequestImpl();
+            addRoleRequest.setSessionId( session.getSessionId() );
+            addRoleRequest.setRole( userRole.getName() );
+            addRoleRequest.setUserIdentity( userRole.getUserId() );
+            // Send the request
+            RbacAddRoleResponse rbacAddRoleResponse = ( RbacAddRoleResponse ) ld.extended(
+                addRoleRequest );
+            LOG.debug( "addActiveRole result: {}", rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode());
+            if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() != 0)
+            {
+                String info;
+                int rc;
+                if(rbacAddRoleResponse.getLdapResult().getResultCode().getResultCode() == 20)
+                {
+                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
+                        + session.getUserId() + "], already activated.";
+                    rc = GlobalErrIds.URLE_ALREADY_ACTIVE;
+                }
+                else
+                {
+                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
+                        + session.getUserId() + "], not authorized for user.";
+                    rc = GlobalErrIds.URLE_ACTIVATE_FAILED;
+                }
+                throw new SecurityException( rc, info );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "addActiveRole role name [" + userRole.getName() + "] caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_ADD_ROLE_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+    /**
+     * Delete the stored session on rbac accelerator server.
+     * It uses the {@link RbacDeleteSessionRequest} and {@link RbacDeleteSessionResponse} accelerator APIs.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DELETE_SESSION_ERR}.
+     */
+    void deleteSession( Session session ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacDeleteSessionRequest deleteSessionRequest = new RbacDeleteSessionRequestImpl();
+            deleteSessionRequest.setSessionId( session.getSessionId() );
+            deleteSessionRequest.setUserIdentity( session.getUserId() );
+            // Send the request
+            RbacDeleteSessionResponse deleteSessionResponse = ( RbacDeleteSessionResponse ) ld.extended(
+                deleteSessionRequest );
+            LOG.debug( "deleteSession result: {}", deleteSessionResponse.getLdapResult().getResultCode().getResultCode());
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteSession caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_DELETE_SESSION_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * SessionRoles returns a list of UserRole's activated for user on rbac server.
+     * It uses the {@link RbacSessionRolesRequest} and {@link RbacSessionRolesResponse} accelerator APIs.
+     *
+     * todo: This method does not yet, but will soon populate temporal constraints associated with entities returned.
+     *
+     * @param session contains a valid sessionId captured from accelerator createSession method.
+     * @return List of type UserRole.  May be null if user has no roles activated in session stored - server side.
+     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_SESSION_ROLES_ERR}.
+     */
+    List<UserRole> sessionRoles( Session session ) throws SecurityException
+    {
+        LdapConnection ld = null;
+        List<UserRole> userRoleList = null;
+        try
+        {
+            ld = getAdminConnection();
+            RbacSessionRolesRequest sessionRolesRequest = new RbacSessionRolesRequestImpl();
+            sessionRolesRequest.setSessionId( session.getSessionId() );
+            sessionRolesRequest.setUserIdentity( session.getUserId() );
+            // Send the request
+            RbacSessionRolesResponse sessionRolesResponse = ( RbacSessionRolesResponse ) ld.extended(
+                sessionRolesRequest );
+            LOG.debug( "sessionRoles result: {}", sessionRolesResponse.getLdapResult().getResultCode().getResultCode());
+            if(VUtil.isNotNullOrEmpty( sessionRolesResponse.getRoles() ) )
+            {
+                userRoleList = new ArrayList<>(  );
+                for( String roleNm : sessionRolesResponse.getRoles() )
+                {
+                    userRoleList.add( new UserRole( session.getUserId(), roleNm ) );
+                    // todo: add temporal constraints here
+                }
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "sessionRoles caught LDAPException=" + " msg=" + e
+                .getMessage();
+            throw new SecurityException( GlobalErrIds.ACEL_SESSION_ROLES_ERR, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return userRoleList;
+    }
+}
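Review bot: The debug statement at L26884 in createSession writes the accelerator sessionId to the log, and that sessionId (paired with a non-secret userId) is what every later checkAccess, addActiveRole, dropActiveRole, deleteSession and sessionRoles request presents to the server, so a readable debug log is enough to reuse an authenticated RBAC session; log only the userId and result code, e.g. `LOG.debug( "createSession userId: {}, resultCode: {}", user.getUserId(), rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode() );`. Relatedly, L26873 `new String( user.getPassword() )` turns the char[] password into an immutable String that cannot be zeroed after the bind; if the accelerator request API only accepts a String this is unavoidable, but a comment saying so (`// accelerator API takes String; cannot clear this copy`) would stop a later reader from "fixing" it. L26867 `ld.setTimeOut( 0 )` is applied only in createSession and, if 0 means unbounded in this LDAP API version, lets a stalled accelerator block the caller indefinitely — worth a comment on why the default timeout is overridden here and nowhere else in the class. The bare `== 0` / `== 20` result-code comparisons (L26886, L26947, L27041) would read better as `ResultCodeEnum.SUCCESS` / `ResultCodeEnum.ATTRIBUTE_OR_VALUE_EXISTS` checks.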

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
index 88bf87f..07a35ee 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRole.java
@@ -28,8 +28,6 @@ import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.apache.directory.fortress.core.util.time.CUtil;
 import org.apache.directory.fortress.core.util.time.Constraint;

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
new file mode 100755
index 0000000..e0dfdaa
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
@@ -0,0 +1,694 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.rbac.AdminRole;
+import org.apache.directory.fortress.core.rbac.AdminRoleP;
+import org.apache.directory.fortress.core.rbac.AdminRoleUtil;
+import org.apache.directory.fortress.core.rbac.Graphable;
+import org.apache.directory.fortress.core.rbac.Role;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+
+
+/**
+ * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link AdminRole}.
+ * <p/>
+ * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
+ * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass	( 1.3.6.1.4.1.38088.2.1</code>
+ * <li> <code>NAME 'ftRls'</code>
+ * <li> <code>DESC 'Fortress Role Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftRoleName )</code>
+ * <li> <code>MAY ( description $ ftCstr ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
+ * <li> <code>NAME 'ftPools'</code>
+ * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+final class AdminRoleDAO extends ApacheDsDataProvider
+{
+    private static final String ROLE_OCCUPANT = "roleOccupant";
+    private static final String ROLE_OSP = "ftOSP";
+    private static final String ROLE_OSU = "ftOSU";
+    private static final String ROLE_RANGE = "ftRange";
+    private static final String POOLS_AUX_OBJECT_CLASS_NAME = "ftPools";
+    private static final String ADMIN_ROLE_OBJ_CLASS[] =
+        {
+            GlobalIds.TOP,
+            GlobalIds.ROLE_OBJECT_CLASS_NM,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            POOLS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+    private static final String ROLE_NM = "ftRoleName";
+    private static final String[] ROLE_NM_ATR =
+        {
+            ROLE_NM
+    };
+
+    private static final String[] ROLE_ATRS =
+        {
+            GlobalIds.FT_IID,
+            ROLE_NM,
+            GlobalIds.DESC,
+            GlobalIds.CONSTRAINT,
+            ROLE_OCCUPANT,
+            ROLE_OSP,
+            ROLE_OSU,
+            ROLE_RANGE,
+            GlobalIds.PARENT_NODES
+    };
+
+
+    /**
+     * Create a new AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains AdminRole data.  Null attributes will be ignored.
+     * @return input record back to client.
+     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
+     */
+    final AdminRole create( AdminRole entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+
+            entry.add( GlobalIds.OBJECT_CLASS, ADMIN_ROLE_OBJ_CLASS );
+            entity.setId();
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+            entry.add( ROLE_NM, entity.getName() );
+
+            // description field is optional on this object class:
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                entry.add( GlobalIds.DESC, entity.getDescription() );
+            }
+
+            // CN attribute is required for this object class:
+            entry.add( GlobalIds.CN, entity.getName() );
+            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+            loadAttrs( entity.getOsP(), entry, ROLE_OSP );
+            loadAttrs( entity.getOsU(), entry, ROLE_OSU );
+            String szRaw = entity.getRoleRangeRaw();
+
+            if ( VUtil.isNotNullOrEmpty( szRaw ) )
+            {
+                entry.add( ROLE_RANGE, szRaw );
+            }
+
+            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
+            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new CreateException( GlobalErrIds.ARLE_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains AdminRole data.  Null attributes will be ignored.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    final AdminRole update( AdminRole entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    GlobalIds.DESC, entity.getDescription() ) );
+            }
+
+            if ( VUtil.isNotNullOrEmpty( entity.getOccupants() ) )
+            {
+                for ( String name : entity.getOccupants() )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, ROLE_OCCUPANT, name ) );
+                }
+            }
+
+            if ( entity.isTemporalSet() )
+            {
+                String szRawData = CUtil.setConstraint( entity );
+                if ( VUtil.isNotNullOrEmpty( szRawData ) )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
+                }
+            }
+
+            loadAttrs( entity.getOsU(), mods, ROLE_OSU );
+            loadAttrs( entity.getOsP(), mods, ROLE_OSP );
+            String szRaw = entity.getRoleRangeRaw();
+
+            if ( VUtil.isNotNullOrEmpty( szRaw ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, ROLE_RANGE, szRaw ) );
+            }
+
+            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param entity
+     * @throws UpdateException
+     */
+    final void deleteParent( AdminRole entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_REMOVE_PARENT_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * This method will add the supplied DN as a role occupant to the target record.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
+     * @param userDn contains the DN for userId who is being assigned.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    final AdminRole assign( AdminRole entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_USER_ASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * This method will remove the supplied DN as a role occupant to the target record.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
+     * @param userDn contains the DN for userId who is being deassigned.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    final AdminRole deassign( AdminRole entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification(
+                ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
+                + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_USER_DEASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return entity;
+    }
+
+
+    /**
+     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
+     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param role record contains {@link AdminRole#name}.
+     * @throws RemoveException in the event LDAP errors occur.
+     */
+    final void remove( AdminRole role ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( role );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, role );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.ARLE_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
+     *
+     * @param adminRole maps to {@link AdminRole#name}.
+     * @return AdminRole back to client.
+     * @throws FinderException in the event LDAP errors occur.
+     */
+    final AdminRole getRole( AdminRole adminRole ) throws FinderException
+    {
+        AdminRole entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( adminRole );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, ROLE_ATRS );
+            entity = unloadLdapEntry( findEntry, 0, adminRole.getContextId() );
+
+            if ( entity == null )
+            {
+                String warning = "getRole name [" + adminRole.getName() + "] no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getRole name [" + adminRole.getName() + "] Obj COULD NOT FIND ENTRY for dn [" + dn
+                + "]";
+            throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getRole dn [" + dn + "] LEXCD=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param adminRole
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<AdminRole> findRoles( AdminRole adminRole ) throws FinderException
+    {
+        List<AdminRole> roleList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+        String filter;
+
+        try
+        {
+            String searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, adminRole.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     * @param adminRole
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    final List<String> findRoles( AdminRole adminRole, int limit ) throws FinderException
+    {
+        List<String> roleList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+        String filter;
+        String searchVal = null;
+
+        try
+        {
+            searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                roleList.add( getAttribute( entry, ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     * @param userDn
+     * @return
+     * @throws FinderException
+     */
+    final List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException
+    {
+        List<String> roleNameList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
+            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleNameList;
+    }
+
+
+    /**
+      *
+      * @param contextId
+      * @return
+      * @throws FinderException
+      */
+    final List<Graphable> getAllDescendants( String contextId )
+        throws FinderException
+    {
+        String[] DESC_ATRS =
+            { ROLE_NM, GlobalIds.PARENT_NODES };
+        List<Graphable> descendants = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
+        String filter = null;
+
+        try
+        {
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + GlobalIds.PARENT_NODES + "=*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++, contextId ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return descendants;
+    }
+
+
+    /**
+    *
+    * @param le
+    * @param sequence
+    * @param contextId
+    * @return
+     * @throws LdapInvalidAttributeValueException 
+    * @throws LdapException
+    */
+    private Graphable unloadDescendants( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        Role entity = new ObjectFactory().createRole();
+        entity.setSequenceId( sequence );
+        entity.setName( getAttribute( le, ROLE_NM ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        return entity;
+    }
+
+
+    /**
+     * @param le
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private AdminRole unloadLdapEntry( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        AdminRole entity = new ObjectFactory().createAdminRole();
+        entity.setSequenceId( sequence );
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setName( getAttribute( le, ROLE_NM ) );
+        entity.setDescription( getAttribute( le, GlobalIds.DESC ) );
+        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
+        entity.setOsP( getAttributeSet( le, ROLE_OSP ) );
+        entity.setOsU( getAttributeSet( le, ROLE_OSU ) );
+        unloadTemporal( le, entity );
+        entity.setRoleRangeRaw( getAttribute( le, ROLE_RANGE ) );
+        //entity.setParents(AdminRoleUtil.getParents(entity.getName().toUpperCase(), contextId));
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        entity.setChildren( AdminRoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
+        return entity;
+    }
+
+
+    private String getDn( AdminRole adminRole )
+    {
+        return GlobalIds.CN + "=" + adminRole.getName() + ","
+            + getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
index d589b3c..35aece2 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
@@ -30,8 +30,6 @@ import org.apache.directory.fortress.core.GlobalErrIds;
 import org.apache.directory.fortress.core.GlobalIds;
 import org.apache.directory.fortress.core.RemoveException;
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
 import org.apache.directory.fortress.core.util.attr.VUtil;
 
 
@@ -57,7 +55,7 @@ public final class AdminRoleP
 {
     private static final String CLS_NM = AdminRoleP.class.getName();
     private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static final AdminRoleDAO rDao = DaoFactory.createAdminRoleDAO();
+    private static final AdminRoleDAO rDao = new AdminRoleDAO();
     private static final OrgUnitP op = new OrgUnitP();
 
 

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
new file mode 100755
index 0000000..1f0858c
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java
@@ -0,0 +1,780 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.ObjectFactory;
+import org.apache.directory.fortress.core.cfg.Config;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.util.attr.AttrHelper;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * This class performs data access for OpenLDAP synch repl log data
+ * <p/>
+ * <h3>1. Binds</h3>
+ * <p/>
+ * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
+ * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
+ * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
+ * <code># which contains the Bind Method used in the Bind. This will be the string</code>
+ * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
+ * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
+ * <code># the current database will be logged:</code>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
+ * <li> <code>DESC 'Bind operation'</code>
+ * <li> <code>SUP auditObject STRUCTURAL</code>
+ * <li> <code>MUST ( reqVersion $ reqMethod ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <h3>2. Authorizations</h3>
+ * <code>For  the  Search class the reqScope attribute contains the scope of the</code><br />
+ * <code>original search request, using the values specified for  the  LDAP  URL</code><br />
+ * <code>format. I.e.  base, one, sub, or subord.  The reqDerefAliases attribute</code><br />
+ * <code>is one of never, finding, searching, or always,  denoting  how  aliases</code><br />
+ * <code>will  be  processed during the search.  The reqAttrsOnly attribute is a</code><br />
+ * <code>Boolean value showing TRUE if only attribute names were  requested,  or</code><br />
+ * <code>FALSE  if  attributes  and  their values were requested.  The reqFilter</code><br />
+ * <code>attribute carries the filter used in the search request.   The  reqAttr</code><br />
+ * <code>attribute  lists  the  requested attributes if specific attributes were</code><br />
+ * <code>requested.  The reqEntries attribute is the integer count of  how  many</code><br />
+ * <code>entries  were  returned  by  this search request.  The reqSizeLimit and</code><br />
+ * <code>reqTimeLimit attributes indicate what  limits  were  requested  on  the</code><br />
+ * <code>search operation.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass  (  1.3.6.1.4.1.4203.666.11.5.2.11</code>
+ * <li> <code>NAME 'auditSearch'</code>
+ * <li> <code>DESC 'Search operation'</code>
+ * <li> <code>SUP auditReadObject STRUCTURAL</code>
+ * <li> <code>MUST ( reqScope $ reqDerefAliases $ reqAttrsOnly )</code>
+ * <li> <code>MAY ( reqFilter $ reqAttr $ reqEntries $ reqSizeLimit $</code>
+ * <li> <code>reqTimeLimit ) )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * <p/>
+ * <h3>3. Modifications</h3>
+ * The auditModify Structural object class is used to store Fortress update and delete events that can later be queried via ldap API.<br />
+ * The deletions can be recorded in this manner and associated with Fortress context because deletions will perform a modification first
+ * if audit is enabled.
+ * <p/>
+ * <code>The Modify operation contains a description  of  modifications  in  the</code><br />
+ * <code>reqMod  attribute,  which  was  already  described  above  in  the  Add</code><br />
+ * <code>operation. It may optionally  contain  the  previous  contents  of  any</code><br />
+ * <code>modified  attributes  in the reqOld attribute, using the same format as</code><br />
+ * <code>described above for the Delete operation.  The reqOld attribute is only</code><br />
+ * <code>populated  if  the  entry  being modified matches the configured logold</code><br />
+ * <code>filter.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass (  1.3.6.1.4.1.4203.666.11.5.2.9</code>
+ * <li> <code>NAME 'auditModify'</code>
+ * <li> <code>DESC 'Modify operation'</code>
+ * <li> <code>SUP auditWriteObject STRUCTURAL</code>
+ * <li> <code>MAY reqOld MUST reqMod )</code>
+ * <li> ------------------------------------------
+ * </ul>
+ * <p/>
+ * Note this class used descriptions pulled from man pages on slapd access log.
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+final class AuditDAO extends ApacheDsDataProvider
+{
+    private static final String CREATETIMESTAMP = "createTimestamp";
+    private static final String CREATORSNAME = "creatorsName";
+    private static final String ENTRYCSN = "entryCSN";
+    private static final String ENTRYDN = "entryDN";
+    private static final String ENTRYUUID = "entryUUID";
+    private static final String HASSUBORDINATES = "hasSubordinates";
+    private static final String MODIFIERSNAME = "modifiersName";
+    private static final String MODIFYTIMESTAMP = "modifyTimestamp";
+    private static final String OBJECTCLASS = "objectClass";
+    private static final String REQUAUTHZID = "reqAuthzID";
+    private static final String REQCONTROLS = "reqControls";
+    private static final String REQDN = "reqDN";
+    private static final String REQEND = "reqEnd";
+    private static final String REQMETHOD = "reqMethod";
+    private static final String REQRESULT = "reqResult";
+    private static final String REQSESSION = "reqSession";
+    private static final String REQSTART = "reqStart";
+    private static final String REQTYPE = "reqType";
+    private static final String REQVERSION = "reqVersion";
+    private static final String REQMOD = "reqMod";
+    private static final String STRUCTURALOBJECTCLASS = "structuralObjectClass";
+    private static final String SUBSCHEMAENTRY = "subschemaSubentry";
+    private static final String REQATTR = "reqAttr";
+    private static final String REQATTRSONLY = "reqAttrsOnly";
+    private static final String REQDREFALIASES = "reqDerefAliases";
+    private static final String REQENTRIES = "reqEntries";
+    private static final String REQFILTER = "reqFilter";
+    private static final String REQSCOPE = "reqScope";
+    private static final String REQSIZELIMIT = "reqSizeLimit";
+    private static final String REQTIMELIMIT = "reqTimeLimit";
+    private static final String REQASSERTION = "reqAssertion";
+    private static final String ACCESS_BIND_CLASS_NM = "auditBind";
+    //private static final String ACCESS_AUTHZ_CLASS_NM = "auditSearch";
+    private static final String ACCESS_AUTHZ_CLASS_NM = "auditCompare";
+    private static final String ACCESS_MOD_CLASS_NM = "auditModify";
+    private static final String ACCESS_ADD_CLASS_NM = "auditAdd";
+    private static final String AUDIT_ROOT = "audit.root";
+
+    private static final String[] AUDIT_AUTHZ_ATRS =
+        {
+            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
+            MODIFYTIMESTAMP, OBJECTCLASS, REQATTR, REQATTRSONLY, REQUAUTHZID, REQCONTROLS, REQDN, REQDREFALIASES,
+            REQEND, REQENTRIES, REQFILTER, REQRESULT, REQSCOPE, REQSESSION, REQSIZELIMIT, REQSTART, REQTIMELIMIT,
+            REQTYPE, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
+    };
+
+    private static final String[] AUDIT_BIND_ATRS =
+        {
+            CREATETIMESTAMP, CREATORSNAME, ENTRYCSN, ENTRYDN, ENTRYUUID, HASSUBORDINATES, MODIFIERSNAME,
+            MODIFYTIMESTAMP, OBJECTCLASS, REQUAUTHZID, REQCONTROLS, REQDN, REQEND, REQMETHOD, REQRESULT,
+            REQSESSION, REQSTART, REQTYPE, REQVERSION, STRUCTURALOBJECTCLASS, SUBSCHEMAENTRY
+    };
+
+    private static final String[] AUDIT_MOD_ATRS =
+        {
+            OBJECTCLASS, REQUAUTHZID, REQDN, REQEND, REQRESULT, REQSESSION, REQSTART, REQTYPE, REQMOD
+    };
+
+
+    /**
+     * This method returns failed authentications where the userid is not present in the directory.  This
+     * is possible because Fortress performs read on user before the bind.
+     * User:
+     * dn: reqStart=20101014235402.000000Z, cn=log
+     * reqStart: 20101014235402.000000Z
+     * reqEnd: 20101014235402.000001Z
+     * reqAuthzID: cn=Manager,dc=jts,dc=com
+     * reqDerefAliases: never
+     * reqSession: 84
+     * reqAttrsOnly: FALSE
+     * reqSizeLimit: -1
+     * objectClass: auditSearch
+     * reqResult: 32
+     * reqAttr: ftId
+     * reqAttr: uid
+     * reqAttr: userpassword
+     * reqAttr: description
+     * reqAttr: ou
+     * reqAttr: cn
+     * reqAttr: sn
+     * reqAttr: ftRoleCstr
+     * reqAttr: ftCstr
+     * reqAttr: ftRoleAsgn
+     * reqAttr: pwdReset
+     * reqAttr: pwdAccountLockedTime
+     * reqAttr: ftProps
+     * reqEntries: 0
+     * reqFilter: (|(objectClass=*)(?objectClass=ldapSubentry))
+     * reqType: search
+     * reqDN: uid=foo,ou=People,dc=jts,dc=com        /cal/cal2.jsp
+     * reqTimeLimit: -1
+     * reqScope: base
+     *
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<AuthZ> searchInvalidAuthNs( UserAudit audit ) throws FinderException
+    {
+        List<AuthZ> auditList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+        String userRoot = Config.getProperty( GlobalIds.USER_ROOT );
+
+        try
+        {
+            // use wildcard for user if not passed in:
+            //reqDN: uid=foo,ou=People,dc=jts,dc=com
+            //(&
+            //  (objectclass=auditSearch)
+            //      (reqDN=uid=*,ou=People,dc=jts,dc=com)
+            //      (reqAuthzID=cn=Manager,dc=jts,dc=com)
+            //      (reqEntries=0)
+            // )
+
+            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
+            String userId;
+
+            if ( VUtil.isNotNullOrEmpty( audit.getUserId() ) )
+            {
+                userId = audit.getUserId();
+                filter += REQDN + "=" + GlobalIds.UID + "=" + userId + "," + userRoot + ")(" +
+                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
+            }
+            else
+            {
+                // pull back all failed authN attempts for all users:
+                filter += REQATTR + "=" + GlobalIds.UID + ")(" +
+                    REQUAUTHZID + "=" + "cn=Manager," + Config.getProperty( GlobalIds.SUFFIX ) + ")";
+            }
+
+            if ( audit.isFailedOnly() )
+            {
+                filter += "(" + REQENTRIES + "=" + 0 + ")";
+            }
+
+            if ( audit.getBeginDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                filter += "(" + REQEND + ">=" + szTime + ")";
+            }
+
+            filter += ")";
+
+            //log.warn("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                AuthZ authZ = getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ );
+                // todo: fix this workaround. This search will return failed role assign searches as well.  
+                // Work around is to remove the ou=People failed searches from user failed searches on authN.
+                if ( !AttrHelper.getAuthZId( authZ.getReqDN() ).equalsIgnoreCase( "People" ) )
+                    auditList.add( authZ );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHN_INVALID_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return auditList;
+    }
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<AuthZ> searchAuthZs( UserAudit audit ) throws FinderException
+    {
+        List<AuthZ> auditList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+        String permRoot = getRootDn( audit.isAdmin(), audit.getContextId() );
+        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String reqDn = PermDAO.getOpRdn( audit.getOpName(), audit.getObjId() ) + "," + GlobalIds.POBJ_NAME + "="
+                + audit.getObjName() + "," + permRoot;
+            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(" + REQDN + "=" +
+                reqDn + ")(" + REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
+
+            if ( audit.isFailedOnly() )
+            {
+                filter += "(!(" + REQRESULT + "=" + 6 + "))";
+            }
+
+            if ( audit.getBeginDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                filter += "(" + REQEND + ">=" + szTime + ")";
+            }
+
+            filter += ")";
+
+            //System.out.println("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                auditList.add( getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "LdapException in AuditDAO.searchAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return auditList;
+    }
+
+
+    private String getRootDn( boolean isAdmin, String contextId )
+    {
+        String dn;
+
+        if ( isAdmin )
+        {
+            dn = getRootDn( contextId, GlobalIds.ADMIN_PERM_ROOT );
+        }
+        else
+        {
+            dn = getRootDn( contextId, GlobalIds.PERM_ROOT );
+        }
+
+        return dn;
+    }
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<AuthZ> getAllAuthZs( UserAudit audit ) throws FinderException
+    {
+        List<AuthZ> auditList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + ACCESS_AUTHZ_CLASS_NM + ")(";
+
+            if ( audit.getUserId() != null && audit.getUserId().length() > 0 )
+            {
+                filter += REQUAUTHZID + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
+            }
+            else
+            {
+                // have to limit the query to only authorization entries.
+                // TODO: determine why the cn=Manager user is showing up in this search:
+                filter += REQUAUTHZID + "=*)(!(" + REQUAUTHZID + "=cn=Manager," + Config.getProperty( GlobalIds.SUFFIX )
+                    + "))";
+
+                // TODO: fix this so filter by only the Fortress AuthZ entries and not the others:
+                if ( audit.isFailedOnly() )
+                {
+                    filter += "(!(" + REQRESULT + "=" + 6 + "))";
+                }
+            }
+
+            if ( audit.getBeginDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                filter += "(" + REQEND + ">=" + szTime + ")";
+            }
+
+            filter += ")";
+
+            //log.warn("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_AUTHZ_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                auditList.add( getAuthzEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "LdapException in AuditDAO.getAllAuthZs id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_AUTHZ_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return auditList;
+    }
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Bind> searchBinds( UserAudit audit ) throws FinderException
+    {
+        List<Bind> auditList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter;
+
+            if ( audit.getUserId() != null && audit.getUserId().length() > 0 )
+            {
+                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")(" +
+                    REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
+
+                if ( audit.isFailedOnly() )
+                {
+                    filter += "(" + REQRESULT + ">=" + 1 + ")";
+                }
+
+                if ( audit.getBeginDate() != null )
+                {
+                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                    filter += "(" + REQEND + ">=" + szTime + ")";
+                }
+
+                filter += ")";
+            }
+            else
+            {
+                filter = GlobalIds.FILTER_PREFIX + ACCESS_BIND_CLASS_NM + ")";
+
+                if ( audit.isFailedOnly() )
+                {
+                    filter += "(" + REQRESULT + ">=" + 1 + ")";
+                }
+
+                if ( audit.getBeginDate() != null )
+                {
+                    String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                    filter += "(" + REQEND + ">=" + szTime + ")";
+                }
+
+                filter += ")";
+            }
+
+            //log.warn("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_BIND_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                auditList.add( getBindEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "LdapException in AuditDAO.searchBinds id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_BIND_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "LdapException in AuditDAO.searchBinds id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_BIND_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return auditList;
+    }
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws org.apache.directory.fortress.core.FinderException
+     *
+     */
+    final List<Mod> searchUserMods( UserAudit audit ) throws FinderException
+    {
+        List<Mod> modList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+
+        String userRoot = getRootDn( audit.getContextId(), GlobalIds.USER_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + ACCESS_MOD_CLASS_NM + ")(" +
+                REQDN + "=" + GlobalIds.UID + "=" + audit.getUserId() + "," + userRoot + ")";
+
+            if ( audit.getBeginDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                filter += "(" + REQEND + ">=" + szTime + ")";
+            }
+
+            filter += ")";
+            //log.warn("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                modList.add( getModEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "searchUserMods caught LdapException id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "searchUserMods caught LdapException id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_MOD_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return modList;
+    }
+
+
+    /**
+     * @param audit
+     * @return
+     * @throws FinderException
+     */
+    final List<Mod> searchAdminMods( UserAudit audit ) throws FinderException
+    {
+        List<Mod> modList = new ArrayList<>();
+        LdapConnection ld = null;
+        String auditRoot = Config.getProperty( AUDIT_ROOT );
+
+        try
+        {
+            String filter = "(&(|(objectclass=" + ACCESS_MOD_CLASS_NM + ")";
+            filter += "(objectclass=" + ACCESS_ADD_CLASS_NM + "))";
+
+            if ( VUtil.isNotNullOrEmpty( audit.getDn() ) )
+            {
+                filter += "(" + REQDN + "=" + audit.getDn() + ")";
+            }
+
+            if ( VUtil.isNotNullOrEmpty( audit.getObjName() ) )
+            {
+                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":= " + audit.getObjName() + ".";
+
+                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
+                {
+                    filter += audit.getOpName();
+                }
+
+                filter += "*)";
+                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER_CODE + ":+ " + audit.getObjName() + ".";
+
+                if ( VUtil.isNotNullOrEmpty( audit.getOpName() ) )
+                {
+                    filter += audit.getOpName();
+                }
+
+                filter += "*))";
+            }
+
+            if ( VUtil.isNotNullOrEmpty( audit.getInternalUserId() ) )
+            {
+                filter += "(|(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":= " + audit.getInternalUserId() + ")";
+                filter += "(" + REQMOD + "=" + GlobalIds.FT_MODIFIER + ":+ " + audit.getInternalUserId() + "))";
+            }
+
+            if ( audit.getBeginDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getBeginDate() );
+                filter += "(" + REQEND + ">=" + szTime + ")";
+            }
+
+            if ( audit.getEndDate() != null )
+            {
+                String szTime = AttrHelper.encodeGeneralizedTime( audit.getEndDate() );
+                filter += "(" + REQEND + "<=" + szTime + ")";
+            }
+
+            filter += ")";
+            //log.warn("filter=" + filter);
+            ld = getLogConnection();
+            SearchCursor searchResults = search( ld, auditRoot,
+                SearchScope.ONELEVEL, filter, AUDIT_MOD_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                modList.add( getModEntityFromLdapEntry( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "searchAdminMods caught LdapException id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_MOD_ADMIN_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "searchAdminMods caught LdapException id=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.AUDT_MOD_ADMIN_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeLogConnection( ld );
+        }
+
+        return modList;
+    }
+
+
+    /**
+     * @param le
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private Bind getBindEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
+    {
+
+        Bind auditBind = new ObjectFactory().createBind();
+        auditBind.setSequenceId( sequence );
+        auditBind.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
+        auditBind.setCreatorsName( getAttribute( le, CREATORSNAME ) );
+        auditBind.setEntryCSN( getAttribute( le, ENTRYCSN ) );
+        auditBind.setEntryDN( getAttribute( le, ENTRYDN ) );
+        auditBind.setEntryUUID( getAttribute( le, ENTRYUUID ) );
+        auditBind.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
+        auditBind.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
+        auditBind.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
+        auditBind.setObjectClass( getAttribute( le, OBJECTCLASS ) );
+        auditBind.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
+        auditBind.setReqControls( getAttribute( le, REQCONTROLS ) );
+        auditBind.setReqDN( getAttribute( le, REQDN ) );
+        auditBind.setReqEnd( getAttribute( le, REQEND ) );
+        auditBind.setReqMethod( getAttribute( le, REQMETHOD ) );
+        auditBind.setReqResult( getAttribute( le, REQRESULT ) );
+        auditBind.setReqSession( getAttribute( le, REQSESSION ) );
+        auditBind.setReqStart( getAttribute( le, REQSTART ) );
+        auditBind.setReqType( getAttribute( le, REQTYPE ) );
+        auditBind.setReqVersion( getAttribute( le, REQVERSION ) );
+        auditBind.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
+
+        return auditBind;
+    }
+
+
+    /**
+     * @param le
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private AuthZ getAuthzEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
+    {
+
+        // these attrs also on audit bind OC:
+        AuthZ authZ = new ObjectFactory().createAuthZ();
+        authZ.setSequenceId( sequence );
+        authZ.setCreateTimestamp( getAttribute( le, CREATETIMESTAMP ) );
+        authZ.setCreatorsName( getAttribute( le, CREATORSNAME ) );
+        authZ.setEntryCSN( getAttribute( le, ENTRYCSN ) );
+        authZ.setEntryDN( getAttribute( le, ENTRYDN ) );
+        authZ.setEntryUUID( getAttribute( le, ENTRYUUID ) );
+        authZ.setHasSubordinates( getAttribute( le, HASSUBORDINATES ) );
+        authZ.setModifiersName( getAttribute( le, MODIFIERSNAME ) );
+        authZ.setModifyTimestamp( getAttribute( le, MODIFYTIMESTAMP ) );
+        authZ.setObjectClass( getAttribute( le, OBJECTCLASS ) );
+        authZ.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
+        authZ.setReqControls( getAttribute( le, REQCONTROLS ) );
+        authZ.setReqDN( getAttribute( le, REQDN ) );
+        authZ.setReqEnd( getAttribute( le, REQEND ) );
+        authZ.setReqResult( getAttribute( le, REQRESULT ) );
+        authZ.setReqSession( getAttribute( le, REQSESSION ) );
+        authZ.setReqStart( getAttribute( le, REQSTART ) );
+        authZ.setReqType( getAttribute( le, REQTYPE ) );
+        authZ.setStructuralObjectClass( getAttribute( le, STRUCTURALOBJECTCLASS ) );
+
+        // these attrs only on audit search OC:
+        authZ.setReqAttr( getAttribute( le, REQATTR ) );
+        authZ.setReqAttrsOnly( getAttribute( le, REQATTRSONLY ) );
+        authZ.setReqDerefAliases( getAttribute( le, REQDREFALIASES ) );
+        authZ.setReqEntries( getAttribute( le, REQENTRIES ) );
+        authZ.setReqFilter( getAttribute( le, REQFILTER ) );
+        authZ.setReqScope( getAttribute( le, REQSCOPE ) );
+        authZ.setReqSizeLimit( getAttribute( le, REQSIZELIMIT ) );
+        authZ.setReqTimeLimit( getAttribute( le, REQTIMELIMIT ) );
+
+        return authZ;
+    }
+
+
+    private Mod getModEntityFromLdapEntry( Entry le, long sequence ) throws LdapInvalidAttributeValueException
+    {
+        Mod mod = new ObjectFactory().createMod();
+        mod.setSequenceId( sequence );
+        mod.setObjectClass( getAttribute( le, OBJECTCLASS ) );
+        mod.setReqAuthzID( getAttribute( le, REQUAUTHZID ) );
+        mod.setReqDN( getAttribute( le, REQDN ) );
+        mod.setReqEnd( getAttribute( le, REQEND ) );
+        mod.setReqResult( getAttribute( le, REQRESULT ) );
+        mod.setReqSession( getAttribute( le, REQSESSION ) );
+        mod.setReqStart( getAttribute( le, REQSTART ) );
+        mod.setReqType( getAttribute( le, REQTYPE ) );
+        mod.setReqMod( getAttributes( le, REQMOD ) );
+
+        return mod;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
index fd4a8ee..0fd7e17 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
@@ -23,7 +23,6 @@ package org.apache.directory.fortress.core.rbac;
 import java.util.List;
 
 import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO;
 
 
 /**

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnit.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnit.java b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnit.java
index ddb20bd..a1db133 100755
--- a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnit.java
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnit.java
@@ -31,10 +31,6 @@ import javax.xml.bind.annotation.XmlEnum;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlType;
 
-import org.apache.directory.fortress.core.rbac.dao.AdminRoleDAO;
-import org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO;
-
-
 /**
  * All entities ({@link AdminRole}, {@link OrgUnit},
  * {@link org.apache.directory.fortress.core.rbac.SDSet} etc...) are used to carry data between three Fortress


[06/16] Remove the unboundid daos classes and lib, move the apache dao's into rbac package and make its classes and methods package private.

Posted by sm...@apache.org.
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/49e82a58/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/UserDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/UserDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/UserDAO.java
deleted file mode 100755
index 8f4d973..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/dao/apache/UserDAO.java
+++ /dev/null
@@ -1,2383 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac.dao.apache;
-
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.Attribute;
-import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapAttributeInUseException;
-import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchAttributeException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.ldap.client.api.LdapConnection;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.ObjectFactory;
-import org.apache.directory.fortress.core.PasswordException;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.cfg.Config;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.ldap.openldap.OLPWControlImpl;
-import org.apache.directory.fortress.core.rbac.Address;
-import org.apache.directory.fortress.core.rbac.AdminRole;
-import org.apache.directory.fortress.core.rbac.GlobalPwMsgIds;
-import org.apache.directory.fortress.core.rbac.OrgUnit;
-import org.apache.directory.fortress.core.rbac.PwMessage;
-import org.apache.directory.fortress.core.rbac.PwPolicyControl;
-import org.apache.directory.fortress.core.rbac.Role;
-import org.apache.directory.fortress.core.rbac.RoleUtil;
-import org.apache.directory.fortress.core.rbac.Session;
-import org.apache.directory.fortress.core.rbac.User;
-import org.apache.directory.fortress.core.rbac.UserAdminRole;
-import org.apache.directory.fortress.core.rbac.UserRole;
-import org.apache.directory.fortress.core.rbac.Warning;
-import org.apache.directory.fortress.core.util.attr.AttrHelper;
-import org.apache.directory.fortress.core.util.attr.VUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-
-/**
- * Data access class for LDAP User entity.
- * <p/>
- * <p/>
- * The Fortress User LDAP schema follows:
- * <p/>
- * <h4>1. InetOrgPerson Structural Object Class </h4>
- * <code># The inetOrgPerson represents people who are associated with an</code><br />
- * <code># organization in some way.  It is a structural class and is derived</code><br />
- * <code># from the organizationalPerson which is defined in X.521 [X521].</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 2.16.840.1.113730.3.2.2</code>
- * <li> <code>NAME 'inetOrgPerson'</code>
- * <li> <code>DESC 'RFC2798: Internet Organizational Person'</code>
- * <li> <code>SUP organizationalPerson</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MAY ( audio $ businessCategory $ carLicense $ departmentNumber $</code>
- * <li> <code>displayName $ employeeNumber $ employeeType $ givenName $</code>
- * <li> <code>homePhone $ homePostalAddress $ initials $ jpegPhoto $</code>
- * <li> <code>labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $</code>
- * <li> <code>roomNumber $ secretary $ uid $ userCertificate $</code>
- * <li> <code>x500uniqueIdentifier $ preferredLanguage $</code>
- * <li> <code>userSMIMECertificate $ userPKCS12 ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * <h4>3. ftUserAttrs is used to store user RBAC and Admin role assignment and other security attributes on User entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.1</code>
- * <li> <code>NAME 'ftUserAttrs'</code>
- * <li> <code>DESC 'Fortress User Attribute AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MUST ( ftId )</code>
- * <li> <code>MAY ( ftRC $ ftRA $ ftARC $ ftARA $ ftCstr</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author Shawn McKinney
- * @created August 30, 2009
- */
-public final class UserDAO extends ApacheDsDataProvider implements org.apache.directory.fortress.core.rbac.dao.UserDAO
-{
-    private static final String CLS_NM = UserDAO.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static PwPolicyControl pwControl;
-
-    /**
-     * Initialize the OpenLDAP Pw Policy validator.
-     */
-    static
-    {
-        if ( GlobalIds.IS_OPENLDAP )
-        {
-            pwControl = new OLPWControlImpl();
-        }
-    }
-
-    /*
-      *  *************************************************************************
-      *  **  OpenAccessMgr USERS STATICS
-      *  ************************************************************************
-      */
-    private static final String USERS_AUX_OBJECT_CLASS_NAME = "ftUserAttrs";
-    private static final String ORGANIZATIONAL_PERSON_OBJECT_CLASS_NAME = "organizationalPerson";
-    private static final String USER_OBJECT_CLASS = "user.objectclass";
-    private static final String USERS_EXTENSIBLE_OBJECT = "extensibleObject";
-
-    // The Fortress User entity attributes are stored within standard LDAP object classes along with custom auxiliary object classes:
-    private static final String USER_OBJ_CLASS[] =
-        {
-            GlobalIds.TOP,
-            Config.getProperty( USER_OBJECT_CLASS ),
-            USERS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME,
-            USERS_EXTENSIBLE_OBJECT
-    };
-
-    private static final String objectClassImpl = Config.getProperty( USER_OBJECT_CLASS );
-    private static final String SN = "sn";
-    private static final String PW = "userpassword";
-    private static final String SYSTEM_USER = "ftSystem";
-
-    /**
-     * Constant contains the locale attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String L = "l";
-
-    /**
-     * Constant contains the postal address attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POSTAL_ADDRESS = "postalAddress";
-
-    /**
-     * Constant contains the state attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String STATE = "st";
-
-    /**
-     * Constant contains the postal code attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POSTAL_CODE = "postalCode";
-
-    /**
-     * Constant contains the post office box attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String POST_OFFICE_BOX = "postOfficeBox";
-
-    /**
-     * Constant contains the country attribute name used within organizationalPerson ldap object classes.
-     */
-    private static final String COUNTRY = "c";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String PHYSICAL_DELIVERY_OFFICE_NAME = "physicalDeliveryOfficeName";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String DEPARTMENT_NUMBER = "departmentNumber";
-
-    /**
-     * Constant contains the  attribute name used within inetorgperson ldap object classes.
-     */
-    private static final String ROOM_NUMBER = "roomNumber";
-
-    /**
-     * Constant contains the mobile attribute values used within iNetOrgPerson ldap object classes.
-     */
-    private static final String MOBILE = "mobile";
-
-    /**
-     * Constant contains the telephone attribute values used within organizationalPerson ldap object classes.
-     */
-    private static final String TELEPHONE_NUMBER = "telephoneNumber";
-
-    /**
-     * Constant contains the  attribute name for jpeg images to be stored within inetorgperson ldap object classes.
-     */
-    private static final String JPEGPHOTO = "jpegPhoto";
-
-    /**
-     * Constant contains the email attribute values used within iNetOrgPerson ldap object classes.
-     */
-    private static final String MAIL = "mail";
-    private static final String DISPLAY_NAME = "displayName";
-    private static final String TITLE = "title";
-    private static final String EMPLOYEE_TYPE = "employeeType";
-
-    private static final String OPENLDAP_POLICY_SUBENTRY = "pwdPolicySubentry";
-    private static final String OPENLDAP_PW_RESET = "pwdReset";
-    private static final String OPENLDAP_PW_LOCKED_TIME = "pwdAccountLockedTime";
-    private static final String OPENLDAP_ACCOUNT_LOCKED_TIME = "pwdAccountLockedTime";
-    private static final String LOCK_VALUE = "000001010000Z";
-    private static final String[] USERID =
-        { GlobalIds.UID };
-    private static final String[] ROLES =
-        { GlobalIds.USER_ROLE_ASSIGN };
-
-    private static final String[] USERID_ATRS =
-        {
-            GlobalIds.UID
-    };
-
-    // This smaller result set of attributes are needed for user validation and authentication operations.
-    private static final String[] AUTHN_ATRS =
-        {
-            GlobalIds.FT_IID,
-            GlobalIds.UID, PW,
-            GlobalIds.DESC,
-            GlobalIds.OU, GlobalIds.CN,
-            SN,
-            GlobalIds.CONSTRAINT,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
-            GlobalIds.PROPS
-    };
-
-    // This default set of attributes contains all and is used for search operations.
-    private static final String[] DEFAULT_ATRS =
-        {
-            GlobalIds.FT_IID,
-            GlobalIds.UID, PW,
-            GlobalIds.DESC,
-            GlobalIds.OU,
-            GlobalIds.CN,
-            SN,
-            GlobalIds.USER_ROLE_DATA,
-            GlobalIds.CONSTRAINT,
-            GlobalIds.USER_ROLE_ASSIGN,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_RESET : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_PW_LOCKED_TIME : null,
-            GlobalIds.IS_OPENLDAP ? OPENLDAP_POLICY_SUBENTRY : null,
-            GlobalIds.PROPS,
-            GlobalIds.USER_ADMINROLE_ASSIGN,
-            GlobalIds.USER_ADMINROLE_DATA,
-            POSTAL_ADDRESS,
-            L,
-            POSTAL_CODE,
-            POST_OFFICE_BOX,
-            STATE,
-            PHYSICAL_DELIVERY_OFFICE_NAME,
-            DEPARTMENT_NUMBER,
-            ROOM_NUMBER,
-            TELEPHONE_NUMBER,
-            MOBILE,
-            MAIL,
-            EMPLOYEE_TYPE,
-            TITLE,
-            SYSTEM_USER,
-            JPEGPHOTO
-    };
-
-    private static final String[] ROLE_ATR =
-        {
-            GlobalIds.USER_ROLE_DATA
-    };
-
-    private static final String[] AROLE_ATR =
-        {
-            GlobalIds.USER_ADMINROLE_DATA
-    };
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws CreateException
-     *
-     */
-    public final User create( User entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-
-        try
-        {
-            entity.setInternalId();
-
-            String dn = getDn( entity.getUserId(), entity.getContextId() );
-
-            Entry myEntry = new DefaultEntry( dn );
-
-            myEntry.add( GlobalIds.OBJECT_CLASS, USER_OBJ_CLASS );
-            myEntry.add( GlobalIds.FT_IID, entity.getInternalId() );
-            myEntry.add( GlobalIds.UID, entity.getUserId() );
-
-            // CN is required on inetOrgPerson object class, if caller did not set, use the userId:
-            if ( !VUtil.isNotNullOrEmpty( entity.getCn() ) )
-            {
-                entity.setCn( entity.getUserId() );
-            }
-
-            myEntry.add( GlobalIds.CN, entity.getCn() );
-
-            // SN is required on inetOrgPerson object class, if caller did not set, use the userId:
-            if ( !VUtil.isNotNullOrEmpty( entity.getSn() ) )
-            {
-                entity.setSn( entity.getUserId() );
-            }
-
-            myEntry.add( SN, entity.getSn() );
-
-            // guard against npe
-            myEntry.add( PW,
-                VUtil.isNotNullOrEmpty( entity.getPassword() ) ? new String( entity.getPassword() ) : new String(
-                    new char[]
-                        {} ) );
-            myEntry.add( DISPLAY_NAME, entity.getCn() );
-
-            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
-            {
-                myEntry.add( TITLE, entity.getTitle() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
-            {
-                myEntry.add( EMPLOYEE_TYPE, entity.getEmployeeType() );
-            }
-
-            // These are multi-valued attributes, use the util function to load.
-            // These items are optional.  The utility function will return quietly if item list is empty:
-            loadAttrs( entity.getPhones(), myEntry, TELEPHONE_NUMBER );
-            loadAttrs( entity.getMobiles(), myEntry, MOBILE );
-            loadAttrs( entity.getEmails(), myEntry, MAIL );
-
-            // The following attributes are optional:
-            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
-            {
-                myEntry.add( SYSTEM_USER, entity.isSystem().toString().toUpperCase() );
-            }
-
-            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
-            {
-                String pwdPolicyDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
-                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
-                myEntry.add( OPENLDAP_POLICY_SUBENTRY, pwdPolicyDn );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                myEntry.add( GlobalIds.OU, entity.getOu() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                myEntry.add( GlobalIds.DESC, entity.getDescription() );
-            }
-
-            // props are optional as well:
-            // Add "initial" property here.
-            entity.addProperty( "init", "" );
-            loadProperties( entity.getProperties(), myEntry, GlobalIds.PROPS );
-            // map the userid to the name field in constraint:
-            entity.setName( entity.getUserId() );
-            myEntry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
-            loadAddress( entity.getAddress(), myEntry );
-
-            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
-            {
-                myEntry.add( JPEGPHOTO, entity.getJpegPhoto() );
-            }
-
-            ld = getAdminConnection();
-            add( ld, myEntry, entity );
-            entity.setDn( dn );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create userId [" + entity.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new CreateException( GlobalErrIds.USER_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @return
-     * @throws UpdateException
-     */
-    public final User update( User entity )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getCn() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CN, entity.getCn() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getSn() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, SN, entity.getSn() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getOu() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.OU, entity.getOu() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getPassword() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( entity.getPassword() ) ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.DESC, entity.getDescription() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getEmployeeType() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, EMPLOYEE_TYPE, entity.getEmployeeType() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getTitle() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, TITLE, entity.getTitle() ) );
-            }
-
-            if ( GlobalIds.IS_OPENLDAP && VUtil.isNotNullOrEmpty( entity.getPwPolicy() ) )
-            {
-                String szDn = GlobalIds.POLICY_NODE_TYPE + "=" + entity.getPwPolicy() + ","
-                    + getRootDn( entity.getContextId(), GlobalIds.PPOLICY_ROOT );
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY, szDn ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.isSystem() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, SYSTEM_USER, entity.isSystem().toString().toUpperCase() ) );
-            }
-
-            if ( entity.isTemporalSet() )
-            {
-                // map the userid to the name field in constraint:
-                entity.setName( entity.getUserId() );
-                String szRawData = CUtil.setConstraint( entity );
-
-                if ( VUtil.isNotNullOrEmpty( szRawData ) )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, true );
-            }
-
-            loadAddress( entity.getAddress(), mods );
-
-            // These are multi-valued attributes, use the util function to load:
-            loadAttrs( entity.getPhones(), mods, TELEPHONE_NUMBER );
-            loadAttrs( entity.getMobiles(), mods, MOBILE );
-            loadAttrs( entity.getEmails(), mods, MAIL );
-
-            if ( VUtil.isNotNullOrEmpty( entity.getJpegPhoto() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, JPEGPHOTO, entity.getJpegPhoto() ) );
-            }
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, userDn, mods, entity );
-                entity.setDn( userDn );
-            }
-
-            entity.setDn( userDn );
-        }
-        catch ( LdapException e )
-        {
-            String error = "update userId [" + entity.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param entity
-     * @param replace
-     * @return
-     * @throws UpdateException
-     */
-    public final User updateProps( User entity, boolean replace )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( VUtil.isNotNullOrEmpty( entity.getProperties() ) )
-            {
-                loadProperties( entity.getProperties(), mods, GlobalIds.PROPS, replace );
-            }
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, userDn, mods, entity );
-                entity.setDn( userDn );
-            }
-
-            entity.setDn( userDn );
-        }
-        catch ( LdapException e )
-        {
-            String error = "updateProps userId [" + entity.getUserId() + "] isReplace [" + replace
-                + "] caught LDAPException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param user
-     * @throws RemoveException
-     */
-    public final String remove( User user )
-        throws RemoveException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, userDn, user );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new RemoveException( GlobalErrIds.USER_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param user
-     * @throws org.apache.directory.fortress.core.UpdateException
-     *
-     */
-    public final void lock( User user ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME,
-                LOCK_VALUE ) );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LdapException e )
-        {
-            String error = "lock user [" + user.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_LOCK_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param user
-     * @throws UpdateException
-     *
-     */
-    public final void unlock( User user )
-        throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            //ld = getAdminConnection();
-            List<Modification> mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_PW_LOCKED_TIME ) );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LdapNoSuchAttributeException e )
-        {
-            LOG.info( "unlock user [" + user.getUserId() + "] no such attribute:"
-                + OPENLDAP_ACCOUNT_LOCKED_TIME );
-        }
-        catch ( LdapException e )
-        {
-            String error = "unlock user [" + user.getUserId() + "] caught LDAPException= "
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_UNLOCK_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final User getUser( User user, boolean isRoles )
-        throws FinderException
-    {
-        User entity = null;
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        String[] uATTRS;
-        // Retrieve role attributes?
-
-        if ( isRoles )
-        {
-            // Retrieve the User's assigned RBAC and Admin Role attributes from directory.
-            uATTRS = DEFAULT_ATRS;
-
-        }
-        else
-        {
-            // Do not retrieve the User's assigned RBAC and Admin Role attributes from directory.
-            uATTRS = AUTHN_ATRS;
-        }
-
-        Entry findEntry = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            findEntry = read( ld, userDn, uATTRS );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getUser COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getUser [" + userDn + "]= caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        try
-        {
-            if(findEntry != null)
-            {
-                entity = unloadLdapEntry( findEntry, 0, user.getContextId() );
-            }
-        }
-        catch ( LdapInvalidAttributeValueException e )
-        {
-            entity = null;
-        }
-
-        if ( entity == null )
-        {
-            String warning = "getUser userId [" + user.getUserId() + "] not found, Fortress rc="
-                + GlobalErrIds.USER_NOT_FOUND;
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     */
-    public final List<UserAdminRole> getUserAdminRoles( User user )
-        throws FinderException
-    {
-        List<UserAdminRole> roles = null;
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, userDn, AROLE_ATR );
-            roles = unloadUserAdminRoles( findEntry, user.getUserId(), user.getContextId() );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getUserAdminRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getUserAdminRoles [" + userDn + "]= caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roles;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     */
-    public final List<String> getRoles( User user )
-        throws FinderException
-    {
-        List<String> roles = null;
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, userDn, ROLES );
-
-            if ( findEntry == null )
-            {
-                String warning = "getRoles userId [" + user.getUserId() + "] not found, Fortress rc="
-                    + GlobalErrIds.USER_NOT_FOUND;
-                throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-            }
-
-            roles = getAttributes( findEntry, GlobalIds.USER_ROLE_ASSIGN );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getRoles COULD NOT FIND ENTRY for user [" + user.getUserId() + "]";
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roles;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws org.apache.directory.fortress.core.FinderException
-     *
-     * @throws org.apache.directory.fortress.core.SecurityException
-     */
-    public final Session checkPassword( User user ) throws FinderException
-    {
-        Session session = null;
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            session = new ObjectFactory().createSession();
-            session.setUserId( user.getUserId() );
-            ld = getUserConnection();
-            boolean result = bind( ld, userDn, user.getPassword() );
-
-            if ( result )
-            {
-                // check openldap password policies here
-                checkPwPolicies( ld, session );
-
-                if ( session.getErrorId() == 0 )
-                {
-                    session.setAuthenticated( true );
-                }
-            }
-        }
-        catch ( LdapAuthenticationException e )
-        {
-            // Check controls to see if password is locked, expired or out of grace:
-            checkPwPolicies( ld, session );
-            // if check pw control did not find problem the user entered invalid pw:
-            if ( session.getErrorId() == 0 )
-            {
-                String info = "checkPassword INVALID PASSWORD for userId [" + user.getUserId() + "]";
-                session.setMsg( info );
-                session.setErrorId( GlobalErrIds.USER_PW_INVLD );
-                session.setAuthenticated( false );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "checkPassword userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeUserConnection( ld );
-        }
-
-        return session;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> findUsers( User user ) throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter;
-
-            if ( VUtil.isNotNullOrEmpty( user.getUserId() ) )
-            {
-                // place a wild card after the input userId:
-                String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
-                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                    + GlobalIds.UID + "=" + searchVal + "*))";
-            }
-            else if ( VUtil.isNotNullOrEmpty( user.getInternalId() ) )
-            {
-                // internalUserId search
-                String searchVal = encodeSafeText( user.getInternalId(), GlobalIds.USERID_LEN );
-                // this is not a wildcard search. Must be exact match.
-                filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                    + GlobalIds.FT_IID + "=" + searchVal + "))";
-            }
-            else
-            {
-                // Beware - returns ALL users!!:"
-                filter = "(objectclass=" + objectClassImpl + ")";
-            }
-
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, user.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "findUsers userRoot [" + userRoot + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param user
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> findUsers( User user, int limit ) throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( user.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String searchVal = encodeSafeText( user.getUserId(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.UID + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.next() )
-            {
-                Entry entry = searchResults.getEntry();
-                userList.add( getAttribute( entry, GlobalIds.UID ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "findUsers caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "findUsers caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<User> getAuthorizedUsers( Role role ) throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(";
-            Set<String> roles = RoleUtil.getDescendants( role.getName(), role.getContextId() );
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                filter += "|(" + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
-
-                for ( String uRole : roles )
-                {
-                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + uRole + ")";
-                }
-
-                filter += ")";
-            }
-            else
-            {
-                filter += GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + ")";
-            }
-
-            filter += ")";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> getAssignedUsers( Role role )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "getAssignedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     *
-     * @param roles
-     * @return
-     * @throws FinderException
-     */
-    public final Set<String> getAssignedUsers( Set<String> roles, String contextId )
-        throws FinderException
-    {
-        Set<String> userSet = new HashSet<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")(|";
-
-            if ( VUtil.isNotNullOrEmpty( roles ) )
-            {
-                for ( String roleVal : roles )
-                {
-                    String filteredVal = encodeSafeText( roleVal, GlobalIds.USERID_LEN );
-                    filter += "(" + GlobalIds.USER_ROLE_ASSIGN + "=" + filteredVal + ")";
-                }
-            }
-            else
-            {
-                return null;
-            }
-
-            filter += "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, USERID_ATRS, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                userSet.add( getAttribute( searchResults.getEntry(), GlobalIds.UID ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "getAssignedUsers caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userSet;
-    }
-
-
-    /**
-     * @param role
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> getAssignedUsers( AdminRole role )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ADMINROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, role.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "getAssignedUsers admin role name [" + role.getName()
-                + "] caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "getAssignedUsers admin role name [" + role.getName()
-                + "] caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param role
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    public final List<String> getAuthorizedUsers( Role role, int limit )
-        throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( role.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String roleVal = encodeSafeText( role.getName(), GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + USERS_AUX_OBJECT_CLASS_NAME + ")("
-                + GlobalIds.USER_ROLE_ASSIGN + "=" + roleVal + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, USERID, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.next() )
-            {
-                Entry entry = searchResults.getEntry();
-                userList.add( getAttribute( entry, GlobalIds.UID ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "getAuthorizedUsers role name [" + role.getName() + "] caught LDAPException="
-                + e.getMessage();
-            throw new FinderException( GlobalErrIds.URLE_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param searchVal
-     * @return
-     * @throws FinderException
-     */
-    public final List<String> findUsersList( String searchVal, String contextId )
-        throws FinderException
-    {
-        List<String> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( contextId, GlobalIds.USER_ROOT );
-
-        try
-        {
-            searchVal = encodeSafeText( searchVal, GlobalIds.USERID_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.UID + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( ( unloadLdapEntry( searchResults.getEntry(), sequence++, contextId ) ).getUserId() );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "findUsersList caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "findUsersList caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param ou
-     * @return
-     * @throws FinderException
-     */
-    public final List<User> findUsers( OrgUnit ou, boolean limitSize )
-        throws FinderException
-    {
-        List<User> userList = new ArrayList<>();
-        LdapConnection ld = null;
-        String userRoot = getRootDn( ou.getContextId(), GlobalIds.USER_ROOT );
-
-        try
-        {
-            String szOu = encodeSafeText( ou.getName(), GlobalIds.OU_LEN );
-            String filter = GlobalIds.FILTER_PREFIX + objectClassImpl + ")("
-                + GlobalIds.OU + "=" + szOu + "))";
-            int maxLimit;
-
-            if ( limitSize )
-            {
-                maxLimit = 10;
-            }
-            else
-            {
-                maxLimit = 0;
-            }
-
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, userRoot,
-                SearchScope.ONELEVEL, filter, DEFAULT_ATRS, false, GlobalIds.BATCH_SIZE, maxLimit );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                userList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, ou.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "findUsers caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        catch ( CursorException e )
-        {
-            String warning = "findUsers caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_SEARCH_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userList;
-    }
-
-
-    /**
-     * @param entity
-     * @param newPassword
-     * @return
-     * @throws UpdateException
-     *
-     * @throws SecurityException
-     * @throws PasswordException 
-     */
-    public final boolean changePassword( User entity, char[] newPassword ) throws SecurityException
-    {
-        boolean rc = true;
-        LdapConnection ld = null;
-        List<Modification> mods;
-        String userDn = getDn( entity.getUserId(), entity.getContextId() );
-
-        try
-        {
-            ld = getUserConnection();
-            bind( ld, userDn, entity.getPassword() );
-            mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification(
-                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( newPassword ) ) );
-
-            modify( ld, userDn, mods );
-
-            // The 2nd modify is to update audit attributes on the User entry:
-            if ( GlobalIds.IS_AUDIT && ( entity.getAdminSession() != null ) )
-            {
-                // Because the user modified their own password, set their userId here:
-                //(entity.getAdminSession()).setInternalUserId(entity.getUserId());
-                mods = new ArrayList<Modification>();
-                modify( ld, userDn, mods, entity );
-            }
-        }
-        catch ( LdapInvalidAttributeValueException e )
-        {
-            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
-
-            warning += " constraint violation, ldap rc=" + e.getMessage()
-                + " Fortress rc=" + GlobalErrIds.PSWD_CONST_VIOLATION;
-
-            throw new PasswordException( GlobalErrIds.PSWD_CONST_VIOLATION, warning );
-        }
-        catch ( LdapNoPermissionException e )
-        {
-            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
-            warning += " user not authorized to change password, ldap rc=" + e.getMessage() + " Fortress rc="
-                + GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
-            throw new UpdateException( GlobalErrIds.USER_PW_MOD_NOT_ALLOWED, warning );
-        }
-        catch ( LdapException e )
-        {
-            String warning = User.class.getName() + ".changePassword user [" + entity.getUserId() + "] ";
-            warning += " caught LDAPException rc=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_CHANGE_FAILED, warning, e );
-        }
-        finally
-        {
-            closeUserConnection( ld );
-        }
-
-        return rc;
-    }
-
-
-    /**
-     * @param user
-     * @throws UpdateException
-     *
-     */
-    public final void resetUserPassword( User user ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification(
-                ModificationOperation.REPLACE_ATTRIBUTE, PW, new String( user.getPassword() ) ) );
-
-            mods.add( new DefaultModification(
-                ModificationOperation.REPLACE_ATTRIBUTE, OPENLDAP_PW_RESET, "TRUE" ) );
-
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LdapException e )
-        {
-            String warning = "resetUserPassword userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_RESET_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String assign( UserRole uRole ) throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            String szUserRole = uRole.getRawData();
-
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_DATA, szUserRole ) );
-
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE, GlobalIds.USER_ROLE_ASSIGN, uRole.getName() ) );
-
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, uRole );
-        }
-        catch ( LdapAttributeInUseException e )
-        {
-            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
-
-            warning += "assignment already exists.";
-            throw new FinderException( GlobalErrIds.URLE_ASSIGN_EXIST, warning );
-        }
-        catch ( LdapException e )
-        {
-            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName() + "] ";
-
-            warning += "caught LDAPException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.URLE_ASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String deassign( UserRole uRole )
-        throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            // read the user's RBAC role assignments to locate target record.  Need the raw data before attempting removal:
-            List<UserRole> roles = getUserRoles( uRole.getUserId(), uRole.getContextId() );
-            int indx = -1;
-
-            // Does the user have any roles assigned?
-            if ( roles != null )
-            {
-                // function call will set indx to -1 if name not found:
-                indx = roles.indexOf( uRole );
-
-                // Is the targeted name assigned to user?
-                if ( indx > -1 )
-                {
-                    // Retrieve the targeted name:
-                    UserRole fRole = roles.get( indx );
-                    // delete the name assignment attribute using the raw name data:
-                    List<Modification> mods = new ArrayList<Modification>();
-
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REMOVE_ATTRIBUTE,
-                        GlobalIds.USER_ROLE_DATA, fRole.getRawData() ) );
-
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REMOVE_ATTRIBUTE,
-                        GlobalIds.USER_ROLE_ASSIGN, fRole.getName() ) );
-                    ld = getAdminConnection();
-                    modify( ld, userDn, mods, uRole );
-                }
-            }
-            // target name not found:
-            if ( indx == -1 )
-            {
-                // The user does not have the target name assigned,
-                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.URLE_ASSIGN_NOT_EXIST, warning );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] caught LDAPException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.URLE_DEASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String assign( UserAdminRole uRole ) throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            String szUserRole = uRole.getRawData();
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE,
-                GlobalIds.USER_ADMINROLE_DATA, szUserRole ) );
-
-            mods.add( new DefaultModification(
-                ModificationOperation.ADD_ATTRIBUTE,
-                GlobalIds.USER_ADMINROLE_ASSIGN, uRole.getName() ) );
-
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, uRole );
-        }
-        catch ( LdapAttributeInUseException e )
-        {
-            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] assignment already exists.";
-            throw new FinderException( GlobalErrIds.ARLE_ASSIGN_EXIST, warning );
-        }
-        catch ( LdapException e )
-        {
-            String warning = "assign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] caught LDAPException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_ASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param uRole
-     * @return
-     * @throws UpdateException
-     *
-     * @throws FinderException
-     *
-     */
-    public final String deassign( UserAdminRole uRole )
-        throws UpdateException, FinderException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( uRole.getUserId(), uRole.getContextId() );
-
-        try
-        {
-            // read the user's ARBAC roles to locate record.  Need the raw data before attempting removal:
-            User user = new User( uRole.getUserId() );
-            user.setContextId( uRole.getContextId() );
-            List<UserAdminRole> roles = getUserAdminRoles( user );
-
-            int indx = -1;
-
-            // Does the user have any roles assigned?
-            if ( roles != null )
-            {
-                // function call will set index to -1 if name not found:
-                indx = roles.indexOf( uRole );
-
-                // Is the targeted name assigned to user?
-                if ( indx > -1 )
-                {
-                    // Retrieve the targeted name:
-                    UserRole fRole = roles.get( indx );
-                    // delete the name assignment attribute using the raw name data:
-                    List<Modification> mods = new ArrayList<Modification>();
-
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_DATA, fRole.getRawData() ) );
-
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.USER_ADMINROLE_ASSIGN, fRole.getName() ) );
-
-                    ld = getAdminConnection();
-                    modify( ld, userDn, mods, uRole );
-                }
-            }
-
-            // target name not found:
-            if ( indx == -1 )
-            {
-                // The user does not have the target name assigned,
-                String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                    + "] assignment does not exist.";
-                throw new FinderException( GlobalErrIds.ARLE_DEASSIGN_NOT_EXIST, warning );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String warning = "deassign userId [" + uRole.getUserId() + "] name [" + uRole.getName()
-                + "] caught LDAPException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_DEASSIGN_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param user
-     * @return
-     * @throws UpdateException 
-     * @throws Exception 
-     *
-     */
-    public final String deletePwPolicy( User user ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String userDn = getDn( user.getUserId(), user.getContextId() );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, OPENLDAP_POLICY_SUBENTRY ) );
-            ld = getAdminConnection();
-            modify( ld, userDn, mods, user );
-        }
-        catch ( LdapException e )
-        {
-            String warning = "deletePwPolicy userId [" + user.getUserId() + "] caught LDAPException="
-                + e.getMessage() + " msg=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.USER_PW_PLCY_DEL_FAILED, warning, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userDn;
-    }
-
-
-    /**
-     * @param entry
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     */
-    private User unloadLdapEntry( Entry entry, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        User entity = new ObjectFactory().createUser();
-        entity.setSequenceId( sequence );
-        entity.setInternalId( getAttribute( entry, GlobalIds.FT_IID ) );
-        entity.setDescription( getAttribute( entry, GlobalIds.DESC ) );
-        entity.setUserId( getAttribute( entry, GlobalIds.UID ) );
-        entity.setCn( getAttribute( entry, GlobalIds.CN ) );
-        entity.setName( entity.getCn() );
-        entity.setSn( getAttribute( entry, SN ) );
-        entity.setOu( getAttribute( entry, GlobalIds.OU ) );
-        entity.setDn( entry.getDn().getName() );
-        entity.setTitle( getAttribute( entry, TITLE ) );
-        entity.setEmployeeType( getAttribute( entry, EMPLOYEE_TYPE ) );
-        unloadTemporal( entry, entity );
-        entity.setRoles( unloadUserRoles( entry, entity.getUserId(), contextId ) );
-        entity.setAdminRoles( unloadUserAdminRoles( entry, entity.getUserId(), contextId ) );
-        entity.setAddress( unloadAddress( entry ) );
-        entity.setPhones( getAttributes( entry, TELEPHONE_NUMBER ) );
-        entity.setMobiles( getAttributes( entry, MOBILE ) );
-        entity.setEmails( getAttributes( entry, MAIL ) );
-        String szBoolean = getAttribute( entry, SYSTEM_USER );
-        if ( szBoolean != null )
-        {
-            entity.setSystem( Boolean.valueOf( szBoolean ) );
-        }
-
-        entity.addProperties( AttrHelper.getProperties( getAttributes( entry, GlobalIds.PROPS ) ) );
-
-        if ( GlobalIds.IS_OPENLDAP )
-        {
-            szBoolean = getAttribute( entry, OPENLDAP_PW_RESET );
-            if ( szBoolean != null && szBoolean.equalsIgnoreCase( "true" ) )
-            {
-                entity.setReset( true );
-            }
-            String szPolicy = getAttribute( entry, OPENLDAP_POLICY_SUBENTRY );
-            if ( VUtil.isNotNullOrEmpty( szPolicy ) )
-            {
-                entity.setPwPolicy( getRdn( szPolicy ) );
-            }
-
-            szBoolean = getAttribute( entry, OPENLDAP_PW_LOCKED_TIME );
-
-            if ( szBoolean != null && szBoolean.equals( LOCK_VALUE ) )
-            {
-                entity.setLocked( true );
-            }
-        }
-
-        entity.setJpegPhoto( getPhoto( entry, JPEGPHOTO ) );
-
-        return entity;
-    }
-
-
-    /**
-     * @param userId
-     * @return
-     * @throws FinderException
-     */
-    private List<UserRole> getUserRoles( String userId, String contextId )
-        throws FinderException
-    {
-        List<UserRole> roles = null;
-        LdapConnection ld = null;
-        String userDn = getDn( userId, contextId );
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, userDn, ROLE_ATR );
-            roles = unloadUserRoles( findEntry, userId, contextId );
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getUserRoles COULD NOT FIND ENTRY for user [" + userId + "]";
-            throw new FinderException( GlobalErrIds.USER_NOT_FOUND, warning );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getUserRoles [" + userDn + "]= caught LDAPException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.USER_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roles;
-    }
-
-
-    /**
-     * @param ld
-     * @param pwMsg
-     */
-    private void checkPwPolicies( LdapConnection ld, PwMessage pwMsg )
-    {
-        int rc = 0;
-        boolean success = false;
-        String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
-
-        if ( ld != null )
-        {
-            if ( !GlobalIds.IS_OPENLDAP )
-            {
-                String msg = msgHdr + "OPENLDAP PW POLICY NOT ENABLED";
-                pwMsg.setWarning( new ObjectFactory().createWarning( GlobalPwMsgIds.NOT_OLPW_POLICY_ENABLED, msg, Warning.Type.PASSWORD ) );
-                pwMsg.setErrorId( GlobalPwMsgIds.GOOD );
-                LOG.debug( msg );
-                return;
-            }
-            else if ( pwControl != null )
-            {
-                // ------------> pwControl.checkPasswordPolicy( ld, success, pwMsg );
-            }
-
-            // OpenLDAP has notified of password violation:
-            if ( pwMsg.getErrorId() > 0 )
-            {
-                String errMsg;
-
-                switch ( pwMsg.getErrorId() )
-                {
-
-                    case GlobalPwMsgIds.CHANGE_AFTER_RESET:
-                        // Don't throw exception if authenticating in J2EE Realm - The Web application must give user a chance to modify their password.
-                        if ( !GlobalIds.IS_REALM )
-                        {
-                            errMsg = msgHdr + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
-                            rc = GlobalErrIds.USER_PW_RESET;
-                        }
-                        else
-                        {
-                            errMsg = msgHdr
-                                + "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
-                            success = true;
-                            pwMsg.setWarning( new ObjectFactory().createWarning( GlobalErrIds.USER_PW_RESET, errMsg, Warning.Type.PASSWORD ) );
-                        }
-
-                        break;
-
-                    case GlobalPwMsgIds.ACCOUNT_LOCKED:
-                        errMsg = msgHdr + "ACCOUNT HAS BEEN LOCKED";
-                        rc = GlobalErrIds.USER_PW_LOCKED;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_HAS_EXPIRED:
-                        errMsg = msgHdr + "PASSWORD HAS EXPIRED";
-                        rc = GlobalErrIds.USER_PW_EXPIRED;
-                        break;
-
-                    case GlobalPwMsgIds.NO_MODIFICATIONS:
-                        errMsg = msgHdr + "PASSWORD MOD NOT ALLOWED";
-                        rc = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
-                        break;
-
-                    case GlobalPwMsgIds.MUST_SUPPLY_OLD:
-                        errMsg = msgHdr + "MUST SUPPLY OLD PASSWORD";
-                        rc = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
-                        break;
-
-                    case GlobalPwMsgIds.INSUFFICIENT_QUALITY:
-                        errMsg = msgHdr + "PASSWORD QUALITY VIOLATION";
-                        rc = GlobalErrIds.USER_PW_NSF_QUALITY;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_TOO_SHORT:
-                        errMsg = msgHdr + "PASSWORD TOO SHORT";
-                        rc = GlobalErrIds.USER_PW_TOO_SHORT;
-                        break;
-
-                    case GlobalPwMsgIds.PASSWORD_TOO_YOUNG:
-                        errMsg = msgHdr + "PASSWORD TOO YOUNG";
-                        rc = GlobalErrIds.USER_PW_TOO_YOUNG;
-                        break;
-
-                    case GlobalPwMsgIds.HISTORY_VIOLATION:
-                        errMsg = msgHdr + "PASSWORD IN HISTORY VIOLATION";
-                        rc = GlobalErrIds.USER_PW_IN_HISTORY;
-                        break;
-
-                    default:
-                        errMsg = msgHdr + "PASSWORD CHECK FAILED";
-                        rc = GlobalErrIds.USER_PW_CHK_FAILED;
-                        break;
-                }
-
-                pwMsg.setMsg( errMsg );
-                pwMsg.setErrorId( rc );
-                pwMsg.setAuthenticated( success );
-                LOG.debug( errMsg );
-            }
-            else
-            {
-                // Checked out good:
-                String msg = msgHdr + "PASSWORD CHECK SUCCESS";
-                pwMsg.setMsg( msg );
-                pwMsg.setErrorId( 0 );
-                pwMsg.setAuthenticated( true );
-                LOG.debug( msg );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
-     *
-     * @param list  contains List of type {@link UserAdminRole} targeted for adding to ldap.
-     * @param entry collection of ldap attributes containing ARBAC role assignments in raw ldap format.
-     * @throws LdapException 
-     */
-    private void loadUserAdminRoles( List<UserAdminRole> list, Entry entry ) throws LdapException
-    {
-        if ( list != null )
-        {
-            Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
-            Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
-
-            for ( UserAdminRole userRole : list )
-            {
-                userAdminRoleData.add( userRole.getRawData() );
-                userAdminRoleAssign.add( userRole.getName() );
-            }
-
-            if ( userAdminRoleData.size() != 0 )
-            {
-                entry.add( userAdminRoleData );
-                entry.add( userAdminRoleAssign );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param list contains List of type {@link UserRole} targeted for updating into ldap.
-     * @param mods contains ldap modification set containing RBAC role assignments in raw ldap format to be updated.
-     * @throws LdapInvalidAttributeValueException 
-     */
-    private void loadUserRoles( List<UserRole> list, List<Modification> mods )
-        throws LdapInvalidAttributeValueException
-    {
-        Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
-        Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
-
-        if ( list != null )
-        {
-            for ( UserRole userRole : list )
-            {
-                userRoleData.add( userRole.getRawData() );
-                userRoleAssign.add( userRole.getName() );
-            }
-
-            if ( userRoleData.size() != 0 )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleData ) );
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, userRoleAssign ) );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of ARBAC roles, {@link UserAdminRole}, convert to raw data format and load into ldap modification set in preparation for ldap modify.
-     *
-     * @param list contains List of type {@link UserAdminRole} targeted for updating to ldap.
-     * @param mods contains ldap modification set containing ARBAC role assignments in raw ldap format to be updated.
-     * @throws LdapInvalidAttributeValueException 
-     */
-    private void loadUserAdminRoles( List<UserAdminRole> list, List<Modification> mods )
-        throws LdapInvalidAttributeValueException
-    {
-        Attribute userAdminRoleData = new DefaultAttribute( GlobalIds.USER_ADMINROLE_DATA );
-        Attribute userAdminRoleAssign = new DefaultAttribute( GlobalIds.USER_ADMINROLE_ASSIGN );
-
-        if ( list != null )
-        {
-            boolean nameSeen = false;
-
-            for ( UserAdminRole userRole : list )
-            {
-                userAdminRoleData.add( userRole.getRawData() );
-
-                if ( !nameSeen )
-                {
-                    userAdminRoleAssign.add( userRole.getName() );
-                    nameSeen = true;
-                }
-            }
-
-            if ( userAdminRoleData.size() != 0 )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleData ) );
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, userAdminRoleAssign ) );
-            }
-        }
-    }
-
-
-    /**
-     * Given a collection of RBAC roles, {@link UserRole}, convert to raw data format and load into ldap attribute set in preparation for ldap add.
-     *
-     * @param list  contains List of type {@link UserRole} targeted for adding to ldap.
-     * @param entry ldap entry containing attributes mapping to RBAC role assignments in raw ldap format.
-     * @throws LdapException 
-     */
-    private void loadUserRoles( List<UserRole> list, Entry entry ) throws LdapException
-    {
-        if ( list != null )
-        {
-            Attribute userRoleData = new DefaultAttribute( GlobalIds.USER_ROLE_DATA );
-            Attribute userRoleAssign = new DefaultAttribute( GlobalIds.USER_ROLE_ASSIGN );
-
-            for ( UserRole userRole : list )
-            {
-                userRoleData.add( userRole.getRawData() );
-                userRoleAssign.add( userRole.getName() );
-            }
-
-            if ( userRoleData.size() != 0 )
-            {
-                entry.add( userRoleData, userRoleAssign );
-            }
-        }
-    }
-
-
-    /**
-     * Given a User address, {@link Address}, load into ldap attribute set in preparation for ldap add.
-     *
-     * @param address  contains User address {@link Address} targeted for adding to ldap.
-     * @param entry collection of ldap attributes containing RBAC role assignments in raw ldap format.
-     */
-    private void loadAddress( Address address, Entry entry ) throws LdapException
-    {
-        if ( address != null )
-        {
-            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
-            {
-                for ( String val : address.getAddresses() )
-                {
-                    entry.add( POSTAL_ADDRESS, val );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
-            {
-                entry.add( L, address.getCity() );
-            }
-
-            //if(VUtil.isNotNullOrEmpty(address.getCountry()))
-            //{
-            //    attrs.add(GlobalIds.COUNTRY, address.getAddress1());
-            //}
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
-            {
-                entry.add( POSTAL_CODE, address.getPostalCode() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
-            {
-                entry.add( POST_OFFICE_BOX, address.getPostOfficeBox() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
-            {
-                entry.add( STATE, address.getState() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
-            {
-                entry.add( PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
-            {
-                entry.add( DEPARTMENT_NUMBER, address.getDepartmentNumber() );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
-            {
-                entry.add( ROOM_NUMBER, address.getRoomNumber() );
-            }
-        }
-    }
-
-
-    /**
-     * Given an address, {@link Address}, load into ldap modification set in preparation for ldap modify.
-     *
-     * @param address contains entity of type {@link Address} targeted for updating into ldap.
-     * @param mods contains ldap modification set contains attributes to be updated in ldap.
-     */
-    private void loadAddress( Address address, List<Modification> mods )
-    {
-        if ( address != null )
-        {
-            if ( VUtil.isNotNullOrEmpty( address.getAddresses() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_ADDRESS ) );
-
-                for ( String val : address.getAddresses() )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.ADD_ATTRIBUTE, POSTAL_ADDRESS, val ) );
-                }
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getCity() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, L, address.getCity() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostalCode() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, POSTAL_CODE, address.getPostalCode() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getPostOfficeBox() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, POST_OFFICE_BOX, address.getPostOfficeBox() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getState() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, STATE, address.getState() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getBuilding() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, PHYSICAL_DELIVERY_OFFICE_NAME, address.getBuilding() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getDepartmentNumber() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, DEPARTMENT_NUMBER, address.getDepartmentNumber() ) );
-            }
-
-            if ( VUtil.isNotNullOrEmpty( address.getRoomNumber() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, ROOM_NUMBER, address.getRoomNumber() ) );
-            }
-        }
-    }
-
-
-    /**
-     * Given an ldap entry containing organzationalPerson address information, convert to {@link Address}
-     *
-     * @param entry     contains ldap entry to retrieve admin roles from.
-     * @return entity of type {@link Address}.
-     * @throws LdapInvalidAttributeValueException 
-     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-     */
-    private Address unloadAddress( Entry entry ) throws LdapInvalidAttributeValueException
-    {
-        Address addr = new ObjectFactory().createAddress();
-        List<String> pAddrs = getAttributes( entry, POSTAL_ADDRESS );
-
-        if ( pAddrs != null )
-        {
-            for ( String pAddr : pAddrs )
-            {
-                addr.setAddress( pAddr );
-            }
-        }
-
-        addr.setCity( getAttribute( entry, L ) );
-        addr.setState( getAttribute( entry, STATE ) );
-        addr.setPostalCode( getAttribute( entry, POSTAL_CODE ) );
-        addr.setPostOfficeBox( getAttribute( entry, POST_OFFICE_BOX ) );
-        addr.setBuilding( getAttribute( entry, PHYSICAL_DELIVERY_OFFICE_NAME ) );
-        addr.setDepartmentNumber( getAttribute( entry, DEPARTMENT_NUMBER ) );
-        addr.setRoomNumber( getAttribute( entry, ROOM_NUMBER ) );
-        // todo: add support for country attribute
-        //addr.setCountry(getAttribute(le, GlobalIds.COUNTRY));
-
-        return addr;
-    }
-
-
-    /**
-     * Given an ldap entry containing ARBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserAdminRole}
-     * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
-     *
-     * @param entry     contains ldap entry to retrieve admin roles from.
-     * @param userId attribute maps to {@link UserAdminRole#userId}.
-     * @param contextId
-     * @return List of type {@link UserAdminRole} containing admin roles assigned to a particular user.
-     * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-     */
-    private List<UserAdminRole> unloadUserAdminRoles( Entry entry, String userId, String contextId )
-    {
-        List<UserAdminRole> uRoles = null;
-        List<String> roles = getAttributes( entry, GlobalIds.USER_ADMINROLE_DATA );
-
-        if ( roles != null )
-        {
-            long sequence = 0;
-            uRoles = new ArrayList<>();
-
-            for ( String raw : roles )
-            {
-                UserAdminRole ure = new ObjectFactory().createUserAdminRole();
-                ure.load( raw, contextId );
-                ure.setSequenceId( sequence++ );
-                ure.setUserId( userId );
-                uRoles.add( ure );
-            }
-        }
-
-        return uRoles;
-    }
-
-
-    /**
-     *
-     * @param userId
-     * @param contextId
-     * @return
-     */
-    private String getDn( String userId, String contextId )
-    {
-        return GlobalIds.UID + "=" + userId + "," + getRootDn( contextId, GlobalIds.USER_ROOT );
-    }
-
-
-    /**
-    * Given an ldap entry containing RBAC roles assigned to user, retrieve the raw data and convert to a collection of {@link UserRole}
-    * including {@link org.apache.directory.fortress.core.util.time.Constraint}.
-    *
-    * @param entry     contains ldap entry to retrieve roles from.
-    * @param userId attribute maps to {@link UserRole#userId}.
-    * @param contextId
-    * @return List of type {@link UserRole} containing RBAC roles assigned to a particular user.
-    * @throws com.unboundid.ldap.sdk.migrate.ldapjdk.LDAPException in the event of ldap client error.
-    */
-    private List<UserRole> unloadUserRoles( Entry entry, String userId, String contextId )
-    {
-        List<UserRole> uRoles = null;
-        List<String> roles = getAttributes( entry, GlobalIds.USER_ROLE_DATA );
-
-        if ( roles != null )
-        {
-            long sequence = 0;
-            uRoles = new ArrayList<>();
-
-            for ( String raw : roles )
-            {
-                UserRole ure = new ObjectFactory().createUserRole();
-                ure.load( raw, contextId );
-                ure.setUserId( userId );
-                ure.setSequenceId( sequence++ );
-                uRoles.add( ure );
-            }
-        }
-
-        return uRoles;
-    }
-}
\ No newline at end of file