directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [25/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.
Date Wed, 22 Oct 2014 15:44:44 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
new file mode 100755
index 0000000..7a53ea8
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitP.java
@@ -0,0 +1,370 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
+import org.apache.directory.fortress.core.rbac.dao.OrgUnitDAO;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+import org.apache.directory.fortress.core.util.cache.Cache;
+import org.apache.directory.fortress.core.util.cache.CacheMgr;
+
+
+/**
+ * Process module for the OrgUnit entity. The Fortress OrgUnit data set can be associated with two entities:
+ * {@link org.apache.directory.fortress.core.rbac.User} class or {@link org.apache.directory.fortress.core.rbac.PermObj} class.  The OrgUnit entity itself is stored in two separate locations in the ldap tree one
+ * for each entity listed above.  The type of OU entity is set via the enum attribute {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type} which is equal to 'PERM' or 'USER'.
+ * This class performs data validations.  The methods of this class are called by internal Fortress manager impl classes
+ * {@link DelAdminMgrImpl} and {@link DelReviewMgrImpl} but is also called by {@link org.apache.directory.fortress.core.rbac.PermP#validate} method and {@link org.apache.directory.fortress.core.rbac.UserP#validate} functions
+ * which ensure the entities are related to valid OU entries. This class is not intended to be called external
+ * to Fortress Core itself.  This class will accept Fortress entity {@link org.apache.directory.fortress.core.rbac.OrgUnit}, validate its contents and forward on to it's
+ * corresponding DAO class {@link OrgUnitDAO} for data access.
+ * <p>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
+ * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
+ *  or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link GlobalErrIds}.
+ * <p>
+ * This class uses synchronized data sets ({@link #ouCache} but is thread safe.
+ * <p/>
+
+ * @author Shawn McKinney
+ */
+public final class OrgUnitP
+{
+    // init the logger:
+    private static final String CLS_NM = OrgUnitP.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+
+    // these fields are used to synchronize access to the above static pools:
+    private static final Object userPoolSynchLock = new Object();
+    private static final Object permPoolSynchLock = new Object();
+    private static Cache ouCache;
+
+    // DAO class for OU data sets must be initializer before the other statics:
+    private static final OrgUnitDAO oDao = DaoFactory.createOrgUnitDAO();
+    private static final String USER_OUS = "user.ous";
+    private static final String PERM_OUS = "perm.ous";
+    private static final String FORTRESS_OUS = "fortress.ous";
+
+    static
+    {
+        CacheMgr cacheMgr = CacheMgr.getInstance();
+        OrgUnitP.ouCache = cacheMgr.getCache( FORTRESS_OUS );
+    }
+
+
+    /**
+     * Package private constructor.
+     */
+    OrgUnitP()
+    {
+    }
+
+
+    /**
+     * This function uses a case insensitive search.
+     * @param entity
+     * @return
+     */
+    final boolean isValid( OrgUnit entity )
+    {
+        boolean result = false;
+        if ( entity.type == OrgUnit.Type.USER )
+        {
+            Set<String> userPool = getOrgSet( entity );
+            if ( userPool != null && entity.getType() == OrgUnit.Type.USER )
+            {
+                result = userPool.contains( entity.getName() );
+            }
+        }
+        else
+        {
+            Set<String> permPool = getOrgSet( entity );
+            if ( permPool != null )
+            {
+                result = permPool.contains( entity.getName() );
+            }
+        }
+        return result;
+    }
+
+
+    /**
+     * @param orgUnit
+     * @return
+     */
+    private static Set<String> loadOrgSet( OrgUnit orgUnit )
+    {
+        Set<String> ouSet = null;
+        try
+        {
+            ouSet = oDao.getOrgs( orgUnit );
+        }
+        catch ( SecurityException se )
+        {
+            String warning = "loadOrgSet static initializer caught SecurityException=" + se;
+            LOG.info( warning, se );
+        }
+        if ( orgUnit.getType() == OrgUnit.Type.USER )
+        {
+            // TODO:  add context id to this cache
+            ouCache.put( getKey( USER_OUS, orgUnit.getContextId() ), ouSet );
+        }
+        else
+        {
+            ouCache.put( getKey( PERM_OUS, orgUnit.getContextId() ), ouSet );
+        }
+
+        return ouSet;
+    }
+
+
+    /**
+     *
+     * @param orgUnit will either be a User or Perm OU.
+     * @return Set containing the OU mapping to a particular type and tenant.
+     */
+    private static Set<String> getOrgSet( OrgUnit orgUnit )
+    {
+        Set<String> orgSet;
+        if ( orgUnit.getType() == OrgUnit.Type.USER )
+        {
+            orgSet = ( Set<String> ) ouCache.get( getKey( USER_OUS, orgUnit.getContextId() ) );
+        }
+        else
+        {
+            orgSet = ( Set<String> ) ouCache.get( getKey( PERM_OUS, orgUnit.getContextId() ) );
+        }
+
+        if ( orgSet == null )
+        {
+            orgSet = loadOrgSet( orgUnit );
+        }
+        return orgSet;
+    }
+
+
+    /**
+     * Return a fully populated OrgUnit entity for a given Perm or User orgUnitId.  If matching record not found a
+     * SecurityException will be thrown.
+     *
+     * @param entity contains full orgUnit name used for User or Perm OU data sets in directory.
+     * @return OrgUnit entity containing all attributes associated with ou in directory.
+     * @throws SecurityException in the event OrgUnit not found or DAO search error.
+     */
+    final OrgUnit read( OrgUnit entity ) throws SecurityException
+    {
+        validate( entity, false );
+        return oDao.findByKey( entity );
+    }
+
+
+    /**
+     * Will search either User or Perm OrgUnit data sets depending on which type is passed.
+     * The search string that contains full or partial OrgUnit name associated with OU node in directory.
+     *
+     * @param orgUnit contains full or partial OU name.
+     * @return List of type OrgUnit containing fully populated matching OU entities.  If no records found this will be empty.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<OrgUnit> search( OrgUnit orgUnit ) throws SecurityException
+    {
+        // Call the finder.
+        return oDao.findOrgs( orgUnit );
+    }
+
+
+    /**
+     * Adds a new OrgUnit to directory. The OrgUnit type enum will determine which data set insertion will
+     * occur - User or Perm.  The OrgUnit entity input will be validated to ensure that:
+     * orgUnit name is present and type is specified, and reasonability checks on all of the other populated values.
+     *
+     * @param entity OrgUnit contains data targeted for insertion.
+     * @return OrgUnit entity copy of input + additional attributes (internalId) that were added by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final OrgUnit add( OrgUnit entity ) throws SecurityException
+    {
+        validate( entity, false );
+        OrgUnit oe = oDao.create( entity );
+        if ( entity.getType() == OrgUnit.Type.USER )
+        {
+            Set<String> userPool = getOrgSet( entity );
+            synchronized ( userPoolSynchLock )
+            {
+                if ( userPool != null )
+                    userPool.add( entity.getName() );
+            }
+        }
+        else
+        {
+            Set<String> permPool = getOrgSet( entity );
+            synchronized ( permPoolSynchLock )
+            {
+                if ( permPool != null )
+                    permPool.add( entity.getName() );
+            }
+        }
+        return oe;
+    }
+
+
+    /**
+     * Updates existing OrgUnit in directory. The OrgUnit type enum will determine which data set insertion will
+     * occur - User or Perm.  The OrgUnit entity input will be validated to ensure that:
+     * orgUnit name is present, and reasonability checks on all of the other populated values.
+     * Null or empty attributes are ignored.
+     *
+     * @param entity OrgUnit contains data targeted for updating.  Null attributes ignored.
+     * @return OrgUnit entity copy of input + additional attributes (internalId) that were updated by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final OrgUnit update( OrgUnit entity ) throws SecurityException
+    {
+        validate( entity, false );
+        return oDao.update( entity );
+    }
+
+
+    /**
+     * Remove the parent attribute from the OrgUnit entry in directory. The OrgUnit type enum will determine which data set insertion will
+     * occur - User or Perm.  The OrgUnit entity input will be validated to ensure that:
+     * orgUnit name is present.
+     *
+     * @param entity OrgUnit contains data targeted for updating.  Null attributes ignored.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final void deleteParent( OrgUnit entity ) throws SecurityException
+    {
+        validate( entity, false );
+        oDao.deleteParent( entity );
+    }
+
+
+    /**
+     * This method performs a "hard" delete.  It completely the OrgUnit node from the ldap directory.
+     * The OrgUnit type enum will determine where deletion will occur - User or Perm OU data sets.
+     * OrgUnit entity must exist in directory prior to making this call else exception will be thrown.
+     *
+     * @param entity Contains the name of the OrgUnit node targeted for deletion.
+     * @return OrgUnit entity copy of input.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final OrgUnit delete( OrgUnit entity ) throws SecurityException
+    {
+        oDao.remove( entity );
+        if ( entity.getType() == OrgUnit.Type.USER )
+        {
+            Set<String> userPool = getOrgSet( entity );
+            synchronized ( userPoolSynchLock )
+            {
+                if ( userPool != null )
+                    userPool.remove( entity.getName() );
+            }
+        }
+        else
+        {
+            Set<String> permPool = getOrgSet( entity );
+            synchronized ( permPoolSynchLock )
+            {
+                if ( permPool != null )
+                    permPool.remove( entity.getName() );
+            }
+        }
+        return entity;
+    }
+
+
+    /**
+     * Return all OrgUnits that have a parent assignment.  This used for hierarchical processing.
+     *
+     * @param orgUnit will either be a User or Perm OU.
+     * @return List of type OrgUnit containing {@link OrgUnit#name} and {@link OrgUnit#parents} populated.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Graphable> getAllDescendants( OrgUnit orgUnit ) throws SecurityException
+    {
+        return oDao.getAllDescendants( orgUnit );
+    }
+
+
+    /**
+     * Method will perform simple validations to ensure the integrity of the OrgUnit entity targeted for insertion
+     * or updating in directory.  This method will ensure the name and type enum are specified.  It will also perform
+     * reasonability check on description if set.
+     *
+     * @param entity   contains the enum type to validate
+     * @param isUpdate not used at this time.
+     * @throws SecurityException thrown in the event the attribute is null.
+     */
+    private void validate( OrgUnit entity, boolean isUpdate )
+        throws SecurityException
+    {
+        VUtil.safeText( entity.getName(), GlobalIds.OU_LEN );
+        if ( VUtil.isNotNullOrEmpty( entity.getDescription() ) )
+        {
+            VUtil.description( entity.getDescription() );
+        }
+        if ( entity.getType() == null )
+        {
+            String error = "validate null or empty org unit type";
+            int errCode;
+            if ( entity.getType() == OrgUnit.Type.PERM )
+            {
+                errCode = GlobalErrIds.ORG_TYPE_NULL_PERM;
+            }
+            else
+            {
+                errCode = GlobalErrIds.ORG_TYPE_NULL_USER;
+            }
+            throw new SecurityException( errCode, error );
+        }
+    }
+
+
+    /**
+     * Build a key that is composed of the OU type ({@link #USER_OUS} or {@link #PERM_OUS}) and the contextId which is the id of tenant.
+     *
+     * @param type either {@link #USER_OUS} or {@link #PERM_OUS}.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return
+     */
+    private static String getKey( String type, String contextId )
+    {
+        String key = type;
+        if ( VUtil.isNotNullOrEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL ) )
+        {
+            key += ":" + contextId;
+
+        }
+        return key;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitRelationship.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitRelationship.java b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitRelationship.java
new file mode 100755
index 0000000..3756c93
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/OrgUnitRelationship.java
@@ -0,0 +1,65 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * This entity is used by en masse to communicate parent and child {@link org.apache.directory.fortress.core.rbac.OrgUnit} information to the server.
+ * <p/>
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortOrgUnitRelationship")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "orgrelationship", propOrder = {
+    "child",
+    "parent"
+})
+public class OrgUnitRelationship extends FortEntity
+    implements java.io.Serializable
+{
+    private OrgUnit parent;
+    private OrgUnit child;
+
+    public OrgUnit getParent()
+    {
+        return parent;
+    }
+
+    public void setParent(OrgUnit parent)
+    {
+        this.parent = parent;
+    }
+
+    public OrgUnit getChild()
+    {
+        return child;
+    }
+
+    public void setChild(OrgUnit child)
+    {
+        this.child = child;
+    }
+}
+

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PermGrant.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermGrant.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermGrant.java
new file mode 100755
index 0000000..42bf322
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermGrant.java
@@ -0,0 +1,169 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * This entity is used by {@link org.apache.directory.fortress.core.ant.FortressAntTask} to add {@link Permission} grants to
+ * RBAC {@link org.apache.directory.fortress.core.rbac.Role}, or ARBAC {@link org.apache.directory.fortress.core.rbac.AdminRole}.
+ * Can also be used to grant Permissions directly to {@link org.apache.directory.fortress.core.rbac.User}s.
+ * This entity is used for Ant and En Masse processing only.
+ * <p/>
+
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortGrant")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "permGrant", propOrder = {
+    "objName",
+    "opName",
+    "objId",
+    "userId",
+    "roleNm",
+    "admin"
+})
+public class PermGrant extends FortEntity
+    implements java.io.Serializable
+{
+    private String objName;
+    private String opName;
+    private String objId;
+    private String userId;
+    private String roleNm;
+    private boolean admin;
+
+    /**
+     * Return the permission object name.
+     * @return maps to 'ftObjNm' attribute on 'ftOperation' object class.
+     */
+    public String getObjName()
+    {
+        return objName;
+    }
+
+    /**
+     * Set the permission object name.
+     * @param objName maps to 'ftObjNm' attribute on 'ftOperation' object class.
+     */
+    public void setObjName(String objName)
+    {
+        this.objName = objName;
+    }
+
+    /**
+     * Return the permission object id.
+     * @return maps to 'ftObjId' attribute on 'ftOperation' object class.
+     */
+    public String getObjId()
+    {
+        return objId;
+    }
+
+    /**
+     * Set the permission object id.
+     * @param objId maps to 'ftObjId' attribute on 'ftOperation' object class.
+     */
+    public void setObjId(String objId)
+    {
+        this.objId = objId;
+    }
+
+    /**
+     * Return the permission operation name.
+     * @return maps to 'ftOpNm' attribute on 'ftOperation' object class.
+     */
+    public String getOpName()
+    {
+        return opName;
+    }
+
+    /**
+     * Set the permission operation name.
+     * @param opName maps to 'ftOpNm' attribute on 'ftOperation' object class.
+     */
+    public void setOpName(String opName)
+    {
+        this.opName = opName;
+    }
+
+    /**
+     * Get the userId attribute from this entity.
+     *
+     * @return maps to 'ftUsers' attribute on 'ftOperation' object class.
+     */
+    public String getUserId()
+    {
+        return userId;
+    }
+
+    /**
+     * Set the userId attribute on this entity.
+     *
+     * @param userId maps to 'ftUsers' attribute on 'ftOperation' object class.
+     */
+    public void setUserId(String userId)
+    {
+        this.userId = userId;
+    }
+
+    /**
+     * Get the role name associated from this entity.
+     *
+     * @return maps to 'ftRoles' attribute on 'ftOperation' object class.
+     */
+    public String getRoleNm()
+    {
+        return roleNm;
+    }
+
+    /**
+     * Set the role name associated with this entity.
+     *
+     * @param roleNm maps to 'ftRoles' attribute on 'ftOperation' object class.
+     */
+    public void setRoleNm(String roleNm)
+    {
+        this.roleNm = roleNm;
+    }
+
+
+    /**
+     * If set to true entity will be stored in ldap subdirectory associated with administrative permissions {@link org.apache.directory.fortress.core.GlobalIds#ADMIN_PERM_ROOT}.
+     * otherwise will be RBAC permissions {@link org.apache.directory.fortress.core.GlobalIds#PERM_ROOT}
+     * @return boolean if administrative entity.
+     */
+    public boolean isAdmin()
+    {
+        return admin;
+    }
+
+    /**
+     * Return boolean value that will be set to true if this entity will be stored in Administrative Permissions.
+     * @param admin will be true if administrative entity.
+     */
+    public void setAdmin(boolean admin)
+    {
+        this.admin = admin;
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
new file mode 100755
index 0000000..17e9fb8
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermObj.java
@@ -0,0 +1,554 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Properties;
+import java.util.UUID;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlTransient;
+import javax.xml.bind.annotation.XmlType;
+
+import org.apache.directory.fortress.core.rbac.dao.RoleDAO;
+import org.apache.directory.fortress.core.rbac.dao.UserDAO;
+
+
+/**
+ * All entities ({@link org.apache.directory.fortress.core.rbac.User}, {@link org.apache.directory.fortress.core.rbac.Role}, {@link Permission},
+ * {@link PwPolicy} {@link org.apache.directory.fortress.core.rbac.SDSet} etc...) are used to carry data between three Fortress
+ * layers.starting with the (1) Manager layer down thru middle (2) Process layer and it's processing rules into
+ * (3) DAO layer where persistence with the OpenLDAP server occurs.
+ * <h4>Fortress Processing Layers</h4>
+ * <ol>
+ * <li>Manager layer:  {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...</li>
+ * <li>Process layer:  {@link org.apache.directory.fortress.core.rbac.UserP}, {@link org.apache.directory.fortress.core.rbac.RoleP}, {@link org.apache.directory.fortress.core.rbac.PermP},...</li>
+ * <li>DAO layer: {@link UserDAO}, {@link RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...</li>
+ * </ol>
+ * Fortress clients first instantiate and populate a data entity before invoking any of the Manager APIs.  The caller must
+ * provide enough information to uniquely identity the entity target within ldap.<br />
+ * For example, this entity requires {@link #objName} and {@link #ou} attributes set before passing into {@link AdminMgrImpl} or  {@link ReviewMgrImpl} APIs.
+ * Create methods usually require more attributes (than Read) due to constraints enforced between entities.
+ * <p/>
+ * <h4>PermObj entity attribute usages include</h4>
+ * <ul>
+ * <li>{@link #setObjName} and {@link #setOu} attributes set before calling {@link AdminMgrImpl#addPermObj(PermObj)}.
+ * <li>{@link #addProperty} may be set before calling {@link AdminMgrImpl#addPermObj(PermObj)}.
+ * <li>{@link #getProperty} may be set after calling {@link ReviewMgrImpl#findPermObjs(PermObj)}.
+ * </ul>
+ * <p/>
+ * <h4>More Permission entity notes</h4>
+ * <ul>
+ * <li>The {@link PermObj} entity is not used for authorization checks, rather contains {@link Permission} which are themselves authorization targets.<br />
+ * <li>This entity must be associated with a valid Perm OU {@link org.apache.directory.fortress.core.rbac.OrgUnit.Type#PERM} that is contained within the {@code ou=OS-P,ou=ARBAC,dc=example,dc=com} location in ldap.
+ * <li>The object to operation pairings enable application resources to be mapped to Fortress permissions in a way that is natural for object oriented programming.
+ * <li>Permissions = Object {@link PermObj} 1<->* Operations {@link Permission}
+ * <p/>
+ * <img src="../doc-files/RbacCore.png">
+ * <li>The unique key to locate an Fortress PermObj entity is {@code PermObj#objName}.
+ * <li>For sample code usages check out {@link Permission} javadoc.
+ * </ul>
+ * <p/>
+ * <h4>PermObj Schema</h4>
+ * The Fortress PermObj Entity Class is a composite of 3 different LDAP Schema object classes:
+ * <p/>
+ * 1. ftObject STRUCTURAL Object Class is used to store object name, id and type variables on target entity.
+ * <pre>
+ * Fortress Permission Structural Object Class
+ * objectclass	( 1.3.6.1.4.1.38088.2.2
+ *  NAME 'ftObject'
+ *  DESC 'Fortress Permission Object Class'
+ *  SUP organizationalunit
+ *  STRUCTURAL
+ *  MUST (
+ *      ftId $
+ *      ftObjNm
+ *  )
+ *  MAY (
+ *      ftType
+ *  )
+ * )
+ * 2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity.
+ * This aux object class can be used to store custom attributes<br />
+ * The properties collections consist of name/value pairs and are not constrainted by Fortress.<br />
+ * <pre>
+ * ------------------------------------------
+ * AC2: Fortress Properties Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.2
+ *  NAME 'ftProperties'
+ *  DESC 'Fortress Properties AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftProps
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * 3. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity.
+ * <pre>
+ * ------------------------------------------
+ * Fortress Audit Modification Auxiliary Object Class
+ * objectclass ( 1.3.6.1.4.1.38088.3.4
+ *  NAME 'ftMods'
+ *  DESC 'Fortress Modifiers AUX Object Class'
+ *  AUXILIARY
+ *  MAY (
+ *      ftModifier $
+ *      ftModCode $
+ *      ftModId
+ *  )
+ * )
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortObject")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "permObj", propOrder =
+    {
+        "objName",
+        "description",
+        "internalId",
+        "ou",
+        "type",
+        "props",
+        "admin"
+})
+public class PermObj extends FortEntity
+    implements java.io.Serializable
+{
+    private boolean admin;
+    private String internalId;
+    private String objName;
+    private String description;
+    @XmlElement(nillable = true)
+    private Props props = new Props();
+    //private Properties props;
+    private String ou;
+    private String type;
+    @XmlTransient
+    private String dn;
+
+
+    /**
+     * Default Constructor used internal to Fortress.
+     */
+    public PermObj()
+    {
+
+    }
+
+
+    /**
+     * Construct an Fortress PermObj entity given an object name.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftObject' object class.
+     */
+    public PermObj( String objName )
+    {
+        this.objName = objName;
+    }
+
+
+    /**
+     * Construct an Fortress PermObj entity given an object and perm ou name.
+     *
+     * @param objName maps to 'ftObjNm' attribute in 'ftObject' object class.
+     * @param ou maps to 'ou' attribute in 'ftObject' object class.
+     */
+    public PermObj( String objName, String ou )
+    {
+        this.objName = objName;
+        this.ou = ou;
+    }
+
+
+    /**
+     * Get the authorization target's object name.  This is typically mapped to the class name for component
+     * that is the target for Fortress authorization check. For example 'PatientRelationshipInquire'.
+     *
+     * @return the name of the object which maps to 'ftObjNm' attribute in 'ftObject' object class.
+     */
+    public String getObjName()
+    {
+        return objName;
+    }
+
+
+    /**
+     * This attribute is required and sets the authorization target object name.  This name is typically derived from the class name
+     * for component that is the target for Fortress authorization check. For example 'CustomerCheckOutPage'.
+     *
+     */
+    public void setObjName( String objName )
+    {
+        this.objName = objName;
+    }
+
+
+    /**
+     * This attribute is required but is set automatically by Fortress DAO class before object is persisted to ldap.
+     * This generated internal id is associated with PermObj.  This method is used by DAO class and
+     * is not available to outside classes.   The generated attribute maps to 'ftId' in 'ftObject' object class.
+     */
+    public void setInternalId()
+    {
+        // generate a unique id that will be used as the rDn for this entry:
+        UUID uuid = UUID.randomUUID();
+        this.internalId = uuid.toString();
+
+        //UID iid = new UID();
+        // assign the unique id to the internal id of the entity:
+        //this.internalId = iid.toString();
+    }
+
+
+    /**
+     * Set the internal id that is associated with PermObj.  This method is used by DAO class and
+     * is generated automatically by Fortress.  Attribute stored in LDAP cannot be changed by external caller.
+     * This method can be used by client for search purposes only.
+     *
+     * @param internalId maps to 'ftId' in 'ftObject' object class.
+     */
+    public void setInternalId( String internalId )
+    {
+        this.internalId = internalId;
+    }
+
+
+    /**
+     * Return the internal id that is associated with PermObj.  This attribute is generated automatically
+     * by Fortress when new PermObj is added to directory and is not known or changeable by external client.
+     *
+     * @return attribute maps to 'ftId' in 'ftObject' object class.
+     */
+    public String getInternalId()
+    {
+        return internalId;
+    }
+
+
+    /**
+     * If set to true, this entity will be loaded into the Admin Permission data set.
+     *
+     * @return boolean indicating if entity is an RBAC (false) or Admin (true) Permission Object.
+     */
+    public boolean isAdmin()
+    {
+        return admin;
+    }
+
+
+    /**
+     * If set to true, this entity will be loaded into the Admin Permission data set.
+     *
+     * @param admin boolean variable indicates if entity is an RBAC or ARBAC Permission Object.
+     */
+
+    public void setAdmin( boolean admin )
+    {
+        this.admin = admin;
+    }
+
+
+    /**
+     * Sets the optional description that is associated with PermObj.  This attribute is validated but not constrained by Fortress.
+     *
+     * @param description that is mapped to same name in 'organizationalUnit' object class.
+     */
+    public void setDescription( String description )
+    {
+        this.description = description;
+    }
+
+
+    /**
+     * Returns optional description that is associated with PermObj.  This attribute is validated but not constrained by Fortress.
+     *
+     * @return value that is mapped to 'description' in 'organizationalUnit' object class.
+     */
+    public String getDescription()
+    {
+        return description;
+    }
+
+
+    /**
+      * Gets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+      *
+      * @return
+      *     possible object is
+      *     {@link Props }
+      *
+      */
+    public Props getProps()
+    {
+        return props;
+    }
+
+
+    /**
+     * Sets the value of the Props property.  This method is used by Fortress and En Masse and should not be called by external programs.
+     *
+     * @param value
+     *     allowed object is
+     *     {@link Props }
+     *
+     */
+    public void setProps( Props value )
+    {
+        this.props = value;
+    }
+
+
+    /**
+     * Add name/value pair to list of properties associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key   contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @param value
+     */
+    public void addProperty( String key, String value )
+    {
+        Props.Entry entry = new Props.Entry();
+        entry.setKey( key );
+        entry.setValue( value );
+        this.props.getEntry().add( entry );
+    }
+
+
+    /**
+     * Get a name/value pair attribute from list of properties associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param key contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     * @return value containing name/value pair that maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public String getProperty( String key )
+    {
+        List<Props.Entry> props = this.props.getEntry();
+        Props.Entry keyObj = new Props.Entry();
+        keyObj.setKey( key );
+
+        String value = null;
+        int indx = props.indexOf( keyObj );
+        if ( indx != -1 )
+        {
+            Props.Entry entry = props.get( props.indexOf( keyObj ) );
+            value = entry.getValue();
+        }
+
+        return value;
+    }
+
+
+    /**
+     * Add new collection of name/value pairs to attributes associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param props contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public void addProperties( Properties props )
+    {
+        if ( props != null )
+        {
+            for ( Enumeration e = props.propertyNames(); e.hasMoreElements(); )
+            {
+                // This LDAP attr is stored as a name-value pair separated by a ':'.
+                String key = ( String ) e.nextElement();
+                String val = props.getProperty( key );
+                addProperty( key, val );
+            }
+        }
+    }
+
+
+    /**
+     * Return the collection of name/value pairs to attributes associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @return Properties contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    public Properties getProperties()
+    {
+        Properties properties = null;
+        List<Props.Entry> props = this.props.getEntry();
+        if ( props.size() > 0 )
+        {
+            properties = new Properties();
+            //int size = props.size();
+            for ( Props.Entry entry : props )
+            {
+                String key = entry.getKey();
+                String val = entry.getValue();
+                properties.setProperty( key, val );
+            }
+        }
+        return properties;
+    }
+
+
+    /**
+    * Add name/value pair to list of properties associated with PermObj.  These values are not constrained by Fortress.
+    * Properties are optional.
+    *
+    * @param key   contains property name and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+    * @param value
+    */
+    //public void addProperty(String key, String value)
+    //{
+    //    if (props == null)
+    //    {
+    //        props = new Properties();
+    //    }
+
+    //    this.props.setProperty(key, value);
+    //}
+
+    /**
+     * Add new collection of name/value pairs to attributes associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @param props contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    //public void addProperties(Properties props)
+    //{
+    //    this.props = props;
+    //}
+
+    /**
+     * Return the collection of name/value pairs to attributes associated with PermObj.  These values are not constrained by Fortress.
+     * Properties are optional.
+     *
+     * @return Properties contains collection of name/value pairs and maps to 'ftProps' attribute in 'ftProperties' aux object class.
+     */
+    //public Properties getProperties()
+    //{
+    //    return this.props;
+    //}
+
+    /**
+     * Set the orgUnit name associated with PermObj.  This attribute is validated and constrained by Fortress and must contain name of existing Perm OU.
+     * This attribute is required on add but not on read.
+     *
+     * @param ou mapped to same name in 'ftObject' object class.
+     */
+    public void setOu( String ou )
+    {
+        this.ou = ou;
+    }
+
+
+    /**
+     * Return orgUnit name for PermObj.  This attribute is validated and constrained by Fortress and must contain name of existing Perm OU.
+     * This attribute is required on add but not on read.
+     *
+     * @return value that is mapped to 'ou' in 'ftObject' object class.
+     */
+    public String getOu()
+    {
+        return ou;
+    }
+
+
+    /**
+     * Sets the type attribute of the Perm object.  Currently the type is not constrained to any
+     * preexisting Fortress data set meaning the type is user defined and can be used for grouping like permissions.
+     *
+     * @param type maps to attribute name 'ftType' in 'ftObject' object class.
+     */
+    public void setType( String type )
+    {
+        this.type = type;
+    }
+
+
+    /**
+     * Get the type attribute of the Perm object.  Currently the type is not constrained to any
+     * preexisting Fortress data set meaning the type is user defined and can be used for grouping like permissions.
+     *
+     * @return maps to attribute name 'ftType' in 'ftObject' object class.
+     */
+    public String getType()
+    {
+        return type;
+    }
+
+
+    /**
+     * Set distinguished name associated with PermObj.  This attribute is used by DAO and is not allowed for outside classes.
+     * This attribute should not be set by external callers.
+     *
+     * @param dn that is mapped to same name in 'organizationalUnit' object class.
+     */
+    public void setDn( String dn )
+    {
+        this.dn = dn;
+    }
+
+
+    /**
+     * Returns distinguished name associated with PermObj.  This attribute is generated by DAO and is not allowed for outside classes to modify.
+     * This attribute is for internal user only and need not be processed by external clients.
+     *
+     * @return value that is mapped to 'dn' in 'organizationalUnit' object class.
+     */
+    public String getDn()
+    {
+        return dn;
+    }
+
+
+    /**
+     * Matches the objName from two PermObj entities.
+     *
+     * @param thatObj contains a PermObj entity.
+     * @return boolean indicating both objects contain matching objNames.
+     */
+    public boolean equals( Object thatObj )
+    {
+        if ( this == thatObj )
+            return true;
+        if ( this.getObjName() == null )
+            return false;
+        if ( !( thatObj instanceof PermObj ) )
+            return false;
+        PermObj thatPermObj = ( PermObj ) thatObj;
+        if ( thatPermObj.getObjName() == null )
+            return false;
+        return thatPermObj.getObjName().equalsIgnoreCase( this.getObjName() );
+    }
+
+    @Override
+    public String toString()
+    {
+        return "Permission Object {" +
+            "name='" + objName + '\'' +
+            '}';
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
new file mode 100755
index 0000000..d38da50
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermP.java
@@ -0,0 +1,614 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ValidationException;
+import org.apache.directory.fortress.core.rbac.dao.DaoFactory;
+import org.apache.directory.fortress.core.rbac.dao.PermDAO;
+import org.apache.directory.fortress.core.util.attr.VUtil;
+
+
+/**
+ * Process module for the Permission entity.  This class performs data validations and error mapping.  It is typically called
+ * by internal Fortress manager classes ({@link AdminMgrImpl}, {@link AccessMgrImpl},
+ * {@link ReviewMgrImpl}, ...) and not intended for external non-Fortress clients.  This class will accept,
+ * {@link PermObj} or {@link Permission}, validate its contents and forward on to it's corresponding DAO class {@link org.apache.directory.fortress.core.rbac.dao.PermDAO}.
+ * <p>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
+ * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
+ *  or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link org.apache.directory.fortress.core.GlobalErrIds}.
+ * <p>
+ * This class is thread safe.
+ * </p>
+
+ *
+ * @author Shawn McKinney
+ */
+public final class PermP
+{
+    /**
+     * Description of the Field
+     */
+    private static final String CLS_NM = PermP.class.getName();
+    private static final PermDAO pDao = DaoFactory.createPermDAO();
+    private final OrgUnitP orgUnitP = new OrgUnitP();
+
+
+    /**
+     * Package private constructor
+     */
+    PermP()
+    {
+    }
+
+
+    /**
+     * This function returns a Boolean value meaning whether the subject of a given session is
+     * allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     *
+     * @param session    This object must be instantiated by calling {@link AccessMgrImpl#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param permission object contains obj attribute which is a String and contains the name of the object user is trying to access;
+     *                   perm object contains operation attribute which is also a String and contains the operation name for the object.
+     * @return True of user has access, false otherwise.
+     * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+     */
+    final boolean checkPermission( Session session, Permission permission ) throws SecurityException
+    {
+        return pDao.checkPermission( session, permission );
+    }
+
+
+    /**
+     * Takes a Permission entity that contains full or partial object name and/or full or partial operation name for search.
+     *
+     * @param permission contains all or partial object name and/or all or partial operation name.
+     * @return List of type Permission containing fully populated matching Permission entities.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Permission> search( Permission permission ) throws SecurityException
+    {
+        return pDao.findPermissions( permission );
+    }
+
+
+    /**
+     * Takes a Permission object entity that contains full or partial object name for search Permission Objects in directory..
+     *
+     * @param permObj contains all or partial object name.
+     * @return List of type Permission Objects containing fully populated matching entities.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<PermObj> search( PermObj permObj ) throws SecurityException
+    {
+        return pDao.findPermissions( permObj );
+    }
+
+
+    /**
+     * Takes an OrgUnit entity that contains full or partial orgUnitId for search Permission Objects in directory..
+     *
+     * @param ou contains all or OrgUnitId.
+     * @param limitSize contains max number of entries to return.
+     * @return List of type Permission Objects containing fully populated matching entities.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<PermObj> search( OrgUnit ou, boolean limitSize ) throws SecurityException
+    {
+        return pDao.findPermissions( ou, limitSize );
+    }
+
+
+    /**
+     * Search will return a list of matching permissions that are assigned to a given RBAC or Admin role name.  The
+     * DAO class will search the Admin perms if the "isAdmin" boolean flag is "true", otherwise it will search RBAC perm tree.
+     *
+     * @param role contains the RBAC or Admin Role name targeted for search.
+     * @return List of type Permission containing fully populated matching Permission entities.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Permission> search( Role role ) throws SecurityException
+    {
+        return pDao.findPermissions( role );
+    }
+
+
+    /**
+     * Search will return a list of matching permissions that are assigned to a given User.  This method searches
+     * the RBAC perms only.
+     *
+     * @param user contains the userId targeted for search.
+     * @return List of type Permission containing fully populated matching Permission entities.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final List<Permission> search( User user ) throws SecurityException
+    {
+        return pDao.findPermissions( user );
+    }
+
+
+    /**
+     * Remove the User assignment attribute from all RBAC permssions.  This method is called by AdminMgrImpl
+     * when the User is being deleted.
+     *
+     * @param user contains the userId targeted for attribute removal.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final void remove( User user ) throws SecurityException
+    {
+        List<Permission> list;
+        try
+        {
+            list = pDao.findUserPermissions( user );
+            for ( Permission perm : list )
+            {
+                revoke( perm, user );
+            }
+        }
+        catch ( FinderException fe )
+        {
+            String error = "remove userId [" + user.getUserId() + "] caught FinderException=" + fe;
+            throw new SecurityException( GlobalErrIds.PERM_BULK_USER_REVOKE_FAILED, error, fe );
+        }
+    }
+
+
+    /**
+     * Remove the RBAC Role assignment attribute from all RBAC permssions.  This method is called by AdminMgrImpl
+     * when the RBAC Role is being deleted.
+     *
+     * @param role contains the name of Role targeted for attribute removal.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final void remove( Role role ) throws SecurityException
+    {
+        List<Permission> list;
+        try
+        {
+            list = pDao.findPermissions( role );
+            for ( Permission perm : list )
+            {
+                revoke( perm, role );
+            }
+        }
+        catch ( FinderException fe )
+        {
+            String error = "remove role [" + role.getName() + "] caught FinderException=" + fe;
+            throw new SecurityException( GlobalErrIds.PERM_BULK_ROLE_REVOKE_FAILED, error, fe );
+        }
+    }
+
+
+    /**
+     * Remove the Admin Role assignment attribute from all Admin permssions.  This method is called by DelAdminMgrImpl
+     * when the AdminRole is being deleted.
+     *
+     * @param role contains the name of AdminRole targeted for attribute removal.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    final void remove( AdminRole role ) throws SecurityException
+    {
+        List<Permission> list;
+        try
+        {
+            list = pDao.findPermissions( role );
+            for ( Permission perm : list )
+            {
+                perm.setAdmin( true );
+                revoke( perm, role );
+            }
+        }
+        catch ( FinderException fe )
+        {
+            String error = "remove admin role [" + role.getName() + "] caught FinderException=" + fe;
+            throw new SecurityException( GlobalErrIds.PERM_BULK_ADMINROLE_REVOKE_FAILED, error, fe );
+        }
+    }
+
+
+    /**
+     * This function returns the permissions of the session, i.e., the permissions assigned
+     * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgrImpl#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @return List<Permission> containing permissions (op, obj) active for user's session.
+     * @throws SecurityException is thrown if runtime error occurs with system.
+     */
+    final List<Permission> search( Session session ) throws SecurityException
+    {
+        return search(session, false);
+    }
+
+
+    /**
+     * This function returns the permissions of the session, i.e., the permissions assigned
+     * to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
+     *
+     * @param session This object must be instantiated by calling {@link AccessMgrImpl#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @return List<Permission> containing permissions (op, obj) active for user's session.
+     * @throws org.apache.directory.fortress.core.SecurityException is thrown if runtime error occurs with system.
+     */
+    final List<Permission> search(Session session, boolean isAdmin)
+        throws SecurityException
+    {
+        return pDao.findPermissions(session, isAdmin);
+    }
+
+
+    /**
+     * Return the matching Permission entity.  This method will throw SecurityException if not found.
+     *
+     * @param permission contains the full permission object and operation name.
+     * @return Permission containing fully populated matching object.
+     * @throws SecurityException is thrown if permission not found or runtime error occurs with system.
+     */
+    final Permission read( Permission permission ) throws SecurityException
+    {
+        return pDao.getPerm( permission );
+    }
+
+
+    /**
+     * Return the matching Permission object entity.  This method will throw SecurityException if not found.
+     *
+     * @param permObj contains the full permission object name.
+     * @return PermObj containing fully populated matching object.
+     * @throws SecurityException is thrown if perm object not found or runtime error occurs with system.
+     */
+    final PermObj read( PermObj permObj ) throws SecurityException
+    {
+        return pDao.getPerm( permObj );
+    }
+
+
+    /**
+     * Adds a new Permission Object entity to directory.  The Permission Object entity input will be validated to ensure that:
+     * object name is present, orgUnitId is valid, reasonability checks on all of the
+     * other populated values.
+     *
+     * @param entity Permission object entity contains data targeted for insertion.
+     * @return Permission entity copy of input + additional attributes (internalId) that were added by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final PermObj add( PermObj entity ) throws SecurityException
+    {
+        validate( entity, false );
+        return pDao.createObject( entity );
+    }
+
+
+    /**
+     * Adds a new Permission operation entity to directory.  The Permission operation entity input will be validated to ensure that:
+     * operation name is present, roles (optional) are valid, reasonability checks on all of the
+     * other populated values.
+     *
+     * @param entity Permission operation entity contains data targeted for insertion.
+     * @return Permission operation entity copy of input + additional attributes (internalId) that were added by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Permission add( Permission entity ) throws SecurityException
+    {
+        validate( entity, false );
+        return pDao.createOperation( entity );
+    }
+
+
+    /**
+     * Update existing Permission Object attributes with the input entity.  Null or empty attributes will be ignored.
+     * The Permission Object entity input will be validated to ensure that:
+     * object name is present, orgUnitId is valid, reasonability checks on all of the other populated values.
+     *
+     * @param entity Permission object entity contains data targeted for updating.
+     * @return Permission entity copy of input + additional attributes (internalId) that were updated by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final PermObj update( PermObj entity ) throws SecurityException
+    {
+        update( entity, true );
+        return entity;
+    }
+
+
+    /**
+     * Update existing Permission Object attributes with the input entity.  Null or empty attributes will be ignored.
+     * The Permission Object entity input will be validated to ensure that:
+     * object name is present, orgUnitId is valid, reasonability checks on all of the other populated values.
+     *
+     * @param entity   Permission object entity contains data targeted for updating.
+     * @param validate if false will skip the validations described above.
+     * @return Permission entity copy of input + additional attributes (internalId) that were updated by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    private PermObj update( PermObj entity, boolean validate )
+        throws SecurityException
+    {
+        if ( validate )
+        {
+            validate( entity, true );
+        }
+        return pDao.updateObj( entity );
+    }
+
+
+    /**
+     * Update existing Permission Operation Object attributes with the input entity.  Null or empty attributes will be ignored.
+     * The Permission Operation Object entity input will be validated to ensure that:
+     * object name is present, orgUnitId is valid, reasonability checks on all of the other populated values.
+     *
+     * @param entity Permission operation object entity contains data targeted for updating.
+     * @return Permission entity copy of input + additional attributes (internalId) that were updated by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final Permission update( Permission entity ) throws SecurityException
+    {
+        update( entity, true );
+        return entity;
+    }
+
+
+    /**
+     * Update existing Permission Operation Object attributes with the input entity.  Null or empty attributes will be ignored.
+     * The Permission Operation Object entity input will be validated to ensure that:
+     * object name is present, orgUnitId is valid, reasonability checks on all of the other populated values.
+     *
+     * @param entity   Permission operation object entity contains data targeted for updating.
+     * @param validate if false will skip the validations described above.
+     * @return Permission entity copy of input + additional attributes (internalId) that were updated by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    private Permission update( Permission entity, boolean validate )
+        throws SecurityException
+    {
+        if ( validate )
+        {
+            validate( entity, true );
+        }
+        return pDao.updateOperation( entity );
+    }
+
+
+    /**
+     * This method performs a "hard" delete.  It completely removes all data associated with this Permission Object from the directory
+     * including the Permission operations..
+     * Permission Object entity must exist in directory prior to making this call else exception will be thrown.
+     *
+     * @param entity Contains the Permission Object name targeted for deletion.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final void delete( PermObj entity ) throws SecurityException
+    {
+        pDao.deleteObj( entity );
+    }
+
+
+    /**
+     * This method performs a "hard" delete.  It completely removes all data associated with this Permission Operation from the directory
+     * Permission Operation entity must exist in directory prior to making this call else exception will be thrown.
+     *
+     * @param entity Contains the Permission Operation name targeted for deletion.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    final void delete( Permission entity ) throws SecurityException
+    {
+        pDao.deleteOperation( entity );
+    }
+
+
+    /**
+     * This command grants a role the permission to perform an operation on an object to a role.
+     * The command is implemented by granting permission by setting the access control list of
+     * the object involved.
+     * The command is valid if and only if the pair (operation, object) represents a permission,
+     * and the role is a member of the ROLES data set.
+     *
+     * @param pOp  contains object and operation name for resource.
+     * @param role contains the role name
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    final void grant( Permission pOp, Role role ) throws SecurityException
+    {
+        // Now assign it to the perm op:
+        pDao.grant( pOp, role );
+    }
+
+
+    /**
+     * This command revokes the permission to perform an operation on an object from the set
+     * of permissions assigned to a role. The command is implemented by setting the access control
+     * list of the object involved.
+     * The command is valid if and only if the pair (operation, object) represents a permission,
+     * the role is a member of the ROLES data set, and the permission is assigned to that role.
+     *
+     * @param pOp  contains object and operation name for resource.
+     * @param role contains role name
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    final void revoke( Permission pOp, Role role ) throws SecurityException
+    {
+        pDao.revoke( pOp, role );
+    }
+
+
+    /**
+     * Method grants a permission directly to a User entity.
+     *
+     * @param pOp  contains object and operation name for resource.
+     * @param user contains userid of User entity.
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    final void grant( Permission pOp, User user ) throws SecurityException
+    {
+        // call dao to grant userId access to the perm op:
+        pDao.grant( pOp, user );
+    }
+
+
+    /**
+     * Method revokes a permission directly from a User entity.
+     *
+     * @param pOp  contains object and operation name for resource.
+     * @param user contains userid of User entity.
+     * @throws SecurityException Thrown in the event of data validation or system error.
+     */
+    final void revoke( Permission pOp, User user ) throws SecurityException
+    {
+        pDao.revoke( pOp, user );
+    }
+
+
+    /**
+     * Method will perform various validations to ensure the integrity of the Permission Object entity targeted for insertion
+     * or updating in directory.  Data reasonability checks will be performed on all non-null attributes.
+     *
+     * @param pObj     Permission Object entity contains data targeted for insertion or update.
+     * @param isUpdate if true update operation is being performed which specifies a different set of targeted attributes.
+     * @throws org.apache.directory.fortress.core.ValidationException in the event of data validation error.
+     */
+    final void validate( PermObj pObj, boolean isUpdate ) throws ValidationException
+    {
+        if ( !isUpdate )
+        {
+            // Validate length
+            VUtil.orgUnit( pObj.getOu() );
+            // ensure ou exists in the OS-P pool:
+            OrgUnit ou = new OrgUnit( pObj.getOu(), OrgUnit.Type.PERM );
+            ou.setContextId( pObj.getContextId() );
+            if ( !orgUnitP.isValid( ou ) )
+            {
+                String error = "validate detected invalid orgUnit name [" + pObj.getOu() + "] for object name ["
+                    + pObj.getObjName() + "]";
+                //log.warn(error);
+                throw new ValidationException( GlobalErrIds.PERM_OU_INVALID, error );
+            }
+            if ( VUtil.isNotNullOrEmpty( pObj.getObjName() ) )
+            {
+                VUtil.description( pObj.getObjName() );
+            }
+            if ( VUtil.isNotNullOrEmpty( pObj.getOu() ) )
+            {
+                VUtil.orgUnit( pObj.getOu() );
+            }
+            if ( VUtil.isNotNullOrEmpty( pObj.getDescription() ) )
+            {
+                VUtil.description( pObj.getDescription() );
+            }
+        }
+        else
+        {
+            if ( VUtil.isNotNullOrEmpty( pObj.getOu() ) )
+            {
+                VUtil.orgUnit( pObj.getOu() );
+                // ensure ou exists in the OS-P pool:
+                OrgUnit ou = new OrgUnit( pObj.getOu(), OrgUnit.Type.PERM );
+                ou.setContextId( pObj.getContextId() );
+                if ( !orgUnitP.isValid( ou ) )
+                {
+                    String error = "validate detected invalid orgUnit name [" + pObj.getOu() + "] for object name ["
+                        + pObj.getObjName() + "]";
+                    throw new ValidationException( GlobalErrIds.PERM_OU_INVALID, error );
+                }
+            }
+            if ( VUtil.isNotNullOrEmpty( pObj.getDescription() ) )
+            {
+                VUtil.description( pObj.getDescription() );
+            }
+        }
+    }
+
+
+    /**
+     * Method will perform various validations to ensure the integrity of the Permission Operation entity targeted for insertion
+     * or updating in directory.  Data reasonability checks will be performed on all non-null attributes.
+     *
+     * @param pOp      Permission Operation entity contains data targeted for insertion or update.
+     * @param isUpdate if true update operation is being performed which specifies a different set of targeted attributes.
+     * @throws SecurityException in the event of data validation error or DAO error.
+     */
+    private void validate( Permission pOp, boolean isUpdate )
+        throws SecurityException
+    {
+        if ( !isUpdate )
+        {
+            //operation
+            if ( pOp.getOpName() != null && pOp.getOpName().length() > 0 )
+            {
+                VUtil.description( pOp.getOpName() );
+            }
+        }
+        if ( VUtil.isNotNullOrEmpty( pOp.getType() ) )
+        {
+            VUtil.description( pOp.getType() );
+        }
+        if ( VUtil.isNotNullOrEmpty( pOp.getDescription() ) )
+        {
+            VUtil.description( pOp.getDescription() );
+        }
+        // Validate Role Grants:
+        if ( VUtil.isNotNullOrEmpty( pOp.getRoles() ) )
+        {
+            Set<String> roles = pOp.getRoles();
+            if(pOp.isAdmin())
+            {
+                AdminRoleP arp = new AdminRoleP();
+                for (String roleNm : roles)
+                {
+                    AdminRole adminRole = new AdminRole(roleNm);
+                    adminRole.setContextId(pOp.getContextId());
+                    arp.read(adminRole);
+                }
+            }
+            else
+            {
+                RoleP rp = new RoleP();
+                for (String roleNm : roles)
+                {
+                    Role role = new Role(roleNm);
+                    role.setContextId(pOp.getContextId());
+                    rp.read(role);
+                }
+            }
+        }
+        // Validate User Grants:
+        if ( VUtil.isNotNullOrEmpty( pOp.getUsers() ) )
+        {
+            Set<String> users = pOp.getUsers();
+            UserP up = new UserP();
+            for ( String userId : users )
+            {
+                User user = new User( userId );
+                user.setContextId( pOp.getContextId() );
+                up.read( user, false );
+            }
+        }
+    }
+}
\ No newline at end of file


Mime
View raw message