directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [29/51] [partial] Rename packages from org.openldap.fortress to org.apache.directory.fortress.core. Change default suffix to org.apache. Switch default ldap api from unbound to apache ldap.
Date Wed, 22 Oct 2014 15:44:48 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
new file mode 100755
index 0000000..fd4a8ee
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditP.java
@@ -0,0 +1,150 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.List;
+
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.rbac.dao.unboundid.AuditDAO;
+
+
+/**
+ * This class is process layer for Fortress audit data.  It performs data validation
+ * and data mapping functions.
+ * Process module for the for Fortress audit data.  It performs data validation and data mapping functions.
+ * The audit data is passed using {@link org.apache.directory.fortress.core.rbac.AuthZ} class.  This class does perform simple data validations to ensure data reasonability and
+ * the required fields are present..<BR>
+ * The methods in this class are called by {@link AuditMgrImpl} methods during audit log interrogations.
+ * <p/>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exception {@link org.apache.directory.fortress.core.FinderException},
+ * or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link org.apache.directory.fortress.core.GlobalErrIds}.
+ * <p/>
+ * This class performs simple data validations.
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author Shawn McKinney
+ */
+public final class AuditP
+{
+    private static final AuditDAO aDao = new AuditDAO();
+
+
+    /**
+     * Package private constructor
+     */
+    AuditP()
+    {
+    }
+
+
+    /**
+     * This method returns a list of authorization events for a particular user {@link UserAudit#userId}
+     * and given timestamp field {@link UserAudit#beginDate}.<BR>
+     * Method also can discriminate between all events or failed only by setting {@link UserAudit#failedOnly}.
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type AuthZ.  Each AuthZ object contains one authorization event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<AuthZ> getAuthZs( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.getAllAuthZs( uAudit );
+    }
+
+
+    /**
+     * This method returns a list of authorization events for a particular user {@link UserAudit#userId},
+     * object {@link UserAudit#objName}, and given timestamp field {@link UserAudit#beginDate}.<BR>
+     * Method also can discriminate between all events or failed only by setting flag {@link UserAudit#failedOnly}..
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type AuthZ.  Each AuthZ object contains one authorization event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<AuthZ> searchAuthZs( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.searchAuthZs( uAudit );
+    }
+
+
+    /**
+     * This method returns a list of authentication audit events for a particular user {@link UserAudit#userId},
+     * and given timestamp field {@link UserAudit#beginDate}.<BR>
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type Bind.  Each Bind object contains one bind event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<Bind> searchBinds( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.searchBinds( uAudit );
+    }
+
+
+    /**
+     * This method returns a list of sessions created for a given user {@link UserAudit#userId},
+     * and timestamp {@link UserAudit#beginDate}.<BR>
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type AuthZ.  Each AuthZ object contains one authorization event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<Mod> searchUserMods( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.searchUserMods( uAudit );
+    }
+
+
+    /**
+     * This method returns a list of admin operations events for a particular entity {@link UserAudit#dn},
+     * object {@link UserAudit#objName} and timestamp {@link UserAudit#beginDate}.  If the internal
+     * userId {@link UserAudit#internalUserId} is set it will limit search by that field.
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type AuthZ.  Each AuthZ object contains one authorization event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<Mod> searchAdminMods( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.searchAdminMods( uAudit );
+    }
+
+
+    /**
+     * This method returns a list of failed authentication events for a particular invalid user {@link UserAudit#userId},
+     * and given timestamp {@link UserAudit#beginDate}.  If the {@link UserAudit#failedOnly} is true it will
+     * return only authentication attempts made with invalid userId.
+     * </p>
+     * This is possible because Fortress performs read on user before the bind.
+     * </p>
+     *
+     * @param uAudit This entity is instantiated and populated before invocation.
+     * @return a List of objects of type AuthZ.  Each AuthZ object contains one failed authentication event.
+     * @throws SecurityException if a runtime system error occurs.
+     */
+    final List<AuthZ> searchInvalidAuthNs( UserAudit uAudit ) throws SecurityException
+    {
+        return aDao.searchInvalidAuthNs( uAudit );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
new file mode 100755
index 0000000..b4ffe16
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuthZ.java
@@ -0,0 +1,769 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import java.io.Serializable;
+
+/**
+ * This entity class contains OpenLDAP slapo-accesslog records that correspond to authorization attempts made to the directory.
+ * <p/>
+ * The auditCompare Structural object class is used by the slapo-accesslog overlay to store record of fortress authorization events.
+ * These events can later be pulled as audit trail using ldap protocol.  The data pertaining to authZ events are stored in this entity record.<br/>
+ * <p/>
+ * <pre>
+ * ------------------------------------------
+ * objectclass (  1.3.6.1.4.1.4203.666.11.5.2.7
+ * NAME 'auditCompare'
+ * DESC 'Compare operation'
+ * SUP auditObject STRUCTURAL
+ * MUST reqAssertion )
+ * ------------------------------------------
+ * </pre>
+ * For the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request
+ * <p/>
+ * Note this class uses descriptions pulled from man pages on slapo-accesslog.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortAuthZ")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "authZ", propOrder = {
+    "createTimestamp",
+    "creatorsName",
+    "entryCSN",
+    "entryDN",
+    "entryUUID",
+    "hasSubordinates",
+    "modifiersName",
+    "modifyTimestamp",
+    "objectClass",
+    "reqAttr",
+    "reqAttrsOnly",
+    "reqAuthzID",
+    "reqControls",
+    "reqDN",
+    "reqDerefAliases",
+    "reqEnd",
+    "reqEntries",
+    "reqFilter",
+    "reqResult",
+    "reqScope",
+    "reqSession",
+    "reqSizeLimit",
+    "reqStart",
+    "reqTimeLimit",
+    "reqType",
+    "reqAssertion",
+    "structuralObjectClass",
+    "subschemaSubentry",
+    "sequenceId"
+})
+public class AuthZ extends FortEntity implements Serializable
+{
+    private String createTimestamp;
+    private String creatorsName;
+    private String entryCSN;
+    private String entryDN;
+    private String entryUUID;
+    private String hasSubordinates;
+    private String modifiersName;
+    private String modifyTimestamp;
+    private String objectClass;
+    private String reqAttr;
+    private String reqAttrsOnly;
+    private String reqAuthzID;
+    private String reqControls;
+    private String reqDN;
+    private String reqDerefAliases;
+    private String reqEnd;
+    private String reqEntries;
+    private String reqFilter;
+    private String reqResult;
+    private String reqScope;
+    private String reqSession;
+    private String reqSizeLimit;
+    private String reqStart;
+    private String reqTimeLimit;
+    private String reqType;
+    private String reqAssertion;
+    private String structuralObjectClass;
+    private String subschemaSubentry;
+    private long sequenceId;
+
+    /**
+     * Get the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+     * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @return attribute that maps to 'reqStart' in 'auditSearch' object class.
+     */
+    public String getCreateTimestamp()
+    {
+        return createTimestamp;
+    }
+
+    /**
+     * Set the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+     * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @param createTimestamp attribute that maps to 'reqStart' in 'auditSearch' object class.
+     */
+    public void setCreateTimestamp(String createTimestamp)
+    {
+        this.createTimestamp = createTimestamp;
+    }
+
+    /**
+     * Return the user dn containing the identity of log user who added the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @return value that maps to 'creatorsName' attribute on 'auditSearch' object class.
+     */
+    public String getCreatorsName()
+    {
+        return creatorsName;
+    }
+
+    /**
+     * Set the user dn containing the identity of log user who added the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @param creatorsName maps to 'creatorsName' attribute on 'auditSearch' object class.
+     */
+    public void setCreatorsName(String creatorsName)
+    {
+        this.creatorsName = creatorsName;
+    }
+
+    /**
+     * Return the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+     *
+     * @return attribute that maps to 'entryCSN' on 'auditSearch' object class.
+     */
+    public String getEntryCSN()
+    {
+        return entryCSN;
+    }
+
+    /**
+     * Set the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+     *
+     * @param entryCSN maps to 'entryCSN' attribute on 'auditSearch' object class.
+     */
+    public void setEntryCSN(String entryCSN)
+    {
+        this.entryCSN = entryCSN;
+    }
+
+    /**
+     * Get the entry dn for bind object stored in directory.  This attribute uses the 'reqStart' along with suffix for log.
+     *
+     * @return attribute that maps to 'entryDN' on 'auditSearch' object class.
+     */
+    public String getEntryDN()
+    {
+        return entryDN;
+    }
+
+    /**
+     * Set the entry dn for bind object stored in directory.  This attribute uses the 'reqStart' along with suffix for log.
+     *
+     * @param entryDN attribute that maps to 'entryDN' on 'auditSearch' object class.
+     */
+    public void setEntryDN(String entryDN)
+    {
+        this.entryDN = entryDN;
+    }
+
+    /**
+     * Get the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditSearch' record.
+     *
+     * @return value that maps to 'entryUUID' attribute on 'auditSearch' object class.
+     */
+    public String getEntryUUID()
+    {
+        return entryUUID;
+    }
+
+    /**
+     * Set the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditSearch' record.
+     *
+     * @param entryUUID that maps to 'entryUUID' attribute on 'auditSearch' object class.
+     */
+    public void setEntryUUID(String entryUUID)
+    {
+        this.entryUUID = entryUUID;
+    }
+
+    /**
+     * Get the attribute that corresponds to the boolean value hasSubordinates.
+     *
+     * @return value that maps to 'hasSubordinates' attribute on 'auditSearch' object class.
+     */
+    public String getHasSubordinates()
+    {
+        return hasSubordinates;
+    }
+
+    /**
+     * Set the attribute that corresponds to the boolean value hasSubordinates.
+     *
+     * @param hasSubordinates maps to same name on 'auditSearch' object class.
+     */
+    public void setHasSubordinates(String hasSubordinates)
+    {
+        this.hasSubordinates = hasSubordinates;
+    }
+
+    /**
+     * Return the user dn containing the identity of log user who last modified the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @return value that maps to 'modifiersName' attribute on 'auditSearch' object class.
+     */
+    public String getModifiersName()
+    {
+        return modifiersName;
+    }
+
+    /**
+     * Set the user dn containing the identity of log user who modified the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @param modifiersName maps to 'modifiersName' attribute on 'auditSearch' object class.
+     */
+    public void setModifiersName(String modifiersName)
+    {
+        this.modifiersName = modifiersName;
+    }
+
+    /**
+     * Get the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+     * The time attributes use generalizedTime syntax.
+     *
+     * @return attribute that maps to 'modifyTimestamp' in 'auditSearch' object class.
+     */
+    public String getModifyTimestamp()
+    {
+        return modifyTimestamp;
+    }
+
+    /**
+     * Set the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+     * The time attributes use generalizedTime syntax.
+     *
+     * @param modifyTimestamp attribute that maps to same name in 'auditSearch' object class.
+     */
+    public void setModifyTimestamp(String modifyTimestamp)
+    {
+        this.modifyTimestamp = modifyTimestamp;
+    }
+
+    /**
+     * Get the object class name of the audit record.  For this entity, this value will always be 'auditSearch'.
+     *
+     * @return value that maps to 'objectClass' attribute on 'auditSearch' obejct class.
+     */
+    public String getObjectClass()
+    {
+        return objectClass;
+    }
+
+    /**
+     * Set the object class name of the audit record.  For this entity, this value will always be 'auditSearch'.
+     *
+     * @param objectClass value that maps to same name on 'auditSearch' obejct class.
+     */
+    public void setObjectClass(String objectClass)
+    {
+        this.objectClass = objectClass;
+    }
+
+    /**
+     * The  reqAuthzID  attribute  is  the  distinguishedName of the user that
+     * performed the operation.  This will usually be the  same  name  as  was
+     * established  at  the  start of a session by a Bind request (if any) but
+     * may be altered in various circumstances.
+     * For Fortress bind operations this will map to {@link org.apache.directory.fortress.core.rbac.User#userId}
+     *
+     * @return value that maps to 'reqAuthzID' on 'auditSearch' object class.
+     */
+    public String getReqAuthzID()
+    {
+        return reqAuthzID;
+    }
+
+    /**
+     * The  reqAuthzID  attribute  is  the  distinguishedName of the user that
+     * performed the operation.  This will usually be the  same  name  as  was
+     * established  at  the  start of a session by a Bind request (if any) but
+     * may be altered in various circumstances.
+     * For Fortress bind operations this will map to {@link org.apache.directory.fortress.core.rbac.User#userId}
+     *
+     */
+    public void setReqAuthzID(String reqAuthzID)
+    {
+        this.reqAuthzID = reqAuthzID;
+    }
+
+    /**
+     * The reqControls and reqRespControls attributes carry any controls  sent
+     * by  the  client  on  the  request  and  returned  by  the server in the
+     * response, respectively. The attribute  values  are  just  uninterpreted
+     * octet strings.
+     *
+     * @return value that maps to 'reqControls' attribute on 'auditSearch' object class.
+     */
+    public String getReqControls()
+    {
+        return reqControls;
+    }
+
+    /**
+     * The reqControls and reqRespControls attributes carry any controls  sent
+     * by  the  client  on  the  request  and  returned  by  the server in the
+     * response, respectively. The attribute  values  are  just  uninterpreted
+     * octet strings.
+     *
+     * @param reqControls maps to same name attribute on 'auditSearch' object class.
+     */
+    public void setReqControls(String reqControls)
+    {
+        this.reqControls = reqControls;
+    }
+
+    /**
+     * The reqDN attribute is the  distinguishedName  of  the  target  of  the
+     * operation.  E.g.,  for  a Bind request, this is the Bind DN. For an Add
+     * request, this is the DN of the entry being added. For a Search request,
+     * this is the base DN of the search.
+     *
+     * @return value that map to 'reqDN' attribute on 'auditSearch' object class.
+     */
+    public String getReqDN()
+    {
+        return reqDN;
+    }
+
+    /**
+     * The reqDN attribute is the  distinguishedName  of  the  target  of  the
+     * operation.  E.g.,  for  a Bind request, this is the Bind DN. For an Add
+     * request, this is the DN of the entry being added. For a Search request,
+     * this is the base DN of the search.
+     *
+     * @param reqDN maps to 'reqDN' attribute on 'auditSearch' object class.
+     */
+    public void setReqDN(String reqDN)
+    {
+        this.reqDN = reqDN;
+    }
+
+    /**
+     * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+     *
+     * @return value that maps to 'reqEnd' attribute on 'auditSearch' object class.
+     */
+    public String getReqEnd()
+    {
+        return reqEnd;
+    }
+
+    /**
+     * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+     *
+     * @param reqEnd value that maps to same name on 'auditSearch' object class.
+     */
+    public void setReqEnd(String reqEnd)
+    {
+        this.reqEnd = reqEnd;
+    }
+
+    /**
+     * The  reqResult  attribute  is  the  numeric  LDAP  result  code  of the
+     * operation, indicating either success or a particular LDAP  error  code.
+     * An  error code may be accompanied by a text error message which will be
+     * recorded in the reqMessage attribute.
+     *
+     * @return value that maps to 'reqResult' attribute on 'auditSearch' object class.
+     */
+    public String getReqResult()
+    {
+        return reqResult;
+    }
+
+    /**
+     * The  reqResult  attribute  is  the  numeric  LDAP  result  code  of the
+     * operation, indicating either success or a particular LDAP  error  code.
+     * An  error code may be accompanied by a text error message which will be
+     * recorded in the reqMessage attribute.
+     *
+     * @param reqResult maps to same name on 'auditSearch' object class.
+     */
+    public void setReqResult(String reqResult)
+    {
+        this.reqResult = reqResult;
+    }
+
+    /**
+     * The reqSession attribute is an implementation-specific identifier  that
+     * is  common to all the operations associated with the same LDAP session.
+     * Currently this is slapd's internal connection ID, stored in decimal.
+     *
+     * @return value that maps to 'reqSession' attribute on 'auditSearch' object class.
+     */
+    public String getReqSession()
+    {
+        return reqSession;
+    }
+
+    /**
+     * The reqSession attribute is an implementation-specific identifier  that
+     * is  common to all the operations associated with the same LDAP session.
+     * Currently this is slapd's internal connection ID, stored in decimal.
+     *
+     * @param reqSession maps to same name on 'auditSearch' object class.
+     */
+    public void setReqSession(String reqSession)
+    {
+        this.reqSession = reqSession;
+    }
+
+    /**
+     * reqStart provide the start of the operation,  They  use generalizedTime syntax.
+     * The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @return value that maps to 'reqStart' attribute on 'auditSearch' object class.
+     */
+    public String getReqStart()
+    {
+        return reqStart;
+    }
+
+    /**
+     * reqStart provide the start of the operation,  They  use generalizedTime syntax.
+     * The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @param reqStart maps to same name on 'auditSearch' object class.
+     */
+    public void setReqStart(String reqStart)
+    {
+        this.reqStart = reqStart;
+    }
+
+    /**
+     * The  reqType  attribute  is  a  simple  string  containing  the type of
+     * operation being logged, e.g.  add, delete, search,  etc.  For  extended
+     * operations,  the  type also includes the OID of the extended operation,
+     * e.g.  extended(1.1.1.1)
+     *
+     * @return value that maps to 'reqType' attribute on 'auditSearch' object class.
+     */
+    public String getReqType()
+    {
+        return reqType;
+    }
+
+    /**
+     * The  reqType  attribute  is  a  simple  string  containing  the type of
+     * operation being logged, e.g.  add, delete, search,  etc.  For  extended
+     * operations,  the  type also includes the OID of the extended operation,
+     * e.g.  extended(1.1.1.1)
+     *
+     * @param reqType maps to same name on 'auditSearch' object class.
+     */
+    public void setReqType(String reqType)
+    {
+        this.reqType = reqType;
+    }
+
+    /**
+     * Get the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+     *
+     * @return value that maps to 'reqAssertion' attribute on 'auditCompare' object class.
+     */
+    public String getReqAssertion()
+    {
+        return reqAssertion;
+    }
+
+    /**
+     * Set the Compare operation the reqAssertion attribute carries the Attribute Value Assertion used in the compare request.
+     *
+     * @param reqAssertion value maps to 'reqAssertion' attribute contained in the 'auditCompare' object class.
+     */
+    public void setReqAssertion( String reqAssertion )
+    {
+        this.reqAssertion = reqAssertion;
+    }
+
+    /**
+     * Returns the name of the structural object class that is used to log the event.  For this entity
+     * this value will always be 'auditSearch'.
+     *
+     * @return value that maps to 'structuralObjectClass' attribute that contains the name 'auditSearch'.
+     */
+    public String getStructuralObjectClass()
+    {
+        return structuralObjectClass;
+    }
+
+    /**
+     * Returns the name of the structural object class that is used to log the event.  For this entity
+     * this value will always be 'auditSearch'.
+     *
+     * @param structuralObjectClass maps to same name on 'auditSearch' object class.
+     */
+    public void setStructuralObjectClass(String structuralObjectClass)
+    {
+        this.structuralObjectClass = structuralObjectClass;
+    }
+
+    /**
+     * The reqEntries attribute is the integer count of  how  many entries  were  returned  by  this search request.
+     *
+     * @return value that maps to 'reqEntries' attribute on 'auditSearch' object class
+     */
+    public String getReqEntries()
+    {
+        return reqEntries;
+    }
+
+    /**
+     * The reqEntries attribute is the integer count of  how  many entries  were  returned  by  this search request.
+     *
+     * @param reqEntries maps to same name on 'auditSearch' object class
+     */
+    public void setReqEntries(String reqEntries)
+    {
+        this.reqEntries = reqEntries;
+    }
+
+    /**
+     * The reqAttr attribute lists the requested attributes if specific attributes were requested.
+     *
+     * @return value maps to 'reqAttr' on 'auditSearch' object class.
+     */
+    public String getReqAttr()
+    {
+        return reqAttr;
+    }
+
+    /**
+     * The reqAttr attribute lists the requested attributes if specific attributes were requested.
+     *
+     * @param reqAttr maps to same name on 'auditSearch' object class.
+     */
+    public void setReqAttr(String reqAttr)
+    {
+        this.reqAttr = reqAttr;
+    }
+
+    /**
+     * The reqAttrsOnly attribute is a Boolean value showing TRUE if only attribute names
+     * were  requested, or FALSE if attributes and their values were requested.
+     * For Fortress authorization requests this value will always be TRUE.
+     *
+     * @return value maps to 'reqAttrsOnly' on 'auditSearch' object class.
+     */
+    public String getReqAttrsOnly()
+    {
+        return reqAttrsOnly;
+    }
+
+    /**
+     * The reqAttrsOnly attribute is a Boolean value showing TRUE if only attribute names
+     * were  requested, or FALSE if attributes and their values were requested.
+     * For Fortress authorization requests this value will always be TRUE.
+     *
+     * @param reqAttrsOnly maps to same name on 'auditSearch' object class.
+     */
+    public void setReqAttrsOnly(String reqAttrsOnly)
+    {
+        this.reqAttrsOnly = reqAttrsOnly;
+    }
+
+    /**
+     * The reqFilter attribute carries the filter used in the search request.
+     * <p/>
+     * For Fortress authorization events this will contain the following:
+     * <ul>
+     * <li>userId: {@link org.apache.directory.fortress.core.rbac.User#userId}
+     * <li>activated roles: {@link UserRole#name}
+     * <li>object name: {@link Permission#objName}
+     * <li>operation name: {@link Permission#opName}
+     * </ul>
+     *
+     * @return value that maps to 'reqFilter' attribute on 'auditSearch' object class.
+     */
+    public String getReqFilter()
+    {
+        return reqFilter;
+    }
+
+    /**
+     * The reqFilter attribute carries the filter used in the search request.
+     * <p/>
+     * For Fortress authorization events this will contain the following:
+     * <ul>
+     * <li>userId: {@link org.apache.directory.fortress.core.rbac.User#userId}
+     * <li>activated roles: {@link UserRole#name}
+     * <li>object name: {@link Permission#objName}
+     * <li>operation name: {@link Permission#opName}
+     * </ul>
+     *
+     * @param reqFilter maps to same name on 'auditSearch' object class.
+     */
+    public void setReqFilter(String reqFilter)
+    {
+        this.reqFilter = reqFilter;
+    }
+
+    /**
+     * The reqScope attribute contains the scope of the original search request, using
+     * the values specified for the LDAP URL format. I.e. base, one, sub, or subord.
+     *
+     * @return value that maps to 'reqScope' attribute on 'auditSearch' object class.
+     */
+    public String getReqScope()
+    {
+        return reqScope;
+    }
+
+    /**
+     * The reqScope attribute contains the scope of the original search request, using
+     * the values specified for the LDAP URL format. I.e. base, one, sub, or subord.
+     *
+     * @param reqScope maps to same name on 'auditSearch' object class.
+     */
+    public void setReqScope(String reqScope)
+    {
+        this.reqScope = reqScope;
+    }
+
+    /**
+     * The reqSizeLimit attribute indicate what limits were requested on the search operation.
+     *
+     * @return value that maps to 'reqSizeLimit' attribute on 'auditSearch' object class.
+     */
+    public String getReqSizeLimit()
+    {
+        return reqSizeLimit;
+    }
+
+    /**
+     * The reqSizeLimit attribute indicate what limits were requested on the search operation.
+     *
+     * @param reqSizeLimit maps to same name on 'auditSearch' object class.
+     */
+    public void setReqSizeLimit(String reqSizeLimit)
+    {
+        this.reqSizeLimit = reqSizeLimit;
+    }
+
+    /**
+     * The reqTimeLimit attribute indicate what limits were requested on the search operation.
+     *
+     * @return value that maps to 'reqTimeLimit' attribute on 'auditSearch' object class.
+     */
+    public String getReqTimeLimit()
+    {
+        return reqTimeLimit;
+    }
+
+    /**
+     * The reqTimeLimit attribute indicate what limits were requested on the search operation.
+     *
+     * @param reqTimeLimit maps to same name on 'auditSearch' object class.
+     */
+    public void setReqTimeLimit(String reqTimeLimit)
+    {
+        this.reqTimeLimit = reqTimeLimit;
+    }
+
+    /**
+     * Return the subschemaSubentry attribute from the audit entry.
+     *
+     * @return value that maps to 'subschemaSubentry' on 'auditSearch' object class.
+     */
+    public String getSubschemaSubentry()
+    {
+        return subschemaSubentry;
+    }
+
+    /**
+     * Set the subschemaSubentry attribute from the audit entry.
+     *
+     * @param subschemaSubentry maps to same name on 'auditSearch' object class.
+     */
+    public void setSubschemaSubentry(String subschemaSubentry)
+    {
+        this.subschemaSubentry = subschemaSubentry;
+    }
+
+    /**
+     * The reqDerefAliases attribute is on of never, finding, searching, or always, denoting how aliases
+     * will be processed during the search.
+     *
+     * @return value that maps to 'reqDerefAliases' on 'auditSearch' object class.
+     */
+    public String getReqDerefAliases()
+    {
+        return reqDerefAliases;
+    }
+
+    /**
+     * The reqDerefAliases attribute is on of never, finding, searching, or always, denoting how aliases
+     * will be processed during the search.
+     *
+     * @param reqDerefAliases maps to same name on 'auditSearch' object class.
+     */
+    public void setReqDerefAliases(String reqDerefAliases)
+    {
+        this.reqDerefAliases = reqDerefAliases;
+    }
+
+    /**
+     * Sequence id is used internal to Fortress.
+     * @return long value contains sequence id.
+     */
+    public long getSequenceId()
+    {
+        return sequenceId;
+    }
+
+    /**
+     * Sequence id is used internal to Fortress
+     * @param sequenceId contains sequence to use.
+     */
+    public void setSequenceId(long sequenceId)
+    {
+        this.sequenceId = sequenceId;
+    }
+}
+

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java b/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
new file mode 100755
index 0000000..34edddc
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Bind.java
@@ -0,0 +1,579 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import java.io.Serializable;
+
+/**
+ * This entity class contains OpenLDAP slapd access log records that correspond to bind attempts made to the directory.
+ * <p/>
+ * The auditBind Structural object class is used to store authentication events that can later be queried via ldap API.<br />
+ * <code># The Bind class includes the reqVersion attribute which contains the LDAP</code>
+ * <code># protocol version specified in the Bind as well as the reqMethod attribute</code>
+ * <code># which contains the Bind Method used in the Bind. This will be the string</code>
+ * <code># SIMPLE for LDAP Simple Binds or SASL(mech) for SASL Binds. Note that unless</code>
+ * <code># configured as a global overlay, only Simple Binds using DNs that reside in</code>
+ * <code># the current database will be logged:</code>
+ * <pre>
+ * ------------------------------------------
+ * objectclass (  1.3.6.1.4.1.4203.666.11.5.2.6 NAME 'auditBind'</code>
+ * DESC 'Bind operation'</code>
+ * SUP auditObject STRUCTURAL</code>
+ * MUST ( reqVersion $ reqMethod ) )</code>
+ * ------------------------------------------
+ * </pre>
+ * <p/>
+ * Note this class used descriptions pulled from man pages on slapd access log.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+@XmlRootElement(name = "fortBind")
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "bind", propOrder = {
+    "createTimestamp",
+    "creatorsName",
+    "entryCSN",
+    "entryDN",
+    "entryUUID",
+    "hasSubordinates",
+    "modifiersName",
+    "modifyTimestamp",
+    "objectClass",
+    "reqAuthzID",
+    "reqControls",
+    "reqDN",
+    "reqEnd",
+    "reqMethod",
+    "reqResult",
+    "reqSession",
+    "reqStart",
+    "reqType",
+    "reqVersion",
+    "structuralObjectClass",
+    "sequenceId"
+})
+public class Bind extends FortEntity implements Serializable
+{
+    private String createTimestamp;
+    private String creatorsName;
+    private String entryCSN;
+    private String entryDN;
+    private String entryUUID;
+    private String hasSubordinates;
+    private String modifiersName;
+    private String modifyTimestamp;
+    private String objectClass;
+    private String reqAuthzID;
+    private String reqControls;
+    private String reqDN;
+    private String reqEnd;
+    private String reqMethod;
+    private String reqResult;
+    private String reqSession;
+    private String reqStart;
+    private String reqType;
+    private String reqVersion;
+    private String structuralObjectClass;
+    private long sequenceId;
+
+    /**
+     * Get the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+     * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @return attribute that maps to 'reqStart' in 'auditBind' object class.
+     */
+    public String getCreateTimestamp()
+    {
+        return createTimestamp;
+    }
+
+    /**
+     * Set the attribute that maps to 'reqStart' which provides the start time of the operation which is also the rDn for the node.
+     * These time attributes use generalizedTime syntax. The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @param createTimestamp attribute that maps to 'reqStart' in 'auditBind' object class.
+     */
+    public void setCreateTimestamp(String createTimestamp)
+    {
+        this.createTimestamp = createTimestamp;
+    }
+
+    /**
+     * Return the user dn containing the identity of log user who added the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @return value that maps to 'creatorsName' attribute on 'auditBind' object class.
+     */
+    public String getCreatorsName()
+    {
+        return creatorsName;
+    }
+
+    /**
+     * Set the user dn containing the identity of log user who added the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @param creatorsName maps to 'creatorsName' attribute on 'auditBind' object class.
+     */
+    public void setCreatorsName(String creatorsName)
+    {
+        this.creatorsName = creatorsName;
+    }
+
+    /**
+     * Return the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+     *
+     * @return attribute that maps to 'entryCSN' on 'auditBind' object class.
+     */
+    public String getEntryCSN()
+    {
+        return entryCSN;
+    }
+
+    /**
+     * Set the Change Sequence Number (CSN) containing sequence number that is used for OpenLDAP synch replication functionality.
+     *
+     * @param entryCSN maps to 'entryCSN' attribute on 'auditBind' object class.
+     */
+    public void setEntryCSN(String entryCSN)
+    {
+        this.entryCSN = entryCSN;
+    }
+
+    /**
+     * Get the entry dn for bind object stored in directory.  This attribute uses the 'reqStart' along with suffix for log.
+     *
+     * @return attribute that maps to 'entryDN' on 'auditBind' object class.
+     */
+    public String getEntryDN()
+    {
+        return entryDN;
+    }
+
+    /**
+     * Set the entry dn for bind object stored in directory.  This attribute uses the 'reqStart' along with suffix for log.
+     *
+     * @param entryDN attribute that maps to 'entryDN' on 'auditBind' object class.
+     */
+    public void setEntryDN(String entryDN)
+    {
+        this.entryDN = entryDN;
+    }
+
+    /**
+     * Get the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditBind' record.
+     *
+     * @return value that maps to 'entryUUID' attribute on 'auditBind' object class.
+     */
+    public String getEntryUUID()
+    {
+        return entryUUID;
+    }
+
+    /**
+     * Set the attribute that contains the Universally Unique ID (UUID) of the corresponding 'auditBind' record.
+     *
+     * @param entryUUID that maps to 'entryUUID' attribute on 'auditBind' object class.
+     */
+    public void setEntryUUID(String entryUUID)
+    {
+        this.entryUUID = entryUUID;
+    }
+
+    /**
+     * Get the attribute that corresponds to the boolean value hasSubordinates.
+     *
+     * @return value that maps to 'hasSubordinates' attribute on 'auditBind' object class.
+     */
+    public String getHasSubordinates()
+    {
+        return hasSubordinates;
+    }
+
+    /**
+     * Set the attribute that corresponds to the boolean value hasSubordinates.
+     *
+     * @param hasSubordinates maps to same name on 'auditBind' object class.
+     */
+    public void setHasSubordinates(String hasSubordinates)
+    {
+        this.hasSubordinates = hasSubordinates;
+    }
+
+    /**
+     * Return the user dn containing the identity of log user who last modified the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @return value that maps to 'modifiersName' attribute on 'auditBind' object class.
+     */
+    public String getModifiersName()
+    {
+        return modifiersName;
+    }
+
+    /**
+     * Set the user dn containing the identity of log user who modified the audit record.  This will be the system user that
+     * is configured for performing slapd access log operations on behalf of Fortress.
+     * The config property name {@link org.apache.directory.fortress.ldap.PoolMgr#LDAP_LOG_POOL_UID} contains the audit log system user id.
+     *
+     * @param modifiersName maps to 'modifiersName' attribute on 'auditBind' object class.
+     */
+    public void setModifiersName(String modifiersName)
+    {
+        this.modifiersName = modifiersName;
+    }
+
+    /**
+     * Get the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+     * The time attributes use generalizedTime syntax.
+     *
+     * @return attribute that maps to 'modifyTimestamp' in 'auditBind' object class.
+     */
+    public String getModifyTimestamp()
+    {
+        return modifyTimestamp;
+    }
+
+    /**
+     * Set the attribute that maps to 'modifyTimestamp' which provides the last time audit record was changed.
+     * The time attributes use generalizedTime syntax.
+     *
+     * @param modifyTimestamp attribute that maps to same name in 'auditBind' object class.
+     */
+    public void setModifyTimestamp(String modifyTimestamp)
+    {
+        this.modifyTimestamp = modifyTimestamp;
+    }
+
+    /**
+     * Get the object class name of the audit record.  For this entity, this value will always be 'auditBind'.
+     *
+     * @return value that maps to 'objectClass' attribute on 'auditBind' obejct class.
+     */
+    public String getObjectClass()
+    {
+        return objectClass;
+    }
+
+    /**
+     * Set the object class name of the audit record.  For this entity, this value will always be 'auditBind'.
+     *
+     * @param objectClass value that maps to same name on 'auditBind' obejct class.
+     */
+    public void setObjectClass(String objectClass)
+    {
+        this.objectClass = objectClass;
+    }
+
+    /**
+     * The  reqAuthzID  attribute  is  the  distinguishedName of the user that
+     * performed the operation.  This will usually be the  same  name  as  was
+     * established  at  the  start of a session by a Bind request (if any) but
+     * may be altered in various circumstances.
+     * For Fortress bind operations this will map to {@link User#userId}
+     *
+     * @return value that maps to 'reqAuthzID' on 'auditBind' object class.
+     */
+    public String getReqAuthzID()
+    {
+        return reqAuthzID;
+    }
+
+    /**
+     * The  reqAuthzID  attribute  is  the  distinguishedName of the user that
+     * performed the operation.  This will usually be the  same  name  as  was
+     * established  at  the  start of a session by a Bind request (if any) but
+     * may be altered in various circumstances.
+     * For Fortress bind operations this will map to {@link User#userId}
+     *
+     */
+    public void setReqAuthzID(String reqAuthzID)
+    {
+        this.reqAuthzID = reqAuthzID;
+    }
+
+    /**
+     * The reqControls and reqRespControls attributes carry any controls  sent
+     * by  the  client  on  the  request  and  returned  by  the server in the
+     * response, respectively. The attribute  values  are  just  uninterpreted
+     * octet strings.
+     *
+     * @return value that maps to 'reqControls' attribute on 'auditBind' object class.
+     */
+    public String getReqControls()
+    {
+        return reqControls;
+    }
+
+    /**
+     * The reqControls and reqRespControls attributes carry any controls  sent
+     * by  the  client  on  the  request  and  returned  by  the server in the
+     * response, respectively. The attribute  values  are  just  uninterpreted
+     * octet strings.
+     *
+     * @param reqControls maps to same name attribute on 'auditBind' object class.
+     */
+    public void setReqControls(String reqControls)
+    {
+        this.reqControls = reqControls;
+    }
+
+    /**
+     * The reqDN attribute is the  distinguishedName  of  the  target  of  the
+     * operation.  E.g.,  for  a Bind request, this is the Bind DN. For an Add
+     * request, this is the DN of the entry being added. For a Search request,
+     * this is the base DN of the search.
+     *
+     * @return value that map to 'reqDN' attribute on 'auditBind' object class.
+     */
+    public String getReqDN()
+    {
+        return reqDN;
+    }
+
+    /**
+     * The reqDN attribute is the  distinguishedName  of  the  target  of  the
+     * operation.  E.g.,  for  a Bind request, this is the Bind DN. For an Add
+     * request, this is the DN of the entry being added. For a Search request,
+     * this is the base DN of the search.
+     *
+     * @param reqDN maps to 'reqDN' attribute on 'auditBind' object class.
+     */
+    public void setReqDN(String reqDN)
+    {
+        this.reqDN = reqDN;
+    }
+
+    /**
+     * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+     *
+     * @return value that maps to 'reqEnd' attribute on 'auditBind' object class.
+     */
+    public String getReqEnd()
+    {
+        return reqEnd;
+    }
+
+    /**
+     * reqEnd provide the end time of the operation. It uses generalizedTime syntax.
+     *
+     * @param reqEnd value that maps to same name on 'auditBind' object class.
+     */
+    public void setReqEnd(String reqEnd)
+    {
+        this.reqEnd = reqEnd;
+    }
+
+    /**
+     * The reqMethod attribute contains the Bind Method used in the Bind. This will be
+     * the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds.
+     * Note  that  unless  configured  as  a global overlay, only Simple Binds
+     * using DNs that reside in the current database will be logged.
+     *
+     * @return String that maps to 'reqMethod' attribute on 'auditBind' object class.
+     */
+    public String getReqMethod()
+    {
+        return reqMethod;
+    }
+
+    /**
+     * The reqMethod attribute contains the Bind Method used in the Bind. This will be
+     * the string SIMPLE for LDAP Simple Binds or SASL(<mech>) for SASL Binds.
+     * Note  that  unless  configured  as  a global overlay, only Simple Binds
+     * using DNs that reside in the current database will be logged.
+     *
+     * @param reqMethod maps to same name on 'auditBind' object class.
+     */
+    public void setReqMethod(String reqMethod)
+    {
+        this.reqMethod = reqMethod;
+    }
+
+    /**
+     * The  reqResult  attribute  is  the  numeric  LDAP  result  code  of the
+     * operation, indicating either success or a particular LDAP  error  code.
+     * An  error code may be accompanied by a text error message which will be
+     * recorded in the reqMessage attribute.
+     *
+     * @return value that maps to 'reqResult' attribute on 'auditBind' object class.
+     */
+    public String getReqResult()
+    {
+        return reqResult;
+    }
+
+    /**
+     * The  reqResult  attribute  is  the  numeric  LDAP  result  code  of the
+     * operation, indicating either success or a particular LDAP  error  code.
+     * An  error code may be accompanied by a text error message which will be
+     * recorded in the reqMessage attribute.
+     *
+     * @param reqResult maps to same name on 'auditBind' object class.
+     */
+    public void setReqResult(String reqResult)
+    {
+        this.reqResult = reqResult;
+    }
+
+    /**
+     * The reqSession attribute is an implementation-specific identifier  that
+     * is  common to all the operations associated with the same LDAP session.
+     * Currently this is slapd's internal connection ID, stored in decimal.
+     *
+     * @return value that maps to 'reqSession' attribute on 'auditBind' object class.
+     */
+    public String getReqSession()
+    {
+        return reqSession;
+    }
+
+    /**
+     * The reqSession attribute is an implementation-specific identifier  that
+     * is  common to all the operations associated with the same LDAP session.
+     * Currently this is slapd's internal connection ID, stored in decimal.
+     *
+     * @param reqSession maps to same name on 'auditBind' object class.
+     */
+    public void setReqSession(String reqSession)
+    {
+        this.reqSession = reqSession;
+    }
+
+    /**
+     * reqStart provide the start of the operation,  They  use generalizedTime syntax.
+     * The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @return value that maps to 'reqStart' attribute on 'auditBind' object class.
+     */
+    public String getReqStart()
+    {
+        return reqStart;
+    }
+
+    /**
+     * reqStart provide the start of the operation,  They  use generalizedTime syntax.
+     * The reqStart attribute is also used as the RDN for each log entry.
+     *
+     * @param reqStart maps to same name on 'auditBind' object class.
+     */
+    public void setReqStart(String reqStart)
+    {
+        this.reqStart = reqStart;
+    }
+
+    /**
+     * The  reqType  attribute  is  a  simple  string  containing  the type of
+     * operation being logged, e.g.  add, delete, search,  etc.  For  extended
+     * operations,  the  type also includes the OID of the extended operation,
+     * e.g.  extended(1.1.1.1)
+     *
+     * @return value that maps to 'reqType' attribute on 'auditBind' object class.
+     */
+    public String getReqType()
+    {
+        return reqType;
+    }
+
+    /**
+     * The  reqType  attribute  is  a  simple  string  containing  the type of
+     * operation being logged, e.g.  add, delete, search,  etc.  For  extended
+     * operations,  the  type also includes the OID of the extended operation,
+     * e.g.  extended(1.1.1.1)
+     *
+     * @param reqType maps to same name on 'auditBind' object class.
+     */
+    public void setReqType(String reqType)
+    {
+        this.reqType = reqType;
+    }
+
+    /**
+     * The reqVersion attribute which contains the
+     * LDAP protocol version specified in the Bind
+     *
+     * @return value that maps to the 'reqVersion' attribute on 'auditBind' object class.
+     */
+    public String getReqVersion()
+    {
+        return reqVersion;
+    }
+
+    /**
+     * The reqVersion attribute which contains the
+     * LDAP protocol version specified in the Bind
+     *
+     * @param reqVersion maps to same name on 'auditBind' object class.
+     */
+    public void setReqVersion(String reqVersion)
+    {
+        this.reqVersion = reqVersion;
+    }
+
+    /**
+     * Returns the name of the structural object class that is used to log the event.  For this entity
+     * this value will always be 'auditBind'.
+     *
+     * @return value that maps to 'structuralObjectClass' attribute that contains the name 'auditBind'.
+     */
+    public String getStructuralObjectClass()
+    {
+        return structuralObjectClass;
+    }
+
+    /**
+     * Returns the name of the structural object class that is used to log the event.  For this entity
+     * this value will always be 'auditBind'.
+     *
+     * @param structuralObjectClass maps to same name on 'auditBind' object class.
+     */
+    public void setStructuralObjectClass(String structuralObjectClass)
+    {
+        this.structuralObjectClass = structuralObjectClass;
+    }
+
+    /**
+     * Sequence id is used internal to Fortress.
+     * @return long value contains sequence id.
+     */
+    public long getSequenceId()
+    {
+        return sequenceId;
+    }
+
+    /**
+     * Sequence id is used internal to Fortress
+     * @param sequenceId contains sequence to use.
+     */
+    public void setSequenceId(long sequenceId)
+    {
+        this.sequenceId = sequenceId;
+    }
+}
+

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java b/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
new file mode 100755
index 0000000..e5ce164
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/CharArrayAdapter.java
@@ -0,0 +1,42 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import javax.xml.bind.annotation.adapters.XmlAdapter;
+import java.util.Arrays;
+
+/**
+ * Created by IntelliJ IDEA.
+ * User: Shawn McKinney
+ * Date: 1/8/12
+ * Time: 7:29 AM
+ */
+public class CharArrayAdapter extends XmlAdapter<String, char[]>
+{
+    public char[] unmarshal(String val) throws Exception
+    {
+        return val.toCharArray();
+    }
+
+    public String marshal(char[] val) throws Exception
+    {
+        return Arrays.toString(val);
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
new file mode 100755
index 0000000..9dde185
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/ClassUtil.java
@@ -0,0 +1,103 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+import org.apache.directory.fortress.core.CfgException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+
+import java.io.InputStream;
+
+
+/**
+ * General purpose factory uses java reflection to instantiate new Manager object.
+ * </p>
+ * This class is called by the Manager factories:
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.AccessMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.AdminMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.AuditMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelAccessMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelAdminMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.DelReviewMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.PwPolicyMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.ReviewMgrFactory}</li>
+ * <li>{@link org.apache.directory.fortress.core.cfg.ConfigMgrFactory}</li>
+ * </ol>
+ *
+ * @author Shawn McKinney
+ */
+public class ClassUtil
+{
+    /**
+     * Given a valid class name call the default constructor through reflexion and return the reference to the caller.
+     * @param className contains fully qualified java class name to be instantiated.  Must have a public default constructor to be successful.
+     * @return reference to instantiated ManagerImpl object.
+     * @throws org.apache.directory.fortress.core.CfgException in the event of failure to instantiate.
+     *
+     */
+    public static Object createInstance(String className)
+        throws CfgException
+    {
+        Object target;
+        try
+        {
+            if (className == null || className.length() == 0)
+            {
+                String error = "createInstance() null or empty classname";
+                throw new CfgException(GlobalErrIds.FT_MGR_CLASS_NAME_NULL, error);
+            }
+            target = Class.forName(className).newInstance();
+        }
+        catch (java.lang.ClassNotFoundException e)
+        {
+            String error = "createInstance() className [" + className + "] caught java.lang.ClassNotFoundException=" + e;
+            throw new CfgException(GlobalErrIds.FT_MGR_CLASS_NOT_FOUND, error, e);
+        }
+        catch (java.lang.InstantiationException e)
+        {
+            String error = "createInstance()  [" + className + "] caught java.lang.InstantiationException=" + e;
+            throw new CfgException(GlobalErrIds.FT_MGR_INST_EXCEPTION, error, e);
+        }
+        catch (java.lang.IllegalAccessException e)
+        {
+            String error = "createInstance()  [" + className + "] caught java.lang.IllegalAccessException=" + e;
+            throw new CfgException(GlobalErrIds.FT_MGR_ILLEGAL_ACCESS, error, e);
+        }
+        return target;
+	}
+
+
+    /**
+     * Find a file on the classloader and return as InputStream.
+     * @param name contains the name of the file resource.
+     * @return handle to the InputStream
+     * @throws org.apache.directory.fortress.core.CfgException in the event resource is not found on classloader.
+     */
+    public static InputStream resourceAsStream(String name) throws CfgException
+    {
+        InputStream is;
+        is = ClassUtil.class.getClassLoader().getResourceAsStream(name);
+        if (is == null)
+        {
+            throw new CfgException(GlobalErrIds.FT_RESOURCE_NOT_FOUND, name);
+        }
+        return is;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Context.java b/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
new file mode 100644
index 0000000..e7a646d
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/Context.java
@@ -0,0 +1,95 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+/**
+ * This class contains the Context id which is used as container for segregating data by customer within the LDAP Directory Information Tree.
+ * <p/>
+ *
+ * @author Shawn McKinney
+ */
+public class Context
+{
+    private String name;
+    private String description;
+
+
+    /**
+     * Generate instance of context.
+     *
+     * @param name        contains the id to use for sub-directory within the DIT.
+     * @param description maps to 'description' attribute in 'organizationalUnit' object class.
+     */
+    public Context(String name, String description)
+    {
+        this.name = name;
+        this.description = description;
+    }
+
+    /**
+     * Default constructor used by {@link org.apache.directory.fortress.core.ant.FortressAntTask}
+     */
+    public Context()
+    {
+    }
+
+    /**
+     * Get the id to use for sub-directory within the DIT.  This attribute is required.
+     *
+     * @return name maps to 'dcObject' object class.
+     */
+    public String getName()
+    {
+        return name;
+    }
+
+    /**
+     * Set the id to use for sub-directory within the DIT.  This attribute is required.
+     *
+     * @param name maps to 'dcObject' object class.
+     */
+    public void setName(String name)
+    {
+        this.name = name;
+    }
+
+    /**
+     * Get the description for the context.  This value is not required or constrained
+     * but is validated on reasonability.
+     *
+     * @return field maps to 'description' attribute on 'organizationalUnit'.
+     */
+    public String getDescription()
+    {
+        return description;
+    }
+
+    /**
+     * Set the description for the context.  This value is not required or constrained
+     * but is validated on reasonability.
+     *
+     * @param description maps to to 'description' attribute on 'organizationalUnit'.
+     */
+    public void setDescription(String description)
+    {
+        this.description = description;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/687ee1ad/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java b/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
new file mode 100755
index 0000000..ed5c928
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/rbac/DSDChecker.java
@@ -0,0 +1,152 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.rbac;
+
+
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.directory.fortress.core.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.util.time.Constraint;
+import org.apache.directory.fortress.core.util.time.Time;
+import org.apache.directory.fortress.core.util.time.Validator;
+
+
+/**
+ * This class performs Dynamic Separation of Duty checking on a collection of roles targeted for
+ * activation within a particular user's session.  This method is called from {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} during createSession
+ * sequence for users.  If DSD constraint violation is detected for a particular role method will remove the role
+ * from collection of activation candidates and log a warning.  This proc will also consider hierarchical relations
+ * between roles (RBAC spec calls these authorized roles).
+ * This validator will ensure the role being targeted for activation does not violate RBAC dynamic separation of duty constraints.
+ * <h4> Constraint Targets include</h4>
+ * <ol>
+ * <li>{@link org.apache.directory.fortress.core.rbac.User} maps to 'ftCstr' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.UserRole} maps to 'ftRC' attribute on 'ftUserAttrs' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.Role}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link org.apache.directory.fortress.core.rbac.AdminRole}  maps to 'ftCstr' attribute on 'ftRls' object class</li>
+ * <li>{@link UserAdminRole}  maps to 'ftARC' attribute on 'ftRls' object class</li>
+ * </ol>
+ * </p>
+ *
+ * @author Shawn McKinney
+ */
+public class DSDChecker
+    implements Validator
+{
+    private static final String CLS_NM = DSDChecker.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+
+
+    /**
+     * This method is called during entity activation, {@link org.apache.directory.fortress.core.util.time.CUtil#validateConstraints} and ensures the role does not violate dynamic separation of duty constraints.
+     *
+     * @param session    contains list of RBAC roles {@link org.apache.directory.fortress.core.rbac.UserRole} targeted for activation.
+     * @param constraint required for Validator interface, not used here..
+     * @param time       required for Validator interface, not used here.
+     * @return '0' if validation succeeds else {@link org.apache.directory.fortress.core.GlobalErrIds#ACTV_FAILED_DSD} if failed.
+     */
+    @Override
+    public int validate( Session session, Constraint constraint, Time time ) throws org.apache.directory.fortress.core.SecurityException
+    {
+        int rc = 0;
+        int matchCount;
+
+        // get all candidate activated roles user:
+        List<UserRole> activeRoleList = session.getRoles();
+        if ( activeRoleList == null || activeRoleList.size() == 0 )
+        {
+            return rc;
+        }
+        // get the list of authorized roles for this user:
+        Set<String> authorizedRoleSet = RoleUtil.getInheritedRoles( activeRoleList, session.getUser().getContextId() );
+        // only need to check DSD constraints if more than one role is being activated:
+        if ( authorizedRoleSet != null && authorizedRoleSet.size() > 1 )
+        {
+            // get all DSD sets that contain the candidate activated and authorized roles,
+            //If DSD cache is disabled, this will search the directory using authorizedRoleSet
+            Set<SDSet> dsdSets = SDUtil.getDsdCache( authorizedRoleSet, session.getUser().getContextId() );
+            if ( dsdSets != null && dsdSets.size() > 0 )
+            {
+                for ( SDSet dsd : dsdSets )
+                {
+                    Iterator activatedRoles = activeRoleList.iterator();
+                    matchCount = 0;
+                    Set<String> map = dsd.getMembers();
+
+                    // now check the DSD on every role activation candidate contained within session object:
+                    while ( activatedRoles.hasNext() )
+                    {
+                        UserRole activatedRole = ( UserRole ) activatedRoles.next();
+                        if ( map.contains( activatedRole.getName() ) )
+                        {
+                            matchCount++;
+                            if ( matchCount >= dsd.getCardinality() )
+                            {
+                                activatedRoles.remove();
+                                String warning = "validate userId [" + session.getUserId()
+                                    + "] failed activation of assignedRole [" + activatedRole.getName()
+                                    + "] validates DSD Set Name:" + dsd.getName() + " Cardinality:"
+                                    + dsd.getCardinality();
+                                LOG.warn( warning );
+                                rc = GlobalErrIds.ACTV_FAILED_DSD;
+                                session.setWarning( new ObjectFactory().createWarning( rc, warning,
+                                    Warning.Type.ROLE, activatedRole.getName() ) );
+                            }
+                        }
+                        else
+                        {
+                            Set<String> parentSet = RoleUtil.getAscendants( activatedRole.getName(), session.getUser()
+                                .getContextId() );
+                            // now check for every role inherited from this activated role:
+                            for ( String parentRole : parentSet )
+                            {
+                                if ( map.contains( parentRole ) )
+                                {
+                                    matchCount++;
+                                    if ( matchCount >= dsd.getCardinality() )
+                                    {
+                                        // remove the assigned role from session (not the authorized role):
+                                        activatedRoles.remove();
+                                        String warning = "validate userId [" + session.getUserId()
+                                            + "] assignedRole [" + activatedRole.getName() + "] parentRole ["
+                                            + parentRole + "] validates DSD Set Name:" + dsd.getName()
+                                            + " Cardinality:" + dsd.getCardinality();
+                                        LOG.warn( warning );
+                                        rc = GlobalErrIds.ACTV_FAILED_DSD;
+                                        session.setWarning( new ObjectFactory().createWarning( rc, warning, Warning.Type.ROLE, activatedRole.getName() ) );
+                                    }
+                                    // Breaking out of the loop here means the DSD algorithm will only match one
+                                    // role per parent.
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return rc;
+    }
+}
\ No newline at end of file


Mime
View raw message