From: smckinney@apache.org To: commits@directory.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: directory-fortress-core git commit: FC-29 - AuditMgr.getUserAuthZ cannot pull back failedOnly Date: Sat, 20 Dec 2014 16:49:46 +0000 (UTC) Repository: directory-fortress-core Updated Branches: refs/heads/1.0-RC40 [created] 3966a1518 FC-29 - AuditMgr.getUserAuthZ cannot pull back failedOnly Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/3966a151 Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/3966a151 Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/3966a151 Branch: refs/heads/1.0-RC40 Commit: 3966a15188bc8b2ccd6ed99e7be0af0664cdc33e Parents: 94935f5 Author: Shawn McKinney Authored: Sat Dec 20 10:19:56 2014 -0600 Committer: Shawn McKinney Committed: Sat Dec 20 10:19:56 2014 -0600 ---------------------------------------------------------------------- build.properties | 26 ++-- build.xml | 3 +- ivy.xml | 2 +- pom.xml | 2 +- .../directory/fortress/core/GlobalIds.java | 15 ++- .../core/ldap/ApacheDsDataProvider.java | 15 ++- .../directory/fortress/core/rbac/AuditDAO.java | 4 +- .../directory/fortress/core/rbac/PermDAO.java | 14 +- .../fortress/core/rbac/Permission.java | 1 + .../directory/fortress/core/rbac/User.java | 63 ++++++++- .../fortress/core/util/attr/AttrHelper.java | 133 ++++++------------- .../fortress/core/AccessMgrConsole.java | 17 ++- .../fortress/core/AdminMgrConsole.java | 27 ++++ .../fortress/core/AuditMgrConsole.java | 121 +++++++++++++++-- .../fortress/core/ReviewMgrConsole.java | 18 +++ .../fortress/core/rbac/AccessMgrImplTest.java | 91 +++++++------ .../fortress/core/rbac/AuditMgrImplTest.java | 14 +- 17 files changed, 390 insertions(+), 176 deletions(-) ---------------------------------------------------------------------- 
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/build.properties ---------------------------------------------------------------------- diff --git a/build.properties b/build.properties index 70c4b89..ba4cb7a 100644 --- a/build.properties +++ b/build.properties @@ -32,7 +32,7 @@ ######################################################################## # Use this Fortress Core version: -version=1.0-RC39 +version=1.0-RC40-SNAPSHOT # Enable local.mode property if your machine does not have connection to Internet and runtime dependencies have already downloaded to FORTRESS_HOME/lib folder on this machine: #local.mode=true @@ -63,14 +63,16 @@ http.protocol=http ######################################################################## # This param tells fortress what type of ldap server in use: -#ldap.server.type=openldap -ldap.server.type=apacheds +ldap.server.type=openldap +#ldap.server.type=apacheds # This is the default: ldap.client.type=apache # These parameters point fortress to LDAP host: ldap.host=localhost -ldap.port=10389 +ldap.port=389 +#ldap.host=fortressdemo2.com +#ldap.port=10636 #ldap.uris=ldap://${ldap.host}:${ldap.port} # These are needed for client SSL connections with LDAP Server: @@ -79,7 +81,7 @@ ldap.port=10389 #enable.ldap.ssl.debug=true #key.store=/home/smckinn/fortress/builder/src/test/resources/certs/mykeystore #key.store.password=changeit -#trust.store=/home/smckinn/fortress/builder/src/test/resources/certs/mytruststore +#trust.store=/home/smckinn/GIT/fortressDev/directory-fortress-core/src/test/resources/certs/mytruststore #trust.store.password=changeit #trust.store.set.prop=true 
@@ -112,8 +114,8 @@ audits.dn=cn=log groups.dn=ou=Groups,${suffix} # These are the connection parameters used for LDAP service account: -#root.dn=cn=Manager,${suffix} -root.dn=uid=admin,ou=system +root.dn=cn=Manager,${suffix} +#root.dn=uid=admin,ou=system # Used to load OpenLDAP admin root password in slapd.conf and was encrypted using 'slappasswd' command: root.pw={SSHA}pSOV2TpCxj2NMACijkcMko4fGrFopctU # This OpenLDAP admin root pass is bound for fortress.properties used by 'admin' pooled connections: @@ -127,9 +129,13 @@ admin.max.conn=10 user.min.conn=1 user.max.conn=10 -# Used for searching slapd logger. Leave zeros when using apacheds: -min.log.conn=0 -max.log.conn=0 +# Used for searching slapd logger. Comment out for ApacheDS or other directory servers: +log.admin.user=cn=Manager,cn=log +log.admin.pw=secret + +# Used for slapd logger connection pool. Leave zeros when using apacheds: +min.log.conn=1 +max.log.conn=3 ######################################################################## # 9. GROUP OBJECT CLASS DEFINITIONS http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/build.xml ---------------------------------------------------------------------- diff --git a/build.xml b/build.xml index 1cd1b6a..1ac04d7 100644 --- a/build.xml +++ b/build.xml @@ -174,7 +174,8 @@ - + + http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/ivy.xml ---------------------------------------------------------------------- diff --git a/ivy.xml b/ivy.xml index 3f14d97..1f4f876 100755 --- a/ivy.xml +++ b/ivy.xml @@ -48,7 +48,7 @@ - + http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index cd17188..666b18d 100644 --- a/pom.xml +++ b/pom.xml 
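Review bot: `log.admin.pw=secret` commits a plaintext bind credential for the slapd access-log account into a version-controlled build file, next to the service-account DN, so anyone with read access to the repository holds a working directory credential. Commit the key with an empty or placeholder value, `log.admin.pw=` with a comment such as `# set in a local, untracked override`, and keep the real value outside the repository, as the commented-out `key.store.password`/`trust.store.password` lines in the preceding hunk already do for the TLS stores. The `root.pw` hash above it is pre-existing, but the same reasoning applies.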
@@ -123,7 +123,7 @@ 1.9.1 2.7.7 2.0.0-M18 - 1.0.0-M25 + 1.0.0-M27-SNAPSHOT 1.7.0 1.8.0 1.2 http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/GlobalIds.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/GlobalIds.java b/src/main/java/org/apache/directory/fortress/core/GlobalIds.java index 7e12f20..d4a02c8 100755 --- a/src/main/java/org/apache/directory/fortress/core/GlobalIds.java +++ b/src/main/java/org/apache/directory/fortress/core/GlobalIds.java @@ -272,6 +272,12 @@ public class GlobalIds * ** OpenAccessMgr AUDIT * ************************************************************************ */ + + public final static int AUTHZ_COMPARE_FAILURE_FLAG = 5; + /** + * This string will be appended to the operation name to force failure on compare. + */ + public final static String FAILED_AUTHZ_INDICATOR = "%failed%"; /** * This object class contains Fortress audit contextual information. */ @@ -383,6 +389,11 @@ public class GlobalIds public final static String POBJ_NAME = "ftObjNm"; /** + * Attribute name for storing Fortress permission object id. + */ + public static final String POBJ_ID = "ftObjId"; + + /** * Attribute name for storing parent node names for hierarchical processing. */ public final static String PARENT_NODES = "ftParents"; @@ -473,7 +484,8 @@ public class GlobalIds .getProperty( LDAP_FILTER_SIZE_PROP ) != null ); public static final String APACHE_LDAP_API = "apache"; public static final String AUTH_Z_FAILED = "authzfailed"; - public static final String AUTH_Z_FAILED_VALUE = "ftOpNm=" + AUTH_Z_FAILED; + public static final String POP_NAME = "ftOpNm"; + public static final String AUTH_Z_FAILED_VALUE = POP_NAME + "=" + AUTH_Z_FAILED; /** * maximum number of entries allowed for ldap filter replacements. 
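Review bot: `AUTHZ_COMPARE_FAILURE_FLAG = 5` is added without the Javadoc its neighbours carry, and the value is not a Fortress-private flag but an LDAP protocol result code (RFC 4511 defines compareFalse as 5 and compareTrue as 6), which is why the AuditDAO filters in this commit move from `(!(reqResult=6))` to `(reqResult=5)`. Document that so the dependency on the wire code is visible: `/** LDAP result code compareFalse (5). slapd's access log stores it as reqResult for a failed compare, which Fortress forces on an authorization failure. */`. The same hunk declares `AUTHZ_COMPARE_FAILURE_FLAG` and `FAILED_AUTHZ_INDICATOR` as `public final static` but `POBJ_ID` as `public static final`; pick one order for the new constants.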
@@ -539,5 +551,4 @@ public class GlobalIds */ public static final String ALL = "all"; public static final String NULL = "null"; - public static final String POP_NAME = "ftOpNm"; } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java index a0280d2..753c346 100644 --- a/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java +++ b/src/main/java/org/apache/directory/fortress/core/ldap/ApacheDsDataProvider.java @@ -64,6 +64,9 @@ import org.apache.directory.api.ldap.model.message.ResultCodeEnum; import org.apache.directory.api.ldap.model.message.SearchRequest; import org.apache.directory.api.ldap.model.message.SearchRequestImpl; import org.apache.directory.api.ldap.model.message.SearchScope; +import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthz; +import org.apache.directory.api.ldap.model.message.controls.ProxiedAuthzImpl; + import org.apache.directory.api.ldap.model.name.Dn; import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory; import org.apache.directory.ldap.client.api.LdapConnection; @@ -83,6 +86,8 @@ import org.apache.directory.fortress.core.util.time.Constraint; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import javax.naming.ldap.ExtendedResponse; + /** * Abstract class contains methods to perform low-level entity to ldap persistence. These methods are called by the @@ -153,6 +158,7 @@ public abstract class ApacheDsDataProvider private static final PasswordPolicy PP_REQ_CTRL = new PasswordPolicyImpl(); + static { String host = Config.getProperty( LDAP_HOST, "localhost" ); 
@@ -909,6 +915,10 @@ public abstract class ApacheDsDataProvider * This method uses the compare ldap func to assert audit record into the directory server's configured audit * logger. * + * This is for one reason - to force the ldap server to maintain an audit trail on checkAccess api. + * + * Use proxy authz control (RFC4370) to assert the caller's id onto the record. + * * @param connection is LdapConnection object used for all communication with host. * @param dn contains address of distinguished name to begin ldap search * @param userDn dn for user node @@ -927,8 +937,11 @@ public abstract class ApacheDsDataProvider compareRequest.setAttributeId( attribute.getId() ); compareRequest.setAssertionValue( attribute.getString() ); + // Assert the end user's dn onto the reqest using proxy authZ control so openldap can log who the user was (for authZ audit trail) + ProxiedAuthz proxiedAuthzControl = new ProxiedAuthzImpl(); + proxiedAuthzControl.setAuthzId( "dn: " + userDn ); + compareRequest.addControl( proxiedAuthzControl ); CompareResponse response = connection.compare( compareRequest ); - return response.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS; } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java index e273559..c8667ce 100755 --- a/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/rbac/AuditDAO.java @@ -320,7 +320,7 @@ final class AuditDAO extends ApacheDsDataProvider if ( audit.isFailedOnly() ) { - filter += "(!(" + REQRESULT + "=" + 6 + "))"; + filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")"; } if ( audit.getBeginDate() != null ) 
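Review bot: The proxied-authorization control is attached, but the return on the next line still folds every outcome into one boolean, so if the server rejects the control (the service account is not permitted to assume `userDn`, or the control is unsupported) the method returns `false` exactly as a mismatched compare would and the audit trail silently stops naming the end user. Make that visible through the class's slf4j logger, e.g. `ResultCodeEnum rc = response.getLdapResult().getResultCode();` followed by `if ( rc != ResultCodeEnum.COMPARE_TRUE && rc != ResultCodeEnum.COMPARE_FALSE ) LOG.warn( "compareNode unexpected rc={} dn={}", rc, dn );` before the existing return. RFC 4513 spells the DN form of an authzId as `dn:` immediately followed by the DN, so `"dn: " + userDn` relies on the server tolerating the space; `"dn:" + userDn` is the portable form. The import hunk earlier in this file also adds `javax.naming.ldap.ExtendedResponse`, which no line in this commit appears to use. The enclosing method starts outside the hunk.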
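Review bot: The new filter term `(reqResult=5)` matches every failed compare the access log holds, including ones from other clients or from Fortress for reasons other than a denied authorization, so the TODO at the top of the second hunk in this file (`@@ -409,7 +409,7 @@`) remains open. Because PermDAO now sends `opName + GlobalIds.FAILED_AUTHZ_INDICATOR` as the compare assertion, the accesslog entry's `reqAssertion` attribute (if the overlay is configured to record it) lets the filter be narrowed to Fortress-induced failures: `filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")(reqAssertion=*" + GlobalIds.FAILED_AUTHZ_INDICATOR + ")";`, assuming the surrounding filter is an AND as the concatenation suggests. The same change applies to both hunks; the enclosing methods start outside them.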
@@ -409,7 +409,7 @@ final class AuditDAO extends ApacheDsDataProvider // TODO: fix this so filter by only the Fortress AuthZ entries and not the others: if ( audit.isFailedOnly() ) { - filter += "(!(" + REQRESULT + "=" + 6 + "))"; + filter += "(" + REQRESULT + "=" + GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG + ")"; } } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java index 1a7f1e9..b5a41ab 100755 --- a/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java +++ b/src/main/java/org/apache/directory/fortress/core/rbac/PermDAO.java @@ -173,13 +173,12 @@ final class PermDAO extends ApacheDsDataProvider }; private static final String PERM_NAME = "ftPermName"; - private static final String POBJ_ID = "ftObjId"; private static final String ROLES = "ftRoles"; private static final String USERS = "ftUsers"; private static final String[] PERMISSION_OP_ATRS = { GlobalIds.FT_IID, PERM_NAME, GlobalIds.POBJ_NAME, GlobalIds.POP_NAME, GlobalIds.DESC, SchemaConstants.OU_AT, - POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS + GlobalIds.POBJ_ID, TYPE, ROLES, USERS, GlobalIds.PROPS }; private static final String[] PERMISION_OBJ_ATRS = @@ -390,7 +389,7 @@ final class PermDAO extends ApacheDsDataProvider // objectid is optional: if ( VUtil.isNotNullOrEmpty( entity.getObjId() ) ) { - entry.add( POBJ_ID, entity.getObjId() ); + entry.add( GlobalIds.POBJ_ID, entity.getObjId() ); } // type is optional: 
@@ -854,6 +853,7 @@ final class PermDAO extends ApacheDsDataProvider isAuthZd = isAuthorized( session, outPerm ); // This is done to leave an audit trail in ldap server log: + attributeValue = outPerm.getOpName(); if ( isAuthZd ) { // Yes, set the operation name onto this attribute for storage into audit trail: @@ -861,8 +861,8 @@ final class PermDAO extends ApacheDsDataProvider } else { - // No, set a simple error message onto this attribute for storage into audit trail: - attributeValue = "AuthZ Failed"; + // Changing this attribute value forces the compare to fail. This facilitates tracking of authorization failures events in the slapd access log (by searching for compare failures). + attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR; } // There is a switch in fortress config to disable audit ops like this one. @@ -1002,7 +1002,7 @@ final class PermDAO extends ApacheDsDataProvider entity.setSequenceId( sequence ); entity.setAbstractName( getAttribute( le, PERM_NAME ) ); entity.setObjName( getAttribute( le, GlobalIds.POBJ_NAME ) ); - entity.setObjId( getAttribute( le, POBJ_ID ) ); + entity.setObjId( getAttribute( le, GlobalIds.POBJ_ID ) ); entity.setOpName( getAttribute( le, GlobalIds.POP_NAME ) ); entity.setInternalId( getAttribute( le, GlobalIds.FT_IID ) ); entity.setRoles( getAttributeSet( le, ROLES ) ); @@ -1460,7 +1460,7 @@ final class PermDAO extends ApacheDsDataProvider if ( objId != null && objId.length() > 0 ) { - rDn = GlobalIds.POP_NAME + "=" + opName + "+" + POBJ_ID + "=" + objId; + rDn = GlobalIds.POP_NAME + "=" + opName + "+" + GlobalIds.POBJ_ID + "=" + objId; } else { http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java ---------------------------------------------------------------------- 
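Review bot: The added `attributeValue = outPerm.getOpName();` is overwritten in the `else` branch, and the comment in the `if` branch (`// Yes, set the operation name onto this attribute ...`, whose body lies outside the hunk) indicates that branch assigns it too, so one of the two assignments is redundant and the pair will drift. Keep the new unconditional assignment and reduce the conditional to the failure case: `if ( !isAuthZd ) { attributeValue = outPerm.getOpName() + GlobalIds.FAILED_AUTHZ_INDICATOR; }`. The new comment on the failure branch also runs far past the file's line width and reads `failures events`; wrap it and drop one of the two nouns. The enclosing method starts and ends outside the hunk.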
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java index a933947..e266778 100755 --- a/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java +++ b/src/main/java/org/apache/directory/fortress/core/rbac/Permission.java @@ -751,6 +751,7 @@ public class Permission extends FortEntity implements Serializable return "Permission{" + "objName='" + objName + '\'' + ", opName='" + opName + '\'' + + ", objId='" + objId + '\'' + '}'; } } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/rbac/User.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/User.java b/src/main/java/org/apache/directory/fortress/core/rbac/User.java index 4f00ac1..235eecb 100755 --- a/src/main/java/org/apache/directory/fortress/core/rbac/User.java +++ b/src/main/java/org/apache/directory/fortress/core/rbac/User.java @@ -47,7 +47,7 @@ import org.apache.directory.fortress.core.util.time.Constraint; *
    *
  1. Manager layer: {@link AdminMgrImpl}, {@link AccessMgrImpl}, {@link ReviewMgrImpl},...
  2. *
  3. Process layer: {@link UserP}, {@link RoleP}, {@link PermP},...
  4. - *
  5. DAO layer: {@link UserDAO}, {@link org.apache.directory.fortress.core.rbac.dao.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.dao.PermDAO},...
  6. + *
  7. DAO layer: {@link UserDAO}, {@link org.apache.directory.fortress.core.rbac.RoleDAO}, {@link org.apache.directory.fortress.core.rbac.PermDAO},...
  8. *
* Fortress clients must first instantiate the data entity before invoking one of the Manager APIs. The caller must first * provide enough information to uniquely identity target record for the particular ldap operation performed.
@@ -280,6 +280,67 @@ public class User extends FortEntity implements Constraint, Serializable @XmlTransient private byte[] jpegPhoto; + // RFC2307bis: + /* + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( userPassword $ loginShell $ gecos $ description ) ) + */ + private String uidNumber; + private String gidNumber; + private String homeDirectory; + private String loginShell; + private String gecos; + + public String getUidNumber() + { + return uidNumber; + } + + public void setUidNumber( String uidNumber ) + { + this.uidNumber = uidNumber; + } + + public String getGidNumber() + { + return gidNumber; + } + + public void setGidNumber( String gidNumber ) + { + this.gidNumber = gidNumber; + } + + public String getHomeDirectory() + { + return homeDirectory; + } + + public void setHomeDirectory( String homeDirectory ) + { + this.homeDirectory = homeDirectory; + } + + public String getLoginShell() + { + return loginShell; + } + + public void setLoginShell( String loginShell ) + { + this.loginShell = loginShell; + } + + public String getGecos() + { + return gecos; + } + + public void setGecos( String gecos ) + { + this.gecos = gecos; + } + /** * Default constructor not intended for external use and is typically used by internal Fortress classes. http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java index f1ab501..3b9ef0c 100755 --- a/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java +++ b/src/main/java/org/apache/directory/fortress/core/util/attr/AttrHelper.java 
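Review bot: The five new RFC 2307bis fields and their public accessors carry no Javadoc, while the rest of this public entity class documents its accessors; `uidNumber` and `gidNumber` are also typed `String` although the schema defines them as integers, so nothing in this entity rejects a non-numeric value before it is written (validation may live in the process layer, which this commit does not touch). Add a one-line Javadoc per accessor, e.g. on `setUidNumber`: `/** Set the RFC 2307 posixAccount uidNumber; expected to hold a non-negative integer rendered as a string. */`, and consider a numeric check wherever User attributes are validated. The class body continues outside the hunk.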
@@ -19,6 +19,9 @@ */ package org.apache.directory.fortress.core.util.attr; +import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.api.ldap.model.name.Rdn; import org.apache.directory.api.util.DateUtils; import org.apache.directory.fortress.core.GlobalIds; import org.apache.directory.fortress.core.rbac.Administrator; @@ -185,6 +188,44 @@ public class AttrHelper /** + * Break the authZ eqDn attribute into 1. permission object name, 2. op name and 3. object id (optional). + * + * @param authZ contains the raw dn format from openldap slapo access log data + * @return Permisison containing objName, opName and optionally the objId populated from the raw data. + */ + public static Permission getAuthZPerm(AuthZ authZ) throws LdapInvalidDnException + { + // This will be returned to the caller: + Permission pOp = new Permission(); + // Break dn into rdns for leaf and parent. Use the 'type' field in rdn. + // The objId value is optional. If present it will be part of the parent's relative distinguished name.. + // Here the sample reqDN=ftOpNm=TOP2_2+ftObjId=002,ftObjNm=TOB2_1,ou=Permissions,ou=RBAC,dc=example,dc=com + // Will be mapped to objName=TOB2_1, opName=TOP2_2, objId=002, in the returned permission object. + Dn dn = new Dn( authZ.getReqDN() ); + if(dn != null && dn.getRdns() != null && VUtil.isNotNullOrEmpty( dn.getRdns() ) ) + { + for( Rdn rdn : dn.getRdns() ) + { + // The rdn type attribute will be mapped to objName, opName and objId fields. + switch ( rdn.getType() ) + { + case GlobalIds.POP_NAME: + pOp.setOpName( rdn.getType() ); + break; + case GlobalIds.POBJ_NAME: + pOp.setObjName( rdn.getType() ); + break; + case GlobalIds.POBJ_ID: + pOp.setObjId( rdn.getType() ); + break; + } + } + } + return pOp; + } + + + /** * Convert from raw ldap generalized time format to {@link java.util.Date}. * to decode the string. * 
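Review bot: Every `case` in the new `getAuthZPerm` stores `rdn.getType()`, the attribute name the `switch` just matched, so the returned Permission's objName, opName and objId are the literal strings `ftObjNm`, `ftOpNm` and `ftObjId` rather than the values from the audited DN; the three assignments need the RDN value, e.g. `pOp.setOpName( String.valueOf( rdn.getNormValue() ) );` and likewise for `setObjName` and `setObjId`. The `switch` compares the type case-sensitively while LDAP attribute types are case-insensitive and the access log may render them in schema case; confirm against real `reqDN` data before relying on exact matches. `dn != null` on the line after `new Dn(...)` can never be false. The Javadoc writes `eqDn` for `reqDN` and `Permisison` for `Permission`, and lacks `@throws LdapInvalidDnException`. Unlike the method it replaces, this one never sets user or roles, which `AuditMgrConsole` in this commit still reads.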
@@ -212,96 +253,4 @@ public class AttrHelper szTime = DateUtils.getGeneralizedTime( date ); return szTime; } - - /** - * Parse slapd access raw data to pull the permission name out. - * - * @param authZ raw data contained in Fortress audit entity. - * @return Permission contains {@link org.apache.directory.fortress.core.rbac.Permission#objName} and {@link org.apache.directory.fortress.core.rbac.Permission#opName} - */ - public static Permission getAuthZPerm(AuthZ authZ) - { - int indx = 0; - //final int objectClass = 1; - final int oPNm = 2; - final int oBjNm = 3; - final int user = 4; - final int roles = 6; - - // reqFilter - // <(&(objectClass=ftOperation) - // (ftOpNm=top1_10)(ftObjNm=tob2_4) - // (|(ftUsers=fttu3user4) - // (ftRoles=ftt3role1) - // (ftRoles=ftt3role2) - // (ftRoles=ftt3role3) - // (ftRoles=ftt3role4) - // (ftRoles=ftt3role5) - // (ftRoles=ftt3role6) - // (ftRoles=ftt3role7) - // (ftRoles=ftt3role8) - // (ftRoles=ftt3role9) - // (ftRoles=ftt3role10)))> - - Permission pOp = new Permission(); - if (authZ.getReqFilter() != null && authZ.getReqFilter().length() > 0) - { - StringTokenizer maxTkn = new StringTokenizer(authZ.getReqFilter(), "("); - //System.out.println("maxTken size=" + maxTkn.countTokens()); - int numTokens = maxTkn.countTokens(); - for (int i = 0; i < numTokens; i++) - { - String val = maxTkn.nextToken(); - //System.out.println("token[" + i + "]=" + val); - switch (i) - { - //case objectClass: - // indx = val.indexOf('='); - // if (indx >= 1) - // { - // String value = val.substring(indx + 1, val.length() - 1); - // } - // break; - - case oPNm: - indx = val.indexOf('='); - if (indx >= 1) - { - pOp.setOpName(val.substring(indx + 1, val.length() - 1)); - } - break; - - case oBjNm: - indx = val.indexOf('='); - if (indx >= 1) - { - pOp.setObjName( val.substring( indx + 1, val.length() - 1 ) ); - } - break; - - case user: - indx = val.indexOf('='); - if (indx >= 1) - { - pOp.setUser(val.substring(indx + 1, val.length() - 1)); - } - break; 
- - default: - int indx2 = 0; - if (i >= roles) - { - indx = val.indexOf('='); - indx2 = val.indexOf(')'); - } - if (indx >= 1) - { - pOp.setRole(val.substring(indx + 1, indx2)); - } - break; - } - } - } - return pOp; - } } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java ---------------------------------------------------------------------- diff --git a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java index 6880857..dce7be3 100755 --- a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java +++ b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java 
@@ -276,12 +276,21 @@ class AccessMgrConsole { VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, "AccessMgrConsole.checkAccess"); ReaderUtil.clearScreen(); + Permission perm = new Permission(); System.out.println("Enter object name:"); - String objName = ReaderUtil.readLn(); + perm.setObjName( ReaderUtil.readLn() ); System.out.println("Enter operation name:"); - String opName = ReaderUtil.readLn(); - boolean result = am.checkAccess(session, new Permission(objName, opName)); - System.out.println("CheckAccess return [" + result + "] for user [" + session.getUserId() + "] objName [" + objName + "] operationName [" + opName + "]"); + perm.setOpName( ReaderUtil.readLn() ); + System.out.println("Enter object id (or NULL to skip):"); + String val = ReaderUtil.readLn(); + if ( val != null && val.length() > 0 ) + { + perm.setObjId( val ); + } + + boolean result = am.checkAccess( session, perm ); + System.out.println("CheckAccess return [" + result + "] for user [" + session.getUserId() + "], objName [" + perm.getObjName() + "], operationName [" + perm.getOpName() + "]" + + ", objId [" + perm.getObjId() + "]"); System.out.println("ENTER to continue"); } catch (SecurityException e) http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java ---------------------------------------------------------------------- diff --git a/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java index 207e77b..11f8597 100755 --- a/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java +++ b/src/test/java/org/apache/directory/fortress/core/AdminMgrConsole.java 
@@ -302,6 +302,21 @@ class AdminMgrConsole } + private void enterPosixAccount(User user) + { + System.out.println("Enter UID_NUMBER:"); + user.setUidNumber(ReaderUtil.readLn()); + System.out.println("Enter GID_NUMBER:"); + user.setGidNumber(ReaderUtil.readLn()); + System.out.println("Enter HOME_DIRECTORY:"); + user.setHomeDirectory(ReaderUtil.readLn()); + System.out.println("Enter LOGIN_SHELL:"); + user.setLoginShell(ReaderUtil.readLn()); + System.out.println("Enter GECOS:"); + user.setGecos(ReaderUtil.readLn()); + } + + /** * Adds a feature to the User attribute of the AdminMgrConsole object */ @@ -334,6 +349,13 @@ class AdminMgrConsole enterTemporal(ue); } + System.out.println("Do you want to set posix account attributes on User - Y or N"); + choice = ReaderUtil.readLn(); + if (choice != null && choice.equalsIgnoreCase("Y")) + { + enterPosixAccount( ue ); + } + System.out.println("Enter Role name (or NULL to skip):"); String val = ReaderUtil.readLn(); for (int i = 0; val != null && val.length() > 0; i++) @@ -405,6 +427,11 @@ class AdminMgrConsole { LOG.error("addUser caught SecurityException rc=" + e.getErrorId() + ", msg=" + e.getMessage(), e); } + catch(Exception e) + { + LOG.error( "addUser caught Exception=" + e ); + e.printStackTrace(); + } ReaderUtil.readChar(); } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java ---------------------------------------------------------------------- diff --git a/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java index fa7d3f8..6e98de6 100755 --- a/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java +++ b/src/test/java/org/apache/directory/fortress/core/AuditMgrConsole.java 
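Review bot: The added `catch(Exception e)` logs only the exception's `toString()` and then calls `e.printStackTrace()`, while the `SecurityException` handler directly above passes the throwable to the logger; use the same form, `LOG.error( "addUser caught Exception", e );`, and drop `printStackTrace()` so the trace goes through the logger instead of stderr. Catching `Exception` at this level also hides any `RuntimeException` from the input loop; if the handler exists only to surface failures from the new posix prompts, a comment saying so would help. The enclosing method starts outside the hunk.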
@@ -19,6 +19,9 @@ */ package org.apache.directory.fortress.core; +import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException; +import org.apache.directory.api.ldap.model.name.Dn; +import org.apache.directory.api.ldap.model.name.Rdn; import org.apache.directory.fortress.core.rbac.Bind; import org.apache.directory.fortress.core.rbac.AuthZ; import org.apache.directory.fortress.core.rbac.Mod; @@ -33,6 +36,7 @@ import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; +import java.util.StringTokenizer; class AuditMgrConsole { @@ -448,19 +452,26 @@ class AuditMgrConsole } System.out.println(" userId " + AttrHelper.getAuthZId(authZ.getReqAuthzID())); - Permission pOp = AttrHelper.getAuthZPerm(authZ); - System.out.println(" Resource Name " + pOp.getObjName()); - System.out.println(" Operation " + pOp.getOpName()); - // TODO: fix the NPE that happens here: - //System.out.println(" Success? " + authZ.getReqEntries().equals("1")); - int rCtr = 0; - if (pOp.getRoles() != null) + try { - for (String role : pOp.getRoles()) + Permission pOp = AttrHelper.getAuthZPerm(authZ); + System.out.println(" Resource Name " + pOp.getObjName()); + System.out.println(" Operation " + pOp.getOpName()); + int rCtr = 0; + if (pOp != null && pOp.getRoles() != null) { - System.out.println(" Role[" + rCtr++ + "] " + role); + // TODO: fix the NPE that happens here: + System.out.println(" Success? " + authZ.getReqEntries().equals(GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG)); + for (String role : pOp.getRoles()) + { + System.out.println(" Role[" + rCtr++ + "] " + role); + } } } + catch(LdapInvalidDnException e) + { + System.out.println("LdapInvalidDnException=" + e); + } //System.out.println(" reqStart [" + authZ.getReqStart() + "]"); //System.out.println(" reqEnd [" + authZ.getReqEnd() + "]"); System.out.println(); 
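Review bot: `authZ.getReqEntries().equals(GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG)` can never be true: the removed `.equals("1")` suggests `getReqEntries()` returns a String, and the flag is an `int`, so the boxed-Integer comparison is always false and `Success?` always prints `false`. If the intent is the compare outcome, test the result-code attribute as a string and negate it, e.g. `boolean failed = String.valueOf( GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG ).equals( authZ.getReqResult() );` (assuming `AuthZ` exposes reqResult; otherwise the entity needs it). The line is also nested inside `if (pOp != null && pOp.getRoles() != null)`, and the new `AttrHelper.getAuthZPerm` in this commit never populates roles, so the block is dead as written. The import hunk at the top of the file adds `Dn` and `Rdn`, which nothing in the shown hunks uses.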
@@ -843,4 +854,96 @@ class AuditMgrConsole ReaderUtil.readChar(); } + + /** + * Parse slapd access raw data to pull the permission name out. + * + * @param authZ raw data contained in Fortress audit entity. + * @return Permission contains {@link org.apache.directory.fortress.core.rbac.Permission#objName} and {@link org.apache.directory.fortress.core.rbac.Permission#opName} + */ + private Permission getAuthZPerm2(AuthZ authZ) + { + int indx = 0; + //final int objectClass = 1; + final int oPNm = 2; + final int oBjNm = 3; + final int user = 4; + final int roles = 6; + + // reqFilter + // <(&(objectClass=ftOperation) + // (ftOpNm=top1_10)(ftObjNm=tob2_4) + // (|(ftUsers=fttu3user4) + // (ftRoles=ftt3role1) + // (ftRoles=ftt3role2) + // (ftRoles=ftt3role3) + // (ftRoles=ftt3role4) + // (ftRoles=ftt3role5) + // (ftRoles=ftt3role6) + // (ftRoles=ftt3role7) + // (ftRoles=ftt3role8) + // (ftRoles=ftt3role9) + // (ftRoles=ftt3role10)))> + + Permission pOp = new Permission(); + if (authZ.getReqFilter() != null && authZ.getReqFilter().length() > 0) + { + StringTokenizer maxTkn = new StringTokenizer(authZ.getReqFilter(), "="); + //System.out.println("maxTken size=" + maxTkn.countTokens()); + int numTokens = maxTkn.countTokens(); + for (int i = 0; i < numTokens; i++) + { + String val = maxTkn.nextToken(); + //System.out.println("token[" + i + "]=" + val); + switch (i) + { + //case objectClass: + // indx = val.indexOf('='); + // if (indx >= 1) + // { + // String value = val.substring(indx + 1, val.length() - 1); + // } + // break; + + case oPNm: + indx = val.indexOf('='); + if (indx >= 1) + { + pOp.setOpName(val.substring(indx + 1, val.length() - 1)); + } + break; + + case oBjNm: + indx = val.indexOf('='); + if (indx >= 1) + { + pOp.setObjName( val.substring( indx + 1, val.length() - 1 ) ); + } + break; + + case user: + indx = val.indexOf('='); + if (indx >= 1) + { + pOp.setUser(val.substring(indx + 1, val.length() - 1)); + } + break; + + default: + int indx2 = 0; + if (i >= 
roles) + { + indx = val.indexOf('='); + indx2 = val.indexOf(')'); + } + if (indx >= 1) + { + pOp.setRole(val.substring(indx + 1, indx2)); + } + break; + } + } + } + return pOp; + } } \ No newline at end of file http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java ---------------------------------------------------------------------- diff --git a/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java index 777df92..e9533ba 100755 --- a/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java +++ b/src/test/java/org/apache/directory/fortress/core/ReviewMgrConsole.java @@ -163,6 +163,7 @@ class ReviewMgrConsole System.out.println(" orgUnitId [" + ue.getOu() + "]"); System.out.println(" pwpolicy [" + ue.getPwPolicy() + "]"); printTemporal(ue, "USER"); + printPosixAccount(ue, "POSIX" ); printAddress(ue.getAddress(), "ADDRESS"); printPhone(ue.getPhones(), "PHONES"); printPhone(ue.getMobiles(), "MOBILES"); @@ -223,6 +224,7 @@ class ReviewMgrConsole System.out.println(" pwpolicy [" + ue.getPwPolicy() + "]"); System.out.println(" seqId [" + ue.getSequenceId() + "]"); printTemporal(ue, "USER"); + printPosixAccount(ue, "POSIX" ); printAddress(ue.getAddress(), "ADDRESS"); printPhone(ue.getPhones(), "PHONES"); printPhone(ue.getMobiles(), "MOBILES"); @@ -289,6 +291,7 @@ class ReviewMgrConsole System.out.println(" orgUnitId [" + ue.getOu() + "]"); System.out.println(" pwpolicy [" + ue.getPwPolicy() + "]"); printTemporal(ue, "USER"); + printPosixAccount(ue, "POSIX" ); printAddress(ue.getAddress(), "ADDRESS"); printPhone(ue.getPhones(), "PHONES"); printPhone(ue.getMobiles(), "MOBILES"); 
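Review bot: getAuthZPerm2 can never populate the Permission it returns: the filter is split with `new StringTokenizer(authZ.getReqFilter(), "=")`, which strips the `=` delimiters, so every `val.indexOf('=')` is -1 and none of the `indx >= 1` branches run. Once `=` is gone, each token starts with the value and runs to the next `)` — for the filter in the comment, token 2 is `top1_10)(ftObjNm` — so the cases should take `val.substring(0, val.indexOf(')'))`, as in the rewrite below. The method isn't called from any hunk shown, so if it is a draft replacement for AttrHelper.getAuthZPerm it should either be wired in or dropped rather than left as dead private code. The constant `roles = 6` also doesn't match the sample filter in the comment, where the first `ftRoles` value lands at token 5; confirm against a real reqFilter. The class's closing brace is the last line of the hunk, so the method is complete here.
```java
// … unchanged: constants, sample-filter comment, tokenizer setup (indx/indx2 no longer needed) …
String val = maxTkn.nextToken();
// '=' was the delimiter, so the value is the token prefix up to the closing ')'.
int end = val.indexOf(')');
if (end < 1)
{
    continue;
}
String value = val.substring(0, end);
switch (i)
{
    case oPNm:
        pOp.setOpName(value);
        break;
    case oBjNm:
        pOp.setObjName(value);
        break;
    case user:
        pOp.setUser(value);
        break;
    default:
        if (i >= roles)
        {
            pOp.setRole(value);
        }
        break;
}
// … unchanged: return pOp …
```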
@@ -452,6 +455,19 @@ class ReviewMgrConsole
 }
 }
+ static void printPosixAccount(User user, String label)
+ {
+ if (user != null)
+ {
+ System.out.println(" " + label + ":");
+ System.out.println(" uid number [" + user.getUidNumber() + "]");
+ System.out.println(" gid number [" + user.getGidNumber() + "]");
+ System.out.println(" home dir [" + user.getHomeDirectory() + "]");
+ System.out.println(" login shell [" + user.getLoginShell() + "]");
+ System.out.println(" gecos [" + user.getGecos() + "]");
+ }
+ }
+
 private static void printAddress(Address address, String label)
 {
 if (address != null)
@@ -519,6 +535,7 @@ class ReviewMgrConsole
 System.out.println(" surname [" + ue.getSn() + "]");
 System.out.println(" orgUnitId [" + ue.getOu() + "]");
 System.out.println(" pwpolicy [" + ue.getPwPolicy() + "]");
+ printPosixAccount(ue, "POSIX" );
 printTemporal(ue, "USER");
 if (ue.getRoles() != null)
 {
@@ -921,6 +938,7 @@ class ReviewMgrConsole
 System.out.println(" surname [" + ue.getSn() + "]");
 System.out.println(" orgUnitId [" + ue.getOu() + "]");
 printTemporal(ue, "USER");
+ printPosixAccount(ue, "POSIX" );
 System.out.println();
 }
 System.out.println("ENTER to continue");
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
index eaaca95..dad0a89 100755
--- a/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
+++ b/src/test/java/org/apache/directory/fortress/core/rbac/AccessMgrImplTest.java
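Review bot: printPosixAccount is declared package-private `static void` while printAddress directly below it in the same hunk is `private static`; unless another class needs it, `private static void printPosixAccount(User user, String label)` keeps the helpers consistent. It also prints all five lines whenever the user is non-null, so users without posixAccount attributes show `[null]` on each; if that is noise, guard on one of the getters, e.g. `if (user != null && user.getUidNumber() != null)`.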
@@ -29,6 +29,7 @@ import junit.framework.Test;
 import junit.framework.TestCase;
 import junit.framework.TestSuite;
+import org.apache.directory.fortress.core.util.attr.VUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -55,7 +56,16 @@ public class AccessMgrImplTest extends TestCase
 {
 TestSuite suite = new TestSuite();
 //suite.addTest(new AccessMgrImplTest("testDropActiveRole"));
- suite.addTest( new AccessMgrImplTest( "testCreateSessionWithRolesTrusted" ) );
+/*
+ suite.addTest( new AdminMgrImplTest( "testResetPassword" ) );
+ suite.addTest( new AccessMgrImplTest( "testAuthenticateReset" ) );
+ suite.addTest( new AdminMgrImplTest( "testChangePassword" ) );
+ suite.addTest( new AccessMgrImplTest( "testAuthenticate" ) );
+ suite.addTest( new AdminMgrImplTest( "testLockUserAccount" ) );
+ suite.addTest( new AccessMgrImplTest( "testAuthenticateLocked" ) );
+ suite.addTest( new AdminMgrImplTest( "testUnlockUserAccount" ) );
+*/
+ suite.addTest( new AccessMgrImplTest( "testCheckAccess" ) );
 return suite;
 }
@@ -300,7 +310,7 @@ public class AccessMgrImplTest extends TestCase
 try
 {
 accessMgr.authenticate( user.getUserId(), user.getPassword() );
- accessMgr.authenticate( user.getUserId(), user.getPassword() );
+ //accessMgr.authenticate( user.getUserId(), user.getPassword() );
 fail( CLS_NM + ".authenticateResetUsers failed test" );
 }
 catch ( SecurityException se )
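Review bot: suite() now holds a `/* … */` block of seven commented-out addTest calls next to the existing `//suite.addTest(...)`, and the `@@ -300` hunk likewise comments out the second `accessMgr.authenticate(...)` instead of deleting it; commented-out code should be removed, since the history already records it. If suite() is meant as a scratch selection for local runs, a one-line comment saying so, such as `// FC-29: ad-hoc suite for local runs; not the full regression set`, would tell the next reader why only testCheckAccess is listed. In the `@@ -300` hunk the test now requires the single authenticate call on a reset password to throw before `fail(...)` is reached; whether that matches the intended contract isn't visible here, and the enclosing method starts outside the hunk.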
@@ -709,20 +719,12 @@ public class AccessMgrImplTest extends TestCase checkAccess( "CHCK-ACS TU1_UPD TO1 TOP1 ", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1, PermTestData.OPS_TOP1, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3 ); checkAccess( "CHCK-ACS TU3 TO3 TOP1 ", UserTestData.USERS_TU3, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, - PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1 ); + PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2 ); checkAccess( "CHCK-ACS TU4 TO4 TOP1 ", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2, - PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1 ); + PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3 ); } - /** - * @param msg - * @param uArray - * @param oArray - * @param opArray - * @param oArrayBad - * @param opArrayBad - */ public static void checkAccess( String msg, String[][] uArray, String[][] oArray, String[][] opArray, String[][] oArrayBad, String[][] opArrayBad ) { 
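Review bot: The Javadoc for checkAccess was removed rather than completed, leaving the method's contract undocumented — every (obj, op) pair from oArray/opArray must be granted and every pair from oArrayBad/opArrayBad denied for each user in uArray, judging by the assertions in the following hunk. Suggest restoring the block with the tags filled in, e.g. `@param oArrayBad permission objects expected to be denied, indexed alongside oArray` and `@param opArrayBad operations expected to be denied, indexed alongside opArray`. The new denied data (TOB2/TOP2 for TU3, TOB3/TOP3 for TU4) appears to pick permissions that exist but belong to other users; a short comment at the call sites saying so would explain the change from the earlier TOP1 values.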
@@ -741,32 +743,48 @@ public class AccessMgrImplTest extends TestCase int j = 0; for ( String[] op : opArray ) { - // Call checkAccess method - assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" - + PermTestData.getName( obj ) + "] operationName [" + PermTestData.getName( op ) + "]", - accessMgr.checkAccess( - session, - new Permission( PermTestData.getName( obj ), PermTestData.getName( op ), PermTestData - .getObjId( opArray[j] ) ) ) ); - - // Call checkAccess method (this should fail): - try + Permission goodPerm; + if( VUtil.isNotNullOrEmpty( PermTestData.getObjId( opArray[j] ) ) ) { - boolean result = accessMgr.checkAccess( session, new Permission( PermTestData.getName( oArrayBad[i] ), - PermTestData.getName( opArrayBad[j] ), PermTestData.getObjId( opArrayBad[j] ) ) ); - assertTrue( - CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" - + PermTestData.getName( oArrayBad[i] ) + "] operationName [" - + PermTestData.getName( opArrayBad[j] ) + "]", - !result ); + // with an objectId: + goodPerm = new Permission( + PermTestData.getName( obj ), + PermTestData.getName( op ), + PermTestData.getObjId( opArray[j] ) ); + } + else + { + // without an objectId: + goodPerm = new Permission( + PermTestData.getName( obj ), + PermTestData.getName( op ) ); + } + + // Positive test case, call checkAccess method, should return 'true': + assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" + + PermTestData.getName( obj ) + "] operationName [" + PermTestData.getName( op ) + "]", + accessMgr.checkAccess( session, goodPerm ) ); + Permission badPerm; + if( VUtil.isNotNullOrEmpty( PermTestData.getObjId( opArrayBad[j] ) ) ) + { + // with an objectId: + badPerm = new Permission( + PermTestData.getName( oArrayBad[i] ), + PermTestData.getName( opArrayBad[j] ), + PermTestData.getObjId( opArrayBad[j] ) ); } - catch (SecurityException se) + else { - // The expected condition is security 
exception perm not exist: - assertTrue( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" - + PermTestData.getName( oArrayBad[i] ) + "] operationName [" - + PermTestData.getName( opArrayBad[j] ) + "], negative use case, incorrect exception id=" + se.getErrorId(), se.getErrorId() == GlobalErrIds.PERM_NOT_EXIST ); + // without an objectId: + badPerm = new Permission( + PermTestData.getName( oArrayBad[i] ), + PermTestData.getName( opArrayBad[j] ) ); } + //LOG.warn("Assert False userId [" + user.getUserId() + "], perm: " + badPerm); + // Negative test case, call checkAccess method again, should return 'false': + assertFalse( CLS_NM + ".checkAccess failed userId [" + user.getUserId() + "] Perm objName [" + + PermTestData.getName( oArrayBad[i] ) + "] operationName [" + PermTestData.getName( + opArrayBad[j] ) + "]", accessMgr.checkAccess( session, badPerm ) ); j++; } i++; @@ -776,9 +794,8 @@ public class AccessMgrImplTest extends TestCase } catch ( SecurityException ex ) { - LOG.error( - "checkAccess: failed with SecurityException rc=" + ex.getErrorId() + ", msg=" - + ex.getMessage(), ex ); + LOG.error( "checkAccess: failed with SecurityException rc=" + ex.getErrorId() + ", " + + "msg=" + ex.getMessage(), ex ); fail( ex.getMessage() ); } } http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/3966a151/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java ---------------------------------------------------------------------- diff --git a/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java b/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java index 7a884d7..55ab13e 100755 --- a/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java +++ b/src/test/java/org/apache/directory/fortress/core/rbac/AuditMgrImplTest.java 
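Review bot: The negative case now asserts `accessMgr.checkAccess( session, badPerm )` returns false and no longer tolerates a SecurityException with PERM_NOT_EXIST; since the method-level `catch ( SecurityException ex )` calls `fail(...)`, a bad permission that does not exist in the directory now fails the test where it previously passed. If the bad arrays are guaranteed to name existing permissions, say so at the assertFalse, e.g. `// bad perms exist but are not granted to this user: checkAccess must return false, not throw`; otherwise the old try/catch should stay. The stale `//LOG.warn(...)` line above the assertion should go. The good/bad Permission construction is the same seven lines twice; a helper as below would remove the duplication. The enclosing loops and method start outside the hunk.
```java
// Builds the Permission for one (obj, op) test-data pair, with objId only when the data supplies one.
private static Permission toPermission( String[] obj, String[] op )
{
    if ( VUtil.isNotNullOrEmpty( PermTestData.getObjId( op ) ) )
    {
        return new Permission( PermTestData.getName( obj ), PermTestData.getName( op ), PermTestData.getObjId( op ) );
    }
    return new Permission( PermTestData.getName( obj ), PermTestData.getName( op ) );
}
// … in checkAccess, replacing the two if/else blocks:
Permission goodPerm = toPermission( obj, op );
Permission badPerm = toPermission( oArrayBad[i], opArrayBad[j] );
// … unchanged: assertTrue / assertFalse calls …
```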
@@ -239,16 +239,14 @@ public class AuditMgrImplTest extends TestCase
 public void testSearchAuthZs()
 {
- searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1, PermTestData.OPS_TOP1,
- false );
+ searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB1, PermTestData.OPS_TOP1, false );
 searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, false );
 searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2, false );
 // search for failed only:
- searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3,
- true );
- searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1, true );
- searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP1, true );
+ searchAuthZs( "GET-AUTHZ TU1_UPD", UserTestData.USERS_TU1_UPD, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, true );
+ searchAuthZs( "GET-AUTHZ TU3", UserTestData.USERS_TU3, PermTestData.OBJS_TOB2, PermTestData.OPS_TOP2, true );
+ searchAuthZs( "GET-AUTHZ TU4", UserTestData.USERS_TU4, PermTestData.OBJS_TOB3, PermTestData.OPS_TOP3, true );
 }
@@ -282,8 +280,8 @@ public class AuditMgrImplTest extends TestCase
 List authZs = auditMgr.searchAuthZs( uAudit );
 assertNotNull( authZs );
 assertTrue(
- CLS_NM + "searchAuthZs failed search for successful authorization user ["
- + user.getUserId() + "]", authZs.size() > 0 );
+ CLS_NM + "searchAuthZs failedOnly=" + failedOnly + ", search authorizations user ["
+ + user.getUserId() + "], objName [" + uAudit.getObjName() + "], opName [" + uAudit.getOpName() + "], objId [" + uAudit.getObjId() + "]", authZs.size() > 0 );
 }
 }
 }
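Review bot: With `failedOnly` true the assertion still only checks `authZs.size() > 0`, which passes equally if the search ignores the flag and returns successful entries — the regression FC-29 is about. Checking each entry's marker would pin the fix, e.g. `for ( Object o : authZs ) { assertTrue( "expected failed authZ", ( ( AuthZ ) o ).getReqEntries().equals( GlobalIds.AUTHZ_COMPARE_FAILURE_FLAG ) ); }` inside an `if ( failedOnly )`, assuming reqEntries carries that flag for failed compares as AuditMgrConsole's use of it suggests (GlobalIds would need importing here). The raw `List authZs` on the context line forces the cast; `List<AuthZ>` would avoid it if searchAuthZs is declared generic. The enclosing searchAuthZs helper starts outside the hunk.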