directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [46/75] [abbrv] [partial] directory-fortress-core git commit: FC-109 - rename rbac package to impl
Date Tue, 09 Jun 2015 03:15:52 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java
new file mode 100755
index 0000000..3a8d128
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleDAO.java
@@ -0,0 +1,695 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.impl;
+
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.directory.api.ldap.model.constants.SchemaConstants;
+import org.apache.directory.api.ldap.model.cursor.CursorException;
+import org.apache.directory.api.ldap.model.cursor.SearchCursor;
+import org.apache.directory.api.ldap.model.entry.DefaultEntry;
+import org.apache.directory.api.ldap.model.entry.DefaultModification;
+import org.apache.directory.api.ldap.model.entry.Entry;
+import org.apache.directory.api.ldap.model.entry.Modification;
+import org.apache.directory.api.ldap.model.entry.ModificationOperation;
+import org.apache.directory.api.ldap.model.exception.LdapException;
+import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
+import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
+import org.apache.directory.api.ldap.model.message.SearchScope;
+import org.apache.directory.fortress.core.CreateException;
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.model.ObjectFactory;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.UpdateException;
+import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
+import org.apache.directory.fortress.core.model.AdminRole;
+import org.apache.directory.fortress.core.model.Graphable;
+import org.apache.directory.fortress.core.model.Role;
+import org.apache.directory.fortress.core.util.ObjUtil;
+import org.apache.directory.fortress.core.util.time.CUtil;
+import org.apache.directory.ldap.client.api.LdapConnection;
+
+
+/**
+ * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link org.apache.directory.fortress.core.model.AdminRole}.
+ * <p/>
+ * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
+ * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass    ( 1.3.6.1.4.1.38088.2.1</code>
+ * <li> <code>NAME 'ftRls'</code>
+ * <li> <code>DESC 'Fortress Role Object Class'</code>
+ * <li> <code>SUP organizationalrole</code>
+ * <li> <code>STRUCTURAL</code>
+ * <li> <code>MUST ( ftId $ ftRoleName )</code>
+ * <li> <code>MAY ( description $ ftCstr ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
+ * <code># This aux object class can be used to store custom attributes.</code><br />
+ * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
+ * <li> <code>NAME 'ftProperties'</code>
+ * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftProps ) ) </code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
+ * <ul>
+ * <li>  ------------------------------------------
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
+ * <li> <code>NAME 'ftPools'</code>
+ * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
+ * <ul>
+ * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
+ * <li> <code>NAME 'ftMods'</code>
+ * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
+ * <li> <code>AUXILIARY</code>
+ * <li> <code>MAY (</code>
+ * <li> <code>ftModifier $</code>
+ * <li> <code>ftModCode $</code>
+ * <li> <code>ftModId ) )</code>
+ * <li>  ------------------------------------------
+ * </ul>
+ * <p/>
+ * This class is thread safe.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+final class AdminRoleDAO extends ApacheDsDataProvider
+{
+    private static final String ROLE_OCCUPANT = "roleOccupant";
+    private static final String ROLE_OSP = "ftOSP";
+    private static final String ROLE_OSU = "ftOSU";
+    private static final String ROLE_RANGE = "ftRange";
+    private static final String POOLS_AUX_OBJECT_CLASS_NAME = "ftPools";
+    private static final String ADMIN_ROLE_OBJ_CLASS[] =
+        {
+            SchemaConstants.TOP_OC,
+            GlobalIds.ROLE_OBJECT_CLASS_NM,
+            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
+            POOLS_AUX_OBJECT_CLASS_NAME,
+            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
+    };
+    private static final String ROLE_NM = "ftRoleName";
+    private static final String[] ROLE_NM_ATR =
+        {
+            ROLE_NM
+    };
+
+    private static final String[] ROLE_ATRS =
+        {
+            GlobalIds.FT_IID,
+            ROLE_NM,
+            SchemaConstants.DESCRIPTION_AT,
+            GlobalIds.CONSTRAINT,
+            ROLE_OCCUPANT,
+            ROLE_OSP,
+            ROLE_OSU,
+            ROLE_RANGE,
+            GlobalIds.PARENT_NODES
+    };
+
+
+    /**
+     * Create a new AdminRole entity using supplied data.  Required attribute is {@link org.apache.directory.fortress.core.model.AdminRole#name}.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains AdminRole data.  Null attributes will be ignored.
+     * @return input record back to client.
+     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
+     */
+    AdminRole create( AdminRole entity ) throws CreateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            Entry entry = new DefaultEntry( dn );
+
+            entry.add( SchemaConstants.OBJECT_CLASS_AT, ADMIN_ROLE_OBJ_CLASS );
+            entity.setId();
+            entry.add( GlobalIds.FT_IID, entity.getId() );
+            entry.add( ROLE_NM, entity.getName() );
+
+            // description field is optional on this object class:
+            if ( StringUtils.isNotEmpty( entity.getDescription() ) )
+            {
+                entry.add( SchemaConstants.DESCRIPTION_AT, entity.getDescription() );
+            }
+
+            // CN attribute is required for this object class:
+            entry.add( SchemaConstants.CN_AT, entity.getName() );
+            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
+            loadAttrs( entity.getOsP(), entry, ROLE_OSP );
+            loadAttrs( entity.getOsU(), entry, ROLE_OSU );
+            String szRaw = entity.getRoleRangeRaw();
+
+            if ( StringUtils.isNotEmpty( szRaw ) )
+            {
+                entry.add( ROLE_RANGE, szRaw );
+            }
+
+            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
+            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
+
+            ld = getAdminConnection();
+            add( ld, entry, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new CreateException( GlobalErrIds.ARLE_ADD_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains AdminRole data.  Null attributes will be ignored.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    AdminRole update( AdminRole entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+
+            if ( StringUtils.isNotEmpty( entity.getDescription() ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE,
+                    SchemaConstants.DESCRIPTION_AT, entity.getDescription() ) );
+            }
+
+            if ( ObjUtil.isNotNullOrEmpty( entity.getOccupants() ) )
+            {
+                for ( String name : entity.getOccupants() )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, ROLE_OCCUPANT, name ) );
+                }
+            }
+
+            if ( entity.isTemporalSet() )
+            {
+                String szRawData = CUtil.setConstraint( entity );
+
+                if ( StringUtils.isNotEmpty( szRawData ) )
+                {
+                    mods.add( new DefaultModification(
+                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
+                }
+            }
+
+            loadAttrs( entity.getOsU(), mods, ROLE_OSU );
+            loadAttrs( entity.getOsP(), mods, ROLE_OSP );
+            String szRaw = entity.getRoleRangeRaw();
+
+            if ( StringUtils.isNotEmpty( szRaw ) )
+            {
+                mods.add( new DefaultModification(
+                    ModificationOperation.REPLACE_ATTRIBUTE, ROLE_RANGE, szRaw ) );
+            }
+
+            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
+
+            if ( mods.size() > 0 )
+            {
+                ld = getAdminConnection();
+                modify( ld, dn, mods, entity );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_UPDATE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     *
+     * @param entity
+     * @throws UpdateException
+     */
+    void deleteParent( AdminRole entity ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_REMOVE_PARENT_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * This method will add the supplied DN as a role occupant to the target record.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
+     * @param userDn contains the DN for userId who is being assigned.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    AdminRole assign( AdminRole entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
+                + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_USER_ASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * This method will remove the supplied DN as a role occupant to the target record.
+     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
+     * @param userDn contains the DN for userId who is being deassigned.
+     * @return input record back to client.
+     * @throws UpdateException in the event LDAP errors occur.
+     */
+    AdminRole deassign( AdminRole entity, String userDn ) throws UpdateException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( entity );
+
+        try
+        {
+            List<Modification> mods = new ArrayList<Modification>();
+            mods.add( new DefaultModification(
+                ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
+            ld = getAdminConnection();
+            modify( ld, dn, mods, entity );
+        }
+        catch ( LdapException e )
+        {
+            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
+                + "] caught LdapException=" + e.getMessage();
+            throw new UpdateException( GlobalErrIds.ARLE_USER_DEASSIGN_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+        return entity;
+    }
+
+
+    /**
+     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
+     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
+     *
+     * @param role record contains {@link AdminRole#name}.
+     * @throws RemoveException in the event LDAP errors occur.
+     */
+    void remove( AdminRole role ) throws RemoveException
+    {
+        LdapConnection ld = null;
+        String dn = getDn( role );
+
+        try
+        {
+            ld = getAdminConnection();
+            delete( ld, dn, role );
+        }
+        catch ( LdapException e )
+        {
+            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
+            throw new RemoveException( GlobalErrIds.ARLE_DELETE_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+    }
+
+
+    /**
+     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
+     *
+     * @param adminRole maps to {@link AdminRole#name}.
+     * @return AdminRole back to client.
+     * @throws FinderException in the event LDAP errors occur.
+     */
+    AdminRole getRole( AdminRole adminRole ) throws FinderException
+    {
+        AdminRole entity = null;
+        LdapConnection ld = null;
+        String dn = getDn( adminRole );
+
+        try
+        {
+            ld = getAdminConnection();
+            Entry findEntry = read( ld, dn, ROLE_ATRS );
+            if ( findEntry != null )
+            {
+                entity = unloadLdapEntry( findEntry, 0, adminRole.getContextId() );
+            }
+            if ( entity == null )
+            {
+                String warning = "getRole name [" + adminRole.getName() + "] no entry found dn [" + dn + "]";
+                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
+            }
+        }
+        catch ( LdapNoSuchObjectException e )
+        {
+            String warning = "getRole name [" + adminRole.getName() + "] Obj COULD NOT FIND ENTRY for dn [" + dn
+                + "]";
+            throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning, e );
+        }
+        catch ( LdapException e )
+        {
+            String error = "getRole dn [" + dn + "] LEXCD=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_READ_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return entity;
+    }
+
+
+    /**
+     * @param adminRole
+     * @return
+     * @throws FinderException
+     *
+     */
+    List<AdminRole> findRoles( AdminRole adminRole ) throws FinderException
+    {
+        List<AdminRole> roleList = new ArrayList<AdminRole>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+        String filter;
+
+        try
+        {
+            String searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, adminRole.getContextId() ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles name [" + adminRole.getName() + "] caught CursorException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     * @param adminRole
+     * @param limit
+     * @return
+     * @throws FinderException
+     *
+     */
+    List<String> findRoles( AdminRole adminRole, int limit ) throws FinderException
+    {
+        List<String> roleList = new ArrayList<String>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+        String filter;
+        String searchVal = null;
+
+        try
+        {
+            searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + ROLE_NM + "=" + searchVal + "*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
+
+            while ( searchResults.next() )
+            {
+                Entry entry = searchResults.getEntry();
+                roleList.add( getAttribute( entry, ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findRoles name [" + searchVal + "] caught CursorException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleList;
+    }
+
+
+    /**
+     * @param userDn
+     * @return
+     * @throws FinderException
+     */
+    List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException
+    {
+        List<String> roleNameList = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
+
+        try
+        {
+            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
+            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
+
+            while ( searchResults.next() )
+            {
+                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "findAssignedRoles userDn [" + userDn + "] caught CursorException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return roleNameList;
+    }
+
+
+    /**
+      *
+      * @param contextId
+      * @return
+      * @throws FinderException
+      */
+    List<Graphable> getAllDescendants( String contextId )
+        throws FinderException
+    {
+        String[] DESC_ATRS =
+            { ROLE_NM, GlobalIds.PARENT_NODES };
+        List<Graphable> descendants = new ArrayList<>();
+        LdapConnection ld = null;
+        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
+        String filter = null;
+
+        try
+        {
+            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
+                + GlobalIds.PARENT_NODES + "=*))";
+            ld = getAdminConnection();
+            SearchCursor searchResults = search( ld, roleRoot,
+                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
+            long sequence = 0;
+
+            while ( searchResults.next() )
+            {
+                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++ ) );
+            }
+        }
+        catch ( LdapException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        catch ( CursorException e )
+        {
+            String error = "getAllDescendants filter [" + filter + "] caught CursorException=" + e.getMessage();
+            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
+        }
+        finally
+        {
+            closeAdminConnection( ld );
+        }
+
+        return descendants;
+    }
+
+
+    /**
+    *
+    * @param le
+    * @param sequence
+    * @return
+     * @throws LdapInvalidAttributeValueException 
+    * @throws LdapException
+    */
+    private Graphable unloadDescendants( Entry le, long sequence )
+        throws LdapInvalidAttributeValueException
+    {
+        Role entity = new ObjectFactory().createRole();
+        entity.setSequenceId( sequence );
+        entity.setName( getAttribute( le, ROLE_NM ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        return entity;
+    }
+
+
+    /**
+     * @param le
+     * @return
+     * @throws LdapInvalidAttributeValueException 
+     * @throws LdapException
+     */
+    private AdminRole unloadLdapEntry( Entry le, long sequence, String contextId )
+        throws LdapInvalidAttributeValueException
+    {
+        AdminRole entity = new ObjectFactory().createAdminRole();
+        entity.setSequenceId( sequence );
+        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
+        entity.setDescription( getAttribute( le, SchemaConstants.DESCRIPTION_AT ) );
+        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
+        entity.setOsP( getAttributeSet( le, ROLE_OSP ) );
+        entity.setOsU( getAttributeSet( le, ROLE_OSU ) );
+        entity.setName( getAttribute( le, SchemaConstants.CN_AT ) );
+        unloadTemporal( le, entity );
+        entity.setRoleRangeRaw( getAttribute( le, ROLE_RANGE ) );
+        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
+        entity.setChildren( AdminRoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
+        return entity;
+    }
+
+
+    private String getDn( AdminRole adminRole )
+    {
+        return SchemaConstants.CN_AT + "=" + adminRole.getName() + ","
+            + getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleP.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleP.java
new file mode 100755
index 0000000..0b168f2
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleP.java
@@ -0,0 +1,424 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.impl;
+
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.directory.fortress.core.model.AdminRole;
+import org.apache.directory.fortress.core.model.Graphable;
+import org.apache.directory.fortress.core.model.OrgUnit;
+import org.apache.directory.fortress.core.model.UserAdminRole;
+import org.apache.directory.fortress.core.util.ObjUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.directory.fortress.core.FinderException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.RemoveException;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.model.VUtil;
+
+
+/**
+ * Process module for the AdminRole entity.  This class performs data validations and error mapping.  It is typically called
+ * by internal Fortress delegated manager classes ({@link DelAdminMgrImpl}, {@link DelAccessMgrImpl},
+ * {@link DelReviewMgrImpl}, ...) and not intended for external non-Fortress clients.  This class will accept,
+ * {@link org.apache.directory.fortress.core.model.AdminRole}, validate its contents and forward on to it's corresponding DAO class {@link AdminRoleDAO}.
+ * <p>
+ * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
+ * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
+ * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
+ *  or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
+ * error id from {@link GlobalErrIds}.
+ * <p>
+ * This class is thread safe.
+ * <p/>
+
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public final class AdminRoleP
+{
+    private static final String CLS_NM = AdminRoleP.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+    private static final AdminRoleDAO rDao = new AdminRoleDAO();
+    private static final OrgUnitP op = new OrgUnitP();
+
+    /**
+     * Package private constructor.
+     */
+    AdminRoleP()
+    {
+    }
+
+
+    /**
+     * Return a fully populated Admin Role entity for a given Admin Role name.  If matching record not found a
+     * SecurityException will be thrown.
+     *
+     * @param adminRole contains full Admin Role name.
+     * @return AdminRole entity containing all attributes associated with Administrative Role in directory.
+     * @throws SecurityException in the event AdminRole not found or DAO search error.
+     */
+    AdminRole read( AdminRole adminRole ) throws SecurityException
+    {
+        return rDao.getRole( adminRole );
+    }
+
+
+    /**
+     * Takes a search string that contains full or partial Admin Role name in directory.
+     *
+     * @param adminRole contains full or partial Admin role name.
+     * @return List of type Role containing fully populated matching Admin Role entities.  If no records found this will be empty.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    List<AdminRole> search( AdminRole adminRole )
+        throws SecurityException
+    {
+        return rDao.findRoles( adminRole );
+    }
+
+
+    /**
+     * Takes a search string that contains full or partial Admin Role name in directory.
+     *
+     * @param adminRole contains full or partial Admin role name.
+     * @param limit     specify the max number of records to return in result set.
+     * @return List of type String containing Admin Role name of all matching User entities.  If no records found this will be empty.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    List<String> search( AdminRole adminRole, int limit )
+        throws SecurityException
+    {
+        return rDao.findRoles( adminRole, limit );
+    }
+
+
+    /**
+     * Return all AdminRoles that have a parent assignment.  This used for hierarchical processing.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return List of type AdminRole containing {@link AdminRole#name} and {@link AdminRole#parents} populated.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    List<Graphable> getAllDescendants( String contextId )
+        throws SecurityException
+    {
+        return rDao.getAllDescendants( contextId );
+    }
+
+
+    /**
+     * Adds a new Admin Role entity to directory.  The Role entity input object will be validated to ensure that:
+     * role name is present, and reasonability checks on all of the other populated values.
+     *
+     * @param entity Admin Role entity contains data targeted for insertion.
+     * @return AdminRole entity copy of input + additional attributes (internalId) that were added by op.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    AdminRole add( AdminRole entity )
+        throws SecurityException
+    {
+        validate( entity );
+        return rDao.create( entity );
+    }
+
+
+    /**
+     * Updates existing AdminRole entity in directory.  For example the AdminRole description and temporal constraints
+     * updated.
+     *
+     * @param entity Admin Role entity contains data targeted for updating.
+     * @return AdminRole entity contains fully populated updated entity.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    AdminRole update( AdminRole entity ) throws SecurityException
+    {
+        validate( entity );
+        AdminRole updateEntity = rDao.update( entity );
+        return read( updateEntity );
+    }
+
+
+    /**
+     * Removes parent role assignments from Role entity in directory.
+     * updated.
+     *
+     * @param entity Admin Role entity contains data targeted for updating.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    void deleteParent( AdminRole entity ) throws SecurityException
+    {
+        validate( entity );
+        rDao.deleteParent( entity );
+    }
+
+
+    /**
+     * This command assigns a user to an admin role.
+     * Successful completion of this op, the following occurs:
+     * </p>
+     * <ul>
+     * <li> User entity (resides in people container) has role assignment added to aux object class attached to actual user record.
+     * <li> AdminRole entity (resides in admin role container) has userId added as role occupant.
+     * <li> (optional) Temporal constraints may be associated with <code>ftUserAttrs</code> aux object class based on:
+     * <ul>
+     * <li> timeout - number in seconds of session inactivity time allowed.
+     * <li> beginDate - YYYYMMDD - determines date when role may be activated.
+     * <li> endDate - YYMMDD - indicates latest date role may be activated.
+     * <li> beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
+     * <li> endLockDate - YYMMDD - determines end of enforced inactive status.
+     * <li> beginTime - HHMM - determines begin hour role may be activated in user's session.
+     * <li> endTime - HHMM - determines end hour role may be activated in user's session.*
+     * <li> dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
+     * </ul>
+     * </ul>
+     *
+     * @param entity contains userId and admin role name and (optional) role temporal constraints.
+     * @param userDn contains the DN of user being assigned.
+     * @return AdminRole contains copy of input entity and additional data processed by request.
+     * @throws SecurityException in the event data error in user or role objects or system error.
+     */
+    AdminRole assign( AdminRole entity, String userDn ) throws SecurityException
+    {
+        return rDao.assign( entity, userDn );
+    }
+
+
+    /**
+     * Add the User dn occupant attribute to the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
+     * when the User is being added.
+     *
+     * @param uRoles contains a collection of UserAdminRole being targeted for assignment.
+     * @param userDn contains the userId targeted for attribute addition.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    void addOccupant( List<UserAdminRole> uRoles, String userDn, String contextId )
+        throws SecurityException
+    {
+        if ( ObjUtil.isNotNullOrEmpty( uRoles ) )
+        {
+            for ( UserAdminRole uRole : uRoles )
+            {
+                AdminRole role = new AdminRole( uRole.getName() );
+                role.setContextId( contextId );
+                assign( role, userDn );
+            }
+        }
+    }
+
+
+    /**
+     * Remove the User dn occupant attribute from the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
+     * when the User is being deleted.
+     *
+     * @param userDn contains the userId targeted for attribute removal.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws SecurityException in the event of DAO search error.
+     */
+    void removeOccupant( String userDn, String contextId )
+        throws SecurityException
+    {
+        List<String> list;
+        try
+        {
+            list = rDao.findAssignedRoles( userDn, contextId );
+            for ( String roleNm : list )
+            {
+                deassign( new AdminRole( roleNm ), userDn );
+            }
+        }
+        catch ( FinderException fe )
+        {
+            String error = "removeOccupant userDn [" + userDn + "] caught FinderException=" + fe;
+            throw new SecurityException( GlobalErrIds.ARLE_REMOVE_OCCUPANT_FAILED, error, fe );
+        }
+    }
+
+
+    /**
+     * This method removes assigned admin role from user entity.  Both user and admin role entities must exist and have role relationship
+     * before calling this method.
+     * Successful completion:
+     * del Role to User assignment in User data set
+     * AND
+     * User to Role assignment in Admin Role data set.
+     *
+     * @param entity contains userId and admin role name targeted for removal.
+     * @param userDn contains the userId targeted for attribute removal.
+     * @return AdminRole contains copy of input entity and additional data processed by request.
+     * @throws SecurityException - in the event data error in user or role objects or system error.
+     */
+    AdminRole deassign( AdminRole entity, String userDn ) throws SecurityException
+    {
+        return rDao.deassign( entity, userDn );
+    }
+
+
+    /**
+     * This method performs a "hard" delete.  It completely the Admin Role node from the ldap directory.
+     * Admin Role entity must exist in directory prior to making this call else exception will be thrown.
+     *
+     * @param entity Contains the name of the Admin Role targeted for deletion.
+     * @throws SecurityException in the event of data validation or DAO system error.
+     */
+    void delete( AdminRole entity ) throws SecurityException
+    {
+        try
+        {
+            rDao.remove( entity );
+        }
+        catch ( RemoveException re )
+        {
+            String error = "delete name [" + entity.getName() + "] caught RemoveException=" + re;
+            LOG.error( error );
+            throw new SecurityException( GlobalErrIds.ARLE_DELETE_FAILED, error, re );
+        }
+    }
+    
+    /**
+     * Method will perform simple validations to ensure the integrity of the Admin Role entity targeted for insertion
+     * or updating in directory.  For example the Admin Role temporal constraints will be validated.  Data reasonability
+     * checks will be performed on all non-null attributes.  Validations will be performed on ARBAC constraints as well.
+     *
+     * @param entity contains data targeted for insertion or update.
+     * @throws SecurityException in the event of data validation error or DAO error on Org validation.
+     */
+    private void validate( AdminRole entity )
+        throws SecurityException
+    {
+        VUtil.safeText( entity.getName(), GlobalIds.ROLE_LEN );
+
+        if ( StringUtils.isNotEmpty( entity.getBeginRange() ) && StringUtils.isNotEmpty( entity.getEndRange() ) )
+        {
+            VUtil.safeText( entity.getBeginRange(), GlobalIds.ROLE_LEN );
+            VUtil.safeText( entity.getEndRange(), GlobalIds.ROLE_LEN );
+
+            if ( entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() )
+                && ( !entity.isBeginInclusive() || !entity.isEndInclusive() ) )
+            {
+                String error = "validate invalid range detected for role name [" + entity.getName()
+                    + "] non inclusive endpoint for identical range [" + entity.getBeginRange() + "] begin inclusive ["
+                    + entity.isBeginInclusive() + "] end inclusive [" + entity.isEndInclusive() + "]";
+                LOG.warn( error );
+                throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE_INCLUSIVE, error );
+            }
+            else if ( !RoleUtil.isParent( entity.getBeginRange(), entity.getEndRange(), entity.getContextId() )
+                && !entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() ) )
+            {
+                String error = "validate invalid range detected for role name [" + entity.getName()
+                    + "] begin range [" + entity.getBeginRange() + "] end range [" + entity.getEndRange() + "]";
+                LOG.warn( error );
+                throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE, error );
+            }
+        }
+        else if ( !StringUtils.isNotEmpty( entity.getBeginRange() ) && StringUtils.isNotEmpty( entity.getEndRange() ) )
+        {
+            String error = "validate role name [" + entity.getName() + "] begin range value null or empty.";
+            LOG.warn( error );
+            throw new SecurityException( GlobalErrIds.ARLE_BEGIN_RANGE_NULL, error );
+        }
+        else if ( StringUtils.isNotEmpty( entity.getBeginRange() ) && !StringUtils.isNotEmpty( entity.getEndRange() ) )
+        {
+            String error = "validate role name [" + entity.getName() + "] end range value null or empty.";
+            LOG.warn( error );
+            throw new SecurityException( GlobalErrIds.ARLE_END_RANGE_NULL, error );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getDescription() ) )
+        {
+            VUtil.description( entity.getDescription() );
+        }
+
+        if ( entity.getTimeout() >= 0 )
+        {
+            VUtil.timeout( entity.getTimeout() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getBeginTime() ) )
+        {
+            VUtil.beginTime( entity.getBeginTime() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getEndTime() ) )
+        {
+            VUtil.endTime( entity.getEndTime() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getBeginDate() ) )
+        {
+            VUtil.beginDate( entity.getBeginDate() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getEndDate() ) )
+        {
+            VUtil.endDate( entity.getEndDate() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getDayMask() ) )
+        {
+            VUtil.dayMask( entity.getDayMask() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getBeginLockDate() ) )
+        {
+            VUtil.beginDate( entity.getBeginDate() );
+        }
+
+        if ( StringUtils.isNotEmpty( entity.getEndLockDate() ) )
+        {
+            VUtil.endDate( entity.getEndLockDate() );
+        }
+
+        if ( ObjUtil.isNotNullOrEmpty( entity.getOsU() ) )
+        {
+            validateOrgs( entity.getOsU(), OrgUnit.Type.USER, entity.getContextId() );
+        }
+
+        if ( ObjUtil.isNotNullOrEmpty( entity.getOsP() ) )
+        {
+            validateOrgs( entity.getOsP(), OrgUnit.Type.PERM, entity.getContextId() );
+        }
+    }
+
+    /**
+     * Called by validate()
+     *
+     * @param orgs
+     * @param contextId
+     * @throws SecurityException
+     */
+    private void validateOrgs( Set<String> orgs, OrgUnit.Type type, String contextId ) throws SecurityException
+    {
+        for ( String ou : orgs )
+        {
+            OrgUnit inOe = new OrgUnit( ou );
+            inOe.setType( type );
+            inOe.setContextId( contextId );
+            op.read( inOe );
+        }
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleUtil.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleUtil.java
new file mode 100755
index 0000000..187a75c
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminRoleUtil.java
@@ -0,0 +1,339 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.impl;
+
+
+import java.util.List;
+import java.util.Set;
+import java.util.TreeSet;
+import java.util.concurrent.locks.ReadWriteLock;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.directory.fortress.core.model.AdminRole;
+import org.apache.directory.fortress.core.model.Graphable;
+import org.apache.directory.fortress.core.model.Hier;
+import org.apache.directory.fortress.core.model.Relationship;
+import org.apache.directory.fortress.core.model.UserAdminRole;
+import org.apache.directory.fortress.core.util.ObjUtil;
+import org.jgrapht.graph.SimpleDirectedGraph;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.apache.directory.fortress.core.GlobalIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.ValidationException;
+import org.apache.directory.fortress.core.util.cache.Cache;
+import org.apache.directory.fortress.core.util.cache.CacheMgr;
+
+
+/**
+ * This utility wraps {@link org.apache.directory.fortress.core.impl.HierUtil} methods to provide hierarchical functionality for the {@link org.apache.directory.fortress.core.model.AdminRole} data set.
+ * The child to parent relationships are stored within a data cache, {@link #adminRoleCache}, contained within this class.  The parent-child edges are contained in LDAP,
+ * in {@code ftParents} attribute.  The ldap data is retrieved {@link org.apache.directory.fortress.core.impl.AdminRoleP#getAllDescendants(String)} and loaded into {@code org.jgrapht.graph.SimpleDirectedGraph}.
+ * The graph...
+ * <ol>
+ * <li>is stored as singleton in this class with vertices of {@code String}, and edges, as {@link org.apache.directory.fortress.core.model.Relationship}s</li>
+ * <li>utilizes open source library, see <a href="http://www.jgrapht.org/">JGraphT</a>.</li>
+ * <li>contains a general hierarchical data structure i.e. allows multiple inheritance with parents.</li>
+ * <li>is a simple directed graph thus does not allow cycles.</li>
+ * </ol>
+ * After update is performed to ldap, the singleton is refreshed with latest info.
+ * <p/>
+ * Static methods on this class are intended for use by other Fortress classes, i.e. {@link DelAdminMgrImpl} and {@link org.apache.directory.fortress.core.impl.PermDAO}
+ * and cannot be directly invoked by outside programs.
+ * <p/>
+ * This class contains singleton that can be updated but is thread safe.
+ * <p/>
+
+ *  @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+public final class AdminRoleUtil
+{
+    private static final Cache adminRoleCache;
+    private static final AdminRoleP adminRoleP = new AdminRoleP();
+    private static final String CLS_NM = AdminRoleUtil.class.getName();
+    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
+
+    /**
+     * Initialize the AdminRole hierarchies.  This will read the {@link org.apache.directory.fortress.core.model.Hier} data set from ldap and load into
+     * the JGraphT simple digraph that referenced statically within this class.
+     */
+    static
+    {
+        CacheMgr cacheMgr = CacheMgr.getInstance();
+        adminRoleCache = cacheMgr.getCache( "fortress.admin.roles" );
+    }
+
+    /**
+     * Private constructor
+     *
+     */
+    private AdminRoleUtil()
+    {
+    }
+
+    /**
+     * Used to determine if one {@link org.apache.directory.fortress.core.model.AdminRole} is the parent of another.  This method
+     * will call recursive routine {@link #getAscendants(String, String)} to walk the {@code org.jgrapht.graph.SimpleDirectedGraph} data structure
+     * returning flag indicating if parent-child relationship is valid.
+     *
+     * @param child maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
+     * @param parent maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return boolean result, 'true' indicates parent/child relationship exists.
+     */
+    static boolean isParent( String child, String parent, String contextId )
+    {
+        boolean result = false;
+        Set<String> parents = getAscendants( child, contextId );
+        if ( parents != null && parents.size() > 0 )
+        {
+            result = parents.contains( parent.toUpperCase() );
+        }
+        return result;
+    }
+
+
+    /**
+     * Recursively traverse the {@link org.apache.directory.fortress.core.model.AdminRole} graph and return all of the descendants of a given parent {@link org.apache.directory.fortress.core.model.AdminRole#name}.
+     * @param roleName {@link org.apache.directory.fortress.core.model.AdminRole#name} maps on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return Set of AdminRole names are children {@link org.apache.directory.fortress.core.model.AdminRole}s of given parent.
+     */
+    static Set<String> getDescendants( String roleName, String contextId )
+    {
+        return HierUtil.getDescendants( roleName, getGraph( contextId ) );
+    }
+
+
+    /**
+     * Recursively traverse the hierarchical role graph and return all of the parents of a given child role.
+     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return Set of AdminRole names that are descendants of given node.
+     */
+    public static Set<String> getAscendants( String roleName, String contextId )
+    {
+        return HierUtil.getAscendants( roleName, getGraph( contextId ) );
+    }
+
+
+    /**
+     * Traverse one level of the {@link org.apache.directory.fortress.core.model.AdminRole} graph and return all of the parents (direct ascendants) of a given parent {@link org.apache.directory.fortress.core.model.AdminRole#name}.
+     * @param roleName {@link org.apache.directory.fortress.core.model.AdminRole#name} maps on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return Set of AdminRole names are parents {@link org.apache.directory.fortress.core.model.AdminRole}s of given child.
+     */
+    static Set<String> getParents( String roleName, String contextId )
+    {
+        return HierUtil.getParents( roleName, getGraph( contextId ) );
+    }
+
+
+    /**
+     * Traverse one level of the hierarchical role graph and return all of the children (direct descendants) of a given parent role.
+     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return Set of AdminRole names that are children of given parent.
+     */
+    public static Set<String> getChildren( String roleName, String contextId )
+    {
+        return HierUtil.getChildren( roleName, getGraph( contextId ) );
+    }
+
+
+    /**
+     * Return number of children (direct descendants) a given parent role has.
+     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return int value contains the number of children of a given parent AdminRole.
+     */
+    static int numChildren( String roleName, String contextId )
+    {
+        return HierUtil.numChildren( roleName, getGraph( contextId ) );
+    }
+
+
+    /**
+     * Return Set of {@link org.apache.directory.fortress.core.model.AdminRole#name}s ascendants.  Used by {@link org.apache.directory.fortress.core.impl.PermDAO#checkPermission}
+     * for computing authorized {@link org.apache.directory.fortress.core.model.UserAdminRole#name}s.
+     * @param uRoles contains list of adminRoles activated within a {@link org.apache.directory.fortress.core.model.User}'s {@link org.apache.directory.fortress.core.model.Session}.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return contains Set of all authorized adminRoles for a given User.
+     */
+    public static Set<String> getInheritedRoles( List<UserAdminRole> uRoles, String contextId )
+    {
+        // create Set with case insensitive comparator:
+        Set<String> iRoles = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
+
+        if ( ObjUtil.isNotNullOrEmpty( uRoles ) )
+        {
+            for ( UserAdminRole uRole : uRoles )
+            {
+                String rleName = uRole.getName();
+                iRoles.add( rleName );
+                Set<String> parents = HierUtil.getAscendants( rleName, getGraph( contextId ) );
+
+                if ( ObjUtil.isNotNullOrEmpty( parents ) )
+                {
+                    iRoles.addAll( parents );
+                }
+            }
+        }
+        return iRoles;
+    }
+
+
+    /**
+     * This api is used by {@link DelAdminMgrImpl} to determine parentage for Hierarchical ARBAC processing.
+     * It calls {@link HierUtil#validateRelationship(org.jgrapht.graph.SimpleDirectedGraph, String, String, boolean)} to evaluate three adminRole relationship expressions:
+     * <ol>
+     * <li>If child equals parent</li>
+     * <li>If mustExist true and parent-child relationship exists</li>
+     * <li>If mustExist false and parent-child relationship does not exist</li>
+     * </ol>
+     * Method will throw {@link org.apache.directory.fortress.core.ValidationException} if rule check fails meaning caller failed validation
+     * attempt to add/remove hierarchical relationship failed.
+     *
+     * @param childRole contains {@link org.apache.directory.fortress.core.model.AdminRole#name} of child.
+     * @param parentRole contains {@link org.apache.directory.fortress.core.model.AdminRole#name} of parent.
+     * @param mustExist boolean is used to specify if relationship must be true.
+     * @throws org.apache.directory.fortress.core.ValidationException in the event it fails one of the 3 checks.
+     */
+    static void validateRelationship( AdminRole childRole, AdminRole parentRole, boolean mustExist )
+        throws ValidationException
+    {
+        HierUtil.validateRelationship( getGraph( childRole.getContextId() ), childRole.getName(), parentRole.getName(),
+            mustExist );
+    }
+
+
+    /**
+     * This api allows synchronized access to allow updates to hierarchical relationships.
+     * Method will update the hierarchical data set and reload the JGraphT simple digraph with latest.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @param relationship contains parent-child relationship targeted for addition.
+     * @param op   used to pass the ldap op {@link org.apache.directory.fortress.core.model.Hier.Op#ADD}, {@link org.apache.directory.fortress.core.model.Hier.Op#MOD}, {@link org.apache.directory.fortress.core.model.Hier.Op#REM}
+     * @throws org.apache.directory.fortress.core.SecurityException in the event of a system error.
+     */
+    static void updateHier( String contextId, Relationship relationship, Hier.Op op ) throws SecurityException
+    {
+        HierUtil.updateHier( getGraph( contextId ), relationship, op );
+    }
+
+
+    /**
+     * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
+     * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return handle to simple digraph containing adminRole hierarchies.
+     */
+    private static SimpleDirectedGraph<String, Relationship> loadGraph( String contextId )
+    {
+        Hier inHier = new Hier( Hier.Type.ROLE );
+        inHier.setContextId( contextId );
+        LOG.info( "loadGraph initializing ADMIN ROLE context [{}]", inHier.getContextId() );
+        List<Graphable> descendants = null;
+
+        try
+        {
+            descendants = adminRoleP.getAllDescendants( inHier.getContextId() );
+        }
+        catch ( SecurityException se )
+        {
+            LOG.info( "loadGraph caught SecurityException={}", se );
+        }
+
+        Hier hier = HierUtil.loadHier( contextId, descendants );
+        SimpleDirectedGraph<String, Relationship> graph;
+
+        graph = HierUtil.buildGraph( hier );
+        adminRoleCache.put( getKey( contextId ), graph );
+
+        return graph;
+    }
+
+
+    /**
+     * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
+     * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return handle to simple digraph containing adminRole hierarchies.
+     */
+    private static SimpleDirectedGraph<String, Relationship> getGraph( String contextId )
+    {
+        ReadWriteLock hierLock = HierUtil.getLock( contextId, HierUtil.Type.ARLE );
+        String key = getKey( contextId );
+
+        try
+        {
+            hierLock.readLock().lock();
+            SimpleDirectedGraph<String, Relationship> graph = ( SimpleDirectedGraph<String, Relationship> ) adminRoleCache
+                .get( key );
+
+            if ( graph == null )
+            {
+                try
+                {
+                    hierLock.readLock().unlock();
+                    hierLock.writeLock().lock();
+
+                    // TODO: determine why this (code that was commented out) creates a deadlock:
+                    //graph = ( SimpleDirectedGraph<String, Relationship> ) adminRoleCache.get( key );
+
+                    //if ( graph == null )
+                    //{
+                    graph = loadGraph( contextId );
+                    //}
+
+                    hierLock.readLock().lock();
+                }
+                finally
+                {
+                    hierLock.writeLock().unlock();
+                }
+            }
+
+            return graph;
+        }
+        finally
+        {
+            hierLock.readLock().unlock();
+        }
+    }
+
+
+    /**
+     *
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return containing key to cache entry for this tenant.
+     */
+    private static String getKey( String contextId )
+    {
+        String key = HierUtil.Type.ARLE.toString();
+        if ( StringUtils.isNotEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL ) )
+        {
+            key += ":" + contextId;
+        }
+        return key;
+    }
+}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java b/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
new file mode 100755
index 0000000..8b95267
--- /dev/null
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AdminUtil.java
@@ -0,0 +1,220 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.core.impl;
+
+import org.apache.directory.fortress.core.DelAccessMgr;
+import org.apache.directory.fortress.core.AuthorizationException;
+import org.apache.directory.fortress.core.GlobalErrIds;
+import org.apache.directory.fortress.core.SecurityException;
+import org.apache.directory.fortress.core.DelAccessMgrFactory;
+import org.apache.directory.fortress.core.model.FortEntity;
+import org.apache.directory.fortress.core.model.Permission;
+import org.apache.directory.fortress.core.model.Role;
+import org.apache.directory.fortress.core.model.Session;
+import org.apache.directory.fortress.core.model.User;
+
+/**
+ * This class supplies static wrapper utilities to provide ARBAC functionality to Fortress internal Manager APIs.
+ * The utilities within this class are all static and can not be called by code outside of Fortress.
+ * </p>
+ * This class is thread safe.
+ *
+ * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
+ */
+final class AdminUtil
+{
+    private static final String CLS_NM = AdminUtil.class.getName();
+
+    /**
+     * Private constructor
+     *
+     */
+    private AdminUtil()
+    {
+    }
+
+    /**
+     * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
+     * This will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-assign URA.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
+     */
+    static void canAssign(Session session, User user, Role role, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            boolean result = dAccessMgr.canAssign(session, user, role);
+            if (!result)
+            {
+                String warning = "canAssign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
+                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN, warning);
+            }
+        }
+    }
+
+    /**
+     * Wrapper function to call {@link DelAccessMgrImpl#canDeassign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
+     *
+     * This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-revoke URA.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param user    Instantiated User entity requires only valid userId attribute set.
+     * @param user    Instantiated User entity requires userId attribute set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
+     */
+    static void canDeassign(Session session, User user, Role role, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            boolean result = dAccessMgr.canDeassign(session, user, role);
+            if (!result)
+            {
+                String warning = "canDeassign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
+                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_DEASSIGN, warning);
+
+            }
+        }
+    }
+
+    /**
+     * Wrapper function to call {@link DelAccessMgrImpl#canGrant(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
+     * This function will determine if the user contains an AdminRole that is authorized assignment control over
+     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-assign-p PRA.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @param perm    Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @return boolean value true indicates access allowed.
+     * @throws SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
+     */
+    static void canGrant(Session session, Role role, Permission perm, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            boolean result = dAccessMgr.canGrant(session, role, perm);
+            if (!result)
+            {
+                String warning = "canGrant Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
+                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_GRANT, warning);
+            }
+        }
+    }
+
+    /**
+     * Wrapper function to call {@link DelAccessMgrImpl#canRevoke(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
+     *
+     * This function will determine if the user contains an AdminRole that is authorized revoke control over
+     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
+     * @param role    Instantiated Role entity requires only valid role name attribute set.
+     * @param perm    Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
+     */
+    static void canRevoke(Session session, Role role, Permission perm, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            boolean result = dAccessMgr.canRevoke(session, role, perm);
+            if (!result)
+            {
+                String warning = "canRevoke Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
+                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE, warning);
+            }
+        }
+    }
+
+    /**
+     * Method is called by Manager APIs to load contextual information on {@link org.apache.directory.fortress.core.model.FortEntity} and perform checkAccess on Administrative permission.
+     * </p>
+     * The information is used to
+     * <ol>
+     * <li>Load the administrative User's {@link Session} object into entity.  This is used for checking to ensure administrator has privilege to perform administrative operation.</li>
+     * <li>Load the target operation's permission into the audit context.  This is used for Fortress audit log stored in OpenLDAP</li>
+     * </ol>
+     *
+     * @param session object contains the {@link org.apache.directory.fortress.core.model.User}'s RBAC, {@link org.apache.directory.fortress.core.model.UserRole}, and Administrative Roles {@link org.apache.directory.fortress.core.model.UserAdminRole}.
+     * @param perm    contains the permission object name, {@link Permission#objName}, and operation name, {@link Permission#opName}
+     * @param entity  used to pass contextual information through Fortress layers for administrative security checks and audit.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws org.apache.directory.fortress.core.SecurityException in the event of system error.
+     */
+    static void setEntitySession(Session session, Permission perm, FortEntity entity, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            entity.setAdminSession(session);
+            entity.setModCode(getObjName(perm.getObjName()) + "." + perm.getOpName());
+            checkAccess(session, perm, contextId);
+        }
+    }
+
+    /**
+     * Wrapper function to call {@link DelAccessMgrImpl#checkAccess(org.apache.directory.fortress.core.model.Session, Permission)}.
+     * Perform user arbac authorization.  This function returns a Boolean value meaning whether the subject of a given session is
+     * allowed or not to perform a given operation on a given object. The function is valid if and
+     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * to perform the operation on that object if and only if that permission is assigned to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId correspond
+     * to the subject's active roles are registered in the object's access control list.
+     *
+     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
+     * @param perm    object contains obj attribute which is a String and contains the name of the object user is trying to access;
+     *                perm object contains operation attribute which is also a String and contains the operation name for the object.
+     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
+     * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
+     */
+    static void checkAccess(Session session, Permission perm, String contextId) throws SecurityException
+    {
+        if (session != null)
+        {
+            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
+            boolean result = dAccessMgr.checkAccess(session, perm);
+            if (!result)
+            {
+                String info = "checkAccess failed for user [" + session.getUserId() + "] object [" + perm.getObjName() + "] operation [" + perm.getOpName() + "]";
+                throw new AuthorizationException(GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED, info);
+            }
+        }
+    }
+
+    /**
+     * Utility will parse a String containing objName.operationName and return the objName only.
+     *
+     * @param szObj contains raw data format.
+     * @return String containing objName.
+     */
+    static String getObjName(String szObj)
+    {
+        return szObj.substring(szObj.lastIndexOf('.') + 1);
+    }
+}


Mime
View raw message