From smckin...@apache.org
Subject [33/51] [partial] directory-fortress-core git commit: FC-109 - rename rbac package to impl
Date Tue, 02 Jun 2015 18:36:58 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
deleted file mode 100644
index be782c8..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AcceleratorDAO.java
+++ /dev/null
@@ -1,399 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
-import org.apache.directory.fortress.core.util.ObjUtil;
-import org.openldap.accelerator.api.addRole.RbacAddRoleRequest;
-import org.openldap.accelerator.api.addRole.RbacAddRoleRequestImpl;
-import org.openldap.accelerator.api.addRole.RbacAddRoleResponse;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequest;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessRequestImpl;
-import org.openldap.accelerator.api.checkAccess.RbacCheckAccessResponse;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionRequest;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionRequestImpl;
-import org.openldap.accelerator.api.createSession.RbacCreateSessionResponse;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequest;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionRequestImpl;
-import org.openldap.accelerator.api.deleteSession.RbacDeleteSessionResponse;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleRequest;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleRequestImpl;
-import org.openldap.accelerator.api.dropRole.RbacDropRoleResponse;
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequest;
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesRequestImpl;
-import org.openldap.accelerator.api.sessionRoles.RbacSessionRolesResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.model.VUtil;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-import java.util.ArrayList;
-import java.util.List;
-
-
-/**
- * Data access class for invoking RBAC Accelerator server-side operations.  This class utilizes
the openldap accelerator component for LDAPv3 extended operations.
- * This class follows the pattern of {@link org.apache.directory.fortress.core.AccessMgr}
except policy decisions are session state are made/stored on server-side and not client-side.
- * Its methods are not intended to be invoked by outside clients that should instead use
{@link org.apache.directory.fortress.core.rbac.AccelMgrImpl}.
- *
- * This class is thread safe.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-final class AcceleratorDAO extends ApacheDsDataProvider
-{
-    private static final Logger LOG = LoggerFactory.getLogger( AcceleratorDAO.class.getName()
);
-
-
-    /**
-     * Authenticate user and return sessionId inside {@link org.apache.directory.fortress.core.model.Session#sessionId}.
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#createSession(org.apache.directory.fortress.core.model.User,
boolean)}
-     * Success will result in rbac session state, i.e. {@link org.apache.directory.fortress.core.model.Session},
to be stored on server-side.
-     * Result may be stored inside RBAC server-side audit record and retrieved with {@link
org.apache.directory.fortress.core.AuditMgr#searchBinds(org.apache.directory.fortress.core.model.UserAudit)}
-     *
-     * It uses the {@link RbacCreateSessionRequest} and {@link RbacCreateSessionResponse}
accelerator APIs.
-     *
-     * todo: this method does not yet, but will soon, return password policy decisions.
-     *
-     * @param user
-     * @return session contains a valid sessionId captured from accelerator createSession
method.
-     *
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CREATE_SESSION_ERR}.
-     *
-     */
-    Session createSession( User user ) throws SecurityException
-    {
-        Session session = null;
-        LdapConnection ld = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            ld.setTimeOut( 0 );
-            // Create a new RBAC session
-            RbacCreateSessionRequest rbacCreateSessionRequest = new RbacCreateSessionRequestImpl();
-            //rbacCreateSessionRequest.setTenantId( "jts" );
-            rbacCreateSessionRequest.setTenantId( user.getContextId() );
-            rbacCreateSessionRequest.setUserIdentity( user.getUserId() );
-            rbacCreateSessionRequest.setPassword( new String( user.getPassword() ) );
-
-            if ( ObjUtil.isNotNullOrEmpty( user.getRoles() ) )
-            {
-                for ( UserRole userRole : user.getRoles() )
-                {
-                    rbacCreateSessionRequest.addRole( userRole.getName() );
-                }
-            }
-
-            // Send the request
-            RbacCreateSessionResponse rbacCreateSessionResponse = ( RbacCreateSessionResponse
) ld.extended(
-                rbacCreateSessionRequest );
-            LOG.debug( "createSession userId: {}, sessionId: {}, resultCode: {}",
-                user.getUserId(), rbacCreateSessionResponse.getSessionId(),
-                rbacCreateSessionResponse.getLdapResult().getResultCode() );
-            session = new Session( user, rbacCreateSessionResponse.getSessionId() );
-
-            if ( rbacCreateSessionResponse.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS
)
-            {
-                session.setAuthenticated( true );
-            }
-            else
-            {
-                session.setAuthenticated( false );
-                String info = "createSession UserId [" + user.getUserId() + "] failed: "
-                    + rbacCreateSessionResponse.getLdapResult() + " , resultCode: "
-                    + rbacCreateSessionResponse.getLdapResult().getResultCode().getResultCode();
-                throw new SecurityException( GlobalErrIds.USER_PW_INVLD, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "createSession userId [" + user.getUserId() + "] caught LDAPException="
+ " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_CREATE_SESSION_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return session;
-    }
-
-
-    /**
-     * Perform user rbac authorization.  This function returns a Boolean value meaning whether
the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid
if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS
data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned
to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId
correspond
-     * to the subject's active roles are registered in the object's access control list.
-     * It uses the {@link RbacCheckAccessRequest} and {@link RbacCheckAccessResponse} accelerator
APIs.
-     *
-     * @param session This object must be instantiated by calling {@link #createSession}
method before passing into the method.  No variables need to be set by client after returned
from createSession.
-     * @param perm  must contain the object, {@link org.apache.directory.fortress.core.model.Permission#objName},
and operation, {@link org.apache.directory.fortress.core.model.Permission#opName}, of permission
User is trying to access.
-     * @return True if user has access, false otherwise.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_CHECK_ACCESS_ERR}.
-     */
-    boolean checkAccess( Session session, Permission perm ) throws SecurityException
-    {
-        boolean result = false;
-        LdapConnection ld = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            RbacCheckAccessRequest rbacCheckAccessRequest = new RbacCheckAccessRequestImpl();
-            rbacCheckAccessRequest.setSessionId( session.getSessionId() );
-            rbacCheckAccessRequest.setObject( perm.getObjName() );
-
-            // objectId is optional
-            if ( StringUtils.isNotEmpty( perm.getObjId() ) )
-            {
-                rbacCheckAccessRequest.setObjectId( perm.getObjId() );
-            }
-
-            rbacCheckAccessRequest.setOperation( perm.getOpName() );
-            // Send the request
-            RbacCheckAccessResponse rbacCheckAccessResponse = ( RbacCheckAccessResponse )
ld.extended(
-                rbacCheckAccessRequest );
-            LOG.debug( "checkAccess result: {}", rbacCheckAccessResponse.getLdapResult().getResultCode()
);
-
-            result = rbacCheckAccessResponse.getLdapResult().getResultCode() == ResultCodeEnum.SUCCESS;
-        }
-        catch ( LdapException e )
-        {
-            String error = "checkAccess perm obj [" + perm.getObjName() + "], operation ["
+ perm.getOpName()
-                + "] caught LDAPException=" + " msg=" + e
-                    .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_CHECK_ACCESS_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return result;
-    }
-
-
-    /**
-     * Deactivate user role from rbac session
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#dropActiveRole(org.apache.directory.fortress.core.model.Session,
org.apache.directory.fortress.core.model.UserRole)}.
-     * Success will result in rbac session state to be modified inside server-side cache.
-     * It uses the {@link RbacDropRoleRequest} and {@link RbacDropRoleResponse} accelerator
APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession
method.
-     * @param userRole both the {@link org.apache.directory.fortress.core.model.UserRole#userId}
and {@link UserRole#name} fields must be set before invoking.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DROP_ROLE_ERR}.
-     */
-    void dropActiveRole( Session session, UserRole userRole ) throws SecurityException
-    {
-        LdapConnection ld = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            RbacDropRoleRequest dropRoleRequest = new RbacDropRoleRequestImpl();
-            dropRoleRequest.setSessionId( session.getSessionId() );
-            dropRoleRequest.setRole( userRole.getName() );
-            dropRoleRequest.setUserIdentity( userRole.getUserId() );
-            // Send the request
-            RbacDropRoleResponse rbacDropRoleResponse = ( RbacDropRoleResponse ) ld.extended(
-                dropRoleRequest );
-            LOG.debug( "dropActiveRole result: {}", rbacDropRoleResponse.getLdapResult().getResultCode()
);
-
-            if ( rbacDropRoleResponse.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS
)
-            {
-                String info = "dropActiveRole Role [" + userRole.getName() + "] User ["
-                    + session.getUserId() + "], not previously activated.";
-                throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "dropActiveRole role name [" + userRole.getName() + "] caught
LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_DROP_ROLE_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * Activate user role into rbac session
-     * This function follows the pattern from: {@link org.apache.directory.fortress.core.AccessMgr#addActiveRole(org.apache.directory.fortress.core.model.Session,
org.apache.directory.fortress.core.model.UserRole)}.
-     * Success will result in rbac session state to be modified inside server-side cache.
-     * It uses the {@link RbacAddRoleRequest} and {@link RbacAddRoleResponse} accelerator
APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession
method.
-     * @param userRole both the {@link org.apache.directory.fortress.core.model.UserRole#userId}
and {@link UserRole#name} fields must be set before invoking.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_ADD_ROLE_ERR}.
-     */
-    void addActiveRole( Session session, UserRole userRole ) throws SecurityException
-    {
-        LdapConnection ld = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            RbacAddRoleRequest addRoleRequest = new RbacAddRoleRequestImpl();
-            addRoleRequest.setSessionId( session.getSessionId() );
-            addRoleRequest.setRole( userRole.getName() );
-            addRoleRequest.setUserIdentity( userRole.getUserId() );
-            // Send the request
-            RbacAddRoleResponse rbacAddRoleResponse = ( RbacAddRoleResponse ) ld.extended(
-                addRoleRequest );
-            LOG.debug( "addActiveRole result: {}", rbacAddRoleResponse.getLdapResult().getResultCode()
);
-
-            if ( rbacAddRoleResponse.getLdapResult().getResultCode() != ResultCodeEnum.SUCCESS
)
-            {
-                String info;
-                int rc;
-
-                if ( rbacAddRoleResponse.getLdapResult().getResultCode() == ResultCodeEnum.ATTRIBUTE_OR_VALUE_EXISTS
)
-                {
-                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
-                        + session.getUserId() + "], already activated.";
-                    rc = GlobalErrIds.URLE_ALREADY_ACTIVE;
-                }
-                else
-                {
-                    info = "addActiveRole Role [" + userRole.getName() + "] User ["
-                        + session.getUserId() + "], not authorized for user.";
-                    rc = GlobalErrIds.URLE_ACTIVATE_FAILED;
-                }
-
-                throw new SecurityException( rc, info );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "addActiveRole role name [" + userRole.getName() + "] caught LDAPException="
+ " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_ADD_ROLE_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * Delete the stored session on rbac accelerator server.
-     * It uses the {@link RbacDeleteSessionRequest} and {@link RbacDeleteSessionResponse}
accelerator APIs.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession
method.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_DELETE_SESSION_ERR}.
-     */
-    void deleteSession( Session session ) throws SecurityException
-    {
-        LdapConnection ld = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            RbacDeleteSessionRequest deleteSessionRequest = new RbacDeleteSessionRequestImpl();
-            deleteSessionRequest.setSessionId( session.getSessionId() );
-            deleteSessionRequest.setUserIdentity( session.getUserId() );
-            // Send the request
-            RbacDeleteSessionResponse deleteSessionResponse = ( RbacDeleteSessionResponse
) ld.extended(
-                deleteSessionRequest );
-            LOG.debug( "deleteSession result: {}", deleteSessionResponse.getLdapResult().getResultCode()
);
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteSession caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_DELETE_SESSION_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * SessionRoles returns a list of UserRole's activated for user on rbac server.
-     * It uses the {@link RbacSessionRolesRequest} and {@link RbacSessionRolesResponse} accelerator
APIs.
-     *
-     * todo: This method does not yet, but will soon populate temporal constraints associated
with entities returned.
-     *
-     * @param session contains a valid sessionId captured from accelerator createSession
method.
-     * @return List of type UserRole.  May be null if user has no roles activated in session
stored - server side.
-     * @throws SecurityException rethrows {@code LdapException} with {@code GlobalErrIds.ACEL_SESSION_ROLES_ERR}.
-     */
-    List<UserRole> sessionRoles( Session session ) throws SecurityException
-    {
-        LdapConnection ld = null;
-        List<UserRole> userRoleList = null;
-
-        try
-        {
-            ld = getAdminConnection();
-            RbacSessionRolesRequest sessionRolesRequest = new RbacSessionRolesRequestImpl();
-            sessionRolesRequest.setSessionId( session.getSessionId() );
-            sessionRolesRequest.setUserIdentity( session.getUserId() );
-            // Send the request
-            RbacSessionRolesResponse sessionRolesResponse = ( RbacSessionRolesResponse )
ld.extended(
-                sessionRolesRequest );
-            LOG.debug( "sessionRoles result: {}", sessionRolesResponse.getLdapResult().getResultCode().getResultCode()
);
-
-            if ( ObjUtil.isNotNullOrEmpty( sessionRolesResponse.getRoles() ) )
-            {
-                userRoleList = new ArrayList<UserRole>();
-
-                for ( String roleNm : sessionRolesResponse.getRoles() )
-                {
-                    userRoleList.add( new UserRole( session.getUserId(), roleNm ) );
-                    // todo: add temporal constraints here
-                }
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "sessionRoles caught LDAPException=" + " msg=" + e
-                .getMessage();
-            throw new SecurityException( GlobalErrIds.ACEL_SESSION_ROLES_ERR, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return userRoleList;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/rbac/AccessMgrImpl.java
deleted file mode 100755
index 406b919..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AccessMgrImpl.java
+++ /dev/null
@@ -1,437 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.directory.fortress.core.AccessMgr;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-import org.apache.directory.fortress.core.model.UserRole;
-import org.apache.directory.fortress.core.model.VUtil;
-import org.apache.directory.fortress.core.util.ObjUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-
-
-/**
- * Implementation class that performs runtime access control operations on data objects of
type Fortress entities
- * This class performs runtime access control operations on objects that are provisioned
RBAC entities
- * that reside in LDAP directory.  These APIs map directly to similar named APIs specified
by ANSI and NIST
- * RBAC system functions.
- * Many of the java doc function descriptions found below were taken directly from ANSI INCITS
359-2004.
- * The RBAC Functional specification describes administrative operations for the creation
- * and maintenance of RBAC element sets and relations; administrative review functions for
- * performing administrative queries; and system functions for creating and managing
- * RBAC attributes on user sessions and making access control decisions.
- * <p/>
- * <hr>
- * <h4>RBAC0 - Core</h4>
- * Many-to-many relationship between Users, Roles and Permissions. Selective role activation
into sessions.  API to add, update, delete identity data and perform identity and access control
decisions during runtime operations.
- * <p/>
- * <img src="../doc-files/RbacCore.png">
- * <hr>
- * <h4>RBAC1 - General Hierarchical Roles</h4>
- * Simplifies role engineering tasks using inheritance of one or more parent roles.
- * <p/>
- * <img src="../doc-files/RbacHier.png">
- * <hr>
- * <h4>RBAC2 - Static Separation of Duty (SSD) Relations</h4>
- * Enforce mutual membership exclusions across role assignments.  Facilitate dual control
policies by restricting which roles may be assigned to users in combination.  SSD provide
added granularity for authorization limits which help enterprises meet strict compliance regulations.
- * <p/>
- * <img src="../doc-files/RbacSSD.png">
- * <hr>
- * <h4>RBAC3 - Dynamic Separation of Duty (DSD) Relations</h4>
- * Control allowed role combinations to be activated within an RBAC session.  DSD policies
fine tune role policies that facilitate authorization dual control and two man policy restrictions
during runtime security checks.
- * <p/>
- * <img src="../doc-files/RbacDSD.png">
- * <hr>
- * <p/>
- * This class is NOT thread safe if parent instance variables ({@link #contextId} or {@link
#adminSess}) are set.
- * <p/>
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-public class AccessMgrImpl extends Manageable implements AccessMgr
-{
-    private static final String CLS_NM = AccessMgrImpl.class.getName();
-    private static final UserP userP = new UserP();
-    private static final PermP permP = new PermP();
-
-    /**
-     * Perform user authentication only.  It does not activate RBAC roles in session but
will evaluate
-     * password policies.
-     *
-     * @param userId   Contains the userid of the user signing on.
-     * @param password Contains the user's password.
-     * @return Session object will be returned if authentication successful.  This will not
contain user's roles.
-     * @throws SecurityException in the event of data validation failure, security policy
violation or DAO error.
-     */
-    @Override
-    public Session authenticate( String userId, char[] password )
-        throws SecurityException
-    {
-        String methodName = "authenticate";
-        VUtil.assertNotNullOrEmpty( userId, GlobalErrIds.USER_ID_NULL, getFullMethodName(
CLS_NM, methodName ) );
-        VUtil.assertNotNullOrEmpty( password, GlobalErrIds.USER_PW_NULL, getFullMethodName(
CLS_NM, methodName ) );
-        User inUser = new User( userId );
-        inUser.setContextId( contextId );
-
-        // Determine if user valid.
-        User user = userP.read( inUser, false );
-        user.setPassword( password );
-        user.setContextId( contextId );
-        Session ftSess = userP.authenticate( user );
-        ftSess.setUser( user );
-        return ftSess;
-    }
-
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this
class.
-     * The successful result is {@link Session} that contains target user's RBAC {@link User#roles}
and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy
checks {@link User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.apache.directory.fortress.core.model.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a
href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10">password policy
evaluation</a>.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link User#isLocked()},
regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.apache.directory.fortress.core.util.time.Constraint}(s)
on {@link User}, {@link org.apache.directory.fortress.core.model.UserRole} and {@link org.apache.directory.fortress.core.model.UserAdminRole}
entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.apache.directory.fortress.core.rbac.DSDChecker#validate(Session,
org.apache.directory.fortress.core.util.time.Constraint, org.apache.directory.fortress.core.util.time.Time)}
on {@link User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link Session} containing {@link Session#getUser()}, {@link Session#getRoles()}
and (if admin user) {@link Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.apache.directory.fortress.core.SecurityException}
or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link org.apache.directory.fortress.core.PasswordException} for
authentication and password policy violations.
-     * <li> throw a {@link org.apache.directory.fortress.core.ValidationException}
for data validation errors.
-     * <li> throw a {@link org.apache.directory.fortress.core.FinderException} if User
id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for
that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link User#password}
-     * <li> {@link User#roles} contains a list of RBAC role names authorized for user
and targeted for activation within this session.  Default is all authorized RBAC roles will
be activated into this Session.
-     * <li> {@link User#adminRoles} contains a list of Admin role names authorized
for user and targeted for activation.  Default is all authorized ARBAC roles will be activated
into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of
User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be
activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity
setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param user Contains {@link User#userId}, {@link User#password} (optional if {@code
isTrusted} is 'true'), optional {@link User#roles}, optional {@link User#adminRoles}
-     * @param isTrusted if true password is not required.
-     * @return Session object will contain authentication result code {@link Session#errorId},
RBAC role activations {@link Session#getRoles()}, Admin Role activations {@link Session#getAdminRoles()},OpenLDAP
pw policy codes {@link Session#warnings}, {@link Session#expirationSeconds}, {@link Session#graceLogins}
and more.
-     * @throws SecurityException in the event of data validation failure, security policy
violation or DAO error.
-     */
-    @Override
-    public Session createSession( User user, boolean isTrusted )
-        throws SecurityException
-    {
-        String methodName = "createSession";
-        assertContext( CLS_NM, methodName, user, GlobalErrIds.USER_NULL );
-
-        return userP.createSession( user, isTrusted );
-    }
-
-
-    /**
-     * Perform user rbac authorization.  This function returns a Boolean value meaning whether
the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid
if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS
data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned
to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId
correspond
-     * to the subject's active roles are registered in the object's access control list.
-     *
-     * @param perm  must contain the object, {@link org.apache.directory.fortress.core.model.Permission#objName},
and operation, {@link org.apache.directory.fortress.core.model.Permission#opName}, of permission
User is trying to access.
-     * @param session This object must be instantiated by calling {@link AccessMgrImpl#createSession}
method before passing into the method.  No variables need to be set by client after returned
from createSession.
-     * @return True if user has access, false otherwise.
-     * @throws SecurityException in the event of data validation failure, security policy
violation or DAO error.
-     */
-    @Override
-    public boolean checkAccess( Session session, Permission perm )
-        throws SecurityException
-    {
-        String methodName = "checkAccess";
-        assertContext( CLS_NM, methodName, perm, GlobalErrIds.PERM_NULL );
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        VUtil.assertNotNullOrEmpty( perm.getOpName(), GlobalErrIds.PERM_OPERATION_NULL,
-            getFullMethodName( CLS_NM, methodName ) );
-        VUtil.assertNotNullOrEmpty( perm.getObjName(), GlobalErrIds.PERM_OBJECT_NULL,
-            getFullMethodName( CLS_NM, methodName ) );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
-        return permP.checkPermission( session, perm );
-    }
-
-
-    /**
-     * This function returns the permissions of the session, i.e., the permissions assigned
-     * to its authorized roles. The function is valid if and only if the session is a valid
Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @return List<Permission> containing permissions (op, obj) active for user's
session.
-     * @throws SecurityException in the event runtime error occurs with system.
-     */
-    @Override
-    public List<Permission> sessionPermissions( Session session )
-        throws SecurityException
-    {
-        String methodName = "sessionPermissions";
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
-        return permP.search( session );
-    }
-
-
-    /**
-     * This function returns the active roles associated with a session. The function is
valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @return List<UserRole> containing all roles active in user's session.  This
will NOT contain inherited roles.
-     * @throws SecurityException
-     *          is thrown if session invalid or system. error.
-     */
-    @Override
-    public List<UserRole> sessionRoles( Session session )
-        throws SecurityException
-    {
-        String methodName = "sessionRoles";
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
-        return session.getRoles();
-    }
-
-
-    /**
-     * This function returns the authorized roles associated with a session based on hierarchical
relationships. The function is valid if
-     * and only if the session is a valid Fortress session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @return Set<String> containing all roles active in user's session.  This will
contain inherited roles.
-     * @throws SecurityException is thrown if session invalid or system. error.
-     */
-    @Override
-    public Set<String> authorizedRoles( Session session )
-        throws SecurityException
-    {
-        String methodName = "authorizedRoles";
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        VUtil.assertNotNull( session.getUser(), GlobalErrIds.USER_NULL, CLS_NM + ".authorizedRoles"
);
-        CUtil.validateConstraints( session, CUtil.ConstraintType.USER, false );
-        CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
-        return RoleUtil.getInheritedRoles( session.getRoles(), this.contextId );
-    }
-
-
-    /**
-     * This function adds a role as an active role of a session whose owner is a given user.
-     * <p>
-     * The function is valid if and only if:
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the role is a member of the ROLES data set
-     * <li> the role inclusion does not violate Dynamic Separation of Duty Relationships
-     * <li> the session is a valid Fortress session
-     * <li> the user is authorized to that role
-     * <li> the session is owned by that user.
-     * </ul>
-     * </p>
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @param role object contains the role name, {@link UserRole#name}, to be activated
into session.
-     * @throws SecurityException is thrown if user is not allowed to activate or runtime
error occurs with system.
-     */
-    @Override
-    public void addActiveRole( Session session, UserRole role )
-        throws SecurityException
-    {
-        String methodName = "addActiveRole";
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        assertContext( CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL );
-        role.setUserId( session.getUserId() );
-        List<UserRole> uRoles;
-        List<UserRole> sRoles = session.getRoles();
-        // If session already has same role activated:
-        if ( sRoles != null && sRoles.contains( role ) )
-        {
-            String info = getFullMethodName( CLS_NM, methodName ) + " User [" + session.getUserId()
+ "] Role ["
-                + role.getName() + "] role already activated.";
-            throw new SecurityException( GlobalErrIds.URLE_ALREADY_ACTIVE, info );
-        }
-
-        User inUser = new User( session.getUserId() );
-        inUser.setContextId( this.contextId );
-        User ue = userP.read( inUser, true );
-        uRoles = ue.getRoles();
-        int indx;
-        // Is the role activation target valid for this user?
-        if ( !ObjUtil.isNotNullOrEmpty( uRoles ) || ( ( indx = uRoles.indexOf( role ) ) ==
-1 ) )
-        {
-            String info = getFullMethodName( CLS_NM, methodName ) + " Role [" + role.getName()
+ "] User ["
-                + session.getUserId() + "] role not authorized for user.";
-            throw new SecurityException( GlobalErrIds.URLE_ACTIVATE_FAILED, info );
-        }
-
-        // validate Dynamic Separation of Duty Relations:
-        SDUtil.validateDSD( session, role );
-
-        // set the role to the session:
-        session.setRole( uRoles.get( indx ) );
-
-        // Check role temporal constraints & DSD:
-        CUtil.validateConstraints( session, CUtil.ConstraintType.ROLE, false );
-    }
-
-
-    /**
-     * This function deletes a role from the active role set of a session owned by a given
user.
-     * The function is valid if and only if the user is a member of the USERS data set, the
-     * session object contains a valid Fortress session, the session is owned by the user,
-     * and the role is an active role of that session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @param role object contains the role name, {@link UserRole#name}, to be deactivated.
-     * @throws SecurityException is thrown if user is not allowed to deactivate or runtime
error occurs with system.
-     */
-    @Override
-    public void dropActiveRole( Session session, UserRole role )
-        throws SecurityException
-    {
-        String methodName = "dropActiveRole";
-        assertContext( CLS_NM, methodName, session, GlobalErrIds.USER_SESS_NULL );
-        assertContext( CLS_NM, methodName, role, GlobalErrIds.ROLE_NULL );
-        role.setUserId( session.getUserId() );
-        List<UserRole> roles = session.getRoles();
-        VUtil
-            .assertNotNull( roles, GlobalErrIds.URLE_DEACTIVE_FAILED, CLS_NM + getFullMethodName(
CLS_NM, methodName ) );
-        int indx = roles.indexOf( role );
-        if ( indx != -1 )
-        {
-            roles.remove( role );
-        }
-        else
-        {
-            String info = getFullMethodName( CLS_NM, methodName ) + " Role [" + role.getName()
+ "] User ["
-                + session.getUserId() + "], not previously activated";
-            throw new SecurityException( GlobalErrIds.URLE_NOT_ACTIVE, info );
-        }
-    }
-
-
-    /**
-     * This function returns the userId value that is contained within the session object.
-     * The function is valid if and only if the session object contains a valid Fortress
session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @return The userId value
-     * @throws SecurityException is thrown if user session not active or runtime error occurs
with system.
-     */
-    @Override
-    public String getUserId( Session session )
-        throws SecurityException
-    {
-        assertContext( CLS_NM, "getUserId", session, GlobalErrIds.USER_SESS_NULL );
-        return session.getUserId();
-    }
-
-
-    /**
-     * This function returns the user object that is contained within the session object.
-     * The function is valid if and only if the session object contains a valid Fortress
session.
-     *
-     * @param session object contains the user's returned RBAC session from the createSession
method.
-     * @return The user value
-     *         Sample User data contained in Session object:
-     *         <ul> <code>Session</code>
-     *         <li> <code>session.getUserId() => demoUser4</code>
-     *         <li> <code>session.getInternalUserId() => be2dd2e:12a82ba707e:-7fee</code>
-     *         <li> <code>session.getMessage() => Fortress checkPwPolicies
userId <demouser4> VALIDATION GOOD</code>
-     *         <li> <code>session.getErrorId() => 0</code>
-     *         <li> <code>session.getWarningId() => 11</code>
-     *         <li> <code>session.getExpirationSeconds() => 469831</code>
-     *         <li> <code>session.getGraceLogins() => 0</code>
-     *         <li> <code>session.getIsAuthenticated() => true</code>
-     *         <li> <code>session.getLastAccess() => 1283623680440</code>
-     *         <li> <code>session.getSessionId() => -7410986f:12addeea576:-7fff</code>
-     *         <li>  ------------------------------------------
-     *         <li> <code>User user = session.getUser();</code>
-     *         <ul> <li> <code>user.getUserId() => demoUser4</code>
-     *         <li> <code>user.getInternalId() => be2dd2e:12a82ba707e:-7fee</code>
-     *         <li> <code>user.getCn() => JoeUser4</code>
-     *         <li> <code>user.getDescription() => Demo Test User 4</code>
-     *         <li> <code>user.getOu() => test</code>
-     *         <li> <code>user.getSn() => User4</code>
-     *         <li> <code>user.getBeginDate() => 20090101</code>
-     *         <li> <code>user.getEndDate() => none</code>
-     *         <li> <code>user.getBeginLockDate() => none</code>
-     *         <li> <code>user.getEndLockDate() => none</code>
-     *         <li> <code>user.getDayMask() => 1234567</code>
-     *         <li> <code>user.getTimeout() => 60</code>
-     *         <li> <code>List<UserRole> roles = session.getRoles();</code>
-     *         <ul> <li><code>UserRole userRole = roles.get(i);</code>
-     *         <li> <code>userRole.getName() => role1</code>
-     *         <li> <code>userRole.getBeginTime() => 0000</code>
-     *         <li> <code>userRole.getEndTime() => 0000</code>
-     *         <li> <code>userRole.getBeginDate() => none</code>
-     *         <li> <code>userRole.getEndDate() => none</code>
-     *         <li> <code>userRole.getBeginLockDate() => null</code>
-     *         <li> <code>userRole.getEndLockDate() => null</code>
-     *         <li> <code>userRole.getDayMask() => null</code>
-     *         <li> <code>userRole.getTimeout() => 0</code>
-     *         </ul>
-     *         </ul>
-     *         </ul>
-     * @throws SecurityException is thrown if user session not active or runtime error occurs
with system.
-     */
-    @Override
-    public User getUser( Session session )
-        throws SecurityException
-    {
-        assertContext( CLS_NM, "getUser", session, GlobalErrIds.USER_SESS_NULL );
-
-        return session.getUser();
-    }
-}
\ No newline at end of file

