directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject [31/51] [partial] directory-fortress-core git commit: FC-109 - rename rbac package to impl
Date Tue, 02 Jun 2015 18:36:56 GMT
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
deleted file mode 100755
index d6fa79f..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleDAO.java
+++ /dev/null
@@ -1,696 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-
-import java.util.ArrayList;
-import java.util.List;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.directory.api.ldap.model.constants.SchemaConstants;
-import org.apache.directory.api.ldap.model.cursor.CursorException;
-import org.apache.directory.api.ldap.model.cursor.SearchCursor;
-import org.apache.directory.api.ldap.model.entry.DefaultEntry;
-import org.apache.directory.api.ldap.model.entry.DefaultModification;
-import org.apache.directory.api.ldap.model.entry.Entry;
-import org.apache.directory.api.ldap.model.entry.Modification;
-import org.apache.directory.api.ldap.model.entry.ModificationOperation;
-import org.apache.directory.api.ldap.model.exception.LdapException;
-import org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException;
-import org.apache.directory.api.ldap.model.exception.LdapNoSuchObjectException;
-import org.apache.directory.api.ldap.model.message.SearchScope;
-import org.apache.directory.fortress.core.CreateException;
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.model.ObjectFactory;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.UpdateException;
-import org.apache.directory.fortress.core.ldap.ApacheDsDataProvider;
-import org.apache.directory.fortress.core.model.AdminRole;
-import org.apache.directory.fortress.core.model.Graphable;
-import org.apache.directory.fortress.core.model.Role;
-import org.apache.directory.fortress.core.model.VUtil;
-import org.apache.directory.fortress.core.util.ObjUtil;
-import org.apache.directory.fortress.core.util.time.CUtil;
-import org.apache.directory.ldap.client.api.LdapConnection;
-
-
-/**
- * The AdminRoleDAO is called by {@link AdminRoleP} and processes data via its entity {@link org.apache.directory.fortress.core.model.AdminRole}.
- * <p/>
- * The Fortress AdminRoleDAO uses the following other Fortress structural and aux object classes:
- * <h4>1. ftRls Structural objectclass is used to store the AdminRole information like name, and temporal constraints</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass    ( 1.3.6.1.4.1.38088.2.1</code>
- * <li> <code>NAME 'ftRls'</code>
- * <li> <code>DESC 'Fortress Role Object Class'</code>
- * <li> <code>SUP organizationalrole</code>
- * <li> <code>STRUCTURAL</code>
- * <li> <code>MUST ( ftId $ ftRoleName )</code>
- * <li> <code>MAY ( description $ ftCstr ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>2. ftProperties AUXILIARY Object Class is used to store client specific name/value pairs on target entity</h4>
- * <code># This aux object class can be used to store custom attributes.</code><br />
- * <code># The properties collections consist of name/value pairs and are not constrainted by Fortress.</code><br />
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.2</code>
- * <li> <code>NAME 'ftProperties'</code>
- * <li> <code>DESC 'Fortress Properties AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftProps ) ) </code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>3. ftPools Auxiliary object class store the ARBAC Perm and User OU assignments on AdminRole entity</h4>
- * <ul>
- * <li>  ------------------------------------------
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.3</code>
- * <li> <code>NAME 'ftPools'</code>
- * <li> <code>DESC 'Fortress Pools AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY ( ftOSU $ ftOSP ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <h4>4. ftMods AUXILIARY Object Class is used to store Fortress audit variables on target entity</h4>
- * <ul>
- * <li> <code>objectclass ( 1.3.6.1.4.1.38088.3.4</code>
- * <li> <code>NAME 'ftMods'</code>
- * <li> <code>DESC 'Fortress Modifiers AUX Object Class'</code>
- * <li> <code>AUXILIARY</code>
- * <li> <code>MAY (</code>
- * <li> <code>ftModifier $</code>
- * <li> <code>ftModCode $</code>
- * <li> <code>ftModId ) )</code>
- * <li>  ------------------------------------------
- * </ul>
- * <p/>
- * This class is thread safe.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-final class AdminRoleDAO extends ApacheDsDataProvider
-{
-    private static final String ROLE_OCCUPANT = "roleOccupant";
-    private static final String ROLE_OSP = "ftOSP";
-    private static final String ROLE_OSU = "ftOSU";
-    private static final String ROLE_RANGE = "ftRange";
-    private static final String POOLS_AUX_OBJECT_CLASS_NAME = "ftPools";
-    private static final String ADMIN_ROLE_OBJ_CLASS[] =
-        {
-            SchemaConstants.TOP_OC,
-            GlobalIds.ROLE_OBJECT_CLASS_NM,
-            GlobalIds.PROPS_AUX_OBJECT_CLASS_NAME,
-            POOLS_AUX_OBJECT_CLASS_NAME,
-            GlobalIds.FT_MODIFIER_AUX_OBJECT_CLASS_NAME
-    };
-    private static final String ROLE_NM = "ftRoleName";
-    private static final String[] ROLE_NM_ATR =
-        {
-            ROLE_NM
-    };
-
-    private static final String[] ROLE_ATRS =
-        {
-            GlobalIds.FT_IID,
-            ROLE_NM,
-            SchemaConstants.DESCRIPTION_AT,
-            GlobalIds.CONSTRAINT,
-            ROLE_OCCUPANT,
-            ROLE_OSP,
-            ROLE_OSU,
-            ROLE_RANGE,
-            GlobalIds.PARENT_NODES
-    };
-
-
-    /**
-     * Create a new AdminRole entity using supplied data.  Required attribute is {@link org.apache.directory.fortress.core.model.AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws org.apache.directory.fortress.core.CreateException in the event LDAP errors occur.
-     */
-    AdminRole create( AdminRole entity ) throws CreateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            Entry entry = new DefaultEntry( dn );
-
-            entry.add( SchemaConstants.OBJECT_CLASS_AT, ADMIN_ROLE_OBJ_CLASS );
-            entity.setId();
-            entry.add( GlobalIds.FT_IID, entity.getId() );
-            entry.add( ROLE_NM, entity.getName() );
-
-            // description field is optional on this object class:
-            if ( StringUtils.isNotEmpty( entity.getDescription() ) )
-            {
-                entry.add( SchemaConstants.DESCRIPTION_AT, entity.getDescription() );
-            }
-
-            // CN attribute is required for this object class:
-            entry.add( SchemaConstants.CN_AT, entity.getName() );
-            entry.add( GlobalIds.CONSTRAINT, CUtil.setConstraint( entity ) );
-            loadAttrs( entity.getOsP(), entry, ROLE_OSP );
-            loadAttrs( entity.getOsU(), entry, ROLE_OSU );
-            String szRaw = entity.getRoleRangeRaw();
-
-            if ( StringUtils.isNotEmpty( szRaw ) )
-            {
-                entry.add( ROLE_RANGE, szRaw );
-            }
-
-            // These multi-valued attributes are optional.  The utility function will return quietly if no items are loaded into collection:
-            loadAttrs( entity.getParents(), entry, GlobalIds.PARENT_NODES );
-
-            ld = getAdminConnection();
-            add( ld, entry, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "create role [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new CreateException( GlobalErrIds.ARLE_ADD_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * Update existing AdminRole entity using supplied data.  Required attribute is {@link AdminRole#name}.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains AdminRole data.  Null attributes will be ignored.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole update( AdminRole entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-
-            if ( StringUtils.isNotEmpty( entity.getDescription() ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE,
-                    SchemaConstants.DESCRIPTION_AT, entity.getDescription() ) );
-            }
-
-            if ( ObjUtil.isNotNullOrEmpty( entity.getOccupants() ) )
-            {
-                for ( String name : entity.getOccupants() )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REPLACE_ATTRIBUTE, ROLE_OCCUPANT, name ) );
-                }
-            }
-
-            if ( entity.isTemporalSet() )
-            {
-                String szRawData = CUtil.setConstraint( entity );
-
-                if ( StringUtils.isNotEmpty( szRawData ) )
-                {
-                    mods.add( new DefaultModification(
-                        ModificationOperation.REPLACE_ATTRIBUTE, GlobalIds.CONSTRAINT, szRawData ) );
-                }
-            }
-
-            loadAttrs( entity.getOsU(), mods, ROLE_OSU );
-            loadAttrs( entity.getOsP(), mods, ROLE_OSP );
-            String szRaw = entity.getRoleRangeRaw();
-
-            if ( StringUtils.isNotEmpty( szRaw ) )
-            {
-                mods.add( new DefaultModification(
-                    ModificationOperation.REPLACE_ATTRIBUTE, ROLE_RANGE, szRaw ) );
-            }
-
-            loadAttrs( entity.getParents(), mods, GlobalIds.PARENT_NODES );
-
-            if ( mods.size() > 0 )
-            {
-                ld = getAdminConnection();
-                modify( ld, dn, mods, entity );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "update name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_UPDATE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     *
-     * @param entity
-     * @throws UpdateException
-     */
-    void deleteParent( AdminRole entity ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.REMOVE_ATTRIBUTE, GlobalIds.PARENT_NODES ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deleteParent name [" + entity.getName() + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_REMOVE_PARENT_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will add the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being assigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole assign( AdminRole entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification( ModificationOperation.ADD_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "assign role name [" + entity.getName() + "] user dn [" + userDn + "] caught LdapException="
-                + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_ASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * This method will remove the supplied DN as a role occupant to the target record.
-     * This data will be stored in the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param entity record contains {@link AdminRole#name}.  Null attributes will be ignored.
-     * @param userDn contains the DN for userId who is being deassigned.
-     * @return input record back to client.
-     * @throws UpdateException in the event LDAP errors occur.
-     */
-    AdminRole deassign( AdminRole entity, String userDn ) throws UpdateException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( entity );
-
-        try
-        {
-            List<Modification> mods = new ArrayList<Modification>();
-            mods.add( new DefaultModification(
-                ModificationOperation.REMOVE_ATTRIBUTE, ROLE_OCCUPANT, userDn ) );
-            ld = getAdminConnection();
-            modify( ld, dn, mods, entity );
-        }
-        catch ( LdapException e )
-        {
-            String error = "deassign role name [" + entity.getName() + "] user dn [" + userDn
-                + "] caught LdapException=" + e.getMessage();
-            throw new UpdateException( GlobalErrIds.ARLE_USER_DEASSIGN_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-        return entity;
-    }
-
-
-    /**
-     * This method will completely remove the AdminRole from the directory.  It will use {@link AdminRole#name} as key.
-     * This operation is performed on the {@link GlobalIds#ADMIN_ROLE_ROOT} container.
-     *
-     * @param role record contains {@link AdminRole#name}.
-     * @throws RemoveException in the event LDAP errors occur.
-     */
-    void remove( AdminRole role ) throws RemoveException
-    {
-        LdapConnection ld = null;
-        String dn = getDn( role );
-
-        try
-        {
-            ld = getAdminConnection();
-            delete( ld, dn, role );
-        }
-        catch ( LdapException e )
-        {
-            String error = "remove role name=" + role.getName() + " LdapException=" + e.getMessage();
-            throw new RemoveException( GlobalErrIds.ARLE_DELETE_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-    }
-
-
-    /**
-     * This method will retrieve the AdminRole from {@link GlobalIds#ADMIN_ROLE_ROOT} container by name.
-     *
-     * @param adminRole maps to {@link AdminRole#name}.
-     * @return AdminRole back to client.
-     * @throws FinderException in the event LDAP errors occur.
-     */
-    AdminRole getRole( AdminRole adminRole ) throws FinderException
-    {
-        AdminRole entity = null;
-        LdapConnection ld = null;
-        String dn = getDn( adminRole );
-
-        try
-        {
-            ld = getAdminConnection();
-            Entry findEntry = read( ld, dn, ROLE_ATRS );
-            if ( findEntry != null )
-            {
-                entity = unloadLdapEntry( findEntry, 0, adminRole.getContextId() );
-            }
-            if ( entity == null )
-            {
-                String warning = "getRole name [" + adminRole.getName() + "] no entry found dn [" + dn + "]";
-                throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning );
-            }
-        }
-        catch ( LdapNoSuchObjectException e )
-        {
-            String warning = "getRole name [" + adminRole.getName() + "] Obj COULD NOT FIND ENTRY for dn [" + dn
-                + "]";
-            throw new FinderException( GlobalErrIds.ARLE_NOT_FOUND, warning, e );
-        }
-        catch ( LdapException e )
-        {
-            String error = "getRole dn [" + dn + "] LEXCD=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_READ_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return entity;
-    }
-
-
-    /**
-     * @param adminRole
-     * @return
-     * @throws FinderException
-     *
-     */
-    List<AdminRole> findRoles( AdminRole adminRole ) throws FinderException
-    {
-        List<AdminRole> roleList = new ArrayList<AdminRole>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-
-        try
-        {
-            String searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                roleList.add( unloadLdapEntry( searchResults.getEntry(), sequence++, adminRole.getContextId() ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles name [" + adminRole.getName() + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles name [" + adminRole.getName() + "] caught CursorException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     * @param adminRole
-     * @param limit
-     * @return
-     * @throws FinderException
-     *
-     */
-    List<String> findRoles( AdminRole adminRole, int limit ) throws FinderException
-    {
-        List<String> roleList = new ArrayList<String>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-        String filter;
-        String searchVal = null;
-
-        try
-        {
-            searchVal = encodeSafeText( adminRole.getName(), GlobalIds.ROLE_LEN );
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + ROLE_NM + "=" + searchVal + "*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE, limit );
-
-            while ( searchResults.next() )
-            {
-                Entry entry = searchResults.getEntry();
-                roleList.add( getAttribute( entry, ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findRoles name [" + searchVal + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findRoles name [" + searchVal + "] caught CursorException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleList;
-    }
-
-
-    /**
-     * @param userDn
-     * @return
-     * @throws FinderException
-     */
-    List<String> findAssignedRoles( String userDn, String contextId ) throws FinderException
-    {
-        List<String> roleNameList = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-
-        try
-        {
-            String filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")";
-            filter += "(" + ROLE_OCCUPANT + "=" + userDn + "))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, ROLE_NM_ATR, false, GlobalIds.BATCH_SIZE );
-
-            while ( searchResults.next() )
-            {
-                roleNameList.add( getAttribute( searchResults.getEntry(), ROLE_NM ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "findAssignedRoles userDn [" + userDn + "] caught CursorException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_OCCUPANT_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return roleNameList;
-    }
-
-
-    /**
-      *
-      * @param contextId
-      * @return
-      * @throws FinderException
-      */
-    List<Graphable> getAllDescendants( String contextId )
-        throws FinderException
-    {
-        String[] DESC_ATRS =
-            { ROLE_NM, GlobalIds.PARENT_NODES };
-        List<Graphable> descendants = new ArrayList<>();
-        LdapConnection ld = null;
-        String roleRoot = getRootDn( contextId, GlobalIds.ADMIN_ROLE_ROOT );
-        String filter = null;
-
-        try
-        {
-            filter = GlobalIds.FILTER_PREFIX + GlobalIds.ROLE_OBJECT_CLASS_NM + ")("
-                + GlobalIds.PARENT_NODES + "=*))";
-            ld = getAdminConnection();
-            SearchCursor searchResults = search( ld, roleRoot,
-                SearchScope.ONELEVEL, filter, DESC_ATRS, false, GlobalIds.BATCH_SIZE );
-            long sequence = 0;
-
-            while ( searchResults.next() )
-            {
-                descendants.add( unloadDescendants( searchResults.getEntry(), sequence++ ) );
-            }
-        }
-        catch ( LdapException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught LdapException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        catch ( CursorException e )
-        {
-            String error = "getAllDescendants filter [" + filter + "] caught CursorException=" + e.getMessage();
-            throw new FinderException( GlobalErrIds.ARLE_SEARCH_FAILED, error, e );
-        }
-        finally
-        {
-            closeAdminConnection( ld );
-        }
-
-        return descendants;
-    }
-
-
-    /**
-    *
-    * @param le
-    * @param sequence
-    * @return
-     * @throws LdapInvalidAttributeValueException 
-    * @throws LdapException
-    */
-    private Graphable unloadDescendants( Entry le, long sequence )
-        throws LdapInvalidAttributeValueException
-    {
-        Role entity = new ObjectFactory().createRole();
-        entity.setSequenceId( sequence );
-        entity.setName( getAttribute( le, ROLE_NM ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        return entity;
-    }
-
-
-    /**
-     * @param le
-     * @return
-     * @throws LdapInvalidAttributeValueException 
-     * @throws LdapException
-     */
-    private AdminRole unloadLdapEntry( Entry le, long sequence, String contextId )
-        throws LdapInvalidAttributeValueException
-    {
-        AdminRole entity = new ObjectFactory().createAdminRole();
-        entity.setSequenceId( sequence );
-        entity.setId( getAttribute( le, GlobalIds.FT_IID ) );
-        entity.setDescription( getAttribute( le, SchemaConstants.DESCRIPTION_AT ) );
-        entity.setOccupants( getAttributes( le, ROLE_OCCUPANT ) );
-        entity.setOsP( getAttributeSet( le, ROLE_OSP ) );
-        entity.setOsU( getAttributeSet( le, ROLE_OSU ) );
-        entity.setName( getAttribute( le, SchemaConstants.CN_AT ) );
-        unloadTemporal( le, entity );
-        entity.setRoleRangeRaw( getAttribute( le, ROLE_RANGE ) );
-        entity.setParents( getAttributeSet( le, GlobalIds.PARENT_NODES ) );
-        entity.setChildren( AdminRoleUtil.getChildren( entity.getName().toUpperCase(), contextId ) );
-        return entity;
-    }
-
-
-    private String getDn( AdminRole adminRole )
-    {
-        return SchemaConstants.CN_AT + "=" + adminRole.getName() + ","
-            + getRootDn( adminRole.getContextId(), GlobalIds.ADMIN_ROLE_ROOT );
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
deleted file mode 100755
index fb0269b..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleP.java
+++ /dev/null
@@ -1,424 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-
-import java.util.List;
-import java.util.Set;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.directory.fortress.core.model.AdminRole;
-import org.apache.directory.fortress.core.model.Graphable;
-import org.apache.directory.fortress.core.model.OrgUnit;
-import org.apache.directory.fortress.core.model.UserAdminRole;
-import org.apache.directory.fortress.core.util.ObjUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import org.apache.directory.fortress.core.FinderException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.RemoveException;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.model.VUtil;
-
-
-/**
- * Process module for the AdminRole entity.  This class performs data validations and error mapping.  It is typically called
- * by internal Fortress delegated manager classes ({@link DelAdminMgrImpl}, {@link DelAccessMgrImpl},
- * {@link DelReviewMgrImpl}, ...) and not intended for external non-Fortress clients.  This class will accept,
- * {@link org.apache.directory.fortress.core.model.AdminRole}, validate its contents and forward on to it's corresponding DAO class {@link AdminRoleDAO}.
- * <p>
- * Class will throw {@link SecurityException} to caller in the event of security policy, data constraint violation or system
- * error internal to DAO object. This class will forward DAO exceptions ({@link org.apache.directory.fortress.core.FinderException},
- * {@link org.apache.directory.fortress.core.CreateException},{@link org.apache.directory.fortress.core.UpdateException},{@link org.apache.directory.fortress.core.RemoveException}),
- *  or {@link org.apache.directory.fortress.core.ValidationException} as {@link SecurityException}s with appropriate
- * error id from {@link GlobalErrIds}.
- * <p>
- * This class is thread safe.
- * <p/>
-
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-public final class AdminRoleP
-{
-    private static final String CLS_NM = AdminRoleP.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-    private static final AdminRoleDAO rDao = new AdminRoleDAO();
-    private static final OrgUnitP op = new OrgUnitP();
-
-    /**
-     * Package private constructor.
-     */
-    AdminRoleP()
-    {
-    }
-
-
-    /**
-     * Return a fully populated Admin Role entity for a given Admin Role name.  If matching record not found a
-     * SecurityException will be thrown.
-     *
-     * @param adminRole contains full Admin Role name.
-     * @return AdminRole entity containing all attributes associated with Administrative Role in directory.
-     * @throws SecurityException in the event AdminRole not found or DAO search error.
-     */
-    AdminRole read( AdminRole adminRole ) throws SecurityException
-    {
-        return rDao.getRole( adminRole );
-    }
-
-
-    /**
-     * Takes a search string that contains full or partial Admin Role name in directory.
-     *
-     * @param adminRole contains full or partial Admin role name.
-     * @return List of type Role containing fully populated matching Admin Role entities.  If no records found this will be empty.
-     * @throws SecurityException in the event of DAO search error.
-     */
-    List<AdminRole> search( AdminRole adminRole )
-        throws SecurityException
-    {
-        return rDao.findRoles( adminRole );
-    }
-
-
-    /**
-     * Takes a search string that contains full or partial Admin Role name in directory.
-     *
-     * @param adminRole contains full or partial Admin role name.
-     * @param limit     specify the max number of records to return in result set.
-     * @return List of type String containing Admin Role name of all matching User entities.  If no records found this will be empty.
-     * @throws SecurityException in the event of DAO search error.
-     */
-    List<String> search( AdminRole adminRole, int limit )
-        throws SecurityException
-    {
-        return rDao.findRoles( adminRole, limit );
-    }
-
-
-    /**
-     * Return all AdminRoles that have a parent assignment.  This used for hierarchical processing.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return List of type AdminRole containing {@link AdminRole#name} and {@link AdminRole#parents} populated.
-     * @throws SecurityException in the event of DAO search error.
-     */
-    List<Graphable> getAllDescendants( String contextId )
-        throws SecurityException
-    {
-        return rDao.getAllDescendants( contextId );
-    }
-
-
-    /**
-     * Adds a new Admin Role entity to directory.  The Role entity input object will be validated to ensure that:
-     * role name is present, and reasonability checks on all of the other populated values.
-     *
-     * @param entity Admin Role entity contains data targeted for insertion.
-     * @return AdminRole entity copy of input + additional attributes (internalId) that were added by op.
-     * @throws SecurityException in the event of data validation or DAO system error.
-     */
-    AdminRole add( AdminRole entity )
-        throws SecurityException
-    {
-        validate( entity );
-        return rDao.create( entity );
-    }
-
-
-    /**
-     * Updates existing AdminRole entity in directory.  For example the AdminRole description and temporal constraints
-     * updated.
-     *
-     * @param entity Admin Role entity contains data targeted for updating.
-     * @return AdminRole entity contains fully populated updated entity.
-     * @throws SecurityException in the event of data validation or DAO system error.
-     */
-    AdminRole update( AdminRole entity ) throws SecurityException
-    {
-        validate( entity );
-        AdminRole updateEntity = rDao.update( entity );
-        return read( updateEntity );
-    }
-
-
-    /**
-     * Removes parent role assignments from Role entity in directory.
-     * updated.
-     *
-     * @param entity Admin Role entity contains data targeted for updating.
-     * @throws SecurityException in the event of data validation or DAO system error.
-     */
-    void deleteParent( AdminRole entity ) throws SecurityException
-    {
-        validate( entity );
-        rDao.deleteParent( entity );
-    }
-
-
-    /**
-     * This command assigns a user to an admin role.
-     * Successful completion of this op, the following occurs:
-     * </p>
-     * <ul>
-     * <li> User entity (resides in people container) has role assignment added to aux object class attached to actual user record.
-     * <li> AdminRole entity (resides in admin role container) has userId added as role occupant.
-     * <li> (optional) Temporal constraints may be associated with <code>ftUserAttrs</code> aux object class based on:
-     * <ul>
-     * <li> timeout - number in seconds of session inactivity time allowed.
-     * <li> beginDate - YYYYMMDD - determines date when role may be activated.
-     * <li> endDate - YYMMDD - indicates latest date role may be activated.
-     * <li> beginLockDate - YYYYMMDD - determines beginning of enforced inactive status
-     * <li> endLockDate - YYMMDD - determines end of enforced inactive status.
-     * <li> beginTime - HHMM - determines begin hour role may be activated in user's session.
-     * <li> endTime - HHMM - determines end hour role may be activated in user's session.*
-     * <li> dayMask - 1234567, 1 = Sunday, 2 = Monday, etc - specifies which day of week role may be activated.
-     * </ul>
-     * </ul>
-     *
-     * @param entity contains userId and admin role name and (optional) role temporal constraints.
-     * @param userDn contains the DN of user being assigned.
-     * @return AdminRole contains copy of input entity and additional data processed by request.
-     * @throws SecurityException in the event data error in user or role objects or system error.
-     */
-    AdminRole assign( AdminRole entity, String userDn ) throws SecurityException
-    {
-        return rDao.assign( entity, userDn );
-    }
-
-
-    /**
-     * Add the User dn occupant attribute to the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
-     * when the User is being added.
-     *
-     * @param uRoles contains a collection of UserAdminRole being targeted for assignment.
-     * @param userDn contains the userId targeted for attribute addition.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws SecurityException in the event of DAO search error.
-     */
-    void addOccupant( List<UserAdminRole> uRoles, String userDn, String contextId )
-        throws SecurityException
-    {
-        if ( ObjUtil.isNotNullOrEmpty( uRoles ) )
-        {
-            for ( UserAdminRole uRole : uRoles )
-            {
-                AdminRole role = new AdminRole( uRole.getName() );
-                role.setContextId( contextId );
-                assign( role, userDn );
-            }
-        }
-    }
-
-
-    /**
-     * Remove the User dn occupant attribute from the OrganizationalRole entity in ldap.  This method is called by AdminMgrImpl
-     * when the User is being deleted.
-     *
-     * @param userDn contains the userId targeted for attribute removal.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws SecurityException in the event of DAO search error.
-     */
-    void removeOccupant( String userDn, String contextId )
-        throws SecurityException
-    {
-        List<String> list;
-        try
-        {
-            list = rDao.findAssignedRoles( userDn, contextId );
-            for ( String roleNm : list )
-            {
-                deassign( new AdminRole( roleNm ), userDn );
-            }
-        }
-        catch ( FinderException fe )
-        {
-            String error = "removeOccupant userDn [" + userDn + "] caught FinderException=" + fe;
-            throw new SecurityException( GlobalErrIds.ARLE_REMOVE_OCCUPANT_FAILED, error, fe );
-        }
-    }
-
-
-    /**
-     * This method removes assigned admin role from user entity.  Both user and admin role entities must exist and have role relationship
-     * before calling this method.
-     * Successful completion:
-     * del Role to User assignment in User data set
-     * AND
-     * User to Role assignment in Admin Role data set.
-     *
-     * @param entity contains userId and admin role name targeted for removal.
-     * @param userDn contains the userId targeted for attribute removal.
-     * @return AdminRole contains copy of input entity and additional data processed by request.
-     * @throws SecurityException - in the event data error in user or role objects or system error.
-     */
-    AdminRole deassign( AdminRole entity, String userDn ) throws SecurityException
-    {
-        return rDao.deassign( entity, userDn );
-    }
-
-
-    /**
-     * This method performs a "hard" delete.  It completely the Admin Role node from the ldap directory.
-     * Admin Role entity must exist in directory prior to making this call else exception will be thrown.
-     *
-     * @param entity Contains the name of the Admin Role targeted for deletion.
-     * @throws SecurityException in the event of data validation or DAO system error.
-     */
-    void delete( AdminRole entity ) throws SecurityException
-    {
-        try
-        {
-            rDao.remove( entity );
-        }
-        catch ( RemoveException re )
-        {
-            String error = "delete name [" + entity.getName() + "] caught RemoveException=" + re;
-            LOG.error( error );
-            throw new SecurityException( GlobalErrIds.ARLE_DELETE_FAILED, error, re );
-        }
-    }
-    
-    /**
-     * Method will perform simple validations to ensure the integrity of the Admin Role entity targeted for insertion
-     * or updating in directory.  For example the Admin Role temporal constraints will be validated.  Data reasonability
-     * checks will be performed on all non-null attributes.  Validations will be performed on ARBAC constraints as well.
-     *
-     * @param entity contains data targeted for insertion or update.
-     * @throws SecurityException in the event of data validation error or DAO error on Org validation.
-     */
-    private void validate( AdminRole entity )
-        throws SecurityException
-    {
-        VUtil.safeText( entity.getName(), GlobalIds.ROLE_LEN );
-
-        if ( StringUtils.isNotEmpty( entity.getBeginRange() ) && StringUtils.isNotEmpty( entity.getEndRange() ) )
-        {
-            VUtil.safeText( entity.getBeginRange(), GlobalIds.ROLE_LEN );
-            VUtil.safeText( entity.getEndRange(), GlobalIds.ROLE_LEN );
-
-            if ( entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() )
-                && ( !entity.isBeginInclusive() || !entity.isEndInclusive() ) )
-            {
-                String error = "validate invalid range detected for role name [" + entity.getName()
-                    + "] non inclusive endpoint for identical range [" + entity.getBeginRange() + "] begin inclusive ["
-                    + entity.isBeginInclusive() + "] end inclusive [" + entity.isEndInclusive() + "]";
-                LOG.warn( error );
-                throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE_INCLUSIVE, error );
-            }
-            else if ( !RoleUtil.isParent( entity.getBeginRange(), entity.getEndRange(), entity.getContextId() )
-                && !entity.getBeginRange().equalsIgnoreCase( entity.getEndRange() ) )
-            {
-                String error = "validate invalid range detected for role name [" + entity.getName()
-                    + "] begin range [" + entity.getBeginRange() + "] end range [" + entity.getEndRange() + "]";
-                LOG.warn( error );
-                throw new SecurityException( GlobalErrIds.ARLE_INVLD_RANGE, error );
-            }
-        }
-        else if ( !StringUtils.isNotEmpty( entity.getBeginRange() ) && StringUtils.isNotEmpty( entity.getEndRange() ) )
-        {
-            String error = "validate role name [" + entity.getName() + "] begin range value null or empty.";
-            LOG.warn( error );
-            throw new SecurityException( GlobalErrIds.ARLE_BEGIN_RANGE_NULL, error );
-        }
-        else if ( StringUtils.isNotEmpty( entity.getBeginRange() ) && !StringUtils.isNotEmpty( entity.getEndRange() ) )
-        {
-            String error = "validate role name [" + entity.getName() + "] end range value null or empty.";
-            LOG.warn( error );
-            throw new SecurityException( GlobalErrIds.ARLE_END_RANGE_NULL, error );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getDescription() ) )
-        {
-            VUtil.description( entity.getDescription() );
-        }
-
-        if ( entity.getTimeout() >= 0 )
-        {
-            VUtil.timeout( entity.getTimeout() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getBeginTime() ) )
-        {
-            VUtil.beginTime( entity.getBeginTime() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getEndTime() ) )
-        {
-            VUtil.endTime( entity.getEndTime() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getBeginDate() ) )
-        {
-            VUtil.beginDate( entity.getBeginDate() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getEndDate() ) )
-        {
-            VUtil.endDate( entity.getEndDate() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getDayMask() ) )
-        {
-            VUtil.dayMask( entity.getDayMask() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getBeginLockDate() ) )
-        {
-            VUtil.beginDate( entity.getBeginDate() );
-        }
-
-        if ( StringUtils.isNotEmpty( entity.getEndLockDate() ) )
-        {
-            VUtil.endDate( entity.getEndLockDate() );
-        }
-
-        if ( ObjUtil.isNotNullOrEmpty( entity.getOsU() ) )
-        {
-            validateOrgs( entity.getOsU(), OrgUnit.Type.USER, entity.getContextId() );
-        }
-
-        if ( ObjUtil.isNotNullOrEmpty( entity.getOsP() ) )
-        {
-            validateOrgs( entity.getOsP(), OrgUnit.Type.PERM, entity.getContextId() );
-        }
-    }
-
-    /**
-     * Called by validate()
-     *
-     * @param orgs
-     * @param contextId
-     * @throws SecurityException
-     */
-    private void validateOrgs( Set<String> orgs, OrgUnit.Type type, String contextId ) throws SecurityException
-    {
-        for ( String ou : orgs )
-        {
-            OrgUnit inOe = new OrgUnit( ou );
-            inOe.setType( type );
-            inOe.setContextId( contextId );
-            op.read( inOe );
-        }
-    }
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
deleted file mode 100755
index d73a301..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminRoleUtil.java
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-
-import java.util.List;
-import java.util.Set;
-import java.util.TreeSet;
-import java.util.concurrent.locks.ReadWriteLock;
-
-import org.apache.commons.lang.StringUtils;
-import org.apache.directory.fortress.core.model.AdminRole;
-import org.apache.directory.fortress.core.model.Graphable;
-import org.apache.directory.fortress.core.model.Hier;
-import org.apache.directory.fortress.core.model.Relationship;
-import org.apache.directory.fortress.core.model.UserAdminRole;
-import org.apache.directory.fortress.core.util.ObjUtil;
-import org.jgrapht.graph.SimpleDirectedGraph;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.apache.directory.fortress.core.GlobalIds;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.ValidationException;
-import org.apache.directory.fortress.core.model.VUtil;
-import org.apache.directory.fortress.core.util.cache.Cache;
-import org.apache.directory.fortress.core.util.cache.CacheMgr;
-
-
-/**
- * This utility wraps {@link org.apache.directory.fortress.core.rbac.HierUtil} methods to provide hierarchical functionality for the {@link org.apache.directory.fortress.core.model.AdminRole} data set.
- * The child to parent relationships are stored within a data cache, {@link #adminRoleCache}, contained within this class.  The parent-child edges are contained in LDAP,
- * in {@code ftParents} attribute.  The ldap data is retrieved {@link org.apache.directory.fortress.core.rbac.AdminRoleP#getAllDescendants(String)} and loaded into {@code org.jgrapht.graph.SimpleDirectedGraph}.
- * The graph...
- * <ol>
- * <li>is stored as singleton in this class with vertices of {@code String}, and edges, as {@link org.apache.directory.fortress.core.model.Relationship}s</li>
- * <li>utilizes open source library, see <a href="http://www.jgrapht.org/">JGraphT</a>.</li>
- * <li>contains a general hierarchical data structure i.e. allows multiple inheritance with parents.</li>
- * <li>is a simple directed graph thus does not allow cycles.</li>
- * </ol>
- * After update is performed to ldap, the singleton is refreshed with latest info.
- * <p/>
- * Static methods on this class are intended for use by other Fortress classes, i.e. {@link DelAdminMgrImpl} and {@link org.apache.directory.fortress.core.rbac.PermDAO}
- * and cannot be directly invoked by outside programs.
- * <p/>
- * This class contains singleton that can be updated but is thread safe.
- * <p/>
-
- *  @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-public final class AdminRoleUtil
-{
-    private static final Cache adminRoleCache;
-    private static final AdminRoleP adminRoleP = new AdminRoleP();
-    private static final String CLS_NM = AdminRoleUtil.class.getName();
-    private static final Logger LOG = LoggerFactory.getLogger( CLS_NM );
-
-    /**
-     * Initialize the AdminRole hierarchies.  This will read the {@link org.apache.directory.fortress.core.model.Hier} data set from ldap and load into
-     * the JGraphT simple digraph that referenced statically within this class.
-     */
-    static
-    {
-        CacheMgr cacheMgr = CacheMgr.getInstance();
-        adminRoleCache = cacheMgr.getCache( "fortress.admin.roles" );
-    }
-
-    /**
-     * Private constructor
-     *
-     */
-    private AdminRoleUtil()
-    {
-    }
-
-    /**
-     * Used to determine if one {@link org.apache.directory.fortress.core.model.AdminRole} is the parent of another.  This method
-     * will call recursive routine {@link #getAscendants(String, String)} to walk the {@code org.jgrapht.graph.SimpleDirectedGraph} data structure
-     * returning flag indicating if parent-child relationship is valid.
-     *
-     * @param child maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
-     * @param parent maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return boolean result, 'true' indicates parent/child relationship exists.
-     */
-    static boolean isParent( String child, String parent, String contextId )
-    {
-        boolean result = false;
-        Set<String> parents = getAscendants( child, contextId );
-        if ( parents != null && parents.size() > 0 )
-        {
-            result = parents.contains( parent.toUpperCase() );
-        }
-        return result;
-    }
-
-
-    /**
-     * Recursively traverse the {@link org.apache.directory.fortress.core.model.AdminRole} graph and return all of the descendants of a given parent {@link org.apache.directory.fortress.core.model.AdminRole#name}.
-     * @param roleName {@link org.apache.directory.fortress.core.model.AdminRole#name} maps on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return Set of AdminRole names are children {@link org.apache.directory.fortress.core.model.AdminRole}s of given parent.
-     */
-    static Set<String> getDescendants( String roleName, String contextId )
-    {
-        return HierUtil.getDescendants( roleName, getGraph( contextId ) );
-    }
-
-
-    /**
-     * Recursively traverse the hierarchical role graph and return all of the parents of a given child role.
-     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return Set of AdminRole names that are descendants of given node.
-     */
-    public static Set<String> getAscendants( String roleName, String contextId )
-    {
-        return HierUtil.getAscendants( roleName, getGraph( contextId ) );
-    }
-
-
-    /**
-     * Traverse one level of the {@link org.apache.directory.fortress.core.model.AdminRole} graph and return all of the parents (direct ascendants) of a given parent {@link org.apache.directory.fortress.core.model.AdminRole#name}.
-     * @param roleName {@link org.apache.directory.fortress.core.model.AdminRole#name} maps on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return Set of AdminRole names are parents {@link org.apache.directory.fortress.core.model.AdminRole}s of given child.
-     */
-    static Set<String> getParents( String roleName, String contextId )
-    {
-        return HierUtil.getParents( roleName, getGraph( contextId ) );
-    }
-
-
-    /**
-     * Traverse one level of the hierarchical role graph and return all of the children (direct descendants) of a given parent role.
-     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return Set of AdminRole names that are children of given parent.
-     */
-    public static Set<String> getChildren( String roleName, String contextId )
-    {
-        return HierUtil.getChildren( roleName, getGraph( contextId ) );
-    }
-
-
-    /**
-     * Return number of children (direct descendants) a given parent role has.
-     * @param roleName maps to logical {@link org.apache.directory.fortress.core.model.AdminRole#name} on 'ftRls' object class.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return int value contains the number of children of a given parent AdminRole.
-     */
-    static int numChildren( String roleName, String contextId )
-    {
-        return HierUtil.numChildren( roleName, getGraph( contextId ) );
-    }
-
-
-    /**
-     * Return Set of {@link org.apache.directory.fortress.core.model.AdminRole#name}s ascendants.  Used by {@link org.apache.directory.fortress.core.rbac.PermDAO#checkPermission}
-     * for computing authorized {@link org.apache.directory.fortress.core.model.UserAdminRole#name}s.
-     * @param uRoles contains list of adminRoles activated within a {@link org.apache.directory.fortress.core.model.User}'s {@link org.apache.directory.fortress.core.model.Session}.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return contains Set of all authorized adminRoles for a given User.
-     */
-    public static Set<String> getInheritedRoles( List<UserAdminRole> uRoles, String contextId )
-    {
-        // create Set with case insensitive comparator:
-        Set<String> iRoles = new TreeSet<>( String.CASE_INSENSITIVE_ORDER );
-
-        if ( ObjUtil.isNotNullOrEmpty( uRoles ) )
-        {
-            for ( UserAdminRole uRole : uRoles )
-            {
-                String rleName = uRole.getName();
-                iRoles.add( rleName );
-                Set<String> parents = HierUtil.getAscendants( rleName, getGraph( contextId ) );
-
-                if ( ObjUtil.isNotNullOrEmpty( parents ) )
-                {
-                    iRoles.addAll( parents );
-                }
-            }
-        }
-        return iRoles;
-    }
-
-
-    /**
-     * This api is used by {@link DelAdminMgrImpl} to determine parentage for Hierarchical ARBAC processing.
-     * It calls {@link HierUtil#validateRelationship(org.jgrapht.graph.SimpleDirectedGraph, String, String, boolean)} to evaluate three adminRole relationship expressions:
-     * <ol>
-     * <li>If child equals parent</li>
-     * <li>If mustExist true and parent-child relationship exists</li>
-     * <li>If mustExist false and parent-child relationship does not exist</li>
-     * </ol>
-     * Method will throw {@link org.apache.directory.fortress.core.ValidationException} if rule check fails meaning caller failed validation
-     * attempt to add/remove hierarchical relationship failed.
-     *
-     * @param childRole contains {@link org.apache.directory.fortress.core.model.AdminRole#name} of child.
-     * @param parentRole contains {@link org.apache.directory.fortress.core.model.AdminRole#name} of parent.
-     * @param mustExist boolean is used to specify if relationship must be true.
-     * @throws org.apache.directory.fortress.core.ValidationException in the event it fails one of the 3 checks.
-     */
-    static void validateRelationship( AdminRole childRole, AdminRole parentRole, boolean mustExist )
-        throws ValidationException
-    {
-        HierUtil.validateRelationship( getGraph( childRole.getContextId() ), childRole.getName(), parentRole.getName(),
-            mustExist );
-    }
-
-
-    /**
-     * This api allows synchronized access to allow updates to hierarchical relationships.
-     * Method will update the hierarchical data set and reload the JGraphT simple digraph with latest.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @param relationship contains parent-child relationship targeted for addition.
-     * @param op   used to pass the ldap op {@link org.apache.directory.fortress.core.model.Hier.Op#ADD}, {@link org.apache.directory.fortress.core.model.Hier.Op#MOD}, {@link org.apache.directory.fortress.core.model.Hier.Op#REM}
-     * @throws org.apache.directory.fortress.core.SecurityException in the event of a system error.
-     */
-    static void updateHier( String contextId, Relationship relationship, Hier.Op op ) throws SecurityException
-    {
-        HierUtil.updateHier( getGraph( contextId ), relationship, op );
-    }
-
-
-    /**
-     * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
-     * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return handle to simple digraph containing adminRole hierarchies.
-     */
-    private static SimpleDirectedGraph<String, Relationship> loadGraph( String contextId )
-    {
-        Hier inHier = new Hier( Hier.Type.ROLE );
-        inHier.setContextId( contextId );
-        LOG.info( "loadGraph initializing ADMIN ROLE context [{}]", inHier.getContextId() );
-        List<Graphable> descendants = null;
-
-        try
-        {
-            descendants = adminRoleP.getAllDescendants( inHier.getContextId() );
-        }
-        catch ( SecurityException se )
-        {
-            LOG.info( "loadGraph caught SecurityException={}", se );
-        }
-
-        Hier hier = HierUtil.loadHier( contextId, descendants );
-        SimpleDirectedGraph<String, Relationship> graph;
-
-        graph = HierUtil.buildGraph( hier );
-        adminRoleCache.put( getKey( contextId ), graph );
-
-        return graph;
-    }
-
-
-    /**
-     * Read this ldap record,{@code cn=Hierarchies, ou=OS-P} into this entity, {@link Hier}, before loading into this collection class,{@code org.jgrapht.graph.SimpleDirectedGraph}
-     * using 3rd party lib, <a href="http://www.jgrapht.org/">JGraphT</a>.
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return handle to simple digraph containing adminRole hierarchies.
-     */
-    private static SimpleDirectedGraph<String, Relationship> getGraph( String contextId )
-    {
-        ReadWriteLock hierLock = HierUtil.getLock( contextId, HierUtil.Type.ARLE );
-        String key = getKey( contextId );
-
-        try
-        {
-            hierLock.readLock().lock();
-            SimpleDirectedGraph<String, Relationship> graph = ( SimpleDirectedGraph<String, Relationship> ) adminRoleCache
-                .get( key );
-
-            if ( graph == null )
-            {
-                try
-                {
-                    hierLock.readLock().unlock();
-                    hierLock.writeLock().lock();
-
-                    // TODO: determine why this (code that was commented out) creates a deadlock:
-                    //graph = ( SimpleDirectedGraph<String, Relationship> ) adminRoleCache.get( key );
-
-                    //if ( graph == null )
-                    //{
-                    graph = loadGraph( contextId );
-                    //}
-
-                    hierLock.readLock().lock();
-                }
-                finally
-                {
-                    hierLock.writeLock().unlock();
-                }
-            }
-
-            return graph;
-        }
-        finally
-        {
-            hierLock.readLock().unlock();
-        }
-    }
-
-
-    /**
-     *
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return containing key to cache entry for this tenant.
-     */
-    private static String getKey( String contextId )
-    {
-        String key = HierUtil.Type.ARLE.toString();
-        if ( StringUtils.isNotEmpty( contextId ) && !contextId.equalsIgnoreCase( GlobalIds.NULL ) )
-        {
-            key += ":" + contextId;
-        }
-        return key;
-    }
-}

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/ba64d26a/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java b/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
deleted file mode 100755
index c9171d4..0000000
--- a/src/main/java/org/apache/directory/fortress/core/rbac/AdminUtil.java
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- *   Licensed to the Apache Software Foundation (ASF) under one
- *   or more contributor license agreements.  See the NOTICE file
- *   distributed with this work for additional information
- *   regarding copyright ownership.  The ASF licenses this file
- *   to you under the Apache License, Version 2.0 (the
- *   "License"); you may not use this file except in compliance
- *   with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- *   Unless required by applicable law or agreed to in writing,
- *   software distributed under the License is distributed on an
- *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- *   KIND, either express or implied.  See the License for the
- *   specific language governing permissions and limitations
- *   under the License.
- *
- */
-package org.apache.directory.fortress.core.rbac;
-
-import org.apache.directory.fortress.core.DelAccessMgr;
-import org.apache.directory.fortress.core.AuthorizationException;
-import org.apache.directory.fortress.core.GlobalErrIds;
-import org.apache.directory.fortress.core.SecurityException;
-import org.apache.directory.fortress.core.DelAccessMgrFactory;
-import org.apache.directory.fortress.core.model.FortEntity;
-import org.apache.directory.fortress.core.model.Permission;
-import org.apache.directory.fortress.core.model.Role;
-import org.apache.directory.fortress.core.model.Session;
-import org.apache.directory.fortress.core.model.User;
-
-/**
- * This class supplies static wrapper utilities to provide ARBAC functionality to Fortress internal Manager APIs.
- * The utilities within this class are all static and can not be called by code outside of Fortress.
- * </p>
- * This class is thread safe.
- *
- * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
- */
-final class AdminUtil
-{
-    private static final String CLS_NM = AdminUtil.class.getName();
-
-    /**
-     * Private constructor
-     *
-     */
-    private AdminUtil()
-    {
-    }
-
-    /**
-     * Wrapper function to call {@link DelAccessMgrImpl#canAssign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
-     * This will determine if the user contains an AdminRole that is authorized assignment control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-assign URA.
-     *
-     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @param user    Instantiated User entity requires only valid userId attribute set.
-     * @param role    Instantiated Role entity requires only valid role name attribute set.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
-     */
-    static void canAssign(Session session, User user, Role role, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
-            boolean result = dAccessMgr.canAssign(session, user, role);
-            if (!result)
-            {
-                String warning = "canAssign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
-                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_ASSIGN, warning);
-            }
-        }
-    }
-
-    /**
-     * Wrapper function to call {@link DelAccessMgrImpl#canDeassign(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.User, org.apache.directory.fortress.core.model.Role)}.
-     *
-     * This function will determine if the user contains an AdminRole that is authorized revoke control over User-Role Assignment (URA).  This adheres to the ARBAC02 functional specification for can-revoke URA.
-     *
-     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param user    Instantiated User entity requires only valid userId attribute set.
-     * @param user    Instantiated User entity requires userId attribute set.
-     * @param role    Instantiated Role entity requires only valid role name attribute set.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid userId or role name) or system error.
-     */
-    static void canDeassign(Session session, User user, Role role, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
-            boolean result = dAccessMgr.canDeassign(session, user, role);
-            if (!result)
-            {
-                String warning = "canDeassign Role [" + role.getName() + "] User [" + user.getUserId() + "] Admin [" + session.getUserId() + "] failed check.";
-                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_DEASSIGN, warning);
-
-            }
-        }
-    }
-
-    /**
-     * Wrapper function to call {@link DelAccessMgrImpl#canGrant(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
-     * This function will determine if the user contains an AdminRole that is authorized assignment control over
-     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-assign-p PRA.
-     *
-     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
-     * @param role    Instantiated Role entity requires only valid role name attribute set.
-     * @param perm    Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @return boolean value true indicates access allowed.
-     * @throws SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
-     */
-    static void canGrant(Session session, Role role, Permission perm, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
-            boolean result = dAccessMgr.canGrant(session, role, perm);
-            if (!result)
-            {
-                String warning = "canGrant Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
-                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_GRANT, warning);
-            }
-        }
-    }
-
-    /**
-     * Wrapper function to call {@link DelAccessMgrImpl#canRevoke(org.apache.directory.fortress.core.model.Session, org.apache.directory.fortress.core.model.Role, Permission)}.
-     *
-     * This function will determine if the user contains an AdminRole that is authorized revoke control over
-     * Permission-Role Assignment (PRA).  This adheres to the ARBAC02 functional specification for can-revoke-p PRA.
-     *
-     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.     * @param perm    Instantiated Permission entity requires valid object name and operation name attributes set.
-     * @param role    Instantiated Role entity requires only valid role name attribute set.
-     * @param perm    Instantiated Permission entity requires {@link Permission#objName} and {@link Permission#opName}.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws org.apache.directory.fortress.core.SecurityException In the event of data validation error (i.e. invalid perm or role name) or system error.
-     */
-    static void canRevoke(Session session, Role role, Permission perm, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
-            boolean result = dAccessMgr.canRevoke(session, role, perm);
-            if (!result)
-            {
-                String warning = "canRevoke Role [" + role.getName() + "] Perm object [" + perm.getObjName() + "] Perm Operation [" + perm.getOpName() + "] Admin [" + session.getUserId() + "] failed check.";
-                throw new SecurityException(GlobalErrIds.URLE_ADMIN_CANNOT_REVOKE, warning);
-            }
-        }
-    }
-
-    /**
-     * Method is called by Manager APIs to load contextual information on {@link org.apache.directory.fortress.core.model.FortEntity} and perform checkAccess on Administrative permission.
-     * </p>
-     * The information is used to
-     * <ol>
-     * <li>Load the administrative User's {@link Session} object into entity.  This is used for checking to ensure administrator has privilege to perform administrative operation.</li>
-     * <li>Load the target operation's permission into the audit context.  This is used for Fortress audit log stored in OpenLDAP</li>
-     * </ol>
-     *
-     * @param session object contains the {@link org.apache.directory.fortress.core.model.User}'s RBAC, {@link org.apache.directory.fortress.core.model.UserRole}, and Administrative Roles {@link org.apache.directory.fortress.core.model.UserAdminRole}.
-     * @param perm    contains the permission object name, {@link Permission#objName}, and operation name, {@link Permission#opName}
-     * @param entity  used to pass contextual information through Fortress layers for administrative security checks and audit.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws org.apache.directory.fortress.core.SecurityException in the event of system error.
-     */
-    static void setEntitySession(Session session, Permission perm, FortEntity entity, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            entity.setAdminSession(session);
-            entity.setModCode(getObjName(perm.getObjName()) + "." + perm.getOpName());
-            checkAccess(session, perm, contextId);
-        }
-    }
-
-    /**
-     * Wrapper function to call {@link DelAccessMgrImpl#checkAccess(org.apache.directory.fortress.core.model.Session, Permission)}.
-     * Perform user arbac authorization.  This function returns a Boolean value meaning whether the subject of a given session is
-     * allowed or not to perform a given operation on a given object. The function is valid if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
-     * to perform the operation on that object if and only if that permission is assigned to (at least)
-     * one of the session's active roles. This implementation will verify the roles or userId correspond
-     * to the subject's active roles are registered in the object's access control list.
-     *
-     * @param session This object must be instantiated by calling {@link org.apache.directory.fortress.core.AccessMgr#createSession} method before passing into the method.  No variables need to be set by client after returned from createSession.
-     * @param perm    object contains obj attribute which is a String and contains the name of the object user is trying to access;
-     *                perm object contains operation attribute which is also a String and contains the operation name for the object.
-     * @param contextId maps to sub-tree in DIT, for example ou=contextId, dc=jts, dc = com.
-     * @throws SecurityException in the event of data validation failure, security policy violation or DAO error.
-     */
-    static void checkAccess(Session session, Permission perm, String contextId) throws SecurityException
-    {
-        if (session != null)
-        {
-            DelAccessMgr dAccessMgr = DelAccessMgrFactory.createInstance(contextId);
-            boolean result = dAccessMgr.checkAccess(session, perm);
-            if (!result)
-            {
-                String info = "checkAccess failed for user [" + session.getUserId() + "] object [" + perm.getObjName() + "] operation [" + perm.getOpName() + "]";
-                throw new AuthorizationException(GlobalErrIds.USER_ADMIN_NOT_AUTHORIZED, info);
-            }
-        }
-    }
-
-    /**
-     * Utility will parse a String containing objName.operationName and return the objName only.
-     *
-     * @param szObj contains raw data format.
-     * @return String containing objName.
-     */
-    static String getObjName(String szObj)
-    {
-        return szObj.substring(szObj.lastIndexOf('.') + 1);
-    }
-}


Mime
View raw message