Repository: directory-fortress-core
Updated Branches:
refs/heads/master ab30e6371 -> c105b8287
+ fortress console enable/disable role constraints
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/c105b828
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/c105b828
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/c105b828
Branch: refs/heads/master
Commit: c105b8287d2456c8ddfd61c7b6ceafad96bf4e30
Parents: ab30e63
Author: Shawn McKinney <smckinney@apache.org>
Authored: Tue Oct 23 08:47:38 2018 -0500
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Tue Oct 23 08:47:38 2018 -0500
----------------------------------------------------------------------
.../directory/fortress/core/AccessMgr.java | 22 ++++++++--
.../fortress/core/impl/AccessMgrImpl.java | 13 ++++++
.../fortress/core/rest/AccessMgrRestImpl.java | 28 +++++++++++++
.../directory/fortress/core/rest/HttpIds.java | 1 +
.../fortress/core/AccessMgrConsole.java | 43 ++++++++++++++++++--
.../fortress/core/ProcessMenuCommand.java | 27 +++++++-----
6 files changed, 117 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
index 824582c..c21c528 100755
--- a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
@@ -187,8 +187,6 @@ public interface AccessMgr extends Manageable
* (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional
* {@link org.apache.directory.fortress.core.model.User#adminRoles}
* @param constraints List of case-sensitive {@link RoleConstraint#key}, {@link RoleConstraint#value},
bound for role activation checks.
- * (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional
- * {@link org.apache.directory.fortress.core.model.User#adminRoles}
* @param isTrusted if true password is not required.
* @return Session object will contain authentication result code
* {@link org.apache.directory.fortress.core.model.Session#errorId},
@@ -275,7 +273,6 @@ public interface AccessMgr extends Manageable
throws SecurityException;
-
/**
* Perform user RBAC authorization. This function returns a Boolean value meaning whether
the subject of a given
* session is allowed or not to perform a given operation on a given object. The function
is valid if and
@@ -296,6 +293,25 @@ public interface AccessMgr extends Manageable
boolean checkAccess( Session session, Permission perm )
throws SecurityException;
+ /**
+ * Combine createSession and checkAccess into a single method.
+ * This function returns a Boolean value meaning whether the User is allowed or not to
perform a given operation on a given object.
+ * The function is valid if and only if the user is a valid Fortress user, the object
is a member of the OBJS data set,
+ * and the operation is a member of the OPS data set. The user has the permission
+ * to perform the operation on that object if and only if that permission is assigned
to (at least)
+ * one of the session's active roles. This implementation will verify the roles or userId
correspond
+ * to the user's active roles are registered in the object's access control list.
+ *
+ * @param user Contains {@link User#userId}, {@link org.apache.directory.fortress.core.model.User#password}
+ * (optional if {@code isTrusted} is 'true'), optional {@link User#roles}}
+ * @param perm must contain the object, {@link Permission#objName}, and operation,
{@link Permission#opName}, of
+ * permission User is trying to access.
+ * @return True if user has access, false otherwise.
+ * @throws SecurityException
+ * in the event of data validation failure, security policy violation or DAO
error.
+ */
+ public boolean checkAccess( User user, Permission perm, boolean isTrusted )
+ throws SecurityException;
/**
* This function returns the permissions of the session, i.e., the permissions assigned
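Review bot: The Javadoc for the new `checkAccess( User user, Permission perm, boolean isTrusted )` documents `user` and `perm` but has no `@param isTrusted`, even though that flag is what decides whether the password is verified before the authorization decision is made. I would add `@param isTrusted if true the password is not checked; the caller is then responsible for having authenticated the user by other means.` directly after the `@param perm` entry. The `{@link User#roles}}` reference on the `@param user` line carries a stray closing brace that will render literally, and the `public` modifier on an interface method is redundant. The enclosing interface continues beyond this hunk.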
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
index 2748adb..c001245 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
@@ -169,6 +169,19 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
*/
@Override
@AdminPermissionOperation
+ public boolean checkAccess( User user, Permission perm, boolean isTrusted )
+ throws SecurityException
+ {
+ Session session = createSession( user, isTrusted );
+ return checkAccess( session, perm );
+ }
+
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ @AdminPermissionOperation
public List<Permission> sessionPermissions( Session session )
throws SecurityException
{
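Review bot: The new `checkAccess( user, perm, isTrusted )` passes whatever `createSession` returns straight into `checkAccess( session, perm )` without inspecting it; the interface Javadoc touched earlier in this commit says the returned Session carries the authentication result in `Session#errorId`, so if `createSession` can report a failed login through that field instead of throwing, a failed login would still be evaluated against the permission. If it always throws on failure this is fine, but a guard such as `if ( session == null || session.getErrorId() != 0 ) { return false; }` (adjusted to the actual accessor) would make the contract explicit. The Session is built and then discarded, so every call pays a full session construction; the Javadoc could say that callers performing repeated checks for the same user should call `createSession` once and use `checkAccess( Session, Permission )`. Note that with `isTrusted` true the decision rests on `userId` alone, so the `@AdminPermissionOperation` annotation this method now sits under is the only thing restricting who may ask. The enclosing class continues outside the hunk.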
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
index 3bb6797..cf9c331 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
@@ -202,6 +202,34 @@ public class AccessMgrRestImpl extends Manageable implements AccessMgr
* {@inheritDoc}
*/
@Override
+ public boolean checkAccess(User user, Permission perm, boolean isTrusted)
+ throws SecurityException
+ {
+ VUtil.assertNotNull(perm, GlobalErrIds.PERM_NULL, CLS_NM + ".checkAccess");
+ VUtil.assertNotNull(user, GlobalErrIds.USER_NULL, CLS_NM + ".checkAccess");
+ boolean result;
+ FortRequest request = RestUtils.getRequest( this.contextId );
+ request.setEntity2(user);
+ request.setEntity(perm);
+ request.setIsFlag( isTrusted );
+ String szRequest = RestUtils.marshal(request);
+ String szResponse = RestUtils.getInstance().post(szRequest, HttpIds.RBAC_CHECK);
+ FortResponse response = RestUtils.unmarshall(szResponse);
+ if (response.getErrorCode() == 0)
+ {
+ result = response.getAuthorized();
+ }
+ else
+ {
+ throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+ }
+ return result;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
public List<Permission> sessionPermissions(Session session)
throws SecurityException
{
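Review bot: This REST client forwards `isTrusted` to the server with only `@Override` on the method, whereas the in-process `AccessMgrImpl` version of the same operation is guarded by `@AdminPermissionOperation`; with `isTrusted` true no credential for the target user travels in the request, so the server-side `rbacCheck` handler (not visible in this diff) must itself verify that the calling principal is allowed to perform trusted checks, and a one-line comment here stating that expectation would help the next maintainer. The `boolean result` local is assigned only on the success path before being returned; `if ( response.getErrorCode() != 0 ) { throw new SecurityException( response.getErrorCode(), response.getErrorMessage() ); } return response.getAuthorized();` reads more directly and drops the uninitialized local. The enclosing class continues outside the hunk.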
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
index 8f66e48..aa1dc15 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
@@ -28,6 +28,7 @@ public class HttpIds
{
public static final String RBAC_AUTHN = "rbacAuthN";
public static final String RBAC_CREATE = "rbacCreate";
+ public static final String RBAC_CHECK = "rbacCheck";
public static final String RBAC_CREATE_TRUSTED = "rbacCreateT";
public static final String RBAC_AUTHZ = "rbacAuthZ";
public static final String RBAC_PERMS = "rbacPerms";
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
index ffc265d..7c9dc7d 100755
--- a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
@@ -24,6 +24,7 @@ import java.util.Collections;
import java.util.Comparator;
import java.util.Enumeration;
import java.util.List;
+import java.util.Properties;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.RoleConstraint;
@@ -288,8 +289,8 @@ class AccessMgrConsole
{
User user = new User();
ReaderUtil.clearScreen();
- System.out.println("Enter userId:");
- user.setUserId(ReaderUtil.readLn());
+ System.out.println( "Enter userId:" );
+ user.setUserId( ReaderUtil.readLn() );
System.out.println("Enter role (or NULL to skip):");
String key = ReaderUtil.readLn();
for (int i = 0; key != null && key.length() > 0; i++)
@@ -322,7 +323,7 @@ class AccessMgrConsole
VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, "AccessMgrConsole.checkAccess");
ReaderUtil.clearScreen();
Permission perm = new Permission();
- System.out.println("Enter object name:");
+ System.out.println( "Enter object name:" );
perm.setObjName( ReaderUtil.readLn() );
System.out.println("Enter operation name:");
perm.setOpName( ReaderUtil.readLn() );
@@ -345,6 +346,42 @@ class AccessMgrConsole
ReaderUtil.readChar();
}
+ void createSessionCheckAccess()
+ {
+ //Session session = null;
+ try
+ {
+ Permission perm = new Permission();
+ System.out.println("Enter object name:");
+ perm.setObjName( ReaderUtil.readLn() );
+ System.out.println("Enter operation name:");
+ perm.setOpName( ReaderUtil.readLn() );
+ System.out.println("Enter object id (or NULL to skip):");
+ String val = ReaderUtil.readLn();
+ if ( val != null && val.length() > 0 )
+ {
+ perm.setObjId( val );
+ }
+
+ System.out.println("Enter userId:");
+ String userId = ReaderUtil.readLn();
+ User inUser = new User(userId);
+
+ Properties props = new Properties( );
+ props.setProperty( "locale", "east" );
+ inUser.addProperties( props );
+ boolean result = am.checkAccess( inUser, perm, true );
+ System.out.println("createSessionCheckAccess return [" + result + "] for user
[" + userId + "], objName [" + perm.getObjName() + "], operationName [" + perm.getOpName()
+ "]" +
+ ", objId [" + perm.getObjId() + "]");
+ System.out.println("ENTER to continue");
+ }
+ catch (SecurityException e)
+ {
+ LOG.error("createSessionCheckAccess caught SecurityException rc=" + e.getErrorId()
+ ", msg=" + e.getMessage(), e);
+ }
+ ReaderUtil.readChar();
+ }
+
void sessionRoles()
{
try
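Review bot: `createSessionCheckAccess` hard-codes `props.setProperty( "locale", "east" )` onto the user and always passes `isTrusted` as `true`, so this console item can only exercise one fixed property value and never the password path of the new API; prompting for the property like the other inputs, e.g. `System.out.println( "Enter property key (or NULL to skip):" );` followed by a value prompt, would make it useful for testing other constraints. The commented-out `//Session session = null;` is dead code and should be dropped. On `SecurityException` the method logs and falls through to `ReaderUtil.readChar()` without printing anything to the console, unlike the success path which prints "ENTER to continue", so depending on the logger configuration the operator may see no feedback on failure. `sessionRoles` at the end of the hunk continues outside it.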
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
index a94f8a6..1ab2914 100755
--- a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
+++ b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
@@ -706,12 +706,13 @@ class ProcessMenuCommand
System.out.println( "4. Create Session with Roles Trusted" );
System.out.println( "5. Create Session with Props" );
System.out.println( "6. Check Access - RBAC" );
- System.out.println( "7. Session Roles" );
- System.out.println( "8. Add Active Role to Session" );
- System.out.println( "9. Drop Active Role from Session" );
- System.out.println( "0. Show User Data in Session" );
- System.out.println( "A. Show UserId in Session" );
- System.out.println( "B. Session Permissions" );
+ System.out.println( "7. Create Session & Check Access" );
+ System.out.println( "8. Session Roles" );
+ System.out.println( "9. Add Active Role to Session" );
+ System.out.println( "0. Drop Active Role from Session" );
+ System.out.println( "A. Show User Data in Session" );
+ System.out.println( "B. Show UserId in Session" );
+ System.out.println( "C. Session Permissions" );
System.out.println( "Enter q or Q to return to previous menu" );
}
@@ -753,23 +754,27 @@ class ProcessMenuCommand
accessConsole.checkAccess();
break;
case '7':
- accessConsole.sessionRoles();
+ accessConsole.createSessionCheckAccess();
break;
case '8':
- accessConsole.addActiveRole();
+ accessConsole.sessionRoles();
break;
case '9':
- accessConsole.dropActiveRole();
+ accessConsole.addActiveRole();
break;
case '0':
- accessConsole.getUser();
+ accessConsole.dropActiveRole();
break;
case 'a':
case 'A':
- accessConsole.getUserId();
+ accessConsole.getUser();
break;
case 'b':
case 'B':
+ accessConsole.getUserId();
+ break;
+ case 'c':
+ case 'C':
accessConsole.sessionPermissions();
break;
case 'q':