From smckin...@apache.org
Subject directory-fortress-core git commit: + fortress console enable/disable role constraints
Date Wed, 24 Oct 2018 10:29:13 GMT
Repository: directory-fortress-core
Updated Branches:
  refs/heads/master ab30e6371 -> c105b8287


+ fortress console enable/disable role constraints


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/c105b828
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/c105b828
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/c105b828

Branch: refs/heads/master
Commit: c105b8287d2456c8ddfd61c7b6ceafad96bf4e30
Parents: ab30e63
Author: Shawn McKinney <smckinney@apache.org>
Authored: Tue Oct 23 08:47:38 2018 -0500
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Tue Oct 23 08:47:38 2018 -0500

----------------------------------------------------------------------
 .../directory/fortress/core/AccessMgr.java      | 22 ++++++++--
 .../fortress/core/impl/AccessMgrImpl.java       | 13 ++++++
 .../fortress/core/rest/AccessMgrRestImpl.java   | 28 +++++++++++++
 .../directory/fortress/core/rest/HttpIds.java   |  1 +
 .../fortress/core/AccessMgrConsole.java         | 43 ++++++++++++++++++--
 .../fortress/core/ProcessMenuCommand.java       | 27 +++++++-----
 6 files changed, 117 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
index 824582c..c21c528 100755
--- a/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
+++ b/src/main/java/org/apache/directory/fortress/core/AccessMgr.java
@@ -187,8 +187,6 @@ public interface AccessMgr extends Manageable
      * (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional
      * {@link org.apache.directory.fortress.core.model.User#adminRoles}
      * @param constraints List of case-sensitive {@link RoleConstraint#key}, {@link RoleConstraint#value},
bound for role activation checks.
-     * (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional
-     * {@link org.apache.directory.fortress.core.model.User#adminRoles}
      * @param isTrusted if true password is not required.
      * @return Session object will contain authentication result code
      * {@link org.apache.directory.fortress.core.model.Session#errorId},
@@ -275,7 +273,6 @@ public interface AccessMgr extends Manageable
             throws SecurityException;
 
 
-
     /**
      * Perform user RBAC authorization.  This function returns a Boolean value meaning whether
the subject of a given 
      * session is allowed or not to perform a given operation on a given object. The function
is valid if and
@@ -296,6 +293,25 @@ public interface AccessMgr extends Manageable
     boolean checkAccess( Session session, Permission perm )
         throws SecurityException;
 
+    /**
+     * Combine createSession and checkAccess into a single method.
+     * This function returns a Boolean value meaning whether the User is allowed or not to
perform a given operation on a given object.
+     * The function is valid if and only if the user is a valid Fortress user, the object
is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The user has the permission
+     * to perform the operation on that object if and only if that permission is assigned
to (at least)
+     * one of the session's active roles. This implementation will verify the roles or userId
correspond
+     * to the user's active roles are registered in the object's access control list.
+     *
+     * @param user      Contains {@link User#userId}, {@link org.apache.directory.fortress.core.model.User#password}
+     * (optional if {@code isTrusted} is 'true'), optional {@link User#roles}}
+     * @param perm    must contain the object, {@link Permission#objName}, and operation,
{@link Permission#opName}, of
+     * permission User is trying to access.
+     * @return True if user has access, false otherwise.
+     * @throws SecurityException
+     *          in the event of data validation failure, security policy violation or DAO
error.
+     */
+    public boolean checkAccess( User user, Permission perm, boolean isTrusted )
+        throws SecurityException;
 
     /**
      * This function returns the permissions of the session, i.e., the permissions assigned
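Review bot: The Javadoc on the new `checkAccess( User user, Permission perm, boolean isTrusted )` has no `@param isTrusted` entry even though the `@param user` text refers to it and it is the flag that lets the caller skip password authentication; add `* @param isTrusted if true password is not required.` in the same wording the `createSession` doc above uses. The `@param user` line also carries a stray closing brace in `{@link User#roles}}`, which breaks the link. The `public` modifier on the declaration is redundant on an interface member and the neighbouring `checkAccess( Session session, Permission perm )` omits it, so drop it for consistency.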

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
index 2748adb..c001245 100755
--- a/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/impl/AccessMgrImpl.java
@@ -169,6 +169,19 @@ public class AccessMgrImpl extends Manageable implements AccessMgr, Serializable
      */
     @Override
     @AdminPermissionOperation
+    public boolean checkAccess( User user, Permission perm, boolean isTrusted )
+        throws SecurityException
+    {
+        Session session = createSession( user, isTrusted );
+        return checkAccess( session, perm );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    @AdminPermissionOperation
     public List<Permission> sessionPermissions( Session session )
         throws SecurityException
     {
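Review bot: The new `checkAccess( User user, Permission perm, boolean isTrusted )` hands its arguments straight to `createSession` and `checkAccess( session, perm )` without the explicit null checks the REST implementation in this same commit performs with `VUtil.assertNotNull`; unless `createSession` validates `user` itself (not visible here), a null argument surfaces as a NullPointerException instead of a `SecurityException` carrying `GlobalErrIds.USER_NULL`. Mirroring the two assertions here, `VUtil.assertNotNull( user, GlobalErrIds.USER_NULL, CLS_NM + ".checkAccess" );` and the same for `perm` with `GlobalErrIds.PERM_NULL`, keeps the two implementations consistent, assuming those helpers are already in scope in this class. The intermediate `Session` is built for a single decision and then discarded, which is worth a one-line comment such as `// one-shot: the session is not retained beyond this authorization decision`.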

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
index 3bb6797..cf9c331 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/AccessMgrRestImpl.java
@@ -202,6 +202,34 @@ public class AccessMgrRestImpl extends Manageable implements AccessMgr
      * {@inheritDoc}
      */
     @Override
+    public boolean checkAccess(User user, Permission perm, boolean isTrusted)
+        throws SecurityException
+    {
+        VUtil.assertNotNull(perm, GlobalErrIds.PERM_NULL, CLS_NM + ".checkAccess");
+        VUtil.assertNotNull(user, GlobalErrIds.USER_NULL, CLS_NM + ".checkAccess");
+        boolean result;
+        FortRequest request = RestUtils.getRequest( this.contextId );
+        request.setEntity2(user);
+        request.setEntity(perm);
+        request.setIsFlag( isTrusted );
+        String szRequest = RestUtils.marshal(request);
+        String szResponse = RestUtils.getInstance().post(szRequest, HttpIds.RBAC_CHECK);
+        FortResponse response = RestUtils.unmarshall(szResponse);
+        if (response.getErrorCode() == 0)
+        {
+            result = response.getAuthorized();
+        }
+        else
+        {
+            throw new SecurityException(response.getErrorCode(), response.getErrorMessage());
+        }
+        return result;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
     public List<Permission> sessionPermissions(Session session)
         throws SecurityException
     {
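Review bot: In the new `checkAccess(User user, Permission perm, boolean isTrusted)` the `result` local is assigned only on the success branch while the else branch throws, so the method can simply `return response.getAuthorized();` after the error check. If `getAuthorized()` returns a boxed `Boolean` (not visible from the hunk), a response with error code 0 but no authorized value would unbox to a NullPointerException rather than a deny; an explicit guard, `Boolean authorized = response.getAuthorized();` followed by `return authorized != null && authorized;`, keeps the failure mode fail-closed and is harmless if the getter is primitive. The assertion order (`perm` then `user`) also differs from the parameter order, which is a small readability point.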

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
index 8f66e48..aa1dc15 100644
--- a/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
+++ b/src/main/java/org/apache/directory/fortress/core/rest/HttpIds.java
@@ -28,6 +28,7 @@ public class HttpIds
 {
     public static final String RBAC_AUTHN = "rbacAuthN";
     public static final String RBAC_CREATE = "rbacCreate";
+    public static final String RBAC_CHECK = "rbacCheck";
     public static final String RBAC_CREATE_TRUSTED = "rbacCreateT";
     public static final String RBAC_AUTHZ = "rbacAuthZ";
     public static final String RBAC_PERMS = "rbacPerms";

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
index ffc265d..7c9dc7d 100755
--- a/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
+++ b/src/test/java/org/apache/directory/fortress/core/AccessMgrConsole.java
@@ -24,6 +24,7 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.Properties;
 
 import org.apache.directory.fortress.core.model.Permission;
 import org.apache.directory.fortress.core.model.RoleConstraint;
@@ -288,8 +289,8 @@ class AccessMgrConsole
         {
             User user = new User();
             ReaderUtil.clearScreen();
-            System.out.println("Enter userId:");
-            user.setUserId(ReaderUtil.readLn());
+            System.out.println( "Enter userId:" );
+            user.setUserId( ReaderUtil.readLn() );
             System.out.println("Enter role (or NULL to skip):");
             String key = ReaderUtil.readLn();
             for (int i = 0; key != null && key.length() > 0; i++)
@@ -322,7 +323,7 @@ class AccessMgrConsole
             VUtil.assertNotNull(session, GlobalErrIds.USER_SESS_NULL, "AccessMgrConsole.checkAccess");
             ReaderUtil.clearScreen();
             Permission perm = new Permission();
-            System.out.println("Enter object name:");
+            System.out.println( "Enter object name:" );
             perm.setObjName( ReaderUtil.readLn() );
             System.out.println("Enter operation name:");
             perm.setOpName( ReaderUtil.readLn() );
@@ -345,6 +346,42 @@ class AccessMgrConsole
         ReaderUtil.readChar();
     }
 
+    void createSessionCheckAccess()
+    {
+        //Session session = null;
+        try
+        {
+            Permission perm = new Permission();
+            System.out.println("Enter object name:");
+            perm.setObjName( ReaderUtil.readLn() );
+            System.out.println("Enter operation name:");
+            perm.setOpName( ReaderUtil.readLn() );
+            System.out.println("Enter object id (or NULL to skip):");
+            String val = ReaderUtil.readLn();
+            if ( val != null && val.length() > 0 )
+            {
+                perm.setObjId( val );
+            }
+
+            System.out.println("Enter userId:");
+            String userId = ReaderUtil.readLn();
+            User inUser = new User(userId);
+
+            Properties props = new Properties(  );
+            props.setProperty( "locale", "east" );
+            inUser.addProperties( props );
+            boolean result = am.checkAccess( inUser, perm, true );
+            System.out.println("createSessionCheckAccess return [" + result + "] for user
[" + userId + "], objName [" + perm.getObjName() + "], operationName [" + perm.getOpName()
+ "]" +
+                ", objId [" + perm.getObjId() + "]");
+            System.out.println("ENTER to continue");
+        }
+        catch (SecurityException e)
+        {
+            LOG.error("createSessionCheckAccess caught SecurityException rc=" + e.getErrorId()
+ ", msg=" + e.getMessage(), e);
+        }
+        ReaderUtil.readChar();
+    }
+
     void sessionRoles()
     {
         try
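Review bot: `createSessionCheckAccess` hard-codes `isTrusted` to `true` in `am.checkAccess( inUser, perm, true )` and injects a fixed `locale=east` property the operator is never asked about, so this console item only ever exercises the password-bypass path with one property value, whereas the neighbouring session menu items prompt for these. Consider prompting, or at least stating the choice in a comment such as `// trusted: no password is collected, the session is created on userId alone`, so the menu's behavior is visible to whoever reads the log output. The commented-out `//Session session = null;` line and the `new Properties(  )` spacing look like leftovers to drop. The final context line opens `sessionRoles`, whose body continues outside the hunk.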

http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/c105b828/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
----------------------------------------------------------------------
diff --git a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
index a94f8a6..1ab2914 100755
--- a/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
+++ b/src/test/java/org/apache/directory/fortress/core/ProcessMenuCommand.java
@@ -706,12 +706,13 @@ class ProcessMenuCommand
         System.out.println( "4. Create Session with Roles Trusted" );
         System.out.println( "5. Create Session with Props" );
         System.out.println( "6. Check Access - RBAC" );
-        System.out.println( "7. Session Roles" );
-        System.out.println( "8. Add Active Role to Session" );
-        System.out.println( "9. Drop Active Role from Session" );
-        System.out.println( "0. Show User Data in Session" );
-        System.out.println( "A. Show UserId in Session" );
-        System.out.println( "B. Session Permissions" );
+        System.out.println( "7. Create Session & Check Access" );
+        System.out.println( "8. Session Roles" );
+        System.out.println( "9. Add Active Role to Session" );
+        System.out.println( "0. Drop Active Role from Session" );
+        System.out.println( "A. Show User Data in Session" );
+        System.out.println( "B. Show UserId in Session" );
+        System.out.println( "C. Session Permissions" );
         System.out.println( "Enter q or Q to return to previous menu" );
     }
 
@@ -753,23 +754,27 @@ class ProcessMenuCommand
                         accessConsole.checkAccess();
                         break;
                     case '7':
-                        accessConsole.sessionRoles();
+                        accessConsole.createSessionCheckAccess();
                         break;
                     case '8':
-                        accessConsole.addActiveRole();
+                        accessConsole.sessionRoles();
                         break;
                     case '9':
-                        accessConsole.dropActiveRole();
+                        accessConsole.addActiveRole();
                         break;
                     case '0':
-                        accessConsole.getUser();
+                        accessConsole.dropActiveRole();
                         break;
                     case 'a':
                     case 'A':
-                        accessConsole.getUserId();
+                        accessConsole.getUser();
                         break;
                     case 'b':
                     case 'B':
+                        accessConsole.getUserId();
+                        break;
+                    case 'c':
+                    case 'C':
                         accessConsole.sessionPermissions();
                         break;
                     case 'q':

