directory-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From smckin...@apache.org
Subject directory-fortress-enmasse git commit: FC-249 - New API isUserInRole in AccessMgr
Date Wed, 24 Oct 2018 13:26:43 GMT
Repository: directory-fortress-enmasse
Updated Branches:
  refs/heads/master 9b7057d60 -> 3cd213617


FC-249 - New API isUserInRole in AccessMgr


Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/commit/3cd21361
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/tree/3cd21361
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/diff/3cd21361

Branch: refs/heads/master
Commit: 3cd213617259e8c6d8345416f79678a3095ba08b
Parents: 9b7057d
Author: Shawn McKinney <smckinney@apache.org>
Authored: Tue Oct 23 11:14:13 2018 -0500
Committer: Shawn McKinney <smckinney@apache.org>
Committed: Tue Oct 23 11:14:13 2018 -0500

----------------------------------------------------------------------
 .../directory/fortress/rest/AccessMgrImpl.java  | 28 ++++++
 .../fortress/rest/FortressService.java          | 95 ++++++++++++++++++--
 .../fortress/rest/FortressServiceImpl.java      | 13 +++
 3 files changed, 128 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
index c695e5e..b451741 100644
--- a/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/AccessMgrImpl.java
@@ -207,6 +207,34 @@ class AccessMgrImpl extends AbstractMgrImpl
     }
 
 
+    /**
+     * Perform user ROLE check.
+     *
+     * @param request The {@link FortRequest} we have to check
+     * @return a {@link FortResponse} containing the response
+     */
+    /* no qualifier*/ FortResponse isUserInRole( FortRequest request )
+    {
+        FortResponse response = createResponse();
+
+        try
+        {
+            AccessMgr accessMgr = AccessMgrFactory.createInstance( request.getContextId()
);
+            Role role = (Role)request.getEntity();
+            User user = (User) request.getEntity2();
+            boolean isTrusted = request.getIsFlag();
+            boolean result = accessMgr.isUserInRole( user, role, isTrusted );
+            response.setAuthorized( result );
+        }
+        catch ( SecurityException se )
+        {
+            createError( response, LOG, se );
+        }
+
+        return response;
+    }
+
+
     /* No qualifier */ FortResponse sessionPermissions( FortRequest request )
     {
         FortResponse response = createResponse();

http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/FortressService.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressService.java b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
index 55c496d..a36608a 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressService.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressService.java
@@ -4006,13 +4006,13 @@ public interface FortressService
 
 
     /**
-     * Perform user RBAC authorization.  This function returns a Boolean value meaning whether
the subject of a given
-     * session is allowed or not to perform a given operation on a given object. The function
is valid if and
-     * only if the session is a valid Fortress session, the object is a member of the OBJS
data set,
-     * and the operation is a member of the OPS data set. The session's subject has the permission
+     * Combine createSession and checkAccess into a single method.
+     * This function returns a Boolean value meaning whether the User is allowed or not to
perform a given operation on a given object.
+     * The function is valid if and only if the user is a valid Fortress user, the object
is a member of the OBJS data set,
+     * and the operation is a member of the OPS data set. The user has the permission
      * to perform the operation on that object if and only if that permission is assigned
to (at least)
      * one of the session's active roles. This implementation will verify the roles or userId
correspond
-     * to the subject's active roles are registered in the object's access control list.
+     * to the user's active roles are registered in the object's access control list.
      * <h3></h3>
      * <h4>required parameters</h4>
      * <ul>
@@ -4021,8 +4021,10 @@ public interface FortressService
      *     entity
      *   </li>
      *   <li>
-     *     {@link FortRequest#session} - contains a reference to User's RBAC session that
is created by calling
-     *     {@link FortressServiceImpl#createSession} method before use in this service.
+     *     {@link FortRequest#entity2} - contains a reference to User object containing userId.
+     *   </li>
+     *   <li>
+     *     {@link FortRequest#isFlag} - boolean value if true, password check will not be
performed.
      *   </li>
      * </ul>
      * <ul style="list-style-type:none">
@@ -4041,18 +4043,95 @@ public interface FortressService
      *           </li>
      *         </ul>
      *       </li>
+     *       <li>
+     *         <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
+     *         <ul>
+     *           <li>{@link org.apache.directory.fortress.core.model.User#userId} -
maps to INetOrgPerson uid</li>
+     *           <li>{@link org.apache.directory.fortress.core.model.User#password}
- used to authenticate the User</li>
+     *         </ul>
+     *         <h5>User optional parameters</h5>
+     *         <ul>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring
attribute contains the
+     *             names of assigned RBAC roles targeted for activation into Session.
+     *           </li>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.User#props} collection
of name value pairs collected on
+     *             behalf of User during signon.  For example locale:east
+     *           </li>
+     *         </ul>
+     *       </li>
      *     </ul>
      *   </li>
      * </ul>
      *
      * @param request contains a reference to {@code FortRequest}
      * @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean
will be 'true' if User
-     * authorized, otherwise 'false'.  Updated {@link FortResponse#session} will be included
in response as well.
+     * authorized, otherwise 'false'.
      */
     FortResponse createSessionCheckAccess( FortRequest request );
 
 
     /**
+     * Combine createSession and a role check into a single method.
+     * This function returns a Boolean value meaning whether the User has a particular role.
+     * The function is valid if and only if the user is a valid Fortress user and the role
is a member of the ROLES data set.
+     * <h3></h3>
+     * <h4>required parameters</h4>
+     * <ul>
+     *   <li>
+     *     {@link FortRequest#entity} - contains a reference to {@link org.apache.directory.fortress.core.model.Role}
+     *     entity
+     *   </li>
+     *   <li>
+     *     {@link FortRequest#entity2} - contains a reference to User object containing userId.
+     *   </li>
+     *   <li>
+     *     {@link FortRequest#isFlag} - boolean value if true, password check will not be
performed.
+     *   </li>
+     * </ul>
+     * <ul style="list-style-type:none">
+     *   <li>
+     *     <ul style="list-style-type:none">
+     *       <li>
+     *         <h5>{@link org.apache.directory.fortress.core.model.Role} required parameters</h5>
+     *         <ul>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.Role#name} - contains
the name of existing
+     *             role being targeted for check.
+     *           </li>
+     *         </ul>
+     *       </li>
+     *       <li>
+     *         <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
+     *         <ul>
+     *           <li>{@link org.apache.directory.fortress.core.model.User#userId} -
maps to INetOrgPerson uid</li>
+     *           <li>{@link org.apache.directory.fortress.core.model.User#password}
- used to authenticate the User</li>
+     *         </ul>
+     *         <h5>User optional parameters</h5>
+     *         <ul>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring
attribute contains the
+     *             names of assigned RBAC roles targeted for activation into Session.
+     *           </li>
+     *           <li>
+     *             {@link org.apache.directory.fortress.core.model.User#props} collection
of name value pairs collected on
+     *             behalf of User during signon.  For example locale:east
+     *           </li>
+     *         </ul>
+     *       </li>
+     *     </ul>
+     *   </li>
+     * </ul>
+     *
+     * @param request contains a reference to {@code FortRequest}
+     * @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean
will be 'true' if User
+     * authorized, otherwise 'false'..
+     */
+    FortResponse isUserInRole( FortRequest request );
+
+
+    /**
      * This function returns the permissions of the session, i.e., the permissions assigned
      * to its authorized roles. The function is valid if and only if the session is a valid
Fortress session.
      * <h3></h3>

http://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse/blob/3cd21361/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
index 3e0fe8e..1cd57b0 100644
--- a/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
+++ b/src/main/java/org/apache/directory/fortress/rest/FortressServiceImpl.java
@@ -1248,6 +1248,19 @@ public class FortressServiceImpl implements FortressService
      * {@inheritDoc}
      */
     @POST
+    @Path("/" + HttpIds.RBAC_CHECK_ROLE + "/")
+    @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
+    @Override
+    public FortResponse isUserInRole( FortRequest request )
+    {
+        return accessMgrImpl.isUserInRole( request );
+    }
+
+
+    /**
+     * {@inheritDoc}
+     */
+    @POST
     @Path("/" + HttpIds.RBAC_PERMS + "/")
     @RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
     @Override


Mime
View raw message