X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FAbstractUserDirectory.java;h=671f634969bd8f49db28a20eabace94a02df6c17;hb=6bd449f839949c0ebc7eafdd9c9997dc10850db0;hp=1d2e72759b479151ddf032d8a8f9a1ac19ef5bd2;hpb=137290df09ccfb49fcdfc72b611aa8d32182342c;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java index 1d2e72759..671f63496 100644 --- a/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java +++ b/org.argeo.security.core/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java @@ -12,10 +12,10 @@ import java.net.URISyntaxException; import java.util.ArrayList; import java.util.Arrays; import java.util.Dictionary; -import java.util.HashMap; +import java.util.Enumeration; +import java.util.Hashtable; import java.util.Iterator; import java.util.List; -import java.util.Map; import javax.naming.InvalidNameException; import javax.naming.directory.Attributes; @@ -26,9 +26,6 @@ import javax.naming.ldap.Rdn; import javax.transaction.SystemException; import javax.transaction.Transaction; import javax.transaction.TransactionManager; -import javax.transaction.xa.XAException; -import javax.transaction.xa.XAResource; -import javax.transaction.xa.Xid; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; @@ -36,22 +33,22 @@ import org.osgi.framework.Filter; import org.osgi.framework.FrameworkUtil; import org.osgi.framework.InvalidSyntaxException; import org.osgi.service.useradmin.Authorization; -import org.osgi.service.useradmin.Group; import org.osgi.service.useradmin.Role; import org.osgi.service.useradmin.User; import org.osgi.service.useradmin.UserAdmin; +/** Base class for a {@link UserDirectory}. */ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { private final static Log log = LogFactory .getLog(AbstractUserDirectory.class); - private Dictionary properties; - private String baseDn = "dc=example,dc=com"; - private String userObjectClass; - private String groupObjectClass; + private final Hashtable properties; + private final String baseDn; + private final String userObjectClass; + private final String groupObjectClass; - private boolean isReadOnly; - private URI uri; + private final boolean readOnly; + private final URI uri; private UserAdmin externalRoles; private List indexedUserProperties = Arrays.asList(new String[] { @@ -61,16 +58,17 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { private List credentialAttributeIds = Arrays .asList(new String[] { LdifName.userpassword.name() }); - // private TransactionSynchronizationRegistry syncRegistry; - // private Object editingTransactionKey = null; - private TransactionManager transactionManager; - private ThreadLocal workingCopy = new ThreadLocal(); - private Xid editingTransactionXid = null; - - public AbstractUserDirectory(Dictionary properties) { - // TODO make a copy? - this.properties = properties; + // private TransactionSynchronizationRegistry transactionRegistry; + // private Xid editingTransactionXid = null; + private WcXaResource xaResource = new WcXaResource(this); + + AbstractUserDirectory(Dictionary props) { + properties = new Hashtable(); + for (Enumeration keys = props.keys(); keys.hasMoreElements();) { + String key = keys.nextElement(); + properties.put(key, props.get(key)); + } String uriStr = UserAdminConf.uri.getValue(properties); if (uriStr == null) @@ -79,29 +77,25 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { try { uri = new URI(uriStr); } catch (URISyntaxException e) { - throw new UserDirectoryException("Badly formatted URI", e); + throw new UserDirectoryException("Badly formatted URI " + + uriStr, e); } baseDn = UserAdminConf.baseDn.getValue(properties).toString(); - String isReadOnly = UserAdminConf.readOnly.getValue(properties); - if (isReadOnly == null) - this.isReadOnly = readOnlyDefault(uri); - else - this.isReadOnly = new Boolean(isReadOnly); + String readOnlyStr = UserAdminConf.readOnly.getValue(properties); + if (readOnlyStr == null) { + readOnly = readOnlyDefault(uri); + properties.put(UserAdminConf.readOnly.property(), + Boolean.toString(readOnly)); + } else + readOnly = new Boolean(readOnlyStr); - this.userObjectClass = UserAdminConf.userObjectClass - .getValue(properties); - this.groupObjectClass = UserAdminConf.groupObjectClass - .getValue(properties); + userObjectClass = UserAdminConf.userObjectClass.getValue(properties); + groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties); } - // public AbstractUserDirectory(URI uri, boolean isReadOnly) { - // this.uri = uri; - // this.isReadOnly = isReadOnly; - // } - - /** Returns the {@link Group}s this user is a direct member of. */ - protected abstract List getDirectGroups(User user); + /** Returns the groups this user is a direct member of. */ + protected abstract List getDirectGroups(LdapName dn); protected abstract Boolean daoHasRole(LdapName dn); @@ -109,9 +103,6 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { protected abstract List doGetRoles(Filter f); - protected abstract void doGetUser(String key, String value, - List collectedUsers); - public void init() { } @@ -121,23 +112,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { } boolean isEditing() { - if (editingTransactionXid == null) - return false; - return workingCopy.get() != null; - // Object currentTrKey = syncRegistry.getTransactionKey(); - // if (currentTrKey == null) + // if (editingTransactionXid == null) // return false; - // return editingTransactionKey.equals(currentTrKey); + // return workingCopy.get() != null; + return xaResource.wc() != null; } - protected WorkingCopy getWorkingCopy() { - WorkingCopy wc = workingCopy.get(); + protected UserDirectoryWorkingCopy getWorkingCopy() { + // UserDirectoryWorkingCopy wc = workingCopy.get(); + UserDirectoryWorkingCopy wc = xaResource.wc(); if (wc == null) return null; - if (wc.xid == null) { - workingCopy.set(null); - return null; - } + // if (wc.getXid() == null) { + // workingCopy.set(null); + // return null; + // } return wc; } @@ -151,27 +140,30 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { if (transaction == null) throw new UserDirectoryException( "A transaction needs to be active in order to edit"); - if (editingTransactionXid == null) { - WorkingCopy wc = new WorkingCopy(); + if (xaResource.wc() == null) { + // UserDirectoryWorkingCopy wc = new UserDirectoryWorkingCopy(this); try { - transaction.enlistResource(wc); - editingTransactionXid = wc.getXid(); - workingCopy.set(wc); + transaction.enlistResource(xaResource); + // editingTransactionXid = wc.getXid(); + // workingCopy.set(wc); } catch (Exception e) { - throw new UserDirectoryException("Cannot enlist " + wc, e); + throw new UserDirectoryException("Cannot enlist " + xaResource, + e); } } else { - if (workingCopy.get() == null) - throw new UserDirectoryException("Transaction " - + editingTransactionXid + " already editing"); - else if (!editingTransactionXid.equals(workingCopy.get().getXid())) - throw new UserDirectoryException("Working copy Xid " - + workingCopy.get().getXid() + " inconsistent with" - + editingTransactionXid); + // UserDirectoryWorkingCopy wc = xaResource.wc(); + // if (wc == null) + // throw new UserDirectoryException("Transaction " + // + editingTransactionXid + " already editing"); + // else if + // (!editingTransactionXid.equals(workingCopy.get().getXid())) + // throw new UserDirectoryException("Working copy Xid " + // + workingCopy.get().getXid() + " inconsistent with" + // + editingTransactionXid); } } - List getAllRoles(User user) { + List getAllRoles(DirectoryUser user) { List allRoles = new ArrayList(); if (user != null) { collectRoles(user, allRoles); @@ -181,9 +173,10 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { return allRoles; } - private void collectRoles(User user, List allRoles) { - for (Group group : getDirectGroups(user)) { + private void collectRoles(DirectoryUser user, List allRoles) { + for (LdapName groupDn : getDirectGroups(user.getDn())) { // TODO check for loops + DirectoryUser group = doGetRole(groupDn); allRoles.add(group); collectRoles(group, allRoles); } @@ -196,13 +189,16 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { // USER ADMIN @Override public Role getRole(String name) { - LdapName key = toDn(name); - WorkingCopy wc = getWorkingCopy(); - DirectoryUser user = daoGetRole(key); + return doGetRole(toDn(name)); + } + + protected DirectoryUser doGetRole(LdapName dn) { + UserDirectoryWorkingCopy wc = getWorkingCopy(); + DirectoryUser user = daoGetRole(dn); if (wc != null) { - if (user == null && wc.getNewUsers().containsKey(key)) - user = wc.getNewUsers().get(key); - else if (wc.getDeletedUsers().containsKey(key)) + if (user == null && wc.getNewUsers().containsKey(dn)) + user = wc.getNewUsers().get(dn); + else if (wc.getDeletedUsers().containsKey(dn)) user = null; } return user; @@ -211,7 +207,7 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { @SuppressWarnings("unchecked") @Override public Role[] getRoles(String filter) throws InvalidSyntaxException { - WorkingCopy wc = getWorkingCopy(); + UserDirectoryWorkingCopy wc = getWorkingCopy(); Filter f = filter != null ? FrameworkUtil.createFilter(filter) : null; List res = doGetRoles(f); if (wc != null) { @@ -254,9 +250,25 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { } if (collectedUsers.size() == 1) return collectedUsers.get(0); + else if (collectedUsers.size() > 1) + log.warn(collectedUsers.size() + " users for " + + (key != null ? key + "=" : "") + value); return null; } + protected void doGetUser(String key, String value, + List collectedUsers) { + try { + Filter f = FrameworkUtil.createFilter("(&(" + objectClass + "=" + + getUserObjectClass() + ")(" + key + "=" + value + "))"); + List users = doGetRoles(f); + collectedUsers.addAll(users); + } catch (InvalidSyntaxException e) { + throw new UserDirectoryException("Cannot get user with " + key + + "=" + value, e); + } + } + @Override public Authorization getAuthorization(User user) { return new LdifAuthorization((DirectoryUser) user, @@ -266,7 +278,7 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { @Override public Role createRole(String name, int type) { checkEdit(); - WorkingCopy wc = getWorkingCopy(); + UserDirectoryWorkingCopy wc = getWorkingCopy(); LdapName dn = toDn(name); if ((daoHasRole(dn) && !wc.getDeletedUsers().containsKey(dn)) || wc.getNewUsers().containsKey(dn)) @@ -315,33 +327,41 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { @Override public boolean removeRole(String name) { checkEdit(); - WorkingCopy wc = getWorkingCopy(); + UserDirectoryWorkingCopy wc = getWorkingCopy(); LdapName dn = toDn(name); - if (!daoHasRole(dn) && !wc.getNewUsers().containsKey(dn)) - return false; - DirectoryUser user = (DirectoryUser) getRole(name); - wc.getDeletedUsers().put(dn, user); - // FIXME clarify directgroups - for (DirectoryGroup group : getDirectGroups(user)) { + boolean actuallyDeleted; + if (daoHasRole(dn) || wc.getNewUsers().containsKey(dn)) { + DirectoryUser user = (DirectoryUser) getRole(name); + wc.getDeletedUsers().put(dn, user); + actuallyDeleted = true; + } else {// just removing from groups (e.g. system roles) + actuallyDeleted = false; + } + for (LdapName groupDn : getDirectGroups(dn)) { + DirectoryUser group = doGetRole(groupDn); group.getAttributes().get(getMemberAttributeId()) .remove(dn.toString()); } - return true; + return actuallyDeleted; } // TRANSACTION - protected void prepare(WorkingCopy wc) { + protected void prepare(UserDirectoryWorkingCopy wc) { } - protected void commit(WorkingCopy wc) { + protected void commit(UserDirectoryWorkingCopy wc) { } - protected void rollback(WorkingCopy wc) { + protected void rollback(UserDirectoryWorkingCopy wc) { } + // void clearEditingTransactionXid() { + // editingTransactionXid = null; + // } + // UTILITIES protected LdapName toDn(String name) { try { @@ -365,10 +385,6 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { return uri; } - protected void setUri(URI uri) { - this.uri = uri; - } - protected List getIndexedUserProperties() { return indexedUserProperties; } @@ -377,22 +393,21 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { this.indexedUserProperties = indexedUserProperties; } - protected void setReadOnly(boolean isReadOnly) { - this.isReadOnly = isReadOnly; - } - private static boolean readOnlyDefault(URI uri) { if (uri == null) return true; if (uri.getScheme().equals("file")) { File file = new File(uri); - return !file.canWrite(); + if (file.exists()) + return !file.canWrite(); + else + return !file.getParentFile().canWrite(); } return true; } public boolean isReadOnly() { - return isReadOnly; + return readOnly; } UserAdmin getExternalRoles() { @@ -423,156 +438,8 @@ abstract class AbstractUserDirectory implements UserAdmin, UserDirectory { this.transactionManager = transactionManager; } - // - // XA RESOURCE - // - protected class WorkingCopy implements XAResource { - private Xid xid; - private int transactionTimeout = 0; - - private Map newUsers = new HashMap(); - private Map modifiedUsers = new HashMap(); - private Map deletedUsers = new HashMap(); - - @Override - public void start(Xid xid, int flags) throws XAException { - if (editingTransactionXid != null) - throw new UserDirectoryException("Transaction " - + editingTransactionXid + " already editing"); - this.xid = xid; - } - - @Override - public void end(Xid xid, int flags) throws XAException { - checkXid(xid); - - // clean collections - newUsers.clear(); - newUsers = null; - modifiedUsers.clear(); - modifiedUsers = null; - deletedUsers.clear(); - deletedUsers = null; - - // clean IDs - this.xid = null; - editingTransactionXid = null; - } - - @Override - public int prepare(Xid xid) throws XAException { - checkXid(xid); - if (noModifications()) - return XA_RDONLY; - try { - AbstractUserDirectory.this.prepare(this); - } catch (Exception e) { - log.error("Cannot prepare " + xid, e); - throw new XAException(XAException.XA_RBOTHER); - } - return XA_OK; - } - - @Override - public void commit(Xid xid, boolean onePhase) throws XAException { - checkXid(xid); - if (noModifications()) - return; - try { - if (onePhase) - AbstractUserDirectory.this.prepare(this); - AbstractUserDirectory.this.commit(this); - } catch (Exception e) { - log.error("Cannot commit " + xid, e); - throw new XAException(XAException.XA_RBOTHER); - } - } - - @Override - public void rollback(Xid xid) throws XAException { - checkXid(xid); - try { - AbstractUserDirectory.this.rollback(this); - } catch (Exception e) { - log.error("Cannot rollback " + xid, e); - throw new XAException(XAException.XA_HEURMIX); - } - } - - @Override - public void forget(Xid xid) throws XAException { - throw new UnsupportedOperationException(); - } - - @Override - public boolean isSameRM(XAResource xares) throws XAException { - return xares == this; - } - - @Override - public Xid[] recover(int flag) throws XAException { - throw new UnsupportedOperationException(); - } - - @Override - public int getTransactionTimeout() throws XAException { - return transactionTimeout; - } - - @Override - public boolean setTransactionTimeout(int seconds) throws XAException { - transactionTimeout = seconds; - return true; - } - - private Xid getXid() { - return xid; - } - - private void checkXid(Xid xid) throws XAException { - if (this.xid == null) - throw new XAException(XAException.XAER_OUTSIDE); - if (!this.xid.equals(xid)) - throw new XAException(XAException.XAER_NOTA); - } - - @Override - protected void finalize() throws Throwable { - if (editingTransactionXid != null) - log.warn("Editing transaction still referenced but no working copy " - + editingTransactionXid); - editingTransactionXid = null; - } - - public boolean noModifications() { - return newUsers.size() == 0 && modifiedUsers.size() == 0 - && deletedUsers.size() == 0; - } - - public Attributes getAttributes(LdapName dn) { - if (modifiedUsers.containsKey(dn)) - return modifiedUsers.get(dn); - return null; - } - - public void startEditing(DirectoryUser user) { - LdapName dn = user.getDn(); - if (modifiedUsers.containsKey(dn)) - throw new UserDirectoryException("Already editing " + dn); - modifiedUsers.put(dn, (Attributes) user.getAttributes().clone()); - } - - public Map getNewUsers() { - return newUsers; - } - - public Map getDeletedUsers() { - return deletedUsers; - } - - public Map getModifiedUsers() { - return modifiedUsers; - } - + public WcXaResource getXaResource() { + return xaResource; } + }