X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FDirectoryUserAdmin.java;h=8ed23ad2ec92d747c66b3ba395ddb80844b525fa;hb=1d6840195189cbdbf632ca2800b6179d3b6349df;hp=6f3bd1a6865695cbdbc48729c10a7fda745fc156;hpb=e921c662016dd893e60f3e801eb86d676adcb77d;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
index 6f3bd1a68..8ed23ad2e 100644
--- a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
+++ b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
@@ -8,9 +8,10 @@ import static org.argeo.util.naming.LdapObjs.person;
 import static org.argeo.util.naming.LdapObjs.top;
 import java.net.URI;
-import java.nio.channels.UnsupportedAddressTypeException;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Dictionary;
+import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.List;
@@ -21,7 +22,10 @@ import javax.naming.directory.BasicAttribute;
 import javax.naming.directory.BasicAttributes;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
+import org.argeo.util.CurrentSubject;
 import org.argeo.util.directory.DirectoryConf;
 import org.argeo.util.directory.DirectoryDigestUtils;
 import org.argeo.util.directory.HierarchyUnit;
@@ -146,16 +150,16 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 protected List getAllRoles(DirectoryUser user) {
 List allRoles = new ArrayList();
 if (user != null) {
- collectRoles(user, allRoles);
+ collectRoles((LdapEntry) user, allRoles);
 allRoles.add(user);
 } else
 collectAnonymousRoles(allRoles);
 return allRoles;
 }
- private void collectRoles(DirectoryUser user, List allRoles) {
+ private void collectRoles(LdapEntry user, List allRoles) {
 List allEntries = new ArrayList<>();
- LdapEntry entry = (LdapEntry) user;
+ LdapEntry entry = user;
 collectGroups(entry, allEntries);
 for (LdapEntry e : allEntries) {
 if (e instanceof Role)
@@ -275,24 +279,54 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 @Override
 public Authorization getAuthorization(User user) {
- if (user == null || user instanceof DirectoryUser) {
- return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+ if (user == null) {// anonymous
+ return new LdifAuthorization(user, getAllRoles(null));
+ }
+ LdapName userName = toLdapName(user.getName());
+ if (isExternal(userName) && user instanceof LdapEntry) {
+ List allRoles = new ArrayList();
+ collectRoles((LdapEntry) user, allRoles);
+ return new LdifAuthorization(user, allRoles);
 } else {
- // bind
- DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
- try {
- DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
- if (directoryUser == null)
- throw new IllegalStateException("No scoped user found for " + user);
- LdifAuthorization authorization = new LdifAuthorization(directoryUser,
- scopedUserAdmin.getAllRoles(directoryUser));
- return authorization;
- } finally {
- scopedUserAdmin.destroy();
+
+ Subject currentSubject = CurrentSubject.current();
+ if (currentSubject != null //
+ && getRealm().isPresent() //
+ && !currentSubject.getPrivateCredentials(Authorization.class).isEmpty() //
+ && !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) //
+ {
+ // TODO not only Kerberos but also bind scope with kept password ?
+ Authorization auth = currentSubject.getPrivateCredentials(Authorization.class).iterator().next();
+ // bind with authenticating user
+ DirectoryUserAdmin scopedUserAdmin = Subject.doAs(currentSubject,
+ (PrivilegedAction) () -> (DirectoryUserAdmin) scope(
+ new AuthenticatingUser(auth.getName(), new Hashtable<>())));
+ return getAuthorizationFromScoped(scopedUserAdmin, user);
+ }
+
+ if (user instanceof DirectoryUser) {
+ return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+ } else {
+ // bind with authenticating user
+ DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
+ return getAuthorizationFromScoped(scopedUserAdmin, user);
 }
 }
 }
+ private Authorization getAuthorizationFromScoped(DirectoryUserAdmin scopedUserAdmin, User user) {
+ try {
+ DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
+ if (directoryUser == null)
+ throw new IllegalStateException("No scoped user found for " + user);
+ LdifAuthorization authorization = new LdifAuthorization(directoryUser,
+ scopedUserAdmin.getAllRoles(directoryUser));
+ return authorization;
+ } finally {
+ scopedUserAdmin.destroy();
+ }
+ }
+
 @Override
 public Role createRole(String name, int type) {
 checkEdit();
@@ -312,13 +346,13 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 return getRole(name);
 } else {
 wc.getModifiedData().put(dn, attrs);
- LdapEntry newRole = newRole(dn, type, attrs);
+ LdapEntry newRole = doCreateRole(dn, type, attrs);
 wc.getNewData().put(dn, newRole);
 return (Role) newRole;
 }
 }
- protected LdapEntry newRole(LdapName dn, int type, Attributes attrs) {
+ private LdapEntry doCreateRole(LdapName dn, int type, Attributes attrs) {
 LdapEntry newRole;
 BasicAttribute objClass = new BasicAttribute(objectClass.name());
 if (type == Role.USER) {
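Review bot: The Kerberos branch of getAuthorization is chosen on the mere presence of a KerberosTicket in the current Subject, not on its validity, so a Subject still carrying an expired TGT is routed into `Subject.doAs` + `scope(new AuthenticatingUser(auth.getName(), new Hashtable<>()))` instead of the `scope(user)` fallback, and what happens next depends on how scope() reacts to a failed GSSAPI bind, which is outside this hunk. Replacing the last condition with `&& currentSubject.getPrivateCredentials(KerberosTicket.class).stream().anyMatch(KerberosTicket::isCurrent)` would make the branch choice match what the bind can actually do. That branch also resolves the roles of `user` through a bind performed as the current principal (`auth.getName()`), i.e. with the caller's own LDAP access rights when `user` is somebody else; the TODO above only mentions extending the mechanism to passwords, so a comment such as `// roles of 'user' are read under the caller's LDAP privileges, not user's` would make the delegation explicit. Note that `Subject.doAs` is deprecated since Java 18; if the build targets 18 or later, `Subject.callAs` is the replacement.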
@@ -333,14 +367,14 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 objClass.add(top.name());
 objClass.add(extensibleObject.name());
 attrs.put(objClass);
- newRole = newUser(dn, attrs);
+ newRole = newUser(dn);
 } else if (type == Role.GROUP) {
 String groupObjClass = getGroupObjectClass();
 objClass.add(groupObjClass);
 // objClass.add(LdifName.extensibleObject.name());
 objClass.add(top.name());
 attrs.put(objClass);
- newRole = newGroup(dn, attrs);
+ newRole = newGroup(dn);
 } else
 throw new IllegalArgumentException("Unsupported type " + type);
 return newRole;
@@ -382,7 +416,7 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 @Override
 public Iterable getHierarchyUnitRoles(HierarchyUnit hierarchyUnit, String filter, boolean deep) {
- LdapName dn = LdapNameUtils.toLdapName(hierarchyUnit.getContext());
+ LdapName dn = LdapNameUtils.toLdapName(hierarchyUnit.getBase());
 try {
 return getRoles(dn, filter, deep);
 } catch (InvalidSyntaxException e) {
@@ -393,13 +427,13 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 /*
 * ROLES CREATION
 */
- protected LdapEntry newUser(LdapName name, Attributes attrs) {
+ protected LdapEntry newUser(LdapName name) {
 // TODO support devices, applications, etc.
- return new LdifUser(this, name, attrs);
+ return new LdifUser(this, name);
 }
- protected LdapEntry newGroup(LdapName name, Attributes attrs) {
+ protected LdapEntry newGroup(LdapName name) {
- return new LdifGroup(this, name, attrs);
+ return new LdifGroup(this, name);
 }