import java.util.ArrayList;
import java.util.Arrays;
-import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
-import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
-import org.argeo.naming.LdapAttrs;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
*/
public class AggregatingUserAdmin implements UserAdmin {
private final LdapName systemRolesBaseDn;
+ private final LdapName tokensBaseDn;
// DAOs
private AbstractUserDirectory systemRoles = null;
+ private AbstractUserDirectory tokens = null;
private Map<LdapName, AbstractUserDirectory> businessRoles = new HashMap<LdapName, AbstractUserDirectory>();
- public AggregatingUserAdmin(String systemRolesBaseDn) {
+ public AggregatingUserAdmin(String systemRolesBaseDn, String tokensBaseDn) {
try {
this.systemRolesBaseDn = new LdapName(systemRolesBaseDn);
+ if (tokensBaseDn != null)
+ this.tokensBaseDn = new LdapName(tokensBaseDn);
+ else
+ this.tokensBaseDn = null;
} catch (InvalidNameException e) {
throw new UserDirectoryException("Cannot initialize " + AggregatingUserAdmin.class, e);
}
public User getUser(String key, String value) {
List<User> res = new ArrayList<User>();
for (UserAdmin userAdmin : businessRoles.values()) {
- User u = userAdmin.getUser(key, value);
- if (u != null)
- res.add(u);
+ User u = userAdmin.getUser(key, value);
+ if (u != null)
+ res.add(u);
}
// Note: node roles cannot contain users, so it is not searched
return res.size() == 1 ? res.get(0) : null;
if (user == null) {// anonymous
return systemRoles.getAuthorization(null);
}
- UserAdmin userAdmin = findUserAdmin(user.getName());
- Authorization rawAuthorization = userAdmin.getAuthorization(user);
+ AbstractUserDirectory userReferentialOfThisUser = findUserAdmin(user.getName());
+ Authorization rawAuthorization = userReferentialOfThisUser.getAuthorization(user);
String usernameToUse;
String displayNameToUse;
- if (user instanceof Group) {// tokens
- String ownerDn = (String) user.getProperties().get(LdapAttrs.owner.name());
- if (ownerDn != null) {
+ if (user instanceof Group) {
+ // TODO check whether this is still working
+ String ownerDn = TokenUtils.userDn((Group) user);
+ if (ownerDn != null) {// tokens
UserAdmin ownerUserAdmin = findUserAdmin(ownerDn);
User ownerUser = (User) ownerUserAdmin.getRole(ownerDn);
usernameToUse = ownerDn;
displayNameToUse = LdifAuthorization.extractDisplayName(ownerUser);
} else {
- throw new UserDirectoryException(
- "Cannot get authorization for group " + user.getName() + " without owner");
+ usernameToUse = rawAuthorization.getName();
+ displayNameToUse = rawAuthorization.toString();
}
} else {// regular users
usernameToUse = rawAuthorization.getName();
displayNameToUse = rawAuthorization.toString();
}
- // gather system roles
- Set<String> sysRoles = new HashSet<String>();
- for (String role : rawAuthorization.getRoles()) {
- Authorization auth = systemRoles.getAuthorization((User) userAdmin.getRole(role));
- sysRoles.addAll(Arrays.asList(auth.getRoles()));
+
+ // gather roles from other referentials
+ final AbstractUserDirectory userAdminToUse;// possibly scoped when authenticating
+ if (user instanceof DirectoryUser) {
+ userAdminToUse = userReferentialOfThisUser;
+ } else if (user instanceof AuthenticatingUser) {
+ userAdminToUse = userReferentialOfThisUser.scope(user);
+ } else {
+ throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ }
+
+ try {
+ Set<String> sysRoles = new HashSet<String>();
+ for (String role : rawAuthorization.getRoles()) {
+ User userOrGroup = (User) userAdminToUse.getRole(role);
+ Authorization auth = systemRoles.getAuthorization(userOrGroup);
+ systemRoles: for (String systemRole : auth.getRoles()) {
+ if (role.equals(systemRole))
+ continue systemRoles;
+ sysRoles.add(systemRole);
+ }
+// sysRoles.addAll(Arrays.asList(auth.getRoles()));
+ }
+ addAbstractSystemRoles(rawAuthorization, sysRoles);
+ Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
+ rawAuthorization.getRoles());
+ return authorization;
+ } finally {
+ if (userAdminToUse != null && userAdminToUse.isScoped()) {
+ userAdminToUse.destroy();
+ }
}
- addAbstractSystemRoles(rawAuthorization, sysRoles);
- Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
- rawAuthorization.getRoles());
- return authorization;
}
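Review bot: The new loop line `User userOrGroup = (User) userAdminToUse.getRole(role);` does not handle a null return, and the anonymous branch at the top of the hunk shows that `systemRoles.getAuthorization(null)` yields the anonymous authorization, so an unresolvable role name would silently merge the anonymous system roles into `sysRoles` instead of failing. `UserAdmin.getRole` is specified to return null for a missing role, and `userAdminToUse` may be a scoped directory, so this case looks reachable. I would make the decision explicit before the call, e.g. `if (userOrGroup == null) throw new UserDirectoryException("Cannot resolve role " + role + " in " + userAdminToUse);` (or a `continue` with a comment if a missing role is meant to be best-effort). The `userAdminToUse != null` test in the finally clause is always true because every branch above either assigns it or throws, and the commented-out `addAll` line should be deleted rather than kept. getAuthorization's signature is outside the hunk.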
/**
if (isSystemRolesBaseDn(baseDn)) {
this.systemRoles = userDirectory;
systemRoles.setExternalRoles(this);
+ } else if (isTokensBaseDn(baseDn)) {
+ this.tokens = userDirectory;
+ tokens.setExternalRoles(this);
} else {
if (businessRoles.containsKey(baseDn))
throw new UserDirectoryException("There is already a user admin for " + baseDn);
protected void postAdd(AbstractUserDirectory userDirectory) {
}
- private UserAdmin findUserAdmin(String name) {
+// private UserAdmin findUserAdmin(User user) {
+// if (user == null)
+// throw new IllegalArgumentException("User should not be null");
+// AbstractUserDirectory userAdmin = findUserAdmin(user.getName());
+// if (user instanceof DirectoryUser) {
+// return userAdmin;
+// } else {
+// return userAdmin.scope(user);
+// }
+// }
+
+ private AbstractUserDirectory findUserAdmin(String name) {
try {
- UserAdmin userAdmin = findUserAdmin(new LdapName(name));
- return userAdmin;
+ return findUserAdmin(new LdapName(name));
} catch (InvalidNameException e) {
throw new UserDirectoryException("Badly formatted name " + name, e);
}
}
- private UserAdmin findUserAdmin(LdapName name) {
+ private AbstractUserDirectory findUserAdmin(LdapName name) {
if (name.startsWith(systemRolesBaseDn))
return systemRoles;
- List<UserAdmin> res = new ArrayList<UserAdmin>(1);
- for (LdapName baseDn : businessRoles.keySet()) {
+ if (tokensBaseDn != null && name.startsWith(tokensBaseDn))
+ return tokens;
+ List<AbstractUserDirectory> res = new ArrayList<>(1);
+ userDirectories: for (LdapName baseDn : businessRoles.keySet()) {
+ AbstractUserDirectory userDirectory = businessRoles.get(baseDn);
if (name.startsWith(baseDn)) {
- AbstractUserDirectory ud = businessRoles.get(baseDn);
- if (!ud.isDisabled())
- res.add(ud);
+ if (userDirectory.isDisabled())
+ continue userDirectories;
+// if (res.isEmpty()) {
+ res.add(userDirectory);
+// } else {
+// for (AbstractUserDirectory ud : res) {
+// LdapName bd = ud.getBaseDn();
+// if (userDirectory.getBaseDn().startsWith(bd)) {
+// // child user directory
+// }
+// }
+// }
}
}
if (res.size() == 0)
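Review bot: The new `return tokens;` branch can hand back null when `tokensBaseDn` is configured but no directory has been added for it yet (`tokens` is initialised to null on its field line), and the caller in getAuthorization immediately invokes `getAuthorization` on the result; the same latent gap exists for `systemRoles`, but the tokens path is what this commit introduces. A guard such as `if (tokens == null) throw new UserDirectoryException("No tokens directory registered for " + tokensBaseDn);` before the return would turn a NullPointerException into a named failure. The commented-out child-directory block inside the loop should be removed or reduced to a one-line TODO so the loop body reads cleanly. The remainder of findUserAdmin(LdapName) after the `res.size() == 0` check lies outside the hunk.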
return baseDn.equals(systemRolesBaseDn);
}
- protected Dictionary<String, Object> currentState() {
- Dictionary<String, Object> res = new Hashtable<String, Object>();
- // res.put(NodeConstants.CN, NodeConstants.DEFAULT);
- for (LdapName name : businessRoles.keySet()) {
- AbstractUserDirectory userDirectory = businessRoles.get(name);
- String uri = UserAdminConf.propertiesAsUri(userDirectory.getProperties()).toString();
- res.put(uri, "");
- }
- return res;
+ protected boolean isTokensBaseDn(LdapName baseDn) {
+ return tokensBaseDn != null && baseDn.equals(tokensBaseDn);
}
+// protected Dictionary<String, Object> currentState() {
+// Dictionary<String, Object> res = new Hashtable<String, Object>();
+// // res.put(NodeConstants.CN, NodeConstants.DEFAULT);
+// for (LdapName name : businessRoles.keySet()) {
+// AbstractUserDirectory userDirectory = businessRoles.get(name);
+// String uri = UserAdminConf.propertiesAsUri(userDirectory.getProperties()).toString();
+// res.put(uri, "");
+// }
+// return res;
+// }
+
public void destroy() {
for (LdapName name : businessRoles.keySet()) {
AbstractUserDirectory userDirectory = businessRoles.get(name);