import java.util.Hashtable;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
return res.size() == 1 ? res.get(0) : null;
}
+ /** Builds an authorisation by scanning all referentials. */
@Override
public Authorization getAuthorization(User user) {
if (user == null) {// anonymous
}
// gather roles from other referentials
- List<String> allRoles = new ArrayList<>(Arrays.asList(rawAuthorization.getRoles()));
+ List<String> rawRoles = Arrays.asList(rawAuthorization.getRoles());
+ List<String> allRoles = new ArrayList<>(rawRoles);
for (LdapName otherBaseDn : businessRoles.keySet()) {
if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
continue;
- DirectoryUserAdmin otherUserAdmin = businessRoles.get(otherBaseDn);
- Authorization auth = otherUserAdmin.getAuthorization(retrievedUser);
- allRoles.addAll(Arrays.asList(auth.getRoles()));
+ DirectoryUserAdmin otherUserAdmin = userAdminToUse(user, businessRoles.get(otherBaseDn));
+ if (otherUserAdmin == null)
+ continue;
+ for (String roleStr : rawRoles) {
+ User role = (User) findUserAdmin(roleStr).getRole(roleStr);
+ Authorization auth = otherUserAdmin.getAuthorization(role);
+ allRoles.addAll(Arrays.asList(auth.getRoles()));
+ }
}
// integrate system roles
- final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
- if (user instanceof DirectoryUser) {
- userAdminToUse = userReferentialOfThisUser;
- } else if (user instanceof AuthenticatingUser) {
- userAdminToUse = (DirectoryUserAdmin) userReferentialOfThisUser.scope(user);
- } else {
- throw new IllegalArgumentException("Unsupported user type " + user.getClass());
- }
+ final DirectoryUserAdmin userAdminToUse = userAdminToUse(retrievedUser, userReferentialOfThisUser);
+ Objects.requireNonNull(userAdminToUse);
try {
Set<String> sysRoles = new HashSet<String>();
}
}
+ /** Decide whether to scope or not */
+ private DirectoryUserAdmin userAdminToUse(User user, DirectoryUserAdmin userAdmin) {
+ if (userAdmin.isAuthenticated())
+ return userAdmin;
+ if (user instanceof DirectoryUser) {
+ return userAdmin;
+ } else if (user instanceof AuthenticatingUser) {
+ return userAdmin.scope(user).orElse(null);
+ } else {
+ throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ }
+
+ }
+
/**
* Enrich with application-specific roles which are strictly programmatic, such
* as anonymous/user semantics.