import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.Hashtable;
import java.util.List;
import java.util.Map;
+import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
+import org.argeo.util.directory.DirectoryConf;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Authorization;
import org.osgi.service.useradmin.Group;
return res.size() == 1 ? res.get(0) : null;
}
+ /** Builds an authorisation by scanning all referentials. */
@Override
public Authorization getAuthorization(User user) {
if (user == null) {// anonymous
}
DirectoryUserAdmin userReferentialOfThisUser = findUserAdmin(user.getName());
Authorization rawAuthorization = userReferentialOfThisUser.getAuthorization(user);
+ User retrievedUser = (User) userReferentialOfThisUser.getRole(user.getName());
String usernameToUse;
String displayNameToUse;
if (user instanceof Group) {
}
// gather roles from other referentials
- final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
- if (user instanceof DirectoryUser) {
- userAdminToUse = userReferentialOfThisUser;
- } else if (user instanceof AuthenticatingUser) {
- userAdminToUse = (DirectoryUserAdmin) userReferentialOfThisUser.scope(user);
- } else {
- throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ List<String> rawRoles = Arrays.asList(rawAuthorization.getRoles());
+ List<String> allRoles = new ArrayList<>(rawRoles);
+ for (LdapName otherBaseDn : businessRoles.keySet()) {
+ if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
+ continue;
+ DirectoryUserAdmin otherUserAdmin = userAdminToUse(user, businessRoles.get(otherBaseDn));
+ if (otherUserAdmin == null)
+ continue;
+ for (String roleStr : rawRoles) {
+ User role = (User) findUserAdmin(roleStr).getRole(roleStr);
+ Authorization auth = otherUserAdmin.getAuthorization(role);
+ allRoles.addAll(Arrays.asList(auth.getRoles()));
+ }
+
}
+ // integrate system roles
+ final DirectoryUserAdmin userAdminToUse = userAdminToUse(retrievedUser, userReferentialOfThisUser);
+ Objects.requireNonNull(userAdminToUse);
+
try {
Set<String> sysRoles = new HashSet<String>();
for (String role : rawAuthorization.getRoles()) {
}
addAbstractSystemRoles(rawAuthorization, sysRoles);
Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
- rawAuthorization.getRoles());
+ allRoles.toArray(new String[allRoles.size()]));
return authorization;
} finally {
if (userAdminToUse != null && userAdminToUse.isScoped()) {
}
}
+ /** Decide whether to scope or not */
+ private DirectoryUserAdmin userAdminToUse(User user, DirectoryUserAdmin userAdmin) {
+ if (userAdmin.isAuthenticated())
+ return userAdmin;
+ if (user instanceof DirectoryUser) {
+ return userAdmin;
+ } else if (user instanceof AuthenticatingUser) {
+ return userAdmin.scope(user).orElse(null);
+ } else {
+ throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ }
+
+ }
+
/**
* Enrich with application-specific roles which are strictly programmatic, such
* as anonymous/user semantics.
if (!(ud instanceof DirectoryUserAdmin))
throw new IllegalArgumentException("Only " + DirectoryUserAdmin.class.getName() + " is supported");
DirectoryUserAdmin userDirectory = (DirectoryUserAdmin) ud;
- String basePath = userDirectory.getContext();
+ String basePath = userDirectory.getBase();
if (isSystemRolesBaseDn(basePath)) {
this.systemRoles = userDirectory;
systemRoles.setExternalRoles(this);
// return res;
// }
- public void destroy() {
+ public void start() {
+ if (systemRoles == null) {
+ // TODO do we really need separate system roles?
+ Hashtable<String, Object> properties = new Hashtable<>();
+ properties.put(DirectoryConf.baseDn.name(), "ou=roles,ou=system");
+ systemRoles = new DirectoryUserAdmin(properties);
+ }
+ }
+
+ public void stop() {
for (LdapName name : businessRoles.keySet()) {
DirectoryUserAdmin userDirectory = businessRoles.get(name);
destroy(userDirectory);
userDirectory.destroy();
}
+// protected void removeUserDirectory(UserDirectory userDirectory) {
+// LdapName baseDn = toLdapName(userDirectory.getContext());
+// businessRoles.remove(baseDn);
+// if (userDirectory instanceof DirectoryUserAdmin)
+// destroy((DirectoryUserAdmin) userDirectory);
+// }
+
+ @Deprecated
protected void removeUserDirectory(String basePath) {
if (isSystemRolesBaseDn(basePath))
throw new IllegalArgumentException("System roles cannot be removed ");
}
public Set<UserDirectory> getUserDirectories() {
- TreeSet<UserDirectory> res = new TreeSet<>((o1, o2) -> o1.getContext().compareTo(o2.getContext()));
+ TreeSet<UserDirectory> res = new TreeSet<>((o1, o2) -> o1.getBase().compareTo(o2.getBase()));
res.addAll(businessRoles.values());
+ res.add(systemRoles);
return res;
}
+
}
projects / lgpl / argeo-commons.git / blobdiff