Make CMS running without data area, and remove unnecessary dependencies.
[lgpl/argeo-commons.git] / org.argeo.util / src / org / argeo / osgi / useradmin / AggregatingUserAdmin.java
index 79d2bd3cbc2f21142f1801a1df5c5fbc307c2095..ef253800ca304d9b3af6302b1e4df365a65c7af6 100644 (file)
@@ -6,6 +6,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -14,6 +15,7 @@ import java.util.TreeSet;
 import javax.naming.InvalidNameException;
 import javax.naming.ldap.LdapName;
 
+import org.argeo.util.directory.DirectoryConf;
 import org.osgi.framework.InvalidSyntaxException;
 import org.osgi.service.useradmin.Authorization;
 import org.osgi.service.useradmin.Group;
@@ -93,6 +95,7 @@ public class AggregatingUserAdmin implements UserAdmin {
                }
                DirectoryUserAdmin userReferentialOfThisUser = findUserAdmin(user.getName());
                Authorization rawAuthorization = userReferentialOfThisUser.getAuthorization(user);
+               User retrievedUser = (User) userReferentialOfThisUser.getRole(user.getName());
                String usernameToUse;
                String displayNameToUse;
                if (user instanceof Group) {
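Review bot: The result of `userReferentialOfThisUser.getRole(user.getName())` on the added line is cast to `User` and then handed to the role-gathering loop further down without a null check. `UserAdmin.getRole` returns null when no role has that name, and under the OSGi contract `getAuthorization(null)` yields the anonymous user's authorization, so a missed lookup would presumably merge anonymous roles from the other referentials into this user's authorization instead of failing; how `DirectoryUserAdmin` treats null is not visible here. A guard right after the lookup, such as `if (retrievedUser == null) throw new IllegalStateException("No role found for " + user.getName());`, would make that case explicit. The enclosing method starts and ends outside this hunk, so an earlier check may already cover part of this.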
@@ -113,6 +116,17 @@ public class AggregatingUserAdmin implements UserAdmin {
                }
 
                // gather roles from other referentials
+               List<String> allRoles = new ArrayList<>(Arrays.asList(rawAuthorization.getRoles()));
+               for (LdapName otherBaseDn : businessRoles.keySet()) {
+                       if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
+                               continue;
+                       DirectoryUserAdmin otherUserAdmin = businessRoles.get(otherBaseDn);
+                       Authorization auth = otherUserAdmin.getAuthorization(retrievedUser);
+                       allRoles.addAll(Arrays.asList(auth.getRoles()));
+
+               }
+
+               // integrate system roles
                final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
                if (user instanceof DirectoryUser) {
                        userAdminToUse = userReferentialOfThisUser;
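Review bot: The new loop appends whatever `otherUserAdmin.getAuthorization(retrievedUser).getRoles()` returns to `allRoles` with no filtering, so every directory registered in `businessRoles` is trusted to grant any role name to users whose home referential is a different one. That trust assumption deserves a comment where the loop starts, for example `// every referential in businessRoles is trusted to assign roles to users of the others`. The list also keeps duplicates when two referentials return the same role name; if ordering does not matter, collecting into `new HashSet<>(Arrays.asList(rawAuthorization.getRoles()))` avoids that. These lookups go to the other directories directly, while `userAdminToUse` just below is described as possibly scoped when authenticating; whether unscoped lookups are intended on that path cannot be told from this hunk, and the method continues outside it.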
@@ -136,7 +150,7 @@ public class AggregatingUserAdmin implements UserAdmin {
                        }
                        addAbstractSystemRoles(rawAuthorization, sysRoles);
                        Authorization authorization = new AggregatingAuthorization(usernameToUse, displayNameToUse, sysRoles,
-                                       rawAuthorization.getRoles());
+                                       allRoles.toArray(new String[allRoles.size()]));
                        return authorization;
                } finally {
                        if (userAdminToUse != null && userAdminToUse.isScoped()) {
@@ -239,7 +253,12 @@ public class AggregatingUserAdmin implements UserAdmin {
 //     }
 
        public void start() {
-
+               if (systemRoles == null) {
+                       // TODO do we really need separate system roles?
+                       Hashtable<String, Object> properties = new Hashtable<>();
+                       properties.put(DirectoryConf.baseDn.name(), "ou=roles,ou=system");
+                       systemRoles = new DirectoryUserAdmin(properties);
+               }
        }
 
        public void stop() {
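Review bot: When `systemRoles` is null, `start()` now silently builds a `DirectoryUserAdmin` from a hard-coded base DN, so a deployment where the intended system-roles referential was never set looks the same as one that deliberately runs without a data area. What a `DirectoryUserAdmin` configured with only a base DN contains is not visible in this hunk; if it starts empty, authorization would proceed with no system roles defined. I would document the fallback in place, e.g. `// no system roles referential configured: fall back to a default one at ou=roles,ou=system`, and move the `"ou=roles,ou=system"` literal into a named constant so the DN is defined once.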