X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.enterprise%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FAbstractUserDirectory.java;h=95b1f07adec9705e2802df0e2fea989ea9d2f003;hb=70481c7fe25b2f0393b5e7237d4ee9f4aca304c1;hp=5e7cbc61cde708cdf832e96e1a4736874757a4ff;hpb=db7aecc7170c024e0e39135cf6b8aa6ce7569ccb;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java index 5e7cbc61c..95b1f07ad 100644 --- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java +++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AbstractUserDirectory.java @@ -1,6 +1,7 @@ package org.argeo.osgi.useradmin; import static org.argeo.naming.LdapAttrs.objectClass; +import static org.argeo.naming.LdapObjs.extensibleObject; import static org.argeo.naming.LdapObjs.inetOrgPerson; import static org.argeo.naming.LdapObjs.organizationalPerson; import static org.argeo.naming.LdapObjs.person; @@ -18,6 +19,9 @@ import java.util.Iterator; import java.util.List; import javax.naming.InvalidNameException; +import javax.naming.NameNotFoundException; +import javax.naming.NamingEnumeration; +import javax.naming.directory.Attribute; import javax.naming.directory.Attributes; import javax.naming.directory.BasicAttribute; import javax.naming.directory.BasicAttributes; @@ -46,42 +50,56 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory private final static Log log = LogFactory.getLog(AbstractUserDirectory.class); private final Hashtable properties; - private final LdapName baseDn; + private final LdapName baseDn, userBaseDn, groupBaseDn; private final String userObjectClass, userBase, groupObjectClass, groupBase; private final boolean readOnly; + private final boolean disabled; private final URI uri; private UserAdmin externalRoles; - private List indexedUserProperties = Arrays - .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), LdapAttrs.cn.name() }); + // private List indexedUserProperties = Arrays + // .asList(new String[] { LdapAttrs.uid.name(), LdapAttrs.mail.name(), + // LdapAttrs.cn.name() }); private String memberAttributeId = "member"; - private List credentialAttributeIds = Arrays.asList(new String[] { LdapAttrs.userPassword.name() }); + private List credentialAttributeIds = Arrays + .asList(new String[] { LdapAttrs.userPassword.name(), LdapAttrs.authPassword.name() }); // JTA private TransactionManager transactionManager; private WcXaResource xaResource = new WcXaResource(this); - public AbstractUserDirectory(Dictionary props) { + public AbstractUserDirectory(URI uriArg, Dictionary props) { properties = new Hashtable(); for (Enumeration keys = props.keys(); keys.hasMoreElements();) { String key = keys.nextElement(); properties.put(key, props.get(key)); } - String uriStr = UserAdminConf.uri.getValue(properties); - if (uriStr == null) - uri = null; - else - try { - uri = new URI(uriStr); - } catch (URISyntaxException e) { - throw new UserDirectoryException("Badly formatted URI " + uriStr, e); - } + if (uriArg != null) { + uri = uriArg; + // uri from properties is ignored + } else { + String uriStr = UserAdminConf.uri.getValue(properties); + if (uriStr == null) + uri = null; + else + try { + uri = new URI(uriStr); + } catch (URISyntaxException e) { + throw new UserDirectoryException("Badly formatted URI " + uriStr, e); + } + } + userObjectClass = UserAdminConf.userObjectClass.getValue(properties); + userBase = UserAdminConf.userBase.getValue(properties); + groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties); + groupBase = UserAdminConf.groupBase.getValue(properties); try { baseDn = new LdapName(UserAdminConf.baseDn.getValue(properties)); + userBaseDn = new LdapName(userBase + "," + baseDn); + groupBaseDn = new LdapName(groupBase + "," + baseDn); } catch (InvalidNameException e) { throw new UserDirectoryException("Badly formated base DN " + UserAdminConf.baseDn.getValue(properties), e); } @@ -91,11 +109,11 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory properties.put(UserAdminConf.readOnly.name(), Boolean.toString(readOnly)); } else readOnly = new Boolean(readOnlyStr); - - userObjectClass = UserAdminConf.userObjectClass.getValue(properties); - userBase = UserAdminConf.userBase.getValue(properties); - groupObjectClass = UserAdminConf.groupObjectClass.getValue(properties); - groupBase = UserAdminConf.groupBase.getValue(properties); + String disabledStr = UserAdminConf.disabled.getValue(properties); + if (disabledStr != null) + disabled = new Boolean(disabledStr); + else + disabled = false; } /** Returns the groups this user is a direct member of. */ @@ -103,7 +121,7 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory protected abstract Boolean daoHasRole(LdapName dn); - protected abstract DirectoryUser daoGetRole(LdapName key); + protected abstract DirectoryUser daoGetRole(LdapName key) throws NameNotFoundException; protected abstract List doGetRoles(Filter f); @@ -158,11 +176,32 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory } private void collectRoles(DirectoryUser user, List allRoles) { - for (LdapName groupDn : getDirectGroups(user.getDn())) { - // TODO check for loops - DirectoryUser group = doGetRole(groupDn); - allRoles.add(group); - collectRoles(group, allRoles); + Attributes attrs = user.getAttributes(); + // TODO centralize attribute name + Attribute memberOf = attrs.get(LdapAttrs.memberOf.name()); + if (memberOf != null) { + try { + NamingEnumeration values = memberOf.getAll(); + while (values.hasMore()) { + Object value = values.next(); + LdapName groupDn = new LdapName(value.toString()); + DirectoryUser group = doGetRole(groupDn); + allRoles.add(group); + if (log.isTraceEnabled()) + log.trace("Add memberOf " + groupDn); + } + } catch (Exception e) { + throw new UserDirectoryException("Cannot get memberOf groups for " + user, e); + } + } else { + for (LdapName groupDn : getDirectGroups(user.getDn())) { + // TODO check for loops + DirectoryUser group = doGetRole(groupDn); + allRoles.add(group); + if (log.isTraceEnabled()) + log.trace("Add direct group " + groupDn); + collectRoles(group, allRoles); + } } } @@ -178,7 +217,12 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory protected DirectoryUser doGetRole(LdapName dn) { UserDirectoryWorkingCopy wc = getWorkingCopy(); - DirectoryUser user = daoGetRole(dn); + DirectoryUser user; + try { + user = daoGetRole(dn); + } catch (NameNotFoundException e) { + user = null; + } if (wc != null) { if (user == null && wc.getNewUsers().containsKey(dn)) user = wc.getNewUsers().get(dn); @@ -214,22 +258,23 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory @Override public User getUser(String key, String value) { // TODO check value null or empty - List collectedUsers = new ArrayList(getIndexedUserProperties().size()); + List collectedUsers = new ArrayList(); if (key != null) { doGetUser(key, value, collectedUsers); } else { - // try dn - DirectoryUser user = null; - try { - user = (DirectoryUser) getRole(value); - if (user != null) - collectedUsers.add(user); - } catch (Exception e) { - // silent - } - // try all indexes - for (String attr : getIndexedUserProperties()) - doGetUser(attr, value, collectedUsers); + throw new UserDirectoryException("Key cannot be null"); + // // try dn + // DirectoryUser user = null; + // try { + // user = (DirectoryUser) getRole(value); + // if (user != null) + // collectedUsers.add(user); + // } catch (Exception e) { + // // silent + // } + // // try all indexes + // for (String attr : getIndexedUserProperties()) + // doGetUser(attr, value, collectedUsers); } if (collectedUsers.size() == 1) return collectedUsers.get(0); @@ -255,11 +300,16 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory } else { // bind AbstractUserDirectory scopedUserAdmin = scope(user); - DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName()); - LdifAuthorization authorization = new LdifAuthorization(directoryUser, - scopedUserAdmin.getAllRoles(directoryUser)); - scopedUserAdmin.destroy(); - return authorization; + try { + DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName()); + if (directoryUser == null) + throw new UserDirectoryException("No scoped user found for " + user); + LdifAuthorization authorization = new LdifAuthorization(directoryUser, + scopedUserAdmin.getAllRoles(directoryUser)); + return authorization; + } finally { + scopedUserAdmin.destroy(); + } } } @@ -278,12 +328,13 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory if (wc.getDeletedUsers().containsKey(dn)) { wc.getDeletedUsers().remove(dn); wc.getModifiedUsers().put(dn, attrs); + return getRole(name); } else { wc.getModifiedUsers().put(dn, attrs); DirectoryUser newRole = newRole(dn, type, attrs); wc.getNewUsers().put(dn, newRole); + return newRole; } - return getRole(name); } protected DirectoryUser newRole(LdapName dn, int type, Attributes attrs) { @@ -299,6 +350,7 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory objClass.add(person.name()); } objClass.add(top.name()); + objClass.add(extensibleObject.name()); attrs.put(objClass); newRole = new LdifUser(this, dn, attrs); } else if (type == Role.GROUP) { @@ -368,38 +420,45 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return uri; } - protected List getIndexedUserProperties() { - return indexedUserProperties; - } - - protected void setIndexedUserProperties(List indexedUserProperties) { - this.indexedUserProperties = indexedUserProperties; - } - private static boolean readOnlyDefault(URI uri) { if (uri == null) return true; - if (uri.getScheme().equals("file")) { + if (uri.getScheme() == null) + return false;// assume relative file to be writable + if (uri.getScheme().equals(UserAdminConf.SCHEME_FILE)) { File file = new File(uri); if (file.exists()) return !file.canWrite(); else return !file.getParentFile().canWrite(); + } else if (uri.getScheme().equals(UserAdminConf.SCHEME_LDAP)) { + if (uri.getAuthority() != null)// assume writable if authenticated + return false; + } else if (uri.getScheme().equals(UserAdminConf.SCHEME_OS)) { + return true; } - return true; + return true;// read only by default } public boolean isReadOnly() { return readOnly; } + public boolean isDisabled() { + return disabled; + } + protected UserAdmin getExternalRoles() { return externalRoles; } - public LdapName getBaseDn() { - // always clone so that the property is not modified by reference - return (LdapName) baseDn.clone(); + protected int roleType(LdapName dn) { + if (dn.startsWith(groupBaseDn)) + return Role.GROUP; + else if (dn.startsWith(userBaseDn)) + return Role.USER; + else + return Role.GROUP; } /** dn can be null, in that case a default should be returned. */ @@ -423,6 +482,10 @@ public abstract class AbstractUserDirectory implements UserAdmin, UserDirectory return groupBase; } + public LdapName getBaseDn() { + return (LdapName) baseDn.clone(); + } + public Dictionary getProperties() { return properties; }