X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FAggregatingUserAdmin.java;h=c9479d51cd40ad7703bd0b9db09a42fc73951fe1;hb=3c1cdc594d954520b14646102b366290bdad58c7;hp=179099bad124ebc7cd4c5c049f7723a50177650f;hpb=285c23f26c4d634cd139d393ebcb708187d5e960;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
index 179099bad..c9479d51c 100644
--- a/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
+++ b/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
@@ -9,6 +9,7 @@ import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.TreeSet;
@@ -88,6 +89,7 @@ public class AggregatingUserAdmin implements UserAdmin {
 return res.size() == 1 ? res.get(0) : null;
 }
+ /** Builds an authorisation by scanning all referentials. */
 @Override
 public Authorization getAuthorization(User user) {
 if (user == null) {// anonymous
@@ -116,25 +118,25 @@ public class AggregatingUserAdmin implements UserAdmin {
 }
 // gather roles from other referentials
- List allRoles = new ArrayList<>(Arrays.asList(rawAuthorization.getRoles()));
+ List rawRoles = Arrays.asList(rawAuthorization.getRoles());
+ List allRoles = new ArrayList<>(rawRoles);
 for (LdapName otherBaseDn : businessRoles.keySet()) {
 if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
 continue;
- DirectoryUserAdmin otherUserAdmin = businessRoles.get(otherBaseDn);
- Authorization auth = otherUserAdmin.getAuthorization(retrievedUser);
- allRoles.addAll(Arrays.asList(auth.getRoles()));
+ DirectoryUserAdmin otherUserAdmin = userAdminToUse(user, businessRoles.get(otherBaseDn));
+ if (otherUserAdmin == null)
+ continue;
+ for (String roleStr : rawRoles) {
+ User role = (User) findUserAdmin(roleStr).getRole(roleStr);
+ Authorization auth = otherUserAdmin.getAuthorization(role);
+ allRoles.addAll(Arrays.asList(auth.getRoles()));
+ }
 }
 // integrate system roles
- final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
- if (user instanceof DirectoryUser) {
- userAdminToUse = userReferentialOfThisUser;
- } else if (user instanceof AuthenticatingUser) {
- userAdminToUse = (DirectoryUserAdmin) userReferentialOfThisUser.scope(user);
- } else {
- throw new IllegalArgumentException("Unsupported user type " + user.getClass());
- }
+ final DirectoryUserAdmin userAdminToUse = userAdminToUse(retrievedUser, userReferentialOfThisUser);
+ Objects.requireNonNull(userAdminToUse);
 try {
 Set sysRoles = new HashSet();
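Review bot: The two calls to `userAdminToUse` in this hunk pass different users — `user` for the other referentials but `retrievedUser` for the system-roles lookup — and since `retrievedUser` is assigned above the hunk it cannot be checked here, but if it is the `DirectoryUser` fetched from the directory then the `AuthenticatingUser` branch of the helper can never fire for that call, which silently drops the "possibly scoped when authenticating" behaviour of the removed lines. Unless that is intended, `final DirectoryUserAdmin userAdminToUse = userAdminToUse(user, userReferentialOfThisUser);` keeps the old semantics, and `Objects.requireNonNull(userAdminToUse, "Cannot scope the referential of the authenticating user");` states why a null is fatal at this point. In the inner loop, `getRole(roleStr)` returns null for a name the referential does not know (and `findUserAdmin` is not visible here, so it may also need a guard), and the cast does not catch that; since this file treats a null user as anonymous (`if (user == null) {// anonymous` in the hunk above), a `if (role == null) continue;` before `otherUserAdmin.getAuthorization(role)` avoids folding anonymous roles into the user's authorisation. Skipping a referential when `otherUserAdmin` is null drops its roles without a trace; a one-line comment such as `// scoping failed: fail closed, roles of this referential are not granted` records that this is deliberate. getAuthorization begins and ends outside this hunk.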
@@ -159,6 +161,20 @@ public class AggregatingUserAdmin implements UserAdmin {
 }
 }
+ /** Decide whether to scope or not */
+ private DirectoryUserAdmin userAdminToUse(User user, DirectoryUserAdmin userAdmin) {
+ if (userAdmin.isAuthenticated())
+ return userAdmin;
+ if (user instanceof DirectoryUser) {
+ return userAdmin;
+ } else if (user instanceof AuthenticatingUser) {
+ return userAdmin.scope(user).orElse(null);
+ } else {
+ throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ }
+
+ }
+
 /**
 * Enrich with application-specific roles which are strictly programmatic, such
 * as anonymous/user semantics.
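Review bot: The Javadoc `/** Decide whether to scope or not */` does not say that this helper can return `null`, which is exactly what both callers in getAuthorization react to (one skips the referential, the other fails with `requireNonNull`), so the scoping-failure case is the one a maintainer most needs spelled out. Suggested: `/** Returns the referential to query for {@code user}: unchanged when it is already authenticated or the user is a {@link DirectoryUser}, scoped to the credentials of an {@link AuthenticatingUser} otherwise, or {@code null} when scoping fails. @throws IllegalArgumentException for any other user type */`. Note also that the `isAuthenticated()` early return runs before the type check, so an unsupported user type is no longer rejected once the referential is authenticated; if the exception is meant as an argument guard, move the `instanceof` chain first. Style-wise the first `if` is the only unbraced one and there is a stray blank line before the closing brace; bracing it matches the rest of the method.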