X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FAggregatingUserAdmin.java;h=c9479d51cd40ad7703bd0b9db09a42fc73951fe1;hb=3c1cdc594d954520b14646102b366290bdad58c7;hp=ef253800ca304d9b3af6302b1e4df365a65c7af6;hpb=f3ea14abccc33b1c3326417a87c91145be776c72;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
index ef253800c..c9479d51c 100644
--- a/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
+++ b/org.argeo.util/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
@@ -9,6 +9,7 @@ import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.TreeSet;
@@ -88,6 +89,7 @@ public class AggregatingUserAdmin implements UserAdmin {
 return res.size() == 1 ? res.get(0) : null;
 }
+ /** Builds an authorisation by scanning all referentials. */
 @Override
 public Authorization getAuthorization(User user) {
 if (user == null) {// anonymous
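Review bot: The Javadoc added above `getAuthorization` leaves out the two boundary cases a caller of an authorization method needs to know: a null `user` (the `if (user == null) {// anonymous` branch directly below) is treated as anonymous, and unsupported `User` implementations are rejected with `IllegalArgumentException`, as the removed branch in the next hunk did and the new `userAdminToUse` helper still does. Something like `/** Builds an authorisation by scanning all referentials; a null user yields the anonymous authorisation. @throws IllegalArgumentException if the user implementation is not supported */` would make the contract visible at the call site. The body of `getAuthorization` continues outside this hunk.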
@@ -116,25 +118,25 @@ public class AggregatingUserAdmin implements UserAdmin {
 }
 // gather roles from other referentials
- List allRoles = new ArrayList<>(Arrays.asList(rawAuthorization.getRoles()));
+ List rawRoles = Arrays.asList(rawAuthorization.getRoles());
+ List allRoles = new ArrayList<>(rawRoles);
 for (LdapName otherBaseDn : businessRoles.keySet()) {
 if (otherBaseDn.equals(userReferentialOfThisUser.getBaseDn()))
 continue;
- DirectoryUserAdmin otherUserAdmin = businessRoles.get(otherBaseDn);
- Authorization auth = otherUserAdmin.getAuthorization(retrievedUser);
- allRoles.addAll(Arrays.asList(auth.getRoles()));
+ DirectoryUserAdmin otherUserAdmin = userAdminToUse(user, businessRoles.get(otherBaseDn));
+ if (otherUserAdmin == null)
+ continue;
+ for (String roleStr : rawRoles) {
+ User role = (User) findUserAdmin(roleStr).getRole(roleStr);
+ Authorization auth = otherUserAdmin.getAuthorization(role);
+ allRoles.addAll(Arrays.asList(auth.getRoles()));
+ }
 }
 // integrate system roles
- final DirectoryUserAdmin userAdminToUse;// possibly scoped when authenticating
- if (user instanceof DirectoryUser) {
- userAdminToUse = userReferentialOfThisUser;
- } else if (user instanceof AuthenticatingUser) {
- userAdminToUse = (DirectoryUserAdmin) userReferentialOfThisUser.scope(user);
- } else {
- throw new IllegalArgumentException("Unsupported user type " + user.getClass());
- }
+ final DirectoryUserAdmin userAdminToUse = userAdminToUse(retrievedUser, userReferentialOfThisUser);
+ Objects.requireNonNull(userAdminToUse);
 try {
 Set sysRoles = new HashSet();
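Review bot: In the new inner loop, `findUserAdmin(roleStr)` and `getRole(roleStr)` are chained without null checks; the lookup whose tail is visible in the previous hunk (`return res.size() == 1 ? res.get(0) : null;`) appears to return null when no single referential owns a name, which would make `.getRole(roleStr)` throw NullPointerException, and a null from `getRole` is handed to `otherUserAdmin.getAuthorization(null)`, which in this class's own `getAuthorization` is the anonymous case — so a role name that does not resolve could silently contribute anonymous roles instead of being skipped or failing. A second point: the first `userAdminToUse(user, …)` call passes `user` while the one replacing the removed if/else passes `retrievedUser`; if `retrievedUser` is a `DirectoryUser`, the system-roles referential is now returned unscoped even when `user` is an `AuthenticatingUser`, which differs from the removed branch that scoped on `user` — if that is intended it deserves a comment, otherwise pass `user` as in the loop. A referential whose scoping fails is dropped with a bare `continue`, so missing roles leave no trace; a debug log at that point would help diagnosis. The enclosing `getAuthorization` starts and ends outside this hunk.
```java
for (String roleStr : rawRoles) {
    DirectoryUserAdmin roleAdmin = findUserAdmin(roleStr);
    Role role = roleAdmin == null ? null : roleAdmin.getRole(roleStr);
    // unresolvable name or a non-user role: skip rather than fall back to anonymous
    if (!(role instanceof User))
        continue;
    Authorization auth = otherUserAdmin.getAuthorization((User) role);
    allRoles.addAll(Arrays.asList(auth.getRoles()));
}
```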
@@ -159,6 +161,20 @@ public class AggregatingUserAdmin implements UserAdmin {
 }
 }
+ /** Decide whether to scope or not */
+ private DirectoryUserAdmin userAdminToUse(User user, DirectoryUserAdmin userAdmin) {
+ if (userAdmin.isAuthenticated())
+ return userAdmin;
+ if (user instanceof DirectoryUser) {
+ return userAdmin;
+ } else if (user instanceof AuthenticatingUser) {
+ return userAdmin.scope(user).orElse(null);
+ } else {
+ throw new IllegalArgumentException("Unsupported user type " + user.getClass());
+ }
+
+ }
+
 /**
 * Enrich with application-specific roles which are strictly programmatic, such
 * as anonymous/user semantics.
@@ -174,7 +190,7 @@ public class AggregatingUserAdmin implements UserAdmin {
 if (!(ud instanceof DirectoryUserAdmin))
 throw new IllegalArgumentException("Only " + DirectoryUserAdmin.class.getName() + " is supported");
 DirectoryUserAdmin userDirectory = (DirectoryUserAdmin) ud;
- String basePath = userDirectory.getContext();
+ String basePath = userDirectory.getBase();
 if (isSystemRolesBaseDn(basePath)) {
 this.systemRoles = userDirectory;
 systemRoles.setExternalRoles(this);
@@ -303,7 +319,7 @@ public class AggregatingUserAdmin implements UserAdmin {
 }
 public Set getUserDirectories() {
- TreeSet res = new TreeSet<>((o1, o2) -> o1.getContext().compareTo(o2.getContext()));
+ TreeSet res = new TreeSet<>((o1, o2) -> o1.getBase().compareTo(o2.getBase()));
 res.addAll(businessRoles.values());
 res.add(systemRoles);
 return res;
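Review bot: `userAdminToUse` returns the referential unscoped whenever `userAdmin.isAuthenticated()` is true, before the user type is examined, so an `AuthenticatingUser` is never scoped against an already-authenticated directory; if `isAuthenticated()` means the directory is bound with its own credentials rather than this user's, that path skips a credential check and the reason it is acceptable should be stated in a comment on that line. The method also collapses the `Optional` from `scope(user)` to null with `.orElse(null)`, which the callers in the previous hunk then have to re-check (`if (otherUserAdmin == null)`, `Objects.requireNonNull`); returning `Optional<DirectoryUserAdmin>` would keep the absence explicit at each call site. At minimum the Javadoc should document the null return, e.g. `/** Returns the referential to use for this user, scoped when the user is authenticating; null if scoping was not possible. @throws IllegalArgumentException for unsupported user implementations */`, and the stray blank line before the closing brace can go.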