X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FDirectoryUserAdmin.java;h=003aad11d8e1e6ea6e3ab9212b3c38db061755e9;hb=1d7058b30bd990cda7d4efc1c029501f05a07113;hp=6f3bd1a6865695cbdbc48729c10a7fda745fc156;hpb=e921c662016dd893e60f3e801eb86d676adcb77d;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java index 6f3bd1a68..003aad11d 100644 --- a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java +++ b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java @@ -8,9 +8,10 @@ import static org.argeo.util.naming.LdapObjs.person; import static org.argeo.util.naming.LdapObjs.top; import java.net.URI; -import java.nio.channels.UnsupportedAddressTypeException; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Dictionary; +import java.util.Hashtable; import java.util.Iterator; import java.util.List; @@ -21,7 +22,10 @@ import javax.naming.directory.BasicAttribute; import javax.naming.directory.BasicAttributes; import javax.naming.ldap.LdapName; import javax.naming.ldap.Rdn; +import javax.security.auth.Subject; +import javax.security.auth.kerberos.KerberosTicket; +import org.argeo.util.CurrentSubject; import org.argeo.util.directory.DirectoryConf; import org.argeo.util.directory.DirectoryDigestUtils; import org.argeo.util.directory.HierarchyUnit; @@ -146,16 +150,16 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm protected List getAllRoles(DirectoryUser user) { List allRoles = new ArrayList(); if (user != null) { - collectRoles(user, allRoles); + collectRoles((LdapEntry) user, allRoles); allRoles.add(user); } else collectAnonymousRoles(allRoles); return allRoles; } - private void collectRoles(DirectoryUser user, List allRoles) { + private void collectRoles(LdapEntry user, List allRoles) { List allEntries = new ArrayList<>(); - LdapEntry entry = (LdapEntry) user; + LdapEntry entry = user; collectGroups(entry, allEntries); for (LdapEntry e : allEntries) { if (e instanceof Role) @@ -275,24 +279,54 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm @Override public Authorization getAuthorization(User user) { - if (user == null || user instanceof DirectoryUser) { - return new LdifAuthorization(user, getAllRoles((DirectoryUser) user)); + if (user == null) {// anonymous + return new LdifAuthorization(user, getAllRoles(null)); + } + LdapName userName = toLdapName(user.getName()); + if (isExternal(userName) && user instanceof LdapEntry) { + List allRoles = new ArrayList(); + collectRoles((LdapEntry) user, allRoles); + return new LdifAuthorization(user, allRoles); } else { - // bind - DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user); - try { - DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName()); - if (directoryUser == null) - throw new IllegalStateException("No scoped user found for " + user); - LdifAuthorization authorization = new LdifAuthorization(directoryUser, - scopedUserAdmin.getAllRoles(directoryUser)); - return authorization; - } finally { - scopedUserAdmin.destroy(); + + Subject currentSubject = CurrentSubject.current(); + if (currentSubject != null // + && getRealm().isPresent() // + && !currentSubject.getPrivateCredentials(Authorization.class).isEmpty() // + && !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) // + { + // TODO not only Kerberos but also bind scope with kept password ? + Authorization auth = currentSubject.getPrivateCredentials(Authorization.class).iterator().next(); + // bind with authenticating user + DirectoryUserAdmin scopedUserAdmin = Subject.doAs(currentSubject, + (PrivilegedAction) () -> (DirectoryUserAdmin) scope( + new AuthenticatingUser(auth.getName(), new Hashtable<>()))); + return getAuthorizationFromScoped(scopedUserAdmin, user); + } + + if (user instanceof DirectoryUser) { + return new LdifAuthorization(user, getAllRoles((DirectoryUser) user)); + } else { + // bind with authenticating user + DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user); + return getAuthorizationFromScoped(scopedUserAdmin, user); } } } + private Authorization getAuthorizationFromScoped(DirectoryUserAdmin scopedUserAdmin, User user) { + try { + DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName()); + if (directoryUser == null) + throw new IllegalStateException("No scoped user found for " + user); + LdifAuthorization authorization = new LdifAuthorization(directoryUser, + scopedUserAdmin.getAllRoles(directoryUser)); + return authorization; + } finally { + scopedUserAdmin.destroy(); + } + } + @Override public Role createRole(String name, int type) { checkEdit();