X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.util%2Fsrc%2Forg%2Fargeo%2Fosgi%2Fuseradmin%2FDirectoryUserAdmin.java;h=003aad11d8e1e6ea6e3ab9212b3c38db061755e9;hb=f3ea14abccc33b1c3326417a87c91145be776c72;hp=6f12195dc3c1d6ea6c52b1b056b0fecafe512b0a;hpb=0ce8ecfe974cec9f524c16884209cd08544d890d;p=lgpl%2Fargeo-commons.git

diff --git a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
index 6f12195dc..003aad11d 100644
--- a/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
+++ b/org.argeo.util/src/org/argeo/osgi/useradmin/DirectoryUserAdmin.java
@@ -8,9 +8,10 @@ import static org.argeo.util.naming.LdapObjs.person;
 import static org.argeo.util.naming.LdapObjs.top;
 
 import java.net.URI;
-import java.nio.channels.UnsupportedAddressTypeException;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Dictionary;
+import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.List;
 
@@ -21,11 +22,15 @@ import javax.naming.directory.BasicAttribute;
 import javax.naming.directory.BasicAttributes;
 import javax.naming.ldap.LdapName;
 import javax.naming.ldap.Rdn;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosTicket;
 
+import org.argeo.util.CurrentSubject;
 import org.argeo.util.directory.DirectoryConf;
 import org.argeo.util.directory.DirectoryDigestUtils;
 import org.argeo.util.directory.HierarchyUnit;
 import org.argeo.util.directory.ldap.AbstractLdapDirectory;
+import org.argeo.util.directory.ldap.LdapDao;
 import org.argeo.util.directory.ldap.LdapEntry;
 import org.argeo.util.directory.ldap.LdapEntryWorkingCopy;
 import org.argeo.util.directory.ldap.LdapNameUtils;
@@ -65,7 +70,13 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 	 */
 
 	protected AbstractLdapDirectory scope(User user) {
-		throw new UnsupportedAddressTypeException();
+		if (getDirectoryDao() instanceof LdapDao) {
+			return scopeLdap(user);
+		} else if (getDirectoryDao() instanceof LdifDao) {
+			return scopeLdif(user);
+		} else {
+			throw new IllegalStateException("Unsupported DAO " + getDirectoryDao().getClass());
+		}
 	}
 
 	protected DirectoryUserAdmin scopeLdap(User user) {
@@ -83,7 +94,9 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 		} else {
 			properties.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
 		}
-		return new DirectoryUserAdmin(null, properties, true);
+		DirectoryUserAdmin scopedDirectory = new DirectoryUserAdmin(null, properties, true);
+		scopedDirectory.init();
+		return scopedDirectory;
 	}
 
 	protected DirectoryUserAdmin scopeLdif(User user) {
@@ -108,6 +121,7 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 //		scopedUserAdmin.users = Collections.unmodifiableNavigableMap(users);
 		// FIXME do it better
 		((LdifDao) getDirectoryDao()).scope((LdifDao) scopedUserAdmin.getDirectoryDao());
+		scopedUserAdmin.init();
 		return scopedUserAdmin;
 	}
 
@@ -125,25 +139,31 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 
 	@Override
 	public Role getRoleByPath(String path) {
-		return (Role) doGetRole(pathToName(path));
+		LdapEntry entry = doGetRole(pathToName(path));
+		if (!(entry instanceof Role)) {
+			throw new IllegalStateException("Path must be a UserAdmin Role.");
+		} else {
+			return (Role) entry;
+		}
 	}
 
 	protected List<Role> getAllRoles(DirectoryUser user) {
 		List<Role> allRoles = new ArrayList<Role>();
 		if (user != null) {
-			collectRoles(user, allRoles);
+			collectRoles((LdapEntry) user, allRoles);
 			allRoles.add(user);
 		} else
 			collectAnonymousRoles(allRoles);
 		return allRoles;
 	}
 
-	private void collectRoles(DirectoryUser user, List<Role> allRoles) {
+	private void collectRoles(LdapEntry user, List<Role> allRoles) {
 		List<LdapEntry> allEntries = new ArrayList<>();
-		LdapEntry entry = (LdapEntry) user;
+		LdapEntry entry = user;
 		collectGroups(entry, allEntries);
 		for (LdapEntry e : allEntries) {
-			allRoles.add((Role) e);
+			if (e instanceof Role)
+				allRoles.add((Role) e);
 		}
 //		Attributes attrs = user.getAttributes();
 //		// TODO centralize attribute name
@@ -259,21 +279,51 @@ public class DirectoryUserAdmin extends AbstractLdapDirectory implements UserAdm
 
 	@Override
 	public Authorization getAuthorization(User user) {
-		if (user == null || user instanceof DirectoryUser) {
-			return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+		if (user == null) {// anonymous
+			return new LdifAuthorization(user, getAllRoles(null));
+		}
+		LdapName userName = toLdapName(user.getName());
+		if (isExternal(userName) && user instanceof LdapEntry) {
+			List<Role> allRoles = new ArrayList<Role>();
+			collectRoles((LdapEntry) user, allRoles);
+			return new LdifAuthorization(user, allRoles);
 		} else {
-			// bind
-			DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
-			try {
-				DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
-				if (directoryUser == null)
-					throw new IllegalStateException("No scoped user found for " + user);
-				LdifAuthorization authorization = new LdifAuthorization(directoryUser,
-						scopedUserAdmin.getAllRoles(directoryUser));
-				return authorization;
-			} finally {
-				scopedUserAdmin.destroy();
+
+			Subject currentSubject = CurrentSubject.current();
+			if (currentSubject != null //
+					&& getRealm().isPresent() //
+					&& !currentSubject.getPrivateCredentials(Authorization.class).isEmpty() //
+					&& !currentSubject.getPrivateCredentials(KerberosTicket.class).isEmpty()) //
+			{
+				// TODO not only Kerberos but also bind scope with kept password ?
+				Authorization auth = currentSubject.getPrivateCredentials(Authorization.class).iterator().next();
+				// bind with authenticating user
+				DirectoryUserAdmin scopedUserAdmin = Subject.doAs(currentSubject,
+						(PrivilegedAction<DirectoryUserAdmin>) () -> (DirectoryUserAdmin) scope(
+								new AuthenticatingUser(auth.getName(), new Hashtable<>())));
+				return getAuthorizationFromScoped(scopedUserAdmin, user);
 			}
+
+			if (user instanceof DirectoryUser) {
+				return new LdifAuthorization(user, getAllRoles((DirectoryUser) user));
+			} else {
+				// bind with authenticating user
+				DirectoryUserAdmin scopedUserAdmin = (DirectoryUserAdmin) scope(user);
+				return getAuthorizationFromScoped(scopedUserAdmin, user);
+			}
+		}
+	}
+
+	private Authorization getAuthorizationFromScoped(DirectoryUserAdmin scopedUserAdmin, User user) {
+		try {
+			DirectoryUser directoryUser = (DirectoryUser) scopedUserAdmin.getRole(user.getName());
+			if (directoryUser == null)
+				throw new IllegalStateException("No scoped user found for " + user);
+			LdifAuthorization authorization = new LdifAuthorization(directoryUser,
+					scopedUserAdmin.getAllRoles(directoryUser));
+			return authorization;
+		} finally {
+			scopedUserAdmin.destroy();
 		}
 	}