import java.util.Set;
import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
import org.argeo.api.cms.directory.CmsGroup;
import org.argeo.api.cms.directory.CmsUser;
import org.argeo.api.cms.directory.HierarchyUnit;
import org.argeo.api.cms.directory.UserDirectory;
-import org.argeo.cms.auth.SystemRole;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.useradmin.Role;
import org.osgi.service.useradmin.User;
CmsGroup getOrCreateGroup(HierarchyUnit groups, String commonName);
/** Creates a new system role. */
- CmsGroup getOrCreateSystemRole(HierarchyUnit roles, SystemRole systemRole);
+ CmsGroup getOrCreateSystemRole(HierarchyUnit roles, QName systemRole);
/** Add additional object classes to this role. */
void addObjectClasses(Role role, Set<String> objectClasses, Map<String, Object> additionalProperties);
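Review bot: The Javadoc `/** Creates a new system role. */` kept above the new `getOrCreateSystemRole(HierarchyUnit roles, QName systemRole)` signature no longer describes the contract: the parameter is now a bare `QName` rather than a `SystemRole`, and the method name says an existing group is returned when one is present, neither of which the comment states. Suggest replacing it with `/** Returns the group backing the system role named {@code systemRole} under {@code roles}, creating it if it does not exist yet. The name is expected to be a prefixed name in the system-role namespace. */`. If the namespace expectation is not part of the contract, drop that last sentence rather than leave callers guessing what a valid argument is.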
--- /dev/null
+package org.argeo.cms;
+
+import static org.argeo.api.acr.RuntimeNamespaceContext.getNamespaceContext;
+
+import javax.xml.namespace.QName;
+
+import org.argeo.api.acr.ArgeoNamespace;
+import org.argeo.api.acr.NamespaceUtils;
+import org.argeo.cms.directory.ldap.LdapNameUtils;
+
+/** Simplifies analysis of system roles. */
+public class RoleNameUtils {
+ public static String getLastRdnValue(String dn) {
+ return LdapNameUtils.getLastRdnValue(dn);
+// // we don't use LdapName for portability with Android
+// // TODO make it more robust
+// String[] parts = dn.split(",");
+// String[] rdn = parts[0].split("=");
+// return rdn[1];
+ }
+
+ public static QName getLastRdnAsName(String dn) {
+ String cn = getLastRdnValue(dn);
+ QName roleName = NamespaceUtils.parsePrefixedName(getNamespaceContext(), cn);
+ return roleName;
+ }
+
+ public static boolean isSystemRole(QName roleName) {
+ return roleName.getNamespaceURI().equals(ArgeoNamespace.ROLE_NAMESPACE_URI);
+ }
+
+ public static String getParent(String dn) {
+ int index = dn.indexOf(',');
+ return dn.substring(index + 1);
+ }
+
+ /** Up two levels. */
+ public static String getContext(String dn) {
+ return getParent(getParent(dn));
+ }
+}
--- /dev/null
+package org.argeo.cms;
+
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
+
+import org.argeo.api.cms.CmsConstants;
+import org.argeo.cms.internal.auth.ImpliedByPrincipal;
+
+/** A programmatic role. */
+public interface SystemRole {
+ QName getName();
+
+ /** Whether this role is implied for this authenticated user. */
+ default boolean implied(Subject subject, String context) {
+ return implied(getName(), subject, context);
+ }
+
+ /** Whether this role is implied for this distinguished name. */
+ default boolean implied(String dn, String context) {
+ String roleContext = RoleNameUtils.getContext(dn);
+ QName roleName = RoleNameUtils.getLastRdnAsName(dn);
+ return roleContext.equalsIgnoreCase(context) && getName().equals(roleName);
+ }
+
+ /**
+ * Whether this role is implied for this authenticated subject. If context is
+ * <code>null</code>, it is not considered; this should be used to build user
+ * interfaces, but not to authorise.
+ */
+ static boolean implied(QName name, Subject subject, String context) {
+ Set<ImpliedByPrincipal> roles = subject.getPrincipals(ImpliedByPrincipal.class);
+ for (ImpliedByPrincipal role : roles) {
+ if (role.isSystemRole()) {
+ if (role.getRoleName().equals(name)) {
+ // !! if context is not specified, it is considered irrelevant
+ if (context == null)
+ return true;
+ if (role.getContext().equalsIgnoreCase(context)
+ || role.getContext().equals(CmsConstants.NODE_BASEDN))
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+}
import org.argeo.api.acr.ArgeoNamespace;
import org.argeo.api.acr.ContentName;
+import org.argeo.cms.SystemRole;
/** Standard CMS system roles. */
public enum CmsRole implements SystemRole {
import org.argeo.api.cms.CmsConstants;
import org.argeo.api.cms.CmsSession;
import org.argeo.api.cms.CmsSessionId;
+import org.argeo.cms.SystemRole;
import org.argeo.cms.internal.auth.CmsSessionImpl;
import org.argeo.cms.internal.auth.ImpliedByPrincipal;
import org.argeo.cms.internal.runtime.CmsContextImpl;
+++ /dev/null
-package org.argeo.cms.auth;
-
-import static org.argeo.api.acr.RuntimeNamespaceContext.getNamespaceContext;
-
-import javax.xml.namespace.QName;
-
-import org.argeo.api.acr.ArgeoNamespace;
-import org.argeo.api.acr.NamespaceUtils;
-import org.argeo.cms.directory.ldap.LdapNameUtils;
-
-/** Simplifies analysis of system roles. */
-public class RoleNameUtils {
- public static String getLastRdnValue(String dn) {
- return LdapNameUtils.getLastRdnValue(dn);
-// // we don't use LdapName for portability with Android
-// // TODO make it more robust
-// String[] parts = dn.split(",");
-// String[] rdn = parts[0].split("=");
-// return rdn[1];
- }
-
- public static QName getLastRdnAsName(String dn) {
- String cn = getLastRdnValue(dn);
- QName roleName = NamespaceUtils.parsePrefixedName(getNamespaceContext(), cn);
- return roleName;
- }
-
- public static boolean isSystemRole(QName roleName) {
- return roleName.getNamespaceURI().equals(ArgeoNamespace.ROLE_NAMESPACE_URI);
- }
-
- public static String getParent(String dn) {
- int index = dn.indexOf(',');
- return dn.substring(index + 1);
- }
-
- /** Up two levels. */
- public static String getContext(String dn) {
- return getParent(getParent(dn));
- }
-}
+++ /dev/null
-package org.argeo.cms.auth;
-
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.xml.namespace.QName;
-
-import org.argeo.api.cms.CmsConstants;
-import org.argeo.cms.internal.auth.ImpliedByPrincipal;
-
-/** A programmatic role. */
-public interface SystemRole {
- QName getName();
-
- /** Whether this role is implied for this authenticated user. */
- default boolean implied(Subject subject, String context) {
- return implied(getName(), subject, context);
- }
-
- /** Whether this role is implied for this distinguished name. */
- default boolean implied(String dn, String context) {
- String roleContext = RoleNameUtils.getContext(dn);
- QName roleName = RoleNameUtils.getLastRdnAsName(dn);
- return roleContext.equalsIgnoreCase(context) && getName().equals(roleName);
- }
-
- /**
- * Whether this role is implied for this authenticated subject. If context is
- * <code>null</code>, it is not considered; this should be used to build user
- * interfaces, but not to authorise.
- */
- static boolean implied(QName name, Subject subject, String context) {
- Set<ImpliedByPrincipal> roles = subject.getPrincipals(ImpliedByPrincipal.class);
- for (ImpliedByPrincipal role : roles) {
- if (role.isSystemRole()) {
- if (role.getRoleName().equals(name)) {
- // !! if context is not specified, it is considered irrelevant
- if (context == null)
- return true;
- if (role.getContext().equalsIgnoreCase(context)
- || role.getContext().equals(CmsConstants.NODE_BASEDN))
- return true;
- }
- }
- }
- return false;
- }
-}
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.security.auth.Subject;
+import javax.xml.namespace.QName;
import org.argeo.api.acr.NamespaceUtils;
import org.argeo.api.acr.ldap.LdapAttrs;
import org.argeo.api.cms.transaction.WorkTransaction;
import org.argeo.cms.CmsUserManager;
import org.argeo.cms.auth.CurrentUser;
-import org.argeo.cms.auth.SystemRole;
import org.argeo.cms.auth.UserAdminUtils;
import org.argeo.cms.directory.ldap.LdapEntry;
import org.argeo.cms.directory.ldap.SharedSecret;
}
@Override
- public CmsGroup getOrCreateSystemRole(HierarchyUnit roles, SystemRole systemRole) {
+ public CmsGroup getOrCreateSystemRole(HierarchyUnit roles, QName systemRole) {
try {
- String dn = LdapAttrs.cn.name() + "=" + NamespaceUtils.toPrefixedName(systemRole.getName()) + ","
+ String dn = LdapAttrs.cn.name() + "=" + NamespaceUtils.toPrefixedName(systemRole) + ","
+ roles.getBase();
CmsGroup group = (CmsGroup) getUserAdmin().getRole(dn);
if (group != null)
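Review bot: Widening the parameter from `SystemRole` to `QName` on the new signature removes the only thing that tied the requested name to a known system role, and the hunk adds no replacement check, so any caller can now have a group created under `roles` with an arbitrary prefixed name. If system roles are expected to live in `ArgeoNamespace.ROLE_NAMESPACE_URI` (which is what `RoleNameUtils.isSystemRole` in this same commit tests), guard at the top of the method with `if (!RoleNameUtils.isSystemRole(systemRole)) throw new IllegalArgumentException("Not a system role: " + systemRole);` (needs an import of `org.argeo.cms.RoleNameUtils`). The DN is also assembled by plain string concatenation; since the file already uses `javax.naming.ldap`, wrapping the value as `Rdn.escapeValue(NamespaceUtils.toPrefixedName(systemRole))` keeps a name containing `,` or `+` from producing a malformed or differently-resolved DN. The method body continues past the end of the hunk, so the null branch and the creation path are not visible here.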
import javax.xml.namespace.QName;
-import org.argeo.cms.auth.RoleNameUtils;
+import org.argeo.cms.RoleNameUtils;
import org.osgi.service.useradmin.Authorization;
/**