From: Mathieu Date: Sat, 12 Nov 2022 07:01:12 +0000 (+0100) Subject: Clarify implementation base APIs. X-Git-Tag: v2.3.11~20 X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=e018ad9078249a806f2e2ef86a6adcbd8cca3188 Clarify implementation base APIs. --- diff --git a/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java b/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java index 2d64d9db0..f87d28b1c 100644 --- a/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java +++ b/org.argeo.cms/src/org/argeo/cms/CmsUserManager.java @@ -6,12 +6,12 @@ import java.util.Map; import java.util.Set; import javax.security.auth.Subject; +import javax.xml.namespace.QName; import org.argeo.api.cms.directory.CmsGroup; import org.argeo.api.cms.directory.CmsUser; import org.argeo.api.cms.directory.HierarchyUnit; import org.argeo.api.cms.directory.UserDirectory; -import org.argeo.cms.auth.SystemRole; import org.osgi.framework.InvalidSyntaxException; import org.osgi.service.useradmin.Role; import org.osgi.service.useradmin.User; @@ -72,7 +72,7 @@ public interface CmsUserManager { CmsGroup getOrCreateGroup(HierarchyUnit groups, String commonName); /** Creates a new system role. */ - CmsGroup getOrCreateSystemRole(HierarchyUnit roles, SystemRole systemRole); + CmsGroup getOrCreateSystemRole(HierarchyUnit roles, QName systemRole); /** Add additional object classes to this role. */ void addObjectClasses(Role role, Set objectClasses, Map additionalProperties); diff --git a/org.argeo.cms/src/org/argeo/cms/RoleNameUtils.java b/org.argeo.cms/src/org/argeo/cms/RoleNameUtils.java new file mode 100644 index 000000000..04302c42f --- /dev/null +++ b/org.argeo.cms/src/org/argeo/cms/RoleNameUtils.java @@ -0,0 +1,41 @@ +package org.argeo.cms; + +import static org.argeo.api.acr.RuntimeNamespaceContext.getNamespaceContext; + +import javax.xml.namespace.QName; + +import org.argeo.api.acr.ArgeoNamespace; +import org.argeo.api.acr.NamespaceUtils; +import org.argeo.cms.directory.ldap.LdapNameUtils; + +/** Simplifies analysis of system roles. */ +public class RoleNameUtils { + public static String getLastRdnValue(String dn) { + return LdapNameUtils.getLastRdnValue(dn); +// // we don't use LdapName for portability with Android +// // TODO make it more robust +// String[] parts = dn.split(","); +// String[] rdn = parts[0].split("="); +// return rdn[1]; + } + + public static QName getLastRdnAsName(String dn) { + String cn = getLastRdnValue(dn); + QName roleName = NamespaceUtils.parsePrefixedName(getNamespaceContext(), cn); + return roleName; + } + + public static boolean isSystemRole(QName roleName) { + return roleName.getNamespaceURI().equals(ArgeoNamespace.ROLE_NAMESPACE_URI); + } + + public static String getParent(String dn) { + int index = dn.indexOf(','); + return dn.substring(index + 1); + } + + /** Up two levels. */ + public static String getContext(String dn) { + return getParent(getParent(dn)); + } +} diff --git a/org.argeo.cms/src/org/argeo/cms/SystemRole.java b/org.argeo.cms/src/org/argeo/cms/SystemRole.java new file mode 100644 index 000000000..817bc1ac2 --- /dev/null +++ b/org.argeo.cms/src/org/argeo/cms/SystemRole.java @@ -0,0 +1,48 @@ +package org.argeo.cms; + +import java.util.Set; + +import javax.security.auth.Subject; +import javax.xml.namespace.QName; + +import org.argeo.api.cms.CmsConstants; +import org.argeo.cms.internal.auth.ImpliedByPrincipal; + +/** A programmatic role. */ +public interface SystemRole { + QName getName(); + + /** Whether this role is implied for this authenticated user. */ + default boolean implied(Subject subject, String context) { + return implied(getName(), subject, context); + } + + /** Whether this role is implied for this distinguished name. */ + default boolean implied(String dn, String context) { + String roleContext = RoleNameUtils.getContext(dn); + QName roleName = RoleNameUtils.getLastRdnAsName(dn); + return roleContext.equalsIgnoreCase(context) && getName().equals(roleName); + } + + /** + * Whether this role is implied for this authenticated subject. If context is + * null, it is not considered; this should be used to build user + * interfaces, but not to authorise. + */ + static boolean implied(QName name, Subject subject, String context) { + Set roles = subject.getPrincipals(ImpliedByPrincipal.class); + for (ImpliedByPrincipal role : roles) { + if (role.isSystemRole()) { + if (role.getRoleName().equals(name)) { + // !! if context is not specified, it is considered irrelevant + if (context == null) + return true; + if (role.getContext().equalsIgnoreCase(context) + || role.getContext().equals(CmsConstants.NODE_BASEDN)) + return true; + } + } + } + return false; + } +} diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsRole.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsRole.java index 31068b1a3..4c139135a 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CmsRole.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsRole.java @@ -4,6 +4,7 @@ import javax.xml.namespace.QName; import org.argeo.api.acr.ArgeoNamespace; import org.argeo.api.acr.ContentName; +import org.argeo.cms.SystemRole; /** Standard CMS system roles. */ public enum CmsRole implements SystemRole { diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CurrentUser.java b/org.argeo.cms/src/org/argeo/cms/auth/CurrentUser.java index f2b4f0a58..41a6a880d 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/CurrentUser.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/CurrentUser.java @@ -17,6 +17,7 @@ import org.argeo.api.acr.NamespaceUtils; import org.argeo.api.cms.CmsConstants; import org.argeo.api.cms.CmsSession; import org.argeo.api.cms.CmsSessionId; +import org.argeo.cms.SystemRole; import org.argeo.cms.internal.auth.CmsSessionImpl; import org.argeo.cms.internal.auth.ImpliedByPrincipal; import org.argeo.cms.internal.runtime.CmsContextImpl; diff --git a/org.argeo.cms/src/org/argeo/cms/auth/RoleNameUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/RoleNameUtils.java deleted file mode 100644 index a281c2f7d..000000000 --- a/org.argeo.cms/src/org/argeo/cms/auth/RoleNameUtils.java +++ /dev/null @@ -1,41 +0,0 @@ -package org.argeo.cms.auth; - -import static org.argeo.api.acr.RuntimeNamespaceContext.getNamespaceContext; - -import javax.xml.namespace.QName; - -import org.argeo.api.acr.ArgeoNamespace; -import org.argeo.api.acr.NamespaceUtils; -import org.argeo.cms.directory.ldap.LdapNameUtils; - -/** Simplifies analysis of system roles. */ -public class RoleNameUtils { - public static String getLastRdnValue(String dn) { - return LdapNameUtils.getLastRdnValue(dn); -// // we don't use LdapName for portability with Android -// // TODO make it more robust -// String[] parts = dn.split(","); -// String[] rdn = parts[0].split("="); -// return rdn[1]; - } - - public static QName getLastRdnAsName(String dn) { - String cn = getLastRdnValue(dn); - QName roleName = NamespaceUtils.parsePrefixedName(getNamespaceContext(), cn); - return roleName; - } - - public static boolean isSystemRole(QName roleName) { - return roleName.getNamespaceURI().equals(ArgeoNamespace.ROLE_NAMESPACE_URI); - } - - public static String getParent(String dn) { - int index = dn.indexOf(','); - return dn.substring(index + 1); - } - - /** Up two levels. */ - public static String getContext(String dn) { - return getParent(getParent(dn)); - } -} diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java b/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java deleted file mode 100644 index 646752d41..000000000 --- a/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java +++ /dev/null @@ -1,48 +0,0 @@ -package org.argeo.cms.auth; - -import java.util.Set; - -import javax.security.auth.Subject; -import javax.xml.namespace.QName; - -import org.argeo.api.cms.CmsConstants; -import org.argeo.cms.internal.auth.ImpliedByPrincipal; - -/** A programmatic role. */ -public interface SystemRole { - QName getName(); - - /** Whether this role is implied for this authenticated user. */ - default boolean implied(Subject subject, String context) { - return implied(getName(), subject, context); - } - - /** Whether this role is implied for this distinguished name. */ - default boolean implied(String dn, String context) { - String roleContext = RoleNameUtils.getContext(dn); - QName roleName = RoleNameUtils.getLastRdnAsName(dn); - return roleContext.equalsIgnoreCase(context) && getName().equals(roleName); - } - - /** - * Whether this role is implied for this authenticated subject. If context is - * null, it is not considered; this should be used to build user - * interfaces, but not to authorise. - */ - static boolean implied(QName name, Subject subject, String context) { - Set roles = subject.getPrincipals(ImpliedByPrincipal.class); - for (ImpliedByPrincipal role : roles) { - if (role.isSystemRole()) { - if (role.getRoleName().equals(name)) { - // !! if context is not specified, it is considered irrelevant - if (context == null) - return true; - if (role.getContext().equalsIgnoreCase(context) - || role.getContext().equals(CmsConstants.NODE_BASEDN)) - return true; - } - } - } - return false; - } -} diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java index b5ee9b306..94262a521 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java @@ -23,6 +23,7 @@ import java.util.UUID; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; import javax.security.auth.Subject; +import javax.xml.namespace.QName; import org.argeo.api.acr.NamespaceUtils; import org.argeo.api.acr.ldap.LdapAttrs; @@ -36,7 +37,6 @@ import org.argeo.api.cms.directory.UserDirectory; import org.argeo.api.cms.transaction.WorkTransaction; import org.argeo.cms.CmsUserManager; import org.argeo.cms.auth.CurrentUser; -import org.argeo.cms.auth.SystemRole; import org.argeo.cms.auth.UserAdminUtils; import org.argeo.cms.directory.ldap.LdapEntry; import org.argeo.cms.directory.ldap.SharedSecret; @@ -285,9 +285,9 @@ public class CmsUserManagerImpl implements CmsUserManager { } @Override - public CmsGroup getOrCreateSystemRole(HierarchyUnit roles, SystemRole systemRole) { + public CmsGroup getOrCreateSystemRole(HierarchyUnit roles, QName systemRole) { try { - String dn = LdapAttrs.cn.name() + "=" + NamespaceUtils.toPrefixedName(systemRole.getName()) + "," + String dn = LdapAttrs.cn.name() + "=" + NamespaceUtils.toPrefixedName(systemRole) + "," + roles.getBase(); CmsGroup group = (CmsGroup) getUserAdmin().getRole(dn); if (group != null) diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/ImpliedByPrincipal.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/ImpliedByPrincipal.java index 15c47293e..9e0ebce97 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/auth/ImpliedByPrincipal.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/ImpliedByPrincipal.java @@ -6,7 +6,7 @@ import java.util.Set; import javax.xml.namespace.QName; -import org.argeo.cms.auth.RoleNameUtils; +import org.argeo.cms.RoleNameUtils; import org.osgi.service.useradmin.Authorization; /**