From c424738be0c47c808f8cc64c2a51a67eb8e3d584 Mon Sep 17 00:00:00 2001 From: Mathieu Baudier Date: Tue, 23 Aug 2022 09:22:24 +0200 Subject: [PATCH] Clarify system roles --- .../argeo/cms/jcr/internal/EgoRepository.java | 2 +- .../src/org/argeo/api/acr/NamespaceUtils.java | 4 ++++ .../src/org/argeo/api/cms/CmsConstants.java | 16 ++++++++-------- .../src/org/argeo/cms/auth/SystemRole.java | 4 +++- .../src/org/argeo/cms/auth/UserAdminUtils.java | 2 +- .../cms/internal/auth/CmsUserManagerImpl.java | 4 ++-- .../argeo/cms/internal/runtime/CmsUserAdmin.java | 4 ++-- .../src/org/argeo/cms/e4/users/GroupsView.java | 4 ++-- .../org/argeo/cms/e4/users/UserAdminWrapper.java | 2 +- .../argeo/cms/e4/users/providers/RoleIconLP.java | 2 +- .../argeo/cms/e4/users/providers/UserFilter.java | 2 +- .../cms/swt/useradmin/PickUpUserDialog.java | 2 +- .../src/org/argeo/cms/swt/useradmin/UserLP.java | 2 +- 13 files changed, 28 insertions(+), 22 deletions(-) diff --git a/jcr/org.argeo.cms.jcr/src/org/argeo/cms/jcr/internal/EgoRepository.java b/jcr/org.argeo.cms.jcr/src/org/argeo/cms/jcr/internal/EgoRepository.java index abf1a6418..ef785f93d 100644 --- a/jcr/org.argeo.cms.jcr/src/org/argeo/cms/jcr/internal/EgoRepository.java +++ b/jcr/org.argeo.cms.jcr/src/org/argeo/cms/jcr/internal/EgoRepository.java @@ -155,7 +155,7 @@ class EgoRepository extends JcrRepositoryWrapper { // if (workspaceName != null) // return; // skip system users - if (username.endsWith(CmsConstants.ROLES_BASEDN)) + if (username.endsWith(CmsConstants.SYSTEM_ROLES_BASEDN)) return; try { diff --git a/org.argeo.api.acr/src/org/argeo/api/acr/NamespaceUtils.java b/org.argeo.api.acr/src/org/argeo/api/acr/NamespaceUtils.java index 792802d8c..904d50ed5 100644 --- a/org.argeo.api.acr/src/org/argeo/api/acr/NamespaceUtils.java +++ b/org.argeo.api.acr/src/org/argeo/api/acr/NamespaceUtils.java 
@@ -13,6 +13,10 @@ import javax.xml.namespace.QName; public class NamespaceUtils { + public static ContentName parsePrefixedName(String nameWithPrefix) { + return parsePrefixedName(RuntimeNamespaceContext.getNamespaceContext(), nameWithPrefix); + } + public static ContentName parsePrefixedName(NamespaceContext nameSpaceContext, String nameWithPrefix) { Objects.requireNonNull(nameWithPrefix, "Name cannot be null"); if (nameWithPrefix.charAt(0) == '{') { diff --git a/org.argeo.api.cms/src/org/argeo/api/cms/CmsConstants.java b/org.argeo.api.cms/src/org/argeo/api/cms/CmsConstants.java index 5b005deca..52e8a205d 100644 --- a/org.argeo.api.cms/src/org/argeo/api/cms/CmsConstants.java +++ b/org.argeo.api.cms/src/org/argeo/api/cms/CmsConstants.java @@ -49,17 +49,18 @@ public interface CmsConstants { /* * RESERVED ROLES */ - String ROLES_BASEDN = "ou=roles,ou=node"; + String NODE_BASEDN = "ou=node"; + String SYSTEM_ROLES_BASEDN = "ou=roles," + NODE_BASEDN; String TOKENS_BASEDN = "ou=tokens,ou=node"; - String ROLE_ADMIN = "cn=admin," + ROLES_BASEDN; - String ROLE_USER_ADMIN = "cn=userAdmin," + ROLES_BASEDN; - String ROLE_DATA_ADMIN = "cn=dataAdmin," + ROLES_BASEDN; + String ROLE_ADMIN = "cn=admin," + SYSTEM_ROLES_BASEDN; + String ROLE_USER_ADMIN = "cn=userAdmin," + SYSTEM_ROLES_BASEDN; + String ROLE_DATA_ADMIN = "cn=dataAdmin," + SYSTEM_ROLES_BASEDN; // Special system groups that cannot be edited: // user U anonymous = everyone - String ROLE_USER = "cn=user," + ROLES_BASEDN; - String ROLE_ANONYMOUS = "cn=anonymous," + ROLES_BASEDN; + String ROLE_USER = "cn=user," + SYSTEM_ROLES_BASEDN; + String ROLE_ANONYMOUS = "cn=anonymous," + SYSTEM_ROLES_BASEDN; // Account lifecycle - String ROLE_REGISTERING = "cn=registering," + ROLES_BASEDN; + String ROLE_REGISTERING = "cn=registering," + SYSTEM_ROLES_BASEDN; /* * PATHS @@ -87,7 +88,6 @@ public interface CmsConstants { String EVENT_TOPICS = "event.topics"; String ACR_MOUNT_PATH = "acr.mount.path"; - /* * FILE SYSTEM */ 
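Review bot: The new single-argument `parsePrefixedName` overload has no Javadoc, so a caller cannot tell which namespace context resolves the prefix or that a null name is rejected downstream. I would add above it: `/** Parses {@code nameWithPrefix} against the runtime namespace context ({@link RuntimeNamespaceContext#getNamespaceContext()}); the name must not be null. */`. An empty string passed through this overload still reaches `charAt(0)` in the two-argument variant and fails with an index error rather than a descriptive message, but that is pre-existing behaviour of the delegate, not introduced here. The two-argument overload's body continues outside the hunk.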
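Review bot: `TOKENS_BASEDN` on the line right after the new `SYSTEM_ROLES_BASEDN` still hard-codes `"ou=tokens,ou=node"` while the roles base DN is now composed from `NODE_BASEDN`; the two can silently diverge if the node base is ever changed, and the `endsWith`/`equalsIgnoreCase` checks elsewhere in this patch depend on both suffixes agreeing. I would write it the same way: `String TOKENS_BASEDN = "ou=tokens," + NODE_BASEDN;`. Since `NODE_BASEDN` is also used as a context value in `SystemRole`, a one-line comment on it would help, e.g. `// Base DN of the reserved node namespace; the system roles and tokens below live under it.`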
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java b/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java index 9c686a6c6..933f80a95 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/SystemRole.java @@ -5,6 +5,7 @@ import java.util.Set; import javax.security.auth.Subject; import javax.xml.namespace.QName; +import org.argeo.api.cms.CmsConstants; import org.argeo.cms.internal.auth.ImpliedByPrincipal; public interface SystemRole { @@ -15,7 +16,8 @@ public interface SystemRole { for (ImpliedByPrincipal role : roles) { if (role.isSystemRole()) { if (role.getRoleName().equals(getName())) { - if (role.getContext().equalsIgnoreCase(context)) + if (role.getContext().equalsIgnoreCase(context) + || role.getContext().equals(CmsConstants.NODE_BASEDN)) return true; } } diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminUtils.java index 5a3657211..0d4830663 100644 --- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminUtils.java +++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminUtils.java @@ -136,7 +136,7 @@ public class UserAdminUtils { /** Simply retrieves a display name of the relevant domain */ public final static String getDomainName(User user) { String dn = user.getName(); - if (dn.endsWith(CmsConstants.ROLES_BASEDN)) + if (dn.endsWith(CmsConstants.SYSTEM_ROLES_BASEDN)) return "System roles"; if (dn.endsWith(CmsConstants.TOKENS_BASEDN)) return "Tokens"; diff --git a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java index 0bf9a211b..a1bc1efc8 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/auth/CmsUserManagerImpl.java 
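Review bot: The new disjunct `role.getContext().equals(CmsConstants.NODE_BASEDN)` compares the DN case-sensitively while the branch on the preceding line uses `equalsIgnoreCase`, and the other DN checks in this patch (`UserAdminWrapper`, `CmsUserManagerImpl`) also ignore case; a role whose context is stored as `OU=node` would not be recognised. I would use `|| role.getContext().equalsIgnoreCase(CmsConstants.NODE_BASEDN)`. This branch also makes a system role held in the node context satisfy `implied` for every `context` that is asked for, which is a deliberate broadening of privilege scope and deserves a comment such as `// a system role granted at the node level implies the same role in every context`, so it is not later mistaken for an accidental wildcard. The enclosing method's signature and end are outside the hunk.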
@@ -166,7 +166,7 @@ public class CmsUserManagerImpl implements CmsUserManager { List users = new ArrayList(); for (Role role : roles) { if ((includeUsers && role.getType() == Role.USER || role.getType() == Role.GROUP) && !users.contains(role) - && (includeSystemRoles || !role.getName().toLowerCase().endsWith(CmsConstants.ROLES_BASEDN))) { + && (includeSystemRoles || !role.getName().toLowerCase().endsWith(CmsConstants.SYSTEM_ROLES_BASEDN))) { if (match(role, filter)) users.add((User) role); } @@ -368,7 +368,7 @@ public class CmsUserManagerImpl implements CmsUserManager { if (onlyWritable && readOnly) continue; - if (baseDn.equalsIgnoreCase(CmsConstants.ROLES_BASEDN)) + if (baseDn.equalsIgnoreCase(CmsConstants.SYSTEM_ROLES_BASEDN)) continue; if (baseDn.equalsIgnoreCase(CmsConstants.TOKENS_BASEDN)) continue; diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java index daec2ea76..7f4314b99 100644 --- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java +++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/CmsUserAdmin.java @@ -65,7 +65,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin { private CmsState cmsState; public CmsUserAdmin() { - super(CmsConstants.ROLES_BASEDN, CmsConstants.TOKENS_BASEDN); + super(CmsConstants.SYSTEM_ROLES_BASEDN, CmsConstants.TOKENS_BASEDN); } public void start() { @@ -93,7 +93,7 @@ public class CmsUserAdmin extends AggregatingUserAdmin { // node roles String nodeRolesUri = null;// getFrameworkProp(CmsConstants.ROLES_URI); - String baseNodeRoleDn = CmsConstants.ROLES_BASEDN; + String baseNodeRoleDn = CmsConstants.SYSTEM_ROLES_BASEDN; if (nodeRolesUri == null && nodeBase != null) { nodeRolesUri = baseNodeRoleDn + ".ldif"; Path nodeRolesFile = nodeBase.resolve(nodeRolesUri); 
diff --git a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/GroupsView.java b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/GroupsView.java index 3bf48918d..73e4f5d11 100644 --- a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/GroupsView.java +++ b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/GroupsView.java @@ -198,7 +198,7 @@ public class GroupsView { .append("))"); if (!showSystemRoles) - builder.append("(!(").append(LdapAttrs.DN).append("=*").append(CmsConstants.ROLES_BASEDN) + builder.append("(!(").append(LdapAttrs.DN).append("=*").append(CmsConstants.SYSTEM_ROLES_BASEDN) .append("))"); builder.append("(|"); builder.append(tmpBuilder.toString()); @@ -207,7 +207,7 @@ public class GroupsView { if (!showSystemRoles) builder.append("(&(").append(LdapAttrs.objectClass.name()).append("=") .append(LdapObjs.groupOfNames.name()).append(")(!(").append(LdapAttrs.DN).append("=*") - .append(CmsConstants.ROLES_BASEDN).append("))(!(").append(LdapAttrs.DN).append("=*") + .append(CmsConstants.SYSTEM_ROLES_BASEDN).append("))(!(").append(LdapAttrs.DN).append("=*") .append(CmsConstants.TOKENS_BASEDN).append(")))"); else builder.append("(&(").append(LdapAttrs.objectClass.name()).append("=") diff --git a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/UserAdminWrapper.java b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/UserAdminWrapper.java index 00b519d5c..dbb629c25 100644 --- a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/UserAdminWrapper.java +++ b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/UserAdminWrapper.java @@ -95,7 +95,7 @@ public class UserAdminWrapper { if (onlyWritable && readOnly) continue; - if (baseDn.equalsIgnoreCase(CmsConstants.ROLES_BASEDN)) + if (baseDn.equalsIgnoreCase(CmsConstants.SYSTEM_ROLES_BASEDN)) continue; if (baseDn.equalsIgnoreCase(CmsConstants.TOKENS_BASEDN)) continue; 
diff --git a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/RoleIconLP.java b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/RoleIconLP.java index 8c94093e4..8e12eeda1 100644 --- a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/RoleIconLP.java +++ b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/RoleIconLP.java @@ -22,7 +22,7 @@ public class RoleIconLP extends UserAdminAbstractLP { public Image getImage(Object element) { User user = (User) element; String dn = user.getName(); - if (dn.endsWith(CmsConstants.ROLES_BASEDN)) + if (dn.endsWith(CmsConstants.SYSTEM_ROLES_BASEDN)) return SecurityAdminImages.ICON_ROLE; else if (user.getType() == Role.GROUP) { String businessCategory = UserAdminUtils.getProperty(user, LdapAttrs.businessCategory); diff --git a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/UserFilter.java b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/UserFilter.java index 154b04725..7a7bfbf56 100644 --- a/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/UserFilter.java +++ b/swt/org.argeo.cms.e4/src/org/argeo/cms/e4/users/providers/UserFilter.java @@ -37,7 +37,7 @@ public class UserFilter extends ViewerFilter { @Override public boolean select(Viewer viewer, Object parentElement, Object element) { User user = (User) element; - if (!showSystemRole && user.getName().matches(".*(" + CmsConstants.ROLES_BASEDN + ")")) + if (!showSystemRole && user.getName().matches(".*(" + CmsConstants.SYSTEM_ROLES_BASEDN + ")")) // UserAdminUtils.getProperty(user, LdifName.dn.name()) // .toLowerCase().endsWith(AuthConstants.ROLES_BASEDN)) return false; diff --git a/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/PickUpUserDialog.java b/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/PickUpUserDialog.java index ed1bfd868..23e41eada 100644 --- a/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/PickUpUserDialog.java 
+++ b/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/PickUpUserDialog.java @@ -214,7 +214,7 @@ public class PickUpUserDialog extends TrayDialog { if (!showSystemRoleBtn.getSelection()) typeStr = "(& " + typeStr + "(!(" + LdapAttrs.DN + "=*" - + CmsConstants.ROLES_BASEDN + ")))"; + + CmsConstants.SYSTEM_ROLES_BASEDN + ")))"; if (filterBuilder.length() > 1) { builder.append("(&" + typeStr); diff --git a/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/UserLP.java b/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/UserLP.java index d1c90a43f..b3ab40ec3 100644 --- a/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/UserLP.java +++ b/swt/org.argeo.cms.swt/src/org/argeo/cms/swt/useradmin/UserLP.java @@ -46,7 +46,7 @@ class UserLP extends ColumnLabelProvider { if (COL_ICON.equals(currType)) { User user = (User) element; String dn = user.getName(); - if (dn.endsWith(CmsConstants.ROLES_BASEDN)) + if (dn.endsWith(CmsConstants.SYSTEM_ROLES_BASEDN)) return UsersImages.ICON_ROLE; else if (user.getType() == Role.GROUP) return UsersImages.ICON_GROUP; -- 2.30.2