FC-249 - New API isUserInRole in AccessMgr
shawnmckinney committed Oct 23, 2018
1 parent 9b7057d commit 3cd213617259e8c6d8345416f79678a3095ba08b
Showing 3 changed files with 128 additions and 8 deletions.
@@ -207,6 +207,34 @@ private FortResponse createSession( FortRequest request, boolean trusted )
}


/**
* Perform user ROLE check.
*
* @param request The {@link FortRequest} we have to check
* @return a {@link FortResponse} containing the response
*/
/* no qualifier*/ FortResponse isUserInRole( FortRequest request )
{
FortResponse response = createResponse();

try
{
AccessMgr accessMgr = AccessMgrFactory.createInstance( request.getContextId() );
Role role = (Role)request.getEntity();
User user = (User) request.getEntity2();
boolean isTrusted = request.getIsFlag();
boolean result = accessMgr.isUserInRole( user, role, isTrusted );
response.setAuthorized( result );
}
catch ( SecurityException se )
{
createError( response, LOG, se );
}

return response;
}


/* No qualifier */ FortResponse sessionPermissions( FortRequest request )
{
FortResponse response = createResponse();
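Review bot: The casts `Role role = (Role)request.getEntity();` and `User user = (User) request.getEntity2();` throw ClassCastException when a caller sends an entity of another type, and that exception is not a SecurityException, so it bypasses `createError( response, LOG, se )` and escapes isUserInRole instead of becoming a structured error response. A guard such as `if ( !( request.getEntity() instanceof Role ) || !( request.getEntity2() instanceof User ) )` routed into the same error path (or whatever the sibling methods do for a malformed request — not visible here) would keep the failure inside the response contract. The Javadoc should also state what `request.getIsFlag()` means, since it is passed straight through as the trusted flag: `* When {@link FortRequest#isFlag} is true the user's password is not checked (trusted mode), so the caller is vouching for the user's identity.` The hunk's trailing context opens sessionPermissions, whose body continues outside the hunk.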
@@ -4006,13 +4006,13 @@


/**
* Perform user RBAC authorization. This function returns a Boolean value meaning whether the subject of a given
* session is allowed or not to perform a given operation on a given object. The function is valid if and
* only if the session is a valid Fortress session, the object is a member of the OBJS data set,
* and the operation is a member of the OPS data set. The session's subject has the permission
* Combine createSession and checkAccess into a single method.
* This function returns a Boolean value meaning whether the User is allowed or not to perform a given operation on a given object.
* The function is valid if and only if the user is a valid Fortress user, the object is a member of the OBJS data set,
* and the operation is a member of the OPS data set. The user has the permission
* to perform the operation on that object if and only if that permission is assigned to (at least)
* one of the session's active roles. This implementation will verify the roles or userId correspond
* to the subject's active roles are registered in the object's access control list.
* to the user's active roles are registered in the object's access control list.
* <h3></h3>
* <h4>required parameters</h4>
* <ul>
@@ -4021,8 +4021,10 @@
* entity
* </li>
* <li>
* {@link FortRequest#session} - contains a reference to User's RBAC session that is created by calling
* {@link FortressServiceImpl#createSession} method before use in this service.
* {@link FortRequest#entity2} - contains a reference to User object containing userId.
* </li>
* <li>
* {@link FortRequest#isFlag} - boolean value if true, password check will not be performed.
* </li>
* </ul>
* <ul style="list-style-type:none">
@@ -4041,17 +4043,94 @@
* </li>
* </ul>
* </li>
* <li>
* <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
* <ul>
* <li>{@link org.apache.directory.fortress.core.model.User#userId} - maps to INetOrgPerson uid</li>
* <li>{@link org.apache.directory.fortress.core.model.User#password} - used to authenticate the User</li>
* </ul>
* <h5>User optional parameters</h5>
* <ul>
* <li>
* {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring attribute contains the
* names of assigned RBAC roles targeted for activation into Session.
* </li>
* <li>
* {@link org.apache.directory.fortress.core.model.User#props} collection of name value pairs collected on
* behalf of User during signon. For example locale:east
* </li>
* </ul>
* </li>
* </ul>
* </li>
* </ul>
*
* @param request contains a reference to {@code FortRequest}
* @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
* authorized, otherwise 'false'. Updated {@link FortResponse#session} will be included in response as well.
* authorized, otherwise 'false'.
*/
FortResponse createSessionCheckAccess( FortRequest request );


/**
* Combine createSession and a role check into a single method.
* This function returns a Boolean value meaning whether the User has a particular role.
* The function is valid if and only if the user is a valid Fortress user and the role is a member of the ROLES data set.
* <h3></h3>
* <h4>required parameters</h4>
* <ul>
* <li>
* {@link FortRequest#entity} - contains a reference to {@link org.apache.directory.fortress.core.model.Role}
* entity
* </li>
* <li>
* {@link FortRequest#entity2} - contains a reference to User object containing userId.
* </li>
* <li>
* {@link FortRequest#isFlag} - boolean value if true, password check will not be performed.
* </li>
* </ul>
* <ul style="list-style-type:none">
* <li>
* <ul style="list-style-type:none">
* <li>
* <h5>{@link org.apache.directory.fortress.core.model.Role} required parameters</h5>
* <ul>
* <li>
* {@link org.apache.directory.fortress.core.model.Role#name} - contains the name of existing
* role being targeted for check.
* </li>
* </ul>
* </li>
* <li>
* <h5>{@link org.apache.directory.fortress.core.model.User} required parameters</h5>
* <ul>
* <li>{@link org.apache.directory.fortress.core.model.User#userId} - maps to INetOrgPerson uid</li>
* <li>{@link org.apache.directory.fortress.core.model.User#password} - used to authenticate the User</li>
* </ul>
* <h5>User optional parameters</h5>
* <ul>
* <li>
* {@link org.apache.directory.fortress.core.model.User#roles} * - multi-occurring attribute contains the
* names of assigned RBAC roles targeted for activation into Session.
* </li>
* <li>
* {@link org.apache.directory.fortress.core.model.User#props} collection of name value pairs collected on
* behalf of User during signon. For example locale:east
* </li>
* </ul>
* </li>
* </ul>
* </li>
* </ul>
*
* @param request contains a reference to {@code FortRequest}
* @return reference to {@code FortResponse}, {@link FortResponse#isAuthorized} boolean will be 'true' if User
* authorized, otherwise 'false'..
*/
FortResponse isUserInRole( FortRequest request );


/**
* This function returns the permissions of the session, i.e., the permissions assigned
* to its authorized roles. The function is valid if and only if the session is a valid Fortress session.
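Review bot: The `@return` of the new isUserInRole declaration ends with a doubled period, `authorized, otherwise 'false'..`, and "authorized" is wording carried over from createSessionCheckAccess; the summary sentence above already says "whether the User has a particular role", so `'true' if the User has the Role, otherwise 'false'.` describes the contract better. The `{@link FortRequest#isFlag}` bullet says the password check is skipped when true; callers would benefit from the consequence being spelled out, e.g. `* In trusted mode ({@link FortRequest#isFlag} true) the User's password is not verified, so the caller is vouching for the user's identity.` The optional `User#roles` bullet ("targeted for activation into Session") is copied from createSessionCheckAccess, and whether isUserInRole honours a caller-supplied activation list at all is not visible in this commit — confirm it, or drop the bullet so the documentation does not promise behaviour the check may not have.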
@@ -1244,6 +1244,19 @@ public FortResponse createSessionCheckAccess( FortRequest request )
}


/**
* {@inheritDoc}
*/
@POST
@Path("/" + HttpIds.RBAC_CHECK_ROLE + "/")
@RolesAllowed({SUPER_USER, ACCESS_MGR_USER})
@Override
public FortResponse isUserInRole( FortRequest request )
{
return accessMgrImpl.isUserInRole( request );
}


/**
* {@inheritDoc}
*/
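Review bot: The only access control on this endpoint is `@RolesAllowed({SUPER_USER, ACCESS_MGR_USER})`, while the forwarded request's isFlag (per the interface Javadoc in this commit) disables the target user's password check, so a holder of either role can evaluate any user's role membership without that user's credentials; that appears to be the intended trusted-mode design, but it is worth a comment on the method, e.g. `// Trusted mode (request.isFlag) skips the user's password check; @RolesAllowed is the only gate on this endpoint.` `HttpIds.RBAC_CHECK_ROLE` is not defined in any of the three file sections this commit shows, so it presumably already exists in HttpIds — confirm so the build does not break. The body is a one-line delegation to `accessMgrImpl.isUserInRole( request )`, consistent with the createSessionCheckAccess wrapper that closes at the top of the hunk.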
