Java > Open Source Codes > org > mr > kernel > security > impl > ldap > management > ACLLDAPManagement


1 /*
2  * Copyright 2002 by
3  * <a HREF="http://www.coridan.com">Coridan</a>
4  * <a HREF="mailto: support@coridan.com ">support@coridan.com</a>
5  *
6  * The contents of this file are subject to the Mozilla Public License Version
7  * 1.1 (the "License"); you may not use this file except in compliance with the
8  * License. You may obtain a copy of the License at
9  * http://www.mozilla.org/MPL/
10  *
11  * Software distributed under the License is distributed on an "AS IS" basis,
12  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
13  * for the specific language governing rights and limitations under the
14  * License.
15  *
16  * The Original Code is "MantaRay" (TM).
17  *
18  * The Initial Developer of the Original Code is Shirley Sasson.
19  * Portions created by the Initial Developer are Copyright (C) 2006
20  * Coridan Inc. All Rights Reserved.
21  *
22  * Contributor(s): all the names of the contributors are added in the source
23  * code where applicable.
24  *
25  * Alternatively, the contents of this file may be used under the terms of the
26  * LGPL license (the "GNU LESSER GENERAL PUBLIC LICENSE"), in which case the
27  * provisions of LGPL are applicable instead of those above. If you wish to
28  * allow use of your version of this file only under the terms of the LGPL
29  * License and not to allow others to use your version of this file under
30  * the MPL, indicate your decision by deleting the provisions above and
31  * replace them with the notice and other provisions required by the LGPL.
32  * If you do not delete the provisions above, a recipient may use your version
33  * of this file under either the MPL or the GNU LESSER GENERAL PUBLIC LICENSE.
34
35  *
36  * This library is free software; you can redistribute it and/or modify it
37  * under the terms of the MPL as stated above or under the terms of the GNU
38  * Lesser General Public License as published by the Free Software Foundation;
39  * either version 2.1 of the License, or any later version.
40  *
41  * This library is distributed in the hope that it will be useful, but WITHOUT
42  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
43  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
44  * License for more details.
45  */
46
47 package org.mr.kernel.security.impl.ldap.management;
48
49 import org.mr.MantaAgent;
50 import org.mr.kernel.security.*;
51 import org.mr.core.configuration.ConfigurationElement;
52
53 import javax.jms.JMSSecurityException ;
54 import javax.naming.directory.Attributes ;
55 import javax.naming.directory.Attribute ;
56 import javax.naming.NamingException ;
57 import javax.management.NotCompliantMBeanException ;
58 import java.util.*;
59
60 import org.mr.kernel.security.impl.*;
61 import org.mr.kernel.security.impl.management.*;
62 import org.mr.kernel.security.impl.management.jmx.SecurityManagementJMX;
63 import org.mr.kernel.security.impl.ldap.*;
64 import org.mr.kernel.security.SecurityActionTypes;
65 import org.apache.commons.logging.Log;
66 import org.apache.commons.logging.LogFactory;
67 import org.mr.kernel.security.authorization.permissions.*;
68 import org.mr.kernel.security.authorization.permissions.management.SpecificGroupPermission;
69 import org.mr.kernel.security.authorization.permissions.management.SpecificQueuePermission;
70 import org.mr.kernel.security.authorization.permissions.management.SpecificTopicPermission;
71 import org.mr.kernel.security.authorization.permissions.management.SpecificUserPermission;
72 import org.mr.kernel.security.authorization.PermissionFactory;
73 import org.mr.kernel.security.authorization.PermissionKeyEntry;
74 import org.mr.kernel.security.authorization.AuthorizationValue;
75
76 /**
77  * This class is an LDAP implementation of {@link org.mr.kernel.security.impl.management.ACLManagement}.
78  *
79  * @version 1.0
80  * @since Apr 11, 2006
81  * @author Shirley Sasson
82  *
83  */
84 public class ACLLDAPManagement implements ACLManagement, SecurityConfigurationPaths, SecurityActionTypes, LDAPConstants, SecurityConstants {
85
86     private MantaAuthorization _authorization;
87     private String _pathToGroups;
88     private String _pathToUsers;
89     private String _pathToWhiteList;
90     private String _pathToTopics;
91     private String _pathToQueues;
92     private String _groupAttributeName;
93     private String _userRDNAttributeName;
94     private String _groupRDNAttributeName;
95     private String _whiteListRDNAttributeName;
96     private String _topicRDNAttributeName;
97     private String _queueRDNAttributeName;
98     private ArrayList _configurableUserAttributes;
99     private ArrayList _configurableGroupAttributes;
100     private ArrayList _configurableDefaultAttributes;
101     private LDAPActions _ldapActions;
102     private String _configurationName;
103     private Log _logger;
104
105     // TODO - the path to each permission may contain the fixed path to topics, path to queues... etc.
106 // TODO - if it contains the path then the location of the permissions will be unflexible - it will have
107 // TODO - to be under the fixed path for topics, queues.. etc. Think of a better solution in the meeting on Sunday.
108 /**
109      * Constructs a new instance of ACLLDAPManagement.
110      *
111      */
112     public ACLLDAPManagement(String configurationName) throws MantaSecurityException {
113         init(configurationName);
114         _configurationName = configurationName;
115         _ldapActions = new LDAPActions(configurationName);
116     }
117
118     /**
119      * Creates a new principal on the LDAP storage.
120      *
121      * @param sessionID the session id returned from MantaAuthentication.authenticate method
122      * @param principal the principal to add
123      * @throws PrincipalAlreadyExistsException if this pricipal already exists
124      * @throws PrincipalNotFoundException if the principal to create is a user and the group specified for the
125      * user, doesn't exist
126      * @throws MantaSecurityException if an error occured
127      * @throws JMSSecurityException if action is unauthorized for the specific client
128      *
129      */
130     public void createPrincipal(SessionID sessionID, MantaPrincipal principal) throws PrincipalAlreadyExistsException, PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
131         if (principal == null){
132             if (getLogger().isErrorEnabled())
133                 getLogger().error("[createPrincipal] Invalid argument: Principal");
134             throw new MantaSecurityException("Invalid argument: Principal");
135         }
136
137         if (principal instanceof UserPrincipal){
138             UserPrincipal user = (UserPrincipal) principal;
139             createUserPrincipal(sessionID, user);
140         }
141         else if (principal instanceof GroupPrincipal){
142             GroupPrincipal group = (GroupPrincipal) principal;
143             createGroupPrincipal(sessionID, group);
144         }
145     }
146
147     /**
148      * Renames a principal on the LDAP storage.
149      *
150      * @param sessionID the session id returned from MantaAuthentication.authenticate method
151      * @param principal the principal to rename
152      * @throws PrincipalNotFoundException if a principal with the same name already exists
153      * @throws PrincipalAlreadyExistsException if this pricipal already exists
154      * @throws MantaSecurityException if an error occured
155      * @throws JMSSecurityException if action is unauthorized for the specific client
156      *
157      */
158     public void renamePrincipal(SessionID sessionID, MantaPrincipal principal, String newName) throws PrincipalNotFoundException, PrincipalAlreadyExistsException, MantaSecurityException, JMSSecurityException {
159         if (principal == null){
160             if (getLogger().isErrorEnabled())
161                 getLogger().error("[renamePrincipal] Invalid argument: Principal");
162             throw new MantaSecurityException("Invalid argument: Principal");
163         }
164         if (newName == null || "".equals(newName)){
165             if (getLogger().isErrorEnabled())
166                 getLogger().error("[renamePrincipal] Invalid argument: New name for principal");
167             throw new MantaSecurityException("Invalid argument: New name for principal");
168         }
169
170         if (principal instanceof UserPrincipal){
171             UserPrincipal user = (UserPrincipal) principal;
172             renameUser(sessionID, user, newName);
173         }
174         else if (principal instanceof GroupPrincipal){
175             GroupPrincipal group = (GroupPrincipal) principal;
176             renameGroup(sessionID, group, newName);
177         }
178     }
179
180     /**
181      * Sets a group attribute for a user on the LDAP storage.
182      *
183      * @param sessionID the session id returned from MantaAuthentication.authenticate method
184      * @param user the user to set the group for
185      * @param groupName the name of the group to set
186      * @throws PrincipalNotFoundException if user is not found or if group is not found
187      * @throws MantaSecurityException if an error occured
188      * @throws JMSSecurityException if action is unauthorized for the specific client
189      *
190      */
191     public void setUserGroup(SessionID sessionID, UserPrincipal user, String groupName) throws PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
192         if (user == null){
193             if (getLogger().isErrorEnabled())
194                 getLogger().error("[setUserGroup] Invalid argument: User principal");
195             throw new MantaSecurityException("Invalid argument: User principal");
196         }
197         if (groupName == null || "".equals(groupName)){
198             if (getLogger().isErrorEnabled())
199                 getLogger().error("[setUserGroup] Invalid argument: Group name");
200             throw new MantaSecurityException("Invalid argument: Group name");
201         }
202
203         // check permission
204 _authorization.authorize(sessionID, ACTION_SET_GROUP_FOR_USER, user.getName());
205         if (getLogger().isDebugEnabled())
206             getLogger().debug("[setUserGroup] Authorization granted: action = " + ACTION_SET_GROUP_FOR_USER + ", param = " + user.getName());
207
208         // check that group exists
209 String pathToGroup = _groupRDNAttributeName + "=" + groupName + "," + _pathToGroups;
210         boolean isGroupExists = _ldapActions.isExistEntry(new LDAPDN(pathToGroup));
211         if (!isGroupExists)
212             throw new PrincipalNotFoundException(new GroupPrincipal(groupName));
213
214         Map attributes = new HashMap();
215         String pathToEntry = _userRDNAttributeName + "=" + user.getName() + "," + _pathToUsers;
216         LDAPDN entry = new LDAPDN(pathToEntry);
217         attributes.put(_groupAttributeName, groupName);
218
219         if (getLogger().isDebugEnabled())
220             getLogger().debug("[setUserGroup] Setting " + _groupAttributeName + " attribute of " + entry.getPath() + " to be " + groupName);
221         try {
222             _ldapActions.setAttributes(entry, attributes);
223         }
224         catch (EntryNotFoundException e) {
225             if (getLogger().isErrorEnabled())
226                 getLogger().error("[setUserGroup] " + e.getMessage());
227             throw new PrincipalNotFoundException(user);
228         }
229     }
230
231     /**
232      * Sets a password attribute for a user on the LDAP storage.
233      *
234      * @param sessionID the session id returned from MantaAuthentication.authenticate method
235      * @param user the user to set the group for
236      * @param password the password to set
237      * @throws PrincipalNotFoundException if user is not found
238      * @throws MantaSecurityException if an error occured
239      * @throws JMSSecurityException if action is unauthorized for the specific client
240      *
241      */
242     public void setUserPassword(SessionID sessionID, UserPrincipal user, String password) throws PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
243         if (user == null){
244             if (getLogger().isErrorEnabled())
245                 getLogger().error("[setUserPassword] Invalid argument: User principal");
246             throw new MantaSecurityException("Invalid argument: User principal");
247         }
248         if (password == null || "".equals(password)){
249             if (getLogger().isErrorEnabled())
250                 getLogger().error("[setUserPassword] Invalid argument: Password");
251             throw new MantaSecurityException("Invalid argument: Password");
252         }
253
254         // check permission
255 _authorization.authorize(sessionID, ACTION_SET_PASSWORD_FOR_USER, user.getName());
256         if (getLogger().isDebugEnabled())
257             getLogger().debug("[setUserPassword] Authorization granted: action = " + ACTION_SET_PASSWORD_FOR_USER + ", param = " + user.getName());
258
259         Map attributes = new HashMap();
260         String pathToEntry = _userRDNAttributeName + "=" + user.getName() + "," + _pathToUsers;
261         LDAPDN entry = new LDAPDN(pathToEntry);
262
263         // crypt the password
264 attributes.put(ATTRIBUTE_USER_PASSWORD, LDAPUtilities.crypt(password));
265
266         if (getLogger().isDebugEnabled())
267             getLogger().debug("[setUserPassword] Setting " + ATTRIBUTE_USER_PASSWORD + " attribute of " + pathToEntry);
268         try {
269             _ldapActions.setAttributes(entry, attributes);
270         }
271         catch (EntryNotFoundException e) {
272             if (getLogger().isErrorEnabled())
273                 getLogger().error("[setUserPassword] " + e.getMessage());
274             throw new PrincipalNotFoundException(user);
275         }
276     }
277
278     /**
279      * Creates a new permission on the LDAP storage.
280      *
281      * @param sessionID the session id returned from MantaAuthentication.authenticate method
282      * @param permission the permission to add
283      * @throws org.mr.kernel.security.impl.management.PermissionAlreadyExistsException if this permission already exists
284      * @throws MantaSecurityException if an error occured
285      * @throws JMSSecurityException if action is unauthorized for the specific client
286      *
287      */
288     public void createPermission(SessionID sessionID, MantaPermission permission, MantaPrincipal principal) throws PrincipalNotFoundException, PermissionAlreadyExistsException, MantaSecurityException, JMSSecurityException {
289         if (permission == null){
290             if (getLogger().isErrorEnabled())
291                 getLogger().error("[createPermission] Invalid argument: Permission");
292             throw new MantaSecurityException("Invalid argument: Permission");
293         }
294         if (principal == null){
295             if (getLogger().isErrorEnabled())
296                 getLogger().error("[createPermission] Invalid argument: Principal");
297             throw new MantaSecurityException("Invalid argument: Principal");
298         }
299
300
301         if (principal instanceof UserPrincipal){
302             // check permission
303 _authorization.authorize(sessionID, ACTION_CREATE_PERMISSIONS_FOR_USER, principal.getName());
304             if (getLogger().isDebugEnabled())
305                 getLogger().debug("[createPermission] Authorization granted: action = " + ACTION_CREATE_PERMISSIONS_FOR_USER + ", param = " + principal.getName());
306
307             // check that user exists
308 String pathToUser = _userRDNAttributeName + "=" + principal.getName() + "," + _pathToUsers;
309             boolean isUserExists = _ldapActions.isExistEntry(new LDAPDN(pathToUser));
310             if (!isUserExists)
311                 throw new PrincipalNotFoundException((UserPrincipal) principal);
312         }
313         else if (principal instanceof GroupPrincipal){
314             // check permission
315 _authorization.authorize(sessionID, ACTION_CREATE_PERMISSIONS_FOR_GROUP, principal.getName());
316             if (getLogger().isDebugEnabled())
317                 getLogger().debug("[createPermission] Authorization granted: action = " + ACTION_CREATE_PERMISSIONS_FOR_GROUP + " param = " + principal.getName());
318
319             // check that group exists
320 String pathToGroup = _groupRDNAttributeName + "=" + principal.getName() + "," + _pathToGroups;
321             boolean isGroupExists = _ldapActions.isExistEntry(new LDAPDN(pathToGroup));
322             if (!isGroupExists)
323                 throw new PrincipalNotFoundException((GroupPrincipal) principal);
324         }
325
326         LDAPDN permissionDN = LDAPUtilities.buildPermissionPath(permission, principal);
327
328         if (getLogger().isDebugEnabled())
329             getLogger().debug("[createPermission] Adding permission " + permissionDN.getPath());
330         try {
331             recursiveAdd(permissionDN, setAttributesForAdd(_configurableDefaultAttributes, null));
332         }
333         catch (EntryAlreadyExistsException e){
334             if (getLogger().isErrorEnabled())
335                 getLogger().error("[createPermission] " + e.getMessage());
336             if (principal instanceof UserPrincipal)
337                 throw new PermissionAlreadyExistsException(permission, (UserPrincipal) principal);
338             else if (principal instanceof GroupPrincipal)
339                 throw new PermissionAlreadyExistsException(permission, (GroupPrincipal) principal);
340         }
341         catch (PropertyNotFoundException pnfe){
342             if (getLogger().isErrorEnabled())
343                 getLogger().error("[createPermission] " + pnfe.getMessage());
344         }
345     }
346
347
348     /**
349      * Returns the collection of all permissions for a specific principal, from the LDAP storage.
350      *
351      * @param sessionID the session id returned from MantaAuthentication.authenticate method
352      * @param principal the principal
353      * @return a collection of all permissions for a specific principal
354      * @throws MantaSecurityException if an error occured
355      * @throws JMSSecurityException if action is unauthorized for the specific client
356      *
357      */
358     public Collection getPermissionsForPrincipal(SessionID sessionID, MantaPrincipal principal) throws PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
359         if (principal == null){
360             if (getLogger().isErrorEnabled())
361                 getLogger().error("[getPermissionsForPrincipal] Invalid argument: Principal");
362             throw new MantaSecurityException("Invalid argument: Principal");
363         }
364
365         if (principal instanceof UserPrincipal){
366             // check permission
367 _authorization.authorize(sessionID, ACTION_READ_PERMISSIONS_FOR_USER, principal.getName());
368             if (getLogger().isDebugEnabled())
369                 getLogger().debug("[getPermissionsForPrincipal] Authorization granted: action = " + ACTION_READ_PERMISSIONS_FOR_USER + ", param = " + principal.getName());
370
371             // check that user exisys
372 String pathToUser = _userRDNAttributeName + "=" + principal.getName() + "," + _pathToUsers;
373             boolean isUserExists = _ldapActions.isExistEntry(new LDAPDN(pathToUser));
374             if (!isUserExists)
375                 throw new PrincipalNotFoundException((UserPrincipal) principal);
376         }
377         else if (principal instanceof GroupPrincipal){
378             // check permission
379 _authorization.authorize(sessionID, ACTION_READ_PERMISSIONS_FOR_GROUP, principal.getName());
380             if (getLogger().isDebugEnabled())
381                 getLogger().debug("[getPermissionsForPrincipal] Authorization granted: action = " + ACTION_READ_PERMISSIONS_FOR_GROUP + ", param = " + principal.getName());
382
383             // check that group exists
384 String pathToGroup = _groupRDNAttributeName + "=" + principal.getName() + "," + _pathToGroups;
385             boolean isGroupExists = _ldapActions.isExistEntry(new LDAPDN(pathToGroup));
386             if (!isGroupExists)
387                 throw new PrincipalNotFoundException((GroupPrincipal) principal);
388         }
389
390         if (getLogger().isDebugEnabled())
391             getLogger().debug("[getPermissionsForPrincipal] Reading collection of all users");
392         Collection users = getUsers(sessionID);
393
394         if (getLogger().isDebugEnabled())
395             getLogger().debug("[getPermissionsForPrincipal] Reading collection of all groups");
396         Collection groups = getGroups(sessionID);
397
398         if (getLogger().isDebugEnabled())
399             getLogger().debug("[getPermissionsForPrincipal] Reading collection of all topics");
400         Collection topics = getTopics();
401
402         if (getLogger().isDebugEnabled())
403             getLogger().debug("[getPermissionsForPrincipal] Reading collection of all queues");
404         Collection queues = getQueues();
405
406         if (getLogger().isDebugEnabled())
407             getLogger().debug("[getPermissionsForPrincipal] Reading list of all configured permissions");
408         List permissions = new ArrayList();
409         PermissionFactory factory = PermissionFactory.getInstance();
410         List availablePermissions = factory.getAvailablePermissions();
411         ACLStorageConnector ldap = ACLStorageConnectorFactory.getInstance().getACLStorageConnector(_configurationName);
412
413         for (int i=0 ; i<availablePermissions.size() ; i++){
414             String permissionName = (String ) availablePermissions.get(i);
415             MantaPermission permission = factory.getPermission(permissionName);
416             if (permission instanceof SpecificUserPermission){
417                 Iterator iter = users.iterator();
418                 while (iter.hasNext()){
419                     String username = (String ) iter.next();
420                     SpecificUserPermission specificUserPermission = (SpecificUserPermission) permission;
421                     specificUserPermission.setParameter(username);
422                     if (checkPermission(specificUserPermission, principal, ldap))
423                         permissions.add(permission);
424                 }
425             }
426             else if (permission instanceof SpecificGroupPermission){
427                 Iterator iter = groups.iterator();
428                 while (iter.hasNext()){
429                     String groupName = (String ) iter.next();
430                     SpecificGroupPermission specificGroupPermission = (SpecificGroupPermission) permission;
431                     specificGroupPermission.setParameter(groupName);
432                     if (checkPermission(specificGroupPermission, principal, ldap))
433                         permissions.add(permission);
434                 }
435             }
436             else if (permission instanceof SpecificTopicPermission){
437                 Iterator iter = topics.iterator();
438                 while (iter.hasNext()){
439                     String topicName = (String ) iter.next();
440                     SpecificTopicPermission specificTopicPermission = (SpecificTopicPermission) permission;
441                     specificTopicPermission.setParameter(topicName);
442                     if (checkPermission(specificTopicPermission, principal, ldap))
443                         permissions.add(permission);
444                 }
445             }
446             else if (permission instanceof SpecificQueuePermission){
447                 Iterator iter = queues.iterator();
448                 while (iter.hasNext()){
449                     String queueName = (String ) iter.next();
450                     SpecificQueuePermission specificQueuePermission = (SpecificQueuePermission) permission;
451                     specificQueuePermission.setParameter(queueName);
452                     if (checkPermission(specificQueuePermission, principal, ldap))
453                         permissions.add(permission);
454                 }
455             }
456             else {
457                 if (checkPermission(permission, principal, ldap))
458                     permissions.add(permission);
459             }
460         }
461         return permissions;
462     }
463
464     /**
465      * Deletes a principal from the LDAP storage.
466      *
467      * @param sessionID the session id returned from MantaAuthentication.authenticate method
468      * @param principal the principal to delete
469      * @throws PrincipalNotFoundException if this pricipal is not found
470      * @throws GroupNotEmptyException if the principal to delete is a group which has users related to it and so cannot be deleted
471      * @throws MantaSecurityException if an error occured
472      * @throws JMSSecurityException if action is unauthorized for the specific client
473      *
474      */
475     public void deletePrincipal(SessionID sessionID, MantaPrincipal principal) throws PrincipalNotFoundException, GroupNotEmptyException, MantaSecurityException, JMSSecurityException {
476         if (principal == null){
477             if (getLogger().isErrorEnabled())
478                 getLogger().error("[deletePrincipal] Invalid argument: Principal");
479             throw new MantaSecurityException("Invalid argument: Principal");
480         }
481
482         if (principal instanceof UserPrincipal){
483             UserPrincipal user = (UserPrincipal) principal;
484
485             // check permissions
486 // user needs permissions to delete a user
487 _authorization.authorize(sessionID, ACTION_DELETE_USER, user.getName());
488             if (getLogger().isDebugEnabled())
489                 getLogger().debug("[deletePrincipal] Authorization granted: action = " + ACTION_DELETE_USER + ", param = " + user.getName());
490
491             // user also needs permissions to delete user's permissions - cause they should be deleted as well
492 _authorization.authorize(sessionID, ACTION_DELETE_PERMISSIONS_FOR_USER, user.getName());
493             if (getLogger().isDebugEnabled())
494                 getLogger().debug("[deletePrincipal] Authorization granted: action = " + ACTION_DELETE_PERMISSIONS_FOR_USER + ", param = " + user.getName());
495
496             // TODO - start transaction
497 if (getLogger().isDebugEnabled())
498                 getLogger().debug("[deletePrincipal] Deleting user: " + user);
499             deleteUser(user);
500
501             if (getLogger().isDebugEnabled())
502                 getLogger().debug("[deletePrincipal] Deleting permissions for user: " + user);
503             deletePermissionsForPrincipal(sessionID, user);
504             // TODO - end transaction
505 }
506         else if (principal instanceof GroupPrincipal){
507             GroupPrincipal group = (GroupPrincipal) principal;
508
509             // check that there are no users that belong to this group
510 Collection usersInGroup = getUsers(sessionID, _groupAttributeName, group.getName());
511             if (usersInGroup.size() > 0){
512                 if (getLogger().isErrorEnabled())
513                     getLogger().error("[deletePrincipal] Group " + group + " not empty");
514                 throw new GroupNotEmptyException(group, usersInGroup);
515             }
516
517             // check permission
518 // user needs permissions to delete a group
519 _authorization.authorize(sessionID, ACTION_DELETE_GROUP, group.getName());
520             if (getLogger().isDebugEnabled())
521                 getLogger().debug("[deletePrincipal] Authorization granted: action = " + ACTION_DELETE_GROUP + ", param = " + group.getName());
522
523             // user also needs permissions to delete group's permissions - cause they should be deleted as well
524 _authorization.authorize(sessionID, ACTION_DELETE_PERMISSIONS_FOR_GROUP, group.getName());
525             if (getLogger().isDebugEnabled())
526                 getLogger().debug("[deletePrincipal] Authorization granted: action = " + ACTION_DELETE_PERMISSIONS_FOR_GROUP + ", param = " + group.getName());
527
528             // TODO - start transaction
529 if (getLogger().isDebugEnabled())
530                 getLogger().debug("[deletePrincipal] Deleting group: " + group);
531             deleteGroup(group);
532
533             if (getLogger().isDebugEnabled())
534                 getLogger().debug("[deletePrincipal] Deleting permissions for group: " + group);
535             deletePermissionsForPrincipal(sessionID, group);
536             // TODO - end transaction
537 }
538     }
539
540     /**
541      * Deletes a permission from the LDAP storage.
542      *
543      * @param sessionID the session id returned from MantaAuthentication.authenticate method
544      * @param permission the permission to delete
545      * @throws PermissionNotFoundException if this permission is not found
546      * @throws MantaSecurityException if an error occured
547      * @throws JMSSecurityException if action is unauthorized for the specific client
548      *
549      */
550     public void deletePermission(SessionID sessionID, MantaPermission permission, MantaPrincipal principal) throws PermissionNotFoundException, MantaSecurityException, JMSSecurityException {
551         if (permission == null){
552             if (getLogger().isErrorEnabled())
553                 getLogger().error("[deletePermission] Invalid argument: Permission");
554             throw new MantaSecurityException("Invalid argument: Permission");
555         }
556         if (principal == null){
557             if (getLogger().isErrorEnabled())
558                 getLogger().error("[deletePermission] Invalid argument: Principal");
559             throw new MantaSecurityException("Invalid argument: Principal");
560         }
561
562         // check permission
563 if (principal instanceof UserPrincipal){
564             if (getLogger().isDebugEnabled())
565                 getLogger().debug("[deletePermission] Authorization granted: action = " + ACTION_DELETE_PERMISSIONS_FOR_USER + ", param = " + principal.getName());
566             _authorization.authorize(sessionID, ACTION_DELETE_PERMISSIONS_FOR_USER, principal.getName());
567         }
568         else if (principal instanceof GroupPrincipal){
569             if (getLogger().isDebugEnabled())
570                 getLogger().debug("[deletePermission] Authorization granted: action = " + ACTION_DELETE_PERMISSIONS_FOR_GROUP + ", param = " + principal.getName());
571             _authorization.authorize(sessionID, ACTION_DELETE_PERMISSIONS_FOR_GROUP, principal.getName());
572         }
573
574         LDAPDN permissionDN = LDAPUtilities.buildPermissionPath(permission, principal);
575         if (getLogger().isDebugEnabled())
576             getLogger().debug("[deletePermission] Deleting permission: " + permissionDN);
577
578         try {
579             recursiveDelete(permissionDN);
580         }
581         catch (EntryNotFoundException e) {
582             if (getLogger().isErrorEnabled())
583                 getLogger().error("[deletePermission] " + e.getMessage());
584             if (principal instanceof UserPrincipal)
585                 throw new PermissionNotFoundException(permission, (UserPrincipal) principal);
586             else if (principal instanceof GroupPrincipal)
587                 throw new PermissionNotFoundException(permission, (GroupPrincipal) principal);
588         }
589     }
590
591     /**
592      * Creates a new white list entry, on the LDAP storage.
593      *
594      * @param sessionID the session id returned from MantaAuthentication.authenticate method
595      * @param whiteListEntry the white list entry to add
596      * @throws WhiteListEntryAlreadyExistsException if this white list entry already exists
597      * @throws MantaSecurityException if an error occured
598      * @throws JMSSecurityException if action is unauthorized for the specific client
599      *
600      */
601     public void createWhiteListEntry(SessionID sessionID, String whiteListEntry) throws WhiteListEntryAlreadyExistsException, MantaSecurityException, JMSSecurityException {
602         if (whiteListEntry == null){
603             if (getLogger().isErrorEnabled())
604                 getLogger().error("[createWhiteListEntry] Invalid argument: White List Entry");
605             throw new MantaSecurityException("Invalid argument: White List Entry");
606         }
607
608         // check permission
609 _authorization.authorize(sessionID, ACTION_CREATE_WHITE_LIST_ENTRY);
610         if (getLogger().isDebugEnabled())
611             getLogger().debug("[createWhiteListEntry] Authorization granted: action = " + ACTION_CREATE_WHITE_LIST_ENTRY);
612
613         String strPathToEntry = _whiteListRDNAttributeName + "=" + whiteListEntry + "," + _pathToWhiteList;
614         LDAPDN entry = new LDAPDN(strPathToEntry);
615
616         if (getLogger().isDebugEnabled())
617             getLogger().debug("[createWhiteListEntry] Adding white list entry: " + entry);
618         try {
619             recursiveAdd(entry, setAttributesForAdd(_configurableDefaultAttributes, null));
620         }
621         catch (EntryAlreadyExistsException e){
622             if (getLogger().isErrorEnabled())
623                 getLogger().error("[createWhiteListEntry] " + e.getMessage());
624             throw new WhiteListEntryAlreadyExistsException(whiteListEntry);
625         }
626         catch (PropertyNotFoundException pnfe){
627             if (getLogger().isErrorEnabled())
628                 getLogger().error("[createWhiteListEntry] " + pnfe.getMessage());
629         }
630     }
631
632     /**
633      * Deletes a white list entry, from the LDAP storage.
634      *
635      * @param sessionID the session id returned from MantaAuthentication.authenticate method
636      * @param whiteListEntry the white list entry to delete
637      * @throws WhiteListEntryNotFoundException if this white list entry is not found
638      * @throws MantaSecurityException if an error occured
639      * @throws JMSSecurityException if action is unauthorized for the specific client
640      *
641      */
642     public void deleteWhiteListEntry(SessionID sessionID, String whiteListEntry) throws WhiteListEntryNotFoundException, MantaSecurityException, JMSSecurityException {
643         if (whiteListEntry == null){
644             if (getLogger().isErrorEnabled())
645                 getLogger().error("[deleteWhiteListEntry] Invalid argument: White List Entry");
646             throw new MantaSecurityException("Invalid argument: White List Entry");
647          }
648
649         // check permission
650 _authorization.authorize(sessionID, ACTION_DELETE_WHITE_LIST_ENTRY);
651         if (getLogger().isDebugEnabled())
652             getLogger().debug("[deleteWhiteListEntry] Authorization granted: action = " + ACTION_DELETE_WHITE_LIST_ENTRY);
653
654         String strPathToEntry = _whiteListRDNAttributeName + "=" + whiteListEntry + "," + _pathToWhiteList;
655
656         if (getLogger().isDebugEnabled())
657             getLogger().debug("[deleteWhiteListEntry] Deleting white list entry: " + strPathToEntry);
658         LDAPDN entry = new LDAPDN(strPathToEntry);
659
660         try {
661             recursiveDelete(entry);
662         }
663         catch (EntryNotFoundException e) {
664             if (getLogger().isErrorEnabled())
665                 getLogger().error("[deleteWhiteListEntry] " + e.getMessage());
666             throw new WhiteListEntryNotFoundException(whiteListEntry);
667         }
668     }
669
670     /**
671      * Returns the collection of all users that exist on the LDAP storage.
672      *
673      * @param sessionID the session id returned from MantaAuthentication.authenticate method
674      * @return a collection of all users
675      * @throws MantaSecurityException if an error occured
676      * @throws JMSSecurityException if action is unauthorized for the specific client
677      *
678      */
679     public Collection getUsers(SessionID sessionID) throws MantaSecurityException, JMSSecurityException {
680         _authorization.authorize(sessionID, ACTION_LIST_USERS);
681         if (getLogger().isDebugEnabled())
682             getLogger().debug("[getUsers] Authorization granted: action = " + ACTION_LIST_USERS);
683
684         if (getLogger().isDebugEnabled())
685             getLogger().debug("[getUsers] Getting entries of name " + _userRDNAttributeName + " from " + _pathToUsers);
686         return getEntries(_pathToUsers, _userRDNAttributeName);
687     }
688
689     /**
690      * Returns the collection of all groups that exist on the LDAP storage.
691      *
692      * @param sessionID the session id returned from MantaAuthentication.authenticate method
693      * @return a collection of all groups
694      * @throws MantaSecurityException if an error occured
695      * @throws JMSSecurityException if action is unauthorized for the specific client
696      *
697      */
698     public Collection getGroups(SessionID sessionID) throws MantaSecurityException, JMSSecurityException {
699         _authorization.authorize(sessionID, ACTION_LIST_GROUPS);
700         if (getLogger().isDebugEnabled())
701             getLogger().debug("[getGroups] Authorization granted: action = " + ACTION_LIST_GROUPS);
702
703         if (getLogger().isDebugEnabled())
704             getLogger().debug("[getGroups] Getting entries of name " + _groupRDNAttributeName + " from " + _pathToGroups);
705         return getEntries(_pathToGroups, _groupRDNAttributeName);
706     }
707
708     /**
709      * Returns the collection of all white list entries that exist on the LDAP storage.
710      *
711      * @param sessionID the session id returned from MantaAuthentication.authenticate method
712      * @return a collection of all white list entries
713      * @throws MantaSecurityException if an error occured
714      * @throws JMSSecurityException if action is unauthorized for the specific client
715      *
716      */
717     public Collection getWhiteList(SessionID sessionID) throws MantaSecurityException, JMSSecurityException {
718         _authorization.authorize(sessionID, ACTION_LIST_WHITE_LIST);
719         if (getLogger().isDebugEnabled())
720             getLogger().debug("[getWhiteList] Authorization granted: action = " + ACTION_LIST_WHITE_LIST);
721
722         if (getLogger().isDebugEnabled())
723             getLogger().debug("[getWhiteList] Getting entries of name " + _whiteListRDNAttributeName + " from " + _pathToWhiteList);
724         return getEntries(_pathToWhiteList, _whiteListRDNAttributeName);
725     }
726
727     /**
728      * Returns the JMX object used to communicate with this ACLManagement instance.
729      *
730      * @return the JMX object used to communicate with this ACLManagement instance.
731      *
732      */
733     public Object getManagedObject(){
734         Object managedObj = null;
735         try {
736             managedObj = new SecurityManagementJMX(this);
737         }
738         catch (NotCompliantMBeanException e){
739             if (getLogger().isErrorEnabled())
740                 getLogger().error("[getManagedObject] " + e.getMessage());
741         }
742         return managedObj;
743     }
744
745     /**
746      * Returns the instance of the logger for this class
747      *
748      * @return the instance of the logger
749      */
750     public Log getLogger(){
751         if (_logger == null){
752             _logger = LogFactory.getLog(getClass().getName());
753         }
754         return _logger;
755     }
756
757     private void init(String configurationName) throws MantaSecurityException {
758         String authorizationImplementationClass = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(AUTHORIZATION_IMPLEMENTING_CLASS);
759         if (authorizationImplementationClass == null){
760             if (getLogger().isErrorEnabled())
761                 getLogger().error("[init] Unable to find configuration parameter: " + AUTHORIZATION_IMPLEMENTING_CLASS);
762             throw new MantaSecurityException("Unable to find configuration parameter: " + AUTHORIZATION_IMPLEMENTING_CLASS);
763         }
764
765         try {
766             _authorization = (MantaAuthorization) Class.forName(authorizationImplementationClass).newInstance();
767             if (getLogger().isDebugEnabled())
768                 getLogger().debug("[init] Class " + authorizationImplementationClass + " was instantiated");
769         }
770         catch (Exception e){
771             if (getLogger().isErrorEnabled())
772                 getLogger().error("[init] Unable to instantiate authorization imlementing class");
773             throw new MantaSecurityException("Unable to instantiate authorization imlementing class");
774         }
775
776         _pathToGroups = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_GROUPS);
777         if (_pathToGroups == null){
778             if (getLogger().isErrorEnabled())
779                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_GROUPS);
780             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_GROUPS);
781         }
782
783         _pathToUsers = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_USERS);
784         if (_pathToUsers == null){
785             if (getLogger().isErrorEnabled())
786                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_USERS);
787             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_USERS);
788         }
789
790         _pathToWhiteList = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_WHITE_LIST);
791         if (_pathToWhiteList == null){
792             if (getLogger().isErrorEnabled())
793                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_WHITE_LIST);
794             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_WHITE_LIST);
795         }
796
797         _pathToTopics = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_TOPICS);
798         if (_pathToTopics == null){
799             if (getLogger().isErrorEnabled())
800                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_TOPICS);
801             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_TOPICS);
802         }
803
804         _pathToQueues = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_QUEUES);
805         if (_pathToQueues == null){
806             if (getLogger().isErrorEnabled())
807                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_QUEUES);
808             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + PATH_TO_QUEUES);
809         }
810
811         _groupAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_OF_USER_ATTRIBUTE);
812         if (_groupAttributeName == null){
813             if (getLogger().isErrorEnabled())
814                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_OF_USER_ATTRIBUTE);
815             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_OF_USER_ATTRIBUTE);
816         }
817
818         _groupRDNAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_RDN_ATTRIBUTE_NAME);
819         if (_groupRDNAttributeName == null){
820             if (getLogger().isErrorEnabled())
821                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_RDN_ATTRIBUTE_NAME);
822             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_RDN_ATTRIBUTE_NAME);
823         }
824
825         _userRDNAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + USER_RDN_ATTRIBUTE_NAME);
826         if (_userRDNAttributeName == null){
827             if (getLogger().isErrorEnabled())
828                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + USER_RDN_ATTRIBUTE_NAME);
829             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + USER_RDN_ATTRIBUTE_NAME);
830         }
831
832         _whiteListRDNAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + WHITE_LIST_RDN_ATTRIBUTE_NAME);
833         if (_whiteListRDNAttributeName == null){
834             if (getLogger().isErrorEnabled())
835                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + WHITE_LIST_RDN_ATTRIBUTE_NAME);
836             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + WHITE_LIST_RDN_ATTRIBUTE_NAME);
837         }
838
839         _topicRDNAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + TOPIC_RDN_ATTRIBUTE_NAME);
840         if (_topicRDNAttributeName == null){
841             if (getLogger().isErrorEnabled())
842                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + TOPIC_RDN_ATTRIBUTE_NAME);
843             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + TOPIC_RDN_ATTRIBUTE_NAME);
844         }
845
846         _queueRDNAttributeName = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getStringProperty(ACL_CONFIGURATIONS + "." + configurationName + "." + QUEUE_RDN_ATTRIBUTE_NAME);
847         if (_queueRDNAttributeName == null){
848             if (getLogger().isErrorEnabled())
849                 getLogger().error("[init] Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + QUEUE_RDN_ATTRIBUTE_NAME);
850             throw new MantaSecurityException("Unable to find configuration parameter: " + ACL_CONFIGURATIONS + "." + configurationName + "." + QUEUE_RDN_ATTRIBUTE_NAME);
851         }
852
853         _configurableGroupAttributes = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getConfigurationElements(ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_ATTRIBUTES);
854         if (_configurableGroupAttributes == null){
855             if (getLogger().isErrorEnabled())
856                 getLogger().error("[init] Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_ATTRIBUTES);
857             throw new MantaSecurityException("Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + GROUP_ATTRIBUTES);
858         }
859
860         _configurableUserAttributes = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getConfigurationElements(ACL_CONFIGURATIONS + "." + configurationName + "." + USER_ATTRIBUTES);
861         if (_configurableUserAttributes == null){
862             if (getLogger().isErrorEnabled())
863                 getLogger().error("[init] Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + USER_ATTRIBUTES);
864             throw new MantaSecurityException("Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + USER_ATTRIBUTES);
865         }
866
867         _configurableDefaultAttributes = MantaAgent.getInstance().getSingletonRepository().getConfigManager().getConfigurationElements(ACL_CONFIGURATIONS + "." + configurationName + "." + DEFAULT_ATTRIBUTES);
868         if (_configurableDefaultAttributes == null){
869             if (getLogger().isErrorEnabled())
870                 getLogger().error("[init] Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + DEFAULT_ATTRIBUTES);
871             throw new MantaSecurityException("Unable to find configuration element: " + ACL_CONFIGURATIONS + "." + configurationName + "." + DEFAULT_ATTRIBUTES);
872         }
873     }
874
875     private void createUserPrincipal(SessionID sessionID, UserPrincipal user) throws PrincipalAlreadyExistsException, PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
876         if (user.getName() == null || "".equals(user.getName())){
877             if (getLogger().isErrorEnabled())
878                 getLogger().error("[createUserPrincipal] Username not found in argument");
879             throw new MantaSecurityException("Username not found in argument");
880         }
881
882         // check permission
883 String groupName = (String ) user.getProperty(PROPERTY_USER_GROUP);
884         if (groupName == null){
885             if (getLogger().isErrorEnabled())
886                 getLogger().error("[createUserPrincipal] Unable to find property " + PROPERTY_USER_GROUP + " in user object to create");
887             throw new MantaSecurityException("Unable to find property " + PROPERTY_USER_GROUP + " in user object to create");
888         }
889
890         // verify that the containing group exist
891 String pathToGroup = _groupRDNAttributeName + "=" + groupName + "," + _pathToGroups;
892         boolean isGroupExist = _ldapActions.isExistEntry(new LDAPDN(pathToGroup));
893         if (!isGroupExist){
894             throw new PrincipalNotFoundException(new GroupPrincipal(groupName));
895         }
896
897
898         // crypt the password, if not already crypted
899 boolean encryptPassword = true;
900         Boolean isDirty = (Boolean ) user.getProperty(PROPERTY_IS_DIRTY_RECORD);
901         if (isDirty != null && isDirty.booleanValue())
902             encryptPassword = false;
903         if (encryptPassword){
904             if (getLogger().isDebugEnabled())
905                 getLogger().debug("[createUserPrincipal] Encrypting password");
906             String password = LDAPUtilities.crypt((String )user.getProperty(PROPERTY_USER_PASSWORD));
907             user.setProperty(PROPERTY_USER_PASSWORD, password);
908         }
909
910         _authorization.authorize(sessionID, ACTION_CREATE_USER_IN_GROUP, user.getProperty(PROPERTY_USER_GROUP));
911         if (getLogger().isDebugEnabled())
912             getLogger().debug("[createUserPrincipal] Authorization granted: action = " + ACTION_CREATE_USER_IN_GROUP + ", param = " + user.getProperty(PROPERTY_USER_GROUP));
913
914         Map attributes;
915         try {
916             if (getLogger().isDebugEnabled())
917                 getLogger().debug("[createUserPrincipal] Creating attributes map for user");
918             attributes = new HashMap(setAttributesForAdd(_configurableUserAttributes, user.getProperties()));
919         }
920         catch (PropertyNotFoundException pnfe){
921             if (getLogger().isErrorEnabled())
922                 getLogger().error("[createUserPrincipal] Unable to find property " + pnfe.getProperty() + " in user object to create");
923             throw new MantaSecurityException("Unable to find property " + pnfe.getProperty() + " in user object to create");
924         }
925
926         String strPathToPrincipal = _userRDNAttributeName + "=" + user.getName() + "," + _pathToUsers;
927
928         if (getLogger().isDebugEnabled())
929             getLogger().debug("[createUserPrincipal] Adding principal: " + strPathToPrincipal);
930         LDAPDN entry = new LDAPDN(strPathToPrincipal);
931         try {
932             recursiveAdd(entry, attributes);
933         }
934         catch (EntryAlreadyExistsException e) {
935             if (getLogger().isErrorEnabled())
936                 getLogger().error("[createUserPrincipal] " + e.getMessage());
937             throw new PrincipalAlreadyExistsException(user);
938         }
939     }
940
941     private void createGroupPrincipal(SessionID sessionID, GroupPrincipal group) throws PrincipalAlreadyExistsException, MantaSecurityException, JMSSecurityException {
942         if (group.getName() == null || "".equals(group.getName())){
943             if (getLogger().isErrorEnabled())
944                 getLogger().error("[createGroupPrincipal] Group name not found in argument");
945             throw new MantaSecurityException("Group name not found in argument");
946         }
947
948         // check for permissions to create group
949 _authorization.authorize(sessionID, ACTION_CREATE_GROUP);
950         if (getLogger().isDebugEnabled())
951             getLogger().debug("[createGroupPrincipal] Authorization granted: action = " + ACTION_CREATE_GROUP);
952
953         Map attributes;
954         try {
955             if (getLogger().isDebugEnabled())
956                 getLogger().debug("[createUserPrincipal] Creating attributes map for group");
957             attributes = new HashMap(setAttributesForAdd(_configurableGroupAttributes, group.getProperties()));
958         }
959         catch (PropertyNotFoundException pnfe){
960             if (getLogger().isErrorEnabled())
961                 getLogger().error("[createGroupPrincipal] Unable to find property " + pnfe.getProperty() + " in group object to create");
962             throw new MantaSecurityException("Unable to find property " + pnfe.getProperty() + " in group object to create");
963         }
964         String strPathToPrincipal = _groupRDNAttributeName + "=" + group.getName() + "," + _pathToGroups;
965         LDAPDN entry = new LDAPDN(strPathToPrincipal);
966
967         if (getLogger().isDebugEnabled())
968             getLogger().debug("[createGroupPrincipal] Adding principal: " + strPathToPrincipal);
969         try {
970             recursiveAdd(entry, attributes);
971         }
972         catch (EntryAlreadyExistsException e) {
973             if (getLogger().isErrorEnabled())
974                 getLogger().error("[createGroupPrincipal] " + e.getMessage());
975             throw new PrincipalAlreadyExistsException(group);
976         }
977     }
978
979     private void renameUser(SessionID sessionID, UserPrincipal user, String newName) throws PrincipalNotFoundException, PrincipalAlreadyExistsException, MantaSecurityException, JMSSecurityException {
980         // check permission
981 _authorization.authorize(sessionID, ACTION_RENAME_USER, user.getName());
982         if (getLogger().isDebugEnabled())
983             getLogger().debug("[renameUser] Authorization granted: action = " + ACTION_RENAME_USER + ", param = " + user.getName());
984
985         // TODO - start transaction
986 if (getLogger().isDebugEnabled())
987             getLogger().debug("[renameUser] Copying user " + user + " with its attributes to new user " + newName);
988         copyPrincipalWithAttributes(sessionID, user, newName);
989
990         if (getLogger().isDebugEnabled())
991             getLogger().debug("[renameUser] Copying permissions of user " + user + " to user " + newName);
992         copyPrincipalPermissions(sessionID, user, newName);
993
994         try {
995             if (getLogger().isDebugEnabled())
996                 getLogger().debug("[renameUser] Deleting user " + user);
997             deletePrincipal(sessionID, user);
998         }
999         catch (GroupNotEmptyException e) {
1000            if (getLogger().isErrorEnabled())
1001                getLogger().error("[renameUser] " + e.getMessage());
1002        }
1003        // TODO - end transaction
1004 }
1005
1006    private void renameGroup(SessionID sessionID, GroupPrincipal group, String newName) throws PrincipalNotFoundException, PrincipalAlreadyExistsException, MantaSecurityException, JMSSecurityException {
1007        // check permission
1008 _authorization.authorize(sessionID, ACTION_RENAME_GROUP, group.getName());
1009        if (getLogger().isDebugEnabled())
1010            getLogger().debug("[renameGroup] Authorization granted: action = " + ACTION_RENAME_GROUP + ", param = " + group.getName());
1011
1012        // TODO - start transaction
1013 if (getLogger().isDebugEnabled())
1014            getLogger().debug("[renameGroup] Copying group " + group + " with its attributes to new group " + newName);
1015        copyPrincipalWithAttributes(sessionID, group, newName);
1016
1017        if (getLogger().isDebugEnabled())
1018            getLogger().debug("[renameGroup] Modifying group name to " + newName + " for all users that belong to group " + group);
1019        renameGroupAttributeInAllUsers(sessionID, group, newName);
1020
1021        if (getLogger().isDebugEnabled())
1022            getLogger().debug("[renameGroup] Copying permissions of group " + group + " to group " + newName);
1023        copyPrincipalPermissions(sessionID, group, newName);
1024
1025        try {
1026            if (getLogger().isDebugEnabled())
1027                getLogger().debug("[renameGroup] Deleting group " + group);
1028            deletePrincipal(sessionID, group);
1029        }
1030        catch (GroupNotEmptyException e) {
1031            if (getLogger().isErrorEnabled())
1032                getLogger().error("[renameGroup] " + e.getMessage());
1033        }
1034        // TODO - end transaction
1035 }
1036
1037    private void deleteUser(UserPrincipal user) throws PrincipalNotFoundException, MantaSecurityException {
1038        String strPathToUser = _userRDNAttributeName + "=" + user.getName() + "," + _pathToUsers;
1039
1040        if (getLogger().isDebugEnabled())
1041            getLogger().debug("[deleteUser] Deleting user: " + strPathToUser);
1042        LDAPDN entry = new LDAPDN(strPathToUser);
1043        try {
1044            recursiveDelete(entry);
1045        }
1046        catch (EntryNotFoundException enfe){
1047            if (getLogger().isErrorEnabled())
1048                getLogger().error("[deleteUser] " + enfe.getMessage());
1049            throw new PrincipalNotFoundException(user);
1050        }
1051    }
1052
1053    private void deleteGroup(GroupPrincipal group) throws PrincipalNotFoundException, MantaSecurityException {
1054        String strPathToGroup = _groupRDNAttributeName + "=" + group.getName() + "," + _pathToGroups;
1055        LDAPDN entry = new LDAPDN(strPathToGroup);
1056
1057        if (getLogger().isDebugEnabled())
1058            getLogger().debug("[deleteGroup] Deleting group: " + strPathToGroup);
1059        try {
1060            recursiveDelete(entry);
1061        }
1062        catch (EntryNotFoundException enfe){
1063            if (getLogger().isErrorEnabled())
1064                getLogger().error("[deleteGroup] " + enfe.getMessage());
1065            throw new PrincipalNotFoundException(group);
1066        }
1067    }
1068
1069    private void deletePermissionsForPrincipal(SessionID sessionID, MantaPrincipal princiapl) throws PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
1070        if (getLogger().isDebugEnabled())
1071            getLogger().debug("[deletePermissionsForPrincipal] Getting list of permissions for principal " + princiapl);
1072        Collection permissionsForUser = getPermissionsForPrincipal(sessionID, princiapl);
1073
1074        Iterator iter = permissionsForUser.iterator();
1075        while (iter.hasNext()){
1076            MantaPermission p = (MantaPermission) iter.next();
1077
1078            if (getLogger().isDebugEnabled())
1079                getLogger().debug("[deletePermissionsForPrincipal] Deleting permission " + p + " for principal " + princiapl);
1080
1081            try {
1082                deletePermission(sessionID, p, princiapl);
1083            }
1084            catch (PermissionNotFoundException e) {
1085                if (getLogger().isErrorEnabled())
1086                    getLogger().error("[deletePermissionsForPrincipal] " + e.getMessage());
1087            }
1088        }
1089    }
1090
1091    // receives the list of required attributes from the configuration
1092 // receives the map of proprties configured by the client
1093 // returns a map that contains all attributes to be added with the entry
1094 private Map setAttributesForAdd(ArrayList configurableAttributes, Map properties) throws PropertyNotFoundException, MantaSecurityException {
1095        Map attributes = new HashMap();
1096        ConfigurationElement element = (ConfigurationElement) configurableAttributes.get(0);
1097
1098        if (getLogger().isDebugEnabled())
1099            getLogger().debug("[setAttributesForAdd] Getting list of config params under " + element.getName());
1100
1101        ArrayList subElements = element.getSubConfigurationElements();
1102        for (int i=0 ; i<subElements.size() ; i++){
1103            ConfigurationElement current = (ConfigurationElement) subElements.get(i);
1104            String name = current.getName();
1105            String value = current.getValue();
1106
1107            if (value != null){
1108                boolean placeHoldersFound = false;
1109                String withoutPlaceholders = LDAPUtilities.removePlaceHolders(value, '$');
1110                if (!value.equals(withoutPlaceholders))
1111                    placeHoldersFound = true;
1112                if (placeHoldersFound){
1113                    if (properties.containsKey(withoutPlaceholders)){
1114                        if (getLogger().isDebugEnabled())
1115                            getLogger().debug("[setAttributesForAdd] Adding " + name + " = " + properties.get(withoutPlaceholders) + " to the attributes map");
1116                        attributes.put(name, properties.get(withoutPlaceholders));
1117                    }
1118                    else {
1119                        if (getLogger().isErrorEnabled())
1120                            getLogger().error("[setAttributesForAdd] Property " + withoutPlaceholders + " not found");
1121                        throw new PropertyNotFoundException(withoutPlaceholders);
1122                    }
1123                }
1124                else {
1125                    if (getLogger().isDebugEnabled())
1126                        getLogger().debug("[setAttributesForAdd] Adding " + name + " = " + value + " to the attributes map");
1127                    attributes.put(name, value);
1128                }
1129            }
1130        }
1131        return attributes;
1132    }
1133
1134    private Map buildMapFromAttributes(ArrayList configurableAttributes, Attributes attributes) throws MantaSecurityException {
1135        Map props = new HashMap();
1136        ConfigurationElement element = (ConfigurationElement) configurableAttributes.get(0);
1137        if (getLogger().isDebugEnabled())
1138            getLogger().debug("[buildMapFromAttributes] Getting list of config params under " + element.getName());
1139
1140        ArrayList subElements = element.getSubConfigurationElements();
1141        for (int i=0 ; i<subElements.size() ; i++){
1142            ConfigurationElement current = (ConfigurationElement) subElements.get(i);
1143            String name = current.getName();
1144            String value = current.getValue();
1145            if (value != null){
1146                Attribute attr = attributes.get(name);
1147                if (attr != null){
1148                    boolean placeHoldersFound = false;
1149                    String withoutPlaceholders = LDAPUtilities.removePlaceHolders(value, '$');
1150                    if (!value.equals(withoutPlaceholders))
1151                        placeHoldersFound = true;
1152                    if (placeHoldersFound){
1153                        try {
1154                            if (getLogger().isDebugEnabled())
1155                                getLogger().debug("[buildMapFromAttributes] Adding " + withoutPlaceholders + " = " + attr.get(0).toString() + " to the attributes map");
1156                            props.put(withoutPlaceholders, attr.get(0));
1157                        }
1158                        catch (NamingException e) {
1159                            if (getLogger().isErrorEnabled())
1160                                getLogger().error("[buildMapFromAttributes] Error occured while reading LDAP attributes");
1161                            throw new MantaSecurityException("Error occured while reading LDAP attributes");
1162                        }
1163                    }
1164                    else {
1165                        if (getLogger().isDebugEnabled())
1166                            getLogger().debug("[buildMapFromAttributes] Adding " + name + " = " + value + " to the attributes map");
1167                        props.put(name, value);
1168                    }
1169                }
1170            }
1171        }
1172        // mark that the the proprties were read from the LDAP - meaning that they are not new.
1173 // This will be usefull to mark that the password is already encrypted - cause it was read
1174 // from the LDAP, and we should not encrypt it again
1175 props.put(PROPERTY_IS_DIRTY_RECORD, Boolean.valueOf(true));
1176        return props;
1177    }
1178
1179    private Collection getTopics() throws MantaSecurityException {
1180        return getEntries(_pathToTopics, _topicRDNAttributeName);
1181    }
1182
1183    private Collection getQueues() throws MantaSecurityException {
1184        return getEntries(_pathToQueues, _queueRDNAttributeName);
1185    }
1186
1187    private Collection getEntries(String path, String objectRDNAttributeName) throws MantaSecurityException {
1188        Collection entries = new ArrayList();
1189        try {
1190            Collection ldapEntries = _ldapActions.getEntries(new LDAPDN(path));
1191            Iterator iter = ldapEntries.iterator();
1192            while (iter.hasNext()){
1193                String entry = (String ) iter.next();
1194                if (entry != null){
1195                    String key = objectRDNAttributeName + "=";
1196                    int indexOfObjectEntryName = entry.indexOf(key);
1197                    if (indexOfObjectEntryName != -1){
1198                        if (getLogger().isDebugEnabled())
1199                            getLogger().debug("[getEntries] Adding " + entry.substring(indexOfObjectEntryName+key.length()) + " to the list of entries");
1200                        entries.add(entry.substring(indexOfObjectEntryName+key.length()));
1201                    }
1202                }
1203            }
1204        }
1205        catch (EntryNotFoundException enfe){
1206            if (getLogger().isErrorEnabled())
1207                getLogger().error("[getEntries] " + enfe.getMessage());
1208            throw new MantaSecurityException("Unable to find entries under " + path);
1209        }
1210        return entries;
1211    }
1212
1213    private Collection getEntries(String path, String objectName, String attributeName, String attributeValue) throws MantaSecurityException {
1214        Collection entries = new ArrayList();
1215        try {
1216            Collection ldapEntries = _ldapActions.getEntries(new LDAPDN(path), attributeName, attributeValue);
1217            Iterator iter = ldapEntries.iterator();
1218            while (iter.hasNext()){
1219                String entry = (String ) iter.next();
1220                if (entry != null){
1221                    String key = objectName + "=";
1222                    int indexOfObjectEntryName = entry.indexOf(key);
1223                    if (indexOfObjectEntryName != -1){
1224                        if (getLogger().isDebugEnabled())
1225                            getLogger().debug("[getEntries] Adding " + entry.substring(indexOfObjectEntryName+key.length()) + " to the list of entries");
1226                        entries.add(entry.substring(indexOfObjectEntryName+key.length()));
1227                    }
1228                }
1229            }
1230        }
1231        catch (EntryNotFoundException enfe){
1232            if (getLogger().isErrorEnabled())
1233                getLogger().error("[getEntries] " + enfe.getMessage());
1234            throw new MantaSecurityException("Unable to find entries under " + path);
1235        }
1236        return entries;
1237    }
1238
1239    private boolean checkPermission(MantaPermission permission, MantaPrincipal principal, ACLStorageConnector ldap) throws MantaSecurityException {
1240        PermissionKeyEntry permissionsEntry = new PermissionKeyEntry(principal, permission);
1241        AuthorizationValue authorizationValue = ldap.isAuthorized(permissionsEntry);
1242        if (authorizationValue != null && authorizationValue.isAuthorized()){
1243            if (getLogger().isDebugEnabled())
1244                getLogger().debug("[checkPermission] Permission " + permission + " found for principal " + principal);
1245            return true;
1246        }
1247        else
1248            return false;
1249    }
1250
1251    private void recursiveAdd(LDAPDN entry, Map attributes) throws MantaSecurityException, EntryAlreadyExistsException {
1252// if (!LDAPActions.getInstance().isExistEntry(entry.getParentDN().getStrFirstEntry(), entry.getParentDN().getStringParentDN()))
1253 if (!_ldapActions.isExistEntry(entry.getParentDN()))
1254            recursiveAdd(entry.getParentDN(), attributes);
1255
1256        if (getLogger().isDebugEnabled())
1257            getLogger().debug("[recursiveAdd] Adding entry " + entry);
1258        _ldapActions.addEntry(entry, attributes);
1259    }
1260
1261    private void recursiveDelete(LDAPDN entry) throws MantaSecurityException, EntryNotFoundException {
1262        // first recursively, delete the entry's children
1263 Collection c = _ldapActions.getEntries(entry);
1264        Iterator iter = c.iterator();
1265        while (iter.hasNext()){
1266            String current = (String ) iter.next();
1267            recursiveDelete(new LDAPDN(current + "," + entry.getPath()));
1268        }
1269        // delete the entry
1270 if (getLogger().isDebugEnabled())
1271            getLogger().debug("[recursiveDelete] Deleting entry " + entry);
1272        _ldapActions.deleteEntry(entry);
1273    }
1274
1275    private void renameGroupAttributeInAllUsers(SessionID sessionID, GroupPrincipal group, String newName) throws MantaSecurityException, JMSSecurityException {
1276        if (getLogger().isDebugEnabled())
1277            getLogger().debug("Calling getUsers(" + sessionID + ", " + _groupAttributeName + ", " + group.getName() + ")");
1278        Collection users = getUsers(sessionID, _groupAttributeName, group.getName());
1279
1280        Iterator iter = users.iterator();
1281        while (iter.hasNext()){
1282            String user = (String ) iter.next();
1283
1284            // check permission
1285 try {
1286                _authorization.authorize(sessionID, ACTION_SET_GROUP_FOR_USER, user);
1287                if (getLogger().isDebugEnabled())
1288                    getLogger().debug("[renameGroupAttributeInAllUsers] Authorization granted: action = " + ACTION_SET_GROUP_FOR_USER + ", param = " + user);
1289            }
1290            catch (JMSSecurityException e) {
1291                if (getLogger().isInfoEnabled())
1292                    getLogger().info("[renameGroupAttributeInAllUsers] No permission to set group of user " + user);
1293                continue;
1294            }
1295
1296            Map attributes = new HashMap();
1297            String pathToEntry = _userRDNAttributeName + "=" + user + "," + _pathToUsers;
1298            LDAPDN entry = new LDAPDN(pathToEntry);
1299            attributes.put(_groupAttributeName, newName);
1300            try {
1301                if (getLogger().isDebugEnabled())
1302                    getLogger().debug("[renameGroupAttributeInAllUsers] Setting group attribute for " + entry.getPath());
1303                _ldapActions.setAttributes(entry, attributes);
1304            }
1305            catch (EntryNotFoundException e) {
1306                if (getLogger().isErrorEnabled())
1307                    getLogger().error("[renameGroupAttributeInAllUsers] " + e.getMessage());
1308            }
1309        }
1310
1311    }
1312
1313    private void copyPrincipalWithAttributes(SessionID sessionID, MantaPrincipal principal, String newName) throws PrincipalNotFoundException, PrincipalAlreadyExistsException, MantaSecurityException, JMSSecurityException {
1314        if (principal instanceof UserPrincipal){
1315            UserPrincipal user = (UserPrincipal) principal;
1316
1317            try {
1318                // read the attributes of the old user
1319 if (getLogger().isDebugEnabled())
1320                    getLogger().debug("[copyPrincipalWithAttributes] Reading attributes of user " + user);
1321                LDAPDN entry = new LDAPDN( _userRDNAttributeName + "=" + user.getName() + "," + _pathToUsers);
1322                Attributes oldUserAttributes = _ldapActions.getAttributes(entry);
1323                Map oldUserProperties = buildMapFromAttributes(_configurableUserAttributes, oldUserAttributes);
1324
1325                // create the new user with the old user's attributes
1326 UserPrincipal newUser = new UserPrincipal(newName);
1327                newUser.setProperties(oldUserProperties);
1328                newUser.setProperty(PROPERTY_USER_UID, newName);
1329
1330                if (getLogger().isDebugEnabled())
1331                    getLogger().debug("[copyPrincipalWithAttributes] Creating new user " + newUser);
1332                createPrincipal(sessionID, newUser);
1333            }
1334            catch (EntryNotFoundException enfe){
1335                if (getLogger().isErrorEnabled())
1336                    getLogger().error("[copyPrincipalWithAttributes] " + enfe.getMessage());
1337                throw new PrincipalNotFoundException(user);
1338            }
1339        }
1340        else if (principal instanceof GroupPrincipal){
1341            GroupPrincipal group = (GroupPrincipal) principal;
1342
1343            try {
1344                // read the attributes of the old user
1345 if (getLogger().isDebugEnabled())
1346                    getLogger().debug("[copyPrincipalWithAttributes] Reading attributes of group " + group);
1347                LDAPDN entry = new LDAPDN(_groupRDNAttributeName + "=" + group.getName() + "," + _pathToGroups);
1348                Attributes oldGroupAttributes = _ldapActions.getAttributes(entry);
1349                Map oldGroupProperties = buildMapFromAttributes(_configurableGroupAttributes, oldGroupAttributes);
1350
1351                // create the new group with the old group's attributes
1352 GroupPrincipal newGroup = new GroupPrincipal(newName);
1353                newGroup.setProperties(oldGroupProperties);
1354
1355                if (getLogger().isDebugEnabled())
1356                    getLogger().debug("[copyPrincipalWithAttributes] Creating new group " + newGroup);
1357                createPrincipal(sessionID, newGroup);
1358            }
1359            catch (EntryNotFoundException enfe){
1360                if (getLogger().isErrorEnabled())
1361                    getLogger().error("[copyPrincipalWithAttributes] " + enfe.getMessage());
1362                throw new PrincipalNotFoundException(group);
1363            }
1364        }
1365    }
1366
1367    private void copyPrincipalPermissions(SessionID sessionID, MantaPrincipal principal, String newName) throws PrincipalNotFoundException, MantaSecurityException, JMSSecurityException {
1368        if (principal instanceof UserPrincipal){
1369            UserPrincipal user = (UserPrincipal) principal;
1370
1371            // copy permissions of old user to the new user
1372 UserPrincipal newUser = new UserPrincipal(newName);
1373            if (getLogger().isDebugEnabled())
1374                getLogger().debug("[copyPrincipalPermissions] Reading permissions of user " + user);
1375            Collection permissionsForUser = getPermissionsForPrincipal(sessionID, user);
1376
1377            Iterator iter = permissionsForUser.iterator();
1378            while (iter.hasNext()){
1379                MantaPermission p = (MantaPermission) iter.next();
1380                try {
1381                    if (getLogger().isDebugEnabled())
1382                        getLogger().debug("[copyPrincipalPermissions] Creating permission " + p + " for user " + newUser);
1383                    createPermission(sessionID, p, newUser);
1384                }
1385                catch (PermissionAlreadyExistsException e) {
1386                    if (getLogger().isErrorEnabled())
1387                        getLogger().error("[copyPrincipalPermissions] " + e.getMessage());
1388                }
1389            }
1390        }
1391        else if (principal instanceof GroupPrincipal){
1392            GroupPrincipal group = (GroupPrincipal) principal;
1393
1394            // copy permissions of old group to the new group
1395 GroupPrincipal newGroup = new GroupPrincipal(newName);
1396
1397            if (getLogger().isDebugEnabled())
1398                getLogger().debug("[copyPrincipalPermissions] Reading permissions of group " + group);
1399            Collection permissionsForUser = getPermissionsForPrincipal(sessionID, group);
1400
1401            Iterator iter = permissionsForUser.iterator();
1402            while (iter.hasNext()){
1403                MantaPermission p = (MantaPermission) iter.next();
1404                try {
1405                    if (getLogger().isDebugEnabled())
1406                        getLogger().debug("[copyPrincipalPermissions] Creating permission " + p + " for group " + newGroup);
1407                    createPermission(sessionID, p, newGroup);
1408                }
1409                catch (PermissionAlreadyExistsException e) {
1410                    if (getLogger().isErrorEnabled())
1411                        getLogger().error("[copyPrincipalPermissions] " + e.getMessage());
1412                }
1413            }
1414        }
1415    }
1416
1417    private Collection getUsers(SessionID sessionID, String attributeName, String attributeValue) throws MantaSecurityException, JMSSecurityException {
1418        _authorization.authorize(sessionID, ACTION_LIST_USERS);
1419        if (getLogger().isDebugEnabled())
1420            getLogger().debug("[getUsers] Authorization granted: action = " + ACTION_LIST_USERS);
1421
1422        if (getLogger().isDebugEnabled())
1423            getLogger().debug("[getUsers] Getting entries with relative distinguished name attribute " + _userRDNAttributeName + " that also has attribute " + attributeName + "=" + attributeValue + " from " + _pathToUsers);
1424        return getEntries(_pathToUsers, _userRDNAttributeName, attributeName, attributeValue);
1425    }
1426}
1427

A to Z: JavaDoc & Examples

---

Daily Java News & Articles

---

Open Source Projects

---

Open Source Codes

---

Free Computer Books

---

Remove Frame

---

Popular Tags