1 56 57 package org.opencrx.kernel.layer.application; 58 59 import java.io.BufferedReader ; 60 import java.io.ByteArrayInputStream ; 61 import java.io.IOException ; 62 import java.io.InputStreamReader ; 63 import java.util.Arrays ; 64 import java.util.List ; 65 import java.util.StringTokenizer ; 66 67 import org.opencrx.kernel.account1.cci.Contact; 68 import org.opencrx.kernel.generic.SecurityKeys; 69 import org.opencrx.kernel.home1.cci.CreateUserParams; 70 import org.openmdx.application.log.AppLog; 71 import org.openmdx.base.exception.ServiceException; 72 import org.openmdx.compatibility.base.dataprovider.cci.AttributeSelectors; 73 import org.openmdx.compatibility.base.dataprovider.cci.AttributeSpecifier; 74 import org.openmdx.compatibility.base.dataprovider.cci.DataproviderObject; 75 import org.openmdx.compatibility.base.dataprovider.cci.DataproviderObject_1_0; 76 import org.openmdx.compatibility.base.dataprovider.cci.RequestCollection; 77 import org.openmdx.compatibility.base.dataprovider.cci.SystemAttributes; 78 import org.openmdx.compatibility.base.naming.Path; 79 import org.openmdx.compatibility.base.query.FilterOperators; 80 import org.openmdx.compatibility.base.query.FilterProperty; 81 import org.openmdx.compatibility.base.query.Quantors; 82 83 public class Admin { 84 85 public Admin( 87 OpenCrxKernel_1 plugin, 88 RequestCollection delegation, 89 String passwordEncodingAlgorithm 90 ) { 91 this.plugin = plugin; 92 this.delegation = delegation; 93 this.passwordEncodingAlgorithm = passwordEncodingAlgorithm; 94 } 95 96 private DataproviderObject_1_0 createSegment( 98 String qualifiedModelName, 99 String providerName, 100 String segmentName, 101 boolean isSecureObject, 102 Path groupAdminIdentity, 103 Path groupAdmininstratorsIdentity, 104 List errors 105 ) { 106 Path segmentIdentity = new Path("xri:@openmdx:" + qualifiedModelName.replace(':', '.') + "/provider"); 107 segmentIdentity = segmentIdentity.getDescendant(new String []{providerName, "segment", segmentName}); 108 DataproviderObject_1_0 segment = null; 109 try { 110 segment = this.delegation.addGetRequest( 111 segmentIdentity, 112 AttributeSelectors.ALL_ATTRIBUTES, 113 new AttributeSpecifier[]{} 114 ); 115 } 116 catch(Exception e) { 117 DataproviderObject newSegment = new DataproviderObject( 118 segmentIdentity 119 ); 120 newSegment.values(SystemAttributes.OBJECT_CLASS).add(qualifiedModelName + ":Segment"); 121 if(isSecureObject) { 122 newSegment.values("owningUser").add(groupAdminIdentity); 123 newSegment.values("owningGroup").add(groupAdmininstratorsIdentity); 124 newSegment.values("accessLevelBrowse").add(new Short (SecurityKeys.ACCESS_LEVEL_GLOBAL)); 125 newSegment.values("accessLevelUpdate").add(new Short (SecurityKeys.ACCESS_LEVEL_DEEP)); 126 newSegment.values("accessLevelDelete").add(new Short (SecurityKeys.ACCESS_LEVEL_PRIVATE)); 127 } 128 try { 129 this.delegation.addCreateRequest(newSegment); 130 } 131 catch(Exception e0) { 132 ServiceException e1 = new ServiceException(e0); 133 AppLog.warning(e1.getMessage(), e1.getCause(), 1); 134 errors.add("can not create segment for " + qualifiedModelName); 135 errors.add("reason is " + e0.getMessage()); 136 return null; 137 } 138 segment = newSegment; 139 } 140 return segment; 141 } 142 143 private Path createContact( 145 Path adminIdentity, 146 String segmentName, 147 String principalName, 148 Path owningUser, 149 Path[] owningGroup, 150 List errors 151 ) { 152 Path contactIdentity = new Path("xri:@openmdx:org.opencrx.kernel.account1/provider"); 153 contactIdentity = contactIdentity.getDescendant(new String []{adminIdentity.get(2), "segment", segmentName, "account", principalName}); 154 try { 155 this.delegation.addGetRequest( 156 contactIdentity, 157 AttributeSelectors.ALL_ATTRIBUTES, 158 new AttributeSpecifier[]{} 159 ); 160 } 161 catch(Exception e) { 162 DataproviderObject newContact = new DataproviderObject( 163 contactIdentity 164 ); 165 newContact.values(SystemAttributes.OBJECT_CLASS).add("org:opencrx:kernel:account1:Contact"); 166 newContact.values("lastName").add(principalName); 167 newContact.values("owningUser").add(owningUser); 168 newContact.values("owningGroup").addAll( 169 Arrays.asList(owningGroup) 170 ); 171 try { 172 this.plugin.accounts.setAccountFullName(newContact, null); 173 this.delegation.addCreateRequest(newContact); 174 } 175 catch(Exception e0) { 176 ServiceException e1 = new ServiceException(e); 177 AppLog.warning(e1.getMessage(), e1.getCause(), 1); 178 errors.add("can not create contact"); 179 errors.add("reason is " + e0.getMessage()); 180 return null; 181 } 182 } 183 return contactIdentity; 184 } 185 186 191 void createAdministrator( 192 Path adminIdentity, 193 Path loginRealmIdentity, 194 String segmentName, 195 String principalName, 196 String initialPassword, 197 String initialPasswordVerification, 198 List errors 199 ) { 200 String providerName = adminIdentity.get(2); 201 202 String segmentAdminName = SecurityKeys.ADMIN_PRINCIPAL + SecurityKeys.ID_SEPARATOR + segmentName; 204 try { 205 this.delegation.addGetRequest( 206 loginRealmIdentity.getDescendant(new String []{"principal", principalName}), 207 AttributeSelectors.ALL_ATTRIBUTES, 208 new AttributeSpecifier[]{} 209 ); 210 } 211 catch(Exception e) { 212 if(principalName.equals(segmentAdminName)) { 214 Path segmentAdminSubjectIdentity = this.plugin.createSubject( 216 segmentAdminName, 217 new Path("xri:@openmdx:org.opencrx.security.identity1/provider/" + loginRealmIdentity.get(2) + "/segment/" + loginRealmIdentity.get(4)), 218 errors 219 ); 220 if(errors.size() > 0) return; 221 this.plugin.createPrincipal( 223 principalName, 224 loginRealmIdentity, 225 SecurityKeys.PRINCIPAL_TYPE_PRINCIPAL, 226 new Path[]{ 227 loginRealmIdentity.getDescendant(new String []{"principal", SecurityKeys.PRINCIPAL_GROUP_ADMINISTRATORS}) 228 }, 229 segmentAdminSubjectIdentity, 230 errors 231 ); 232 if(errors.size() > 0) return; 233 } 234 else { 235 ServiceException e1 = new ServiceException(e); 236 AppLog.warning(e1.getMessage(), e1.getCause(), 1); 237 errors.add("principal " + principalName + " not found in realm " + loginRealmIdentity); 238 return; 239 } 240 } 241 242 try { 245 this.delegation.addGetRequest( 246 loginRealmIdentity.getDescendant(new String []{"principal", segmentAdminName}), 247 AttributeSelectors.ALL_ATTRIBUTES, 248 new AttributeSpecifier[]{} 249 ); 250 } 251 catch(Exception e) { 252 if(!principalName.equals(segmentAdminName)) { 254 errors.add("primary principal name must match " + segmentAdminName); 255 return; 256 } 257 } 258 if( 259 (principalName.startsWith(SecurityKeys.ADMIN_PRINCIPAL + SecurityKeys.ID_SEPARATOR)) && 260 !principalName.equals(segmentAdminName) 261 ) { 262 errors.add("admin principal for segment " + segmentName + " must match " + segmentAdminName); 263 return; 264 } 265 266 Path realmIdentity = new Path("xri:@openmdx:org.openmdx.security.realm1/provider"); 268 realmIdentity = realmIdentity.getDescendant(new String []{providerName, "segment", adminIdentity.get(4), "realm", segmentName}); 269 270 Path userIdentity = realmIdentity; 272 userIdentity = userIdentity.getDescendant(new String []{"principal", principalName + "." + SecurityKeys.USER_SUFFIX}); 273 274 Path groupUnspecifiedIdentity = realmIdentity; 276 groupUnspecifiedIdentity = groupUnspecifiedIdentity.getDescendant(new String []{"principal", SecurityKeys.USER_GROUP_UNSPECIFIED}); 277 278 Path groupAdministratorsIdentity = realmIdentity; 280 groupAdministratorsIdentity = groupAdministratorsIdentity.getDescendant(new String []{"principal", SecurityKeys.USER_GROUP_ADMINISTRATORS}); 281 282 Path groupUsersIdentity = realmIdentity; 284 groupUsersIdentity = groupUsersIdentity.getDescendant(new String []{"principal", SecurityKeys.USER_GROUP_USERS}); 285 286 try { 288 this.delegation.addGetRequest( 289 realmIdentity, 290 AttributeSelectors.ALL_ATTRIBUTES, 291 new AttributeSpecifier[]{} 292 ); 293 } 294 catch(Exception e) { 295 DataproviderObject realm = new DataproviderObject( 296 realmIdentity 297 ); 298 realm.values(SystemAttributes.OBJECT_CLASS).add("org:openmdx:security:realm1:Realm"); 299 realm.values("description").add(segmentName + " Realm"); 300 try { 301 this.delegation.addCreateRequest(realm); 302 } 303 catch(Exception e0) { 304 ServiceException e1 = new ServiceException(e); 305 AppLog.warning(e1.getMessage(), e1.getCause(), 1); 306 errors.add("can not create realm " + realmIdentity); 307 errors.add("reason is " + e0.getMessage()); 308 return; 309 } 310 } 311 312 this.createSegment("org:opencrx:kernel:account1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 314 this.createSegment("org:opencrx:kernel:home1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 315 this.createSegment("org:opencrx:kernel:activity1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 316 this.createSegment("org:opencrx:kernel:contract1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 317 this.createSegment("org:opencrx:kernel:product1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 318 this.createSegment("org:opencrx:kernel:document1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 319 this.createSegment("org:opencrx:kernel:building1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 320 this.createSegment("org:opencrx:kernel:uom1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 321 this.createSegment("org:opencrx:kernel:forecast1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 322 this.createSegment("org:opencrx:kernel:workflow1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 323 this.createSegment("org:opencrx:kernel:depot1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 324 this.createSegment("org:opencrx:kernel:model1", providerName, segmentName, true, userIdentity, groupAdministratorsIdentity, errors); 325 if(errors.size() > 0) return; 326 327 Path contactIdentity = this.createContact( 329 adminIdentity, 330 segmentName, 331 principalName, 332 userIdentity, 333 new Path[]{ 334 groupUsersIdentity, 335 groupAdministratorsIdentity 336 }, 337 errors 338 ); 339 if(contactIdentity == null) return; 340 341 this.plugin.createPrincipal( 342 SecurityKeys.USER_GROUP_UNSPECIFIED, 343 realmIdentity, 344 SecurityKeys.PRINCIPAL_TYPE_GROUP, 345 new Path[]{}, 346 null, 347 errors 348 ); 349 if(errors.size() > 0) return; 350 351 this.plugin.createPrincipal( 352 SecurityKeys.USER_GROUP_ADMINISTRATORS, 353 realmIdentity, 354 SecurityKeys.PRINCIPAL_TYPE_GROUP, 355 new Path[]{ 356 groupUnspecifiedIdentity 357 }, 358 null, 359 errors 360 ); 361 if(errors.size() > 0) return; 362 363 this.plugin.createPrincipal( 364 SecurityKeys.USER_GROUP_USERS, 365 realmIdentity, 366 SecurityKeys.PRINCIPAL_TYPE_GROUP, 367 new Path[]{ 368 groupUnspecifiedIdentity 369 }, 370 null, 371 errors 372 ); 373 if(errors.size() > 0) return; 374 375 this.plugin.createPrincipal( 376 SecurityKeys.USER_GROUP_UNASSIGNED, 377 realmIdentity, 378 SecurityKeys.PRINCIPAL_TYPE_GROUP, 379 new Path[]{ 380 groupUsersIdentity 381 }, 382 null, 383 errors 384 ); 385 if(errors.size() > 0) return; 386 387 this.plugin.userHomes.createUserHome( 389 loginRealmIdentity, 390 realmIdentity, 391 contactIdentity, 392 groupAdministratorsIdentity, 393 principalName, 394 true, 395 initialPassword, 396 initialPasswordVerification, 397 errors 398 ); 399 400 } 401 402 private DataproviderObject_1_0 retrievePrincipal( 404 Path realm, 405 String principalName 406 ) { 407 try { 408 return this.plugin.retrieveObjectFromDelegation( 409 realm.getDescendant(new String []{"principal", principalName}) 410 ); 411 } 412 catch(Exception e) { 413 return null; 414 } 415 } 416 417 private DataproviderObject retrievePrincipalForModification( 419 Path realm, 420 String principalName 421 ) { 422 try { 423 return this.plugin.retrieveObjectForModification( 424 realm.getDescendant(new String []{"principal", principalName}) 425 ); 426 } 427 catch(Exception e) { 428 return null; 429 } 430 } 431 432 private DataproviderObject_1_0 retrieveSubject( 434 Path identitySegment, 435 String subjectName 436 ) { 437 try { 438 return this.plugin.retrieveObjectFromDelegation( 439 identitySegment.getDescendant(new String []{"subject", subjectName}) 440 ); 441 } 442 catch(Exception e) { 443 return null; 444 } 445 } 446 447 public String importLoginPrincipals( 449 DataproviderObject_1_0 adminSegment, 450 byte[] item 451 ) throws ServiceException { 452 BufferedReader reader = new BufferedReader ( 453 new InputStreamReader (new ByteArrayInputStream (item)) 454 ); 455 DataproviderObject_1_0 loginRealm = this.plugin.retrieveObjectFromDelegation( 456 new Path("xri:@openmdx:org.openmdx.security.realm1/provider/" + adminSegment.path().get(2) + "/segment/Root/realm/Default") 457 ); 458 DataproviderObject_1_0 identitySegment = this.plugin.retrieveObjectFromDelegation( 459 new Path("xri:@openmdx:org.opencrx.security.identity1/provider/" + adminSegment.path().get(2) + "/segment/Root") 460 ); 461 int nCreatedPrincipals = 0; 462 int nExistingPrincipals = 0; 463 int nFailedPrincipals = 0; 464 int nCreatedSubjects = 0; 465 int nExistingSubjects = 0; 466 int nFailedSubjects = 0; 467 try { 468 while(reader.ready()) { 469 String l = reader.readLine(); 470 if(l.startsWith("Principal")) { 471 StringTokenizer t = new StringTokenizer (l, ";"); 472 String command = t.nextToken(); 473 String principalName = t.nextToken(); 474 String principalDescription = t.nextToken(); 475 String subjectName = t.nextToken(); 476 String groups = t.nextToken(); 477 DataproviderObject principal = null; 478 if((principal = this.retrievePrincipalForModification(loginRealm.path(), principalName)) == null) { 479 try { 480 DataproviderObject_1_0 subject = this.plugin.retrieveObjectFromDelegation( 481 identitySegment.path().getDescendant(new String []{"subject", subjectName}) 482 ); 483 principal = new DataproviderObject( 484 loginRealm.path().getDescendant(new String []{"principal", principalName}) 485 ); 486 principal.values(SystemAttributes.OBJECT_CLASS).add( 487 "org:opencrx:security:realm1:Principal" 488 ); 489 principal.values("description").add(principalDescription); 490 principal.values("disabled").add(Boolean.FALSE); 491 principal.values("subject").add(subject.path()); 492 this.delegation.addCreateRequest( 493 principal 494 ); 495 principal = this.retrievePrincipalForModification( 496 loginRealm.path(), 497 principalName 498 ); 499 nCreatedPrincipals++; 500 } 501 catch(Exception e) { 502 new ServiceException(e).log(); 503 nFailedPrincipals++; 504 } 505 } 506 else { 507 nExistingPrincipals++; 508 } 509 if(principal != null) { 510 StringTokenizer g = new StringTokenizer (groups, ","); 511 while(g.hasMoreTokens()) { 512 String groupPrincipalName = g.nextToken(); 513 DataproviderObject_1_0 groupPrincipal = this.retrievePrincipal( 514 loginRealm.path(), 515 groupPrincipalName 516 ); 517 if(!principal.values("isMemberOf").contains(groupPrincipal.path())) { 518 principal.values("isMemberOf").add(groupPrincipal.path()); 519 } 520 } 521 } 522 } 523 else if(l.startsWith("Subject")) { 524 StringTokenizer t = new StringTokenizer (l, ";"); 525 String command = t.nextToken(); 526 String subjectName = t.nextToken(); 527 String subjectDescription = t.nextToken(); 528 if((this.retrieveSubject(identitySegment.path(), subjectName)) == null) { 529 try { 530 DataproviderObject subject = new DataproviderObject( 531 identitySegment.path().getDescendant(new String []{"subject", subjectName}) 532 ); 533 subject.values(SystemAttributes.OBJECT_CLASS).add( 534 "org:opencrx:security:identity1:Subject" 535 ); 536 subject.values("description").add(subjectDescription); 537 this.delegation.addCreateRequest( 538 subject 539 ); 540 nCreatedSubjects++; 541 } 542 catch(Exception e) { 543 new ServiceException(e).log(); 544 nFailedSubjects++; 545 } 546 } 547 else { 548 nExistingSubjects++; 549 } 550 } 551 } 552 } 553 catch(IOException e) { 554 new ServiceException(e).log(); 555 } 556 return 557 "Principals=(created:" + nCreatedPrincipals + ",existing:" + nExistingPrincipals + ",failed:" + nFailedPrincipals + "); " + 558 "Subjects:(created:" + nCreatedSubjects + ",existing:" + nExistingSubjects + ",failed:" + nFailedSubjects + ")"; 559 } 560 561 private final OpenCrxKernel_1 plugin; 565 private final RequestCollection delegation; 566 private final String passwordEncodingAlgorithm; 567 568 } 569 570 | Popular Tags |