in src/main/java/org/apache/directory/fortress/core/impl/DSDChecker.java [79:170]
public int validate( Session session, Constraint constraint, Time time, VUtil.ConstraintType type )
throws org.apache.directory.fortress.core.SecurityException
{
int rc = 0;
int matchCount;
// get all candidate activated roles user:
List<UserRole> activeRoleList = session.getRoles();
if ( activeRoleList == null || activeRoleList.size() == 0 )
{
return rc;
}
// Depending on if session is group or user session, fill objects
String contextId = session.isGroupSession()
? session.getGroup().getContextId()
: session.getUser().getContextId();
String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
String entityType = session.isGroupSession() ? "groupName" : "userId";
// get the list of authorized roles for this user/group:
Set<String> authorizedRoleSet = RoleUtil.getInstance().getInheritedRoles( activeRoleList, contextId);
// only need to check DSD constraints if more than one role is being activated:
if ( authorizedRoleSet != null && authorizedRoleSet.size() > 1 )
{
// get all DSD sets that contain the candidate activated and authorized roles,
//If DSD cache is disabled, this will search the directory using authorizedRoleSet
Set<SDSet> dsdSets = SDUtil.getInstance().getDsdCache( authorizedRoleSet, contextId);
if ( dsdSets != null && dsdSets.size() > 0 )
{
for ( SDSet dsd : dsdSets )
{
Iterator<UserRole> activatedRoles = activeRoleList.iterator();
matchCount = 0;
Set<String> map = dsd.getMembers();
// now check the DSD on every role activation candidate contained within session object:
while ( activatedRoles.hasNext() )
{
UserRole activatedRole = activatedRoles.next();
if ( map.contains( activatedRole.getName() ) )
{
matchCount++;
if ( matchCount >= dsd.getCardinality() )
{
activatedRoles.remove();
String warning = "validate " + entityType + " [" + entityId
+ "] failed activation of assignedRole [" + activatedRole.getName()
+ "] validates DSD Set Name:" + dsd.getName() + " Cardinality:"
+ dsd.getCardinality();
LOG.warn( warning );
rc = GlobalErrIds.ACTV_FAILED_DSD;
session.setWarning( new ObjectFactory().createWarning( rc, warning,
Warning.Type.ROLE, activatedRole.getName() ) );
}
}
else
{
Set<String> parentSet = RoleUtil.getInstance().getAscendants( activatedRole.getName(), contextId);
// now check for every role inherited from this activated role:
for ( String parentRole : parentSet )
{
if ( map.contains( parentRole ) )
{
matchCount++;
if ( matchCount >= dsd.getCardinality() )
{
String warning = "validate " + entityType + " [" + entityId
+ "] assignedRole [" + activatedRole.getName() + "] parentRole ["
+ parentRole + "] validates DSD Set Name:" + dsd.getName()
+ " Cardinality:" + dsd.getCardinality();
rc = GlobalErrIds.ACTV_FAILED_DSD;
// remove the assigned role from session (not the authorized role):
activatedRoles.remove();
session.setWarning( new ObjectFactory().createWarning( rc, warning,
Warning.Type.ROLE, activatedRole.getName() ) );
LOG.warn( warning );
// Breaking out of the loop because assigned role has been removed from session.
break;
}
}
}
}
}
}
}
}
return rc;
}