Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
/*
************************************************************************
******************* CANADIAN ASTRONOMY DATA CENTRE *******************
************** CENTRE CANADIEN DE DONNÉES ASTRONOMIQUES **************
*
* (c) 2014. (c) 2014.
* Government of Canada Gouvernement du Canada
* National Research Council Conseil national de recherches
* Ottawa, Canada, K1A 0R6 Ottawa, Canada, K1A 0R6
* All rights reserved Tous droits réservés
*
* NRC disclaims any warranties, Le CNRC dénie toute garantie
* expressed, implied, or énoncée, implicite ou légale,
* statutory, of any kind with de quelque nature que ce
* respect to the software, soit, concernant le logiciel,
* including without limitation y compris sans restriction
* any warranty of merchantability toute garantie de valeur
* or fitness for a particular marchande ou de pertinence
* purpose. NRC shall not be pour un usage particulier.
* liable in any event for any Le CNRC ne pourra en aucun cas
* damages, whether direct or être tenu responsable de tout
* indirect, special or general, dommage, direct ou indirect,
* consequential or incidental, particulier ou général,
* arising from the use of the accessoire ou fortuit, résultant
* software. Neither the name de l'utilisation du logiciel. Ni
* of the National Research le nom du Conseil National de
* Council of Canada nor the Recherches du Canada ni les noms
* names of its contributors may de ses participants ne peuvent
* be used to endorse or promote être utilisés pour approuver ou
* products derived from this promouvoir les produits dérivés
* software without specific prior de ce logiciel sans autorisation
* written permission. préalable et particulière
* par écrit.
*
* This file is part of the Ce fichier fait partie du projet
* OpenCADC project. OpenCADC.
*
* OpenCADC is free software: OpenCADC est un logiciel libre ;
* you can redistribute it and/or vous pouvez le redistribuer ou le
* modify it under the terms of modifier suivant les termes de
* the GNU Affero General Public la “GNU Affero General Public
* License as published by the License” telle que publiée
* Free Software Foundation, par la Free Software Foundation
* either version 3 of the : soit la version 3 de cette
* License, or (at your option) licence, soit (à votre gré)
* any later version. toute version ultérieure.
*
* OpenCADC is distributed in the OpenCADC est distribué
* hope that it will be useful, dans l’espoir qu’il vous
* but WITHOUT ANY WARRANTY; sera utile, mais SANS AUCUNE
* without even the implied GARANTIE : sans même la garantie
* warranty of MERCHANTABILITY implicite de COMMERCIALISABILITÉ
* or FITNESS FOR A PARTICULAR ni d’ADÉQUATION À UN OBJECTIF
* PURPOSE. See the GNU Affero PARTICULIER. Consultez la Licence
* General Public License for Générale Publique GNU Affero
* more details. pour plus de détails.
*
* You should have received Vous devriez avoir reçu une
* a copy of the GNU Affero copie de la Licence Générale
* General Public License along Publique GNU Affero avec
* with OpenCADC. If not, see OpenCADC ; si ce n’est
* <http://www.gnu.org/licenses/>. pas le cas, consultez :
* <http://www.gnu.org/licenses/>.
*
* $Revision: 4 $
*
************************************************************************
*/
package ca.nrc.cadc.ac.server.ldap;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
Brian Major
committed
import java.util.HashSet;
import javax.security.auth.x500.X500Principal;
import org.apache.log4j.Logger;
import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.GroupAlreadyExistsException;
import ca.nrc.cadc.ac.GroupNotFoundException;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.util.StringUtil;
import com.unboundid.ldap.sdk.AddRequest;
import com.unboundid.ldap.sdk.Attribute;
import com.unboundid.ldap.sdk.DN;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ModifyRequest;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.controls.ProxiedAuthorizationV2RequestControl;
Patrick Dowler
committed
import javax.naming.ldap.Rdn;
public class LdapGroupDAO<T extends Principal> extends LdapDAO
{
private static final Logger logger = Logger.getLogger(LdapGroupDAO.class);
Patrick Dowler
committed
private static String[] GROUP_ATTRS = new String[]
{
"entrydn", "cn", "nsaccountlock", "owner", "modifytimestamp", "description"
};
private LdapUserDAO<T> userPersist;
public LdapGroupDAO(LdapConfig config, LdapUserDAO<T> userPersist)
{
super(config);
if (userPersist == null)
{
throw new IllegalArgumentException(
"User persistence instance required");
}
this.userPersist = userPersist;
}
*
* @param group The group to create
*
* @return created group
*
* @throws GroupAlreadyExistsException If a group with the same ID already
* exists.
* @throws TransientException If an temporary, unexpected problem occurred.
* @throws UserNotFoundException If owner or a member not valid user.
public Group addGroup(final Group group)
throws GroupAlreadyExistsException, TransientException,
UserNotFoundException, AccessControlException,
GroupNotFoundException
Jeff Burke
committed
if (group.getOwner() == null)
{
throw new IllegalArgumentException("Group owner must be specified");
}
if (!group.getProperties().isEmpty())
{
throw new UnsupportedOperationException(
"Support for groups properties not available");
}
if (!isCreatorOwner(group.getOwner()))
throw new AccessControlException("Group owner must be creator");
Group newGroup = reactivateGroup(group);
if ( newGroup != null)
{
return newGroup;
}
else
{
DN ownerDN = userPersist.getUserDN(group.getOwner());
// add group to groups tree
LDAPResult result = addGroup(getGroupDN(group.getID()),
group.getID(), ownerDN,
group.description,
group.getUserMembers(),
group.getGroupMembers());
LdapDAO.checkLdapResult(result.getResultCode());
// add group to admin groups tree
result = addGroup(getAdminGroupDN(group.getID()),
group.getID(), ownerDN,
group.description,
group.getUserAdmins(),
group.getGroupAdmins());
LdapDAO.checkLdapResult(result.getResultCode());
Adrian Damian
committed
// AD: Search results sometimes come incomplete if
// connection is not reset - not sure why.
getConnection().reconnect();
try
{
return getGroup(group.getID());
}
catch (GroupNotFoundException e)
{
throw new RuntimeException("BUG: new group not found");
}
}
}
Brian Major
committed
logger.debug("addGroup Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode());
private LDAPResult addGroup(final DN groupDN, final String groupID,
final DN ownerDN, final String description,
final Set<User<? extends Principal>> users,
final Set<Group> groups)
throws UserNotFoundException, LDAPException, TransientException,
AccessControlException, GroupNotFoundException
{
// add new group
List<Attribute> attributes = new ArrayList<Attribute>();
Attribute ownerAttribute =
new Attribute("owner", ownerDN.toNormalizedString());
attributes.add(ownerAttribute);
attributes.add(new Attribute("objectClass", "groupofuniquenames"));
attributes.add(new Attribute("cn", groupID));
if (StringUtil.hasText(description))
{
attributes.add(new Attribute("description", description));
}
List<String> members = new ArrayList<String>();
for (User<? extends Principal> userMember : users)
{
DN memberDN = this.userPersist.getUserDN(userMember);
members.add(memberDN.toNormalizedString());
}
for (Group groupMember : groups)
{
final String groupMemberID = groupMember.getID();
Patrick Dowler
committed
if (!checkGroupExists(groupMemberID))
throw new GroupNotFoundException(groupMemberID);
members.add(memberDN.toNormalizedString());
}
if (!members.isEmpty())
{
attributes.add(new Attribute("uniquemember",
(String[]) members.toArray(new String[members.size()])));
}
AddRequest addRequest = new AddRequest(groupDN, attributes);
addRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
Patrick Dowler
committed
logger.debug("addGroup: " + groupDN);
return getConnection().add(addRequest);
}
/**
* Checks whether group name available for the user or already in use.
* @param group
* @return activated group or null if group does not exists
* @throws AccessControlException
* @throws UserNotFoundException
* @throws GroupNotFoundException
* @throws TransientException
* @throws GroupAlreadyExistsException
*/
private Group reactivateGroup(final Group group)
throws AccessControlException, UserNotFoundException,
TransientException, GroupAlreadyExistsException
// check group name exists
Filter filter = Filter.createEqualityFilter("cn", group.getID());
SearchRequest searchRequest =
new SearchRequest(
getGroupDN(group.getID())
.toNormalizedString(), SearchScope.SUB, filter,
new String[] {"nsaccountlock"});
searchRequest.addControl(
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
SearchResultEntry searchResult =
getConnection().searchForEntry(searchRequest);
if (searchResult == null)
if (searchResult.getAttributeValue("nsaccountlock") == null)
Brian Major
committed
throw new GroupAlreadyExistsException("Group already exists " + group.getID());
Brian Major
committed
return modifyGroup(null, group, true);
"BUG: group to modify does not exist" + group.getID());
}
Brian Major
committed
logger.debug("reactivateGroup Exception: " + e, e);
LdapDAO.checkLdapResult(e.getResultCode());
/**
* Get all group names.
*
* @return A collection of strings
*
* @throws TransientException If an temporary, unexpected problem occurred.
*/
public Collection<String> getGroupNames()
Filter filter = Filter.createPresenceFilter("cn");
String [] attributes = new String[] {"cn", "nsaccountlock"};
SearchRequest searchRequest =
new SearchRequest(config.getGroupsDN(),
SearchScope.SUB, filter, attributes);
SearchResult searchResult = null;
try
{
searchResult = getConnection().search(searchRequest);
}
catch (LDAPSearchException e)
{
Patrick Dowler
committed
logger.debug("Could not find groups root", e);
LdapDAO.checkLdapResult(e.getResultCode());
if (e.getResultCode() == ResultCode.NO_SUCH_OBJECT)
{
throw new IllegalStateException("Could not find groups root");
Patrick Dowler
committed
throw new IllegalStateException("unexpected failure", e);
}
LdapDAO.checkLdapResult(searchResult.getResultCode());
List<String> groupNames = new ArrayList<String>();
for (SearchResultEntry next : searchResult.getSearchEntries())
{
if (!next.hasAttribute("nsaccountlock"))
{
groupNames.add(next.getAttributeValue("cn"));
}
}
return groupNames;
}
catch (LDAPException e1)
{
Patrick Dowler
committed
logger.debug("getGroupNames Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
throw new IllegalStateException("Unexpected exception: " + e1.getMatchedDN(), e1);
}
}
Jeff Burke
committed
* Get the group with the given Group ID.
Jeff Burke
committed
* @param groupID The Group unique ID.
*
* @return A Group instance
*
* @throws GroupNotFoundException If the group was not found.
Jeff Burke
committed
* @throws TransientException If an temporary, unexpected problem occurred.
public Group getGroup(final String groupID)
throws GroupNotFoundException, TransientException,
AccessControlException
Jeff Burke
committed
return getGroup(groupID, true);
Patrick Dowler
committed
private Group getGroup(final String groupID, final boolean withMembers)
throws GroupNotFoundException, TransientException,
AccessControlException
{
Group group = getGroup(getGroupDN(groupID), groupID, true);
Group adminGroup = getAdminGroup(getAdminGroupDN(groupID), groupID,
true);
group.getGroupAdmins().addAll(adminGroup.getGroupMembers());
group.getUserAdmins().addAll(adminGroup.getUserMembers());
return group;
}
private Group getGroup(final DN groupDN, final String groupID,
final boolean withMembers)
throws GroupNotFoundException, TransientException,
AccessControlException
{
String [] attributes = new String[] {"entrydn", "cn", "description",
"owner", "uniquemember",
"modifytimestamp", "nsaccountlock"};
return getGroup(groupDN, groupID, withMembers, attributes);
}
private Group getAdminGroup(final DN groupDN, final String groupID,
final boolean withMembers)
throws GroupNotFoundException, TransientException,
AccessControlException
{
String [] attributes = new String[] {"entrydn", "cn", "owner",
"uniquemember"};
return getGroup(groupDN, groupID, withMembers, attributes);
}
Jeff Burke
committed
Patrick Dowler
committed
// withMembers is with direct members only: not members of child groups
private Group getGroup(final DN groupDN, final String groupID,
final boolean withMembers, final String[] attributes)
throws GroupNotFoundException, TransientException,
AccessControlException
Patrick Dowler
committed
Filter filterLock = Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock"));
Filter filterDN = Filter.createEqualityFilter("entrydn", groupDN.toNormalizedString());
//Filter filter = Filter.createANDFilter(filterDN, filterLock);
// work-around: if we use the nsaccountlock filter then we can't tell the difference
// between not-found and not-allowed (by LDAP ACI)
Filter filter = filterDN;
SearchRequest searchRequest =
new SearchRequest(groupDN.toNormalizedString(),
SearchScope.SUB, filter, attributes);
searchRequest.addControl(
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
SearchResult searchResult = null;
try
{
}
catch (LDAPSearchException e)
{
Patrick Dowler
committed
logger.debug("LDAPSearchException: " + e.getEntryCount());
if (ResultCode.NO_SUCH_OBJECT.equals(e.getResultCode()))
{
String msg = "Group not found " + groupID;
logger.debug(msg);
throw new GroupNotFoundException(groupID);
}
else
{
LdapDAO.checkLdapResult(e.getResultCode());
LdapDAO.checkLdapResult(searchResult.getResultCode());
//access denied
String msg = "Not authorized to access " + groupID;
throw new AccessControlException(groupID);
if (searchResult.getEntryCount() >1)
{
throw new RuntimeException("BUG: multiple results when retrieving group " + groupID);
}
SearchResultEntry searchEntry = searchResult.getSearchEntries().get(0);
if (searchEntry.getAttribute("nsaccountlock") != null)
{
// deleted group
String msg = "Group not found " + groupID;
logger.debug(msg);
throw new GroupNotFoundException(groupID);
}
DN groupOwner = searchEntry.getAttributeValueAsDN("owner");
if (groupOwner == null)
{
//TODO assume user not allowed to read group
throw new AccessControlException(groupID);
}
}
catch (UserNotFoundException e)
{
throw new RuntimeException("BUG: group owner not found");
}
Group ldapGroup = new Group(groupID, owner);
if (searchEntry.hasAttribute("description"))
searchEntry.getAttributeValue("description");
if (searchEntry.hasAttribute("modifytimestamp"))
searchEntry.getAttributeValueAsDate("modifytimestamp");
if (searchEntry.getAttributeValues("uniquemember") != null)
if (memberDN.isDescendantOf(config.getUsersDN(), false))
Jeff Burke
committed
User<X500Principal> user;
user = userPersist.getMember(memberDN);
Patrick Dowler
committed
ldapGroup.getUserMembers().add(user);
}
catch (UserNotFoundException e)
{
Patrick Dowler
committed
// ignore as we do not cleanup deleted users
// from groups they belong to
else if (memberDN.isDescendantOf(config.getGroupsDN(),
false))
Patrick Dowler
committed
ldapGroup.getGroupMembers().add(getGroup(memberDN));
}
catch(GroupNotFoundException e)
{
// ignore as we are not cleaning up
// deleted groups from the group members
}
throw new RuntimeException(
"BUG: unknown member DN type: " + memberDN);
return ldapGroup;
}
catch (LDAPException e1)
{
Brian Major
committed
logger.debug("getGroup Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
throw new GroupNotFoundException("Not found " + groupID);
* @param group The group to update. It must be an existing group
*
* @return The newly updated group.
*
* @throws GroupNotFoundException If the group was not found.
* @throws TransientException If an temporary, unexpected problem occurred.
* @throws AccessControlException If the operation is not permitted.
* @throws UserNotFoundException If owner or group members not valid users.
*/
public Group modifyGroup(final Group group)
throws GroupNotFoundException, TransientException,
AccessControlException, UserNotFoundException
Brian Major
committed
Group existing = getGroup(group.getID()); //group must exists first
return modifyGroup(existing, group, false);
Brian Major
committed
private Group modifyGroup(final Group existing, final Group group, boolean withActivate)
throw new UnsupportedOperationException(
"Support for groups properties not available");
Brian Major
committed
boolean adminChanges = false;
List<Modification> mods = new ArrayList<Modification>();
List<Modification> adminMods = new ArrayList<Modification>();
if (withActivate)
mods.add(new Modification(ModificationType.DELETE, "nsaccountlock"));
adminMods.add(new Modification(ModificationType.DELETE, "nsaccountlock"));
Brian Major
committed
adminChanges = true;
mods.add(new Modification(ModificationType.REPLACE, "description"));
mods.add(new Modification(ModificationType.REPLACE, "description", group.description));
try
Set<String> newMembers = new HashSet<String>();
for (User<?> member : group.getUserMembers())
DN memberDN = userPersist.getUserDN(member);
newMembers.add(memberDN.toNormalizedString());
for (Group gr : group.getGroupMembers())
Brian Major
committed
{
Patrick Dowler
committed
if (!checkGroupExists(gr.getID()))
{
throw new GroupNotFoundException(gr.getID());
}
DN grDN = getGroupDN(gr.getID());
newMembers.add(grDN.toNormalizedString());
Brian Major
committed
}
Set<String> newAdmins = new HashSet<String>();
Set<User<? extends Principal>> existingUserAdmins = new HashSet<User<? extends Principal>>(0);
if (existing != null)
existingUserAdmins = existing.getUserAdmins();
}
for (User<?> member : group.getUserAdmins())
{
DN memberDN = userPersist.getUserDN(member);
newAdmins.add(memberDN.toNormalizedString());
if (!existingUserAdmins.contains(member))
{
adminChanges = true;
}
Brian Major
committed
Set<Group> existingGroupAdmins = new HashSet<Group>(0);
if (existing != null)
Brian Major
committed
{
existingGroupAdmins = existing.getGroupAdmins();
}
for (Group gr : group.getGroupAdmins())
{
Patrick Dowler
committed
if (!checkGroupExists(gr.getID()))
{
throw new GroupNotFoundException(gr.getID());
}
DN grDN = getGroupDN(gr.getID());
newAdmins.add(grDN.toNormalizedString());
if (!existingGroupAdmins.contains(gr))
{
adminChanges = true;
}
Brian Major
committed
}
mods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newMembers.toArray(new String[newMembers.size()])));
adminMods.add(new Modification(ModificationType.REPLACE, "uniquemember",
(String[]) newAdmins.toArray(new String[newAdmins.size()])));
// modify admin group first (if necessary)
if (adminChanges)
{
ModifyRequest modifyRequest = new ModifyRequest(getAdminGroupDN(group.getID()), adminMods);
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LdapDAO.checkLdapResult(getConnection().
modify(modifyRequest).getResultCode());
}
Brian Major
committed
ModifyRequest modifyRequest = new ModifyRequest(getGroupDN(group.getID()), mods);
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LdapDAO.checkLdapResult(getConnection().
logger.debug("Modify Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
if (withActivate)
{
return new ActivatedGroup(getGroup(group.getID()));
}
else
{
return getGroup(group.getID());
}
}
catch (GroupNotFoundException e)
{
"BUG: modified group not found (" + group.getID() + ")");
Jeff Burke
committed
* Deletes the group.
Jeff Burke
committed
* @param groupID The group to delete
*
* @throws GroupNotFoundException If the group was not found.
* @throws TransientException If an temporary, unexpected problem occurred.
public void deleteGroup(final String groupID)
Jeff Burke
committed
throws GroupNotFoundException, TransientException,
AccessControlException
deleteGroup(getGroupDN(groupID), groupID, false);
deleteGroup(getAdminGroupDN(groupID), groupID, true);
}
private void deleteGroup(final DN groupDN, final String groupID,
final boolean isAdmin)
throws GroupNotFoundException, TransientException,
AccessControlException
{
Group group = getGroup(groupDN, groupID, true);
Jeff Burke
committed
List<Modification> modifs = new ArrayList<Modification>();
modifs.add(new Modification(ModificationType.ADD, "nsaccountlock", "true"));
if (!group.getGroupAdmins().isEmpty() ||
!group.getUserAdmins().isEmpty())
{
modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
}
Jeff Burke
committed
}
Jeff Burke
committed
{
if (!group.getGroupMembers().isEmpty() ||
!group.getUserMembers().isEmpty())
{
modifs.add(new Modification(ModificationType.DELETE, "uniquemember"));
}
ModifyRequest modifyRequest = new ModifyRequest(groupDN, modifs);
Jeff Burke
committed
try
{
modifyRequest.addControl(
new ProxiedAuthorizationV2RequestControl(
"dn:" + getSubjectDN().toNormalizedString()));
LDAPResult result = getConnection().modify(modifyRequest);
LdapDAO.checkLdapResult(result.getResultCode());
Jeff Burke
committed
}
catch (LDAPException e1)
{
Brian Major
committed
logger.debug("Delete Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
Jeff Burke
committed
}
try
{
Patrick Dowler
committed
getGroup(getGroupDN(group.getID()));
Jeff Burke
committed
throw new RuntimeException("BUG: group not deleted " +
group.getID());
}
catch (GroupNotFoundException ignore) {}
Patrick Dowler
committed
catch (LDAPException e)
{
logger.debug("deleteGroup Exception: " + e, e);
throw new TransientException("Error verifying delete group", e);
}
Jeff Burke
committed
/**
Patrick Dowler
committed
* Obtain a Collection of Groups that fit the given query. The returned groups
* will not include members.
Jeff Burke
committed
*
* @param userID The userID.
* @param role Role of the user, either owner, member, or read/write.
* @param groupID The Group ID.
*
Patrick Dowler
committed
* @return possibly empty collection of Group that match the query
Jeff Burke
committed
* @throws TransientException If an temporary, unexpected problem occurred.
* @throws UserNotFoundException
* @throws GroupNotFoundException
*/
public Collection<Group> getGroups(final T userID, final Role role,
final String groupID)
Jeff Burke
committed
throws TransientException, AccessControlException,
GroupNotFoundException, UserNotFoundException
Jeff Burke
committed
User<T> user = new User<T>(userID);
DN userDN = null;
try
{
userDN = userPersist.getUserDN(user);
}
catch (UserNotFoundException e)
{
// no anonymous searches
throw new AccessControlException("Not authorized to search");
}
Jeff Burke
committed
Patrick Dowler
committed
Collection<Group> ret;
Jeff Burke
committed
if (role == Role.OWNER)
{
Patrick Dowler
committed
ret = getOwnerGroups(user, userDN, groupID);
Jeff Burke
committed
}
Patrick Dowler
committed
else
Patrick Dowler
committed
Collection<DN> groupDNs = null;
if (role == Role.MEMBER)
Patrick Dowler
committed
groupDNs = getMemberGroups(user, userDN, groupID, false);
Patrick Dowler
committed
else if (role == Role.ADMIN)
Patrick Dowler
committed
groupDNs = getMemberGroups(user, userDN, groupID, true);
}
else
throw new IllegalArgumentException("null role");
ret = new ArrayList<Group>();
try
{
for (DN groupDN : groupDNs)
Patrick Dowler
committed
if (role == Role.ADMIN)
{
groupDN = new DN(groupDN.getRDNString() + "," + config.getGroupsDN());
}
try
{
Group g = getGroup(groupDN);
logger.debug("found group: " + g.getID());
ret.add(g);
}
catch (GroupNotFoundException e)
{
final String message = "BUG: group " + groupDN + " not found but " +
"membership exists (" + userID + ")";
logger.error(message);
//throw new IllegalStateException(message);
}
Patrick Dowler
committed
catch (LDAPException e)
{
logger.debug("getGroups Exception: " + e, e);
throw new TransientException("Error getting group", e);
}
Patrick Dowler
committed
logger.debug("found: " + ret.size() + "groups matching " + userID + "," + role + "," + groupID);
return ret;
Patrick Dowler
committed
protected Collection<Group> getOwnerGroups(final User<T> user,
final DN userDN,
final String groupID)
Patrick Dowler
committed
throws TransientException, AccessControlException
Patrick Dowler
committed
Collection<Group> ret = new ArrayList<Group>();
Patrick Dowler
committed
{
Filter filter = Filter.createNOTFilter(Filter.createPresenceFilter("nsaccountlock"));
filter = Filter.createANDFilter(filter,
Filter.createEqualityFilter("owner", userDN.toNormalizedString()));
Patrick Dowler
committed
// getGroup(groupID);
// filter = Filter.createANDFilter(filter,
// Filter.createEqualityFilter("cn", groupID));
DN groupDN = getGroupDN(groupID);
Patrick Dowler
committed
Filter.createEqualityFilter("entrydn", groupDN.toNormalizedString()));
}
SearchRequest searchRequest = new SearchRequest(
Patrick Dowler
committed
config.getGroupsDN(), SearchScope.SUB, filter, GROUP_ATTRS);
searchRequest.addControl(
new ProxiedAuthorizationV2RequestControl("dn:" +
getSubjectDN().toNormalizedString()));
SearchResult results = getConnection().search(searchRequest);
for (SearchResultEntry result : results.getSearchEntries())
{
Patrick Dowler
committed
ret.add(createGroup(result));
Patrick Dowler
committed
logger.debug("getOwnerGroups Exception: " + e1, e1);
LdapDAO.checkLdapResult(e1.getResultCode());
Patrick Dowler
committed
return ret;
}
private Group createGroup(SearchResultEntry result)
throws LDAPException
{
if (result.getAttribute("nsaccountlock") != null)
{
throw new RuntimeException("BUG: found group with nsaccountlock set: " + result.getAttributeValue("entrydn").toString());
}
String entryDN = result.getAttributeValue("entrydn");
String groupName = result.getAttributeValue("cn");
DN ownerDN = result.getAttributeValueAsDN("owner");
try
{
User owner = userPersist.getMember(ownerDN);
Group g = new Group(groupName, owner);
g.description = result.getAttributeValue("description");
g.lastModified = result.getAttributeValueAsDate("modifytimestamp");
return g;
}
catch(UserNotFoundException ex)
{
throw new RuntimeException("Invalid state: owner does not exist: " + ownerDN + " group: " + entryDN);
}
protected Collection<DN> getMemberGroups(final User<T> user,
final DN userDN,
final String groupID,
final boolean isAdmin)
throws TransientException, AccessControlException,
GroupNotFoundException, UserNotFoundException
{
DN groupDN;
if (isAdmin)
groupDN = getAdminGroupDN(groupID);
groupDN = getGroupDN(groupID);
if (userPersist.isMember(user.getUserID(),
groupDN.toNormalizedString()))
Collection<DN> memberGroupDNs =
userPersist.getUserGroups(user.getUserID(), isAdmin);
Jeff Burke
committed
/**
* Returns a group based on its LDAP DN. The returned group does not contain