From adf53dd49f5c657946db3a5a7f4157e17a3da203 Mon Sep 17 00:00:00 2001 From: Robert von Burg Date: Fri, 6 Oct 2017 16:59:22 +0200 Subject: [PATCH] [Major] Implemented SingleSignOn facility for Privilege --- .../persistence/api/AbstractTransaction.java | 10 +- .../DefaultStrolchPrivilegeHandler.java | 46 +- .../runtime/privilege/PrivilegeHandler.java | 193 +++---- .../service/api/DefaultServiceHandler.java | 6 +- .../config/PrivilegeConfig.xml | 47 -- .../handler/DefaultPrivilegeHandler.java | 234 +++++--- .../privilege/handler/PrivilegeHandler.java | 539 +++++++++--------- .../handler/SingleSignOnHandler.java | 32 ++ .../helper/PrivilegeInitializationHelper.java | 54 +- .../privilege/helper/XmlConstants.java | 5 + .../internal/PrivilegeContainerModel.java | 25 +- .../xml/PrivilegeConfigDomWriter.java | 99 ++-- .../xml/PrivilegeConfigSaxReader.java | 6 + .../privilege/test/AbstractPrivilegeTest.java | 23 +- .../privilege/test/PersistSessionsTest.java | 4 +- .../strolch/privilege/test/PrivilegeTest.java | 28 +- .../privilege/test/SsoHandlerTest.java | 57 ++ .../li/strolch/privilege/test/XmlTest.java | 80 +-- .../privilege/test/model/DummySsoHandler.java | 29 + .../test/resources/config/PrivilegeConfig.xml | 49 ++ .../config/PrivilegeConfigMerge.xml | 2 +- .../test/resources}/config/PrivilegeRoles.xml | 0 .../resources}/config/PrivilegeRolesMerge.xml | 0 .../test/resources}/config/PrivilegeUsers.xml | 0 .../resources}/config/PrivilegeUsersMerge.xml | 0 .../rest/DefaultStrolchSessionHandler.java | 19 +- .../strolch/rest/StrolchSessionHandler.java | 41 +- .../rest/endpoint/AuthenticationService.java | 2 +- .../rest/endpoint/UserSessionsService.java | 2 +- .../service/test/GreetingServiceTest.java | 2 +- .../li/strolch/service/test/ServiceTest.java | 35 +- .../strolch/testbase/runtime/RuntimeMock.java | 5 +- 32 files changed, 915 insertions(+), 759 deletions(-) delete mode 100644 li.strolch.privilege/config/PrivilegeConfig.xml create mode 100644 li.strolch.privilege/src/main/java/li/strolch/privilege/handler/SingleSignOnHandler.java create mode 100644 li.strolch.privilege/src/test/java/li/strolch/privilege/test/SsoHandlerTest.java create mode 100644 li.strolch.privilege/src/test/java/li/strolch/privilege/test/model/DummySsoHandler.java create mode 100644 li.strolch.privilege/src/test/resources/config/PrivilegeConfig.xml rename li.strolch.privilege/{ => src/test/resources}/config/PrivilegeConfigMerge.xml (95%) rename li.strolch.privilege/{ => src/test/resources}/config/PrivilegeRoles.xml (100%) rename li.strolch.privilege/{ => src/test/resources}/config/PrivilegeRolesMerge.xml (100%) rename li.strolch.privilege/{ => src/test/resources}/config/PrivilegeUsers.xml (100%) rename li.strolch.privilege/{ => src/test/resources}/config/PrivilegeUsersMerge.xml (100%) diff --git a/li.strolch.agent/src/main/java/li/strolch/persistence/api/AbstractTransaction.java b/li.strolch.agent/src/main/java/li/strolch/persistence/api/AbstractTransaction.java index 297f97dbf..dec72dd46 100644 --- a/li.strolch.agent/src/main/java/li/strolch/persistence/api/AbstractTransaction.java +++ b/li.strolch.agent/src/main/java/li/strolch/persistence/api/AbstractTransaction.java @@ -336,7 +336,7 @@ public abstract class AbstractTransaction implements StrolchTransaction { private void assertQueryAllowed(StrolchQuery query) { try { - PrivilegeContext privilegeContext = this.privilegeHandler.getPrivilegeContext(this.certificate); + PrivilegeContext privilegeContext = this.privilegeHandler.validate(this.certificate); privilegeContext.validateAction(query); } catch (PrivilegeException e) { throw new StrolchAccessDeniedException(this.certificate, query, ExceptionHelper.getExceptionMessage(e), e); @@ -705,7 +705,7 @@ public abstract class AbstractTransaction implements StrolchTransaction { public void assertHasPrivilege(Operation operation, StrolchRootElement element) throws AccessDeniedException { DBC.PRE.assertNotNull("operation must not be null", operation); DBC.PRE.assertNotNull("element must not be null", element); - this.privilegeHandler.getPrivilegeContext(this.certificate) + this.privilegeHandler.validate(this.certificate) .validateAction(new TransactedRestrictable(this, operation.getPrivilegeName(element), element)); } @@ -960,13 +960,9 @@ public abstract class AbstractTransaction implements StrolchTransaction { @Override public void autoCloseableReadOnly() throws StrolchTransactionException { long start = System.nanoTime(); - boolean throwException = false; try { this.txResult.setState(TransactionState.CLOSING); - Thread.currentThread().getUncaughtExceptionHandler(); - StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace(); - if (!this.commands.isEmpty()) { autoCloseableRollback(); String msg = "There are commands registered on a read-only transaction. Changing to rollback! Did you forget to commit?"; @@ -1218,8 +1214,6 @@ public abstract class AbstractTransaction implements StrolchTransaction { List audits = new ArrayList<>(); - // TODO this is bad... doesn't account for a created and deleted in same TX... - if (this.orderMap != null) { if (this.realm.isAuditTrailEnabledForRead()) auditsFor(audits, AccessType.READ, this.orderMap.getRead()); diff --git a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java index e93da3510..f9916daae 100644 --- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java +++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/DefaultStrolchPrivilegeHandler.java @@ -30,14 +30,8 @@ import li.strolch.agent.api.StrolchRealm; import li.strolch.model.audit.AccessType; import li.strolch.model.audit.Audit; import li.strolch.persistence.api.StrolchTransaction; -import li.strolch.privilege.base.NotAuthenticatedException; import li.strolch.privilege.base.PrivilegeException; -import li.strolch.privilege.handler.DefaultPrivilegeHandler; -import li.strolch.privilege.handler.EncryptionHandler; -import li.strolch.privilege.handler.PersistenceHandler; -import li.strolch.privilege.handler.SystemAction; -import li.strolch.privilege.handler.SystemActionWithResult; -import li.strolch.privilege.handler.XmlPersistenceHandler; +import li.strolch.privilege.handler.*; import li.strolch.privilege.helper.PrivilegeInitializationHelper; import li.strolch.privilege.helper.XmlConstants; import li.strolch.privilege.model.Certificate; @@ -67,24 +61,22 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements // initialize privilege RuntimeConfiguration runtimeConfiguration = configuration.getRuntimeConfiguration(); - File privilegeConfigFile = configuration.getConfigFile(PROP_PRIVILEGE_CONFIG_FILE, PRIVILEGE_CONFIG_XML, - runtimeConfiguration); - li.strolch.privilege.handler.PrivilegeHandler privilegeHandler = initializeFromXml(configuration, - privilegeConfigFile); - this.privilegeHandler = privilegeHandler; + File privilegeConfigFile = configuration + .getConfigFile(PROP_PRIVILEGE_CONFIG_FILE, PRIVILEGE_CONFIG_XML, runtimeConfiguration); + this.privilegeHandler = initializeFromXml(configuration, privilegeConfigFile); } /** * Initializes the {@link DefaultPrivilegeHandler} from the configuration file - * + * * @param privilegeXmlFile - * a {@link File} reference to the XML file containing the configuration for Privilege - * + * a {@link File} reference to the XML file containing the configuration for Privilege + * * @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and - * {@link PersistenceHandler} are set and initialized as well + * {@link PersistenceHandler} are set and initialized as well */ private li.strolch.privilege.handler.PrivilegeHandler initializeFromXml(ComponentConfiguration configuration, - File privilegeXmlFile) { + File privilegeXmlFile) { // make sure file exists if (!privilegeXmlFile.exists()) { @@ -142,14 +134,13 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements } @Override - public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException { - assertStarted(); - this.privilegeHandler.isCertificateValid(certificate); + public PrivilegeContext validate(Certificate certificate) throws PrivilegeException { + return this.privilegeHandler.validate(certificate); } @Override - public boolean invalidateSession(Certificate certificate) { - boolean invalidateSession = this.privilegeHandler.invalidateSession(certificate); + public boolean invalidate(Certificate certificate) { + boolean invalidateSession = this.privilegeHandler.invalidate(certificate); StrolchRealm realm = getContainer().getRealm(certificate); try (StrolchTransaction tx = realm.openTx(certificate, StrolchPrivilegeConstants.LOGOUT)) { tx.setSuppressDoNothingLogging(true); @@ -164,7 +155,7 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements @Override public boolean sessionTimeout(Certificate certificate) { assertStarted(); - boolean invalidateSession = this.privilegeHandler.invalidateSession(certificate); + boolean invalidateSession = this.privilegeHandler.invalidate(certificate); StrolchRealm realm = getContainer().getRealm(certificate); try (StrolchTransaction tx = realm.openTx(certificate, StrolchPrivilegeConstants.SESSION_TIME_OUT)) { tx.setSuppressDoNothingLogging(true); @@ -213,13 +204,8 @@ public class DefaultStrolchPrivilegeHandler extends StrolchComponent implements @Override public T runAsAgentWithResult(PrivilegedRunnableWithResult runnable) throws PrivilegeException { - return this.privilegeHandler.runWithResult(StrolchConstants.SYSTEM_USER_AGENT, - new StrolchSystemActionWithResult<>(runnable)); - } - - @Override - public PrivilegeContext getPrivilegeContext(Certificate certificate) throws PrivilegeException { - return this.privilegeHandler.getPrivilegeContext(certificate); + return this.privilegeHandler + .runWithResult(StrolchConstants.SYSTEM_USER_AGENT, new StrolchSystemActionWithResult<>(runnable)); } @Override diff --git a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java index 43ff60d94..adc055c4f 100644 --- a/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java +++ b/li.strolch.agent/src/main/java/li/strolch/runtime/privilege/PrivilegeHandler.java @@ -24,183 +24,170 @@ import li.strolch.runtime.StrolchConstants; /** * The privilege handler for authenticating users and performing actions as a system user - * + * * @author Robert von Burg */ public interface PrivilegeHandler { /** * Authenticate a user - * + * * @param username - * the username + * the username * @param password - * the password - * + * the password + * * @return the certificate - * - * @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, byte[]) + * + * @see li.strolch.privilege.handler.PrivilegeHandler#authenticate(String, char[]) */ - public Certificate authenticate(String username, char[] password); - - /** - * Validate that the certificate is still valid - * - * @param certificate - * the certificate - * - * @throws PrivilegeException - * if the certificate is not valid - * - * @see li.strolch.privilege.handler.PrivilegeHandler#isCertificateValid(Certificate) - */ - public void isCertificateValid(Certificate certificate) throws PrivilegeException; - - /** - * Invalidates the given certificate - * - * @param certificate - * the certificate - * - * @return true if the certificate was invalidated, or false if it was already invalidated - * - * @see li.strolch.privilege.handler.PrivilegeHandler#invalidateSession(li.strolch.privilege.model.Certificate) - */ - public boolean invalidateSession(Certificate certificate); - - /** - * Notifies that the session has timed out, i.e. the certificate must be invalidated - * - * @param certificate - * the certificate that has timed out - * @return true if the certificate was invalidated, or false it was already invalidated - * - * @see li.strolch.privilege.handler.PrivilegeHandler#invalidateSession(li.strolch.privilege.model.Certificate) - */ - public boolean sessionTimeout(Certificate certificate); + Certificate authenticate(String username, char[] password); /** * Returns the {@link PrivilegeContext} for the given certificate - * + * * @param certificate - * the certificate - * + * the certificate + * * @return the {@link PrivilegeContext} for the given certificate - * + * * @throws PrivilegeException - * if the certificate is not valid anymore - * - * @see li.strolch.privilege.handler.PrivilegeHandler#getPrivilegeContext(li.strolch.privilege.model.Certificate) + * if the certificate is not valid anymore + * @see li.strolch.privilege.handler.PrivilegeHandler#validate(li.strolch.privilege.model.Certificate) */ - public PrivilegeContext getPrivilegeContext(Certificate certificate) throws PrivilegeException; + PrivilegeContext validate(Certificate certificate) throws PrivilegeException; + + /** + * Invalidates the given certificate + * + * @param certificate + * the certificate + * + * @return true if the certificate was invalidated, or false if it was already invalidated + * + * @see li.strolch.privilege.handler.PrivilegeHandler#invalidate(li.strolch.privilege.model.Certificate) + */ + boolean invalidate(Certificate certificate); + + /** + * Notifies that the session has timed out, i.e. the certificate must be invalidated + * + * @param certificate + * the certificate that has timed out + * + * @return true if the certificate was invalidated, or false it was already invalidated + * + * @see li.strolch.privilege.handler.PrivilegeHandler#invalidate(li.strolch.privilege.model.Certificate) + */ + boolean sessionTimeout(Certificate certificate); /** * Run the given {@link SystemAction} as the given system user - * + * * @param username - * the system username + * the system username * @param action - * the action to perform - * + * the action to perform + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public void runAs(String username, SystemAction action) throws PrivilegeException; + void runAs(String username, SystemAction action) throws PrivilegeException; /** * Run the given {@link SystemActionWithResult} as the given system user - * + * * @param username - * the system username + * the system username * @param action - * the action to perform - * + * the action to perform + * * @return the result - * + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public T runWithResult(String username, SystemActionWithResult action) throws PrivilegeException; + T runWithResult(String username, SystemActionWithResult action) throws PrivilegeException; /** * Run the given {@link PrivilegedRunnable} as the given system user - * + * * @param username - * the system username + * the system username * @param runnable - * the runnable to perform - * + * the runnable to perform + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public void runAs(String username, PrivilegedRunnable runnable) throws PrivilegeException; + void runAs(String username, PrivilegedRunnable runnable) throws PrivilegeException; /** * Run the given {@link PrivilegedRunnable} as the given system user - * + * * @param username - * the system username + * the system username * @param runnable - * the runnable to perform - * + * the runnable to perform + * * @return the result - * + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public T runWithResult(String username, PrivilegedRunnableWithResult runnable) throws PrivilegeException; + T runWithResult(String username, PrivilegedRunnableWithResult runnable) throws PrivilegeException; /** * Run the given {@link SystemAction} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT} - * - * @param runnable - * the runnable to perform - * + * + * @param action + * the action to perform + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public void runAsAgent(SystemAction action) throws PrivilegeException; + void runAsAgent(SystemAction action) throws PrivilegeException; /** * Run the given {@link SystemActionWithResult} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT} - * - * @param runnable - * the runnable to perform - * + * + * @param action + * the action to perform + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public T runAsAgentWithResult(SystemActionWithResult action) throws PrivilegeException; + T runAsAgentWithResult(SystemActionWithResult action) throws PrivilegeException; /** * Run the given {@link PrivilegedRunnable} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT} - * + * * @param runnable - * the runnable to perform - * + * the runnable to perform + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public void runAsAgent(PrivilegedRunnable runnable) throws PrivilegeException; + void runAsAgent(PrivilegedRunnable runnable) throws PrivilegeException; /** * Run the given {@link PrivilegedRunnableWithResult} as the system user {@link StrolchConstants#SYSTEM_USER_AGENT} - * + * * @param runnable - * the runnable to perform - * + * the runnable to perform + * * @return the result - * + * * @throws PrivilegeException - * if there is something wrong + * if there is something wrong */ - public T runAsAgentWithResult(PrivilegedRunnableWithResult runnable) throws PrivilegeException; + T runAsAgentWithResult(PrivilegedRunnableWithResult runnable) throws PrivilegeException; /** * Returns the {@link li.strolch.privilege.handler.PrivilegeHandler} - * + * * @return the {@link li.strolch.privilege.handler.PrivilegeHandler} */ - public abstract li.strolch.privilege.handler.PrivilegeHandler getPrivilegeHandler(); + li.strolch.privilege.handler.PrivilegeHandler getPrivilegeHandler(); } \ No newline at end of file diff --git a/li.strolch.agent/src/main/java/li/strolch/service/api/DefaultServiceHandler.java b/li.strolch.agent/src/main/java/li/strolch/service/api/DefaultServiceHandler.java index ca9e5a451..7e518aaf1 100644 --- a/li.strolch.agent/src/main/java/li/strolch/service/api/DefaultServiceHandler.java +++ b/li.strolch.agent/src/main/java/li/strolch/service/api/DefaultServiceHandler.java @@ -39,10 +39,6 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa private PrivilegeHandler privilegeHandler; private boolean throwOnPrivilegeFail; - /** - * @param container - * @param componentName - */ public DefaultServiceHandler(ComponentContainer container, String componentName) { super(container, componentName); } @@ -74,7 +70,7 @@ public class DefaultServiceHandler extends StrolchComponent implements ServiceHa PrivilegeContext privilegeContext; String username = certificate == null ? "null" : certificate.getUsername(); try { - privilegeContext = this.privilegeHandler.getPrivilegeContext(certificate); + privilegeContext = this.privilegeHandler.validate(certificate); privilegeContext.validateAction(service); } catch (PrivilegeException e) { diff --git a/li.strolch.privilege/config/PrivilegeConfig.xml b/li.strolch.privilege/config/PrivilegeConfig.xml deleted file mode 100644 index f38f260d8..000000000 --- a/li.strolch.privilege/config/PrivilegeConfig.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultPrivilegeHandler.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultPrivilegeHandler.java index 80b07f0a2..d3444f21c 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultPrivilegeHandler.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/DefaultPrivilegeHandler.java @@ -85,6 +85,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { */ private EncryptionHandler encryptionHandler; + /** + * The Single Sign On Handler + */ + private SingleSignOnHandler ssoHandler; + /** * The {@link UserChallengeHandler} is used to challenge a user which tries to authenticate and/or change their * password @@ -127,7 +132,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep getRole(Certificate certificate, String roleName) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_GET_ROLE); Role role = this.persistenceHandler.getRole(roleName); @@ -143,7 +148,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep getUser(Certificate certificate, String username) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER); User user = this.persistenceHandler.getUser(username); @@ -158,7 +163,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public Map getPolicyDefs(Certificate certificate) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_GET_POLICIES)); Map policyDef = new HashMap<>(this.policyMap.size()); @@ -172,7 +177,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public List getCertificates(Certificate certificate) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_GET_CERTIFICATES)); return this.privilegeContextMap.values().stream().map(PrivilegeContext::getCertificate) @@ -183,7 +188,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public List getRoles(Certificate certificate) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_GET_ROLE); Stream rolesStream = this.persistenceHandler.getAllRoles().stream(); @@ -207,7 +212,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public List getUsers(Certificate certificate) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER); Stream usersStream = this.persistenceHandler.getAllUsers().stream(); @@ -231,7 +236,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public List queryUsers(Certificate certificate, UserRep selectorRep) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_GET_USER); String selUserId = selectorRep.getUserId(); @@ -334,8 +339,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * null or empty, then true is returned. If a key/value pair from the selectionMap is not in the properties, then * false is returned * - * @param selectionMap the map defining the expected properties - * @param properties the properties which must be a sub set of selectionMap to have this method return true + * @param selectionMap + * the map defining the expected properties + * @param properties + * the properties which must be a sub set of selectionMap to have this method return true + * * @return If the selectionMap is null or empty, then true is returned. If a key/value pair from the selectionMap is * not in the properties, then false is returned */ @@ -361,8 +369,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * Checks if the given roles contains the given selectionRoles, if this is the case, or selectionRoles is null or * empty, then true is returned, otherwise false * - * @param selectionRoles the required roles - * @param roles the roles to check if they contain the selectionRoles + * @param selectionRoles + * the required roles + * @param roles + * the roles to check if they contain the selectionRoles + * * @return Checks if the given roles contains the given selectionRoles, if this is the case, or selectionRoles is * null or empty, then true is returned, otherwise false */ @@ -379,7 +390,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { try { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_ADD_USER); // make sure userId is not set @@ -444,7 +455,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { try { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_USER); // first validate user @@ -512,10 +523,15 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } private User createUser(UserRep userRep, byte[] passwordHash, byte[] salt) { - User user = new User(userRep.getUserId(), userRep.getUsername(), passwordHash, salt, userRep.getFirstname(), - userRep.getLastname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale(), - userRep.getProperties()); - return user; + String userId = userRep.getUserId(); + String userName = userRep.getUsername(); + String firstName = userRep.getFirstname(); + String lastName = userRep.getLastname(); + UserState state = userRep.getUserState(); + Set roles = userRep.getRoles(); + Locale locale = userRep.getLocale(); + Map properties = userRep.getProperties(); + return new User(userId, userName, passwordHash, salt, firstName, lastName, state, roles, locale, properties); } @Override @@ -523,7 +539,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { throws AccessDeniedException, PrivilegeException { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_USER); // get existing user @@ -585,7 +601,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep removeUser(Certificate certificate, String username) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_USER); // validate user exists @@ -610,7 +626,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep addRoleToUser(Certificate certificate, String username, String roleName) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_ADD_ROLE_TO_USER); // get user @@ -658,7 +674,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_ROLE_FROM_USER); // get User @@ -698,7 +714,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep setUserLocale(Certificate certificate, String username, Locale locale) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_LOCALE); // get User @@ -735,7 +751,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { try { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_PASSWORD); // get User @@ -778,7 +794,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } if (certificate.getUsage() == Usage.SET_PASSWORD) { - invalidateSession(certificate); + invalidate(certificate); } logger.info("Updated password for " + newUser.getUsername()); @@ -792,7 +808,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public UserRep setUserState(Certificate certificate, String username, UserState state) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_SET_USER_STATE); // get User @@ -821,7 +837,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep addRole(Certificate certificate, RoleRep roleRep) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_ADD_ROLE); // first validate role @@ -854,7 +870,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE); // first validate role @@ -891,7 +907,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep removeRole(Certificate certificate, String roleName) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_REMOVE_ROLE); // validate no user is using this role @@ -927,7 +943,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE); // validate PrivilegeRep @@ -983,7 +999,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName) { // validate user actually has this type of privilege - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.assertHasPrivilege(PRIVILEGE_MODIFY_ROLE); // get role @@ -1116,12 +1132,39 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } } + @Override + public Certificate authenticateSingleSignOn(Object data) throws PrivilegeException { + if (this.ssoHandler == null) + throw new IllegalStateException("The SSO Handler is not configured!"); + + User user = this.ssoHandler.authenticateSingleSignOn(data); + + // get 2 auth tokens + String authToken = this.encryptionHandler.nextToken(); + + // get next session id + String sessionId = UUID.randomUUID().toString(); + + // create a new certificate, with details of the user + Certificate certificate = buildCertificate(Usage.ANY, user, authToken, sessionId); + certificate.setLastAccess(new Date()); + + PrivilegeContext privilegeContext = buildPrivilegeContext(certificate, user); + this.privilegeContextMap.put(sessionId, privilegeContext); + + persistSessions(); + + // log + logger.info(MessageFormat.format("User {0} authenticated: {1}", user.getUsername(), certificate)); //$NON-NLS-1$ + + return certificate; + } + private Certificate buildCertificate(Usage usage, User user, String authToken, String sessionId) { Set userRoles = user.getRoles(); - Certificate certificate = new Certificate(usage, sessionId, user.getUsername(), user.getFirstname(), - user.getLastname(), user.getUserState(), authToken, new Date(), user.getLocale(), userRoles, + return new Certificate(usage, sessionId, user.getUsername(), user.getFirstname(), user.getLastname(), + user.getUserState(), authToken, new Date(), user.getLocale(), userRoles, new HashMap<>(user.getProperties())); - return certificate; } private boolean persistSessions() { @@ -1146,15 +1189,15 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { return true; } - private boolean loadSessions() { + private void loadSessions() { if (!this.persistSessions) { logger.info("Persisteding of sessions not enabled, so not loading!."); - return false; + return; } if (!this.persistSessionsPath.exists()) { logger.info("No persisted sessions exist to be loaded."); - return false; + return; } if (!this.persistSessionsPath.isFile()) @@ -1170,13 +1213,14 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } catch (Exception e) { logger.error("Failed to load sessions!", e); - this.persistSessionsPath.delete(); - return false; + if (!this.persistSessionsPath.delete()) + logger.error("Failed to delete session file at " + this.persistSessionsPath.getAbsolutePath()); + return; } if (certificateStubs.isEmpty()) { logger.info("No persisted sessions exist to be loaded."); - return false; + return; } for (CertificateStub certificateStub : certificateStubs) { @@ -1205,17 +1249,22 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } logger.info("Loaded " + this.privilegeContextMap.size() + " sessions."); - return true; } /** * Checks the credentials and validates that the user may log in. * - * @param username the username of the {@link User} to check against - * @param password the password of this user + * @param username + * the username of the {@link User} to check against + * @param password + * the password of this user + * * @return the {@link User} if the credentials are valid and the user may login - * @throws AccessDeniedException if anything is wrong with the credentials or the user state - * @throws InvalidCredentialsException if the given credentials are invalid, the user does not exist, or has no password set + * + * @throws AccessDeniedException + * if anything is wrong with the credentials or the user state + * @throws InvalidCredentialsException + * if the given credentials are invalid, the user does not exist, or has no password set */ private User checkCredentialsAndUserState(String username, char[] password) throws InvalidCredentialsException, AccessDeniedException { @@ -1253,7 +1302,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { byte[] salt = user.getSalt(); if (salt == null) throw new AccessDeniedException( - MessageFormat.format("User {0} has no salt and may not login!", salt)); //$NON-NLS-1$ + MessageFormat.format("User {0} has no salt and may not login!", username)); //$NON-NLS-1$ // we only work with hashed passwords byte[] passwordHash = this.encryptionHandler.hashPassword(password, salt); @@ -1269,8 +1318,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { /** * Builds a {@link PrivilegeContext} for the given {@link User} and its {@link Certificate} * - * @param certificate the certificate for which to build the {@link PrivilegeContext} - * @param user the user for which to build the {@link PrivilegeContext} + * @param certificate + * the certificate for which to build the {@link PrivilegeContext} + * @param user + * the user for which to build the {@link PrivilegeContext} + * * @return the {@link PrivilegeContext} */ private PrivilegeContext buildPrivilegeContext(Certificate certificate, User user) { @@ -1337,12 +1389,11 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } UserRep userRep = user.asUserRep(); - PrivilegeContext privilegeContext = new PrivilegeContext(userRep, certificate, privileges, policies); - return privilegeContext; + return new PrivilegeContext(userRep, certificate, privileges, policies); } @Override - public boolean invalidateSession(Certificate certificate) { + public boolean invalidate(Certificate certificate) { // remove registration PrivilegeContext privilegeContext = this.privilegeContextMap.remove(certificate.getSessionId()); @@ -1361,7 +1412,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } @Override - public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException { + public PrivilegeContext validate(Certificate certificate) throws PrivilegeException, NotAuthenticatedException { // certificate must not be null if (certificate == null) @@ -1387,33 +1438,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { LocalDateTime dateTime = LocalDateTime .ofInstant(sessionCertificate.getLoginTime().toInstant(), ZoneId.systemDefault()); if (dateTime.plusHours(1).isBefore(LocalDateTime.now())) { - invalidateSession(sessionCertificate); + invalidate(sessionCertificate); throw new NotAuthenticatedException("Certificate has already expired!"); //$NON-NLS-1$ } } - // get user object - User user = this.persistenceHandler.getUser(privilegeContext.getUsername()); - - // if user exists, then certificate is valid - if (user == null) { - String msg = "Oh boy, how did this happen: No User in user map although the certificate is valid!"; //$NON-NLS-1$ - throw new PrivilegeException(msg); - } - - // everything is ok - certificate.setLastAccess(new Date()); - } - - @Override - public PrivilegeContext getPrivilegeContext(Certificate certificate) - throws PrivilegeException, NotAuthenticatedException { - - // first validate certificate - isCertificateValid(certificate); - - return this.privilegeContextMap.get(certificate.getSessionId()); + return privilegeContext; } /** @@ -1437,7 +1468,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public boolean persist(Certificate certificate) { // validate who is doing this - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_PERSIST)); return this.persistenceHandler.persist(); @@ -1447,7 +1478,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public boolean persistSessions(Certificate certificate) { // validate who is doing this - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_PERSIST_SESSIONS)); return persistSessions(); @@ -1457,7 +1488,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { public boolean reload(Certificate certificate) { // validate who is doing this - PrivilegeContext prvCtx = getPrivilegeContext(certificate); + PrivilegeContext prvCtx = validate(certificate); prvCtx.validateAction(new SimpleRestrictable(PRIVILEGE_ACTION, PRIVILEGE_ACTION_RELOAD)); return this.persistenceHandler.reload(); @@ -1468,16 +1499,28 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * {@link PrivilegeHandler} might need. This method may only be called once and this must be enforced by the * concrete implementation * - * @param parameterMap a map containing configuration properties - * @param encryptionHandler the {@link EncryptionHandler} instance for this {@link PrivilegeHandler} - * @param persistenceHandler the {@link PersistenceHandler} instance for this {@link PrivilegeHandler} - * @param userChallengeHandler the handler to challenge a user's actions e.g. password change or authentication - * @param policyMap map of {@link PrivilegePolicy} classes - * @throws PrivilegeException if the this method is called multiple times or an initialization exception occurs + * @param parameterMap + * a map containing configuration properties + * @param encryptionHandler + * the {@link EncryptionHandler} instance for this {@link PrivilegeHandler} + * @param persistenceHandler + * the {@link PersistenceHandler} instance for this {@link PrivilegeHandler} + * @param userChallengeHandler + * the handler to challenge a user's actions e.g. password change or authentication + * @param ssoHandler + * the {@link SingleSignOnHandler} + * @param policyMap + * map of {@link PrivilegePolicy} classes + * + * @throws PrivilegeException + * if the this method is called multiple times or an initialization exception occurs */ - public synchronized void initialize(Map parameterMap, EncryptionHandler encryptionHandler, - PersistenceHandler persistenceHandler, UserChallengeHandler userChallengeHandler, - Map> policyMap) { + public synchronized void initialize(Map parameterMap, + EncryptionHandler encryptionHandler, + PersistenceHandler persistenceHandler, + UserChallengeHandler userChallengeHandler, + SingleSignOnHandler ssoHandler, + Map> policyMap) { if (this.initialized) throw new PrivilegeException("Already initialized!"); //$NON-NLS-1$ @@ -1486,6 +1529,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { this.encryptionHandler = encryptionHandler; this.persistenceHandler = persistenceHandler; this.userChallengeHandler = userChallengeHandler; + this.ssoHandler = ssoHandler; handleAutoPersistOnUserDataChange(parameterMap); handlePersistSessionsParam(parameterMap); @@ -1678,7 +1722,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { /** * Validates that the policies which are not null on the privileges of the role exist * - * @param role the role for which the policies are to be checked + * @param role + * the role for which the policies are to be checked */ private void validatePolicies(Role role) { for (String privilegeName : role.getPrivilegeNames()) { @@ -1696,7 +1741,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * Passwords should not be kept as strings, as string are immutable, this method thus clears the char array so that * the password is not in memory anymore * - * @param password the char array containing the passwort which is to be set to zeroes + * @param password + * the char array containing the passwort which is to be set to zeroes */ private void clearPassword(char[] password) { if (password != null) { @@ -1734,7 +1780,7 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { } } - private PrivilegeContext initiateSystemPrivilege(String username, Restrictable restrictable) { + private PrivilegeContext initiateSystemPrivilege(String username, Restrictable restrictable) { if (username == null) throw new PrivilegeException("systemUsername may not be null!"); //$NON-NLS-1$ if (restrictable == null) @@ -1767,7 +1813,9 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * Returns the {@link Certificate} for the given system username. If it does not yet exist, then it is created by * authenticating the system user * - * @param systemUsername the name of the system user + * @param systemUsername + * the name of the system user + * * @return the {@link Certificate} for this system user */ private PrivilegeContext getSystemUserPrivilegeContext(String systemUsername) { @@ -1833,9 +1881,13 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler { * {@link PrivilegePolicy} object *

* - * @param policyName the class name of the {@link PrivilegePolicy} object to return + * @param policyName + * the class name of the {@link PrivilegePolicy} object to return + * * @return the {@link PrivilegePolicy} object - * @throws PrivilegeException if the {@link PrivilegePolicy} object for the given policy name could not be instantiated + * + * @throws PrivilegeException + * if the {@link PrivilegePolicy} object for the given policy name could not be instantiated */ private PrivilegePolicy getPolicy(String policyName) { diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/PrivilegeHandler.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/PrivilegeHandler.java index 67cc906a4..cf60ce7d2 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/PrivilegeHandler.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/PrivilegeHandler.java @@ -39,7 +39,7 @@ import li.strolch.privilege.policy.PrivilegePolicy; * The {@link PrivilegeHandler} is the centrally exposed API for accessing the privilege library. It exposes all needed * methods to access Privilege data model objects, modify them and validate if users or roles have privileges to perform * an action - * + * * @author Robert von Burg */ public interface PrivilegeHandler { @@ -50,307 +50,303 @@ public interface PrivilegeHandler { * Privilege "PrivilegeAction" which is used for privileges which are not further categorized e.g. s * {@link #PRIVILEGE_ACTION_PERSIST} and {@link #PRIVILEGE_ACTION_GET_POLICIES} */ - public static final String PRIVILEGE_ACTION = "PrivilegeAction"; + String PRIVILEGE_ACTION = "PrivilegeAction"; /** * For Privilege "PrivilegeAction" value required to be able to persist changes if not exempted by auto persist or * allAllowed */ - public static final String PRIVILEGE_ACTION_PERSIST = "Persist"; + String PRIVILEGE_ACTION_PERSIST = "Persist"; /** * For Privilege "PrivilegeAction" value required to be able to persist session if not exempted by * allAllowed */ - public static final String PRIVILEGE_ACTION_PERSIST_SESSIONS = "PersistSessions"; + String PRIVILEGE_ACTION_PERSIST_SESSIONS = "PersistSessions"; /** * For Privilege "PrivilegeAction" value required to be able to reload changes if not exempted by * allAllowed */ - public static final String PRIVILEGE_ACTION_RELOAD = "Reload"; + String PRIVILEGE_ACTION_RELOAD = "Reload"; /** * For Privilege "PrivilegeAction" value required to get currently configured policies if not * allAllowed */ - public static final String PRIVILEGE_ACTION_GET_POLICIES = "GetPolicies"; + String PRIVILEGE_ACTION_GET_POLICIES = "GetPolicies"; /** * For Privilege "PrivilegeAction" value required to get a certificate if not allAllowed */ - public static final String PRIVILEGE_ACTION_GET_CERTIFICATE = "GetCertificate"; + String PRIVILEGE_ACTION_GET_CERTIFICATE = "GetCertificate"; /** * For Privilege "PrivilegeAction" value required to get all certificates if not allAllowed */ - public static final String PRIVILEGE_ACTION_GET_CERTIFICATES = "GetCertificates"; + String PRIVILEGE_ACTION_GET_CERTIFICATES = "GetCertificates"; /// /** * Privilege "PrivilegeGetRole" which is used to validate that a user can get a specific role */ - public static final String PRIVILEGE_GET_ROLE = "PrivilegeGetRole"; + String PRIVILEGE_GET_ROLE = "PrivilegeGetRole"; /** * Privilege "PrivilegeAddRole" which is used to validate that a user can add a specific role */ - public static final String PRIVILEGE_ADD_ROLE = "PrivilegeAddRole"; + String PRIVILEGE_ADD_ROLE = "PrivilegeAddRole"; /** * Privilege "PrivilegeRemoveRole" which is used to validate that a user can remove a specific role */ - public static final String PRIVILEGE_REMOVE_ROLE = "PrivilegeRemoveRole"; + String PRIVILEGE_REMOVE_ROLE = "PrivilegeRemoveRole"; /** * Privilege "PrivilegeModifyRole" which is used to validate that a user can modify a specific role. Note: * This includes modifying of the privileges on the role */ - public static final String PRIVILEGE_MODIFY_ROLE = "PrivilegeModifyRole"; + String PRIVILEGE_MODIFY_ROLE = "PrivilegeModifyRole"; /// /** * Privilege "PrivilegeGetUser" which is used to validate that a user can get a specific user */ - public static final String PRIVILEGE_GET_USER = "PrivilegeGetUser"; + String PRIVILEGE_GET_USER = "PrivilegeGetUser"; /** * Privilege "PrivilegeAddUser" which is used to validate that a user can add a specific user */ - public static final String PRIVILEGE_ADD_USER = "PrivilegeAddUser"; + String PRIVILEGE_ADD_USER = "PrivilegeAddUser"; /** * Privilege "PrivilegeRemoveUser" which is used to validate that a user can remove a specific user */ - public static final String PRIVILEGE_REMOVE_USER = "PrivilegeRemoveUser"; + String PRIVILEGE_REMOVE_USER = "PrivilegeRemoveUser"; /** * Privilege "PrivilegeModifyUser" which is used to validate that a user can modify a specific user */ - public static final String PRIVILEGE_MODIFY_USER = "PrivilegeModifyUser"; + String PRIVILEGE_MODIFY_USER = "PrivilegeModifyUser"; /** * Privilege "PrivilegeAddRoleToUser" which is used to validate that a user can add a specific role to a specific * user */ - public static final String PRIVILEGE_ADD_ROLE_TO_USER = "PrivilegeAddRoleToUser"; + String PRIVILEGE_ADD_ROLE_TO_USER = "PrivilegeAddRoleToUser"; /** * Privilege "PrivilegeRemoveRoleFromUser" which is used to validate that a user can remove a specific role from a * specific user */ - public static final String PRIVILEGE_REMOVE_ROLE_FROM_USER = "PrivilegeRemoveRoleFromUser"; + String PRIVILEGE_REMOVE_ROLE_FROM_USER = "PrivilegeRemoveRoleFromUser"; /** * Privilege "PRIVILEGE_SET_USER_LOCALE" which is used to validate that a user can set the locale of a user, or * their own */ - public static final String PRIVILEGE_SET_USER_LOCALE = "PrivilegeSetUserLocale"; + String PRIVILEGE_SET_USER_LOCALE = "PrivilegeSetUserLocale"; /** * Privilege "PRIVILEGE_SET_USER_STATE" which is used to validate that a user can set the state of a user */ - public static final String PRIVILEGE_SET_USER_STATE = "PrivilegeSetUserState"; + String PRIVILEGE_SET_USER_STATE = "PrivilegeSetUserState"; /** * Privilege "PRIVILEGE_SET_USER_PASSWORD" which is used to validate that a user can set the password of a user, or * their own */ - public static final String PRIVILEGE_SET_USER_PASSWORD = "PrivilegeSetUserPassword"; + String PRIVILEGE_SET_USER_PASSWORD = "PrivilegeSetUserPassword"; /// /** * configuration parameter to define a secret_key */ - public static final String PARAM_SECRET_KEY = "secretKey"; //$NON-NLS-1$ + String PARAM_SECRET_KEY = "secretKey"; //$NON-NLS-1$ /** * configuration parameter to define a secret salt */ - public static final String PARAM_SECRET_SALT = "secretSalt"; //$NON-NLS-1$ + String PARAM_SECRET_SALT = "secretSalt"; //$NON-NLS-1$ /** * configuration parameter to define automatic persisting on password change */ - public static final String PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA = "autoPersistOnUserChangesData"; //$NON-NLS-1$ + String PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA = "autoPersistOnUserChangesData"; //$NON-NLS-1$ /** * configuration parameter to define if sessions should be persisted */ - public static final String PARAM_PERSIST_SESSIONS = "persistSessions"; //$NON-NLS-1$ + String PARAM_PERSIST_SESSIONS = "persistSessions"; //$NON-NLS-1$ /** * configuration parameter to define where sessions are to be persisted */ - public static final String PARAM_PERSIST_SESSIONS_PATH = "persistSessionsPath"; //$NON-NLS-1$ + String PARAM_PERSIST_SESSIONS_PATH = "persistSessionsPath"; //$NON-NLS-1$ /** * configuration parameter to define {@link PrivilegeConflictResolution} */ - public static final String PARAM_PRIVILEGE_CONFLICT_RESOLUTION = "privilegeConflictResolution"; + String PARAM_PRIVILEGE_CONFLICT_RESOLUTION = "privilegeConflictResolution"; /** * Returns a {@link UserRep} for the given username - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the name of the {@link UserRep} to return - * + * the name of the {@link UserRep} to return + * * @return the {@link UserRep} for the given username, or null if it was not found */ - public UserRep getUser(Certificate certificate, String username); + UserRep getUser(Certificate certificate, String username); /** * Returns a {@link RoleRep} for the given roleName - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleName - * the name of the {@link RoleRep} to return - * + * the name of the {@link RoleRep} to return + * * @return the {@link RoleRep} for the given roleName, or null if it was not found */ - public RoleRep getRole(Certificate certificate, String roleName); + RoleRep getRole(Certificate certificate, String roleName); /** * Returns the map of {@link PrivilegePolicy} definitions - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return the map of {@link PrivilegePolicy} definitions */ - public Map getPolicyDefs(Certificate certificate); + Map getPolicyDefs(Certificate certificate); /** * Returns the list of {@link Certificate Certificates} - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return the list of {@link Certificate Certificates} */ - public List getCertificates(Certificate certificate); + List getCertificates(Certificate certificate); /** * Returns all {@link RoleRep RoleReps} - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return the list of {@link RoleRep RoleReps} */ - public List getRoles(Certificate certificate); + List getRoles(Certificate certificate); /** * Returns all {@link UserRep UserReps} - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return the list of {@link UserRep UserReps} */ - public List getUsers(Certificate certificate); + List getUsers(Certificate certificate); /** * Method to query {@link UserRep} which meet the criteria set in the given {@link UserRep}. Null fields mean the * fields are irrelevant. - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param selectorRep - * the {@link UserRep} to use as criteria selection - * + * the {@link UserRep} to use as criteria selection + * * @return a list of {@link UserRep}s which fit the given criteria */ - public List queryUsers(Certificate certificate, UserRep selectorRep); + List queryUsers(Certificate certificate, UserRep selectorRep); /** * Removes the user with the given username - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the user to remove - * + * the username of the user to remove + * * @return the {@link UserRep} of the user removed, or null if the user did not exist - * + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public UserRep removeUser(Certificate certificate, String username) - throws AccessDeniedException, PrivilegeException; + UserRep removeUser(Certificate certificate, String username) throws PrivilegeException; /** * Removes the role with the given roleName from the user with the given username - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the user from which the role is to be removed + * the username of the user from which the role is to be removed * @param roleName - * the roleName of the role to remove from the user - * + * the roleName of the role to remove from the user + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) - throws AccessDeniedException, PrivilegeException; + UserRep removeRoleFromUser(Certificate certificate, String username, String roleName) throws PrivilegeException; /** * Removes the role with the given roleName - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleName - * the roleName of the role to remove - * + * the roleName of the role to remove + * * @return the {@link RoleRep} of the role removed, or null if the role did not exist - * + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or the role is still in use by a user + * if there is anything wrong with this certificate or the role is still in use by a user */ - public RoleRep removeRole(Certificate certificate, String roleName) - throws AccessDeniedException, PrivilegeException; + RoleRep removeRole(Certificate certificate, String roleName) throws PrivilegeException; /** * Removes the privilege with the given privilegeName from the role with the given roleName - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleName - * the roleName of the role from which the privilege is to be removed + * the roleName of the role from which the privilege is to be removed * @param privilegeName - * the privilegeName of the privilege to remove from the role - * + * the privilegeName of the privilege to remove from the role + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName) - throws AccessDeniedException, PrivilegeException; + RoleRep removePrivilegeFromRole(Certificate certificate, String roleName, String privilegeName) + throws PrivilegeException; /** *

* Adds a new user with the information from this {@link UserRep} *

- * + * *

* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])} *

- * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param userRep - * the {@link UserRep} containing the information to create the new {@link User} + * the {@link UserRep} containing the information to create the new {@link User} * @param password - * the password of the new user. If the password is null, then this is accepted but the user can not - * login, otherwise the password must be validated against - * {@link PrivilegeHandler#validatePassword(char[])} - * + * the password of the new user. If the password is null, then this is accepted but the user can not + * login, otherwise the password must be validated against + * {@link PrivilegeHandler#validatePassword(char[])} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or the user already exists + * if there is anything wrong with this certificate or the user already exists */ - public UserRep addUser(Certificate certificate, UserRep userRep, char[] password) - throws AccessDeniedException, PrivilegeException; + UserRep addUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException; /** *

@@ -358,7 +354,7 @@ public interface PrivilegeHandler { * will be updated on the existing user. The username on the given {@link UserRep} must be set and correspond to an * existing user. *

- * + * * The following fields are considered updateable: *
    *
  • {@link UserRep#getFirstname()}
    • @@ -366,117 +362,113 @@ public interface PrivilegeHandler { *
  • {@link UserRep#getLocale()}
    • *
  • {@link UserRep#getProperties()} - the existing properties will be replaced with the given properties
    • *
- * + * *

* Any other fields will be ignored *

- * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param userRep - * the {@link UserRep} with the fields set to their new values - * + * the {@link UserRep} with the fields set to their new values + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or if the user does not exist + * if there is anything wrong with this certificate or if the user does not exist */ - public UserRep updateUser(Certificate certificate, UserRep userRep) - throws AccessDeniedException, PrivilegeException; + UserRep updateUser(Certificate certificate, UserRep userRep) throws PrivilegeException; /** *

* Replaces the existing user with the information from this {@link UserRep} if the user already exists *

- * + * *

* If the password given is null, then the user is created, but can not not login! Otherwise the password must meet * the requirements of the implementation under {@link PrivilegeHandler#validatePassword(char[])} *

- * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param userRep - * the {@link UserRep} containing the information to replace the existing {@link User} + * the {@link UserRep} containing the information to replace the existing {@link User} * @param password - * the password of the new user. If the password is null, then this is accepted but the user can not - * login, otherwise the password must be validated against - * {@link PrivilegeHandler#validatePassword(char[])} - * + * the password of the new user. If the password is null, then this is accepted but the user can not + * login, otherwise the password must be validated against + * {@link PrivilegeHandler#validatePassword(char[])} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or if the user does not exist + * if there is anything wrong with this certificate or if the user does not exist */ - public UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password) - throws AccessDeniedException, PrivilegeException; + UserRep replaceUser(Certificate certificate, UserRep userRep, char[] password) throws PrivilegeException; /** * Adds a new role with the information from this {@link RoleRep} - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleRep - * the {@link RoleRep} containing the information to create the new {@link Role} - * + * the {@link RoleRep} containing the information to create the new {@link Role} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or if the role already exists + * if there is anything wrong with this certificate or if the role already exists */ - public RoleRep addRole(Certificate certificate, RoleRep roleRep) throws AccessDeniedException, PrivilegeException; + RoleRep addRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException; /** * Replaces the existing role with the information from this {@link RoleRep} - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleRep - * the {@link RoleRep} containing the information to replace the existing {@link Role} - * + * the {@link RoleRep} containing the information to replace the existing {@link Role} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or if the role does not exist + * if there is anything wrong with this certificate or if the role does not exist */ - public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) - throws AccessDeniedException, PrivilegeException; + RoleRep replaceRole(Certificate certificate, RoleRep roleRep) throws PrivilegeException; /** * Adds the role with the given roleName to the {@link User} with the given username - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the {@link User} to which the role should be added + * the username of the {@link User} to which the role should be added * @param roleName - * the roleName of the {@link Role} which should be added to the {@link User} - * + * the roleName of the {@link Role} which should be added to the {@link User} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or if the role does not exist + * if there is anything wrong with this certificate or if the role does not exist */ - public UserRep addRoleToUser(Certificate certificate, String username, String roleName) - throws AccessDeniedException, PrivilegeException; + UserRep addRoleToUser(Certificate certificate, String username, String roleName) throws PrivilegeException; /** * Adds the {@link PrivilegeRep} to the {@link Role} with the given roleName or replaces it, if it already exists - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param roleName - * the roleName of the {@link Role} to which the privilege should be added + * the roleName of the {@link Role} to which the privilege should be added * @param privilegeRep - * the representation of the {@link IPrivilege} which should be added or replaced on the {@link Role} - * + * the representation of the {@link IPrivilege} which should be added or replaced on the {@link Role} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate or the role does not exist + * if there is anything wrong with this certificate or the role does not exist */ - public RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep) - throws AccessDeniedException, PrivilegeException; + RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String roleName, PrivilegeRep privilegeRep) + throws PrivilegeException; /** *

@@ -484,243 +476,240 @@ public interface PrivilegeHandler { * can not login anymore. Otherwise the password must meet the requirements of the implementation under * {@link PrivilegeHandler#validatePassword(char[])} *

- * + * *

* It should be possible for a user to change their own password *

- * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the {@link User} for which the password is to be changed + * the username of the {@link User} for which the password is to be changed * @param password - * the new password for this user. If the password is null, then the {@link User} can not login anymore. - * Otherwise the password must meet the requirements of the implementation under - * {@link PrivilegeHandler#validatePassword(char[])} - * + * the new password for this user. If the password is null, then the {@link User} can not login anymore. + * Otherwise the password must meet the requirements of the implementation under + * {@link PrivilegeHandler#validatePassword(char[])} + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public void setUserPassword(Certificate certificate, String username, char[] password) - throws AccessDeniedException, PrivilegeException; + void setUserPassword(Certificate certificate, String username, char[] password) throws PrivilegeException; /** * Changes the {@link UserState} of the user - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the {@link User} for which the {@link UserState} is to be changed + * the username of the {@link User} for which the {@link UserState} is to be changed * @param state - * the new state for the user - * + * the new state for the user + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public UserRep setUserState(Certificate certificate, String username, UserState state) - throws AccessDeniedException, PrivilegeException; + UserRep setUserState(Certificate certificate, String username, UserState state) throws PrivilegeException; /** * Changes the {@link Locale} of the user - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action + * the {@link Certificate} of the user which has the privilege to perform this action * @param username - * the username of the {@link User} for which the {@link Locale} is to be changed + * the username of the {@link User} for which the {@link Locale} is to be changed * @param locale - * the new {@link Locale} for the user - * + * the new {@link Locale} for the user + * * @throws AccessDeniedException - * if the user for this certificate may not perform the action + * if the user for this certificate may not perform the action * @throws PrivilegeException - * if there is anything wrong with this certificate + * if there is anything wrong with this certificate */ - public UserRep setUserLocale(Certificate certificate, String username, Locale locale) - throws AccessDeniedException, PrivilegeException; + UserRep setUserLocale(Certificate certificate, String username, Locale locale) throws PrivilegeException; /** * Initiate a password reset challenge for the given username - * + * * @param usage - * the usage for which the challenge is requested + * the usage for which the challenge is requested * @param username - * the username of the user to initiate the challenge for + * the username of the user to initiate the challenge for */ - public void initiateChallengeFor(Usage usage, String username); + void initiateChallengeFor(Usage usage, String username); /** * Validate the response of a challenge for the given username - * + * * @param username - * the username of the user for which the challenge is to be validated + * the username of the user for which the challenge is to be validated * @param challenge - * the challenge from the user - * + * the challenge from the user + * * @return certificate with which the user can access the system with the {@link Usage} set to the value from the - * initiated challenge - * + * initiated challenge + * * @throws PrivilegeException - * if anything goes wrong + * if anything goes wrong */ - public Certificate validateChallenge(String username, String challenge) throws PrivilegeException; + Certificate validateChallenge(String username, String challenge) throws PrivilegeException; /** * Authenticates a user by validating that a {@link User} for the given username and password exist and then returns * a {@link Certificate} with which this user may then perform actions - * + * * @param username - * the username of the {@link User} which is registered in the {@link PersistenceHandler} + * the username of the {@link User} which is registered in the {@link PersistenceHandler} * @param password - * the password with which this user is to be authenticated. Null passwords are not accepted and they - * must meet the requirements of the {@link #validatePassword(char[])}-method - * + * the password with which this user is to be authenticated. Null passwords are not accepted and they + * must meet the requirements of the {@link #validatePassword(char[])}-method + * * @return a {@link Certificate} with which this user may then perform actions - * + * * @throws AccessDeniedException - * if the user credentials are not valid + * if the user credentials are not valid */ - public Certificate authenticate(String username, char[] password) throws AccessDeniedException; + Certificate authenticate(String username, char[] password) throws AccessDeniedException; + + /** + * Authenticates a user on a remote Single Sign On service. This is implemented by the + * + * @param data + * the data to perform the SSO + * + * @return the {@link Certificate} for the user + * + * @throws PrivilegeException + * if something goes wrong with the SSO + */ + Certificate authenticateSingleSignOn(Object data) throws PrivilegeException; /** * Invalidates the session for the given {@link Certificate}, effectively logging out the user who was authenticated * with the credentials associated to the given {@link Certificate} - * + * * @param certificate - * the {@link Certificate} for which the session is to be invalidated + * the {@link Certificate} for which the session is to be invalidated + * * @return true if the session was still valid and is now invalidated, false otherwise */ - public boolean invalidateSession(Certificate certificate); + boolean invalidate(Certificate certificate); /** * Checks if the given {@link Certificate} is valid. This means that the certificate is for a valid session and that * the user exists for the certificate. This method checks if the {@link Certificate} has been tampered with - * - * @param certificate - * the {@link Certificate} to check - * - * @throws PrivilegeException - * if there is anything wrong with this certificate - * @throws NotAuthenticatedException - * if the certificate has expired - */ - public void isCertificateValid(Certificate certificate) throws PrivilegeException, NotAuthenticatedException; - - /** + * * Returns the {@link PrivilegeContext} for the given {@link Certificate}. The {@link PrivilegeContext} is an * encapsulated state of a user's privileges so that for the duration of a user's call, the user can perform their * actions and do not need to access the {@link PrivilegeHandler} anymore - * + * * @param certificate - * a valid {@link Certificate} for which a {@link PrivilegeContext} is to be returned + * the {@link Certificate} to check + * * @return the {@link PrivilegeContext} for the given {@link Certificate} - * + * * @throws PrivilegeException - * if there is a configuration error or the {@link Certificate} is invalid + * if there is anything wrong with this certificate * @throws NotAuthenticatedException - * if the certificate has expired + * if the certificate has expired */ - public PrivilegeContext getPrivilegeContext(Certificate certificate) - throws PrivilegeException, NotAuthenticatedException; + PrivilegeContext validate(Certificate certificate) throws PrivilegeException; /** * Validate that the given password meets certain requirements. What these requirements are is a decision made by * the concrete implementation - * + * * @param password - * the password to be validated to meet certain requirements - * + * the password to be validated to meet certain requirements + * * @throws PrivilegeException - * if the password does not implement the requirement of the concrete implementation + * if the password does not implement the requirement of the concrete implementation */ - public void validatePassword(char[] password) throws PrivilegeException; + void validatePassword(char[] password) throws PrivilegeException; /** *

* Informs this {@link PersistenceHandler} to reload the data from the backend *

- * + * * Note: It depends on the underlying {@link PersistenceHandler} implementation if data really is read - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return true if the reload was successful, false if something went wrong - * + * * @throws AccessDeniedException - * if the users of the given certificate does not have the privilege to perform this action + * if the users of the given certificate does not have the privilege to perform this action */ - public boolean reload(Certificate certificate); + boolean reload(Certificate certificate); /** * Persists any changes to the privilege data model. Changes are thus not persisted immediately, but must be * actively performed - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return true if changes were persisted, false if no changes were persisted - * + * * @throws AccessDeniedException - * if the users of the given certificate does not have the privilege to perform this action + * if the users of the given certificate does not have the privilege to perform this action */ - public boolean persist(Certificate certificate) throws AccessDeniedException; + boolean persist(Certificate certificate) throws AccessDeniedException; /** * Persists all currently active sessions - * + * * @param certificate - * the {@link Certificate} of the user which has the privilege to perform this action - * + * the {@link Certificate} of the user which has the privilege to perform this action + * * @return true if changes were persisted, false if not (i.e. not enabled) - * + * * @throws AccessDeniedException - * if the users of the given certificate does not have the privilege to perform this action + * if the users of the given certificate does not have the privilege to perform this action */ - public boolean persistSessions(Certificate certificate) throws AccessDeniedException; + boolean persistSessions(Certificate certificate) throws AccessDeniedException; /** * Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which * has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation * of the given {@link SystemAction} instance - * - * + * * @param systemUsername - * the username of the system user to perform the action as + * the username of the system user to perform the action as * @param action - * the action to be performed as the system user - * - * @return the action - * + * the action to be performed as the system user + * * @throws PrivilegeException + * if the user does not exist, or the system action is not alloed */ - public void runAs(String systemUsername, SystemAction action) throws PrivilegeException; + void runAs(String systemUsername, SystemAction action) throws PrivilegeException; /** * Special method to perform work as a System user, meaning the given systemUsername corresponds to an account which * has the state {@link UserState#SYSTEM} and this user must have privilege to perform the concrete implementation * of the given {@link SystemAction} instance - * - * + * * @param systemUsername - * the username of the system user to perform the action as + * the username of the system user to perform the action as * @param action - * the action to be performed as the system user - * + * the action to be performed as the system user + * * @return the action - * + * * @throws PrivilegeException + * if the user does not exist, or the system action is not alloed */ - public T runWithResult(String systemUsername, SystemActionWithResult action) throws PrivilegeException; + T runWithResult(String systemUsername, SystemActionWithResult action) throws PrivilegeException; /** * Returns the {@link EncryptionHandler} instance - * + * * @return the {@link EncryptionHandler} instance */ - public EncryptionHandler getEncryptionHandler() throws PrivilegeException; - + EncryptionHandler getEncryptionHandler() throws PrivilegeException; } diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/SingleSignOnHandler.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/SingleSignOnHandler.java new file mode 100644 index 000000000..9bc27f4e8 --- /dev/null +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/handler/SingleSignOnHandler.java @@ -0,0 +1,32 @@ +package li.strolch.privilege.handler; + +import java.util.Map; + +import li.strolch.privilege.base.PrivilegeException; +import li.strolch.privilege.model.internal.User; + +public interface SingleSignOnHandler { + + /** + * Initialize the concrete {@link SingleSignOnHandler}. The passed parameter map contains any configuration the + * concrete {@link SingleSignOnHandler} might need + * + * @param parameterMap + * a map containing configuration properties + */ + void initialize(Map parameterMap); + + /** + * Authenticates a user on a remote Single Sign On service. + * + * @param data + * the data required to sign on the user + * + * @return the user, configured with the remote + * + * @throws PrivilegeException + * if the SSO can not be performed with the given data + */ + User authenticateSingleSignOn(Object data) throws PrivilegeException; + +} diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PrivilegeInitializationHelper.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PrivilegeInitializationHelper.java index d511ffbd2..962c7cffc 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PrivilegeInitializationHelper.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/PrivilegeInitializationHelper.java @@ -22,11 +22,7 @@ import java.text.MessageFormat; import java.util.Map; import li.strolch.privilege.base.PrivilegeException; -import li.strolch.privilege.handler.DefaultPrivilegeHandler; -import li.strolch.privilege.handler.EncryptionHandler; -import li.strolch.privilege.handler.PersistenceHandler; -import li.strolch.privilege.handler.PrivilegeHandler; -import li.strolch.privilege.handler.UserChallengeHandler; +import li.strolch.privilege.handler.*; import li.strolch.privilege.model.internal.PrivilegeContainerModel; import li.strolch.privilege.policy.PrivilegePolicy; import li.strolch.privilege.xml.PrivilegeConfigSaxReader; @@ -36,19 +32,19 @@ import li.strolch.utils.helper.XmlHelper; /** * This class implements the initializing of the {@link PrivilegeHandler} by loading an XML file containing the * configuration - * + * * @author Robert von Burg */ public class PrivilegeInitializationHelper { /** * Initializes the {@link DefaultPrivilegeHandler} from the configuration file - * + * * @param privilegeXmlFile - * a {@link File} reference to the XML file containing the configuration for Privilege - * + * a {@link File} reference to the XML file containing the configuration for Privilege + * * @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and - * {@link PersistenceHandler} are set and initialized as well + * {@link PersistenceHandler} are set and initialized as well */ public static PrivilegeHandler initializeFromXml(File privilegeXmlFile) { @@ -72,12 +68,12 @@ public class PrivilegeInitializationHelper { /** * Initializes the {@link PrivilegeHandler} by loading from the given input stream. This stream must be a valid XML * source - * + * * @param privilegeConfigInputStream - * the XML stream containing the privilege configuration - * + * the XML stream containing the privilege configuration + * * @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and - * {@link PersistenceHandler} are set and initialized as well + * {@link PersistenceHandler} are set and initialized as well */ public static PrivilegeHandler initializeFromXml(InputStream privilegeConfigInputStream) { @@ -91,12 +87,12 @@ public class PrivilegeInitializationHelper { /** * Initializes the {@link PrivilegeHandler} by initializing from the given {@link PrivilegeContainerModel} - * + * * @param containerModel - * the configuration for the {@link PrivilegeHandler} - * + * the configuration for the {@link PrivilegeHandler} + * * @return the initialized {@link PrivilegeHandler} where the {@link EncryptionHandler} and - * {@link PersistenceHandler} are set and initialized as well + * {@link PersistenceHandler} are set and initialized as well */ public static PrivilegeHandler initializeFromXml(PrivilegeContainerModel containerModel) { @@ -137,13 +133,31 @@ public class PrivilegeInitializationHelper { throw new PrivilegeException(msg, e); } + // initialize SSO handler + SingleSignOnHandler ssoHandler; + if (containerModel.getSsoHandlerClassName() == null) { + ssoHandler = null; + } else { + String ssoHandlerClassName = containerModel.getSsoHandlerClassName(); + ssoHandler = ClassHelper.instantiateClass(ssoHandlerClassName); + parameterMap = containerModel.getSsoHandlerParameterMap(); + try { + ssoHandler.initialize(parameterMap); + } catch (Exception e) { + String msg = "SingleSignOnHandler {0} could not be initialized"; //$NON-NLS-1$ + msg = MessageFormat.format(msg, ssoHandlerClassName); + throw new PrivilegeException(msg, e); + } + } + // initialize privilege handler DefaultPrivilegeHandler privilegeHandler = new DefaultPrivilegeHandler(); parameterMap = containerModel.getParameterMap(); Map> policyMap = containerModel.getPolicies(); try { - privilegeHandler.initialize(parameterMap, encryptionHandler, persistenceHandler, challengeHandler, - policyMap); + privilegeHandler + .initialize(parameterMap, encryptionHandler, persistenceHandler, challengeHandler, ssoHandler, + policyMap); } catch (Exception e) { String msg = "PrivilegeHandler {0} could not be initialized"; //$NON-NLS-1$ msg = MessageFormat.format(msg, privilegeHandler.getClass().getName()); diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/XmlConstants.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/XmlConstants.java index cad9ab76e..8dafde168 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/XmlConstants.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/helper/XmlConstants.java @@ -68,6 +68,11 @@ public class XmlConstants { */ public static final String XML_HANDLER_ENCRYPTION = "EncryptionHandler"; + /** + * XML_HANDLER_ENCRYPTION = "EncryptionHandler" : + */ + public static final String XML_HANDLER_SSO = "SsoHandler"; + /** * XML_HANDLER_PRIVILEGE = "PrivilegeHandler" : */ diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/model/internal/PrivilegeContainerModel.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/model/internal/PrivilegeContainerModel.java index 6cc895051..c42bf2ad2 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/model/internal/PrivilegeContainerModel.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/model/internal/PrivilegeContainerModel.java @@ -27,11 +27,11 @@ import li.strolch.privilege.policy.PrivilegePolicy; /** * This class is used during XML parsing to hold the model before it is properly validated and made accessible through * the {@link PrivilegeHandler} - * + * *

* Note: This is an internal object which is not to be serialized or passed to clients *

- * + * * @author Robert von Burg */ public class PrivilegeContainerModel { @@ -39,10 +39,12 @@ public class PrivilegeContainerModel { private String encryptionHandlerClassName; private String persistenceHandlerClassName; private String userChallengeHandlerClassName; + private String ssoHandlerClassName; private Map encryptionHandlerParameterMap; private Map persistenceHandlerParameterMap; private Map challengeHandlerParameterMap; + private Map ssoHandlerParameterMap; private Map parameterMap; @@ -53,6 +55,7 @@ public class PrivilegeContainerModel { this.encryptionHandlerParameterMap = new HashMap<>(); this.persistenceHandlerParameterMap = new HashMap<>(); this.challengeHandlerParameterMap = new HashMap<>(); + this.ssoHandlerParameterMap = new HashMap<>(); } public Map getParameterMap() { @@ -103,6 +106,14 @@ public class PrivilegeContainerModel { this.userChallengeHandlerClassName = userChallengeHandlerClassName; } + public String getSsoHandlerClassName() { + return this.ssoHandlerClassName; + } + + public void setSsoHandlerClassName(String ssoHandlerClassName) { + this.ssoHandlerClassName = ssoHandlerClassName; + } + public Map getUserChallengeHandlerParameterMap() { return this.challengeHandlerParameterMap; } @@ -111,6 +122,14 @@ public class PrivilegeContainerModel { this.challengeHandlerParameterMap = challengeHandlerParameterMap; } + public Map getSsoHandlerParameterMap() { + return this.ssoHandlerParameterMap; + } + + public void setSsoHandlerParameterMap(Map ssoHandlerParameterMap) { + this.ssoHandlerParameterMap = ssoHandlerParameterMap; + } + public void addPolicy(String privilegeName, String policyClassName) { try { @@ -160,6 +179,8 @@ public class PrivilegeContainerModel { builder.append(this.persistenceHandlerParameterMap.size()); builder.append(", challengeHandlerParameterMap="); builder.append(this.challengeHandlerParameterMap.size()); + builder.append(", ssoHandlerParameterMap="); + builder.append(this.ssoHandlerParameterMap.size()); builder.append(", parameterMap="); builder.append(this.parameterMap.size()); builder.append(", policies="); diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigDomWriter.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigDomWriter.java index 97dfb3458..4b1d7e31c 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigDomWriter.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigDomWriter.java @@ -15,20 +15,20 @@ */ package li.strolch.privilege.xml; +import static li.strolch.privilege.helper.XmlConstants.*; + import java.io.File; +import java.util.Map; import java.util.Map.Entry; -import org.w3c.dom.Document; -import org.w3c.dom.Element; - -import li.strolch.privilege.helper.XmlConstants; import li.strolch.privilege.model.internal.PrivilegeContainerModel; import li.strolch.privilege.policy.PrivilegePolicy; import li.strolch.utils.helper.XmlHelper; +import org.w3c.dom.Document; +import org.w3c.dom.Element; /** * @author Robert von Burg - * */ public class PrivilegeConfigDomWriter { @@ -36,7 +36,7 @@ public class PrivilegeConfigDomWriter { private final File configFile; /** - * + * */ public PrivilegeConfigDomWriter(PrivilegeContainerModel containerModel, File configFile) { this.containerModel = containerModel; @@ -44,72 +44,77 @@ public class PrivilegeConfigDomWriter { } /** - * + * */ public void write() { // create document root Document doc = XmlHelper.createDocument(); - Element rootElement = doc.createElement(XmlConstants.XML_ROOT_PRIVILEGE); + Element rootElement = doc.createElement(XML_ROOT_PRIVILEGE); doc.appendChild(rootElement); - Element containerElement = doc.createElement(XmlConstants.XML_CONTAINER); + Element containerElement = doc.createElement(XML_CONTAINER); rootElement.appendChild(containerElement); - Element parameterElement; - Element parametersElement; - - // Parameters - parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS); - containerElement.appendChild(parametersElement); - for (Entry entry : this.containerModel.getParameterMap().entrySet()) { - parameterElement = doc.createElement(XmlConstants.XML_PARAMETER); - parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey()); - parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue()); - parametersElement.appendChild(parameterElement); - } - // create EncryptionHandler - Element encryptionHandlerElem = doc.createElement(XmlConstants.XML_HANDLER_ENCRYPTION); + Element encryptionHandlerElem = doc.createElement(XML_HANDLER_ENCRYPTION); containerElement.appendChild(encryptionHandlerElem); - encryptionHandlerElem.setAttribute(XmlConstants.XML_ATTR_CLASS, - this.containerModel.getEncryptionHandlerClassName()); + encryptionHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getEncryptionHandlerClassName()); // Parameters - parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS); - encryptionHandlerElem.appendChild(parametersElement); - for (Entry entry : this.containerModel.getEncryptionHandlerParameterMap().entrySet()) { - parameterElement = doc.createElement(XmlConstants.XML_PARAMETER); - parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey()); - parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue()); - parametersElement.appendChild(parameterElement); - } + fillParameterMap(doc, encryptionHandlerElem, this.containerModel.getEncryptionHandlerParameterMap()); // create PersistenceHandler - Element persistenceHandlerElem = doc.createElement(XmlConstants.XML_HANDLER_PERSISTENCE); + Element persistenceHandlerElem = doc.createElement(XML_HANDLER_PERSISTENCE); containerElement.appendChild(persistenceHandlerElem); - persistenceHandlerElem.setAttribute(XmlConstants.XML_ATTR_CLASS, - this.containerModel.getPersistenceHandlerClassName()); + persistenceHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getPersistenceHandlerClassName()); // Parameters - parametersElement = doc.createElement(XmlConstants.XML_PARAMETERS); - persistenceHandlerElem.appendChild(parametersElement); - for (Entry entry : this.containerModel.getPersistenceHandlerParameterMap().entrySet()) { - parameterElement = doc.createElement(XmlConstants.XML_PARAMETER); - parameterElement.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey()); - parameterElement.setAttribute(XmlConstants.XML_ATTR_VALUE, entry.getValue()); - parametersElement.appendChild(parameterElement); + fillParameterMap(doc, persistenceHandlerElem, this.containerModel.getPersistenceHandlerParameterMap()); + + // Parameters + fillParameterMap(doc, containerElement, this.containerModel.getParameterMap()); + + // create UserChallengeHandler + Element userChallengeHandlerElem = doc.createElement(XML_HANDLER_USER_CHALLENGE); + containerElement.appendChild(userChallengeHandlerElem); + userChallengeHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getUserChallengeHandlerClassName()); + // Parameters + fillParameterMap(doc, userChallengeHandlerElem, this.containerModel.getUserChallengeHandlerParameterMap()); + + // create SingleSignOnHandler + if (this.containerModel.getSsoHandlerClassName() != null) { + Element ssoHandlerElem = doc.createElement(XML_HANDLER_SSO); + containerElement.appendChild(ssoHandlerElem); + ssoHandlerElem.setAttribute(XML_ATTR_CLASS, this.containerModel.getSsoHandlerClassName()); + // Parameters + fillParameterMap(doc, ssoHandlerElem, this.containerModel.getSsoHandlerParameterMap()); } // Policies - Element policiesElem = doc.createElement(XmlConstants.XML_POLICIES); + Element policiesElem = doc.createElement(XML_POLICIES); rootElement.appendChild(policiesElem); for (Entry> entry : this.containerModel.getPolicies().entrySet()) { - Element policyElem = doc.createElement(XmlConstants.XML_POLICY); - policyElem.setAttribute(XmlConstants.XML_ATTR_NAME, entry.getKey()); - policyElem.setAttribute(XmlConstants.XML_ATTR_CLASS, entry.getValue().getName()); + Element policyElem = doc.createElement(XML_POLICY); + policyElem.setAttribute(XML_ATTR_NAME, entry.getKey()); + policyElem.setAttribute(XML_ATTR_CLASS, entry.getValue().getName()); policiesElem.appendChild(policyElem); } // write the container file to disk XmlHelper.writeDocument(doc, this.configFile); } + + private void fillParameterMap(Document doc, Element parent, Map parameterMap) { + + if (parameterMap != null && !parameterMap.isEmpty()) { + Element parametersElement = doc.createElement(XML_PARAMETERS); + for (Entry entry : parameterMap.entrySet()) { + Element parameterElement = doc.createElement(XML_PARAMETER); + parameterElement.setAttribute(XML_ATTR_NAME, entry.getKey()); + parameterElement.setAttribute(XML_ATTR_VALUE, entry.getValue()); + parametersElement.appendChild(parameterElement); + } + + parent.appendChild(parametersElement); + } + } } diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigSaxReader.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigSaxReader.java index 16432ad49..25450531d 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigSaxReader.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/xml/PrivilegeConfigSaxReader.java @@ -105,6 +105,10 @@ public class PrivilegeConfigSaxReader extends DefaultHandler { this.currentElement = qName; String className = attributes.getValue(XmlConstants.XML_ATTR_CLASS); getContainerModel().setUserChallengeHandlerClassName(className); + } else if (qName.equals(XmlConstants.XML_HANDLER_SSO)) { + this.currentElement = qName; + String className = attributes.getValue(XmlConstants.XML_ATTR_CLASS); + getContainerModel().setSsoHandlerClassName(className); } } @@ -123,6 +127,8 @@ public class PrivilegeConfigSaxReader extends DefaultHandler { getContainerModel().setPersistenceHandlerParameterMap(parametersChild.getParameterMap()); } else if (this.currentElement.equals(XmlConstants.XML_HANDLER_USER_CHALLENGE)) { getContainerModel().setUserChallengeHandlerParameterMap(parametersChild.getParameterMap()); + } else if (this.currentElement.equals(XmlConstants.XML_HANDLER_SSO)) { + getContainerModel().setSsoHandlerParameterMap(parametersChild.getParameterMap()); } } } diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/AbstractPrivilegeTest.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/AbstractPrivilegeTest.java index fb5b13f28..3efa69ee9 100644 --- a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/AbstractPrivilegeTest.java +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/AbstractPrivilegeTest.java @@ -25,8 +25,7 @@ public class AbstractPrivilegeTest { protected void login(String username, char[] password) { Certificate certificate = privilegeHandler.authenticate(username, password); assertTrue("Certificate is null!", certificate != null); - PrivilegeContext privilegeContext = privilegeHandler.getPrivilegeContext(certificate); - this.ctx = privilegeContext; + this.ctx = privilegeHandler.validate(certificate); } protected void logout() { @@ -34,7 +33,7 @@ public class AbstractPrivilegeTest { try { PrivilegeContext privilegeContext = this.ctx; this.ctx = null; - privilegeHandler.invalidateSession(privilegeContext.getCertificate()); + privilegeHandler.invalidate(privilegeContext.getCertificate()); } catch (PrivilegeException e) { String msg = "There is no PrivilegeContext currently bound to the ThreadLocal!"; if (!e.getMessage().equals(msg)) @@ -43,18 +42,18 @@ public class AbstractPrivilegeTest { } } - protected static void prepareConfigs(String dst, String configFilename, String usersFilename, - String rolesFilename) { + protected static void prepareConfigs(String dst, + String configFilename, + String usersFilename, + String rolesFilename) { try { - String pwd = System.getProperty("user.dir"); - - File configPath = new File(pwd, "config"); + File configPath = new File("src/test/resources/config"); File privilegeConfigFile = new File(configPath, configFilename); File privilegeUsersFile = new File(configPath, usersFilename); File privilegeRolesFile = new File(configPath, rolesFilename); - File targetPath = new File(pwd, "target/" + dst); + File targetPath = new File("target/" + dst); if (!targetPath.mkdirs()) throw new RuntimeException("Could not create parent " + targetPath); @@ -79,8 +78,7 @@ public class AbstractPrivilegeTest { protected static void removeConfigs(String dst) { try { - String pwd = System.getProperty("user.dir"); - File targetPath = new File(pwd, "target"); + File targetPath = new File("target"); targetPath = new File(targetPath, dst); if (targetPath.exists() && !FileHelper.deleteFile(targetPath, true)) { throw new RuntimeException( @@ -94,8 +92,7 @@ public class AbstractPrivilegeTest { protected static File getPrivilegeConfigFile(String dst, String configFilename) { try { - String pwd = System.getProperty("user.dir"); - File targetPath = new File(pwd, "target"); + File targetPath = new File("target"); targetPath = new File(targetPath, dst); return new File(targetPath, configFilename); } catch (Exception e) { diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PersistSessionsTest.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PersistSessionsTest.java index d5c6d02ef..1b10ac221 100644 --- a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PersistSessionsTest.java +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PersistSessionsTest.java @@ -38,11 +38,11 @@ public class PersistSessionsTest extends AbstractPrivilegeTest { // login and assert sessions file was written login("admin", "admin".toCharArray()); - this.privilegeHandler.isCertificateValid(ctx.getCertificate()); + this.privilegeHandler.validate(ctx.getCertificate()); assertTrue("Sessions File should have been created!", sessionsFile.isFile()); // re-initialize and assert still logged in initialize(PersistSessionsTest.class.getSimpleName(), "PrivilegeConfig.xml"); - this.privilegeHandler.isCertificateValid(ctx.getCertificate()); + this.privilegeHandler.validate(ctx.getCertificate()); } } diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeTest.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeTest.java index 9c684a42b..25ef9bdec 100644 --- a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeTest.java +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/PrivilegeTest.java @@ -59,9 +59,9 @@ import li.strolch.utils.helper.ArraysHelper; /** * JUnit for performing Privilege tests. This JUnit is by no means complete, but checks the bare minimum.br /> - * + * * TODO add more tests, especially with deny and allow lists - * + * * @author Robert von Burg */ @SuppressWarnings("nls") @@ -117,9 +117,10 @@ public class PrivilegeTest extends AbstractPrivilegeTest { } } + @Test public void testFailAuthenticationNOk() throws Exception { this.exception.expect(AccessDeniedException.class); - this.exception.expectMessage("blabla"); + this.exception.expectMessage("User admin failed to authenticate: Password is incorrect for admin"); try { login(ADMIN, ArraysHelper.copyOf(PASS_BAD)); } finally { @@ -127,9 +128,10 @@ public class PrivilegeTest extends AbstractPrivilegeTest { } } + @Test public void testFailAuthenticationPWNull() throws Exception { this.exception.expect(PrivilegeException.class); - this.exception.expectMessage("blabla"); + this.exception.expectMessage("User admin failed to authenticate: A password may not be empty!"); try { login(ADMIN, null); } finally { @@ -324,7 +326,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest { Certificate certificate = this.ctx.getCertificate(); UserRep selectorRep = new UserRep(null, null, null, null, null, - new HashSet<>(Arrays.asList("PrivilegeAdmin")), null, null); + new HashSet<>(Collections.singletonList("PrivilegeAdmin")), null, null); List users = this.privilegeHandler.queryUsers(certificate, selectorRep); assertEquals(1, users.size()); assertEquals(ADMIN, users.get(0).getUsername()); @@ -341,8 +343,8 @@ public class PrivilegeTest extends AbstractPrivilegeTest { Certificate certificate = this.ctx.getCertificate(); - UserRep selectorRep = new UserRep(null, null, null, null, null, new HashSet<>(Arrays.asList(ROLE_TEMP)), - null, null); + UserRep selectorRep = new UserRep(null, null, null, null, null, + new HashSet<>(Collections.singletonList(ROLE_TEMP)), null, null); List users = this.privilegeHandler.queryUsers(certificate, selectorRep); assertEquals(0, users.size()); @@ -384,12 +386,13 @@ public class PrivilegeTest extends AbstractPrivilegeTest { public void shouldSetPasswordWithChallenge() { this.privilegeHandler.initiateChallengeFor(Usage.SET_PASSWORD, ADMIN); UserChallenge userChallenge = TestUserChallengeHandler.getInstance().getChallenges().values().stream() - .filter(u -> u.getUser().getUsername().equals(ADMIN)).findFirst().get(); + .filter(u -> u.getUser().getUsername().equals(ADMIN)).findFirst() + .orElseThrow(() -> new IllegalStateException("Missing admin user!")); Certificate certificate = this.privilegeHandler.validateChallenge(ADMIN, userChallenge.getChallenge()); this.privilegeHandler.setUserPassword(certificate, ADMIN, ArraysHelper.copyOf(PASS_TED)); try { - this.privilegeHandler.isCertificateValid(certificate); + this.privilegeHandler.validate(certificate); fail("Certificate should not be valid anymore!"); } catch (PrivilegeException e) { // expected @@ -398,7 +401,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest { // change password back certificate = this.privilegeHandler.authenticate(ADMIN, PASS_TED); this.privilegeHandler.setUserPassword(certificate, ADMIN, ArraysHelper.copyOf(PASS_ADMIN)); - this.privilegeHandler.invalidateSession(certificate); + this.privilegeHandler.invalidate(certificate); } /** @@ -651,8 +654,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest { // let's add a new user ted HashSet roles = new HashSet<>(); roles.add(ROLE_USER); - userRep = new UserRep(null, TED, "Ted", "Newman", UserState.ENABLED, roles, null, - new HashMap()); + userRep = new UserRep(null, TED, "Ted", "Newman", UserState.ENABLED, roles, null, new HashMap<>()); Certificate certificate = this.ctx.getCertificate(); this.privilegeHandler.addUser(certificate, userRep, null); logger.info("Added user " + TED); @@ -765,7 +767,7 @@ public class PrivilegeTest extends AbstractPrivilegeTest { // let's add a new user bob UserRep userRep = new UserRep(null, BOB, "Bob", "Newman", UserState.NEW, - new HashSet<>(Arrays.asList(ROLE_MY)), null, new HashMap()); + new HashSet<>(Collections.singletonList(ROLE_MY)), null, new HashMap<>()); Certificate certificate = this.ctx.getCertificate(); this.privilegeHandler.addUser(certificate, userRep, null); logger.info("Added user " + BOB); diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/SsoHandlerTest.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/SsoHandlerTest.java new file mode 100644 index 000000000..0cbeee57a --- /dev/null +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/SsoHandlerTest.java @@ -0,0 +1,57 @@ +package li.strolch.privilege.test; + +import java.util.HashMap; +import java.util.Map; + +import li.strolch.privilege.model.Certificate; +import li.strolch.privilege.model.Restrictable; +import li.strolch.privilege.test.model.TestRestrictable; +import org.junit.AfterClass; +import org.junit.Before; +import org.junit.BeforeClass; +import org.junit.Test; + +public class SsoHandlerTest extends AbstractPrivilegeTest { + + @BeforeClass + public static void init() throws Exception { + removeConfigs(SsoHandlerTest.class.getSimpleName()); + prepareConfigs(SsoHandlerTest.class.getSimpleName(), "PrivilegeConfig.xml", "PrivilegeUsers.xml", + "PrivilegeRoles.xml"); + } + + @AfterClass + public static void destroy() throws Exception { + removeConfigs(SsoHandlerTest.class.getSimpleName()); + } + + @Before + public void setup() throws Exception { + initialize(SsoHandlerTest.class.getSimpleName(), "PrivilegeConfig.xml"); + } + + @Test + public void testSsoAdmin() throws Exception { + + try { + Map data = new HashMap<>(); + data.put("userId", "admin"); + data.put("username", "admin"); + data.put("firstName", "Admin"); + data.put("lastName", "Istrator"); + data.put("roles", "PrivilegeAdmin, AppUser"); + + // auth + Certificate cert = this.privilegeHandler.authenticateSingleSignOn(data); + this.ctx = this.privilegeHandler.validate(cert); + + // validate action + Restrictable restrictable = new TestRestrictable(); + this.ctx.validateAction(restrictable); + + } finally { + // de-auth + logout(); + } + } +} diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/XmlTest.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/XmlTest.java index 1ad31166a..480e53490 100644 --- a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/XmlTest.java +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/XmlTest.java @@ -16,30 +16,13 @@ package li.strolch.privilege.test; import static org.hamcrest.Matchers.containsInAnyOrder; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertNotNull; -import static org.junit.Assert.assertThat; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; import java.io.File; -import java.util.ArrayList; -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.HashSet; -import java.util.List; -import java.util.Locale; -import java.util.Map; -import java.util.Set; - -import org.junit.AfterClass; -import org.junit.BeforeClass; -import org.junit.Test; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; +import java.util.*; import li.strolch.privilege.handler.DefaultEncryptionHandler; +import li.strolch.privilege.handler.MailUserChallengeHandler; import li.strolch.privilege.handler.PrivilegeHandler; import li.strolch.privilege.handler.XmlPersistenceHandler; import li.strolch.privilege.model.IPrivilege; @@ -48,15 +31,16 @@ import li.strolch.privilege.model.internal.PrivilegeContainerModel; import li.strolch.privilege.model.internal.PrivilegeImpl; import li.strolch.privilege.model.internal.Role; import li.strolch.privilege.model.internal.User; -import li.strolch.privilege.xml.PrivilegeConfigDomWriter; -import li.strolch.privilege.xml.PrivilegeConfigSaxReader; -import li.strolch.privilege.xml.PrivilegeRolesDomWriter; -import li.strolch.privilege.xml.PrivilegeRolesSaxReader; -import li.strolch.privilege.xml.PrivilegeUsersDomWriter; -import li.strolch.privilege.xml.PrivilegeUsersSaxReader; +import li.strolch.privilege.test.model.DummySsoHandler; +import li.strolch.privilege.xml.*; import li.strolch.utils.helper.FileHelper; import li.strolch.utils.helper.StringHelper; import li.strolch.utils.helper.XmlHelper; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * @author Robert von Burg @@ -64,12 +48,13 @@ import li.strolch.utils.helper.XmlHelper; @SuppressWarnings("nls") public class XmlTest { - private static final String TARGET_TEST = "./target/test"; + private static final String TARGET_TEST = "target/test/"; + private static final String SRC_TEST = "src/test/resources/config/"; private static final Logger logger = LoggerFactory.getLogger(XmlTest.class); /** * @throws Exception - * if something goes wrong + * if something goes wrong */ @BeforeClass public static void init() throws Exception { @@ -89,17 +74,17 @@ public class XmlTest { if (!tmpDir.exists()) return; - File tmpFile = new File("target/test/PrivilegeTest.xml"); + File tmpFile = new File(TARGET_TEST + "PrivilegeTest.xml"); if (tmpFile.exists() && !tmpFile.delete()) { throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath()); } - tmpFile = new File("target/test/PrivilegeUsersTest.xml"); + tmpFile = new File(TARGET_TEST + "PrivilegeUsersTest.xml"); if (tmpFile.exists() && !tmpFile.delete()) { throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath()); } - tmpFile = new File("target/test/PrivilegeRolesTest.xml"); + tmpFile = new File(TARGET_TEST + "PrivilegeRolesTest.xml"); if (tmpFile.exists() && !tmpFile.delete()) { throw new RuntimeException("Tmp still exists and can not be deleted at " + tmpFile.getAbsolutePath()); } @@ -115,7 +100,7 @@ public class XmlTest { PrivilegeContainerModel containerModel = new PrivilegeContainerModel(); PrivilegeConfigSaxReader saxReader = new PrivilegeConfigSaxReader(containerModel); - File xmlFile = new File("config/PrivilegeConfig.xml"); + File xmlFile = new File(SRC_TEST + "PrivilegeConfig.xml"); XmlHelper.parseDocument(xmlFile, saxReader); logger.info(containerModel.toString()); @@ -153,22 +138,24 @@ public class XmlTest { containerModel.setEncryptionHandlerParameterMap(encryptionHandlerParameterMap); containerModel.setPersistenceHandlerClassName(XmlPersistenceHandler.class.getName()); containerModel.setPersistenceHandlerParameterMap(persistenceHandlerParameterMap); + containerModel.setUserChallengeHandlerClassName(MailUserChallengeHandler.class.getName()); + containerModel.setSsoHandlerClassName(DummySsoHandler.class.getName()); containerModel.addPolicy("DefaultPrivilege", "li.strolch.privilege.policy.DefaultPrivilege"); - File configFile = new File("./target/test/PrivilegeTest.xml"); + File configFile = new File(TARGET_TEST + "PrivilegeTest.xml"); PrivilegeConfigDomWriter configSaxWriter = new PrivilegeConfigDomWriter(containerModel, configFile); configSaxWriter.write(); String fileHash = StringHelper.toHexString(FileHelper.hashFileSha256(configFile)); - assertEquals("800b8e42e15b6b3bb425fa9c12a011d587d2b12343a1d1371eaa36dc1b2ea5f4", fileHash); + assertEquals("55c1212446707563877009f2090a39ad2fdf5462108109bbe0c10759d100a482", fileHash); } @Test public void canReadUsers() { PrivilegeUsersSaxReader xmlHandler = new PrivilegeUsersSaxReader(); - File xmlFile = new File("config/PrivilegeUsers.xml"); + File xmlFile = new File(SRC_TEST + "PrivilegeUsers.xml"); XmlHelper.parseDocument(xmlFile, xmlHandler); List users = xmlHandler.getUsers(); @@ -215,7 +202,7 @@ public class XmlTest { public void canReadRoles() { PrivilegeRolesSaxReader xmlHandler = new PrivilegeRolesSaxReader(); - File xmlFile = new File("config/PrivilegeRoles.xml"); + File xmlFile = new File(SRC_TEST + "PrivilegeRoles.xml"); XmlHelper.parseDocument(xmlFile, xmlHandler); List roles = xmlHandler.getRoles(); @@ -253,7 +240,7 @@ public class XmlTest { // AppUser Role appUser = findRole("AppUser", roles); assertEquals("AppUser", appUser.getName()); - assertEquals(new HashSet<>(Arrays.asList("li.strolch.privilege.test.model.TestRestrictable")), + assertEquals(new HashSet<>(Collections.singletonList("li.strolch.privilege.test.model.TestRestrictable")), appUser.getPrivilegeNames()); IPrivilege testRestrictable = appUser.getPrivilege("li.strolch.privilege.test.model.TestRestrictable"); @@ -267,8 +254,9 @@ public class XmlTest { Role systemAdminPrivileges = findRole("system_admin_privileges", roles); assertEquals("system_admin_privileges", systemAdminPrivileges.getName()); assertEquals(2, systemAdminPrivileges.getPrivilegeNames().size()); - assertThat(systemAdminPrivileges.getPrivilegeNames(), containsInAnyOrder( - "li.strolch.privilege.handler.SystemAction", "li.strolch.privilege.test.model.TestSystemRestrictable")); + assertThat(systemAdminPrivileges.getPrivilegeNames(), + containsInAnyOrder("li.strolch.privilege.handler.SystemAction", + "li.strolch.privilege.test.model.TestSystemRestrictable")); IPrivilege testSystemUserAction = systemAdminPrivileges .getPrivilege("li.strolch.privilege.handler.SystemAction"); @@ -302,11 +290,6 @@ public class XmlTest { assertThat(testSystemUserAction2.getDenyList(), containsInAnyOrder("goodbye")); } - /** - * @param username - * @param users - * @return - */ private User findUser(String username, List users) { for (User user : users) { if (user.getUsername().equals(username)) @@ -316,11 +299,6 @@ public class XmlTest { throw new RuntimeException("No user exists with username " + username); } - /** - * @param name - * @param roles - * @return - */ private Role findRole(String name, List roles) { for (Role role : roles) { if (role.getName().equals(name)) @@ -353,7 +331,7 @@ public class XmlTest { UserState.ENABLED, userRoles, Locale.ENGLISH, propertyMap); users.add(user2); - File modelFile = new File("./target/test/PrivilegeUsersTest.xml"); + File modelFile = new File(TARGET_TEST + "PrivilegeUsersTest.xml"); PrivilegeUsersDomWriter configSaxWriter = new PrivilegeUsersDomWriter(users, modelFile); configSaxWriter.write(); @@ -408,7 +386,7 @@ public class XmlTest { Role role2 = new Role("role2", privilegeMap); roles.add(role2); - File modelFile = new File("./target/test/PrivilegeRolesTest.xml"); + File modelFile = new File(TARGET_TEST + "PrivilegeRolesTest.xml"); PrivilegeRolesDomWriter configSaxWriter = new PrivilegeRolesDomWriter(roles, modelFile); configSaxWriter.write(); diff --git a/li.strolch.privilege/src/test/java/li/strolch/privilege/test/model/DummySsoHandler.java b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/model/DummySsoHandler.java new file mode 100644 index 000000000..87da4ce86 --- /dev/null +++ b/li.strolch.privilege/src/test/java/li/strolch/privilege/test/model/DummySsoHandler.java @@ -0,0 +1,29 @@ +package li.strolch.privilege.test.model; + +import java.util.*; +import java.util.stream.Collectors; + +import li.strolch.privilege.base.PrivilegeException; +import li.strolch.privilege.handler.SingleSignOnHandler; +import li.strolch.privilege.model.UserState; +import li.strolch.privilege.model.internal.User; + +public class DummySsoHandler implements SingleSignOnHandler { + + @Override + public void initialize(Map parameterMap) { + // do nothing + } + + @Override + public User authenticateSingleSignOn(Object data) throws PrivilegeException { + + @SuppressWarnings("unchecked") + Map map = (Map) data; + + Set roles = Arrays.stream(map.get("roles").split(",")).map(String::trim).collect(Collectors.toSet()); + Map properties = new HashMap<>(); + return new User(map.get("userId"), map.get("username"), null, null, map.get("firstName"), map.get("lastName"), + UserState.ENABLED, roles, Locale.ENGLISH, properties); + } +} diff --git a/li.strolch.privilege/src/test/resources/config/PrivilegeConfig.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeConfig.xml new file mode 100644 index 000000000..4e3a31061 --- /dev/null +++ b/li.strolch.privilege/src/test/resources/config/PrivilegeConfig.xml @@ -0,0 +1,49 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/li.strolch.privilege/config/PrivilegeConfigMerge.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeConfigMerge.xml similarity index 95% rename from li.strolch.privilege/config/PrivilegeConfigMerge.xml rename to li.strolch.privilege/src/test/resources/config/PrivilegeConfigMerge.xml index 2cc02f506..77abe6fdc 100644 --- a/li.strolch.privilege/config/PrivilegeConfigMerge.xml +++ b/li.strolch.privilege/src/test/resources/config/PrivilegeConfigMerge.xml @@ -23,7 +23,7 @@ - + diff --git a/li.strolch.privilege/config/PrivilegeRoles.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml similarity index 100% rename from li.strolch.privilege/config/PrivilegeRoles.xml rename to li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml diff --git a/li.strolch.privilege/config/PrivilegeRolesMerge.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeRolesMerge.xml similarity index 100% rename from li.strolch.privilege/config/PrivilegeRolesMerge.xml rename to li.strolch.privilege/src/test/resources/config/PrivilegeRolesMerge.xml diff --git a/li.strolch.privilege/config/PrivilegeUsers.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeUsers.xml similarity index 100% rename from li.strolch.privilege/config/PrivilegeUsers.xml rename to li.strolch.privilege/src/test/resources/config/PrivilegeUsers.xml diff --git a/li.strolch.privilege/config/PrivilegeUsersMerge.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeUsersMerge.xml similarity index 100% rename from li.strolch.privilege/config/PrivilegeUsersMerge.xml rename to li.strolch.privilege/src/test/resources/config/PrivilegeUsersMerge.xml diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java b/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java index 67e58b4f3..93e97882b 100644 --- a/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java +++ b/li.strolch.rest/src/main/java/li/strolch/rest/DefaultStrolchSessionHandler.java @@ -116,7 +116,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St } else if (this.certificateMap != null) { synchronized (this.certificateMap) { for (Certificate certificate : this.certificateMap.values()) { - this.privilegeHandler.invalidateSession(certificate); + this.privilegeHandler.invalidate(certificate); } this.certificateMap.clear(); } @@ -154,14 +154,13 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St throw new StrolchNotAuthenticatedException( MessageFormat.format("No certificate exists for sessionId {0}", authToken)); //$NON-NLS-1$ - return validate(certificate); + return validate(certificate).getCertificate(); } @Override - public Certificate validate(Certificate certificate) throws StrolchNotAuthenticatedException { + public PrivilegeContext validate(Certificate certificate) throws StrolchNotAuthenticatedException { try { - this.privilegeHandler.isCertificateValid(certificate); - return certificate; + return this.privilegeHandler.validate(certificate); } catch (PrivilegeException e) { throw new StrolchNotAuthenticatedException(e.getMessage(), e); } @@ -176,7 +175,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St logger.error(MessageFormat .format("No session was registered with token {0}", certificate.getAuthToken())); //$NON-NLS-1$ - this.privilegeHandler.invalidateSession(certificate); + this.privilegeHandler.invalidate(certificate); } @Override @@ -255,7 +254,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St @Override public UserSession getSession(Certificate certificate, String sessionId) { - PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate); + PrivilegeContext ctx = this.privilegeHandler.validate(certificate); ctx.assertHasPrivilege(PRIVILEGE_GET_SESSION); synchronized (this.certificateMap) { for (Certificate cert : certificateMap.values()) { @@ -271,7 +270,7 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St @Override public List getSessions(Certificate certificate) { - PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate); + PrivilegeContext ctx = this.privilegeHandler.validate(certificate); ctx.assertHasPrivilege(PRIVILEGE_GET_SESSION); List sessions = new ArrayList<>(this.certificateMap.size()); synchronized (this.certificateMap) { @@ -289,8 +288,8 @@ public class DefaultStrolchSessionHandler extends StrolchComponent implements St } @Override - public void invalidateSession(Certificate certificate, String sessionId) { - PrivilegeContext ctx = this.privilegeHandler.getPrivilegeContext(certificate); + public void invalidate(Certificate certificate, String sessionId) { + PrivilegeContext ctx = this.privilegeHandler.validate(certificate); ctx.assertHasPrivilege(PRIVILEGE_INVALIDATE_SESSION); Map map; diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/StrolchSessionHandler.java b/li.strolch.rest/src/main/java/li/strolch/rest/StrolchSessionHandler.java index f84496bc4..356b04fe9 100644 --- a/li.strolch.rest/src/main/java/li/strolch/rest/StrolchSessionHandler.java +++ b/li.strolch.rest/src/main/java/li/strolch/rest/StrolchSessionHandler.java @@ -21,6 +21,7 @@ import java.util.Locale; import li.strolch.exception.StrolchNotAuthenticatedException; import li.strolch.privilege.base.PrivilegeException; import li.strolch.privilege.model.Certificate; +import li.strolch.privilege.model.PrivilegeContext; import li.strolch.privilege.model.Usage; import li.strolch.rest.model.UserSession; @@ -29,46 +30,46 @@ import li.strolch.rest.model.UserSession; */ public interface StrolchSessionHandler { - public Certificate authenticate(String username, char[] password); + Certificate authenticate(String username, char[] password); - public Certificate validate(String authToken) throws StrolchNotAuthenticatedException; + Certificate validate(String authToken) throws StrolchNotAuthenticatedException; - public Certificate validate(Certificate certificate) throws StrolchNotAuthenticatedException; + PrivilegeContext validate(Certificate certificate) throws StrolchNotAuthenticatedException; - public void invalidate(Certificate certificate); + List getSessions(Certificate certificate); - public List getSessions(Certificate certificate); + UserSession getSession(Certificate certificate, String sessionId); - public UserSession getSession(Certificate certificate, String sessionId); + void invalidate(Certificate certificate); - public void invalidateSession(Certificate certificate, String sessionId); + void invalidate(Certificate certificate, String sessionId); - public void setSessionLocale(Certificate certificate, String sessionId, Locale locale); + void setSessionLocale(Certificate certificate, String sessionId, Locale locale); /** * Initiate a password reset challenge for the given username - * + * * @param usage - * the usage for which the challenge is requested + * the usage for which the challenge is requested * @param username - * the username of the user to initiate the challenge for + * the username of the user to initiate the challenge for */ - public void initiateChallengeFor(Usage usage, String username); + void initiateChallengeFor(Usage usage, String username); /** * Validate the response of a challenge for the given username - * + * * @param username - * the username of the user for which the challenge is to be validated + * the username of the user for which the challenge is to be validated * @param challenge - * the challenge from the user - * + * the challenge from the user + * * @return certificate with which the user can access the system with the {@link Usage} set to the value from the - * initiated challenge - * + * initiated challenge + * * @throws PrivilegeException - * if anything goes wrong + * if anything goes wrong */ - public Certificate validateChallenge(String username, String challenge) throws PrivilegeException; + Certificate validateChallenge(String username, String challenge) throws PrivilegeException; } diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java index 6a37abf2b..53f600089 100644 --- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java +++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/AuthenticationService.java @@ -93,7 +93,7 @@ public class AuthenticationService { PrivilegeHandler privilegeHandler = RestfulStrolchComponent.getInstance().getContainer() .getPrivilegeHandler(); - PrivilegeContext privilegeContext = privilegeHandler.getPrivilegeContext(certificate); + PrivilegeContext privilegeContext = privilegeHandler.validate(certificate); loginResult.addProperty("sessionId", certificate.getSessionId()); loginResult.addProperty("authToken", certificate.getAuthToken()); loginResult.addProperty("username", certificate.getUsername()); diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/UserSessionsService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/UserSessionsService.java index 974764a09..177c745e5 100644 --- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/UserSessionsService.java +++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/UserSessionsService.java @@ -68,7 +68,7 @@ public class UserSessionsService { Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE); logger.info("[" + cert.getUsername() + "] Invalidating session " + sessionId); StrolchSessionHandler sessionHandler = RestfulStrolchComponent.getInstance().getSessionHandler(); - sessionHandler.invalidateSession(cert, sessionId); + sessionHandler.invalidate(cert, sessionId); return ResponseUtil.toResponse(); } diff --git a/li.strolch.service/src/test/java/li/strolch/service/test/GreetingServiceTest.java b/li.strolch.service/src/test/java/li/strolch/service/test/GreetingServiceTest.java index 688ac90c8..7d7bb016d 100644 --- a/li.strolch.service/src/test/java/li/strolch/service/test/GreetingServiceTest.java +++ b/li.strolch.service/src/test/java/li/strolch/service/test/GreetingServiceTest.java @@ -43,7 +43,7 @@ public class GreetingServiceTest extends AbstractServiceTest { greetingArgument); assertThat(greetingResult.getGreeting(), containsString("Hello Robert. Nice to meet you!")); //$NON-NLS-1$ } finally { - runtimeMock.getPrivilegeHandler().invalidateSession(certificate); + runtimeMock.getPrivilegeHandler().invalidate(certificate); } } } diff --git a/li.strolch.service/src/test/java/li/strolch/service/test/ServiceTest.java b/li.strolch.service/src/test/java/li/strolch/service/test/ServiceTest.java index e42c8073d..71359c300 100644 --- a/li.strolch.service/src/test/java/li/strolch/service/test/ServiceTest.java +++ b/li.strolch.service/src/test/java/li/strolch/service/test/ServiceTest.java @@ -58,16 +58,17 @@ public class ServiceTest extends AbstractServiceTest { public void shouldFailInvalidCertificate1() { this.thrown.expect(PrivilegeException.class); TestService testService = new TestService(); - getServiceHandler().doService(new Certificate(null, null, null, null, null, null, null, new Date(), null, - new HashSet(), null), testService); + getServiceHandler().doService( + new Certificate(null, null, null, null, null, null, null, new Date(), null, new HashSet<>(), null), + testService); } @Test public void shouldFailInvalidCertificate2() { TestService testService = new TestService(); - Certificate badCert = new Certificate(Usage.ANY, "1", "bob", "Bob", "Brown", UserState.ENABLED, "dsdf", //$NON-NLS-1$//$NON-NLS-2$//$NON-NLS-3$ - new Date(), null, - new HashSet(), null); + Certificate badCert = new Certificate(Usage.ANY, "1", "bob", "Bob", "Brown", UserState.ENABLED, "dsdf", + //$NON-NLS-1$//$NON-NLS-2$//$NON-NLS-3$ + new Date(), null, new HashSet<>(), null); ServiceResult svcResult = getServiceHandler().doService(badCert, testService); assertThat(svcResult.getThrowable(), instanceOf(NotAuthenticatedException.class)); } @@ -75,21 +76,23 @@ public class ServiceTest extends AbstractServiceTest { @Test public void shouldFailWithNoAccess() { - Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ + Certificate certificate = runtimeMock.getPrivilegeHandler() + .authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ try { TestService testService = new TestService(); ServiceResult svcResult = getServiceHandler().doService(certificate, testService); - assertThat(svcResult.getMessage(), - containsString("User jill does not have the privilege li.strolch.service.api.Service")); //$NON-NLS-1$ + assertThat(svcResult.getMessage(), containsString( + "User jill does not have the privilege li.strolch.service.api.Service")); //$NON-NLS-1$ assertThat(svcResult.getThrowable(), instanceOf(AccessDeniedException.class)); } finally { - runtimeMock.getPrivilegeHandler().invalidateSession(certificate); + runtimeMock.getPrivilegeHandler().invalidate(certificate); } } @Test public void shouldNotFailWithAccess() { - Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ + Certificate certificate = runtimeMock.getPrivilegeHandler() + .authenticate("jill", "jill".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ try { GreetingService service = new GreetingService(); GreetingArgument argument = new GreetingArgument(); @@ -97,25 +100,27 @@ public class ServiceTest extends AbstractServiceTest { GreetingResult greetingResult = getServiceHandler().doService(certificate, service, argument); assertThat(greetingResult.getGreeting(), equalTo("Hello Jill. Nice to meet you!")); //$NON-NLS-1$ } finally { - runtimeMock.getPrivilegeHandler().invalidateSession(certificate); + runtimeMock.getPrivilegeHandler().invalidate(certificate); } } @Test public void shouldNotFailWithLogin1() { - Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ + Certificate certificate = runtimeMock.getPrivilegeHandler() + .authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ try { TestService testService = new TestService(); getServiceHandler().doService(certificate, testService); } finally { - runtimeMock.getPrivilegeHandler().invalidateSession(certificate); + runtimeMock.getPrivilegeHandler().invalidate(certificate); } } @Test public void shouldNotFailWithLogin2() { - Certificate certificate = runtimeMock.getPrivilegeHandler().authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ + Certificate certificate = runtimeMock.getPrivilegeHandler() + .authenticate("bob", "bob".toCharArray()); //$NON-NLS-1$//$NON-NLS-2$ try { GreetingService service = new GreetingService(); GreetingArgument argument = new GreetingArgument(); @@ -123,7 +128,7 @@ public class ServiceTest extends AbstractServiceTest { GreetingResult greetingResult = getServiceHandler().doService(certificate, service, argument); assertThat(greetingResult.getGreeting(), equalTo("Hello Bob. Nice to meet you!")); //$NON-NLS-1$ } finally { - runtimeMock.getPrivilegeHandler().invalidateSession(certificate); + runtimeMock.getPrivilegeHandler().invalidate(certificate); } } } diff --git a/li.strolch.testbase/src/main/java/li/strolch/testbase/runtime/RuntimeMock.java b/li.strolch.testbase/src/main/java/li/strolch/testbase/runtime/RuntimeMock.java index a0e97761c..8da73235b 100644 --- a/li.strolch.testbase/src/main/java/li/strolch/testbase/runtime/RuntimeMock.java +++ b/li.strolch.testbase/src/main/java/li/strolch/testbase/runtime/RuntimeMock.java @@ -89,7 +89,7 @@ public class RuntimeMock { } public boolean logout(Certificate cert) { - return getPrivilegeHandler().invalidateSession(cert); + return getPrivilegeHandler().invalidate(cert); } public RuntimeMock mockRuntime(String targetPath, String srcPath) { @@ -235,8 +235,7 @@ public class RuntimeMock { } catch (Exception e) { throw new IllegalStateException("Failed to read " + StrolchAgent.AGENT_VERSION_PROPERTIES, e); } - StrolchVersion version = new StrolchVersion(properties); - return version; + return new StrolchVersion(properties); } }