private static final String authFileName = ROOT + "authorization.conf";
private ConcurrentMap<String, UserConfig> localUserConfigList;
private ConcurrentMap<String, ServerConfig> remoteServerConfigList;
- private ConcurrentMap<String, AuthorizationConfig> authorizationConfList; // local
- // authorization
- // info
- // for
- // remotely
- // authenticated
- // users
+ // local authorization info for remotely authenticated users
+ private ConcurrentMap<String, AuthorizationConfig> authorizationConfList;
private ConcurrentMap<String, AuthenticatedUser> activeUsers;
private ConcurrentMap<String, IAAAProvider> authProviders;
private ConcurrentMap<Long, String> localUserListSaveConfigEvent,
- remoteServerSaveConfigEvent, authorizationSaveConfigEvent;
+ remoteServerSaveConfigEvent, authorizationSaveConfigEvent;
private IClusterGlobalServices clusterGlobalService = null;
private SecurityContextRepository securityContextRepo = new UserSecurityContextRepository();
private IContainerAuthorization containerAuthorizationClient;
return authProviders.get(name);
}
+ @Override
public Set<String> getAAAProviderNames() {
return authProviders.keySet();
}
"usermanager.authorizationSaveConfigEvent",
EnumSet.of(IClusterServices.cacheMode.NON_TRANSACTIONAL));
} catch (CacheConfigException cce) {
- logger.error("\nCache configuration invalid - check cache mode");
+ logger.error("Cache configuration invalid - check cache mode");
} catch (CacheExistException ce) {
- logger.error("\nCache already exits - destroy and recreate if needed");
+ logger.debug("Skipping cache creation as already present");
}
}
activeUsers = (ConcurrentMap<String, AuthenticatedUser>) clusterGlobalService
.getCache("usermanager.activeUsers");
if (activeUsers == null) {
- logger.error("\nFailed to get cache for activeUsers");
+ logger.error("Failed to get cache for activeUsers");
}
localUserConfigList = (ConcurrentMap<String, UserConfig>) clusterGlobalService
.getCache("usermanager.localUserConfigList");
if (localUserConfigList == null) {
- logger.error("\nFailed to get cache for localUserConfigList");
+ logger.error("Failed to get cache for localUserConfigList");
}
remoteServerConfigList = (ConcurrentMap<String, ServerConfig>) clusterGlobalService
.getCache("usermanager.remoteServerConfigList");
if (remoteServerConfigList == null) {
- logger.error("\nFailed to get cache for remoteServerConfigList");
+ logger.error("Failed to get cache for remoteServerConfigList");
}
authorizationConfList = (ConcurrentMap<String, AuthorizationConfig>) clusterGlobalService
.getCache("usermanager.authorizationConfList");
if (authorizationConfList == null) {
- logger.error("\nFailed to get cache for authorizationConfList");
+ logger.error("Failed to get cache for authorizationConfList");
}
localUserListSaveConfigEvent = (ConcurrentMap<Long, String>) clusterGlobalService
.getCache("usermanager.localUserSaveConfigEvent");
if (localUserListSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for localUserSaveConfigEvent");
+ logger.error("Failed to get cache for localUserSaveConfigEvent");
}
remoteServerSaveConfigEvent = (ConcurrentMap<Long, String>) clusterGlobalService
.getCache("usermanager.remoteServerSaveConfigEvent");
if (remoteServerSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for remoteServerSaveConfigEvent");
+ logger.error("Failed to get cache for remoteServerSaveConfigEvent");
}
authorizationSaveConfigEvent = (ConcurrentMap<Long, String>) clusterGlobalService
.getCache("usermanager.authorizationSaveConfigEvent");
if (authorizationSaveConfigEvent == null) {
- logger.error("\nFailed to get cache for authorizationSaveConfigEvent");
+ logger.error("Failed to get cache for authorizationSaveConfigEvent");
}
}
// If startup config is not there, it's old or it was deleted,
// need to add Default Admin
if (!localUserConfigList.containsKey(defaultAdmin)) {
+ List<String> roles = new ArrayList<String>(1);
+ roles.add(defaultAdminRole);
localUserConfigList.put(defaultAdmin, new UserConfig(defaultAdmin,
- defaultAdminPassword, defaultAdminRole));
+ defaultAdminPassword, roles));
}
}
IAAAProvider aaaClient;
AuthResponse rcResponse = null;
AuthenticatedUser result;
- String[] adminRoles = null;
boolean remotelyAuthenticated = false;
boolean authorizationInfoIsPresent = false;
boolean authorized = false;
} else if (rcResponse.getStatus() == AuthResultEnum.AUTH_REJECT) {
logger.info(
"Remote Authentication Rejected User: \"{}\", from Server: {}, Reason:{}",
- new Object[] {userName, aaaServer.getAddress(),
- rcResponse.getStatus().toString()});
+ new Object[] { userName, aaaServer.getAddress(),
+ rcResponse.getStatus().toString() });
} else {
logger.info(
"Remote Authentication Failed for User: \"{}\", from Server: {}, Reason:{}",
- new Object[] {userName, aaaServer.getAddress(),
- rcResponse.getStatus().toString()});
+ new Object[] { userName, aaaServer.getAddress(),
+ rcResponse.getStatus().toString() });
}
}
}
if (resource != null) {
logger.info("Found Local Authorization Info for User: \"{}\"",
userName);
- attributes = resource.getRolesData();
+ attributes = resource.getRolesString();
}
authorizationInfoIsPresent = checkAuthorizationInfo(attributes);
*/
if (authorizationInfoIsPresent) {
// Identifying the administrative role
- adminRoles = attributes.split(" ");
- result.setRoleList(adminRoles);
+ result.setRoleList(attributes.split(" "));
authorized = true;
} else {
logger.info("Not able to find Authorization Info for User: \"{}\"",
putUserInActiveList(userName, result);
if (authorized) {
logger.info("User \"{}\" authorized for the following role(s): {}",
- userName, result.getUserRoles());
+ userName, result.getUserRoles());
} else {
logger.info("User \"{}\" Not Authorized for any role ", userName);
}
activeUsers.remove(user);
}
+ @Override
public Status saveLocalUserList() {
// Publish the save config event to the cluster nodes
localUserListSaveConfigEvent.put(new Date().getTime(), SAVE);
localUserConfigList), usersFileName);
}
+ @Override
public Status saveAAAServerList() {
// Publish the save config event to the cluster nodes
remoteServerSaveConfigEvent.put(new Date().getTime(), SAVE);
remoteServerConfigList), serversFileName);
}
+ @Override
public Status saveAuthorizationList() {
// Publish the save config event to the cluster nodes
authorizationSaveConfigEvent.put(new Date().getTime(), SAVE);
return new Status(StatusCode.NOTALLOWED, msg);
}
localUserConfigList.remove(AAAconf.getUser());
+ /*
+ * A user account has been removed form local database, we assume
+ * admin does not want this user to stay connected, in case he has
+ * an open session. So we clean the active list as well.
+ */
+ removeUserFromActiveList(AAAconf.getUser());
} else {
if (AAAconf.getUser().equals(UserManagerImpl.defaultAdmin)) {
String msg = "Invalid Request: Default Network Admin User "
if (targetConfigEntry == null) {
return new Status(StatusCode.NOTFOUND, "User not found");
}
- if (false == targetConfigEntry.update(curPassword, newPassword, null)) {
- return new Status(StatusCode.BADREQUEST,
- "Current password is incorrect");
+ Status status = targetConfigEntry
+ .update(curPassword, newPassword, null);
+ if (!status.isSuccess()) {
+ return status;
}
- localUserConfigList.put(user, targetConfigEntry); // trigger cluster
- // update
+ // Trigger cluster update
+ localUserConfigList.put(user, targetConfigEntry);
logger.info("Password changed for User \"{}\"", user);
- return new Status(StatusCode.SUCCESS, null);
+ return status;
}
@Override
String password = ci.nextArgument();
String role = ci.nextArgument();
+ List<String> roles = new ArrayList<String>();
+ while (role != null) {
+ if (!role.trim().isEmpty()) {
+ roles.add(role);
+ }
+ role = ci.nextArgument();
+ }
+
if (userName == null || userName.trim().isEmpty() || password == null
- || password.trim().isEmpty() || role == null
- || role.trim().isEmpty()) {
+ || password.trim().isEmpty() || roles == null
+ || roles.isEmpty()) {
ci.println("Invalid Arguments");
ci.println("umAddUser <user_name> <password> <user_role>");
return;
}
- this.addLocalUser(new UserConfig(userName, password, role));
+ ci.print(this.addLocalUser(new UserConfig(userName, password, roles)));
}
public void _umRemUser(CommandInterpreter ci) {
String userName = ci.nextArgument();
- String password = ci.nextArgument();
- String role = ci.nextArgument();
- if (userName == null || userName.trim().isEmpty() || password == null
- || password.trim().isEmpty() || role == null
- || role.trim().isEmpty()) {
+ if (userName == null || userName.trim().isEmpty()) {
ci.println("Invalid Arguments");
- ci.println("umRemUser <user_name> <password> <user_role>");
+ ci.println("umRemUser <user_name>");
+ return;
+ }
+ UserConfig target = localUserConfigList.get(userName);
+ if (target == null) {
+ ci.println("User not found");
return;
}
- this.removeLocalUser(new UserConfig(userName, password, role));
+ ci.println(this.removeLocalUser(target));
}
public void _umGetUsers(CommandInterpreter ci) {
for (UserConfig conf : this.getLocalUserList()) {
- ci.println(conf.getUser() + " " + conf.getRole());
+ ci.println(conf.getUser() + " " + conf.getRoles());
}
}
public void _printAAAServers(CommandInterpreter ci) {
for (ServerConfig aaaServer : remoteServerConfigList.values()) {
- String protocol = aaaServer.getProtocol();
ci.println(aaaServer.getAddress() + "-" + aaaServer.getProtocol());
}
}
/**
* Function called by the dependency manager when all the required
* dependencies are satisfied
- *
+ *
*/
void init() {
}
* Function called by the dependency manager when at least one dependency
* become unsatisfied or when the component is shutting down because for
* example bundle is being stopped.
- *
+ *
*/
void destroy() {
}
/**
* Function called by dependency manager after "init ()" is called and after
* the services provided by the class are registered in the service registry
- *
+ *
*/
void start() {
authProviders = new ConcurrentHashMap<String, IAAAProvider>();
* Function called by the dependency manager before the services exported by
* the component are unregistered, this will be followed by a "destroy ()"
* calls
- *
+ *
*/
void stop() {
}
@Override
public List<String> getUserRoles(String userName) {
- if (userName == null) {
- return new ArrayList<String>(0);
+ List<String> roles = null;
+ if (userName != null) {
+ /*
+ * First look in active users then in local configured users,
+ * finally in local authorized users
+ */
+ if (activeUsers.containsKey(userName)) {
+ roles = activeUsers.get(userName).getUserRoles();
+ } else if (localUserConfigList.containsKey(userName)) {
+ roles = localUserConfigList.get(userName).getRoles();
+ } else if (authorizationConfList.containsKey(userName)) {
+ roles = authorizationConfList.get(userName).getRoles();
+ }
}
- AuthenticatedUser locatedUser = activeUsers.get(userName);
- return (locatedUser == null) ? new ArrayList<String>(0) : locatedUser
- .getUserRoles();
+ return (roles == null) ? new ArrayList<String>(0) : roles;
}
@Override
public UserLevel getUserLevel(String username) {
- // Returns the controller well-know user level for the passed user
- String roleName = null;
-
- // First check in active users then in local configured users
- if (activeUsers.containsKey(username)) {
- roleName = activeUsers.get(username).getUserRoles().get(0);
- } else if (localUserConfigList.containsKey(username)) {
- roleName = localUserConfigList.get(username).getRole();
- }
+ // Returns the highest controller user level for the passed user
+ List<String> rolesNames = getUserRoles(username);
- if (roleName == null) {
+ if (rolesNames.isEmpty()) {
return UserLevel.NOUSER;
}
- // For now only one role per user is allowed
- if (roleName.equals(UserLevel.SYSTEMADMIN.toString())) {
+ // Check against the well known controller roles first
+ if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
return UserLevel.SYSTEMADMIN;
}
- if (roleName.equals(UserLevel.NETWORKADMIN.toString())) {
+ if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
return UserLevel.NETWORKADMIN;
}
- if (roleName.equals(UserLevel.NETWORKOPERATOR.toString())) {
+ if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
return UserLevel.NETWORKOPERATOR;
}
- if (this.containerAuthorizationClient != null
- && this.containerAuthorizationClient
- .isApplicationRole(roleName)) {
- return UserLevel.CONTAINERUSER;
+ // Check if container user now
+ if (containerAuthorizationClient != null) {
+ for (String roleName : rolesNames) {
+ if (containerAuthorizationClient.isApplicationRole(roleName)) {
+ return UserLevel.CONTAINERUSER;
+ }
+ }
}
- for (IResourceAuthorization client : this.applicationAuthorizationClients) {
- if (client.isApplicationRole(roleName)) {
- return UserLevel.APPUSER;
+ // Finally check if application user
+ if (applicationAuthorizationClients != null) {
+ for (String roleName : rolesNames) {
+ for (IResourceAuthorization client : this.applicationAuthorizationClients) {
+ if (client.isApplicationRole(roleName)) {
+ return UserLevel.APPUSER;
+ }
+ }
}
}
return UserLevel.NOUSER;
}
+
+ @Override
+ public List<UserLevel> getUserLevels(String username) {
+ // Returns the controller user levels for the passed user
+ List<String> rolesNames = getUserRoles(username);
+ List<UserLevel> levels = new ArrayList<UserLevel>();
+
+ if (rolesNames.isEmpty()) {
+ return levels;
+ }
+
+ // Check against the well known controller roles first
+ if (rolesNames.contains(UserLevel.SYSTEMADMIN.toString())) {
+ levels.add(UserLevel.SYSTEMADMIN);
+ }
+ if (rolesNames.contains(UserLevel.NETWORKADMIN.toString())) {
+ levels.add(UserLevel.NETWORKADMIN);
+ }
+ if (rolesNames.contains(UserLevel.NETWORKOPERATOR.toString())) {
+ levels.add(UserLevel.NETWORKOPERATOR);
+ }
+ // Check if container user now
+ if (containerAuthorizationClient != null) {
+ for (String roleName : rolesNames) {
+ if (containerAuthorizationClient.isApplicationRole(roleName)) {
+ levels.add(UserLevel.CONTAINERUSER);
+ break;
+ }
+ }
+ }
+ // Finally check if application user
+ if (applicationAuthorizationClients != null) {
+ for (String roleName : rolesNames) {
+ for (IResourceAuthorization client : this.applicationAuthorizationClients) {
+ if (client.isApplicationRole(roleName)) {
+ levels.add(UserLevel.APPUSER);
+ break;
+ }
+ }
+ }
+ }
+ return levels;
+ }
+
@Override
public Status saveConfiguration() {
boolean success = true;
.getPassword(), enabled, accountNonExpired,
credentialsNonExpired, accountNonLocked,
user.getGrantedAuthorities(getUserLevel(username)));
- } else
+ } else {
throw new UsernameNotFoundException("User not found " + username);
+ }
}
@Override
.getName())));
return authentication;
- } else
+ } else {
throw new BadCredentialsException(
"Username or credentials did not match");
+ }
}
- // following are setters for use in unit testing
+ // Following are setters for use in unit testing
void setLocalUserConfigList(ConcurrentMap<String, UserConfig> ucl) {
if (ucl != null) {
this.localUserConfigList = ucl;
this.sessionMgr = sessionMgr;
}
+ @Override
public String getPassword(String username) {
return localUserConfigList.get(username).getPassword();
}
+
+ @Override
+ public boolean isRoleInUse(String role) {
+ if (role == null || role.isEmpty()) {
+ return false;
+ }
+ // Check against controller roles
+ if (role.equals(UserLevel.SYSTEMADMIN.toString())
+ || role.equals(UserLevel.NETWORKADMIN.toString())
+ || role.equals(UserLevel.NETWORKOPERATOR.toString())) {
+ return true;
+ }
+ // Check if container roles
+ if (containerAuthorizationClient != null) {
+ if (containerAuthorizationClient.isApplicationRole(role)) {
+ return true;
+ }
+ }
+ // Finally if application role
+ if (applicationAuthorizationClients != null) {
+ for (IResourceAuthorization client : this.applicationAuthorizationClients) {
+ if (client.isApplicationRole(role)) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
}