/**
 * Authorization guard for this page (the denial message refers to viewing or managing agents):
 * raises a {@link PermissionException} unless the current web-session user holds the global
 * {@link Permission#MANAGE_INVENTORY} permission. Returns normally when the check passes.
 *
 * @throws PermissionException if the session subject lacks MANAGE_INVENTORY
 */
private void hasPermission() {
    Subject currentUser = EnterpriseFacesContextUtility.getSubject();
    boolean mayManageInventory = LookupUtil.getAuthorizationManager().hasGlobalPermission(currentUser,
        Permission.MANAGE_INVENTORY);
    if (mayManageInventory) {
        return;
    }
    throw new PermissionException("User [" + currentUser.getName()
        + "] does not have the proper permissions to view or manage agents");
}
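/**
 * Server side of the {@link LdapGWTService} GWT-RPC endpoint: exposes LDAP group discovery, the
 * LDAP-group-to-role mapping and LDAP user lookups to the web UI.
 *
 * <p>Authorization model: every method that reads or changes LDAP group data requires the calling
 * session subject to hold the global {@link Permission#MANAGE_SECURITY} permission, checked through
 * the subject's explicit global permissions (see {@link #requireManageSecurity(String)}). Once the
 * caller has passed that gate, role changes are handed to the LDAP group manager as the overlord
 * subject (presumably so the manager's own checks pass); any new method that forwards the overlord
 * must therefore gate on {@link #requireManageSecurity(String)} first.
 *
 * <p>{@link #checkLdapConfiguredStatus()} and {@link #checkLdapServerRequiresAttention()} perform no
 * authorization check (presumably because the login page needs them before a session exists); they
 * reveal only whether LDAP is enabled and whether the server needs attention.
 *
 * @author Simeon Pinder
 */
public class LdapGWTServiceImpl extends AbstractGWTServiceImpl implements LdapGWTService {
    private static final long serialVersionUID = 1L;

    private LdapGroupManagerLocal ldapManager = LookupUtil.getLdapGroupManager();
    private SubjectManagerLocal subjectManager = LookupUtil.getSubjectManager();
    private SystemManagerLocal systemManager = LookupUtil.getSystemManager();
    private AuthorizationManagerLocal authorizationManager = LookupUtil.getAuthorizationManager();

    private final Log log = LogFactory.getLog(LdapGWTServiceImpl.class);

    /** Returns true if the session subject's explicit global permissions include MANAGE_SECURITY. */
    private boolean hasManageSecurity() {
        Set<Permission> globalPermissions = authorizationManager.getExplicitGlobalPermissions(getSessionSubject());
        return globalPermissions.contains(Permission.MANAGE_SECURITY);
    }

    /**
     * Authorization gate shared by the LDAP group methods.
     *
     * @param deniedMessageTail the text that follows "User 'x' does not have " in the denial message
     * @throws PermissionException if the session subject lacks MANAGE_SECURITY
     */
    private void requireManageSecurity(String deniedMessageTail) {
        if (!hasManageSecurity()) {
            String message = "User '" + getSessionSubject().getName() + "' does not have " + deniedMessageTail;
            log.debug(message);
            throw new PermissionException(message);
        }
    }

    /** Returns true if one of the directory group maps carries {@code name} under its "name" key. */
    private static boolean containsGroupNamed(Set<Map<String, String>> groups, String name) {
        if (name == null) {
            return false;
        }
        for (Map<String, String> group : groups) {
            if (name.equals(group.get("name"))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Lists the groups reported by the configured LDAP server.
     *
     * @return one attribute map per directory group, as returned by the LDAP group manager
     * @throws PermissionException if the session subject lacks MANAGE_SECURITY
     */
    @Override
    public Set<Map<String, String>> findAvailableGroups() throws RuntimeException {
        try {
            requireManageSecurity("sufficient permissions to query available LDAP groups.");
            Set<Map<String, String>> results = ldapManager.findAvailableGroups();
            return SerialUtility.prepare(results, "findAvailableGroups");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Reports the status of the available-groups query (whatever the LDAP group manager returns for it).
     *
     * @return the status maps from the LDAP group manager
     * @throws PermissionException if the session subject lacks MANAGE_SECURITY
     */
    @Override
    public Set<Map<String, String>> findAvailableGroupsStatus() throws RuntimeException {
        try {
            requireManageSecurity("sufficient permissions to query the status of available LDAP groups request.");
            Set<Map<String, String>> results = ldapManager.findAvailableGroupsStatus();
            // Label presumed to be a diagnostic tag (every other call uses its own method name);
            // it was previously copy-pasted as "findAvailableGroups".
            return SerialUtility.prepare(results, "findAvailableGroupsStatus");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Replaces the LDAP groups mapped to a role with exactly {@code groupIds}.
     *
     * <p>The replacement is a remove-all followed by an add, issued as two separate manager calls as the
     * overlord after the caller has been authorized. Input validation and the directory lookup happen
     * before the remove so that a bad request or an unreachable LDAP server cannot leave the role
     * stripped of its groups; a failure in the final add step still can (unless the managers share a
     * transaction — confirm).
     *
     * @param roleId   id of the role whose LDAP group mapping is replaced
     * @param groupIds LDAP group names to map to the role afterwards; must not be null (pass an empty
     *                 list to clear the mapping)
     * @throws PermissionException if the session subject lacks MANAGE_SECURITY
     * @throws IllegalArgumentException if {@code groupIds} is null
     */
    public void setLdapGroupsForRole(int roleId, List<String> groupIds) throws RuntimeException {
        try {
            requireManageSecurity("sufficient permissions to modify LDAP group assignments for roles.");
            if (groupIds == null) {
                throw new IllegalArgumentException("groupIds must not be null (pass an empty list to clear the role)");
            }

            // Cross-check the requested names against what the directory currently reports. This is
            // informational only: the full request is still passed through (as before), because the
            // listing may be incomplete, but a name the directory does not know can never match a
            // user and is worth surfacing to the operator.
            Set<Map<String, String>> allAvailableLdapGroups = ldapManager.findAvailableGroups();
            List<String> unknownGroups = new ArrayList<String>();
            for (String group : groupIds) {
                if (!containsGroupNamed(allAvailableLdapGroups, group)) {
                    unknownGroups.add(group);
                }
            }
            if (!unknownGroups.isEmpty()) {
                log.warn("Role [" + roleId + "] is being mapped to " + unknownGroups.size()
                    + " LDAP group(s) not present in the directory listing: " + unknownGroups);
            }

            // clean out existing roles as this defines the new list of roles
            PageList<LdapGroup> existing = ldapManager.findLdapGroupsByRole(roleId, PageControl.getUnlimitedInstance());
            int[] groupIndices = new int[existing.size()];
            int indx = 0;
            for (LdapGroup lg : existing) {
                groupIndices[indx++] = lg.getId();
            }
            log.trace("Removing " + groupIndices.length + " LDAP Groups from role '" + roleId + "'.");
            ldapManager.removeLdapGroupsFromRole(subjectManager.getOverlord(), roleId, groupIndices);

            log.trace("Adding " + groupIds.size() + " ldap groups to role[" + roleId + "].");
            ldapManager.addLdapGroupsToRole(subjectManager.getOverlord(), roleId, groupIds);
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Returns the LDAP groups currently mapped to a role.
     *
     * @param roleId id of the role to inspect
     * @return all mapped groups (unpaged)
     * @throws PermissionException if the session subject lacks MANAGE_SECURITY
     */
    public PageList<LdapGroup> findLdapGroupsAssignedToRole(int roleId) throws RuntimeException {
        try {
            requireManageSecurity("permissions to query LDAP group by role.");
            PageList<LdapGroup> allAssignedLdapGroups = ldapManager.findLdapGroupsByRole(roleId,
                PageControl.getUnlimitedInstance());
            return SerialUtility.prepare(allAssignedLdapGroups, "findLdapGroupsAssignedToRole");
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Returns true if LDAP authentication is enabled, or false otherwise.
     *
     * <p>No authorization check: only the boolean LDAP_BASED_JAAS_PROVIDER flag is disclosed.
     * NOTE(review): the unmasked settings view is fetched just to read that one flag; if a narrower
     * (masked) accessor exists, prefer it, since the unmasked view presumably carries credential values.
     */
    public Boolean checkLdapConfiguredStatus() throws RuntimeException {
        try {
            SystemSettings systemSettings = systemManager.getUnmaskedSystemSettings(true);
            String value = systemSettings.get(SystemSetting.LDAP_BASED_JAAS_PROVIDER);
            // parseBoolean yields false for null, matching the previous explicit null check
            return Boolean.parseBoolean(value);
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Returns all LDAP details for a given user, using the configured ldap details of server.
     *
     * <p>Authorization: a caller may look up their own entry; looking up any other user requires
     * MANAGE_SECURITY, consistent with the other LDAP methods here. Without this gate any session
     * could read directory attributes for an arbitrary caller-supplied user name.
     * NOTE(review): self-lookup is keyed on the session subject's name equalling {@code user}, on the
     * assumption that the first-login LDAP registration / profile flows already run with such a
     * session — verify against the UI callers before tightening further.
     *
     * @param user the LDAP user name to look up
     * @return the attribute map for the user, as returned by the LDAP group manager
     * @throws PermissionException if {@code user} is not the session subject and the caller lacks MANAGE_SECURITY
     */
    public Map<String, String> getLdapDetailsFor(String user) throws RuntimeException {
        try {
            String callerName = getSessionSubject().getName();
            if (!callerName.equals(user) && !hasManageSecurity()) {
                String message = "User '" + callerName
                    + "' does not have sufficient permissions to query LDAP details for user '" + user + "'.";
                log.debug(message);
                throw new PermissionException(message);
            }
            return ldapManager.findLdapUserDetails(user);
        } catch (Throwable t) {
            throw getExceptionToThrowToClient(t);
        }
    }

    /**
     * Returns true if LDAP is enabled and the LDAP group manager reports that the server requires
     * attention; false (without contacting the manager) when LDAP is not enabled. No authorization check.
     */
    @Override
    public Boolean checkLdapServerRequiresAttention() throws RuntimeException {
        boolean requiresAttention = false;
        if (checkLdapConfiguredStatus()) {
            // ldap configured
            try {
                requiresAttention = ldapManager.ldapServerRequiresAttention();
            } catch (Throwable t) {
                throw getExceptionToThrowToClient(t);
            }
        }
        return Boolean.valueOf(requiresAttention);
    }
}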