/**
* Serializes list of ldap users matching filter.
*
* @param context the current request context
* @param filter the user search filter for ldap
* @return the list of users as json
* @throws IdentityException if a system error occurs preventing the action
* @throws NamingException if an LDAP naming exception occurs
* @throws SQLException
*/
protected String serializeUsersAsJson(
RequestContext context, String filter, String attributeName, boolean isMemberSearch)
throws IdentityException, NamingException, SQLException {
Users users = new Users();
int totalMatches = 0;
if (!isMemberSearch) {
HashMap<String, Object> resultsMap = buildUsersList(context, filter, null);
users = (Users) resultsMap.get("topUserMatches");
totalMatches = (Integer) resultsMap.get("totalMatches");
} else if (isMemberSearch && attributeName != null) {
Roles configuredRoles = context.getIdentityConfiguration().getConfiguredRoles();
Role role = configuredRoles.get(attributeName);
String sDn = role.getDistinguishedName();
IdentityAdapter idAdapter = context.newIdentityAdapter();
users = idAdapter.readGroupMembers(sDn);
totalMatches = users.size();
users.sort();
} else {
IdentityAdapter idAdapter = context.newIdentityAdapter();
Users members = idAdapter.readGroupMembers(filter);
for (User u : members.values()) {
users.add(u);
}
users.sort();
totalMatches = users.size();
}
String usersJson =
"{ \"totalUsers\" : \""
+ totalMatches
+ "\" ,\"topUsers\" : \""
+ users.size()
+ "\" , \"users\": [";
boolean firstUser = true;
for (User user : users.values()) {
String userName = user.getName();
String dn = user.getKey();
if (!firstUser) {
usersJson += ",";
} else {
firstUser = false;
}
usersJson +=
" { \"dn\" : \""
+ dn
+ "\" , \"userName\" : \""
+ Val.escapeStrForJson(userName)
+ "\" }";
}
usersJson += " ] }";
return usersJson;
}
/**
* Constructs a administrator based upon the user associated with the current request context.
*
* @param context the current request context (contains the active user)
* @throws NotAuthorizedException if the user does not have publishing rights
*/
protected void checkRole(RequestContext context) throws NotAuthorizedException {
// initialize
User user = context.getUser();
user.setKey(user.getKey());
user.setLocalID(user.getLocalID());
user.setDistinguishedName(user.getDistinguishedName());
user.setName(user.getName());
// establish credentials
UsernamePasswordCredentials creds = new UsernamePasswordCredentials();
creds.setUsername(user.getName());
user.setCredentials(creds);
user.setAuthenticationStatus(user.getAuthenticationStatus());
assertAdministratorRole(user);
}
/**
* Establishes the user associated with the operation.
*
* @param context the assertion operation context
* @throws NotAuthorizedException if authentication was required
* @throws AsnInsufficientPrivilegeException if the user has insufficient privilege
* @throws AsnUnestablishedUserException if the user could not be established
*/
public void establishUser(AsnContext context)
throws NotAuthorizedException, AsnUnestablishedUserException {
// initialize
this.setWasUserEstablished(false);
AsnOperation operation = context.getOperation();
User user = context.getRequestContext().getUser();
// establish the user part of the operation
if (operation.getUserPart() == null) {
operation.setUserPart(new AsnUserPart());
}
operation.getUserPart().setIPAddress(context.getRequestOptions().getIPAddress());
AsnAuthPolicy authPolicy = operation.getAuthPolicy();
if (authPolicy.getAuthenticationRequired()) {
if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
throw new NotAuthorizedException("Not authorized.");
}
}
if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
operation.getUserPart().setName(AsnConstants.ANONYMOUS_USERNAME);
this.setWasUserEstablished(true);
} else {
String key = Val.chkStr(user.getKey());
if (key.length() > 0) {
operation.getUserPart().setKey(key);
if (user.getLocalID() >= 0) {
operation.getUserPart().setID("" + user.getLocalID());
String name = Val.chkStr(user.getName());
if (name.length() > 0) {
operation.getUserPart().setName(name);
this.setWasUserEstablished(true);
}
}
}
}
if (!this.getWasUserEstablished()) {
throw new AsnUnestablishedUserException();
}
// check the admin database for a disabled user:ipaddress or user:key
// check the admin index for moderation privileges
}
/**
* Executes the query request.
*
* @throws SQLException if a database exception occurs
* @throws IOException
* @throws SAXException
* @throws ParserConfigurationException
*/
public void execute()
throws SQLException, IdentityException, NamingException, ParserConfigurationException,
SAXException, IOException {
// intitalize
PreparedStatement st = null;
PreparedStatement stCount = null;
MmdQueryCriteria criteria = getQueryCriteria();
MmdRecords records = getQueryResult().getRecords();
PageCursor pageCursor = getQueryResult().getPageCursor();
criteria.getDateRange().check();
pageCursor.setTotalRecordCount(0);
adminDao = new ImsMetadataAdminDao(getRequestContext());
tblImsUser = getRequestContext().getCatalogConfiguration().getUserTableName();
Users editablePublishers = Publisher.buildSelectablePublishers(getRequestContext(), false);
for (User u : editablePublishers.values()) {
if (u.getName().length() > 0) {
hmEditablePublishers.put(u.getName().toLowerCase(), u.getKey());
}
}
User tmpUser = new User();
tmpUser.setDistinguishedName("*");
getRequestContext().newIdentityAdapter().readUserGroups(tmpUser);
allGroups = tmpUser.getGroups();
isGptAdministrator = new RoleMap(getRequestContext().getUser()).get("gptAdministrator");
// determine if we are in ArcIMS metadata server proxy mode
try {
// establish the connection
ManagedConnection mc = returnConnection();
Connection con = mc.getJdbcConnection();
// start the SQL expression
StringBuilder sbSql = new StringBuilder();
StringBuilder sbCount = new StringBuilder();
StringBuilder sbFrom = new StringBuilder();
StringBuilder sbWhere = new StringBuilder();
sbSql.append("SELECT A.TITLE,A.DOCUUID,A.SITEUUID,C.USERNAME");
sbSql.append(",A.APPROVALSTATUS,A.PUBMETHOD,A.UPDATEDATE,A.ACL");
sbSql.append(",A.ID,A.HOST_URL,A.FREQUENCY,A.SEND_NOTIFICATION,A.PROTOCOL");
sbSql.append(",A.FINDABLE,A.SEARCHABLE,A.SYNCHRONIZABLE");
sbCount.append("SELECT COUNT(*)");
// append from clause
sbFrom.append(" FROM ").append(tblImsUser).append(" C");
sbFrom.append(",").append(getResourceTableName()).append(" A");
sbSql.append(sbFrom);
sbCount.append(sbFrom);
// build the where clause
if (sbWhere.length() > 0) {
sbWhere.append(" AND");
}
sbWhere.append(" (A.OWNER = C.USERID)");
Map<String, Object> args = criteria.appendWherePhrase("A", sbWhere, getPublisher());
// append the where clause expressions
if (sbWhere.length() > 0) {
sbSql.append(" WHERE ").append(sbWhere.toString());
sbCount.append(" WHERE ").append(sbWhere.toString());
}
// append the order by clause
String sSortColumn = criteria.getSortOption().getColumnKey();
String sSortDir = criteria.getSortOption().getDirection().toString();
if (sSortColumn.equalsIgnoreCase("title")) {
sSortColumn = "UPPER(A.TITLE)";
} else if (sSortColumn.equalsIgnoreCase("uuid")) {
sSortColumn = "A.DOCUUID";
} else if (sSortColumn.equalsIgnoreCase("owner")) {
sSortColumn = "UPPER(C.USERNAME)";
} else if (sSortColumn.equalsIgnoreCase("status")) {
sSortColumn = "A.APPROVALSTATUS";
} else if (sSortColumn.equalsIgnoreCase("method")) {
sSortColumn = "A.PUBMETHOD";
} else if (sSortColumn.equalsIgnoreCase("acl")) {
sSortColumn = "A.ACL";
} else if (sSortColumn.equalsIgnoreCase("updatedate")) {
sSortColumn = "A.UPDATEDATE";
} else {
sSortColumn = "A.UPDATEDATE";
sSortDir = "DESC";
criteria.getSortOption().setColumnKey("updatedate");
criteria.getSortOption().setDirection("desc");
}
sbSql.append(" ORDER BY ");
sbSql.append(sSortColumn).append(" ").append(sSortDir.toUpperCase());
if (!sSortColumn.equalsIgnoreCase("A.UPDATEDATE")) {
sbSql.append(", A.UPDATEDATE DESC");
}
// prepare the statements
st = con.prepareStatement(sbSql.toString());
stCount = con.prepareStatement(sbCount.toString());
int n = 1;
criteria.applyArgs(st, n, args);
criteria.applyArgs(stCount, n, args);
// query the count
logExpression(sbCount.toString());
ResultSet rsCount = stCount.executeQuery();
if (rsCount.next()) {
pageCursor.setTotalRecordCount(rsCount.getInt(1));
}
stCount.close();
stCount = null;
// query records if a count was found
pageCursor.checkCurrentPage();
if (pageCursor.getTotalRecordCount() > 0) {
// set the start record and the number of records to retrieve
int nCurPage = pageCursor.getCurrentPage();
int nRecsPerPage = getQueryResult().getPageCursor().getRecordsPerPage();
int nStartRecord = ((nCurPage - 1) * nRecsPerPage) + 1;
int nMaxRecsToRetrieve = nCurPage * nRecsPerPage;
st.setMaxRows(nMaxRecsToRetrieve);
// determine publisher names associated with editable records
// execute the query
logExpression(sbSql.toString());
ResultSet rs = st.executeQuery();
// build the record set
int nCounter = 0;
while (rs.next()) {
n = 1;
nCounter++;
if (nCounter >= nStartRecord) {
MmdRecord record = new MmdRecord();
records.add(record);
readRecord(rs, record);
// break if we hit the max value for the cursor
if (records.size() >= nRecsPerPage) {
break;
}
}
}
TreeMap<String, MmdRecord> recordsMap =
new TreeMap<String, MmdRecord>(String.CASE_INSENSITIVE_ORDER);
StringBuilder keys = new StringBuilder();
for (MmdRecord r : records) {
if (r.getProtocol() == null) continue;
recordsMap.put(r.getUuid(), r);
if (keys.length() > 0) {
keys.append(",");
}
keys.append("'").append(r.getUuid().toUpperCase()).append("'");
}
readJobStatus(con, recordsMap, keys.toString());
readLastHarvestDate(con, recordsMap, keys.toString());
}
} finally {
closeStatement(st);
closeStatement(stCount);
}
}
/**
* Authorizes a create, update, delete or query based operation.
*
* @param context the assertion operation context
* @param assertion the active assertion
* @param action the action
* @throws NotAuthorizedException if authentication was required
* @throws AsnInsufficientPrivilegeException if the user has insufficient privilege
*/
private void authorizeAction(AsnContext context, Assertion assertion, String action)
throws NotAuthorizedException, AsnInsufficientPrivilegeException {
// ensure an authorization policy
AsnOperation operation = context.getOperation();
if (operation.getAuthPolicy() == null) {
String msg = "An authorization policy was not configured.";
throw new ConfigurationException(msg);
}
// check the user, ensure an authenticated user if required
User user = context.getRequestContext().getUser();
boolean userWasAuthenticated = false;
if ((user != null) && user.getAuthenticationStatus().getWasAuthenticated()) {
userWasAuthenticated = true;
}
if (operation.getAuthPolicy().getAuthenticationRequired() && !userWasAuthenticated) {
throw new NotAuthorizedException("Not authorized.");
}
// determine the principals
AsnPrincipals principals = null;
boolean isWrite = false;
if (action.equals(AsnAuthorizer.ACTION_CREATE)) {
isWrite = true;
principals = operation.getAuthPolicy().getCreatePrincipals();
if (principals == null) {
String msg = "Create principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_DELETE)) {
isWrite = true;
principals = operation.getAuthPolicy().getDeletePrincipals();
if (principals == null) {
String msg = "Delete principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_ENABLE)
|| action.equals(AsnAuthorizer.ACTION_DISABLE)) {
isWrite = true;
principals = operation.getAuthPolicy().getEnableDisablePrincipals();
if (principals == null) {
String msg = "Enable/Disable principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_QUERY)) {
principals = operation.getAuthPolicy().getQueryPrincipals();
if (principals == null) {
String msg = "Query principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_UPDATE)) {
isWrite = true;
principals = operation.getAuthPolicy().getQueryPrincipals();
if (principals == null) {
String msg = "Query principals were not configured.";
throw new ConfigurationException(msg);
}
}
// hard check to ensure an authenticated user for any modifications
// (regardless of configuration)
if (isWrite && !userWasAuthenticated) {
throw new AsnInsufficientPrivilegeException();
}
// check "any user" user privilege
if (principals.contains(AsnConstants.PRINCIPAL_ANY)) {
return;
}
// check administrator privilege
if (userWasAuthenticated) {
if (principals.contains(AsnConstants.PRINCIPAL_ADMINISTRATOR)) {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
if (roles.hasRole("gptAdministrator")) {
return;
}
}
}
// check for ownership
if (userWasAuthenticated && (assertion != null) && assertion.getWasReadFromIndex()) {
if (principals.contains(AsnConstants.PRINCIPAL_OWNER)) {
String asnUserKey = Val.chkStr(assertion.getUserPart().getKey());
String userKey = Val.chkStr(user.getKey());
if ((asnUserKey.length() > 0) && asnUserKey.equals(userKey)) {
return;
}
}
}
throw new AsnInsufficientPrivilegeException();
}
/**
* Determines if the user can perform an action.
*
* @param context the assertion operation context
* @param policy the authorization policy
* @param assertion the active assertion
* @param action the action
* @return true if the user can perform the action
*/
private boolean canAct(
AsnContext context, AsnAuthPolicy policy, Assertion assertion, String action) {
// ensure an authorization policy
if (policy == null) {
return false;
}
// check the user, ensure an authenticated user if required
User user = context.getRequestContext().getUser();
boolean userWasAuthenticated = false;
if ((user != null) && user.getAuthenticationStatus().getWasAuthenticated()) {
userWasAuthenticated = true;
}
if (policy.getAuthenticationRequired() && !userWasAuthenticated) {
return false;
}
// determine the write principals (creation or modification)
AsnPrincipals principals = null;
boolean isWrite = false;
if (action.equals(AsnAuthorizer.ACTION_CREATE)) {
isWrite = true;
principals = policy.getCreatePrincipals();
} else if (action.equals(AsnAuthorizer.ACTION_DELETE)) {
isWrite = true;
principals = policy.getDeletePrincipals();
if (assertion == null) return false;
} else if (action.equals(AsnAuthorizer.ACTION_DISABLE)) {
isWrite = true;
principals = policy.getEnableDisablePrincipals();
if (assertion == null) return false;
if (!assertion.getSystemPart().getEnabled()) return false;
} else if (action.equals(AsnAuthorizer.ACTION_ENABLE)) {
isWrite = true;
principals = policy.getEnableDisablePrincipals();
if (assertion.getSystemPart().getEnabled()) return false;
if (assertion == null) return false;
} else if (action.equals(AsnAuthorizer.ACTION_QUERY)) {
principals = policy.getQueryPrincipals();
} else if (action.equals(AsnAuthorizer.ACTION_UPDATE)) {
isWrite = true;
principals = policy.getQueryPrincipals();
if (assertion == null) return false;
if (!assertion.getSystemPart().getEnabled()) return false;
}
if ((policy == null) || (principals == null)) {
return false;
}
// hard check to ensure an authenticated user for any modifications
// (regardless of configuration)
if (isWrite && !userWasAuthenticated) {
return false;
}
// check "any user" user privilege
if (principals.contains(AsnConstants.PRINCIPAL_ANY)) {
return true;
}
// check administrator privilege
if (userWasAuthenticated) {
if (principals.contains(AsnConstants.PRINCIPAL_ADMINISTRATOR)) {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
if (roles.hasRole("gptAdministrator")) {
return true;
}
}
}
// check for ownership
if (userWasAuthenticated && (assertion != null) && assertion.getWasReadFromIndex()) {
if (principals.contains(AsnConstants.PRINCIPAL_OWNER)) {
String asnUserKey = Val.chkStr(assertion.getUserPart().getKey());
String userKey = Val.chkStr(user.getKey());
if ((asnUserKey.length() > 0) && asnUserKey.equals(userKey)) {
return true;
}
}
}
return false;
}
