/**
* remove objects not allowed to see privileges on
*
* @param groupsAndStems
*/
public static void removeObjectsNotAllowedToSeePrivs(Set<?> groupsAndStems) {
if (groupsAndStems == null) {
return;
}
// subject who is making the query
final Subject grouperSessionSubject = GrouperSession.staticGrouperSession().getSubject();
Iterator<?> iterator = groupsAndStems.iterator();
while (iterator.hasNext()) {
Object groupOrStem = iterator.next();
if (groupOrStem instanceof Group) {
Group group = (Group) groupOrStem;
if (!group.hasAdmin(grouperSessionSubject)) {
iterator.remove();
}
} else if (groupOrStem instanceof Stem) {
Stem stem = (Stem) groupOrStem;
if (!stem.hasStem(grouperSessionSubject)) {
iterator.remove();
}
} else {
// this should never happen
throw new RuntimeException(
"Not expecting object of type: " + groupOrStem.getClass() + ", " + groupOrStem);
}
}
}
/**
* retrieve if delegatable
*
* @param action
* @param attributeDefName
* @return if delegatable or grant
*/
private AttributeAssignDelegatable retrieveDelegatable(
String action, AttributeDefName attributeDefName) {
if (AttributeDefType.perm != attributeDefName.getAttributeDef().getAttributeDefType()) {
throw new RuntimeException(
"Can only delegate a permission: "
+ attributeDefName.getAttributeDef().getAttributeDefType());
}
Set<PermissionEntry> permissionEntries =
GrouperDAOFactory.getFactory()
.getPermissionEntry()
.findByMemberIdAndAttributeDefNameId(
GrouperSession.staticGrouperSession().getMemberUuid(), attributeDefName.getId());
boolean isGrant = false;
boolean isDelegate = false;
action = StringUtils.defaultString(action, AttributeDef.ACTION_DEFAULT);
for (PermissionEntry permissionEntry : permissionEntries) {
if (permissionEntry.isEnabled() && StringUtils.equals(action, permissionEntry.getAction())) {
AttributeAssignDelegatable localDelegatable =
permissionEntry.getAttributeAssignDelegatable();
isGrant = isGrant || (localDelegatable == AttributeAssignDelegatable.GRANT);
isDelegate = isDelegate || localDelegatable.delegatable();
}
}
if (isGrant) {
return AttributeAssignDelegatable.GRANT;
}
if (isDelegate) {
return AttributeAssignDelegatable.TRUE;
}
return AttributeAssignDelegatable.FALSE;
}
public void testGroupType() {
GroupType adminType = GroupType.createType(GrouperSession.staticGrouperSession(), "adminType");
groupA.addType(adminType);
correctAttributesA.setAttribute("groupType", adminType, GroupTypeFinder.find("base", true));
runResolveTest("testAttributesOnly", groupA, correctAttributesA);
}
public void setUp() {
super.setUp();
// add etc:attribute:courses:courseType attribute
Stem etcStem =
StemFinder.findByName(GrouperSession.staticGrouperSession(), "etc:attribute", true);
Stem coursesStem = etcStem.addChildStem("courses", "Courses");
AttributeDef attributeDef =
coursesStem.addChildAttributeDef("courseType", AttributeDefType.attr);
attributeDef.setAssignToGroup(true);
attributeDef.setMultiValued(true);
attributeDef.setValueType(AttributeDefValueType.string);
attributeDef.store();
coursesStem.addChildAttributeDefName(attributeDef, "courseType", "courseType");
}
/**
* see if a group or parent or ancestor folder has an attribute. this can run securely.
*
* @param attributeFlagName
* @param checkSecurity
* @return true if group or stem has attribute
*/
public boolean hasAttributeOrAncestorHasAttribute(
final String attributeFlagName, final boolean checkSecurity) {
final AttributeAssignable owner = this.getAttributeAssignable();
if (checkSecurity) {
Subject subjectMakingCall = GrouperSession.staticGrouperSession().getSubject();
return hasAttributeOrAncestorHasAttributeHelper(
owner, null, attributeFlagName, subjectMakingCall);
}
return (Boolean)
GrouperSession.internal_callbackRootGrouperSession(
new GrouperSessionHandler() {
public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
return hasAttributeOrAncestorHasAttributeHelper(
owner, null, attributeFlagName, grouperSession.getSubject());
}
});
}
/**
* @see
* edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase#processChangeLogEntries(java.util.List,
* edu.internet2.middleware.grouper.changeLog.ChangeLogProcessorMetadata)
*/
@Override
public long processChangeLogEntries(
List<ChangeLogEntry> changeLogEntryList,
ChangeLogProcessorMetadata changeLogProcessorMetadata) {
long currentId = -1;
boolean startedGrouperSession = false;
GrouperSession grouperSession = GrouperSession.staticGrouperSession(false);
if (grouperSession == null) {
grouperSession = GrouperSession.startRootSession();
startedGrouperSession = true;
} else {
grouperSession = grouperSession.internal_getRootSession();
}
// try catch so we can track that we made some progress
try {
for (ChangeLogEntry changeLogEntry : changeLogEntryList) {
currentId = changeLogEntry.getSequenceNumber();
// if this is a group add action and category
if (changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.GROUP_ADD)) {
String groupName = changeLogEntry.retrieveValueForLabel(ChangeLogLabels.GROUP_ADD.name);
if (GrouperDuoUtils.validDuoGroupName(groupName)) {
String groupExtension = GrouperUtil.extensionFromName(groupName);
// get the group in grouper
String groupDescription =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.GROUP_ADD.description);
// shouldnt be the case but check anyways
if (!GrouperDuoCommands.retrieveGroups().containsKey(groupExtension)) {
GrouperDuoCommands.createDuoGroup(groupExtension, groupDescription, true);
}
}
} else if (changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.GROUP_DELETE)) {
String groupName =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.GROUP_DELETE.name);
if (GrouperDuoUtils.validDuoGroupName(groupName)) {
String groupExtension = GrouperUtil.extensionFromName(groupName);
// shouldnt be the case but check anyways
GrouperDuoGroup grouperDuoGroup =
GrouperDuoCommands.retrieveGroups().get(groupExtension);
if (grouperDuoGroup != null) {
GrouperDuoCommands.deleteDuoGroup(grouperDuoGroup.getId(), true);
}
}
}
if (changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.GROUP_UPDATE)) {
String groupName =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.GROUP_UPDATE.name);
if (GrouperDuoUtils.validDuoGroupName(groupName)) {
String groupExtension = GrouperUtil.extensionFromName(groupName);
// get the group in grouper
Group group = GroupFinder.findByName(grouperSession, groupName, false);
if (group != null) {
// shouldnt be the case but check anyways
Map<String, GrouperDuoGroup> groupNameToDuoGroupMap =
GrouperDuoCommands.retrieveGroups();
GrouperDuoGroup grouperDuoGroup = groupNameToDuoGroupMap.get(groupExtension);
if (grouperDuoGroup != null) {
GrouperDuoCommands.updateDuoGroup(
grouperDuoGroup.getId(), group.getDescription(), true);
}
}
}
}
boolean isMembershipAdd =
changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_ADD);
boolean isMembershipDelete =
changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_DELETE);
boolean isMembershipUpdate =
changeLogEntry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_UPDATE);
if (isMembershipAdd || isMembershipDelete || isMembershipUpdate) {
String groupName =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.groupName);
if (GrouperDuoUtils.validDuoGroupName(groupName)) {
String sourceId =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.sourceId);
boolean inCorrectSubjectSource =
GrouperDuoUtils.configSourcesForSubjects().contains(sourceId);
if (inCorrectSubjectSource) {
String groupExtension = GrouperUtil.extensionFromName(groupName);
Group group = GroupFinder.findByName(grouperSession, groupName, false);
Map<String, GrouperDuoGroup> groupNameToDuoGroupMap =
GrouperDuoCommands.retrieveGroups();
GrouperDuoGroup grouperDuoGroup = groupNameToDuoGroupMap.get(groupExtension);
String subjectId =
changeLogEntry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.subjectId);
String subjectAttributeForDuoUsername =
GrouperDuoUtils.configSubjectAttributeForDuoUsername();
String username = null;
Subject subject = SubjectFinder.findByIdAndSource(subjectId, sourceId, false);
if (StringUtils.equals("id", subjectAttributeForDuoUsername)) {
username = subjectId;
} else {
if (subject != null) {
String attributeValue = subject.getAttributeValue(subjectAttributeForDuoUsername);
if (!StringUtils.isBlank(attributeValue)) {
username = attributeValue;
}
}
}
String duoGroupId = grouperDuoGroup != null ? grouperDuoGroup.getId() : null;
String duoUserId =
!StringUtils.isBlank(username)
? GrouperDuoCommands.retrieveUserIdFromUsername(username)
: null;
// cant do anything if missing these things
if (!StringUtils.isBlank(duoGroupId) && !StringUtils.isBlank(duoUserId)) {
boolean userInDuoGroup =
GrouperDuoCommands.userInGroup(duoUserId, duoGroupId, true);
boolean addUserToGroup = isMembershipAdd;
// if update it could have unexpired
if (isMembershipUpdate
&& group != null
&& subject != null
&& group.hasMember(subject)) {
addUserToGroup = true;
}
// see if any update is needed
if (addUserToGroup != userInDuoGroup) {
if (addUserToGroup) {
GrouperDuoCommands.assignUserToGroup(duoUserId, duoGroupId, true);
} else {
GrouperDuoCommands.removeUserFromGroup(duoUserId, duoGroupId, true);
}
}
}
}
}
}
// we successfully processed this record
}
} catch (Exception e) {
changeLogProcessorMetadata.registerProblem(e, "Error processing record", currentId);
// we made it to this -1
return currentId - 1;
} finally {
if (startedGrouperSession) {
GrouperSession.stopQuietly(grouperSession);
}
}
if (currentId == -1) {
throw new RuntimeException("Couldnt process any records");
}
return currentId;
}
/**
* @param action is the action on the assignment (null means default action)
* @param attributeDefName
* @param assign true to assign, false to unassign
* @param attributeAssignDelegateOptions if there are more options, null if not
* @return the result including if added or already there
*/
public AttributeAssignResult delegateAttribute(
final String action,
final AttributeDefName attributeDefName,
final boolean assign,
final AttributeAssignDelegateOptions attributeAssignDelegateOptions) {
AttributeDef attributeDef = attributeDefName.getAttributeDef();
if (attributeDef.isMultiAssignable()) {
throw new RuntimeException(
"This attribute must not be multi-assignable to call "
+ "this method, use the multi-assign methods: "
+ attributeDefName.getName());
}
this.assertCanDelegateAttributeDefName(action, attributeDefName);
if (attributeAssignDelegateOptions != null
&& attributeAssignDelegateOptions.isAssignAttributeAssignDelegatable()) {
if (attributeAssignDelegateOptions.getAttributeAssignDelegatable()
== AttributeAssignDelegatable.GRANT
|| attributeAssignDelegateOptions.getAttributeAssignDelegatable()
== AttributeAssignDelegatable.TRUE) {
this.assertCanGrantAttributeDefName(action, attributeDefName);
}
}
AttributeAssignResult attributeAssignResult =
(AttributeAssignResult)
GrouperSession.callbackGrouperSession(
GrouperSession.staticGrouperSession().internal_getRootSession(),
new GrouperSessionHandler() {
public Object callback(GrouperSession grouperSession)
throws GrouperSessionException {
if (assign) {
// do the same thing that an assign would do
// do this as root since the user who can delegate might not be able to
// assign...
AttributeAssignResult attributeAssignResult2 =
AttributeAssignBaseDelegate.this.internal_assignAttributeHelper(
action, attributeDefName, false, null, null);
if (attributeAssignDelegateOptions != null) {
AttributeAssign attributeAssign =
attributeAssignResult2.getAttributeAssign();
if (attributeAssignDelegateOptions.isAssignAttributeAssignDelegatable()) {
attributeAssign.setAttributeAssignDelegatable(
attributeAssignDelegateOptions.getAttributeAssignDelegatable());
}
if (attributeAssignDelegateOptions.isAssignDisabledDate()) {
attributeAssign.setDisabledTime(
attributeAssignDelegateOptions.getDisabledTime());
}
if (attributeAssignDelegateOptions.isAssignEnabledDate()) {
attributeAssign.setDisabledTime(
attributeAssignDelegateOptions.getEnabledTime());
}
attributeAssign.saveOrUpdate(true);
}
return attributeAssignResult2;
}
return AttributeAssignBaseDelegate.this.removeAttributeHelper(
action, attributeDefName, false);
}
});
return attributeAssignResult;
}