public class SecurityAdmin extends java.lang.Object implements SecurityConstants
Modifier and Type | Field and Description |
---|---|
private AdminAccountExtension |
ae
instance of account extension plugin
|
private AdminResource |
ar
instance of admin resource plugin
|
private static java.lang.String |
CERT_BEG
certificate encoding start mark
|
private static java.lang.String |
CERT_END
certificate encoding end mark
|
private DirectoryService |
ds
instance of directory service
|
private java.util.Map<java.lang.Integer,java.lang.String> |
mapId
current map from mapTypes
|
private java.util.Map<java.lang.String,java.util.Map<java.lang.String,java.util.Map<java.lang.Integer,java.lang.String>>> |
mapInst
maps ACL instance name into map of resource types
|
private java.util.Map<java.lang.String,java.util.Map<java.lang.Integer,java.lang.String>> |
mapTypes
current map from mapInst
|
private static java.lang.String[] |
prof
list of admin resource instance names making up a profile
|
private SecurityCache |
sc
instance of current offline security cache
|
private SecurityManager |
sm
instance of security manager
|
private static int |
SPLIT_CHUNK
certificate encoding I/O chunk (as in *.PEM files)
|
private SystemResource |
sr
instance of system resource plugin
|
AUTH_ACTION_ABORT, AUTH_ACTION_CONTINUE, AUTH_ACTION_DONE, AUTH_ACTION_RETRY, AUTH_MODE_CUSTOM, AUTH_MODE_HIGHEST, AUTH_MODE_IDPW, AUTH_MODE_LOWEST, AUTH_MODE_NONE, AUTH_MODE_X509, AUTH_MODE_X509_IDPW, AUTH_REQ_PROCESS, AUTH_REQ_PROGRAM, AUTH_REQ_USER, AUTH_RESULT_INSUFFICIENT_RIGHTS, AUTH_RESULT_INVALID_PASSWORD, AUTH_RESULT_INVALID_USERID, AUTH_RESULT_NONE, AUTH_RESULT_SKIP_TO_NEXT, AUTH_RESULT_SUCCESS, AUTH_RESULT_UNSPECIFIED_FAILURE, PKT_SIZE_SKIP_TO_NEXT
Constructor and Description |
---|
SecurityAdmin(DirectoryService ds)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
boolean |
addAcl(java.lang.String resourceType,
Acl acl,
java.util.Map<java.lang.Integer,java.lang.String> subjMap)
Adds new set of ACLs based on the contents of the given ACL definition.
|
boolean |
addCert(CertDef cert)
Adds a new certificate according to its definition.
|
boolean |
addGroup(GroupDef group)
Adds new group account definition.
|
boolean |
addProcess(ProcessDef process,
java.io.Serializable ext)
Adds new process account definition.
|
boolean |
addUser(UserDef user,
java.io.Serializable ext)
Adds new user account definition.
|
boolean |
adminAccess()
Checks the rights of the caller to perform admin operations.
|
int |
bulkAuthModeUpdate(int targetAccounts,
java.lang.String[] excludedAccounts,
int authMode,
java.lang.String authPlugin)
Performs a bulk update of the authentication settings of the accounts of the
specified type.
|
boolean |
canRefresh()
Checks whether the current user can perform a refresh.
|
boolean |
changeGroupUsers(java.lang.String name,
java.lang.String[] additions,
java.lang.String[] deletions)
Changes the group by adding and/or removing users.
|
private boolean |
changeGroupUsersWorker(java.lang.String name,
java.lang.String[] additions,
java.lang.String[] deletions)
Changes the group by adding and/or removing users.
|
private boolean |
checkAcl(java.lang.String resourceType,
Acl acl,
java.util.Map<java.lang.Integer,java.lang.String> subjMap,
java.lang.String[] subjects,
boolean setInstance,
boolean setSubjects,
boolean setRights,
boolean addOrSet)
Checks an ACL for validity.
|
private boolean |
checkCAAlias(java.lang.String alias)
Checks certificate alias for duplication in CA domain.
|
private boolean |
checkCache()
Checks to see if the cache is available and stores a message if not.
|
private byte[] |
checkCertificate(CertDef cert)
Reassembles certificate encoding from its definition.
|
private boolean |
checkPeerAlias(java.lang.String alias)
Checks certificate alias for duplication in peer domain.
|
private boolean |
checkPermission()
Admin permissions check routine.
|
private boolean |
checkPermission(java.lang.String name,
int mode)
Admin permission check routine for a specific resource instance, leaf
node and permission.
|
private boolean |
checkPermissions(java.lang.String name,
int[] mode)
Admin permission check routine for a specific resource instance, leaf
node and permission.
|
private int |
checkResourceType(java.lang.String resourceType)
Checks the resource type name for validity.
|
boolean |
cloneAcl(java.lang.String resourceType,
java.lang.String instanceName,
int oid,
int cloneOid)
Clones the specified ACL to another position within the same ACL
instance.
|
boolean |
cloneGroup(java.lang.String nameFrom,
java.lang.String nameTo,
boolean acls)
Clones an existing group account into a new one.
|
boolean |
cloneProcess(java.lang.String nameFrom,
java.lang.String nameTo,
boolean acls)
Clones an existing process account into a new one.
|
private boolean |
cloneSubjectInACLs(java.lang.String name,
java.lang.String nameTo)
Modifies all ACLs that refer to the given subject so that they also
refer to the clone.
|
boolean |
cloneUser(java.lang.String nameFrom,
java.lang.String nameTo,
boolean acls,
boolean replacePassword,
byte[] newPassword)
Clones an existing user account into a new one.
|
private java.lang.String |
commonParent(java.lang.String snode,
java.lang.String tnode)
Calculates the common parent node for two given nodes.
|
boolean |
consReloadDirectory()
Causes the live system to reload the P2J directory from the back
storage.
|
private boolean |
createCertNode(java.lang.String id,
byte[] enc)
Creates a certificate directory object.
|
private boolean |
createGroupNode(java.lang.String gid,
java.lang.String text,
int mode,
java.lang.String authPlugin)
Creates a group account directory object.
|
private boolean |
createProcessNode(java.lang.String id,
boolean enabled,
java.lang.String text,
java.lang.String alias,
boolean server,
boolean master)
Creates a process account directory object.
|
private boolean |
createUserNode(java.lang.String uid,
boolean enabled,
java.lang.String person,
int mode,
java.lang.String authPlugin,
java.lang.String alias,
java.lang.String[] groups,
boolean protect,
byte[] password,
DateValue date,
TimeValue time)
Creates a user account directory object.
|
private boolean |
currentCache()
Creates new security cache generation offline.
|
boolean |
deleteAcl(java.lang.String resourceType,
java.lang.String instanceName,
int oid)
Deletes the specified ACL from the specified ACL instance.
|
boolean |
deleteCert(java.lang.String alias,
boolean force)
Deletes an existing certificate conditionally or unconditionally.
|
boolean |
deleteGroup(java.lang.String name)
Deletes a group account definition.
|
boolean |
deleteProcess(java.lang.String name)
Deletes a process account definition.
|
boolean |
deleteUser(java.lang.String name)
Deletes a user account definition.
|
private static void |
encode(java.lang.String[] args)
User password encoding utility.
|
private static boolean |
encodeWorker(DirectoryService ds,
java.lang.String attrName)
Modifies all ACLs in the specified ACL instance which refer to a given
subject ID.
|
private java.lang.String[] |
enumerateACLInstancePaths()
Enumerates ACL instances defined in the directory.
|
private java.lang.String[] |
enumerateACLInstances()
Enumerates ACL instances defined in the directory.
|
private java.lang.String[] |
enumerateACLInstances(java.lang.String resourceType)
Enumerates ACL instances defined in the directory, that have ACLs
defined for the specified resource type.
|
private int |
enumerateACLs(java.lang.String path,
java.util.Map<java.lang.Integer,java.lang.String> comb,
int badIds)
Enumerates ACLs under the given directory path and combines them into
the given map.
|
AccountReportsExtension |
getAccountReportsExtension()
Account reports extension point.
|
AclDef |
getAcl(java.lang.String resourceType,
java.lang.String instanceName)
Gets the full ACL definition information from the directory for the
specified ACL instance and resource type.
|
AclDef[] |
getAcls(java.lang.String instanceName)
Gets the full ACL definition information from the directory for the
specified ACL instance or all of them.
|
private AclDef |
getAclWorker(java.lang.String resourceType,
java.lang.String instanceName,
java.lang.String mpath,
java.lang.String opath)
Creates an ACL definition from the ACLs for the specified resource type.
|
SessionInfo[] |
getActiveSessions(java.lang.String jar,
java.lang.String iface)
Gets the list of all active sessions which have executed API(s)
associated with this jar.
|
AdminDef |
getAdminDef()
Returns the configuration information about the administration interface
itself.
|
CertDef |
getCert(java.lang.String alias)
Returns a DER-encoded certificate like those found in *.PEM files.
|
TaggedName[] |
getCertAccounts(java.lang.String alias)
Returns an array of all account names with their description for
accounts sharing this certificate.
|
TaggedName[] |
getCertProcesses(java.lang.String alias)
Returns an array of process account names with their description for
processes sharing this certificate.
|
TaggedName[] |
getCertUsers(java.lang.String alias)
Returns an array of user account names with their description for users
sharing this certificate.
|
private AdminAccountExtension |
getExtension()
Utility method to get the custom server extension interface.
|
GroupDef |
getGroup(java.lang.String name)
Returns the group definition for the specified group name.
|
ProcessDef |
getProcess(java.lang.String name)
Returns the process definition for the specified process name.
|
AdminProfile[] |
getProfile(java.lang.String[] name)
Returns the admin permissions profile for an arbitrary set of resource
instance names.
|
AdminProfile[] |
getProfile(java.lang.String name,
int[] perm)
Returns the admin permissions profile for an arbitrary set of
permissions for a resource instance name.
|
java.lang.String |
getResourceType(java.lang.String name)
Returns the registered resource type name for the given resource plugin.
|
SessionInfo[] |
getSessionList()
Creates a report of all current user and process sessions.
|
UserDef |
getUser(java.lang.String name)
Returns the user account definition for the specified account name.
|
boolean |
isMaster()
Tells whether the server can modify the directory.
|
private static void |
johndoe(java.lang.String[] args)
ACL subjects list verification utility.
|
void |
killSession(int sid)
Forcibly terminates (closes) the socket in use for the given session.
|
java.lang.String[] |
listAclInstances()
Locates all instances of ACLs in the directory and returns their names.
|
java.lang.String[] |
listAclInstances(java.lang.String resourceType)
Locates all instances of ACLs in the directory and returns their names
for those instances which have ACLs defined for the specified resource
type.
|
TaggedName[] |
listAuthPlugins()
Get the list of available auth plugins.
|
private TaggedName[] |
listCertAccounts(java.lang.String alias,
int type)
Returns an array of account names with their description for accounts
sharing this certificate.
|
TaggedName[] |
listCerts(boolean auth,
boolean unusedOnly)
Returns an array of defined CA or peer certificates with their
distinctive names.
|
TaggedName[] |
listGroups()
Returns a tagged array of defined group names.
|
TaggedName[] |
listGroupUsers(java.lang.String name)
Enumerates the users of a named group.
|
java.lang.String[] |
listInstanceAcls(java.lang.String instanceName)
Lists resource names for which the specified ACL instance has ACLs
defined.
|
TaggedName[] |
listProcesses()
Returns a tagged array of defined process names.
|
java.lang.String[] |
listResourceNames()
Returns an array of resource plugin names.
|
TaggedName[] |
listUserGroups(java.lang.String name)
Enumerates the groups the named user is part of.
|
TaggedName[] |
listUsers()
Returns an array of defined user account names and their owners.
|
static void |
main(java.lang.String[] args)
Application entry point.
|
private void |
message(java.lang.String msg)
Utility method to store server messages for later retrieval by clients.
|
private void |
message(java.lang.String[] msg)
Utility method to store server messages for later retrieval by clients.
|
private static void |
migrate(java.lang.String[] args)
ACL migration utility.
|
private static boolean |
modifySubjectsInACLs(DirectoryService ds,
java.lang.String origin,
java.lang.String name,
java.lang.String[] namesDel,
java.lang.String[] namesAdd)
Modifies all ACLs in the specified ACL instance which refer to a given
subject ID.
|
boolean |
moveAcl(java.lang.String resourceType,
java.lang.String instanceName,
int oid,
int newOid)
Moves the specified ACL to another position within the same ACL
instance.
|
boolean |
moveAcl(java.lang.String resourceType,
java.lang.String instanceName,
int oid,
java.lang.String newInstanceName)
Moves the specified ACL to another ACL instance, private or shared.
|
boolean |
moveCert(java.lang.String aliasFrom,
java.lang.String aliasTo)
Changes the certificate's alias.
|
private static void |
printMessages(java.util.List<java.lang.String[]> msgBuf)
Message buffer printout
|
private boolean |
queryPermission(java.lang.String name,
int mode)
Admin permission check routine for a specific resource instance, leaf
node and permission.
|
void |
refreshPlugin(java.lang.String resourceType)
Send a refresh request to specified plugin.
|
private boolean |
removeSubjectFromACLs(java.lang.String name)
Modifies all ACLs that refer to the given subject so that they no longer
do.
|
boolean |
resequenceAcls(java.lang.String resourceType,
java.lang.String instanceName,
int start,
int step)
Assigns new object IDs sequentially for all ACLs in the given ACL
instance and resource type.
|
private static void |
resource(java.lang.String[] args)
ACL resource name verification utility.
|
(package private) static void |
say_(java.lang.String msg)
Shortcut for the System.out.print()
|
private static void |
say(java.lang.String msg)
Shortcut for the System.out.println()
|
java.lang.String |
searchCert(java.lang.String dn)
Searches the CA directory for an alias of the certificate by the
distinctive name of the subject.
|
boolean |
setAcl(java.lang.String resourceType,
Acl acl,
java.util.Map<java.lang.Integer,java.lang.String> subjMap,
boolean setInstance,
boolean setInstanceMode,
boolean setSubjects,
boolean setRights)
Conditionally edits the existing ACL based on the contents of the given
ACL and the selected conditions.
|
boolean |
setCert(CertDef cert)
Replaces an existing certificate with the given one.
|
boolean |
setGroup(GroupDef group)
Changes the group definition for the named group.
|
boolean |
setProcess(ProcessDef process,
java.io.Serializable ext,
boolean syncExt)
Changes the process definition for the named process.
|
boolean |
setUser(UserDef user,
java.io.Serializable ext,
boolean syncExt)
Changes the user account definition for the named account.
|
private static void |
subjects(java.lang.String[] args)
ACL subjects filtering and editing utility.
|
private boolean |
syncAuthSettings(java.lang.String node,
int authMode,
java.lang.String authPlugin)
Synchronizes authentication-related directory node attributes with the
given values.
|
private boolean |
syncBoolean(java.lang.String id,
java.lang.String attr,
java.lang.Boolean value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncBytes(java.lang.String id,
java.lang.String attr,
byte[] value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncDate(java.lang.String id,
java.lang.String attr,
DateValue value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncInteger(java.lang.String id,
java.lang.String attr,
java.lang.Integer value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncString(java.lang.String id,
java.lang.String attr,
java.lang.String value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncStrings(java.lang.String id,
java.lang.String attr,
java.lang.String[] value)
Synchronizes a directory node attribute with the given value.
|
private boolean |
syncTime(java.lang.String id,
java.lang.String attr,
TimeValue value)
Synchronizes a directory node attribute with the given value.
|
boolean |
terminateSessions(java.lang.String jar,
java.lang.String iface)
Terminate all active sessions which have invoked the given APIs in the
given jar.
|
private static final int SPLIT_CHUNK
private static final java.lang.String CERT_BEG
private static final java.lang.String CERT_END
private static final java.lang.String[] prof
private SecurityManager sm
private SystemResource sr
private AdminResource ar
private SecurityCache sc
private DirectoryService ds
private AdminAccountExtension ae
private java.util.Map<java.lang.String,java.util.Map<java.lang.String,java.util.Map<java.lang.Integer,java.lang.String>>> mapInst
private java.util.Map<java.lang.String,java.util.Map<java.lang.Integer,java.lang.String>> mapTypes
private java.util.Map<java.lang.Integer,java.lang.String> mapId
public SecurityAdmin(DirectoryService ds)
ds
- instance of DirectoryService to use for directory accesspublic boolean adminAccess()
true
if the caller has sufficient rightspublic boolean isMaster()
true
if it canpublic boolean canRefresh()
true
if current user has enough rights to perform
security cache refresh.public SessionInfo[] getActiveSessions(java.lang.String jar, java.lang.String iface)
jar
- The name of the target jar file.iface
- The interface for which we need the sessions;
if null
, search through the entire jar.public boolean terminateSessions(java.lang.String jar, java.lang.String iface)
null
, terminate all active
tracked sessions.
This method guarantees that all session termination listeners have been
executed.jar
- The jar name; if null
, terminate all active
tracked sessions.iface
- The interface for which we need to terminate the sessions;
if null
, terminate all sessions for the given
jar.true
if operation was successful,
false
if you do not have admin rights.public TaggedName[] listGroups()
null
public GroupDef getGroup(java.lang.String name)
name
- Group name.null
public TaggedName[] listGroupUsers(java.lang.String name)
name
- group namenull
if
there is no such grouppublic boolean setGroup(GroupDef group)
group
- group definitiontrue
if successfully changed the grouppublic boolean addGroup(GroupDef group)
group
- group definition for a new accounttrue
if successfully added the grouppublic boolean deleteGroup(java.lang.String name)
The directory modification is done in multiple separate transactions:
/security/accounts/users
/security/acl
and /security/acls
/security/accounts/groups
name
- group name for the group being deletedtrue
if successfully deleted the grouppublic boolean cloneGroup(java.lang.String nameFrom, java.lang.String nameTo, boolean acls)
nameFrom
- group name for the source groupnameTo
- group name for the cloneacls
- true
tells to clone ACLs as welltrue
if successfully cloned the grouppublic boolean changeGroupUsers(java.lang.String name, java.lang.String[] additions, java.lang.String[] deletions)
This API requires ADLU_GROUP_ACCESS permission.
name
- group nameadditions
- array of user names to be added to the group; may be emptydeletions
- array of user names to be excluded from the group;
may be emptytrue
if successfully changed the grouppublic TaggedName[] listUsers()
This API requires ADLU_ENUMERATE_ACCESS permission.
null
public AdminDef getAdminDef()
public AdminProfile[] getProfile(java.lang.String[] name)
name
- array of admin resource instance names to querynull
public AdminProfile[] getProfile(java.lang.String name, int[] perm)
name
- admin leaf resource instance name to queryperm
- array of permissions to querynull
public UserDef getUser(java.lang.String name)
This API requires one of the following permissions:
name
- user account namenull
if no such userpublic boolean setUser(UserDef user, java.io.Serializable ext, boolean syncExt)
This API requires one of the following permissions:
user
- user account definitionext
- optional extension container for custom account extensionssyncExt
- if true
, the state of the account should be sync'ed
with the state of the extension container;
otherwise the state of the account extensions does not changetrue
if successfully changed the accountpublic boolean addUser(UserDef user, java.io.Serializable ext)
The mandatory fields of the user definition container are validated. Optional fields are added, depending on their presence in the container. One exception is the password timestamp: if the account is password protected and the password is present, but both the date and time fields are NOT present, then they are automatically set to the current date and time.
This API requires ADLU_CREATE_ACCESS permission.
user
- user account definitionext
- optional extension container for custom account extensionstrue
if successfully added the accountpublic boolean deleteUser(java.lang.String name)
The directory modification is done in multiple separate transactions:
/security/acl
and /security/acls
/security/accounts/users
This API requires ADLU_DELETE_ACCESS permission.
name
- user account name being deletedtrue
if successfully deleted the accountpublic boolean cloneUser(java.lang.String nameFrom, java.lang.String nameTo, boolean acls, boolean replacePassword, byte[] newPassword)
This API requires ADLU_CREATE_ACCESS permission.
nameFrom
- user account name for the sourcenameTo
- user account name for the cloneacls
- true
tells to clone ACLs as wellreplacePassword
- true
tells to assign the provided password
instead of cloning itnewPassword
- a replacement password for the clonetrue
if successfully cloned the user accountpublic TaggedName[] listUserGroups(java.lang.String name)
This API requires one of the following permissions:
name
- user account namenull
if there is no such user etcpublic java.lang.String[] listResourceNames()
public java.lang.String getResourceType(java.lang.String name)
name
- plugin namenull
if no matchpublic TaggedName[] listProcesses()
null
public ProcessDef getProcess(java.lang.String name)
name
- Process name.null
public boolean setProcess(ProcessDef process, java.io.Serializable ext, boolean syncExt)
process
- process definitionext
- optional extension container for custom account extensionssyncExt
- if true
, the state of the account should be sync'ed
with the state of the extension container;
otherwise the state of the account extensions does not changetrue
if successfully changed the processpublic boolean addProcess(ProcessDef process, java.io.Serializable ext)
process
- process definition for a new accountext
- optional extension container for custom account extensionstrue
if successfully added the processpublic boolean deleteProcess(java.lang.String name)
The directory modification is done in multiple separate transactions:
/security/acl
and /security/acls
/security/accounts/processes
name
- process account name being deletedtrue
if successfully deleted the processpublic boolean cloneProcess(java.lang.String nameFrom, java.lang.String nameTo, boolean acls)
nameFrom
- process name for the sourcenameTo
- process name for the cloneacls
- true
tells to clone ACLs as welltrue
if successfully cloned the processpublic TaggedName[] listCerts(boolean auth, boolean unusedOnly)
auth
- if true
, list CA certificates. otherwise peer
certificatesunusedOnly
- if true
, lists unused certificates only,
otherwise all certificatesnull
public TaggedName[] getCertUsers(java.lang.String alias)
alias
- certificate alias namenull
public TaggedName[] getCertProcesses(java.lang.String alias)
alias
- certificate alias namenull
public TaggedName[] getCertAccounts(java.lang.String alias)
alias
- certificate alias namenull
public CertDef getCert(java.lang.String alias)
alias
- the alias of the certificate to getnull
public boolean setCert(CertDef cert)
cert
- encoded certificatetrue
if replaced, false
if errorspublic boolean addCert(CertDef cert)
cert
- encoded certificatetrue
if added, false
if errorspublic boolean deleteCert(java.lang.String alias, boolean force)
alias
- the alias of the certificate being deletedforce
- if true
, the certificate is deleted even if in
usetrue
if deleted, false
if errorspublic boolean moveCert(java.lang.String aliasFrom, java.lang.String aliasTo)
aliasFrom
- current certificate's aliasaliasTo
- new certificate's aliastrue
if changed, false
if errorspublic java.lang.String searchCert(java.lang.String dn)
dn
- distinctive namenull
public boolean consReloadDirectory()
true
if successfulpublic SessionInfo[] getSessionList()
null
if insufficient rights exist to obtain the
list.public void killSession(int sid)
sid
- Session ID to terminate.public java.lang.String[] listAclInstances()
ACL instances are the directory branches that store ACLs. The shared
instance is the one found under /security/acl
branch.
Private instances are found under
/security/acls/name
branches.
public java.lang.String[] listAclInstances(java.lang.String resourceType)
ACL instances are the directory branches that store ACLs. The shared
instance is the one found under /security/acl
branch.
Private instances are found under
/security/acls/name
branches.
resourceType
- name of the resource of interestpublic java.lang.String[] listInstanceAcls(java.lang.String instanceName)
instanceName
- name of the ACL instance; empty string for the shared onepublic AclDef getAcl(java.lang.String resourceType, java.lang.String instanceName)
resourceType
- name of the resource of interest; can't be null
instanceName
- name of the ACL instance; empty string for the shared one, or
null
for the effective list of this servernull
public AclDef[] getAcls(java.lang.String instanceName)
instanceName
- name of the ACL instance; empty string for the shared one; if
null
, all ACLs are returned and some may be
combinednull
public boolean addAcl(java.lang.String resourceType, Acl acl, java.util.Map<java.lang.Integer,java.lang.String> subjMap)
resourceType
- name of the resource to add the ACL foracl
- ACL definition, that should come fully defined, including the
instance name.subjMap
- a map to translate numeric subject IDs back to namestrue
if added, false
if errorspublic TaggedName[] listAuthPlugins()
null
if no plugins are available.public int bulkAuthModeUpdate(int targetAccounts, java.lang.String[] excludedAccounts, int authMode, java.lang.String authPlugin)
targetAccounts
- Type of accounts to update. Account.ACC_USER
and
Account.ACC_GROUP
are supported.excludedAccounts
- The list of IDs of the accounts that should NOT be updated. Can
be null
.authMode
- Authentication mode to set.authPlugin
- Authentication plugin to set.-1
if an error
has occurred.public void refreshPlugin(java.lang.String resourceType)
resourceType
- public boolean setAcl(java.lang.String resourceType, Acl acl, java.util.Map<java.lang.Integer,java.lang.String> subjMap, boolean setInstance, boolean setInstanceMode, boolean setSubjects, boolean setRights)
resourceType
- name of the resource to set the ACL foracl
- ACL definitionsubjMap
- a map to translate numeric subject IDs back to names; needed
only when setSubjects is true
and can be
null
all other timessetInstance
- true
if setting the resource instance namesetInstanceMode
- true
if setting the resource instance name modesetSubjects
- true
if setting the subjects IDssetRights
- true
if setting the rights for this ACLtrue
if added, false
if errorspublic boolean moveAcl(java.lang.String resourceType, java.lang.String instanceName, int oid, int newOid)
resourceType
- name of the resource of interestinstanceName
- name of the source ACL instance; empty string for the shared
oneoid
- ACL object ID that selects the ACL to movenewOid
- new ACL object IDtrue
if moved, false
if errorspublic boolean moveAcl(java.lang.String resourceType, java.lang.String instanceName, int oid, java.lang.String newInstanceName)
resourceType
- name of the resource of interestinstanceName
- name of the source ACL instance; empty string for the shared
oneoid
- ACL object ID that selects the ACL to movenewInstanceName
- name of the target ACL instance; empty string for the shared
onetrue
if moved, false
if errorspublic boolean deleteAcl(java.lang.String resourceType, java.lang.String instanceName, int oid)
resourceType
- name of the resource of interestinstanceName
- name of the source ACL instance; empty string for the shared
oneoid
- ACL object ID that selects the ACL to deletetrue
if deleted, false
if errorspublic boolean cloneAcl(java.lang.String resourceType, java.lang.String instanceName, int oid, int cloneOid)
resourceType
- name of the resource of interestinstanceName
- name of the source ACL instance; empty string for the shared
oneoid
- ACL object ID that selects the ACL to clonecloneOid
- ACL object ID for the clonetrue
if cloned, false
if errorspublic boolean resequenceAcls(java.lang.String resourceType, java.lang.String instanceName, int start, int step)
resourceType
- name of the resource of interestinstanceName
- name of the source ACL instance; empty string for the shared
onestart
- the starting numberstep
- the incrementtrue
if success, false
if errorspublic AccountReportsExtension getAccountReportsExtension()
AccountReportsExtension
or null
if no
extension is present.private boolean checkAcl(java.lang.String resourceType, Acl acl, java.util.Map<java.lang.Integer,java.lang.String> subjMap, java.lang.String[] subjects, boolean setInstance, boolean setSubjects, boolean setRights, boolean addOrSet)
resourceType
- name of the resource to add the ACL foracl
- ACL definitionsubjMap
- a map to translate numeric subject IDs back to namessubjects
- array to store the subject namessetInstance
- true
if setting the resource instance namesetSubjects
- true
if setting the subjects IDssetRights
- true
if setting the rights for this ACLaddOrSet
- true
if adding new ACL, else setting existing ACLtrue
if validprivate int checkResourceType(java.lang.String resourceType)
resourceType
- resource type name-1
if no matchprivate boolean checkCAAlias(java.lang.String alias)
alias
- certificate aliastrue
if there is no duplicateprivate boolean checkPeerAlias(java.lang.String alias)
alias
- certificate aliastrue
if there is no duplicateprivate byte[] checkCertificate(CertDef cert)
The domain verification is based on the presence and contents of the BasicConstraints X.509 extension, object ID 2.5.29.19. To avoid using a DER decoder, this particular case takes a shortcut that relies on the extension value having exactly the expected encoded form, rather than decoding it generically.
First, the result of getExtensionValue() is always an OCTET STRING. Second, the BasicConstraints value is
BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }
Thus, the DER encoding should look like this:
cert
- certificate definitionnull
private TaggedName[] listCertAccounts(java.lang.String alias, int type)
alias
- certificate alias nametype
- account typenull
private boolean currentCache()
true
if cache is OKprivate boolean checkCache()
true
if cache is OKprivate boolean changeGroupUsersWorker(java.lang.String name, java.lang.String[] additions, java.lang.String[] deletions)
name
- group nameadditions
- array of user names to be added to the group; may be emptydeletions
- array of user names to be excluded from the group;
may be emptytrue
if successfully changed the groupprivate boolean syncString(java.lang.String id, java.lang.String attr, java.lang.String value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncStrings(java.lang.String id, java.lang.String attr, java.lang.String[] value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncBoolean(java.lang.String id, java.lang.String attr, java.lang.Boolean value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncInteger(java.lang.String id, java.lang.String attr, java.lang.Integer value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncBytes(java.lang.String id, java.lang.String attr, byte[] value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncDate(java.lang.String id, java.lang.String attr, DateValue value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean syncTime(java.lang.String id, java.lang.String attr, TimeValue value)
id
- object ID for a directory nodeattr
- node attribute namevalue
- attribute value to sync with; may be null
true
if successfulprivate boolean createGroupNode(java.lang.String gid, java.lang.String text, int mode, java.lang.String authPlugin)
gid
- object ID for the new directory objecttext
- group descriptionmode
- authorization modeauthPlugin
- custom authentication plugin classtrue
if successfulprivate boolean createUserNode(java.lang.String uid, boolean enabled, java.lang.String person, int mode, java.lang.String authPlugin, java.lang.String alias, java.lang.String[] groups, boolean protect, byte[] password, DateValue date, TimeValue time)
uid
- object ID for the new directory objectenabled
- enabled/disabled status of the accountperson
- account owner's name; may be null
mode
- account authentication modealias
- related certificate's alias; may be null
groups
- array of group names this account is a part of; may be
null
protect
- password-protected status of the accountpassword
- password hash; may be null
date
- date of the last password change; may be null
time
- time of the last password change; may be null
authPlugin
- custom authentication plugin classtrue
if successfulprivate boolean createProcessNode(java.lang.String id, boolean enabled, java.lang.String text, java.lang.String alias, boolean server, boolean master)
id
- object ID for the new directory objectenabled
- enabled/disabled status of the accounttext
- descriptionalias
- process certificate aliasserver
- true
if this process is a server,
false
if an applicationmaster
- true
if this server process is a master server,
false
otherwisetrue
if successfulprivate boolean createCertNode(java.lang.String id, byte[] enc)
id
- object ID for the new directory objectenc
- certificate encodingtrue
if successfulprivate boolean removeSubjectFromACLs(java.lang.String name)
name
- subject name to be removed from all ACLstrue
if successfulprivate boolean cloneSubjectInACLs(java.lang.String name, java.lang.String nameTo)
name
- subject name to be cloned in all ACLsnameTo
- clone nametrue
if successfulprivate java.lang.String[] enumerateACLInstances()
/security/acl
private java.lang.String[] enumerateACLInstances(java.lang.String resourceType)
Instances are identified by their directory path. The shared ACL
instance has the fixed path /security/acl
private java.lang.String[] enumerateACLInstancePaths()
/security/acl
private int enumerateACLs(java.lang.String path, java.util.Map<java.lang.Integer,java.lang.String> comb, int badIds)
path
- directory branch to processcomb
- a map to receive the IDs to object paths mappingsbadIds
- starting counter of bad IDs that should be incrementedprivate AclDef getAclWorker(java.lang.String resourceType, java.lang.String instanceName, java.lang.String mpath, java.lang.String opath)
resourceType
- name of the resource of interestinstanceName
- name of the ACL instance or null
meaning the
effective combination is requestedmpath
- mandatory directory path to the resource container; can't be
null
opath
- optional directory path to the resource container; must be
null
if instanceName is given; otherwise must be
specifiedprivate java.lang.String commonParent(java.lang.String snode, java.lang.String tnode)
snode
- a directory nodetnode
- another directory nodeprivate void message(java.lang.String[] msg)
msg
- array of strings that constitutes a messageprivate void message(java.lang.String msg)
msg
- a single string that constitutes a messageprivate boolean syncAuthSettings(java.lang.String node, int authMode, java.lang.String authPlugin)
node
- Object ID for a directory node.authMode
- Authentication mode to set.authPlugin
- Authentication plugin to set.true
if successfulprivate AdminAccountExtension getExtension()
null
private boolean checkPermission()
true
if any admin permission is assignedprivate boolean checkPermissions(java.lang.String name, int[] mode)
name
- resource instance namemode
- access modes (requested permission)true
if access granted to any permissionprivate boolean checkPermission(java.lang.String name, int mode)
name
- resource instance namemode
- access mode (requested permission)true
if access grantedprivate boolean queryPermission(java.lang.String name, int mode)
name
- resource instance namemode
- access mode (requested permission)true
if access grantedprivate static boolean modifySubjectsInACLs(DirectoryService ds, java.lang.String origin, java.lang.String name, java.lang.String[] namesDel, java.lang.String[] namesAdd)
ds
- instance of DirectoryService to use (should be bound)origin
- directory path to the ACLs to process, f.i.
/security/acl/application-specific-acls
name
- subject name which works as a selector; may be
null
if no selection needednamesDel
- array of subject IDs to delete conditionally; may be
null
namesAdd
- array of subject IDs to add conditionally; may be
null
true
if successfulprivate static void subjects(java.lang.String[] args) throws ConfigurationException
args
- args[0] - the directory file to process
args[1] - the path to the ACLs
args[2] - the selector name in ""
args[3] - the names being deleted in ""
args[4] - the names being added in ""ConfigurationException
private static void migrate(java.lang.String[] args) throws ConfigurationException, java.lang.NoSuchMethodException
args
- args[0] - the directory file to process
args[1] - the path to the ACLs
args[2] - the class name for the resource pluginConfigurationException
java.lang.NoSuchMethodException
private static void johndoe(java.lang.String[] args) throws ConfigurationException, java.lang.NoSuchMethodException
args
- args[0] - the directory file to process
args[1] - the path to the ACLs
args[2] - the class name for the resource pluginConfigurationException
java.lang.NoSuchMethodException
private static void resource(java.lang.String[] args) throws ConfigurationException, java.lang.NoSuchMethodException
args
- args[0] - the directory file to process
args[1] - the path to the ACLs
args[2] - the class name for the resource pluginConfigurationException
java.lang.NoSuchMethodException
private static boolean encodeWorker(DirectoryService ds, java.lang.String attrName)
ds
- instance of DirectoryService to use (should be bound)attrName
- attribute name to take the plain text password fromtrue
if successfulprivate static void encode(java.lang.String[] args) throws ConfigurationException
args
- args[0] - the directory file to process
args[1] - the attribute name to take plain password fromConfigurationException
private static void printMessages(java.util.List<java.lang.String[]> msgBuf)
msgBuf
- Message buffer after SecurityCacheprivate static void say(java.lang.String msg)
msg
- Message to print to standard output.static void say_(java.lang.String msg)
msg
- Message to print to standard output.public static void main(java.lang.String[] args)
args
- Command line parameters. The first one specifies the utility
and the rest is utility specific. The currently implemented
utilities are: