001: package com.sun.portal.search.community;
002:
003: import java.util.List;
004: import java.util.Map;
005: import java.util.StringTokenizer;
006: import java.util.logging.Level;
007: import java.security.AccessController;
008: import javax.xml.rpc.Stub;
009: import com.iplanet.sso.SSOToken;
010: import com.iplanet.am.util.AdminUtils;
011: import com.sun.identity.security.AdminTokenAction;
012:
013: import com.sun.portal.search.util.SearchLogger;
014: import com.sun.portal.search.rdm.RDMException;
015: import com.sun.portal.search.db.SToken;
016: import com.sun.portal.search.soif.SOIF;
017:
018: import com.sun.portal.community.stubs.CommunityManagerWSInterface;
019: import com.sun.portal.community.stubs.CommunityManagerWebServices_Impl;
020: import com.sun.portal.community.RoleId;
021: import com.sun.portal.community.CommunityId;
022:
023: import com.sun.portal.admin.common.util.AdminUtil;
024: import com.sun.portal.admin.common.context.PortalDomainContext;
025: import com.sun.portal.search.db.DatabaseSecurityModule;
026: import com.sun.portal.search.db.DbManager;
027: import com.sun.portal.search.db.RDMSecurityManager;
028: import java.util.HashSet;
029: import java.util.Iterator;
030: import java.util.Properties;
031: import java.util.Set;
032:
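/**
 * {@link DatabaseSecurityModule} for community search databases
 * (databases whose name is of the form {@code community_<...>_<portalId>}).
 *
 * <p>Access decisions are driven by the community web service, which is
 * called with the portal's admin SSO token (a high-privilege credential:
 * it is passed to whatever endpoint {@link CommunityWebServiceURLHolder}
 * returns for the portal, so that URL must be trusted and, in
 * practice, served over TLS). A caller may search a secured community's
 * content only when the community is neither deleted nor disabled and
 * the caller is a privileged user, or holds the member/owner role without
 * the banned role.
 *
 * <p>Lookup failures are treated as "deny" where the original code also
 * denied (by exception); the two places that deliberately fail open are
 * marked with {@code NOTE(review)} comments below.
 */
public class CommunityDatabaseSecurityModule implements DatabaseSecurityModule {

    /** Value stored in the database entry's security-module attribute. */
    static private final String MY_NAME = "community_content";

    /** Database entry attribute holding the owning portal id. */
    static private final String DB_ATTR_PORTALID = "portalId";

    static private CommunityDatabaseSecurityModule instance = new CommunityDatabaseSecurityModule();

    /** Returns the shared singleton instance. */
    static public CommunityDatabaseSecurityModule getInstance() {
        return instance;
    }

    /**
     * Resolves the private (secured) community roles of a user.
     *
     * <p>Asks the community web service for the secured communities the
     * user is a member of and returns one {@code "<communityName>:<MEMBER_ROLE>"}
     * entry per community.
     *
     * @param dbsoif root database entry; only its {@code portalId} is read
     * @param user   user identifier passed through to the web service
     * @return the role set; empty (never {@code null}) when the lookup fails,
     *         which is the fail-closed choice for a role lookup
     */
    public Set getPrivateRoles(SOIF dbsoif, String user) {
        Set results = new HashSet();
        try {
            String portalId = dbsoif.getValue(DB_ATTR_PORTALID);
            CommunityManagerWSInterface cmwsi = getWSInterface(portalId);
            List ctys = cmwsi.getSecuredCommunityMembership(
                    getAdminSSOTokenID().toString(), user);
            if (ctys != null) {
                for (Iterator cit = ctys.iterator(); cit.hasNext();) {
                    CommunityId cId = new CommunityId((String) cit.next());
                    results.add(cId.getName() + ":" + RoleId.MEMBER_ROLE);
                }
            }
        } catch (Exception e) {
            // Logged at WARNING (not FINE) and with the stack trace: a failed
            // lookup silently strips the user's private roles, which is the
            // safe outcome but one an operator needs to be able to see.
            SearchLogger.getLogger().log(
                    Level.WARNING,
                    "Unable to resolve private community`ies for user:"
                            + user + " " + e, e);
        }
        return results;
    }

    /**
     * Decides whether the caller may run a search against a community
     * database.
     *
     * <p>Outcome by case (see inline comments for the details):
     * <ul>
     *   <li>no virtual database in the token: allowed (ReadACL filtering is
     *       left enabled on the token);</li>
     *   <li>community not secured: allowed, and search/RD filtering is
     *       switched off on the token;</li>
     *   <li>community deleted or disabled: allowed only for privileged users;</li>
     *   <li>secured community: allowed for privileged users, and for users
     *       holding the member or owner role without the banned role; in both
     *       cases the member role is recorded as the token's read ACL when an
     *       RD is supplied and filtering is switched off.</li>
     * </ul>
     * Missing or malformed data from the database entry or the web service
     * is denied.
     *
     * @param st             search token carrying the database names, the
     *                       caller's native SSO token and the filter flags
     * @param permissionName unused by this module
     * @param rd             resource descriptor being checked, may be {@code null}
     * @return {@code true} to allow, {@code false} to deny
     * @throws RDMException when an unexpected error occurs (fail closed)
     */
    public boolean checkDatabasePermission(SToken st,
            String permissionName, SOIF rd) throws RDMException {
        try {
            String physicalDBName = st.getPhysicalDBName();
            String virtualDBName = st.getVirtualDBName();

            //
            // For community databases, only super user gets to search the
            // entire database. Rest of users must have a query with virtual
            // database set in it.
            //
            // NOTE(review): this branch grants the search to every caller
            // and does not call st.setCheckSearch(false), so presumably the
            // ReadACL query filter still restricts what a non-privileged
            // caller sees -- confirm with RDMSecurityManager before relying
            // on it.
            if (virtualDBName == null || virtualDBName.length() == 0) {
                SearchLogger.getLogger().log(Level.FINE,
                        "PSSP_CSPSC0001", st.getDatabaseName());
                return true;
            }

            // Root database entry: gives us the portal whose community web
            // service owns this community.
            SOIF dbsoif = DbManager.getRootDbEntry(st, physicalDBName);
            if (dbsoif == null) {
                SearchLogger.getLogger().log(Level.WARNING,
                        "Unable to obtain root db entry for "
                                + st.getDatabaseName());
                return false;
            }
            String portalId = dbsoif.getValue(DB_ATTR_PORTALID);

            SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0002",
                    new Object[] { st.getDatabaseName(), portalId });

            // The community name is the first token of the virtual db name.
            StringTokenizer tokenizer = new StringTokenizer(
                    virtualDBName, SToken.Deliminator);
            if (!tokenizer.hasMoreTokens()) {
                SearchLogger.getLogger().log(Level.WARNING,
                        "Empty virtualdb name for " + st.getDatabaseName());
                return false;
            }
            String communityName = tokenizer.nextToken();
            SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0003",
                    new Object[] { st.getDatabaseName(), communityName });

            CommunityId cid;
            try {
                cid = new CommunityId(communityName);
            } catch (Exception ce) {
                // NOTE(review): a virtual db whose first token is not a
                // community id is allowed through (fail open), with filtering
                // left enabled on the token. Kept as-is; verify that this is
                // the intended treatment of non-community virtual databases.
                SearchLogger.getLogger().log(Level.WARNING,
                        "The virtualdb doesn't belong to anycommunity");
                return true;
            }

            CommunityManagerWSInterface cmwsi = getWSInterface(portalId);
            Properties p = cmwsi.getCommunityProperties(
                    getAdminSSOTokenID().toString(), cid.getName());

            // All three flags are required; a missing one used to raise an
            // NPE on "secured"/"disabled" and is now an explicit deny.
            String deletedValue = (p == null) ? null : p.getProperty("deleted");
            String securedValue = (p == null) ? null : p.getProperty("secured");
            String disabledValue = (p == null) ? null : p.getProperty("disabled");
            if (deletedValue == null || securedValue == null
                    || disabledValue == null) {
                SearchLogger.getLogger().log(Level.WARNING,
                        "Unable to obtain community properties");
                return false;
            }
            boolean deleted = deletedValue.equalsIgnoreCase("true");
            boolean secure = securedValue.equalsIgnoreCase("true");
            boolean disabled = disabledValue.equalsIgnoreCase("true");

            SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0004",
                    new Object[] { st.getDatabaseName(), communityName,
                            new Boolean(secure) });

            // Deleted/disabled communities: only privileged users (e.g. an
            // administrator) may still search them.
            if (deleted || disabled) {
                return RDMSecurityManager.getInstance().isPrivilegedUser(st);
            }

            // Public community: no per-user check, and no result filtering.
            if (!secure) {
                st.setCheckSearch(false);
                st.setCheckRDFilter(false);
                return true;
            }

            // Secured community: the caller must be authenticated. A missing
            // or foreign native token is a deny (the cast used to throw).
            Object nativeToken = st.getNativeToken();
            if (!(nativeToken instanceof SSOToken)) {
                SearchLogger.getLogger().log(Level.FINE,
                        "PSSP_CSPSC0005", st.getDatabaseName());
                return false;
            }
            SSOToken token = (SSOToken) nativeToken;

            String memberAcl = cid.getName() + ":" + RoleId.MEMBER_ROLE.toString();

            // Privileged users (e.g. amadmin) are always allowed.
            if (RDMSecurityManager.getInstance().isPrivilegedUser(st)) {
                grantCommunityAccess(st, rd, memberAcl);
                return true;
            }

            // Everyone else needs the member or owner role, and must not be
            // banned; the roles come from the web service, not the caller.
            String userId = token.getPrincipal().getName();
            SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0006",
                    new Object[] { st.getDatabaseName(), userId });

            List roles = cmwsi.getUserRoles(getAdminSSOTokenID(),
                    cid.getName(), userId);

            SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0007",
                    new Object[] { st.getDatabaseName(), userId, roles });

            if (hasCommunityAccess(roles)) {
                SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0008",
                        new Object[] { st.getDatabaseName(), userId });
                grantCommunityAccess(st, rd, memberAcl);
                return true;
            }
            return false;
        } catch (Throwable e) {
            // Any unexpected failure is converted to a deny-by-exception.
            SearchLogger.getLogger().log(Level.SEVERE,
                    "checkDatabasePermission failed: " + e, e);
            throw new RDMException(e.toString(), new Exception(e));
        }
    }

    /**
     * Whether a role list from the web service permits access to a secured
     * community: member or owner role present, banned role absent.
     */
    private static boolean hasCommunityAccess(List roles) {
        if (roles == null) {
            return false;
        }
        boolean memberOrOwner = roles.contains(RoleId.MEMBER_ROLE.toString())
                || roles.contains(RoleId.OWNER_ROLE.toString());
        return memberOrOwner && !roles.contains(RoleId.BANNED_ROLE.toString());
    }

    /**
     * Marks the token as allowed for a secured community: records the
     * member-role ACL (only when an RD is being checked, as before) and
     * switches off search and RD filtering.
     */
    private static void grantCommunityAccess(SToken st, SOIF rd, String memberAcl) {
        if (rd != null) {
            st.setReadAcl(memberAcl);
        }
        st.setCheckSearch(false);
        st.setCheckRDFilter(false);
    }

    /**
     * Builds a client stub for the community web service of a portal.
     *
     * <p>The endpoint address is taken from {@link CommunityWebServiceURLHolder}
     * for the given portal. Every call made through the returned stub carries
     * the admin SSO token, so that address is part of the trust boundary.
     *
     * @param portalId portal whose community web service is wanted
     * @return the stub, pointed at the portal's endpoint
     * @throws RDMException when the URL lookup fails
     */
    private CommunityManagerWSInterface getWSInterface(String portalId)
            throws RDMException {
        String url = CommunityWebServiceURLHolder.getInstance()
                .getCommunityWebServiceURL(portalId);

        SearchLogger.getLogger().log(Level.FINE, "PSSP_CSPSC0009",
                new Object[] { portalId, url });

        Stub s = (Stub) (new CommunityManagerWebServices_Impl()
                .getCommunityManagerWSInterfacePort());
        s._setProperty(javax.xml.rpc.Stub.ENDPOINT_ADDRESS_PROPERTY, url);
        return (CommunityManagerWSInterface) s;
    }

    /**
     * Returns the admin SSO token id used to authenticate to the community
     * web service. It is a credential: never log it.
     */
    private static String getAdminSSOTokenID() {
        SSOToken adminToken = (SSOToken) AccessController
                .doPrivileged(AdminTokenAction.getInstance());
        return adminToken.getTokenID().toString();
    }

    /** Module name stored in the database entry. */
    public String getName() {
        return MY_NAME;
    }

    /**
     * Claims a newly created database when its URL looks like a community
     * database ({@code community_<...>_<portalId>}, at least three
     * underscore-separated parts), stamping this module's name and the
     * portal id (the last part) into the entry.
     *
     * @param dbsoif the new database entry, may be {@code null}
     * @return {@code true} when the entry was claimed and updated
     */
    public boolean onCreateCallback(SOIF dbsoif) {
        if (dbsoif == null) {
            return false;
        }
        String dbname = dbsoif.getURL();
        if (dbname == null) {
            // Entry without a URL cannot be a community database.
            return false;
        }
        String[] nameparts = dbname.split("_");
        if (nameparts.length < 3 || !nameparts[0].equalsIgnoreCase("community")) {
            return false;
        }
        dbsoif.replace(RDMSecurityManager.DB_SECURITY_MODULE_ATTRNAME, getName());
        dbsoif.replace(DB_ATTR_PORTALID, nameparts[nameparts.length - 1]);
        return true;
    }

    /**
     * Returns the caller's private community roles for the token's physical
     * database (see {@link #getPrivateRoles}).
     *
     * @param st search token
     * @return the role set; empty when there is no usable SSO token;
     *         {@code null} for a privileged user that is not proxying
     *         (preserved from the original contract)
     * @throws Exception when the root entry is missing or belongs to another
     *                   security module
     */
    public Set getUserRoles(SToken st) throws Exception {
        Object token = st.getNativeToken();
        // Fixed: the original guard was `token == null && !(token instanceof
        // SSOToken)`, which is only true for null and let any other token
        // type fall through to a ClassCastException on the cast below.
        if (!(token instanceof SSOToken)) {
            return new HashSet();
        }
        String physicalDBName = st.getPhysicalDBName();

        SSOToken ssotoken = (SSOToken) token;
        String userDN = ssotoken.getPrincipal().getName();
        if (RDMSecurityManager.getInstance().isPrivilegedUser(st)) {
            if (st.isProxy()) {
                // A privileged proxy acts on behalf of the proxied user.
                userDN = st.getProxyDN();
            } else {
                return null;
            }
        }

        SOIF dbsoif = DbManager.getRootDbEntry(st, physicalDBName);
        if (dbsoif == null) {
            throw new Exception("db enrty not found in root db");
        }
        String module = dbsoif.getValue(RDMSecurityManager.DB_SECURITY_MODULE_ATTRNAME);
        if (!getName().equalsIgnoreCase(module)) {
            throw new Exception("SecurityModule doesn't match");
        }
        return getPrivateRoles(dbsoif, userDN);
    }

}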