Commit 1c2f213b authored by juanf's avatar juanf

CCS-75 / SP-1150: Design a maintenance task to revoke user access privileges. Generic Version.

SVN: 30455
parent 52d33f94
...@@ -235,6 +235,15 @@ public class StackedAuthenticationService implements IAuthenticationService ...@@ -235,6 +235,15 @@ public class StackedAuthenticationService implements IAuthenticationService
} }
return principals; return principals;
} }
public boolean allServicesSupportListingByUserId() {
boolean result = true;
for (IAuthenticationService service : delegates)
{
result = result && service.supportsListingByUserId();
}
return result;
}
@Override @Override
public boolean supportsListingByEmail() public boolean supportsListingByEmail()
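Review bot: `allServicesSupportListingByUserId` keeps iterating after the first delegate answers false, and it answers true for an empty `delegates` list, which a caller might not expect from a method named "all services support". A guard-clause form makes both properties visible and stops early: `for (IAuthenticationService service : delegates) { if (false == service.supportsListingByUserId()) { return false; } } return true;`. The new public method also has no Javadoc; a one-liner such as `/** Returns {@code true} only if every delegate supports listing principals by user id (vacuously true when there are no delegates). */` would document the empty-list case explicitly.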
...@@ -25,9 +25,8 @@ import java.util.Properties; ...@@ -25,9 +25,8 @@ import java.util.Properties;
import org.apache.log4j.Logger; import org.apache.log4j.Logger;
import ch.systemsx.cisd.authentication.Principal; import ch.systemsx.cisd.authentication.IAuthenticationService;
import ch.systemsx.cisd.authentication.ldap.LDAPDirectoryConfiguration; import ch.systemsx.cisd.authentication.stacked.StackedAuthenticationService;
import ch.systemsx.cisd.authentication.ldap.LDAPPrincipalQuery;
import ch.systemsx.cisd.common.logging.LogCategory; import ch.systemsx.cisd.common.logging.LogCategory;
import ch.systemsx.cisd.common.logging.LogFactory; import ch.systemsx.cisd.common.logging.LogFactory;
import ch.systemsx.cisd.common.maintenance.IMaintenanceTask; import ch.systemsx.cisd.common.maintenance.IMaintenanceTask;
...@@ -43,50 +42,52 @@ import ch.systemsx.cisd.openbis.generic.shared.dto.RoleAssignmentPE; ...@@ -43,50 +42,52 @@ import ch.systemsx.cisd.openbis.generic.shared.dto.RoleAssignmentPE;
import ch.systemsx.cisd.openbis.generic.shared.dto.SessionContextDTO; import ch.systemsx.cisd.openbis.generic.shared.dto.SessionContextDTO;
/** /**
* {@link IMaintenanceTask} to revoke access to delete LDAP users. * {@link IMaintenanceTask} to revoke access to users not present on the authentication service anymore.
* *
* @author Juan Fuentes * @author Juan Fuentes
*/ */
public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask { public class RevokeUserAccessMaintenanceTask implements IMaintenanceTask {
private static final Logger operationLog = LogFactory.getLogger( private static final Logger operationLog = LogFactory.getLogger(LogCategory.OPERATION, RevokeUserAccessMaintenanceTask.class);
LogCategory.OPERATION, RevokeLDAPUserAccessMaintenanceTask.class); private static final String AUTH_SERVICE_BEAN = "authentication-service";
private static final IAuthenticationService authService;
private LDAPDirectoryConfiguration config;
private LDAPPrincipalQuery query; static {
IAuthenticationService authServiceAux = (IAuthenticationService) CommonServiceProvider.tryToGetBean(AUTH_SERVICE_BEAN);
private static final String SERVER_URL_KEY = "server-url";
private static final String SECURITY_PRINCIPAL_DISTINGUISHED_NAME_KEY = "security-principal-distinguished-name"; if (authServiceAux instanceof StackedAuthenticationService && ((StackedAuthenticationService) authServiceAux).allServicesSupportListingByUserId())
private static final String SECURITY_PRINCIPAL_PASSWORD_KEY = "security-principal-password"; {
authService = authServiceAux;
} else if(authServiceAux.supportsListingByUserId())
{
authService = authServiceAux;
}
else
{
authService = null;
}
}
@Override @Override
public void setUp(String pluginName, Properties properties) { public void setUp(String pluginName, Properties properties) {
operationLog.info("Task " + pluginName + " initialized."); operationLog.info("Task " + pluginName + " initialized.");
config = new LDAPDirectoryConfiguration();
config.setServerUrl(properties.getProperty(SERVER_URL_KEY));
config.setSecurityPrincipalDistinguishedName(properties
.getProperty(SECURITY_PRINCIPAL_DISTINGUISHED_NAME_KEY));
config.setSecurityPrincipalPassword(properties
.getProperty(SECURITY_PRINCIPAL_PASSWORD_KEY));
config.setQueryEmailForAliases("true");
config.setTimeoutStr("1000");
config.setTimeToWaitAfterFailureStr("1000");
query = new LDAPPrincipalQuery(config);
} }
@Override @Override
public void execute() { public void execute()
{
operationLog.info("execution started"); operationLog.info("execution started");
//0. Initial Check
if(authService == null)
{
operationLog.info("This plugin doesn't work with authentication services that don't support listing by user idt.");
return;
}
// 1. Grab all users, user roles and user authorization groups // 1. Grab all users, user roles and user authorization groups
IPersonDAO personDAO = CommonServiceProvider.getDAOFactory() IPersonDAO personDAO = CommonServiceProvider.getDAOFactory().getPersonDAO();
.getPersonDAO(); IRoleAssignmentDAO rolesDAO = CommonServiceProvider.getDAOFactory().getRoleAssignmentDAO();
IRoleAssignmentDAO rolesDAO = CommonServiceProvider.getDAOFactory()
.getRoleAssignmentDAO();
// Used to manage the authorization groups since the IPersonDAO throw a session exception when accessing this information. // Used to manage the authorization groups since the IPersonDAO throw a session exception when accessing this information.
ICommonServerForInternalUse server = CommonServiceProvider ICommonServerForInternalUse server = CommonServiceProvider.getCommonServer();
.getCommonServer();
SessionContextDTO contextOrNull = server.tryToAuthenticateAsSystem(); SessionContextDTO contextOrNull = server.tryToAuthenticateAsSystem();
List<PersonPE> people = personDAO.listActivePersons(); List<PersonPE> people = personDAO.listActivePersons();
...@@ -95,14 +96,16 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask { ...@@ -95,14 +96,16 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask {
List<PersonPE> peopleToRevoke = new ArrayList<PersonPE>(); List<PersonPE> peopleToRevoke = new ArrayList<PersonPE>();
// 3. Check if the users exists on LDAP currently // 3. Check if the users exists on LDAP currently
personCheck: for (PersonPE person : people) { personCheck:
if (false == person.isSystemUser() && person.isActive() for (PersonPE person : people)
&& false == isUserAtLDAP(person.getUserId())) { {
if (false == person.isSystemUser() && person.isActive() && false == isUserValid(person.getUserId()))
List<RoleAssignmentPE> roles = rolesDAO {
.listRoleAssignmentsByPerson(person); List<RoleAssignmentPE> roles = rolesDAO.listRoleAssignmentsByPerson(person);
for (RoleAssignmentPE role : roles) { for (RoleAssignmentPE role : roles)
if (role.getRole().name().equals("ETL_SERVER")) { {
if (role.getRole().name().equals("ETL_SERVER"))
{
continue personCheck; continue personCheck;
} }
} }
...@@ -110,33 +113,31 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask { ...@@ -110,33 +113,31 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask {
} }
} }
// 4. If is not found on the LDAP, revoke access // 4. If is not found on the authentication service, revoke access
for (PersonPE person : peopleToRevoke) { for (PersonPE person : peopleToRevoke)
{
String userIdToRevoke = person.getUserId(); String userIdToRevoke = person.getUserId();
operationLog.info("person " + userIdToRevoke operationLog.info("person " + userIdToRevoke + " is going to be revoked.");
+ " is going to be revoked.");
// Delete person roles // Delete person roles
for (RoleAssignmentPE role : rolesDAO for (RoleAssignmentPE role : rolesDAO.listRoleAssignmentsByPerson(person))
.listRoleAssignmentsByPerson(person)) { {
rolesDAO.delete(role); rolesDAO.delete(role);
} }
// Delete person from groups // Delete person from groups
List<AuthorizationGroup> groups = server List<AuthorizationGroup> groups = server.listAuthorizationGroups(contextOrNull.getSessionToken());
.listAuthorizationGroups(contextOrNull.getSessionToken());
for (AuthorizationGroup group : groups)
for (AuthorizationGroup group : groups) { {
List<Person> peopleInGroup = server List<Person> peopleInGroup = server.listPersonInAuthorizationGroup(contextOrNull.getSessionToken(), new TechId(group.getId()));
.listPersonInAuthorizationGroup(contextOrNull for (Person personInGroup : peopleInGroup)
.getSessionToken(), new TechId(group.getId())); {
for (Person personInGroup : peopleInGroup) { if (personInGroup.getUserId().equals(userIdToRevoke))
if (personInGroup.getUserId().equals(userIdToRevoke)) { {
List<String> toRemoveFromGroup = new ArrayList<String>(); List<String> toRemoveFromGroup = new ArrayList<String>();
toRemoveFromGroup.add(person.getUserId()); toRemoveFromGroup.add(person.getUserId());
server.removePersonsFromAuthorizationGroup( server.removePersonsFromAuthorizationGroup(contextOrNull.getSessionToken(), new TechId(group.getId()), toRemoveFromGroup);
contextOrNull.getSessionToken(), new TechId(
group.getId()), toRemoveFromGroup);
} }
} }
} }
...@@ -146,16 +147,17 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask { ...@@ -146,16 +147,17 @@ public class RevokeLDAPUserAccessMaintenanceTask implements IMaintenanceTask {
person.setActive(false); person.setActive(false);
personDAO.updatePerson(person); personDAO.updatePerson(person);
operationLog operationLog.info("person " + userIdToRevoke + " has been revoked.");
.info("person " + userIdToRevoke + " has been revoked.");
} }
operationLog.info("task executed"); operationLog.info("task executed");
} }
private boolean isUserAtLDAP(String userId) { /*
List<Principal> principals = query.listPrincipalsByUserId(userId); * We can only delete the users if, the Principals are listable and they are not available.
return false == principals.isEmpty(); */
private boolean isUserValid(String userId) {
return authService.supportsListingByUserId() && false == authService.listPrincipalsByUserId(userId).isEmpty();
} }
private String getTimeStamp() { private String getTimeStamp() {
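Review bot: The static initializer dereferences `authServiceAux` in the `else if(authServiceAux.supportsListingByUserId())` branch without a null check, although it comes from `tryToGetBean`, whose name suggests it may return null; a null bean would then abort class loading with an `ExceptionInInitializerError` instead of reaching the "0. Initial Check" guard in `execute()` that already handles `authService == null`. Prefixing the chain with `if (authServiceAux == null) { authService = null; } else if (authServiceAux instanceof StackedAuthenticationService && ...)` lets that guard do its job. Separately, `isUserValid` treats an empty `listPrincipalsByUserId` result as "revoke", so any `IAuthenticationService` that returns an empty list rather than throwing when it is unreachable would cause every active non-ETL user to be deactivated and stripped of roles in a single run; the LDAP-only code had the same shape, but now that the task is generic it is worth confirming that contract for each supported service and logging or aborting when the listing is implausibly empty. The info message added at the top of `execute()` also has a typo: `"... don't support listing by user idt."` should read `"... don't support listing by user id."`.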