Yair Zaslavsky has uploaded a new change for review.
Change subject: aaa: Fix group name issues for legacy provider
......................................................................
aaa: Fix group name issues for legacy provider
Chagning format from: authz/a/b/c/d to: a/b/c/d@authz
to conform to the users format.
Removed specific code at rest-api that handled old format.
Change-Id: I8c1feed08e33156c794b230fa04f33f2ebd82240
Topic: AAA
Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com>
---
M
backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
M
backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapBrokerUtils.java
M
backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResource.java
M
backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendUsersResource.java
M
backend/manager/modules/restapi/jaxrs/src/test/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResourceTest.java
5 files changed, 36 insertions(+), 40 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/52/32652/1
diff --git
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
index ea9cfa0..dae3df2 100644
---
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
+++
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/KerberosLdapAuthz.java
@@ -272,13 +272,13 @@
user.getSurName()
).mput(
Authz.PrincipalRecord.NAME,
- removeUpnSuffix(user.getUserName())
+ formatValue(user.getUserName(),
Authz.PrincipalRecord.NAME)
).mput(
Authz.PrincipalRecord.TITLE,
user.getTitle()
).mput(
Authz.PrincipalRecord.PRINCIPAL,
- removeUpnSuffix(user.getUserName())
+ formatValue(user.getUserName(),
Authz.PrincipalRecord.PRINCIPAL)
);
if (user.getGroups() != null) {
List<ExtMap> groups = new ArrayList<>();
@@ -327,7 +327,7 @@
String.format(
"(%1$s%2$s%3$s)", keysToAttributes.get(key),
operatorsToChars.get(queryFilterRecord.get(QueryFilterRecord.OPERATOR)),
-
removeUpnSuffix(queryFilterRecord.get(key).toString())
+ formatValue(queryFilterRecord.get(key).toString(),
key)
)
);
} else {
@@ -346,8 +346,14 @@
return query;
}
- private String removeUpnSuffix(String value) {
- return value.contains("@") ? value.substring(0, value.indexOf("@")) :
value;
+ private String formatValue(String value, ExtKey key) {
+ String result = value;
+ if (key.equals(Authz.PrincipalRecord.NAME) ||
key.equals(Authz.PrincipalRecord.PRINCIPAL)) {
+ result = value.contains("@") ? value.substring(0,
value.indexOf("@")) : value;
+ } else if (key.equals(Authz.GroupRecord.NAME)) {
+ result = value.contains("/") ?
value.substring(value.lastIndexOf('/') + 1) : value;
+ }
+ return result;
}
}
diff --git
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapBrokerUtils.java
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapBrokerUtils.java
index eec7e24..ea7e32b 100644
---
a/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapBrokerUtils.java
+++
b/backend/manager/modules/builtin-extensions/src/main/java/org/ovirt/engine/extensions/aaa/builtin/kerberosldap/LdapBrokerUtils.java
@@ -44,19 +44,25 @@
}
StringBuilder sb = new StringBuilder();
+ StringBuilder domainName = new StringBuilder();
List<Rdn> rdns = name.getRdns();
for (Rdn rdn : rdns) {
String type = rdn.getType();
String val = (String) rdn.getValue();
if (type.equalsIgnoreCase("dc")) {
- sb.insert(0, "." + val);
+ if (domainName.length() > 0) {
+ domainName.insert(0, ".");
+ }
+ domainName.insert(0, val);
continue;
+ } else {
+ sb.append("/" + val);
}
- sb.append("/" + val);
}
// remove the first "." character.
sb.delete(0, 1);
+ sb.append("@").append(domainName);
return sb.toString();
}
diff --git
a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResource.java
b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResource.java
index d524491..003b3fb 100644
---
a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResource.java
+++
b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResource.java
@@ -16,6 +16,7 @@
import org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource;
import org.ovirt.engine.api.restapi.resource.ResourceConstants;
import org.ovirt.engine.api.restapi.resource.SingleEntityResource;
+import org.ovirt.engine.api.restapi.utils.AuthzUtils;
import org.ovirt.engine.api.restapi.utils.DirectoryEntryIdUtils;
import org.ovirt.engine.core.aaa.DirectoryGroup;
import org.ovirt.engine.core.common.action.AddGroupParameters;
@@ -87,10 +88,7 @@
Response.Status.BAD_REQUEST
);
}
- else if (group.isSetName() && group.getName().contains("/")) {
- return group.getName().substring(0, group.getName().indexOf("/"));
- }
- return null;
+ return AuthzUtils.getAuthzNameFromEntityName(group.getName());
}
/**
@@ -151,7 +149,7 @@
@Override
public Response add(Group group) {
validateParameters(group, "name");
- if (!isNameContainsDomain(group)) {
+ if (AuthzUtils.getAuthzNameFromEntityName(group.getName()) == null) {
validateParameters(group, "domain.id|name");
}
String directoryName = getDirectoryName(group);
@@ -182,16 +180,11 @@
} else if (groupModel.isSetDomainEntryId()) {
return getGroupById(directoryName, namespace,
groupModel.getDomainEntryId());
} else if (groupModel.isSetName()) {
- String groupName = groupModel.getName();
- if (groupName.startsWith(directoryName + "/")) {
- int lastSlash = groupName.lastIndexOf("/");
- groupName = groupName.substring(lastSlash + 1);
- }
return getEntity(
- DirectoryGroup.class,
- SearchType.DirectoryGroup,
- getDirectoryGroupSearchPattern(groupName, directoryName)
- );
+ DirectoryGroup.class,
+ SearchType.DirectoryGroup,
+
getDirectoryGroupSearchPattern(AuthzUtils.getEntityNameWithoutAuthz(groupModel.getName()),
directoryName)
+ );
}
return null;
@@ -210,11 +203,6 @@
@Override
public Response performRemove(String id) {
return performAction(VdcActionType.RemoveGroup, new
IdParameters(asGuid(id)));
- }
-
- private boolean isNameContainsDomain(Group group) {
- String name = group.getName();
- return name.contains("/") && name.indexOf('/') != name.length() - 1;
}
}
diff --git
a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendUsersResource.java
b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendUsersResource.java
index fe0a8dd..6273f88 100644
---
a/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendUsersResource.java
+++
b/backend/manager/modules/restapi/jaxrs/src/main/java/org/ovirt/engine/api/restapi/resource/aaa/BackendUsersResource.java
@@ -19,6 +19,7 @@
import org.ovirt.engine.api.restapi.resource.AbstractBackendCollectionResource;
import org.ovirt.engine.api.restapi.resource.ResourceConstants;
import org.ovirt.engine.api.restapi.resource.SingleEntityResource;
+import org.ovirt.engine.api.restapi.utils.AuthzUtils;
import org.ovirt.engine.api.restapi.utils.DirectoryEntryIdUtils;
import org.ovirt.engine.core.aaa.DirectoryUser;
import org.ovirt.engine.core.common.action.AddUserParameters;
@@ -93,10 +94,7 @@
}
throw new WebFaultException(null, "Domain: '" +
user.getDomain().getId().toString() + "' does not exist.",
Response.Status.BAD_REQUEST);
}
- else if (isNameContainsDomain(user)) {
- return
user.getUserName().substring(user.getUserName().lastIndexOf("@") + 1);
- }
- return null;
+ return AuthzUtils.getAuthzNameFromEntityName(user.getUserName());
}
/**
@@ -174,7 +172,7 @@
@Override
public Response add(User user) {
validateParameters(user, "userName");
- if (!isNameContainsDomain(user)) {// user-name may contain the domain
(e.g: ol...@xxx.yyy)
+ if (AuthzUtils.getAuthzNameFromEntityName(user.getUserName()) == null)
{// user-name may contain the domain (e.g: ol...@xxx.yyy)
validateParameters(user, "domain.id|name");
}
String domain = getDomain(user);
@@ -187,11 +185,6 @@
AddUserParameters parameters = new AddUserParameters(new
DbUser(directoryUser));
QueryIdResolver<Guid> resolver = new
QueryIdResolver<>(VdcQueryType.GetDbUserByUserId, IdQueryParameters.class);
return performCreate(VdcActionType.AddUser, parameters, resolver,
BaseResource.class);
- }
-
- private boolean isNameContainsDomain(User user) {
- return ((user.getUserName().contains("@")) &&
(user.getUserName().lastIndexOf('@') != user.getUserName()
- .length() - 1));
}
/**
@@ -217,7 +210,7 @@
DirectoryUser.class,
SearchType.DirectoryUser,
getDirectoryUserSearchPattern(
- isNameContainsDomain(user) ?
user.getUserName().substring(0, user.getUserName().lastIndexOf("@")) :
user.getUserName(),
+
AuthzUtils.getEntityNameWithoutAuthz(user.getUserName()),
user.getNamespace(),
directoryName)
);
diff --git
a/backend/manager/modules/restapi/jaxrs/src/test/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResourceTest.java
b/backend/manager/modules/restapi/jaxrs/src/test/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResourceTest.java
index 7999513..12c286c 100644
---
a/backend/manager/modules/restapi/jaxrs/src/test/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResourceTest.java
+++
b/backend/manager/modules/restapi/jaxrs/src/test/java/org/ovirt/engine/api/restapi/resource/aaa/BackendGroupsResourceTest.java
@@ -45,11 +45,14 @@
* searches, thus then must have the same format that we generate when
searching in directories.
*/
private static final String[] GROUP_NAMES;
+ private static final String[] GROUP_NAMES_WITH_NO_DOMAIN;
static {
GROUP_NAMES = new String[NAMES.length];
+ GROUP_NAMES_WITH_NO_DOMAIN = new String[NAMES.length];
for (int i = 0; i < NAMES.length; i++) {
- GROUP_NAMES[i] = DOMAIN + "/Groups/" + NAMES[i];
+ GROUP_NAMES_WITH_NO_DOMAIN[i] = "Groups/" + NAMES[i];
+ GROUP_NAMES[i] = GROUP_NAMES_WITH_NO_DOMAIN[i] + "@" + DOMAIN;
}
}
@@ -205,7 +208,7 @@
public void testAddGroupWithExplicitDirectoryName() throws Exception {
setUriInfo(setUpBasicUriExpectations());
setUpGetEntityExpectations(
- "ADGROUP@" + DOMAIN + ":: name=" + NAMES[0],
+ "ADGROUP@" + DOMAIN + ":: name=" +
GROUP_NAMES_WITH_NO_DOMAIN[0],
SearchType.DirectoryGroup,
getDirectoryGroup(0)
);
@@ -244,7 +247,7 @@
public void testAddGroupWithImplicitDirectoryName() throws Exception {
setUriInfo(setUpBasicUriExpectations());
setUpGetEntityExpectations(
- "ADGROUP@" + DOMAIN + ":: name=" + NAMES[0],
+ "ADGROUP@" + DOMAIN + ":: name=" +
GROUP_NAMES_WITH_NO_DOMAIN[0],
SearchType.DirectoryGroup,
getDirectoryGroup(0)
);
--
To view, visit http://gerrit.ovirt.org/32652
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I8c1feed08e33156c794b230fa04f33f2ebd82240
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
