Hi Jeffery, that´s in any case very cool to do this fluxTooling! ;-)
I checked out your GitHub project fluxtest and I may have found the bug (in Turbine). The issue is that the Turbine service class org.apache.turbine.services.security.DefaultSecurityService implementing org.apache.turbine.services.security.SecurityService requires as user model org.apache.turbine.om.security.User (=User). On the other side the Fulcrum implementation of the grant method uses a method (update) (defined in org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity) seems to expect as contract fulcrum user object, but also TorqueAbstractSecurityEntity, which is implemented by the Turbineuser om class by extending the appropriate baseClass org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineUser in the schema (= TurbineUser). How to match this? It WOULD be possible to retrieve the backing TurbineUser object from the User with the getUserDelegate() method. But the interface TurbineUserDelegate is not part of the contract of turbine.om.security.User (though DefaultUserImpl DOES implement TurbineUserDelegate) this is somewhat hidden in the SecurityService (a cast would be required later on). The easiest and most transparent solution would be (in my view), that org.apache.turbine.om.security.User interface extends TurbineUserDelegate and that at one point the delegate is called (as the TurbineUser OM class does implement Fulcrum TurbineUser, which implements Fulcrum User this would be no problem. We have to call getUserDelegate before the modelManager grant method is called, i.e. in DefaultSecurityService). No other changes seem to be needed .. I'll create an issue in TRB JIRA as soon as possible.. As a result you may have to use the Torque mapper for now, cft. your action FluxUserAction, cft. the github patch (https://github.com/jlpainter/turbine-flux/pull/1, you might just review the changes). I posted a copy to the dev list, where the discussion might continue ... Best regards, Georg Von: Jeffery Painter <[email protected]> An: [email protected] Datum: 18.11.2017 00:43 Betreff: Re: Problem with grant and revoke user roles in turbine-4 I gave it one last shot, but I am still having trouble with casting the user object. The security service seems to only want to give me the wrapper version and I cannot cast it to anything that the removeUser() method likes.... maybe you can take a look at the following method. Here is my logging output. 2017-11-17 18:32:39,818 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - getUser() type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper 2017-11-17 18:32:41,105 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - o.a.t.o.s.User type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper 2017-11-17 18:32:42,598 [http-nio-8080-exec-4] DEBUG org.apache.turbine.flux.modules.actions.user.FluxUserAction - o.a.f.s.m.t.e.TurbineUser type: org.apache.turbine.fluxtest.wrapper.TurbineUserWrapper 2017-11-17 18:33:06,031 [http-nio-8080-exec-4] ERROR org.apache.turbine.flux.modules.actions.user.FluxUserAction - Could not remove user: org.apache.fulcrum.security.util.UnknownEntityException: Could not find User/Group/Role and the method call I am trying to use to delete the user... /** * ActionEvent responsible for removing a user from the Tambora system. */ public void doDelete(PipelineData pipelineData, Context context) throws Exception { try { RunData data = getRunData(pipelineData); String username = data.getParameters().getString("username"); if (!StringUtils.isEmpty(username)) { if (security.accountExists(username)) { // this is always returning the wrapper version of our user User user1 = security.getUser(username); log.debug("getUser() type: " + user1.getClass().getTypeName().toString() ); // same and does not work User user2 = (org.apache.turbine.om.security.User) security.getUser(username); log.debug("o.a.t.o.s.User type: " + user2.getClass().getTypeName().toString() ); // no change - and you cannot use the interface class as a parameter to the removeUser method org.apache.fulcrum.security.model.turbine.entity.TurbineUser user3 = (org.apache.fulcrum.security.model.turbine.entity.TurbineUser) security.getUser(username); log.debug("o.a.f.s.m.t.e.TurbineUser type: " + user3.getClass().getTypeName().toString() ); // Tried using reflection to cast and still doesn't work org.apache.turbine.om.security.User forceUser = org.apache.turbine.om.security.User.class.cast( security.getUser(username) ); log.debug("o.a.t.o.s.User type: " + forceUser.getClass().getTypeName().toString() ); //security.revokeAll(user); // remove user does the revokeAll above... security.removeUser(forceUser); } else { log.error("User does not exist!"); } } } catch (Exception e) { log.error("Could not remove user: " + e); } } On 11/17/2017 06:03 PM, Jeffery Painter wrote: > Hi Georg, > > I did a quick test on the remove role method with the following change > and it works. My problem with role removal was that in my test case, > the role was associated with users and could not be removed. Maybe a > better error message would help? :-) The user management needs a bit > more work as well to make it comply with the SecurityService. I will > work on that. The old flux tool also had some weirdness in the way it > handled the getRole() getGroup() getUser() method where it was caching > the last loaded entry... I am fixing that as well. > > I inserted a few new roles and was able to remove them. I am working > on updating the rest of the FluxTool methods so they behave > appropriately. When I get it into decent shape, I will push updates > to my github project for you to test out if you like before we make a > space to put it into the apache source control. > > That will most likely be after Nov 25th when I get back into town. Who > knows - if I get bored, I may open up some code on my laptop, but not > likely as we are going on a cruise where it will be nice and warm! > > Thanks, > Jeff > > > > On 11/17/2017 05:17 PM, Georg Kallidis wrote: >> Hi Jeff, >> >> as far as I can see, I assume the implementation class might be >> TorqueTurbineModelManagerImpl? Could you check this? Your second >> attempt may be indeed close, but the reason is missing. Could you >> provide the stack/cause of the exception? >> >> Probably, if this is the case, at this point of the code of the model >> manager the role, group and user are already checked, but what might >> have caused the exception is a failing cast to >> >> - org.apache.fulcrum.security.model.turbine.entity.TurbineUser of the >> user object or >> - >> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity >> of any of the objects, which may be the reason, if in your schema the >> baseclass attribute is not set to >> org.apache.fulcrum.security.torque.turbine.DefaultAbstractTurbineXXX >> (XXX = User|Role|Group) class (or another class implementing the >> required interface, cft. the example torque-security-schem.xml in the >> Turbine webapp archetype)... >> >> And thanks for your efforts to migrate / use the flux library! >> >> Best regards, Georg >> >> -----Jeffery Painter <[email protected]> schrieb: ----- >> An: [email protected] >> Von: Jeffery Painter <[email protected]> >> Datum: 16.11.2017 23:29 >> Betreff: Re: Problem with grant and revoke user roles in turbine-4 >> >> I looked a little more at the test cases, and got my code setup enough >> to try and call the fulcrum security service directly... >> >> // try using fulcrum service >> ((TurbineModelManager)fulcrumSecurityService.getModelManager()).grant(fulcrumUser, >> >> group, role); >> >> The error logs are still reporting problems: >> >> I verified that this loaded the user "dean" from the database as a >> fulcrumUser and it came through with a class type of >> com.jivecast.smartorder.om.TurbineUser rather than the wrapper that the >> turbine security service provided. and now I get a DataBackendException >> error on the grant call... >> >> 2017-11-16 17:24:43,722 [http-nio-8080-exec-3] DEBUG avalon - Located >> the service 'org.apache.fulcrum.security.UserManager' in the local >> container >> 2017-11-16 17:24:47,895 [http-nio-8080-exec-3] DEBUG >> com.jivecast.smartorder.modules.actions.admin.UserAction - fulcrumUser: >> com.jivecast.smartorder.om.TurbineUser >> 2017-11-16 17:24:54,147 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >> 2017-11-16 17:24:55,750 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >> 2017-11-16 17:24:56,031 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >> 2017-11-16 17:24:56,315 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >> 2017-11-16 17:24:56,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >> 2017-11-16 17:25:03,129 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >> 2017-11-16 17:25:03,143 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >> 2017-11-16 17:25:09,097 [http-nio-8080-exec-3] DEBUG >> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new >> role to user: inventory >> 2017-11-16 17:25:10,535 [http-nio-8080-exec-3] DEBUG avalon - Located >> the service 'org.apache.fulcrum.security.ModelManager' in the local >> container >> 2017-11-16 17:25:10,545 [http-nio-8080-exec-3] DEBUG avalon - Located >> the service 'org.apache.fulcrum.security.RoleManager' in the local >> container >> 2017-11-16 17:25:10,547 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@1f7f807 >> 2017-11-16 17:25:10,560 [http-nio-8080-exec-3] DEBUG avalon - Located >> the service 'org.apache.fulcrum.security.UserManager' in the local >> container >> 2017-11-16 17:25:10,561 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@86cedb4 >> 2017-11-16 17:25:10,598 [http-nio-8080-exec-3] DEBUG avalon - Located >> the service 'org.apache.fulcrum.security.GroupManager' in the local >> container >> 2017-11-16 17:25:10,599 [http-nio-8080-exec-3] DEBUG avalon.peerManager >> - get cached >> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@3ccc32c >> 2017-11-16 17:25:25,202 [http-nio-8080-exec-3] ERROR >> com.jivecast.smartorder.modules.actions.admin.UserAction - Error setting >> roles: org.apache.fulcrum.security.util.DataBackendException: >> grant('dean', 'global', 'inventory') failed >> >> >> any ideas? >> >> -- >> Jeff >> >> >> >> On 11/16/2017 05:00 PM, Jeffery Painter wrote: >>> Hi Georg, >>> >>> I am making some good progress. I don't know if you remember the old >>> flux library for user management, but I have started to re-write that >>> to work with Turbine 4.0. I am having some troubles however with the >>> grant/revoke roles with casting the user object incorrectly from the >>> TurbineWrapper class. Can you help me with the issue I am having >>> below? I looked at the unit tests in the Turbine source for >>> inspiration on migrating, but it isn't recognizing the user class >>> properly. I even tried to manually downcast (see my code below), and >>> still cannot make it work. >>> >>> If I can get this all working, I thought it might be useful to publish >>> a new flux library compatible with Turbine-4.0 for user management as >>> a guide to others on how to get started. >>> >>> >>> My logs show the following error when calling the grant/revoke method >>> on the security service when trying to add the "inventory" role to a >>> user: >>> >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>> com.jivecast.smartorder.modules.actions.admin.UserAction - Adding new >>> role to user: inventory >>> >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located >>> the service 'org.apache.fulcrum.security.RoleManager' in the local >>> container >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>> avalon.peerManager - get cached >>> PeerInstance():com.jivecast.smartorder.om.TurbineRolePeerImpl@71897a2b >>> >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located >>> the service 'org.apache.fulcrum.security.UserManager' in the local >>> container >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>> avalon.peerManager - get cached >>> PeerInstance():com.jivecast.smartorder.om.TurbineUserPeerImpl@448e6624 >>> >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG avalon - Located >>> the service 'org.apache.fulcrum.security.GroupManager' in the local >>> container >>> 2017-11-16 16:49:26,918 [http-nio-8080-exec-13] DEBUG >>> avalon.peerManager - get cached >>> PeerInstance():com.jivecast.smartorder.om.TurbineGroupPeerImpl@151d470d >>> >>> 2017-11-16 16:49:26,919 [http-nio-8080-exec-13] ERROR >>> com.jivecast.smartorder.modules.actions.admin.UserAction - Error >>> setting roles: java.lang.ClassCastException: >>> com.jivecast.smartorder.wrapper.TurbineUserWrapper cannot be cast to >>> org.apache.fulcrum.security.torque.security.TorqueAbstractSecurityEntity >>> >>> >>> >>> Here is the relevant code in my doRoles() method to make the new >>> assignment... it is modeled after the old flux methods: >>> >>> I have the following import: >>> >>> import org.apache.turbine.services.security.SecurityService; >>> >>> and in the body of the class, I use the injection to get the instance >>> mapped >>> >>> /** Injected service instance */ >>> @TurbineService >>> private SecurityService security; >>> >>> .... then my action class method is called doRoles() which does the >>> role assignment and fails >>> >>> /** >>> * Update the roles that are to assigned to a user for a project. >>> */ >>> public void doRoles(PipelineData pipelineData, Context context) >>> throws Exception { >>> >>> try { >>> >>> RunData data = getRunData(pipelineData); >>> >>> // Get the Turbine ACL implementation for our current >>> user, only admin can update user roles >>> TurbineAccessControlList adminAcl = >>> getRunData(data).getACL(); >>> if (adminAcl.hasRole("administrator")) { >>> >>> // Username of the account we are updating >>> String username = >>> data.getParameters().getString("username"); >>> if (security.accountExists(username)) { >>> >>> // Try to downcast for the security grant function >>> org.apache.turbine.om.security.User user = >>> (org.apache.turbine.om.security.User) security.getUser(username); >>> >>> // Get the Turbine ACL implementation >>> TurbineAccessControlList acl = >>> security.getACL(user); >>> >>> /* >>> * Grab all the Groups and Roles in the system. >>> */ >>> GroupSet groups = security.getAllGroups(); >>> RoleSet roles = security.getAllRoles(); >>> >>> for (Group group : groups) { >>> String groupName = group.getName(); >>> for (Role role : roles) { >>> String roleName = role.getName(); >>> >>> /* >>> * In the UserRoleForm.vm we made a >>> checkbox for every possible Group/Role >>> * combination so we will compare every >>> possible combination with the values >>> * that were checked off in the form. If >>> we have a match then we will grant the >>> * user the role in the group. >>> */ >>> String groupRole = groupName + roleName; >>> String formGroupRole = >>> data.getParameters().getString(groupRole); >>> >>> if (formGroupRole != null && >>> !acl.hasRole(role, group)) { >>> // add the role for this user >>> if (acl.hasRole(role) == false) { >>> log.debug("Adding new role to >>> user: " + role.getName()); >>> security.grant(user, group, role); >>> } >>> } else if (formGroupRole == null && >>> acl.hasRole(role, group)) { >>> // revoke the role for this user >>> log.debug("Revoke role: " + >>> role.getName()); >>> security.revoke(user, group, role); >>> } >>> } >>> } >>> >>> } else { >>> log.error("User does not exist!"); >>> } >>> } else { >>> data.setMessage("You do not have access to perform >>> this action."); >>> } >>> } catch (Exception e) { >>> log.error("Error setting roles: " + e.toString()); >>> } >>> >>> } >>> >>> > -- Jeff Painter CEO and Founder of JiveCast Software and analytics, made together http://jivecast.com 301 Fayetteville St. Unit 2301, Raleigh, NC 27601 (919) 533-9024 --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
