src/main/java/org/apache/directory/fortress/core/impl/SDUtil.java - directory-fortress-core - Git at Google

 /*
  *   Licensed to the Apache Software Foundation (ASF) under one
  *   or more contributor license agreements.  See the NOTICE file
  *   distributed with this work for additional information
  *   regarding copyright ownership.  The ASF licenses this file
  *   to you under the Apache License, Version 2.0 (the
  *   "License"); you may not use this file except in compliance
  *   with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  *   Unless required by applicable law or agreed to in writing,
  *   software distributed under the License is distributed on an
  *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  *   KIND, either express or implied.  See the License for the
  *   specific language governing permissions and limitations
  *   under the License.
  *
  */
 package org.apache.directory.fortress.core.impl;

 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;

 import net.sf.ehcache.search.Attribute;
 import net.sf.ehcache.search.Query;
 import net.sf.ehcache.search.Result;
 import net.sf.ehcache.search.Results;

 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.directory.api.ldap.model.constants.SchemaConstants;
 import org.apache.directory.fortress.core.*;
 import org.apache.directory.fortress.core.SecurityException;
 import org.apache.directory.fortress.core.model.*;
 import org.apache.directory.fortress.core.util.Config;
 import org.apache.directory.fortress.core.util.cache.Cache;
 import org.apache.directory.fortress.core.util.cache.CacheMgr;
 import org.apache.directory.fortress.core.util.cache.DsdCacheEntry;

 /**
  * This utilty provides functionality necessary for SSD and DSD processing and cannot be called by components outside fortress.
  * This class also contains utility functions for maintaining the SSD and DSD cache.
  * <p>
  * This class is thread safe.
  *
  * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
  * @created September 3, 2010
  */
 final class SDUtil
 {
     private Cache m_dsdCache;
     private static final String FORTRESS_DSDS = "fortress.dsd";
     private Cache m_ssdCache;
     private static final String FORTRESS_SSDS = "fortress.ssd";
     private SdP sp;
     private static final String IS_DSD_CACHE_DISABLED_PARM = "enable.dsd.cache";
     private static final String DSD_NAME = "name";
     private static final String EMPTY_ELEMENT = "empty";
     private static final String CONTEXT_ID = "contextId";

     private static volatile SDUtil sINSTANCE = null;

     static SDUtil getInstance()
     {
         if(sINSTANCE == null)
         {
             synchronized (SDUtil.class)
             {
                 if(sINSTANCE == null)
                 {
                     sINSTANCE = new SDUtil();
                 }
             }
         }
         return sINSTANCE;
     }

     private void init()
     {
         sp = new SdP();

         // Get a reference to the CacheManager Singleton object:
         CacheMgr cacheMgr = CacheMgr.getInstance();
         // This cache contains a wrapper entry for DSD and is searchable by both DSD and Role name:
         m_dsdCache = cacheMgr.getCache(FORTRESS_DSDS);
         // This cache is not searchable and contains Lists of SSD objects by Role:
         m_ssdCache = cacheMgr.getCache(FORTRESS_SSDS);
     }

     /**
      * Private constructor
      *
      */
     private SDUtil()
     {
         init();
     }

     /**
      * This method is called by AdminMgr.assignUser and is used to validate Static Separation of Duty
      * constraints when assigning a role to user.
      *
      * @param uRole
      * @throws org.apache.directory.fortress.core.SecurityException
      *
      */
     void validateSSD(UserRole uRole)
         throws SecurityException
     {
         validateSSD(new User(uRole.getUserId()), new Role(uRole.getName()));
     }

     /**
      * This method is called by AdminMgr.assignUser and is used to validate Static Separation of Duty
      * constraints when assigning a role to user.
      *
      * @param user
      * @param role
      * @throws org.apache.directory.fortress.core.SecurityException
      *
      */
     void validateSSD(User user, Role role)
         throws SecurityException
     {
         // get all authorized roles for user
         String contextId = user.getContextId();
         ReviewMgr rMgr = ReviewMgrFactory.createInstance( contextId );
         Set<String> rls = rMgr.authorizedRoles( user );

         checkSSD( role, rls, contextId);
     }

     /**
      * This method is called by GroupMgr.assign and is used to validate Static Separation of Duty
      * constraints when assigning a role to group.
      *
      * @param group
      * @param role
      * @throws org.apache.directory.fortress.core.SecurityException
      *
      */
     void validateSSD( Group group, Role role ) throws SecurityException
     {
         // get all authorized roles for this group
         String contextId = group.getContextId();
         GroupMgr groupMgr = GroupMgrFactory.createInstance(contextId);
         List<UserRole> roles = groupMgr.groupRoles( group );
         Set<String> rls = RoleUtil.getInstance().getInheritedRoles( roles, contextId);
         // check SSD constraints
         checkSSD( role, rls, contextId);
     }

     private void checkSSD( Role role, Set<String> authorizedRls, String contextId ) throws SecurityException
     {
         int matchCount;
         // Need to proceed?
         if (CollectionUtils.isEmpty( authorizedRls ))
         {
             return;
         }

         // get all SSD sets that contain the new role
         List<SDSet> ssdSets = getSsdCache( role.getName(), contextId );
         for ( SDSet ssd : ssdSets )
         {
             matchCount = 0;
             Set<String> map = ssd.getMembers();
             // iterate over every authorized role for user/group:
             for ( String authRole : authorizedRls )
             {
                 // is there a match found between authorized role and SSD set's members?
                 if ( map.contains( authRole ) )
                 {
                     matchCount++;
                     // does the match count exceed the cardinality allowed for this particular SSD set?
                     if ( matchCount >= ssd.getCardinality() - 1 )
                     {
                         String error = "validateSSD new role [" + role.getName() + "] validates SSD Set Name:"
                                 + ssd.getName() + " Cardinality:" + ssd.getCardinality();
                         throw new SecurityException( GlobalErrIds.SSD_VALIDATION_FAILED, error );
                     }
                 }
             }
         }
     }

     /**
      * This method is called by AccessMgr.addActiveRole and is used to validate Dynamic Separation of Duty
      * constraints when activating a role one at a time.  For activation of multiple roles simultaneously use
      * the DSD.validate API which is used during createSession sequence.
      *
      * @param session
      * @param role
      * @throws org.apache.directory.fortress.core.SecurityException
      *
      */
     void validateDSD(Session session, Constraint role)
         throws SecurityException
     {
         // get all activated roles from user's session:
         List<UserRole> rls = session.getRoles();
         if (CollectionUtils.isEmpty( rls ))
         {
             // An empty list of roles was passed in the session variable.
             // No need to continue.
             return;
         }

         // get all DSD sets that contain the target role
         Set<SDSet> dsdSets = getDsdCache(role.getName(), session.getContextId());
         for (SDSet dsd : dsdSets)
         {
             // Keeps the number of matched roles to a particular DSD set.
             int matchCount = 0;

             // Contains the list of roles assigned to a particular DSD set.
             Set<String> map = dsd.getMembers();

             // iterate over every role active in session for match wth DSD members:
             for (UserRole actRole : rls)
             {
                 // is there a match found between active role in session and DSD set members?
                 if (map.contains(actRole.getName()))
                 {
                     // Yes, we found a match, increment the count.
                     matchCount++;

                     // Does the match count exceed the cardinality allowed for this particular DSD set?
                     if (matchCount >= dsd.getCardinality() - 1)
                     {
                         // Yes, the target role violates DSD cardinality rule.
                         String error = "validateDSD failed for role [" + role.getName() + "] DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                         throw new SecurityException(GlobalErrIds.DSD_VALIDATION_FAILED, error);
                     }
                 }
                 else // Check the parents of activated role for DSD match:
                 {
                     // Now pull the activated role's list of parents.
                     Set<String> parentSet = RoleUtil.getInstance().getAscendants(actRole.getName(), session.getContextId());

                     // Iterate over the list of parent roles:
                     for (String parentRole : parentSet)
                     {
                         if (map.contains(parentRole)) // is there match between parent and DSD member?
                         {
                             matchCount++;
                             if (matchCount >= dsd.getCardinality() - 1) // Does the counter exceed max per cardinality on this DSD set?
                             {
                                 String error = "validateDSD failed for role [" + role.getName() + "] parent role [" + parentRole + "] DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
                                 throw new SecurityException(GlobalErrIds.DSD_VALIDATION_FAILED, error);
                             }
                             // Breaking out of the loop here means the DSD algorithm will only match one
                             // role per parent of active role candidate.
                             break;
                         }
                     }
                 }
             }
         }
     }

     /**
      * Given DSD entry name, clear its corresponding object values from the cache.
      *
      * @param name contains the name of object to be cleared.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.     *
      * @throws SecurityException in the event of system or rule violation.
      */
     void clearDsdCacheEntry(String name, String contextId)
     {
         Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
         Attribute<String> dsdName = m_dsdCache.getSearchAttribute(DSD_NAME);
         Query query = m_dsdCache.createQuery();
         query.includeKeys();
         query.includeValues();
         query.addCriteria(dsdName.eq(name).and(context.eq(contextId)));
         Results results = query.execute();
         for (Result result : results.all())
         {
             m_dsdCache.clear(result.getKey());
         }
     }

     /**
      * Given a role name, return the set of DSD's that have a matching member.
      *
      * @param name contains name of authorized Role used to search the cache.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return un-ordered set of matching DSD's.
      * @throws SecurityException in the event of system or rule violation.
      */
     private Set<SDSet> getDsdCache(String name, String contextId)
         throws SecurityException
     {
         contextId = getContextId(contextId);
         Set<SDSet> finalSet = new HashSet<>();
         Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
         Attribute<String> member = m_dsdCache.getSearchAttribute(SchemaConstants.MEMBER_AT);
         Query query = m_dsdCache.createQuery();
         query.includeKeys();
         query.includeValues();
         query.addCriteria(member.eq(name).and(context.eq(contextId)));
         Results results = query.execute();
         boolean empty = false;
         for (Result result : results.all())
         {
             DsdCacheEntry entry = (DsdCacheEntry) result.getValue();
             if (!entry.isEmpty())
             {
                 finalSet.add(entry.getSdSet());
                 finalSet = putDsdCache(name, contextId);
             }
             else
             {
                 empty = true;
             }
             finalSet.add(entry.getSdSet());
         }
         // If nothing was found in the cache, determine if it needs to be seeded:
         if (finalSet.size() == 0 && !empty)
         {
             finalSet = putDsdCache(name, contextId);
         }
         return finalSet;
     }

     /**
      * Given a Set of authorized Roles, return the set of DSD's that have matching members.
      *
      * @param authorizedRoleSet contains an un-order Set of authorized Roles.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return un-ordered set of matching DSD's.
      * @throws SecurityException in the event of system or rule violation.
      */
     Set<SDSet> getDsdCache(Set<String> authorizedRoleSet, String contextId)
         throws SecurityException
     {
         contextId = getContextId(contextId);
         Set<SDSet> dsdRetSets = new HashSet<>();
         // Need to proceed?
         if (!CollectionUtils.isNotEmpty( authorizedRoleSet ))
         {
             return dsdRetSets;
         }
         // Was the DSD Cache switched off?
         boolean isCacheDisabled = Config.getInstance().getBoolean(IS_DSD_CACHE_DISABLED_PARM, false);
         // If so, get DSD's from LDAP:
         if (isCacheDisabled)
         {
             SDSet sdSet = new SDSet();
             sdSet.setType(SDSet.SDType.DYNAMIC);
             sdSet.setContextId(contextId);
             dsdRetSets = sp.search(authorizedRoleSet, sdSet);
         }
         // Search the DSD cache for matching Role members:
         else
         {
             // Search on roleName attribute which maps to 'member' attr on the cache record:
             Attribute<String> member = m_dsdCache.getSearchAttribute(SchemaConstants.MEMBER_AT);
             Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
             Query query = m_dsdCache.createQuery();
             query.includeKeys();
             query.includeValues();
             // Add the passed in authorized Role names to this cache query:
             Set<String> roles = new HashSet<>(authorizedRoleSet);
             query.addCriteria(member.in(roles).and(context.eq(contextId)));
             // Return all DSD cache entries that match roleName to the 'member' attribute in cache entry:
             Results results = query.execute();
             for (Result result : results.all())
             {
                 DsdCacheEntry entry = (DsdCacheEntry) result.getValue();
                 // Do not add dummy DSD sets to the final list:
                 if (!entry.isEmpty())
                 {
                     dsdRetSets.add(entry.getSdSet());
                 }
                 // Remove role member from authorizedRoleSet to preclude from upcoming DSD search:
                 //authorizedRoleSet.remove(entry.getMember());
             }
             // Authorized roles remaining in this set correspond to missed cache hits from above:
             if (authorizedRoleSet.size() > 0)
             {
                 dsdRetSets = putDsdCache(authorizedRoleSet, contextId);
             }
         }
         return dsdRetSets;
     }

     /**
      * Get the matching DSD's from directory and add to the cache (if found).  If matching DSD not found,
      * add dummy entry to cache to prevent repeated searches.
      *
      * @param authorizedRoleSet contains set of Roles used to search directory for matching DSD's.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return List of DSD's who have matching Role members.
      * @throws SecurityException in the event of system or rule violation.
      */
     private Set<SDSet> putDsdCache(Set<String> authorizedRoleSet, String contextId)
         throws SecurityException
     {
         contextId = getContextId(contextId);
         Set<SDSet> dsdSets = new HashSet<>();
         // Search the DSD's iteratively to seed the DSD cache by Role name:
         for (String roleName : authorizedRoleSet)
         {
             Role role = new Role(roleName);
             role.setContextId(contextId);
             List<SDSet> dsdList = sp.search(role, SDSet.SDType.DYNAMIC);
             if (CollectionUtils.isNotEmpty( dsdList ))
             {
                 for (SDSet dsd : dsdList)
                 {
                     dsd.setContextId(contextId);
                     Set<String> members = dsd.getMembers();
                     if (members != null)
                     {
                         // Seed the cache with DSD objects mapped to role name:
                         for (String member : members)
                         {
                             String key = buildKey(dsd.getName(), member);
                             DsdCacheEntry entry = new DsdCacheEntry(member, dsd, false);
                             entry.setName(dsd.getName());
                             m_dsdCache.put(getKey(key, contextId), entry);
                         }
                     }
                 }
                 // Maintain the set of DSD's to be returned to the caller:
                 dsdSets.addAll(dsdList);
             }
             else
             {
                 // Seed the cache with dummy entry for a Role that is not referenced by DSD:
                 String key = buildKey(EMPTY_ELEMENT, roleName);
                 SDSet sdSet = new SDSet();
                 sdSet.setType(SDSet.SDType.DYNAMIC);
                 sdSet.setName(key);
                 sdSet.setMember(roleName);
                 sdSet.setContextId(contextId);
                 DsdCacheEntry entry = new DsdCacheEntry(roleName, sdSet, true);
                 entry.setName(key);
                 m_dsdCache.put(getKey(sdSet.getName(), contextId), entry);
             }
         }
         return dsdSets;
     }

     /**
      * Get the matching DSD's from directory and add to the cache (if found).  If matching DSD not found,
      * add dummy entry to cache to prevent repeated searches.
      *
      * @param roleName of Role is used to search directory for matching DSD's.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return Set of DSD's who have matching Role member.
      * @throws SecurityException in the event of system or rule violation.
      */
     private Set<SDSet> putDsdCache(String roleName, String contextId)
         throws SecurityException
     {
         contextId = getContextId(contextId);
         Role role = new Role(roleName);
         role.setContextId(contextId);
         List<SDSet> dsdList = sp.search(role, SDSet.SDType.DYNAMIC);
         Set<SDSet> finalSet = new HashSet<>(dsdList);
         if ( CollectionUtils.isNotEmpty( dsdList ))
         {
             for (SDSet dsd : dsdList)
             {
                 dsd.setContextId(contextId);
                 Set<String> members = dsd.getMembers();
                 if (members != null)
                 {
                     // Seed the cache with DSD objects mapped to role name:
                     for (String member : members)
                     {
                         String key = buildKey(dsd.getName(), member);
                         DsdCacheEntry entry = new DsdCacheEntry(member, dsd, false);
                         entry.setName(dsd.getName());
                         m_dsdCache.put(getKey(key, contextId), entry);
                     }
                 }
             }
         }
         else
         {
             // Seed the cache with dummy entry for Role that does not have DSD:
             String key = buildKey(EMPTY_ELEMENT, roleName);
             SDSet sdSet = new SDSet();
             sdSet.setType(SDSet.SDType.DYNAMIC);
             sdSet.setName(key);
             sdSet.setMember(roleName);
             sdSet.setContextId(contextId);
             DsdCacheEntry entry = new DsdCacheEntry(roleName, sdSet, true);
             entry.setName(key);
             m_dsdCache.put(getKey(sdSet.getName(), contextId), entry);
         }
         return finalSet;
     }

     /**
      * Given entry name, clear its corresponding object value from the cache.
      *
      * @param name contains the name of object to be cleared.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @throws SecurityException in the event of system or rule violation.
      */
     void clearSsdCacheEntry(String name, String contextId)
     {
         contextId = getContextId(contextId);
         m_ssdCache.clear(getKey(name, contextId));
     }

     /**
      * Get the matching SSD's from directory and add to the cache (if found).
      *
      * @param name of Role is used to search directory for matching SSD's.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return List of SSD's who have matching Role member.
      * @throws SecurityException in the event of system or rule violation.
      */
     private List<SDSet> putSsdCache(String name, String contextId)
         throws SecurityException
     {
         Role role = new Role(name);
         role.setContextId(contextId);
         List<SDSet> ssdSets = sp.search(role, SDSet.SDType.STATIC);
         m_ssdCache.put(getKey(name, contextId), ssdSets);
         return ssdSets;
     }

     /**
      * Look in cache for matching List of SSD's.
      *
      * @param name of Role is used to search directory for matching SSD's.
      * @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
      * @return List of SSD's who have matching Role member.
      * @throws SecurityException in the event of system or rule violation.
      */
     private List<SDSet> getSsdCache(String name, String contextId)
         throws SecurityException
     {
         List<SDSet> ssdSets = (List<SDSet>) m_ssdCache.get(getKey(name, contextId));
         if (ssdSets == null)
         {
             ssdSets = putSsdCache(name, contextId);
         }
         return ssdSets;
     }

     /**
      *
      * @param parm1
      * @param parm2
      * @return
      */
     private static String buildKey(String parm1, String parm2)
     {
         return parm1 + ":" + parm2;
     }

     /**
      *
      * @param name
      * @param contextId
      * @return
      */
     private static String getKey(String name, String contextId)
     {
         contextId = getContextId(contextId);
         return name += ":" + contextId;
     }

     /**
      *
      * @param contextId
      * @return
      */
     private static String getContextId(String contextId)
     {
         String szContextId = GlobalIds.HOME;
         if( StringUtils.isNotEmpty( contextId ) && !contextId.equals(GlobalIds.NULL))
         {
             szContextId = contextId;
         }
         return szContextId;
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*/
	package org.apache.directory.fortress.core.impl;

	import java.util.HashSet;
	import java.util.List;
	import java.util.Set;

	import net.sf.ehcache.search.Attribute;
	import net.sf.ehcache.search.Query;
	import net.sf.ehcache.search.Result;
	import net.sf.ehcache.search.Results;

	import org.apache.commons.collections.CollectionUtils;
	import org.apache.commons.lang.StringUtils;
	import org.apache.directory.api.ldap.model.constants.SchemaConstants;
	import org.apache.directory.fortress.core.*;
	import org.apache.directory.fortress.core.SecurityException;
	import org.apache.directory.fortress.core.model.*;
	import org.apache.directory.fortress.core.util.Config;
	import org.apache.directory.fortress.core.util.cache.Cache;
	import org.apache.directory.fortress.core.util.cache.CacheMgr;
	import org.apache.directory.fortress.core.util.cache.DsdCacheEntry;

	/**
	* This utilty provides functionality necessary for SSD and DSD processing and cannot be called by components outside fortress.
	* This class also contains utility functions for maintaining the SSD and DSD cache.
	* <p>
	* This class is thread safe.
	*
	* @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
	* @created September 3, 2010
	*/
	final class SDUtil
	{
	private Cache m_dsdCache;
	private static final String FORTRESS_DSDS = "fortress.dsd";
	private Cache m_ssdCache;
	private static final String FORTRESS_SSDS = "fortress.ssd";
	private SdP sp;
	private static final String IS_DSD_CACHE_DISABLED_PARM = "enable.dsd.cache";
	private static final String DSD_NAME = "name";
	private static final String EMPTY_ELEMENT = "empty";
	private static final String CONTEXT_ID = "contextId";

	private static volatile SDUtil sINSTANCE = null;

	static SDUtil getInstance()
	{
	if(sINSTANCE == null)
	{
	synchronized (SDUtil.class)
	{
	if(sINSTANCE == null)
	{
	sINSTANCE = new SDUtil();
	}
	}
	}
	return sINSTANCE;
	}

	private void init()
	{
	sp = new SdP();

	// Get a reference to the CacheManager Singleton object:
	CacheMgr cacheMgr = CacheMgr.getInstance();
	// This cache contains a wrapper entry for DSD and is searchable by both DSD and Role name:
	m_dsdCache = cacheMgr.getCache(FORTRESS_DSDS);
	// This cache is not searchable and contains Lists of SSD objects by Role:
	m_ssdCache = cacheMgr.getCache(FORTRESS_SSDS);
	}

	/**
	* Private constructor
	*
	*/
	private SDUtil()
	{
	init();
	}

	/**
	* This method is called by AdminMgr.assignUser and is used to validate Static Separation of Duty
	* constraints when assigning a role to user.
	*
	* @param uRole
	* @throws org.apache.directory.fortress.core.SecurityException
	*
	*/
	void validateSSD(UserRole uRole)
	throws SecurityException
	{
	validateSSD(new User(uRole.getUserId()), new Role(uRole.getName()));
	}

	/**
	* This method is called by AdminMgr.assignUser and is used to validate Static Separation of Duty
	* constraints when assigning a role to user.
	*
	* @param user
	* @param role
	* @throws org.apache.directory.fortress.core.SecurityException
	*
	*/
	void validateSSD(User user, Role role)
	throws SecurityException
	{
	// get all authorized roles for user
	String contextId = user.getContextId();
	ReviewMgr rMgr = ReviewMgrFactory.createInstance( contextId );
	Set<String> rls = rMgr.authorizedRoles( user );

	checkSSD( role, rls, contextId);
	}

	/**
	* This method is called by GroupMgr.assign and is used to validate Static Separation of Duty
	* constraints when assigning a role to group.
	*
	* @param group
	* @param role
	* @throws org.apache.directory.fortress.core.SecurityException
	*
	*/
	void validateSSD( Group group, Role role ) throws SecurityException
	{
	// get all authorized roles for this group
	String contextId = group.getContextId();
	GroupMgr groupMgr = GroupMgrFactory.createInstance(contextId);
	List<UserRole> roles = groupMgr.groupRoles( group );
	Set<String> rls = RoleUtil.getInstance().getInheritedRoles( roles, contextId);
	// check SSD constraints
	checkSSD( role, rls, contextId);
	}

	private void checkSSD( Role role, Set<String> authorizedRls, String contextId ) throws SecurityException
	{
	int matchCount;
	// Need to proceed?
	if (CollectionUtils.isEmpty( authorizedRls ))
	{
	return;
	}

	// get all SSD sets that contain the new role
	List<SDSet> ssdSets = getSsdCache( role.getName(), contextId );
	for ( SDSet ssd : ssdSets )
	{
	matchCount = 0;
	Set<String> map = ssd.getMembers();
	// iterate over every authorized role for user/group:
	for ( String authRole : authorizedRls )
	{
	// is there a match found between authorized role and SSD set's members?
	if ( map.contains( authRole ) )
	{
	matchCount++;
	// does the match count exceed the cardinality allowed for this particular SSD set?
	if ( matchCount >= ssd.getCardinality() - 1 )
	{
	String error = "validateSSD new role [" + role.getName() + "] validates SSD Set Name:"
	+ ssd.getName() + " Cardinality:" + ssd.getCardinality();
	throw new SecurityException( GlobalErrIds.SSD_VALIDATION_FAILED, error );
	}
	}
	}
	}
	}

	/**
	* This method is called by AccessMgr.addActiveRole and is used to validate Dynamic Separation of Duty
	* constraints when activating a role one at a time. For activation of multiple roles simultaneously use
	* the DSD.validate API which is used during createSession sequence.
	*
	* @param session
	* @param role
	* @throws org.apache.directory.fortress.core.SecurityException
	*
	*/
	void validateDSD(Session session, Constraint role)
	throws SecurityException
	{
	// get all activated roles from user's session:
	List<UserRole> rls = session.getRoles();
	if (CollectionUtils.isEmpty( rls ))
	{
	// An empty list of roles was passed in the session variable.
	// No need to continue.
	return;
	}

	// get all DSD sets that contain the target role
	Set<SDSet> dsdSets = getDsdCache(role.getName(), session.getContextId());
	for (SDSet dsd : dsdSets)
	{
	// Keeps the number of matched roles to a particular DSD set.
	int matchCount = 0;

	// Contains the list of roles assigned to a particular DSD set.
	Set<String> map = dsd.getMembers();

	// iterate over every role active in session for match wth DSD members:
	for (UserRole actRole : rls)
	{
	// is there a match found between active role in session and DSD set members?
	if (map.contains(actRole.getName()))
	{
	// Yes, we found a match, increment the count.
	matchCount++;

	// Does the match count exceed the cardinality allowed for this particular DSD set?
	if (matchCount >= dsd.getCardinality() - 1)
	{
	// Yes, the target role violates DSD cardinality rule.
	String error = "validateDSD failed for role [" + role.getName() + "] DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
	throw new SecurityException(GlobalErrIds.DSD_VALIDATION_FAILED, error);
	}
	}
	else // Check the parents of activated role for DSD match:
	{
	// Now pull the activated role's list of parents.
	Set<String> parentSet = RoleUtil.getInstance().getAscendants(actRole.getName(), session.getContextId());

	// Iterate over the list of parent roles:
	for (String parentRole : parentSet)
	{
	if (map.contains(parentRole)) // is there match between parent and DSD member?
	{
	matchCount++;
	if (matchCount >= dsd.getCardinality() - 1) // Does the counter exceed max per cardinality on this DSD set?
	{
	String error = "validateDSD failed for role [" + role.getName() + "] parent role [" + parentRole + "] DSD Set Name:" + dsd.getName() + " Cardinality:" + dsd.getCardinality();
	throw new SecurityException(GlobalErrIds.DSD_VALIDATION_FAILED, error);
	}
	// Breaking out of the loop here means the DSD algorithm will only match one
	// role per parent of active role candidate.
	break;
	}
	}
	}
	}
	}
	}

	/**
	* Given DSD entry name, clear its corresponding object values from the cache.
	*
	* @param name contains the name of object to be cleared.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com. *
	* @throws SecurityException in the event of system or rule violation.
	*/
	void clearDsdCacheEntry(String name, String contextId)
	{
	Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
	Attribute<String> dsdName = m_dsdCache.getSearchAttribute(DSD_NAME);
	Query query = m_dsdCache.createQuery();
	query.includeKeys();
	query.includeValues();
	query.addCriteria(dsdName.eq(name).and(context.eq(contextId)));
	Results results = query.execute();
	for (Result result : results.all())
	{
	m_dsdCache.clear(result.getKey());
	}
	}

	/**
	* Given a role name, return the set of DSD's that have a matching member.
	*
	* @param name contains name of authorized Role used to search the cache.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return un-ordered set of matching DSD's.
	* @throws SecurityException in the event of system or rule violation.
	*/
	private Set<SDSet> getDsdCache(String name, String contextId)
	throws SecurityException
	{
	contextId = getContextId(contextId);
	Set<SDSet> finalSet = new HashSet<>();
	Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
	Attribute<String> member = m_dsdCache.getSearchAttribute(SchemaConstants.MEMBER_AT);
	Query query = m_dsdCache.createQuery();
	query.includeKeys();
	query.includeValues();
	query.addCriteria(member.eq(name).and(context.eq(contextId)));
	Results results = query.execute();
	boolean empty = false;
	for (Result result : results.all())
	{
	DsdCacheEntry entry = (DsdCacheEntry) result.getValue();
	if (!entry.isEmpty())
	{
	finalSet.add(entry.getSdSet());
	finalSet = putDsdCache(name, contextId);
	}
	else
	{
	empty = true;
	}
	finalSet.add(entry.getSdSet());
	}
	// If nothing was found in the cache, determine if it needs to be seeded:
	if (finalSet.size() == 0 && !empty)
	{
	finalSet = putDsdCache(name, contextId);
	}
	return finalSet;
	}

	/**
	* Given a Set of authorized Roles, return the set of DSD's that have matching members.
	*
	* @param authorizedRoleSet contains an un-order Set of authorized Roles.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return un-ordered set of matching DSD's.
	* @throws SecurityException in the event of system or rule violation.
	*/
	Set<SDSet> getDsdCache(Set<String> authorizedRoleSet, String contextId)
	throws SecurityException
	{
	contextId = getContextId(contextId);
	Set<SDSet> dsdRetSets = new HashSet<>();
	// Need to proceed?
	if (!CollectionUtils.isNotEmpty( authorizedRoleSet ))
	{
	return dsdRetSets;
	}
	// Was the DSD Cache switched off?
	boolean isCacheDisabled = Config.getInstance().getBoolean(IS_DSD_CACHE_DISABLED_PARM, false);
	// If so, get DSD's from LDAP:
	if (isCacheDisabled)
	{
	SDSet sdSet = new SDSet();
	sdSet.setType(SDSet.SDType.DYNAMIC);
	sdSet.setContextId(contextId);
	dsdRetSets = sp.search(authorizedRoleSet, sdSet);
	}
	// Search the DSD cache for matching Role members:
	else
	{
	// Search on roleName attribute which maps to 'member' attr on the cache record:
	Attribute<String> member = m_dsdCache.getSearchAttribute(SchemaConstants.MEMBER_AT);
	Attribute<String> context = m_dsdCache.getSearchAttribute(CONTEXT_ID);
	Query query = m_dsdCache.createQuery();
	query.includeKeys();
	query.includeValues();
	// Add the passed in authorized Role names to this cache query:
	Set<String> roles = new HashSet<>(authorizedRoleSet);
	query.addCriteria(member.in(roles).and(context.eq(contextId)));
	// Return all DSD cache entries that match roleName to the 'member' attribute in cache entry:
	Results results = query.execute();
	for (Result result : results.all())
	{
	DsdCacheEntry entry = (DsdCacheEntry) result.getValue();
	// Do not add dummy DSD sets to the final list:
	if (!entry.isEmpty())
	{
	dsdRetSets.add(entry.getSdSet());
	}
	// Remove role member from authorizedRoleSet to preclude from upcoming DSD search:
	//authorizedRoleSet.remove(entry.getMember());
	}
	// Authorized roles remaining in this set correspond to missed cache hits from above:
	if (authorizedRoleSet.size() > 0)
	{
	dsdRetSets = putDsdCache(authorizedRoleSet, contextId);
	}
	}
	return dsdRetSets;
	}

	/**
	* Get the matching DSD's from directory and add to the cache (if found). If matching DSD not found,
	* add dummy entry to cache to prevent repeated searches.
	*
	* @param authorizedRoleSet contains set of Roles used to search directory for matching DSD's.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return List of DSD's who have matching Role members.
	* @throws SecurityException in the event of system or rule violation.
	*/
	private Set<SDSet> putDsdCache(Set<String> authorizedRoleSet, String contextId)
	throws SecurityException
	{
	contextId = getContextId(contextId);
	Set<SDSet> dsdSets = new HashSet<>();
	// Search the DSD's iteratively to seed the DSD cache by Role name:
	for (String roleName : authorizedRoleSet)
	{
	Role role = new Role(roleName);
	role.setContextId(contextId);
	List<SDSet> dsdList = sp.search(role, SDSet.SDType.DYNAMIC);
	if (CollectionUtils.isNotEmpty( dsdList ))
	{
	for (SDSet dsd : dsdList)
	{
	dsd.setContextId(contextId);
	Set<String> members = dsd.getMembers();
	if (members != null)
	{
	// Seed the cache with DSD objects mapped to role name:
	for (String member : members)
	{
	String key = buildKey(dsd.getName(), member);
	DsdCacheEntry entry = new DsdCacheEntry(member, dsd, false);
	entry.setName(dsd.getName());
	m_dsdCache.put(getKey(key, contextId), entry);
	}
	}
	}
	// Maintain the set of DSD's to be returned to the caller:
	dsdSets.addAll(dsdList);
	}
	else
	{
	// Seed the cache with dummy entry for a Role that is not referenced by DSD:
	String key = buildKey(EMPTY_ELEMENT, roleName);
	SDSet sdSet = new SDSet();
	sdSet.setType(SDSet.SDType.DYNAMIC);
	sdSet.setName(key);
	sdSet.setMember(roleName);
	sdSet.setContextId(contextId);
	DsdCacheEntry entry = new DsdCacheEntry(roleName, sdSet, true);
	entry.setName(key);
	m_dsdCache.put(getKey(sdSet.getName(), contextId), entry);
	}
	}
	return dsdSets;
	}

	/**
	* Get the matching DSD's from directory and add to the cache (if found). If matching DSD not found,
	* add dummy entry to cache to prevent repeated searches.
	*
	* @param roleName of Role is used to search directory for matching DSD's.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return Set of DSD's who have matching Role member.
	* @throws SecurityException in the event of system or rule violation.
	*/
	private Set<SDSet> putDsdCache(String roleName, String contextId)
	throws SecurityException
	{
	contextId = getContextId(contextId);
	Role role = new Role(roleName);
	role.setContextId(contextId);
	List<SDSet> dsdList = sp.search(role, SDSet.SDType.DYNAMIC);
	Set<SDSet> finalSet = new HashSet<>(dsdList);
	if ( CollectionUtils.isNotEmpty( dsdList ))
	{
	for (SDSet dsd : dsdList)
	{
	dsd.setContextId(contextId);
	Set<String> members = dsd.getMembers();
	if (members != null)
	{
	// Seed the cache with DSD objects mapped to role name:
	for (String member : members)
	{
	String key = buildKey(dsd.getName(), member);
	DsdCacheEntry entry = new DsdCacheEntry(member, dsd, false);
	entry.setName(dsd.getName());
	m_dsdCache.put(getKey(key, contextId), entry);
	}
	}
	}
	}
	else
	{
	// Seed the cache with dummy entry for Role that does not have DSD:
	String key = buildKey(EMPTY_ELEMENT, roleName);
	SDSet sdSet = new SDSet();
	sdSet.setType(SDSet.SDType.DYNAMIC);
	sdSet.setName(key);
	sdSet.setMember(roleName);
	sdSet.setContextId(contextId);
	DsdCacheEntry entry = new DsdCacheEntry(roleName, sdSet, true);
	entry.setName(key);
	m_dsdCache.put(getKey(sdSet.getName(), contextId), entry);
	}
	return finalSet;
	}

	/**
	* Given entry name, clear its corresponding object value from the cache.
	*
	* @param name contains the name of object to be cleared.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @throws SecurityException in the event of system or rule violation.
	*/
	void clearSsdCacheEntry(String name, String contextId)
	{
	contextId = getContextId(contextId);
	m_ssdCache.clear(getKey(name, contextId));
	}

	/**
	* Get the matching SSD's from directory and add to the cache (if found).
	*
	* @param name of Role is used to search directory for matching SSD's.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return List of SSD's who have matching Role member.
	* @throws SecurityException in the event of system or rule violation.
	*/
	private List<SDSet> putSsdCache(String name, String contextId)
	throws SecurityException
	{
	Role role = new Role(name);
	role.setContextId(contextId);
	List<SDSet> ssdSets = sp.search(role, SDSet.SDType.STATIC);
	m_ssdCache.put(getKey(name, contextId), ssdSets);
	return ssdSets;
	}

	/**
	* Look in cache for matching List of SSD's.
	*
	* @param name of Role is used to search directory for matching SSD's.
	* @param contextId maps to sub-tree in DIT, e.g. ou=contextId, dc=example, dc=com.
	* @return List of SSD's who have matching Role member.
	* @throws SecurityException in the event of system or rule violation.
	*/
	private List<SDSet> getSsdCache(String name, String contextId)
	throws SecurityException
	{
	List<SDSet> ssdSets = (List<SDSet>) m_ssdCache.get(getKey(name, contextId));
	if (ssdSets == null)
	{
	ssdSets = putSsdCache(name, contextId);
	}
	return ssdSets;
	}

	/**
	*
	* @param parm1
	* @param parm2
	* @return
	*/
	private static String buildKey(String parm1, String parm2)
	{
	return parm1 + ":" + parm2;
	}

	/**
	*
	* @param name
	* @param contextId
	* @return
	*/
	private static String getKey(String name, String contextId)
	{
	contextId = getContextId(contextId);
	return name += ":" + contextId;
	}

	/**
	*
	* @param contextId
	* @return
	*/
	private static String getContextId(String contextId)
	{
	String szContextId = GlobalIds.HOME;
	if( StringUtils.isNotEmpty( contextId ) && !contextId.equals(GlobalIds.NULL))
	{
	szContextId = contextId;
	}
	return szContextId;
	}
	}