example rule and changes

ca749b04 · michael.simon · 3de32de1 · ca749b04 · ca749b04
Commit ca749b04 authored Oct 27, 2015 by michael.simon
--- a/bwreg-service/src/main/java/edu/kit/scc/webreg/drools/impl/KnowledgeSessionServiceImpl.java
+++ b/bwreg-service/src/main/java/edu/kit/scc/webreg/drools/impl/KnowledgeSessionServiceImpl.java
@@ -131,7 +131,8 @@ public class KnowledgeSessionServiceImpl implements KnowledgeSessionService {
 		List<Object> objectList = new ArrayList<Object>(ksession.getObjects());

 		for (Object o : objectList) {
-			logger.debug("Deleting fact handle for Object {}", o);
+			if (logger.isTraceEnabled())
+				logger.trace("Deleting fact handle for Object {}", o);
 			FactHandle factHandle = ksession.getFactHandle(o);
 			if (factHandle != null)
 				ksession.delete(factHandle);
@@ -149,6 +150,8 @@ public class KnowledgeSessionServiceImpl implements KnowledgeSessionService {
 			Set<GroupEntity> groups, Set<RoleEntity> roles) 
 			throws MisconfiguredServiceException {
 		
+		user = userDao.merge(user);
+
 		KieSession ksession = getStatefulSession(unitId);

 		if (ksession == null)
@@ -242,7 +245,8 @@ public class KnowledgeSessionServiceImpl implements KnowledgeSessionService {
 		List<Object> objectList = new ArrayList<Object>(ksession.getObjects());

 		for (Object o : objectList) {
-			logger.debug("Deleting fact handle for Object {}", o);
+			if (logger.isTraceEnabled())
+				logger.trace("Deleting fact handle for Object {}", o);
 			FactHandle factHandle = ksession.getFactHandle(o);
 			if (factHandle != null)
 				ksession.delete(factHandle);

--- a/rules/service-filter.drl
+++ b/rules/service-filter.drl
@@ -4,28 +4,102 @@ import edu.kit.scc.webreg.entity.UserEntity;
 import edu.kit.scc.webreg.entity.GroupEntity;
 import edu.kit.scc.webreg.entity.LocalGroupEntity;
 import edu.kit.scc.webreg.entity.ServiceEntity;
+import edu.kit.scc.webreg.entity.SamlIdpMetadataEntity;

 global org.slf4j.Logger logger;

-rule "Filter test"
+rule "FH1 Filter"
+
+    when
+        $user : UserEntity()
+        $service : ServiceEntity( shortName == "fh1" )
+        $group : LocalGroupEntity( name == "fh1-access" )
+    then
+    	logger.debug( "allow user {} for service {}, because of membership in group {}", $user.getEppn(), $service.getName(), $group.getName() );
+    	retract( $service );
+
+end
+
+rule "UC1 Filter"

    when
-        $user : UserEntity( eppn == "ugcne@student.kit.edu" )
+        $user : UserEntity( ( idp.getEntityCategoryList() contains "http://aai.dfn.de/category/bwidm-member" )
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.de/entitlement/bwUniCluster(;|$).*" ) )
+        $service : ServiceEntity( shortName == "uc1" )
+    then
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
+    	retract( $service );
+
+end
+
+rule "UCB Filter"
+
+    when
+        $user : UserEntity( ( idp.getEntityCategoryList() contains "http://aai.dfn.de/category/bwidm-member" )
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.de/entitlement/bwUniClusterTest(;|$).*" ) )
        $service : ServiceEntity( shortName == "ucb" )
    then
-    	logger.debug( "allow user {} for service {}", $user.getEppn(), $service.getName() );
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
    	retract( $service );

 end

-rule "FH1 Filter"
+rule "HC3 Filter"

    when
-        $user : UserEntity()
-        $service : ServiceEntity( shortName == "fh1" )
-        $group : LocalGroupEntity( name == "fh1-access" )
+        $user : UserEntity( ( idp.entityId == "https://idp.scc.kit.edu/idp/shibboleth" ) 
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.scc.kit.edu/entitlement/hc3(;|$).*" ) )
+        $service : ServiceEntity( shortName == "hc3" )
    then
-    	logger.debug( "allow user {} for service {}, because of membership in group {}", $user.getEppn(), $service.getName(), $group.getName() );
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
+    	retract( $service );
+
+end
+
+rule "HCD Filter"
+
+    when
+        $user : UserEntity( ( idp.entityId == "https://idp.scc.kit.edu/idp/shibboleth" ) 
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.scc.kit.edu/entitlement/hcd(;|$).*" ) )
+        $service : ServiceEntity( shortName == "hcd" )
+    then
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
+    	retract( $service );
+
+end
+
+rule "IC2 Filter"
+
+    when
+        $user : UserEntity( ( idp.entityId == "https://idp.scc.kit.edu/idp/shibboleth" ) 
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.scc.kit.edu/entitlement/ic2(;|$).*" ) )
+        $service : ServiceEntity( shortName == "ic2" )
+    then
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
+    	retract( $service );
+
+end
+
+rule "ICC Filter"
+
+    when
+        $user : UserEntity( ( idp.entityId == "https://idp.scc.kit.edu/idp/shibboleth" ) 
+        	&& 
+        	( attributeStore["urn:oid:1.3.6.1.4.1.5923.1.1.1.7"] 
+        		matches ".*(^|;)http://bwidm.scc.kit.edu/entitlement/icc(;|$).*" ) )
+        $service : ServiceEntity( shortName == "icc" )
+    then
+    	logger.debug( "allow user {} for service {}, because of entitlement", $user.getEppn(), $service.getName() );
    	retract( $service );

 end