/**
 * Creates the two test groups in the root realm before any test in this class runs.
 *
 * @throws Exception if the admin token cannot be obtained or a group cannot be created.
 */
@BeforeClass
 public void setup() throws Exception {
   // Admin token is obtained under doPrivileged so the repository calls run as administrator.
   SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
   AMIdentityRepository rootRepo = new AMIdentityRepository(token, "/");
   group1 = rootRepo.createIdentity(IdType.GROUP, GROUP_NAME1, Collections.EMPTY_MAP);
   group2 = rootRepo.createIdentity(IdType.GROUP, GROUP_NAME2, Collections.EMPTY_MAP);
 }
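  /**
   * Deletes the user {@code uid} in {@code realm} through the {@code delete-identities} CLI
   * sub-command and verifies that a subsequent user search no longer finds it.
   *
   * @param realm Realm in which the user lives.
   * @param uid Name of the user to delete.
   * @throws CLIException if the CLI request cannot be serviced.
   * @throws IdRepoException if the verification search fails.
   * @throws SSOException if the admin token is invalid.
   */
  @Parameters({"realm", "uid"})
  @AfterTest(groups = {"cli-idrepo", "delete-identities"})
  public void deleteIdentity(String realm, String uid)
      throws CLIException, IdRepoException, SSOException {
    String[] param = {realm, uid};
    // Trace labels must name this method; the original used "deleteRealm"/"deleteIdentities",
    // which made the entering/exiting trace lines impossible to match up.
    entering("deleteIdentity", param);
    String[] args = {
      "delete-identities",
      CLIConstants.PREFIX_ARGUMENT_LONG + IArgument.REALM_NAME,
      realm,
      CLIConstants.PREFIX_ARGUMENT_LONG + IdentityCommand.ARGUMENT_ID_TYPE,
      "User",
      CLIConstants.PREFIX_ARGUMENT_LONG + IdentityCommand.ARGUMENT_ID_NAMES,
      uid
    };

    SSOToken adminSSOToken = getAdminSSOToken();
    CLIRequest req = new CLIRequest(null, args, adminSSOToken);
    cmdManager.addToRequestQueue(req);
    cmdManager.serviceRequestQueue();

    // Verify the deletion took effect: a search by exact name must come back empty.
    AMIdentityRepository amir = new AMIdentityRepository(adminSSOToken, realm);
    IdSearchControl isCtl = new IdSearchControl();
    IdSearchResults isr = amir.searchIdentities(IdType.USER, uid, isCtl);
    Set results = isr.getSearchResults();
    assert (results.isEmpty());
    exiting("deleteIdentity");
  }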
 /**
  * Removes the dummy role {@code DUMMY_ROLE} from {@code realm} using the admin token.
  *
  * @param realm Realm that holds the dummy role.
  * @throws IdRepoException if the repository refuses the deletion.
  * @throws SSOException if the admin token is invalid.
  */
 private void deleteDummyRole(String realm) throws IdRepoException, SSOException {
   SSOToken token = getAdminSSOToken();
   // deleteIdentities takes a set, so wrap the single role handle before calling it.
   Set<AMIdentity> toDelete = new HashSet<AMIdentity>(2);
   toDelete.add(new AMIdentity(token, DUMMY_ROLE, IdType.ROLE, realm, null));
   new AMIdentityRepository(token, realm).deleteIdentities(toDelete);
 }
 /**
  * Deletes the two groups created by {@code setup()} from the root realm after all tests ran.
  *
  * @throws Exception if the admin token cannot be obtained or the deletion fails.
  */
 @AfterClass
 public void cleanup() throws Exception {
   SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
   // Both groups are removed in one repository call.
   Set<AMIdentity> groups = new HashSet<AMIdentity>();
   groups.add(group1);
   groups.add(group2);
   new AMIdentityRepository(token, "/").deleteIdentities(groups);
 }
 /**
  * Adds the services assignable to the realm identity of {@code realmName} to {@code names}.
  *
  * <p>Best effort: an administrator (e.g. a policy administrator) may legitimately lack access
  * to the identity repository, in which case the failure is logged as a warning and
  * {@code names} is left untouched.
  *
  * @param realmName Realm whose assignable services are collected.
  * @param names Set that receives the service names.
  */
 private void addIdentityUnassignedServices(String realmName, Set names) {
   try {
     AMIdentity realmIdentity =
         new AMIdentityRepository(getUserSSOToken(), realmName).getRealmIdentity();
     names.addAll(realmIdentity.getAssignableServices());
   } catch (IdRepoException ex) {
     // Lack of repository access is acceptable here; see class comment above.
     debug.warning("ServicesModelImpl.addIdentityUnassignedServices", ex);
   } catch (SSOException ex) {
     debug.warning("ServicesModelImpl.addIdentityUnassignedServices", ex);
   }
 }
  /**
   * Services a Commandline Request: prints the services assigned to one identity.
   *
   * <p>Reads the realm, identity name and identity type options, checks that the realm's
   * repository allows the {@code SERVICE} operation for that identity type, then prints one
   * line per assigned service (or a "no service assigned" message). Attempts and outcomes are
   * written to the access log; repository or session failures go to the error log and are
   * rethrown as {@link CLIException}.
   *
   * @param rc Request Context.
   * @throws CLIException if the request cannot be serviced.
   */
  public void handleRequest(RequestContext rc) throws CLIException {
    super.handleRequest(rc);

    SSOToken token = getAdminSSOToken();
    IOutput out = getOutputWriter();
    String realm = getStringOptionValue(IArgument.REALM_NAME);
    String idName = getStringOptionValue(ARGUMENT_ID_NAME);
    String type = getStringOptionValue(ARGUMENT_ID_TYPE);
    IdType idType = convert2IdType(type);
    String[] params = {realm, type, idName};

    try {
      AMIdentityRepository repo = new AMIdentityRepository(token, realm);
      Set allowedOps = repo.getAllowedIdOperations(idType);
      if (!allowedOps.contains(IdOperation.SERVICE)) {
        String msg =
            MessageFormat.format(
                getResourceString("realm-does-not-support-service"), (Object[]) params);
        throw new CLIException(msg, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
      }

      writeLog(LogWriter.LOG_ACCESS, Level.INFO, "ATTEMPT_GET_ASSIGNED_SERVICES", params);
      AMIdentity identity = new AMIdentity(token, idName, idType, realm, null);
      Set services = identity.getAssignedServices();

      if (services == null || services.isEmpty()) {
        out.printlnMessage(getResourceString("no-service-assigned"));
      } else {
        String template = getResourceString("assigned-service-result");
        for (Object service : services) {
          Object[] arg = {(String) service};
          out.printlnMessage(MessageFormat.format(template, arg));
        }
      }
      writeLog(LogWriter.LOG_ACCESS, Level.INFO, "SUCCEED_GET_ASSIGNED_SERVICES", params);
    } catch (IdRepoException e) {
      String[] failure = {realm, type, idName, e.getMessage()};
      debugError("GetAssignedServices.handleRequest", e);
      writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_ASSIGNED_SERVICES", failure);
      throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    } catch (SSOException e) {
      String[] failure = {realm, type, idName, e.getMessage()};
      debugError("GetAssignedServices.handleRequest", e);
      writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_ASSIGNED_SERVICES", failure);
      throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    }
  }
  /**
   * Unassigns services from realm.
   *
   * <p>A blank realm name means the root realm {@code "/"}. For each name, the service is
   * unassigned from the realm identity when it is currently assigned there, otherwise from
   * the organization configuration. Every attempt and outcome is logged; the first failure
   * aborts the loop and is reported with the name of the service being processed.
   *
   * @param realmName Name of Realm.
   * @param names Names of services that are to be unassigned.
   * @throws AMConsoleException if services cannot be unassigned.
   */
  public void unassignServices(String realmName, Set names) throws AMConsoleException {
    if (names == null || names.isEmpty()) {
      return;
    }
    String realm = realmName;
    if (realm == null || realm.trim().length() == 0) {
      realm = "/";
    }

    String[] params = new String[2];
    params[0] = realm;
    // Remembered so a failure can be logged against the service that was being processed.
    String current = "";

    try {
      OrganizationConfigManager scm = new OrganizationConfigManager(getUserSSOToken(), realm);
      AMIdentityRepository repo = new AMIdentityRepository(getUserSSOToken(), realm);
      AMIdentity realmIdentity = repo.getRealmIdentity();
      Set assignedToRealm = realmIdentity.getAssignedServices();

      for (Object o : names) {
        String name = (String) o;
        current = name;
        params[1] = name;
        logEvent("ATTEMPT_UNASSIGN_SERVICE_FROM_REALM", params);

        if (assignedToRealm.contains(name)) {
          realmIdentity.unassignService(name);
        } else {
          scm.unassignService(name);
        }

        logEvent("SUCCEED_UNASSIGN_SERVICE_FROM_REALM", params);
      }
    } catch (SMSException e) {
      String err = getErrorString(e);
      logEvent("SMS_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", new String[] {realm, current, err});
      throw new AMConsoleException(err);
    } catch (SSOException e) {
      String err = getErrorString(e);
      logEvent("SSO_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", new String[] {realm, current, err});
      throw new AMConsoleException(err);
    } catch (IdRepoException e) {
      String err = getErrorString(e);
      logEvent(
          "IDREPO_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", new String[] {realm, current, err});
      throw new AMConsoleException(err);
    }
  }
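  /**
   * {@inheritDoc}
   *
   * <p>Creates a {@code USER} identity from {@code attributes}. The identity name is the first
   * value of the {@code idNameAttribute} attribute when present and non-empty, otherwise a
   * random UUID.
   *
   * <p>An {@link IdRepoException} carrying LDAP result code 68 (entryAlreadyExists), or no LDAP
   * result code at all, is tolerated and makes this method return {@code null}; any other
   * repository failure, and any {@link SSOException}, is reported as an
   * {@link AuthLoginException}.
   *
   * @return the created identity, or {@code null} when creation was tolerated but did not
   *     produce an identity.
   */
  public AMIdentity provisionUser(AMIdentityRepository idrepo, Map<String, Set<String>> attributes)
      throws AuthLoginException {

    AMIdentity identity = null;
    try {
      String userId;
      Set<String> idAttribute = attributes.get(idNameAttribute);
      if (idAttribute != null && !idAttribute.isEmpty()) {
        userId = idAttribute.iterator().next();
      } else {
        userId = UUID.randomUUID().toString();
      }
      identity = idrepo.createIdentity(IdType.USER, userId, attributes);
    } catch (IdRepoException ire) {
      // Log prefixes name this method; the original said getAccount/getAttributes, which sent
      // anyone reading the logs to the wrong place.
      debug.error("DefaultAccountMapper.provisionUser: IRE ", ire);
      debug.error("LDAPERROR Code = " + ire.getLDAPErrorCode());
      // NOTE(review): a null LDAP code is tolerated just like code 68 (entryAlreadyExists) and
      // yields a null identity — confirm that non-LDAP failures are meant to be swallowed.
      if (ire.getLDAPErrorCode() != null && !ire.getLDAPErrorCode().equalsIgnoreCase("68")) {
        throw new AuthLoginException("Failed to create user");
      }
    } catch (SSOException ex) {
      debug.error(
          "DefaultAccountMapper.provisionUser: Problem while creating the user. SSOExc", ex);
      throw new AuthLoginException("Failed to create user");
    }

    return identity;
  }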
  /**
   * {@inheritDoc}
   *
   * <p>Searches {@code USER} identities matching any of the given attributes (OR search) and
   * returns the first hit. An empty or null attribute map, a search failure, or no match all
   * yield {@code null}; failures are logged at error level.
   */
  public AMIdentity searchUser(AMIdentityRepository idrepo, Map<String, Set<String>> attr) {
    if (attr == null || attr.isEmpty()) {
      debug.warning("DefaultAccountMapper.searchUser: empty search");
      return null;
    }

    AMIdentity found = null;
    IdSearchControl ctrl = getSearchControl(IdSearchOpModifier.OR, attr);
    try {
      IdSearchResults results = idrepo.searchIdentities(IdType.USER, "*", ctrl);
      Iterator<AMIdentity> hits = results.getSearchResults().iterator();
      // Only the first match is used; further hits are ignored.
      if (hits.hasNext()) {
        found = hits.next();
        if (debug.messageEnabled()) {
          debug.message("getUser: user found : " + found.getName());
        }
      }
    } catch (IdRepoException ex) {
      debug.error(
          "DefaultAccountMapper.searchUser: Problem while searching for the user. IdRepo", ex);
    } catch (SSOException ex) {
      debug.error(
          "DefaultAccountMapper.searchUser: Problem while searching for the user. SSOExc", ex);
    }

    return found;
  }
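 /**
  * Returns attribute map of the specified service in the specified organization.
  *
  * <p>Best effort: any failure (repository access, missing realm identity, ...) is logged at
  * message level and an empty map is returned, so callers cannot tell "service not assigned"
  * from "lookup failed"; the debug log now carries the exception for that case.
  *
  * @param orgDN Organization DN in which the service exists.
  * @param serviceName Service name of which the attributes are retrieved.
  * @return Map containing the attributes of the service; empty if the service is not assigned
  *     to the organization or the lookup failed.
  */
 public Map getOrgServiceAttributes(String orgDN, String serviceName) {
   Map map = Collections.EMPTY_MAP;
   try {
     AMIdentityRepository idRepo = getAMIdentityRepository(orgDN);
     AMIdentity realmIdentity = idRepo.getRealmIdentity();
     Set assigned = realmIdentity.getAssignedServices();
     // Only query attributes for a service that is actually assigned to this organization.
     if (assigned != null && assigned.contains(serviceName)) {
       map = realmIdentity.getServiceAttributes(serviceName);
     }
   } catch (Exception e) {
     // Deliberately best-effort; the exception itself was previously dropped from the log,
     // which made lookup failures impossible to diagnose.
     if (debug.messageEnabled()) {
       debug.message(
           "Exception in getting service attributes for " + serviceName + " in org " + orgDN, e);
     }
   }
   return map;
 }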
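  /**
   * Exercises identity-repository access with a delegated token: searching the root realm is
   * expected to be refused, while searching {@code SUB_REALM} and its sub-realm must succeed.
   *
   * @param token Token of the delegated administrator under test.
   * @throws Exception if a permitted search fails, or if the root-realm search is not refused.
   */
  private void testIdRepoAccess(SSOToken token) throws Exception {
    boolean rootSearchRefused = false;
    try {
      AMIdentityRepository rootRepo = new AMIdentityRepository(token, "/");
      IdSearchResults rootResult =
          rootRepo.searchIdentities(IdType.USER, "*", new IdSearchControl());
      rootResult.getSearchResults();
    } catch (IdRepoException e) {
      // permission denied: the expected outcome for a token scoped to SUB_REALM.
      rootSearchRefused = true;
    }
    // NOTE(review): the original silently passed when the root search *succeeded*, so a broken
    // delegation policy would not have failed this test. The surrounding comments imply denial
    // is required — confirm against the delegation setup this test runs under.
    if (!rootSearchRefused) {
      throw new AssertionError("root realm search was not refused for the delegated token");
    }

    // ok to search current realm
    AMIdentityRepository idrepo = new AMIdentityRepository(token, SUB_REALM);
    IdSearchResults result = idrepo.searchIdentities(IdType.USER, "*", new IdSearchControl());
    result.getSearchResults();

    // ok to search sub realm
    idrepo = new AMIdentityRepository(token, SUB_REALM + "/" + SUB_SUB_REALM);
    result = idrepo.searchIdentities(IdType.USER, "*", new IdSearchControl());
    result.getSearchResults();
  }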
 /**
  * Creates the dummy role {@code DUMMY_ROLE} in {@code realm} with no attributes.
  *
  * @param realm Realm in which the role is created.
  * @return the newly created role identity.
  * @throws IdRepoException if the repository refuses the creation.
  * @throws SSOException if the admin token is invalid.
  */
 private AMIdentity createDummyRole(String realm) throws IdRepoException, SSOException {
   AMIdentityRepository repo = new AMIdentityRepository(getAdminSSOToken(), realm);
   return repo.createIdentity(IdType.ROLE, DUMMY_ROLE, Collections.emptyMap());
 }
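  /**
   * Returns the <code>AMIdentity</code> object for the given parameters. If there is no such
   * identity, or there is more then one matching identity, then an AuthException will be thrown.
   *
   * <p>Two strategies are tried in order: a direct lookup via {@code IdUtils.getIdentity},
   * accepted only when the identity exists, has the requested type and has attributes; then a
   * recursive search of the organization's repository by (DN-stripped) name. Repository and
   * session failures in either step are logged at message level and treated as "not found".
   *
   * @param idType Identity Type.
   * @param idName Identity Name.
   * @param orgName organization name.
   * @return <code>AMIdentity</code> object.
   * @throws AuthException if there was no result, or if there was more results then one.
   */
  public AMIdentity getIdentity(IdType idType, String idName, String orgName) throws AuthException {
    if (debug.messageEnabled()) {
      debug.message("IdType is :" + idType);
      debug.message("IdName is :" + idName);
      debug.message("orgName is :" + orgName);
    }
    AMIdentity amIdentity = null;

    // Try getting the identity using IdUtils.getIdentity(...)
    try {
      if (debug.messageEnabled()) {
        debug.message("AuthD.getIdentity() from IdUtils Name: " + idName + " Org: " + orgName);
      }
      amIdentity = IdUtils.getIdentity(getSSOAuthSession(), idName, orgName);
      if ((amIdentity != null)
          && (amIdentity.isExists())
          && (amIdentity.getType().equals(idType))
          && (amIdentity.getAttributes() != null)) {
        if (debug.messageEnabled()) {
          debug.message(
              "AuthD.getIdentity obtained identity using IdUtil.getIdentity: " + amIdentity);
        }
        return amIdentity;
      }
    } catch (IdRepoException e) {
      // Ignore this exception and continue with search
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got IdRepoException while "
                + "getting Identity from IdUtils: "
                + e.getMessage());
      }
    } catch (SSOException ssoe) {
      // Ignore this exception and continue with search
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got SSOException while "
                + "getting Identity from IdUtils: "
                + ssoe.getMessage());
      }
    }

    // Obtain AMIdentity object by searching within IdRepo
    try {
      amIdentity = null;
      idName = DNUtils.DNtoName(idName);
      AMIdentityRepository amIdRepo = getAMIdentityRepository(orgName);
      IdSearchControl idsc = new IdSearchControl();
      idsc.setRecursive(true);
      // NOTE(review): presumably 0 means "no timeout" / "no result limit" — confirm in
      // IdSearchControl before relying on it.
      idsc.setTimeOut(0);
      idsc.setMaxResults(0);
      idsc.setAllReturnAttributes(false);
      IdSearchResults searchResults = amIdRepo.searchIdentities(idType, idName, idsc);
      Set results = null;
      if (searchResults != null) {
        results = searchResults.getSearchResults();
      }
      if (results == null) {
        // A null result set used to escape as a NullPointerException at results.iterator();
        // treat it as "no match" so the caller gets the documented AuthException instead.
        results = Collections.EMPTY_SET;
      }

      if (results.size() > 1) {
        // Multiple matches are ambiguous: refuse rather than bind the login to an arbitrary
        // entry. A super admin has to clean up the duplicate entries.
        debug.error("getIdentity: Multiple matches found for user '" + idName + "'");
        throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
      }

      Iterator users = results.iterator();
      if (users.hasNext()) {
        amIdentity = (AMIdentity) users.next();
      }
    } catch (SSOException sso) {
      if (debug.messageEnabled()) {
        debug.message("getIdentity error " + sso.getMessage());
      }
    } catch (IdRepoException ide) {
      if (debug.messageEnabled()) {
        debug.message("IdRepoException error " + ide.getMessage());
      }
    }
    if (amIdentity == null) {
      throw new AuthException(AMAuthErrorCode.AUTH_PROFILE_ERROR, null);
    }

    return amIdentity;
  }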