/**
 * Creates the two groups used by the tests in this class, in the root realm.
 *
 * The repository is opened with the administrator token obtained through
 * AdminTokenAction, so group creation does not depend on the privileges of
 * any test user. Both groups are created without attributes and are removed
 * again by cleanup().
 *
 * @throws Exception if the admin token cannot be obtained or a group cannot be created.
 */
@BeforeClass
public void setup() throws Exception {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    AMIdentityRepository rootRepo = new AMIdentityRepository(adminToken, "/");
    group1 = rootRepo.createIdentity(IdType.GROUP, GROUP_NAME1, Collections.EMPTY_MAP);
    group2 = rootRepo.createIdentity(IdType.GROUP, GROUP_NAME2, Collections.EMPTY_MAP);
}
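/**
 * Deletes the user created by an earlier test through the delete-identities CLI
 * command and then verifies, via a repository search, that it is really gone.
 *
 * The entering/exiting trace labels name this method (the previous labels referred
 * to other methods, which made the trace output misleading).
 *
 * @param realm realm the user lives in.
 * @param uid name of the user to delete.
 * @throws CLIException if the CLI request fails.
 * @throws IdRepoException if the verification search fails.
 * @throws SSOException if the admin token is not valid.
 */
@Parameters({"realm", "uid"})
@AfterTest(groups = {"cli-idrepo", "delete-identities"})
public void deleteIdentity(String realm, String uid)
        throws CLIException, IdRepoException, SSOException {
    String[] param = {realm, uid};
    entering("deleteIdentity", param);
    String[] args = {
        "delete-identities",
        CLIConstants.PREFIX_ARGUMENT_LONG + IArgument.REALM_NAME, realm,
        CLIConstants.PREFIX_ARGUMENT_LONG + IdentityCommand.ARGUMENT_ID_TYPE, "User",
        CLIConstants.PREFIX_ARGUMENT_LONG + IdentityCommand.ARGUMENT_ID_NAMES, uid
    };
    SSOToken adminSSOToken = getAdminSSOToken();
    CLIRequest req = new CLIRequest(null, args, adminSSOToken);
    cmdManager.addToRequestQueue(req);
    cmdManager.serviceRequestQueue();
    // Verify through the repository rather than trusting the command alone.
    AMIdentityRepository amir = new AMIdentityRepository(adminSSOToken, realm);
    IdSearchResults isr = amir.searchIdentities(IdType.USER, uid, new IdSearchControl());
    Set results = isr.getSearchResults();
    assert results.isEmpty() : "user " + uid + " still present in realm " + realm;
    exiting("deleteIdentity");
}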
/**
 * Removes the DUMMY_ROLE role from the given realm using the admin token.
 *
 * @param realm realm the role was created in.
 * @throws IdRepoException if the repository refuses the deletion.
 * @throws SSOException if the admin token is not valid.
 */
private void deleteDummyRole(String realm) throws IdRepoException, SSOException {
    SSOToken token = getAdminSSOToken();
    AMIdentityRepository repo = new AMIdentityRepository(token, realm);
    AMIdentity dummyRole = new AMIdentity(token, DUMMY_ROLE, IdType.ROLE, realm, null);
    Set<AMIdentity> toDelete = new HashSet<AMIdentity>();
    toDelete.add(dummyRole);
    repo.deleteIdentities(toDelete);
}
/**
 * Deletes the two groups created by setup() from the root realm.
 *
 * Runs with the administrator token so the cleanup does not depend on any
 * test user's privileges.
 *
 * @throws Exception if the admin token cannot be obtained or the deletion fails.
 */
@AfterClass
public void cleanup() throws Exception {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    AMIdentityRepository rootRepo = new AMIdentityRepository(adminToken, "/");
    Set<AMIdentity> groups = new HashSet<AMIdentity>();
    groups.add(group1);
    groups.add(group2);
    rootRepo.deleteIdentities(groups);
}
/**
 * Adds the services that can still be assigned to the realm identity to names.
 *
 * It is acceptable for an administrator such as a policy administrator not to
 * have access to AMIdentityRepository; in that case the failure is logged at
 * warning level and names is left untouched.
 *
 * @param realmName realm whose assignable services are collected.
 * @param names set the service names are added to (mutated in place).
 */
private void addIdentityUnassignedServices(String realmName, Set names) {
    try {
        AMIdentityRepository repo = new AMIdentityRepository(getUserSSOToken(), realmName);
        Set assignable = repo.getRealmIdentity().getAssignableServices();
        names.addAll(assignable);
    } catch (IdRepoException e) {
        debug.warning("ServicesModelImpl.addIdentityUnassignedServices", e);
    } catch (SSOException e) {
        debug.warning("ServicesModelImpl.addIdentityUnassignedServices", e);
    }
}
/**
 * Services a Commandline Request.
 *
 * Prints the services assigned to the identity named on the command line, after
 * checking that the realm's identity repository supports service operations for
 * the requested identity type at all. The attempt, its success and any failure
 * are recorded through writeLog.
 *
 * @param rc Request Context.
 * @throws CLIException if the request cannot be serviced.
 */
public void handleRequest(RequestContext rc) throws CLIException {
    super.handleRequest(rc);
    SSOToken adminSSOToken = getAdminSSOToken();
    IOutput out = getOutputWriter();
    String realm = getStringOptionValue(IArgument.REALM_NAME);
    String idName = getStringOptionValue(ARGUMENT_ID_NAME);
    String type = getStringOptionValue(ARGUMENT_ID_TYPE);
    IdType idType = convert2IdType(type);
    String[] params = {realm, type, idName};
    try {
        AMIdentityRepository repo = new AMIdentityRepository(adminSSOToken, realm);
        // Refuse early when the repository cannot perform service operations for this type.
        Set allowedOps = repo.getAllowedIdOperations(idType);
        if (!allowedOps.contains(IdOperation.SERVICE)) {
            String unsupported = MessageFormat.format(
                    getResourceString("realm-does-not-support-service"), (Object[]) params);
            throw new CLIException(unsupported, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
        }
        writeLog(LogWriter.LOG_ACCESS, Level.INFO, "ATTEMPT_GET_ASSIGNED_SERVICES", params);
        AMIdentity amid = new AMIdentity(adminSSOToken, idName, idType, realm, null);
        Set services = amid.getAssignedServices();
        if ((services == null) || services.isEmpty()) {
            out.printlnMessage(getResourceString("no-service-assigned"));
        } else {
            String template = getResourceString("assigned-service-result");
            for (Object service : services) {
                Object[] formatArgs = {(String) service};
                out.printlnMessage(MessageFormat.format(template, formatArgs));
            }
        }
        writeLog(LogWriter.LOG_ACCESS, Level.INFO, "SUCCEED_GET_ASSIGNED_SERVICES", params);
    } catch (IdRepoException e) {
        String[] failureArgs = {realm, type, idName, e.getMessage()};
        debugError("GetAssignedServices.handleRequest", e);
        writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_ASSIGNED_SERVICES", failureArgs);
        throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    } catch (SSOException e) {
        String[] failureArgs = {realm, type, idName, e.getMessage()};
        debugError("GetAssignedServices.handleRequest", e);
        writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_ASSIGNED_SERVICES", failureArgs);
        throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    }
}
/**
 * Unassigns services from realm.
 *
 * Services currently assigned to the realm identity are unassigned there; any
 * other name is handed to the OrganizationConfigManager. A null or blank realm
 * name means the root realm. Every attempt and outcome is logged, and a failure
 * is logged against the service that was being processed at the time.
 *
 * @param realmName Name of Realm.
 * @param names Names of services that are to be unassigned.
 * @throws AMConsoleException if services cannot be unassigned.
 */
public void unassignServices(String realmName, Set names) throws AMConsoleException {
    if ((names == null) || names.isEmpty()) {
        return;
    }
    String realm = ((realmName == null) || (realmName.trim().length() == 0)) ? "/" : realmName;
    String[] params = {realm, null};
    // Name of the service being processed, for the failure log entries.
    String curServiceName = "";
    try {
        OrganizationConfigManager scm = new OrganizationConfigManager(getUserSSOToken(), realm);
        AMIdentityRepository repo = new AMIdentityRepository(getUserSSOToken(), realm);
        AMIdentity realmIdentity = repo.getRealmIdentity();
        Set realmServices = realmIdentity.getAssignedServices();
        for (Object o : names) {
            String name = (String) o;
            curServiceName = name;
            params[1] = name;
            logEvent("ATTEMPT_UNASSIGN_SERVICE_FROM_REALM", params);
            if (realmServices.contains(name)) {
                realmIdentity.unassignService(name);
            } else {
                scm.unassignService(name);
            }
            logEvent("SUCCEED_UNASSIGN_SERVICE_FROM_REALM", params);
        }
    } catch (SMSException e) {
        String strError = getErrorString(e);
        String[] paramsEx = {realm, curServiceName, strError};
        logEvent("SMS_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", paramsEx);
        throw new AMConsoleException(strError);
    } catch (SSOException e) {
        String strError = getErrorString(e);
        String[] paramsEx = {realm, curServiceName, strError};
        logEvent("SSO_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", paramsEx);
        throw new AMConsoleException(strError);
    } catch (IdRepoException e) {
        String strError = getErrorString(e);
        String[] paramsEx = {realm, curServiceName, strError};
        logEvent("IDREPO_EXCEPTION_UNASSIGN_SERVICE_FROM_REALM", paramsEx);
        throw new AMConsoleException(strError);
    }
}
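/**
 * {@inheritDoc}
 *
 * Creates a user in the given repository named after the configured
 * idNameAttribute value, or after a random UUID when that attribute is absent.
 *
 * An IdRepoException carrying LDAP result code 68 (entry already exists) is
 * tolerated and yields null so the caller can look the existing user up instead.
 * Any other repository failure, including one that carries no LDAP result code,
 * is reported as an AuthLoginException rather than silently producing null.
 *
 * @param idrepo repository the user is created in.
 * @param attributes attributes for the new user; also supplies the identifier.
 * @return the created identity, or null when the entry already existed.
 * @throws AuthLoginException if the user cannot be created.
 */
public AMIdentity provisionUser(AMIdentityRepository idrepo, Map<String, Set<String>> attributes)
        throws AuthLoginException {
    AMIdentity identity = null;
    try {
        String userId;
        Set<String> idAttribute = attributes.get(idNameAttribute);
        if (idAttribute != null && !idAttribute.isEmpty()) {
            userId = idAttribute.iterator().next();
        } else {
            // No identifier supplied: fall back to a random, unique name.
            userId = UUID.randomUUID().toString();
        }
        identity = idrepo.createIdentity(IdType.USER, userId, attributes);
    } catch (IdRepoException ire) {
        String ldapErrorCode = ire.getLDAPErrorCode();
        debug.error("DefaultAccountMapper.provisionUser: IRE ", ire);
        debug.error("LDAPERROR Code = " + ldapErrorCode);
        // Null-safe comparison: only "entry already exists" is tolerated.
        if (!"68".equalsIgnoreCase(ldapErrorCode)) {
            throw new AuthLoginException("Failed to create user");
        }
    } catch (SSOException ex) {
        debug.error("DefaultAccountMapper.provisionUser: Problem while creating the user. SSOExc", ex);
        throw new AuthLoginException("Failed to create user");
    }
    return identity;
}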
/**
 * {@inheritDoc}
 *
 * Searches for a user matching any (OR) of the supplied attributes and returns
 * the first hit, or null when no attributes were supplied, nothing matched, or
 * the repository lookup failed. Lookup failures are logged, not propagated.
 *
 * NOTE(review): multiple matches are not rejected here; whichever identity the
 * repository returns first is used.
 *
 * @param idrepo repository to search.
 * @param attr attributes to match.
 * @return the first matching identity, or null.
 */
public AMIdentity searchUser(AMIdentityRepository idrepo, Map<String, Set<String>> attr) {
    if (attr == null || attr.isEmpty()) {
        debug.warning("DefaultAccountMapper.searchUser: empty search");
        return null;
    }
    AMIdentity found = null;
    IdSearchControl ctrl = getSearchControl(IdSearchOpModifier.OR, attr);
    try {
        // Wildcard name; the attribute filter in ctrl does the narrowing.
        IdSearchResults results = idrepo.searchIdentities(IdType.USER, "*", ctrl);
        Iterator<AMIdentity> hits = results.getSearchResults().iterator();
        if (hits.hasNext()) {
            found = hits.next();
            if (debug.messageEnabled()) {
                debug.message("getUser: user found : " + found.getName());
            }
        }
    } catch (IdRepoException ex) {
        debug.error("DefaultAccountMapper.searchUser: Problem while searching for the user. IdRepo", ex);
    } catch (SSOException ex) {
        debug.error("DefaultAccountMapper.searchUser: Problem while searching for the user. SSOExc", ex);
    }
    return found;
}
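/**
 * Returns attribute map of the specified service in the specified organization.
 *
 * The lookup is best-effort: if the organization's realm identity cannot be read,
 * or the service is not assigned to it, an empty map is returned. Failures are
 * recorded at debug level together with the exception, so the cause is not lost.
 *
 * @param orgDN Organization DN in which the service exists.
 * @param serviceName Service name of which the attributes are retrieved.
 * @return Map containing the attributes of the service; empty when unavailable.
 */
public Map getOrgServiceAttributes(String orgDN, String serviceName) {
    Map map = Collections.EMPTY_MAP;
    try {
        AMIdentityRepository idRepo = getAMIdentityRepository(orgDN);
        AMIdentity realmIdentity = idRepo.getRealmIdentity();
        Set set = realmIdentity.getAssignedServices();
        if (set.contains(serviceName)) {
            map = realmIdentity.getServiceAttributes(serviceName);
        }
    } catch (Exception e) {
        // Deliberately broad: any repository or session problem degrades to "no attributes".
        if (debug.messageEnabled()) {
            debug.message("Exception in getting service attributes for " + serviceName
                    + " in org " + orgDN, e);
        }
    }
    return map;
}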
/**
 * Exercises identity searches with the given token across the realm hierarchy.
 *
 * The search in the root realm is allowed to fail for this token (an
 * IdRepoException there is caught and ignored), while searches in SUB_REALM
 * and its sub realm must succeed.
 *
 * NOTE(review): nothing asserts that the root-realm search was actually
 * rejected; if it were wrongly permitted this helper would still pass. Confirm
 * whether the rejection should be asserted.
 *
 * @param token token whose access is exercised.
 * @throws Exception if a search that must succeed fails.
 */
private void testIdRepoAccess(SSOToken token) throws Exception {
    try {
        AMIdentityRepository rootRepo = new AMIdentityRepository(token, "/");
        rootRepo.searchIdentities(IdType.USER, "*", new IdSearchControl()).getSearchResults();
    } catch (IdRepoException ignored) {
        // permission denied
    }
    // ok to search current realm
    AMIdentityRepository repo = new AMIdentityRepository(token, SUB_REALM);
    repo.searchIdentities(IdType.USER, "*", new IdSearchControl()).getSearchResults();
    // ok to search sub realm
    repo = new AMIdentityRepository(token, SUB_REALM + "/" + SUB_SUB_REALM);
    repo.searchIdentities(IdType.USER, "*", new IdSearchControl()).getSearchResults();
}
/**
 * Creates the DUMMY_ROLE role, with no attributes, in the given realm using the admin token.
 *
 * @param realm realm the role is created in.
 * @return the created role identity.
 * @throws IdRepoException if the repository refuses the creation.
 * @throws SSOException if the admin token is not valid.
 */
private AMIdentity createDummyRole(String realm) throws IdRepoException, SSOException {
    SSOToken token = getAdminSSOToken();
    return new AMIdentityRepository(token, realm)
            .createIdentity(IdType.ROLE, DUMMY_ROLE, Collections.EMPTY_MAP);
}
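/**
 * Returns the <code>AMIdentity</code> object for the given parameters. If there is no such
 * identity, or there is more than one matching identity, then an AuthException will be thrown.
 *
 * The lookup first tries IdUtils directly; if that yields nothing usable, the identity
 * repository of the organization is searched and exactly one match is required.
 *
 * @param idType Identity Type.
 * @param idName Identity Name.
 * @param orgName organization name.
 * @return <code>AMIdentity</code> object.
 * @throws AuthException if there was no result, or if there was more than one result.
 */
public AMIdentity getIdentity(IdType idType, String idName, String orgName) throws AuthException {
    if (debug.messageEnabled()) {
        debug.message("IdType is :" + idType);
        debug.message("IdName is :" + idName);
        debug.message("orgName is :" + orgName);
    }
    // Try getting the identity using IdUtils.getIdentity(...)
    AMIdentity amIdentity = lookupIdentityViaIdUtils(idType, idName, orgName);
    if (amIdentity == null) {
        // Obtain AMIdentity object by searching within IdRepo
        amIdentity = searchUniqueIdentity(idType, DNUtils.DNtoName(idName), orgName);
    }
    if (amIdentity == null) {
        throw new AuthException(AMAuthErrorCode.AUTH_PROFILE_ERROR, null);
    }
    return amIdentity;
}

/**
 * Direct lookup through IdUtils.
 *
 * @return the identity when it exists, has the requested type and has readable
 *     attributes; null otherwise, including when the lookup throws (which is
 *     logged and ignored so the caller can fall back to a search).
 */
private AMIdentity lookupIdentityViaIdUtils(IdType idType, String idName, String orgName) {
    try {
        if (debug.messageEnabled()) {
            debug.message("AuthD.getIdentity() from IdUtils Name: " + idName + " Org: " + orgName);
        }
        AMIdentity amIdentity = IdUtils.getIdentity(getSSOAuthSession(), idName, orgName);
        if ((amIdentity != null)
                && amIdentity.isExists()
                && amIdentity.getType().equals(idType)
                && (amIdentity.getAttributes() != null)) {
            if (debug.messageEnabled()) {
                debug.message("AuthD.getIdentity obtained identity"
                        + "using IdUtil.getIdentity: " + amIdentity);
            }
            return amIdentity;
        }
    } catch (IdRepoException e) {
        // Ignore this exception and continue with search
        if (debug.messageEnabled()) {
            debug.message("AuthD.getIdentity: Got IdRepoException while "
                    + "getting Identity from IdUtils: " + e.getMessage());
        }
    } catch (SSOException ssoe) {
        // Ignore this exception and continue with search
        if (debug.messageEnabled()) {
            debug.message("AuthD.getIdentity: Got SSOException while "
                    + "getting Identity from IdUtils: " + ssoe.getMessage());
        }
    }
    return null;
}

/**
 * Searches the organization's identity repository for exactly one identity.
 *
 * @param idName already converted with DNUtils.DNtoName.
 * @return the single match, or null when there is none or the search failed
 *     (failures are logged and ignored).
 * @throws AuthException if more than one identity matches; an ambiguous match
 *     must never be resolved by picking one.
 */
private AMIdentity searchUniqueIdentity(IdType idType, String idName, String orgName)
        throws AuthException {
    try {
        AMIdentityRepository amIdRepo = getAMIdentityRepository(orgName);
        IdSearchControl idsc = new IdSearchControl();
        idsc.setRecursive(true);
        // 0 is passed for both limits; presumably "unbounded", which the
        // multiple-match check below relies on (a truncated result could hide a
        // second match) - confirm against IdSearchControl.
        idsc.setTimeOut(0);
        idsc.setMaxResults(0);
        idsc.setAllReturnAttributes(false);
        IdSearchResults searchResults = amIdRepo.searchIdentities(idType, idName, idsc);
        Set results = Collections.EMPTY_SET;
        if (searchResults != null) {
            results = searchResults.getSearchResults();
        }
        // getSearchResults() may hand back null; treat that like "no match"
        // instead of dereferencing it.
        if (results == null || results.isEmpty()) {
            return null;
        }
        if (results.size() > 1) {
            // multiple user match found, throw exception,
            // user need to login as super admin to fix it
            debug.error("getIdentity: Multiple matches found for " + "user '" + idName + "'");
            throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
        }
        return (AMIdentity) results.iterator().next();
    } catch (SSOException sso) {
        if (debug.messageEnabled()) {
            debug.message("getIdentity error " + sso.getMessage());
        }
    } catch (IdRepoException ide) {
        if (debug.messageEnabled()) {
            debug.message("IdRepoException error " + ide.getMessage());
        }
    }
    return null;
}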