Example #1
0
  @Override
  protected void securityChecks(final User user) {
    // Allows anonymous (during self-registration) and self (during self-update) to read own user,
    // otherwise goes through security checks to see if required entitlements are owned
    if (!AuthContextUtils.getUsername().equals(anonymousUser)
        && !AuthContextUtils.getUsername().equals(user.getUsername())) {

      Set<String> authRealms =
          AuthContextUtils.getAuthorizations().get(StandardEntitlement.USER_READ);
      boolean authorized =
          IterableUtils.matchesAny(
              authRealms,
              new Predicate<String>() {

                @Override
                public boolean evaluate(final String realm) {
                  return user.getRealm().getFullPath().startsWith(realm);
                }
              });
      if (authRealms == null || authRealms.isEmpty() || !authorized) {
        throw new DelegatedAdministrationException(AnyTypeKind.USER, user.getKey());
      }
    }
  }
Example #2
0
  @Transactional(readOnly = true)
  @Override
  public Pair<Boolean, Boolean> enforcePolicies(final User user) {
    // ------------------------------
    // Verify password policies
    // ------------------------------
    LOG.debug("Password Policy enforcement");

    try {
      int maxPPSpecHistory = 0;
      for (PasswordPolicy policy : getPasswordPolicies(user)) {
        if (user.getPassword() == null && !policy.isAllowNullPassword()) {
          throw new PasswordPolicyException("Password mandatory");
        }

        for (PasswordRuleConf ruleConf : policy.getRuleConfs()) {
          Class<? extends PasswordRule> ruleClass =
              implementationLookup.getPasswordRuleClass(ruleConf.getClass());
          if (ruleClass == null) {
            LOG.warn("Could not find matching password rule for {}", ruleConf.getClass());
          } else {
            // fetch (or create) rule
            PasswordRule rule;
            if (ApplicationContextProvider.getBeanFactory()
                .containsSingleton(ruleClass.getName())) {
              rule =
                  (PasswordRule)
                      ApplicationContextProvider.getBeanFactory().getSingleton(ruleClass.getName());
            } else {
              rule =
                  (PasswordRule)
                      ApplicationContextProvider.getBeanFactory()
                          .createBean(ruleClass, AbstractBeanDefinition.AUTOWIRE_BY_TYPE, false);
              ApplicationContextProvider.getBeanFactory()
                  .registerSingleton(ruleClass.getName(), rule);
            }

            // enforce rule
            rule.enforce(ruleConf, user);
          }
        }

        if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
          throw new PasswordPolicyException("Password value was used in the past: not allowed");
        }

        if (policy.getHistoryLength() > maxPPSpecHistory) {
          maxPPSpecHistory = policy.getHistoryLength();
        }
      }

      // update user's password history with encrypted password
      if (maxPPSpecHistory > 0 && user.getPassword() != null) {
        user.getPasswordHistory().add(user.getPassword());
      }
      // keep only the last maxPPSpecHistory items in user's password history
      if (maxPPSpecHistory < user.getPasswordHistory().size()) {
        for (int i = 0; i < user.getPasswordHistory().size() - maxPPSpecHistory; i++) {
          user.getPasswordHistory().remove(i);
        }
      }
    } catch (Exception e) {
      LOG.error("Invalid password for {}", user, e);
      throw new InvalidEntityException(
          User.class, EntityViolationType.InvalidPassword, e.getMessage());
    } finally {
      // password has been validated, let's remove its clear version
      user.removeClearPassword();
    }

    // ------------------------------
    // Verify account policies
    // ------------------------------
    LOG.debug("Account Policy enforcement");

    boolean suspend = false;
    boolean propagateSuspension = false;
    try {
      if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
        throw new AccountPolicyException("Not allowed: " + user.getUsername());
      }

      for (AccountPolicy policy : getAccountPolicies(user)) {
        for (AccountRuleConf ruleConf : policy.getRuleConfs()) {
          Class<? extends AccountRule> ruleClass =
              implementationLookup.getAccountRuleClass(ruleConf.getClass());
          if (ruleClass == null) {
            LOG.warn("Could not find matching password rule for {}", ruleConf.getClass());
          } else {
            // fetch (or create) rule
            AccountRule rule;
            if (ApplicationContextProvider.getBeanFactory()
                .containsSingleton(ruleClass.getName())) {
              rule =
                  (AccountRule)
                      ApplicationContextProvider.getBeanFactory().getSingleton(ruleClass.getName());
            } else {
              rule =
                  (AccountRule)
                      ApplicationContextProvider.getBeanFactory()
                          .createBean(ruleClass, AbstractBeanDefinition.AUTOWIRE_BY_TYPE, false);
              ApplicationContextProvider.getBeanFactory()
                  .registerSingleton(ruleClass.getName(), rule);
            }

            // enforce rule
            rule.enforce(ruleConf, user);
          }
        }

        suspend |=
            user.getFailedLogins() != null
                && policy.getMaxAuthenticationAttempts() > 0
                && user.getFailedLogins() > policy.getMaxAuthenticationAttempts()
                && !user.isSuspended();
        propagateSuspension |= policy.isPropagateSuspension();
      }
    } catch (Exception e) {
      LOG.error("Invalid username for {}", user, e);
      throw new InvalidEntityException(
          User.class, EntityViolationType.InvalidUsername, e.getMessage());
    }

    return ImmutablePair.of(suspend, propagateSuspension);
  }