/**
* Check if the current user is allowed to access the requested resource.
*
* @param httpRequest
* @throws AccessDeniedException If the request is not allowed considering the resource
* permissions.
*/
public boolean isAllowed(HttpServletRequest httpRequest) throws AccessDeniedException {
final String requestURI = httpRequest.getRequestURI();
Set<Entry<String, String[]>> entrySet = this.roleProtectedResources.entrySet();
for (Entry<String, String[]> entry : entrySet) {
if (matches(entry.getKey(), requestURI)) {
Identity identity = getIdentity();
if (!identity.isLoggedIn()) {
return false;
} else {
String[] roles = entry.getValue();
for (String roleName : roles) {
IdentityManager identityManager = getIdentityManager();
Role role = BasicModel.getRole(identityManager, roleName.trim());
if (role == null) {
throw new IllegalStateException(
"The specified role does not exists [" + role + "]. Check your configuration.");
}
if (!BasicModel.hasRole(getRelationshipManager(), identity.getAccount(), role)) {
return false;
}
}
}
}
}
return true;
}
@Test
public void testRemove() throws Exception {
IdentityManager identityManager = getIdentityManager();
Agent someAgent = createIdentityType();
Agent anotherAgent = createAgent("someAnotherAgent");
identityManager.remove(someAgent);
Agent removedUserInstance = getAgent(someAgent.getLoginName());
assertNull(removedUserInstance);
anotherAgent = getAgent(anotherAgent.getLoginName());
assertNotNull(anotherAgent);
Role role = createRole("role");
Group group = createGroup("group", null);
RelationshipManager relationshipManager = getPartitionManager().createRelationshipManager();
BasicModel.grantRole(relationshipManager, anotherAgent, role);
BasicModel.addToGroup(relationshipManager, anotherAgent, group);
RelationshipQuery<?> relationshipQuery =
relationshipManager.createRelationshipQuery(Grant.class);
relationshipQuery.setParameter(Grant.ASSIGNEE, anotherAgent);
assertFalse(relationshipQuery.getResultList().isEmpty());
relationshipQuery = relationshipManager.createRelationshipQuery(GroupMembership.class);
relationshipQuery.setParameter(GroupMembership.MEMBER, anotherAgent);
assertFalse(relationshipQuery.getResultList().isEmpty());
identityManager.remove(anotherAgent);
relationshipQuery = relationshipManager.createRelationshipQuery(Grant.class);
relationshipQuery.setParameter(Grant.ASSIGNEE, anotherAgent);
assertTrue(relationshipQuery.getResultList().isEmpty());
relationshipQuery = relationshipManager.createRelationshipQuery(GroupMembership.class);
relationshipQuery.setParameter(GroupMembership.MEMBER, anotherAgent);
assertTrue(relationshipQuery.getResultList().isEmpty());
}
public boolean isAdmin() {
if (isUserLoggedIn()) {
IdentityManager identityManager = getIdentityManager();
RelationshipManager relationshipManager = getRelationshipManager();
return BasicModel.hasRole(
relationshipManager,
identity.getAccount(),
BasicModel.getRole(identityManager, "Administrator"));
}
return false;
}
/** Loads some users during the <b>first</b> construction. */
@PostConstruct
public void create() {
this.identityManager = partitionManager.createIdentityManager();
this.relationshipManager = partitionManager.createRelationshipManager();
final String DEFAULT_PASSWORD = "******";
final String DEFAULT_DEVELOPER = "developer";
final String DEFAULT_ADMIN = "admin";
User developerUser = BasicModel.getUser(identityManager, DEFAULT_DEVELOPER);
// We only create the Developer user, if there is none;
// if present, there is also no need to add the same 'Developer' user again.
if (developerUser == null) {
developerUser = new User(DEFAULT_DEVELOPER);
identityManager.add(developerUser);
Calendar calendar = expirationDate();
Password password = new Password(DEFAULT_PASSWORD.toCharArray());
identityManager.updateCredential(developerUser, password, new Date(), calendar.getTime());
Role roleDeveloper = new Role(UserRoles.DEVELOPER);
identityManager.add(roleDeveloper);
grantRoles(developerUser, roleDeveloper);
}
// Temp hack to add user with admin rights
User adminUser = BasicModel.getUser(identityManager, DEFAULT_ADMIN);
// We only create the Admin user, if there is none;
// if present, there is also no need to apply the same 'Admin' user again.
if (adminUser == null) {
adminUser = new User(DEFAULT_ADMIN);
identityManager.add(adminUser);
Calendar calendar = expirationDate();
Password password = new Password(DEFAULT_PASSWORD.toCharArray());
identityManager.updateCredential(adminUser, password, new Date(), calendar.getTime());
Role roleAdmin = new Role(UserRoles.ADMIN);
identityManager.add(roleAdmin);
grantRoles(adminUser, roleAdmin);
}
}
@Override
public void updateCredential(UserCredentialModel cred) {
if (!provider.getSupportedCredentialTypes(delegate).contains(cred.getType())) {
delegate.updateCredential(cred);
return;
}
IdentityManager identityManager = provider.getIdentityManager();
try {
User picketlinkUser = BasicModel.getUser(identityManager, getUsername());
if (picketlinkUser == null) {
logger.debugf("User '%s' doesn't exists. Skip password update", getUsername());
throw new IllegalStateException("User doesn't exist in LDAP storage");
}
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
identityManager.updateCredential(
picketlinkUser, new Password(cred.getValue().toCharArray()));
} else if (cred.getType().equals(UserCredentialModel.TOTP)) {
TOTPCredential credential = new TOTPCredential(cred.getValue());
credential.setDevice(cred.getDevice());
identityManager.updateCredential(picketlinkUser, credential);
}
} catch (IdentityManagementException ie) {
throw new ModelException(ie);
}
}
public boolean hasRole(String roleName) {
Account account = getIdentity().getAccount();
Role role = getRole(this.identityManager.get(), roleName);
if (role == null) return false;
return BasicModel.hasRole(this.relationshipManager.get(), account, role);
}
public static boolean removeUser(PartitionManager partitionManager, String username) {
IdentityManager idmManager = getIdentityManager(partitionManager);
User picketlinkUser = BasicModel.getUser(idmManager, username);
if (picketlinkUser == null) {
return false;
}
idmManager.remove(picketlinkUser);
return true;
}
public static User updateUser(
PartitionManager partitionManager,
String username,
String firstName,
String lastName,
String email) {
IdentityManager idmManager = getIdentityManager(partitionManager);
User picketlinkUser = BasicModel.getUser(idmManager, username);
picketlinkUser.setFirstName(firstName);
picketlinkUser.setLastName(lastName);
picketlinkUser.setEmail(email);
idmManager.update(picketlinkUser);
return picketlinkUser;
}
@Override
public void setFirstName(String first) {
IdentityManager identityManager = provider.getIdentityManager();
try {
User picketlinkUser = BasicModel.getUser(identityManager, delegate.getUsername());
if (picketlinkUser == null) {
throw new IllegalStateException("User not found in LDAP storage!");
}
picketlinkUser.setFirstName(first);
identityManager.update(picketlinkUser);
} catch (IdentityManagementException ie) {
throw new ModelException(ie);
}
delegate.setFirstName(first);
}
public static User addUser(
PartitionManager partitionManager,
String username,
String firstName,
String lastName,
String email) {
IdentityManager identityManager = getIdentityManager(partitionManager);
if (BasicModel.getUser(identityManager, username) != null) {
throw new ModelDuplicateException("User with same username already exists");
}
if (getUserByEmail(identityManager, email) != null) {
throw new ModelDuplicateException("User with same email already exists");
}
User picketlinkUser = new User(username);
picketlinkUser.setFirstName(firstName);
picketlinkUser.setLastName(lastName);
picketlinkUser.setEmail(email);
picketlinkUser.setAttribute(
new Attribute("fullName", getFullName(username, firstName, lastName)));
identityManager.add(picketlinkUser);
return picketlinkUser;
}
private void grantRoles(User user, Role role) {
BasicModel.grantRole(relationshipManager, user, role);
}
public static User getUser(PartitionManager partitionManager, String username) {
IdentityManager idmManager = getIdentityManager(partitionManager);
return BasicModel.getUser(idmManager, username);
}