@Override public String getConsolidatorToken(PerunSession sess) throws PerunException { Map<String, Object> value = new HashMap<String, Object>(); String actor = sess.getPerunPrincipal().getActor(); String extSourceName = sess.getPerunPrincipal().getExtSourceName(); String extSourceType = sess.getPerunPrincipal().getExtSourceType(); Integer extSourceLoa = sess.getPerunPrincipal().getExtSourceLoa(); User user = sess.getPerunPrincipal().getUser(); value.put("actor", actor); value.put("extSourceName", extSourceName); value.put("extSourceType", extSourceType); value.put("extSourceLoa", extSourceLoa); value.put("user", user); // create token from actual properties String token = registrarManager .getMailManager() .getMessageAuthenticationCode( System.currentTimeMillis() + actor + extSourceName + extSourceType + extSourceLoa); requestCache.putIfAbsent(token, value); return token; }
public Member addMember( PerunSession sess, Group group, Member member, MembershipType type, int sourceGroupId) throws InternalErrorException, AlreadyMemberException, WrongAttributeValueException, WrongReferenceAttributeValueException { // TODO already member exception member.setMembershipType(type); try { jdbc.update( "insert into groups_members (group_id, member_id, created_by, created_at, modified_by, modified_at, created_by_uid, modified_by_uid, membership_type, source_group_id) " + "values (?,?,?," + Compatibility.getSysdate() + ",?," + Compatibility.getSysdate() + ",?,?,?,?)", group.getId(), member.getId(), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getUserId(), sess.getPerunPrincipal().getUserId(), type.getCode(), sourceGroupId); } catch (RuntimeException ex) { throw new InternalErrorException(ex); } return member; }
/** * Retrieves whole application object from DB (authz in parent methods) * * @param sess PerunSession for Authz and to resolve User * @param vo VO to get application for * @param group Group * @return application object / null if not exists */ private Application getLatestApplication( PerunSession sess, Vo vo, Group group, Application.AppType type) { try { if (sess.getPerunPrincipal().getUser() != null) { if (group != null) { return jdbc.queryForObject( RegistrarManagerImpl.APP_SELECT + " where a.id=(select max(id) from application where vo_id=? and group_id=? and apptype=? and user_id=? )", RegistrarManagerImpl.APP_MAPPER, vo.getId(), group.getId(), String.valueOf(type), sess.getPerunPrincipal().getUserId()); } else { return jdbc.queryForObject( RegistrarManagerImpl.APP_SELECT + " where a.id=(select max(id) from application where vo_id=? and apptype=? and user_id=? )", RegistrarManagerImpl.APP_MAPPER, vo.getId(), String.valueOf(type), sess.getPerunPrincipal().getUserId()); } } else { if (group != null) { return jdbc.queryForObject( RegistrarManagerImpl.APP_SELECT + " where a.id=(select max(id) from application where vo_id=? and group_id=? and apptype=? and created_by=? and extsourcename=? )", RegistrarManagerImpl.APP_MAPPER, vo.getId(), group.getId(), String.valueOf(type), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getExtSourceName()); } else { return jdbc.queryForObject( RegistrarManagerImpl.APP_SELECT + " where a.id=(select max(id) from application where vo_id=? and apptype=? and created_by=? and extsourcename=? )", RegistrarManagerImpl.APP_MAPPER, vo.getId(), String.valueOf(type), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getExtSourceName()); } } } catch (EmptyResultDataAccessException ex) { return null; } }
public int deletePublicationById(PerunSession sess, Integer id) throws CabinetException { Publication pub = findPublicationById(id); if (pub == null) throw new CabinetException(ErrorCodes.PUBLICATION_NOT_EXISTS); // To delete publication user must be either PERUNADMIN // or user who created record (publication.createdBy==actor property) try { if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN) && !pub.getCreatedBy().equalsIgnoreCase(sess.getPerunPrincipal().getActor()) && !pub.getCreatedByUid().equals(sess.getPerunPrincipal().getUserId())) { // not perun admin or author of record throw new CabinetException( "You are not allowed to delete publications you didn't created.", ErrorCodes.NOT_AUTHORIZED); } } catch (PerunException pe) { throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, pe); } // delete action try { // delete authors for (Authorship a : authorshipService.findAuthorshipsByPublicationId(id)) { authorshipService.deleteAuthorshipById(sess, a.getId()); } // delete thanks for (Thanks t : thanksService.findThanksByPublicationId(id)) { thanksService.deleteThanksById(sess, t.getId()); } // delete publication if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) { // only perun admin can actually delete publication return publicationDao.deletePublicationById(id); } else { return 1; // for others return as OK - perunadmin then deletes pubs manually } } catch (DataIntegrityViolationException ex) { throw new CabinetException( "Can't delete publication with authors or thanks. Please remove them first in order to delete publication.", ErrorCodes.PUBLICATION_HAS_AUTHORS_OR_THANKS); } catch (PerunException ex) { throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex); } }
public Group updateGroupName(PerunSession sess, Group group) throws InternalErrorException { Utils.notNull(group.getName(), "group.getName()"); // Get the group stored in the DB Group dbGroup; try { dbGroup = this.getGroupById(sess, group.getId()); } catch (GroupNotExistsException e) { throw new InternalErrorException("Group existence was checked at the higher level", e); } if (!dbGroup.getName().equals(group.getName())) { dbGroup.setName(group.getName()); try { jdbc.update( "update groups set name=?,modified_by=?, modified_by_uid=?, modified_at=" + Compatibility.getSysdate() + " where id=?", dbGroup.getName(), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getUserId(), dbGroup.getId()); } catch (RuntimeException e) { throw new InternalErrorException(e); } } return dbGroup; }
@Before public void setUpSession() throws Exception { session = perun.getPerunSession( new PerunPrincipal( "perunTests", ExtSourcesManager.EXTSOURCE_INTERNAL, ExtSourcesManager.EXTSOURCE_INTERNAL)); user1 = setUpUser1(); setUpBackground(); session.getPerunPrincipal().setUser(user1); }
public List<Vo> getVos(PerunSession sess) throws InternalErrorException, PrivilegeException { Utils.notNull(sess, "sess"); // Perun admin can see everything if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) { return vosManagerBl.getVos(sess); } else { if (sess.getPerunPrincipal().getRoles().hasRole(Role.VOADMIN) || sess.getPerunPrincipal().getRoles().hasRole(Role.GROUPADMIN)) { Set<Vo> vos = new HashSet<Vo>(); // Get Vos where user is VO Admin for (PerunBean vo : AuthzResolver.getComplementaryObjectsForRole(sess, Role.VOADMIN, Vo.class)) { vos.add((Vo) vo); } // Get Vos where user has an group admin right on some of the group for (PerunBean group : AuthzResolver.getComplementaryObjectsForRole(sess, Role.GROUPADMIN, Group.class)) { try { vos.add(vosManagerBl.getVoById(sess, ((Group) group).getVoId())); } catch (VoNotExistsException e) { throw new ConsistencyErrorException( "User has group admin role for group from non-existent VO id:" + ((Group) group).getVoId(), e); } } return new ArrayList<Vo>(vos); } else { throw new PrivilegeException(sess, "getVos"); } } }
/** All new members will be given role VOOBSERVER and TOPGROUPCREATOR */ @Override public Application approveApplication(PerunSession session, Application app) throws PerunException { if (Application.AppType.INITIAL.equals(app.getType())) { Vo vo = app.getVo(); User user = app.getUser(); AuthzResolver.setRole(session, user, vo, Role.TOPGROUPCREATOR); Group membersGroup = session.getPerun().getGroupsManager().getGroupByName(session, vo, "members"); AuthzResolver.setRole(session, user, membersGroup, Role.GROUPADMIN); } return app; }
public int createPublication(PerunSession sess, Publication p) throws CabinetException { if (p.getCreatedDate() == null) p.setCreatedDate(new Date()); if (p.getLocked() == null) { p.setLocked(false); } if (p.getCreatedByUid() == null && sess != null) { p.setCreatedByUid(sess.getPerunPrincipal().getUserId()); } if (p.getExternalId() == 0 && p.getPublicationSystemId() == 0) { // check existence if (publicationExists(p)) { throw new CabinetException( "Cannot create duplicate publication: " + p, ErrorCodes.PUBLICATION_ALREADY_EXISTS); } // get internal pub. system PublicationSystem filter = new PublicationSystem(); filter.setFriendlyName("INTERNAL"); List<PublicationSystem> list = publicationSystemService.findPublicationSystemsByFilter(filter); if (list == null || list.isEmpty()) { throw new CabinetException( "Can't create publication, internal publication system is missing"); } // There is only one internal system so, get(0) is safe p.setPublicationSystemId(list.get(0).getId()); // stripLongParams(p); // create internal return publicationDao.createInternalPublication(sess, p); } else { if (publicationExists(p)) throw new CabinetException( "Cannot create duplicate publication: " + p, ErrorCodes.PUBLICATION_ALREADY_EXISTS); stripLongParams(p); return publicationDao.createPublication(sess, p); } }
@Override public List<Identity> checkForSimilarUsers( PerunSession sess, List<ApplicationFormItemData> formItems) throws PerunException { if (sess.getPerunPrincipal().getUser() != null || formItems == null) { return new ArrayList<Identity>(); } Set<RichUser> res = new HashSet<RichUser>(); List<String> attrNames = new ArrayList<String>(); attrNames.add("urn:perun:user:attribute-def:def:preferredMail"); attrNames.add("urn:perun:user:attribute-def:def:organization"); for (ApplicationFormItemData item : formItems) { String value = item.getValue(); if (item.getFormItem().getType().equals(ApplicationFormItem.Type.VALIDATED_EMAIL)) { // search by email if (value != null && !value.isEmpty()) res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, value, attrNames)); } if (Objects.equals( item.getFormItem().getPerunDestinationAttribute(), "urn:perun:user:attribute-def:core:displayName")) { // search by name if (value != null && !value.isEmpty()) res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, value, attrNames)); } } return convertToIdentities(new ArrayList<RichUser>(res)); }
public Group createGroup(PerunSession sess, Vo vo, Group group) throws GroupExistsException, InternalErrorException { Utils.notNull(group, "group"); Utils.notNull(group.getName(), "group.getName()"); // Check if the group already exists if (group.getParentGroupId() == null) { if (1 == jdbc.queryForInt( "select count('x') from groups where lower(name)=lower(?) and vo_id=? and parent_group_id IS NULL", group.getName(), vo.getId())) { throw new GroupExistsException( "Group [" + group.getName() + "] already exists under VO [" + vo.getShortName() + "] and has parent Group with id is [NULL]"); } } else { if (1 == jdbc.queryForInt( "select count('x') from groups where lower(name)=lower(?) and vo_id=? and parent_group_id=?", group.getName(), vo.getId(), group.getParentGroupId())) { throw new GroupExistsException( "Group [" + group.getName() + "] already exists under VO [" + vo.getShortName() + "] and has parent Group with id [" + group.getParentGroupId() + "]"); } } // Check the group name, it can contain only a-Z0-9_- and space if (!group.getShortName().matches("^[- a-zA-Z.0-9_]+$")) { throw new InternalErrorException( new IllegalArgumentException( "Wrong group name, group name can contain only a-Z0-9.-_: and space characters. " + group)); } try { // Store the group into the DB int newId = Utils.getNewId(jdbc, "groups_id_seq"); jdbc.update( "insert into groups (id, parent_group_id, name, dsc, vo_id, created_by,created_at,modified_by,modified_at,created_by_uid,modified_by_uid) " + "values (?,?,?,?,?,?," + Compatibility.getSysdate() + ",?," + Compatibility.getSysdate() + ",?,?)", newId, group.getParentGroupId(), group.getName(), group.getDescription(), vo.getId(), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getUserId(), sess.getPerunPrincipal().getUserId()); group.setId(newId); group.setVoId(vo.getId()); return group; } catch (RuntimeException err) { throw new InternalErrorException(err); } }
@Override public List<Identity> checkForSimilarUsers(PerunSession sess) throws PerunException { // if user known, doesn't actually search and offer joining. if (sess.getPerunPrincipal().getUser() != null) { return new ArrayList<Identity>(); } // if user known, doesn't actually search and offer joining. try { perun .getUsersManager() .getUserByExtSourceNameAndExtLogin( registrarSession, sess.getPerunPrincipal().getExtSourceName(), sess.getPerunPrincipal().getActor()); return new ArrayList<Identity>(); } catch (Exception ex) { // we don't care, that search failed. That is actually OK case. } String name = ""; String mail = ""; Set<RichUser> res = new HashSet<RichUser>(); List<String> attrNames = new ArrayList<String>(); attrNames.add("urn:perun:user:attribute-def:def:preferredMail"); attrNames.add("urn:perun:user:attribute-def:def:organization"); mail = sess.getPerunPrincipal().getAdditionalInformations().get("mail"); if (mail != null) { if (mail.contains(";")) { String mailSearch[] = mail.split(";"); for (String m : mailSearch) { if (m != null && !m.isEmpty()) res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, m, attrNames)); } } else { res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, mail, attrNames)); } } // check by mail is more precise, so check by name only if nothing is found. if (res.isEmpty()) { name = sess.getPerunPrincipal().getAdditionalInformations().get("cn"); if (name != null && !name.isEmpty()) res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)); name = sess.getPerunPrincipal().getAdditionalInformations().get("displayName"); if (name != null && !name.isEmpty()) res.addAll( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)); } return convertToIdentities(new ArrayList<RichUser>(res)); }
@Override public List<UserExtSource> consolidateIdentityUsingToken(PerunSession sess, String token) throws PerunException { Map<String, Object> originalIdentity = requestCache.get(token); if (originalIdentity == null) { throw new InvalidTokenException( "Your token for joining identities is no longer valid. Please retry from the start."); } User originalUser = (User) originalIdentity.get("user"); User currentUser = sess.getPerunPrincipal().getUser(); if (originalUser == null && currentUser == null) { IdentityUnknownException ex = new IdentityUnknownException( "Neither original or current identity is know to Perun. Please use at least one identity known to Perun."); ex.setLogin((String) originalIdentity.get("actor")); ex.setSource2((String) originalIdentity.get("extSourceName")); ex.setSourceType2((String) originalIdentity.get("extSourceType")); ex.setLogin2(sess.getPerunPrincipal().getActor()); ex.setSource2(sess.getPerunPrincipal().getExtSourceName()); ex.setSourceType2(sess.getPerunPrincipal().getExtSourceType()); throw ex; } if (originalIdentity.get("extSourceName").equals(sess.getPerunPrincipal().getExtSourceName()) && originalIdentity.get("actor").equals(sess.getPerunPrincipal().getActor()) && originalIdentity .get("extSourceType") .equals(sess.getPerunPrincipal().getExtSourceType())) { IdentityIsSameException ex = new IdentityIsSameException( "You tried to join same identity with itself. Please try again but select different identity."); ex.setLogin(sess.getPerunPrincipal().getActor()); ex.setSource(sess.getPerunPrincipal().getExtSourceName()); ex.setSourceType(sess.getPerunPrincipal().getExtSourceType()); throw ex; } if (originalUser != null && currentUser != null && originalUser.equals(currentUser)) { throw new IdentitiesAlreadyJoinedException("You already have both identities joined."); } if (originalUser != null && currentUser != null && !originalUser.equals(currentUser)) { throw new IdentityAlreadyInUseException( "Your identity is already associated with a different user. If you are really the same person, please contact support to help you.", originalUser, currentUser); } // merge original identity into current user if (originalUser == null) { createExtSourceAndUserExtSource( currentUser, (String) originalIdentity.get("actor"), (String) originalIdentity.get("extSourceName"), (String) originalIdentity.get("extSourceType"), (Integer) originalIdentity.get("extSourceLoa")); } // merge current identity into original user if (currentUser == null) { createExtSourceAndUserExtSource( originalUser, sess.getPerunPrincipal().getActor(), sess.getPerunPrincipal().getExtSourceName(), sess.getPerunPrincipal().getExtSourceType(), sess.getPerunPrincipal().getExtSourceLoa()); } AuthzResolverBlImpl.refreshSession(sess); requestCache.remove(token); return perun.getUsersManager().getUserExtSources(sess, sess.getPerunPrincipal().getUser()); }
@Override public List<Identity> checkForSimilarUsers(PerunSession sess, int appId) throws PerunException { String email = ""; String name = ""; List<RichUser> result = new ArrayList<RichUser>(); List<String> attrNames = new ArrayList<String>(); attrNames.add("urn:perun:user:attribute-def:def:preferredMail"); attrNames.add("urn:perun:user:attribute-def:def:organization"); Application app = registrarManager.getApplicationById(registrarSession, appId); if (app.getGroup() == null) { if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())) { if (sess.getPerunPrincipal().getUser() != null) { // check if application to find similar users by belongs to user if (!sess.getPerunPrincipal().getUser().equals(app.getUser())) throw new PrivilegeException("checkForSimilarUsers"); } else { if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName()) && !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy())) throw new PrivilegeException("checkForSimilarUsers"); } } } else { if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo()) && !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN, app.getGroup())) { if (sess.getPerunPrincipal().getUser() != null) { // check if application to find similar users by belongs to user if (!sess.getPerunPrincipal().getUser().equals(app.getUser())) throw new PrivilegeException("checkForSimilarUsers"); } else { if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName()) && !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy())) throw new PrivilegeException("checkForSimilarUsers"); } } } // only for initial VO applications if user==null if (app.getType().equals(Application.AppType.INITIAL) && app.getGroup() == null && app.getUser() == null) { try { User u = perun .getUsersManager() .getUserByExtSourceNameAndExtLogin( registrarSession, app.getExtSourceName(), app.getCreatedBy()); if (u != null) { // user connected his identity after app creation and before it's approval. // do not show error message in GUI by returning an empty array. return convertToIdentities(result); } } catch (Exception ex) { // we don't care, let's try to search by name } List<ApplicationFormItemData> data = registrarManager.getApplicationDataById(sess, appId); // search by email, which should be unique (check is more precise) for (ApplicationFormItemData item : data) { if ("urn:perun:user:attribute-def:def:preferredMail" .equals(item.getFormItem().getPerunDestinationAttribute())) { email = item.getValue(); } if (email != null && !email.isEmpty()) break; } List<RichUser> users = (email != null && !email.isEmpty()) ? perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames) : new ArrayList<RichUser>(); if (users != null && !users.isEmpty()) { // found by preferredMail return convertToIdentities(users); } // search by different mail email = ""; // clear previous value for (ApplicationFormItemData item : data) { if ("urn:perun:member:attribute-def:def:mail" .equals(item.getFormItem().getPerunDestinationAttribute())) { email = item.getValue(); } if (email != null && !email.isEmpty()) break; } users = (email != null && !email.isEmpty()) ? perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames) : new ArrayList<RichUser>(); if (users != null && !users.isEmpty()) { // found by member mail return convertToIdentities(users); } // continue to search by display name for (ApplicationFormItemData item : data) { if (RegistrarManagerImpl.URN_USER_DISPLAY_NAME.equals( item.getFormItem().getPerunDestinationAttribute())) { name = item.getValue(); // use parsed name to drop mistakes on IDP side try { if (name != null && !name.isEmpty()) { Map<String, String> nameMap = Utils.parseCommonName(name); // drop name titles to spread search String newName = ""; if (nameMap.get("firstName") != null && !nameMap.get("firstName").isEmpty()) { newName += nameMap.get("firstName") + " "; } if (nameMap.get("lastName") != null && !nameMap.get("lastName").isEmpty()) { newName += nameMap.get("lastName"); } // fill parsed name instead of input if (newName != null && !newName.isEmpty()) { name = newName; } } } catch (Exception ex) { log.error( "[REGISTRAR] Unable to parse new user's display/common name when searching for similar users. Exception: {}", ex); } if (name != null && !name.isEmpty()) break; } } users = (name != null && !name.isEmpty()) ? perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames) : new ArrayList<RichUser>(); if (users != null && !users.isEmpty()) { // found by member display name return convertToIdentities(users); } // continue to search by last name name = ""; // clear previous value for (ApplicationFormItemData item : data) { if (RegistrarManagerImpl.URN_USER_LAST_NAME.equals( item.getFormItem().getPerunDestinationAttribute())) { name = item.getValue(); if (name != null && !name.isEmpty()) break; } } if (name != null && !name.isEmpty()) { // what was found by name return convertToIdentities( perun .getUsersManager() .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)); } else { // not found by name return convertToIdentities(result); } } else { // not found, since not proper type of application to check users for return convertToIdentities(result); } }