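/**
   * Resolves secure-vault protected values in a configuration {@link Properties} set, in place.
   *
   * <p>Configuration files can carry sensitive values such as passwords. When a value has been
   * protected through the secure vault (its key is a protected token for the resolver built from
   * {@code properties}), the encrypted entry is replaced with the resolved plain value. Keys that
   * are not protected are left untouched. If no initialized resolver is available nothing is
   * resolved and a warning is logged.
   *
   * <p>Only the property key is ever logged; the resolved value must never appear in the log.
   *
   * @param properties the configuration to resolve; modified in place
   */
  private static void resolveSecrets(Properties properties) {
    SecretResolver secretResolver = SecretResolverFactory.create(properties);

    if (secretResolver == null || !secretResolver.isInitialized()) {
      log.warn(
          "Secret Resolver is not present. Will not resolve encryptions in "
              + Constants.TenantConstants.CONFIG_RELATIVE_PATH
              + " file");
      return;
    }

    // stringPropertyNames() is a snapshot, so replacing entries while iterating is safe; it also
    // removes the raw Enumeration and unchecked (String) cast of the previous version.
    for (String key : properties.stringPropertyNames()) {
      if (secretResolver.isTokenProtected(key)) {
        if (log.isDebugEnabled()) {
          log.debug("Resolving and replacing secret for " + key);
        }
        // Replace the encrypted entry with its resolved value (the value is never logged).
        properties.put(key, secretResolver.resolve(key));
      } else if (log.isDebugEnabled()) {
        log.debug("No encryption done for value with key :" + key);
      }
    }
  }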
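 /**
  * Resolves the secret registered under {@code alias} in the secure vault.
  *
  * <p>The {@link SecretResolver} is created lazily on first use and cached in the static
  * {@code secretResolver} field. The resolver is published into that field only after
  * {@code init(...)} has completed: if initialization throws, the field stays {@code null} and
  * the next call retries, instead of every later call resolving against a resolver that was
  * never initialized.
  *
  * @param alias the secure-vault alias of the secret
  * @return the resolved secret, as returned by {@link SecretResolver#resolve(String)}
  */
 public static synchronized String loadFromSecureVault(String alias) {
   if (secretResolver == null) {
     SecretResolver resolver = SecretResolverFactory.create((OMElement) null, false);
     resolver.init(
         DataServicesDSComponent.getSecretCallbackHandlerService().getSecretCallbackHandler());
     // Cache only a fully initialized resolver.
     secretResolver = resolver;
   }
   return secretResolver.resolve(alias);
 }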
 /**
  * Returns the plain password for a data service, resolving it through the secure vault when the
  * supplied value is a protected alias rather than a literal password.
  *
  * <p>The value is treated as a vault alias only if the data service's resolver reports it as a
  * protected token; any other value is returned unchanged. When the data service has no resolver
  * no resolution is attempted at all.
  *
  * @param dataService data service whose {@link SecretResolver} is consulted
  * @param password the configured value: a secure-vault alias or the literal password
  * @return the resolved password, or {@code password} itself when it is not a protected alias
  */
 public static String resolvePasswordValue(DataService dataService, String password) {
   SecretResolver resolver = dataService.getSecretResolver();
   boolean vaultProtected = resolver != null && resolver.isTokenProtected(password);
   return vaultProtected ? resolver.resolve(password) : password;
 }
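 /**
  * Resolves the secret registered under {@code alias} in the secure vault.
  *
  * <p>The {@link SecretResolver} is created lazily on first use and cached in the static
  * {@code secretResolver} field. The resolver is published into that field only after
  * {@code init(...)} has completed: if initialization throws, the field stays {@code null} and
  * the next call retries, instead of every later call resolving against a resolver that was
  * never initialized.
  *
  * @param alias the secure-vault alias of the secret
  * @return the resolved secret, as returned by {@link SecretResolver#resolve(String)}
  */
 private static synchronized String loadFromSecureVault(String alias) {
   if (secretResolver == null) {
     SecretResolver resolver = SecretResolverFactory.create((OMElement) null, false);
     resolver.init(
         RSSManagerDataHolder.getInstance()
             .getSecretCallbackHandlerService()
             .getSecretCallbackHandler());
     // Cache only a fully initialized resolver.
     secretResolver = resolver;
   }
   return secretResolver.resolve(alias);
 }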
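  /**
   * Loads the IaaS credential from the first {@code credential} child of {@code iaasElt}.
   *
   * <p>The credential is first looked up in the secure vault through the element's alias
   * attribute. Only if that yields nothing is the element's own text used as a plain-text
   * credential, with a warning, since a plain-text credential in the configuration is the weaker
   * setup. An element with no usable alias and blank text is treated as missing, so the
   * mandatory-element error is raised instead of silently accepting an empty credential. Extra
   * {@code credential} elements are ignored with a warning. The credential value is never logged.
   *
   * @param iaas provider whose credential is set
   * @param iaasElt provider element holding the {@code credential} child
   * @param xpath not referenced by this method; kept for the existing call signature
   */
  private void loadCredentials(
      final IaasProvider iaas, final OMElement iaasElt, final String xpath) {

    Iterator<?> it =
        iaasElt.getChildrenWithName(new QName(CloudControllerConstants.CREDENTIAL_ELEMENT));

    if (it.hasNext()) {
      OMElement credentialElt = (OMElement) it.next();

      // retrieve the value using secure vault
      SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);
      String alias =
          credentialElt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));

      // Consult the vault only when there is an alias to look up and the resolver knows it;
      // a missing alias attribute must not be handed to the resolver as a null token.
      if (secretResolver != null
          && secretResolver.isInitialized()
          && alias != null
          && secretResolver.isTokenProtected(alias)) {

        iaas.setCredential(secretResolver.resolve(alias));
      }

      // if we still cannot find a value, we try to assign the value which
      // is specified in the element, if any
      if (iaas.getCredential() == null) {
        log.warn(
            "Unable to find a value for "
                + CloudControllerConstants.CREDENTIAL_ELEMENT
                + " element from Secure Vault."
                + "Hence we will try to assign the plain text value (if specified).");
        String plainText = credentialElt.getText();
        // Blank element text counts as "not specified": leave the credential unset so the
        // mandatory-element check below fails instead of accepting an empty credential.
        if (plainText != null && !plainText.trim().isEmpty()) {
          iaas.setCredential(plainText);
        }
      }
    }

    if (it.hasNext()) {
      log.warn(
          xmlSource
              + " contains more than one "
              + CloudControllerConstants.CREDENTIAL_ELEMENT
              + " elements!"
              + " Elements other than the first will be neglected.");
    }

    if (iaas.getCredential() == null) {
      String msg =
          "Essential '"
              + CloudControllerConstants.CREDENTIAL_ELEMENT
              + "' element"
              + " has not specified in "
              + xmlSource;
      handleException(msg);
    }
  }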
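  /**
   * Resolves the secure-vault secret referenced by the alias attribute of {@code elt}.
   *
   * @param elt element whose {@code CloudControllerConstants.ALIAS_ATTRIBUTE} names the secret
   * @return the resolved secret, or {@code null} when the element has no alias attribute, the
   *     resolver could not be created or initialized, or the alias is not a protected token
   */
  private String resolveSecret(final OMElement elt) {
    // retrieve the value using secure vault
    SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);

    String alias = elt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));

    // A missing alias attribute is "nothing to resolve"; do not pass a null token to the resolver.
    if (secretResolver != null
        && secretResolver.isInitialized()
        && alias != null
        && secretResolver.isTokenProtected(alias)) {

      return secretResolver.resolve(alias);
    }

    return null;
  }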
 /**
  * Collects the {@code Property} child elements of {@code omElement} into a name/value map,
  * resolving secure-vault protected values when an initialized resolver is supplied.
  *
  * <p>For each property the resolver is asked, in this order, for the tokens
  * {@code UserManager.Configuration.Property.<name>} and {@code UserStoreManager.Property.<name>};
  * a protected token replaces the element text, and the second token wins when both are
  * protected. Names and values are trimmed before being stored.
  *
  * @param omElement parent element whose {@code Property} children are read
  * @param secretResolver resolver for vault-protected values, or {@code null} to skip resolution
  * @return map of trimmed property name to (possibly resolved) trimmed value
  */
 private Map<String, String> getChildPropertyElements(
     OMElement omElement, SecretResolver secretResolver) {
   Map<String, String> properties = new HashMap<String, String>();
   String[] tokenPrefixes = {
     "UserManager.Configuration.Property.", "UserStoreManager.Property."
   };

   Iterator<?> children =
       omElement.getChildrenWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PROPERTY));
   while (children.hasNext()) {
     OMElement property = (OMElement) children.next();
     String name =
         property.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_PROP_NAME));
     String value = property.getText();

     if (secretResolver != null && secretResolver.isInitialized()) {
       // Later prefixes override earlier ones, matching the original check order.
       for (String prefix : tokenPrefixes) {
         String token = prefix + name;
         if (secretResolver.isTokenProtected(token)) {
           value = secretResolver.resolve(token);
         }
       }
     }

     properties.put(name.trim(), value.trim());
   }
   return properties;
 }
  /**
   * Builds the chain of {@link RealmConfiguration}s described by a {@code Realm} element.
   *
   * <p>The first {@code UserStoreManager} child becomes the primary configuration (it alone
   * carries the AddAdmin flag, the admin password, the reserved role names and the self-sign-up
   * restricted domains); every later child is linked to its predecessor through
   * {@code setSecondaryRealmConfig}. A store without a {@code DomainName} property is skipped
   * with a warning (the primary gets a default domain first). All stores read here are marked
   * static so they cannot be edited at runtime.
   *
   * <p>The admin password is taken from the {@code Password} element as plain text unless the
   * token {@code UserManager.AdminUser.Password} is protected in the secure vault, in which case
   * the vault value replaces it. Realm and user-store properties are resolved through
   * {@code secretResolver} as well; AuthorizationManager properties are read without a resolver.
   *
   * @param realmElem the {@code Realm} element of user-mgt.xml
   * @param supperTenant {@code true} when building the super tenant's realm; mandatory elements
   *     (AddAdmin, TenantManager) are then enforced instead of defaulted
   * @return the primary configuration with secondaries chained behind it, or {@code null} when no
   *     {@code UserStoreManager} element exists
   * @throws UserStoreException when a mandatory super-tenant element is missing, or the admin
   *     user/role domain does not match the primary user store domain
   */
  public RealmConfiguration buildRealmConfiguration(OMElement realmElem, boolean supperTenant)
      throws UserStoreException {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String addAdmin = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    String description = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    boolean passwordsExternallyManaged = false;

    realmClass =
        (String)
            realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));

    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    // Realm-level properties may be vault-protected; the JDBC URL is rewritten afterwards.
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);

    // AddAdmin is mandatory for the super tenant; other tenants default to "true".
    if (mainConfig.getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            != null
        && !mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            .getText()
            .trim()
            .equals("")) {
      addAdmin =
          mainConfig
              .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
              .getText()
              .trim();
    } else {
      if (supperTenant) {
        log.error(
            "AddAdmin configuration not found or invalid in user-mgt.xml. Cannot start server!");
        throw new UserStoreException(
            "AddAdmin configuration not found or invalid user-mgt.xml. Cannot start server!");
      } else {
        log.debug("AddAdmin configuration not found");
        addAdmin = "true";
      }
    }

    OMElement reservedRolesElm =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_RESERVED_ROLE_NAMES));

    String[] reservedRoles = new String[0];

    // Reserved roles are comma-separated; a list without commas is split on ';' instead.
    if (reservedRolesElm != null && !reservedRolesElm.getText().trim().equals("")) {
      String rolesStr = reservedRolesElm.getText().trim();

      if (rolesStr.contains(",")) {
        reservedRoles = rolesStr.split(",");
      } else {
        reservedRoles = rolesStr.split(";");
      }
    }

    OMElement restrictedDomainsElm =
        mainConfig.getFirstChildWithName(
            new QName(
                UserCoreConstants.RealmConfig.LOCAL_NAME_RESTRICTED_DOMAINS_FOR_SELF_SIGN_UP));

    String[] restrictedDomains = new String[0];

    // Same separator rule as the reserved roles.
    if (restrictedDomainsElm != null && !restrictedDomainsElm.getText().trim().equals("")) {
      String domain = restrictedDomainsElm.getText().trim();

      if (domain.contains(",")) {
        restrictedDomains = domain.split(",");
      } else {
        restrictedDomains = domain.split(";");
      }
    }

    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText()
            .trim();
    // Plain-text password from the XML, used only when the vault alias below is not protected.
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText()
            .trim();
    // Secure-vault override: the fixed token name, not the element text, is the alias.
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
      adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText()
            .trim();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText()
            .trim();

    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig
            .getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS))
            .trim();
    // No resolver here: vault-protected AuthorizationManager properties are not resolved.
    authzProperties = getChildPropertyElements(authzConfig, null);

    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));

    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;

    // One RealmConfiguration per UserStoreManager element; the first is the primary.
    for (; iterator.hasNext(); ) {
      OMElement usaConfig = iterator.next();
      userStoreClass =
          usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
      if (usaConfig.getFirstChildWithName(
              new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
          != null) {
        description =
            usaConfig
                .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
                .getText()
                .trim();
      }
      userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);

      String sIsPasswordExternallyManaged =
          userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);

      Map<String, String> multipleCredentialsProperties =
          getMultipleCredentialsProperties(usaConfig);

      // Note: the flag is a method-level variable, so a value set by an earlier store is kept for
      // later stores that do not specify it.
      if (null != sIsPasswordExternallyManaged && !sIsPasswordExternallyManaged.trim().equals("")) {
        passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("External password management is disabled.");
        }
      }

      realmConfig = new RealmConfiguration();
      realmConfig.setRealmClassName(realmClass);
      realmConfig.setUserStoreClass(userStoreClass);
      realmConfig.setDescription(description);
      realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
      if (primaryConfig == null) {
        // Primary-only settings: AddAdmin, admin password, reserved roles, restricted domains.
        realmConfig.setPrimary(true);
        realmConfig.setAddAdmin(addAdmin);
        realmConfig.setAdminPassword(adminPassword);

        // if domain name not provided, add default primary domain name
        String domain = userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        if (domain == null) {
          userStoreProperties.put(
              UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME,
              UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME);
        }

        for (int i = 0; i < reservedRoles.length; i++) {
          realmConfig.addReservedRoleName(reservedRoles[i].trim().toUpperCase());
        }

        for (int i = 0; i < restrictedDomains.length; i++) {
          realmConfig.addRestrictedDomainForSelfSignUp(restrictedDomains[i].trim().toUpperCase());
        }

        if (supperTenant
            && userStoreProperties.get(UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER)
                == null) {
          log.error(
              "Required property '"
                  + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                  + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
          throw new UserStoreException(
              "Required property '"
                  + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                  + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
        }
      }

      // If the domain name still empty
      String domain = userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
      if (domain == null) {
        log.warn(
            "Required property "
                + UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME
                + " missing in secondary user store. Skip adding the user store.");
        continue;
      }
      // Making user stores added using user-mgt.xml non-editable(static) at runtime
      userStoreProperties.put(UserCoreConstants.RealmConfig.STATIC_USER_STORE, "true");

      realmConfig.setEveryOneRoleName(
          UserCoreConstants.INTERNAL_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + everyOneRoleName);
      realmConfig.setAdminRoleName(adminRoleName);
      realmConfig.setAdminUserName(adminUserName);
      realmConfig.setUserStoreProperties(userStoreProperties);
      realmConfig.setAuthzProperties(authzProperties);
      realmConfig.setRealmProperties(realmProperties);
      realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
      realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
      }

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
      }

      // Chain: each store becomes the secondary of the one built before it.
      if (primaryConfig == null) {
        primaryConfig = realmConfig;
      } else {
        tmpConfig.setSecondaryRealmConfig(realmConfig);
      }

      tmpConfig = realmConfig;
    }
    if (primaryConfig != null && primaryConfig.isPrimary()) {
      // Check if Admin user name has been provided with domain
      String primaryDomainName =
          primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
      String readOnly =
          primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY);
      Boolean isReadOnly = false;
      if (readOnly != null) {
        isReadOnly = Boolean.parseBoolean(readOnly);
      }
      if (primaryDomainName != null && primaryDomainName.trim().length() > 0) {
        if (adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
          // Using the short-circuit. User name comes with the domain name.
          String adminUserDomain =
              adminUserName.substring(0, adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));
          // A domain-qualified admin user must live in the primary store.
          if (!primaryDomainName.equalsIgnoreCase(adminUserDomain)) {
            throw new UserStoreException(
                "Admin User domain does not match primary user store domain.");
          }
        } else {
          primaryConfig.setAdminUserName(
              UserCoreUtil.addDomainToName(adminUserName, primaryDomainName));
        }
        if (adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
          // Using the short-circuit. User name comes with the domain name.
          String adminRoleDomain =
              adminRoleName.substring(0, adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));

          // && binds tighter than ||: reject a role domain other than the primary, and also a
          // role in the primary domain when that store is read-only and is not the Internal domain.
          if ((!primaryDomainName.equalsIgnoreCase(adminRoleDomain))
              || (isReadOnly)
                  && (!primaryDomainName.equalsIgnoreCase(UserCoreConstants.INTERNAL_DOMAIN))) {
            throw new UserStoreException(
                "Admin Role domain does not match primary user store domain.");
          }
        }
      }

      // This will be overridden inside the UserStoreManager constructor.
      primaryConfig.setAdminRoleName(
          UserCoreUtil.addDomainToName(adminRoleName, primaryDomainName));
    }
    return primaryConfig;
  }
  /**
   * Builds the chain of {@link RealmConfiguration}s for a {@code Realm} element without the
   * super-tenant validation performed by the two-argument overload: AddAdmin, reserved roles,
   * restricted self-sign-up domains, the TenantManager requirement and the admin domain checks
   * are not applied, and element text is not trimmed.
   *
   * <p>The admin password comes from the {@code Password} element as plain text unless the token
   * {@code UserManager.AdminUser.Password} is protected in the secure vault. NOTE(review): unlike
   * the two-argument overload, the admin user name, admin role and admin password are copied into
   * every user-store configuration in the chain, not only the primary one.
   *
   * @param realmElem the {@code Realm} element to read
   * @return the primary configuration with secondaries chained behind it, or {@code null} when no
   *     {@code UserStoreManager} element exists
   */
  public RealmConfiguration buildRealmConfiguration(OMElement realmElem) {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    boolean passwordsExternallyManaged = false;

    realmClass =
        (String)
            realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));

    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    // Realm-level properties may be vault-protected; the JDBC URL is rewritten afterwards.
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);

    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText();
    // Plain-text password from the XML, used only when the vault alias below is not protected.
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText();
    // Secure-vault override: the fixed token name, not the element text, is the alias.
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
      adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText();

    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
    // No resolver here: vault-protected AuthorizationManager properties are not resolved.
    authzProperties = getChildPropertyElements(authzConfig, null);

    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));

    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;

    // One RealmConfiguration per UserStoreManager element; the first is the primary.
    for (; iterator.hasNext(); ) {
      OMElement usaConfig = iterator.next();
      userStoreClass =
          usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
      userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);

      String sIsPasswordExternallyManaged =
          userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);

      Map<String, String> multipleCredentialsProperties =
          getMultipleCredentialsProperties(usaConfig);

      // Note: the flag is a method-level variable, so a value set by an earlier store is kept for
      // later stores that do not specify it.
      if (null != sIsPasswordExternallyManaged && !sIsPasswordExternallyManaged.trim().equals("")) {
        passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("External password management is disabled.");
        }
      }

      realmConfig = new RealmConfiguration();
      realmConfig.setRealmClassName(realmClass);
      realmConfig.setUserStoreClass(userStoreClass);
      realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
      realmConfig.setAdminRoleName(adminRoleName);
      realmConfig.setAdminUserName(adminUserName);
      // Set on every store in the chain, not only the primary.
      realmConfig.setAdminPassword(adminPassword);
      realmConfig.setEveryOneRoleName(everyOneRoleName);
      realmConfig.setUserStoreProperties(userStoreProperties);
      realmConfig.setAuthzProperties(authzProperties);
      realmConfig.setRealmProperties(realmProperties);
      realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
      realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
      }

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
      }

      // Chain: each store becomes the secondary of the one built before it.
      if (primaryConfig == null) {
        primaryConfig = realmConfig;
      } else {
        tmpConfig.setSecondaryRealmConfig(realmConfig);
      }

      tmpConfig = realmConfig;
    }

    return primaryConfig;
  }