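/**
 * Validates a request to add {@code member} to the group {@code groupId}.
 *
 * <p>Checks, in order: required identifiers are present, the group is not being added to
 * itself, both resources exist, both live in the same zone, and that zone is the caller's
 * current zone.
 *
 * @param groupId id of the group receiving the member
 * @param member the member (user or group) to add; its type selects which store is consulted
 * @throws InvalidScimResourceException if a required field is missing or the group would be
 *     nested directly within itself
 * @throws ScimResourceConstraintFailedException if group and member are in different zones, or
 *     that zone is not the caller's current zone
 */
private void validateRequest(String groupId, ScimGroupMember member) {
    // A null member would otherwise surface as an NPE instead of a validation error.
    if (member == null
        || !StringUtils.hasText(groupId)
        || !StringUtils.hasText(member.getMemberId())
        || !StringUtils.hasText(member.getOrigin())) {
      throw new InvalidScimResourceException(
          "group-id, member-id, origin and member-type must be non-empty");
    }
    // NOTE(review): the message above mentions member-type, but getType() is not checked here;
    // a null type falls into the user branch below. Confirm callers always set it.

    // Only direct self-membership is rejected; longer cycles (A -> B -> A) are not detected by
    // this check.
    if (groupId.equals(member.getMemberId())) {
      throw new InvalidScimResourceException("trying to nest group within itself, aborting");
    }

    // Existence checks: retrieve() throws a ScimException when the resource does not exist.
    ScimGroup group = groupProvisioning.retrieve(groupId);
    String memberZoneId;
    if (member.getType() == ScimGroupMember.Type.GROUP) {
      memberZoneId = groupProvisioning.retrieve(member.getMemberId()).getZoneId();
    } else {
      memberZoneId = userProvisioning.retrieve(member.getMemberId()).getZoneId();
    }

    // Tenant isolation: refuse cross-zone membership, and refuse changes made from the context
    // of a different zone than the one the resources belong to.
    if (!memberZoneId.equals(group.getZoneId())) {
      throw new ScimResourceConstraintFailedException(
          "The zone of the group and the member must be the same.");
    }
    if (!memberZoneId.equals(IdentityZoneHolder.get().getId())) {
      throw new ScimResourceConstraintFailedException(
          "Unable to make membership changes in a different zone");
    }
  }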
 /**
  * Reports whether {@code groupId} identifies one of the default user groups of the current zone.
  *
  * @param groupId group id to look up
  * @return {@code true} if a default group of the current zone has exactly this id
  */
 public boolean isDefaultGroup(String groupId) {
   return getDefaultUserGroups(IdentityZoneHolder.get()).stream()
       .anyMatch(defaultGroup -> defaultGroup.getId().equals(groupId));
 }
 /**
  * Collects the display names of the given groups, in the set's iteration order.
  *
  * @param groups groups to read names from; {@code null} is treated as empty
  * @return one display name per group, or an empty array
  */
 private String[] getGroupNames(Set<ScimGroup> groups) {
   if (groups == null || groups.isEmpty()) {
     return new String[0];
   }
   return groups.stream().map(ScimGroup::getDisplayName).toArray(String[]::new);
 }
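  /**
   * Asserts that user {@code id} belongs to exactly the expected groups.
   *
   * <p>Direct memberships must match {@code gNm} plus the implicit {@code uaa.user} group;
   * groups reached only transitively are expected under their display name suffixed with
   * {@code .i}.
   *
   * @param id user id to check
   * @param gNm expected group display names (may be empty)
   */
  private void validateUserGroups(String id, String... gNm) {
    Set<ScimGroup> directGroups = dao.getGroupsWithMember(id, false);
    assertNotNull(directGroups);
    Set<ScimGroup> indirectGroups = dao.getGroupsWithMember(id, true);
    // Check for null before dereferencing, otherwise a null result shows up as an NPE.
    assertNotNull(indirectGroups);
    indirectGroups.removeAll(directGroups);

    // Always a mutable set: an immutable Collections.emptySet() would throw on the add() below
    // whenever no names are supplied.
    Set<String> expectedAuthorities = new HashSet<>();
    if (gNm != null) {
      expectedAuthorities.addAll(Arrays.asList(gNm));
    }
    expectedAuthorities.add("uaa.user");

    assertEquals(expectedAuthorities.size(), directGroups.size() + indirectGroups.size());
    for (ScimGroup group : directGroups) {
      assertTrue(expectedAuthorities.contains(group.getDisplayName()));
    }
    for (ScimGroup group : indirectGroups) {
      assertTrue(expectedAuthorities.contains(group.getDisplayName() + ".i"));
    }
  }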
  /**
   * Records that {@code externalGroup} maps onto the UAA group {@code groupId}.
   *
   * <p>Adding a mapping that already exists is not an error: the duplicate is logged and the
   * stored row is returned. {@code MemberAlreadyExistsException} stays in the signature for
   * callers but is not thrown by this implementation.
   *
   * @param groupId id of the UAA group
   * @param externalGroup name of the external group
   * @return the mapping as stored
   * @throws ScimResourceNotFoundException if the group cannot be found
   */
  @Override
  public ScimGroupExternalMember mapExternalGroup(final String groupId, final String externalGroup)
      throws ScimResourceNotFoundException, MemberAlreadyExistsException {
    final ScimGroup group = scimGroupProvisioning.retrieve(groupId);
    if (group == null) {
      throw new ScimResourceNotFoundException("Group does not exist");
    }
    // NOTE(review): no explicit zone check in this method; it relies on retrieve() being
    // zone-scoped — confirm.
    try {
      // Parameterized statement: both identifiers are bound, never concatenated into the SQL.
      jdbcTemplate.update(
          ADD_EXTERNAL_GROUP_MAPPING_SQL,
          ps -> {
            ps.setString(1, groupId);
            ps.setString(2, externalGroup);
            ps.setTimestamp(3, new Timestamp(System.currentTimeMillis()));
          });
    } catch (DuplicateKeyException duplicate) {
      // Idempotent: an existing mapping is left in place. externalGroup is caller-supplied and
      // is written to the log verbatim.
      logger.info(
          "The mapping between group "
              + group.getDisplayName()
              + " and external group "
              + externalGroup
              + " already exists");
    }
    return getExternalGroupMap(groupId, externalGroup);
  }
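  /**
   * End-to-end approval flow: a user authorizes an app for a subset of scopes, adds further
   * approvals from the profile page, then revokes the app entirely.
   *
   * <p>Setup rewrites the description of the {@code cloud_controller.read} group (sending the
   * group's version as {@code If-Match}) so the consent page shows a recognizable label for it.
   */
  @Test
  public void testApprovingAnApp() throws Exception {
    ResponseEntity<SearchResults<ScimGroup>> getGroups =
        restTemplate.exchange(
            baseUrl + "/Groups?filter=displayName eq '{displayName}'",
            HttpMethod.GET,
            null,
            new ParameterizedTypeReference<SearchResults<ScimGroup>>() {},
            "cloud_controller.read");
    // Fail with a readable message instead of a bare NoSuchElementException if the group is
    // missing from the search results.
    ScimGroup group =
        getGroups.getBody().getResources().stream()
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("group cloud_controller.read not found"));

    group.setDescription("Read about your clouds.");
    HttpHeaders headers = new HttpHeaders();
    // If-Match carries the current version, presumably so a stale PUT is rejected — confirm.
    headers.add("If-Match", Integer.toString(group.getVersion()));
    HttpEntity<ScimGroup> request = new HttpEntity<>(group, headers);
    restTemplate.exchange(
        baseUrl + "/Groups/{group-id}", HttpMethod.PUT, request, Object.class, group.getId());

    ScimUser user = createUnapprovedUser();

    // Visit app
    webDriver.get(appUrl);

    // Sign in to login server
    webDriver.findElement(By.name("username")).sendKeys(user.getUserName());
    webDriver.findElement(By.name("password")).sendKeys(user.getPassword());
    webDriver.findElement(By.xpath("//input[@value='Sign in']")).click();

    // Authorize the app for some scopes. The two checkboxes clicked here are asserted as NOT
    // selected on the profile page afterwards, so the clicks toggle them off (they appear to
    // start checked); the third lookup only asserts the renamed description is displayed.
    Assert.assertEquals(
        "Application Authorization", webDriver.findElement(By.cssSelector("h1")).getText());

    webDriver
        .findElement(By.xpath("//label[text()='Change your password']/preceding-sibling::input"))
        .click();
    webDriver
        .findElement(
            By.xpath(
                "//label[text()='Read user IDs and retrieve users by ID']/preceding-sibling::input"))
        .click();
    webDriver.findElement(
        By.xpath("//label[text()='Read about your clouds.']/preceding-sibling::input"));

    webDriver.findElement(By.xpath("//button[text()='Authorize']")).click();

    Assert.assertEquals("Sample Home Page", webDriver.findElement(By.cssSelector("h1")).getText());

    // View profile on the login server: the toggled-off scopes are unapproved, the others
    // approved.
    webDriver.get(baseUrl + "/profile");

    Assert.assertFalse(
        webDriver.findElement(By.xpath("//input[@value='app-password.write']")).isSelected());
    Assert.assertFalse(
        webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).isSelected());
    Assert.assertTrue(
        webDriver
            .findElement(By.xpath("//input[@value='app-cloud_controller.read']"))
            .isSelected());
    Assert.assertTrue(
        webDriver
            .findElement(By.xpath("//input[@value='app-cloud_controller.write']"))
            .isSelected());

    // Add approvals for the two scopes declined on the consent page
    webDriver.findElement(By.xpath("//input[@value='app-password.write']")).click();
    webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).click();

    webDriver.findElement(By.xpath("//button[text()='Update']")).click();

    Assert.assertTrue(
        webDriver.findElement(By.xpath("//input[@value='app-password.write']")).isSelected());
    Assert.assertTrue(
        webDriver.findElement(By.xpath("//input[@value='app-scim.userids']")).isSelected());
    Assert.assertTrue(
        webDriver
            .findElement(By.xpath("//input[@value='app-cloud_controller.read']"))
            .isSelected());
    Assert.assertTrue(
        webDriver
            .findElement(By.xpath("//input[@value='app-cloud_controller.write']"))
            .isSelected());

    // Revoke app: the confirmation modal is cancelled once, then confirmed
    webDriver.findElement(By.linkText("Revoke Access")).click();

    Assert.assertEquals(
        "Are you sure you want to revoke access to The Ultimate Oauth App?",
        webDriver.findElement(By.cssSelector(".revocation-modal p")).getText());

    // click cancel
    webDriver.findElement(By.cssSelector("#app-form .revocation-cancel")).click();

    webDriver.findElement(By.linkText("Revoke Access")).click();

    // click confirm
    webDriver.findElement(By.cssSelector("#app-form .revocation-confirm")).click();

    // After revocation the app's approval checkboxes are gone from the profile page
    Assert.assertThat(
        webDriver.findElements(By.xpath("//input[@value='app-password.write']")), Matchers.empty());
  }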