/**
   * There can be sensitive information like passwords in configuration file. If they are encrypted
   * using secure vault, this method will resolve them and replace with original values.
   */
  private static void resolveSecrets(Properties properties) {

    SecretResolver secretResolver = SecretResolverFactory.create(properties);
    Enumeration propertyNames = properties.propertyNames();
    if (secretResolver != null && secretResolver.isInitialized()) {
      // Iterate through whole config file and find encrypted properties and resolve them
      while (propertyNames.hasMoreElements()) {
        String key = (String) propertyNames.nextElement();
        if (secretResolver.isTokenProtected(key)) {
          if (log.isDebugEnabled()) {
            log.debug("Resolving and replacing secret for " + key);
          }
          // Resolving the secret password.
          String value = secretResolver.resolve(key);
          // Replaces the original encrypted property with resolved property
          properties.put(key, value);
        } else {
          if (log.isDebugEnabled()) {
            log.debug("No encryption done for value with key :" + key);
          }
        }
      }
    } else {
      log.warn(
          "Secret Resolver is not present. Will not resolve encryptions in "
              + Constants.TenantConstants.CONFIG_RELATIVE_PATH
              + " file");
    }
  }
Esempio n. 2
0
 public static synchronized String loadFromSecureVault(String alias) {
   if (secretResolver == null) {
     secretResolver = SecretResolverFactory.create((OMElement) null, false);
     secretResolver.init(
         DataServicesDSComponent.getSecretCallbackHandlerService().getSecretCallbackHandler());
   }
   return secretResolver.resolve(alias);
 }
Esempio n. 3
0
 /**
  * Check the given password is encrypted or not, if its encrypted resolve the password.
  *
  * @param dataService Data service object
  * @param password Password before resolving
  * @return Resolved password
  */
 public static String resolvePasswordValue(DataService dataService, String password) {
   SecretResolver secretResolver = dataService.getSecretResolver();
   if (secretResolver != null && secretResolver.isTokenProtected(password)) {
     return secretResolver.resolve(password);
   } else {
     return password;
   }
 }
 private static synchronized String loadFromSecureVault(String alias) {
   if (secretResolver == null) {
     secretResolver = SecretResolverFactory.create((OMElement) null, false);
     secretResolver.init(
         RSSManagerDataHolder.getInstance()
             .getSecretCallbackHandlerService()
             .getSecretCallbackHandler());
   }
   return secretResolver.resolve(alias);
 }
Esempio n. 5
0
  private void loadCredentials(
      final IaasProvider iaas, final OMElement iaasElt, final String xpath) {

    Iterator<?> it =
        iaasElt.getChildrenWithName(new QName(CloudControllerConstants.CREDENTIAL_ELEMENT));

    if (it.hasNext()) {
      OMElement credentialElt = (OMElement) it.next();

      // retrieve the value using secure vault
      SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);
      String alias =
          credentialElt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));

      // retrieve the secured password
      if (secretResolver != null
          && secretResolver.isInitialized()
          && secretResolver.isTokenProtected(alias)) {

        iaas.setCredential(secretResolver.resolve(alias));
      }

      // if we still cannot find a value, we try to assign the value which
      // is specified
      // in the element, if any
      if (iaas.getCredential() == null) {
        log.warn(
            "Unable to find a value for "
                + CloudControllerConstants.CREDENTIAL_ELEMENT
                + " element from Secure Vault."
                + "Hence we will try to assign the plain text value (if specified).");
        iaas.setCredential(credentialElt.getText());
      }
    }

    if (it.hasNext()) {
      log.warn(
          xmlSource
              + " contains more than one "
              + CloudControllerConstants.CREDENTIAL_ELEMENT
              + " elements!"
              + " Elements other than the first will be neglected.");
    }

    if (iaas.getCredential() == null) {
      String msg =
          "Essential '"
              + CloudControllerConstants.CREDENTIAL_ELEMENT
              + "' element"
              + " has not specified in "
              + xmlSource;
      handleException(msg);
    }
  }
Esempio n. 6
0
  private String resolveSecret(final OMElement elt) {
    // retrieve the value using secure vault
    SecretResolver secretResolver = SecretResolverFactory.create(documentElement, false);

    String alias = elt.getAttributeValue(new QName(CloudControllerConstants.ALIAS_ATTRIBUTE));

    // retrieve the secured password
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected(alias)) {

      return secretResolver.resolve(alias);
    }

    return null;
  }
 private Map<String, String> getChildPropertyElements(
     OMElement omElement, SecretResolver secretResolver) {
   Map<String, String> map = new HashMap<String, String>();
   Iterator<?> ite =
       omElement.getChildrenWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PROPERTY));
   while (ite.hasNext()) {
     OMElement propElem = (OMElement) ite.next();
     String propName =
         propElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_PROP_NAME));
     String propValue = propElem.getText();
     if (secretResolver != null && secretResolver.isInitialized()) {
       if (secretResolver.isTokenProtected("UserManager.Configuration.Property." + propName)) {
         propValue = secretResolver.resolve("UserManager.Configuration.Property." + propName);
       }
       if (secretResolver.isTokenProtected("UserStoreManager.Property." + propName)) {
         propValue = secretResolver.resolve("UserStoreManager.Property." + propName);
       }
     }
     map.put(propName.trim(), propValue.trim());
   }
   return map;
 }
  public RealmConfiguration buildRealmConfiguration(OMElement realmElem, boolean supperTenant)
      throws UserStoreException {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String addAdmin = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    String description = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    boolean passwordsExternallyManaged = false;

    realmClass =
        (String)
            realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));

    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);

    if (mainConfig.getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            != null
        && !mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
            .getText()
            .trim()
            .equals("")) {
      addAdmin =
          mainConfig
              .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADD_ADMIN))
              .getText()
              .trim();
    } else {
      if (supperTenant) {
        log.error(
            "AddAdmin configuration not found or invalid in user-mgt.xml. Cannot start server!");
        throw new UserStoreException(
            "AddAdmin configuration not found or invalid user-mgt.xml. Cannot start server!");
      } else {
        log.debug("AddAdmin configuration not found");
        addAdmin = "true";
      }
    }

    OMElement reservedRolesElm =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_RESERVED_ROLE_NAMES));

    String[] reservedRoles = new String[0];

    if (reservedRolesElm != null && !reservedRolesElm.getText().trim().equals("")) {
      String rolesStr = reservedRolesElm.getText().trim();

      if (rolesStr.contains(",")) {
        reservedRoles = rolesStr.split(",");
      } else {
        reservedRoles = rolesStr.split(";");
      }
    }

    OMElement restrictedDomainsElm =
        mainConfig.getFirstChildWithName(
            new QName(
                UserCoreConstants.RealmConfig.LOCAL_NAME_RESTRICTED_DOMAINS_FOR_SELF_SIGN_UP));

    String[] restrictedDomains = new String[0];

    if (restrictedDomainsElm != null && !restrictedDomainsElm.getText().trim().equals("")) {
      String domain = restrictedDomainsElm.getText().trim();

      if (domain.contains(",")) {
        restrictedDomains = domain.split(",");
      } else {
        restrictedDomains = domain.split(";");
      }
    }

    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText()
            .trim();
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText()
            .trim();
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
      adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText()
            .trim();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText()
            .trim();

    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig
            .getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS))
            .trim();
    authzProperties = getChildPropertyElements(authzConfig, null);

    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));

    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;

    for (; iterator.hasNext(); ) {
      OMElement usaConfig = iterator.next();
      userStoreClass =
          usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
      if (usaConfig.getFirstChildWithName(
              new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
          != null) {
        description =
            usaConfig
                .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.CLASS_DESCRIPTION))
                .getText()
                .trim();
      }
      userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);

      String sIsPasswordExternallyManaged =
          userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);

      Map<String, String> multipleCredentialsProperties =
          getMultipleCredentialsProperties(usaConfig);

      if (null != sIsPasswordExternallyManaged && !sIsPasswordExternallyManaged.trim().equals("")) {
        passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("External password management is disabled.");
        }
      }

      realmConfig = new RealmConfiguration();
      realmConfig.setRealmClassName(realmClass);
      realmConfig.setUserStoreClass(userStoreClass);
      realmConfig.setDescription(description);
      realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
      if (primaryConfig == null) {
        realmConfig.setPrimary(true);
        realmConfig.setAddAdmin(addAdmin);
        realmConfig.setAdminPassword(adminPassword);

        // if domain name not provided, add default primary domain name
        String domain = userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
        if (domain == null) {
          userStoreProperties.put(
              UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME,
              UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME);
        }

        for (int i = 0; i < reservedRoles.length; i++) {
          realmConfig.addReservedRoleName(reservedRoles[i].trim().toUpperCase());
        }

        for (int i = 0; i < restrictedDomains.length; i++) {
          realmConfig.addRestrictedDomainForSelfSignUp(restrictedDomains[i].trim().toUpperCase());
        }

        if (supperTenant
            && userStoreProperties.get(UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER)
                == null) {
          log.error(
              "Required property '"
                  + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                  + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
          throw new UserStoreException(
              "Required property '"
                  + UserCoreConstants.TenantMgtConfig.LOCAL_NAME_TENANT_MANAGER
                  + "' not found for the primary UserStoreManager in user_mgt.xml. Cannot start server!");
        }
      }

      // If the domain name still empty
      String domain = userStoreProperties.get(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
      if (domain == null) {
        log.warn(
            "Required property "
                + UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME
                + " missing in secondary user store. Skip adding the user store.");
        continue;
      }
      // Making user stores added using user-mgt.xml non-editable(static) at runtime
      userStoreProperties.put(UserCoreConstants.RealmConfig.STATIC_USER_STORE, "true");

      realmConfig.setEveryOneRoleName(
          UserCoreConstants.INTERNAL_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + everyOneRoleName);
      realmConfig.setAdminRoleName(adminRoleName);
      realmConfig.setAdminUserName(adminUserName);
      realmConfig.setUserStoreProperties(userStoreProperties);
      realmConfig.setAuthzProperties(authzProperties);
      realmConfig.setRealmProperties(realmProperties);
      realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
      realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
      }

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
      }

      if (primaryConfig == null) {
        primaryConfig = realmConfig;
      } else {
        tmpConfig.setSecondaryRealmConfig(realmConfig);
      }

      tmpConfig = realmConfig;
    }
    if (primaryConfig != null && primaryConfig.isPrimary()) {
      // Check if Admin user name has been provided with domain
      String primaryDomainName =
          primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_DOMAIN_NAME);
      String readOnly =
          primaryConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY);
      Boolean isReadOnly = false;
      if (readOnly != null) {
        isReadOnly = Boolean.parseBoolean(readOnly);
      }
      if (primaryDomainName != null && primaryDomainName.trim().length() > 0) {
        if (adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
          // Using the short-circuit. User name comes with the domain name.
          String adminUserDomain =
              adminUserName.substring(0, adminUserName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));
          if (!primaryDomainName.equalsIgnoreCase(adminUserDomain)) {
            throw new UserStoreException(
                "Admin User domain does not match primary user store domain.");
          }
        } else {
          primaryConfig.setAdminUserName(
              UserCoreUtil.addDomainToName(adminUserName, primaryDomainName));
        }
        if (adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR) > 0) {
          // Using the short-circuit. User name comes with the domain name.
          String adminRoleDomain =
              adminRoleName.substring(0, adminRoleName.indexOf(CarbonConstants.DOMAIN_SEPARATOR));

          if ((!primaryDomainName.equalsIgnoreCase(adminRoleDomain))
              || (isReadOnly)
                  && (!primaryDomainName.equalsIgnoreCase(UserCoreConstants.INTERNAL_DOMAIN))) {
            throw new UserStoreException(
                "Admin Role domain does not match primary user store domain.");
          }
        }
      }

      // This will be overridden inside the UserStoreManager constructor.
      primaryConfig.setAdminRoleName(
          UserCoreUtil.addDomainToName(adminRoleName, primaryDomainName));
    }
    return primaryConfig;
  }
  public RealmConfiguration buildRealmConfiguration(OMElement realmElem) {
    RealmConfiguration realmConfig = null;
    String userStoreClass = null;
    String authorizationManagerClass = null;
    String adminRoleName = null;
    String adminUserName = null;
    String adminPassword = null;
    String everyOneRoleName = null;
    String realmClass = null;
    Map<String, String> userStoreProperties = null;
    Map<String, String> authzProperties = null;
    Map<String, String> realmProperties = null;
    boolean passwordsExternallyManaged = false;

    realmClass =
        (String)
            realmElem.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));

    OMElement mainConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_CONFIGURATION));
    realmProperties = getChildPropertyElements(mainConfig, secretResolver);
    String dbUrl = constructDatabaseURL(realmProperties.get(JDBCRealmConstants.URL));
    realmProperties.put(JDBCRealmConstants.URL, dbUrl);

    OMElement adminUser =
        mainConfig.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_USER));
    adminUserName =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_NAME))
            .getText();
    adminPassword =
        adminUser
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_PASSWORD))
            .getText();
    if (secretResolver != null
        && secretResolver.isInitialized()
        && secretResolver.isTokenProtected("UserManager.AdminUser.Password")) {
      adminPassword = secretResolver.resolve("UserManager.AdminUser.Password");
    }
    adminRoleName =
        mainConfig
            .getFirstChildWithName(new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ADMIN_ROLE))
            .getText();
    everyOneRoleName =
        mainConfig
            .getFirstChildWithName(
                new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_EVERYONE_ROLE))
            .getText();

    OMElement authzConfig =
        realmElem.getFirstChildWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_ATHZ_MANAGER));
    authorizationManagerClass =
        authzConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
    authzProperties = getChildPropertyElements(authzConfig, null);

    Iterator<OMElement> iterator =
        realmElem.getChildrenWithName(
            new QName(UserCoreConstants.RealmConfig.LOCAL_NAME_USER_STORE_MANAGER));

    RealmConfiguration primaryConfig = null;
    RealmConfiguration tmpConfig = null;

    for (; iterator.hasNext(); ) {
      OMElement usaConfig = iterator.next();
      userStoreClass =
          usaConfig.getAttributeValue(new QName(UserCoreConstants.RealmConfig.ATTR_NAME_CLASS));
      userStoreProperties = getChildPropertyElements(usaConfig, secretResolver);

      String sIsPasswordExternallyManaged =
          userStoreProperties.get(UserCoreConstants.RealmConfig.LOCAL_PASSWORDS_EXTERNALLY_MANAGED);

      Map<String, String> multipleCredentialsProperties =
          getMultipleCredentialsProperties(usaConfig);

      if (null != sIsPasswordExternallyManaged && !sIsPasswordExternallyManaged.trim().equals("")) {
        passwordsExternallyManaged = Boolean.parseBoolean(sIsPasswordExternallyManaged);
      } else {
        if (log.isDebugEnabled()) {
          log.debug("External password management is disabled.");
        }
      }

      realmConfig = new RealmConfiguration();
      realmConfig.setRealmClassName(realmClass);
      realmConfig.setUserStoreClass(userStoreClass);
      realmConfig.setAuthorizationManagerClass(authorizationManagerClass);
      realmConfig.setAdminRoleName(adminRoleName);
      realmConfig.setAdminUserName(adminUserName);
      realmConfig.setAdminPassword(adminPassword);
      realmConfig.setEveryOneRoleName(everyOneRoleName);
      realmConfig.setUserStoreProperties(userStoreProperties);
      realmConfig.setAuthzProperties(authzProperties);
      realmConfig.setRealmProperties(realmProperties);
      realmConfig.setPasswordsExternallyManaged(passwordsExternallyManaged);
      realmConfig.addMultipleCredentialProperties(userStoreClass, multipleCredentialsProperties);

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_MAX_USER_LIST,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_MAX_COUNT);
      }

      if (realmConfig.getUserStoreProperty(UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY)
          == null) {
        realmConfig
            .getUserStoreProperties()
            .put(
                UserCoreConstants.RealmConfig.PROPERTY_READ_ONLY,
                UserCoreConstants.RealmConfig.PROPERTY_VALUE_DEFAULT_READ_ONLY);
      }

      if (primaryConfig == null) {
        primaryConfig = realmConfig;
      } else {
        tmpConfig.setSecondaryRealmConfig(realmConfig);
      }

      tmpConfig = realmConfig;
    }

    return primaryConfig;
  }