コード例 #1
0
  public String getGroupingIdentifiers(String loginResponse) {

    JSONObject obj;
    String username = null;
    Boolean isSuperTenant;
    int tenantId = MultitenantConstants.SUPER_TENANT_ID;
    String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    String claim = "http://wso2.org/claims/organization";
    String organization = null;
    try {
      obj = new JSONObject(loginResponse);
      username = (String) obj.get("user");
      isSuperTenant = (Boolean) obj.get("isSuperTenant");

      RealmService realmService = ServiceReferenceHolder.getInstance().getRealmService();

      // if the user is not in the super tenant domain then find the domain name and tenant id.
      if (!isSuperTenant) {
        tenantDomain = MultitenantUtils.getTenantDomain(username);
        tenantId =
            ServiceReferenceHolder.getInstance()
                .getRealmService()
                .getTenantManager()
                .getTenantId(tenantDomain);
      }

      UserRealm realm = (UserRealm) realmService.getTenantUserRealm(tenantId);
      UserStoreManager manager = realm.getUserStoreManager();
      organization =
          manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username), claim, null);
      if (organization != null) {
        organization = tenantDomain + "/" + organization.trim();
      }
    } catch (JSONException e) {
      log.error("Exception occured while trying to get group Identifier from login response");
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
      log.error("Error while checking user existence for " + username);
    }

    return organization;
  }
コード例 #2
0
  /**
   * This method locks the accounts after a configured number of authentication failure attempts.
   * And unlocks accounts based on successful authentications.
   */
  @Override
  public boolean doPostAuthenticate(
      String userName, boolean authenticated, UserStoreManager userStoreManager)
      throws UserStoreException {

    if (log.isDebugEnabled()) {
      log.debug("Post authenticator is called in IdentityMgtEventListener");
    }

    IdentityMgtConfig config = IdentityMgtConfig.getInstance();

    if (!config.isEnableAuthPolicy()) {
      return authenticated;
    }

    UserIdentityClaimsDO userIdentityDTO = module.load(userName, userStoreManager);
    if (userIdentityDTO == null) {
      userIdentityDTO = new UserIdentityClaimsDO(userName);
    }

    boolean userOTPEnabled = userIdentityDTO.getOneTimeLogin();

    // One time password check
    if (authenticated
        && config.isAuthPolicyOneTimePasswordCheck()
        && (!userStoreManager.isReadOnly())) {

      // reset password of the user and notify user of the new password
      if (userOTPEnabled) {

        String password = UserIdentityManagementUtil.generateTemporaryPassword().toString();
        userStoreManager.updateCredentialByAdmin(userName, password);

        // Get email user claim value
        String email =
            userStoreManager.getUserClaimValue(
                userName, UserCoreConstants.ClaimTypeURIs.EMAIL_ADDRESS, null);

        if (email == null) {
          throw new UserStoreException("No user email provided for user " + userName);
        }

        List<NotificationSendingModule> notificationModules =
            config.getNotificationSendingModules();

        if (notificationModules != null) {

          NotificationDataDTO notificationData = new NotificationDataDTO();

          NotificationData emailNotificationData = new NotificationData();
          String emailTemplate = null;
          int tenantId = userStoreManager.getTenantId();
          String firstName = null;
          try {
            firstName =
                Utils.getClaimFromUserStoreManager(
                    userName, tenantId, "http://wso2.org/claims/givenname");
          } catch (IdentityException e2) {
            throw new UserStoreException("Could not load user given name");
          }
          emailNotificationData.setTagData("first-name", firstName);
          emailNotificationData.setTagData("user-name", userName);
          emailNotificationData.setTagData("otp-password", password);

          emailNotificationData.setSendTo(email);

          Config emailConfig = null;
          ConfigBuilder configBuilder = ConfigBuilder.getInstance();
          try {
            emailConfig =
                configBuilder.loadConfiguration(ConfigType.EMAIL, StorageType.REGISTRY, tenantId);
          } catch (Exception e1) {
            throw new UserStoreException("Could not load the email template configuration");
          }

          emailTemplate = emailConfig.getProperty("otp");

          Notification emailNotification = null;
          try {
            emailNotification =
                NotificationBuilder.createNotification(
                    "EMAIL", emailTemplate, emailNotificationData);
          } catch (Exception e) {
            throw new UserStoreException("Could not create the email notification");
          }
          NotificationSender sender = new NotificationSender();

          for (NotificationSendingModule notificationSendingModule : notificationModules) {

            if (IdentityMgtConfig.getInstance().isNotificationInternallyManaged()) {
              notificationSendingModule.setNotificationData(notificationData);
              notificationSendingModule.setNotification(emailNotification);
              sender.sendNotification(notificationSendingModule);
              notificationData.setNotificationSent(true);
            }
          }

        } else {
          throw new UserStoreException("No notification modules configured");
        }
      }
    }

    // Password expire check. Not for OTP enabled users.
    if (authenticated
        && config.isAuthPolicyExpirePasswordCheck()
        && !userOTPEnabled
        && (!userStoreManager.isReadOnly())) {
      // TODO - password expire impl
      // Refactor adduser and change password api to stamp the time
      // Check user's expire time in the claim
      // if expired redirect to change password
      // else pass through
      /*
      long timestamp = userIdentityDTO.getPasswordTimeStamp();
      // Only allow behavior to users with this claim. Intent bypass for admin?
      if (timestamp > 0) {
      	Calendar passwordExpireTime = Calendar.getInstance();
      	passwordExpireTime.setTimeInMillis(timestamp);

      	int expireDuration = config.getAuthPolicyPasswordExpireTime();
      	if (expireDuration > 0) {

      		passwordExpireTime.add(Calendar.DATE, expireDuration);

      		Calendar currentTime = Calendar.getInstance();

      		if (currentTime.compareTo(passwordExpireTime) > 0) {
      			// password expired
      			// set flag to redirect
      			log.error("Password is expired ...........");
      			// throw new UserStoreException("Password is expired");
      		}

      	}
      }
      */
    }

    if (!authenticated && config.isAuthPolicyAccountLockOnFailure()) {
      userIdentityDTO.setFailAttempts();
      // reading the max allowed #of failure attempts

      if (userIdentityDTO.getFailAttempts() >= config.getAuthPolicyMaxLoginAttempts()) {
        if (log.isDebugEnabled()) {
          log.debug(
              "User, "
                  + userName
                  + " has exceed the max failed login attempts. "
                  + "User account would be locked");
        }
        userIdentityDTO.setAccountLock(true);
        // lock time from the config
        int lockTime = IdentityMgtConfig.getInstance().getAuthPolicyLockingTime();
        if (lockTime != 0) {
          userIdentityDTO.setUnlockTime(System.currentTimeMillis() + (lockTime * 60 * 1000));
        }
      }

      try {
        module.store(userIdentityDTO, userStoreManager);
      } catch (IdentityException e) {
        throw new UserStoreException("Error while doPostAuthenticate", e);
      }

    } else {
      // if the account was locked due to account verification process,
      // the unlock the account and reset the number of failedAttempts
      if (userIdentityDTO.isAccountLocked() || userIdentityDTO.getFailAttempts() > 0) {
        userIdentityDTO.setAccountLock(false);
        userIdentityDTO.setFailAttempts(0);
        userIdentityDTO.setUnlockTime(0);
        try {
          module.store(userIdentityDTO, userStoreManager);
        } catch (IdentityException e) {
          throw new UserStoreException("Error while doPostAuthenticate", e);
        }
      }
    }

    return true;
  }
コード例 #3
0
  public void doClaimStuff() throws Exception {
    UserStoreManager usWriter = realm.getUserStoreManager();
    String[] allClaims = {
      ClaimTestUtil.CLAIM_URI1, ClaimTestUtil.CLAIM_URI2, ClaimTestUtil.CLAIM_URI3
    };

    // add DEFAULT
    usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, "claim1default", null);
    try {
      usWriter.setUserClaimValue(null, ClaimTestUtil.CLAIM_URI1, "claim1default", null);
      fail("Exception at set claim values to null users");
    } catch (Exception e) {
      // expected exception
      if (log.isDebugEnabled()) {
        log.debug("Expected error, hence ignored", e);
      }
    }
    try {
      usWriter.setUserClaimValue("isuru", null, "claim1default", null);
      fail("Exception at set claim values to null claimURI");
    } catch (Exception e) {
      // expected exception
      if (log.isDebugEnabled()) {
        log.debug("Expected error, hence ignored", e);
      }
    }
    try {
      usWriter.setUserClaimValue("isuru", ClaimTestUtil.CLAIM_URI1, null, null);
      fail("Exception at set claim values to null claimValue");
    } catch (Exception e) {
      // expected exception
      if (log.isDebugEnabled()) {
        log.debug("Expected error, hence ignored", e);
      }
    }

    String value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
    assertEquals("claim1default", value);
    // Non existing user
    String value1 = usWriter.getUserClaimValue("isuru", ClaimTestUtil.CLAIM_URI1, null);
    assertEquals(null, value1);
    // update default
    usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, "dimzi lee", null);
    value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
    assertEquals("dimzi lee", value);

    // multiple additions
    Map<String, String> map = new HashMap<String, String>();
    map.put(ClaimTestUtil.CLAIM_URI1, "lee");
    map.put(ClaimTestUtil.CLAIM_URI3, "muthu");

    usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI2, "claim2default", null);
    assertEquals(
        "dimzi lee", usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null));
    assertEquals(
        "claim2default", usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI2, null));
    assertNull(usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI3, null));

    usWriter.setUserClaimValues("dimuthu", map, ClaimTestUtil.HOME_PROFILE_NAME);
    assertEquals(
        "lee",
        usWriter.getUserClaimValue(
            "dimuthu", ClaimTestUtil.CLAIM_URI1, ClaimTestUtil.HOME_PROFILE_NAME));
    assertNull(
        usWriter.getUserClaimValue(
            "dimuthu", ClaimTestUtil.CLAIM_URI2, ClaimTestUtil.HOME_PROFILE_NAME));
    assertEquals(
        "muthu",
        usWriter.getUserClaimValue(
            "dimuthu", ClaimTestUtil.CLAIM_URI3, ClaimTestUtil.HOME_PROFILE_NAME));

    usWriter.setUserClaimValue(
        "dimuthu",
        UserCoreConstants.PROFILE_CONFIGURATION,
        ClaimTestUtil.HOME_PROFILE_NAME,
        ClaimTestUtil.HOME_PROFILE_NAME);
    Map<String, String> obtained =
        usWriter.getUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
    // assertNull(obtained.get(ClaimTestUtil.CLAIM_URI1)); // hidden
    // assertEquals("claim2default", obtained.get(ClaimTestUtil.CLAIM_URI2)); // overridden
    assertEquals("muthu", obtained.get(ClaimTestUtil.CLAIM_URI3)); // normal

    // UPDATE
    map.put(ClaimTestUtil.CLAIM_URI3, "muthulee");
    usWriter.setUserClaimValues("dimuthu", map, ClaimTestUtil.HOME_PROFILE_NAME);
    value =
        usWriter.getUserClaimValue(
            "dimuthu", ClaimTestUtil.CLAIM_URI3, ClaimTestUtil.HOME_PROFILE_NAME);
    assertEquals("muthulee", value);

    // DELETE
    usWriter.deleteUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
    value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
    assertNull(value);
    try {
      usWriter.deleteUserClaimValue("dimuthu", null, null);
      fail("Exception at null Claim URI");
    } catch (Exception e) {
      // expected exception
      if (log.isDebugEnabled()) {
        log.debug("Expected error, hence ignored", e);
      }
    }
    try {
      usWriter.deleteUserClaimValue(null, ClaimTestUtil.CLAIM_URI1, null);
      fail("Exception at giving null user name to delete user claim values");
    } catch (Exception e) {
      // expected exception
      if (log.isDebugEnabled()) {
        log.debug("Expected error, hence ignored", e);
      }
    }

    usWriter.deleteUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
    obtained = usWriter.getUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
    assertNull(obtained.get(ClaimTestUtil.CLAIM_URI2)); // overridden
    assertNull(obtained.get(ClaimTestUtil.CLAIM_URI3));

    // UserStoreManager admin = realm.getUserStoreManager();
    // admin.deleteUser("dimuthu");
  }