/**
  * Tests whether the user identified by the given {@code Subject} carries a particular
  * attribute value.
  *
  * <p>Attribute names are namespaced. A name prefixed with {@code NAMESPACE_ATTR} is looked up
  * as a plain profile attribute of the user; a name prefixed with {@code NAMESPACE_MEMBERSHIP}
  * is read as "is this user a {@code USER} member of the identity whose universal id is
  * {@code attrValue}" (the type part of the name must match the parent's type). Any other prefix
  * yields {@code false}. All repository access runs under the admin token obtained through
  * {@code AdminTokenAction}.
  *
  * @param subject identity of the user
  * @param attrName namespaced attribute name to check
  * @param attrValue attribute value to check (for memberships: the parent's universal id)
  * @return {@code true} if the value is present for the user, {@code false} otherwise
  * @throws com.sun.identity.entitlement.EntitlementException (code 601) if the repository or
  *     session layer fails
  */
 public boolean hasAttribute(Subject subject, String attrName, String attrValue)
     throws EntitlementException {
   String principalId = SubjectUtils.getPrincipalId(subject);
   try {
     SSOToken adminToken =
         (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
     AMIdentity user = new AMIdentity(adminToken, principalId);

     if (attrName.startsWith(NAMESPACE_ATTR)) {
       String plainName = attrName.substring(NAMESPACE_ATTR.length());
       Set<String> values = user.getAttribute(plainName);
       // An absent attribute (null) counts as "value not present".
       if (values == null) {
         return false;
       }
       return values.contains(attrValue);
     }

     if (attrName.startsWith(NAMESPACE_MEMBERSHIP)) {
       String typeName = attrName.substring(NAMESPACE_MEMBERSHIP.length());
       IdType expectedType = IdUtils.getType(typeName);
       if (expectedType == null) {
         return false;
       }
       // attrValue is taken to be the universal id of the candidate parent identity.
       AMIdentity parent = new AMIdentity(adminToken, attrValue);
       if (!parent.getType().equals(expectedType)) {
         return false;
       }
       Set<String> members = parent.getMembers(IdType.USER);
       return members.contains(user.getUniversalId());
     }

     return false;
   } catch (IdRepoException | SSOException e) {
     // Both failure kinds map to the same entitlement error, keyed on the principal id.
     Object[] params = {principalId};
     throw new EntitlementException(601, params, e);
   }
 }
 /**
  * Resolves the display name of the identity with the given universal id.
  *
  * <p>The lookup is performed with the token returned by {@code getUserSSOToken()}.
  *
  * @param universalId universal id of the identity to look up
  * @return the identity's name as reported by {@code AMIdentity#getName()}
  * @throws AMConsoleException if the identity repository lookup fails; the message is built
  *     from the underlying {@code IdRepoException} by {@code getErrorString}
  */
 public String getDisplayName(String universalId) throws AMConsoleException {
   try {
     return IdUtils.getIdentity(getUserSSOToken(), universalId).getName();
   } catch (IdRepoException e) {
     throw new AMConsoleException(getErrorString(e));
   }
 }
 /**
  * Reads the configuration attributes of the agent identity with the given universal id.
  *
  * <p>The identity is resolved under the administrator token ({@code adminSSOToken}) and its
  * attributes are fetched with {@code AgentConfiguration.getAgentAttributes(amid, true)}.
  *
  * @param universalId universal id of the agent identity
  * @return the agent attributes exactly as returned by {@code AgentConfiguration} (raw map, as
  *     declared by the signature callers depend on)
  * @throws AMConsoleException if the repository, service-management or session layer fails;
  *     only the underlying exception's message is carried over, so the original cause is not
  *     chained onto the thrown exception
  */
 public Map getAttributeValues(String universalId) throws AMConsoleException {
   try {
     AMIdentity agent = IdUtils.getIdentity(adminSSOToken, universalId);
     return AgentConfiguration.getAgentAttributes(agent, true);
   } catch (IdRepoException | SMSException | SSOException e) {
     // Same translation for every failure type: message only, cause is dropped.
     throw new AMConsoleException(e.getMessage());
   }
 }
 /**
  * Checks that the SSO token string in the invocation state denotes a valid session whose realm
  * matches the realm of the invocation, and returns that session's token.
  *
  * <p>Order of checks: the string is turned into an {@code SSOToken} via
  * {@code SSOTokenManager.createSSOToken} and must pass {@code isValidToken}; then the identity
  * behind the token is resolved with {@code IdUtils.getIdentity} and its realm, normalised by
  * {@code DNMapper.orgNameToRealmName}, is compared case-insensitively with
  * {@code invocationState.getRealm()}. Token-creation failures are logged at debug level, realm
  * mismatches and identity-resolution failures at error level; every failure ends in a
  * {@code ForbiddenException}.
  *
  * @param invocationState source of the SSO token string and of the invocation realm
  * @return the token for the validated subject session
  * @throws ForbiddenException if the token cannot be created or is not valid, the identity
  *     cannot be resolved, or the realms differ
  */
 private SSOToken validateAssertionSubjectSession(
     TokenGenerationServiceInvocationState invocationState) throws ForbiddenException {
   SSOTokenManager manager;
   SSOToken sessionToken;
   try {
     manager = SSOTokenManager.getInstance();
     sessionToken = manager.createSSOToken(invocationState.getSsoTokenString());
   } catch (SSOException e) {
     logger.debug(
         "Exception caught creating the SSO token from the token string, almost certainly "
             + "because token string does not correspond to a valid session: "
             + e);
     // NOTE(review): e.toString() is used as the ForbiddenException message; if that text
     // reaches the caller, confirm it carries no session material.
     throw new ForbiddenException(e.toString(), e);
   }
   if (!manager.isValidToken(sessionToken)) {
     throw new ForbiddenException("SSO token string does not correspond to a valid SSOToken");
   }

   try {
     AMIdentity sessionIdentity = IdUtils.getIdentity(sessionToken);
     String callerRealm = invocationState.getRealm();
     String sessionRealm = DNMapper.orgNameToRealmName(sessionIdentity.getRealm());
     logger.debug(
         "TokenGenerationService:validateAssertionSubjectSession subjectRealm "
             + sessionRealm
             + " invocation realm: "
             + callerRealm);
     boolean sameRealm = callerRealm.equalsIgnoreCase(sessionRealm);
     if (!sameRealm) {
       logger.error(
           "TokenGenerationService:validateAssertionSubjectSession realms do not match: Subject realm : "
               + sessionRealm
               + " invocation realm: "
               + callerRealm);
       // Realm binding: a session from one realm is not accepted for an invocation in another.
       throw new ForbiddenException("SSO token subject realm does not match invocation realm");
     }
   } catch (SSOException | IdRepoException e) {
     logger.error(
         "TokenGenerationService:validateAssertionSubjectSession error while validating identity : "
             + e);
     throw new ForbiddenException(e.toString(), e);
   }
   return sessionToken;
 }
 /**
  * Looks up the {@code AMIdentity} for a user name within a realm.
  *
  * <p>Delegates to {@code IdUtils.getIdentity(username, realm)}; being {@code protected}, a
  * subclass can substitute its own resolution.
  *
  * @param username user name to resolve
  * @param realm realm in which to resolve it
  * @return whatever {@code IdUtils.getIdentity} returns for the pair
  */
 protected AMIdentity createIdentity(String username, String realm) {
   AMIdentity resolved = IdUtils.getIdentity(username, realm);
   return resolved;
 }
  /**
   * Collects the requested attributes of the user behind {@code subject} and records the
   * universal-id based counterparts as a public credential on the subject.
   *
   * <p>Three groups are assembled, all under the admin token obtained through
   * {@code AdminTokenAction}:
   * <ul>
   *   <li>{@code NAMESPACE_IDENTITY}: the user's id without the org part (results) and the
   *       principal id (public credentials);
   *   <li>{@code NAMESPACE_ATTR + name}: the profile attributes named in {@code attrNames} under
   *       that prefix, skipping attributes whose value set is null; the same value set object
   *       is placed in both maps;
   *   <li>{@code NAMESPACE_MEMBERSHIP + type}: for each membership type named in
   *       {@code attrNames}, the org-less ids of the identities the user belongs to (results)
   *       and their universal ids (public credentials).
   * </ul>
   * The public-credential map is added to {@code subject.getPublicCredentials()} as one element
   * before the results are returned.
   *
   * @param subject identity of the user; its public credential set is mutated
   * @param attrNames requested (namespaced) attribute names
   * @return a map of namespaced attribute names to their values
   * @throws com.sun.identity.entitlement.EntitlementException (code 600) if the session or
   *     repository layer fails
   */
  public Map<String, Set<String>> getAttributes(Subject subject, Set<String> attrNames)
      throws EntitlementException {
    String principalId = SubjectUtils.getPrincipalId(subject);
    try {
      SSOToken adminToken =
          (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
      AMIdentity user = new AMIdentity(adminToken, principalId);

      Map<String, Set<String>> results = new HashMap<>();
      Map<String, Set<String>> credentials = new HashMap<>();

      // Identity entry: short id for the result map, principal id for the credential map.
      Set<String> shortId = new HashSet<>(2);
      shortId.add(getIDWithoutOrgName(user));
      results.put(NAMESPACE_IDENTITY, shortId);
      Set<String> fullId = new HashSet<>(2);
      fullId.add(principalId);
      credentials.put(NAMESPACE_IDENTITY, fullId);

      Set<String> plainNames = getAttributeNames(attrNames, NAMESPACE_ATTR);
      if (!plainNames.isEmpty()) {
        Map<String, Set<String>> plainValues = user.getAttributes(plainNames);
        for (Map.Entry<String, Set<String>> entry : plainValues.entrySet()) {
          Set<String> values = entry.getValue();
          if (values == null) {
            continue;
          }
          String key = NAMESPACE_ATTR + entry.getKey();
          results.put(key, values);
          credentials.put(key, values);
        }
      }

      for (String typeName : getAttributeNames(attrNames, NAMESPACE_MEMBERSHIP)) {
        IdType type = IdUtils.getType(typeName);
        if (type == null) {
          continue;
        }
        Set<AMIdentity> memberships = user.getMemberships(type);
        if (memberships == null) {
          continue;
        }
        Set<String> shortIds = new HashSet<>();
        Set<String> universalIds = new HashSet<>();
        for (AMIdentity group : memberships) {
          shortIds.add(getIDWithoutOrgName(group));
          universalIds.add(group.getUniversalId());
        }
        results.put(NAMESPACE_MEMBERSHIP + typeName, shortIds);
        credentials.put(NAMESPACE_MEMBERSHIP + typeName, universalIds);
      }

      subject.getPublicCredentials().add(credentials);
      return results;
    } catch (SSOException | IdRepoException e) {
      Object[] params = {principalId};
      throw new EntitlementException(600, params, e);
    }
  }
 /**
  * Reports whether the organization is active, per its {@code inetDomainStatus} attribute.
  *
  * <p>Thin wrapper around {@code IdUtils.isOrganizationActive} using the auth session token
  * ({@code ssoAuthSession}).
  *
  * @param orgName org name whose inetDomainStatus is checked
  * @return {@code true} if the org is active
  * @throws IdRepoException if no information for the org can be obtained
  * @throws SSOException if the admin {@code SSOToken} cannot be used
  */
 boolean getInetDomainStatus(String orgName) throws IdRepoException, SSOException {
   boolean active = IdUtils.isOrganizationActive(ssoAuthSession, orgName);
   return active;
 }
  /**
   * Returns the {@code AMIdentity} matching the given type, name and organization.
   *
   * <p>Resolution happens in two stages. First {@code IdUtils.getIdentity} is tried with the
   * auth session; its result is accepted only if it exists, has the requested type and exposes
   * attributes. If that yields nothing (or throws, which is logged and ignored), the name is
   * reduced with {@code DNUtils.DNtoName} and a recursive search (timeout and max-results both
   * set to 0) is run against the org's {@code AMIdentityRepository}. More than one hit is
   * logged at error level and rejected with {@code AUTH_ERROR}: an ambiguous match is never
   * resolved by picking one. No hit at all (including after a swallowed repository/session
   * failure in the search) is reported as {@code AUTH_PROFILE_ERROR}.
   *
   * @param idType Identity Type.
   * @param idName Identity Name.
   * @param orgName organization name.
   * @return {@code AMIdentity} object.
   * @throws AuthException if there was no result, or if there was more than one result.
   */
  public AMIdentity getIdentity(IdType idType, String idName, String orgName) throws AuthException {
    if (debug.messageEnabled()) {
      debug.message("IdType is :" + idType);
      debug.message("IdName is :" + idName);
      debug.message("orgName is :" + orgName);
    }

    // Stage 1: direct lookup through IdUtils. Failures here only mean "fall through to search".
    try {
      if (debug.messageEnabled()) {
        debug.message("AuthD.getIdentity() from IdUtils Name: " + idName + " Org: " + orgName);
      }
      AMIdentity direct = IdUtils.getIdentity(getSSOAuthSession(), idName, orgName);
      boolean usable =
          direct != null
              && direct.isExists()
              && direct.getType().equals(idType)
              && direct.getAttributes() != null;
      if (usable) {
        if (debug.messageEnabled()) {
          debug.message(
              "AuthD.getIdentity obtained identity" + "using IdUtil.getIdentity: " + direct);
        }
        return direct;
      }
    } catch (IdRepoException e) {
      // Deliberately ignored: the repository search below is the fallback.
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got IdRepoException while "
                + "getting Identity from IdUtils: "
                + e.getMessage());
      }
    } catch (SSOException ssoe) {
      // Deliberately ignored: the repository search below is the fallback.
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got SSOException while "
                + "getting Identity from IdUtils: "
                + ssoe.getMessage());
      }
    }

    // Stage 2: search the org's identity repository by the short (non-DN) name.
    AMIdentity found = null;
    try {
      String shortName = DNUtils.DNtoName(idName);
      AMIdentityRepository repository = getAMIdentityRepository(orgName);
      IdSearchControl control = new IdSearchControl();
      control.setRecursive(true);
      control.setTimeOut(0);
      control.setMaxResults(0);
      control.setAllReturnAttributes(false);
      IdSearchResults searchResults = repository.searchIdentities(idType, shortName, control);
      Set<?> hits = Collections.emptySet();
      if (searchResults != null) {
        hits = searchResults.getSearchResults();
      }

      if (hits != null && hits.size() > 1) {
        // Ambiguous: refuse rather than pick one. The duplicates have to be fixed by a super
        // admin.
        debug.error("getIdentity: Multiple matches found for " + "user '" + shortName);
        throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
      }

      Iterator<?> it = hits.iterator();
      if (it.hasNext()) {
        found = (AMIdentity) it.next();
      }
    } catch (SSOException sso) {
      if (debug.messageEnabled()) {
        debug.message("getIdentity error " + sso.getMessage());
      }
    } catch (IdRepoException ide) {
      if (debug.messageEnabled()) {
        debug.message("IdRepoException error " + ide.getMessage());
      }
    }

    if (found == null) {
      throw new AuthException(AMAuthErrorCode.AUTH_PROFILE_ERROR, null);
    }
    return found;
  }