/** * Returns <code>true</code> if attribute value for the given user represented by * <class>Subject</class> object is present. * * @param subject identity of the user * @param attrName attribute name to check * @param attrValue attribute value to check * @return <code>true</code> if attribute value for the given user represented by * <class>Subject</class> object is present. * @throws com.sun.identity.entitlement.EntitlementException if this operation failed. */ public boolean hasAttribute(Subject subject, String attrName, String attrValue) throws EntitlementException { String uuid = SubjectUtils.getPrincipalId(subject); try { SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); AMIdentity amid = new AMIdentity(adminToken, uuid); if (attrName.startsWith(NAMESPACE_ATTR)) { Set<String> values = amid.getAttribute(attrName.substring(NAMESPACE_ATTR.length())); return (values != null) ? values.contains(attrValue) : false; } else if (attrName.startsWith(NAMESPACE_MEMBERSHIP)) { IdType type = IdUtils.getType(attrName.substring(NAMESPACE_MEMBERSHIP.length())); if (type != null) { AMIdentity parent = new AMIdentity(adminToken, attrValue); if (parent.getType().equals(type)) { Set<String> members = parent.getMembers(IdType.USER); return members.contains(amid.getUniversalId()); } } } return false; } catch (IdRepoException e) { Object[] params = {uuid}; throw new EntitlementException(601, params, e); } catch (SSOException e) { Object[] params = {uuid}; throw new EntitlementException(601, params, e); } }
/** * Returns the attribute values of the given user represented by <class>Subject</class> object. * * @param subject identity of the user. * @param attrNames requested attribute names. * @return a map of attribute names and their values * @throws com.sun.identity.entitlement.EntitlementException if this operation failed. */ public Map<String, Set<String>> getUserAttributes(Subject subject, Set<String> attrNames) throws EntitlementException { String uuid = SubjectUtils.getPrincipalId(subject); try { SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); AMIdentity amid = new AMIdentity(adminToken, uuid); return amid.getAttributes(attrNames); } catch (IdRepoException e) { Object[] params = {uuid}; throw new EntitlementException(601, params, e); } catch (SSOException e) { Object[] params = {uuid}; throw new EntitlementException(601, params, e); } }
private static void registerListener() { SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); EntitlementConfiguration ec = EntitlementConfiguration.getInstance(SubjectUtils.createSubject(adminToken), "/"); if (ec.migratedToEntitlementService()) { try { ServiceConfigManager scm = new ServiceConfigManager(IdConstants.REPO_SERVICE, adminToken); scm.addListener(new SubRealmObserver()); } catch (SMSException e) { PrivilegeManager.debug.error("SubRealmObserver.registerListener", e); } catch (SSOException e) { PrivilegeManager.debug.error("SubRealmObserver.registerListener", e); } } }
/** * Returns the attribute values of the given user represented by <class>Subject</class> object. * * @param subject identity of the user * @param attrNames requested attribute names * @return a map of attribute names and their values * @throws com.sun.identity.entitlement.EntitlementException if this operation failed. */ public Map<String, Set<String>> getAttributes(Subject subject, Set<String> attrNames) throws EntitlementException { String uuid = SubjectUtils.getPrincipalId(subject); try { Map<String, Set<String>> results = new HashMap<String, Set<String>>(); Map<String, Set<String>> pubCreds = new HashMap<String, Set<String>>(); SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); AMIdentity amid = new AMIdentity(adminToken, uuid); Set<String> set = new HashSet<String>(2); set.add(getIDWithoutOrgName(amid)); results.put(NAMESPACE_IDENTITY, set); set = new HashSet<String>(2); set.add(uuid); pubCreds.put(NAMESPACE_IDENTITY, set); Set<String> primitiveAttrNames = getAttributeNames(attrNames, NAMESPACE_ATTR); if (!primitiveAttrNames.isEmpty()) { Map<String, Set<String>> primitiveAttrValues = amid.getAttributes(primitiveAttrNames); for (String name : primitiveAttrValues.keySet()) { Set<String> values = primitiveAttrValues.get(name); if (values != null) { results.put(NAMESPACE_ATTR + name, values); pubCreds.put(NAMESPACE_ATTR + name, values); } } } Set<String> membershipAttrNames = getAttributeNames(attrNames, NAMESPACE_MEMBERSHIP); if (!membershipAttrNames.isEmpty()) { for (String m : membershipAttrNames) { IdType type = IdUtils.getType(m); if (type != null) { Set<AMIdentity> memberships = amid.getMemberships(type); if (memberships != null) { Set<String> setMemberships = new HashSet<String>(); Set<String> membershipsCred = new HashSet<String>(); for (AMIdentity a : memberships) { setMemberships.add(getIDWithoutOrgName(a)); membershipsCred.add(a.getUniversalId()); } results.put(NAMESPACE_MEMBERSHIP + m, setMemberships); pubCreds.put(NAMESPACE_MEMBERSHIP + m, membershipsCred); } } } } Set<Object> publicCreds = subject.getPublicCredentials(); publicCreds.add(pubCreds); return results; } catch (SSOException e) { Object[] params = {uuid}; throw new EntitlementException(600, params, e); } catch (IdRepoException e) { Object[] params = {uuid}; throw new EntitlementException(600, params, e); } }
/** * This observer will remove all referral and application privileges that have reference to a delete * sub realm. */ public class SubRealmObserver implements ServiceListener, SetupListener { private static Subject adminSubject = SubjectUtils.createSuperAdminSubject(); public void addListener() { registerListener(); } private static void registerListener() { SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance()); EntitlementConfiguration ec = EntitlementConfiguration.getInstance(SubjectUtils.createSubject(adminToken), "/"); if (ec.migratedToEntitlementService()) { try { ServiceConfigManager scm = new ServiceConfigManager(IdConstants.REPO_SERVICE, adminToken); scm.addListener(new SubRealmObserver()); } catch (SMSException e) { PrivilegeManager.debug.error("SubRealmObserver.registerListener", e); } catch (SSOException e) { PrivilegeManager.debug.error("SubRealmObserver.registerListener", e); } } } public void schemaChanged(String serviceName, String version) { // do nothing } public void globalConfigChanged( String serviceName, String version, String groupName, String serviceComponent, int type) { // do nothing } public void organizationConfigChanged( String serviceName, String version, String orgName, String groupName, String serviceComponent, int type) { if (type == ServiceListener.REMOVED) { ApplicationManager.clearCache(DNMapper.orgNameToRealmName(orgName)); try { OpenSSOApplicationPrivilegeManager.removeAllPrivileges(orgName); } catch (EntitlementException ex) { PrivilegeManager.debug.error( "SubRealmObserver.organizationConfigChanged: " + "Unable to remove application privileges", ex); } String deletedRealm = DNMapper.orgNameToRealmName(orgName); try { EntitlementService es = new EntitlementService(deletedRealm); Set<String> parentAndPeerRealms = es.getParentAndPeerRealmNames(); if ((parentAndPeerRealms != null) && !parentAndPeerRealms.isEmpty()) { for (String r : parentAndPeerRealms) { removeReferrals(r, deletedRealm); } } } catch (EntitlementException ex) { PrivilegeManager.debug.error( "SubRealmObserver.organizationConfigChanged: " + "Unable to remove referral privileges", ex); } } else if (type == ServiceListener.MODIFIED) { ApplicationManager.clearCache(DNMapper.orgNameToRealmName(orgName)); } } private void removeReferrals(String realm, String deletedRealm) throws EntitlementException { Set<String> referralNames = DataStore.getReferralNames(realm, deletedRealm); if ((referralNames != null) && !referralNames.isEmpty()) { ReferralPrivilegeManager rfm = new ReferralPrivilegeManager(realm, adminSubject); for (String name : referralNames) { ReferralPrivilege referral = rfm.getReferral(name); Set<String> realms = referral.getRealms(); for (Iterator<String> i = realms.iterator(); i.hasNext(); ) { String r = i.next(); if (r.equalsIgnoreCase(deletedRealm)) { i.remove(); } } if (realms.isEmpty()) { rfm.delete(name); } else { referral.setRealms(realms); rfm.modify(referral); } } } } }