/**
  * Returns <code>true</code> if attribute value for the given user represented by
  * <class>Subject</class> object is present.
  *
  * @param subject identity of the user
  * @param attrName attribute name to check
  * @param attrValue attribute value to check
  * @return <code>true</code> if attribute value for the given user represented by
  *     <class>Subject</class> object is present.
  * @throws com.sun.identity.entitlement.EntitlementException if this operation failed.
  */
 public boolean hasAttribute(Subject subject, String attrName, String attrValue)
     throws EntitlementException {
   String uuid = SubjectUtils.getPrincipalId(subject);
   try {
     SSOToken adminToken =
         (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
     AMIdentity amid = new AMIdentity(adminToken, uuid);
     if (attrName.startsWith(NAMESPACE_ATTR)) {
       Set<String> values = amid.getAttribute(attrName.substring(NAMESPACE_ATTR.length()));
       return (values != null) ? values.contains(attrValue) : false;
     } else if (attrName.startsWith(NAMESPACE_MEMBERSHIP)) {
       IdType type = IdUtils.getType(attrName.substring(NAMESPACE_MEMBERSHIP.length()));
       if (type != null) {
         AMIdentity parent = new AMIdentity(adminToken, attrValue);
         if (parent.getType().equals(type)) {
           Set<String> members = parent.getMembers(IdType.USER);
           return members.contains(amid.getUniversalId());
         }
       }
     }
     return false;
   } catch (IdRepoException e) {
     Object[] params = {uuid};
     throw new EntitlementException(601, params, e);
   } catch (SSOException e) {
     Object[] params = {uuid};
     throw new EntitlementException(601, params, e);
   }
 }
Пример #2
0
 public String getDisplayName(String universalId) throws AMConsoleException {
   try {
     AMIdentity amid = IdUtils.getIdentity(getUserSSOToken(), universalId);
     return amid.getName();
   } catch (IdRepoException e) {
     throw new AMConsoleException(getErrorString(e));
   }
 }
Пример #3
0
 public Map getAttributeValues(String universalId) throws AMConsoleException {
   try {
     AMIdentity amid = IdUtils.getIdentity(adminSSOToken, universalId);
     Map values = AgentConfiguration.getAgentAttributes(amid, true);
     return values;
   } catch (IdRepoException re) {
     throw new AMConsoleException(re.getMessage());
   } catch (SMSException se) {
     throw new AMConsoleException(se.getMessage());
   } catch (SSOException ssoe) {
     throw new AMConsoleException(ssoe.getMessage());
   }
 }
 private SSOToken validateAssertionSubjectSession(
     TokenGenerationServiceInvocationState invocationState) throws ForbiddenException {
   SSOToken subjectToken;
   SSOTokenManager tokenManager;
   try {
     tokenManager = SSOTokenManager.getInstance();
     subjectToken = tokenManager.createSSOToken(invocationState.getSsoTokenString());
   } catch (SSOException e) {
     logger.debug(
         "Exception caught creating the SSO token from the token string, almost certainly "
             + "because token string does not correspond to a valid session: "
             + e);
     throw new ForbiddenException(e.toString(), e);
   }
   if (!tokenManager.isValidToken(subjectToken)) {
     throw new ForbiddenException("SSO token string does not correspond to a valid SSOToken");
   }
   try {
     AMIdentity subjectIdentity = IdUtils.getIdentity(subjectToken);
     String invocationRealm = invocationState.getRealm();
     String subjectSessionRealm = DNMapper.orgNameToRealmName(subjectIdentity.getRealm());
     logger.debug(
         "TokenGenerationService:validateAssertionSubjectSession subjectRealm "
             + subjectSessionRealm
             + " invocation realm: "
             + invocationRealm);
     if (!invocationRealm.equalsIgnoreCase(subjectSessionRealm)) {
       logger.error(
           "TokenGenerationService:validateAssertionSubjectSession realms do not match: Subject realm : "
               + subjectSessionRealm
               + " invocation realm: "
               + invocationRealm);
       throw new ForbiddenException("SSO token subject realm does not match invocation realm");
     }
   } catch (SSOException | IdRepoException e) {
     logger.error(
         "TokenGenerationService:validateAssertionSubjectSession error while validating identity : "
             + e);
     throw new ForbiddenException(e.toString(), e);
   }
   return subjectToken;
 }
 protected AMIdentity createIdentity(String username, String realm) {
   return IdUtils.getIdentity(username, realm);
 }
  /**
   * Returns the attribute values of the given user represented by <class>Subject</class> object.
   *
   * @param subject identity of the user
   * @param attrNames requested attribute names
   * @return a map of attribute names and their values
   * @throws com.sun.identity.entitlement.EntitlementException if this operation failed.
   */
  public Map<String, Set<String>> getAttributes(Subject subject, Set<String> attrNames)
      throws EntitlementException {
    String uuid = SubjectUtils.getPrincipalId(subject);
    try {
      Map<String, Set<String>> results = new HashMap<String, Set<String>>();
      Map<String, Set<String>> pubCreds = new HashMap<String, Set<String>>();

      SSOToken adminToken =
          (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
      AMIdentity amid = new AMIdentity(adminToken, uuid);

      Set<String> set = new HashSet<String>(2);
      set.add(getIDWithoutOrgName(amid));
      results.put(NAMESPACE_IDENTITY, set);
      set = new HashSet<String>(2);
      set.add(uuid);
      pubCreds.put(NAMESPACE_IDENTITY, set);

      Set<String> primitiveAttrNames = getAttributeNames(attrNames, NAMESPACE_ATTR);
      if (!primitiveAttrNames.isEmpty()) {
        Map<String, Set<String>> primitiveAttrValues = amid.getAttributes(primitiveAttrNames);
        for (String name : primitiveAttrValues.keySet()) {
          Set<String> values = primitiveAttrValues.get(name);
          if (values != null) {
            results.put(NAMESPACE_ATTR + name, values);
            pubCreds.put(NAMESPACE_ATTR + name, values);
          }
        }
      }

      Set<String> membershipAttrNames = getAttributeNames(attrNames, NAMESPACE_MEMBERSHIP);
      if (!membershipAttrNames.isEmpty()) {
        for (String m : membershipAttrNames) {
          IdType type = IdUtils.getType(m);

          if (type != null) {
            Set<AMIdentity> memberships = amid.getMemberships(type);

            if (memberships != null) {
              Set<String> setMemberships = new HashSet<String>();
              Set<String> membershipsCred = new HashSet<String>();
              for (AMIdentity a : memberships) {
                setMemberships.add(getIDWithoutOrgName(a));
                membershipsCred.add(a.getUniversalId());
              }
              results.put(NAMESPACE_MEMBERSHIP + m, setMemberships);
              pubCreds.put(NAMESPACE_MEMBERSHIP + m, membershipsCred);
            }
          }
        }
      }

      Set<Object> publicCreds = subject.getPublicCredentials();
      publicCreds.add(pubCreds);
      return results;
    } catch (SSOException e) {
      Object[] params = {uuid};
      throw new EntitlementException(600, params, e);
    } catch (IdRepoException e) {
      Object[] params = {uuid};
      throw new EntitlementException(600, params, e);
    }
  }
Пример #7
0
 /**
  * get inetDomainStatus attribute for the org
  *
  * @param orgName org name to check inetDomainStatus
  * @return true if org is active
  * @throws IdRepoException if can not can any information for org
  * @throws SSOException if can not use <code>SSOToken</code> for admin
  */
 boolean getInetDomainStatus(String orgName) throws IdRepoException, SSOException {
   return IdUtils.isOrganizationActive(ssoAuthSession, orgName);
 }
Пример #8
0
  /**
   * Returns the <code>AMIdentity</code> object for the given parameters. If there is no such
   * identity, or there is more then one matching identity, then an AuthException will be thrown.
   *
   * @param idType Identity Type.
   * @param idName Identity Name.
   * @param orgName organization name.
   * @return <code>AMIdentity</code> object.
   * @throws AuthException if there was no result, or if there was more results then one.
   */
  public AMIdentity getIdentity(IdType idType, String idName, String orgName) throws AuthException {
    if (debug.messageEnabled()) {
      debug.message("IdType is :" + idType);
      debug.message("IdName is :" + idName);
      debug.message("orgName is :" + orgName);
    }
    AMIdentity amIdentity = null;

    // Try getting the identity using IdUtils.getIdentity(...)
    try {
      if (debug.messageEnabled()) {
        debug.message("AuthD.getIdentity() from IdUtils Name: " + idName + " Org: " + orgName);
      }
      amIdentity = IdUtils.getIdentity(getSSOAuthSession(), idName, orgName);
      if ((amIdentity != null)
          && (amIdentity.isExists())
          && (amIdentity.getType().equals(idType))
          && (amIdentity.getAttributes() != null)) {
        if (debug.messageEnabled()) {
          debug.message(
              "AuthD.getIdentity obtained identity" + "using IdUtil.getIdentity: " + amIdentity);
        }
        return (amIdentity);
      }
    } catch (IdRepoException e) {
      // Ignore this exception and continue with search
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got IdRepoException while "
                + "getting Identity from IdUtils: "
                + e.getMessage());
      }
    } catch (SSOException ssoe) {
      // Ignore this exception and continue with search
      if (debug.messageEnabled()) {
        debug.message(
            "AuthD.getIdentity: Got SSOException while "
                + "getting Identity from IdUtils: "
                + ssoe.getMessage());
      }
    }

    // Obtain AMIdentity object by searching within IdRepo
    try {
      amIdentity = null;
      idName = DNUtils.DNtoName(idName);
      AMIdentityRepository amIdRepo = getAMIdentityRepository(orgName);
      IdSearchControl idsc = new IdSearchControl();
      idsc.setRecursive(true);
      idsc.setTimeOut(0);
      idsc.setMaxResults(0);
      idsc.setAllReturnAttributes(false);
      IdSearchResults searchResults = amIdRepo.searchIdentities(idType, idName, idsc);
      Set results = Collections.EMPTY_SET;
      if (searchResults != null) {
        results = searchResults.getSearchResults();
      }

      if ((results != null) && (results.size() > 1)) {
        // multiple user match found, throw exception,
        // user need to login as super admin to fix it
        debug.error("getIdentity: Multiple matches found for " + "user '" + idName);
        throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
      }

      Iterator users = results.iterator();
      if (users.hasNext()) {
        amIdentity = (AMIdentity) users.next();
      }
    } catch (SSOException sso) {
      if (debug.messageEnabled()) {
        debug.message("getIdentity error " + sso.getMessage());
      }
    } catch (IdRepoException ide) {
      if (debug.messageEnabled()) {
        debug.message("IdRepoException error " + ide.getMessage());
      }
    }
    if (amIdentity == null) {
      throw new AuthException(AMAuthErrorCode.AUTH_PROFILE_ERROR, null);
    }

    return amIdentity;
  }