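/**
 * Returns {@code true} if the given attribute value is present for the user
 * represented by the {@link Subject}.
 *
 * <p>Two attribute namespaces are understood:
 * <ul>
 *   <li>{@code NAMESPACE_ATTR}: the remainder of {@code attrName} is a profile attribute
 *       name and {@code attrValue} must be one of its values;</li>
 *   <li>{@code NAMESPACE_MEMBERSHIP}: the remainder names an identity type; {@code attrValue}
 *       is resolved as an identity of that type (via the same {@code AMIdentity} constructor
 *       used for the subject's principal id, so presumably a universal id) and the user must be
 *       one of its {@code IdType.USER} members.</li>
 * </ul>
 * Any other attribute name, an unknown identity type, or a type mismatch yields {@code false}.
 *
 * <p>All repository access is made with the administrator token, so the subject is only
 * <em>identified</em> by its principal id here, never authenticated; the caller is responsible
 * for having established who the subject is.
 *
 * @param subject identity of the user
 * @param attrName namespace-prefixed attribute name to check
 * @param attrValue attribute value (or member-of identity) to check
 * @return {@code true} if the attribute value is present for the given user
 * @throws EntitlementException (code 601, wrapping the cause) if the identity repository or the
 *         SSO layer fails
 */
public boolean hasAttribute(Subject subject, String attrName, String attrValue)
        throws EntitlementException {
    String uuid = SubjectUtils.getPrincipalId(subject);
    try {
        // Privileged lookup on behalf of the (unauthenticated-here) subject.
        SSOToken adminToken =
                (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentity amid = new AMIdentity(adminToken, uuid);

        if (attrName.startsWith(NAMESPACE_ATTR)) {
            String profileAttr = attrName.substring(NAMESPACE_ATTR.length());
            Set<String> values = amid.getAttribute(profileAttr);
            // A missing attribute is "not present", not an error.
            return values != null && values.contains(attrValue);
        }

        if (attrName.startsWith(NAMESPACE_MEMBERSHIP)) {
            IdType type = IdUtils.getType(attrName.substring(NAMESPACE_MEMBERSHIP.length()));
            if (type == null) {
                return false;
            }
            AMIdentity parent = new AMIdentity(adminToken, attrValue);
            if (!parent.getType().equals(type)) {
                // attrValue resolved to an identity of a different type than requested.
                return false;
            }
            Set<String> members = parent.getMembers(IdType.USER);
            // A null member set (no members / not resolvable) is "not a member", not an NPE.
            // NOTE(review): if getMembers() actually yields AMIdentity objects rather than
            // universal-id strings, contains(String) can never match — confirm against AMIdentity.
            return members != null && members.contains(amid.getUniversalId());
        }

        return false;
    } catch (IdRepoException | SSOException e) {
        Object[] params = {uuid};
        throw new EntitlementException(601, params, e);
    }
}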
/**
 * Returns the display name of the identity with the given universal id.
 *
 * <p>The lookup is made with the calling user's own SSO token (not an admin token),
 * presumably so that the data store applies the caller's own access rights — confirm.
 *
 * @param universalId universal id of the identity to resolve
 * @return the identity's name as reported by the repository
 * @throws AMConsoleException if the repository lookup fails; the message is the
 *         localised text for the underlying {@code IdRepoException}
 */
public String getDisplayName(String universalId) throws AMConsoleException {
    try {
        AMIdentity identity = IdUtils.getIdentity(getUserSSOToken(), universalId);
        return identity.getName();
    } catch (IdRepoException repoError) {
        throw new AMConsoleException(getErrorString(repoError));
    }
}
/**
 * Returns the configuration attributes of the agent identified by the given universal id.
 *
 * <p>The identity is resolved with the console's administrator token, so no per-caller
 * access check happens here; callers are expected to have been authorised for this
 * agent before invoking it — confirm where that check is made.
 *
 * @param universalId universal id of the agent identity
 * @return the agent's attributes as returned by {@code AgentConfiguration.getAgentAttributes}
 *         (raw {@code Map}, as declared by the existing interface)
 * @throws AMConsoleException if the identity, SMS or SSO layer fails; only the cause's
 *         message is carried over, the cause itself is not attached
 */
public Map getAttributeValues(String universalId) throws AMConsoleException {
    try {
        AMIdentity agent = IdUtils.getIdentity(adminSSOToken, universalId);
        return AgentConfiguration.getAgentAttributes(agent, true);
    } catch (SSOException | IdRepoException e) {
        throw new AMConsoleException(e.getMessage());
    } catch (SMSException e) {
        throw new AMConsoleException(e.getMessage());
    }
}
/**
 * Resolves and validates the session of the subject for which a token is to be generated.
 *
 * <p>Checks performed, in order: the token string must parse into an {@code SSOToken}, the
 * token must still be valid, and the realm of the session's identity (converted with
 * {@code DNMapper.orgNameToRealmName}) must equal the invocation realm, ignoring case. The
 * invocation realm is compared as-is, so it is expected to already be in realm form.
 *
 * @param invocationState carries the subject's SSO token string and the invocation realm
 * @return the validated subject session token
 * @throws ForbiddenException if the token cannot be created, is invalid, the identity cannot be
 *         resolved, or the realms differ
 */
private SSOToken validateAssertionSubjectSession(
        TokenGenerationServiceInvocationState invocationState) throws ForbiddenException {
    final SSOTokenManager tokenManager;
    final SSOToken subjectToken;
    try {
        tokenManager = SSOTokenManager.getInstance();
        subjectToken = tokenManager.createSSOToken(invocationState.getSsoTokenString());
    } catch (SSOException e) {
        logger.debug(
                "Exception caught creating the SSO token from the token string, almost certainly "
                        + "because token string does not correspond to a valid session: " + e);
        // NOTE(review): e.toString() becomes the ForbiddenException message; if that message is
        // rendered to the remote caller it may expose internal detail — confirm how it is surfaced.
        throw new ForbiddenException(e.toString(), e);
    }

    if (!tokenManager.isValidToken(subjectToken)) {
        throw new ForbiddenException("SSO token string does not correspond to a valid SSOToken");
    }

    try {
        AMIdentity subjectIdentity = IdUtils.getIdentity(subjectToken);
        String invocationRealm = invocationState.getRealm();
        String subjectSessionRealm = DNMapper.orgNameToRealmName(subjectIdentity.getRealm());
        logger.debug(
                "TokenGenerationService:validateAssertionSubjectSession subjectRealm "
                        + subjectSessionRealm + " invocation realm: " + invocationRealm);

        boolean sameRealm = invocationRealm.equalsIgnoreCase(subjectSessionRealm);
        if (!sameRealm) {
            // A session from another realm must not be able to obtain tokens in this one.
            logger.error(
                    "TokenGenerationService:validateAssertionSubjectSession realms do not match: Subject realm : "
                            + subjectSessionRealm + " invocation realm: " + invocationRealm);
            throw new ForbiddenException("SSO token subject realm does not match invocation realm");
        }
    } catch (SSOException | IdRepoException e) {
        logger.error(
                "TokenGenerationService:validateAssertionSubjectSession error while validating identity : "
                        + e);
        throw new ForbiddenException(e.toString(), e);
    }
    return subjectToken;
}
/**
 * Resolves the identity for a user name within a realm.
 *
 * <p>Delegates straight to {@code IdUtils.getIdentity(username, realm)}; it is
 * {@code protected} presumably so subclasses (or tests) can substitute the lookup — confirm.
 *
 * @param username user name to resolve
 * @param realm realm in which to resolve it
 * @return whatever {@code IdUtils.getIdentity} returns for the pair (may be {@code null}
 *         if that helper returns {@code null}; not checked here)
 */
protected AMIdentity createIdentity(String username, String realm) {
    AMIdentity resolved = IdUtils.getIdentity(username, realm);
    return resolved;
}
/**
 * Returns the requested attribute values of the user represented by the {@link Subject}.
 *
 * <p>The result always contains the {@code NAMESPACE_IDENTITY} entry (the user's id without
 * the org name). Names under {@code NAMESPACE_ATTR} are fetched from the user's profile;
 * names under {@code NAMESPACE_MEMBERSHIP} are treated as identity types and the user's
 * memberships of that type are returned (short ids in the result, universal ids in the
 * public credentials).
 *
 * <p>Side effect: a map mirroring the result but keyed on universal ids is added to
 * {@code subject.getPublicCredentials()}. Per the {@code Subject} API that set rejects
 * modification with {@code IllegalStateException} when the Subject is read-only.
 *
 * <p>All repository access uses the administrator token; the subject is identified by its
 * principal id only and is not authenticated here.
 *
 * @param subject identity of the user
 * @param attrNames requested, namespace-prefixed attribute names
 * @return a map of attribute names to their values
 * @throws EntitlementException (code 600, wrapping the cause) if the repository or SSO layer fails
 */
public Map<String, Set<String>> getAttributes(Subject subject, Set<String> attrNames)
        throws EntitlementException {
    String uuid = SubjectUtils.getPrincipalId(subject);
    try {
        Map<String, Set<String>> results = new HashMap<>();
        Map<String, Set<String>> pubCreds = new HashMap<>();

        SSOToken adminToken =
                (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentity amid = new AMIdentity(adminToken, uuid);

        // Identity entry: short form in the result, full principal id in the credentials.
        Set<String> shortId = new HashSet<>(2);
        shortId.add(getIDWithoutOrgName(amid));
        results.put(NAMESPACE_IDENTITY, shortId);
        Set<String> fullId = new HashSet<>(2);
        fullId.add(uuid);
        pubCreds.put(NAMESPACE_IDENTITY, fullId);

        // Plain profile attributes.
        Set<String> primitiveAttrNames = getAttributeNames(attrNames, NAMESPACE_ATTR);
        if (!primitiveAttrNames.isEmpty()) {
            Map<String, Set<String>> fetched = amid.getAttributes(primitiveAttrNames);
            for (Map.Entry<String, Set<String>> entry : fetched.entrySet()) {
                Set<String> values = entry.getValue();
                if (values == null) {
                    continue;
                }
                String key = NAMESPACE_ATTR + entry.getKey();
                // The same Set instance is shared by both maps (as before).
                results.put(key, values);
                pubCreds.put(key, values);
            }
        }

        // Memberships, one entry per requested identity type.
        Set<String> membershipAttrNames = getAttributeNames(attrNames, NAMESPACE_MEMBERSHIP);
        for (String typeName : membershipAttrNames) {
            IdType type = IdUtils.getType(typeName);
            if (type == null) {
                continue;
            }
            Set<AMIdentity> memberships = amid.getMemberships(type);
            if (memberships == null) {
                continue;
            }
            Set<String> shortNames = new HashSet<>();
            Set<String> universalIds = new HashSet<>();
            for (AMIdentity member : memberships) {
                shortNames.add(getIDWithoutOrgName(member));
                universalIds.add(member.getUniversalId());
            }
            results.put(NAMESPACE_MEMBERSHIP + typeName, shortNames);
            pubCreds.put(NAMESPACE_MEMBERSHIP + typeName, universalIds);
        }

        // Attach the universal-id view to the Subject for downstream consumers.
        Set<Object> publicCreds = subject.getPublicCredentials();
        publicCreds.add(pubCreds);
        return results;
    } catch (SSOException | IdRepoException e) {
        Object[] params = {uuid};
        throw new EntitlementException(600, params, e);
    }
}
/**
 * Reports whether the organization is active (its {@code inetDomainStatus}).
 *
 * <p>The check is made with the authentication service's own session
 * ({@code ssoAuthSession}), not with any end-user token.
 *
 * @param orgName organization whose status is checked
 * @return {@code true} if {@code IdUtils.isOrganizationActive} reports the org as active
 * @throws IdRepoException if the organization's information cannot be read
 * @throws SSOException if the auth service session cannot be used
 */
boolean getInetDomainStatus(String orgName) throws IdRepoException, SSOException {
    boolean active = IdUtils.isOrganizationActive(ssoAuthSession, orgName);
    return active;
}
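/**
 * Returns the {@code AMIdentity} object for the given parameters.
 *
 * <p>Resolution happens in two steps: a direct lookup through
 * {@code IdUtils.getIdentity} (accepted only if the identity exists, has the requested
 * type and its attributes are readable), then a recursive repository search on the
 * name part of {@code idName}. Exactly one search match is required: several matches
 * are refused with {@code AUTH_ERROR} rather than picking one, since authenticating the
 * wrong principal would be worse than failing; no match yields {@code AUTH_PROFILE_ERROR}.
 *
 * @param idType Identity Type.
 * @param idName Identity Name (may be a DN; it is reduced to its name for the search).
 * @param orgName organization name.
 * @return {@code AMIdentity} object, never {@code null}.
 * @throws AuthException if there was no result, or if there was more than one result.
 */
public AMIdentity getIdentity(IdType idType, String idName, String orgName)
        throws AuthException {
    if (debug.messageEnabled()) {
        debug.message("IdType is :" + idType);
        debug.message("IdName is :" + idName);
        debug.message("orgName is :" + orgName);
    }

    // Step 1: cheap direct resolution by name.
    AMIdentity amIdentity = findIdentityByName(idType, idName, orgName);
    if (amIdentity != null) {
        return amIdentity;
    }

    // Step 2: repository search; must match exactly one identity.
    amIdentity = searchIdentityInRepo(idType, idName, orgName);
    if (amIdentity == null) {
        throw new AuthException(AMAuthErrorCode.AUTH_PROFILE_ERROR, null);
    }
    return amIdentity;
}

/**
 * Resolves the identity via {@code IdUtils.getIdentity}; returns {@code null} (never throws)
 * when the result is absent, does not exist, has another type, has no readable attributes,
 * or the lookup fails.
 */
private AMIdentity findIdentityByName(IdType idType, String idName, String orgName) {
    try {
        if (debug.messageEnabled()) {
            debug.message("AuthD.getIdentity() from IdUtils Name: " + idName + " Org: " + orgName);
        }
        AMIdentity amIdentity = IdUtils.getIdentity(getSSOAuthSession(), idName, orgName);
        // getAttributes() is invoked only to prove the entry is readable; its value is discarded.
        if ((amIdentity != null)
                && amIdentity.isExists()
                && amIdentity.getType().equals(idType)
                && (amIdentity.getAttributes() != null)) {
            if (debug.messageEnabled()) {
                debug.message(
                        "AuthD.getIdentity obtained identity" + "using IdUtil.getIdentity: " + amIdentity);
            }
            return amIdentity;
        }
    } catch (IdRepoException e) {
        // Not fatal: fall back to the repository search.
        if (debug.messageEnabled()) {
            debug.message(
                    "AuthD.getIdentity: Got IdRepoException while "
                            + "getting Identity from IdUtils: " + e.getMessage());
        }
    } catch (SSOException ssoe) {
        // Not fatal: fall back to the repository search.
        if (debug.messageEnabled()) {
            debug.message(
                    "AuthD.getIdentity: Got SSOException while "
                            + "getting Identity from IdUtils: " + ssoe.getMessage());
        }
    }
    return null;
}

/**
 * Searches the org's identity repository for {@code idName} (reduced to its name part).
 * Returns the single match, or {@code null} when there is none or the search fails.
 *
 * @throws AuthException ({@code AUTH_ERROR}) if more than one identity matches
 */
private AMIdentity searchIdentityInRepo(IdType idType, String idName, String orgName)
        throws AuthException {
    AMIdentity amIdentity = null;
    try {
        String name = DNUtils.DNtoName(idName);
        AMIdentityRepository amIdRepo = getAMIdentityRepository(orgName);
        IdSearchControl idsc = new IdSearchControl();
        idsc.setRecursive(true);
        idsc.setTimeOut(0);
        idsc.setMaxResults(0);
        idsc.setAllReturnAttributes(false);
        // NOTE(review): 'name' is passed as the search pattern unchanged; if the repository
        // honours wildcard characters, input validation upstream must prevent a pattern from
        // resolving to a different user's entry — confirm.
        IdSearchResults searchResults = amIdRepo.searchIdentities(idType, name, idsc);

        Set results = null;
        if (searchResults != null) {
            results = searchResults.getSearchResults();
        }
        if (results == null) {
            // No result set at all: treat as "no match" instead of an NPE on iterator().
            results = Collections.emptySet();
        }
        if (results.size() > 1) {
            // Ambiguous account: refuse rather than guess; an admin has to resolve the duplicate.
            debug.error("getIdentity: Multiple matches found for " + "user '" + name + "'");
            throw new AuthException(AMAuthErrorCode.AUTH_ERROR, null);
        }
        Iterator users = results.iterator();
        if (users.hasNext()) {
            amIdentity = (AMIdentity) users.next();
        }
    } catch (SSOException sso) {
        if (debug.messageEnabled()) {
            debug.message("getIdentity error " + sso.getMessage());
        }
    } catch (IdRepoException ide) {
        if (debug.messageEnabled()) {
            debug.message("IdRepoException error " + ide.getMessage());
        }
    }
    return amIdentity;
}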