public String getGroupingIdentifiers(String loginResponse) {
JSONObject obj;
String username = null;
Boolean isSuperTenant;
int tenantId = MultitenantConstants.SUPER_TENANT_ID;
String tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
String claim = "http://wso2.org/claims/organization";
String organization = null;
try {
obj = new JSONObject(loginResponse);
username = (String) obj.get("user");
isSuperTenant = (Boolean) obj.get("isSuperTenant");
RealmService realmService = ServiceReferenceHolder.getInstance().getRealmService();
// if the user is not in the super tenant domain then find the domain name and tenant id.
if (!isSuperTenant) {
tenantDomain = MultitenantUtils.getTenantDomain(username);
tenantId =
ServiceReferenceHolder.getInstance()
.getRealmService()
.getTenantManager()
.getTenantId(tenantDomain);
}
UserRealm realm = (UserRealm) realmService.getTenantUserRealm(tenantId);
UserStoreManager manager = realm.getUserStoreManager();
organization =
manager.getUserClaimValue(MultitenantUtils.getTenantAwareUsername(username), claim, null);
if (organization != null) {
organization = tenantDomain + "/" + organization.trim();
}
} catch (JSONException e) {
log.error("Exception occured while trying to get group Identifier from login response");
} catch (org.wso2.carbon.user.api.UserStoreException e) {
log.error("Error while checking user existence for " + username);
}
return organization;
}
/**
* This method locks the accounts after a configured number of authentication failure attempts.
* And unlocks accounts based on successful authentications.
*/
@Override
public boolean doPostAuthenticate(
String userName, boolean authenticated, UserStoreManager userStoreManager)
throws UserStoreException {
if (log.isDebugEnabled()) {
log.debug("Post authenticator is called in IdentityMgtEventListener");
}
IdentityMgtConfig config = IdentityMgtConfig.getInstance();
if (!config.isEnableAuthPolicy()) {
return authenticated;
}
UserIdentityClaimsDO userIdentityDTO = module.load(userName, userStoreManager);
if (userIdentityDTO == null) {
userIdentityDTO = new UserIdentityClaimsDO(userName);
}
boolean userOTPEnabled = userIdentityDTO.getOneTimeLogin();
// One time password check
if (authenticated
&& config.isAuthPolicyOneTimePasswordCheck()
&& (!userStoreManager.isReadOnly())) {
// reset password of the user and notify user of the new password
if (userOTPEnabled) {
String password = UserIdentityManagementUtil.generateTemporaryPassword().toString();
userStoreManager.updateCredentialByAdmin(userName, password);
// Get email user claim value
String email =
userStoreManager.getUserClaimValue(
userName, UserCoreConstants.ClaimTypeURIs.EMAIL_ADDRESS, null);
if (email == null) {
throw new UserStoreException("No user email provided for user " + userName);
}
List<NotificationSendingModule> notificationModules =
config.getNotificationSendingModules();
if (notificationModules != null) {
NotificationDataDTO notificationData = new NotificationDataDTO();
NotificationData emailNotificationData = new NotificationData();
String emailTemplate = null;
int tenantId = userStoreManager.getTenantId();
String firstName = null;
try {
firstName =
Utils.getClaimFromUserStoreManager(
userName, tenantId, "http://wso2.org/claims/givenname");
} catch (IdentityException e2) {
throw new UserStoreException("Could not load user given name");
}
emailNotificationData.setTagData("first-name", firstName);
emailNotificationData.setTagData("user-name", userName);
emailNotificationData.setTagData("otp-password", password);
emailNotificationData.setSendTo(email);
Config emailConfig = null;
ConfigBuilder configBuilder = ConfigBuilder.getInstance();
try {
emailConfig =
configBuilder.loadConfiguration(ConfigType.EMAIL, StorageType.REGISTRY, tenantId);
} catch (Exception e1) {
throw new UserStoreException("Could not load the email template configuration");
}
emailTemplate = emailConfig.getProperty("otp");
Notification emailNotification = null;
try {
emailNotification =
NotificationBuilder.createNotification(
"EMAIL", emailTemplate, emailNotificationData);
} catch (Exception e) {
throw new UserStoreException("Could not create the email notification");
}
NotificationSender sender = new NotificationSender();
for (NotificationSendingModule notificationSendingModule : notificationModules) {
if (IdentityMgtConfig.getInstance().isNotificationInternallyManaged()) {
notificationSendingModule.setNotificationData(notificationData);
notificationSendingModule.setNotification(emailNotification);
sender.sendNotification(notificationSendingModule);
notificationData.setNotificationSent(true);
}
}
} else {
throw new UserStoreException("No notification modules configured");
}
}
}
// Password expire check. Not for OTP enabled users.
if (authenticated
&& config.isAuthPolicyExpirePasswordCheck()
&& !userOTPEnabled
&& (!userStoreManager.isReadOnly())) {
// TODO - password expire impl
// Refactor adduser and change password api to stamp the time
// Check user's expire time in the claim
// if expired redirect to change password
// else pass through
/*
long timestamp = userIdentityDTO.getPasswordTimeStamp();
// Only allow behavior to users with this claim. Intent bypass for admin?
if (timestamp > 0) {
Calendar passwordExpireTime = Calendar.getInstance();
passwordExpireTime.setTimeInMillis(timestamp);
int expireDuration = config.getAuthPolicyPasswordExpireTime();
if (expireDuration > 0) {
passwordExpireTime.add(Calendar.DATE, expireDuration);
Calendar currentTime = Calendar.getInstance();
if (currentTime.compareTo(passwordExpireTime) > 0) {
// password expired
// set flag to redirect
log.error("Password is expired ...........");
// throw new UserStoreException("Password is expired");
}
}
}
*/
}
if (!authenticated && config.isAuthPolicyAccountLockOnFailure()) {
userIdentityDTO.setFailAttempts();
// reading the max allowed #of failure attempts
if (userIdentityDTO.getFailAttempts() >= config.getAuthPolicyMaxLoginAttempts()) {
if (log.isDebugEnabled()) {
log.debug(
"User, "
+ userName
+ " has exceed the max failed login attempts. "
+ "User account would be locked");
}
userIdentityDTO.setAccountLock(true);
// lock time from the config
int lockTime = IdentityMgtConfig.getInstance().getAuthPolicyLockingTime();
if (lockTime != 0) {
userIdentityDTO.setUnlockTime(System.currentTimeMillis() + (lockTime * 60 * 1000));
}
}
try {
module.store(userIdentityDTO, userStoreManager);
} catch (IdentityException e) {
throw new UserStoreException("Error while doPostAuthenticate", e);
}
} else {
// if the account was locked due to account verification process,
// the unlock the account and reset the number of failedAttempts
if (userIdentityDTO.isAccountLocked() || userIdentityDTO.getFailAttempts() > 0) {
userIdentityDTO.setAccountLock(false);
userIdentityDTO.setFailAttempts(0);
userIdentityDTO.setUnlockTime(0);
try {
module.store(userIdentityDTO, userStoreManager);
} catch (IdentityException e) {
throw new UserStoreException("Error while doPostAuthenticate", e);
}
}
}
return true;
}
public void doClaimStuff() throws Exception {
UserStoreManager usWriter = realm.getUserStoreManager();
String[] allClaims = {
ClaimTestUtil.CLAIM_URI1, ClaimTestUtil.CLAIM_URI2, ClaimTestUtil.CLAIM_URI3
};
// add DEFAULT
usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, "claim1default", null);
try {
usWriter.setUserClaimValue(null, ClaimTestUtil.CLAIM_URI1, "claim1default", null);
fail("Exception at set claim values to null users");
} catch (Exception e) {
// expected exception
if (log.isDebugEnabled()) {
log.debug("Expected error, hence ignored", e);
}
}
try {
usWriter.setUserClaimValue("isuru", null, "claim1default", null);
fail("Exception at set claim values to null claimURI");
} catch (Exception e) {
// expected exception
if (log.isDebugEnabled()) {
log.debug("Expected error, hence ignored", e);
}
}
try {
usWriter.setUserClaimValue("isuru", ClaimTestUtil.CLAIM_URI1, null, null);
fail("Exception at set claim values to null claimValue");
} catch (Exception e) {
// expected exception
if (log.isDebugEnabled()) {
log.debug("Expected error, hence ignored", e);
}
}
String value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
assertEquals("claim1default", value);
// Non existing user
String value1 = usWriter.getUserClaimValue("isuru", ClaimTestUtil.CLAIM_URI1, null);
assertEquals(null, value1);
// update default
usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, "dimzi lee", null);
value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
assertEquals("dimzi lee", value);
// multiple additions
Map<String, String> map = new HashMap<String, String>();
map.put(ClaimTestUtil.CLAIM_URI1, "lee");
map.put(ClaimTestUtil.CLAIM_URI3, "muthu");
usWriter.setUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI2, "claim2default", null);
assertEquals(
"dimzi lee", usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null));
assertEquals(
"claim2default", usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI2, null));
assertNull(usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI3, null));
usWriter.setUserClaimValues("dimuthu", map, ClaimTestUtil.HOME_PROFILE_NAME);
assertEquals(
"lee",
usWriter.getUserClaimValue(
"dimuthu", ClaimTestUtil.CLAIM_URI1, ClaimTestUtil.HOME_PROFILE_NAME));
assertNull(
usWriter.getUserClaimValue(
"dimuthu", ClaimTestUtil.CLAIM_URI2, ClaimTestUtil.HOME_PROFILE_NAME));
assertEquals(
"muthu",
usWriter.getUserClaimValue(
"dimuthu", ClaimTestUtil.CLAIM_URI3, ClaimTestUtil.HOME_PROFILE_NAME));
usWriter.setUserClaimValue(
"dimuthu",
UserCoreConstants.PROFILE_CONFIGURATION,
ClaimTestUtil.HOME_PROFILE_NAME,
ClaimTestUtil.HOME_PROFILE_NAME);
Map<String, String> obtained =
usWriter.getUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
// assertNull(obtained.get(ClaimTestUtil.CLAIM_URI1)); // hidden
// assertEquals("claim2default", obtained.get(ClaimTestUtil.CLAIM_URI2)); // overridden
assertEquals("muthu", obtained.get(ClaimTestUtil.CLAIM_URI3)); // normal
// UPDATE
map.put(ClaimTestUtil.CLAIM_URI3, "muthulee");
usWriter.setUserClaimValues("dimuthu", map, ClaimTestUtil.HOME_PROFILE_NAME);
value =
usWriter.getUserClaimValue(
"dimuthu", ClaimTestUtil.CLAIM_URI3, ClaimTestUtil.HOME_PROFILE_NAME);
assertEquals("muthulee", value);
// DELETE
usWriter.deleteUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
value = usWriter.getUserClaimValue("dimuthu", ClaimTestUtil.CLAIM_URI1, null);
assertNull(value);
try {
usWriter.deleteUserClaimValue("dimuthu", null, null);
fail("Exception at null Claim URI");
} catch (Exception e) {
// expected exception
if (log.isDebugEnabled()) {
log.debug("Expected error, hence ignored", e);
}
}
try {
usWriter.deleteUserClaimValue(null, ClaimTestUtil.CLAIM_URI1, null);
fail("Exception at giving null user name to delete user claim values");
} catch (Exception e) {
// expected exception
if (log.isDebugEnabled()) {
log.debug("Expected error, hence ignored", e);
}
}
usWriter.deleteUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
obtained = usWriter.getUserClaimValues("dimuthu", allClaims, ClaimTestUtil.HOME_PROFILE_NAME);
assertNull(obtained.get(ClaimTestUtil.CLAIM_URI2)); // overridden
assertNull(obtained.get(ClaimTestUtil.CLAIM_URI3));
// UserStoreManager admin = realm.getUserStoreManager();
// admin.deleteUser("dimuthu");
}
