@Override
public String getConsolidatorToken(PerunSession sess) throws PerunException {
Map<String, Object> value = new HashMap<String, Object>();
String actor = sess.getPerunPrincipal().getActor();
String extSourceName = sess.getPerunPrincipal().getExtSourceName();
String extSourceType = sess.getPerunPrincipal().getExtSourceType();
Integer extSourceLoa = sess.getPerunPrincipal().getExtSourceLoa();
User user = sess.getPerunPrincipal().getUser();
value.put("actor", actor);
value.put("extSourceName", extSourceName);
value.put("extSourceType", extSourceType);
value.put("extSourceLoa", extSourceLoa);
value.put("user", user);
// create token from actual properties
String token =
registrarManager
.getMailManager()
.getMessageAuthenticationCode(
System.currentTimeMillis() + actor + extSourceName + extSourceType + extSourceLoa);
requestCache.putIfAbsent(token, value);
return token;
}
public Member addMember(
PerunSession sess, Group group, Member member, MembershipType type, int sourceGroupId)
throws InternalErrorException, AlreadyMemberException, WrongAttributeValueException,
WrongReferenceAttributeValueException {
// TODO already member exception
member.setMembershipType(type);
try {
jdbc.update(
"insert into groups_members (group_id, member_id, created_by, created_at, modified_by, modified_at, created_by_uid, modified_by_uid, membership_type, source_group_id) "
+ "values (?,?,?,"
+ Compatibility.getSysdate()
+ ",?,"
+ Compatibility.getSysdate()
+ ",?,?,?,?)",
group.getId(),
member.getId(),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getUserId(),
sess.getPerunPrincipal().getUserId(),
type.getCode(),
sourceGroupId);
} catch (RuntimeException ex) {
throw new InternalErrorException(ex);
}
return member;
}
/**
* Retrieves whole application object from DB (authz in parent methods)
*
* @param sess PerunSession for Authz and to resolve User
* @param vo VO to get application for
* @param group Group
* @return application object / null if not exists
*/
private Application getLatestApplication(
PerunSession sess, Vo vo, Group group, Application.AppType type) {
try {
if (sess.getPerunPrincipal().getUser() != null) {
if (group != null) {
return jdbc.queryForObject(
RegistrarManagerImpl.APP_SELECT
+ " where a.id=(select max(id) from application where vo_id=? and group_id=? and apptype=? and user_id=? )",
RegistrarManagerImpl.APP_MAPPER,
vo.getId(),
group.getId(),
String.valueOf(type),
sess.getPerunPrincipal().getUserId());
} else {
return jdbc.queryForObject(
RegistrarManagerImpl.APP_SELECT
+ " where a.id=(select max(id) from application where vo_id=? and apptype=? and user_id=? )",
RegistrarManagerImpl.APP_MAPPER,
vo.getId(),
String.valueOf(type),
sess.getPerunPrincipal().getUserId());
}
} else {
if (group != null) {
return jdbc.queryForObject(
RegistrarManagerImpl.APP_SELECT
+ " where a.id=(select max(id) from application where vo_id=? and group_id=? and apptype=? and created_by=? and extsourcename=? )",
RegistrarManagerImpl.APP_MAPPER,
vo.getId(),
group.getId(),
String.valueOf(type),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getExtSourceName());
} else {
return jdbc.queryForObject(
RegistrarManagerImpl.APP_SELECT
+ " where a.id=(select max(id) from application where vo_id=? and apptype=? and created_by=? and extsourcename=? )",
RegistrarManagerImpl.APP_MAPPER,
vo.getId(),
String.valueOf(type),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getExtSourceName());
}
}
} catch (EmptyResultDataAccessException ex) {
return null;
}
}
public int deletePublicationById(PerunSession sess, Integer id) throws CabinetException {
Publication pub = findPublicationById(id);
if (pub == null) throw new CabinetException(ErrorCodes.PUBLICATION_NOT_EXISTS);
// To delete publication user must be either PERUNADMIN
// or user who created record (publication.createdBy==actor property)
try {
if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)
&& !pub.getCreatedBy().equalsIgnoreCase(sess.getPerunPrincipal().getActor())
&& !pub.getCreatedByUid().equals(sess.getPerunPrincipal().getUserId())) {
// not perun admin or author of record
throw new CabinetException(
"You are not allowed to delete publications you didn't created.",
ErrorCodes.NOT_AUTHORIZED);
}
} catch (PerunException pe) {
throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, pe);
}
// delete action
try {
// delete authors
for (Authorship a : authorshipService.findAuthorshipsByPublicationId(id)) {
authorshipService.deleteAuthorshipById(sess, a.getId());
}
// delete thanks
for (Thanks t : thanksService.findThanksByPublicationId(id)) {
thanksService.deleteThanksById(sess, t.getId());
}
// delete publication
if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
// only perun admin can actually delete publication
return publicationDao.deletePublicationById(id);
} else {
return 1; // for others return as OK - perunadmin then deletes pubs manually
}
} catch (DataIntegrityViolationException ex) {
throw new CabinetException(
"Can't delete publication with authors or thanks. Please remove them first in order to delete publication.",
ErrorCodes.PUBLICATION_HAS_AUTHORS_OR_THANKS);
} catch (PerunException ex) {
throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex);
}
}
public Group updateGroupName(PerunSession sess, Group group) throws InternalErrorException {
Utils.notNull(group.getName(), "group.getName()");
// Get the group stored in the DB
Group dbGroup;
try {
dbGroup = this.getGroupById(sess, group.getId());
} catch (GroupNotExistsException e) {
throw new InternalErrorException("Group existence was checked at the higher level", e);
}
if (!dbGroup.getName().equals(group.getName())) {
dbGroup.setName(group.getName());
try {
jdbc.update(
"update groups set name=?,modified_by=?, modified_by_uid=?, modified_at="
+ Compatibility.getSysdate()
+ " where id=?",
dbGroup.getName(),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getUserId(),
dbGroup.getId());
} catch (RuntimeException e) {
throw new InternalErrorException(e);
}
}
return dbGroup;
}
@Before
public void setUpSession() throws Exception {
session =
perun.getPerunSession(
new PerunPrincipal(
"perunTests",
ExtSourcesManager.EXTSOURCE_INTERNAL,
ExtSourcesManager.EXTSOURCE_INTERNAL));
user1 = setUpUser1();
setUpBackground();
session.getPerunPrincipal().setUser(user1);
}
public List<Vo> getVos(PerunSession sess) throws InternalErrorException, PrivilegeException {
Utils.notNull(sess, "sess");
// Perun admin can see everything
if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
return vosManagerBl.getVos(sess);
} else {
if (sess.getPerunPrincipal().getRoles().hasRole(Role.VOADMIN)
|| sess.getPerunPrincipal().getRoles().hasRole(Role.GROUPADMIN)) {
Set<Vo> vos = new HashSet<Vo>();
// Get Vos where user is VO Admin
for (PerunBean vo :
AuthzResolver.getComplementaryObjectsForRole(sess, Role.VOADMIN, Vo.class)) {
vos.add((Vo) vo);
}
// Get Vos where user has an group admin right on some of the group
for (PerunBean group :
AuthzResolver.getComplementaryObjectsForRole(sess, Role.GROUPADMIN, Group.class)) {
try {
vos.add(vosManagerBl.getVoById(sess, ((Group) group).getVoId()));
} catch (VoNotExistsException e) {
throw new ConsistencyErrorException(
"User has group admin role for group from non-existent VO id:"
+ ((Group) group).getVoId(),
e);
}
}
return new ArrayList<Vo>(vos);
} else {
throw new PrivilegeException(sess, "getVos");
}
}
}
/** All new members will be given role VOOBSERVER and TOPGROUPCREATOR */
@Override
public Application approveApplication(PerunSession session, Application app)
throws PerunException {
if (Application.AppType.INITIAL.equals(app.getType())) {
Vo vo = app.getVo();
User user = app.getUser();
AuthzResolver.setRole(session, user, vo, Role.TOPGROUPCREATOR);
Group membersGroup =
session.getPerun().getGroupsManager().getGroupByName(session, vo, "members");
AuthzResolver.setRole(session, user, membersGroup, Role.GROUPADMIN);
}
return app;
}
public int createPublication(PerunSession sess, Publication p) throws CabinetException {
if (p.getCreatedDate() == null) p.setCreatedDate(new Date());
if (p.getLocked() == null) {
p.setLocked(false);
}
if (p.getCreatedByUid() == null && sess != null) {
p.setCreatedByUid(sess.getPerunPrincipal().getUserId());
}
if (p.getExternalId() == 0 && p.getPublicationSystemId() == 0) {
// check existence
if (publicationExists(p)) {
throw new CabinetException(
"Cannot create duplicate publication: " + p, ErrorCodes.PUBLICATION_ALREADY_EXISTS);
}
// get internal pub. system
PublicationSystem filter = new PublicationSystem();
filter.setFriendlyName("INTERNAL");
List<PublicationSystem> list =
publicationSystemService.findPublicationSystemsByFilter(filter);
if (list == null || list.isEmpty()) {
throw new CabinetException(
"Can't create publication, internal publication system is missing");
}
// There is only one internal system so, get(0) is safe
p.setPublicationSystemId(list.get(0).getId());
//
stripLongParams(p);
// create internal
return publicationDao.createInternalPublication(sess, p);
} else {
if (publicationExists(p))
throw new CabinetException(
"Cannot create duplicate publication: " + p, ErrorCodes.PUBLICATION_ALREADY_EXISTS);
stripLongParams(p);
return publicationDao.createPublication(sess, p);
}
}
@Override
public List<Identity> checkForSimilarUsers(
PerunSession sess, List<ApplicationFormItemData> formItems) throws PerunException {
if (sess.getPerunPrincipal().getUser() != null || formItems == null) {
return new ArrayList<Identity>();
}
Set<RichUser> res = new HashSet<RichUser>();
List<String> attrNames = new ArrayList<String>();
attrNames.add("urn:perun:user:attribute-def:def:preferredMail");
attrNames.add("urn:perun:user:attribute-def:def:organization");
for (ApplicationFormItemData item : formItems) {
String value = item.getValue();
if (item.getFormItem().getType().equals(ApplicationFormItem.Type.VALIDATED_EMAIL)) {
// search by email
if (value != null && !value.isEmpty())
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, value, attrNames));
}
if (Objects.equals(
item.getFormItem().getPerunDestinationAttribute(),
"urn:perun:user:attribute-def:core:displayName")) {
// search by name
if (value != null && !value.isEmpty())
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, value, attrNames));
}
}
return convertToIdentities(new ArrayList<RichUser>(res));
}
public Group createGroup(PerunSession sess, Vo vo, Group group)
throws GroupExistsException, InternalErrorException {
Utils.notNull(group, "group");
Utils.notNull(group.getName(), "group.getName()");
// Check if the group already exists
if (group.getParentGroupId() == null) {
if (1
== jdbc.queryForInt(
"select count('x') from groups where lower(name)=lower(?) and vo_id=? and parent_group_id IS NULL",
group.getName(),
vo.getId())) {
throw new GroupExistsException(
"Group ["
+ group.getName()
+ "] already exists under VO ["
+ vo.getShortName()
+ "] and has parent Group with id is [NULL]");
}
} else {
if (1
== jdbc.queryForInt(
"select count('x') from groups where lower(name)=lower(?) and vo_id=? and parent_group_id=?",
group.getName(),
vo.getId(),
group.getParentGroupId())) {
throw new GroupExistsException(
"Group ["
+ group.getName()
+ "] already exists under VO ["
+ vo.getShortName()
+ "] and has parent Group with id ["
+ group.getParentGroupId()
+ "]");
}
}
// Check the group name, it can contain only a-Z0-9_- and space
if (!group.getShortName().matches("^[- a-zA-Z.0-9_]+$")) {
throw new InternalErrorException(
new IllegalArgumentException(
"Wrong group name, group name can contain only a-Z0-9.-_: and space characters. "
+ group));
}
try {
// Store the group into the DB
int newId = Utils.getNewId(jdbc, "groups_id_seq");
jdbc.update(
"insert into groups (id, parent_group_id, name, dsc, vo_id, created_by,created_at,modified_by,modified_at,created_by_uid,modified_by_uid) "
+ "values (?,?,?,?,?,?,"
+ Compatibility.getSysdate()
+ ",?,"
+ Compatibility.getSysdate()
+ ",?,?)",
newId,
group.getParentGroupId(),
group.getName(),
group.getDescription(),
vo.getId(),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getUserId(),
sess.getPerunPrincipal().getUserId());
group.setId(newId);
group.setVoId(vo.getId());
return group;
} catch (RuntimeException err) {
throw new InternalErrorException(err);
}
}
@Override
public List<Identity> checkForSimilarUsers(PerunSession sess) throws PerunException {
// if user known, doesn't actually search and offer joining.
if (sess.getPerunPrincipal().getUser() != null) {
return new ArrayList<Identity>();
}
// if user known, doesn't actually search and offer joining.
try {
perun
.getUsersManager()
.getUserByExtSourceNameAndExtLogin(
registrarSession,
sess.getPerunPrincipal().getExtSourceName(),
sess.getPerunPrincipal().getActor());
return new ArrayList<Identity>();
} catch (Exception ex) {
// we don't care, that search failed. That is actually OK case.
}
String name = "";
String mail = "";
Set<RichUser> res = new HashSet<RichUser>();
List<String> attrNames = new ArrayList<String>();
attrNames.add("urn:perun:user:attribute-def:def:preferredMail");
attrNames.add("urn:perun:user:attribute-def:def:organization");
mail = sess.getPerunPrincipal().getAdditionalInformations().get("mail");
if (mail != null) {
if (mail.contains(";")) {
String mailSearch[] = mail.split(";");
for (String m : mailSearch) {
if (m != null && !m.isEmpty())
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, m, attrNames));
}
} else {
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, mail, attrNames));
}
}
// check by mail is more precise, so check by name only if nothing is found.
if (res.isEmpty()) {
name = sess.getPerunPrincipal().getAdditionalInformations().get("cn");
if (name != null && !name.isEmpty())
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames));
name = sess.getPerunPrincipal().getAdditionalInformations().get("displayName");
if (name != null && !name.isEmpty())
res.addAll(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames));
}
return convertToIdentities(new ArrayList<RichUser>(res));
}
@Override
public List<UserExtSource> consolidateIdentityUsingToken(PerunSession sess, String token)
throws PerunException {
Map<String, Object> originalIdentity = requestCache.get(token);
if (originalIdentity == null) {
throw new InvalidTokenException(
"Your token for joining identities is no longer valid. Please retry from the start.");
}
User originalUser = (User) originalIdentity.get("user");
User currentUser = sess.getPerunPrincipal().getUser();
if (originalUser == null && currentUser == null) {
IdentityUnknownException ex =
new IdentityUnknownException(
"Neither original or current identity is know to Perun. Please use at least one identity known to Perun.");
ex.setLogin((String) originalIdentity.get("actor"));
ex.setSource2((String) originalIdentity.get("extSourceName"));
ex.setSourceType2((String) originalIdentity.get("extSourceType"));
ex.setLogin2(sess.getPerunPrincipal().getActor());
ex.setSource2(sess.getPerunPrincipal().getExtSourceName());
ex.setSourceType2(sess.getPerunPrincipal().getExtSourceType());
throw ex;
}
if (originalIdentity.get("extSourceName").equals(sess.getPerunPrincipal().getExtSourceName())
&& originalIdentity.get("actor").equals(sess.getPerunPrincipal().getActor())
&& originalIdentity
.get("extSourceType")
.equals(sess.getPerunPrincipal().getExtSourceType())) {
IdentityIsSameException ex =
new IdentityIsSameException(
"You tried to join same identity with itself. Please try again but select different identity.");
ex.setLogin(sess.getPerunPrincipal().getActor());
ex.setSource(sess.getPerunPrincipal().getExtSourceName());
ex.setSourceType(sess.getPerunPrincipal().getExtSourceType());
throw ex;
}
if (originalUser != null && currentUser != null && originalUser.equals(currentUser)) {
throw new IdentitiesAlreadyJoinedException("You already have both identities joined.");
}
if (originalUser != null && currentUser != null && !originalUser.equals(currentUser)) {
throw new IdentityAlreadyInUseException(
"Your identity is already associated with a different user. If you are really the same person, please contact support to help you.",
originalUser,
currentUser);
}
// merge original identity into current user
if (originalUser == null) {
createExtSourceAndUserExtSource(
currentUser,
(String) originalIdentity.get("actor"),
(String) originalIdentity.get("extSourceName"),
(String) originalIdentity.get("extSourceType"),
(Integer) originalIdentity.get("extSourceLoa"));
}
// merge current identity into original user
if (currentUser == null) {
createExtSourceAndUserExtSource(
originalUser,
sess.getPerunPrincipal().getActor(),
sess.getPerunPrincipal().getExtSourceName(),
sess.getPerunPrincipal().getExtSourceType(),
sess.getPerunPrincipal().getExtSourceLoa());
}
AuthzResolverBlImpl.refreshSession(sess);
requestCache.remove(token);
return perun.getUsersManager().getUserExtSources(sess, sess.getPerunPrincipal().getUser());
}
@Override
public List<Identity> checkForSimilarUsers(PerunSession sess, int appId) throws PerunException {
String email = "";
String name = "";
List<RichUser> result = new ArrayList<RichUser>();
List<String> attrNames = new ArrayList<String>();
attrNames.add("urn:perun:user:attribute-def:def:preferredMail");
attrNames.add("urn:perun:user:attribute-def:def:organization");
Application app = registrarManager.getApplicationById(registrarSession, appId);
if (app.getGroup() == null) {
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())) {
if (sess.getPerunPrincipal().getUser() != null) {
// check if application to find similar users by belongs to user
if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
throw new PrivilegeException("checkForSimilarUsers");
} else {
if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
&& !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
throw new PrivilegeException("checkForSimilarUsers");
}
}
} else {
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())
&& !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN, app.getGroup())) {
if (sess.getPerunPrincipal().getUser() != null) {
// check if application to find similar users by belongs to user
if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
throw new PrivilegeException("checkForSimilarUsers");
} else {
if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
&& !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
throw new PrivilegeException("checkForSimilarUsers");
}
}
}
// only for initial VO applications if user==null
if (app.getType().equals(Application.AppType.INITIAL)
&& app.getGroup() == null
&& app.getUser() == null) {
try {
User u =
perun
.getUsersManager()
.getUserByExtSourceNameAndExtLogin(
registrarSession, app.getExtSourceName(), app.getCreatedBy());
if (u != null) {
// user connected his identity after app creation and before it's approval.
// do not show error message in GUI by returning an empty array.
return convertToIdentities(result);
}
} catch (Exception ex) {
// we don't care, let's try to search by name
}
List<ApplicationFormItemData> data = registrarManager.getApplicationDataById(sess, appId);
// search by email, which should be unique (check is more precise)
for (ApplicationFormItemData item : data) {
if ("urn:perun:user:attribute-def:def:preferredMail"
.equals(item.getFormItem().getPerunDestinationAttribute())) {
email = item.getValue();
}
if (email != null && !email.isEmpty()) break;
}
List<RichUser> users =
(email != null && !email.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by preferredMail
return convertToIdentities(users);
}
// search by different mail
email = ""; // clear previous value
for (ApplicationFormItemData item : data) {
if ("urn:perun:member:attribute-def:def:mail"
.equals(item.getFormItem().getPerunDestinationAttribute())) {
email = item.getValue();
}
if (email != null && !email.isEmpty()) break;
}
users =
(email != null && !email.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by member mail
return convertToIdentities(users);
}
// continue to search by display name
for (ApplicationFormItemData item : data) {
if (RegistrarManagerImpl.URN_USER_DISPLAY_NAME.equals(
item.getFormItem().getPerunDestinationAttribute())) {
name = item.getValue();
// use parsed name to drop mistakes on IDP side
try {
if (name != null && !name.isEmpty()) {
Map<String, String> nameMap = Utils.parseCommonName(name);
// drop name titles to spread search
String newName = "";
if (nameMap.get("firstName") != null && !nameMap.get("firstName").isEmpty()) {
newName += nameMap.get("firstName") + " ";
}
if (nameMap.get("lastName") != null && !nameMap.get("lastName").isEmpty()) {
newName += nameMap.get("lastName");
}
// fill parsed name instead of input
if (newName != null && !newName.isEmpty()) {
name = newName;
}
}
} catch (Exception ex) {
log.error(
"[REGISTRAR] Unable to parse new user's display/common name when searching for similar users. Exception: {}",
ex);
}
if (name != null && !name.isEmpty()) break;
}
}
users =
(name != null && !name.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by member display name
return convertToIdentities(users);
}
// continue to search by last name
name = ""; // clear previous value
for (ApplicationFormItemData item : data) {
if (RegistrarManagerImpl.URN_USER_LAST_NAME.equals(
item.getFormItem().getPerunDestinationAttribute())) {
name = item.getValue();
if (name != null && !name.isEmpty()) break;
}
}
if (name != null && !name.isEmpty()) {
// what was found by name
return convertToIdentities(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames));
} else {
// not found by name
return convertToIdentities(result);
}
} else {
// not found, since not proper type of application to check users for
return convertToIdentities(result);
}
}
