/** * This method locks the created accounts based on the account policies or based on the account * confirmation method being used. Two account confirmation methods are used : Temporary Password * and Verification Code. In the case of temporary password is used the temporary password will be * emailed to the user. In the case of verification code, the code will be emailed to the user. * The security questions filter ad doPreAddUser will be persisted in this method. */ @Override public boolean doPostAddUser( String userName, Object credential, String[] roleList, Map<String, String> claims, String profile, UserStoreManager userStoreManager) throws UserStoreException { if (log.isDebugEnabled()) { log.debug("Post add user is called in IdentityMgtEventListener"); } IdentityMgtConfig config = IdentityMgtConfig.getInstance(); if (!config.isListenerEnable()) { return true; } // reading the value from the thread local UserIdentityClaimsDO userIdentityClaimsDO = (UserIdentityClaimsDO) threadLocalProperties.get().get(USER_IDENTITY_DO); if (config.isEnableUserAccountVerification()) { // empty password account creation if (threadLocalProperties.get().containsKey(EMPTY_PASSWORD_USED)) { // store identity data userIdentityClaimsDO.setAccountLock(false).setPasswordTimeStamp(System.currentTimeMillis()); try { module.store(userIdentityClaimsDO, userStoreManager); } catch (IdentityException e) { throw new UserStoreException("Error while doPostAddUser", e); } // store identity metadata UserRecoveryDataDO metadataDO = new UserRecoveryDataDO(); metadataDO .setUserName(userName) .setTenantId(userStoreManager.getTenantId()) .setCode((String) credential); // try { // UserIdentityManagementUtil.storeUserIdentityMetadata(metadataDO); // } catch (IdentityException e) { // throw new UserStoreException("Error while doPreAddUser", e); // } // set recovery data RecoveryProcessor processor = new RecoveryProcessor(); VerificationBean verificationBean = new VerificationBean(); try { verificationBean = processor.updateConfirmationCode(1, userName, userStoreManager.getTenantId()); } catch (IdentityException e) { // TODO Auto-generated catch block e.printStackTrace(); } // preparing a bean to send the email UserIdentityMgtBean bean = new UserIdentityMgtBean(); bean.setUserId(userName) .setConfirmationCode(verificationBean.getKey()) .setRecoveryType(IdentityMgtConstants.Notification.TEMPORARY_PASSWORD) .setEmail(claims.get(config.getAccountRecoveryClaim())); UserRecoveryDTO recoveryDto = new UserRecoveryDTO(userName); recoveryDto.setNotification(IdentityMgtConstants.Notification.ASK_PASSWORD); recoveryDto.setNotificationType("EMAIL"); recoveryDto.setTenantId(userStoreManager.getTenantId()); recoveryDto.setConfirmationCode(verificationBean.getKey()); NotificationDataDTO notificationDto = null; try { notificationDto = processor.recoverWithNotification(recoveryDto); } catch (IdentityException e) { if (log.isDebugEnabled()) { log.debug(e.getMessage()); } throw new UserStoreException("Error while sending notification. " + e.getMessage()); } if (notificationDto != null && notificationDto.isNotificationSent()) { return true; } else { return false; } // sending email // UserIdentityManagementUtil.notifyViaEmail(bean); } else { // none-empty passwords. lock account and persist /* This scenario needs to be validated. * userIdentityClaimsDO.setAccountLock(true) .setPasswordTimeStamp(System.currentTimeMillis()); try { UserIdentityManagementUtil.storeUserIdentityClaims(userIdentityClaimsDO, userStoreManager); } catch (IdentityException e) { throw new UserStoreException("Error while doPostAddUser", e); } String confirmationCode = UserIdentityManagementUtil.generateRandomConfirmationCode(); // store identity metadata UserRecoveryDataDO metadataDO = new UserRecoveryDataDO(); metadataDO.setUserName(userName).setTenantId(userStoreManager.getTenantId()) .setCode(confirmationCode); try { UserIdentityManagementUtil.storeUserIdentityMetadata(metadataDO); } catch (IdentityException e) { throw new UserStoreException("Error while doPostAddUser", e); } // sending a mail with the confirmation code UserIdentityMgtBean bean = new UserIdentityMgtBean(); bean.setUserId(userName) .setRecoveryType(IdentityMgtConstants.Notification.ACCOUNT_CONFORM) .setConfirmationCode(confirmationCode); UserIdentityManagementUtil.notifyViaEmail(bean); return true; */ } } // No account recoveries are defined, no email will be sent. if (config.isAuthPolicyAccountLockOnCreation()) { // accounts are locked. Admin should unlock userIdentityClaimsDO.setAccountLock(true); userIdentityClaimsDO.setPasswordTimeStamp(System.currentTimeMillis()); try { config.getIdentityDataStore().store(userIdentityClaimsDO, userStoreManager); } catch (IdentityException e) { throw new UserStoreException("Error while doPostAddUser", e); } } return true; }
/** * To get the challenge question for the user. * * @param userName * @param confirmation * @param questionId - Question id returned from the getUserChanllegneQuestionIds method. * @return Populated question bean with the question details and the key. * @throws IdentityMgtServiceException */ public UserChallengesDTO getUserChallengeQuestion( String userName, String confirmation, String questionId) throws IdentityMgtServiceException { UserDTO userDTO = null; UserChallengesDTO userChallengesDTO = new UserChallengesDTO(); if (log.isDebugEnabled()) { log.debug("User challenge question request received with username :"******"Error validating user : "******"Invalid confirmation code for user : "******"User challenge question retrieved successfully"); } } else { if (log.isDebugEnabled()) { log.debug("Verification failed for user. Error : " + bean.getError()); } userChallengesDTO.setError( VerificationBean.ERROR_CODE_INVALID_USER + " " + bean.getError()); } } finally { if (IdentityMgtConfig.getInstance().isSaasEnabled()) { PrivilegedCarbonContext.endTenantFlow(); } } return userChallengesDTO; }
/** * This method is used to register an user in the system. The account will be locked if the * Authentication.Policy.Account.Lock.On.Creation is set to true. Else user will be able to login * after registration. * * @param userName * @param password * @param claims * @param profileName * @param tenantDomain * @return * @throws IdentityMgtServiceException */ public VerificationBean registerUser( String userName, String password, UserIdentityClaimDTO[] claims, String profileName, String tenantDomain) throws IdentityMgtServiceException { VerificationBean vBean = new VerificationBean(); org.wso2.carbon.user.core.UserStoreManager userStoreManager = null; Permission permission = null; if (!IdentityMgtConfig.getInstance().isSaasEnabled()) { String loggedInTenant = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain(); if (tenantDomain != null && !tenantDomain.isEmpty() && !loggedInTenant.equals(tenantDomain)) { String msg = "Trying to create users in unauthorized tenant space"; log.error(msg); throw new IdentityMgtServiceException(msg); } if (tenantDomain == null || tenantDomain.isEmpty()) { tenantDomain = loggedInTenant; } } RealmService realmService = IdentityMgtServiceComponent.getRealmService(); int tenantId; try { tenantId = Utils.getTenantId(tenantDomain); if (realmService.getTenantUserRealm(tenantId) != null) { userStoreManager = (org.wso2.carbon.user.core.UserStoreManager) realmService.getTenantUserRealm(tenantId).getUserStoreManager(); } } catch (Exception e) { vBean = handleError( VerificationBean.ERROR_CODE_UNEXPECTED + " Error retrieving the user store manager for the tenant", e); return vBean; } try { if (userStoreManager == null) { vBean = new VerificationBean(); vBean.setVerified(false); vBean.setError( VerificationBean.ERROR_CODE_UNEXPECTED + " Error retrieving the user store manager for the tenant"); return vBean; } Map<String, String> claimsMap = new HashMap<String, String>(); for (UserIdentityClaimDTO userIdentityClaimDTO : claims) { claimsMap.put(userIdentityClaimDTO.getClaimUri(), userIdentityClaimDTO.getClaimValue()); } userStoreManager.addUser(userName, password, null, claimsMap, profileName); String identityRoleName = UserCoreConstants.INTERNAL_DOMAIN + CarbonConstants.DOMAIN_SEPARATOR + IdentityConstants.IDENTITY_DEFAULT_ROLE; if (!userStoreManager.isExistingRole(identityRoleName, false)) { permission = new Permission("/permission/admin/login", UserMgtConstants.EXECUTE_ACTION); userStoreManager.addRole( identityRoleName, new String[] {userName}, new Permission[] {permission}, false); } else { userStoreManager.updateUserListOfRole( identityRoleName, new String[] {}, new String[] {userName}); } IdentityEventListener identityEventListener = IdentityUtil.readEventListenerProperty( UserOperationEventListener.class.getName(), IdentityMgtEventListener.class.getName()); boolean isListenerEnable = true; if (identityEventListener != null) { if (StringUtils.isNotBlank(identityEventListener.getEnable())) { isListenerEnable = Boolean.parseBoolean(identityEventListener.getEnable()); } } IdentityMgtConfig config = IdentityMgtConfig.getInstance(); if (isListenerEnable && config.isAuthPolicyAccountLockOnCreation()) { UserDTO userDTO = new UserDTO(userName); userDTO.setTenantId(tenantId); UserRecoveryDTO dto = new UserRecoveryDTO(userDTO); dto.setNotification(IdentityMgtConstants.Notification.ACCOUNT_CONFORM); dto.setNotificationType("EMAIL"); RecoveryProcessor processor = IdentityMgtServiceComponent.getRecoveryProcessor(); vBean = processor.updateConfirmationCode(1, userName, tenantId); dto.setConfirmationCode(vBean.getKey()); NotificationDataDTO notificationDto = processor.notifyWithEmail(dto); vBean.setVerified(notificationDto.isNotificationSent()); // Send email data only if not internally managed. if (!(IdentityMgtConfig.getInstance().isNotificationInternallyManaged())) { vBean.setNotificationData(notificationDto); } } else { vBean.setVerified(true); } } catch (UserStoreException | IdentityException e) { UserIdentityManagementUtil.getCustomErrorMessages(e, userName); // Rollback if user exists try { if (userStoreManager.isExistingUser(userName)) { userStoreManager.deleteUser(userName); } } catch (org.wso2.carbon.user.core.UserStoreException e1) { UserIdentityManagementUtil.getCustomErrorMessages(e1, userName); } return vBean; } return vBean; }
public ChallengeQuestionIdsDTO getUserChallengeQuestionIds(String username, String confirmation) throws IdentityMgtServiceException { UserDTO userDTO = null; ChallengeQuestionIdsDTO idsDTO = new ChallengeQuestionIdsDTO(); if (log.isDebugEnabled()) { log.debug("User challenge questions id request received with username: "******"Error while getting challenge question ids for user : "******"Error when validating code", e1); return idsDTO; } if (bean.isVerified()) { try { idsDTO = processor .getQuestionProcessor() .getUserChallengeQuestionIds(userDTO.getUserId(), userDTO.getTenantId()); idsDTO.setKey(bean.getKey()); if (log.isDebugEnabled()) { log.debug("User challenge question response successful for user: "******"Error when getting user challenge questions for user : "******"Verification failed for user. Error : " + bean.getError(); log.error(msg); idsDTO.setError(VerificationBean.ERROR_CODE_UNEXPECTED + " " + msg); idsDTO.setKey(""); } } finally { if (IdentityMgtConfig.getInstance().isSaasEnabled()) { PrivilegedCarbonContext.endTenantFlow(); } } return idsDTO; }