Example 1 with IdSearchResults
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getPermissions.
/**
* Returns a set of permissions that a user has.
*
* @param token sso token of the user requesting permissions
* @param orgName The name of the realm from which the delegation
* permissions are fetched.
*
* @return a <code>Set</code> of permissions that a user has
*
* @throws SSOException if single-sign-on token invalid or expired
* @throws DelegationException for any other abnormal condition
*/
public Set getPermissions(SSOToken token, String orgName) throws SSOException, DelegationException {
DelegationPrivilege dp;
Set perms = new HashSet();
Set subjects;
AMIdentity userIdentity = null;
AMIdentity subjectIdentity = null;
IdSearchResults results = null;
if (token == null) {
if (DelegationManager.debug.warningEnabled()) {
DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "user sso token is null");
}
return perms;
}
try {
userIdentity = IdUtils.getIdentity(token);
if (userIdentity == null) {
if (DelegationManager.debug.warningEnabled()) {
DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "could not get user's identity from token");
}
return perms;
}
Set privileges = getPrivileges(appToken, orgName);
if ((privileges != null) && (!privileges.isEmpty())) {
AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
IdSearchControl ctrl = new IdSearchControl();
ctrl.setRecursive(true);
ctrl.setMaxResults(-1);
ctrl.setTimeOut(-1);
Iterator it = privileges.iterator();
while (it.hasNext()) {
dp = (DelegationPrivilege) it.next();
subjects = dp.getSubjects();
if ((subjects != null) && (!subjects.isEmpty())) {
Iterator sit = subjects.iterator();
while (sit.hasNext()) {
String subject = (String) sit.next();
String subjectId = LDAPUtils.rdnValueFromDn(subject);
if (subjectId != null) {
results = idRepo.searchIdentities(IdType.ROLE, subjectId, ctrl);
if (results != null) {
Set idSet = results.getSearchResults();
if ((idSet != null) && !idSet.isEmpty()) {
subjectIdentity = (AMIdentity) (idSet.iterator().next());
if (userIdentity.isMember(subjectIdentity)) {
perms.addAll(dp.getPermissions());
}
}
}
}
}
}
}
}
} catch (Exception e) {
throw new DelegationException(e);
}
return perms;
}
Also used :
DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege)
Set(java.util.Set)
HashSet(java.util.HashSet)
IdSearchResults(com.sun.identity.idm.IdSearchResults)
AMIdentity(com.sun.identity.idm.AMIdentity)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
Iterator(java.util.Iterator)
DelegationException(com.sun.identity.delegation.DelegationException)
DelegationException(com.sun.identity.delegation.DelegationException)
PolicyException(com.sun.identity.policy.PolicyException)
SSOException(com.iplanet.sso.SSOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
HashSet(java.util.HashSet)
Example 2 with IdSearchResults
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getSubjects.
/**
* Returns a set of selected subjects of specified types matching the
* pattern in the given realm. The pattern accepts "*" as the wild card for
* searching subjects. For example, "a*c" matches with any subject starting
* with a and ending with c.
*
* @param token The <code>SSOToken</code> of the requesting user
* @param orgName The name of the realm from which the subjects are fetched.
* @param types a set of subject types. e.g. ROLE, GROUP.
* @param pattern a filter used to select the subjects.
*
* @return a set of subjects associated with the realm.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws DelegationException for any abnormal condition
*
* @return <code>Set</code> of universal Ids of the subjects associated
* with the realm.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws DelegationException for any abnormal condition
*/
public Set getSubjects(SSOToken token, String orgName, Set types, String pattern) throws SSOException, DelegationException {
Set results = new HashSet();
// All Authenticated Users would be returned only if pattern is *
if ((pattern != null) && pattern.equals("*")) {
results.add(AUTHN_USERS_ID);
}
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): types=" + types);
}
try {
AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
Set supportedTypes = idRepo.getSupportedIdTypes();
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): " + "supported subject types=" + supportedTypes);
}
if ((supportedTypes != null) && (!supportedTypes.isEmpty()) && (types != null) && (!types.isEmpty())) {
Iterator it = types.iterator();
while (it.hasNext()) {
IdType idType = IdUtils.getType((String) it.next());
if (supportedTypes.contains(idType)) {
IdSearchControl ctrl = new IdSearchControl();
ctrl.setRecursive(true);
ctrl.setMaxResults(-1);
ctrl.setTimeOut(-1);
IdSearchResults idsr = idRepo.searchIdentities(idType, pattern, ctrl);
if (idsr != null) {
Set searchRes = idsr.getSearchResults();
if ((searchRes != null) && (!searchRes.isEmpty())) {
Iterator iter = searchRes.iterator();
while (iter.hasNext()) {
AMIdentity id = (AMIdentity) iter.next();
results.add(IdUtils.getUniversalId(id));
}
}
}
}
}
}
return results;
} catch (IdRepoException ide) {
throw new DelegationException(ide);
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
IdSearchResults(com.sun.identity.idm.IdSearchResults)
AMIdentity(com.sun.identity.idm.AMIdentity)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
Iterator(java.util.Iterator)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
IdRepoException(com.sun.identity.idm.IdRepoException)
DelegationException(com.sun.identity.delegation.DelegationException)
HashSet(java.util.HashSet)
IdType(com.sun.identity.idm.IdType)
Example 3 with IdSearchResults
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class FSDefaultSPAdapter method postSSOFederationSuccess.
/**
* Invokes this method after the successful Single Sign-On or Federation.
* @param hostedEntityID provider ID for the hosted SP
* @param request servlet request
* @param response servlet response
* @param ssoToken user's SSO token
* @param authnRequest the original authentication request sent from SP
* @param authnResponse response from IDP if Browser POST or LECP profile
* is used for the request, value will be null if Browser Artifact
* profile is used.
* @param samlResponse response from IDP if Browser Artifact profile is used
* for the request, value will be null if Browser POST or LECP
* profile is used.
* @exception FederationException if user want to fail the process.
* @return true if browser redirection happened, false otherwise.
*/
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
}
// find out if this is a federation request
boolean isFederation = false;
if (authnRequest == null) {
FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
} else {
String nameIDPolicy = authnRequest.getNameIDPolicy();
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
}
if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
isFederation = true;
}
}
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
if (isFederation && adminToken != null) {
try {
// get name Identifier
String nameId = null;
List assertions = null;
String idpEntityId = null;
if (authnResponse != null) {
// POST profile
assertions = authnResponse.getAssertion();
idpEntityId = authnResponse.getProviderId();
} else {
// Artifact profile
assertions = samlResponse.getAssertion();
}
FSAssertion assertion = (FSAssertion) assertions.iterator().next();
if (idpEntityId == null) {
idpEntityId = assertion.getIssuer();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
}
Iterator stmtIter = assertion.getStatement().iterator();
while (stmtIter.hasNext()) {
Statement statement = (Statement) stmtIter.next();
int stmtType = statement.getStatementType();
if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
FSSubject subject = (FSSubject) authStatement.getSubject();
NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
if (ni == null) {
ni = subject.getNameIdentifier();
}
if (ni != null) {
nameId = ni.getName();
}
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
}
break;
}
}
if (nameId == null) {
FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
return false;
}
Map map = new HashMap();
Set set = new HashSet();
set.add("|" + hostedEntityID + "|" + nameId + "|");
map.put("iplanet-am-user-federation-info-key", set);
AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
IdSearchControl searchControl = new IdSearchControl();
searchControl.setTimeOut(0);
searchControl.setMaxResults(0);
searchControl.setAllReturnAttributes(false);
searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
Set amIdSet = searchResults.getSearchResults();
if (amIdSet.size() > 1) {
String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
}
String metaAlias = null;
try {
IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
if (metaManager != null) {
SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
if (spConfig != null) {
metaAlias = spConfig.getMetaAlias();
}
}
} catch (IDFFMetaException ie) {
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
}
}
FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
// previous federation exists with different users
Iterator it = amIdSet.iterator();
while (it.hasNext()) {
AMIdentity amId = (AMIdentity) it.next();
// compare with the SSO token
String tmpUnivId = IdUtils.getUniversalId(amId);
if (univId.equalsIgnoreCase(tmpUnivId)) {
continue;
}
// remove federation information for this user
if (FSUtils.debug.messageEnabled()) {
FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
}
accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
}
}
} catch (FSAccountMgmtException f) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
} catch (IdRepoException i) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
} catch (SSOException e) {
FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
}
}
return false;
}
Also used :
SSOToken(com.iplanet.sso.SSOToken)
Set(java.util.Set)
HashSet(java.util.HashSet)
FSSubject(com.sun.identity.federation.message.FSSubject)
NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier)
HashMap(java.util.HashMap)
IdSearchResults(com.sun.identity.idm.IdSearchResults)
SPDescriptorConfigElement(com.sun.identity.federation.jaxb.entityconfig.SPDescriptorConfigElement)
SSOException(com.iplanet.sso.SSOException)
FSAccountFedInfoKey(com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey)
FSAccountManager(com.sun.identity.federation.accountmgmt.FSAccountManager)
FSAssertion(com.sun.identity.federation.message.FSAssertion)
Iterator(java.util.Iterator)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
List(java.util.List)
HashSet(java.util.HashSet)
FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement)
Statement(com.sun.identity.saml.assertion.Statement)
FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement)
IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException)
IdRepoException(com.sun.identity.idm.IdRepoException)
IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager)
AMIdentity(com.sun.identity.idm.AMIdentity)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException)
Map(java.util.Map)
HashMap(java.util.HashMap)
Example 4 with IdSearchResults
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class CramMD5MechanismHandler method getUserPassword.
private static String getUserPassword(String userName) {
try {
SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
IdSearchControl searchControl = new IdSearchControl();
searchControl.setTimeOut(0);
searchControl.setMaxResults(0);
searchControl.setAllReturnAttributes(false);
IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
Set users = searchResults.getSearchResults();
if (users == null || users.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
}
return null;
}
if (users.size() > 1) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
}
return null;
}
AMIdentity user = (AMIdentity) users.iterator().next();
Set passwords = user.getAttribute("userPassword");
if (passwords == null || passwords.isEmpty()) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
}
return null;
}
if (passwords.size() > 1) {
if (debug.messageEnabled()) {
debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
}
return null;
}
String password = (String) passwords.iterator().next();
if (password.startsWith("{CLEAR}")) {
password = password.substring(7);
}
return password;
} catch (Exception ex) {
AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
return null;
}
}
Also used :
SSOToken(com.iplanet.sso.SSOToken)
Set(java.util.Set)
IdSearchResults(com.sun.identity.idm.IdSearchResults)
AMIdentity(com.sun.identity.idm.AMIdentity)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
IdRepoException(com.sun.identity.idm.IdRepoException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException)
SSOException(com.iplanet.sso.SSOException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
Example 5 with IdSearchResults
use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.
the class IdentityServicesImpl method fetchAMIdentities.
private List<AMIdentity> fetchAMIdentities(IdType type, CrestQuery crestQuery, boolean fetchAllAttrs, AMIdentityRepository repo, Map searchModifiers) throws IdRepoException, ObjectNotFound, SSOException {
IdSearchControl searchControl = new IdSearchControl();
IdSearchResults searchResults;
List<AMIdentity> identities;
if (isOperationSupported(repo, type, IdOperation.READ)) {
Set<AMIdentity> resultSet;
if (fetchAllAttrs) {
searchControl.setAllReturnAttributes(true);
} else {
searchControl.setAllReturnAttributes(false);
}
if (searchModifiers != null) {
searchControl.setSearchModifiers(IdSearchOpModifier.AND, searchModifiers);
}
searchResults = repo.searchIdentities(type, crestQuery, searchControl);
resultSet = searchResults.getSearchResults();
identities = new ArrayList<>(resultSet);
} else {
// A list is expected back
/*
* TODO: throw an exception instead of returning an empty list
*/
identities = new ArrayList<>();
}
return identities;
}
Also used :
IdSearchResults(com.sun.identity.idm.IdSearchResults)
AMIdentity(com.sun.identity.idm.AMIdentity)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
Aggregations
IdSearchResults (com.sun.identity.idm.IdSearchResults)60
IdRepoException (com.sun.identity.idm.IdRepoException)46
IdSearchControl (com.sun.identity.idm.IdSearchControl)43
SSOException (com.iplanet.sso.SSOException)39
AMIdentity (com.sun.identity.idm.AMIdentity)39
Set (java.util.Set)37
AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository)36
HashSet (java.util.HashSet)28
SSOToken (com.iplanet.sso.SSOToken)17
Iterator (java.util.Iterator)16
Map (java.util.Map)12
AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)11
HashMap (java.util.HashMap)11
IdType (com.sun.identity.idm.IdType)9
AMHashMap (com.iplanet.am.sdk.AMHashMap)6
CaseInsensitiveHashMap (com.sun.identity.common.CaseInsensitiveHashMap)4
UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)4
AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException)3
CLIException (com.sun.identity.cli.CLIException)3
IOutput (com.sun.identity.cli.IOutput)3
