use of com.sun.identity.idsvcs.Attribute in project OpenAM by OpenRock.
the class IdentityResourceV3 method patchInstance.
/**
* Patch the user's password and only the password. No other value may be patched. The old value of the
* password does not have to be known. Admin only. The only patch operation supported is "replace", i.e. not
* "add" or "move", etc.
*
* @param context The context
* @param resourceId The username we're patching
* @param request The patch request
*/
@Override
public Promise<ResourceResponse, ResourceException> patchInstance(final Context context, final String resourceId, final PatchRequest request) {
if (!objectType.equals(IdentityRestUtils.USER_TYPE)) {
return new BadRequestException("Cannot patch object type " + objectType).asPromise();
}
RealmContext realmContext = context.asContext(RealmContext.class);
final String realm = realmContext.getResolvedRealm();
try {
if (!isAdmin(context)) {
return new ForbiddenException("Only admin can patch user values").asPromise();
}
SSOToken ssoToken = getSSOToken(RestUtils.getToken().getTokenID().toString());
IdentityServicesImpl identityServices = getIdentityServices();
IdentityDetails identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
Attribute[] existingAttributes = identityDetails.getAttributes();
Map<String, Set<String>> existingAttributeMap = attributesToMap(existingAttributes);
Map<String, Set<String>> newAttributeMap = new HashMap<>();
if (existingAttributeMap.containsKey(IdentityRestUtils.UNIVERSAL_ID)) {
Set<String> values = existingAttributeMap.get(IdentityRestUtils.UNIVERSAL_ID);
if (isNotEmpty(values) && !isUserActive(values.iterator().next())) {
return new ForbiddenException("User " + resourceId + " is not active: Request is forbidden").asPromise();
}
}
boolean updateNeeded = false;
for (PatchOperation patchOperation : request.getPatchOperations()) {
switch(patchOperation.getOperation()) {
case PatchOperation.OPERATION_REPLACE:
{
String name = getFieldName(patchOperation.getField());
if (!patchableAttributes.contains(name)) {
return new BadRequestException("For the object type " + IdentityRestUtils.USER_TYPE + ", field \"" + name + "\" cannot be altered by PATCH").asPromise();
}
JsonValue value = patchOperation.getValue();
newAttributeMap.put(name, identityAttributeJsonToSet(value));
updateNeeded = true;
break;
}
default:
return new BadRequestException("PATCH of " + IdentityRestUtils.USER_TYPE + " does not support operation " + patchOperation.getOperation()).asPromise();
}
}
if (updateNeeded) {
identityDetails.setAttributes(mapToAttributes(newAttributeMap));
identityServices.update(identityDetails, ssoToken);
// re-read the altered identity details from the repo.
identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
}
return newResultPromise(newResourceResponse("result", "1", identityDetailsToJsonValue(identityDetails)));
} catch (final ObjectNotFound notFound) {
logger.error("IdentityResourceV3.patchInstance cannot find resource " + resourceId, notFound);
return new NotFoundException("Resource cannot be found.", notFound).asPromise();
} catch (final TokenExpired tokenExpired) {
logger.error("IdentityResourceV3.patchInstance, token expired", tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final AccessDenied accessDenied) {
logger.error("IdentityResourceV3.patchInstance, access denied", accessDenied);
return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
} catch (final GeneralFailure generalFailure) {
logger.error("IdentityResourceV3.patchInstance, general failure " + generalFailure.getMessage());
return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
} catch (ForbiddenException fex) {
logger.warning("IdentityResourceV3.patchInstance, insufficient privileges.", fex);
return fex.asPromise();
} catch (NotFoundException notFound) {
logger.warning("IdentityResourceV3.patchInstance " + resourceId + " not found", notFound);
return new NotFoundException("Resource " + resourceId + " cannot be found.", notFound).asPromise();
} catch (ResourceException resourceException) {
logger.warning("IdentityResourceV3.patchInstance caught ResourceException", resourceException);
return resourceException.asPromise();
} catch (Exception exception) {
logger.error("IdentityResourceV3.patchInstance caught exception", exception);
return new InternalServerErrorException(exception.getMessage(), exception).asPromise();
}
}
use of com.sun.identity.idsvcs.Attribute in project OpenAM by OpenRock.
the class IdentityResourceV3 method mapToAttributes.
/**
* Convert a map back into an array of attributes.
* @param map The map to convert.
* @return The, possibly empty, array of attributes.
*/
private Attribute[] mapToAttributes(Map<String, Set<String>> map) {
Attribute[] result = new Attribute[map.size()];
int index = 0;
for (Map.Entry<String, Set<String>> entry : map.entrySet()) {
result[index] = new Attribute();
result[index].setName(entry.getKey());
result[index].setValues(entry.getValue().toArray(new String[0]));
index++;
}
return result;
}
use of com.sun.identity.idsvcs.Attribute in project OpenAM by OpenRock.
the class IdentityRestUtils method enforceWhiteList.
/**
* When an instance of a user is created via self service, we impose additional rules for security purposes.
* Namely, we strictly apply a whitelist of valid attribute names to each attribute in the incoming JSON
* representation of the user object. This ensures a hacker can't manipulate the request and thereby pretend
* to be a manager, demigod or individual they are not.
*
* There is no return value. If you survive calling this function without an exception being thrown, there
* are no illegal values in the incoming JSON
*
* @param context The context
* @param jsonValue The request
* @param objectType The type of object we're creating, user, group, etc.
* @param validUserAttributes The set of valid user attributes
* @throws BadRequestException If any attribute is found in the JSON representation of the user object containing
* an attribute that is not in our whitelist
*/
public static void enforceWhiteList(final Context context, final JsonValue jsonValue, final String objectType, final Set<String> validUserAttributes) throws BadRequestException {
if (!context.containsContext(SelfServiceContext.class) || !objectType.equals(USER_TYPE)) {
return;
}
final String realm = RealmContext.getRealm(context);
if (validUserAttributes == null || validUserAttributes.isEmpty()) {
throw new BadRequestException("Null/empty whitelist of valid attributes for self service user creation");
}
IdentityDetails identityDetails = jsonValueToIdentityDetails(objectType, jsonValue, realm);
Attribute[] attributes = identityDetails.getAttributes();
for (Attribute attribute : attributes) {
if (!validUserAttributes.contains(attribute.getName())) {
throw new BadRequestException("User attribute " + attribute.getName() + " is not valid for self service creation");
}
}
}
use of com.sun.identity.idsvcs.Attribute in project OpenAM by OpenRock.
the class IdentityServicesImpl method read.
public IdentityDetails read(String name, Map<String, Set<String>> attributes, SSOToken admin) throws IdServicesException {
IdentityDetails rv = null;
String realm = null;
String repoRealm;
String identityType = null;
List<String> attrsToGet = null;
if (attributes != null) {
for (Attribute attr : asAttributeArray(attributes)) {
String attrName = attr.getName();
if ("realm".equalsIgnoreCase(attrName)) {
String[] values = attr.getValues();
if (values != null && values.length > 0) {
realm = values[0];
}
} else if ("objecttype".equalsIgnoreCase(attrName)) {
String[] values = attr.getValues();
if (values != null && values.length > 0) {
identityType = values[0];
}
} else {
if (attrsToGet == null) {
attrsToGet = new ArrayList<>();
}
attrsToGet.add(attrName);
}
}
}
if (StringUtils.isEmpty(realm)) {
repoRealm = "/";
} else {
repoRealm = realm;
}
if (StringUtils.isEmpty(identityType)) {
identityType = "User";
}
try {
AMIdentity amIdentity = getAMIdentity(admin, identityType, name, repoRealm);
if (amIdentity == null) {
debug.error("IdentityServicesImpl:read identity not found");
throw new ObjectNotFound(name);
}
if (isSpecialUser(amIdentity)) {
throw new AccessDenied("Cannot retrieve attributes for this user.");
}
rv = convertToIdentityDetails(amIdentity, attrsToGet);
if (!StringUtils.isEmpty(realm)) {
// use the realm specified by the request
rv.setRealm(realm);
}
} catch (IdRepoException e) {
debug.error("IdentityServicesImpl:read", e);
mapIdRepoException(e);
} catch (SSOException e) {
debug.error("IdentityServicesImpl:read", e);
throw new GeneralFailure(e.getMessage());
}
return rv;
}
use of com.sun.identity.idsvcs.Attribute in project OpenAM by OpenRock.
the class IdentityServicesImpl method attributes.
private UserDetails attributes(List<String> attributeNames, Token subject, Boolean refresh) throws TokenExpired, GeneralFailure, AccessDenied {
UserDetails details = new UserDetails();
try {
SSOToken ssoToken = getSSOToken(subject);
if (refresh != null && refresh) {
SSOTokenManager.getInstance().refreshSession(ssoToken);
}
Map<String, Set<String>> sessionAttributes = new HashMap<>();
Set<String> s;
if (attributeNames != null) {
String propertyNext;
for (String attrNext : attributeNames) {
s = new HashSet<>();
if (attrNext.equalsIgnoreCase("idletime")) {
s.add(Long.toString(ssoToken.getIdleTime()));
} else if (attrNext.equalsIgnoreCase("timeleft")) {
s.add(Long.toString(ssoToken.getTimeLeft()));
} else if (attrNext.equalsIgnoreCase("maxsessiontime")) {
s.add(Long.toString(ssoToken.getMaxSessionTime()));
} else if (attrNext.equalsIgnoreCase("maxidletime")) {
s.add(Long.toString(ssoToken.getMaxIdleTime()));
} else {
propertyNext = ssoToken.getProperty(attrNext);
if (propertyNext != null && !propertyNext.isEmpty()) {
s.add(propertyNext);
}
}
if (!s.isEmpty()) {
sessionAttributes.put(attrNext, s);
}
}
}
// Obtain user memberships (roles and groups)
AMIdentity userIdentity = IdUtils.getIdentity(ssoToken);
if (isSpecialUser(userIdentity)) {
throw new AccessDenied("Cannot retrieve attributes for this user.");
}
// Determine the types that can have members
SSOToken adminToken = AccessController.doPrivileged(AdminTokenAction.getInstance());
AMIdentityRepository idrepo = new AMIdentityRepository(userIdentity.getRealm(), adminToken);
Set<IdType> supportedTypes = idrepo.getSupportedIdTypes();
Set<IdType> membersTypes = new HashSet<>();
for (IdType type : supportedTypes) {
if (type.canHaveMembers().contains(userIdentity.getType())) {
membersTypes.add(type);
}
}
// Determine the roles and groups
List<String> roles = new ArrayList<>();
for (IdType type : membersTypes) {
try {
Set<AMIdentity> memberships = userIdentity.getMemberships(type);
for (AMIdentity membership : memberships) {
roles.add(membership.getUniversalId());
}
} catch (IdRepoException ire) {
debug.message("IdentityServicesImpl:attributes", ire);
// Ignore and continue
}
}
String[] r = new String[roles.size()];
details.setRoles(roles.toArray(r));
Map<String, Set<String>> userAttributes;
if (attributeNames != null) {
Set<String> attrNames = new HashSet<>(attributeNames);
userAttributes = userIdentity.getAttributes(attrNames);
} else {
userAttributes = userIdentity.getAttributes();
}
if (userAttributes != null) {
for (Map.Entry<String, Set<String>> entry : sessionAttributes.entrySet()) {
if (userAttributes.keySet().contains(entry.getKey())) {
userAttributes.get(entry.getKey()).addAll(entry.getValue());
} else {
userAttributes.put(entry.getKey(), entry.getValue());
}
}
} else {
userAttributes = sessionAttributes;
}
List<Attribute> attributes = new ArrayList<>(userAttributes.size());
for (String name : userAttributes.keySet()) {
Attribute attribute = new Attribute();
attribute.setName(name);
Set<String> value = userAttributes.get(name);
if (value != null && !value.isEmpty()) {
List<String> valueList = new ArrayList<>(value.size());
// Convert the set to a List of String
for (String next : value) {
if (next != null) {
valueList.add(next);
}
}
String[] v = new String[valueList.size()];
attribute.setValues(valueList.toArray(v));
attributes.add(attribute);
}
}
Attribute[] a = new Attribute[attributes.size()];
details.setAttributes(attributes.toArray(a));
} catch (IdRepoException e) {
debug.error("IdentityServicesImpl:attributes", e);
throw new GeneralFailure(e.getMessage());
} catch (SSOException e) {
debug.error("IdentityServicesImpl:attributes", e);
throw new GeneralFailure(e.getMessage());
} catch (TokenExpired e) {
debug.warning("IdentityServicesImpl:attributes original error", e);
throw new TokenExpired("Cannot retrieve Token.");
}
//TODO handle token translation
details.setToken(subject);
return details;
}
Aggregations