use of cz.metacentrum.perun.core.api.exceptions.InvalidLoginException in project perun by CESNET.
the class ModulesUtilsBlImpl method checkLoginNamespaceRegex.
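/**
 * Verifies that a login is syntactically acceptable in the given login namespace.
 *
 * <p>The pattern is read from the {@code login-namespace:<namespace>:regex} entry of the
 * namespaces map. When no entry exists, {@code defaultRegex} is used instead. The login
 * must match the pattern in full ({@code matches()}, not {@code find()}), so a pattern
 * without explicit anchors still constrains the whole login. A login that fails the
 * pattern is still accepted when {@code isLoginExceptionallyAllowed} returns true for it.
 *
 * @param namespace login namespace whose rule is applied
 * @param login login to validate
 * @param defaultRegex pattern used when the namespace has no configured regex
 * @throws InvalidLoginException when the login matches neither the pattern nor an allowed exception
 * @throws InternalErrorException when the configured regex cannot be compiled
 */
@Override
public void checkLoginNamespaceRegex(String namespace, String login, Pattern defaultRegex) throws InvalidLoginException {
    Utils.notNull(namespace, "namespace to check login syntax");
    Utils.notNull(login, "login to check syntax for");
    checkPerunNamespacesMap();

    String regex = perunNamespaces.get("login-namespace:" + namespace + ":regex");

    // Compile once and reuse the compiled pattern for the match below.
    Pattern effectivePattern;
    if (regex != null) {
        try {
            effectivePattern = Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            log.error("Regex pattern \"{}\" from \"login-namespace:{}:regex\" property of perun-namespaces.properties file is invalid.", regex, namespace);
            // Keep the syntax error as the cause so the broken configuration can be diagnosed.
            throw new InternalErrorException("Regex pattern \"" + regex + "\" from \"login-namespace:" + namespace + ":regex\" property of perun-namespaces.properties file is invalid.", e);
        }
    } else {
        effectivePattern = defaultRegex;
    }

    // Reject only when the login fails the pattern AND is not on the exception list.
    if (!effectivePattern.matcher(login).matches() && !isLoginExceptionallyAllowed(namespace, login)) {
        // Log the pattern that was actually applied. With no configured regex this is the
        // default pattern, not the null configuration value.
        log.warn("Login '{}' in {} namespace doesn't match regex: {}", login, namespace, effectivePattern);
        throw new InvalidLoginException("Login doesn't matches expected regex: \"" + effectivePattern + "\"");
    }
}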
use of cz.metacentrum.perun.core.api.exceptions.InvalidLoginException in project perun by CESNET.
the class EinfraPasswordManagerModule method validatePassword.
/**
 * Runs E-INFRA specific bookkeeping for the user and then delegates to the parent
 * implementation.
 *
 * <p>When {@code user} is null it is looked up by {@code userLogin} in
 * {@code actualLoginNamespace}. For a resolved user the method:
 * <ol>
 *   <li>stores the current local time in the {@code lastPwdChangeTimestamp:einfra} user
 *       attribute (best effort: failures are logged and ignored),</li>
 *   <li>links five user ext sources derived from the login, each with LoA 0
 *       (already existing links are ignored),</li>
 *   <li>adds the {@code @EINFRA} and {@code @META} principals to the
 *       {@code kerberosLogins} attribute when they are missing.</li>
 * </ol>
 * When no user is found a warning is logged and the parent implementation is still
 * called with a null user.
 *
 * @param sess session used for all manager calls
 * @param userLogin login the identities are derived from
 * @param user owner of the login, or null to look it up by login
 * @throws InvalidLoginException declared for the delegated parent call
 * @throws InternalErrorException when linking identities or storing Kerberos logins fails
 */
@Override
public void validatePassword(PerunSession sess, String userLogin, User user) throws InvalidLoginException {
    if (user == null) {
        user = ((PerunBl) sess.getPerun()).getModulesUtilsBl().getUserByLoginInNamespace(sess, userLogin, actualLoginNamespace);
    }

    if (user != null) {
        PerunBl perunBl = ((PerunBl) sess.getPerun());

        // FIXME - find out more convenient place and support other namespaces
        try {
            Attribute lastChange = perunBl.getAttributesManagerBl().getAttribute(sess, user, AttributesManager.NS_USER_ATTR_DEF + ":lastPwdChangeTimestamp:einfra");
            lastChange.setValue(LocalDateTime.now().format(DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss")));
            perunBl.getAttributesManagerBl().setAttribute(sess, user, lastChange);
        } catch (AttributeNotExistsException notSupported) {
            // not supported by namespace
        } catch (Exception ex) {
            log.warn("Unable to set last password change timestamp for {} in {}", userLogin, actualLoginNamespace, ex);
        }

        // set extSources and extSource related attributes
        try {
            // {ext source name, suffix appended to the login}, processed in this order:
            // META, EINFRA, MUNI Shibboleth IdP, E-INFRA IdP, E-INFRA CERT IdP.
            final String[][] identitySources = {
                {"META", "@META"},
                {"EINFRA", "@EINFRA"},
                {"https://login.ics.muni.cz/idp/shibboleth", "@meta.cesnet.cz"},
                {"https://idp.e-infra.cz/idp/", "@idp.e-infra.cz"},
                {"https://idp-cert.e-infra.cz/idp/", "@idp-cert.e-infra.cz"},
            };
            for (String[] entry : identitySources) {
                ExtSource source = perunBl.getExtSourcesManagerBl().getExtSourceByName(sess, entry[0]);
                UserExtSource identity = new UserExtSource(source, userLogin + entry[1]);
                identity.setLoa(0);
                try {
                    perunBl.getUsersManagerBl().addUserExtSource(sess, user, identity);
                } catch (UserExtSourceExistsException alreadyLinked) {
                    // this is OK
                }
            }

            // Store also Kerberos logins
            Attribute kerberosLoginsAttr = perunBl.getAttributesManagerBl().getAttribute(sess, user, AttributesManager.NS_USER_ATTR_DEF + ":" + "kerberosLogins");
            List<String> kerberosLogins = new ArrayList<>();
            if (kerberosLoginsAttr != null && kerberosLoginsAttr.getValue() != null) {
                kerberosLogins.addAll(kerberosLoginsAttr.valueAsList());
            }

            boolean changed = false;
            for (String realm : new String[] {"@EINFRA", "@META"}) {
                String principal = userLogin + realm;
                if (!kerberosLogins.contains(principal)) {
                    kerberosLogins.add(principal);
                    changed = true;
                }
            }

            // Write back only when a principal was actually added.
            if (changed && kerberosLoginsAttr != null) {
                kerberosLoginsAttr.setValue(kerberosLogins);
                perunBl.getAttributesManagerBl().setAttribute(sess, user, kerberosLoginsAttr);
            }
        } catch (WrongAttributeAssignmentException | AttributeNotExistsException | ExtSourceNotExistsException | WrongAttributeValueException | WrongReferenceAttributeValueException ex) {
            throw new InternalErrorException(ex);
        }
    } else {
        log.warn("No user was found by login '{}' in {} namespace.", userLogin, actualLoginNamespace);
    }

    // validate password
    super.validatePassword(sess, userLogin, user);
}
use of cz.metacentrum.perun.core.api.exceptions.InvalidLoginException in project perun by CESNET.
the class UsersManagerBlImpl method reserveRandomPassword.
/**
 * Reserves a randomly generated password for the user's login in the given namespace.
 *
 * <p>The login is read from the user's login-namespace attribute and the work is handed
 * to the password manager module of that namespace. Runtime exceptions raised by the
 * module are translated to their checked counterparts. Any other exception is wrapped in
 * {@link PasswordCreationFailedException}, with a message that names the namespace and login.
 *
 * @param sess session used for the attribute lookup and module call
 * @param user user whose login is used
 * @param loginNamespace namespace selecting both the login attribute and the module
 * @throws LoginNotExistsException when the login attribute is missing or has no value
 * @throws InvalidLoginException rethrown unchanged from the module
 * @throws PasswordCreationFailedException when the module fails, including the fallback case
 * @throws PasswordOperationTimeoutException when the module reports a timeout
 * @throws PasswordStrengthFailedException when the module reports a strength failure
 */
@Override
public void reserveRandomPassword(PerunSession sess, User user, String loginNamespace) throws PasswordCreationFailedException, LoginNotExistsException, PasswordOperationTimeoutException, PasswordStrengthFailedException, InvalidLoginException {
    log.info("Reserving password for {} in login-namespace {}.", user, loginNamespace);

    try {
        // Resolve the attribute that holds the user's login in this namespace.
        final String loginAttrName = AttributesManager.NS_USER_ATTR_DEF + ":" + AttributesManager.LOGIN_NAMESPACE + ":" + loginNamespace;
        final Attribute loginAttr = getPerunBl().getAttributesManagerBl().getAttribute(sess, user, loginAttrName);
        if (loginAttr.getValue() == null) {
            throw new LoginNotExistsException("Attribute containing login has empty value. Namespace: " + loginNamespace);
        }

        // Delegate password creation to the namespace module.
        final PasswordManagerModule passwordModule = getPasswordManagerModule(sess, loginNamespace);
        try {
            passwordModule.reserveRandomPassword(sess, loginAttr.valueAsString());
        } catch (PasswordCreationFailedRuntimeException creationFailure) {
            throw new PasswordCreationFailedException(creationFailure);
        } catch (PasswordOperationTimeoutRuntimeException timeout) {
            throw new PasswordOperationTimeoutException(timeout);
        } catch (PasswordStrengthFailedRuntimeException strengthFailure) {
            throw new PasswordStrengthFailedException(strengthFailure);
        } catch (InvalidLoginException invalidLogin) {
            // Must stay ahead of the generic handler so it is not rewrapped.
            throw invalidLogin;
        } catch (Exception unexpected) {
            // fallback for exception compatibility
            throw new PasswordCreationFailedException("Password creation failed for " + loginNamespace + ":" + loginAttr.valueAsString() + ".", unexpected);
        }
    } catch (AttributeNotExistsException missingAttr) {
        throw new LoginNotExistsException(missingAttr);
    } catch (WrongAttributeAssignmentException wrongAssignment) {
        throw new InternalErrorException(wrongAssignment);
    }
}
use of cz.metacentrum.perun.core.api.exceptions.InvalidLoginException in project perun by CESNET.
the class UsersManagerBlImpl method reservePassword.
/**
 * Reserves the supplied password for the user's login in the given namespace.
 *
 * <p>The login is read from the user's login-namespace attribute and the work is handed
 * to the password manager module of that namespace. Runtime exceptions raised by the
 * module are translated to their checked counterparts. Any other exception is wrapped in
 * {@link PasswordCreationFailedException}, with a message that names the namespace and
 * login. The password value itself is neither logged nor placed in an exception message
 * by this method.
 *
 * @param sess session used for the attribute lookup and module call
 * @param user user whose login is used
 * @param loginNamespace namespace selecting both the login attribute and the module
 * @param password password passed to the module
 * @throws LoginNotExistsException when the login attribute is missing or has no value
 * @throws InvalidLoginException rethrown unchanged from the module
 * @throws PasswordStrengthException rethrown unchanged from the module
 * @throws PasswordCreationFailedException when the module fails, including the fallback case
 * @throws PasswordOperationTimeoutException when the module reports a timeout
 * @throws PasswordStrengthFailedException when the module reports a strength failure
 */
@Override
public void reservePassword(PerunSession sess, User user, String loginNamespace, String password) throws PasswordCreationFailedException, LoginNotExistsException, PasswordOperationTimeoutException, PasswordStrengthFailedException, InvalidLoginException, PasswordStrengthException {
    log.info("Reserving password for {} in login-namespace {}.", user, loginNamespace);

    try {
        // Resolve the attribute that holds the user's login in this namespace.
        final String loginAttrName = AttributesManager.NS_USER_ATTR_DEF + ":" + AttributesManager.LOGIN_NAMESPACE + ":" + loginNamespace;
        final Attribute loginAttr = getPerunBl().getAttributesManagerBl().getAttribute(sess, user, loginAttrName);
        if (loginAttr.getValue() == null) {
            throw new LoginNotExistsException("Attribute containing login has empty value. Namespace: " + loginNamespace);
        }

        // Delegate password creation to the namespace module.
        final PasswordManagerModule passwordModule = getPasswordManagerModule(sess, loginNamespace);
        try {
            passwordModule.reservePassword(sess, loginAttr.valueAsString(), password);
        } catch (PasswordCreationFailedRuntimeException creationFailure) {
            throw new PasswordCreationFailedException(creationFailure);
        } catch (PasswordOperationTimeoutRuntimeException timeout) {
            throw new PasswordOperationTimeoutException(timeout);
        } catch (PasswordStrengthFailedRuntimeException strengthFailure) {
            throw new PasswordStrengthFailedException(strengthFailure);
        } catch (InvalidLoginException | PasswordStrengthException passThrough) {
            // Must stay ahead of the generic handler so these are not rewrapped.
            throw passThrough;
        } catch (Exception unexpected) {
            // fallback for exception compatibility
            throw new PasswordCreationFailedException("Password creation failed for " + loginNamespace + ":" + loginAttr.valueAsString() + ".", unexpected);
        }
    } catch (AttributeNotExistsException missingAttr) {
        throw new LoginNotExistsException(missingAttr);
    } catch (WrongAttributeAssignmentException wrongAssignment) {
        throw new InternalErrorException(wrongAssignment);
    }
}
use of cz.metacentrum.perun.core.api.exceptions.InvalidLoginException in project perun by CESNET.
the class GroupsManagerBlImpl method deleteAnyGroup.
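/**
 * Deletes a group together with everything that references it.
 *
 * <p>If forceDelete is false, delete only group which has no subgroup and no member.
 * If forceDelete is true, delete group with all subgroups and members.
 *
 * <p>Order of work: subgroups (recursively, always forced), resource assignments and group
 * attributes, reserved logins of group applications (external system first, then DB),
 * assigned ext sources, group union relations, member-group attributes, roles the group
 * holds on other entities, roles other groups and users hold on this group, and finally
 * the group row itself. Roles are unset before the group is deleted.
 *
 * @param sess session used for all manager calls
 * @param group group to delete
 * @param forceDelete if false, delete only empty group without subgroups. If true, delete group including subgroups and members.
 * @throws InternalErrorException when a reserved login cannot be removed, or a role or attribute operation fails unexpectedly
 * @throws RelationExistsException Raise only if forceDelete is false and the group has any subgroup or member.
 * @throws GroupAlreadyRemovedException if there are 0 rows affected by deleting from DB
 */
private void deleteAnyGroup(PerunSession sess, Group group, boolean forceDelete) throws RelationExistsException, GroupAlreadyRemovedException, GroupAlreadyRemovedFromResourceException, GroupNotExistsException, GroupRelationDoesNotExist, GroupRelationCannotBeRemoved {
    Vo vo = this.getVo(sess, group);

    if (getGroupsManagerImpl().getSubGroupsCount(sess, group) > 0) {
        if (!forceDelete) {
            throw new RelationExistsException("Group group=" + group + " contains subgroups");
        }

        // get subgroups of this group
        List<Group> subGroups = getSubGroups(sess, group);
        for (Group subGroup : subGroups) {
            deleteAnyGroup(sess, subGroup, true);
        }
    }

    if ((this.getGroupMembersCount(sess, group) > 0) && !forceDelete) {
        throw new RelationExistsException("Group group=" + group + " contains members");
    }

    List<AssignedResource> assignedResources = getPerunBl().getResourcesManagerBl().getResourceAssignments(sess, group, List.of());
    try {
        for (AssignedResource assignedResource : assignedResources) {
            // A null source group id selects the plain removal, otherwise the automatic one.
            if (assignedResource.getSourceGroupId() == null) {
                getPerunBl().getResourcesManagerBl().removeGroupFromResource(sess, group, assignedResource.getEnrichedResource().getResource());
            } else {
                getPerunBl().getResourcesManagerBl().removeAutomaticGroupFromResource(sess, group, assignedResource.getEnrichedResource().getResource(), assignedResource.getSourceGroupId());
            }
        }
        // remove group's attributes
        getPerunBl().getAttributesManagerBl().removeAllAttributes(sess, group);
    } catch (GroupNotDefinedOnResourceException ex) {
        throw new ConsistencyErrorException(ex);
    } catch (AttributeValueException ex) {
        throw new ConsistencyErrorException("All resources was removed from this group, so no attributes should remain assigned.", ex);
    }

    // delete all Groups reserved logins from KDC
    // NOTE(review): a failure below aborts the deletion after resources and attributes were
    // already removed; whether that is rolled back depends on transaction handling that is
    // not visible in this method - confirm.
    List<Integer> list = getGroupsManagerImpl().getGroupApplicationIds(sess, group);
    for (Integer appId : list) {
        // for each application
        for (Pair<String, String> login : getGroupsManagerImpl().getApplicationReservedLogins(appId)) {
            // for all reserved logins - delete them in ext. system (e.g. KDC)
            try {
                // left = namespace / right = login
                getPerunBl().getUsersManagerBl().deletePassword(sess, login.getRight(), login.getLeft());
            } catch (LoginNotExistsException ex) {
                // Already gone in the external system: log and continue with the next login.
                log.error("Login: {} not exists in namespace: {} while deleting passwords.", login.getRight(), login.getLeft());
            } catch (InvalidLoginException e) {
                throw new InternalErrorException("We are deleting reserved login from group applications, but its syntax is not allowed by namespace configuration.", e);
            } catch (PasswordDeletionFailedException | PasswordOperationTimeoutException ex) {
                throw new InternalErrorException("Failed to delete reserved login " + login.getRight() + " from KDC.", ex);
            }
        }
    }
    // delete all Groups reserved logins from DB
    getGroupsManagerImpl().deleteGroupReservedLogins(sess, group);

    // remove all assigned ExtSources to this group
    List<ExtSource> assignedSources = getPerunBl().getExtSourcesManagerBl().getGroupExtSources(sess, group);
    for (ExtSource source : assignedSources) {
        try {
            getPerunBl().getExtSourcesManagerBl().removeExtSource(sess, group, source);
        } catch (ExtSourceNotAssignedException | ExtSourceAlreadyRemovedException ex) {
            // Just log this, because if method can't remove it, it is probably not assigned now
            log.warn("Try to remove not existing extSource {} from group {} when deleting group.", source, group);
        }
    }

    // 1. remove all relations with group g as an operand group.
    // this removes all relations that depend on this group
    List<Integer> relations = groupsManagerImpl.getResultGroupsIds(sess, group.getId());
    for (Integer groupId : relations) {
        removeGroupUnion(sess, groupsManagerImpl.getGroupById(sess, groupId), group, true);
    }

    // 2. remove all relations with group as a result group
    // We can remove relations without recalculation (@see removeRelationMembers)
    // because all dependencies of group were deleted in step 1.
    groupsManagerImpl.removeResultGroupRelations(sess, group);

    // Group applications, submitted data and app_form are deleted on cascade with "deleteGroup()"
    // Members are captured here, before the group row is deleted, for the final log call.
    List<Member> membersFromDeletedGroup = getGroupMembers(sess, group);

    // delete all member-group attributes
    for (Member member : membersFromDeletedGroup) {
        try {
            perunBl.getAttributesManagerBl().removeAllAttributes(sess, member, group);
        } catch (AttributeValueException ex) {
            throw new ConsistencyErrorException("All members were removed from this group. So all member-group attribute values can be removed.", ex);
        } catch (MemberGroupMismatchException e) {
            throw new InternalErrorException("Member we tried to remove all member-group attributes doesn't come from the same VO as group", e);
        }
    }

    // remove admin roles of group
    List<Facility> facilitiesWhereGroupIsAdmin = getGroupsManagerImpl().getFacilitiesWhereGroupIsAdmin(sess, group);
    for (Facility facility : facilitiesWhereGroupIsAdmin) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, group, facility, Role.FACILITYADMIN);
        } catch (GroupNotAdminException e) {
            log.warn("Can't unset group {} as admin of facility {} due to group not admin exception {}.", group, facility, e);
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    List<Group> groupsWhereGroupIsAdmin = getGroupsManagerImpl().getGroupsWhereGroupIsAdmin(sess, group);
    for (Group group1 : groupsWhereGroupIsAdmin) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, group, group1, Role.GROUPADMIN);
        } catch (GroupNotAdminException e) {
            log.warn("Can't unset group {} as admin of group {} due to group not admin exception {}.", group, group1, e);
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    List<Resource> resourcesWhereGroupIsAdmin = getGroupsManagerImpl().getResourcesWhereGroupIsAdmin(sess, group);
    for (Resource resource : resourcesWhereGroupIsAdmin) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, group, resource, Role.RESOURCEADMIN);
        } catch (GroupNotAdminException e) {
            log.warn("Can't unset group {} as admin of resource {} due to group not admin exception {}.", group, resource, e);
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    List<Resource> resourcesWhereGroupIsResourceSelfService = getGroupsManagerImpl().getResourcesWhereGroupIsResourceSelfService(sess, group);
    for (Resource resource : resourcesWhereGroupIsResourceSelfService) {
        try {
            perunBl.getResourcesManagerBl().removeResourceSelfServiceGroup(sess, resource, group);
        } catch (GroupNotAdminException e) {
            log.warn("Can't unset group {} as admin of resource {} due to group not admin exception {}.", group, resource, e);
        }
    }

    List<SecurityTeam> securityTeamsWhereGroupIsAdmin = getGroupsManagerImpl().getSecurityTeamsWhereGroupIsAdmin(sess, group);
    for (SecurityTeam securityTeam : securityTeamsWhereGroupIsAdmin) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, group, securityTeam, Role.SECURITYADMIN);
        } catch (GroupNotAdminException e) {
            log.warn("Can't unset group {} as admin of security team {} due to group not admin exception {}.", group, securityTeam, e);
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    List<Vo> vosWhereGroupIsAdmin = getGroupsManagerImpl().getVosWhereGroupIsAdmin(sess, group);
    for (Vo vo1 : vosWhereGroupIsAdmin) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, group, vo1, Role.VOADMIN);
        } catch (GroupNotAdminException e) {
            // The entity here is a VO; the message previously said "facility".
            log.warn("Can't unset group {} as admin of vo {} due to group not admin exception {}.", group, vo1, e);
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    // remove admins of this group
    List<Group> adminGroups = getGroupsManagerImpl().getGroupAdmins(sess, group);
    for (Group adminGroup : adminGroups) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, adminGroup, group, Role.GROUPADMIN);
        } catch (GroupNotAdminException e) {
            log.warn("When trying to unsetRole GroupAdmin for group {} in the group {} the exception was thrown {}", adminGroup, group, e);
            // skip and log as warning
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    List<User> adminUsers = getGroupsManagerImpl().getAdmins(sess, group);
    for (User adminUser : adminUsers) {
        try {
            AuthzResolverBlImpl.unsetRole(sess, adminUser, group, Role.GROUPADMIN);
        } catch (UserNotAdminException e) {
            log.warn("When trying to unsetRole GroupAdmin for user {} in the group {} the exception was thrown {}", adminUser, group, e);
            // skip and log as warning
        } catch (RoleCannotBeManagedException e) {
            throw new InternalErrorException(e);
        }
    }

    // Deletes also all direct and indirect members of the group
    getGroupsManagerImpl().deleteGroup(sess, vo, group);

    logTotallyRemovedMembers(sess, group.getParentGroupId(), membersFromDeletedGroup);

    getPerunBl().getAuditer().log(sess, new GroupDeleted(group));
}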