use of com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType in project midpoint by Evolveum.
Class XNodeProcessorUtil, method parseProtectedType.
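/**
 * Parses the protected-data children of {@code xmap} into {@code protectedType}.
 *
 * Lookup order: {@code encryptedData} first; failing that, the legacy {@code EncryptedData}
 * layout (its element names are lower-camel-cased and the {@code type} element dropped before
 * parsing, and a ProtectedStringType target is additionally passed through
 * transformEncryptedValue); then {@code hashedData}; and only if none of those populated the
 * target, {@code clearValue} (looked up under its qualified name first, then under the bare
 * local name for backward compatibility).
 *
 * @param protectedType target that receives the encrypted, hashed or clear data
 * @param xmap          map node holding the protected-type children
 * @param prismContext  prism context whose parser handles the sub-nodes
 * @param pc            parsing context propagated to the sub-parsers
 * @param <T>           clear-value type of the protected data
 * @throws SchemaException if a recognised child is not the node type it has to be
 */
public static <T> void parseProtectedType(ProtectedDataType<T> protectedType, MapXNode xmap, PrismContext prismContext, ParsingContext pc) throws SchemaException {
    RootXNode xEncryptedData = xmap.getEntryAsRoot(ProtectedDataType.F_ENCRYPTED_DATA);
    if (xEncryptedData != null) {
        if (!(xEncryptedData.getSubnode() instanceof MapXNode)) {
            throw new SchemaException("Cannot parse encryptedData from " + xEncryptedData);
        }
        EncryptedDataType encryptedDataType = prismContext.parserFor(xEncryptedData).context(pc).parseRealValue(EncryptedDataType.class);
        protectedType.setEncryptedData(encryptedDataType);
    } else {
        // Check for legacy EncryptedData
        RootXNode xLegacyEncryptedData = xmap.getEntryAsRoot(ProtectedDataType.F_XML_ENC_ENCRYPTED_DATA);
        if (xLegacyEncryptedData != null) {
            if (!(xLegacyEncryptedData.getSubnode() instanceof MapXNode)) {
                // Report the legacy node: xEncryptedData is known to be null on this branch,
                // so naming it here produced a useless "from null" message.
                throw new SchemaException("Cannot parse EncryptedData from " + xLegacyEncryptedData);
            }
            // Legacy element names are capitalised; re-case them into the current schema's
            // names and drop the "type" element, which the current EncryptedDataType has no
            // counterpart for.
            RootXNode xConvertedEncryptedData = (RootXNode) xLegacyEncryptedData.cloneTransformKeys(in -> {
                String elementName = StringUtils.uncapitalize(in.getLocalPart());
                if (elementName.equals("type")) {
                    return null;
                }
                return new QName(null, elementName);
            });
            EncryptedDataType encryptedDataType = prismContext.parserFor(xConvertedEncryptedData).context(pc).parseRealValue(EncryptedDataType.class);
            protectedType.setEncryptedData(encryptedDataType);
            if (protectedType instanceof ProtectedStringType) {
                transformEncryptedValue(protectedType, prismContext);
            }
        }
    }
    RootXNode xHashedData = xmap.getEntryAsRoot(ProtectedDataType.F_HASHED_DATA);
    if (xHashedData != null) {
        if (!(xHashedData.getSubnode() instanceof MapXNode)) {
            throw new SchemaException("Cannot parse hashedData from " + xHashedData);
        }
        HashedDataType hashedDataType = prismContext.parserFor(xHashedData).context(pc).parseRealValue(HashedDataType.class);
        protectedType.setHashedData(hashedDataType);
    }
    // No protected form was found: fall back to a clear value. Because this is guarded by
    // isEmpty(), a clearValue element can never override encrypted or hashed data.
    if (protectedType.isEmpty()) {
        XNode xClearValue = xmap.get(ProtectedDataType.F_CLEAR_VALUE);
        if (xClearValue == null) {
            //TODO: try to use common namespace (only to be compatible with previous versions)
            //FIXME maybe add some warning, info...
            xClearValue = xmap.get(new QName(ProtectedDataType.F_CLEAR_VALUE.getLocalPart()));
        }
        if (xClearValue == null) {
            return;
        }
        if (!(xClearValue instanceof PrimitiveXNode)) {
            // NOTE(review): the message embeds the offending node, so anything that logs this
            // exception carries the node's content; consider naming only the node type here.
            throw new SchemaException("Cannot parse clear value from " + xClearValue);
        }
        // The clear value is always read as an xsd:string and cast to T (TODO: honour the
        // actual clear-value type); the cast is unchecked by construction.
        @SuppressWarnings("unchecked")
        T clearValue = (T) ((PrimitiveXNode) xClearValue).getParsedValue(DOMUtil.XSD_STRING, String.class);
        protectedType.setClearValue(clearValue);
    }
}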
use of com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType in project midpoint by Evolveum.
Class ModelClientUtil, method createProtectedString.
/**
 * Wraps {@code clearValue} in a new ProtectedStringType as a clearValue element.
 *
 * The value is stored in the clear: nothing in this method encrypts or hashes it, so the
 * returned object holds the secret as plain text until something downstream protects it
 * (not visible here).
 *
 * @param clearValue the plain-text value to wrap
 * @return a ProtectedStringType whose content holds {@code clearValue} as a clearValue element
 */
public static ProtectedStringType createProtectedString(String clearValue) {
    ProtectedStringType wrapped = new ProtectedStringType();
    // Workaround: adding the clearValue element to the content list instead of setting the
    // clear value directly, because the server side had a parsing bug with the direct form (TODO).
    wrapped.getContent().add(toJaxbElement(TYPES_CLEAR_VALUE, clearValue));
    return wrapped;
}
use of com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType in project midpoint by Evolveum.
Class ProjectionCredentialsProcessor, method processProjectionPasswordMapping.
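/**
 * Evaluates the outbound password mappings of one projection and lets the mapping evaluator
 * write the result into the projection's password value (PATH_PASSWORD_VALUE).
 *
 * Returns early, with a trace message and no delta produced, when the focus has no "new"
 * object (delete or similar), when the projection has no refined object-class definition or
 * no outbound password mapping, or when the projection is neither reconciled nor added and
 * isActivated(...) reports the mappings as not activated by the focus delta.
 *
 * Inside the output processor: if the mapping yields only values whose cleartext cannot be
 * obtained (canGetCleartext is false) and the projection already carries a primary password
 * delta, the primary delta wins and every mapping - strong ones included - is skipped, because
 * a hashed value cannot initialise the account on the resource.
 *
 * Trace messages here log only the resource/shadow discriminator, never the password value.
 *
 * @param context        lens context holding the focus and its deltas
 * @param projCtx        projection whose password is being computed
 * @param passwordPolicy value policy whose string policy is handed to the mapping; may be null
 * @param now            timestamp handed to the mapping evaluator
 * @param task           current task
 * @param result         operation result the evaluation reports into
 */
private <F extends FocusType> void processProjectionPasswordMapping(LensContext<F> context, final LensProjectionContext projCtx, final ValuePolicyType passwordPolicy, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, CommunicationException, ConfigurationException, SecurityViolationException {
    LensFocusContext<F> focusContext = context.getFocusContext();
    PrismObject<F> userNew = focusContext.getObjectNew();
    if (userNew == null) {
        // This must be a user delete or something similar. No point in proceeding
        LOGGER.trace("userNew is null, skipping credentials processing");
        return;
    }
    PrismObjectDefinition<ShadowType> accountDefinition = prismContext.getSchemaRegistry().findObjectDefinitionByCompileTimeClass(ShadowType.class);
    PrismPropertyDefinition<ProtectedStringType> projPasswordPropertyDefinition = accountDefinition.findPropertyDefinition(SchemaConstants.PATH_PASSWORD_VALUE);
    ResourceShadowDiscriminator rsd = projCtx.getResourceShadowDiscriminator();
    RefinedObjectClassDefinition refinedProjDef = projCtx.getStructuralObjectClassDefinition();
    if (refinedProjDef == null) {
        LOGGER.trace("No RefinedObjectClassDefinition, therefore also no password outbound definition, skipping credentials processing for projection {}", rsd);
        return;
    }
    List<MappingType> outboundMappingTypes = refinedProjDef.getPasswordOutbound();
    if (outboundMappingTypes == null || outboundMappingTypes.isEmpty()) {
        LOGGER.trace("No outbound password mapping for {}, skipping credentials processing", rsd);
        return;
    }
    // HACK: outside reconciliation and projection add, only run the mappings when the focus
    // delta activates them.
    if (!projCtx.isDoReconciliation() && !projCtx.isAdd() && !isActivated(outboundMappingTypes, focusContext.getDelta())) {
        LOGGER.trace("Outbound password mappings not activated for type {}, skipping credentials processing", rsd);
        return;
    }
    final ObjectDelta<ShadowType> projDelta = projCtx.getDelta();
    final PropertyDelta<ProtectedStringType> projPasswordDelta;
    if (projDelta != null && projDelta.getChangeType() == MODIFY) {
        projPasswordDelta = projDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
    } else {
        projPasswordDelta = null;
    }
    checkExistingDeltaSanity(projCtx, projPasswordDelta);
    boolean evaluateWeak = getEvaluateWeak(projCtx);
    // NOTE(review): the value type argument (PasswordType) does not match the definition type
    // argument (ProtectedStringType); left as is, the IDI is only used as the mapping source.
    final ItemDeltaItem<PrismPropertyValue<PasswordType>, PrismPropertyDefinition<ProtectedStringType>> userPasswordIdi = focusContext.getObjectDeltaObject().findIdi(SchemaConstants.PATH_PASSWORD_VALUE);
    // Output path/definition are irrelevant here: the resolver always answers with the
    // projection's password policy (or null when there is none).
    StringPolicyResolver stringPolicyResolver = new StringPolicyResolver() {
        @Override
        public void setOutputPath(ItemPath outputPath) {
        }
        @Override
        public void setOutputDefinition(ItemDefinition outputDefinition) {
        }
        @Override
        public StringPolicyType resolve() {
            if (passwordPolicy == null) {
                return null;
            }
            return passwordPolicy.getStringPolicy();
        }
    };
    // Source is the focus password value, target the shadow password value.
    MappingInitializer<PrismPropertyValue<ProtectedStringType>, PrismPropertyDefinition<ProtectedStringType>> initializer = (builder) -> {
        builder.defaultTargetDefinition(projPasswordPropertyDefinition);
        builder.defaultSource(new Source<>(userPasswordIdi, ExpressionConstants.VAR_INPUT));
        builder.stringPolicyResolver(stringPolicyResolver);
        return builder;
    };
    // Returns false to tell the evaluator to drop the mapping output for this projection.
    MappingOutputProcessor<PrismPropertyValue<ProtectedStringType>> processor = (mappingOutputPath, outputStruct) -> {
        PrismValueDeltaSetTriple<PrismPropertyValue<ProtectedStringType>> outputTriple = outputStruct.getOutputTriple();
        if (outputTriple == null) {
            LOGGER.trace("Credentials 'password' expression resulted in null output triple, skipping credentials processing for {}", rsd);
            return false;
        }
        boolean projectionIsNew = projDelta != null && (projDelta.getChangeType() == ChangeType.ADD || projCtx.getSynchronizationPolicyDecision() == SynchronizationPolicyDecision.ADD);
        // A new projection takes everything that is not being removed; an existing one only
        // the values the mapping adds. (The former unconditional getPlusSet() initialisation
        // was dead and has been dropped.)
        Collection<PrismPropertyValue<ProtectedStringType>> newValues;
        if (projectionIsNew) {
            newValues = outputTriple.getNonNegativeValues();
        } else {
            newValues = outputTriple.getPlusSet();
        }
        if (!canGetCleartext(newValues)) {
            ObjectDelta<ShadowType> projectionPrimaryDelta = projCtx.getPrimaryDelta();
            if (projectionPrimaryDelta != null) {
                PropertyDelta<ProtectedStringType> passwordPrimaryDelta = projectionPrimaryDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
                if (passwordPrimaryDelta != null) {
                    // We have only hashed value coming from the mapping. There are not very useful
                    // for provisioning. But we have primary projection delta - and that is very likely
                    // to be better.
                    // Skip all password mappings in this case. Primary delta trumps everything.
                    // No weak, normal or even strong mapping can change that.
                    // We need to disregard even strong mapping in this case. If we would heed the strong
                    // mapping then account initialization won't be possible.
                    LOGGER.trace("We have primary password delta in projection, skipping credentials processing");
                    return false;
                }
            }
        }
        return true;
    };
    mappingEvaluator.evaluateOutboundMapping(context, projCtx, outboundMappingTypes, SchemaConstants.PATH_PASSWORD_VALUE, SchemaConstants.PATH_PASSWORD_VALUE, initializer, processor, now, true, evaluateWeak, "password mapping", task, result);
}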
use of com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType in project midpoint by Evolveum.
Class ProjectionCredentialsProcessor, method applyMetadata.
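/**
 * Adds password metadata (create or modify) to the projection's secondary delta whenever the
 * projection delta changes the password value.
 *
 * Nothing is done for a delete, when there is no shadow delta, or when the delta carries no
 * change to PATH_PASSWORD_VALUE. On add, one create-metadata container value is added under
 * PATH_PASSWORD_METADATA; on modify, modify-metadata deltas are generated only when the shadow
 * delta does not already contain a metadata delta for that path. Every generated value is
 * marked with OriginType.OUTBOUND.
 *
 * @param context           lens context the operational-data manager reads from
 * @param projectionContext projection whose delta is inspected and extended
 * @param now               timestamp recorded in the metadata
 * @param task              current task
 * @param result            operation result (not used directly here)
 */
private <F extends FocusType> void applyMetadata(LensContext<F> context, final LensProjectionContext projectionContext, XMLGregorianCalendar now, Task task, OperationResult result) throws ExpressionEvaluationException, ObjectNotFoundException, SchemaException, PolicyViolationException {
    ObjectDelta<ShadowType> accountDelta = projectionContext.getDelta();
    if (projectionContext.isDelete()) {
        return;
    }
    if (accountDelta == null) {
        LOGGER.trace("Skipping application of password metadata. Shadow delta not specified.");
        return;
    }
    PropertyDelta<ProtectedStringType> passwordValueDelta = accountDelta.findPropertyDelta(SchemaConstants.PATH_PASSWORD_VALUE);
    if (passwordValueDelta == null) {
        LOGGER.trace("Skipping application of password metadata. No password change.");
        return;
    }
    if (projectionContext.isAdd()) {
        MetadataType metadataType = operationalDataManager.createCreateMetadata(context, now, task);
        ContainerDelta<MetadataType> metadataDelta = ContainerDelta.createDelta(SchemaConstants.PATH_PASSWORD_METADATA, projectionContext.getObjectDefinition());
        PrismContainerValue<MetadataType> cval = metadataType.asPrismContainerValue();
        cval.setOriginTypeRecursive(OriginType.OUTBOUND);
        // Add the very instance stamped above, so the OUTBOUND origin is guaranteed to be on
        // the value that lands in the delta regardless of what asPrismContainerValue() returns.
        metadataDelta.addValuesToAdd(cval);
        projectionContext.swallowToSecondaryDelta(metadataDelta);
    } else if (projectionContext.isModify()) {
        ContainerDelta<MetadataType> metadataDelta = accountDelta.findContainerDelta(SchemaConstants.PATH_PASSWORD_METADATA);
        // An existing metadata delta is left alone; only generate one when none is present.
        if (metadataDelta == null) {
            Collection<? extends ItemDelta<?, ?>> modifyMetadataDeltas = operationalDataManager.createModifyMetadataDeltas(context, SchemaConstants.PATH_PASSWORD_METADATA, projectionContext.getObjectDefinition(), now, task);
            for (ItemDelta<?, ?> itemDelta : modifyMetadataDeltas) {
                itemDelta.setOriginTypeRecursive(OriginType.OUTBOUND);
                projectionContext.swallowToSecondaryDelta(itemDelta);
            }
        }
    }
}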
use of com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType in project midpoint by Evolveum.
Class SecurityQuestionsPolicyEvaluator, method validateCredentialContainerValues.
/**
 * Validates every security-question answer in the credentials container value.
 *
 * Each answer is a ProtectedStringType and is handed to validateProtectedStringValue, i.e. it
 * goes through the same protected-string validation as the other credential types handled by
 * this evaluator family. A null containerable is accepted and validates nothing.
 *
 * @param cVal container value holding the security-questions credentials
 * @throws PolicyViolationException if an answer violates the policy (raised by the delegate)
 */
@Override
protected void validateCredentialContainerValues(PrismContainerValue<SecurityQuestionsCredentialsType> cVal) throws PolicyViolationException, SchemaException, ObjectNotFoundException, ExpressionEvaluationException {
    SecurityQuestionsCredentialsType credentials = cVal.asContainerable();
    if (credentials == null) {
        return;
    }
    for (SecurityQuestionAnswerType entry : credentials.getQuestionAnswer()) {
        validateProtectedStringValue(entry.getQuestionAnswer());
    }
}