use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class AuthenticatedSharedAgents method isMember.
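/**
 * Determines if the agent belongs to the
 * <code>AuthenticatedSharedAgents</code> object.
 * <p>
 * Membership requires all of the following: a non-null, currently valid
 * SSOToken; an identity of type <code>AGENT</code> or
 * <code>AGENTONLY</code> whose name is non-null; and a positive answer
 * from <code>isSharedAgent</code>. A failure while reading the identity
 * repository is logged and reported as "not a member", so the check
 * fails closed.
 * @param token SSOToken of the agent
 * @return <code>true</code> if the agent SSOToken is valid and the agent
 * is a shared agent, <code>false</code> otherwise.
 * @exception SSOException if error occurs while validating the token.
 */
public boolean isMember(SSOToken token) throws SSOException {
    // A null or invalid token can never be a member.
    if (token == null || !SSOTokenManager.getInstance().isValidToken(token)) {
        return false;
    }
    boolean member = false;
    try {
        AMIdentity amId = IdUtils.getIdentity(token);
        IdType idType = amId.getType();
        String userDN = amId.getName();
        String userDNUnivId = amId.getUniversalId();
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgents:isMember:" + "idType = " + idType + ", userDN = " + userDN);
        }
        // Constant-first equals(): a null idType yields false instead of an NPE.
        boolean agentType = IdType.AGENT.equals(idType) || IdType.AGENTONLY.equals(idType);
        if (userDN != null && agentType) {
            String rlmName = amId.getRealm();
            member = isSharedAgent(token, userDN, userDNUnivId, rlmName);
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgents:isMember:" + (member ? "YES" : "NO"));
            }
        } else {
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgents.isMember():" + "userDN is null or invalid IdType " + userDN + "IdType :" + idType);
                debug.message("AuthenticatedSharedAgents.isMember():" + "returning false");
            }
        }
    } catch (IdRepoException ire) {
        // Fail closed: an identity that cannot be read is not a member.
        debug.error("AuthenticatedSharedAgents:isMember:" + " IdRepoException:msg = " + ire.getMessage());
        member = false;
    }
    return member;
}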
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class AMIdentityMembershipConditionTest method conditionShouldEvaluateToFalseWhenConfiguredIdentityCanHaveMembersButInvocatorIsNotAMember.
@Test
public void conditionShouldEvaluateToFalseWhenConfiguredIdentityCanHaveMembersButInvocatorIsNotAMember() throws EntitlementException, IdRepoException, SSOException {
    //Given
    // Two distinct mocks: the calling identity and the identity named in the condition state.
    AMIdentity caller = mock(AMIdentity.class);
    AMIdentity configured = mock(AMIdentity.class);
    IdType callerType = mock(IdType.class);
    IdType configuredType = mock(IdType.class);
    given(caller.getType()).willReturn(callerType);
    given(configured.getType()).willReturn(configuredType);
    // The configured identity may hold members of the caller's type,
    // but the caller itself is not one of its members.
    given(configuredType.canHaveMembers()).willReturn(Collections.singleton(callerType));
    given(caller.isMember(configured)).willReturn(false);
    given(coreWrapper.getIdentity(adminToken, "INVOCATOR_UUID")).willReturn(caller);
    given(coreWrapper.getIdentity(adminToken, "IDENTITY")).willReturn(configured);
    condition.setState("{\"amIdentityName\": [\"IDENTITY\"]}");
    Map<String, Set<String>> environment = new HashMap<String, Set<String>>();
    environment.put(INVOCATOR_PRINCIPAL_UUID, Collections.singleton("INVOCATOR_UUID"));
    Subject subject = new Subject();
    //When
    ConditionDecision decision = condition.evaluate("REALM", subject, "RESOURCE_NAME", environment);
    //Then
    assertThat(decision.isSatisfied()).isFalse();
    assertThat(decision.getAdvice()).isEmpty();
}
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class AMIdentityMembershipConditionTest method conditionShouldEvaluateToTrueWhenUsingIdentitiesMatch.
@Test
public void conditionShouldEvaluateToTrueWhenUsingIdentitiesMatch() throws EntitlementException, IdRepoException, SSOException {
    //Given
    // A single mock plays both roles, so the caller and the configured identity are the same object.
    AMIdentity sameIdentity = mock(AMIdentity.class);
    given(coreWrapper.getIdentity(adminToken, "INVOCATOR_UUID")).willReturn(sameIdentity);
    given(coreWrapper.getIdentity(adminToken, "IDENTITY")).willReturn(sameIdentity);
    condition.setState("{\"amIdentityName\": [\"IDENTITY\"]}");
    Map<String, Set<String>> environment = new HashMap<String, Set<String>>();
    environment.put(INVOCATOR_PRINCIPAL_UUID, Collections.singleton("INVOCATOR_UUID"));
    Subject subject = new Subject();
    //When
    ConditionDecision decision = condition.evaluate("REALM", subject, "RESOURCE_NAME", environment);
    //Then
    assertThat(decision.isSatisfied()).isTrue();
    assertThat(decision.getAdvice()).isEmpty();
}
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class FSDefaultSPAdapter method postSSOFederationSuccess.
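/**
 * Invokes this method after the successful Single Sign-On or Federation.
 * <p>
 * When the original request asked for a federated name identifier, this
 * default implementation searches the organization named in
 * <code>ssoToken</code> for every user carrying the federation key
 * <code>|hostedEntityID|nameId|</code>. If more than one user is found,
 * the federation information is removed from every user other than the
 * one identified by <code>ssoToken</code>. Problems during that clean-up
 * are logged as warnings and do not fail the Single Sign-On. This
 * implementation never redirects the browser.
 * @param hostedEntityID provider ID for the hosted SP
 * @param request servlet request
 * @param response servlet response
 * @param ssoToken user's SSO token
 * @param authnRequest the original authentication request sent from SP
 * @param authnResponse response from IDP if Browser POST or LECP profile
 * is used for the request, value will be null if Browser Artifact
 * profile is used.
 * @param samlResponse response from IDP if Browser Artifact profile is used
 * for the request, value will be null if Browser POST or LECP
 * profile is used.
 * @exception FederationException if user want to fail the process.
 * @return true if browser redirection happened, false otherwise.
 */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        // Constant-first equals(): a missing policy means "not federation" rather than an NPE.
        isFederation = IFSConstants.NAME_ID_POLICY_FEDERATED.equals(nameIDPolicy);
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            // Without an assertion there is no subject to read the name identifier from.
            if (assertions == null || assertions.isEmpty()) {
                FSUtils.debug.warning("FSAdapter.postSuc : no assertion in response");
                return false;
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            // Only the first authentication statement is consulted for the name identifier.
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    // Prefer the IDP-provided identifier; fall back to the plain one.
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            // Find every user in the token's organization that carries this federation key.
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    // NOTE(review): realm is not a parameter of this method; presumably a field of the adapter — confirm.
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                    if (spConfig != null) {
                        metaAlias = spConfig.getMetaAlias();
                    }
                } catch (IDFFMetaException ie) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}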
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class GlobalDiscoEntryHandler method modifyDiscoEntries.
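/**
 * Modify DiscoEntries for the default organization.
 * <p>
 * The current entries are read from the realm identity, the removes and
 * inserts are applied to that in-memory copy, and the result is written
 * back in one call. Any failure along the way, including an unexpected
 * exception, is logged and reported as status "Failed".
 * @param userID This is not used in this implementation.
 *
 * @param removes List of
 * com.sun.identity.liberty.ws.disco.jaxb.RemoveEntryType jaxb
 * objects.
 * @param inserts List of
 * com.sun.identity.liberty.ws.disco.jaxb.InsertEntryType jaxb
 * objects.
 * @return Map which contains the following key value pairs:
 * Key: <code>DiscoEntryHandler.STATUS_CODE</code>
 * Value: status code String such as "OK", "Failed", etc.
 * Key: <code>DiscoEntryHandler.NEW_ENTRY_IDS</code>
 * Value: List of entryIds for the entries that were added.
 * The second key/value pair will only exist when status code is
 * "OK", and there are InsertEntry elements in the Modify request.
 * When successful, all modification (removes and inserts) should
 * be done. No partial changes should be done.
 */
public Map modifyDiscoEntries(String userID, List removes, List inserts) {
    if (DiscoUtils.debug.messageEnabled()) {
        DiscoUtils.debug.message("GlobalDiscoEntryHandler.modifyDisco" + "Entries: init ");
    }
    // Start pessimistic: every early exit below reports STATUS_FAILED.
    Map result = new HashMap();
    result.put(STATUS_CODE, DiscoConstants.STATUS_FAILED);
    Map discoEntries = new HashMap();
    try {
        // Try to register discovery service if not already registered
        registerDiscoveryService();
        // Resolve the realm identity once and use the same instance for read and write.
        AMIdentity amId = getRealmIdentity();
        DiscoEntryHandlerImplUtils.getGlobalDiscoEntries(amId, DYNAMIC_ATTR_NAME, discoEntries, userID);
        if (removes != null && !removes.isEmpty()) {
            if (!DiscoEntryHandlerImplUtils.handleRemoves(discoEntries, removes)) {
                return result;
            }
        }
        Set entries = new HashSet(discoEntries.values());
        List newEntryIDs = null;
        if (inserts != null && !inserts.isEmpty()) {
            Map insertResults = DiscoEntryHandlerImplUtils.handleInserts(entries, inserts);
            // Constant-first equals(): a missing status code counts as failure, not an NPE.
            if (!DiscoConstants.STATUS_OK.equals(insertResults.get(STATUS_CODE))) {
                return result;
            }
            newEntryIDs = (List) insertResults.get(NEW_ENTRY_IDS);
        }
        // NOTE(review): the all-or-nothing contract assumes handleRemoves/handleInserts
        // only touch the in-memory map and set and that this call is the only write — confirm.
        if (!DiscoEntryHandlerImplUtils.setGlobalDiscoEntries(amId, DYNAMIC_ATTR_NAME, entries)) {
            return result;
        }
        result.put(STATUS_CODE, DiscoConstants.STATUS_OK);
        if (newEntryIDs != null && !newEntryIDs.isEmpty()) {
            result.put(NEW_ENTRY_IDS, newEntryIDs);
        }
        return result;
    } catch (Exception ex) {
        // DiscoveryException and any other failure are handled alike: log and report STATUS_FAILED.
        DiscoUtils.debug.error("GlobalDiscoEntryHandler.modify" + "DiscoEntries: Exception", ex);
        return result;
    }
}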