Search in sources :

Example 26 with IdSearchResults

use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.

the class DelegationPolicyImpl method getSubjects.

/**
     * Returns a set of selected subjects of specified types matching the
     * pattern in the given realm. The pattern accepts "*" as the wild card for
     * searching subjects. For example, "a*c" matches with any subject starting
     * with a and ending with c.
     * 
     * @param token The <code>SSOToken</code> of the requesting user
     * @param orgName The name of the realm from which the subjects are fetched.
     * @param types a set of subject types. e.g. ROLE, GROUP.
     * @param pattern a filter used to select the subjects.
     * 
     * @return a set of subjects associated with the realm.
     * 
     * @throws SSOException invalid or expired single-sign-on token
     * @throws DelegationException for any abnormal condition
     *
     * @return <code>Set</code> of universal Ids of the subjects associated 
     *         with the realm.
     *
     * @throws SSOException invalid or expired single-sign-on token
     * @throws DelegationException for any abnormal condition
     */
public Set getSubjects(SSOToken token, String orgName, Set types, String pattern) throws SSOException, DelegationException {
    Set results = new HashSet();
    // All Authenticated Users would be returned only if pattern is *
    if ((pattern != null) && pattern.equals("*")) {
        results.add(AUTHN_USERS_ID);
    }
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): types=" + types);
    }
    try {
        AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
        Set supportedTypes = idRepo.getSupportedIdTypes();
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): " + "supported subject types=" + supportedTypes);
        }
        if ((supportedTypes != null) && (!supportedTypes.isEmpty()) && (types != null) && (!types.isEmpty())) {
            Iterator it = types.iterator();
            while (it.hasNext()) {
                IdType idType = IdUtils.getType((String) it.next());
                if (supportedTypes.contains(idType)) {
                    IdSearchControl ctrl = new IdSearchControl();
                    ctrl.setRecursive(true);
                    ctrl.setMaxResults(-1);
                    ctrl.setTimeOut(-1);
                    IdSearchResults idsr = idRepo.searchIdentities(idType, pattern, ctrl);
                    if (idsr != null) {
                        Set searchRes = idsr.getSearchResults();
                        if ((searchRes != null) && (!searchRes.isEmpty())) {
                            Iterator iter = searchRes.iterator();
                            while (iter.hasNext()) {
                                AMIdentity id = (AMIdentity) iter.next();
                                results.add(IdUtils.getUniversalId(id));
                            }
                        }
                    }
                }
            }
        }
        return results;
    } catch (IdRepoException ide) {
        throw new DelegationException(ide);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) Iterator(java.util.Iterator) IdSearchControl(com.sun.identity.idm.IdSearchControl) IdRepoException(com.sun.identity.idm.IdRepoException) DelegationException(com.sun.identity.delegation.DelegationException) HashSet(java.util.HashSet) IdType(com.sun.identity.idm.IdType)

Example 27 with IdSearchResults

use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.

the class FSDefaultSPAdapter method postSSOFederationSuccess.

/**
     * Invokes this method after the successful Single Sign-On or Federation.
     * @param hostedEntityID provider ID for the hosted SP
     * @param request servlet request
     * @param response servlet response
     * @param ssoToken user's SSO token
     * @param authnRequest the original authentication request sent from SP 
     * @param authnResponse response from IDP if Browser POST or LECP profile
     *        is used for the request, value will be null if Browser Artifact
     *        profile is used. 
     * @param samlResponse response from IDP if Browser Artifact profile is used
     *        for the request, value will be null if Browser POST or LECP 
     *        profile is used.
     * @exception FederationException if user want to fail the process.
     * @return true if browser redirection happened, false otherwise.
     */
public boolean postSSOFederationSuccess(String hostedEntityID, HttpServletRequest request, HttpServletResponse response, Object ssoToken, FSAuthnRequest authnRequest, FSAuthnResponse authnResponse, FSResponse samlResponse) throws FederationException {
    if (FSUtils.debug.messageEnabled()) {
        FSUtils.debug.message("FSDefaultSPAdapter.postFedSuccess, " + "process " + hostedEntityID);
    }
    // find out if this is a federation request
    boolean isFederation = false;
    if (authnRequest == null) {
        FSUtils.debug.error("FSDefaultSPAdapter.postFedSuccess null");
    } else {
        String nameIDPolicy = authnRequest.getNameIDPolicy();
        if (FSUtils.debug.messageEnabled()) {
            FSUtils.debug.message("FSDefaultSPAdapter.postSuccess " + nameIDPolicy);
        }
        if (nameIDPolicy.equals(IFSConstants.NAME_ID_POLICY_FEDERATED)) {
            isFederation = true;
        }
    }
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (isFederation && adminToken != null) {
        try {
            // get name Identifier
            String nameId = null;
            List assertions = null;
            String idpEntityId = null;
            if (authnResponse != null) {
                // POST profile
                assertions = authnResponse.getAssertion();
                idpEntityId = authnResponse.getProviderId();
            } else {
                // Artifact profile
                assertions = samlResponse.getAssertion();
            }
            FSAssertion assertion = (FSAssertion) assertions.iterator().next();
            if (idpEntityId == null) {
                idpEntityId = assertion.getIssuer();
            }
            if (FSUtils.debug.messageEnabled()) {
                FSUtils.debug.message("FSAdapter.postSuccess: idp=" + idpEntityId);
            }
            Iterator stmtIter = assertion.getStatement().iterator();
            while (stmtIter.hasNext()) {
                Statement statement = (Statement) stmtIter.next();
                int stmtType = statement.getStatementType();
                if (stmtType == Statement.AUTHENTICATION_STATEMENT) {
                    FSAuthenticationStatement authStatement = (FSAuthenticationStatement) statement;
                    FSSubject subject = (FSSubject) authStatement.getSubject();
                    NameIdentifier ni = subject.getIDPProvidedNameIdentifier();
                    if (ni == null) {
                        ni = subject.getNameIdentifier();
                    }
                    if (ni != null) {
                        nameId = ni.getName();
                    }
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "found name id =" + nameId);
                    }
                    break;
                }
            }
            if (nameId == null) {
                FSUtils.debug.warning("FSAdapter.postSuc : null nameID");
                return false;
            }
            Map map = new HashMap();
            Set set = new HashSet();
            set.add("|" + hostedEntityID + "|" + nameId + "|");
            map.put("iplanet-am-user-federation-info-key", set);
            AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, ((SSOToken) ssoToken).getProperty(ISAuthConstants.ORGANIZATION));
            IdSearchControl searchControl = new IdSearchControl();
            searchControl.setTimeOut(0);
            searchControl.setMaxResults(0);
            searchControl.setAllReturnAttributes(false);
            searchControl.setSearchModifiers(IdSearchOpModifier.AND, map);
            IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
            Set amIdSet = searchResults.getSearchResults();
            if (amIdSet.size() > 1) {
                String univId = ((SSOToken) ssoToken).getProperty(Constants.UNIVERSAL_IDENTIFIER);
                if (FSUtils.debug.messageEnabled()) {
                    FSUtils.debug.message("FSAdapter.postSuccess: found " + amIdSet.size() + " federation with same ID as " + univId);
                }
                String metaAlias = null;
                try {
                    IDFFMetaManager metaManager = new IDFFMetaManager(ssoToken);
                    if (metaManager != null) {
                        SPDescriptorConfigElement spConfig = metaManager.getSPDescriptorConfig(realm, hostedEntityID);
                        if (spConfig != null) {
                            metaAlias = spConfig.getMetaAlias();
                        }
                    }
                } catch (IDFFMetaException ie) {
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSuccess: " + "couldn't find meta alias:", ie);
                    }
                }
                FSAccountManager accManager = FSAccountManager.getInstance(metaAlias);
                FSAccountFedInfoKey fedInfoKey = new FSAccountFedInfoKey(hostedEntityID, nameId);
                // previous federation exists with different users
                Iterator it = amIdSet.iterator();
                while (it.hasNext()) {
                    AMIdentity amId = (AMIdentity) it.next();
                    // compare with the SSO token
                    String tmpUnivId = IdUtils.getUniversalId(amId);
                    if (univId.equalsIgnoreCase(tmpUnivId)) {
                        continue;
                    }
                    // remove federation information for this user
                    if (FSUtils.debug.messageEnabled()) {
                        FSUtils.debug.message("FSAdapter.postSucces, " + "remove fed info for user " + tmpUnivId);
                    }
                    accManager.removeAccountFedInfo(tmpUnivId, fedInfoKey, idpEntityId);
                }
            }
        } catch (FSAccountMgmtException f) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", f);
        } catch (IdRepoException i) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", i);
        } catch (SSOException e) {
            FSUtils.debug.warning("FSDefaultSPAdapter.postSSOSuccess", e);
        }
    }
    return false;
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) HashSet(java.util.HashSet) FSSubject(com.sun.identity.federation.message.FSSubject) NameIdentifier(com.sun.identity.saml.assertion.NameIdentifier) HashMap(java.util.HashMap) IdSearchResults(com.sun.identity.idm.IdSearchResults) SPDescriptorConfigElement(com.sun.identity.federation.jaxb.entityconfig.SPDescriptorConfigElement) SSOException(com.iplanet.sso.SSOException) FSAccountFedInfoKey(com.sun.identity.federation.accountmgmt.FSAccountFedInfoKey) FSAccountManager(com.sun.identity.federation.accountmgmt.FSAccountManager) FSAssertion(com.sun.identity.federation.message.FSAssertion) Iterator(java.util.Iterator) IdSearchControl(com.sun.identity.idm.IdSearchControl) List(java.util.List) HashSet(java.util.HashSet) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) Statement(com.sun.identity.saml.assertion.Statement) FSAuthenticationStatement(com.sun.identity.federation.message.FSAuthenticationStatement) IDFFMetaException(com.sun.identity.federation.meta.IDFFMetaException) IdRepoException(com.sun.identity.idm.IdRepoException) IDFFMetaManager(com.sun.identity.federation.meta.IDFFMetaManager) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) FSAccountMgmtException(com.sun.identity.federation.accountmgmt.FSAccountMgmtException) Map(java.util.Map) HashMap(java.util.HashMap)

Example 28 with IdSearchResults

use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.

the class CramMD5MechanismHandler method getUserPassword.

private static String getUserPassword(String userName) {
    try {
        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentityRepository idRepo = new AMIdentityRepository(adminToken, SMSEntry.getRootSuffix());
        IdSearchControl searchControl = new IdSearchControl();
        searchControl.setTimeOut(0);
        searchControl.setMaxResults(0);
        searchControl.setAllReturnAttributes(false);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, userName, searchControl);
        Set users = searchResults.getSearchResults();
        if (users == null || users.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "no user found");
            }
            return null;
        }
        if (users.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "more than 1 user found");
            }
            return null;
        }
        AMIdentity user = (AMIdentity) users.iterator().next();
        Set passwords = user.getAttribute("userPassword");
        if (passwords == null || passwords.isEmpty()) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has no password");
            }
            return null;
        }
        if (passwords.size() > 1) {
            if (debug.messageEnabled()) {
                debug.message("CramMD5MechanismHandler.getUserPassword: " + "user has more than 1 passwords");
            }
            return null;
        }
        String password = (String) passwords.iterator().next();
        if (password.startsWith("{CLEAR}")) {
            password = password.substring(7);
        }
        return password;
    } catch (Exception ex) {
        AuthnSvcUtils.debug.error("CramMD5MechanismHandler.getUserPassword: ", ex);
        return null;
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) IdSearchControl(com.sun.identity.idm.IdSearchControl) IdRepoException(com.sun.identity.idm.IdRepoException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) SSOException(com.iplanet.sso.SSOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException)

Example 29 with IdSearchResults

use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.

the class IdRepoDataStoreProvider method getUserID.

/**
     * Returns user matching the search criteria.
     * @param orgDN The realm to search the user. If null,
     *  searches the root realm.
     * @param avPairs Attribute key/value pairs that will be used for 
     *  searching the user. Key is the attribute name, value 
     *  is a Set containing attribute value(s).
     * @return Universal identifier of the matching user, null if
     *  the matching user could not be found. 
     * @throws DataStoreProviderException if error occurs during search or
     *  multiple matching users found.
     */
public String getUserID(String orgDN, Map<String, Set<String>> avPairs) throws DataStoreProviderException {
    if (orgDN == null) {
        orgDN = SMSEntry.getRootSuffix();
    }
    if (avPairs == null || avPairs.isEmpty()) {
        throw new DataStoreProviderException(bundle.getString("nullAvPair"));
    }
    Set amIdSet = null;
    try {
        IdSearchControl searchControl = getIdSearchControl(avPairs, IdSearchOpModifier.AND);
        AMIdentityRepository idRepo = getAMIdentityRepository(orgDN);
        IdSearchResults searchResults = idRepo.searchIdentities(IdType.USER, "*", searchControl);
        amIdSet = searchResults.getSearchResults();
    } catch (IdRepoException ame) {
        debug.error("IdRepoDataStoreProvider.getUserID(): IdRepoException", ame);
        throw new DataStoreProviderException(ame);
    } catch (SSOException ssoe) {
        debug.error("IdRepoDataStoreProvider.getUserID() : SSOException", ssoe);
        throw new DataStoreProviderException(ssoe);
    }
    if (amIdSet == null || amIdSet.isEmpty()) {
        debug.message("IdRepoDataStoreProvider.getUserID : user not found");
        return null;
    } else if (amIdSet.size() > 1) {
        debug.message("IdRepoDataStoreProvider.getUserID : multiple match");
        throw new DataStoreProviderException(bundle.getString("multipleMatches"));
    }
    // single user found.
    final AMIdentity amId = (AMIdentity) amIdSet.iterator().next();
    final String universalId = IdUtils.getUniversalId(amId);
    if (debug.messageEnabled()) {
        debug.message("IdRepoDataStoreProvider.getUserID()" + " Name=: " + amId.getName() + " DN=: " + amId.getDN() + " univId=: " + universalId);
    }
    return universalId;
}
Also used : DataStoreProviderException(com.sun.identity.plugin.datastore.DataStoreProviderException) Set(java.util.Set) IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) IdSearchControl(com.sun.identity.idm.IdSearchControl) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) IdRepoException(com.sun.identity.idm.IdRepoException) SSOException(com.iplanet.sso.SSOException)

Example 30 with IdSearchResults

use of com.sun.identity.idm.IdSearchResults in project OpenAM by OpenRock.

the class DeviceIdSave method getIdentity.

/**
     * Gets the identity of the user.
     *
     * @return The user's identity.
     */
private AMIdentityWrapper getIdentity() {
    AMIdentityWrapper amIdentity = null;
    AMIdentityRepository amIdRepo = getAMIdentityRepository(getRequestOrg());
    IdSearchControl idsc = new IdSearchControl();
    idsc.setAllReturnAttributes(true);
    Set<AMIdentity> results = Collections.emptySet();
    try {
        idsc.setMaxResults(0);
        IdSearchResults searchResults = amIdRepo.searchIdentities(IdType.USER, userName, idsc);
        if (searchResults != null) {
            results = searchResults.getSearchResults();
        }
        if (results.isEmpty()) {
            DEBUG.error("DeviceIdSave.getIdentity : User " + userName + " is not found");
        } else if (results.size() > 1) {
            DEBUG.error("DeviceIdSave.getIdentity : More than one user found for the userName " + userName);
        } else {
            amIdentity = new AMIdentityWrapper(results.iterator().next());
        }
    } catch (IdRepoException e) {
        DEBUG.error("DeviceIdSave.getIdentity : Error searching Identities with username : " + userName, e);
    } catch (SSOException e) {
        DEBUG.error("DeviceIdSave.getIdentity : Module exception : ", e);
    }
    return amIdentity;
}
Also used : IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) IdSearchControl(com.sun.identity.idm.IdSearchControl) IdRepoException(com.sun.identity.idm.IdRepoException) SSOException(com.iplanet.sso.SSOException)

Aggregations

IdSearchResults (com.sun.identity.idm.IdSearchResults)60 IdRepoException (com.sun.identity.idm.IdRepoException)46 IdSearchControl (com.sun.identity.idm.IdSearchControl)43 SSOException (com.iplanet.sso.SSOException)39 AMIdentity (com.sun.identity.idm.AMIdentity)39 Set (java.util.Set)37 AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository)36 HashSet (java.util.HashSet)28 SSOToken (com.iplanet.sso.SSOToken)17 Iterator (java.util.Iterator)16 Map (java.util.Map)12 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)11 HashMap (java.util.HashMap)11 IdType (com.sun.identity.idm.IdType)9 AMHashMap (com.iplanet.am.sdk.AMHashMap)6 CaseInsensitiveHashMap (com.sun.identity.common.CaseInsensitiveHashMap)4 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)4 AuthLoginException (com.sun.identity.authentication.spi.AuthLoginException)3 CLIException (com.sun.identity.cli.CLIException)3 IOutput (com.sun.identity.cli.IOutput)3