use of com.sun.identity.idsvcs.ObjectNotFound in project OpenAM by OpenRock.
the class IdentityResourceV3 method patchInstance.
/**
* Patch the user's password and only the password. No other value may be patched. The old value of the
* password does not have to be known. Admin only. The only patch operation supported is "replace", i.e. not
* "add" or "move", etc.
*
* @param context The context
* @param resourceId The username we're patching
* @param request The patch request
*/
@Override
public Promise<ResourceResponse, ResourceException> patchInstance(final Context context, final String resourceId, final PatchRequest request) {
if (!objectType.equals(IdentityRestUtils.USER_TYPE)) {
return new BadRequestException("Cannot patch object type " + objectType).asPromise();
}
RealmContext realmContext = context.asContext(RealmContext.class);
final String realm = realmContext.getResolvedRealm();
try {
if (!isAdmin(context)) {
return new ForbiddenException("Only admin can patch user values").asPromise();
}
SSOToken ssoToken = getSSOToken(RestUtils.getToken().getTokenID().toString());
IdentityServicesImpl identityServices = getIdentityServices();
IdentityDetails identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
Attribute[] existingAttributes = identityDetails.getAttributes();
Map<String, Set<String>> existingAttributeMap = attributesToMap(existingAttributes);
Map<String, Set<String>> newAttributeMap = new HashMap<>();
if (existingAttributeMap.containsKey(IdentityRestUtils.UNIVERSAL_ID)) {
Set<String> values = existingAttributeMap.get(IdentityRestUtils.UNIVERSAL_ID);
if (isNotEmpty(values) && !isUserActive(values.iterator().next())) {
return new ForbiddenException("User " + resourceId + " is not active: Request is forbidden").asPromise();
}
}
boolean updateNeeded = false;
for (PatchOperation patchOperation : request.getPatchOperations()) {
switch(patchOperation.getOperation()) {
case PatchOperation.OPERATION_REPLACE:
{
String name = getFieldName(patchOperation.getField());
if (!patchableAttributes.contains(name)) {
return new BadRequestException("For the object type " + IdentityRestUtils.USER_TYPE + ", field \"" + name + "\" cannot be altered by PATCH").asPromise();
}
JsonValue value = patchOperation.getValue();
newAttributeMap.put(name, identityAttributeJsonToSet(value));
updateNeeded = true;
break;
}
default:
return new BadRequestException("PATCH of " + IdentityRestUtils.USER_TYPE + " does not support operation " + patchOperation.getOperation()).asPromise();
}
}
if (updateNeeded) {
identityDetails.setAttributes(mapToAttributes(newAttributeMap));
identityServices.update(identityDetails, ssoToken);
// re-read the altered identity details from the repo.
identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
}
return newResultPromise(newResourceResponse("result", "1", identityDetailsToJsonValue(identityDetails)));
} catch (final ObjectNotFound notFound) {
logger.error("IdentityResourceV3.patchInstance cannot find resource " + resourceId, notFound);
return new NotFoundException("Resource cannot be found.", notFound).asPromise();
} catch (final TokenExpired tokenExpired) {
logger.error("IdentityResourceV3.patchInstance, token expired", tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final AccessDenied accessDenied) {
logger.error("IdentityResourceV3.patchInstance, access denied", accessDenied);
return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
} catch (final GeneralFailure generalFailure) {
logger.error("IdentityResourceV3.patchInstance, general failure " + generalFailure.getMessage());
return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
} catch (ForbiddenException fex) {
logger.warning("IdentityResourceV3.patchInstance, insufficient privileges.", fex);
return fex.asPromise();
} catch (NotFoundException notFound) {
logger.warning("IdentityResourceV3.patchInstance " + resourceId + " not found", notFound);
return new NotFoundException("Resource " + resourceId + " cannot be found.", notFound).asPromise();
} catch (ResourceException resourceException) {
logger.warning("IdentityResourceV3.patchInstance caught ResourceException", resourceException);
return resourceException.asPromise();
} catch (Exception exception) {
logger.error("IdentityResourceV3.patchInstance caught exception", exception);
return new InternalServerErrorException(exception.getMessage(), exception).asPromise();
}
}
use of com.sun.identity.idsvcs.ObjectNotFound in project OpenAM by OpenRock.
the class IdentityServicesImpl method searchIdentityDetails.
/**
* Searches the identity repository to find all identities that match the search criteria and returns them as a
* list of identities.
*
* @param crestQuery A CREST Query object which will contain either a _queryId or a _queryFilter.
* @param searchModifiers The search modifiers
* @param admin Your SSO token.
* @return a list of matching identities.
* @throws ResourceException
*/
public List<IdentityDetails> searchIdentityDetails(CrestQuery crestQuery, Map<String, Set<String>> searchModifiers, SSOToken admin) throws ResourceException {
try {
String realm = "/";
String objectType = "User";
if (searchModifiers != null) {
realm = attractValues("realm", searchModifiers, "/");
objectType = attractValues("objecttype", searchModifiers, "User");
}
AMIdentityRepository repo = getRepo(admin, realm);
IdType idType = getIdType(objectType);
if (idType != null) {
List<AMIdentity> identities = fetchAMIdentities(idType, crestQuery, true, repo, searchModifiers);
List<IdentityDetails> result = new ArrayList<>();
for (AMIdentity identity : identities) {
result.add(convertToIdentityDetails(identity, null));
}
return result;
}
debug.error("IdentityServicesImpl.searchIdentities unsupported IdType " + objectType);
throw new BadRequestException("searchIdentities: unsupported IdType " + objectType);
} catch (IdRepoException e) {
debug.error("IdentityServicesImpl.searchIdentities", e);
throw new InternalServerErrorException(e.getMessage());
} catch (SSOException e) {
debug.error("IdentityServicesImpl.searchIdentities", e);
throw new InternalServerErrorException(e.getMessage());
} catch (ObjectNotFound e) {
debug.error("IdentityServicesImpl.searchIdentities", e);
throw new NotFoundException(e.getMessage());
}
}
use of com.sun.identity.idsvcs.ObjectNotFound in project OpenAM by OpenRock.
the class IdentityServicesImpl method create.
/**
* Creates a new {@code AMIdentity} in the identity repository with the
* details specified in {@code identity}.
*
* @param identity The identity details.
* @param admin The admin token.
* @throws ResourceException If a problem occurs.
*/
public void create(IdentityDetails identity, SSOToken admin) throws ResourceException {
Reject.ifNull(identity, admin);
// Obtain identity details & verify
String idName = identity.getName();
String idType = identity.getType();
String realm = identity.getRealm();
if (StringUtils.isEmpty(idName)) {
// TODO: add a message to the exception
throw new BadRequestException("Identity name not provided");
}
if (StringUtils.isEmpty(idType)) {
idType = "user";
}
if (realm == null) {
realm = "/";
}
try {
// Obtain IdRepo to create validate IdType & operations
IdType objectIdType = getIdType(idType);
AMIdentityRepository repo = getRepo(admin, realm);
if (!isOperationSupported(repo, objectIdType, IdOperation.CREATE)) {
// TODO: add message to exception
throw new UnsupportedOperationException("Unsupported: Type: " + idType + " Operation: CREATE");
}
// Obtain creation attributes
Map<String, Set<String>> idAttrs = asMap(identity.getAttributes());
// Create the identity, special case of Agents to merge
// and validate the attributes
AMIdentity amIdentity;
if (isTypeAgent(objectIdType)) {
createAgent(idAttrs, objectIdType, idType, idName, realm, admin);
} else {
// Create other identites like User, Group, Role, etc.
amIdentity = repo.createIdentity(objectIdType, idName, idAttrs);
// Process roles, groups & memberships
if (IdType.USER.equals(objectIdType)) {
Set<String> roles = asSet(identity.getRoleList());
if (roles != null && !roles.isEmpty()) {
if (!isOperationSupported(repo, IdType.ROLE, IdOperation.EDIT)) {
// TODO: localize message
throw new UnsupportedOperationException("Unsupported: Type: " + IdType.ROLE + " Operation: EDIT");
}
for (String roleName : roles) {
AMIdentity role = fetchAMIdentity(repo, IdType.ROLE, roleName, false);
if (role != null) {
role.addMember(amIdentity);
role.store();
}
}
}
Set<String> groups = asSet(identity.getGroupList());
if (groups != null && !groups.isEmpty()) {
if (!isOperationSupported(repo, IdType.GROUP, IdOperation.EDIT)) {
// TODO: localize message
throw new UnsupportedOperationException("Unsupported: Type: " + IdType.GROUP + " Operation: EDIT");
}
for (String groupName : groups) {
AMIdentity group = fetchAMIdentity(repo, IdType.GROUP, groupName, false);
if (group != null) {
group.addMember(amIdentity);
group.store();
}
}
}
}
if (IdType.GROUP.equals(objectIdType) || IdType.ROLE.equals(objectIdType)) {
Set<String> members = asSet(identity.getMemberList());
if (members != null) {
if (IdType.GROUP.equals(objectIdType) && !isOperationSupported(repo, IdType.GROUP, IdOperation.EDIT)) {
throw new ForbiddenException("Token is not authorized");
}
if (IdType.ROLE.equals(objectIdType) && !isOperationSupported(repo, IdType.ROLE, IdOperation.EDIT)) {
throw new ForbiddenException("Token is not authorized");
}
for (String memberName : members) {
AMIdentity user = fetchAMIdentity(repo, IdType.USER, memberName, false);
if (user != null) {
amIdentity.addMember(user);
}
}
amIdentity.store();
}
}
}
} catch (IdRepoDuplicateObjectException ex) {
throw new ConflictException("Resource already exists", ex);
} catch (IdRepoException e) {
debug.error("IdentityServicesImpl:create", e);
if (IdRepoErrorCode.ACCESS_DENIED.equals(e.getErrorCode())) {
throw new ForbiddenException(e.getMessage());
} else if (e.getLdapErrorIntCode() == LDAPConstants.LDAP_CONSTRAINT_VIOLATION) {
debug.error(e.getMessage(), e);
throw new BadRequestException();
} else {
throw new NotFoundException(e.getMessage());
}
} catch (SSOException | SMSException | ConfigurationException | MalformedURLException | UnsupportedOperationException e) {
debug.error("IdentityServicesImpl:create", e);
throw new NotFoundException(e.getMessage());
} catch (ObjectNotFound e) {
debug.error("IdentityServicesImpl:create", e);
throw new NotFoundException(e.getMessage());
}
}
use of com.sun.identity.idsvcs.ObjectNotFound in project OpenAM by OpenRock.
the class IdentityServicesImpl method update.
/**
* Updates an {@code AMIdentity} in the identity repository with the
* details specified in {@code identity}.
*
* @param identity The updated identity details.
* @param admin The admin token.
* @throws ResourceException If a problem occurs.
*/
public void update(IdentityDetails identity, SSOToken admin) throws ResourceException {
String idName = identity.getName();
String idType = identity.getType();
String realm = identity.getRealm();
if (StringUtils.isEmpty(idName)) {
// TODO: add a message to the exception
throw new BadRequestException("");
}
if (StringUtils.isEmpty(idType)) {
idType = "user";
}
if (realm == null) {
realm = "";
}
try {
IdType objectIdType = getIdType(idType);
AMIdentityRepository repo = getRepo(admin, realm);
if (!isOperationSupported(repo, objectIdType, IdOperation.EDIT)) {
// TODO: add message to exception
throw new ForbiddenException("");
}
AMIdentity amIdentity = getAMIdentity(admin, repo, idType, idName);
if (amIdentity == null) {
String msg = "Object \'" + idName + "\' of type \'" + idType + "\' not found.'";
throw new NotFoundException(msg);
}
if (isSpecialUser(amIdentity)) {
throw new ForbiddenException("Cannot update attributes for this user.");
}
Map<String, Set<String>> attrs = asMap(identity.getAttributes());
if (attrs != null && !attrs.isEmpty()) {
Map<String, Set<String>> idAttrs = new HashMap<>();
Set<String> removeAttrs = new HashSet<>();
for (Map.Entry<String, Set<String>> entry : attrs.entrySet()) {
String attrName = entry.getKey();
Set<String> attrValues = entry.getValue();
if (attrValues != null && !attrValues.isEmpty()) {
// attribute to add or modify
idAttrs.put(attrName, attrValues);
} else {
// attribute to remove
removeAttrs.add(attrName);
}
}
boolean storeNeeded = false;
if (!idAttrs.isEmpty()) {
amIdentity.setAttributes(idAttrs);
storeNeeded = true;
}
if (!removeAttrs.isEmpty()) {
amIdentity.removeAttributes(removeAttrs);
storeNeeded = true;
}
if (storeNeeded) {
amIdentity.store();
}
}
if (IdType.USER.equals(objectIdType)) {
Set<String> roles = asSet(identity.getRoleList());
if (!roles.isEmpty()) {
setMemberships(repo, amIdentity, roles, IdType.ROLE);
}
Set<String> groups = asSet(identity.getGroupList());
if (!groups.isEmpty()) {
setMemberships(repo, amIdentity, groups, IdType.GROUP);
}
}
if (IdType.GROUP.equals(objectIdType) || IdType.ROLE.equals(objectIdType)) {
Set<String> members = asSet(identity.getMemberList());
if (!members.isEmpty()) {
setMembers(repo, amIdentity, members, IdType.USER);
}
}
} catch (IdRepoException ex) {
debug.error("IdentityServicesImpl:update", ex);
if (IdRepoErrorCode.LDAP_EXCEPTION.equals(ex.getErrorCode())) {
throw new InternalServerErrorException(ex.getConstraintViolationDetails());
} else if (LDAPConstants.LDAP_INVALID_SYNTAX.equals(ex.getLDAPErrorCode())) {
throw new BadRequestException("Unrecognized or invalid syntax for an attribute.");
} else if (IdRepoErrorCode.ILLEGAL_ARGUMENTS.equals(ex.getErrorCode())) {
throw new BadRequestException(ex);
}
throw RESOURCE_MAPPING_HANDLER.handleError(ex);
} catch (SSOException ex) {
debug.error("IdentityServicesImpl:update", ex);
throw new BadRequestException(ex.getMessage());
} catch (ObjectNotFound e) {
debug.error("IdentityServicesImpl:update", e);
throw new NotFoundException(e.getMessage());
}
}
use of com.sun.identity.idsvcs.ObjectNotFound in project OpenAM by OpenRock.
the class IdentityResourceV2 method updateInstance.
/**
* {@inheritDoc}
*/
@Override
public Promise<ResourceResponse, ResourceException> updateInstance(final Context context, final String resourceId, final UpdateRequest request) {
RealmContext realmContext = context.asContext(RealmContext.class);
final String realm = realmContext.getResolvedRealm();
final JsonValue jVal = request.getContent();
final String rev = request.getRevision();
IdentityDetails dtls, newDtls;
ResourceResponse resource;
try {
SSOToken token = getSSOToken(getCookieFromServerContext(context));
// Retrieve details about user to be updated
dtls = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), token);
// Continue modifying the identity if read success
boolean isUpdatingHisOwnPassword = SystemProperties.getAsBoolean(Constants.CASE_SENSITIVE_UUID) ? token.getProperty(ISAuthConstants.USER_ID).equals(resourceId) : token.getProperty(ISAuthConstants.USER_ID).equalsIgnoreCase(resourceId);
// If the user wants to modify his password, he should use a different action.
if (isUpdatingHisOwnPassword) {
for (String key : jVal.keys()) {
if (USER_PASSWORD.equalsIgnoreCase(key)) {
return new BadRequestException("Cannot update user password via PUT. " + "Use POST with _action=changePassword or _action=forgotPassword.").asPromise();
}
}
}
newDtls = jsonValueToIdentityDetails(objectType, jVal, realm);
if (newDtls.getAttributes() == null || newDtls.getAttributes().length < 1) {
throw new BadRequestException("Illegal arguments: One or more required arguments is null or empty");
}
if (newDtls.getName() != null && !resourceId.equalsIgnoreCase(newDtls.getName())) {
throw new BadRequestException("id in path does not match id in request body");
}
newDtls.setName(resourceId);
UserAttributeInfo userAttributeInfo = configHandler.getConfig(realm, UserAttributeInfoBuilder.class);
// Handle attribute change when password is required
// Get restSecurity for this realm
RestSecurity restSecurity = restSecurityProvider.get(realm);
// Make sure user is not admin and check to see if we are requiring a password to change any attributes
Set<String> protectedUserAttributes = new HashSet<>();
protectedUserAttributes.addAll(restSecurity.getProtectedUserAttributes());
protectedUserAttributes.addAll(userAttributeInfo.getProtectedUpdateAttributes());
if (!protectedUserAttributes.isEmpty() && !isAdmin(context)) {
boolean hasReauthenticated = false;
for (String protectedAttr : protectedUserAttributes) {
JsonValue jValAttr = jVal.get(protectedAttr);
if (!jValAttr.isNull()) {
// If attribute is not available set newAttr variable to empty string for use in comparison
String newAttr = (jValAttr.isString()) ? jValAttr.asString() : "";
// Get the value of current attribute
String currentAttr = "";
Map<String, Set<String>> attrs = asMap(dtls.getAttributes());
for (Map.Entry<String, Set<String>> attribute : attrs.entrySet()) {
String attributeName = attribute.getKey();
if (protectedAttr.equalsIgnoreCase(attributeName)) {
currentAttr = attribute.getValue().iterator().next();
}
}
// Compare newAttr and currentAttr
if (!currentAttr.equals(newAttr) && !hasReauthenticated) {
// check header to make sure that password is there then check to see if it's correct
String strCurrentPass = RestUtils.getMimeHeaderValue(context, CURRENT_PASSWORD);
if (strCurrentPass != null && !strCurrentPass.isEmpty() && checkValidPassword(resourceId, strCurrentPass.toCharArray(), realm)) {
//set a boolean value so we know reauth has been done
hasReauthenticated = true;
//continue will allow attribute(s) change(s)
} else {
throw new BadRequestException("Must provide a valid confirmation password to change " + "protected attribute (" + protectedAttr + ") from '" + currentAttr + "' to '" + newAttr + "'");
}
}
}
}
}
// update resource with new details
identityServices.update(newDtls, token);
String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
debug.message("IdentityResource.updateInstance :: UPDATE of resourceId={} in realm={} performed " + "by principalName={}", resourceId, realm, principalName);
// read updated identity back to client
IdentityDetails checkIdent = identityServices.read(dtls.getName(), getIdentityServicesAttributes(realm, objectType), token);
return newResultPromise(this.identityResourceV1.buildResourceResponse(resourceId, context, checkIdent));
} catch (final ObjectNotFound onf) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, onf);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", onf).asPromise();
} catch (final NeedMoreCredentials needMoreCredentials) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Token is not authorized", resourceId, needMoreCredentials);
return new ForbiddenException("Token is not authorized", needMoreCredentials).asPromise();
} catch (final TokenExpired tokenExpired) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Unauthorized", resourceId, tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final AccessDenied accessDenied) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Access denied", resourceId, accessDenied);
return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
} catch (final GeneralFailure generalFailure) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, generalFailure);
return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
} catch (BadRequestException bre) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, bre);
return bre.asPromise();
} catch (NotFoundException e) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, e);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", e).asPromise();
} catch (ResourceException re) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} ", resourceId, re);
return re.asPromise();
} catch (final Exception e) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, e);
return new NotFoundException(e.getMessage(), e).asPromise();
}
}
Aggregations