Search in sources :

Example 1 with UserIdentifier

use of edu.harvard.iq.dataverse.authorization.UserIdentifier in project dataverse by IQSS.

the class Admin method builtin2shib.

/**
 * This is used in testing via AdminIT.java but we don't expect sysadmins to
 * use this.
 */
@Path("authenticatedUsers/convert/builtin2shib")
@PUT
public Response builtin2shib(String content) {
    logger.info("entering builtin2shib...");
    try {
        AuthenticatedUser userToRunThisMethod = findAuthenticatedUserOrDie();
        if (!userToRunThisMethod.isSuperuser()) {
            return error(Response.Status.FORBIDDEN, "Superusers only.");
        }
    } catch (WrappedResponse ex) {
        return error(Response.Status.FORBIDDEN, "Superusers only.");
    }
    boolean disabled = false;
    if (disabled) {
        return error(Response.Status.BAD_REQUEST, "API endpoint disabled.");
    }
    AuthenticatedUser builtInUserToConvert = null;
    String emailToFind;
    String password;
    // could let people specify id on authuser table. probably better to let them tell us their
    String authuserId = "0";
    String newEmailAddressToUse;
    try {
        String[] args = content.split(":");
        emailToFind = args[0];
        password = args[1];
        newEmailAddressToUse = args[2];
    // authuserId = args[666];
    } catch (ArrayIndexOutOfBoundsException ex) {
        return error(Response.Status.BAD_REQUEST, "Problem with content <<<" + content + ">>>: " + ex.toString());
    }
    AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailToFind);
    String existing = "NOT FOUND";
    if (existingAuthUserFoundByEmail != null) {
        builtInUserToConvert = existingAuthUserFoundByEmail;
        existing = existingAuthUserFoundByEmail.getIdentifier();
    } else {
        long longToLookup = Long.parseLong(authuserId);
        AuthenticatedUser specifiedUserToConvert = authSvc.findByID(longToLookup);
        if (specifiedUserToConvert != null) {
            builtInUserToConvert = specifiedUserToConvert;
        } else {
            return error(Response.Status.BAD_REQUEST, "No user to convert. We couldn't find a *single* existing user account based on " + emailToFind + " and no user was found using specified id " + longToLookup);
        }
    }
    String shibProviderId = ShibAuthenticationProvider.PROVIDER_ID;
    Map<String, String> randomUser = authTestDataService.getRandomUser();
    // String eppn = UUID.randomUUID().toString().substring(0, 8);
    String eppn = randomUser.get("eppn");
    String idPEntityId = randomUser.get("idp");
    String notUsed = null;
    String separator = "|";
    UserIdentifier newUserIdentifierInLookupTable = new UserIdentifier(idPEntityId + separator + eppn, notUsed);
    String overwriteFirstName = randomUser.get("firstName");
    String overwriteLastName = randomUser.get("lastName");
    String overwriteEmail = randomUser.get("email");
    overwriteEmail = newEmailAddressToUse;
    logger.info("overwriteEmail: " + overwriteEmail);
    boolean validEmail = EMailValidator.isEmailValid(overwriteEmail, null);
    if (!validEmail) {
        // See https://github.com/IQSS/dataverse/issues/2998
        return error(Response.Status.BAD_REQUEST, "invalid email: " + overwriteEmail);
    }
    /**
     * @todo If affiliation is not null, put it in RoleAssigneeDisplayInfo
     * constructor.
     */
    /**
     * Here we are exercising (via an API test) shibService.getAffiliation
     * with the TestShib IdP and a non-production DevShibAccountType.
     */
    idPEntityId = ShibUtil.testShibIdpEntityId;
    String overwriteAffiliation = shibService.getAffiliation(idPEntityId, ShibServiceBean.DevShibAccountType.RANDOM);
    logger.info("overwriteAffiliation: " + overwriteAffiliation);
    /**
     * @todo Find a place to put "position" in the authenticateduser table:
     * https://github.com/IQSS/dataverse/issues/1444#issuecomment-74134694
     */
    String overwritePosition = "staff;student";
    AuthenticatedUserDisplayInfo displayInfo = new AuthenticatedUserDisplayInfo(overwriteFirstName, overwriteLastName, overwriteEmail, overwriteAffiliation, overwritePosition);
    JsonObjectBuilder response = Json.createObjectBuilder();
    JsonArrayBuilder problems = Json.createArrayBuilder();
    if (password != null) {
        response.add("password supplied", password);
        boolean knowsExistingPassword = false;
        BuiltinUser oldBuiltInUser = builtinUserService.findByUserName(builtInUserToConvert.getUserIdentifier());
        if (oldBuiltInUser != null) {
            String usernameOfBuiltinAccountToConvert = oldBuiltInUser.getUserName();
            response.add("old username", usernameOfBuiltinAccountToConvert);
            AuthenticatedUser authenticatedUser = authSvc.canLogInAsBuiltinUser(usernameOfBuiltinAccountToConvert, password);
            if (authenticatedUser != null) {
                knowsExistingPassword = true;
                AuthenticatedUser convertedUser = authSvc.convertBuiltInToShib(builtInUserToConvert, shibProviderId, newUserIdentifierInLookupTable);
                if (convertedUser != null) {
                    /**
                     * @todo Display name is not being overwritten. Logic
                     * must be in Shib backing bean
                     */
                    AuthenticatedUser updatedInfoUser = authSvc.updateAuthenticatedUser(convertedUser, displayInfo);
                    if (updatedInfoUser != null) {
                        response.add("display name overwritten with", updatedInfoUser.getName());
                    } else {
                        problems.add("couldn't update display info");
                    }
                } else {
                    problems.add("unable to convert user");
                }
            }
        } else {
            problems.add("couldn't find old username");
        }
        if (!knowsExistingPassword) {
            String message = "User doesn't know password.";
            problems.add(message);
            /**
             * @todo Someday we should make a errorResponse method that
             * takes JSON arrays and objects.
             */
            return error(Status.BAD_REQUEST, problems.build().toString());
        }
    // response.add("knows existing password", knowsExistingPassword);
    }
    response.add("user to convert", builtInUserToConvert.getIdentifier());
    response.add("existing user found by email (prompt to convert)", existing);
    response.add("changing to this provider", shibProviderId);
    response.add("value to overwrite old first name", overwriteFirstName);
    response.add("value to overwrite old last name", overwriteLastName);
    response.add("value to overwrite old email address", overwriteEmail);
    if (overwriteAffiliation != null) {
        response.add("affiliation", overwriteAffiliation);
    }
    response.add("problems", problems);
    return ok(response);
}
Also used : AuthenticatedUserDisplayInfo(edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo) BuiltinUser(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) JsonArrayBuilder(javax.json.JsonArrayBuilder) UserIdentifier(edu.harvard.iq.dataverse.authorization.UserIdentifier) JsonObjectBuilder(javax.json.JsonObjectBuilder) Path(javax.ws.rs.Path) PUT(javax.ws.rs.PUT)

Example 2 with UserIdentifier

use of edu.harvard.iq.dataverse.authorization.UserIdentifier in project dataverse by IQSS.

the class Admin method builtin2oauth.

/**
 * This is used in testing via AdminIT.java but we don't expect sysadmins to
 * use this.
 */
@Path("authenticatedUsers/convert/builtin2oauth")
@PUT
public Response builtin2oauth(String content) {
    logger.info("entering builtin2oauth...");
    try {
        AuthenticatedUser userToRunThisMethod = findAuthenticatedUserOrDie();
        if (!userToRunThisMethod.isSuperuser()) {
            return error(Response.Status.FORBIDDEN, "Superusers only.");
        }
    } catch (WrappedResponse ex) {
        return error(Response.Status.FORBIDDEN, "Superusers only.");
    }
    boolean disabled = false;
    if (disabled) {
        return error(Response.Status.BAD_REQUEST, "API endpoint disabled.");
    }
    AuthenticatedUser builtInUserToConvert = null;
    String emailToFind;
    String password;
    // could let people specify id on authuser table. probably better to let them tell us their
    String authuserId = "0";
    String newEmailAddressToUse;
    String newProviderId;
    String newPersistentUserIdInLookupTable;
    logger.info("content: " + content);
    try {
        String[] args = content.split(":");
        emailToFind = args[0];
        password = args[1];
        newEmailAddressToUse = args[2];
        newProviderId = args[3];
        newPersistentUserIdInLookupTable = args[4];
    // authuserId = args[666];
    } catch (ArrayIndexOutOfBoundsException ex) {
        return error(Response.Status.BAD_REQUEST, "Problem with content <<<" + content + ">>>: " + ex.toString());
    }
    AuthenticatedUser existingAuthUserFoundByEmail = shibService.findAuthUserByEmail(emailToFind);
    String existing = "NOT FOUND";
    if (existingAuthUserFoundByEmail != null) {
        builtInUserToConvert = existingAuthUserFoundByEmail;
        existing = existingAuthUserFoundByEmail.getIdentifier();
    } else {
        long longToLookup = Long.parseLong(authuserId);
        AuthenticatedUser specifiedUserToConvert = authSvc.findByID(longToLookup);
        if (specifiedUserToConvert != null) {
            builtInUserToConvert = specifiedUserToConvert;
        } else {
            return error(Response.Status.BAD_REQUEST, "No user to convert. We couldn't find a *single* existing user account based on " + emailToFind + " and no user was found using specified id " + longToLookup);
        }
    }
    // String shibProviderId = ShibAuthenticationProvider.PROVIDER_ID;
    Map<String, String> randomUser = authTestDataService.getRandomUser();
    // String eppn = UUID.randomUUID().toString().substring(0, 8);
    String eppn = randomUser.get("eppn");
    String idPEntityId = randomUser.get("idp");
    String notUsed = null;
    String separator = "|";
    // UserIdentifier newUserIdentifierInLookupTable = new UserIdentifier(idPEntityId + separator + eppn, notUsed);
    UserIdentifier newUserIdentifierInLookupTable = new UserIdentifier(newPersistentUserIdInLookupTable, notUsed);
    String overwriteFirstName = randomUser.get("firstName");
    String overwriteLastName = randomUser.get("lastName");
    String overwriteEmail = randomUser.get("email");
    overwriteEmail = newEmailAddressToUse;
    logger.info("overwriteEmail: " + overwriteEmail);
    boolean validEmail = EMailValidator.isEmailValid(overwriteEmail, null);
    if (!validEmail) {
        // See https://github.com/IQSS/dataverse/issues/2998
        return error(Response.Status.BAD_REQUEST, "invalid email: " + overwriteEmail);
    }
    /**
     * @todo If affiliation is not null, put it in RoleAssigneeDisplayInfo
     * constructor.
     */
    /**
     * Here we are exercising (via an API test) shibService.getAffiliation
     * with the TestShib IdP and a non-production DevShibAccountType.
     */
    // idPEntityId = ShibUtil.testShibIdpEntityId;
    // String overwriteAffiliation = shibService.getAffiliation(idPEntityId, ShibServiceBean.DevShibAccountType.RANDOM);
    String overwriteAffiliation = null;
    logger.info("overwriteAffiliation: " + overwriteAffiliation);
    /**
     * @todo Find a place to put "position" in the authenticateduser table:
     * https://github.com/IQSS/dataverse/issues/1444#issuecomment-74134694
     */
    String overwritePosition = "staff;student";
    AuthenticatedUserDisplayInfo displayInfo = new AuthenticatedUserDisplayInfo(overwriteFirstName, overwriteLastName, overwriteEmail, overwriteAffiliation, overwritePosition);
    JsonObjectBuilder response = Json.createObjectBuilder();
    JsonArrayBuilder problems = Json.createArrayBuilder();
    if (password != null) {
        response.add("password supplied", password);
        boolean knowsExistingPassword = false;
        BuiltinUser oldBuiltInUser = builtinUserService.findByUserName(builtInUserToConvert.getUserIdentifier());
        if (oldBuiltInUser != null) {
            String usernameOfBuiltinAccountToConvert = oldBuiltInUser.getUserName();
            response.add("old username", usernameOfBuiltinAccountToConvert);
            AuthenticatedUser authenticatedUser = authSvc.canLogInAsBuiltinUser(usernameOfBuiltinAccountToConvert, password);
            if (authenticatedUser != null) {
                knowsExistingPassword = true;
                AuthenticatedUser convertedUser = authSvc.convertBuiltInUserToRemoteUser(builtInUserToConvert, newProviderId, newUserIdentifierInLookupTable);
                if (convertedUser != null) {
                    /**
                     * @todo Display name is not being overwritten. Logic
                     * must be in Shib backing bean
                     */
                    AuthenticatedUser updatedInfoUser = authSvc.updateAuthenticatedUser(convertedUser, displayInfo);
                    if (updatedInfoUser != null) {
                        response.add("display name overwritten with", updatedInfoUser.getName());
                    } else {
                        problems.add("couldn't update display info");
                    }
                } else {
                    problems.add("unable to convert user");
                }
            }
        } else {
            problems.add("couldn't find old username");
        }
        if (!knowsExistingPassword) {
            String message = "User doesn't know password.";
            problems.add(message);
            /**
             * @todo Someday we should make a errorResponse method that
             * takes JSON arrays and objects.
             */
            return error(Status.BAD_REQUEST, problems.build().toString());
        }
    // response.add("knows existing password", knowsExistingPassword);
    }
    response.add("user to convert", builtInUserToConvert.getIdentifier());
    response.add("existing user found by email (prompt to convert)", existing);
    response.add("changing to this provider", newProviderId);
    response.add("value to overwrite old first name", overwriteFirstName);
    response.add("value to overwrite old last name", overwriteLastName);
    response.add("value to overwrite old email address", overwriteEmail);
    if (overwriteAffiliation != null) {
        response.add("affiliation", overwriteAffiliation);
    }
    response.add("problems", problems);
    return ok(response);
}
Also used : AuthenticatedUserDisplayInfo(edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo) BuiltinUser(edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) JsonArrayBuilder(javax.json.JsonArrayBuilder) UserIdentifier(edu.harvard.iq.dataverse.authorization.UserIdentifier) JsonObjectBuilder(javax.json.JsonObjectBuilder) Path(javax.ws.rs.Path) PUT(javax.ws.rs.PUT)

Example 3 with UserIdentifier

use of edu.harvard.iq.dataverse.authorization.UserIdentifier in project dataverse by IQSS.

the class Shib method confirmAndConvertAccount.

public String confirmAndConvertAccount() {
    visibleTermsOfUse = false;
    ShibAuthenticationProvider shibAuthProvider = new ShibAuthenticationProvider();
    String lookupStringPerAuthProvider = userPersistentId;
    UserIdentifier userIdentifier = new UserIdentifier(lookupStringPerAuthProvider, internalUserIdentifer);
    logger.fine("builtin username: " + builtinUsername);
    AuthenticatedUser builtInUserToConvert = authSvc.canLogInAsBuiltinUser(builtinUsername, builtinPassword);
    if (builtInUserToConvert != null) {
        AuthenticatedUser au = authSvc.convertBuiltInToShib(builtInUserToConvert, shibAuthProvider.getId(), userIdentifier);
        if (au != null) {
            authSvc.updateAuthenticatedUser(au, displayInfo);
            logInUserAndSetShibAttributes(au);
            debugSummary = "Local account validated and successfully converted to a Shibboleth account. The old account username was " + builtinUsername;
            JsfHelper.addSuccessMessage("Your Dataverse account is now associated with your institutional account.");
            return "/dataverseuser.xhtml?selectTab=accountInfo&faces-redirect=true";
        } else {
            debugSummary = "Local account validated but unable to convert to Shibboleth account.";
        }
    } else {
        passwordRejected = true;
        debugSummary = "Username/password combination for local account was invalid";
    }
    return null;
}
Also used : ShibAuthenticationProvider(edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider) UserIdentifier(edu.harvard.iq.dataverse.authorization.UserIdentifier) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)

Aggregations

UserIdentifier (edu.harvard.iq.dataverse.authorization.UserIdentifier)3 AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)3 AuthenticatedUserDisplayInfo (edu.harvard.iq.dataverse.authorization.AuthenticatedUserDisplayInfo)2 BuiltinUser (edu.harvard.iq.dataverse.authorization.providers.builtin.BuiltinUser)2 JsonArrayBuilder (javax.json.JsonArrayBuilder)2 JsonObjectBuilder (javax.json.JsonObjectBuilder)2 PUT (javax.ws.rs.PUT)2 Path (javax.ws.rs.Path)2 ShibAuthenticationProvider (edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider)1