
Example 6 with AccIdentityAccountFilter

use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.

the class IdentityPasswordProvisioningTest method checkIdentityAccount.

/**
 * Asserts that exactly {@code count} identity-accounts link the given identity
 * through the given identity-role.
 *
 * @param identity     identity whose identity-accounts are counted
 * @param identityRole identity-role the counted identity-accounts must belong to
 * @param count        expected number of matching identity-accounts
 */
private void checkIdentityAccount(IdmIdentityDto identity, IdmIdentityRoleDto identityRole, int count) {
    AccIdentityAccountFilter byIdentityAndRole = new AccIdentityAccountFilter();
    byIdentityAndRole.setIdentityId(identity.getId());
    byIdentityAndRole.setIdentityRoleId(identityRole.getId());
    // Unpaged query: all matching links are loaded so the size is the exact count.
    int found = identityAccountService.find(byIdentityAndRole, null).getContent().size();
    Assert.assertEquals(count, found);
}

Example 7 with AccIdentityAccountFilter

use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.

the class DefaultAccAccountManagementService method createIdentityAccountIfNotExists.

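/**
 * Registers the account of the given identity-account for provisioning, persisting
 * the identity-account first when no equivalent one exists yet.
 * <p>
 * "Equivalent" means an identity-account with the same identity, identity-role,
 * account and role-system (all four are set on the filter). When one exists it is
 * not saved again; only its account ID is appended to {@code accounts} so
 * provisioning still runs for it.
 *
 * @param accounts        collector of account IDs provisioning must be executed for;
 *                        mutated in place, exactly one ID is appended per call
 * @param identityAccount candidate identity-account to persist
 */
private void createIdentityAccountIfNotExists(List<UUID> accounts, AccIdentityAccountDto identityAccount) {
    AccIdentityAccountFilter sameLinkFilter = new AccIdentityAccountFilter();
    sameLinkFilter.setIdentityId(identityAccount.getIdentity());
    sameLinkFilter.setIdentityRoleId(identityAccount.getIdentityRole());
    sameLinkFilter.setAccountId(identityAccount.getAccount());
    // NOTE(review): if roleSystem (or any other ID) is null, whether the filter
    // ignores that criterion or matches nothing depends on AccIdentityAccountFilter — confirm.
    sameLinkFilter.setRoleSystemId(identityAccount.getRoleSystem());
    // One query instead of count() followed by find(): the pair could observe a row
    // in count() that is gone by find() (get(0) on an empty page), and it cost two
    // round-trips for a single answer.
    List<AccIdentityAccountDto> existing = identityAccountService.find(sameLinkFilter, null).getContent();
    if (existing.isEmpty()) {
        AccIdentityAccountDto saved = identityAccountService.save(identityAccount);
        accounts.add(saved.getAccount());
        return;
    }
    // Already linked: provisioning still has to run for the existing account.
    accounts.add(existing.get(0).getAccount());
}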

Example 8 with AccIdentityAccountFilter

use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.

the class DefaultAccAccountManagementService method resolveUpdatedIdentityRoles.

/**
 * Re-evaluates identity-accounts of the given identity after the given identity-roles changed:
 * creates links for roles that are (or will be) valid, deletes links for roles that are not,
 * and collects every account touched so provisioning can be executed for it.
 *
 * @param identity      identity whose identity-roles changed; must not be {@code null}
 * @param identityRoles the changed identity-roles
 * @return account IDs provisioning should be executed for, or {@code null} when no
 *         identity-roles were given (callers rely on that {@code null})
 */
@Override
public List<UUID> resolveUpdatedIdentityRoles(IdmIdentityDto identity, IdmIdentityRoleDto... identityRoles) {
    Assert.notNull(identity, "Identity is required.");
    if (identityRoles == null || identityRoles.length == 0) {
        // Nothing changed -> nothing to resolve.
        return null;
    }
    List<IdmIdentityRoleDto> changedRoles = Lists.newArrayList(identityRoles);
    List<UUID> changedRoleIds = new ArrayList<>(changedRoles.size());
    for (IdmIdentityRoleDto changedRole : changedRoles) {
        changedRoleIds.add(changedRole.getId());
    }
    // One query with an IN predicate over all changed identity-roles.
    AccIdentityAccountFilter byIdentityAndRoles = new AccIdentityAccountFilter();
    byIdentityAndRoles.setIdentityId(identity.getId());
    byIdentityAndRoles.setIdentityRoleIds(changedRoleIds);
    List<AccIdentityAccountDto> currentLinks = identityAccountService.find(byIdentityAndRoles, null).getContent();
    List<AccIdentityAccountDto> toCreate = new ArrayList<>();
    List<AccIdentityAccountDto> toDelete = new ArrayList<>();
    // Roles valid now -> links to create (this step may also mark links for deletion).
    resolveIdentityAccountForCreate(identity, currentLinks, changedRoles, toCreate, toDelete, false, null);
    // Roles invalid now -> links to delete.
    resolveIdentityAccountForDelete(currentLinks, changedRoles, toDelete);
    // Every currently linked account is provisioned, even when the identity-role itself
    // did not change (its EAV attributes may have). Order is kept, duplicates dropped.
    List<UUID> accountsToProvision = currentLinks.stream()
            .map(AccIdentityAccountDto::getAccount)
            .distinct()
            .collect(Collectors.toList());
    for (AccIdentityAccountDto newLink : toCreate) {
        // Appends the account ID whether the link is persisted now or already existed.
        createIdentityAccountIfNotExists(accountsToProvision, newLink);
    }
    for (AccIdentityAccountDto staleLink : toDelete) {
        identityAccountService.deleteById(staleLink.getId());
    }
    return accountsToProvision;
}

Example 9 with AccIdentityAccountFilter

use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.

the class DefaultAccAccountManagementService method resolveIdentityAccountForCreate.

/**
 * Resolve Identity account - to create.
 * <p>
 * For every given identity-role and every role-system of its role, decides whether an
 * identity-account (link identity-role -> account on a system) must be created, and
 * appends it to {@code identityAccountsToCreate}. Nothing is persisted here except the
 * repair of a missing role-system relation on an already existing link.
 *
 * @param identity                         identity the identity-roles belong to
 * @param identityAccountList              identity-accounts that currently exist for the identity
 * @param identityRoles                    identity-roles to resolve
 * @param identityAccountsToCreate         output: new identity-accounts to persist (appended)
 * @param identityAccountsToDelete         output: identity-accounts to remove (appended by the UID check)
 * @param onlyCreateNew                    when {@code true} all identity-roles are new and the UID-change
 *                                         check is skipped
 * @param additionalAccountsForProvisioning output (may be {@code null}): accounts on systems where no
 *                                         link is created here but provisioning must still run
 */
private void resolveIdentityAccountForCreate(IdmIdentityDto identity, List<AccIdentityAccountDto> identityAccountList, List<IdmIdentityRoleDto> identityRoles, List<AccIdentityAccountDto> identityAccountsToCreate, List<AccIdentityAccountDto> identityAccountsToDelete, boolean onlyCreateNew, List<UUID> additionalAccountsForProvisioning) {
    identityRoles.forEach(identityRole -> {
        UUID role = identityRole.getRole();
        SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
        roleSystemFilter.setRoleId(role);
        List<SysRoleSystemDto> roleSystems = roleSystemService.find(roleSystemFilter, null).getContent();
        // Is role valid in this moment or
        // role-system has enabled forward account management (identity-role have to be
        // valid in the future)
        roleSystems.stream().filter(roleSystem -> (identityRole.isValid() || (roleSystem.isForwardAccountManagemen() && identityRole.isValidNowOrInFuture()))).filter(roleSystem -> {
            boolean canBeCreated = roleSystem.isCreateAccountByDefault();
            if (canBeCreated) {
                SysSystemGroupSystemFilter systemGroupSystemFilter = new SysSystemGroupSystemFilter();
                systemGroupSystemFilter.setCrossDomainsGroupsForRoleSystemId(roleSystem.getId());
                if (systemGroupSystemService.count(systemGroupSystemFilter) >= 1) {
                    // This role-system overriding a merge attribute which is using in
                    // active cross-domain group. -> Account will be not created.
                    canBeCreated = false;
                }
            }
            if (!canBeCreated) {
                // We need to made provisioning for skipped identity-role/accounts (because Cross-domains).
                // We have to find all identity-accounts for identity and system.
                // Only the first link whose role-system shares this role-system's system
                // mapping is taken; it is reported through additionalAccountsForProvisioning
                // (when the caller passed a collector) and no new link is created.
                AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
                identityAccountFilter.setSystemId(roleSystem.getSystem());
                identityAccountFilter.setIdentityId(identity.getId());
                AccIdentityAccountDto identityAccountDto = identityAccountService.find(identityAccountFilter, null).getContent().stream().filter(identityAccount -> {
                    SysRoleSystemDto roleSystemFromIdentityAccount = lookupService.lookupEmbeddedDto(identityAccount, AccIdentityAccount_.roleSystem);
                    return roleSystemFromIdentityAccount != null && roleSystem.getSystemMapping().equals(roleSystemFromIdentityAccount.getSystemMapping());
                }).findFirst().orElse(null);
                if (identityAccountDto != null && additionalAccountsForProvisioning != null) {
                    additionalAccountsForProvisioning.add(identityAccountDto.getAccount());
                }
            }
            return canBeCreated;
        }).forEach(roleSystem -> {
            String uid = generateUID(identity, roleSystem);
            // Check on change of UID is not executed if all given identity-roles are new
            if (!onlyCreateNew) {
                // Check identity-account for that role-system on change the definition of UID
                // (may append to identityAccountsToDelete).
                checkOnChangeUID(uid, roleSystem, identityAccountList, identityAccountsToDelete);
            }
            // Try to find identity-account for this identity-role. If exists and doesn't in
            // list of identity-account to delete, then we are done.
            AccIdentityAccountDto existsIdentityAccount = findAlreadyExistsIdentityAccount(identityAccountList, identityAccountsToDelete, identityRole, roleSystem);
            if (existsIdentityAccount != null) {
                if (existsIdentityAccount.getRoleSystem() == null) {
                    // IdentityAccount already exist, but doesn't have relation on RoleSystem. This
                    // could happen if system mapping was deleted and recreated or if was role use
                    // as sync default role, but without mapping on this system.
                    // We have to create missing relation, so we will set and save RoleSystem.
                    // This is the only write this method performs directly.
                    existsIdentityAccount.setRoleSystem(roleSystem.getId());
                    identityAccountService.save(existsIdentityAccount);
                }
                return;
            }
            // For this system we need to create new (or found exists) account
            AccAccountDto account = createAccountByRoleSystem(uid, identity, roleSystem, identityAccountsToCreate);
            if (account == null) {
                return;
            }
            // Prevent to create the same identity account
            // (same account, identity-role and role-system already linked).
            if (identityAccountList.stream().filter(identityAccount -> {
                return identityAccount.getAccount().equals(account.getId()) && identityRole.getId().equals(identityAccount.getIdentityRole()) && roleSystem.getId().equals(identityAccount.getRoleSystem());
            }).count() == 0) {
                AccIdentityAccountDto identityAccount = new AccIdentityAccountDto();
                identityAccount.setAccount(account.getId());
                identityAccount.setIdentity(identity.getId());
                identityAccount.setIdentityRole(identityRole.getId());
                identityAccount.setRoleSystem(roleSystem.getId());
                // Links created from a role always own the account.
                identityAccount.setOwnership(true);
                // Embed the (possibly not yet persisted) account so later steps need no re-lookup.
                identityAccount.getEmbedded().put(AccIdentityAccount_.account.getName(), account);
                identityAccountsToCreate.add(identityAccount);
            }
        });
    });
}

Example 10 with AccIdentityAccountFilter

use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.

the class ReadAccountByIdentityEvaluator method getPermissions.

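/**
 * Grants READ and/or AUTOCOMPLETE on an account when the current user holds the same
 * permission on at least one identity the account is linked to (via identity-accounts).
 * <p>
 * Security note: this is a union — a single linked identity the caller may read is
 * enough to read the whole account, regardless of other identities linked to it.
 * Nothing is added for anonymous callers or when no account is given (fail closed).
 *
 * @param authorizable account being evaluated; may be {@code null}
 * @param policy       authorization policy being applied
 * @return permissions from the parent evaluator, possibly extended with READ / AUTOCOMPLETE
 */
@Override
public Set<String> getPermissions(AccAccount authorizable, AuthorizationPolicy policy) {
    Set<String> permissions = super.getPermissions(authorizable, policy);
    if (authorizable == null || !securityService.isAuthenticated()) {
        return permissions;
    }
    AccIdentityAccountFilter byAccount = new AccIdentityAccountFilter();
    byAccount.setAccountId(authorizable.getId());
    List<AccIdentityAccountDto> links = identityAccountService.find(byAccount, null).getContent();
    for (AccIdentityAccountDto link : links) {
        BaseEntity identity = lookupService.lookupEntity(IdmIdentity.class, link.getIdentity());
        if (identity == null) {
            // Dangling link (identity not resolvable): it must not contribute permissions
            // and must not break evaluation of the remaining links.
            continue;
        }
        Set<String> identityPermissions = authorizationManager.getPermissions(identity);
        if (PermissionUtils.hasPermission(identityPermissions, IdmBasePermission.READ)) {
            permissions.add(IdmBasePermission.READ.name());
        }
        if (PermissionUtils.hasPermission(identityPermissions, IdmBasePermission.AUTOCOMPLETE)) {
            permissions.add(IdmBasePermission.AUTOCOMPLETE.name());
        }
        if (permissions.contains(IdmBasePermission.READ.name()) && permissions.contains(IdmBasePermission.AUTOCOMPLETE.name())) {
            // Both grants already present; evaluating further identities cannot add anything.
            break;
        }
    }
    return permissions;
}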
