use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.
the class IdentityPasswordProvisioningTest method checkIdentityAccount.
/**
 * Asserts that exactly {@code count} identity-accounts link the given identity
 * to the given identity-role.
 *
 * @param identity identity whose identity-accounts are queried
 * @param identityRole identity-role the identity-accounts have to belong to
 * @param count expected number of matching identity-accounts
 */
private void checkIdentityAccount(IdmIdentityDto identity, IdmIdentityRoleDto identityRole, int count) {
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identity.getId());
    identityAccountFilter.setIdentityRoleId(identityRole.getId());
    int found = identityAccountService.find(identityAccountFilter, null).getContent().size();
    // JUnit order: expected first, actual second.
    Assert.assertEquals(count, found);
}
use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.
the class DefaultAccAccountManagementService method createIdentityAccountIfNotExists.
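/**
 * Creates the given identity-account unless an equivalent one (same identity,
 * identity-role, account and role-system) already exists. In both cases the
 * account ID is appended to {@code accounts}, so provisioning is executed for it.
 *
 * @param accounts mutable list of account IDs collected for provisioning
 * @param identityAccount identity-account to create
 */
private void createIdentityAccountIfNotExists(List<UUID> accounts, AccIdentityAccountDto identityAccount) {
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identityAccount.getIdentity());
    identityAccountFilter.setIdentityRoleId(identityAccount.getIdentityRole());
    identityAccountFilter.setAccountId(identityAccount.getAccount());
    identityAccountFilter.setRoleSystemId(identityAccount.getRoleSystem());
    // Single query instead of count() followed by find(): the two-step lookup
    // could throw IndexOutOfBoundsException on get(0) when the matching
    // identity-account disappeared between the two calls.
    List<AccIdentityAccountDto> existing = identityAccountService.find(identityAccountFilter, null).getContent();
    if (existing.isEmpty()) {
        AccIdentityAccountDto created = identityAccountService.save(identityAccount);
        accounts.add(created.getAccount());
    } else {
        // Already exists - only its account ID is needed (for provisioning).
        accounts.add(existing.get(0).getAccount());
    }
}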
use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.
the class DefaultAccAccountManagementService method resolveUpdatedIdentityRoles.
/**
 * Re-resolves identity-accounts of the given identity after the given
 * identity-roles changed: missing identity-accounts are created, identity-accounts
 * of roles that are no longer valid are deleted.
 *
 * @param identity identity whose identity-roles changed; must not be {@code null}
 * @param identityRoles changed identity-roles; may be {@code null} or empty
 * @return IDs of the accounts for which provisioning should be executed: every
 *         account of an identity-account bound to the given identity-roles (found
 *         before creation/deletion, deduplicated) plus the accounts of newly created
 *         identity-accounts; {@code null} when no identity-roles were given
 */
@Override
public List<UUID> resolveUpdatedIdentityRoles(IdmIdentityDto identity, IdmIdentityRoleDto... identityRoles) {
    Assert.notNull(identity, "Identity is required.");
    if (identityRoles == null || identityRoles.length == 0) {
        // No identity-roles changed - nothing to resolve.
        return null;
    }
    List<IdmIdentityRoleDto> changedRoles = Lists.newArrayList(identityRoles);
    List<UUID> changedRoleIds = new ArrayList<>(changedRoles.size());
    for (IdmIdentityRoleDto changedRole : changedRoles) {
        changedRoleIds.add(changedRole.getId());
    }
    // All identity-accounts of this identity bound to any of the changed roles (one IN query).
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identity.getId());
    identityAccountFilter.setIdentityRoleIds(changedRoleIds);
    List<AccIdentityAccountDto> currentIdentityAccounts = identityAccountService.find(identityAccountFilter, null).getContent();

    List<AccIdentityAccountDto> toCreate = new ArrayList<>();
    List<AccIdentityAccountDto> toDelete = new ArrayList<>();
    // Roles valid at this moment -> identity-accounts to create
    resolveIdentityAccountForCreate(identity, currentIdentityAccounts, changedRoles, toCreate, toDelete, false, null);
    // Roles invalid at this moment -> identity-accounts to delete
    resolveIdentityAccountForDelete(currentIdentityAccounts, changedRoles, toDelete);

    // Provisioning has to run for every account touched by the changed roles, even when
    // the identity-role itself did not change (its EAV attributes could have).
    List<UUID> accountsForProvisioning = currentIdentityAccounts
            .stream()
            .map(AccIdentityAccountDto::getAccount)
            .distinct()
            .collect(Collectors.toList());

    for (AccIdentityAccountDto identityAccount : toCreate) {
        // Adds the account ID for provisioning whether the identity-account is new or was already present.
        createIdentityAccountIfNotExists(accountsForProvisioning, identityAccount);
    }
    for (AccIdentityAccountDto identityAccount : toDelete) {
        identityAccountService.deleteById(identityAccount.getId());
    }
    return accountsForProvisioning;
}
use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.
the class DefaultAccAccountManagementService method resolveIdentityAccountForCreate.
/**
 * Resolves which identity-accounts have to be created for the given identity-roles.
 * <p>
 * For every identity-role and every role-system of its role an identity-account is
 * considered only when the identity-role is valid now, or when the role-system has
 * forward account management enabled and the identity-role is valid now or in the
 * future. Role-systems that do not create accounts by default, or that take part in
 * an active cross-domain group, are skipped; for skipped ones the account of the
 * matching existing identity-account is reported through
 * {@code additionalAccountsForProvisioning} so that provisioning still runs.
 *
 * @param identity identity whose identity-accounts are resolved
 * @param identityAccountList existing identity-accounts of the identity, queried by the caller
 * @param identityRoles identity-roles to resolve
 * @param identityAccountsToCreate output - identity-accounts to be created are appended here
 * @param identityAccountsToDelete identity-accounts scheduled for deletion; consulted here and passed on to {@code checkOnChangeUID}
 * @param onlyCreateNew when {@code true} the UID change check is skipped (all given identity-roles are new)
 * @param additionalAccountsForProvisioning optional output - accounts of skipped role-systems for which provisioning
 *        is still required; may be {@code null}, in which case they are not reported
 */
private void resolveIdentityAccountForCreate(IdmIdentityDto identity, List<AccIdentityAccountDto> identityAccountList, List<IdmIdentityRoleDto> identityRoles, List<AccIdentityAccountDto> identityAccountsToCreate, List<AccIdentityAccountDto> identityAccountsToDelete, boolean onlyCreateNew, List<UUID> additionalAccountsForProvisioning) {
    identityRoles.forEach(identityRole -> {
        UUID role = identityRole.getRole();
        SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
        roleSystemFilter.setRoleId(role);
        List<SysRoleSystemDto> roleSystems = roleSystemService.find(roleSystemFilter, null).getContent();
        // Role-system is considered when the identity-role is valid at this moment, or
        // when the role-system has forward account management enabled and the
        // identity-role is valid now or in the future.
        roleSystems.stream().filter(roleSystem -> (identityRole.isValid() || (roleSystem.isForwardAccountManagemen() && identityRole.isValidNowOrInFuture()))).filter(roleSystem -> {
            boolean canBeCreated = roleSystem.isCreateAccountByDefault();
            if (canBeCreated) {
                SysSystemGroupSystemFilter systemGroupSystemFilter = new SysSystemGroupSystemFilter();
                systemGroupSystemFilter.setCrossDomainsGroupsForRoleSystemId(roleSystem.getId());
                if (systemGroupSystemService.count(systemGroupSystemFilter) >= 1) {
                    // This role-system overrides a merge attribute used by an
                    // active cross-domain group -> the account will not be created.
                    canBeCreated = false;
                }
            }
            if (!canBeCreated) {
                // Provisioning still has to run for the skipped identity-role/account (cross-domains):
                // find the identity-account of this identity on the same system whose role-system
                // uses the same system mapping, and report its account to the caller.
                AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
                identityAccountFilter.setSystemId(roleSystem.getSystem());
                identityAccountFilter.setIdentityId(identity.getId());
                AccIdentityAccountDto identityAccountDto = identityAccountService.find(identityAccountFilter, null).getContent().stream().filter(identityAccount -> {
                    SysRoleSystemDto roleSystemFromIdentityAccount = lookupService.lookupEmbeddedDto(identityAccount, AccIdentityAccount_.roleSystem);
                    return roleSystemFromIdentityAccount != null && roleSystem.getSystemMapping().equals(roleSystemFromIdentityAccount.getSystemMapping());
                }).findFirst().orElse(null);
                if (identityAccountDto != null && additionalAccountsForProvisioning != null) {
                    additionalAccountsForProvisioning.add(identityAccountDto.getAccount());
                }
            }
            return canBeCreated;
        }).forEach(roleSystem -> {
            String uid = generateUID(identity, roleSystem);
            // The UID change check is not executed when all given identity-roles are new.
            if (!onlyCreateNew) {
                // Check the identity-account of this role-system for a changed UID definition.
                checkOnChangeUID(uid, roleSystem, identityAccountList, identityAccountsToDelete);
            }
            // Try to find an identity-account for this identity-role. If it exists and is not
            // scheduled for deletion, we are done.
            AccIdentityAccountDto existsIdentityAccount = findAlreadyExistsIdentityAccount(identityAccountList, identityAccountsToDelete, identityRole, roleSystem);
            if (existsIdentityAccount != null) {
                if (existsIdentityAccount.getRoleSystem() == null) {
                    // The identity-account exists but has no relation to a role-system. This
                    // can happen when the system mapping was deleted and recreated, or when the
                    // role was used as a sync default role without a mapping on this system.
                    // Repair the missing relation by setting and saving the role-system.
                    existsIdentityAccount.setRoleSystem(roleSystem.getId());
                    identityAccountService.save(existsIdentityAccount);
                }
                return;
            }
            // For this system a new account has to be created (or an existing one found).
            AccAccountDto account = createAccountByRoleSystem(uid, identity, roleSystem, identityAccountsToCreate);
            if (account == null) {
                return;
            }
            // Prevent creating the same identity-account twice (same account, identity-role and role-system).
            if (identityAccountList.stream().filter(identityAccount -> {
                return identityAccount.getAccount().equals(account.getId()) && identityRole.getId().equals(identityAccount.getIdentityRole()) && roleSystem.getId().equals(identityAccount.getRoleSystem());
            }).count() == 0) {
                AccIdentityAccountDto identityAccount = new AccIdentityAccountDto();
                identityAccount.setAccount(account.getId());
                identityAccount.setIdentity(identity.getId());
                identityAccount.setIdentityRole(identityRole.getId());
                identityAccount.setRoleSystem(roleSystem.getId());
                identityAccount.setOwnership(true);
                // The account DTO is embedded so later processing does not have to load it again.
                identityAccount.getEmbedded().put(AccIdentityAccount_.account.getName(), account);
                identityAccountsToCreate.add(identityAccount);
            }
        });
    });
}
use of eu.bcvsolutions.idm.acc.dto.filter.AccIdentityAccountFilter in project CzechIdMng by bcvsolutions.
the class ReadAccountByIdentityEvaluator method getPermissions.
/**
 * Adds READ and AUTOCOMPLETE on the account when the authenticated user holds
 * the same permission on any identity linked to the account through an
 * identity-account. Permissions computed by the superclass are kept.
 *
 * @param authorizable account being evaluated; {@code null} yields only the superclass permissions
 * @param policy authorization policy being evaluated
 * @return permission names granted on the account
 */
@Override
public Set<String> getPermissions(AccAccount authorizable, AuthorizationPolicy policy) {
    Set<String> permissions = super.getPermissions(authorizable, policy);
    if (authorizable == null || !securityService.isAuthenticated()) {
        return permissions;
    }
    AccIdentityAccountFilter filter = new AccIdentityAccountFilter();
    filter.setAccountId(authorizable.getId());
    for (AccIdentityAccountDto identityAccount : identityAccountService.find(filter, null).getContent()) {
        BaseEntity owner = lookupService.lookupEntity(IdmIdentity.class, identityAccount.getIdentity());
        Set<String> ownerPermissions = authorizationManager.getPermissions(owner);
        // Permission on the account is derived from permission on a linked identity;
        // one readable identity is enough.
        if (PermissionUtils.hasPermission(ownerPermissions, IdmBasePermission.READ)) {
            permissions.add(IdmBasePermission.READ.name());
        }
        if (PermissionUtils.hasPermission(ownerPermissions, IdmBasePermission.AUTOCOMPLETE)) {
            permissions.add(IdmBasePermission.AUTOCOMPLETE.name());
        }
    }
    return permissions;
}