
Example 6 with ObjectFactory


From the class UserDAO, method checkPwPolicies.

/**
 * Translates the OpenLDAP password-policy response control returned on bind into the outcome
 * fields of a {@link PwMessage}.
 * <p>
 * Soft conditions (password about to expire, grace logins remaining) only populate the counters
 * and attach a {@link Warning.Type#PASSWORD} warning. A policy error maps to a Fortress error id
 * and message; when one is found the message, error id and authenticated flag are written to
 * {@code pwMsg} and the message is logged at debug level (it carries only the userId and the
 * policy reason). The one exception is {@code CHANGE_AFTER_RESET} while running under a realm
 * ({@code Config.getInstance().isRealm()}): the reset is downgraded to a warning, no error id is
 * recorded and the message/authenticated fields are left untouched so the caller may continue.
 * Error ids from {@code GlobalErrIds} are assumed to be non-zero.
 *
 * @param pwMsg    result holder for the current authentication; receives warnings, expiration and
 *                 grace counters, and on a hard policy error the message and error id.
 * @param respCtrl password-policy response control from the directory; may be null or carry no
 *                 response, in which case nothing is changed.
 */
private void checkPwPolicies(PwMessage pwMsg, PasswordPolicy respCtrl) {
    // Nothing to translate unless the directory actually returned a ppolicy response.
    if (respCtrl == null || !respCtrl.hasResponse()) {
        return;
    }
    String msgHdr = "checkPwPolicies for userId [" + pwMsg.getUserId() + "] ";
    int errorId = 0;
    boolean authenticated = false;
    String errMsg = null;
    if (respCtrl.getResponse() != null) {
        ObjectFactory factory = new ObjectFactory();
        // Soft conditions: record the counter and attach a warning, but do not fail the check.
        if (respCtrl.getResponse().getTimeBeforeExpiration() > 0) {
            pwMsg.setExpirationSeconds(respCtrl.getResponse().getTimeBeforeExpiration());
            pwMsg.setWarning(factory.createWarning(GlobalPwMsgIds.PASSWORD_EXPIRATION_WARNING, "PASSWORD WILL EXPIRE", Warning.Type.PASSWORD));
        }
        if (respCtrl.getResponse().getGraceAuthNRemaining() > 0) {
            pwMsg.setGraceLogins(respCtrl.getResponse().getGraceAuthNRemaining());
            pwMsg.setWarning(factory.createWarning(GlobalPwMsgIds.PASSWORD_GRACE_WARNING, "PASSWORD IN GRACE", Warning.Type.PASSWORD));
        }
        // Hard conditions: map the LDAP policy error onto a Fortress error id and reason text.
        if (respCtrl.getResponse().getPasswordPolicyError() != null) {
            String reason;
            switch (respCtrl.getResponse().getPasswordPolicyError()) {
                case CHANGE_AFTER_RESET:
                    if (Config.getInstance().isRealm()) {
                        // Under a realm the admin reset is downgraded to a warning so the user can
                        // still change the password; errorId stays 0, so nothing below is recorded.
                        reason = "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID BUT ALLOWING TO CONTINUE DUE TO REALM";
                        authenticated = true;
                        pwMsg.setWarning(factory.createWarning(GlobalErrIds.USER_PW_RESET, msgHdr + reason, Warning.Type.PASSWORD));
                    } else {
                        reason = "PASSWORD HAS BEEN RESET BY LDAP_ADMIN_POOL_UID";
                        errorId = GlobalErrIds.USER_PW_RESET;
                    }
                    break;
                case ACCOUNT_LOCKED:
                    reason = "ACCOUNT HAS BEEN LOCKED";
                    errorId = GlobalErrIds.USER_PW_LOCKED;
                    break;
                case PASSWORD_EXPIRED:
                    reason = "PASSWORD HAS EXPIRED";
                    errorId = GlobalErrIds.USER_PW_EXPIRED;
                    break;
                case PASSWORD_MOD_NOT_ALLOWED:
                    reason = "PASSWORD MOD NOT ALLOWED";
                    errorId = GlobalErrIds.USER_PW_MOD_NOT_ALLOWED;
                    break;
                case MUST_SUPPLY_OLD_PASSWORD:
                    reason = "MUST SUPPLY OLD PASSWORD";
                    errorId = GlobalErrIds.USER_PW_MUST_SUPPLY_OLD;
                    break;
                case INSUFFICIENT_PASSWORD_QUALITY:
                    reason = "PASSWORD QUALITY VIOLATION";
                    errorId = GlobalErrIds.USER_PW_NSF_QUALITY;
                    break;
                case PASSWORD_TOO_SHORT:
                    reason = "PASSWORD TOO SHORT";
                    errorId = GlobalErrIds.USER_PW_TOO_SHORT;
                    break;
                case PASSWORD_TOO_YOUNG:
                    reason = "PASSWORD TOO YOUNG";
                    errorId = GlobalErrIds.USER_PW_TOO_YOUNG;
                    break;
                case PASSWORD_IN_HISTORY:
                    reason = "PASSWORD IN HISTORY VIOLATION";
                    errorId = GlobalErrIds.USER_PW_IN_HISTORY;
                    break;
                default:
                    // Any policy error not mapped above is still a failure, just a generic one.
                    reason = "PASSWORD CHECK FAILED";
                    errorId = GlobalErrIds.USER_PW_CHK_FAILED;
                    break;
            }
            errMsg = msgHdr + reason;
        }
    }
    if (errorId != 0) {
        pwMsg.setMsg(errMsg);
        pwMsg.setErrorId(errorId);
        // 'authenticated' is only ever set on the realm-reset path, which leaves errorId at 0,
        // so this call always records false.
        pwMsg.setAuthenticated(authenticated);
        LOG.debug(errMsg);
    }
}

Example 7 with ObjectFactory


From the class UserP, method createSessionTrusted.

/**
 * Creates a session for a caller that is already trusted, without verifying the user's password.
 * Intended for use within this class only; the only gate applied here is the stored user's locked flag.
 *
 * @param inUser carries the userId (the rDn of the user node in LDAP) to look up and the contextId
 *               to stamp on the loaded user.
 * @return a new Session bound to the loaded user and flagged as not authenticated, since no
 *         credential was checked.
 * @throws SecurityException with {@link GlobalErrIds#USER_LOCKED_BY_CONST} when the stored user is
 *         locked, or whatever {@code read} raises on validation, policy or DAO failure.
 */
private Session createSessionTrusted(User inUser) throws SecurityException {
    User stored = read(inUser, true);
    stored.setContextId(inUser.getContextId());
    // A locked account never receives a session, trusted path or not.
    if (stored.isLocked()) {
        String warning = "createSession failed for userId [" + inUser.getUserId() + "] reason user is locked";
        LOG.warn(warning);
        throw new SecurityException(GlobalErrIds.USER_LOCKED_BY_CONST, warning);
    }
    Session session = new ObjectFactory().createSession();
    session.setUser(stored);
    session.setUserId(inUser.getUserId());
    // No password was verified on this path, so the session is explicitly unauthenticated.
    session.setAuthenticated(false);
    return session;
}

Example 8 with ObjectFactory


From the class RoleDAO, method unloadDescendants.

/**
 * Converts a role LDAP entry into a minimal {@link Role} node for hierarchy traversal.
 * Only what graph navigation needs is copied from the entry: the role name and its parent-node set.
 *
 * @param le        LDAP entry holding the role's attributes.
 * @param sequence  sequence number assigned to this node by the caller.
 * @param contextId tenant context; accepted for signature symmetry with sibling unload methods but
 *                  not read here.
 * @return the populated role, typed as {@link Graphable}.
 * @throws LdapInvalidAttributeValueException propagated from the attribute accessors when a value
 *         cannot be read from the entry.
 */
private Graphable unloadDescendants(Entry le, long sequence, String contextId) throws LdapInvalidAttributeValueException {
    Role node = new ObjectFactory().createRole();
    node.setName(getAttribute(le, ROLE_NM));
    node.setParents(getAttributeSet(le, GlobalIds.PARENT_NODES));
    node.setSequenceId(sequence);
    return node;
}

Example 9 with ObjectFactory


From the class VUtil, method validateConstraints.

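/**
 * Runs every configured {@link Validator} against the constraints carried by the session and drops
 * the role activations that fail, then optionally applies the configured DSD validator.
 * <p>
 * For {@link ConstraintType#USER} on a user session the user's own constraint is checked and a
 * failure aborts logon with a {@link ValidationException}. In every other case each RBAC role and
 * each ARBAC admin role in the session is checked individually; a failing role is removed from the
 * session and recorded as a {@link Warning.Type#ROLE} warning instead of rejecting the session.
 * Finally, when {@code checkDsd} is set, a DSD validator class name is configured, the type is
 * {@link ConstraintType#ROLE} and roles remain, that validator is instantiated and run. The session's
 * last-access timestamp is refreshed on every non-early-return path.
 *
 * @param session  holds the user (or group) and the candidate role activations; modified in place.
 * @param type     {@link ConstraintType#USER} to validate the user, {@link ConstraintType#ROLE} to validate roles.
 * @param checkDsd when true, also run dynamic separation-of-duty validation on the session's roles.
 * @throws SecurityException as a {@link ValidationException} when the user constraint fails, or as
 *         raised by the validators themselves.
 */
public void validateConstraints(Session session, ConstraintType type, boolean checkDsd) throws SecurityException {
    String location = "validateConstraints";
    String entityId = session.isGroupSession() ? session.getGroupName() : session.getUserId();
    String entityType = session.isGroupSession() ? "groupName" : "userId";
    if (validators == null) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}] has no constraints enabled", location, entityId);
        }
        return;
    }
    // Role checks are pointless when the session carries no roles of either kind.
    if (type == ConstraintType.ROLE && CollectionUtils.isEmpty(session.getRoles()) && CollectionUtils.isEmpty(session.getAdminRoles())) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} " + entityType + " [{}]  has no roles assigned", location, entityId);
        }
        return;
    }
    // "userId[bob]" / "groupName[ops]" as it appears in the deactivation messages.
    String who = entityType + "[" + entityId + "]";
    for (Validator val : validators) {
        Time currTime = TUtil.getCurrentTime();
        if (type == ConstraintType.USER && !session.isGroupSession()) {
            // The user's own constraint: a violation blocks logon outright.
            int rc = val.validate(session, session.getUser(), currTime, type);
            if (rc > 0) {
                String info = location + " user [" + entityId + "] was deactivated reason code [" + rc + "]";
                throw new ValidationException(rc, info);
            }
        } else {
            // Role constraints: a violation deactivates just that role and leaves a warning on the session.
            if (CollectionUtils.isNotEmpty(session.getRoles())) {
                deactivateFailingRoles(val, session, session.getRoles(), currTime, type, "role", location, who);
            }
            if (CollectionUtils.isNotEmpty(session.getAdminRoles())) {
                deactivateFailingRoles(val, session, session.getAdminRoles(), currTime, type, "admin role", location, who);
            }
        }
    }
    if (checkDsd && DSDVALIDATOR != null && DSDVALIDATOR.length() > 0 && type == ConstraintType.ROLE && CollectionUtils.isNotEmpty(session.getRoles())) {
        // DSDVALIDATOR is a class name read from configuration and instantiated reflectively, so it
        // must only ever come from trusted configuration. Its return code is not inspected here.
        Validator dsdVal = (Validator) ClassUtil.createInstance(DSDVALIDATOR);
        if (session.isGroupSession()) {
            // Group sessions are wrapped so the validator receives a Constraint view of the group.
            dsdVal.validate(session, new ConstraintedGroup(session.getGroup()), null, null);
        } else {
            dsdVal.validate(session, session.getUser(), null, null);
        }
    }
    session.setLastAccess();
}

/**
 * Validates each role in {@code roles} with {@code val}; roles that fail are logged, recorded on
 * the session as a {@link Warning.Type#ROLE} warning carrying the validator's reason code, and
 * removed from the list once iteration is finished (so the list is not modified while being walked).
 *
 * @param val       validator to apply.
 * @param session   session receiving the warnings.
 * @param roles     live role list taken from the session; failing entries are removed from it.
 * @param currTime  time snapshot handed to the validator.
 * @param type      constraint type passed through to the validator.
 * @param roleLabel "role" or "admin role"; used only in log and warning text.
 * @param location  name of the calling method, used as the message prefix.
 * @param who       entity description for the message, e.g. {@code userId[bob]}.
 * @throws SecurityException if the validator itself fails.
 */
private void deactivateFailingRoles(Validator val, Session session, List<? extends UserRole> roles, Time currTime, ConstraintType type, String roleLabel, String location, String who) throws SecurityException {
    List<UserRole> rolesToRemove = new ArrayList<>();
    for (UserRole role : roles) {
        int rc = val.validate(session, role, currTime, type);
        if (rc > 0) {
            rolesToRemove.add(role);
            String msg = location + " " + roleLabel + " [" + role.getName() + "] for " + who + " was deactivated reason code [" + rc + "]";
            LOG.info(msg);
            session.setWarning(new ObjectFactory().createWarning(rc, msg, Warning.Type.ROLE, role.getName()));
        }
    }
    roles.removeAll(rolesToRemove);
}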

Example 10 with ObjectFactory


From the class RestUtils, method getProps.

/**
 * Copies a {@link Properties} table into the REST transport {@link Props} structure.
 * Each name enumerated by {@link Properties#propertyNames()} becomes one {@code Props.Entry} whose
 * key is the name and whose value is {@link Properties#getProperty(String)} for it. Entry order is
 * whatever the enumeration yields, which is not guaranteed to be stable.
 *
 * @param properties source table; may be null.
 * @return a Props holding one entry per property, or null when {@code properties} is null.
 */
public static Props getProps(Properties properties) {
    if (properties == null) {
        return null;
    }
    Props props = new ObjectFactory().createProps();
    Enumeration<?> names = properties.propertyNames();
    while (names.hasMoreElements()) {
        // propertyNames() only enumerates String keys, so the cast holds.
        String name = (String) names.nextElement();
        Props.Entry entry = new Props.Entry();
        entry.setKey(name);
        entry.setValue(properties.getProperty(name));
        props.getEntry().add(entry);
    }
    return props;
}
