
Example 6 with ExternalIdentityException

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException in project jackrabbit-oak by apache.

Class ExternalLoginModule, method login.

/**
 * Authenticates the subject against the external identity provider (IDP) and
 * synchronizes the resulting external user into the repository.
 *
 * <p>Returns {@code false} (JAAS: "this module is to be ignored") when the module
 * is not configured ({@code idp} or {@code syncHandler} missing), when neither a
 * user id nor credentials are available, when {@code ignore} decides that an already
 * synced identity needs no update, when the IDP does not return a user, or when the
 * IDP fails with an {@link ExternalIdentityException}. On success the credentials
 * and the external user id are published to the shared state for subsequent modules.
 *
 * @return {@code true} if the IDP returned a user and that user has been synced,
 *         {@code false} otherwise
 * @throws LoginException if the IDP itself rejects the login, or if synchronizing
 *         the user fails (any other exception is wrapped into a LoginException)
 */
@Override
public boolean login() throws LoginException {
    // Not operational without both an IDP and a sync handler: signal "ignore me".
    if (idp == null || syncHandler == null) {
        return false;
    }
    credentials = getCredentials();
    // check if we have a pre authenticated login from a previous login module
    final PreAuthenticatedLogin preAuthLogin = getSharedPreAuthLogin();
    final String userId = getUserId(preAuthLogin, credentials);
    if (userId == null && credentials == null) {
        log.debug("No credentials|userId found for external login module. ignoring.");
        return false;
    }
    // remember identification for log-output
    // NOTE: when no user id is known this is the credentials object itself; what ends
    // up in the log then depends on that object's toString().
    Object logId = (userId != null) ? userId : credentials;
    try {
        // check if there exists a user with the given ID that has been synchronized
        // before into the repository.
        SyncedIdentity sId = getSyncedIdentity(userId);
        // - identity is valid but we have a preAuthLogin and the user doesn't need an updating sync (OAK-3508)
        if (ignore(sId, preAuthLogin)) {
            return false;
        }
        if (preAuthLogin != null) {
            // A previous module already authenticated the subject: look the user up by id
            // instead of authenticating credentials against the IDP.
            externalUser = idp.getUser(preAuthLogin.getUserId());
        } else {
            externalUser = idp.authenticate(credentials);
        }
        if (externalUser != null) {
            log.debug("IDP {} returned valid user {}", idp.getName(), externalUser);
            if (credentials != null) {
                //noinspection unchecked
                sharedState.put(SHARED_KEY_CREDENTIALS, credentials);
            }
            // Publish the id the IDP reported, not the one the caller supplied.
            //noinspection unchecked
            sharedState.put(SHARED_KEY_LOGIN_NAME, externalUser.getId());
            syncUser(externalUser);
            return true;
        } else {
            debug("IDP {} returned null for {}", idp.getName(), logId.toString());
            if (sId != null) {
                // invalidate the user if it exists as synced variant
                log.debug("local user exists for '{}'. re-validating.", sId.getId());
                validateUser(sId.getId());
            }
            return false;
        }
    } catch (ExternalIdentityException e) {
        // NOTE(review): an IDP failure is reported as "module ignored" (false) rather than
        // as a LoginException; whether the overall login still fails then depends on the
        // JAAS control flag this module is configured with.
        log.error("Error while authenticating '{}' with {}", logId, idp.getName(), e);
        return false;
    } catch (LoginException e) {
        // The IDP rejected the login: propagate unchanged.
        log.debug("IDP {} throws login exception for '{}': {}", idp.getName(), logId, e.getMessage());
        throw e;
    } catch (Exception e) {
        // Anything else is attributed to the sync step; LoginException has no
        // cause-taking constructor, hence initCause().
        log.debug("SyncHandler {} throws sync exception for '{}'", syncHandler.getName(), logId, e);
        LoginException le = new LoginException("Error while syncing user.");
        le.initCause(e);
        throw le;
    }
}

Example 7 with ExternalIdentityException

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException in project jackrabbit-oak by apache.

Class DefaultSyncContext, method syncMembership.

/**
 * Synchronizes the declared group memberships of {@code auth} with the groups the
 * IDP reports for {@code external}, descending into nested groups until
 * {@code depth} is exhausted. Local groups of this IDP that the IDP no longer
 * reports have {@code auth} removed from them. A depth of 0 or less is a no-op.
 *
 * @param external the external identity whose declared groups are consulted
 * @param auth the local authorizable whose membership is adjusted
 * @param depth remaining recursion depth; 1 syncs direct memberships only
 * @throws RepositoryException if reading or modifying local groups fails
 */
protected void syncMembership(@Nonnull ExternalIdentity external, @Nonnull Authorizable auth, long depth) throws RepositoryException {
    if (depth <= 0) {
        return;
    }
    if (log.isDebugEnabled()) {
        log.debug("Syncing membership '{}' -> '{}'", external.getExternalId().getString(), auth.getID());
    }
    final DebugTimer stopwatch = new DebugTimer();
    final Iterable<ExternalIdentityRef> idpGroups;
    try {
        idpGroups = external.getDeclaredGroups();
    } catch (ExternalIdentityException e) {
        log.error("Error while retrieving external declared groups for '{}'", external.getId(), e);
        return;
    }
    stopwatch.mark("fetching");
    // Local groups of this IDP the authorizable currently belongs to. Whatever is
    // still in here after walking the IDP's list is a membership to revoke.
    final Map<String, Group> staleGroups = new HashMap<String, Group>();
    for (Iterator<Group> it = auth.declaredMemberOf(); it.hasNext(); ) {
        Group member = it.next();
        if (isSameIDP(member)) {
            staleGroups.put(member.getID(), member);
        }
    }
    stopwatch.mark("reading");
    for (ExternalIdentityRef ref : idpGroups) {
        log.debug("- processing membership {}", ref.getId());
        ExternalIdentity resolved;
        try {
            resolved = idp.getIdentity(ref);
        } catch (ExternalIdentityException e) {
            log.warn("Unable to retrieve external group '{}' from provider.", ref.getString(), e);
            continue;
        }
        if (!(resolved instanceof ExternalGroup)) {
            log.warn("No external group found for ref '{}'.", ref.getString());
            continue;
        }
        ExternalGroup externalGroup = (ExternalGroup) resolved;
        log.debug("- idp returned '{}'", externalGroup.getId());
        Authorizable existing = userManager.getAuthorizable(externalGroup.getId());
        // An existing authorizable is only reused when it is a group owned by this IDP.
        if (existing != null && !(existing.isGroup() && isSameIDP(existing))) {
            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", externalGroup.getId(), idp.getName());
            continue;
        }
        Group localGroup;
        if (existing == null) {
            localGroup = createGroup(externalGroup);
            log.debug("- created new group");
        } else {
            localGroup = (Group) existing;
        }
        log.debug("- user manager returned '{}'", localGroup);
        syncGroup(externalGroup, localGroup);
        localGroup.addMember(auth);
        log.debug("- added '{}' as member to '{}'", auth, localGroup);
        // Still reported by the IDP, so not stale.
        staleGroups.remove(localGroup.getID());
        if (depth > 1) {
            log.debug("- recursively sync group membership of '{}' (depth = {}).", localGroup.getID(), depth);
            syncMembership(externalGroup, localGroup, depth - 1);
        } else {
            log.debug("- group nesting level for '{}' reached", localGroup.getID());
        }
    }
    stopwatch.mark("adding");
    for (Group lost : staleGroups.values()) {
        lost.removeMember(auth);
        log.debug("- removing member '{}' for group '{}'", auth.getID(), lost.getID());
    }
    if (log.isDebugEnabled()) {
        stopwatch.mark("removing");
        log.debug("syncMembership({}) {}", external.getId(), stopwatch.getString());
    }
}

Example 8 with ExternalIdentityException

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException in project jackrabbit-oak by apache.

Class DefaultSyncContext, method sync.

/**
 * Synchronizes the local authorizable with the given id against the IDP. An
 * authorizable that does not exist, or that does not belong to this IDP, is only
 * reported through the result status ({@code NO_SUCH_AUTHORIZABLE}, {@code FOREIGN})
 * and left untouched. Otherwise the identity is fetched from the IDP and either
 * synced or, when the IDP no longer knows it, handed to {@code handleMissingIdentity}.
 *
 * @param id the id of the local authorizable to sync
 * @return the outcome of the synchronization, never {@code null}
 * @throws SyncException wrapping any {@link RepositoryException} or
 *         {@link ExternalIdentityException} raised underneath
 */
@Nonnull
@Override
public SyncResult sync(@Nonnull String id) throws SyncException {
    try {
        final DebugTimer stopwatch = new DebugTimer();
        final Authorizable authorizable = userManager.getAuthorizable(id);
        if (authorizable == null) {
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, null, false, -1), SyncResult.Status.NO_SUCH_AUTHORIZABLE);
        }
        // Only identities owned by this IDP are ours to modify.
        final ExternalIdentityRef identityRef = getIdentityRef(authorizable);
        if (identityRef == null || !isSameIDP(identityRef)) {
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(id, identityRef, authorizable.isGroup(), -1), SyncResult.Status.FOREIGN);
        }
        final DefaultSyncResultImpl result;
        if (authorizable.isGroup()) {
            final ExternalGroup extGroup = idp.getGroup(id);
            stopwatch.mark("retrieve");
            if (extGroup != null) {
                result = syncGroup(extGroup, (Group) authorizable);
                stopwatch.mark("sync");
            } else {
                result = handleMissingIdentity(id, authorizable, stopwatch);
            }
        } else {
            final ExternalUser extUser = idp.getUser(id);
            stopwatch.mark("retrieve");
            if (extUser != null) {
                result = syncUser(extUser, (User) authorizable);
                stopwatch.mark("sync");
            } else {
                result = handleMissingIdentity(id, authorizable, stopwatch);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("sync({}) -> {} {}", id, identityRef.getString(), stopwatch.getString());
        }
        return result;
    } catch (RepositoryException | ExternalIdentityException e) {
        throw new SyncException(e);
    }
}

Example 9 with ExternalIdentityException

use of org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException in project jackrabbit-oak by apache.

Class DelegateeTest, method testSyncAllExternalUsersThrowingIDP.

/**
 * An IDP whose {@code listUsers()} fails with an {@link ExternalIdentityException}
 * is expected to make {@code syncAllExternalUsers()} fail with a
 * {@link SyncRuntimeException}.
 */
@Test(expected = SyncRuntimeException.class)
public void testSyncAllExternalUsersThrowingIDP() {
    TestIdentityProvider failingIdp = new TestIdentityProvider("throwing") {
        @Nonnull
        @Override
        public Iterator<ExternalUser> listUsers() throws ExternalIdentityException {
            throw new ExternalIdentityException();
        }
    };
    createDelegatee(failingIdp).syncAllExternalUsers();
}
