use of org.apache.syncope.common.lib.patch.UserPatch in project syncope by apache.
the class PropagationManagerImpl method getUserUpdateTasks.
@Override
public List<PropagationTaskTO> getUserUpdateTasks(final WorkflowResult<Pair<UserPatch, Boolean>> wfResult) {
    final UserPatch patch = wfResult.getResult().getKey();

    // No password in the patch: a single pass over every resource associated with the user.
    if (patch.getPassword() == null) {
        return getUserUpdateTasks(wfResult, false, null);
    }

    // A password is being changed: it must reach only the resources explicitly listed in the
    // PasswordPatch, so the work is split in two passes - one carrying the password for those
    // resources, one without the password for everything else in the original propagation plan.
    final List<PropagationTaskTO> result = new ArrayList<>();

    // Password targets, restricted to resources actually assigned to the user (unknown names are dropped).
    final Collection<String> assignedResources = userDAO.findAllResourceKeys(patch.getKey());
    final Set<String> pwdResources = new HashSet<>(patch.getPassword().getResources());
    pwdResources.retainAll(assignedResources);

    // Pass 1: UPDATE with password, limited to pwdResources.
    final WorkflowResult<Pair<UserPatch, Boolean>> withPwd = new WorkflowResult<>(
            wfResult.getResult(), new PropagationByResource(), wfResult.getPerformedTasks());
    withPwd.getPropByRes().addAll(ResourceOperation.UPDATE, pwdResources);
    if (!withPwd.getPropByRes().isEmpty()) {
        // Exclude everything assigned, or being assigned by this patch, except the password targets.
        final Set<String> excluded = new HashSet<>(assignedResources);
        excluded.addAll(patch.getResources().stream()
                .map(patchItem -> patchItem.getValue())
                .collect(Collectors.toSet()));
        excluded.removeAll(pwdResources);
        result.addAll(getUserUpdateTasks(withPwd, true, excluded));
    }

    // Pass 2: the original plan minus the password targets, propagated without password.
    final WorkflowResult<Pair<UserPatch, Boolean>> withoutPwd = new WorkflowResult<>(
            wfResult.getResult(), new PropagationByResource(), wfResult.getPerformedTasks());
    withoutPwd.getPropByRes().merge(wfResult.getPropByRes());
    withoutPwd.getPropByRes().removeAll(pwdResources);
    withoutPwd.getPropByRes().purge();
    if (!withoutPwd.getPropByRes().isEmpty()) {
        result.addAll(getUserUpdateTasks(withoutPwd, false, pwdResources));
    }

    return result;
}
use of org.apache.syncope.common.lib.patch.UserPatch in project syncope by apache.
the class DBPasswordPullActions method beforeUpdate.
@Transactional(readOnly = true)
@Override
public <M extends AnyPatch> void beforeUpdate(final ProvisioningProfile<?, ?> profile, final SyncDelta delta, final EntityTO entityTO, final M anyPatch) throws JobExecutionException {
    // Only user patches carry a password; every other AnyPatch subtype is left untouched.
    if (!(anyPatch instanceof UserPatch)) {
        return;
    }
    final PasswordPatch pwdPatch = ((UserPatch) anyPatch).getPassword();
    // A missing PasswordPatch is forwarded as a null value rather than skipped,
    // so parseEncodedPassword sees every user update.
    final String pwdValue = pwdPatch == null ? null : pwdPatch.getValue();
    parseEncodedPassword(pwdValue, profile.getConnector());
}
use of org.apache.syncope.common.lib.patch.UserPatch in project syncope by apache.
the class AuthenticationITCase method anyTypeEntitlement.
@Test
public void anyTypeEntitlement() {
    final String typeKey = "FOLDER " + getUUIDString();

    // Before the any type exists, the platform must not advertise any entitlement for it.
    assertFalse(syncopeService.platform().getEntitlements().stream().anyMatch(ent -> ent.contains(typeKey)));

    // Build the schema -> class -> type chain for the new any type.
    PlainSchemaTO pathSchema = new PlainSchemaTO();
    pathSchema.setKey("path" + getUUIDString());
    pathSchema.setType(AttrSchemaType.String);
    pathSchema = createSchema(SchemaType.PLAIN, pathSchema);

    final AnyTypeClassTO typeClass = new AnyTypeClassTO();
    typeClass.setKey("folder" + getUUIDString());
    typeClass.getPlainSchemas().add(pathSchema.getKey());
    anyTypeClassService.create(typeClass);

    final AnyTypeTO anyType = new AnyTypeTO();
    anyType.setKey(typeKey);
    anyType.setKind(AnyTypeKind.ANY_OBJECT);
    anyType.getClasses().add(typeClass.getKey());
    anyTypeService.create(anyType);

    // Entitlements for the new type are now part of the platform info.
    assertTrue(syncopeService.platform().getEntitlements().stream().anyMatch(ent -> ent.contains(typeKey)));

    // A user without the type's CREATE entitlement is rejected with DelegatedAdministration.
    final AnyObjectTO folder = new AnyObjectTO();
    folder.setName("home");
    folder.setRealm(SyncopeConstants.ROOT_REALM);
    folder.setType(typeKey);
    folder.getPlainAttrs().add(attrTO(pathSchema.getKey(), "/home"));

    final SyncopeClient belliniClient = clientFactory.create("bellini", ADMIN_PWD);
    try {
        belliniClient.getService(AnyObjectService.class).create(folder);
        fail("This should not happen");
    } catch (SyncopeClientException e) {
        assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
    }

    // Grant READ and CREATE on the new type through a role, then assign that role to bellini.
    RoleTO role = new RoleTO();
    role.setKey("role" + getUUIDString());
    role.getRealms().add(SyncopeConstants.ROOT_REALM);
    role.getEntitlements().add(typeKey + "_READ");
    role.getEntitlements().add(typeKey + "_CREATE");
    role = createRole(role);

    UserTO bellini = userService.read("bellini");
    final UserPatch rolePatch = new UserPatch();
    rolePatch.setKey(bellini.getKey());
    rolePatch.getRoles().add(new StringPatchItem.Builder().operation(PatchOperation.ADD_REPLACE).value(role.getKey()).build());
    bellini = updateUser(rolePatch).getEntity();
    assertTrue(bellini.getRoles().contains(role.getKey()));

    // A fresh login is needed for the new role to take effect; creation then succeeds.
    belliniClient.logout();
    belliniClient.login(new BasicAuthenticationHandler("bellini", ADMIN_PWD));
    belliniClient.getService(AnyObjectService.class).create(folder);
}
use of org.apache.syncope.common.lib.patch.UserPatch in project syncope by apache.
the class AuthenticationITCase method issueSYNCOPE164.
@Test
public void issueSYNCOPE164() throws Exception {
    // A user provisioned onto the test DB resource with a known initial password.
    UserTO user = UserITCase.getUniqueSampleTO("syncope164@syncope.apache.org");
    user.setRealm("/even/two");
    user.setPassword("password123");
    user.getResources().add(RESOURCE_NAME_TESTDB);
    user = createUser(user).getEntity();
    assertNotNull(user);

    // Unlink the DB resource from the user.
    final DeassociationPatch unlink = new DeassociationPatch.Builder()
            .key(user.getKey())
            .action(ResourceDeassociationAction.UNLINK)
            .resource(RESOURCE_NAME_TESTDB)
            .build();
    assertNotNull(userService.deassociate(unlink).readEntity(BulkActionResult.class));

    // Change the password on Syncope.
    final UserPatch pwdPatch = new UserPatch();
    pwdPatch.setKey(user.getKey());
    pwdPatch.setPassword(new PasswordPatch.Builder().value("password234").build());
    user = updateUser(pwdPatch).getEntity();
    assertNotNull(user);

    // The DB resource must still hold the initial password: the change was not propagated there.
    final JdbcTemplate jdbc = new JdbcTemplate(testDataSource);
    final String storedPwd = queryForObject(jdbc, 50, "SELECT PASSWORD FROM test WHERE ID=?", String.class, user.getUsername());
    assertEquals(Encryptor.getInstance().encode("password123", CipherAlgorithm.SHA1), storedPwd.toUpperCase());

    // Both the old password (on the DB resource) and the new one (on internal storage) authenticate.
    Pair<Map<String, Set<String>>, UserTO> self = clientFactory.create(user.getUsername(), "password123").self();
    assertNotNull(self);
    self = clientFactory.create(user.getUsername(), "password234").self();
    assertNotNull(self);
}
use of org.apache.syncope.common.lib.patch.UserPatch in project syncope by apache.
the class AuthenticationITCase method delegatedUserCRUD.
@Test
public void delegatedUserCRUD() {
    String adminRoleKey = null;
    String delegatedKey = null;
    try {
        // A role granting full user administration, scoped to realm /even/two only.
        final RoleTO adminRole = new RoleTO();
        adminRole.setKey("Delegated user admin");
        adminRole.getEntitlements().add(StandardEntitlement.USER_CREATE);
        adminRole.getEntitlements().add(StandardEntitlement.USER_UPDATE);
        adminRole.getEntitlements().add(StandardEntitlement.USER_DELETE);
        adminRole.getEntitlements().add(StandardEntitlement.USER_SEARCH);
        adminRole.getEntitlements().add(StandardEntitlement.USER_READ);
        adminRole.getRealms().add("/even/two");
        adminRoleKey = roleService.create(adminRole).getHeaderString(RESTHeaders.RESOURCE_KEY);
        assertNotNull(adminRoleKey);

        // As admin: a user holding that role.
        UserTO delegated = UserITCase.getUniqueSampleTO("admin@syncope.apache.org");
        delegated.getRoles().add(adminRoleKey);
        delegated = createUser(delegated).getEntity();
        delegatedKey = delegated.getKey();

        // A UserService client authenticated as the delegated admin.
        final UserService asDelegated = clientFactory.create(delegated.getUsername(), "password123").getService(UserService.class);

        // Creating under realm / is outside the delegated scope -> DelegatedAdministration.
        UserTO user = UserITCase.getUniqueSampleTO("delegated@syncope.apache.org");
        try {
            asDelegated.create(user, true);
            fail("This should not happen");
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
        }

        // Under /even/two the same creation succeeds.
        user.setRealm("/even/two");
        final Response created = asDelegated.create(user, true);
        assertEquals(Response.Status.CREATED.getStatusCode(), created.getStatus());
        user = created.readEntity(new GenericType<ProvisioningResult<UserTO>>() {
        }).getEntity();
        assertEquals("surname", user.getPlainAttr("surname").get().getValues().get(0));

        // An update that also moves the user to /odd steps out of scope -> DelegatedAdministration.
        final UserPatch patch = new UserPatch();
        patch.setKey(user.getKey());
        patch.setRealm(new StringReplacePatchItem.Builder().value("/odd").build());
        patch.getPlainAttrs().add(attrAddReplacePatch("surname", "surname2"));
        try {
            asDelegated.update(patch);
            fail("This should not happen");
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
        }

        // Without the realm move, the same update goes through.
        patch.setRealm(null);
        final Response updated = asDelegated.update(patch);
        assertEquals(Response.Status.OK.getStatusCode(), updated.getStatus());
        user = updated.readEntity(new GenericType<ProvisioningResult<UserTO>>() {
        }).getEntity();
        assertEquals("surname2", user.getPlainAttr("surname").get().getValues().get(0));

        // Delete as delegated; afterwards the user is not found, even for admin.
        asDelegated.delete(user.getKey());
        try {
            userService.read(user.getKey());
            fail("This should not happen");
        } catch (SyncopeClientException e) {
            assertEquals(ClientExceptionType.NotFound, e.getType());
        }
    } finally {
        // Clean up whatever was created; a key is still null if the corresponding step never ran.
        if (adminRoleKey != null) {
            roleService.delete(adminRoleKey);
        }
        if (delegatedKey != null) {
            userService.delete(delegatedKey);
        }
    }
}