use of org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException in project syncope by apache.
The class JPAUserDAO, method enforcePolicies.
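/**
 * Enforces the password and account policies that apply to the given user.
 * <p>
 * Password policies are checked first: mandatory password, every configured password rule, and the
 * password history. On success the stored (encrypted) password value is appended to the user's history,
 * which is then trimmed to the largest history length declared by the applicable policies. In every case
 * the clear-text password is removed from the entity before this method returns or throws.
 * Account policies are then checked: non-null username, not the admin / anonymous user, username matching
 * {@code USERNAME_PATTERN}, and every configured account rule.
 *
 * @param user user to check
 * @return left: whether the user must be suspended (failed logins above a policy's maximum attempts, user
 * not already suspended); right: whether at least one applicable account policy asks to propagate suspension
 * @throws InvalidEntityException wrapping any failure raised while checking, with violation type
 * {@code InvalidPassword} for the password part and {@code InvalidUsername} for the account part
 */
@Transactional(readOnly = true)
@Override
public Pair<Boolean, Boolean> enforcePolicies(final User user) {
    // ------------------------------
    // Verify password policies
    // ------------------------------
    LOG.debug("Password Policy enforcement");
    try {
        int maxPPSpecHistory = 0;
        for (PasswordPolicy policy : getPasswordPolicies(user)) {
            if (user.getPassword() == null && !policy.isAllowNullPassword()) {
                throw new PasswordPolicyException("Password mandatory");
            }

            for (Implementation impl : policy.getRules()) {
                Optional<PasswordRule> rule = ImplementationManager.buildPasswordRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }

            // the clear-text value is compared against the stored history, up to this policy's length
            if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
                throw new PasswordPolicyException("Password value was used in the past: not allowed");
            }

            if (policy.getHistoryLength() > maxPPSpecHistory) {
                maxPPSpecHistory = policy.getHistoryLength();
            }
        }

        // update user's password history with encrypted password
        if (maxPPSpecHistory > 0 && user.getPassword() != null
                && !user.getPasswordHistory().contains(user.getPassword())) {

            user.getPasswordHistory().add(user.getPassword());
        }

        // keep only the last maxPPSpecHistory items in user's password history: drop from the head until
        // the size fits (an index-based loop over a list that shrinks while iterating skips entries and
        // leaves the history longer than the policy allows)
        while (user.getPasswordHistory().size() > maxPPSpecHistory) {
            user.getPasswordHistory().remove(0);
        }
    } catch (Exception e) {
        // NOTE(review): the whole user entity is logged here; confirm its toString() carries no password material
        LOG.error("Invalid password for {}", user, e);
        // only the message of the underlying failure is surfaced to the caller
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e.getMessage());
    } finally {
        // password has been validated, let's remove its clear version
        user.removeClearPassword();
    }

    // ------------------------------
    // Verify account policies
    // ------------------------------
    LOG.debug("Account Policy enforcement");

    boolean suspend = false;
    boolean propagateSuspension = false;
    try {
        if (user.getUsername() == null) {
            throw new AccountPolicyException("Null username");
        }

        // reserved usernames cannot be assigned to a regular user
        if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
            throw new AccountPolicyException("Not allowed: " + user.getUsername());
        }

        if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
            throw new AccountPolicyException("Character(s) not allowed");
        }

        for (AccountPolicy policy : getAccountPolicies(user)) {
            for (Implementation impl : policy.getRules()) {
                Optional<AccountRule> rule = ImplementationManager.buildAccountRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }

            // a policy with maxAuthenticationAttempts <= 0 never triggers suspension
            suspend |= user.getFailedLogins() != null
                    && policy.getMaxAuthenticationAttempts() > 0
                    && user.getFailedLogins() > policy.getMaxAuthenticationAttempts()
                    && !user.isSuspended();
            propagateSuspension |= policy.isPropagateSuspension();
        }
    } catch (Exception e) {
        LOG.error("Invalid username for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
    }

    return ImmutablePair.of(suspend, propagateSuspension);
}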
use of org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException in project syncope by apache.
The class JPAUserDAO, method doSave.
/**
 * Persists the given user, runs bean validation and policy enforcement on the merged entity, then refreshes
 * the dynamic role, group and realm memberships.
 *
 * @param user user to persist
 * @return the merged entity together with the dynamic group memberships reported by the group DAO
 * @throws InvalidEntityException if bean validation or policy enforcement fails; in the latter case the
 * merged entity is removed before rethrowing
 */
private Pair<User, Pair<Set<String>, Set<String>>> doSave(final User user) {
    // the clear-text password is read before merging and written back on the merged entity afterwards
    String clearPassword = user.getClearPassword();

    // flushing right after save makes entity validation run now rather than at commit
    User merged = super.save(user);
    entityManager().flush();

    ((JPAUser) merged).setClearPassword(clearPassword);

    // policy violations discard the just-merged entity before propagating
    try {
        enforcePolicies(merged);
    } catch (InvalidEntityException e) {
        entityManager().remove(merged);
        throw e;
    }

    publisher.publishEvent(new AnyCreatedUpdatedEvent<>(this, merged, AuthContextUtils.getDomain()));

    roleDAO.refreshDynMemberships(merged);
    Pair<Set<String>, Set<String>> dynGroupMemberships = groupDAO().refreshDynMemberships(merged);
    dynRealmDAO().refreshDynMemberships(merged);

    return Pair.of(merged, dynGroupMemberships);
}
use of org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException in project syncope by apache.
The class EntityValidationListener, method validate.
/**
 * JPA lifecycle callback running bean validation on the entity about to be persisted or updated.
 *
 * @param object entity to validate
 * @throws InvalidEntityException if any constraint violation is found; the exception is named after the most
 * specific entity interface implemented by the object (the last matching one returned by
 * {@code ClassUtils.getAllInterfaces}), or {@code "Entity"} when none is found
 */
@PrePersist
@PreUpdate
public void validate(final Object object) {
    Validator validator = ApplicationContextProvider.getBeanFactory().getBean(Validator.class);
    Set<ConstraintViolation<Object>> violations = validator.validate(object);
    if (violations.isEmpty()) {
        return;
    }

    LOG.warn("Bean validation errors found: {}", violations);

    // framework-level interfaces that are too generic to name the entity in the exception
    Class<?>[] generic = {
        Entity.class, AnnotatedEntity.class, ProvidedKeyEntity.class, Schema.class, Task.class,
        Policy.class, GroupableRelatable.class, Any.class, DynMembership.class
    };

    Class<?> entityInt = null;
    for (Class<?> interf : ClassUtils.getAllInterfaces(object.getClass())) {
        if (!Entity.class.isAssignableFrom(interf)) {
            continue;
        }
        boolean isGeneric = false;
        for (Class<?> candidate : generic) {
            if (candidate.equals(interf)) {
                isGeneric = true;
                break;
            }
        }
        if (!isGeneric) {
            // last match wins, as in the interface traversal order
            entityInt = interf;
        }
    }

    throw new InvalidEntityException(entityInt == null ? "Entity" : entityInt.getSimpleName(), violations);
}
use of org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException in project syncope by apache.
The class UserTest, method membershipWithAttrs.
/**
 * Checks that a plain attribute can be attached to a membership only when the group declares a type
 * extension covering the attribute's schema class.
 */
@Test
public void membershipWithAttrs() {
    User user = userDAO.findByUsername("vivaldi");
    assertNotNull(user);
    assertTrue(user.getMemberships().isEmpty());

    // 'obscure' belongs to class 'other', the default class for USER: a membership-less value is accepted
    user.add(newObscureAttr(user, null, "testvalue"));

    // 'artDirector' declares no type extension, so 'obscure' is not allowed through that membership
    UMembership artDirector = entityFactory.newEntity(UMembership.class);
    artDirector.setLeftEnd(user);
    artDirector.setRightEnd(groupDAO.findByName("artDirector"));
    user.add(artDirector);
    user.add(newObscureAttr(user, artDirector, "testvalue2"));

    try {
        userDAO.save(user);
        fail("This should not happen");
    } catch (InvalidEntityException e) {
        assertNotNull(e);
    }

    // drop the 'artDirector' membership and its attribute...
    artDirector = user.getMembership(groupDAO.findByName("artDirector").getKey()).get();
    user.remove(user.getPlainAttr("obscure", artDirector).get());
    user.getMemberships().remove(artDirector);
    artDirector.setLeftEnd(null);

    // ...and use 'additional' instead, whose type extension covers classes 'other' and 'csv'
    UMembership additional = entityFactory.newEntity(UMembership.class);
    additional.setLeftEnd(user);
    additional.setRightEnd(groupDAO.findByName("additional"));
    user.add(additional);
    user.add(newObscureAttr(user, additional, "testvalue2"));

    userDAO.save(user);
    userDAO.flush();

    user = userDAO.findByUsername("vivaldi");
    assertEquals(1, user.getMemberships().size());

    final UMembership saved = user.getMembership(groupDAO.findByName("additional").getKey()).get();
    assertEquals(1, user.getPlainAttrs(saved).size());
    assertNull(user.getPlainAttr("obscure").get().getMembership());
    assertEquals(2, user.getPlainAttrs("obscure").size());
    assertTrue(user.getPlainAttrs("obscure").contains(user.getPlainAttr("obscure").get()));
    assertTrue(user.getPlainAttrs("obscure").stream().anyMatch(plainAttr -> plainAttr.getMembership() == null));
    assertTrue(user.getPlainAttrs("obscure").stream().anyMatch(plainAttr -> saved.equals(plainAttr.getMembership())));
}

/**
 * Builds a new 'obscure' plain attribute for the given owner, optionally bound to a membership.
 *
 * @param owner attribute owner
 * @param membership membership to bind the attribute to, or {@code null} for none
 * @param value single value to add
 * @return the new attribute, not yet added to the owner
 */
private UPlainAttr newObscureAttr(final User owner, final UMembership membership, final String value) {
    UPlainAttr attr = entityFactory.newEntity(UPlainAttr.class);
    attr.setOwner(owner);
    if (membership != null) {
        attr.setMembership(membership);
    }
    attr.setSchema(plainSchemaDAO.find("obscure"));
    attr.add(value, anyUtilsFactory.getInstance(AnyTypeKind.USER));
    return attr;
}
use of org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException in project syncope by apache.
The class DerSchemaTest, method issueSYNCOPE418.
/**
 * Regression test for SYNCOPE-418: a URL-like schema key must be rejected with an {@code InvalidKey} violation.
 */
@Test
public void issueSYNCOPE418() {
    DerSchema schema = entityFactory.newEntity(DerSchema.class);
    schema.setKey("http://schemas.examples.org/security/authorization/organizationUnit");

    try {
        derSchemaDAO.save(schema);
    } catch (InvalidEntityException e) {
        assertTrue(e.hasViolation(EntityViolationType.InvalidKey));
        return;
    }
    fail("This should not happen");
}