Use of org.apache.syncope.core.persistence.api.dao.NotFoundException in project syncope (by apache).
Class SAML2IdPLogic, method update.
/**
 * Updates an already persisted SAML 2.0 IdP definition.
 *
 * The IdP metadata cached for the entityID is resolved (and lazily populated when missing) so
 * that the requested binding can be checked against the SSO endpoints the IdP actually advertises;
 * only then is the entity updated and the cached transfer object refreshed.
 *
 * @param saml2IdpTO the new IdP definition; its key selects the persisted IdP
 * @throws NotFoundException if no IdP with the given key exists
 * @throws SyncopeClientException (InvalidEntity) if the IdP metadata cannot be loaded or the
 * requested binding has no SSO location in that metadata
 */
@PreAuthorize("hasRole('" + SAML2SPEntitlement.IDP_UPDATE + "')")
public void update(final SAML2IdPTO saml2IdpTO) {
    check();

    // This is an update, not a create: the IdP must already be persisted.
    SAML2IdP stored = idpDAO.find(saml2IdpTO.getKey());
    if (stored == null) {
        throw new NotFoundException("SAML 2.0 IdP '" + saml2IdpTO.getKey() + "'");
    }

    final String entityId = stored.getEntityID();

    // Resolve (or lazily populate) the in-memory IdP metadata for this entityID; any failure while
    // loading it is reported to the caller as an invalid entity.
    SAML2IdPEntity metadata = cache.get(entityId);
    if (metadata == null) {
        try {
            metadata = cache.put(stored);
        } catch (Exception e) {
            LOG.error("Unexpected error while updating {}", entityId, e);
            SyncopeClientException invalid = SyncopeClientException.build(ClientExceptionType.InvalidEntity);
            invalid.getElements().add(e.getMessage());
            throw invalid;
        }
    }

    // Reject the requested binding before touching persistence: the IdP metadata must advertise
    // an SSO endpoint for it.
    if (metadata.getSSOLocation(saml2IdpTO.getBindingType()) == null) {
        SyncopeClientException unsupported = SyncopeClientException.build(ClientExceptionType.InvalidEntity);
        unsupported.getElements().add(saml2IdpTO.getBindingType() + " not supported by " + entityId);
        throw unsupported;
    }

    // Persist the change, then refresh the cached transfer object so subsequent reads see it.
    stored = idpDAO.save(binder.update(stored, saml2IdpTO));
    metadata.setIdpTO(binder.getIdPTO(stored));
}
Use of org.apache.syncope.core.persistence.api.dao.NotFoundException in project syncope (by apache).
Class SAML2SPLogic, method validateLoginResponse.
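/**
 * Validates a SAML 2.0 {@code Response} received at the assertion consumer service and turns it
 * into a Syncope login: verifies the relay state, parses and validates the response against the
 * issuing IdP, resolves (or creates / updates) the matching user and finally issues an access token.
 *
 * This endpoint is reachable anonymously, so every input is treated as untrusted until it has been
 * bound either to something this server signed (the relay state) or to something the configured
 * IdP signed (the response, checked by {@code saml2rw.validate}).
 *
 * @param response the relay state and the SAML response as posted by the user agent
 * @return the login outcome: matched / created username, received attributes, session bounds and
 * an access token; when self-registration is configured for unmatched users, the pre-filled user
 * data with {@code selfReg} set and no token
 * @throws IllegalArgumentException if the relay state or the response is missing, malformed,
 * unsigned or expired, if the IdP does not allow the request, or if no single user is identified
 * @throws NotFoundException if no user matches and the IdP neither creates nor self-registers
 * unmatched users
 * @throws SyncopeClientException (Unknown) if the response cannot be parsed or fails SAML validation
 */
@PreAuthorize("hasRole('" + StandardEntitlement.ANONYMOUS + "')")
public SAML2LoginResponseTO validateLoginResponse(final SAML2ReceivedResponseTO response) {
    check();

    // 1. first checks for the provided relay state
    if (response.getRelayState() == null) {
        throw new IllegalArgumentException("No Relay State was provided");
    }
    boolean useDeflateEncoding = false;
    String requestId = null;
    if (!IDP_INITIATED_RELAY_STATE.equals(response.getRelayState())) {
        // The relay state is a JWS this server issued when the AuthnRequest was built: nothing in
        // it may be read before the signature has been verified.
        JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
        if (!relayState.verifySignatureWith(jwsSignatureVerifier)) {
            throw new IllegalArgumentException("Invalid signature found in Relay State");
        }
        Long expiryTime = relayState.getJwtClaims().getExpiryTime();
        if (expiryTime == null || (expiryTime * 1000L) < System.currentTimeMillis()) {
            throw new IllegalArgumentException("Relay State is expired");
        }
        // A signed relay state without the deflate claim is malformed: fail with a clear error
        // instead of a NullPointerException from toString() on a missing claim.
        Object deflateClaim = relayState.getJwtClaims().getClaim(JWT_CLAIM_IDP_DEFLATE);
        if (deflateClaim == null) {
            throw new IllegalArgumentException("Invalid Relay State: missing " + JWT_CLAIM_IDP_DEFLATE + " claim");
        }
        useDeflateEncoding = Boolean.parseBoolean(deflateClaim.toString());
        // subject = ID of the AuthnRequest this response is expected to answer; it is handed to
        // the validator below, which presumably matches it against InResponseTo
        requestId = relayState.getJwtClaims().getSubject();
    }

    // 2. parse the provided SAML response
    if (response.getSamlResponse() == null) {
        throw new IllegalArgumentException("No SAML Response was provided");
    }
    Response samlResponse;
    try {
        XMLObject responseObject = saml2rw.read(useDeflateEncoding, response.getSamlResponse());
        if (!(responseObject instanceof Response)) {
            throw new IllegalArgumentException("Expected " + Response.class.getName() + ", got " + responseObject.getClass().getName());
        }
        samlResponse = (Response) responseObject;
    } catch (Exception e) {
        // NOTE(review): the parser message is echoed to an anonymous caller; kept as-is, but
        // confirm it cannot carry anything sensitive.
        LOG.error("While parsing AuthnResponse", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }

    // 3. validate the SAML response and, if needed, decrypt the provided assertion(s)
    if (samlResponse.getIssuer() == null || samlResponse.getIssuer().getValue() == null) {
        throw new IllegalArgumentException("The SAML Response must contain an Issuer");
    }
    // The Issuer is still unauthenticated at this point: it only selects which IdP configuration
    // (and key material) the validator will check the response against.
    final SAML2IdPEntity idp = getIdP(samlResponse.getIssuer().getValue());
    if (idp.getConnObjectKeyItem() == null) {
        throw new IllegalArgumentException("No mapping provided for SAML 2.0 IdP '" + idp.getId() + "'");
    }
    // IdP-initiated (unsolicited) responses carry no request to bind to, so they are only accepted
    // from IdPs explicitly configured for it.
    if (IDP_INITIATED_RELAY_STATE.equals(response.getRelayState()) && !idp.isSupportUnsolicited()) {
        throw new IllegalArgumentException("An unsolicited request is not allowed for idp: " + idp.getId());
    }
    SSOValidatorResponse validatorResponse;
    try {
        validatorResponse = saml2rw.validate(samlResponse, idp, getAssertionConsumerURL(response.getSpEntityID(), response.getUrlContext()), requestId, response.getSpEntityID());
    } catch (Exception e) {
        LOG.error("While validating AuthnResponse", e);
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.Unknown);
        sce.getElements().add(e.getMessage());
        throw sce;
    }

    // 4. prepare the result: find matching user (if any) and return the received attributes
    final SAML2LoginResponseTO responseTO = new SAML2LoginResponseTO();
    responseTO.setIdp(idp.getId());
    responseTO.setSloSupported(idp.getSLOLocation(idp.getBindingType()) != null);

    // From here on the assertion content is trusted: it passed validation for the issuing IdP.
    Assertion assertion = validatorResponse.getOpensamlAssertion();
    if (assertion.getSubject() == null) {
        throw new IllegalArgumentException("Subject not found");
    }
    NameID nameID = assertion.getSubject().getNameID();
    if (nameID == null) {
        throw new IllegalArgumentException("NameID not found");
    }
    // keyValue is what the user lookup is keyed on: the NameID when the IdP mapping says so,
    // otherwise (or additionally, later wins) the mapped attribute's first value.
    String keyValue = null;
    if (StringUtils.isNotBlank(nameID.getValue()) && idp.getConnObjectKeyItem().getExtAttrName().equals("NameID")) {
        keyValue = nameID.getValue();
    }
    // Conditions are optional in the assertion schema; a session-level bound set below overrides this.
    if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null) {
        responseTO.setNotOnOrAfter(assertion.getConditions().getNotOnOrAfter().toDate());
    }
    assertion.getAuthnStatements().forEach(authnStmt -> {
        responseTO.setSessionIndex(authnStmt.getSessionIndex());
        responseTO.setAuthInstant(authnStmt.getAuthnInstant().toDate());
        if (authnStmt.getSessionNotOnOrAfter() != null) {
            responseTO.setNotOnOrAfter(authnStmt.getSessionNotOnOrAfter().toDate());
        }
    });
    for (AttributeStatement attrStmt : assertion.getAttributeStatements()) {
        for (Attribute attr : attrStmt.getAttributes()) {
            if (!attr.getAttributeValues().isEmpty()) {
                String attrName = attr.getFriendlyName() == null ? attr.getName() : attr.getFriendlyName();
                if (attrName.equals(idp.getConnObjectKeyItem().getExtAttrName())) {
                    if (attr.getAttributeValues().get(0) instanceof XSString) {
                        keyValue = ((XSString) attr.getAttributeValues().get(0)).getValue();
                    } else if (attr.getAttributeValues().get(0) instanceof XSAny) {
                        keyValue = ((XSAny) attr.getAttributeValues().get(0)).getTextContent();
                    }
                }
                // every received value is echoed back to the caller as text
                AttrTO attrTO = new AttrTO();
                attrTO.setSchema(attrName);
                attr.getAttributeValues().stream().filter(value -> value.getDOM() != null).forEachOrdered(value -> {
                    attrTO.getValues().add(value.getDOM().getTextContent());
                });
                responseTO.getAttrs().add(attrTO);
            }
        }
    }

    final List<String> matchingUsers = keyValue == null ? Collections.<String>emptyList() : userManager.findMatchingUser(keyValue, idp.getKey());
    LOG.debug("Found {} matching users for {}", matchingUsers.size(), keyValue);

    String username;
    if (matchingUsers.isEmpty()) {
        if (idp.isCreateUnmatching()) {
            LOG.debug("No user matching {}, about to create", keyValue);
            username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.create(idp, responseTO, nameID.getValue()));
        } else if (idp.isSelfRegUnmatching()) {
            // Self-registration: hand back the pre-filled user instead of a token.
            responseTO.setNameID(nameID.getValue());
            UserTO userTO = new UserTO();
            userManager.fill(idp.getKey(), responseTO, userTO);
            responseTO.getAttrs().clear();
            responseTO.getAttrs().addAll(userTO.getPlainAttrs());
            responseTO.getAttrs().addAll(userTO.getVirAttrs());
            if (StringUtils.isNotBlank(userTO.getUsername())) {
                responseTO.setUsername(userTO.getUsername());
            }
            responseTO.setSelfReg(true);
            return responseTO;
        } else {
            throw new NotFoundException("User matching the provided value " + keyValue);
        }
    } else if (matchingUsers.size() > 1) {
        // An ambiguous key must never log somebody in: refuse rather than pick one.
        throw new IllegalArgumentException("Several users match the provided value " + keyValue);
    } else {
        if (idp.isUpdateMatching()) {
            LOG.debug("About to update {} for {}", matchingUsers.get(0), keyValue);
            username = AuthContextUtils.execWithAuthContext(AuthContextUtils.getDomain(), () -> userManager.update(matchingUsers.get(0), idp, responseTO));
        } else {
            username = matchingUsers.get(0);
        }
    }
    responseTO.setUsername(username);
    responseTO.setNameID(nameID.getValue());

    // 5. generate JWT for further access
    Map<String, Object> claims = new HashMap<>();
    claims.put(JWT_CLAIM_IDP_ENTITYID, idp.getId());
    claims.put(JWT_CLAIM_NAMEID_FORMAT, nameID.getFormat());
    claims.put(JWT_CLAIM_NAMEID_VALUE, nameID.getValue());
    claims.put(JWT_CLAIM_SESSIONINDEX, responseTO.getSessionIndex());
    byte[] authorities = null;
    try {
        authorities = ENCRYPTOR.encode(POJOHelper.serialize(authDataAccessor.getAuthorities(responseTO.getUsername())), CipherAlgorithm.AES).getBytes();
    } catch (Exception e) {
        // Best-effort by design: the token is still issued with no authorities embedded. What the
        // access token binder does with a null payload is not visible here — confirm it fails closed.
        LOG.error("Could not fetch authorities", e);
    }
    Pair<String, Date> accessTokenInfo = accessTokenDataBinder.create(responseTO.getUsername(), claims, authorities, true);
    responseTO.setAccessToken(accessTokenInfo.getLeft());
    responseTO.setAccessTokenExpiryTime(accessTokenInfo.getRight());

    return responseTO;
}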
Use of org.apache.syncope.core.persistence.api.dao.NotFoundException in project syncope (by apache).
Class AbstractPullResultHandler, method delete.
/**
 * Deletes the given local entities as a consequence of a pull delta, producing one report per key.
 *
 * Nothing is deleted when the pull task is not configured for deletes (a single SUCCESS delete is
 * still finalized for the delta) or when the profile is a dry run (reports are produced, no actions
 * or deletions run). Per key, a failed deletion yields a FAILURE report and, if the task asks for
 * remediation, a persisted Remediation entry; a key that cannot be read at all (not found, not
 * allowed for the delegated admin, or any other error) is only logged and gets no report.
 *
 * @param delta the remote change that triggered the deletions
 * @param anyKeys keys of the local entities to delete
 * @param provision the provision the keys belong to (supplies the any type)
 * @return reports for the keys that could be read, possibly empty
 * @throws JobExecutionException declared for subclasses / callees; not thrown directly here
 */
protected List<ProvisioningReport> delete(final SyncDelta delta, final List<String> anyKeys, final Provision provision) throws JobExecutionException {
    if (!profile.getTask().isPerformDelete()) {
        LOG.debug("PullTask not configured for delete");
        finalize(ResourceOperation.DELETE.name().toLowerCase(), Result.SUCCESS, null, null, delta);
        return Collections.<ProvisioningReport>emptyList();
    }

    LOG.debug("About to delete {}", anyKeys);
    final String anyTypeKey = provision.getAnyType().getKey();

    List<ProvisioningReport> reports = new ArrayList<>();
    for (String anyKey : anyKeys) {
        ProvisioningReport report = new ProvisioningReport();
        try {
            AnyTO before = getAnyTO(anyKey);
            report.setKey(anyKey);
            report.setName(getName(before));
            report.setOperation(ResourceOperation.DELETE);
            report.setAnyType(anyTypeKey);
            report.setStatus(ProvisioningReport.Status.SUCCESS);

            if (!profile.isDryRun()) {
                for (PullActions action : profile.getActions()) {
                    action.beforeDelete(profile, delta, before);
                }

                Result outcome;
                Object output;
                try {
                    doDelete(provision.getAnyType().getKind(), anyKey);
                    outcome = Result.SUCCESS;
                    output = null;
                    for (PullActions action : profile.getActions()) {
                        action.after(profile, delta, before, report);
                    }
                } catch (Exception e) {
                    // may rethrow (e.g. to ignore this provision); if it does not, record the failure
                    throwIgnoreProvisionException(delta, e);
                    outcome = Result.FAILURE;
                    output = e;
                    report.setStatus(ProvisioningReport.Status.FAILURE);
                    report.setMessage(ExceptionUtils.getRootCauseMessage(e));
                    LOG.error("Could not delete {} {}", anyTypeKey, anyKey, e);
                    if (profile.getTask().isRemediation()) {
                        Remediation remediation = entityFactory.newEntity(Remediation.class);
                        remediation.setAnyType(provision.getAnyType());
                        remediation.setOperation(ResourceOperation.DELETE);
                        remediation.setPayload(anyKey);
                        remediation.setError(report.getMessage());
                        remediation.setInstant(new Date());
                        remediation.setRemoteName(delta.getObject().getName().getNameValue());
                        remediation.setPullTask(profile.getTask());
                        remediationDAO.save(remediation);
                    }
                }
                finalize(ResourceOperation.DELETE.name().toLowerCase(), outcome, before, output, delta);
            }

            reports.add(report);
        } catch (NotFoundException e) {
            LOG.error("Could not find {} {}", anyTypeKey, anyKey, e);
        } catch (DelegatedAdministrationException e) {
            LOG.error("Not allowed to read {} {}", anyTypeKey, anyKey, e);
        } catch (Exception e) {
            LOG.error("Could not delete {} {}", anyTypeKey, anyKey, e);
        }
    }

    return reports;
}
Use of org.apache.syncope.core.persistence.api.dao.NotFoundException in project syncope (by apache).
Class ConfigurationDataBinderImpl, method getAttr.
/**
 * Builds a configuration attribute entity from its transfer object.
 *
 * @param attrTO schema name plus values to bind
 * @return a new CPlainAttr bound to the resolved schema and filled with the given values
 * @throws NotFoundException if no configuration schema exists with the given name
 * @throws SyncopeClientException (InvalidValues) if any of the values is rejected by fillAttr
 */
@Override
public CPlainAttr getAttr(final AttrTO attrTO) {
    PlainSchema schema = getPlainSchema(attrTO.getSchema());
    if (schema == null) {
        throw new NotFoundException("Conf schema " + attrTO.getSchema());
    }

    CPlainAttr attr = entityFactory.newEntity(CPlainAttr.class);
    attr.setSchema(schema);

    // fillAttr collects every rejected value instead of failing on the first one
    SyncopeClientException rejected = SyncopeClientException.build(ClientExceptionType.InvalidValues);
    fillAttr(attrTO.getValues(), schema, attr, rejected);
    if (!rejected.isEmpty()) {
        throw rejected;
    }
    return attr;
}
Use of org.apache.syncope.core.persistence.api.dao.NotFoundException in project syncope (by apache).
Class ConnInstanceDataBinderImpl, method update.
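/**
 * Updates a connector instance from its transfer object.
 *
 * When the incoming definition differs from the current one, the current configuration is first
 * archived as a history entry and the history is trimmed to {@code connector.conf.history.size}
 * (default 10) entries by dropping the oldest ones. Only non-null fields of the transfer object are
 * applied, except the pool configuration which is always replaced (null clears it).
 *
 * NOTE(review): the archived entry holds the whole previous ConnInstanceTO, including its
 * configuration properties; whether secret properties are protected at rest in the history table
 * is not visible here — confirm before relying on this for credential rotation.
 *
 * @param connInstanceTO the new connector definition; its key selects the persisted instance
 * @return the saved connector instance
 * @throws NotFoundException if no connector with the given key is visible to the caller
 * @throws SyncopeClientException (InvalidRealm) if the admin realm does not exist,
 * (InvalidConnInstance) if saving fails
 */
@Override
public ConnInstance update(final ConnInstanceTO connInstanceTO) {
    // authFind also enforces the caller's admin-realm visibility on the connector
    ConnInstance connInstance = connInstanceDAO.authFind(connInstanceTO.getKey());
    if (connInstance == null) {
        throw new NotFoundException("Connector '" + connInstanceTO.getKey() + "'");
    }

    ConnInstanceTO current = getConnInstanceTO(connInstance);
    if (!current.equals(connInstanceTO)) {
        // 1. save the current configuration, before update
        ConnInstanceHistoryConf connInstanceHistoryConf = entityFactory.newEntity(ConnInstanceHistoryConf.class);
        connInstanceHistoryConf.setCreator(AuthContextUtils.getUsername());
        connInstanceHistoryConf.setCreation(new Date());
        connInstanceHistoryConf.setEntity(connInstance);
        connInstanceHistoryConf.setConf(current);
        connInstanceHistoryConfDAO.save(connInstanceHistoryConf);

        // 2. ensure the maximum history size is not exceeded
        List<ConnInstanceHistoryConf> history = connInstanceHistoryConfDAO.findByEntity(connInstance);
        long maxHistorySize = confDAO.find("connector.conf.history.size", 10L);
        if (maxHistorySize < history.size()) {
            // history was obtained by a query with ORDER BY creation DESC, so the oldest entries
            // sit at the tail: walk backwards so each iteration removes a different entry (the
            // local list is not updated by the DAO delete, so repeatedly deleting the last item
            // would only ever remove one entry)
            long excess = history.size() - maxHistorySize;
            for (int i = 0; i < excess; i++) {
                connInstanceHistoryConfDAO.delete(history.get(history.size() - 1 - i).getKey());
            }
        }
    }

    // 3. actual update
    connInstance.getCapabilities().clear();
    connInstance.getCapabilities().addAll(connInstanceTO.getCapabilities());

    if (connInstanceTO.getAdminRealm() != null) {
        Realm realm = realmDAO.findByFullPath(connInstanceTO.getAdminRealm());
        if (realm == null) {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidRealm);
            sce.getElements().add("Invalid or null realm specified: " + connInstanceTO.getAdminRealm());
            throw sce;
        }
        connInstance.setAdminRealm(realm);
    }
    if (connInstanceTO.getLocation() != null) {
        connInstance.setLocation(connInstanceTO.getLocation());
    }
    if (connInstanceTO.getBundleName() != null) {
        connInstance.setBundleName(connInstanceTO.getBundleName());
    }
    if (connInstanceTO.getVersion() != null) {
        connInstance.setVersion(connInstanceTO.getVersion());
    }
    if (connInstanceTO.getConnectorName() != null) {
        connInstance.setConnectorName(connInstanceTO.getConnectorName());
    }
    // an empty configuration is treated as "not provided", not as "clear"
    if (connInstanceTO.getConf() != null && !connInstanceTO.getConf().isEmpty()) {
        connInstance.setConf(connInstanceTO.getConf());
    }
    if (connInstanceTO.getDisplayName() != null) {
        connInstance.setDisplayName(connInstanceTO.getDisplayName());
    }
    if (connInstanceTO.getConnRequestTimeout() != null) {
        connInstance.setConnRequestTimeout(connInstanceTO.getConnRequestTimeout());
    }
    if (connInstanceTO.getPoolConf() == null) {
        connInstance.setPoolConf(null);
    } else {
        connInstance.setPoolConf(ConnPoolConfUtils.getConnPoolConf(connInstanceTO.getPoolConf(), entityFactory.newConnPoolConf()));
    }

    try {
        connInstance = connInstanceDAO.save(connInstance);
    } catch (Exception e) {
        SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidConnInstance);
        sce.getElements().add(e.getMessage());
        throw sce;
    }

    return connInstance;
}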