use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.
the class JPAUserDAO method enforcePolicies.
@Transactional(readOnly = true)
@Override
public Pair<Boolean, Boolean> enforcePolicies(final User user) {
// ------------------------------
// Verify password policies
// ------------------------------
LOG.debug("Password Policy enforcement");
try {
int maxPPSpecHistory = 0;
for (PasswordPolicy policy : getPasswordPolicies(user)) {
if (user.getPassword() == null && !policy.isAllowNullPassword()) {
throw new PasswordPolicyException("Password mandatory");
}
for (Implementation impl : policy.getRules()) {
Optional<PasswordRule> rule = ImplementationManager.buildPasswordRule(impl);
if (rule.isPresent()) {
rule.get().enforce(user);
}
}
if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
throw new PasswordPolicyException("Password value was used in the past: not allowed");
}
if (policy.getHistoryLength() > maxPPSpecHistory) {
maxPPSpecHistory = policy.getHistoryLength();
}
}
// update user's password history with encrypted password
if (maxPPSpecHistory > 0 && user.getPassword() != null && !user.getPasswordHistory().contains(user.getPassword())) {
user.getPasswordHistory().add(user.getPassword());
}
// keep only the last maxPPSpecHistory items in user's password history
if (maxPPSpecHistory < user.getPasswordHistory().size()) {
for (int i = 0; i < user.getPasswordHistory().size() - maxPPSpecHistory; i++) {
user.getPasswordHistory().remove(i);
}
}
} catch (Exception e) {
LOG.error("Invalid password for {}", user, e);
throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e.getMessage());
} finally {
// password has been validated, let's remove its clear version
user.removeClearPassword();
}
// ------------------------------
// Verify account policies
// ------------------------------
LOG.debug("Account Policy enforcement");
boolean suspend = false;
boolean propagateSuspension = false;
try {
if (user.getUsername() == null) {
throw new AccountPolicyException("Null username");
}
if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
throw new AccountPolicyException("Not allowed: " + user.getUsername());
}
if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
throw new AccountPolicyException("Character(s) not allowed");
}
for (AccountPolicy policy : getAccountPolicies(user)) {
for (Implementation impl : policy.getRules()) {
Optional<AccountRule> rule = ImplementationManager.buildAccountRule(impl);
if (rule.isPresent()) {
rule.get().enforce(user);
}
}
suspend |= user.getFailedLogins() != null && policy.getMaxAuthenticationAttempts() > 0 && user.getFailedLogins() > policy.getMaxAuthenticationAttempts() && !user.isSuspended();
propagateSuspension |= policy.isPropagateSuspension();
}
} catch (Exception e) {
LOG.error("Invalid username for {}", user, e);
throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
}
return ImmutablePair.of(suspend, propagateSuspension);
}
use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.
the class JPARealmDAO method findSamePolicyChildren.
private <T extends Policy> List<Realm> findSamePolicyChildren(final Realm realm, final T policy) {
List<Realm> result = new ArrayList<>();
for (Realm child : findChildren(realm)) {
if ((policy instanceof AccountPolicy && child.getAccountPolicy() == null || policy.equals(child.getAccountPolicy())) || (policy instanceof PasswordPolicy && child.getPasswordPolicy() == null || policy.equals(child.getPasswordPolicy()))) {
result.add(child);
result.addAll(findSamePolicyChildren(child, policy));
}
}
return result;
}
use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.
the class PolicyDataBinderImpl method getPolicy.
@SuppressWarnings("unchecked")
private <T extends Policy> T getPolicy(final T policy, final PolicyTO policyTO) {
T result = policy;
if (policyTO instanceof PasswordPolicyTO) {
if (result == null) {
result = (T) entityFactory.newEntity(PasswordPolicy.class);
}
PasswordPolicy passwordPolicy = PasswordPolicy.class.cast(result);
PasswordPolicyTO passwordPolicyTO = PasswordPolicyTO.class.cast(policyTO);
passwordPolicy.setAllowNullPassword(passwordPolicyTO.isAllowNullPassword());
passwordPolicy.setHistoryLength(passwordPolicyTO.getHistoryLength());
passwordPolicyTO.getRules().forEach(ruleKey -> {
Implementation rule = implementationDAO.find(ruleKey);
if (rule == null) {
LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
} else {
passwordPolicy.add(rule);
}
});
// remove all implementations not contained in the TO
passwordPolicy.getRules().removeIf(implementation -> !passwordPolicyTO.getRules().contains(implementation.getKey()));
} else if (policyTO instanceof AccountPolicyTO) {
if (result == null) {
result = (T) entityFactory.newEntity(AccountPolicy.class);
}
AccountPolicy accountPolicy = AccountPolicy.class.cast(result);
AccountPolicyTO accountPolicyTO = AccountPolicyTO.class.cast(policyTO);
accountPolicy.setMaxAuthenticationAttempts(accountPolicyTO.getMaxAuthenticationAttempts());
accountPolicy.setPropagateSuspension(accountPolicyTO.isPropagateSuspension());
accountPolicyTO.getRules().forEach(ruleKey -> {
Implementation rule = implementationDAO.find(ruleKey);
if (rule == null) {
LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
} else {
accountPolicy.add(rule);
}
});
// remove all implementations not contained in the TO
accountPolicy.getRules().removeIf(implementation -> !accountPolicyTO.getRules().contains(implementation.getKey()));
accountPolicy.getResources().clear();
accountPolicyTO.getPassthroughResources().forEach(resourceName -> {
ExternalResource resource = resourceDAO.find(resourceName);
if (resource == null) {
LOG.debug("Ignoring invalid resource {} ", resourceName);
} else {
accountPolicy.add(resource);
}
});
} else if (policyTO instanceof PullPolicyTO) {
if (result == null) {
result = (T) entityFactory.newEntity(PullPolicy.class);
}
PullPolicy pullPolicy = PullPolicy.class.cast(result);
PullPolicyTO pullPolicyTO = PullPolicyTO.class.cast(policyTO);
pullPolicy.setConflictResolutionAction(pullPolicyTO.getConflictResolutionAction());
pullPolicyTO.getCorrelationRules().forEach((type, impl) -> {
AnyType anyType = anyTypeDAO.find(type);
if (anyType == null) {
LOG.debug("Invalid AnyType {} specified, ignoring...", type);
} else {
CorrelationRule correlationRule = pullPolicy.getCorrelationRule(anyType).orElse(null);
if (correlationRule == null) {
correlationRule = entityFactory.newEntity(CorrelationRule.class);
correlationRule.setAnyType(anyType);
correlationRule.setPullPolicy(pullPolicy);
pullPolicy.add(correlationRule);
}
Implementation rule = implementationDAO.find(impl);
if (rule == null) {
throw new NotFoundException("Implementation " + type);
}
correlationRule.setImplementation(rule);
}
});
// remove all rules not contained in the TO
pullPolicy.getCorrelationRules().removeIf(anyFilter -> !pullPolicyTO.getCorrelationRules().containsKey(anyFilter.getAnyType().getKey()));
}
if (result != null) {
result.setDescription(policyTO.getDescription());
}
return result;
}
use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.
the class RealmDataBinderImpl method create.
@Override
public Realm create(final Realm parent, final RealmTO realmTO) {
Realm realm = entityFactory.newEntity(Realm.class);
realm.setName(realmTO.getName());
realm.setParent(parent);
if (realmTO.getPasswordPolicy() != null) {
Policy policy = policyDAO.find(realmTO.getPasswordPolicy());
if (policy instanceof PasswordPolicy) {
realm.setPasswordPolicy((PasswordPolicy) policy);
} else {
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
sce.getElements().add("Expected " + PasswordPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
throw sce;
}
}
if (realmTO.getAccountPolicy() != null) {
Policy policy = policyDAO.find(realmTO.getAccountPolicy());
if (policy instanceof AccountPolicy) {
realm.setAccountPolicy((AccountPolicy) policy);
} else {
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
sce.getElements().add("Expected " + AccountPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
throw sce;
}
}
realmTO.getActions().forEach(logicActionsKey -> {
Implementation logicAction = implementationDAO.find(logicActionsKey);
if (logicAction == null) {
LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", logicActionsKey);
} else {
realm.add(logicAction);
}
});
setTemplates(realmTO, realm);
realmTO.getResources().forEach(resourceKey -> {
ExternalResource resource = resourceDAO.find(resourceKey);
if (resource == null) {
LOG.debug("Invalid " + ExternalResource.class.getSimpleName() + " {}, ignoring...", resourceKey);
} else {
realm.add(resource);
}
});
return realm;
}
use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.
the class RealmDataBinderImpl method update.
@Override
public PropagationByResource update(final Realm realm, final RealmTO realmTO) {
realm.setName(realmTO.getName());
realm.setParent(realmTO.getParent() == null ? null : realmDAO.find(realmTO.getParent()));
if (realmTO.getAccountPolicy() == null) {
realm.setAccountPolicy(null);
} else {
Policy policy = policyDAO.find(realmTO.getAccountPolicy());
if (policy instanceof AccountPolicy) {
realm.setAccountPolicy((AccountPolicy) policy);
} else {
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
sce.getElements().add("Expected " + AccountPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
throw sce;
}
}
if (realmTO.getPasswordPolicy() == null) {
realm.setPasswordPolicy(null);
} else {
Policy policy = policyDAO.find(realmTO.getPasswordPolicy());
if (policy instanceof PasswordPolicy) {
realm.setPasswordPolicy((PasswordPolicy) policy);
} else {
SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
sce.getElements().add("Expected " + PasswordPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
throw sce;
}
}
realmTO.getActions().forEach(logicActionsKey -> {
Implementation logicActions = implementationDAO.find(logicActionsKey);
if (logicActions == null) {
LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", logicActionsKey);
} else {
realm.add(logicActions);
}
});
// remove all implementations not contained in the TO
realm.getActions().removeIf(implementation -> !realmTO.getActions().contains(implementation.getKey()));
setTemplates(realmTO, realm);
PropagationByResource propByRes = new PropagationByResource();
realmTO.getResources().forEach(resourceKey -> {
ExternalResource resource = resourceDAO.find(resourceKey);
if (resource == null) {
LOG.debug("Invalid " + ExternalResource.class.getSimpleName() + " {}, ignoring...", resourceKey);
} else {
realm.add(resource);
propByRes.add(ResourceOperation.CREATE, resource.getKey());
}
});
// remove all resources not contained in the TO
realm.getResources().removeIf(resource -> {
boolean contained = realmTO.getResources().contains(resource.getKey());
if (!contained) {
propByRes.add(ResourceOperation.DELETE, resource.getKey());
}
return !contained;
});
return propByRes;
}
Aggregations