Search in sources :

Example 1 with AccountPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.

the class JPAUserDAO method enforcePolicies.

@Transactional(readOnly = true)
@Override
public Pair<Boolean, Boolean> enforcePolicies(final User user) {
    // ------------------------------
    // Verify password policies
    // ------------------------------
    LOG.debug("Password Policy enforcement");
    try {
        int maxPPSpecHistory = 0;
        for (PasswordPolicy policy : getPasswordPolicies(user)) {
            if (user.getPassword() == null && !policy.isAllowNullPassword()) {
                throw new PasswordPolicyException("Password mandatory");
            }
            for (Implementation impl : policy.getRules()) {
                Optional<PasswordRule> rule = ImplementationManager.buildPasswordRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
                throw new PasswordPolicyException("Password value was used in the past: not allowed");
            }
            if (policy.getHistoryLength() > maxPPSpecHistory) {
                maxPPSpecHistory = policy.getHistoryLength();
            }
        }
        // update user's password history with encrypted password
        if (maxPPSpecHistory > 0 && user.getPassword() != null && !user.getPasswordHistory().contains(user.getPassword())) {
            user.getPasswordHistory().add(user.getPassword());
        }
        // keep only the last maxPPSpecHistory items in user's password history
        if (maxPPSpecHistory < user.getPasswordHistory().size()) {
            for (int i = 0; i < user.getPasswordHistory().size() - maxPPSpecHistory; i++) {
                user.getPasswordHistory().remove(i);
            }
        }
    } catch (Exception e) {
        LOG.error("Invalid password for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e.getMessage());
    } finally {
        // password has been validated, let's remove its clear version
        user.removeClearPassword();
    }
    // ------------------------------
    // Verify account policies
    // ------------------------------
    LOG.debug("Account Policy enforcement");
    boolean suspend = false;
    boolean propagateSuspension = false;
    try {
        if (user.getUsername() == null) {
            throw new AccountPolicyException("Null username");
        }
        if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
            throw new AccountPolicyException("Not allowed: " + user.getUsername());
        }
        if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
            throw new AccountPolicyException("Character(s) not allowed");
        }
        for (AccountPolicy policy : getAccountPolicies(user)) {
            for (Implementation impl : policy.getRules()) {
                Optional<AccountRule> rule = ImplementationManager.buildAccountRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            suspend |= user.getFailedLogins() != null && policy.getMaxAuthenticationAttempts() > 0 && user.getFailedLogins() > policy.getMaxAuthenticationAttempts() && !user.isSuspended();
            propagateSuspension |= policy.isPropagateSuspension();
        }
    } catch (Exception e) {
        LOG.error("Invalid username for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
    }
    return ImmutablePair.of(suspend, propagateSuspension);
}
Also used : PasswordRule(org.apache.syncope.core.persistence.api.dao.PasswordRule) AccountRule(org.apache.syncope.core.persistence.api.dao.AccountRule) JPAUser(org.apache.syncope.core.persistence.jpa.entity.user.JPAUser) User(org.apache.syncope.core.persistence.api.entity.user.User) AccountPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) NoResultException(javax.persistence.NoResultException) AccountPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException) PasswordPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException) DelegatedAdministrationException(org.apache.syncope.core.spring.security.DelegatedAdministrationException) InvalidEntityException(org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException) InvalidEntityException(org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) PasswordPolicyException(org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Transactional(org.springframework.transaction.annotation.Transactional)

Example 2 with AccountPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.

the class JPARealmDAO method findSamePolicyChildren.

private <T extends Policy> List<Realm> findSamePolicyChildren(final Realm realm, final T policy) {
    List<Realm> result = new ArrayList<>();
    for (Realm child : findChildren(realm)) {
        if ((policy instanceof AccountPolicy && child.getAccountPolicy() == null || policy.equals(child.getAccountPolicy())) || (policy instanceof PasswordPolicy && child.getPasswordPolicy() == null || policy.equals(child.getPasswordPolicy()))) {
            result.add(child);
            result.addAll(findSamePolicyChildren(child, policy));
        }
    }
    return result;
}
Also used : AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) ArrayList(java.util.ArrayList) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Realm(org.apache.syncope.core.persistence.api.entity.Realm) JPARealm(org.apache.syncope.core.persistence.jpa.entity.JPARealm)

Example 3 with AccountPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.

the class PolicyDataBinderImpl method getPolicy.

@SuppressWarnings("unchecked")
private <T extends Policy> T getPolicy(final T policy, final PolicyTO policyTO) {
    T result = policy;
    if (policyTO instanceof PasswordPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(PasswordPolicy.class);
        }
        PasswordPolicy passwordPolicy = PasswordPolicy.class.cast(result);
        PasswordPolicyTO passwordPolicyTO = PasswordPolicyTO.class.cast(policyTO);
        passwordPolicy.setAllowNullPassword(passwordPolicyTO.isAllowNullPassword());
        passwordPolicy.setHistoryLength(passwordPolicyTO.getHistoryLength());
        passwordPolicyTO.getRules().forEach(ruleKey -> {
            Implementation rule = implementationDAO.find(ruleKey);
            if (rule == null) {
                LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
            } else {
                passwordPolicy.add(rule);
            }
        });
        // remove all implementations not contained in the TO
        passwordPolicy.getRules().removeIf(implementation -> !passwordPolicyTO.getRules().contains(implementation.getKey()));
    } else if (policyTO instanceof AccountPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(AccountPolicy.class);
        }
        AccountPolicy accountPolicy = AccountPolicy.class.cast(result);
        AccountPolicyTO accountPolicyTO = AccountPolicyTO.class.cast(policyTO);
        accountPolicy.setMaxAuthenticationAttempts(accountPolicyTO.getMaxAuthenticationAttempts());
        accountPolicy.setPropagateSuspension(accountPolicyTO.isPropagateSuspension());
        accountPolicyTO.getRules().forEach(ruleKey -> {
            Implementation rule = implementationDAO.find(ruleKey);
            if (rule == null) {
                LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", ruleKey);
            } else {
                accountPolicy.add(rule);
            }
        });
        // remove all implementations not contained in the TO
        accountPolicy.getRules().removeIf(implementation -> !accountPolicyTO.getRules().contains(implementation.getKey()));
        accountPolicy.getResources().clear();
        accountPolicyTO.getPassthroughResources().forEach(resourceName -> {
            ExternalResource resource = resourceDAO.find(resourceName);
            if (resource == null) {
                LOG.debug("Ignoring invalid resource {} ", resourceName);
            } else {
                accountPolicy.add(resource);
            }
        });
    } else if (policyTO instanceof PullPolicyTO) {
        if (result == null) {
            result = (T) entityFactory.newEntity(PullPolicy.class);
        }
        PullPolicy pullPolicy = PullPolicy.class.cast(result);
        PullPolicyTO pullPolicyTO = PullPolicyTO.class.cast(policyTO);
        pullPolicy.setConflictResolutionAction(pullPolicyTO.getConflictResolutionAction());
        pullPolicyTO.getCorrelationRules().forEach((type, impl) -> {
            AnyType anyType = anyTypeDAO.find(type);
            if (anyType == null) {
                LOG.debug("Invalid AnyType {} specified, ignoring...", type);
            } else {
                CorrelationRule correlationRule = pullPolicy.getCorrelationRule(anyType).orElse(null);
                if (correlationRule == null) {
                    correlationRule = entityFactory.newEntity(CorrelationRule.class);
                    correlationRule.setAnyType(anyType);
                    correlationRule.setPullPolicy(pullPolicy);
                    pullPolicy.add(correlationRule);
                }
                Implementation rule = implementationDAO.find(impl);
                if (rule == null) {
                    throw new NotFoundException("Implementation " + type);
                }
                correlationRule.setImplementation(rule);
            }
        });
        // remove all rules not contained in the TO
        pullPolicy.getCorrelationRules().removeIf(anyFilter -> !pullPolicyTO.getCorrelationRules().containsKey(anyFilter.getAnyType().getKey()));
    }
    if (result != null) {
        result.setDescription(policyTO.getDescription());
    }
    return result;
}
Also used : PullPolicy(org.apache.syncope.core.persistence.api.entity.policy.PullPolicy) Realm(org.apache.syncope.core.persistence.api.entity.Realm) LoggerFactory(org.slf4j.LoggerFactory) AnyType(org.apache.syncope.core.persistence.api.entity.AnyType) Autowired(org.springframework.beans.factory.annotation.Autowired) Entity(org.apache.syncope.core.persistence.api.entity.Entity) PolicyDataBinder(org.apache.syncope.core.provisioning.api.data.PolicyDataBinder) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) RealmDAO(org.apache.syncope.core.persistence.api.dao.RealmDAO) ImplementationDAO(org.apache.syncope.core.persistence.api.dao.ImplementationDAO) PolicyTO(org.apache.syncope.common.lib.policy.PolicyTO) PasswordPolicyTO(org.apache.syncope.common.lib.policy.PasswordPolicyTO) Logger(org.slf4j.Logger) Policy(org.apache.syncope.core.persistence.api.entity.policy.Policy) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) Collectors(java.util.stream.Collectors) AnyTypeDAO(org.apache.syncope.core.persistence.api.dao.AnyTypeDAO) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) EntityFactory(org.apache.syncope.core.persistence.api.entity.EntityFactory) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) Component(org.springframework.stereotype.Component) CorrelationRule(org.apache.syncope.core.persistence.api.entity.policy.CorrelationRule) AccountPolicyTO(org.apache.syncope.common.lib.policy.AccountPolicyTO) PullPolicyTO(org.apache.syncope.common.lib.policy.PullPolicyTO) ExternalResourceDAO(org.apache.syncope.core.persistence.api.dao.ExternalResourceDAO) PullPolicyTO(org.apache.syncope.common.lib.policy.PullPolicyTO) NotFoundException(org.apache.syncope.core.persistence.api.dao.NotFoundException) AccountPolicyTO(org.apache.syncope.common.lib.policy.AccountPolicyTO) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) PullPolicy(org.apache.syncope.core.persistence.api.entity.policy.PullPolicy) CorrelationRule(org.apache.syncope.core.persistence.api.entity.policy.CorrelationRule) AnyType(org.apache.syncope.core.persistence.api.entity.AnyType) PasswordPolicyTO(org.apache.syncope.common.lib.policy.PasswordPolicyTO)

Example 4 with AccountPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.

the class RealmDataBinderImpl method create.

@Override
public Realm create(final Realm parent, final RealmTO realmTO) {
    Realm realm = entityFactory.newEntity(Realm.class);
    realm.setName(realmTO.getName());
    realm.setParent(parent);
    if (realmTO.getPasswordPolicy() != null) {
        Policy policy = policyDAO.find(realmTO.getPasswordPolicy());
        if (policy instanceof PasswordPolicy) {
            realm.setPasswordPolicy((PasswordPolicy) policy);
        } else {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
            sce.getElements().add("Expected " + PasswordPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
            throw sce;
        }
    }
    if (realmTO.getAccountPolicy() != null) {
        Policy policy = policyDAO.find(realmTO.getAccountPolicy());
        if (policy instanceof AccountPolicy) {
            realm.setAccountPolicy((AccountPolicy) policy);
        } else {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
            sce.getElements().add("Expected " + AccountPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
            throw sce;
        }
    }
    realmTO.getActions().forEach(logicActionsKey -> {
        Implementation logicAction = implementationDAO.find(logicActionsKey);
        if (logicAction == null) {
            LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", logicActionsKey);
        } else {
            realm.add(logicAction);
        }
    });
    setTemplates(realmTO, realm);
    realmTO.getResources().forEach(resourceKey -> {
        ExternalResource resource = resourceDAO.find(resourceKey);
        if (resource == null) {
            LOG.debug("Invalid " + ExternalResource.class.getSimpleName() + " {}, ignoring...", resourceKey);
        } else {
            realm.add(resource);
        }
    });
    return realm;
}
Also used : PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Policy(org.apache.syncope.core.persistence.api.entity.policy.Policy) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Realm(org.apache.syncope.core.persistence.api.entity.Realm) AnyTemplateRealm(org.apache.syncope.core.persistence.api.entity.AnyTemplateRealm) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation)

Example 5 with AccountPolicy

use of org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy in project syncope by apache.

the class RealmDataBinderImpl method update.

@Override
public PropagationByResource update(final Realm realm, final RealmTO realmTO) {
    realm.setName(realmTO.getName());
    realm.setParent(realmTO.getParent() == null ? null : realmDAO.find(realmTO.getParent()));
    if (realmTO.getAccountPolicy() == null) {
        realm.setAccountPolicy(null);
    } else {
        Policy policy = policyDAO.find(realmTO.getAccountPolicy());
        if (policy instanceof AccountPolicy) {
            realm.setAccountPolicy((AccountPolicy) policy);
        } else {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
            sce.getElements().add("Expected " + AccountPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
            throw sce;
        }
    }
    if (realmTO.getPasswordPolicy() == null) {
        realm.setPasswordPolicy(null);
    } else {
        Policy policy = policyDAO.find(realmTO.getPasswordPolicy());
        if (policy instanceof PasswordPolicy) {
            realm.setPasswordPolicy((PasswordPolicy) policy);
        } else {
            SyncopeClientException sce = SyncopeClientException.build(ClientExceptionType.InvalidPolicy);
            sce.getElements().add("Expected " + PasswordPolicy.class.getSimpleName() + ", found " + policy.getClass().getSimpleName());
            throw sce;
        }
    }
    realmTO.getActions().forEach(logicActionsKey -> {
        Implementation logicActions = implementationDAO.find(logicActionsKey);
        if (logicActions == null) {
            LOG.debug("Invalid " + Implementation.class.getSimpleName() + " {}, ignoring...", logicActionsKey);
        } else {
            realm.add(logicActions);
        }
    });
    // remove all implementations not contained in the TO
    realm.getActions().removeIf(implementation -> !realmTO.getActions().contains(implementation.getKey()));
    setTemplates(realmTO, realm);
    PropagationByResource propByRes = new PropagationByResource();
    realmTO.getResources().forEach(resourceKey -> {
        ExternalResource resource = resourceDAO.find(resourceKey);
        if (resource == null) {
            LOG.debug("Invalid " + ExternalResource.class.getSimpleName() + " {}, ignoring...", resourceKey);
        } else {
            realm.add(resource);
            propByRes.add(ResourceOperation.CREATE, resource.getKey());
        }
    });
    // remove all resources not contained in the TO
    realm.getResources().removeIf(resource -> {
        boolean contained = realmTO.getResources().contains(resource.getKey());
        if (!contained) {
            propByRes.add(ResourceOperation.DELETE, resource.getKey());
        }
        return !contained;
    });
    return propByRes;
}
Also used : PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) Policy(org.apache.syncope.core.persistence.api.entity.policy.Policy) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) AccountPolicy(org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) PasswordPolicy(org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy) PropagationByResource(org.apache.syncope.core.provisioning.api.PropagationByResource) ExternalResource(org.apache.syncope.core.persistence.api.entity.resource.ExternalResource) Implementation(org.apache.syncope.core.persistence.api.entity.Implementation)

Aggregations

AccountPolicy (org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy)7 PasswordPolicy (org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy)7 Implementation (org.apache.syncope.core.persistence.api.entity.Implementation)5 Realm (org.apache.syncope.core.persistence.api.entity.Realm)4 ExternalResource (org.apache.syncope.core.persistence.api.entity.resource.ExternalResource)4 SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)3 Policy (org.apache.syncope.core.persistence.api.entity.policy.Policy)3 PullPolicy (org.apache.syncope.core.persistence.api.entity.policy.PullPolicy)3 AccountPolicyTO (org.apache.syncope.common.lib.policy.AccountPolicyTO)2 PasswordPolicyTO (org.apache.syncope.common.lib.policy.PasswordPolicyTO)2 PullPolicyTO (org.apache.syncope.common.lib.policy.PullPolicyTO)2 AnyType (org.apache.syncope.core.persistence.api.entity.AnyType)2 Entity (org.apache.syncope.core.persistence.api.entity.Entity)2 ArrayList (java.util.ArrayList)1 Date (java.util.Date)1 Collectors (java.util.stream.Collectors)1 NoResultException (javax.persistence.NoResultException)1 SyncopeClientCompositeException (org.apache.syncope.common.lib.SyncopeClientCompositeException)1 IteratorChain (org.apache.syncope.common.lib.collections.IteratorChain)1 PolicyTO (org.apache.syncope.common.lib.policy.PolicyTO)1