
Example 1 with AccountPolicyException

use of org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException in project syncope by apache.

the class JPAUserDAO method enforcePolicies.

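/**
 * Enforces the password and account policies applicable to the given user.
 * <p>
 * Password policies are checked first: a {@code null} password is rejected unless every policy
 * allows it, each configured {@link PasswordRule} is applied, and the clear-text password is
 * compared against the user's password history. The (already encrypted) password is then recorded
 * in the history, which is trimmed to the longest history length requested by any policy.
 * Whatever the outcome, the clear-text password is dropped from the user afterwards.
 * <p>
 * Account policies are checked next: the username must be non-{@code null}, must not be the
 * administrator or anonymous username, must match {@code USERNAME_PATTERN}, and each configured
 * {@link AccountRule} is applied.
 *
 * @param user user to validate
 * @return pair whose left value tells whether the user must be suspended (failed logins above the
 * cap of at least one account policy) and whose right value tells whether such a suspension has
 * to be propagated
 * @throws InvalidEntityException with {@link EntityViolationType#InvalidPassword} when any password
 * policy check fails, or with {@link EntityViolationType#InvalidUsername} when any account policy
 * check fails; the message of the original failure is carried along
 */
@Transactional(readOnly = true)
@Override
public Pair<Boolean, Boolean> enforcePolicies(final User user) {
    // ------------------------------
    // Verify password policies
    // ------------------------------
    LOG.debug("Password Policy enforcement");
    try {
        int maxPPSpecHistory = 0;
        for (PasswordPolicy policy : getPasswordPolicies(user)) {
            if (user.getPassword() == null && !policy.isAllowNullPassword()) {
                throw new PasswordPolicyException("Password mandatory");
            }
            for (Implementation impl : policy.getRules()) {
                Optional<PasswordRule> rule = ImplementationManager.buildPasswordRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            if (user.verifyPasswordHistory(user.getClearPassword(), policy.getHistoryLength())) {
                throw new PasswordPolicyException("Password value was used in the past: not allowed");
            }
            // the history is sized by the most demanding policy
            if (policy.getHistoryLength() > maxPPSpecHistory) {
                maxPPSpecHistory = policy.getHistoryLength();
            }
        }
        // update user's password history with encrypted password
        if (maxPPSpecHistory > 0 && user.getPassword() != null
                && !user.getPasswordHistory().contains(user.getPassword())) {
            user.getPasswordHistory().add(user.getPassword());
        }
        // keep only the last maxPPSpecHistory items in user's password history: entries are
        // appended at the tail, so the oldest ones sit at the head and are the ones to evict.
        // The former index-based loop removed from a list that was shrinking under it, so it
        // skipped entries and stopped early, leaving the history longer than allowed.
        while (user.getPasswordHistory().size() > maxPPSpecHistory) {
            user.getPasswordHistory().remove(0);
        }
    } catch (Exception e) {
        // every failure here (policy violation or unexpected) surfaces to the caller as an
        // invalid password on the user entity
        LOG.error("Invalid password for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e.getMessage());
    } finally {
        // password has been validated, let's remove its clear version
        user.removeClearPassword();
    }
    // ------------------------------
    // Verify account policies
    // ------------------------------
    LOG.debug("Account Policy enforcement");
    boolean suspend = false;
    boolean propagateSuspension = false;
    try {
        if (user.getUsername() == null) {
            throw new AccountPolicyException("Null username");
        }
        // the built-in administrator and anonymous usernames are reserved
        if (adminUser.equals(user.getUsername()) || anonymousUser.equals(user.getUsername())) {
            throw new AccountPolicyException("Not allowed: " + user.getUsername());
        }
        if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
            throw new AccountPolicyException("Character(s) not allowed");
        }
        for (AccountPolicy policy : getAccountPolicies(user)) {
            for (Implementation impl : policy.getRules()) {
                Optional<AccountRule> rule = ImplementationManager.buildAccountRule(impl);
                if (rule.isPresent()) {
                    rule.get().enforce(user);
                }
            }
            // suspend when this policy caps authentication attempts, the user is above the cap
            // and not already suspended; once set by any policy the flag stays set
            suspend |= user.getFailedLogins() != null
                    && policy.getMaxAuthenticationAttempts() > 0
                    && user.getFailedLogins() > policy.getMaxAuthenticationAttempts()
                    && !user.isSuspended();
            propagateSuspension |= policy.isPropagateSuspension();
        }
    } catch (Exception e) {
        LOG.error("Invalid username for {}", user, e);
        throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
    }
    return ImmutablePair.of(suspend, propagateSuspension);
}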

Example 2 with AccountPolicyException

use of org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException in project syncope by apache.

the class DefaultAccountRule method enforce.

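/**
 * Enforces this rule's configuration against the given user's username.
 * <p>
 * Checks, in order: username present; minimum and maximum length; words not permitted (the
 * configured ones plus the first value of each of the user's own plain attributes listed as
 * schemas not permitted); case constraints; pattern (the configured one, or
 * {@code DEFAULT_PATTERN} when none is set); prefixes and suffixes not permitted. A check whose
 * configuration value is unset (0, {@code null} or empty) is skipped.
 *
 * @param user user whose username is validated
 * @throws AccountPolicyException on the first violated check
 */
@Transactional(readOnly = true)
@Override
public void enforce(final User user) {
    if (user.getUsername() == null) {
        throw new AccountPolicyException("Invalid account");
    }
    final String username = user.getUsername();
    // check min length
    if (this.conf.getMinLength() > 0 && this.conf.getMinLength() > username.length()) {
        throw new AccountPolicyException("Username too short");
    }
    // check max length
    if (this.conf.getMaxLength() > 0 && this.conf.getMaxLength() < username.length()) {
        throw new AccountPolicyException("Username too long");
    }
    // check words not permitted: the configured ones, plus the first value of each of this
    // user's plain attributes listed in schemasNotPermitted. The attribute-derived words are
    // computed per call and never written back into the shared conf: this rule instance is
    // reused across users, and adding them to conf.getWordsNotPermitted() made one user's
    // attribute values forbidden in every later username (and grew the list without bound).
    boolean wordNotPermitted = this.conf.getWordsNotPermitted().stream().
            anyMatch(word -> StringUtils.containsIgnoreCase(username, word))
            || this.conf.getSchemasNotPermitted().stream().
                    map(schema -> user.getPlainAttr(schema)).
                    filter(attr -> attr.isPresent()).
                    map(attr -> attr.get().getValuesAsStrings()).
                    filter(values -> values != null && !values.isEmpty()).
                    map(values -> values.get(0)).
                    anyMatch(word -> StringUtils.containsIgnoreCase(username, word));
    if (wordNotPermitted) {
        throw new AccountPolicyException("Used word(s) not permitted");
    }
    // check case
    if (this.conf.isAllUpperCase() && !username.equals(username.toUpperCase())) {
        throw new AccountPolicyException("No lowercase characters permitted");
    }
    if (this.conf.isAllLowerCase() && !username.equals(username.toLowerCase())) {
        throw new AccountPolicyException("No uppercase characters permitted");
    }
    // check pattern
    Pattern pattern = this.conf.getPattern() == null
            ? DEFAULT_PATTERN
            : Pattern.compile(this.conf.getPattern());
    if (!pattern.matcher(username).matches()) {
        throw new AccountPolicyException("Username does not match pattern");
    }
    // check prefix
    if (this.conf.getPrefixesNotPermitted().stream().anyMatch(prefix -> username.startsWith(prefix))) {
        throw new AccountPolicyException("Prefix not permitted");
    }
    // check suffix
    if (this.conf.getSuffixesNotPermitted().stream().anyMatch(suffix -> username.endsWith(suffix))) {
        throw new AccountPolicyException("Suffix not permitted");
    }
}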
