Search in sources :

Example 21 with JsonValue

use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.

the class IdentityResourceV2 method validateGoto.

/**
     * Validates the current goto against the list of allowed gotos, and returns either the allowed
     * goto as sent in, or the server's default goto value.
     *
     * @param context Current Server Context
     * @param request Request from client to confirm registration
     */
/* package private for access by UserIdentityResourceV3
     */
Promise<ActionResponse, ResourceException> validateGoto(final Context context, final ActionRequest request) {
    final JsonValue jVal = request.getContent();
    JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
        String gotoURL = URL_VALIDATOR.getRedirectUrl(ssoToken.getProperty(ISAuthConstants.ORGANIZATION), URL_VALIDATOR.getValueFromJson(jVal, RedirectUrlValidator.GOTO), ssoToken.getProperty("successURL"));
        result.put("successURL", gotoURL);
        return newResultPromise(newActionResponse(result));
    } catch (SSOException ssoe) {
        if (debug.errorEnabled()) {
            debug.error("IdentityResource.validateGoto() :: Invalid SSOToken.", ssoe);
        }
        return new ForbiddenException(ssoe.getMessage(), ssoe).asPromise();
    }
}
Also used : SSOTokenManager(com.iplanet.sso.SSOTokenManager) ForbiddenException(org.forgerock.json.resource.ForbiddenException) SSOToken(com.iplanet.sso.SSOToken) JsonValue(org.forgerock.json.JsonValue) SSOException(com.iplanet.sso.SSOException)

Example 22 with JsonValue

use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.

the class IdentityResourceV2 method generateNewPasswordEmail.

/**
     * Generates the e-mail contents based on the incoming request.
     *
     * Will only send the e-mail if all the following conditions are true:
     *
     * - Forgotten Password service is enabled
     * - User exists
     * - User has an e-mail address in their profile
     * - E-mail service is correctly configured.
     *
     * @param context Non null.
     * @param request Non null.
     * @param realm Used as part of user lookup.
     * @param restSecurity Non null.
     */
private Promise<ActionResponse, ResourceException> generateNewPasswordEmail(final Context context, final ActionRequest request, final String realm, final RestSecurity restSecurity) {
    JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
    final JsonValue jsonBody = request.getContent();
    try {
        // Check to make sure forgotPassword enabled
        if (restSecurity == null) {
            if (debug.warningEnabled()) {
                debug.warning("Rest Security not created. restSecurity={}", restSecurity);
            }
            throw getException(UNAVAILABLE, "Rest Security Service not created");
        }
        if (!restSecurity.isSelfServiceRestEndpointEnabled()) {
            if (debug.warningEnabled()) {
                debug.warning("Forgot Password set to : {}", restSecurity.isSelfServiceRestEndpointEnabled());
            }
            throw getException(UNAVAILABLE, "Legacy Self Service REST Endpoint is not enabled.");
        }
        if (!restSecurity.isForgotPassword()) {
            if (debug.warningEnabled()) {
                debug.warning("Forgot Password set to : {}", restSecurity.isForgotPassword());
            }
            throw getException(UNAVAILABLE, "Forgot password is not accessible.");
        }
        // Generate Admin Token
        SSOToken adminToken = getSSOToken(RestUtils.getToken().getTokenID().toString());
        Map<String, Set<String>> searchAttributes = getIdentityServicesAttributes(realm, objectType);
        searchAttributes.putAll(getAttributeFromRequest(jsonBody));
        List<String> searchResults = identityServices.search(new CrestQuery("*"), searchAttributes, adminToken);
        if (searchResults.isEmpty()) {
            throw new NotFoundException("User not found");
        } else if (searchResults.size() > 1) {
            throw new ConflictException("Multiple users found");
        } else {
            String username = searchResults.get(0);
            IdentityDetails identityDetails = identityServices.read(username, getIdentityServicesAttributes(realm, objectType), adminToken);
            String email = null;
            String uid = null;
            for (Map.Entry<String, Set<String>> attribute : asMap(identityDetails.getAttributes()).entrySet()) {
                String attributeName = attribute.getKey();
                if (MAIL.equalsIgnoreCase(attributeName)) {
                    if (attribute.getValue() != null && !attribute.getValue().isEmpty()) {
                        email = attribute.getValue().iterator().next();
                    }
                } else if (UNIVERSAL_ID.equalsIgnoreCase(attributeName)) {
                    if (attribute.getValue() != null && !attribute.getValue().isEmpty()) {
                        uid = attribute.getValue().iterator().next();
                    }
                }
            }
            // Check to see if user is Active/Inactive
            if (!isUserActive(uid)) {
                throw new ForbiddenException("Request is forbidden for this user");
            }
            // Check if email is provided
            if (email == null || email.isEmpty()) {
                throw new BadRequestException("No email provided in profile.");
            }
            // Get full deployment URL
            HttpContext header = context.asContext(HttpContext.class);
            String baseURL = baseURLProviderFactory.get(realm).getRootURL(header);
            String subject = jsonBody.get("subject").asString();
            String message = jsonBody.get("message").asString();
            // Retrieve email registration token life time
            if (restSecurity == null) {
                if (debug.warningEnabled()) {
                    debug.warning("Rest Security not created. restSecurity={}", restSecurity);
                }
                throw new NotFoundException("Rest Security Service not created");
            }
            Long tokenLifeTime = restSecurity.getForgotPassTLT();
            // Generate Token
            org.forgerock.openam.cts.api.tokens.Token ctsToken = generateToken(email, username, tokenLifeTime, realm);
            // Store token in datastore
            CTSHolder.getCTS().createAsync(ctsToken);
            // Create confirmationId
            String confirmationId = Hash.hash(ctsToken.getTokenId() + username + SystemProperties.get(AM_ENCRYPTION_PWD));
            // Build Confirmation URL
            String confURL = restSecurity.getForgotPasswordConfirmationUrl();
            StringBuilder confURLBuilder = new StringBuilder(100);
            if (StringUtils.isEmpty(confURL)) {
                confURLBuilder.append(baseURL).append("/json/confirmation/forgotPassword");
            } else if (confURL.startsWith("/")) {
                confURLBuilder.append(baseURL).append(confURL);
            } else {
                confURLBuilder.append(confURL);
            }
            String confirmationLink = confURLBuilder.append("?confirmationId=").append(requestParamEncode(confirmationId)).append("&tokenId=").append(requestParamEncode(ctsToken.getTokenId())).append("&username=").append(requestParamEncode(username)).append("&realm=").append(realm).toString();
            // Send Registration
            sendNotification(email, subject, message, realm, confirmationLink);
            String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
            if (debug.messageEnabled()) {
                debug.message("IdentityResource.generateNewPasswordEmail :: ACTION of generate new password email " + " for username={} in realm={} performed by principalName={}", username, realm, principalName);
            }
        }
        return newResultPromise(newActionResponse(result));
    } catch (ResourceException re) {
        // Service not available, Neither or both Username/Email provided, User inactive
        debug.warning(re.getMessage(), re);
        return re.asPromise();
    } catch (Exception e) {
        // Intentional - all other errors are considered Internal Error.
        debug.error("Internal error", e);
        return new InternalServerErrorException("Failed to send mail", e).asPromise();
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) HashSet(java.util.HashSet) ConflictException(org.forgerock.json.resource.ConflictException) NotFoundException(org.forgerock.json.resource.NotFoundException) ServiceNotFoundException(com.sun.identity.sm.ServiceNotFoundException) SSOToken(com.iplanet.sso.SSOToken) ResourceException(org.forgerock.json.resource.ResourceException) CrestQuery(org.forgerock.openam.utils.CrestQuery) ForbiddenException(org.forgerock.json.resource.ForbiddenException) JsonValue(org.forgerock.json.JsonValue) HttpContext(org.forgerock.json.resource.http.HttpContext) MessagingException(javax.mail.MessagingException) ConflictException(org.forgerock.json.resource.ConflictException) PermanentException(org.forgerock.json.resource.PermanentException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) ForbiddenException(org.forgerock.json.resource.ForbiddenException) DeleteFailedException(org.forgerock.openam.cts.exceptions.DeleteFailedException) SSOException(com.iplanet.sso.SSOException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) NotFoundException(org.forgerock.json.resource.NotFoundException) ServiceNotFoundException(com.sun.identity.sm.ServiceNotFoundException) NotSupportedException(org.forgerock.json.resource.NotSupportedException) BadRequestException(org.forgerock.json.resource.BadRequestException) IdRepoException(com.sun.identity.idm.IdRepoException) SMSException(com.sun.identity.sm.SMSException) ResourceException(org.forgerock.json.resource.ResourceException) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException) IdentityDetails(com.sun.identity.idsvcs.IdentityDetails) BadRequestException(org.forgerock.json.resource.BadRequestException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException)

Example 23 with JsonValue

use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.

the class IdentityResourceV2 method anonymousCreate.

private Promise<ActionResponse, ResourceException> anonymousCreate(final Context context, final ActionRequest request, final String realm, RestSecurity restSecurity) {
    final JsonValue jVal = request.getContent();
    String tokenID = null;
    String confirmationId;
    String email;
    try {
        if (!restSecurity.isSelfRegistration()) {
            throw new BadRequestException("Self-registration disabled");
        }
        tokenID = jVal.get(TOKEN_ID).asString();
        jVal.remove(TOKEN_ID);
        confirmationId = jVal.get(CONFIRMATION_ID).asString();
        jVal.remove(CONFIRMATION_ID);
        email = jVal.get(EMAIL).asString();
        if (email == null || email.isEmpty()) {
            throw new BadRequestException("Email not provided");
        }
        // Convert to IDRepo Attribute schema
        jVal.put("mail", email);
        if (confirmationId == null || confirmationId.isEmpty()) {
            throw new BadRequestException("confirmationId not provided");
        }
        if (tokenID == null || tokenID.isEmpty()) {
            throw new BadRequestException("tokenId not provided");
        }
        validateToken(tokenID, realm, email, confirmationId);
        // create an Identity
        SSOToken admin = RestUtils.getToken();
        final String finalTokenID = tokenID;
        return createInstance(admin, jVal, realm).thenAsync(new AsyncFunction<ActionResponse, ActionResponse, ResourceException>() {

            @Override
            public Promise<ActionResponse, ResourceException> apply(ActionResponse response) {
                // Only remove the token if the create was successful, errors will be set in the handler.
                try {
                    // Even though the generated token will eventually timeout, delete it after a successful read
                    // so that the completed registration request cannot be made again using the same token.
                    CTSHolder.getCTS().deleteAsync(finalTokenID);
                } catch (DeleteFailedException e) {
                    // reading and deleting, the token has expired.
                    if (debug.messageEnabled()) {
                        debug.message("IdentityResource.anonymousCreate: Deleting token " + finalTokenID + " after a successful read failed due to " + e.getMessage(), e);
                    }
                } catch (CoreTokenException cte) {
                    // For any unexpected CTS error
                    debug.error("IdentityResource.anonymousCreate(): CTS Error : " + cte.getMessage());
                    return new InternalServerErrorException(cte.getMessage(), cte).asPromise();
                }
                return newResultPromise(response);
            }
        });
    } catch (BadRequestException bre) {
        debug.warning("IdentityResource.anonymousCreate() :: Invalid Parameter", bre);
        return bre.asPromise();
    } catch (ResourceException re) {
        debug.warning("IdentityResource.anonymousCreate() :: Resource error", re);
        return re.asPromise();
    } catch (CoreTokenException cte) {
        // For any unexpected CTS error
        debug.error("IdentityResource.anonymousCreate() :: CTS error", cte);
        return new InternalServerErrorException(cte).asPromise();
    } catch (ServiceNotFoundException snfe) {
        // Failure from RestSecurity
        debug.error("IdentityResource.anonymousCreate() :: Internal error", snfe);
        return new InternalServerErrorException(snfe).asPromise();
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) JsonValue(org.forgerock.json.JsonValue) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException) ActionResponse(org.forgerock.json.resource.ActionResponse) Responses.newActionResponse(org.forgerock.json.resource.Responses.newActionResponse) Promises.newResultPromise(org.forgerock.util.promise.Promises.newResultPromise) Promise(org.forgerock.util.promise.Promise) DeleteFailedException(org.forgerock.openam.cts.exceptions.DeleteFailedException) ServiceNotFoundException(com.sun.identity.sm.ServiceNotFoundException) BadRequestException(org.forgerock.json.resource.BadRequestException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) ResourceException(org.forgerock.json.resource.ResourceException)

Example 24 with JsonValue

use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.

the class IdentityResourceV3 method patchInstance.

/**
     * Patch the user's password and only the password.  No other value may be patched.  The old value of the
     * password does not have to be known.  Admin only.  The only patch operation supported is "replace", i.e. not
     * "add" or "move", etc.
     *
     * @param context The context
     * @param resourceId The username we're patching
     * @param request The patch request
     */
@Override
public Promise<ResourceResponse, ResourceException> patchInstance(final Context context, final String resourceId, final PatchRequest request) {
    if (!objectType.equals(IdentityRestUtils.USER_TYPE)) {
        return new BadRequestException("Cannot patch object type " + objectType).asPromise();
    }
    RealmContext realmContext = context.asContext(RealmContext.class);
    final String realm = realmContext.getResolvedRealm();
    try {
        if (!isAdmin(context)) {
            return new ForbiddenException("Only admin can patch user values").asPromise();
        }
        SSOToken ssoToken = getSSOToken(RestUtils.getToken().getTokenID().toString());
        IdentityServicesImpl identityServices = getIdentityServices();
        IdentityDetails identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
        Attribute[] existingAttributes = identityDetails.getAttributes();
        Map<String, Set<String>> existingAttributeMap = attributesToMap(existingAttributes);
        Map<String, Set<String>> newAttributeMap = new HashMap<>();
        if (existingAttributeMap.containsKey(IdentityRestUtils.UNIVERSAL_ID)) {
            Set<String> values = existingAttributeMap.get(IdentityRestUtils.UNIVERSAL_ID);
            if (isNotEmpty(values) && !isUserActive(values.iterator().next())) {
                return new ForbiddenException("User " + resourceId + " is not active: Request is forbidden").asPromise();
            }
        }
        boolean updateNeeded = false;
        for (PatchOperation patchOperation : request.getPatchOperations()) {
            switch(patchOperation.getOperation()) {
                case PatchOperation.OPERATION_REPLACE:
                    {
                        String name = getFieldName(patchOperation.getField());
                        if (!patchableAttributes.contains(name)) {
                            return new BadRequestException("For the object type " + IdentityRestUtils.USER_TYPE + ", field \"" + name + "\" cannot be altered by PATCH").asPromise();
                        }
                        JsonValue value = patchOperation.getValue();
                        newAttributeMap.put(name, identityAttributeJsonToSet(value));
                        updateNeeded = true;
                        break;
                    }
                default:
                    return new BadRequestException("PATCH of " + IdentityRestUtils.USER_TYPE + " does not support operation " + patchOperation.getOperation()).asPromise();
            }
        }
        if (updateNeeded) {
            identityDetails.setAttributes(mapToAttributes(newAttributeMap));
            identityServices.update(identityDetails, ssoToken);
            // re-read the altered identity details from the repo.
            identityDetails = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), ssoToken);
        }
        return newResultPromise(newResourceResponse("result", "1", identityDetailsToJsonValue(identityDetails)));
    } catch (final ObjectNotFound notFound) {
        logger.error("IdentityResourceV3.patchInstance cannot find resource " + resourceId, notFound);
        return new NotFoundException("Resource cannot be found.", notFound).asPromise();
    } catch (final TokenExpired tokenExpired) {
        logger.error("IdentityResourceV3.patchInstance, token expired", tokenExpired);
        return new PermanentException(401, "Unauthorized", null).asPromise();
    } catch (final AccessDenied accessDenied) {
        logger.error("IdentityResourceV3.patchInstance, access denied", accessDenied);
        return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
    } catch (final GeneralFailure generalFailure) {
        logger.error("IdentityResourceV3.patchInstance, general failure " + generalFailure.getMessage());
        return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
    } catch (ForbiddenException fex) {
        logger.warning("IdentityResourceV3.patchInstance, insufficient privileges.", fex);
        return fex.asPromise();
    } catch (NotFoundException notFound) {
        logger.warning("IdentityResourceV3.patchInstance " + resourceId + " not found", notFound);
        return new NotFoundException("Resource " + resourceId + " cannot be found.", notFound).asPromise();
    } catch (ResourceException resourceException) {
        logger.warning("IdentityResourceV3.patchInstance caught ResourceException", resourceException);
        return resourceException.asPromise();
    } catch (Exception exception) {
        logger.error("IdentityResourceV3.patchInstance caught exception", exception);
        return new InternalServerErrorException(exception.getMessage(), exception).asPromise();
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) HashSet(java.util.HashSet) Attribute(com.sun.identity.idsvcs.Attribute) HashMap(java.util.HashMap) NotFoundException(org.forgerock.json.resource.NotFoundException) IdentityServicesImpl(com.sun.identity.idsvcs.opensso.IdentityServicesImpl) ObjectNotFound(com.sun.identity.idsvcs.ObjectNotFound) PermanentException(org.forgerock.json.resource.PermanentException) PatchOperation(org.forgerock.json.resource.PatchOperation) TokenExpired(com.sun.identity.idsvcs.TokenExpired) ResourceException(org.forgerock.json.resource.ResourceException) ForbiddenException(org.forgerock.json.resource.ForbiddenException) RealmContext(org.forgerock.openam.rest.RealmContext) JsonValue(org.forgerock.json.JsonValue) AccessDenied(com.sun.identity.idsvcs.AccessDenied) PermanentException(org.forgerock.json.resource.PermanentException) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) ForbiddenException(org.forgerock.json.resource.ForbiddenException) NotFoundException(org.forgerock.json.resource.NotFoundException) BadRequestException(org.forgerock.json.resource.BadRequestException) ResourceException(org.forgerock.json.resource.ResourceException) GeneralFailure(com.sun.identity.idsvcs.GeneralFailure) BadRequestException(org.forgerock.json.resource.BadRequestException) IdentityDetails(com.sun.identity.idsvcs.IdentityDetails) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException)

Example 25 with JsonValue

use of org.forgerock.json.JsonValue in project OpenAM by OpenRock.

the class IdentityRestUtils method identityDetailsToJsonValue.

/**
     * Convert an {@link IdentityDetails} object into a {@link JsonValue}.  Package private for IdentityResourceV2.
     *
     * @param details The IdentityDetails
     * @return The JsonValue
     */
public static JsonValue identityDetailsToJsonValue(IdentityDetails details) {
    JsonValue result = new JsonValue(new LinkedHashMap<String, Object>());
    try {
        result.put(USERNAME, details.getName());
        result.put("realm", details.getRealm());
        Map<String, Set<String>> attrs = asMap(details.getAttributes());
        for (Map.Entry<String, Set<String>> entry : attrs.entrySet()) {
            // back and forth.
            if (entry.getKey().equals(USER_KBA_ATTRIBUTE)) {
                List<Object> kbaChildren = new ArrayList<>();
                for (String kbaString : entry.getValue()) {
                    JsonValue kbaValue = JsonValueBuilder.toJsonValue(kbaString);
                    kbaChildren.add(kbaValue.getObject());
                }
                result.put(USER_KBA_ATTRIBUTE, kbaChildren);
            } else if (isPasswordAttribute(entry.getKey())) {
                continue;
            } else {
                result.put(entry.getKey(), new ArrayList<>(entry.getValue()));
            }
        }
        return result;
    } catch (final Exception e) {
        throw new JsonValueException(result);
    }
}
Also used : HashSet(java.util.HashSet) Set(java.util.Set) JsonValue(org.forgerock.json.JsonValue) ArrayList(java.util.ArrayList) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) IdentityServicesImpl.asMap(com.sun.identity.idsvcs.opensso.IdentityServicesImpl.asMap) JsonValueException(org.forgerock.json.JsonValueException) NotFoundException(org.forgerock.json.resource.NotFoundException) BadRequestException(org.forgerock.json.resource.BadRequestException) IdRepoException(com.sun.identity.idm.IdRepoException) PermanentException(org.forgerock.json.resource.PermanentException) JsonValueException(org.forgerock.json.JsonValueException) ResourceException(org.forgerock.json.resource.ResourceException) SSOException(com.iplanet.sso.SSOException)

Aggregations

JsonValue (org.forgerock.json.JsonValue)575 Test (org.testng.annotations.Test)333 ResourceException (org.forgerock.json.resource.ResourceException)144 ResourceResponse (org.forgerock.json.resource.ResourceResponse)123 RealmContext (org.forgerock.openam.rest.RealmContext)70 Context (org.forgerock.services.context.Context)63 HashSet (java.util.HashSet)56 SSOException (com.iplanet.sso.SSOException)54 ArrayList (java.util.ArrayList)51 BadRequestException (org.forgerock.json.resource.BadRequestException)47 Privilege (com.sun.identity.entitlement.Privilege)46 InternalServerErrorException (org.forgerock.json.resource.InternalServerErrorException)46 SSOToken (com.iplanet.sso.SSOToken)43 SMSException (com.sun.identity.sm.SMSException)42 HashMap (java.util.HashMap)42 NotFoundException (org.forgerock.json.resource.NotFoundException)41 SSOTokenContext (org.forgerock.openam.rest.resource.SSOTokenContext)41 CreateRequest (org.forgerock.json.resource.CreateRequest)40 OpenSSOPrivilege (com.sun.identity.entitlement.opensso.OpenSSOPrivilege)39 Subject (javax.security.auth.Subject)32