use of org.forgerock.json.resource.BadRequestException in project OpenAM by OpenRock.
the class IdentityResourceV1 method confirmationIdCheck.
/**
* Will validate confirmationId is correct
* @param context Current Server Context
* @param request Request from client to confirm registration
*/
private Promise<ActionResponse, ResourceException> confirmationIdCheck(final Context context, final ActionRequest request, final String realm) {
final String METHOD = "IdentityResource.confirmationIdCheck";
final JsonValue jVal = request.getContent();
String tokenID;
String confirmationId;
String email = null;
String username = null;
//email or username value used to create confirmationId
String hashComponent = null;
String hashComponentAttr = null;
JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
try {
tokenID = jVal.get(TOKEN_ID).asString();
confirmationId = jVal.get(CONFIRMATION_ID).asString();
email = jVal.get(EMAIL).asString();
username = jVal.get(USERNAME).asString();
if (StringUtils.isBlank(confirmationId)) {
if (debug.errorEnabled()) {
debug.error("{} :: Bad Request - confirmationId not found in request.", METHOD);
}
throw new BadRequestException("confirmationId not provided");
}
if (StringUtils.isBlank(email) && !StringUtils.isBlank(username)) {
hashComponent = username;
hashComponentAttr = USERNAME;
}
if (!StringUtils.isBlank(email) && StringUtils.isBlank(username)) {
hashComponent = email;
hashComponentAttr = EMAIL;
}
if (StringUtils.isBlank(hashComponent)) {
if (debug.errorEnabled()) {
debug.error("{} :: Bad Request - hashComponent not found in request.", METHOD);
}
throw new BadRequestException("Required information not provided");
}
if (StringUtils.isBlank(tokenID)) {
if (debug.errorEnabled()) {
debug.error("{} :: Bad Request - tokenID not found in request.", METHOD);
}
throw new BadRequestException("tokenId not provided");
}
validateToken(tokenID, realm, hashComponent, confirmationId);
// build resource
result.put(hashComponentAttr, hashComponent);
result.put(TOKEN_ID, tokenID);
result.put(CONFIRMATION_ID, confirmationId);
if (debug.messageEnabled()) {
debug.message("{} :: Confirmed for token '{}' with confirmation '{}'", METHOD, tokenID, confirmationId);
}
return newResultPromise(newActionResponse(result));
} catch (BadRequestException bre) {
debug.warning("{} :: Cannot confirm registration/forgotPassword for : {}", METHOD, hashComponent, bre);
return bre.asPromise();
} catch (ResourceException re) {
debug.warning("{} :: Resource error for : {}", METHOD, hashComponent, re);
return re.asPromise();
} catch (CoreTokenException cte) {
debug.error("{} :: CTE error for : {}", METHOD, hashComponent, cte);
return new InternalServerErrorException(cte).asPromise();
}
}
use of org.forgerock.json.resource.BadRequestException in project OpenAM by OpenRock.
the class IdentityResourceV1 method createRegistrationEmail.
/**
* This method will create a confirmation email that contains a {@link org.forgerock.openam.cts.api.tokens.Token},
* confirmationId and email that was provided in the request.
* @param context Current Server Context
* @param request Request from client to retrieve id
*/
private Promise<ActionResponse, ResourceException> createRegistrationEmail(final Context context, final ActionRequest request, final String realm, final RestSecurity restSecurity) {
JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
final JsonValue jVal = request.getContent();
String emailAddress = null;
String confirmationLink;
String tokenID;
try {
if (restSecurity == null) {
if (debug.warningEnabled()) {
debug.warning("IdentityResource.createRegistrationEmail(): Rest Security not created. " + "restSecurity={}", restSecurity);
}
throw new NotFoundException("Rest Security Service not created");
}
if (!restSecurity.isSelfRegistration()) {
if (debug.warningEnabled()) {
debug.warning("IdentityResource.createRegistrationEmail(): Self-Registration set to : {}", restSecurity.isSelfRegistration());
}
throw new NotSupportedException("Self Registration is not enabled.");
}
// Get full deployment URL
HttpContext header = context.asContext(HttpContext.class);
StringBuilder deploymentURL = RestUtils.getFullDeploymentURI(header.getPath());
// Get the email address provided from registration page
emailAddress = jVal.get(EMAIL).asString();
if (StringUtils.isBlank(emailAddress)) {
throw new BadRequestException("Email not provided");
}
String subject = jVal.get("subject").asString();
String message = jVal.get("message").asString();
// Retrieve email registration token life time
Long tokenLifeTime = restSecurity.getSelfRegTLT();
// Create CTS Token
org.forgerock.openam.cts.api.tokens.Token ctsToken = generateToken(emailAddress, "anonymous", tokenLifeTime, realm);
// Store token in datastore
CTSHolder.getCTS().createAsync(ctsToken);
tokenID = ctsToken.getTokenId();
// Create confirmationId
String confirmationId = Hash.hash(tokenID + emailAddress + SystemProperties.get(AM_ENCRYPTION_PWD));
// Build Confirmation URL
String confURL = restSecurity.getSelfRegistrationConfirmationUrl();
StringBuilder confURLBuilder = new StringBuilder(100);
if (StringUtils.isBlank(confURL)) {
confURLBuilder.append(deploymentURL.append("/json/confirmation/register").toString());
} else {
confURLBuilder.append(confURL);
}
confirmationLink = confURLBuilder.append("?confirmationId=").append(requestParamEncode(confirmationId)).append("&email=").append(requestParamEncode(emailAddress)).append("&tokenId=").append(requestParamEncode(tokenID)).append("&realm=").append(realm).toString();
// Send Registration
sendNotification(emailAddress, subject, message, realm, confirmationLink);
if (debug.messageEnabled()) {
debug.message("IdentityResource.createRegistrationEmail() :: Sent notification to={} with subject={}. " + "In realm={} for token ID={}", emailAddress, subject, realm, tokenID);
}
return newResultPromise(newActionResponse(result));
} catch (BadRequestException | NotFoundException be) {
debug.warning("IdentityResource.createRegistrationEmail: Cannot send email to {}", emailAddress, be);
return be.asPromise();
} catch (NotSupportedException nse) {
debug.error("IdentityResource.createRegistrationEmail: Operation not enabled", nse);
return nse.asPromise();
} catch (Exception e) {
debug.error("IdentityResource.createRegistrationEmail: Cannot send email to {}", emailAddress, e);
return new NotFoundException("Email not sent").asPromise();
}
}
use of org.forgerock.json.resource.BadRequestException in project OpenAM by OpenRock.
the class IdentityResourceV1 method updateInstance.
@Override
public Promise<ResourceResponse, ResourceException> updateInstance(final Context context, final String resourceId, final UpdateRequest request) {
RealmContext realmContext = context.asContext(RealmContext.class);
final String realm = realmContext.getResolvedRealm();
final JsonValue jsonValue = request.getContent();
final String rev = request.getRevision();
IdentityDetails dtls, newDtls;
ResourceResponse resource;
try {
SSOToken admin = getSSOToken(getCookieFromServerContext(context));
// Retrieve details about user to be updated
dtls = identityServices.read(resourceId, getIdentityServicesAttributes(realm), admin);
//be removed from the IdentityDetails object.
if (!isAdmin(context)) {
for (String attrName : jsonValue.keys()) {
if ("userpassword".equalsIgnoreCase(attrName)) {
String newPassword = jsonValue.get(attrName).asString();
if (!StringUtils.isBlank(newPassword)) {
String oldPassword = RestUtils.getMimeHeaderValue(context, OLD_PASSWORD);
if (StringUtils.isBlank(oldPassword)) {
throw new BadRequestException("The old password is missing from the request");
}
//This is an end-user trying to change the password, so let's change the password by
//verifying that the provided old password is correct. We also remove the password from the
//list of attributes to prevent the administrative password reset via the update call.
jsonValue.remove(attrName);
IdentityRestUtils.changePassword(context, realm, resourceId, oldPassword, newPassword);
}
break;
}
}
}
newDtls = jsonValueToIdentityDetails(objectType, jsonValue, realm);
if (newDtls.getName() != null && !resourceId.equalsIgnoreCase(newDtls.getName())) {
throw new BadRequestException("id in path does not match id in request body");
}
newDtls.setName(resourceId);
// update resource with new details
identityServices.update(newDtls, admin);
// read updated identity back to client
IdentityDetails checkIdent = identityServices.read(dtls.getName(), getIdentityServicesAttributes(realm), admin);
// handle updated resource
resource = newResourceResponse(resourceId, "0", identityDetailsToJsonValue(checkIdent));
return newResultPromise(resource);
} catch (final ObjectNotFound onf) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, onf);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", onf).asPromise();
} catch (final NeedMoreCredentials needMoreCredentials) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Token is not authorized", resourceId, needMoreCredentials);
return new ForbiddenException("Token is not authorized", needMoreCredentials).asPromise();
} catch (final TokenExpired tokenExpired) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Unauthorized", resourceId, tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final AccessDenied accessDenied) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Access denied", resourceId, accessDenied);
return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
} catch (final GeneralFailure generalFailure) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, generalFailure);
return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
} catch (NotFoundException e) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, e);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", e).asPromise();
} catch (ResourceException re) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} ", resourceId, re);
return re.asPromise();
} catch (SSOException ssoe) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, ssoe);
return new ForbiddenException(ssoe).asPromise();
} catch (final Exception e) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, e);
return new NotFoundException(e).asPromise();
}
}
use of org.forgerock.json.resource.BadRequestException in project OpenAM by OpenRock.
the class IdentityResourceV2 method generateNewPasswordEmail.
/**
* Generates the e-mail contents based on the incoming request.
*
* Will only send the e-mail if all the following conditions are true:
*
* - Forgotten Password service is enabled
* - User exists
* - User has an e-mail address in their profile
* - E-mail service is correctly configured.
*
* @param context Non null.
* @param request Non null.
* @param realm Used as part of user lookup.
* @param restSecurity Non null.
*/
private Promise<ActionResponse, ResourceException> generateNewPasswordEmail(final Context context, final ActionRequest request, final String realm, final RestSecurity restSecurity) {
JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
final JsonValue jsonBody = request.getContent();
try {
// Check to make sure forgotPassword enabled
if (restSecurity == null) {
if (debug.warningEnabled()) {
debug.warning("Rest Security not created. restSecurity={}", restSecurity);
}
throw getException(UNAVAILABLE, "Rest Security Service not created");
}
if (!restSecurity.isSelfServiceRestEndpointEnabled()) {
if (debug.warningEnabled()) {
debug.warning("Forgot Password set to : {}", restSecurity.isSelfServiceRestEndpointEnabled());
}
throw getException(UNAVAILABLE, "Legacy Self Service REST Endpoint is not enabled.");
}
if (!restSecurity.isForgotPassword()) {
if (debug.warningEnabled()) {
debug.warning("Forgot Password set to : {}", restSecurity.isForgotPassword());
}
throw getException(UNAVAILABLE, "Forgot password is not accessible.");
}
// Generate Admin Token
SSOToken adminToken = getSSOToken(RestUtils.getToken().getTokenID().toString());
Map<String, Set<String>> searchAttributes = getIdentityServicesAttributes(realm, objectType);
searchAttributes.putAll(getAttributeFromRequest(jsonBody));
List<String> searchResults = identityServices.search(new CrestQuery("*"), searchAttributes, adminToken);
if (searchResults.isEmpty()) {
throw new NotFoundException("User not found");
} else if (searchResults.size() > 1) {
throw new ConflictException("Multiple users found");
} else {
String username = searchResults.get(0);
IdentityDetails identityDetails = identityServices.read(username, getIdentityServicesAttributes(realm, objectType), adminToken);
String email = null;
String uid = null;
for (Map.Entry<String, Set<String>> attribute : asMap(identityDetails.getAttributes()).entrySet()) {
String attributeName = attribute.getKey();
if (MAIL.equalsIgnoreCase(attributeName)) {
if (attribute.getValue() != null && !attribute.getValue().isEmpty()) {
email = attribute.getValue().iterator().next();
}
} else if (UNIVERSAL_ID.equalsIgnoreCase(attributeName)) {
if (attribute.getValue() != null && !attribute.getValue().isEmpty()) {
uid = attribute.getValue().iterator().next();
}
}
}
// Check to see if user is Active/Inactive
if (!isUserActive(uid)) {
throw new ForbiddenException("Request is forbidden for this user");
}
// Check if email is provided
if (email == null || email.isEmpty()) {
throw new BadRequestException("No email provided in profile.");
}
// Get full deployment URL
HttpContext header = context.asContext(HttpContext.class);
String baseURL = baseURLProviderFactory.get(realm).getRootURL(header);
String subject = jsonBody.get("subject").asString();
String message = jsonBody.get("message").asString();
// Retrieve email registration token life time
if (restSecurity == null) {
if (debug.warningEnabled()) {
debug.warning("Rest Security not created. restSecurity={}", restSecurity);
}
throw new NotFoundException("Rest Security Service not created");
}
Long tokenLifeTime = restSecurity.getForgotPassTLT();
// Generate Token
org.forgerock.openam.cts.api.tokens.Token ctsToken = generateToken(email, username, tokenLifeTime, realm);
// Store token in datastore
CTSHolder.getCTS().createAsync(ctsToken);
// Create confirmationId
String confirmationId = Hash.hash(ctsToken.getTokenId() + username + SystemProperties.get(AM_ENCRYPTION_PWD));
// Build Confirmation URL
String confURL = restSecurity.getForgotPasswordConfirmationUrl();
StringBuilder confURLBuilder = new StringBuilder(100);
if (StringUtils.isEmpty(confURL)) {
confURLBuilder.append(baseURL).append("/json/confirmation/forgotPassword");
} else if (confURL.startsWith("/")) {
confURLBuilder.append(baseURL).append(confURL);
} else {
confURLBuilder.append(confURL);
}
String confirmationLink = confURLBuilder.append("?confirmationId=").append(requestParamEncode(confirmationId)).append("&tokenId=").append(requestParamEncode(ctsToken.getTokenId())).append("&username=").append(requestParamEncode(username)).append("&realm=").append(realm).toString();
// Send Registration
sendNotification(email, subject, message, realm, confirmationLink);
String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
if (debug.messageEnabled()) {
debug.message("IdentityResource.generateNewPasswordEmail :: ACTION of generate new password email " + " for username={} in realm={} performed by principalName={}", username, realm, principalName);
}
}
return newResultPromise(newActionResponse(result));
} catch (ResourceException re) {
// Service not available, Neither or both Username/Email provided, User inactive
debug.warning(re.getMessage(), re);
return re.asPromise();
} catch (Exception e) {
// Intentional - all other errors are considered Internal Error.
debug.error("Internal error", e);
return new InternalServerErrorException("Failed to send mail", e).asPromise();
}
}
use of org.forgerock.json.resource.BadRequestException in project OpenAM by OpenRock.
the class IdentityResourceV2 method anonymousCreate.
private Promise<ActionResponse, ResourceException> anonymousCreate(final Context context, final ActionRequest request, final String realm, RestSecurity restSecurity) {
final JsonValue jVal = request.getContent();
String tokenID = null;
String confirmationId;
String email;
try {
if (!restSecurity.isSelfRegistration()) {
throw new BadRequestException("Self-registration disabled");
}
tokenID = jVal.get(TOKEN_ID).asString();
jVal.remove(TOKEN_ID);
confirmationId = jVal.get(CONFIRMATION_ID).asString();
jVal.remove(CONFIRMATION_ID);
email = jVal.get(EMAIL).asString();
if (email == null || email.isEmpty()) {
throw new BadRequestException("Email not provided");
}
// Convert to IDRepo Attribute schema
jVal.put("mail", email);
if (confirmationId == null || confirmationId.isEmpty()) {
throw new BadRequestException("confirmationId not provided");
}
if (tokenID == null || tokenID.isEmpty()) {
throw new BadRequestException("tokenId not provided");
}
validateToken(tokenID, realm, email, confirmationId);
// create an Identity
SSOToken admin = RestUtils.getToken();
final String finalTokenID = tokenID;
return createInstance(admin, jVal, realm).thenAsync(new AsyncFunction<ActionResponse, ActionResponse, ResourceException>() {
@Override
public Promise<ActionResponse, ResourceException> apply(ActionResponse response) {
// Only remove the token if the create was successful, errors will be set in the handler.
try {
// Even though the generated token will eventually timeout, delete it after a successful read
// so that the completed registration request cannot be made again using the same token.
CTSHolder.getCTS().deleteAsync(finalTokenID);
} catch (DeleteFailedException e) {
// reading and deleting, the token has expired.
if (debug.messageEnabled()) {
debug.message("IdentityResource.anonymousCreate: Deleting token " + finalTokenID + " after a successful read failed due to " + e.getMessage(), e);
}
} catch (CoreTokenException cte) {
// For any unexpected CTS error
debug.error("IdentityResource.anonymousCreate(): CTS Error : " + cte.getMessage());
return new InternalServerErrorException(cte.getMessage(), cte).asPromise();
}
return newResultPromise(response);
}
});
} catch (BadRequestException bre) {
debug.warning("IdentityResource.anonymousCreate() :: Invalid Parameter", bre);
return bre.asPromise();
} catch (ResourceException re) {
debug.warning("IdentityResource.anonymousCreate() :: Resource error", re);
return re.asPromise();
} catch (CoreTokenException cte) {
// For any unexpected CTS error
debug.error("IdentityResource.anonymousCreate() :: CTS error", cte);
return new InternalServerErrorException(cte).asPromise();
} catch (ServiceNotFoundException snfe) {
// Failure from RestSecurity
debug.error("IdentityResource.anonymousCreate() :: Internal error", snfe);
return new InternalServerErrorException(snfe).asPromise();
}
}
Aggregations