use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock.
the class IdentityResourceV2 method updateInstance.
/**
* {@inheritDoc}
*/
@Override
public Promise<ResourceResponse, ResourceException> updateInstance(final Context context, final String resourceId, final UpdateRequest request) {
RealmContext realmContext = context.asContext(RealmContext.class);
final String realm = realmContext.getResolvedRealm();
final JsonValue jVal = request.getContent();
final String rev = request.getRevision();
IdentityDetails dtls, newDtls;
ResourceResponse resource;
try {
SSOToken token = getSSOToken(getCookieFromServerContext(context));
// Retrieve details about user to be updated
dtls = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), token);
// Continue modifying the identity if read success
boolean isUpdatingHisOwnPassword = SystemProperties.getAsBoolean(Constants.CASE_SENSITIVE_UUID) ? token.getProperty(ISAuthConstants.USER_ID).equals(resourceId) : token.getProperty(ISAuthConstants.USER_ID).equalsIgnoreCase(resourceId);
// If the user wants to modify his password, he should use a different action.
if (isUpdatingHisOwnPassword) {
for (String key : jVal.keys()) {
if (USER_PASSWORD.equalsIgnoreCase(key)) {
return new BadRequestException("Cannot update user password via PUT. " + "Use POST with _action=changePassword or _action=forgotPassword.").asPromise();
}
}
}
newDtls = jsonValueToIdentityDetails(objectType, jVal, realm);
if (newDtls.getAttributes() == null || newDtls.getAttributes().length < 1) {
throw new BadRequestException("Illegal arguments: One or more required arguments is null or empty");
}
if (newDtls.getName() != null && !resourceId.equalsIgnoreCase(newDtls.getName())) {
throw new BadRequestException("id in path does not match id in request body");
}
newDtls.setName(resourceId);
UserAttributeInfo userAttributeInfo = configHandler.getConfig(realm, UserAttributeInfoBuilder.class);
// Handle attribute change when password is required
// Get restSecurity for this realm
RestSecurity restSecurity = restSecurityProvider.get(realm);
// Make sure user is not admin and check to see if we are requiring a password to change any attributes
Set<String> protectedUserAttributes = new HashSet<>();
protectedUserAttributes.addAll(restSecurity.getProtectedUserAttributes());
protectedUserAttributes.addAll(userAttributeInfo.getProtectedUpdateAttributes());
if (!protectedUserAttributes.isEmpty() && !isAdmin(context)) {
boolean hasReauthenticated = false;
for (String protectedAttr : protectedUserAttributes) {
JsonValue jValAttr = jVal.get(protectedAttr);
if (!jValAttr.isNull()) {
// If attribute is not available set newAttr variable to empty string for use in comparison
String newAttr = (jValAttr.isString()) ? jValAttr.asString() : "";
// Get the value of current attribute
String currentAttr = "";
Map<String, Set<String>> attrs = asMap(dtls.getAttributes());
for (Map.Entry<String, Set<String>> attribute : attrs.entrySet()) {
String attributeName = attribute.getKey();
if (protectedAttr.equalsIgnoreCase(attributeName)) {
currentAttr = attribute.getValue().iterator().next();
}
}
// Compare newAttr and currentAttr
if (!currentAttr.equals(newAttr) && !hasReauthenticated) {
// check header to make sure that password is there then check to see if it's correct
String strCurrentPass = RestUtils.getMimeHeaderValue(context, CURRENT_PASSWORD);
if (strCurrentPass != null && !strCurrentPass.isEmpty() && checkValidPassword(resourceId, strCurrentPass.toCharArray(), realm)) {
//set a boolean value so we know reauth has been done
hasReauthenticated = true;
//continue will allow attribute(s) change(s)
} else {
throw new BadRequestException("Must provide a valid confirmation password to change " + "protected attribute (" + protectedAttr + ") from '" + currentAttr + "' to '" + newAttr + "'");
}
}
}
}
}
// update resource with new details
identityServices.update(newDtls, token);
String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
debug.message("IdentityResource.updateInstance :: UPDATE of resourceId={} in realm={} performed " + "by principalName={}", resourceId, realm, principalName);
// read updated identity back to client
IdentityDetails checkIdent = identityServices.read(dtls.getName(), getIdentityServicesAttributes(realm, objectType), token);
return newResultPromise(this.identityResourceV1.buildResourceResponse(resourceId, context, checkIdent));
} catch (final ObjectNotFound onf) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, onf);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", onf).asPromise();
} catch (final NeedMoreCredentials needMoreCredentials) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Token is not authorized", resourceId, needMoreCredentials);
return new ForbiddenException("Token is not authorized", needMoreCredentials).asPromise();
} catch (final TokenExpired tokenExpired) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Unauthorized", resourceId, tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final AccessDenied accessDenied) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Access denied", resourceId, accessDenied);
return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
} catch (final GeneralFailure generalFailure) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, generalFailure);
return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
} catch (BadRequestException bre) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, bre);
return bre.asPromise();
} catch (NotFoundException e) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, e);
return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", e).asPromise();
} catch (ResourceException re) {
debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} ", resourceId, re);
return re.asPromise();
} catch (final Exception e) {
debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, e);
return new NotFoundException(e.getMessage(), e).asPromise();
}
}
use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock.
the class IdentityResourceV2 method idFromSession.
/**
* Gets the user id from the session provided in the server context
*
* @param context Current Server Context
*/
private Promise<ActionResponse, ResourceException> idFromSession(final Context context) {
JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
SSOToken ssotok;
AMIdentity amIdentity;
try {
SSOTokenManager mgr = SSOTokenManager.getInstance();
ssotok = mgr.createSSOToken(getCookieFromServerContext(context));
amIdentity = new AMIdentity(ssotok);
// build resource
result.put("id", amIdentity.getName());
result.put("realm", getRelativeRealmFromSession(context, amIdentity));
result.put("dn", amIdentity.getUniversalId());
result.put("successURL", ssotok.getProperty(ISAuthConstants.SUCCESS_URL, false));
result.put("fullLoginURL", ssotok.getProperty(ISAuthConstants.FULL_LOGIN_URL, false));
if (debug.messageEnabled()) {
debug.message("IdentityResource.idFromSession() :: Retrieved ID for user={}", amIdentity.getName());
}
return newResultPromise(newActionResponse(result));
} catch (SSOException e) {
debug.error("IdentityResource.idFromSession() :: Cannot retrieve SSO Token", e);
return new ForbiddenException("SSO Token cannot be retrieved.", e).asPromise();
} catch (IdRepoException ex) {
debug.error("IdentityResource.idFromSession() :: Cannot retrieve user from IdRepo", ex);
return new ForbiddenException("Cannot retrieve id from session.", ex).asPromise();
}
}
use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock.
the class RealmResource method queryCollection.
/**
* Returns names of all realms included in the subtree rooted by the realm indicated
* in the query url.
*
* Names are unsorted and given as full paths.
*
* Filtering, sorting, and paging of results is not supported.
*
* {@inheritDoc}
*/
@Override
public Promise<QueryResponse, ResourceException> queryCollection(Context context, QueryRequest request, QueryResourceHandler handler) {
final String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
final RealmContext realmContext = context.asContext(RealmContext.class);
final String realmPath = realmContext.getResolvedRealm();
try {
final SSOTokenManager mgr = SSOTokenManager.getInstance();
final SSOToken ssoToken = mgr.createSSOToken(getCookieFromServerContext(context));
final OrganizationConfigManager ocm = new OrganizationConfigManager(ssoToken, realmPath);
final List<String> realmsInSubTree = new ArrayList<String>();
realmsInSubTree.add(realmPath);
for (final Object subRealmRelativePath : ocm.getSubOrganizationNames("*", true)) {
if (realmPath.endsWith("/")) {
realmsInSubTree.add(realmPath + subRealmRelativePath);
} else {
realmsInSubTree.add(realmPath + "/" + subRealmRelativePath);
}
}
debug.message("RealmResource :: QUERY : performed by " + principalName);
for (final Object realmName : realmsInSubTree) {
JsonValue val = new JsonValue(realmName);
ResourceResponse resource = newResourceResponse((String) realmName, "0", val);
handler.handleResource(resource);
}
return newResultPromise(newQueryResponse());
} catch (SSOException ex) {
debug.error("RealmResource :: QUERY by " + principalName + " failed : " + ex);
return new ForbiddenException().asPromise();
} catch (SMSException ex) {
debug.error("RealmResource :: QUERY by " + principalName + " failed :" + ex);
switch(ex.getExceptionCode()) {
case STATUS_NO_PERMISSION:
// This exception will be thrown if permission to read realms from SMS has not been delegated
return new ForbiddenException().asPromise();
default:
return new InternalServerErrorException().asPromise();
}
}
}
use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock.
the class RealmResource method deleteInstance.
/**
* {@inheritDoc}
*/
@Override
public Promise<ResourceResponse, ResourceException> deleteInstance(Context context, String resourceId, DeleteRequest request) {
RealmContext realmContext = context.asContext(RealmContext.class);
String realmPath = realmContext.getResolvedRealm();
boolean recursive = false;
ResourceResponse resource;
String holdResourceId = checkForTopLevelRealm(resourceId);
try {
hasPermission(context);
if (holdResourceId != null && !holdResourceId.startsWith("/")) {
holdResourceId = "/" + holdResourceId;
}
if (!realmPath.equalsIgnoreCase("/")) {
holdResourceId = realmPath + holdResourceId;
}
OrganizationConfigManager ocm = new OrganizationConfigManager(getSSOToken(), holdResourceId);
ocm.deleteSubOrganization(null, recursive);
String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
debug.message("RealmResource.deleteInstance :: DELETE of realm " + holdResourceId + " performed by " + principalName);
// handle resource
resource = newResourceResponse(resourceId, "0", createJsonMessage("success", "true"));
return newResultPromise(resource);
} catch (SMSException smse) {
try {
configureErrorMessage(smse);
return new BadRequestException(smse.getMessage(), smse).asPromise();
} catch (NotFoundException nf) {
debug.error("RealmResource.deleteInstance() : Cannot find " + resourceId + ":" + smse);
return nf.asPromise();
} catch (ForbiddenException fe) {
// User does not have authorization
debug.error("RealmResource.deleteInstance() : Cannot DELETE " + resourceId + ":" + smse);
return fe.asPromise();
} catch (PermanentException pe) {
debug.error("RealmResource.deleteInstance() : Cannot DELETE " + resourceId + ":" + smse);
// Cannot recover from this exception
return pe.asPromise();
} catch (ConflictException ce) {
debug.error("RealmResource.deleteInstance() : Cannot DELETE " + resourceId + ":" + smse);
return ce.asPromise();
} catch (BadRequestException be) {
debug.error("RealmResource.deleteInstance() : Cannot DELETE " + resourceId + ":" + smse);
return be.asPromise();
} catch (Exception e) {
return new BadRequestException(e.getMessage(), e).asPromise();
}
} catch (SSOException sso) {
debug.error("RealmResource.updateInstance() : Cannot DELETE " + resourceId + ":" + sso);
return new PermanentException(401, "Access Denied", null).asPromise();
} catch (ForbiddenException fe) {
debug.error("RealmResource.updateInstance() : Cannot DELETE " + resourceId + ":" + fe);
return fe.asPromise();
} catch (Exception e) {
return new BadRequestException(e.getMessage(), e).asPromise();
}
}
use of org.forgerock.json.resource.ForbiddenException in project OpenAM by OpenRock.
the class IdentityResourceV1 method attemptResourceCreation.
private Promise<IdentityDetails, ResourceException> attemptResourceCreation(String realm, SSOToken admin, IdentityDetails identity, String resourceId) {
try {
identityServices.create(identity, admin);
IdentityDetails dtls = identityServices.read(resourceId, getIdentityServicesAttributes(realm), admin);
if (debug.messageEnabled()) {
debug.message("IdentityResource.createInstance() :: Created resourceId={} in realm={} by AdminID={}", resourceId, realm, admin.getTokenID());
}
return newResultPromise(dtls);
} catch (final ObjectNotFound notFound) {
debug.error("IdentityResource.createInstance() :: Cannot READ resourceId={} : Resource cannot be found.", resourceId, notFound);
return new NotFoundException("Resource not found.", notFound).asPromise();
} catch (final TokenExpired tokenExpired) {
debug.error("IdentityResource.createInstance() :: Cannot CREATE resourceId={} : Unauthorized", resourceId, tokenExpired);
return new PermanentException(401, "Unauthorized", null).asPromise();
} catch (final NeedMoreCredentials needMoreCredentials) {
debug.error("IdentityResource.createInstance() :: Cannot CREATE resourceId={} : Token is not authorized", resourceId, needMoreCredentials);
return new ForbiddenException("Token is not authorized", needMoreCredentials).asPromise();
} catch (ResourceException re) {
debug.warning("IdentityResource.createInstance() :: Cannot CREATE resourceId={}", resourceId, re);
return re.asPromise();
} catch (final Exception e) {
debug.error("IdentityResource.createInstance() :: Cannot CREATE resourceId={}", resourceId, e);
return new NotFoundException(e.getMessage(), e).asPromise();
}
}
Aggregations