Examples with RestSecurity org.forgerock.openam.services.RestSecurity used on opensource projects

Example 1 with RestSecurity

use of org.forgerock.openam.services.RestSecurity in project OpenAM by OpenRock.

the class ServerInfoResource method getAllServerInfo.

/**
     * Retrieves all server info set on the server.
     *
     * @param context
     *         Current Server Context.
     * @param realm
     *         realm in whose security context we use.
     */
private Promise<ResourceResponse, ResourceException> getAllServerInfo(Context context, String realm) {
    JsonValue result = new JsonValue(new LinkedHashMap<String, Object>(1));
    Set<String> cookieDomains;
    ResourceResponse resource;
    //added for the XUI to be able to understand its locale to request the appropriate translations to cache
    ISLocaleContext localeContext = new ISLocaleContext();
    HttpContext httpContext = context.asContext(HttpContext.class);
    //we have nothing else to go on at this point other than their request
    localeContext.setLocale(httpContext);
    SelfServiceInfo selfServiceInfo = configHandler.getConfig(realm, SelfServiceInfoBuilder.class);
    RestSecurity restSecurity = restSecurityProvider.get(realm);
    Set<String> protectedUserAttributes = new HashSet<>();
    protectedUserAttributes.addAll(selfServiceInfo.getProtectedUserAttributes());
    protectedUserAttributes.addAll(restSecurity.getProtectedUserAttributes());
    try {
        cookieDomains = AuthClientUtils.getCookieDomains();
        result.put("domains", cookieDomains);
        result.put("protectedUserAttributes", protectedUserAttributes);
        result.put("cookieName", SystemProperties.get(Constants.AM_COOKIE_NAME, "iPlanetDirectoryPro"));
        result.put("secureCookie", CookieUtils.isCookieSecure());
        result.put("forgotPassword", String.valueOf(selfServiceInfo.isForgottenPasswordEnabled()));
        result.put("forgotUsername", String.valueOf(selfServiceInfo.isForgottenUsernameEnabled()));
        result.put("kbaEnabled", String.valueOf(selfServiceInfo.isKbaEnabled()));
        result.put("selfRegistration", String.valueOf(selfServiceInfo.isUserRegistrationEnabled()));
        result.put("lang", getJsLocale(localeContext.getLocale()));
        result.put("successfulUserRegistrationDestination", "default");
        result.put("socialImplementations", getSocialAuthnImplementations(realm));
        result.put("referralsEnabled", Boolean.FALSE.toString());
        result.put("zeroPageLogin", AuthUtils.getZeroPageLoginConfig(realm));
        result.put("realm", realm);
        result.put("xuiUserSessionValidationEnabled", SystemProperties.getAsBoolean(Constants.XUI_USER_SESSION_VALIDATION_ENABLED, true));
        if (debug.messageEnabled()) {
            debug.message("ServerInfoResource.getAllServerInfo ::" + " Added resource to response: " + ALL_SERVER_INFO);
        }
        resource = newResourceResponse(ALL_SERVER_INFO, Integer.toString(result.asMap().hashCode()), result);
        return newResultPromise(resource);
    } catch (Exception e) {
        debug.error("ServerInfoResource.getAllServerInfo : Cannot retrieve all server info domains.", e);
        return new NotFoundException(e.getMessage()).asPromise();
    }
}

Example 2 with RestSecurity

use of org.forgerock.openam.services.RestSecurity in project OpenAM by OpenRock.

the class IdentityResourceV2 method updateInstance.

/**
     * {@inheritDoc}
     */
@Override
public Promise<ResourceResponse, ResourceException> updateInstance(final Context context, final String resourceId, final UpdateRequest request) {
    RealmContext realmContext = context.asContext(RealmContext.class);
    final String realm = realmContext.getResolvedRealm();
    final JsonValue jVal = request.getContent();
    final String rev = request.getRevision();
    IdentityDetails dtls, newDtls;
    ResourceResponse resource;
    try {
        SSOToken token = getSSOToken(getCookieFromServerContext(context));
        // Retrieve details about user to be updated
        dtls = identityServices.read(resourceId, getIdentityServicesAttributes(realm, objectType), token);
        // Continue modifying the identity if read success
        boolean isUpdatingHisOwnPassword = SystemProperties.getAsBoolean(Constants.CASE_SENSITIVE_UUID) ? token.getProperty(ISAuthConstants.USER_ID).equals(resourceId) : token.getProperty(ISAuthConstants.USER_ID).equalsIgnoreCase(resourceId);
        // If the user wants to modify his password, he should use a different action.
        if (isUpdatingHisOwnPassword) {
            for (String key : jVal.keys()) {
                if (USER_PASSWORD.equalsIgnoreCase(key)) {
                    return new BadRequestException("Cannot update user password via PUT. " + "Use POST with _action=changePassword or _action=forgotPassword.").asPromise();
                }
            }
        }
        newDtls = jsonValueToIdentityDetails(objectType, jVal, realm);
        if (newDtls.getAttributes() == null || newDtls.getAttributes().length < 1) {
            throw new BadRequestException("Illegal arguments: One or more required arguments is null or empty");
        }
        if (newDtls.getName() != null && !resourceId.equalsIgnoreCase(newDtls.getName())) {
            throw new BadRequestException("id in path does not match id in request body");
        }
        newDtls.setName(resourceId);
        UserAttributeInfo userAttributeInfo = configHandler.getConfig(realm, UserAttributeInfoBuilder.class);
        // Handle attribute change when password is required
        // Get restSecurity for this realm
        RestSecurity restSecurity = restSecurityProvider.get(realm);
        // Make sure user is not admin and check to see if we are requiring a password to change any attributes
        Set<String> protectedUserAttributes = new HashSet<>();
        protectedUserAttributes.addAll(restSecurity.getProtectedUserAttributes());
        protectedUserAttributes.addAll(userAttributeInfo.getProtectedUpdateAttributes());
        if (!protectedUserAttributes.isEmpty() && !isAdmin(context)) {
            boolean hasReauthenticated = false;
            for (String protectedAttr : protectedUserAttributes) {
                JsonValue jValAttr = jVal.get(protectedAttr);
                if (!jValAttr.isNull()) {
                    // If attribute is not available set newAttr variable to empty string for use in comparison
                    String newAttr = (jValAttr.isString()) ? jValAttr.asString() : "";
                    // Get the value of current attribute
                    String currentAttr = "";
                    Map<String, Set<String>> attrs = asMap(dtls.getAttributes());
                    for (Map.Entry<String, Set<String>> attribute : attrs.entrySet()) {
                        String attributeName = attribute.getKey();
                        if (protectedAttr.equalsIgnoreCase(attributeName)) {
                            currentAttr = attribute.getValue().iterator().next();
                        }
                    }
                    // Compare newAttr and currentAttr
                    if (!currentAttr.equals(newAttr) && !hasReauthenticated) {
                        // check header to make sure that password is there then check to see if it's correct
                        String strCurrentPass = RestUtils.getMimeHeaderValue(context, CURRENT_PASSWORD);
                        if (strCurrentPass != null && !strCurrentPass.isEmpty() && checkValidPassword(resourceId, strCurrentPass.toCharArray(), realm)) {
                            //set a boolean value so we know reauth has been done
                            hasReauthenticated = true;
                        //continue will allow attribute(s) change(s)
                        } else {
                            throw new BadRequestException("Must provide a valid confirmation password to change " + "protected attribute (" + protectedAttr + ") from '" + currentAttr + "' to '" + newAttr + "'");
                        }
                    }
                }
            }
        }
        // update resource with new details
        identityServices.update(newDtls, token);
        String principalName = PrincipalRestUtils.getPrincipalNameFromServerContext(context);
        debug.message("IdentityResource.updateInstance :: UPDATE of resourceId={} in realm={} performed " + "by principalName={}", resourceId, realm, principalName);
        // read updated identity back to client
        IdentityDetails checkIdent = identityServices.read(dtls.getName(), getIdentityServicesAttributes(realm, objectType), token);
        return newResultPromise(this.identityResourceV1.buildResourceResponse(resourceId, context, checkIdent));
    } catch (final ObjectNotFound onf) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, onf);
        return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", onf).asPromise();
    } catch (final NeedMoreCredentials needMoreCredentials) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Token is not authorized", resourceId, needMoreCredentials);
        return new ForbiddenException("Token is not authorized", needMoreCredentials).asPromise();
    } catch (final TokenExpired tokenExpired) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Unauthorized", resourceId, tokenExpired);
        return new PermanentException(401, "Unauthorized", null).asPromise();
    } catch (final AccessDenied accessDenied) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Access denied", resourceId, accessDenied);
        return new ForbiddenException(accessDenied.getMessage(), accessDenied).asPromise();
    } catch (final GeneralFailure generalFailure) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, generalFailure);
        return new BadRequestException(generalFailure.getMessage(), generalFailure).asPromise();
    } catch (BadRequestException bre) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, bre);
        return bre.asPromise();
    } catch (NotFoundException e) {
        debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} : Could not find the " + "resource", resourceId, e);
        return new NotFoundException("Could not find the resource [ " + resourceId + " ] to update", e).asPromise();
    } catch (ResourceException re) {
        debug.warning("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={} ", resourceId, re);
        return re.asPromise();
    } catch (final Exception e) {
        debug.error("IdentityResource.updateInstance() :: Cannot UPDATE resourceId={}", resourceId, e);
        return new NotFoundException(e.getMessage(), e).asPromise();
    }
}

Example 3 with RestSecurity

use of org.forgerock.openam.services.RestSecurity in project OpenAM by OpenRock.

the class IdentityResourceV2 method actionCollection.

/**
     * {@inheritDoc}
     */
@Override
public Promise<ActionResponse, ResourceException> actionCollection(Context context, ActionRequest request) {
    RealmContext realmContext = context.asContext(RealmContext.class);
    final String realm = realmContext.getResolvedRealm();
    RestSecurity restSecurity = restSecurityProvider.get(realm);
    final String action = request.getAction();
    if (action.equalsIgnoreCase("idFromSession")) {
        return idFromSession(context);
    } else if (action.equalsIgnoreCase("register")) {
        return createRegistrationEmail(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("confirm")) {
        return confirmationIdCheck(request, realm);
    } else if (action.equalsIgnoreCase("anonymousCreate")) {
        return anonymousCreate(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("forgotPassword")) {
        return generateNewPasswordEmail(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("forgotPasswordReset")) {
        return anonymousUpdate(context, request, realm);
    } else if (action.equalsIgnoreCase("validateGoto")) {
        return validateGoto(context, request);
    } else {
        // for now this is the only case coming in, so fail if otherwise
        return RestUtils.generateUnsupportedOperation();
    }
}

Example 4 with RestSecurity

use of org.forgerock.openam.services.RestSecurity in project OpenAM by OpenRock.

the class IdentityResourceV1 method actionCollection.

/**
     * {@inheritDoc}
     */
@Override
public Promise<ActionResponse, ResourceException> actionCollection(final Context context, final ActionRequest request) {
    RealmContext realmContext = context.asContext(RealmContext.class);
    final String realm = realmContext.getResolvedRealm();
    RestSecurity restSecurity = restSecurityProvider.get(realm);
    final String action = request.getAction();
    if (action.equalsIgnoreCase("idFromSession")) {
        return idFromSession(context, request);
    } else if (action.equalsIgnoreCase("register")) {
        return createRegistrationEmail(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("confirm")) {
        return confirmationIdCheck(context, request, realm);
    } else if (action.equalsIgnoreCase("anonymousCreate")) {
        return anonymousCreate(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("forgotPassword")) {
        return generateNewPasswordEmail(context, request, realm, restSecurity);
    } else if (action.equalsIgnoreCase("forgotPasswordReset")) {
        return anonymousUpdate(context, request, realm);
    } else {
        // for now this is the only case coming in, so fail if otherwise
        return new NotSupportedException("Actions are not supported for resource instances").asPromise();
    }
}