/**
 * Renders the principal's username in single quotes for log and error messages.
 *
 * @param principal the principal to describe; may be {@code null}
 * @return {@code '<username>'}, or {@code (none)} when {@code principal} is {@code null}
 */
private String getQuotedUsername(MidPointPrincipal principal) {
    return principal == null
            ? "(none)"
            : "'" + principal.getUsername() + "'";
}
/**
 * Extracts the username from a principal, tolerating a missing principal.
 *
 * @param principal the principal; may be {@code null}
 * @return the principal's username, or {@code null} when {@code principal} is {@code null}
 */
private String getUsername(MidPointPrincipal principal) {
    if (principal == null) {
        return null;
    }
    return principal.getUsername();
}
/**
 * Renders the principal held by a Spring {@link Authentication} for log and error messages.
 *
 * @param authentication the authentication to describe; must not be {@code null}
 * @return {@code '<username>'} for a {@link MidPointPrincipal}, {@code (unknown:<toString>)} for any
 *         other principal object, or {@code (none)} when the authentication carries no principal
 */
private String getQuotedUsername(Authentication authentication) {
    Object principal = authentication.getPrincipal();
    if (principal == null) {
        return "(none)";
    }
    if (principal instanceof MidPointPrincipal) {
        return "'" + ((MidPointPrincipal) principal).getUsername() + "'";
    }
    // Principals of other types are rendered via their toString(); the result is intended for log lines only.
    return "(unknown:" + principal + ")";
}
/**
 * Returns a short description of the current subject suitable for log
 * and error messages.
 * Does not throw errors. Safe to call from toString-like methods.
 * May return null (means anonymous or unknown).
 *
 * @return the username of the authenticated {@link MidPointPrincipal}, the {@code toString()} of any
 *         other principal object, or {@code null} when there is no authentication or no principal
 */
public static String getSubjectDescription() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    Object principalObject = authentication == null ? null : authentication.getPrincipal();
    if (principalObject == null) {
        return null;
    }
    if (principalObject instanceof MidPointPrincipal) {
        return ((MidPointPrincipal) principalObject).getUsername();
    }
    return principalObject.toString();
}
/**
 * Records a failed authentication attempt for the given principal in the audit log.
 *
 * @param principal the principal whose authentication failed; must not be {@code null}
 * @param connEnv   connection environment of the attempt
 * @param reason    human-readable failure reason passed through to the audit record
 */
protected void recordAuthenticationFailure(@NotNull MidPointPrincipal principal, ConnectionEnvironment connEnv, String reason) {
    String username = principal.getUsername();
    securityHelper.auditLoginFailure(username, principal.getUser(), connEnv, reason);
}
/**
 * Compares the entered clear-text password against the stored protected credential value.
 *
 * @param connEnv         connection environment, used when auditing a failure
 * @param principal       the principal being authenticated; must not be {@code null}
 * @param protectedString the stored protected credential value
 * @param enteredPassword the clear-text password supplied by the user
 * @return {@code true} when the protector reports that the entered password matches the stored value
 * @throws AuthenticationServiceException when the stored value cannot be decrypted or compared; the failure
 *         is logged at ERROR level and audited as an authentication failure before the exception is thrown
 */
protected boolean decryptAndMatch(ConnectionEnvironment connEnv, @NotNull MidPointPrincipal principal, ProtectedStringType protectedString, String enteredPassword) {
    ProtectedStringType enteredValue = new ProtectedStringType();
    enteredValue.setClearValue(enteredPassword);
    try {
        return protector.compare(enteredValue, protectedString);
    } catch (SchemaException | EncryptionException e) {
        // A failure here is not a wrong-password case: it indicates a bug or a serious misconfiguration
        // (e.g. missing decryption key in the keystore). Auditing alone would only log at debug level,
        // which is too little for an administrator who may be locked out, so log explicitly as well.
        // Only the exception message is logged and audited - never the entered password.
        LOGGER.error("Error dealing with credentials of user \"{}\" credentials: {}", principal.getUsername(), e.getMessage());
        recordAuthenticationFailure(principal, connEnv, "error decrypting password: " + e.getMessage());
        throw new AuthenticationServiceException("web.security.provider.unavailable", e);
    }
}
/**
 * Asserts that a username/password authentication succeeded and is bound to the expected user.
 *
 * @param authentication   the authentication result to check
 * @param expectedUsername username the authenticated principal must carry
 */
private void assertGoodPasswordAuthentication(Authentication authentication, String expectedUsername) {
    assertNotNull("No authentication", authentication);
    assertTrue("authentication: not authenticated", authentication.isAuthenticated());
    MidPointAsserts.assertInstanceOf("authentication", authentication, UsernamePasswordAuthenticationToken.class);
    MidPointPrincipal principal = (MidPointPrincipal) authentication.getPrincipal();
    assertEquals("authentication: principal mismatch", expectedUsername, principal.getUsername());
}
/**
 * Asserts that the principal represents user jack (username and OID), then checks the wrapped user object.
 *
 * @param principal the principal to check
 */
protected void assertJack(MidPointPrincipal principal) {
    display("Principal jack", principal);
    String username = principal.getUsername();
    assertEquals("wrong username", USER_JACK_USERNAME, username);
    assertEquals("wrong oid", USER_JACK_OID, principal.getOid());
    // Remaining checks are delegated to the overload that takes the user object itself.
    assertJack(principal.getUser());
}
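/**
 * Asserts that the principal represents user jack: the principal name, the principal username and
 * the name of the wrapped user must all equal jack's username.
 *
 * @param principal the principal to check; a {@code null} principal fails the assertion
 */
private void assertPrincipalJack(MidPointPrincipal principal) {
    // Explicit null check gives a readable failure instead of an NPE from the accessors below.
    assertNotNull("No principal", principal);
    display("principal", principal);
    assertEquals("Bad principal name", USER_JACK_USERNAME, principal.getName().getOrig());
    // Distinct message so a failure on the username is distinguishable from one on the name.
    assertEquals("Bad principal username", USER_JACK_USERNAME, principal.getUsername());
    UserType user = principal.getUser();
    assertNotNull("No user in principal", user);
    assertEquals("Bad name in user in principal", USER_JACK_USERNAME, user.getName().getOrig());
}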
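/**
 * Asserts that the principal represents user jack: the principal name, the principal username and
 * the name of the wrapped user must all equal jack's username.
 *
 * @param principal the principal to check; a {@code null} principal fails the assertion
 */
private void assertPrincipalJack(MidPointPrincipal principal) {
    // Explicit null check gives a readable failure instead of an NPE from the accessors below.
    assertNotNull("No principal", principal);
    display("principal", principal);
    assertEquals("Bad principal name", USER_JACK_USERNAME, principal.getName().getOrig());
    // Distinct message so a failure on the username is distinguishable from one on the name.
    assertEquals("Bad principal username", USER_JACK_USERNAME, principal.getUsername());
    UserType user = principal.getUser();
    assertNotNull("No user in principal", user);
    assertEquals("Bad name in user in principal", USER_JACK_USERNAME, user.getName().getOrig());
}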
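/**
 * Loads the principal for guybrush and checks identity, consistency of the wrapped user
 * and that no authorizations are granted.
 */
@Test
public void test052GetUserGuybrush() throws Exception {
    final String TEST_NAME = "test052GetUserGuybrush";
    displayTestTitle(TEST_NAME);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", principal);
    // Fail with a clear message rather than an NPE when no principal comes back (matches test051).
    assertNotNull("No principal for username " + USER_GUYBRUSH_USERNAME, principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}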
/**
 * Loads the principal for barbossa and checks identity, consistency of the wrapped user
 * and that no authorizations are granted.
 */
@Test
public void test051GetUserBarbossa() throws Exception {
    final String TEST_NAME = "test051GetUserBarbossa";
    displayTestTitle(TEST_NAME);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_BARBOSSA_USERNAME);

    // THEN
    display("Principal barbossa", principal);
    assertNotNull("No principal for username " + USER_BARBOSSA_USERNAME, principal);
    assertEquals("wrong username", USER_BARBOSSA_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_BARBOSSA_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());

    PrismObject<UserType> userObject = principal.getUser().asPrismObject();
    display("User in principal barbossa", userObject);
    userObject.checkConsistence(true, true);

    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}
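/**
 * Unassigns the conditional role from guybrush and checks that the freshly loaded principal
 * carries no authorizations.
 */
@Test
public void test062GuybrushConditionalRoleUnassign() throws Exception {
    final String TEST_NAME = "test062GuybrushConditionalRoleUnassign";
    displayTestTitle(TEST_NAME);
    login(USER_ADMINISTRATOR_USERNAME);
    unassignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", principal);
    // Fail with a clear message rather than an NPE when no principal comes back (matches test051).
    assertNotNull("No principal for username " + USER_GUYBRUSH_USERNAME, principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
}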
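/**
 * Assigns the conditional role to guybrush while its condition is not met and checks that the
 * freshly loaded principal still carries no authorizations.
 */
@Test
public void test060GuybrushConditionalRoleFalse() throws Exception {
    final String TEST_NAME = "test060GuybrushConditionalRoleFalse";
    displayTestTitle(TEST_NAME);
    login(USER_ADMINISTRATOR_USERNAME);
    assignRole(USER_GUYBRUSH_OID, ROLE_CONDITIONAL_OID);
    resetAuthentication();

    // WHEN
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    display("Principal guybrush", principal);
    // Fail with a clear message rather than an NPE when no principal comes back (matches test051).
    assertNotNull("No principal for username " + USER_GUYBRUSH_USERNAME, principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    assertTrue("Unexpected authorizations", principal.getAuthorities().isEmpty());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
    assertNotAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
    assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
}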
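/**
 * Sets guybrush's subtype to "special" so the conditional role applies, then checks that the
 * freshly loaded principal is authorized for the superspecial URL and nothing else.
 */
@Test
public void test061GuybrushConditionalRoleTrue() throws Exception {
    final String TEST_NAME = "test061GuybrushConditionalRoleTrue";
    displayTestTitle(TEST_NAME);
    login(USER_ADMINISTRATOR_USERNAME);
    Task task = createTask(TEST_NAME);
    OperationResult result = task.getResult();
    modifyUserReplace(USER_GUYBRUSH_OID, UserType.F_SUBTYPE, task, result, "special");
    resetAuthentication();

    // WHEN
    TestUtil.displayWhen(TEST_NAME);
    MidPointPrincipal principal = userProfileService.getPrincipal(USER_GUYBRUSH_USERNAME);

    // THEN
    TestUtil.displayThen(TEST_NAME);
    display("Principal guybrush", principal);
    // Fail with a clear message rather than an NPE when no principal comes back (matches test051).
    assertNotNull("No principal for username " + USER_GUYBRUSH_USERNAME, principal);
    assertEquals("wrong username", USER_GUYBRUSH_USERNAME, principal.getUsername());
    assertEquals("wrong oid", USER_GUYBRUSH_OID, principal.getOid());
    display("User in principal guybrush", principal.getUser().asPrismObject());
    principal.getUser().asPrismObject().checkConsistence(true, true);
    assertAuthorized(principal, AUTZ_SUPERSPECIAL_URL);
    assertNotAuthorized(principal, AUTZ_LOOT_URL);
    assertNotAuthorized(principal, AUTZ_COMMAND_URL);
    assertNotAuthorized(principal, AUTZ_CAPSIZE_URL);
    assertNotAuthorized(principal, AUTZ_NONSENSE_URL);
}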