/**
 * Three-argument lock check: qualifies {@code username} with {@code userStoreDomain} and
 * delegates to the two-argument {@code isAccountLocked(String, String)} overload.
 *
 * @param username        username without a store domain prefix
 * @param tenantDomain    tenant the user belongs to
 * @param userStoreDomain user store domain folded into the username before delegation
 * @return whatever the two-argument overload reports for the qualified name
 * @throws AccountLockServiceException propagated from the delegate
 */
@Override
public boolean isAccountLocked(String username, String tenantDomain, String userStoreDomain)
        throws AccountLockServiceException {
    String domainQualifiedUsername = IdentityUtil.addDomainToName(username, userStoreDomain);
    return isAccountLocked(domainQualifiedUsername, tenantDomain);
}
/**
 * Builds the fully qualified username of this {@link User}.
 * <p>
 * When the username is present, the tenant domain is appended first (if non-blank) and the
 * user store domain second (if non-blank). The original contract states that the PRIMARY
 * store domain does not appear in the result, so a name with no store domain denotes a
 * PRIMARY user — that filtering is not done here and presumably lives in
 * {@code IdentityUtil.addDomainToName}; confirm before relying on it.
 *
 * @return the qualified username, or {@code null} when {@code userName} is blank
 */
public String toFullQualifiedUsername() {
    if (StringUtils.isBlank(this.userName)) {
        return null;
    }
    String qualifiedName = this.userName;
    if (StringUtils.isNotBlank(this.tenantDomain)) {
        qualifiedName = UserCoreUtil.addTenantDomainToEntry(qualifiedName, this.tenantDomain);
    }
    if (StringUtils.isNotBlank(this.userStoreDomain)) {
        qualifiedName = IdentityUtil.addDomainToName(qualifiedName, this.userStoreDomain);
    }
    return qualifiedName;
}
/**
 * Detects an attempt by a non-admin caller to operate on the admin user's profile.
 * <p>
 * Returns {@code true} only when {@code username} resolves to the realm's admin user AND the
 * user bound to the thread-local {@link CarbonContext} is not that admin user. Both names are
 * qualified with the primary domain before a case-insensitive comparison. If no caller is bound
 * to the context the comparison cannot match, so the request is treated as a spoof (fails
 * closed, assuming the configured admin username is non-null).
 *
 * @param username username the caller wants to act on; empty is never a spoof
 * @return {@code true} if a non-admin caller targets the admin profile, {@code false} otherwise
 * @throws UserStoreException if the realm configuration cannot be read
 */
private boolean isAdminProfileSpoof(String username) throws UserStoreException {
    if (StringUtils.isEmpty(username)) {
        return false;
    }
    RealmConfiguration realmConfig = getUserRealm().getRealmConfiguration();
    String configuredAdmin = realmConfig.getAdminUserName();
    String primaryDomain = IdentityUtil.getPrimaryDomainName();
    String adminUsername = IdentityUtil.addDomainToName(configuredAdmin, primaryDomain);
    String targetUsername = IdentityUtil.addDomainToName(username, primaryDomain);
    boolean targetsAdmin = StringUtils.equalsIgnoreCase(targetUsername, adminUsername);
    if (!targetsAdmin) {
        // Operating on a non-admin profile is never a spoof attempt in this sense.
        return false;
    }
    String callerUsername = CarbonContext.getThreadLocalCarbonContext().getUsername();
    if (callerUsername != null) {
        callerUsername = IdentityUtil.addDomainToName(callerUsername, primaryDomain);
    }
    boolean callerIsAdmin = StringUtils.equalsIgnoreCase(callerUsername, adminUsername);
    return !callerIsAdmin;
}
/**
 * Detects an attempt by a non-admin caller to operate on the admin user's profile.
 * <p>
 * Returns {@code true} only when {@code username} resolves to the realm's admin user AND the
 * user bound to the thread-local {@link CarbonContext} is not that admin user. Both names are
 * qualified with the primary domain before a case-insensitive comparison. If no caller is bound
 * to the context the comparison cannot match, so the request is treated as a spoof (fails
 * closed, assuming the configured admin username is non-null).
 *
 * @param username username the caller wants to act on; empty is never a spoof
 * @return {@code true} if a non-admin caller targets the admin profile, {@code false} otherwise
 * @throws UserStoreException if the realm configuration cannot be read
 */
private boolean isAdminProfileSpoof(String username) throws UserStoreException {
    if (StringUtils.isEmpty(username)) {
        return false;
    }
    RealmConfiguration realmConfig = getUserRealm().getRealmConfiguration();
    String configuredAdmin = realmConfig.getAdminUserName();
    String primaryDomain = IdentityUtil.getPrimaryDomainName();
    String adminUsername = IdentityUtil.addDomainToName(configuredAdmin, primaryDomain);
    String targetUsername = IdentityUtil.addDomainToName(username, primaryDomain);
    boolean targetsAdmin = StringUtils.equalsIgnoreCase(targetUsername, adminUsername);
    if (!targetsAdmin) {
        // Operating on a non-admin profile is never a spoof attempt in this sense.
        return false;
    }
    String callerUsername = CarbonContext.getThreadLocalCarbonContext().getUsername();
    if (callerUsername != null) {
        callerUsername = IdentityUtil.addDomainToName(callerUsername, primaryDomain);
    }
    boolean callerIsAdmin = StringUtils.equalsIgnoreCase(callerUsername, adminUsername);
    return !callerIsAdmin;
}
/**
 * Emails every receiver that is due for an inactivity notification at each configured delay.
 * <p>
 * A failure to look up receivers for one delay is logged and that delay is skipped; the
 * remaining delays are still processed. Individual send failures are not handled here.
 *
 * @param tenantDomain       tenant whose users are notified
 * @param suspensionDelay    suspension delay passed through to the receiver lookup
 * @param notificationDelays one receiver lookup (and one batch of emails) per delay
 */
private void notifyUsers(String tenantDomain, long suspensionDelay, long[] notificationDelays) {
    EmailUtil emailUtil = new EmailUtil();
    for (long notificationDelay : notificationDelays) {
        List<NotificationReceiver> dueReceivers;
        try {
            dueReceivers = NotificationReceiversRetrievalManager.getReceivers(notificationDelay, tenantDomain,
                    suspensionDelay);
        } catch (AccountSuspensionNotificationException e) {
            log.error("Error occurred while retrieving notification receivers", e);
            continue;
        }
        if (!CollectionUtils.isNotEmpty(dueReceivers)) {
            continue;
        }
        for (NotificationReceiver receiver : dueReceivers) {
            if (log.isDebugEnabled()) {
                String qualifiedName = IdentityUtil.addDomainToName(receiver.getUsername(),
                        receiver.getUserStoreDomain());
                log.debug("Sending notification to: " + qualifiedName + "@" + tenantDomain);
            }
            emailUtil.sendEmail(receiver);
        }
    }
}
/**
 * Stores the authenticated subject identifier, decorating it for local users according to the
 * service provider's local/outbound authentication configuration.
 * <p>
 * For a federated user, or when {@code serviceProvider} is {@code null}, the value is stored as
 * given. Otherwise, in order:
 * <ul>
 *   <li>if "use user store domain in local subject identifier" is on and this user has a
 *       non-empty store domain, the supplied identifier is discarded and rebuilt from
 *       {@code userName} plus the store domain;</li>
 *   <li>if "use tenant domain in local subject identifier" is on and both the tenant domain and
 *       the (possibly rebuilt) identifier are non-empty, the tenant domain is appended.</li>
 * </ul>
 *
 * @param authenticatedSubjectIdentifier identifier produced by the authenticator
 * @param serviceProvider                application whose configuration drives the decoration;
 *                                       may be {@code null}
 */
public void setAuthenticatedSubjectIdentifier(String authenticatedSubjectIdentifier,
                                              ServiceProvider serviceProvider) {
    String subjectIdentifier = authenticatedSubjectIdentifier;
    if (!isFederatedUser() && serviceProvider != null) {
        boolean appendStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
                .isUseUserstoreDomainInLocalSubjectIdentifier();
        boolean appendTenantDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
                .isUseTenantDomainInLocalSubjectIdentifier();
        if (appendStoreDomain && StringUtils.isNotEmpty(userStoreDomain)) {
            // Note: the incoming identifier is replaced, not extended, on this path.
            subjectIdentifier = IdentityUtil.addDomainToName(userName, userStoreDomain);
        }
        boolean tenantApplies = appendTenantDomain
                && StringUtils.isNotEmpty(tenantDomain)
                && StringUtils.isNotEmpty(subjectIdentifier);
        if (tenantApplies) {
            subjectIdentifier = UserCoreUtil.addTenantDomainToEntry(subjectIdentifier, tenantDomain);
        }
    }
    this.authenticatedSubjectIdentifier = subjectIdentifier;
}
/**
 * Stores the authenticated subject identifier, decorating it for local users according to the
 * service provider's local/outbound authentication configuration.
 * <p>
 * For a federated user, or when {@code serviceProvider} is {@code null}, the value is stored as
 * given. Otherwise, in order:
 * <ul>
 *   <li>if "use user store domain in local subject identifier" is on and this user has a
 *       non-empty store domain, the supplied identifier is discarded and rebuilt from
 *       {@code userName} plus the store domain;</li>
 *   <li>if "use tenant domain in local subject identifier" is on and both the tenant domain and
 *       the (possibly rebuilt) identifier are non-empty, the tenant domain is appended.</li>
 * </ul>
 *
 * @param authenticatedSubjectIdentifier identifier produced by the authenticator
 * @param serviceProvider                application whose configuration drives the decoration;
 *                                       may be {@code null}
 */
public void setAuthenticatedSubjectIdentifier(String authenticatedSubjectIdentifier,
                                              ServiceProvider serviceProvider) {
    String subjectIdentifier = authenticatedSubjectIdentifier;
    if (!isFederatedUser() && serviceProvider != null) {
        boolean appendStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
                .isUseUserstoreDomainInLocalSubjectIdentifier();
        boolean appendTenantDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
                .isUseTenantDomainInLocalSubjectIdentifier();
        if (appendStoreDomain && StringUtils.isNotEmpty(userStoreDomain)) {
            // Note: the incoming identifier is replaced, not extended, on this path.
            subjectIdentifier = IdentityUtil.addDomainToName(userName, userStoreDomain);
        }
        boolean tenantApplies = appendTenantDomain
                && StringUtils.isNotEmpty(tenantDomain)
                && StringUtils.isNotEmpty(subjectIdentifier);
        if (tenantApplies) {
            subjectIdentifier = UserCoreUtil.addTenantDomainToEntry(subjectIdentifier, tenantDomain);
        }
    }
    this.authenticatedSubjectIdentifier = subjectIdentifier;
}
/**
 * Validates a password-reset confirmation code against the current tenant and, optionally, the
 * expected recovery step.
 * <p>
 * The code is rejected when the user it was issued for belongs to a tenant other than the one
 * in the thread-local {@link PrivilegedCarbonContext}; this keeps a code from being redeemed in
 * a different tenant. When {@code recoveryStep} is blank the step check is skipped entirely.
 * NOTE(review): a {@code null} result from {@code load(code)} would NPE on the next line —
 * confirm that the store throws for unknown codes rather than returning {@code null}.
 *
 * @param code         confirmation code to look up
 * @param recoveryStep expected recovery step name, or blank to skip the step check
 * @throws IdentityRecoveryException client error on tenant or step mismatch; otherwise whatever
 *                                   the recovery data store raises
 */
public void validateConfirmationCode(String code, String recoveryStep) throws IdentityRecoveryException {
    UserRecoveryDataStore recoveryDataStore = JDBCRecoveryDataStore.getInstance();
    UserRecoveryData recoveryData = recoveryDataStore.load(code);
    String contextTenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    String userTenantDomain = recoveryData.getUser().getTenantDomain();
    boolean sameTenant = StringUtils.equals(contextTenantDomain, userTenantDomain);
    if (!sameTenant) {
        throw new IdentityRecoveryClientException("Invalid tenant domain: " + userTenantDomain);
    }
    boolean stepMismatch = StringUtils.isNotBlank(recoveryStep)
            && !recoveryStep.equals(recoveryData.getRecoveryStep().name());
    if (stepMismatch) {
        throw Utils.handleClientException(IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_INVALID_CODE, null);
    }
    String domainQualifiedName = IdentityUtil.addDomainToName(recoveryData.getUser().getUserName(),
            recoveryData.getUser().getUserStoreDomain());
    if (log.isDebugEnabled()) {
        log.debug("Valid confirmation code for user: " + domainQualifiedName);
    }
}
}
/**
 * Decorates a subject claim value per the service provider's local subject identifier flags.
 * <p>
 * The tenant domain is appended first, then the user store domain, each only when its flag is
 * on. NOTE(review): this is the reverse of the order used by other subject-building code in
 * this corpus (e.g. {@code buildSubjectClaim}: store domain first, then tenant). Whether both
 * orders produce the same string depends on how the two helpers treat an already-qualified
 * name — confirm the subject format is identical on both paths.
 *
 * @param serviceProvider   application whose configuration is consulted
 * @param subjectClaimValue raw subject claim value
 * @param userStoreDomain   user store domain to append when enabled
 * @param tenantDomain      tenant domain to append when enabled
 * @return the decorated subject claim value
 */
private String getFormattedSubjectClaim(ServiceProvider serviceProvider, String subjectClaimValue,
                                        String userStoreDomain, String tenantDomain) {
    boolean withStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
            .isUseUserstoreDomainInLocalSubjectIdentifier();
    boolean withTenantDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
            .isUseTenantDomainInLocalSubjectIdentifier();
    String formatted = subjectClaimValue;
    if (withTenantDomain) {
        formatted = UserCoreUtil.addTenantDomainToEntry(formatted, tenantDomain);
    }
    if (withStoreDomain) {
        formatted = IdentityUtil.addDomainToName(formatted, userStoreDomain);
    }
    return formatted;
}
/**
 * Builds the {@code sub} value returned by the userinfo endpoint for the given client.
 * <p>
 * When the service provider for {@code clientId} in {@code spTenantDomain} is found and
 * {@code sub} is non-empty, the user store domain is appended first and the tenant domain
 * second, each only when the corresponding local subject identifier flag is on. If the
 * service provider is missing or {@code sub} is empty, {@code sub} is returned untouched.
 *
 * @param sub              raw subject value
 * @param userTenantDomain tenant domain of the user
 * @param userStoreDomain  user store domain of the user
 * @param clientId         OAuth client id used to resolve the service provider
 * @param spTenantDomain   tenant in which the service provider is registered
 * @return the formatted subject value
 * @throws UserInfoEndpointException if the service provider lookup fails
 */
private String buildSubjectClaim(String sub, String userTenantDomain, String userStoreDomain, String clientId,
                                 String spTenantDomain) throws UserInfoEndpointException {
    ServiceProvider serviceProvider = getServiceProvider(spTenantDomain, clientId);
    if (serviceProvider == null) {
        return sub;
    }
    boolean withTenantDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
            .isUseTenantDomainInLocalSubjectIdentifier();
    boolean withStoreDomain = serviceProvider.getLocalAndOutBoundAuthenticationConfig()
            .isUseUserstoreDomainInLocalSubjectIdentifier();
    if (!isNotEmpty(sub)) {
        return sub;
    }
    String subject = sub;
    if (withStoreDomain) {
        subject = IdentityUtil.addDomainToName(subject, userStoreDomain);
    }
    if (withTenantDomain) {
        subject = UserCoreUtil.addTenantDomainToEntry(subject, userTenantDomain);
    }
    return subject;
}
AttributeUtil.getStringValueOfAttribute(displayNameAttribute.getValue(), displayNameAttribute.getType()); displayNameAttribute.setValue(IdentityUtil.addDomainToName( UserCoreUtil.removeDomainFromName(displayName), userStoreDomain));
/**
 * Writes a single claim for the user through the tenant's user store manager, skipping the
 * write when the stored value already equals {@code value}.
 * <p>
 * If the tenant realm or its user store manager cannot be obtained the method returns without
 * doing anything — NOTE(review): callers cannot tell "written" from "realm unavailable".
 *
 * @param user  user whose claim is set; the username is qualified with the user store domain
 * @param claim claim URI
 * @param value claim value to store
 * @throws UserStoreException if reading or writing the claim fails
 */
public static void setClaimInUserStoreManager(User user, String claim, String value) throws UserStoreException {
    String qualifiedUsername = IdentityUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain());
    int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
    RealmService realmService = IdentityRecoveryServiceDataHolder.getInstance().getRealmService();
    if (realmService.getTenantUserRealm(tenantId) == null) {
        return;
    }
    org.wso2.carbon.user.core.UserStoreManager userStoreManager =
            (org.wso2.carbon.user.core.UserStoreManager) realmService.getTenantUserRealm(tenantId)
                    .getUserStoreManager();
    if (userStoreManager == null) {
        return;
    }
    Map<String, String> currentValues = userStoreManager.getUserClaimValues(qualifiedUsername,
            new String[]{claim}, UserCoreConstants.DEFAULT_PROFILE);
    String existingValue = currentValues.get(claim);
    boolean unchanged = existingValue != null && existingValue.equals(value);
    if (unchanged) {
        return;
    }
    Map<String, String> claimMap = new HashMap<String, String>();
    claimMap.put(claim, value);
    userStoreManager.setUserClaimValues(qualifiedUsername, claimMap, UserCoreConstants.DEFAULT_PROFILE);
}
/**
 * Reads one claim value for the user from the tenant's user store manager.
 *
 * @param user  user to look up; the username is qualified with the user store domain
 * @param claim claim URI to read
 * @return the stored value; {@code ""} when the realm or user store manager is unavailable or
 *         the lookup returns no claims, otherwise whatever the returned map holds for
 *         {@code claim} (which may itself be {@code null})
 * @throws UserStoreException if the realm or claim lookup fails
 */
public static String getClaimFromUserStoreManager(User user, String claim) throws UserStoreException {
    String qualifiedUsername = IdentityUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain());
    org.wso2.carbon.user.core.UserStoreManager userStoreManager = null;
    RealmService realmService = IdentityRecoveryServiceDataHolder.getInstance().getRealmService();
    int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
    if (realmService.getTenantUserRealm(tenantId) != null) {
        userStoreManager = (org.wso2.carbon.user.core.UserStoreManager) realmService.getTenantUserRealm(tenantId)
                .getUserStoreManager();
    }
    if (userStoreManager == null) {
        return "";
    }
    Map<String, String> claims = userStoreManager.getUserClaimValues(qualifiedUsername, new String[]{claim},
            UserCoreConstants.DEFAULT_PROFILE);
    if (claims == null || claims.isEmpty()) {
        return "";
    }
    return claims.get(claim);
}
/**
 * Fetches claim values for a user via the tenant's user store manager.
 * <p>
 * The username is qualified with the user store domain unless that domain is blank or the
 * literal {@code "PRIMARY"}. Realm and user store manager failures are surfaced as
 * {@link CaptchaServerException}; a failure of the claim lookup itself is only logged at debug
 * level and yields {@code null} — NOTE(review): callers must null-check, and a failed lookup
 * is indistinguishable from a user with no claims.
 *
 * @param user      user to look up
 * @param tenantId  tenant whose realm is used
 * @param claimUris claim URIs to fetch
 * @return map of claim URI to value, or {@code null} if the claim lookup failed
 * @throws CaptchaServerException if the realm or user store manager cannot be obtained
 */
public static Map<String, String> getClaimValues(User user, int tenantId, String[] claimUris)
        throws CaptchaServerException {
    String storeDomain = user.getUserStoreDomain();
    boolean qualify = !StringUtils.isBlank(storeDomain) && !"PRIMARY".equals(storeDomain);
    String username = qualify
            ? IdentityUtil.addDomainToName(user.getUserName(), storeDomain)
            : user.getUserName();
    RealmService realmService = CaptchaDataHolder.getInstance().getRealmService();
    UserRealm userRealm;
    try {
        userRealm = (UserRealm) realmService.getTenantUserRealm(tenantId);
    } catch (UserStoreException e) {
        throw new CaptchaServerException("Failed to retrieve user realm from tenant id : " + tenantId, e);
    }
    UserStoreManager userStoreManager;
    try {
        userStoreManager = userRealm.getUserStoreManager();
    } catch (UserStoreException e) {
        throw new CaptchaServerException("Failed to retrieve user store manager.", e);
    }
    try {
        return userStoreManager.getUserClaimValues(username, claimUris, UserCoreConstants.DEFAULT_PROFILE);
    } catch (org.wso2.carbon.user.core.UserStoreException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while retrieving user claims.", e);
        }
        return null;
    }
}
userNameWithDomain = IdentityUtil.addDomainToName(userName, userStoreDomain);
updatedClaims.put(IdentityRecoveryConstants.PASSWORD_RESET_FAIL_ATTEMPTS_CLAIM, "0"); try { userStoreManager.setUserClaimValues(IdentityUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain()), updatedClaims, UserCoreConstants.DEFAULT_PROFILE); } catch (org.wso2.carbon.user.core.UserStoreException e) {
/**
 * Reports whether the user's account-disabled claim is set.
 * <p>
 * Resolves the tenant realm and its user store manager, reads the
 * {@code ACCOUNT_DISABLED_CLAIM} for the store-domain-qualified username and parses it as a
 * boolean; a missing value parses as {@code false}. Each lookup failure is mapped to a
 * distinct server error code.
 *
 * @param user user whose disabled flag is read
 * @return {@code true} only if the claim value parses as {@code true}
 * @throws IdentityRecoveryException if the realm, user store manager or claims cannot be loaded
 */
public static boolean isAccountDisabled(User user) throws IdentityRecoveryException {
    int tenantId = IdentityTenantUtil.getTenantId(user.getTenantDomain());
    RealmService realmService = IdentityRecoveryServiceDataHolder.getInstance().getRealmService();
    UserRealm userRealm;
    try {
        userRealm = (UserRealm) realmService.getTenantUserRealm(tenantId);
    } catch (UserStoreException e) {
        throw Utils.handleServerException(
                IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_FAILED_TO_LOAD_REALM_SERVICE,
                user.getTenantDomain(), e);
    }
    org.wso2.carbon.user.core.UserStoreManager userStoreManager;
    try {
        userStoreManager = userRealm.getUserStoreManager();
    } catch (UserStoreException e) {
        throw Utils.handleServerException(
                IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_FAILED_TO_LOAD_USER_STORE_MANAGER, null, e);
    }
    String qualifiedUsername = IdentityUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain());
    String[] wantedClaims = {IdentityRecoveryConstants.ACCOUNT_DISABLED_CLAIM};
    Map<String, String> claims;
    try {
        claims = userStoreManager.getUserClaimValues(qualifiedUsername, wantedClaims,
                UserCoreConstants.DEFAULT_PROFILE);
    } catch (org.wso2.carbon.user.core.UserStoreException e) {
        throw Utils.handleServerException(
                IdentityRecoveryConstants.ErrorMessages.ERROR_CODE_FAILED_TO_LOAD_USER_CLAIMS, null, e);
    }
    return Boolean.parseBoolean(claims.get(IdentityRecoveryConstants.ACCOUNT_DISABLED_CLAIM));
}
/**
 * Post-authentication hook. A custom authentication handler may override it.
 * <p>
 * Default behaviour: on {@code SUCCESS}, the authenticated user's store-domain-qualified
 * username is bound into the thread-local {@link PrivilegedCarbonContext} — but only when the
 * user's tenant domain equals (case-insensitively) the context's tenant domain. A user from
 * another tenant is deliberately not bound, so downstream code must not assume a username is
 * present in the context after every successful authentication.
 *
 * @param messageContext       message context; cast to {@link AuthenticationContext}
 * @param authenticationResult outcome of the authentication step
 */
protected void postAuthenticate(MessageContext messageContext, AuthenticationResult authenticationResult) {
    AuthenticationContext authContext = (AuthenticationContext) messageContext;
    boolean succeeded = AuthenticationStatus.SUCCESS.equals(authenticationResult.getAuthenticationStatus());
    if (!succeeded) {
        return;
    }
    User user = authContext.getUser();
    if (user == null) {
        return;
    }
    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
    String userTenantDomain = user.getTenantDomain();
    // Cross-tenant users are intentionally left out of the context.
    boolean sameTenant = userTenantDomain != null
            && userTenantDomain.equalsIgnoreCase(carbonContext.getTenantDomain());
    if (sameTenant) {
        carbonContext.setUsername(IdentityUtil.addDomainToName(user.getUserName(), user.getUserStoreDomain()));
    }
}
}
/**
 * Pre-delete role listener: removes the SCIM group attributes for the role before the store
 * deletes it.
 * <p>
 * Does nothing (and lets the deletion proceed) when the listener is disabled, the user store
 * manager is {@code null}, or SCIM is not enabled for the store. The role name is qualified
 * with the store's domain name, falling back to the primary default domain when the realm
 * configuration has none.
 *
 * @param roleName         role being deleted, without a domain prefix
 * @param userStoreManager store the role lives in
 * @return always {@code true}
 * @throws UserStoreException if the SCIM flag cannot be read or the SCIM attributes cannot
 *                            be removed
 */
@Override
public boolean doPreDeleteRole(String roleName, UserStoreManager userStoreManager) throws UserStoreException {
    boolean applicable;
    try {
        applicable = isEnable() && userStoreManager != null && userStoreManager.isSCIMEnabled();
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserStoreException("Error while reading isScimEnabled from userstore manager", e);
    }
    if (!applicable) {
        return true;
    }
    try {
        SCIMGroupHandler groupHandler = new SCIMGroupHandler(userStoreManager.getTenantId());
        String domainName = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration());
        if (domainName == null) {
            domainName = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME;
        }
        String qualifiedRoleName = IdentityUtil.addDomainToName(roleName, domainName);
        try {
            // Existence is checked inside deleteGroupAttributes, so no separate check here.
            groupHandler.deleteGroupAttributes(qualifiedRoleName);
        } catch (IdentitySCIMException e) {
            throw new UserStoreException("Error retrieving group information from SCIM Tables.", e);
        }
        return true;
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserStoreException(e);
    }
}
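/**
 * Post-delete role listener: removes the SCIM group attributes left behind for a role that was
 * created via the management console rather than the SCIM endpoint.
 * <p>
 * Does nothing (and returns {@code true}) when the listener is disabled, the user store manager
 * is {@code null}, or SCIM is not enabled for the store. The {@code null} guard matches
 * {@code doPreDeleteRole}; previously this method dereferenced the manager unconditionally and
 * would have thrown a {@link NullPointerException} instead. The role name is qualified with the
 * store's domain name, falling back to the primary default domain when the realm configuration
 * has none.
 *
 * @param roleName         role that was deleted, without a domain prefix
 * @param userStoreManager store the role lived in; may be {@code null}
 * @return always {@code true}
 * @throws UserStoreException if the SCIM flag cannot be read or the SCIM attributes cannot
 *                            be removed
 */
@Override
public boolean doPostDeleteRole(String roleName, UserStoreManager userStoreManager) throws UserStoreException {
    boolean applicable;
    try {
        applicable = isEnable() && userStoreManager != null && userStoreManager.isSCIMEnabled();
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserStoreException("Error while reading isScimEnabled from userstore manager", e);
    }
    if (!applicable) {
        return true;
    }
    try {
        SCIMGroupHandler groupHandler = new SCIMGroupHandler(userStoreManager.getTenantId());
        String domainName = UserCoreUtil.getDomainName(userStoreManager.getRealmConfiguration());
        if (domainName == null) {
            domainName = UserCoreConstants.PRIMARY_DEFAULT_DOMAIN_NAME;
        }
        String qualifiedRoleName = IdentityUtil.addDomainToName(roleName, domainName);
        try {
            // Existence is checked inside deleteGroupAttributes, so no separate check here.
            groupHandler.deleteGroupAttributes(qualifiedRoleName);
        } catch (IdentitySCIMException e) {
            throw new UserStoreException("Error retrieving group information from SCIM Tables.", e);
        }
        return true;
    } catch (org.wso2.carbon.user.api.UserStoreException e) {
        throw new UserStoreException(e);
    }
}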