/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved * * The contents of this file are subject to the terms * of the Common Development and Distribution License * (the License). You may not use this file except in * compliance with the License. * * You can obtain a copy of the License at * https://opensso.dev.java.net/public/CDDLv1.0.html or * opensso/legal/CDDLv1.0.txt * See the License for the specific language governing * permission and limitations under the License. * * When distributing Covered Code, include this CDDL * Header Notice in each file and include the License file * at opensso/legal/CDDLv1.0.txt. * If applicable, add the following below the CDDL Header, * with the fields enclosed by brackets [] replaced by * your own identifying information: * "Portions Copyrighted [year] [name of copyright owner]" * * $Id: AMUserImpl.java,v 1.7 2009/11/20 23:52:51 ww203982 Exp $ * * Portions Copyright 2015 ForgeRock AS. */ package com.iplanet.am.sdk; import java.util.Map; import java.util.HashSet; import java.util.Iterator; import java.util.Set; import java.security.AccessController; import com.iplanet.sso.SSOException; import com.iplanet.sso.SSOToken; import com.iplanet.sso.SSOTokenManager; import com.sun.identity.sm.SMSException; import com.sun.identity.sm.SchemaType; import com.sun.identity.sm.ServiceSchema; import com.sun.identity.sm.ServiceSchemaManager; import com.sun.identity.security.AdminTokenAction; import org.forgerock.opendj.ldap.DN; import org.forgerock.opendj.ldap.RDN; /** * The AMUserImpl implementation of interface AMUser * * @deprecated As of Sun Java System Access Manager 7.1. 
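 */
class AMUserImpl extends AMObjectImpl implements AMUser {

    /** Attribute that lists the roles explicitly (statically) assigned to the user. */
    static final String roleDNsAN = "nsroledn";

    /** Attribute that carries the user's activation state ("active"/"inactive"). */
    static final String statusAN = "inetUserStatus";

    /** Attribute that lists every role the entry is in, static or filtered. */
    static final String nsroleAN = "nsrole";

    /**
     * RDN of the container default template role. Roles with this RDN are
     * never reported by the role listing methods below.
     */
    static final RDN ContainerDefaultTemplateRoleRDN = RDN.valueOf(
            AMNamingAttrManager.getNamingAttr(FILTERED_ROLE) + "="
            + CONTAINER_DEFAULT_TEMPLATE_ROLE);

    /**
     * Process-wide store connection opened with the AM administrator token.
     * Only ever accessed through {@link #getAMStoreConnection()}, which
     * serialises its lazy initialisation.
     */
    private static AMStoreConnection amsc = null;

    /**
     * Creates a user object bound to the given entry and the caller's token.
     *
     * @param ssoToken the caller's single sign on token
     * @param DN       DN of the user entry (the name shadows the imported
     *                 {@code DN} type inside this constructor only)
     */
    public AMUserImpl(SSOToken ssoToken, String DN) {
        super(ssoToken, DN, USER);
    }

    /**
     * Renames the user (the naming attribute of the entry) in the datastore
     * and updates this object's DN to the renamed entry.
     *
     * <p>Note: This operation directly commits the user name change to the
     * datastore. It does not save modified/added attributes; use
     * {@link AMObject#store store()} for those.
     *
     * @param newName       the new user name
     * @param deleteOldName if true the old name value is deleted, otherwise it
     *                      is retained on the entry
     * @return the new DN of the user
     * @throws AMException  if an error is encountered when trying to
     *                      access/retrieve data from the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public String rename(String newName, boolean deleteOldName)
            throws AMException, SSOException {
        entryDN = dsServices.renameEntry(token, profileType, entryDN, newName,
                deleteOldName);
        return entryDN;
    }

    /**
     * Reads the {@code nsrole} values of this entry from the data store.
     *
     * @return the role DN strings, or an empty set when the attribute is
     *         absent; never null
     */
    private Set readNsRoles() throws AMException, SSOException {
        Set wanted = new HashSet(1);
        wanted.add(nsroleAN);
        Map attrs = getAttributesFromDataStore(wanted);
        Set values = (attrs == null) ? null : (Set) attrs.get(nsroleAN);
        return (values == null) ? new HashSet() : values;
    }

    /**
     * Decides whether a role DN is reported to callers: it must not be the
     * container default template role and the store must classify it as an
     * AM-managed (static or filtered) role.
     *
     * @param roleDN       parsed form of the role DN
     * @param roleDNString the raw attribute value, handed to the store lookup
     */
    private boolean isReportableRole(DN roleDN, String roleDNString)
            throws SSOException {
        return !ContainerDefaultTemplateRoleRDN.equals(roleDN.rdn())
                && isAMManagedRole(roleDNString);
    }

    /**
     * Gets all the filtered roles the user is in, i.e. the {@code nsrole}
     * values that are not also statically assigned through
     * {@code nsroledn}, are not the container default template role and are
     * recognised by the store as AM-managed roles.
     *
     * @return the set of filtered role DN strings the user is in; empty when
     *         the user has none
     * @throws AMException  if an error is encountered when trying to
     *                      access/retrieve data from the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public Set getFilteredRoleDNs() throws AMException, SSOException {
        // Static roles are held as parsed DNs so the exclusion below relies on
        // the LDAP SDK's normalised DN equality instead of lower-casing the
        // string form with the default locale.
        Set staticRoles = new HashSet();
        Set staticRoleValues = getRoleDNs();
        if (staticRoleValues != null) {
            for (Iterator it = staticRoleValues.iterator(); it.hasNext();) {
                staticRoles.add(DN.valueOf((String) it.next()));
            }
        }

        Set result = new HashSet();
        for (Iterator it = readNsRoles().iterator(); it.hasNext();) {
            String nsrole = (String) it.next();
            DN nsroleDN = DN.valueOf(nsrole);
            if (!staticRoles.contains(nsroleDN)
                    && isReportableRole(nsroleDN, nsrole)) {
                result.add(nsroleDN.toString());
            }
        }
        return result;
    }

    /**
     * Gets all the static roles the user is in, read from {@code nsroledn}.
     *
     * @return the set of static role DN strings the user is in
     * @throws AMException  if an error is encountered when trying to
     *                      access/retrieve data from the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public Set getRoleDNs() throws AMException, SSOException {
        return getAttribute(roleDNsAN);
    }

    /**
     * Gets all the static and filtered roles the user is in: every
     * {@code nsrole} value except the container default template role and
     * entries the store does not classify as AM-managed roles.
     *
     * @return the set of role DN strings the user is in; empty when the user
     *         has no {@code nsrole} values (previously this case raised a
     *         NullPointerException)
     * @throws AMException  if an error is encountered when trying to
     *                      access/retrieve data from the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public Set getAllRoleDNs() throws AMException, SSOException {
        Set result = new HashSet();
        for (Iterator it = readNsRoles().iterator(); it.hasNext();) {
            String nsrole = (String) it.next();
            DN nsroleDN = DN.valueOf(nsrole);
            if (isReportableRole(nsroleDN, nsrole)) {
                result.add(nsroleDN.toString());
            }
        }
        return result;
    }

    /**
     * Returns the shared store connection, opening it on first use.
     *
     * <p>The connection is authenticated with the AM administrator token
     * obtained through {@link AdminTokenAction} under
     * {@code AccessController.doPrivileged}, so it runs with elevated
     * privilege regardless of the caller's own token. Within this class it is
     * used only by {@link #isAMManagedRole(String)} to classify role entries;
     * nothing read through it reaches callers beyond that yes/no answer.
     * Synchronised so concurrent first callers do not each open a connection
     * or observe a half-published static.
     *
     * @throws SSOException if the store connection cannot be created
     */
    private static synchronized AMStoreConnection getAMStoreConnection()
            throws SSOException {
        if (amsc == null) {
            SSOToken adminToken = (SSOToken) AccessController
                    .doPrivileged(AdminTokenAction.getInstance());
            amsc = new AMStoreConnection(adminToken);
        }
        return amsc;
    }

    /**
     * Asks the store (with admin privilege) whether the DN is a static or
     * filtered AM role.
     *
     * @return true for {@code AMObject.ROLE} / {@code AMObject.FILTERED_ROLE};
     *         false for any other type or when the lookup fails
     */
    private boolean isAMManagedRole(String nsrole) throws SSOException {
        try {
            int type = getAMStoreConnection().getAMObjectType(nsrole);
            return type == AMObject.ROLE || type == AMObject.FILTERED_ROLE;
        } catch (AMException e) {
            // Entries the store cannot classify are deliberately dropped from
            // the listings rather than reported as roles.
            if (debug.messageEnabled()) {
                debug.message(nsrole + " is not an AM managed role");
            }
            return false;
        }
    }

    /**
     * Adds or removes this user as a member of a role or group entry.
     *
     * @param targetDN   DN of the role or group
     * @param targetType {@code ROLE}, {@code GROUP} or
     *                   {@code ASSIGNABLE_DYNAMIC_GROUP}
     * @param operation  {@code ADD_MEMBER} or {@code REMOVE_MEMBER}
     * @throws AMException  if the membership change fails in the data store
     * @throws SSOException if the caller's token is no longer valid; the
     *                      directory is not touched in that case
     */
    private void modifyMembership(String targetDN, int targetType,
            int operation) throws AMException, SSOException {
        // Re-validate the caller's token before writing on their behalf.
        SSOTokenManager.getInstance().validateToken(super.token);
        Set members = new HashSet(1);
        members.add(super.entryDN);
        dsServices.modifyMemberShip(super.token, members, targetDN, targetType,
                operation);
    }

    /**
     * Assigns a role to the user.
     *
     * @param role the role the user is assigned to
     */
    public void assignRole(AMRole role) throws AMException, SSOException {
        assignRole(role.getDN());
    }

    /**
     * Assigns a role to the user.
     *
     * @param roleDN the DN of the role the user is assigned to
     * @throws AMException  if the membership change fails in the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void assignRole(String roleDN) throws AMException, SSOException {
        modifyMembership(roleDN, ROLE, ADD_MEMBER);
    }

    /**
     * Removes a role that is assigned to the user.
     *
     * @param role the role to remove the user from
     */
    public void removeRole(AMRole role) throws AMException, SSOException {
        removeRole(role.getDN());
    }

    /**
     * Removes a role that is assigned to the user.
     *
     * @param roleDN the DN of the role to remove the user from
     * @throws AMException  if the membership change fails in the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void removeRole(String roleDN) throws AMException, SSOException {
        modifyMembership(roleDN, ROLE, REMOVE_MEMBER);
    }

    /**
     * Gets all the static groups the user is in.
     *
     * @return the set of static group DN strings the user is in
     */
    public Set getStaticGroupDNs() throws AMException, SSOException {
        return getAttribute("iplanet-am-static-group-dn");
    }

    /**
     * Assigns a static group to the user.
     *
     * @param group the static group the user is assigned to
     */
    public void assignStaticGroup(AMStaticGroup group) throws AMException,
            SSOException {
        assignStaticGroup(group.getDN());
    }

    /**
     * Assigns a static group to the user.
     *
     * @param groupDN the DN of the static group the user is assigned to
     * @throws AMException  if the membership change fails in the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void assignStaticGroup(String groupDN) throws AMException,
            SSOException {
        modifyMembership(groupDN, GROUP, ADD_MEMBER);
    }

    /**
     * Removes a static group that is assigned to the user.
     *
     * @param group the static group to remove the user from
     */
    public void removeStaticGroup(AMStaticGroup group) throws AMException,
            SSOException {
        removeStaticGroup(group.getDN());
    }

    /**
     * Removes a static group that is assigned to the user.
     *
     * @param groupDN the DN of the static group to remove the user from
     * @throws AMException  if the membership change fails in the data store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void removeStaticGroup(String groupDN) throws AMException,
            SSOException {
        modifyMembership(groupDN, GROUP, REMOVE_MEMBER);
    }

    /**
     * Gets all the assignable dynamic groups the user is in, as recorded in
     * the {@code memberof} attribute.
     *
     * @return the set of assignable dynamic group DN strings the user is in
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public Set getAssignableDynamicGroupDNs() throws AMException,
            SSOException {
        return getAttribute("memberof");
    }

    /**
     * Assigns an assignable dynamic group to the user.
     *
     * @param assignableDynamicGroup the group the user is assigned to
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void assignAssignableDynamicGroup(
            AMAssignableDynamicGroup assignableDynamicGroup)
            throws AMException, SSOException {
        assignAssignableDynamicGroup(assignableDynamicGroup.getDN());
    }

    /**
     * Assigns an assignable dynamic group to the user.
     *
     * @param assignableDynamicGroupDN the DN of the group the user is
     *                                 assigned to
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void assignAssignableDynamicGroup(String assignableDynamicGroupDN)
            throws AMException, SSOException {
        modifyMembership(assignableDynamicGroupDN, ASSIGNABLE_DYNAMIC_GROUP,
                ADD_MEMBER);
    }

    /**
     * Removes an assignable dynamic group that is assigned to the user.
     *
     * @param assignableDynamicGroup the group to remove the user from
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void removeAssignableDynamicGroup(
            AMAssignableDynamicGroup assignableDynamicGroup)
            throws AMException, SSOException {
        removeAssignableDynamicGroup(assignableDynamicGroup.getDN());
    }

    /**
     * Removes an assignable dynamic group that is assigned to the user.
     *
     * @param assignableDynamicGroupDN the DN of the group to remove the user
     *                                 from
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public void removeAssignableDynamicGroup(String assignableDynamicGroupDN)
            throws AMException, SSOException {
        modifyMembership(assignableDynamicGroupDN, ASSIGNABLE_DYNAMIC_GROUP,
                REMOVE_MEMBER);
    }

    /**
     * Writes the given value to {@code inetUserStatus} and stores the entry
     * immediately.
     */
    private void setStatus(String status) throws AMException, SSOException {
        setStringAttribute(statusAN, status);
        store();
    }

    /**
     * Activates the user. The change is committed to the datastore at once.
     */
    public void activate() throws AMException, SSOException {
        setStatus("active");
    }

    /**
     * Deactivates the user. The change is committed to the datastore at once.
     */
    public void deactivate() throws AMException, SSOException {
        setStatus("inactive");
    }

    /**
     * Returns true if the user is activated.
     *
     * @return true if {@code inetUserStatus} equals "active" ignoring case;
     *         a missing or empty value reads as not activated rather than
     *         raising a NullPointerException
     * @throws AMException  if there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     */
    public boolean isActivated() throws AMException, SSOException {
        return "active".equalsIgnoreCase(getStringAttribute(statusAN));
    }

    /**
     * Assigns services to the user by adding each service's object classes
     * to the entry and storing it, then verifying that every service declares
     * a User or Dynamic schema.
     *
     * <p>The object classes are committed before that verification on
     * purpose, to support "COS"-type attributes; a service that declares
     * neither schema therefore raises error 1001 after the object classes
     * are already stored.
     *
     * @param serviceNames set of service names; null or empty is a no-op
     * @throws AMException  with code 125 if a service is already assigned
     *                      (nothing is written in that case), with code 1001
     *                      if a service has no User or Dynamic schema, or if
     *                      there is an internal error in the AM Store
     * @throws SSOException if the single sign on token is no longer valid
     * @see com.iplanet.am.sdk.AMObjectImpl#assignServices(java.util.Map)
     */
    public void assignServices(Set serviceNames) throws AMException,
            SSOException {
        if (serviceNames == null || serviceNames.isEmpty()) {
            return;
        }
        Set alreadyAssigned = getAssignedServices();
        Set canAssign = new HashSet();
        Set newOCs = new HashSet();
        Set single = new HashSet(1);
        for (Iterator it = serviceNames.iterator(); it.hasNext();) {
            String serviceName = (String) it.next();
            if (alreadyAssigned != null
                    && alreadyAssigned.contains(serviceName)) {
                debug.error(AMSDKBundle.getString("125"));
                throw new AMException(AMSDKBundle.getString("125",
                        super.locale), "125");
            }
            canAssign.add(serviceName);
            // Look each service up on its own; passing the growing canAssign
            // set re-fetched every earlier service on each iteration.
            single.clear();
            single.add(serviceName);
            newOCs.addAll(AMServiceUtils.getServiceObjectClasses(token,
                    single));
        }

        Set oldOCs = getAttribute("objectclass");
        setAttribute("objectclass", AMCommonUtils.combineOCs(newOCs, oldOCs));
        store();

        for (Iterator it = canAssign.iterator(); it.hasNext();) {
            String serviceName = (String) it.next();
            Object[] args = { serviceName };
            try {
                ServiceSchemaManager ssm = new ServiceSchemaManager(
                        serviceName, token);
                ServiceSchema ss = ssm.getSchema(SchemaType.USER);
                if (ss == null) {
                    ss = ssm.getSchema(SchemaType.DYNAMIC);
                }
                if (ss == null) {
                    debug.error(AMSDKBundle.getString("1001"));
                    throw new AMException(AMSDKBundle.getString("1001", args,
                            super.locale), "1001", args);
                }
            } catch (SMSException se) {
                // Only schema lookup failures are swallowed here; the
                // AMException thrown above is not an SMSException and
                // propagates to the caller.
                debug.error("AMUserImpl: schema type validation failed-> "
                        + serviceName, se);
            }
        }
    }
}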