/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: IdUtils.java,v 1.34 2009/11/20 23:52:54 ww203982 Exp $
*
* Portions Copyrighted 2011-2015 ForgeRock AS.
* Portions Copyrighted 2014 Nomura Research Institute, Ltd
*/
/**
* The class defines some static utilities used by other components like policy
* and auth
*
* @supported.api
*/
public final class IdUtils {
// Static map to cache "orgIdentifier" and organization DN
new CaseInsensitiveHashMap());
new CaseInsensitiveHashMap());
// ServiceConfigManager for sunidentityrepository service
// User naming attribute for AMSDK
// Organization naming attribute for AMSDK
// SMS Root Suffix
// DN pointing to the services node
// Special Users
// Runs once when the class is loaded so the supported identity types and the
// SMS notification listener are in place before any static utility is used.
// initialize() is also re-run by IdUtilsListener when the IdRepo service
// configuration changes, so it must stay safe to call more than once.
static {
initialize();
}
/**
 * (Re)loads the identity types supported by the IdRepo service and registers
 * this class for SMS change notifications on the root realm.
 *
 * <p>When the configuration has been migrated to 7.0 the supported entities
 * are read from the IdRepo service schema; the {@code SMSException} handler's
 * message indicates that the default types are loaded when that read fails.
 * The branch taken for a non-migrated configuration is not visible in this
 * listing. Notification registration is attempted only while
 * {@code notificationId} is still unset.
 *
 * <p>Called from the static initializer and again from
 * {@code IdUtilsListener} on service configuration changes.
 */
protected static void initialize() {
if (ServiceManager.isConfigMigratedTo70()) {
// IdRepo service schema exists. Read the supported
// entities from there
try {
} else {
// Each of the following sets is acted on only when it is non-null and
// non-empty; what is done with them is not visible in this listing.
if (serviceNameSet != null &&
!serviceNameSet.isEmpty()) {
}
if (canBeMembersOf != null &&
!canBeMembersOf.isEmpty()) {
}
if (canHaveMembers != null &&
!canHaveMembers.isEmpty()) {
}
if (canAddMembers != null &&
!canAddMembers.isEmpty())
{
}
}
}
} catch (SMSException e) {
"IdUtils.initialize: Loading default types.", e);
}
} catch (SSOException ssoe) {
// NOTE(review): no handling is visible for this SSOException here; confirm
// it is at least logged rather than silently dropped.
}
} else {
}
// Register for SMS notifications to root realm
// Guarded so repeated initialize() calls do not register a second listener;
// notificationId is presumably set by the registration below - TODO confirm.
if (notificationId == null) {
try {
if (serviceConfigManager == null) {
}
new IdUtilsListener());
} catch (SMSException e) {
"IdUtils.initialize: Register notification", e);
}
} catch (SSOException ssoe) {
"IdUtils.initialize: Register notification", ssoe);
}
}
}
}
/**
* @supported.api
* Returns a handle of the Identity object based on
* the SSO Token passed in (<code>AMIdentity</code> object of the user
* who is authenticated).
*
* @param token Single sign on token of user.
* @return Identity object.
* @throws IdRepoException if there are repository related error conditions.
* @throws SSOException if user's single sign on token is invalid.
*/
throws IdRepoException, SSOException {
// This could happen during co-existence with AM 6.x
// and SSOToken created by AM 6.x server. In this case
// the principal name would be the DN
}
}
/**
* @supported.api
*
* Returns a string which uniquely represents this identity object.
*
* @param id
* <code>AMIdentity</code> object whose string representation is
* needed.
* @return universal identifier of <code>id</code>.
*/
return id.getUniversalId();
}
/**
* @supported.api
*
* Returns an <code>AMIdentity</code> object, if provided with a string
* identifier for the object.
*
* @param token SSOToken of the administrator
* @param univId String representation of the identity.
* @return Identity object
* @throws IdRepoException if the identifier provided is wrong.
*/
throws IdRepoException {
}
/**
* Returns an <code>AMIdentity</code> object, given the
* DN of an authenticated identity, realm name and identity type.
* This interface is mainly for authentication component to get
* back the identity of the user.
*
* @param token SSOToken of the administrator
* @param amsdkdn DN of the authenticated user
* @param realm realm name where the user was authenticated
* @return Identity object or <code>null</code>
* @throws IdRepoException if the underlying components throw an
* exception while obtaining the identity object
*/
}
// Try constructing the identity object
try {
} catch (IdRepoException ide) {
// this could be a AMSDK DN. Follow the AMSDK rules
if (debug.messageEnabled()) {
"\n\tContinuing with AMSDK DN check");
}
}
}
// Check for Special Users
}
// Since "amsdkdn" is not a UUID, check if realm has AMSDK configured
// This change is to avoid the issue of IdUtils always checking the
// users in AMSDK as IdUtils does not check if AMSDK is configured in
// any of the realms.
try {
(!ServiceManager.isAMSDKConfigured())) {
// Not configured for AMSDK, return
return (null);
}
} catch (SMSException smse) {
// Ignore the exception and continue
}
// Initialize root realm suffix, org and user naming attributes
// Determine if the amsdkdn is valid. Obtain name & type
try {
// Since we would using AMSDK, get AMDirectoryManager preload
// all the attributes and check if it exists
// Mainly for performance reasons, since getObjectType would
// force multiple another directory lookup
try {
}
} catch (Exception e) {
// Ignore the exception and continue since this for cache
}
// Getting object type would use the cached attributes
// Convert the sdkType to IdRepo type
}
} catch (AMException ame) {
// Debug the message and return null
if (debug.messageEnabled()) {
}
return (null);
} catch (SSOException ssoe) {
// Debug the message and return null
if (debug.messageEnabled()) {
"AMSDK DN. Got SSOException", ssoe);
}
return (null);
}
// Need to determine realm for amsdkdn
// Need to get the object type and walk up the tree
if (index == 0) {
} else if (index > 0) {
}
if (debug.messageEnabled()) {
}
// Since amsdkdn points to services node,
// it should be reset to root suffix
}
}
/**
* Returns the name of service which defines the profile information for
* this type. Returns null, if nothing is defined.
*
* @param type IdType whose service name is needed.
* @return Name of the service.
*/
}
/**
* Returns corresponding <code>IdType</code> object given a type.
*
* @param type of object to return.
* @return Idtype of type.
* @throws IdRepoException if there are no corresponding types.
*/
type = "role";
type = "realm";
}
if (returnType == null) {
}
return returnType;
}
/**
* Returns the matching DN from the AM SDK for this entry. This utility is
* required by auth.
*
* @param id <code>AMIdentity</code> object.
* @return <code>DN</code> of the object, as represented in the datastore.
*/
} else {
return id.getUniversalId();
}
}
/**
* Returns an organization which maps to the identifier used by application
*
* @param orgIdentifier Organization identifier
* @return Organization mapping to that identifier.
*/
throws IdRepoException, SSOException {
// Check in cache first
return (id);
}
// Compute the organization name
if (debug.messageEnabled()) {
+ orgIdentifier);
}
// Return base DN
// If orgIdentifier is in "/" format covert to DN and return
try {
} catch (SMSException e) {
}
id = orgIdentifier;
try {
// Search for realms with orgIdentifier name
} catch (SMSException smse) {
// debug message here.
if (debug.messageEnabled()) {
+ "getting org name from SMS", smse);
}
}
} else if (ServiceManager.isCoexistenceMode()) {
// Return the org DN as determined by AMStoreConnection
if (debug.messageEnabled()) {
}
try {
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ "getting org name from AMSDK", ame);
}
throw convertAMException(ame);
}
} else {
// Get the realm name from SMS
if (debug.messageEnabled()) {
"SMS realms");
}
try {
boolean foundOrg = false;
// First search for realms with orgIdentifier name
.getOrganizationConfigManager("/");
true);
foundOrg = true;
} else {
// check for orgIdentifier
subRealmName, "/");
// Need to handle the scenario where multiple
// sub-realm with the same name should not be
// allowed
while (st.hasMoreTokens()) {
orgIdentifier)) {
if (!foundOrg) {
foundOrg = true;
} else {
throw new IdRepoException(IdRepoBundle
}
}
}
}
}
}
// Check if organization name has been determined
if (debug.messageEnabled()) {
"SMS realms aliases");
}
// perform organization alias search
if (!foundOrg &&
if (debug.warningEnabled()) {
" to find Org name for: " + orgIdentifier);
}
// Multiple realms should not have the same alias
if (debug.warningEnabled()) {
" matching Orgs found for: " + orgIdentifier);
}
}
if (!foundOrg) {
}
} catch (SMSException smse) {
// debug message here.
if (debug.messageEnabled()) {
+ "getting org name from SMS", smse);
}
}
}
if (debug.messageEnabled()) {
}
// Add to cache and return id
return id;
}
/**
* Clears the cache mapping orgIdentifiers to organization names
*/
protected static void clearOrganizationNamesCache() {
// Presumably invoked when the cached orgIdentifier -> organization mapping may
// be stale (e.g. after an SMS configuration change) - confirm against callers.
// The statements that clear the maps are not visible in this listing.
if (debug.messageEnabled()) {
}
}
/**
* Returns true or false, depending on whether this organization is enabled or
* not. The organization string passed to this method should be an
* identifier returned from the method
* <code> IdUtils.getOrganization </code>. In the default mode, where
* realms are enabled but backward compatibility is required, this checks
* for organization status in the AM enabled Sun DS. Otherwise, it checks
* for organization status from the realms tree.
*
* @param token a valid SSOToken.
* @param org name of the organization of interest.
* @return <code>true</code> if org is active;
* otherwise <code>false</code>
* @throws IdRepoException if there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
*/
throws IdRepoException, SSOException {
// Check the cache
}
boolean isActive = true;
// Need to initialize ServiceManager by creating the constructor
if (!ServiceManager.isCoexistenceMode()) {
// Pick it up from the realms tree.
try {
}
isActive = true;
} else {
}
} catch (SMSException smse) {
}
} else if (ServiceManager.isAMSDKEnabled()) {
// Return the org DN as determined by AMStoreConnection.
try {
} catch (AMException ame) {
throw convertAMException(ame);
}
}
// Add to cache
return isActive;
}
/**
 * Lazily initializes the AMSDK-related statics used on the AMSDK DN path of
 * {@code getIdentity}: the root suffix and the organization/user naming
 * attributes. When the naming attributes cannot be obtained
 * ({@code AMException}) they fall back to {@code "o="} and {@code "uid="}.
 */
private static void initializeForGetIdentity() {
// Initialize root realm, if not already initialized
if (ROOT_SUFFIX == null) {
}
// Initialize organization and user naming attributes
try {
} catch (AMException ame) {
if (debug.warningEnabled()) {
}
// Defaults used when AMSDK cannot supply the naming attributes.
ORG_NAMING_ATTR = "o=";
USER_NAMING_ATTR = "uid=";
}
}
}
/**
 * Populates the {@code specialUsers} set on first use by splitting the
 * configured special-user list on {@code "|"}. The
 * {@code com.sun.identity.authentication.super.user} property also appears to
 * be read here with an empty default - confirm how its value is used.
 */
private static void initializeSpecialUsers() {
// Populate special users
// Skipped once the set has been filled, so the parsing runs only as needed.
if (specialUsers.isEmpty()) {
susers, "|");
while (st.hasMoreTokens()) {
}
"com.sun.identity.authentication.super.user", "");
}
}
/**
* Returns an IdRepoException based on an <code>AMException</code>
*
* @param ame
* @return IdRepoException based on ame.
*/
} else {
}
return ide;
}
private static void loadDefaultTypes() {
}
}
return memberSet;
}
/**
* Returns the user name extracted from the uuid. If the orgName supplied
* as a parameter does not match the realm name in the uuid, an
* <code>IdRepoException</code> is thrown.
*
* @param uuid uuid of the user
* @param orgName the org user is trying to login to
* @return user name
* @throws IdRepoException if the realm name in the uuid does not match orgName
*/
throws IdRepoException {
// Check uuid
// Could be universal id, get the identity object
// Check the realm names
throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.REALM_NAME_NOT_MATCH_AUTHENTICATION_REALM,
args);
}
}
return (username);
}
/**
* Gets the AMIdentity of a user with username equal to uName that exists in realm
*
* @param uName username of the user to get.
* @param realm realm the user belongs to.
* @return The AMIdentity of user with username equal to uName.
*/
idsc.setRecursive(true);
idsc.setAllReturnAttributes(true);
// search for the identity
try {
if (searchResults != null) {
}
throw new IdRepoException("IdUtils" +
".getIdentity : " +
"More than one user found");
}
} catch (IdRepoException e) {
} catch (SSOException e) {
}
return theID;
}
/**
* Returns <code>AMIdentityRepository</code> handle for an organization.
*
* @param orgDN the organization name.
* @return <code>AMIdentityRepository</code> object
*/
}
// SMS service listener to reinitialize if IdRepo service changes
{
initialize();
}
initialize();
}
}
}
}