/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: OrgConfigViaAMSDK.java,v 1.14 2009/11/20 23:52:56 ww203982 Exp $
*
* Portions Copyrighted 2011-2015 ForgeRock AS.
*/
// This class provides support for OrganizationConfigManager
// in coexistence mode. This class interfaces with AMSDK
// to manage organization names and organization attributes.
public class OrgConfigViaAMSDK {
// Instance variables
private int objType;
// permissions for the user token
boolean hasReadPermissionOnly;
// Cache of organization names to ServiceConfig that
// contains the attribute mappings
// Cache of AMSDK organization names to SMS realm dn
// Debug & Locale
// When DIT not migrated to AM 7.0 we need to use static mapping
static {
if (!ServiceManager.isConfigMigratedTo70()) {
"sunPreferredDomain");
"inetDomainStatus");
"sunOrganizationAlias");
"associatedDomain");
"sunPreferredDomain");
"sunOrganizationStatus");
"sunOrganizationAliases");
"sunDNSAliases");
}
}
/**
* Constructor for Realm management via AMSDK. The parameter
* <code>orgName</code> must be an LDAP organization name
*/
throws SMSException {
this.smsOrgName = smsOrgName;
// Get admin SSOToken for operations to bypass ACIs and delegation
try {
// Check if the user has realm privileges, if yes use
// admin SSOToken to bypass directory ACIs.
// Look if the incoming request is from client or server.
// If client,(SMSJAXRPCObjectFlg=true), and since it is a JAXRPC
// call, the permission checking would be done at the server.
// So client need not have this check.(checkRealmPermission)
if (!SMSEntry.SMSJAXRPCObjectFlg) {
token = adminToken;
hasReadPermissionOnly = true;
}
}
if (hasReadPermissionOnly) {
// Construct parent org with admin token for reads
}
// Get the Realm <---> LDAP Org attribute mappings.
// To get the service config of idrepo service.
SMSEntry.getAMSdkBaseDN())) {
newOrg = smsOrgName;
}
if (ServiceManager.isConfigMigratedTo70() &&
// Do we need to use internal token?
if (debug.messageEnabled()) {
+ ": serviceConfig" + serviceConfig);
}
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Create a suborganization using AMSDK. The code checks if the DIT has been
* migrated to AM 7.0 to add the objectclass "sunRelamService".
*/
// Check if suborg exists
// Sub-org already exists or it is a hidden realm
return;
}
// Create the organization
try {
if (ServiceManager.isConfigMigratedTo70()) {
} else {
}
} catch (AMException ame) {
// Ignore if it is Organization already exists
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Returns the set of assigned services for the organization
*/
try {
if (hasReadPermissionOnly) {
return (parentOrgWithAdminToken.getRegisteredServiceNames());
} else {
return (parentOrg.getRegisteredServiceNames());
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Assigns the service to the organization
*/
try {
// Check if it is a hidden realm
if (ServiceManager.isCoexistenceMode() &&
{
return;
}
// Check if service is already assigned
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Unassigns the service from the organization
*/
try {
// Check if service is already unassigned
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Returns sub-organization names using AMSDK APIs. The returned names are
* in "/" separated format and are normalized using DNMapper.
*/
throws SMSException {
try {
// Search for sub-organization names
if (hasReadPermissionOnly) {
: AMConstants.SCOPE_ONE);
} else {
: AMConstants.SCOPE_ONE);
}
// Convert DNs to "/" separated realm names
}
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
return (Collections.EMPTY_SET);
}
/**
* Deletes sub-organization using AMSDK. If recursive flag is set, then all
* sub-entries are also removed. Else if sub-entries are present this will
* throw an exception.
*/
try {
// Check if subOrgName is empty or null
}
return;
}
// Check if it is a hidden realm
return;
}
// Get the suborg DN
}
}
} else {
}
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Returns the AMSDK Organization attributes. The return attributes are
* defined in the IdRepo service and can be configured per organization.
*/
try {
// Get the list of attribute names
// Perform AMSDK search
if (hasReadPermissionOnly) {
} else {
}
// Do reverse name mapping, and copy to answer
.hasNext();) {
}
}
}
}
}
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
ssoe, "sms-INVALID_SSO_TOKEN"));
}
}
/**
* Adds attributes to AMSDK Organization. The organization attribute names
* are defined in the IdRepo service.
*/
// Get the attribute values, add the new values
// and set the attribute
// First get the attribute values, remove the
// specified valued and then set the attributes
}
}
}
/**
* Sets attributes to AMSDK Organization. The organization attribute names
* are defined in the IdRepo service.
*/
// Need to get attributes such as domain name, alias names
// and org status from attributes and set them.
// These attributes must be defined in ../idm/xml/idRepoService.xml
// Iterate through the attribute mappings
.hasNext();) {
if (amsdkAttrs == null) {
amsdkAttrs = new HashMap();
}
boolean notEmptyFlg = false;
.hasNext();) {
// Avoid empty string storage.
notEmptyFlg = true;
}
}
if (notEmptyFlg) {
}
} else {
if (existingValues != null
&& !existingValues.isEmpty()) {
}
}
}
}
}
}
// Update the organization entry
if (amsdkAttrs != null) {
try {
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ "Organization: failed with AMException", ame);
}
} catch (SSOException ssoe) {
throw (new SMSException(bundle
"sms-INVALID_SSO_TOKEN"));
}
}
}
/**
* Removes the specified attribute from AMSDK organization. The organization
* attribute names are defined in the IdRepo service.
*/
return;
}
// Get the attribute mapping and removed specified attribute
if (amsdkAttrName != null) {
try {
} catch (AMException ame) {
if (debug.messageEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
throw (new SMSException(bundle
"sms-INVALID_SSO_TOKEN"));
}
}
}
/**
* Removes the specified attribute values from AMSDK organization. The
* organization attribute names are defined in the IdRepo service.
*/
{
// First get the attribute values, remove the
// specified valued and then set the attributes
} else {
}
}
}
}
/**
* Returns the SMS attribute name to AMSDK attribute name mappings for the
* organization
*/
if (!ServiceManager.isConfigMigratedTo70()) {
return (notMigratedAttributeMappings);
}
// Check the cache
return (answer);
// Construct the attribute mappings
answer = new CaseInsensitiveHashMap();
}
}
}
}
}
// Add to cache
return (answer);
}
/**
* Returns the AMSDK attribute name to SMS attribute name mappings for the
* organization
*/
if (!ServiceManager.isConfigMigratedTo70()) {
return (notMigratedReverseAttributeMappings);
}
// Check the cache
return (answer);
// Get the attribute mapping and reverse it
{
answer = new CaseInsensitiveHashMap();
}
}
}
return (answer);
}
// Check to see if the user has realm permissions
boolean answer = false;
try {
} catch (DelegationException dex) {
+ "Got Delegation Exception: ", dex);
} catch (SSOException ssoe) {
if (debug.messageEnabled()) {
+ "Invalid SSOToken: ", ssoe);
}
}
}
return (answer);
}
return (ServiceManager.isAMSDKEnabled()) ?
}
}
try {
} catch (AMException ame) {
if (debug.warningEnabled()) {
+ ": failed with AMException", ame);
}
} catch (SSOException ssoe) {
if (debug.warningEnabled()) {
+ ": failed with SSOException", ssoe);
}
}
return (attrSet);
}
/**
 * Resets the class-level caches.
 * <p>
 * Both static maps ({@code amsdkdn2realmname}, the AMSDK DN to realm-name
 * cache, and {@code attributeMappings}, the SMS to AMSDK attribute-name
 * cache) are replaced with fresh, empty instances rather than cleared in
 * place. The replacement is not synchronized, so a concurrent reader may
 * observe either the old map or the new one; callers that need a consistent
 * view after a configuration change should presumably invoke this before
 * serving new requests (confirm against the callers).
 */
protected static void clearCache() {
    // Replace rather than clear(): readers still holding the old map
    // instance keep working on a complete (if stale) snapshot.
    amsdkdn2realmname = new CaseInsensitiveHashMap();
    attributeMappings = new CaseInsensitiveHashMap();
}
protected static void updateAMSDKConfiguredRealms(
}
}
/**
* Returns true if the AMSDK plugin is configured for the realm,
* otherwise returns false.
*/
if (ServiceManager.isCoexistenceMode()) {
return (true);
}
// Check the cache
try {
} catch (SSOException ssoe) {
} catch (SMSException smse) {
}
// Update cache
}
return (answer.booleanValue());
}
/**
* Returns the realm name that contains the AMSDK plugin with the
* given organization dn. The function optionally takes "inrealm",
* the realm where the initial search is done.
* If not found, returns null.
*/
// If in legacy mode, return amsdkdn
if (ServiceManager.isCoexistenceMode()) {
return (amsdkdn);
}
// Check the cache
// if amsdk was not in DN format then normalizeDN will return null
return null;
}
if (debug.messageEnabled()) {
}
return (orgname);
}
// First check with "inrealm" and then with "amsdkdn"
try {
// Check inrealm first
}
// Need to check for the following conditions before
// using amsdkdn as the realm name to determine the
// AMSDK plugin organization name
// i) "inrealm" is null (realm name is not provided)
// ii) orgname != null && !orgname.equals(realm)
// (since orgname is not null, AMSDK has been configured
// for the realm, but it does not match the
// provided "amsdkdn", hence need to check for amsdkdn realm
// iii) !inrealm.equals(amsdkdn)
// If same, the check has been done. No need to repeat
// iv) If the dn starts with ou then the realm for the orgUnit
// is hidden. So first replace values of all ou's in the
// amsdkdn and then find the realm for it.
}
}
} catch (SMSException sme) {
// Ignore the exception, since the realm is not present
// and an explicit search would be done below
} catch (SSOException ssoe) {
// Ignore the exception, since the realm is not present
// and an explicit search would be done below
}
if (debug.messageEnabled()) {
"first realm lookup: orgdn=" + amsdkdn +
" realm=" + realm);
}
} else {
// If realm is still null, need to search the realm tree
try {
if (debug.messageEnabled()) {
}
} catch (SMSException e) {
if (debug.messageEnabled()) {
" Exception: ", e);
}
} catch (SSOException ssoe) {
if (debug.messageEnabled()) {
" SSException: ", ssoe);
}
}
}
return (realm);
}
/**
* This method checks if the dn starts with org unit naming attr.
* If yes, then it replaces values of all ou's by prefixing
* SMSEntry.SUN_INTERNAL_REALM_NAME because all realms mapping to
* orgUnits are hidden.
* If the dn does not start with org unit naming attr then it is
* returned as-is.
* For example,
* ou=X,ou=Y,o=DevSample,dc=red,dc=iplanet,dc=com
* is replaced with
* ou=sunamhiddenrealmX,ou=sunamhiddenrealmY,o=DevSample,dc=red,dc=iplanet,dc=com
*
* @param orgUnitDN String can not be null
*/
return orgUnitDN;
}
} else {
}
}
}
throws SMSException, SSOException {
boolean foundEntry = false;
// Get the AMSDK DN configured for the realm, update cache
foundEntry = true;
}
}
// Walk down the realm tree if entry is not found
if (!foundEntry) {
if ((foundEntry = updateAmsdk2RealmNameCache(
break;
}
}
}
}
return (foundEntry);
}
throws SMSException, SSOException {
if (ServiceManager.isCoexistenceMode()) {
}
// Get idrepo plugins and check for amsdkdn plugin
}
}
break;
}
}
}
}
}
return (orgdn);
}
/**
 * Returns the AMSDK object type for this organization DN, resolving it
 * lazily on first use.
 * <p>
 * {@code objType} is 0 until resolved; 0 therefore acts as the
 * "not yet looked up" sentinel and the lookup runs only when the field
 * still holds it. Once set, the value is returned from the field on every
 * later call.
 * <p>
 * NOTE(review): in this listing the try body is empty and each catch
 * block carries only a comment, so neither the actual AMSDK lookup nor the
 * organizational-unit fallback assignment is visible here. Verify against
 * the complete source before relying on the fallback behaviour.
 *
 * @return the value held in {@code objType} after the (first-call) lookup
 */
private int getObjectType() {
if (objType == 0) {
try {
} catch(AMException ame) {
// AMSDK lookup failed: treat the entry as an organizational unit
} catch (SSOException ssoe) {
// token problem during lookup: treat the entry as an organizational unit
}
}
return (objType);
}
}