8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: OrgConfigViaAMSDK.java,v 1.14 2009/11/20 23:52:56 ww203982 Exp $
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington * Portions Copyrighted 2011-2015 ForgeRock AS.
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport static org.forgerock.openam.ldap.LDAPUtils.*;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.common.CaseInsensitiveHashMap;
ba07e74da87b2caf40d3397e50523632daeb4cacAndrew Forrestimport com.sun.identity.delegation.DelegationEvaluator;
abd4d5547d40141d956adbbd8ac2e0efd5f025e1Andrew Forrestimport com.sun.identity.delegation.DelegationEvaluatorImpl;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.delegation.DelegationException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.delegation.DelegationPermission;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster// This class provides support for OrganizationConfigManager
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster// in coexistence mode. This class interfaces with AMSDK
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster// to manage organization names and organization attributes.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Instance variables
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private AMOrganization parentOrgWithAdminToken;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // permissions for the user token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache of organization names to ServiceConfig that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // contains the attribute mappings
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map attributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map reverseAttributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map attributeMappingServiceConfigs = new HashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final String IDREPO_SERVICE = "sunidentityrepositoryservice";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final String MAPPING_ATTR_NAME = "sunCoexistenceAttributeMapping";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache of AMSDK organization names to SMS realm DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map amsdkdn2realmname = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map amsdkConfiguredRealms = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Debug & Locale
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // When DIT not migrated to AM 7.0 we need to use static mapping
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static Map notMigratedReverseAttributeMappings;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedAttributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedAttributeMappings.put("sunPreferredDomain",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunPreferredDomain");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedAttributeMappings.put("sunOrganizationStatus",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "inetDomainStatus");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedAttributeMappings.put("sunOrganizationAliases",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunOrganizationAlias");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedAttributeMappings.put("sunDNSAliases",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "associatedDomain");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedReverseAttributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedReverseAttributeMappings.put("sunPreferredDomain",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunPreferredDomain");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedReverseAttributeMappings.put("inetDomainStatus",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunOrganizationStatus");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedReverseAttributeMappings.put("sunOrganizationAlias",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunOrganizationAliases");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster notMigratedReverseAttributeMappings.put("associatedDomain",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sunDNSAliases");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructor for realm management via AMSDK. The parameter
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>orgName</code> must be the LDAP organization name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster OrgConfigViaAMSDK(SSOToken token, String orgName, String smsOrgName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get admin SSOToken for operations to bypass ACIs and delegation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken adminToken = (SSOToken) AccessController
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check whether the user has realm privileges; if so, use the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // admin SSOToken to bypass directory ACIs.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Determine whether the incoming request comes from the client or the server.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If it comes from the client (SMSJAXRPCObjectFlg=true), it is a JAXRPC
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // call and the permission check is performed on the server,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // so the client does not need to run this check (checkRealmPermission).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (checkRealmPermission(token, smsOrgName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMStoreConnection amcom = new AMStoreConnection(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct parent org with admin token for reads
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster parentOrgWithAdminToken = amcom.getOrganization(orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the Realm <---> LDAP Org attribute mappings.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // To get the service config of idrepo service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!SMSEntry.getRootSuffix().equalsIgnoreCase(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (serviceConfig = (ServiceConfig) attributeMappingServiceConfigs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceConfigManager scm = new ServiceConfigManager(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Do we need to use internal token?
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster serviceConfig = scm.getOrganizationConfig(newOrg, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attributeMappingServiceConfigs.put(orgName, serviceConfig);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Create a suborganization using AMSDK. The code checks if the DIT has been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * migrated to AM 7.0 to add the objectclass "sunRelamService".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void createSubOrganization(String subOrgName) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if suborg exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!getSubOrganizationNames(subOrgName, false).isEmpty()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || subOrgName.startsWith(SMSEntry.SUN_INTERNAL_REALM_NAME)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Sub-org already exists or it is a hidden realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Create the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attrs.put(SMSEntry.ATTR_OBJECTCLASS, attrValues);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Ignore if it is Organization already exists
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::createSubOrganization"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the set of assigned services for the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set getAssignedServices() throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (parentOrgWithAdminToken.getRegisteredServiceNames());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (parentOrg.getRegisteredServiceNames());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::getAssignedServices"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Assigns the service to the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void assignService(String serviceName) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if it is a hidden realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (parentOrgName.startsWith(SMSEntry.SUN_INTERNAL_REALM_PREFIX)))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if service is already assigned
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!getAssignedServices().contains(serviceName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster parentOrg.registerService(serviceName, false, false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::assignService"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Unassigns the service from the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void unassignService(String serviceName) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if service is already unassigned
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (getAssignedServices().contains(serviceName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::unassignService"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns sub-organization names using AMSDK APIs. The returned names are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in "/" separated format and are normalized using DNMapper.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set getSubOrganizationNames(String pattern, boolean recursive)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Search for sub-organization names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subOrgDNs = parentOrgWithAdminToken.searchSubOrganizations(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subOrgDNs = parentOrg.searchSubOrganizations(pattern,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Convert DNs to "/" separated realm names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subOrgDNs != null && !subOrgDNs.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = subOrgDNs.iterator(); items.hasNext();) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subOrgs.add(DNMapper.orgNameToDN((String) items.next()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return SMSEntry.parseResult(subOrgs, smsOrgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::getSubOrganizationNames"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Deletes a sub-organization using AMSDK. If the recursive flag is set, then all
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * sub-entries are also removed. Else if sub-entries are present this will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * throw an exception.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void deleteSubOrganization(String subOrgName) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if subOrgName is empty or null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subOrgName == null || subOrgName.trim().length() == 0) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check if it is a hidden realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subOrgName.startsWith(SMSEntry.SUN_INTERNAL_REALM_NAME)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the suborg DN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set subOrgDNs = parentOrg.searchSubOrganizations(subOrgName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subOrgDNs != null && !subOrgDNs.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = subOrgDNs.iterator(); items.hasNext();) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMOrganization subOrg = parentOrg.getSubOrganization(dn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::deleteSubOrganization"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the AMSDK Organization attributes. The return attributes are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defined in the IdRepo service and can be configured per organization.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the list of attribute names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map attrMapping = getReverseAttributeMapping();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Perform AMSDK search
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attributes = parentOrg.getAttributes(attrNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (attributes != null && !attributes.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Do reverse name mapping, and copy to answer
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = attributes.keySet().iterator(); items
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::getAttributes"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame.getMessage(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (answer == null ? Collections.EMPTY_MAP : answer);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Adds attributes to the AMSDK Organization. The organization attribute names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are defined in the IdRepo service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void addAttributeValues(String attrName, Set values) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the attribute values, add the new values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and set the attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (attrName != null && values != null && !values.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // First get the attribute values, remove the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // specified values and then set the attributes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (origValues != null && !origValues.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets attributes on the AMSDK Organization. The organization attribute names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * are defined in the IdRepo service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void setAttributes(Map attributes) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Need to get attributes such as domain name, alias names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and org status from attributes and set them.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // These attributes must be defined in ../idm/xml/idRepoService.xml
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (attributes != null && !attributes.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map smsIdRepoAttrs = new CaseInsensitiveHashMap(attributes);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Iterate through the attribute mappings
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = attrs.keySet().iterator(); items
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean notEmptyFlg = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Avoid empty string storage.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Update the organization entry
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Organization: failed with AMException", ame);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sms-INVALID_SSO_TOKEN"));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the specified attribute from the AMSDK organization. The organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute names are defined in the IdRepo service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void removeAttribute(String attrName) throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the attribute mapping and removed specified attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String amsdkAttrName = (String) attrMap.get(attrName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK::removeAttribute"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new SMSException(AMSDKBundle.BUNDLE_NAME, ame
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "sms-INVALID_SSO_TOKEN"));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the specified attribute values from AMSDK organization. The
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization attribute names are defined in the IdRepo service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster void removeAttributeValues(String attrName, Set values) throws SMSException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // First get the attribute values, remove the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // specified values and then set the attributes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (origValues != null && !origValues.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the SMS attribute name to AMSDK attribute name mappings for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Map getAttributeMapping() throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map answer = (Map) attributeMappings.get(parentOrgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Construct the attribute mappings
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set mapAttrs = (Set) attrs.get(MAPPING_ATTR_NAME);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = mapAttrs.iterator(); items.hasNext();) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String[] maps = DNMapper.splitString(attrMapping);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add to cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the AMSDK attribute name to SMS attribute name mappings for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Map getReverseAttributeMapping() throws SMSException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map answer = (Map) reverseAttributeMappings.get(parentOrgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the attribute mapping and reverse it
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator items = attrMaps.entrySet().iterator(); items.hasNext();)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster answer.put(entry.getValue(), entry.getKey().toString());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster reverseAttributeMappings.put(parentOrgName, answer);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check to see if the user has realm permissions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private boolean checkRealmPermission(SSOToken token, String realm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean answer = false;
ba07e74da87b2caf40d3397e50523632daeb4cacAndrew Forrest DelegationEvaluator de = new DelegationEvaluatorImpl();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DelegationPermission dp = new DelegationPermission(realm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster com.sun.identity.sm.SMSEntry.REALM_SERVICE, "1.0", "*",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("OrgConfigViaAMSDK.checkRealmPermission: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK.checkRealmPermission: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMNamingAttrManager.getNamingAttr(AMObject.ORGANIZATION) :
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return AMNamingAttrManager.getNamingAttr(AMObject.ORGANIZATIONAL_UNIT);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("OrgConfigViaAMSDK::getSDKAttributeValue"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.warning("OrgConfigViaAMSDK::getSDKAttributeValue"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Clears the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster attributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster reverseAttributeMappings = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster amsdkdn2realmname = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster amsdkConfiguredRealms = new CaseInsensitiveHashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster protected static void updateAMSDKConfiguredRealms(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!amsdkConfiguredRealms.keySet().contains(realm)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster amsdkConfiguredRealms.put(realm, Boolean.valueOf(configured));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns true if the AMSDK plugin is configured for the realm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * otherwise returns false.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static boolean isAMSDKConfigured(String realm) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Boolean answer = (Boolean) amsdkConfiguredRealms.get(realm);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster OrganizationConfigManagerImpl.getInstance(token, realm);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Update cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the realm name that contains the AMSDK plugin with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given organization DN. The function optionally takes "inrealm",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the realm where the initial search is done.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If not found, returns null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static String getRealmForAMSDK(String amsdkdn,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If in legacy mode, return amsdkdn
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // if amsdk was not in DN format then normalizeDN will return null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgname = (String) amsdkdn2realmname.get(amsdkdn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK:getRealmForAMSDK " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "from cache: orgdn=" + amsdkdn + " realm=" + orgname);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // First check with "inrealm" and then with "amsdkdn"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Check inrealm first
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ocm = OrganizationConfigManagerImpl.getInstance(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Need to check for the following conditions before
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // using amsdkdn as the realm name to determine the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // AMSDK plugin organization name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // i) "inrealm" is null (realm name is not provided)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // ii) orgname != null && !orgname.equals(realm)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // (since orgname is not null, AMSDK has been configured
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // configured for the realm, but it does not match the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // provided "amsdkdn", hence need to check for amsdkdn realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // iii) !inrealm.equals(amsdkdn)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If same, the check has been done. No need to repeat
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // iv) If the dn starts with ou then the realm for the orgUnit
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // is hidden. So first replace values of all ou's in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // amsdkdn and then find the realm for it.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ((orgname != null) && !orgname.equals(realm)) ||
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster !amsdkdn.equals(DNUtils.normalizeDN(inrealm)))) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ocm = OrganizationConfigManagerImpl.getInstance(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((orgname != null) && orgname.equals(amsdkdn)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Ignore the exception, since the realm is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and an explicit search would be done below
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Ignore the exception, since the realm is not present
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // and an explicit search would be done below
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK:getRealmForAMSDK " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // If realm is still null, need to search the realm tree
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ocm = OrganizationConfigManagerImpl.getInstance(token, "/");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster updateAmsdk2RealmNameCache(token, ocm, amsdkdn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster realm = (String) amsdkdn2realmname.get(amsdkdn);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK:getRealmForAMSDK " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "full search orgdn=" + amsdkdn + " realm=" + realm);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK:getRealmForAMSDK" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " Exception: ", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("OrgConfigViaAMSDK:getRealmForAMSDK" +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method checks if the dn starts with org unit naming attr.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If yes, then it replaces values of all ou's by prefixing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * SMSEntry.SUN_INTERNAL_REALM_NAME because all realms mapping to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * orgUnits are hidden.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the dn does not start with org unit naming attr then it is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * returned as-is.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For example,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ou=X,ou=Y,o=DevSample,dc=red,dc=iplanet,dc=com
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is replaced with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ou=sunamhiddenrealmX,ou=sunamhiddenrealmY,o=DevSample,dc=red,dc=iplanet,dc=com
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgUnitDN String can not be null
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static String hideOrgUnits(String orgUnitDN) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington for (int i = rdns.size() - 1; i >= 0; i--) {
a14393818a78c503f7715c393044b33c86e90195Phill Cunnington result = result.child(new RDN(ou, SMSEntry.SUN_INTERNAL_REALM_NAME + rdnValue(rdn)));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static boolean updateAmsdk2RealmNameCache(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster OrganizationConfigManagerImpl ocm, String amsdkdn)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean foundEntry = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get the AMSDK DN configured for the realm, update cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster amsdkdn2realmname.put(orgname, ocm.getOrgDN());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Walk down the realm tree if entry is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set subRealmNames = ocm.getSubOrganizationNames(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((subRealmNames != null) && !subRealmNames.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator realms = subRealmNames.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static String getAmsdkdn(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Get idrepo plugins and check for amsdkdn plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceConfigManagerImpl sci = ServiceConfigManagerImpl
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .getInstance(token, ServiceManager.REALM_SERVICE, "1.0");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceConfigImpl sc = sci.getOrganizationConfig(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Returns the organization type for AMSDK DN.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMStoreConnection amcom = new AMStoreConnection(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster objType = amcom.getAMObjectType(parentOrgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // set as organizational unit
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("OrgConfigViaAMSDK: Unable to determine type");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // set as organizational unit