AMIdentity.java revision 05f62645a824776ff142194c8816dd3646029a16
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: AMIdentity.java,v 1.37 2009/11/20 23:52:54 ww203982 Exp $
*
*/
/*
* Portions Copyrighted 2011-2014 ForgeRock AS
*/
/**
* This class represents an Identity which needs to be managed by Access
* Manager. This identity could exist in multiple repositories, which are
* configured for a given realm or organization. When any operation is performed
* from this class, it executes all plugins that are configured for performing
* that operation. For eg: getAttributes. The application gets access to
* constructing <code> AMIdentity </code> objects by using
* <code> AMIdentityRepository
* </code> interfaces. For example:
* <p>
*
* <PRE>
*
* AMIdentityRepository idrepo = new AMIdentityRepository(token, org);
* AMIdentity id = idrepo.getRealmIdentity();
*
* </PRE>
*
* The <code>id</code> returned above is the AMIdentity object of the user's
* single sign-on token passed above. The results obtained from search performed
* using AMIdentityRepository also return AMIdentity objects. The type of an
* object can be determined by doing the following:
* <p>
*
* <PRE>
*
* IdType type = identity.getType();
*
* </PRE>
*
* The name of an object can be determined by:
* <p>
*
* <PRE>
*
* String name = identity.getName();
*
* </PRE>
*
* @supported.api
*/
public final class AMIdentity {
private String univIdWithoutDN;
private Set fullyQualifiedNames;
/**
* @supported.api
*
* Constructor for the <code>AMIdentity</code> object.
*
* @param ssotoken
* Single sign on token of the user
* @throws SSOException
* if user's single sign on token is invalid.
* @throws IdRepoException
* if the single sign on token does not have a
* a valid universal identifier
*/
}
/**
* @supported.api
*
* Constructor for the <code>AMIdentity</code> object.
*
* @param ssotoken
* Single sign on token to construct the identity
* object. Access permission to Identity object
* would be based on this user
* @param universalId
* Universal Identifier of the identity.
*
* @throws IdRepoException
* if the universal identifier is invalid
*
*/
throws IdRepoException {
}
// Validate Universal ID
}
// Not a valid UUID since it should have the
// name, type and realm components
}
// Valid UUID, construct rest of the parameters
// Check for AMSDK DN
int index;
// obtain DN and univIdWithoutDN
}
}
/**
* Constructor for the <code>AMIdentity</code> object.
*
* @param token
* Single sign on token to construct the identity
* object. Access permission to Identity object
* would be based on this user
* @param name
* the name associated with this identity.
* @param type
* the <code>IdType</code> of this identity.
* @param orgName
* the organizaton name this identity belongs to.
* @param amsdkdn
* the amsdk name assoicated with this identity if any.
*/
}
}
}
}
}
// General APIs
/**
*
* Returns the name of the identity.
*
* @return Name of the identity
* @supported.api
*/
// Since '0'th location currently has ContainerDefaultTemplate
// the 2nd location would have the realm name
}
return sname;
}
/**
* Returns the Type of the Identity.
*
* @return <code>IdType</code> representing the type of this object.
* @supported.api
*/
return type;
}
/**
* Returns the realm for this identity.
*
* @return String representing realm name.
* @supported.api
*/
return orgName;
}
/**
* If there is a status attribute configured, then verifies if the identity
* is active and returns true. This method is only valid for AMIdentity
* objects of type User and Agent.
*
* @return true if the identity is active or if it is not configured for a
* status attribute, false otherwise.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
/**
* If there is a status attribute configured, then set its status to
* true or activated state if the parameter active is true.
* This method is only valid for AMIdentity objects of type User and Agent.
*
* @param active The state value to assign to status attribute. The actual
* value assigned to the status attribute will depend on what is configured
* for that particular plugin. If active is true, the status will be
* assigned the value corresponding to activated.
* @throws IdRepoException If there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
* @supported.api
*/
public void setActiveStatus(boolean active)
throws IdRepoException, SSOException {
}
/**
* Returns all attributes and values of this identity. This method is only
* valid for AMIdentity objects of type User, Agent, Group, and Role.
*
* @return Map of attribute-values
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
if (debug.messageEnabled()) {
}
return attrs;
}
/**
* Returns requested attributes and values of this object.
*
* This method is only valid for AMIdentity object of type User, Agent,
* Group, and Role.
*
* @param attrNames
* Set of attribute names to be read
* @return Map of attribute-values.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
}
if (debug.messageEnabled()) {
}
return resultMap;
}
/**
* Returns requested attributes and values of this object.
*
* This method is only valid for AMIdentity objects of type User, Agent,
* Group, and Role.
*
* @param attrNames
* Set of attribute names to be read
* @return Map of attribute-values.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
univDN, false);
}
/**
* Returns the values of the requested attribute. Returns an empty set, if
* the attribute is not set in the object.
*
* This method is only valid for AMIdentity objects of type User, Agent,
* Group, and Role.
*
* @param attrName
* Name of attribute
* @return Set of attribute values.
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
/**
* Sets the values of attributes. This method should be followed by the
* method "store" to commit the changes to the Repository.
* This method is only valid for <code>AMIdentity</code> objects of
* type User and Agent.
*
* @param attrMap is a map of attribute name
* <code>(String)</code>
* to a <code>Set</code> of attribute values <code>(String)</code>.
* It is arranged as:
* Map::attrMap -->
* Key: String::AttributeName
* Value: Set::AttributeValues (Set of String)
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
{
}
/**
* Changes password for the identity.
*
* @param oldPassword old password
* @param newPassword new password
* @throws IdRepoException If there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
}
/**
* Set the values of binary attributes. This method should be followed by
* the method "store" to commit the changes to the Repository
*
* This method is only valid for AMIdentity objects of type User and Agent.
*
* @param attrMap
* Map of attribute-values to be set in the repository or
* repositories (if multiple plugins are configured for "edit").
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
/**
* Removes the attributes from the identity entry. This method should be
* followed by a "store" to commit the changes to the Repository.
*
* This method is only valid for AMIdentity objects of type User and Agent.
*
* @param attrNames
* Set of attribute names to be removed
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If the user's single sign on token is invalid
* @supported.api
*/
}
if (agentflg) {
}
} else {
}
}
}
/**
* Stores the attributes of the object.
*
* This method is only valid for AMIdentity objects of type User and Agent.
*
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
univDN, true);
}
}
}
// SERVICE RELATED APIS
/**
* Returns the set of services already assigned to this identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @return Set of serviceNames
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
// Get all service names for the type from SMS
try {
} catch (SMSException smse) {
}
// Get the list of assigned services
try {
} catch (IdRepoException ide) {
// Check if this is permission denied exception
throw (ide);
}
}
return (assigned);
}
/**
* Returns all services which can be assigned to this entity.
*
* This method is only valid for AMIdentity object of type User.
*
* @return Set of service names
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
// Get all service names for the type from SMS
try {
} catch (SMSException smse) {
}
// Get the list of assigned services
try {
} catch (IdRepoException ide) {
// Check if this is permission denied exception
throw (ide);
} else {
// Return the empty set
return (assigned);
}
}
// Return the difference
return (keys);
}
/**
* Assigns the service and service related attributes to the identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName
* Name of service to be assigned.
* @param attributes
* Map of attribute-values
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
}
// Validate the service attributes
try {
token);
// Check if attrMap has cos priority attribute
// If present, remove it for validating the attributes
true);
if (cosPriority != null) {
}
} else {
args);
}
if (attributes == null) {
try {
} catch (SMSException smsex) {
"451", args);
}
} else {
orgName, true);
}
}
// TODO: Remove this dependency of AMCrypt
} catch (SMSException smse) {
// debug.error here
}
// The protocol for params is to pass the
// name of the service, and attribute Map containing the
// OCs to be set and validated attribute map
}
/**
* Removes a service from the identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName
* Name of service to be removed.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
objectclasses, OCs);
try {
// Get attribute names for USER type only, so plugin knows
// what attributes to remove.
serviceName, token);
}
}
} catch (SMSException smse) {
/*
* debug.error( "AMIdentity.unassignService: Caught SM
* exception", smse); do nothing
*/
}
// The protocol is to pass service Name and Map of objectclasses
// to be removed from entry.
}
}
/**
* Returns attributes related to a service, if the service is assigned to
* the identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName
* Name of the service.
* @return Map of attribute-values.
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
}
/**
* Returns attributes related to a service, if the service is assigned
* to the identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName Name of the service.
* @return Map of attribute-values in array of byte.
* @throws IdRepoException if there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
* iPlanet-PUBLIC-METHOD
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
}
}
/**
* Returns attributes related to a service, if the service is assigned
* to the identity.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName Name of the service.
* @return Map of attribute-values.
* @throws IdRepoException if there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
if (debug.messageEnabled()) {
+ "; univDN=" + univDN);
}
}
/**
* Set attributes related to a specific service. The assumption is that the
* service is already assigned to the identity. The attributes for the
* service are validated against the service schema.
*
* This method is only valid for AMIdentity object of type User.
*
* @param serviceName
* Name of the service.
* @param attrMap
* Map of attribute-values.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
}
// Check if attrMap has cos priority attribute
// If present, remove it for validating the attributes
boolean hasCosPriority = (new CaseInsensitiveHashSet(
if (hasCosPriority) {
}
// Validate the attributes
try {
token);
} else {
"102", args);
}
} catch (SMSException smse) {
// debug.error
}
// Add COS priority if present
if (hasCosPriority) {
}
// modify service attrs
if (debug.messageEnabled()) {
}
}
/**
* Removes attributes value related to a specific service by
* setting it to empty.
* The assumption is that the service is already assigned to
* the identity. The attributes for the service are validated
* against the service schema.
*
* This method is only valid for <AMIdentity> object of type User.
*
* @param serviceName Name of the service.
* @param attrNames Set of attributes name.
* @throws IdRepoException If there are repository related error conditions.
* @throws SSOException If user's single sign on token is invalid.
* @supported.api
*/
throws IdRepoException, SSOException {
}
}
// MEMBERSHIP RELATED APIS
/**
* Verifies if this identity is a member of the identity being passed.
*
* This method is only valid for AMIdentity objects of type Role, Group and
* User.
*
* @param identity
* <code>AMIdentity</code> to check membership with
* @return true if this Identity is a member of the given Identity
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid.
* @supported.api
*/
boolean ismember = false;
try {
//This method should always retrieve all the membership information a user could possibly have (either
//through the user when memberOf attribute is defined, or through the group using uniquemember attribute),
//hence there is no need to try to look up the group and query its members to see if this given identity
//is in that list.
//Generally speaking, this should be the case for every IdRepo implementation -> when we ask for the user
//memberships, we should always get all of them for the sake of consistency.
ismember = true;
// Check for fully qualified names or
// if AM SDK DNs for these identities match
ismember = true;
break;
ismember = true;
break;
}
}
}
}
// If membership is still false, check only the UUID
// without the amsdkdn
// Get UUID without amsdkdn for "membership" identity
}
// Get UUID without amsdkdn for users memberships
if (endIdx >= 0) {
}
}
ismember = true;
break;
}
}
}
} catch (IdRepoException ide) {
// Save the exception to be used later
idException = ide;
}
if (idException != null) {
throw (idException);
}
return ismember;
}
/**
* @supported.api
*
* If membership is supported then add the new identity as a member.
*
* @param identity
* AMIdentity to be added
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid. non-public methods
*/
}
/**
* @supported.api
*
* Removes the identity from this identity's membership.
*
* @param identity
* AMIdentity to be removed from membership.
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid. non-public methods
*/
}
/**
* @supported.api
*
* Removes the identities from this identity's membership.
*
* @param identityObjects
* Set of AMIdentity objects
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid. non-public methods
*/
}
}
/**
* Return all members of a given identity type of this identity as a Set of
* AMIdentity objects.
*
* This method is only valid for AMIdentity objects of type Group and User.
*
* @param mtype
* Type of identity objects
* @return Set of AMIdentity objects that are members of this object.
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid.
* @supported.api
*/
return idServices
}
/**
* Returns the set of identities that this identity belongs to.
*
* This method is only valid for AMIdentity objects of type User and Role.
*
* @param mtype
* Type of member identity.
* @return Set of AMIdentity objects of the given type that this identity
* belongs to.
* @throws IdRepoException
* if there are repository related error conditions.
* @throws SSOException
* if user's single sign on token is invalid.
* @supported.api
*/
getDN());
}
/**
* This method determines if the identity exists and returns true or false.
*
* This method is only valid for AMIdentity objects of type User and Agent.
*
* @return true if the identity exists or false otherwise.
* @throws IdRepoException
* If there are repository related error conditions.
* @throws SSOException
* If user's single sign on token is invalid.
* @supported.api
*/
}
/**
* Returns <code>true</code> if the given object is equal to this object.
*
* @param o Object for comparison.
* @return <code>true</code> if the given object is equal to this object.
* @supported.api
*/
boolean isEqual = false;
if (o instanceof AMIdentity) {
isEqual = true;
// check if the amsdkdn match
isEqual = true;
}
}
// Check fully qualified names
isEqual = true;
break;
}
}
}
}
}
return (isEqual);
}
/**
* Non-javadoc, non-public methods
*/
public int hashCode() {
}
/**
* Nonjavadoc, non-public methods
*
*/
}
/**
* Returns universal distinguished name of this object.
*
* @return universal distinguished name of this object.
*/
return univDN;
}
/**
* Returns the universal identifier of this object.
*
* @return String representing the universal identifier of this object.
* @supported.api
*/
public String getUniversalId() {
return univIdWithoutDN;
}
/**
* Returns String representation of the <code>AMIdentity</code>
* object. It returns universal identifier, orgname, type, etc.
*
* @return String representation of the <code>ServiceConfig</code> object.
*/
}
}
// Returns a set of fully qulified names, as returned by DataStores
protected Set getFullyQualifiedNames() {
if (fullyQualifiedNames == null) {
try {
} catch (IdRepoException ire) {
if (debug.messageEnabled()) {
"got exception: ", ire);
}
} catch (SSOException ssoe) {
if (debug.messageEnabled()) {
"got exception: ", ssoe);
}
}
}
return (fullyQualifiedNames);
}
throws SSOException {
try {
}
}
} catch (SMSException smsex) {
}
return result;
}
/**
* Get service default config from SMS
*
* @param token
* SSOToken a valid SSOToken
* @param serviceName
* the service name
* @param schemaType
* service schema type (Dynamic, Policy etc)
* @return returns a Map of Default Configuration values for the specified
* service.
*/
token);
}
return attrMap;
}
/**
* Returns true if the service has the subSchema. False otherwise.
*
* @param token
* SSOToken a valid SSOToken
* @param serviceName
* the service name
* @param schemaType
* service schema type (Dynamic, Policy etc)
* @return true if the service has the subSchema.
*/
boolean schemaTypeFlg = false;
try {
token);
if (debug.messageEnabled()) {
+ types);
}
} catch (ServiceNotFoundException ex) {
if (debug.warningEnabled()) {
+ "Service does not exist : " + serviceName);
}
}
return (schemaTypeFlg);
}
throws IdRepoException, SSOException {
try {
// Get attribute names for USER type only, so plugin knows
// what attributes to remove.
serviceName, token);
}
// If the identity type is not of role, filteredrole or
// realm, need to add dynamic attributes also
} else {
}
}
} else {
// Add COS priority attribute
}
} catch (SMSException smse) {
if (debug.messageEnabled()) {
"AMIdentity.getServiceAttributes: Caught SM exception",
smse);
}
// just returned whatever we find or empty set
// if services is not found.
}
return attrNames;
}
}