/*global security, properties, openidm */


/**
 * This context population script is called after the managed user auth module has
 * successfully authenticated a user.
 *
 * global properties - auth module-specific properties from authentication.json for the
 * managed user auth module
 *
 * {
 *     "propertyMapping": {
 *         "userRoles": "roles",
 *         "userCredential": "password",
 *         "userId": "_id"
 *     },
 *     "authnPopulateContextScript": "auth/managedPopulateContext.js",
 *     "defaultUserRoles": [ ]
 * }
 *
 * global security - map of the security context details determined so far
 *
 * {
 *     "authorization": {
 *         "id": "jsmith",
 *         "component": "managed/user",
 *         "roles": [ "openidm-authorized" ]
 *     },
 *     "authenticationId": "jsmith",
 * }
 */

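(function () {

    /*
     * Rebuilds security.authorization so that its "roles" are derived from the
     * authenticated user's role relationships. Only relationship targets under
     * INTERNAL_ROLE_PATH are accepted as roles (an allow-list on the target
     * path, so a relationship to any other resource can never become a role),
     * and the role name is the last path element of the relationship _ref.
     *
     * Note: the "roles" already present in security.authorization (for example
     * those set from "defaultUserRoles") are replaced, not merged.
     *
     * Throws { code: 500 } when the userRoles propertyMapping entry is missing,
     * and { code: 401 } when the user or its roles property cannot be read.
     * Returns the updated security context.
     */

    var _ = require("lib/lodash"),
        ResourcePath = org.forgerock.json.resource.ResourcePath,
        INTERNAL_ROLE_PATH = "repo/internal/role",
        userRolesProperty,
        user,
        roles;

    // Validate configuration before touching the repository, so a misconfigured
    // module fails with the 500 below instead of with a repository error.
    if (!_.has(properties.propertyMapping, 'userRoles')) {
        throw {
            "code" : 500,
            "message" : "Authentication not properly configured; missing userRoles propertyMapping entry"
        };
    }
    userRolesProperty = properties.propertyMapping.userRoles;

    // The subject is taken from the security context already established by the
    // auth module; nothing from the request is used to build the path.
    user = openidm.read(security.authorization.component + "/" + security.authorization.id);

    if (!user || !_.has(user, userRolesProperty)) {
        throw {
            "code" : 401,
            "message" : "Unable to find property " + userRolesProperty + " for user"
        };
    }

    // Each relationship _ref is parsed once; both the allow-list check and the
    // role name come from the same ResourcePath. A null/undefined roles value
    // yields an empty list (lodash treats it as an empty collection).
    roles = _.chain(user[userRolesProperty])
        .map(function (r) {
            return ResourcePath.valueOf(r._ref);
        })
        .filter(function (path) {
            return path.startsWith(INTERNAL_ROLE_PATH);
        })
        .map(function (path) {
            // appending empty string converts the Java String into a JS string
            return path.leaf() + "";
        })
        .value();

    security.authorization = {
        'id': security.authorization.id,
        'component': security.authorization.component,
        'roles': roles
    };

    return security;
}());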