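/**
 * Lists the connector instances whose admin realm is covered by one of the realms the caller
 * holds {@code CONNECTOR_LIST} for.
 *
 * @return visible connector instances, or an empty list when the caller holds no
 * {@code CONNECTOR_LIST} realm at all
 */
@Override
public List<ConnInstance> findAll() {
    final Set<String> authRealms = AuthContextUtils.getAuthorizations().get(StandardEntitlement.CONNECTOR_LIST);
    if (authRealms == null || authRealms.isEmpty()) {
        return Collections.emptyList();
    }

    TypedQuery<ConnInstance> query = entityManager().createQuery(
            "SELECT e FROM " + JPAConnInstance.class.getSimpleName() + " e", ConnInstance.class);

    return query.getResultList().stream().
            filter(connInstance -> {
                String adminRealm = connInstance.getAdminRealm().getFullPath();
                // an authorized realm covers the admin realm when it is the same realm or an ancestor;
                // a bare prefix test would also accept unrelated siblings ("/a" matching "/ab")
                return authRealms.stream().anyMatch(realm -> adminRealm.equals(realm)
                        || adminRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
            }).
            collect(Collectors.toList());
}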
/**
 * Counts the entities handled by this DAO, grouped by realm.
 *
 * @return map from realm full path to the number of entities living in that realm
 */
@Override
public Map<String, Integer> countByRealm() {
    String jpql = "SELECT e.realm, COUNT(e) FROM " + anyUtils().anyClass().getSimpleName() + " e GROUP BY e.realm";
    Query query = entityManager().createQuery(jpql);

    // each row is [Realm, Long]: the realm entity and the count returned by the GROUP BY
    @SuppressWarnings("unchecked")
    List<Object[]> rows = query.getResultList();

    return rows.stream().collect(Collectors.toMap(
            row -> ((Realm) row[0]).getFullPath(),
            row -> ((Number) row[1]).intValue()));
}
/**
 * Counts the entities of the given type handled by this DAO, grouped by realm.
 *
 * @param anyType type to restrict the count to
 * @return map from realm full path to the number of entities of that type living in the realm
 */
@Override
public Map<String, Integer> countByRealm(final AnyType anyType) {
    String jpql = "SELECT e.realm, COUNT(e) FROM " + anyUtils().anyClass().getSimpleName() + " e "
            + "WHERE e.type=:type GROUP BY e.realm";
    Query query = entityManager().createQuery(jpql);
    query.setParameter("type", anyType);

    // each row is [Realm, Long]: the realm entity and the count returned by the GROUP BY
    @SuppressWarnings("unchecked")
    List<Object[]> rows = query.getResultList();

    return rows.stream().collect(Collectors.toMap(
            row -> ((Realm) row[0]).getFullPath(),
            row -> ((Number) row[1]).intValue()));
}
/**
 * Counts the entities handled by this DAO, grouped by realm.
 *
 * @return map from realm full path to the number of entities living in that realm
 */
@Override
public Map<String, Integer> countByRealm() {
    String jpql = "SELECT e.realm, COUNT(e) FROM " + anyUtils().anyClass().getSimpleName() + " e GROUP BY e.realm";
    Query query = entityManager().createQuery(jpql);

    // each row is [Realm, Long]: the realm entity and the count returned by the GROUP BY
    @SuppressWarnings("unchecked")
    List<Object[]> rows = query.getResultList();

    return rows.stream().collect(Collectors.toMap(
            row -> ((Realm) row[0]).getFullPath(),
            row -> ((Number) row[1]).intValue()));
}
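/**
 * Lists the external resources whose connector's admin realm is covered by one of the realms the
 * caller holds {@code RESOURCE_LIST} for; resources without a connector are never listed.
 *
 * @return visible resources, or an empty list when the caller holds no {@code RESOURCE_LIST} realm at all
 */
@Override
public List<ExternalResource> findAll() {
    final Set<String> authRealms = AuthContextUtils.getAuthorizations().get(StandardEntitlement.RESOURCE_LIST);
    if (authRealms == null || authRealms.isEmpty()) {
        return Collections.emptyList();
    }

    TypedQuery<ExternalResource> query = entityManager().createQuery(
            "SELECT e FROM " + JPAExternalResource.class.getSimpleName() + " e", ExternalResource.class);

    return query.getResultList().stream().
            filter(resource -> {
                if (resource.getConnector() == null) {
                    return false;
                }
                String adminRealm = resource.getConnector().getAdminRealm().getFullPath();
                // an authorized realm covers the admin realm when it is the same realm or an ancestor;
                // a bare prefix test would also accept unrelated siblings ("/a" matching "/ab")
                return authRealms.stream().anyMatch(realm -> adminRealm.equals(realm)
                        || adminRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
            }).
            collect(Collectors.toList());
}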
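/**
 * Finds a connector instance by key and enforces {@code CONNECTOR_READ} on its admin realm.
 *
 * @param key connector instance key
 * @return the connector instance, or {@code null} when no such key exists
 * @throws DelegatedAdministrationException if none of the caller's {@code CONNECTOR_READ} realms
 * is the connector's admin realm or one of its ancestors
 */
@Override
public ConnInstance authFind(final String key) {
    ConnInstance connInstance = find(key);
    if (connInstance == null) {
        return null;
    }

    String adminRealm = connInstance.getAdminRealm().getFullPath();
    Set<String> authRealms = AuthContextUtils.getAuthorizations().get(StandardEntitlement.CONNECTOR_READ);
    // a missing or empty entitlement yields no match; a bare prefix test would also accept
    // unrelated siblings ("/a" matching "/ab"), hence the explicit separator boundary
    boolean authorized = authRealms != null && authRealms.stream().anyMatch(realm -> adminRealm.equals(realm)
            || adminRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
    if (!authorized) {
        throw new DelegatedAdministrationException(
                adminRealm, ConnInstance.class.getSimpleName(), connInstance.getKey());
    }

    return connInstance;
}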
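/**
 * Enforces {@code GROUP_READ} for the given group: the caller must hold it on the group's realm or
 * an ancestor of it, as owner of the group, or on one of the dynamic realms the group belongs to.
 *
 * @param group group being accessed
 * @throws DelegatedAdministrationException if none of the caller's {@code GROUP_READ} realms covers the group
 */
@Override
protected void securityChecks(final Group group) {
    Set<String> authRealms = AuthContextUtils.getAuthorizations().
            getOrDefault(StandardEntitlement.GROUP_READ, Collections.emptySet());

    String groupRealm = group.getRealm().getFullPath();
    String ownerRealm = RealmUtils.getGroupOwnerRealm(groupRealm, group.getKey());
    // realm itself, an ancestor realm, or the group-owner pseudo realm; a bare prefix test
    // would also accept unrelated siblings ("/a" matching "/ab")
    boolean authorized = authRealms.stream().anyMatch(realm -> groupRealm.equals(realm)
            || groupRealm.startsWith(realm.endsWith("/") ? realm : realm + "/")
            || realm.equals(ownerRealm));
    if (!authorized) {
        // dynamic realm membership: any authorized realm that is a dynamic realm key the group matches
        authorized = findDynRealms(group.getKey()).stream().anyMatch(authRealms::contains);
    }

    if (!authorized) {
        throw new DelegatedAdministrationException(groupRealm, AnyTypeKind.GROUP.name(), group.getKey());
    }
}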
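/**
 * Finds an external resource by key and enforces {@code RESOURCE_READ} on the admin realm of its connector.
 *
 * @param key resource key
 * @return the resource, or {@code null} when no such key exists
 * @throws DelegatedAdministrationException if the resource has no connector, or none of the caller's
 * {@code RESOURCE_READ} realms is the connector's admin realm or one of its ancestors
 */
@Override
public ExternalResource authFind(final String key) {
    ExternalResource resource = find(key);
    if (resource == null) {
        return null;
    }

    // a resource without connector has no admin realm, so no entitlement can cover it; resolving the
    // path once also avoids dereferencing a null connector again when building the exception below
    String adminRealm = resource.getConnector() == null
            ? null
            : resource.getConnector().getAdminRealm().getFullPath();
    Set<String> authRealms = AuthContextUtils.getAuthorizations().get(StandardEntitlement.RESOURCE_READ);
    // a bare prefix test would also accept unrelated siblings ("/a" matching "/ab")
    boolean authorized = adminRealm != null && authRealms != null
            && authRealms.stream().anyMatch(realm -> adminRealm.equals(realm)
            || adminRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
    if (!authorized) {
        throw new DelegatedAdministrationException(
                adminRealm, ExternalResource.class.getSimpleName(), resource.getKey());
    }

    return resource;
}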
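/**
 * Enforces {@code USER_READ} for the given user, unless the caller is the anonymous user or the
 * user itself: the caller must hold it on the user's realm or an ancestor of it, or on one of the
 * dynamic realms the user belongs to.
 *
 * @param user user being accessed
 * @throws DelegatedAdministrationException if none of the caller's {@code USER_READ} realms covers the user
 */
@Override
protected void securityChecks(final User user) {
    // Allows anonymous (during self-registration) and self (during self-update) to read own user,
    // otherwise goes through security checks to see if required entitlements are owned.
    // Note that the anonymous bypass covers any user entity, not only the one being registered:
    // it relies on the anonymous principal being confined to self-service endpoints elsewhere.
    String caller = AuthContextUtils.getUsername();
    if (caller.equals(anonymousUser) || caller.equals(user.getUsername())) {
        return;
    }

    Set<String> authRealms = AuthContextUtils.getAuthorizations().
            getOrDefault(StandardEntitlement.USER_READ, Collections.emptySet());

    String userRealm = user.getRealm().getFullPath();
    // realm itself or an ancestor realm; a bare prefix test would also accept
    // unrelated siblings ("/a" matching "/ab")
    boolean authorized = authRealms.stream().anyMatch(realm -> userRealm.equals(realm)
            || userRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
    if (!authorized) {
        // dynamic realm membership: any authorized realm that is a dynamic realm key the user matches
        authorized = findDynRealms(user.getKey()).stream().anyMatch(authRealms::contains);
    }

    if (!authorized) {
        throw new DelegatedAdministrationException(userRealm, AnyTypeKind.USER.name(), user.getKey());
    }
}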
LOG.warn("Could not find Realm with path {}, ignoring", parentFullPath); } else { realmTO.setParent(parent.getFullPath());
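/**
 * Enforces the type-specific {@code READ} entitlement for the given any object: the caller must hold
 * it on the object's realm or an ancestor of it, or on one of the dynamic realms the object belongs to.
 *
 * @param anyObject any object being accessed
 * @throws DelegatedAdministrationException if none of the caller's realms for that entitlement covers the object
 */
@Override
protected void securityChecks(final AnyObject anyObject) {
    // the READ entitlement is per any type, e.g. one key per "PRINTER", "MACHINE", ...
    String entitlement = AnyEntitlement.READ.getFor(anyObject.getType().getKey());
    Set<String> authRealms = AuthContextUtils.getAuthorizations().
            getOrDefault(entitlement, Collections.emptySet());

    String objectRealm = anyObject.getRealm().getFullPath();
    // realm itself or an ancestor realm; a bare prefix test would also accept
    // unrelated siblings ("/a" matching "/ab")
    boolean authorized = authRealms.stream().anyMatch(realm -> objectRealm.equals(realm)
            || objectRealm.startsWith(realm.endsWith("/") ? realm : realm + "/"));
    if (!authorized) {
        // dynamic realm membership: any authorized realm that is a dynamic realm key the object matches
        authorized = findDynRealms(anyObject.getKey()).stream().anyMatch(authRealms::contains);
    }

    if (!authorized) {
        throw new DelegatedAdministrationException(
                objectRealm, AnyTypeKind.ANY_OBJECT.name(), anyObject.getKey());
    }
}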
/**
 * Resolves the realm attribute referenced by the given org unit mapping item.
 *
 * @param realm realm to read from
 * @param orgUnitItem mapping item whose internal attribute name selects the realm field
 * @return the realm's {@code key}, {@code name} or {@code fullpath}, or {@code null} for any other
 * internal attribute name
 */
private String getIntValue(final Realm realm, final Item orgUnitItem) {
    switch (orgUnitItem.getIntAttrName()) {
        case "key":
            return realm.getKey();

        case "name":
            return realm.getName();

        case "fullpath":
            return realm.getFullPath();

        default:
            return null;
    }
}
/**
 * Builds this realm's full path from its ancestors.
 *
 * @return {@link SyncopeConstants#ROOT_REALM} for the root realm, otherwise the parent's full path,
 * a single {@code /} separator and this realm's name
 */
@Override
public String getFullPath() {
    Realm parent = getParent();
    if (parent == null) {
        return SyncopeConstants.ROOT_REALM;
    }

    // the root path already ends with "/", so the separator is only appended when missing
    String parentPath = StringUtils.appendIfMissing(parent.getFullPath(), "/");
    return parentPath + getName();
}
/**
 * Deletes the given external resource after checking {@code RESOURCE_DELETE} on the admin realm of
 * its connector.
 *
 * @param key resource key
 * @return transfer object of the resource as it was before deletion
 * @throws NotFoundException if no resource with the given key is visible to the caller
 */
@PreAuthorize("hasRole('" + StandardEntitlement.RESOURCE_DELETE + "')")
public ResourceTO delete(final String key) {
    ExternalResource resource = resourceDAO.authFind(key);
    if (resource == null) {
        throw new NotFoundException("Resource '" + key + "'");
    }

    String adminRealm = resource.getConnector().getAdminRealm().getFullPath();
    Set<String> effectiveRealms = RealmUtils.getEffective(
            AuthContextUtils.getAuthorizations().get(StandardEntitlement.RESOURCE_DELETE), adminRealm);
    securityChecks(effectiveRealms, adminRealm, resource.getKey());

    // snapshot before the entity is removed, since the TO is built from the managed entity
    ResourceTO deleted = binder.getResourceTO(resource);
    resourceDAO.delete(key);
    return deleted;
}
/**
 * Deletes the given connector instance after checking {@code CONNECTOR_DELETE} on its admin realm;
 * a connector still referenced by resources is not deleted.
 *
 * @param key connector instance key
 * @return transfer object of the connector instance as it was before deletion
 * @throws NotFoundException if no connector instance with the given key is visible to the caller
 * @throws SyncopeClientException ({@code AssociatedResources}) listing the keys of the resources
 * still using this connector
 */
@PreAuthorize("hasRole('" + StandardEntitlement.CONNECTOR_DELETE + "')")
public ConnInstanceTO delete(final String key) {
    ConnInstance connInstance = connInstanceDAO.authFind(key);
    if (connInstance == null) {
        throw new NotFoundException("Connector '" + key + "'");
    }

    String adminRealm = connInstance.getAdminRealm().getFullPath();
    Set<String> effectiveRealms = RealmUtils.getEffective(
            AuthContextUtils.getAuthorizations().get(StandardEntitlement.CONNECTOR_DELETE), adminRealm);
    securityChecks(effectiveRealms, adminRealm, connInstance.getKey());

    if (!connInstance.getResources().isEmpty()) {
        SyncopeClientException associatedResources =
                SyncopeClientException.build(ClientExceptionType.AssociatedResources);
        connInstance.getResources().
                forEach(resource -> associatedResources.getElements().add(resource.getKey()));
        throw associatedResources;
    }

    // snapshot before the entity is removed, since the TO is built from the managed entity
    ConnInstanceTO deleted = binder.getConnInstanceTO(connInstance);
    connInstanceDAO.delete(key);
    return deleted;
}
/**
 * Updates an existing external resource after checking {@code RESOURCE_UPDATE} on the admin realm
 * of its current connector.
 *
 * @param resourceTO new resource content, identified by its key
 * @return transfer object of the saved resource
 * @throws NotFoundException if no resource with the given key is visible to the caller
 */
@PreAuthorize("hasRole('" + StandardEntitlement.RESOURCE_UPDATE + "')")
public ResourceTO update(final ResourceTO resourceTO) {
    String key = resourceTO.getKey();
    ExternalResource resource = resourceDAO.authFind(key);
    if (resource == null) {
        throw new NotFoundException("Resource '" + key + "'");
    }

    String adminRealm = resource.getConnector().getAdminRealm().getFullPath();
    Set<String> effectiveRealms = RealmUtils.getEffective(
            AuthContextUtils.getAuthorizations().get(StandardEntitlement.RESOURCE_UPDATE), adminRealm);
    securityChecks(effectiveRealms, adminRealm, resource.getKey());

    ExternalResource updated = binder.update(resource, resourceTO);
    return binder.getResourceTO(resourceDAO.save(updated));
}
/**
 * Combines a dynamic membership FIQL condition with the restriction that candidates be assignable
 * from the group's realm.
 *
 * @param baseCondFIQL FIQL expression defining the dynamic membership
 * @param groupRealm realm of the group owning the dynamic membership
 * @return AND condition of the assignable-realm leaf and the converted FIQL condition
 */
private SearchCond buildDynMembershipCond(final String baseCondFIQL, final Realm groupRealm) {
    AssignableCond assignable = new AssignableCond();
    assignable.setRealmFullPath(groupRealm.getFullPath());
    assignable.setFromGroup(true);

    SearchCond assignableCond = SearchCond.getLeafCond(assignable);
    SearchCond baseCond = SearchCondConverter.convert(baseCondFIQL);
    return SearchCond.getAndCond(assignableCond, baseCond);
}
/**
 * Creates a new external resource after checking {@code RESOURCE_CREATE} on the admin realm of the
 * connector it refers to.
 *
 * @param resourceTO resource to create; key and connector are required
 * @return transfer object of the saved resource
 * @throws SyncopeClientException ({@code RequiredValuesMissing}) if the key is blank, or
 * ({@code InvalidExternalResource}) if the referenced connector is not visible to the caller
 * @throws DuplicateException if a resource with the same key already exists
 */
@PreAuthorize("hasRole('" + StandardEntitlement.RESOURCE_CREATE + "')")
public ResourceTO create(final ResourceTO resourceTO) {
    String key = resourceTO.getKey();
    if (StringUtils.isBlank(key)) {
        SyncopeClientException missing = SyncopeClientException.build(ClientExceptionType.RequiredValuesMissing);
        missing.getElements().add("Resource key");
        throw missing;
    }

    String connectorKey = resourceTO.getConnector();
    ConnInstance connInstance = connInstanceDAO.authFind(connectorKey);
    if (connInstance == null) {
        SyncopeClientException invalid = SyncopeClientException.build(ClientExceptionType.InvalidExternalResource);
        invalid.getElements().add("Connector " + connectorKey);
        throw invalid;
    }

    String adminRealm = connInstance.getAdminRealm().getFullPath();
    Set<String> effectiveRealms = RealmUtils.getEffective(
            AuthContextUtils.getAuthorizations().get(StandardEntitlement.RESOURCE_CREATE), adminRealm);
    securityChecks(effectiveRealms, adminRealm, null);

    // NOTE(review): authFind is used as the existence check, so an existing key whose connector lies
    // outside the caller's realms surfaces as DelegatedAdministrationException rather than
    // DuplicateException - confirm this is the intended outcome
    if (resourceDAO.authFind(key) != null) {
        throw new DuplicateException(key);
    }

    ExternalResource created = binder.create(resourceTO);
    return binder.getResourceTO(resourceDAO.save(created));
}
/**
 * Converts a realm entity into its transfer object.
 *
 * @param realm realm to convert
 * @param admin whether to include policies, actions, templates and resources, which are only
 * meaningful to administrators
 * @return transfer object with key, name, parent key and full path always set, and the
 * administrative details only when {@code admin} is {@code true}
 */
@Override
public RealmTO getRealmTO(final Realm realm, final boolean admin) {
    RealmTO realmTO = new RealmTO();
    realmTO.setKey(realm.getKey());
    realmTO.setName(realm.getName());
    realmTO.setFullPath(realm.getFullPath());

    // the root realm has no parent
    Realm parent = realm.getParent();
    realmTO.setParent(parent == null ? null : parent.getKey());

    if (!admin) {
        return realmTO;
    }

    if (realm.getAccountPolicy() != null) {
        realmTO.setAccountPolicy(realm.getAccountPolicy().getKey());
    } else {
        realmTO.setAccountPolicy(null);
    }
    if (realm.getPasswordPolicy() != null) {
        realmTO.setPasswordPolicy(realm.getPasswordPolicy().getKey());
    } else {
        realmTO.setPasswordPolicy(null);
    }

    realm.getActions().forEach(action -> realmTO.getActions().add(action.getKey()));
    // templates are keyed by the any type they apply to
    realm.getTemplates().forEach(
            template -> realmTO.getTemplates().put(template.getAnyType().getKey(), template.get()));
    realm.getResources().forEach(resource -> realmTO.getResources().add(resource.getKey()));

    return realmTO;
}
/**
 * Builds a transfer object for a new any from a connector object read during pull.
 *
 * @param <T> concrete transfer object type for the provisioned any type
 * @param obj connector object read from the external resource
 * @param pullTask pull task providing destination realm and templates
 * @param provision provision whose mapping drives which attributes are pulled
 * @param anyUtils helper creating the transfer object for the provisioned any type
 * @return transfer object filled from the mapped connector attributes and then from the pull task
 * template for that any type, if one is defined
 */
private <T extends AnyTO> T getAnyTOFromConnObject(
        final ConnectorObject obj,
        final PullTask pullTask,
        final Provision provision,
        final AnyUtils anyUtils) {

    T anyTO = anyUtils.newAnyTO();
    anyTO.setType(provision.getAnyType().getKey());

    // 1. fill with data from connector object
    // (getDestinatioRealm is the accessor's actual name on PullTask)
    anyTO.setRealm(pullTask.getDestinatioRealm().getFullPath());
    for (Item item : MappingUtils.getPullItems(provision.getMapping().getItems())) {
        Attribute extAttr = obj.getAttributeByName(item.getExtAttrName());
        mappingManager.setIntValues(item, extAttr, anyTO);
    }

    // 2. add data from defined template (if any)
    templateUtils.apply(anyTO, pullTask.getTemplate(provision.getAnyType()));

    return anyTO;
}
}