private void handleFederatedUserNameEqualsToSuperAdminUserName(UserRealm realm, String username,
                                                               UserStoreManager userStoreManager,
                                                               Collection<String> deletingRoles)
        throws UserStoreException, FrameworkException {

    // Only the primary user store's realm configuration defines the super admin user.
    if (userStoreManager.getRealmConfiguration().isPrimary()
            && username.equals(realm.getRealmConfiguration().getAdminUserName())) {
        if (log.isDebugEnabled()) {
            log.debug("Federated user's username is equal to super admin's username of local IdP.");
        }
        // Role sync would strip the super admin role from the super admin user;
        // refuse the login rather than unassign that role.
        if (deletingRoles.contains(realm.getRealmConfiguration().getAdminRoleName())) {
            if (log.isDebugEnabled()) {
                log.debug("Federated user doesn't have super admin role. Unable to sync roles, since"
                        + " super admin role cannot be unassigned from super admin user");
            }
            throw new FrameworkException(
                    "Federated user which having same username to super admin username of local IdP,"
                            + " trying login without having super admin role assigned");
        }
    }
}
/**
 * This method will unlock the admin account.
 */
private void unlockAdmin() {

    String adminUserName = IdentityMgtServiceComponent.getRealmService()
            .getBootstrapRealmConfiguration().getAdminUserName();
    try {
        if (isEnable()) {
            UserStoreManager userStoreMng = IdentityMgtServiceComponent.getRealmService()
                    .getBootstrapRealm().getUserStoreManager();
            // Clear both the lock and the disabled flag on the admin account.
            Map<String, String> claimMap = new HashMap<String, String>();
            claimMap.put(UserIdentityDataStore.ACCOUNT_LOCK, Boolean.toString(false));
            claimMap.put(UserIdentityDataStore.ACCOUNT_DISABLED, Boolean.toString(false));
            // The "do" method of this listener is called directly because, at the time of this
            // execution, this listener (or any other listener) may not have been registered yet.
            doPreSetUserClaimValues(adminUserName, claimMap, null, userStoreMng);
        }
    } catch (UserStoreException e) {
        log.error("Error while unlocking admin account", e);
    }
}
String loggedInUserName = getLoggedInUser();
RealmConfiguration realmConfig = realm.getRealmConfiguration();
// Only the admin user may delete the admin account itself.
if (userName != null && userName.equals(realmConfig.getAdminUserName())
        && !userName.equals(loggedInUserName)) {
    log.warn("An attempt to delete Admin user by user : " + loggedInUserName);

// Note: Arrays.binarySearch only gives a correct result if 'roles' is sorted.
// A non-admin caller may not delete a user who holds the admin role.
if (Arrays.binarySearch(roles, realmConfig.getAdminRoleName()) > -1
        && loggedInUserName != null
        && !userName.equals(loggedInUserName)
        && !realmConfig.getAdminUserName().equals(loggedInUserName)
        && !userName.equals(realmConfig.getAdminUserName())) {
    log.warn("An attempt to delete user in Admin role by user : " + loggedInUserName);
loggedInUserName = addPrimaryDomainIfNotExists(loggedInUserName);
String adminUser = addPrimaryDomainIfNotExists(realmConfig.getAdminUserName());
// Only the admin user may change the admin user's password.
if (realmConfig.getAdminUserName().equalsIgnoreCase(userName)
        && !adminUser.equalsIgnoreCase(loggedInUserName)) {
    log.warn("An attempt to change password of Admin user by user : " + loggedInUserName);
public void updateRoleName(String roleName, String newRoleName) throws UserAdminException {

    try {
        String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser());
        String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName());
        boolean isRoleHasAdminPermission;
        String roleWithoutDN = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER)[0];

        // check whether this role has admin permission
        isRoleHasAdminPermission = realm.getAuthorizationManager().
                isRoleAuthorized(roleWithoutDN, PERMISSION, UserMgtConstants.EXECUTE_ACTION);
        if (!isRoleHasAdminPermission) {
            isRoleHasAdminPermission = realm.getAuthorizationManager().
                    isRoleAuthorized(roleWithoutDN, PERMISSION_ADMIN, UserMgtConstants.EXECUTE_ACTION);
        }

        // Only the admin user may rename a role that carries admin permission.
        if (isRoleHasAdminPermission && !adminUser.equalsIgnoreCase(loggedInUserName)) {
            log.warn("An attempt to rename a role with admin permission by user " + loggedInUserName);
            throw new UserStoreException("You do not have the required privilege to rename a role with admin "
                    + "permission");
        }

        UserStoreManager usAdmin = realm.getUserStoreManager();
        usAdmin.updateRoleName(roleName, newRoleName);
    } catch (UserStoreException e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    }
}
public void updateRoleName(String roleName, String newRoleName) throws UserAdminException {

    try {
        String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser());
        String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName());
        boolean isRoleHasAdminPermission;
        String roleWithoutDN = roleName.split(UserCoreConstants.TENANT_DOMAIN_COMBINER)[0];

        // check whether this role had admin permission
        isRoleHasAdminPermission = realm.getAuthorizationManager().
                isRoleAuthorized(roleWithoutDN, PERMISSION, UserMgtConstants.EXECUTE_ACTION);
        if (!isRoleHasAdminPermission) {
            isRoleHasAdminPermission = realm.getAuthorizationManager().
                    isRoleAuthorized(roleWithoutDN, PERMISSION_ADMIN, UserMgtConstants.EXECUTE_ACTION);
        }

        if (isRoleHasAdminPermission && !adminUser.equalsIgnoreCase(loggedInUserName)) {
            log.warn("An attempt to rename role with admin permission by user " + loggedInUserName);
            throw new UserStoreException("You have not privilege to rename a role with Admin permission");
        }

        UserStoreManager usAdmin = realm.getUserStoreManager();
        usAdmin.updateRoleName(roleName, newRoleName);
    } catch (UserStoreException e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    }
}
public void deleteRole(String roleName) throws UserAdminException {

    try {
        String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser());
        String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName());
        boolean isRoleHasAdminPermission;

        // check whether this role had admin permission
        isRoleHasAdminPermission = realm.getAuthorizationManager().
                isRoleAuthorized(roleName, PERMISSION, UserMgtConstants.EXECUTE_ACTION);
        if (!isRoleHasAdminPermission) {
            isRoleHasAdminPermission = realm.getAuthorizationManager().
                    isRoleAuthorized(roleName, PERMISSION_ADMIN, UserMgtConstants.EXECUTE_ACTION);
        }

        if (isRoleHasAdminPermission && !adminUser.equalsIgnoreCase(loggedInUserName)) {
            log.warn("An attempt to delete role with admin permission by user " + loggedInUserName);
            throw new UserStoreException("You have not privilege to delete a role with Admin permission");
        }

        realm.getUserStoreManager().deleteRole(roleName);
    } catch (UserStoreException e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    }
}
/**
 * Add permissions to the appmgt/applicationdata collection for the given role.
 *
 * @param roleName    Name of the role to create if it does not already exist.
 * @param permissions Permissions to attach to the role.
 * @param userRealm   Realm whose tenant admin becomes the role's initial member.
 * @throws org.wso2.carbon.appmgt.api.AppManagementException
 */
public static void addNewRole(String roleName, Permission[] permissions,
                              org.wso2.carbon.user.api.UserRealm userRealm) throws AppManagementException {

    // TODO: Merge different resource loading methods and create a single method.
    try {
        // The tenant admin is added as the first member of the new role.
        String tenantAdminName = userRealm.getRealmConfiguration().getAdminUserName();
        String[] userList = new String[]{tenantAdminName};
        String[] existingRoles = userRealm.getUserStoreManager().getRoleNames();
        boolean roleExists = false;
        for (String role : existingRoles) {
            if (role.equalsIgnoreCase(roleName)) {
                roleExists = true;
                break;
            }
        }
        if (!roleExists) {
            userRealm.getUserStoreManager().addRole(roleName, userList, permissions);
        }
    } catch (UserStoreException e) {
        throw new AppManagementException("Error while adding new role : " + roleName, e);
    }
}
String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName());
if (rawResources != null && !adminUser.equalsIgnoreCase(loggedInUserName)) {
/**
 * Checks whether the given user name is the admin user name while the currently logged in user is
 * not the admin. Only the admin user is allowed to perform admin user profile related operations.
 *
 * @param username Username to be checked.
 * @return True if a non-admin user is attempting an operation on the admin user's profile
 *         (a spoof attempt); false otherwise.
 * @throws UserStoreException Error occurred while retrieving realm configuration.
 */
private boolean isAdminProfileSpoof(String username) throws UserStoreException {

    if (StringUtils.isEmpty(username)) {
        return false;
    }

    // Normalise both names to the primary domain so that "admin" and "PRIMARY/admin" compare equal.
    RealmConfiguration realmConfiguration = getUserRealm().getRealmConfiguration();
    String adminUsername = IdentityUtil.addDomainToName(realmConfiguration.getAdminUserName(),
            IdentityUtil.getPrimaryDomainName());
    String targetUsername = IdentityUtil.addDomainToName(username, IdentityUtil.getPrimaryDomainName());

    // If the given user name is not the admin username, we can simply allow and return false. Our intention is
    // to check whether a non admin user is trying to do operations on an admin profile.
    if (!StringUtils.equalsIgnoreCase(targetUsername, adminUsername)) {
        return false;
    }

    String loggedInUsername = CarbonContext.getThreadLocalCarbonContext().getUsername();
    if (loggedInUsername != null) {
        loggedInUsername = IdentityUtil.addDomainToName(loggedInUsername, IdentityUtil.getPrimaryDomainName());
    }

    // If the currently logged in user is also the admin user this isn't a spoof attempt. Hence returning false.
    return !StringUtils.equalsIgnoreCase(loggedInUsername, adminUsername);
}
public void deleteRole(String roleName) throws UserAdminException {

    try {
        String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser());
        String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName());
        boolean isRoleHasAdminPermission;

        // check whether this role had admin permission
        isRoleHasAdminPermission = realm.getAuthorizationManager().
                isRoleAuthorized(roleName, PERMISSION, UserMgtConstants.EXECUTE_ACTION);
        if (!isRoleHasAdminPermission) {
            isRoleHasAdminPermission = realm.getAuthorizationManager().
                    isRoleAuthorized(roleName, PERMISSION_ADMIN, UserMgtConstants.EXECUTE_ACTION);
        }

        if (isRoleHasAdminPermission && !adminUser.equalsIgnoreCase(loggedInUserName)) {
            log.warn("An attempt to delete a role with admin permission by user " + loggedInUserName);
            throw new UserStoreException("You do not have the required privilege to delete a role with admin "
                    + "permission");
        }

        realm.getUserStoreManager().deleteRole(roleName);
    } catch (UserStoreException e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new UserAdminException(e.getMessage(), e);
    }
}
public static void waitAndInitialize() {

    try {
        String mgtTransport = CarbonUtils.getManagementTransport();
        AxisConfiguration axisConfiguration = ServiceReferenceHolder
                .getContextService().getServerConfigContext().getAxisConfiguration();
        int mgtTransportPort = CarbonUtils.getTransportProxyPort(axisConfiguration, mgtTransport);
        if (mgtTransportPort <= 0) {
            mgtTransportPort = CarbonUtils.getTransportPort(axisConfiguration, mgtTransport);
        }

        // Using localhost as the hostname since this is always an internal admin service call.
        // Hostnames that can be retrieved using other approaches do not work in this context.
        url = mgtTransport + "://" + TenantInitializationConstants.LOCAL_HOST_NAME + ":"
                + mgtTransportPort + "/services/";

        // Super tenant admin credentials are read from the realm configuration and kept in memory
        // (password as a char[]) for the scheduled initialization task.
        adminName = ServiceDataHolder.getInstance().getRealmService()
                .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getRealmConfiguration()
                .getAdminUserName();
        adminPwd = ServiceDataHolder.getInstance().getRealmService()
                .getTenantUserRealm(MultitenantConstants.SUPER_TENANT_ID).getRealmConfiguration()
                .getAdminPassword().toCharArray();

        executor = new ScheduledThreadPoolExecutor(1);
        executor.scheduleAtFixedRate(new ScheduledThreadPoolExecutorImpl(),
                TenantInitializationConstants.DEFAULT_WAIT_DURATION,
                TenantInitializationConstants.DEFAULT_WAIT_DURATION, TimeUnit.SECONDS);
    } catch (UserStoreException e) {
        log.error("An error occurred while retrieving admin credentials for initializing on-premise "
                + "gateway configuration.", e);
    }
}
String superTenantName = ServiceReferenceHolder.getInstance().getRealmService()
        .getBootstrapRealmConfiguration().getAdminUserName();
String[] userList = new String[]{superTenantName};
manager.addRole(role, userList, subscriberPermissions);
String tenantAdminName = getRealmService().getTenantUserRealm(tenantId)
        .getRealmConfiguration().getAdminUserName();
String[] userList = new String[]{tenantAdminName};
manager.addRole(roleName, userList, subscriberPermissions);
public RealmConfigurationDTO getRealmConfiguration() throws UserStoreException {

    UserRealm userRealm = getApplicableUserRealm();
    RealmConfiguration realmConfig = userRealm.getRealmConfiguration();
    RealmConfigurationDTO realmConfigDTO = new RealmConfigurationDTO();

    realmConfigDTO.setRealmClassName(realmConfig.getRealmClassName());
    realmConfigDTO.setUserStoreClass(realmConfig.getUserStoreClass());
    realmConfigDTO.setAuthorizationManagerClass(realmConfig.getAuthorizationManagerClass());
    realmConfigDTO.setAdminRoleName(realmConfig.getAdminRoleName());
    realmConfigDTO.setAdminUserName(realmConfig.getAdminUserName());
    // The DTO carries the admin password as configured; callers must only expose it to
    // privileged (admin) requesters and never log or serialize it to unprivileged clients.
    realmConfigDTO.setAdminPassword(realmConfig.getAdminPassword());
    realmConfigDTO.setEveryOneRoleName(realmConfig.getEveryOneRoleName());
    realmConfigDTO.setUserStoreProperties(getPropertyValueArray(realmConfig.getUserStoreProperties()));
    realmConfigDTO.setAuthzProperties(getPropertyValueArray(realmConfig.getAuthzProperties()));
    realmConfigDTO.setRealmProperties(getPropertyValueArray(realmConfig.getRealmProperties()));

    return realmConfigDTO;
}