Gitiles
Code Review Sign In
korap.ids-mannheim.de / KorAP / Kustvakt / dda4ef7ada41035520180a0650d18445405dfcbf / . / full / src / main / java / de / ids_mannheim / korap / authentication / KustvaktAuthenticationManager.java
blob: e6bce21d60aca781db2819d0d7cc6687491955bf [file] [log] [blame]
margaretha139d0f72017-11-14 18:56:22 +0100[diff] [blame]1package de.ids_mannheim.korap.authentication;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]2
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]3import java.io.IOException;
4import java.io.UnsupportedEncodingException;
5import java.net.InetAddress;
6import java.net.UnknownHostException;
7import java.security.NoSuchAlgorithmException;
margaretha4b5c1412017-11-15 20:55:04 +0100[diff] [blame]8import java.util.Arrays;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]9import java.util.Collection;
10import java.util.Map;
11
12import javax.ws.rs.core.HttpHeaders;
13import javax.ws.rs.core.MultivaluedMap;
14
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]15import org.apache.logging.log4j.LogManager;
16import org.apache.logging.log4j.Logger;
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]17import org.springframework.beans.factory.annotation.Autowired;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]18
margaretha6ef00dd2018-09-12 14:06:38 +0200[diff] [blame]19import com.mchange.rmi.NotAuthorizedException;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]20// import com.novell.ldap.*; search() funktioniert nicht korrekt, ausgewechselt gegen unboundID's Bibliothek 20.04.17/FB
21//Using JAR from unboundID:
22import com.unboundid.ldap.sdk.LDAPException;
Bodmoca3dcfb2017-05-24 16:36:00 +0200[diff] [blame]23
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]24import de.ids_mannheim.korap.auditing.AuditRecord;
Michael Hanl00b64e02016-05-24 20:24:27 +0200[diff] [blame]25import de.ids_mannheim.korap.config.Attributes;
Michael Hanldaf86602016-05-12 14:31:52 +0200[diff] [blame]26import de.ids_mannheim.korap.config.BeansFactory;
margaretha56e8e552017-12-05 16:31:21 +0100[diff] [blame]27import de.ids_mannheim.korap.config.FullConfiguration;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]28import de.ids_mannheim.korap.config.URIParam;
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]29import de.ids_mannheim.korap.constant.AuthenticationMethod;
30import de.ids_mannheim.korap.constant.TokenType;
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]31import de.ids_mannheim.korap.dao.AdminDao;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]32import de.ids_mannheim.korap.exceptions.EmptyResultException;
33import de.ids_mannheim.korap.exceptions.KustvaktException;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]34import de.ids_mannheim.korap.exceptions.StatusCodes;
35import de.ids_mannheim.korap.exceptions.WrappedException;
Michael Hanl19390652016-01-16 11:01:24 +0100[diff] [blame]36import de.ids_mannheim.korap.interfaces.EncryptionIface;
margaretha69e8adc2018-03-15 15:14:22 +0100[diff] [blame]37import de.ids_mannheim.korap.interfaces.EntityHandlerIface;
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]38import de.ids_mannheim.korap.interfaces.ValidatorIface;
Michael Hanlf21773f2015-10-16 23:02:31 +0200[diff] [blame]39import de.ids_mannheim.korap.interfaces.db.AuditingIface;
Michael Hanl415276b2016-01-29 16:39:37 +0100[diff] [blame]40import de.ids_mannheim.korap.interfaces.db.UserDataDbIface;
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]41import de.ids_mannheim.korap.interfaces.defaults.ApacheValidator;
margaretha0e8f4e72018-04-05 14:11:52 +0200[diff] [blame]42import de.ids_mannheim.korap.security.context.TokenContext;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]43import de.ids_mannheim.korap.user.DemoUser;
44import de.ids_mannheim.korap.user.KorAPUser;
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]45import de.ids_mannheim.korap.user.ShibbolethUser;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]46import de.ids_mannheim.korap.user.User;
Bodmoca3dcfb2017-05-24 16:36:00 +0200[diff] [blame]47import de.ids_mannheim.korap.user.User.CorpusAccess;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]48import de.ids_mannheim.korap.user.User.Location;
49import de.ids_mannheim.korap.user.UserDetails;
50import de.ids_mannheim.korap.user.UserSettings;
51import de.ids_mannheim.korap.user.Userdata;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]52import de.ids_mannheim.korap.utils.TimeUtils;
Bodmoca3dcfb2017-05-24 16:36:00 +0200[diff] [blame]53
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]54/**
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]55 * contains the logic to authentication and registration processes. Uses
56 * interface implementations (AuthenticationIface) for different databases and
57 * handlers
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]58 *
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]59 * @author hanl
60 */
margaretha34954472018-10-24 20:05:17 +0200[diff] [blame]61public class KustvaktAuthenticationManager extends AuthenticationManager {
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]62
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]63 private static Logger jlog = LogManager.getLogger(KustvaktAuthenticationManager.class);
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]64 public static boolean DEBUG = false;
65
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]66 private EncryptionIface crypto;
67 private EntityHandlerIface entHandler;
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]68 @Autowired
69 private AdminDao adminDao;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]70 private AuditingIface auditing;
margaretha56e8e552017-12-05 16:31:21 +0100[diff] [blame]71 private FullConfiguration config;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]72 private Collection userdatadaos;
73 private LoginCounter counter;
74 private ValidatorIface validator;
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]75
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]76 public KustvaktAuthenticationManager(EntityHandlerIface userdb, EncryptionIface crypto,
margaretha56e8e552017-12-05 16:31:21 +0100[diff] [blame]77 FullConfiguration config, AuditingIface auditer, Collection<UserDataDbIface> userdatadaos) {
margaretha2df06602018-11-14 19:10:30 +0100[diff] [blame]78 super("id_tokens");
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]79 this.entHandler = userdb;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]80 this.config = config;
81 this.crypto = crypto;
82 this.auditing = auditer;
83 this.counter = new LoginCounter(config);
84 this.userdatadaos = userdatadaos;
85 // todo: load via beancontext
86 try {
87 this.validator = new ApacheValidator();
88 } catch (IOException e) {
89 e.printStackTrace();
90 }
91 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]92
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]93 /**
94 * get session object if token was a session token
95 *
96 * @param token
97 * @param host
98 * @param useragent
99 * @return
100 * @throws KustvaktException
101 */
102 @Override
margarethadfecb4b2017-12-12 19:32:30 +0100[diff] [blame]103 public TokenContext getTokenContext(TokenType type, String token,
margaretha4b5c1412017-11-15 20:55:04 +0100[diff] [blame]104 String host, String useragent) throws KustvaktException {
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]105
margaretha4de41192017-11-15 11:47:11 +0100[diff] [blame]106 AuthenticationIface provider = getProvider(type , null);
Michael Hanl99cb9632016-06-29 16:24:40 +0200[diff] [blame]107
margaretha6b3ecdd2018-03-01 18:23:56 +0100[diff] [blame]108 if (provider == null){
margaretha4b5c1412017-11-15 20:55:04 +0100[diff] [blame]109 throw new KustvaktException(StatusCodes.ILLEGAL_ARGUMENT,
margaretha6b3ecdd2018-03-01 18:23:56 +0100[diff] [blame]110 "Authentication provider for token type "+type
111 +" is not found.", type.displayName());
112 }
113
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]114 TokenContext context = provider.getTokenContext(token);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]115 // if (!matchStatus(host, useragent, context))
116 // provider.removeUserSession(token);
117 return context;
118 }
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]119
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]120 @Override
121 public User getUser(String username) throws KustvaktException {
122 // User user;
123 // Object value = this.getCacheValue(username);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]124
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]125 if (User.UserFactory.isDemo(username))
126 return User.UserFactory.getDemoUser();
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]127
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]128 // if (value != null) {
129 // Map map = (Map) value;
130 // user = User.UserFactory.toUser(map);
131 // }
132 // else {
133 // user = entHandler.getAccount(username);
134 // this.storeInCache(username, user.toCache());
135 // todo: not valid. for the duration of the session, the host should not
136 // change!
137 // }
138 // todo:
139 // user.addField(Attributes.HOST, context.getHostAddress());
140 // user.addField(Attributes.USER_AGENT, context.getUserAgent());
margaretha0b63de42017-12-20 18:48:09 +0100[diff] [blame]141
142 //EM:copied from EntityDao
143 KorAPUser user = new KorAPUser(); // oder eigentlich new DemoUser oder new DefaultUser.
144 user.setUsername(username);
145 return user;
146// return entHandler.getAccount(username);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]147 }
margaretha7d0165c2018-02-26 15:31:37 +0100[diff] [blame]148
149 @Override
150 public User getUser (String username, String method)
151 throws KustvaktException {
152 KorAPUser user = new KorAPUser();
153 user.setUsername(username);
154 String email = null;
155 switch (method.toLowerCase()) {
156 case "ldap":
157 email = config.getTestEmail();
158 break;
159 default:
160 email = config.getTestEmail();
161 break;
162 }
163 user.setEmail(email);
164 return user;
165 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]166
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]167 public TokenContext refresh(TokenContext context) throws KustvaktException {
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]168 AuthenticationIface provider = getProvider(context.getTokenType(), null);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]169 if (provider == null) {
170 // todo:
171 }
Michael Hanlc4446022016-02-12 18:03:17 +0100[diff] [blame]172
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]173 try {
174 provider.removeUserSession(context.getToken());
175 User user = getUser(context.getUsername());
176 return provider.createTokenContext(user, context.params());
177 } catch (KustvaktException e) {
178 throw new WrappedException(e, StatusCodes.LOGIN_FAILED);
179 }
180 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]181
margarethafde771a2017-11-14 15:02:10 +0100[diff] [blame]182 /** EM: fix type is not flexible
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]183 * @param type
184 * @param attributes
185 * contains username and password to authenticate the user.
186 * Depending of the authentication schema, may contain other
187 * values as well
188 * @return User
189 * @throws KustvaktException
190 */
191 @Override
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]192 public User authenticate(AuthenticationMethod method, String username, String password, Map<String, Object> attributes)
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]193 throws KustvaktException {
194 User user;
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]195 switch (method) {
margaretha139d0f72017-11-14 18:56:22 +0100[diff] [blame]196 case SHIBBOLETH:
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]197 // todo:
198 user = authenticateShib(attributes);
199 break;
margaretha139d0f72017-11-14 18:56:22 +0100[diff] [blame]200 case LDAP:
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]201 // IdM/LDAP: (09.02.17/FB)
202 user = authenticateIdM(username, password, attributes);
203 break;
margaretha6374f722018-04-17 18:45:57 +0200[diff] [blame]204 // EM: added a dummy authentication for testing
205 case TEST:
206 user = getUser(username);
207 break;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]208 default:
209 user = authenticate(username, password, attributes);
210 break;
211 }
212 auditing.audit(AuditRecord.serviceRecord(user.getId(), StatusCodes.LOGIN_SUCCESSFUL, user.toString()));
213 return user;
214 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]215
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]216 // a. set location depending on X-Forwarded-For.
217 // X-Forwarded-For: clientIP, ProxyID, ProxyID...
218 // the following private address spaces may be used to define intranet
219 // spaces:
220 // 10.0.0.0 - 10.255.255.255 (10/8 prefix)
221 // 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
222 // 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
223 // b. set corpusAccess depending on location:
Bodmo11fb6f82017-06-01 11:39:15 +0200[diff] [blame]224 // c. DemoUser only gets corpusAccess=FREE.
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]225 // 16.05.17/FB
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]226
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]227 @Override
228 public void setAccessAndLocation(User user, HttpHeaders headers) {
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]229 MultivaluedMap<String, String> headerMap = headers.getRequestHeaders();
230 Location location = Location.EXTERN;
231 CorpusAccess corpusAccess = CorpusAccess.FREE;
margarethaa89c3f92017-05-30 19:02:08 +0200[diff] [blame]232
Bodmo11fb6f82017-06-01 11:39:15 +0200[diff] [blame]233 if( user instanceof DemoUser )
234 {
235 // to be absolutely sure:
236 user.setCorpusAccess(User.CorpusAccess.FREE);
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]237 if (DEBUG) {
238 jlog.debug("setAccessAndLocation: DemoUser: location="
239 + user.locationtoString() + " access="
240 + user.accesstoString());
241 }
Bodmo11fb6f82017-06-01 11:39:15 +0200[diff] [blame]242 return;
243 }
margarethaa89c3f92017-05-30 19:02:08 +0200[diff] [blame]244
margaretha58e18632018-02-15 13:04:42 +0100[diff] [blame]245 if (headerMap != null && headerMap.containsKey(com.google.common.net.HttpHeaders.X_FORWARDED_FOR)) {
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]246
margaretha58e18632018-02-15 13:04:42 +0100[diff] [blame]247 String[] vals = headerMap.getFirst(com.google.common.net.HttpHeaders.X_FORWARDED_FOR).split(",");
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]248 String clientAddress = vals[0];
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]249
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]250 try {
251 InetAddress ip = InetAddress.getByName(clientAddress);
252 if (ip.isSiteLocalAddress()){
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]253 location = Location.INTERN;
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]254 corpusAccess = CorpusAccess.ALL;
255 }
margarethaa89c3f92017-05-30 19:02:08 +0200[diff] [blame]256 else{
257 corpusAccess = CorpusAccess.PUB;
258 }
259
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]260 if (DEBUG){
261 jlog.debug(String.format(
262 "X-Forwarded-For : '%s' (%d values) -> %s\n",
263 Arrays.toString(vals), vals.length, vals[0]));
264 jlog.debug(String.format(
265 "X-Forwarded-For : location = %s corpusAccess = %s\n",
266 location == Location.INTERN ? "INTERN" : "EXTERN",
267 corpusAccess == CorpusAccess.ALL ? "ALL"
268 : corpusAccess == CorpusAccess.PUB ? "PUB"
269 : "FREE"));
270 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]271
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]272 } catch (UnknownHostException e) {
273 // TODO Auto-generated catch block
274 e.printStackTrace();
275 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]276
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]277 user.setLocation(location);
278 user.setCorpusAccess(corpusAccess);
margarethaa86b1412018-02-21 20:40:35 +0100[diff] [blame]279
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]280 if (DEBUG) {
281 jlog.debug("setAccessAndLocation: KorAPUser: location="
282 + user.locationtoString() + ", access="
283 + user.accesstoString());
284 }
Bodmoc125bf12017-06-01 16:23:59 +0200[diff] [blame]285
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]286 }
287 } // getAccess
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]288
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]289 @Override
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]290 public TokenContext createTokenContext(User user, Map<String, Object> attr, TokenType type)
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]291 throws KustvaktException {
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]292 // use api token
293 AuthenticationIface provider = getProvider(type, TokenType.API);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]294
margaretha38d530e2017-07-11 19:06:50 +0200[diff] [blame]295 // EM: not in the new DB
296// if (attr.get(Attributes.SCOPES) != null)
297// this.getUserData(user, UserDetails.class);
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]298
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]299 TokenContext context = provider.createTokenContext(user, attr);
300 if (context == null)
301 throw new KustvaktException(StatusCodes.NOT_SUPPORTED);
302 context.setUserAgent((String) attr.get(Attributes.USER_AGENT));
303 context.setHostAddress(Attributes.HOST);
304 return context;
305 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]306
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]307 // todo: test
308 @Deprecated
309 private boolean matchStatus(String host, String useragent, TokenContext context) {
310 if (host.equals(context.getHostAddress())) {
311 if (useragent.equals(context.getUserAgent()))
312 return true;
313 }
314 return false;
315 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]316
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]317 private User authenticateShib(Map<String, Object> attributes) throws KustvaktException {
318 // todo use persistent id, since eppn is not unique
319 String eppn = (String) attributes.get(Attributes.EPPN);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]320
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]321 if (eppn == null || eppn.isEmpty())
322 throw new KustvaktException(StatusCodes.REQUEST_INVALID);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]323
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]324 if (!attributes.containsKey(Attributes.EMAIL) && validator.isValid(eppn, Attributes.EMAIL))
325 attributes.put(Attributes.EMAIL, eppn);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]326
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]327 User user = null;
328 if (isRegistered(eppn))
329 user = createShibbUserAccount(attributes);
330 return user;
331 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]332
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]333 // todo: what if attributes null?
334 private User authenticate(String username, String password, Map<String, Object> attr) throws KustvaktException {
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]335
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]336 Map<String, Object> attributes = validator.validateMap(attr);
337 User unknown;
338 // just to make sure that the plain password does not appear anywhere in
339 // the logs!
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]340
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]341 try {
342 validator.validateEntry(username, Attributes.USERNAME);
343 } catch (KustvaktException e) {
344 throw new WrappedException(e, StatusCodes.LOGIN_FAILED, username);
345 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]346
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]347 if (username == null || username.isEmpty())
348 throw new WrappedException(new KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
349 StatusCodes.LOGIN_FAILED);
350 else {
351 try {
352 unknown = entHandler.getAccount(username);
353 } catch (EmptyResultException e) {
354 // mask exception to disable user guessing in possible attacks
355 throw new WrappedException(new KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
356 StatusCodes.LOGIN_FAILED, username);
357 } catch (KustvaktException e) {
358 jlog.error("Error: {}", e);
359 throw new WrappedException(e, StatusCodes.LOGIN_FAILED, attributes.toString());
360 }
361 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]362
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]363 boolean isAdmin = adminDao.isAdmin(unknown.getUsername());
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]364 if (DEBUG) {
365 jlog.debug(
366 "Authentication: found username " + unknown.getUsername());
367 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]368 if (unknown instanceof KorAPUser) {
369 if (password == null || password.isEmpty())
370 throw new WrappedException(new KustvaktException(unknown.getId(), StatusCodes.BAD_CREDENTIALS),
371 StatusCodes.LOGIN_FAILED, username);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]372
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]373 KorAPUser user = (KorAPUser) unknown;
374 boolean check = crypto.checkHash(password, user.getPassword());
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]375
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]376 if (!check) {
377 // the fail counter only applies for wrong password
378 jlog.warn("Wrong Password!");
379 processLoginFail(unknown);
380 throw new WrappedException(new KustvaktException(user.getId(), StatusCodes.BAD_CREDENTIALS),
381 StatusCodes.LOGIN_FAILED, username);
382 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]383
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]384 // bad credentials error has precedence over account locked or
385 // unconfirmed codes
386 // since latter can lead to account guessing of third parties
387 if (user.isAccountLocked()) {
388 URIParam param = (URIParam) user.getField(URIParam.class);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]389
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]390 if (param.hasValues()) {
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]391 if (DEBUG) {
392 jlog.debug("Account is not yet activated for user '"
393 + user.getUsername() + "'");
394 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]395 if (TimeUtils.getNow().isAfter(param.getUriExpiration())) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]396 jlog.error("URI token is expired. Deleting account for user "+ user.getUsername());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]397 deleteAccount(user);
398 throw new WrappedException(
399 new KustvaktException(unknown.getId(), StatusCodes.EXPIRED,
400 "account confirmation uri has expired!", param.getUriFragment()),
401 StatusCodes.LOGIN_FAILED, username);
402 }
403 throw new WrappedException(
404 new KustvaktException(unknown.getId(), StatusCodes.ACCOUNT_NOT_CONFIRMED),
405 StatusCodes.LOGIN_FAILED, username);
406 }
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]407 jlog.error("ACCESS DENIED: account not active for '"+unknown.getUsername()+"'");
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]408 throw new WrappedException(new KustvaktException(unknown.getId(), StatusCodes.ACCOUNT_DEACTIVATED),
409 StatusCodes.LOGIN_FAILED, username);
410 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]411
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]412 } else if (unknown instanceof ShibbolethUser) {
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]413 // todo
414 }
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]415 if (DEBUG) {
416 jlog.debug("Authentication done: " + unknown);
417 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]418 return unknown;
419 }
420
421 /**
422 * authenticate using IdM (Identitätsmanagement) accessed by LDAP.
423 *
424 * @param username
425 * @param password
426 * @param attr
427 * @return
428 * @throws KustvaktException
429 * @date 09.02.17/FB
430 */
431 // todo: what if attributes null?
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]432
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]433 private User authenticateIdM(String username, String password, Map<String, Object> attr) throws KustvaktException {
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]434
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]435 Map<String, Object> attributes = validator.validateMap(attr);
436 User unknown = null;
437 // just to make sure that the plain password does not appear anywhere in
438 // the logs!
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]439
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]440 System.out.printf("Debug: authenticateIdM: entering for '%s'...\n", username);
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]441
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]442 /**
443 * wozu Apache Validatoren für User/Passwort für IdM/LDAP? siehe
444 * validation.properties. Abgeschaltet 21.04.17/FB try {
445 * validator.validateEntry(username, Attributes.USERNAME); } catch
446 * (KustvaktException e) { throw new WrappedException(e,
447 * StatusCodes.LOGIN_FAILED, username); }
448 */
449 if (username == null || username.isEmpty() || password == null || password.isEmpty())
450 throw new WrappedException(new KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
451 StatusCodes.LOGIN_FAILED);
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]452
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]453 // LDAP Access:
454 try {
455 // todo: unknown = ...
margaretha65b67142017-05-29 16:23:16 +0200[diff] [blame]456 int ret = LdapAuth3.login(username, password, config.getLdapConfig());
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]457 if (DEBUG){
458 jlog.debug("Debug: autenticationIdM: Ldap.login(%s) returns: %d.\n", username, ret);
459 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]460 if (ret != LdapAuth3.LDAP_AUTH_ROK) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]461 jlog.error("LdapAuth3.login(username='"+username+"') returns '"+ret+"'='"+LdapAuth3.getErrMessage(ret)+"'!");
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]462
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]463 // mask exception to disable user guessing in possible attacks
464 /*
465 * by Hanl throw new WrappedException(new
466 * KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
467 * StatusCodes.LOGIN_FAILED, username);
468 */
469 throw new WrappedException(new KustvaktException(username, StatusCodes.LDAP_BASE_ERRCODE + ret,
470 LdapAuth3.getErrMessage(ret), null), StatusCodes.LOGIN_FAILED, username);
471 }
472 } catch (LDAPException e) {
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]473
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]474 jlog.error("Error: username='"+username+"' -> '"+e+"'!");
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]475 // mask exception to disable user guessing in possible attacks
476 /*
477 * by Hanl: throw new WrappedException(new
478 * KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
479 * StatusCodes.LOGIN_FAILED, username);
480 */
481 throw new WrappedException(
482 new KustvaktException(username, StatusCodes.LDAP_BASE_ERRCODE + LdapAuth3.LDAP_AUTH_RINTERR,
483 LdapAuth3.getErrMessage(LdapAuth3.LDAP_AUTH_RINTERR), null),
484 StatusCodes.LOGIN_FAILED, username);
485 }
Bodmo3d6bd352017-04-25 11:31:39 +0200[diff] [blame]486
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]487 // Create a User
488 // TODO: KorAPUser für solche mit einem bestehenden Account
489 // DefaultUser sonst.
490 User user = new KorAPUser();
491 user.setUsername(username);
492 /*
493 * folgender Code funktioniert hier noch nicht, da die Headers noch
494 * nicht ausgewertet worden sind - 23.05.17/FB Object o =
495 * attr.get(Attributes.LOCATION); String loc = (String)o.toString(); int
496 * location = Integer.parseInt(loc); user.setLocation(location);
497 * user.setCorpusAccess(Integer.parseInt(attr.get(Attributes.
498 * CORPUS_ACCESS).toString()));
499 */
500 unknown = user;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]501
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]502 if (DEBUG) {
503 jlog.trace(
504 "Authentication: found username " + unknown.getUsername());
505 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]506 if (unknown instanceof KorAPUser) {
507 /*
508 * password already checked using LDAP: if (password == null ||
509 * password.isEmpty()) throw new WrappedException(new
510 * KustvaktException( unknown.getId(), StatusCodes.BAD_CREDENTIALS),
511 * StatusCodes.LOGIN_FAILED, username);
512 *
513 * KorAPUser user = (KorAPUser) unknown; boolean check =
514 * crypto.checkHash(password, user.getPassword());
515 *
516 * if (!check) { // the fail counter only applies for wrong password
517 * jlog.warn("Wrong Password!"); processLoginFail(unknown); throw
518 * new WrappedException(new KustvaktException(user.getId(),
519 * StatusCodes.BAD_CREDENTIALS), StatusCodes.LOGIN_FAILED,
520 * username); }
521 */
522 // bad credentials error has precedence over account locked or
523 // unconfirmed codes
524 // since latter can lead to account guessing of third parties
525 /*
526 * if (user.isAccountLocked()) {
527 *
528 * URIParam param = (URIParam) user.getField(URIParam.class);
529 *
530 * if (param.hasValues()) {
531 * jlog.debug("Account is not yet activated for user '{}'",
532 * user.getUsername()); if
533 * (TimeUtils.getNow().isAfter(param.getUriExpiration())) {
534 * jlog.error( "URI token is expired. Deleting account for user {}",
535 * user.getUsername()); deleteAccount(user); throw new
536 * WrappedException(new KustvaktException( unknown.getId(),
537 * StatusCodes.EXPIRED, "account confirmation uri has expired!",
538 * param.getUriFragment()), StatusCodes.LOGIN_FAILED, username); }
539 * throw new WrappedException(new KustvaktException(
540 * unknown.getId(), StatusCodes.ACCOUNT_NOT_CONFIRMED),
541 * StatusCodes.LOGIN_FAILED, username); }
542 * jlog.error("ACCESS DENIED: account not active for '{}'",
543 * unknown.getUsername()); throw new WrappedException(new
544 * KustvaktException( unknown.getId(),
545 * StatusCodes.ACCOUNT_DEACTIVATED), StatusCodes.LOGIN_FAILED,
546 * username); }
547 */
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]548
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]549 } else if (unknown instanceof ShibbolethUser) {
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]550 // todo
551 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]552
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]553 if (DEBUG) {
554 jlog.debug("Authentication done: " + username);
555 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]556 return unknown;
Michael Hanl19390652016-01-16 11:01:24 +0100[diff] [blame]557
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]558 } // authenticateIdM
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]559
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]560 public boolean isRegistered(String username) {
561 User user;
562 if (username == null || username.isEmpty())
563 return false;
564 // throw new KustvaktException(username, StatusCodes.ILLEGAL_ARGUMENT,
565 // "username must be set", username);
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]566
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]567 try {
568 user = entHandler.getAccount(username);
569 } catch (EmptyResultException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]570 jlog.debug("user does not exist: "+ username);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]571 return false;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]572
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]573 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]574 jlog.error("KorAPException "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]575 return false;
576 // throw new KustvaktException(username,
577 // StatusCodes.ILLEGAL_ARGUMENT,
578 // "username invalid", username);
579 }
580 return user != null;
581 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]582
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]583 public void logout(TokenContext context) throws KustvaktException {
584 try {
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]585 AuthenticationIface provider = getProvider(context.getTokenType(), null);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]586
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]587 if (provider == null) {
margaretha4de41192017-11-15 11:47:11 +0100[diff] [blame]588 throw new KustvaktException(StatusCodes.ILLEGAL_ARGUMENT, "Authentication "
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]589 + "provider not supported!", context.getTokenType().displayName());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]590 }
591 provider.removeUserSession(context.getToken());
592 } catch (KustvaktException e) {
593 throw new WrappedException(e, StatusCodes.LOGOUT_FAILED, context.toString());
594 }
595 auditing.audit(
596 AuditRecord.serviceRecord(context.getUsername(), StatusCodes.LOGOUT_SUCCESSFUL, context.toString()));
597 this.removeCacheEntry(context.getToken());
598 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]599
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]600 private void processLoginFail(User user) throws KustvaktException {
601 counter.registerFail(user.getUsername());
602 if (!counter.validate(user.getUsername())) {
603 try {
604 this.lockAccount(user);
605 } catch (KustvaktException e) {
606 jlog.error("user account could not be locked", e);
607 throw new WrappedException(e, StatusCodes.UPDATE_ACCOUNT_FAILED);
608 }
609 throw new WrappedException(new KustvaktException(user.getId(), StatusCodes.ACCOUNT_DEACTIVATED),
610 StatusCodes.LOGIN_FAILED);
611 }
612 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]613
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]614 public void lockAccount(User user) throws KustvaktException {
615 if (!(user instanceof KorAPUser))
616 throw new KustvaktException(StatusCodes.REQUEST_INVALID);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]617
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]618 KorAPUser u = (KorAPUser) user;
619 u.setAccountLocked(true);
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]620 jlog.info("locking account for user: "+ user.getUsername());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]621 entHandler.updateAccount(u);
622 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]623
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]624 public KorAPUser checkPasswordAllowance(KorAPUser user, String oldPassword, String newPassword)
625 throws KustvaktException {
626 String dbPassword = user.getPassword();
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]627
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]628 if (oldPassword.trim().equals(newPassword.trim())) {
629 // TODO: special error StatusCodes for this?
630 throw new WrappedException(new KustvaktException(user.getId(), StatusCodes.ILLEGAL_ARGUMENT),
631 StatusCodes.PASSWORD_RESET_FAILED, newPassword);
632 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]633
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]634 boolean check = crypto.checkHash(oldPassword, dbPassword);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]635
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]636 if (!check)
637 throw new WrappedException(new KustvaktException(user.getId(), StatusCodes.BAD_CREDENTIALS),
638 StatusCodes.PASSWORD_RESET_FAILED);
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]639
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]640 try {
641 user.setPassword(crypto.secureHash(newPassword));
642 } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
643 throw new WrappedException(
644 new KustvaktException(user.getId(), StatusCodes.ILLEGAL_ARGUMENT, "password invalid", newPassword),
645 StatusCodes.PASSWORD_RESET_FAILED, user.toString(), newPassword);
646 }
647 return user;
648 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]649
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]650 // fixme: use clientinfo for logging/auditing?! = from where did he access
651 // the reset function?
652 @Override
653 public void resetPassword(String uriFragment, String username, String newPassphrase) throws KustvaktException {
654 try {
655 validator.validateEntry(username, Attributes.USERNAME);
656 validator.validateEntry(newPassphrase, Attributes.PASSWORD);
657 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]658 jlog.error("Error: "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]659 throw new WrappedException(
660 new KustvaktException(username, StatusCodes.ILLEGAL_ARGUMENT, "password invalid", newPassphrase),
661 StatusCodes.PASSWORD_RESET_FAILED, username, newPassphrase);
662 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]663
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]664 try {
665 newPassphrase = crypto.secureHash(newPassphrase);
666 } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
667 jlog.error("Encoding/Algorithm Error", e);
668 throw new WrappedException(
669 new KustvaktException(username, StatusCodes.ILLEGAL_ARGUMENT, "password invalid", newPassphrase),
670 StatusCodes.PASSWORD_RESET_FAILED, username, uriFragment, newPassphrase);
671 }
672 int result = entHandler.resetPassphrase(username, uriFragment, newPassphrase);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]673
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]674 if (result == 0)
675 throw new WrappedException(
676 new KustvaktException(username, StatusCodes.EXPIRED, "URI fragment expired", uriFragment),
677 StatusCodes.PASSWORD_RESET_FAILED, username, uriFragment);
678 else if (result == 1)
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]679 jlog.info("successfully reset password for user "+ username);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]680 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]681
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]682 public void confirmRegistration(String uriFragment, String username) throws KustvaktException {
683 try {
684 validator.validateEntry(username, Attributes.USERNAME);
685 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]686 jlog.error("Error: "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]687 throw new WrappedException(e, StatusCodes.ACCOUNT_CONFIRMATION_FAILED, username, uriFragment);
688 }
689 int r = entHandler.activateAccount(username, uriFragment);
690 if (r == 0) {
691 User user;
692 try {
693 user = entHandler.getAccount(username);
694 } catch (EmptyResultException e) {
695 throw new WrappedException(new KustvaktException(username, StatusCodes.BAD_CREDENTIALS),
696 StatusCodes.ACCOUNT_CONFIRMATION_FAILED, username, uriFragment);
697 }
698 entHandler.deleteAccount(user.getId());
699 throw new WrappedException(new KustvaktException(user.getId(), StatusCodes.EXPIRED),
700 StatusCodes.ACCOUNT_CONFIRMATION_FAILED, username, uriFragment);
701 } else if (r == 1)
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]702 jlog.info("successfully confirmed user registration for user "+ username);
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]703 // register successful audit!
704 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]705
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]706 /**
707 * @param attributes
708 * @return
709 * @throws KustvaktException
710 */
711 // fixme: remove clientinfo object (not needed), use json representation to
712 // get stuff
713 public User createUserAccount(Map<String, Object> attributes, boolean confirmation_required)
714 throws KustvaktException {
715 Map<String, Object> safeMap = validator.validateMap(attributes);
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]716
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]717 if (safeMap.get(Attributes.USERNAME) == null || ((String) safeMap.get(Attributes.USERNAME)).isEmpty())
718 throw new KustvaktException(StatusCodes.ILLEGAL_ARGUMENT, "username must be set", "username");
719 if (safeMap.get(Attributes.PASSWORD) == null || ((String) safeMap.get(Attributes.PASSWORD)).isEmpty())
720 throw new KustvaktException(safeMap.get(Attributes.USERNAME), StatusCodes.ILLEGAL_ARGUMENT,
721 "password must be set", "password");
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]722
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]723 String username = validator.validateEntry((String) safeMap.get(Attributes.USERNAME), Attributes.USERNAME);
724 String password = validator.validateEntry((String) safeMap.get(Attributes.PASSWORD), Attributes.PASSWORD);
725 String hash;
726 try {
727 hash = crypto.secureHash(password);
728 } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
729 jlog.error("Encryption error", e);
730 throw new KustvaktException(StatusCodes.ILLEGAL_ARGUMENT);
731 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]732
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]733 KorAPUser user = User.UserFactory.getUser(username);
734 Object id = attributes.get(Attributes.ID);
735 if (id != null && id instanceof Integer)
736 user.setId((Integer) id);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]737
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]738 user.setAccountLocked(confirmation_required);
739 if (confirmation_required) {
740 URIParam param = new URIParam(crypto.createToken(),
741 TimeUtils.plusSeconds(config.getTokenTTL()).getMillis());
742 user.addField(param);
743 }
744 user.setPassword(hash);
Michael Hanl7368aa42016-02-05 18:15:47 +0100[diff] [blame]745
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]746// String o = (String) attributes.get(Attributes.IS_ADMIN);
747// boolean b = Boolean.parseBoolean(o);
748// user.setSystemAdmin(b);
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]749
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]750 try {
751 UserDetails details = new UserDetails();
752 details.read(safeMap, true);
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]753
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]754 UserSettings settings = new UserSettings();
755 settings.read(safeMap, true);
Michael Hanl5fac8ab2016-01-29 16:33:04 +0100[diff] [blame]756
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]757 jlog.info("Creating new user account for user "+ user.getUsername());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]758 entHandler.createAccount(user);
margaretha4edc70e2018-03-14 22:34:29 +0100[diff] [blame]759// if (user.isSystemAdmin() && user instanceof KorAPUser) {
760// adminDao.addAccount(user);
761// user.setCorpusAccess(CorpusAccess.ALL);
762// }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]763 details.setUserId(user.getId());
764 settings.setUserId(user.getId());
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]765
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]766 UserDataDbIface dao = BeansFactory.getTypeFactory().getTypeInterfaceBean(userdatadaos, UserDetails.class);
767 // todo: remove this
768 assert dao != null;
769 dao.store(details);
770 dao = BeansFactory.getTypeFactory().getTypeInterfaceBean(userdatadaos, UserSettings.class);
771 assert dao != null;
772 dao.store(settings);
773 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]774 jlog.error("Error: "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]775 throw new WrappedException(e, StatusCodes.CREATE_ACCOUNT_FAILED, user.toString());
776 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]777
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]778 auditing.audit(AuditRecord.serviceRecord(user.getUsername(), StatusCodes.CREATE_ACCOUNT_SUCCESSFUL));
779 return user;
780 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]781
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]782 // todo:
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]783 private ShibbolethUser createShibbUserAccount(Map<String, Object> attributes) throws KustvaktException {
margarethadda4ef72018-12-06 14:20:51 +0100[diff] [blame^]784 if (DEBUG) {
785 jlog.debug("creating shibboleth user account for user attr: "
786 + attributes);
787 }
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]788 Map<String, Object> safeMap = validator.validateMap(attributes);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]789
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]790 // todo eppn non-unique.join with idp or use persistent_id as username
791 // identifier
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]792 // EM: disabled
793// ShibbolethUser user = User.UserFactory.getShibInstance((String) safeMap.get(Attributes.EPPN),
794// (String) safeMap.get(Attributes.MAIL), (String) safeMap.get(Attributes.CN));
795// user.setAffiliation((String) safeMap.get(Attributes.EDU_AFFIL));
796// user.setAccountCreation(TimeUtils.getNow().getMillis());
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]797
margarethafb027f92018-04-23 20:00:13 +0200[diff] [blame]798 ShibbolethUser user = null;
799
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]800 UserDetails d = new UserDetails();
801 d.read(attributes, true);
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]802
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]803 UserSettings s = new UserSettings();
804 s.read(attributes, true);
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]805
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]806 entHandler.createAccount(user);
Michael Hanlc0ed00f2016-06-23 14:33:10 +0200[diff] [blame]807
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]808 s.setUserId(user.getId());
809 d.setUserId(user.getId());
Michael Hanl25aac542016-02-01 18:16:44 +0100[diff] [blame]810
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]811 UserDataDbIface dao = BeansFactory.getTypeFactory().getTypeInterfaceBean(userdatadaos, UserDetails.class);
812 assert dao != null;
813 dao.store(d);
Michael Hanl25aac542016-02-01 18:16:44 +0100[diff] [blame]814
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]815 dao = BeansFactory.getTypeFactory().getTypeInterfaceBean(userdatadaos, UserSettings.class);
816 assert dao != null;
817 dao.store(d);
Michael Hanl25aac542016-02-01 18:16:44 +0100[diff] [blame]818
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]819 return user;
820 }
Michael Hanl25aac542016-02-01 18:16:44 +0100[diff] [blame]821
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]822 /**
823 * link shibboleth and korap user account to one another.
824 *
825 * @param current
826 * currently logged in user
827 * @param for_name
828 * foreign user name the current account should be linked to
829 * @param transstrat
830 * transfer status of user data (details, settings, user queries)
831 * 0 = the currently logged in data should be kept 1 = the
832 * foreign account data should be kept
833 * @throws NotAuthorizedException
834 * @throws KustvaktException
835 */
836 // todo:
837 public void accountLink(User current, String for_name, int transstrat) throws KustvaktException {
838 // User foreign = entHandler.getAccount(for_name);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]839
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]840 // if (current.getAccountLink() == null && current.getAccountLink()
841 // .isEmpty()) {
842 // if (current instanceof KorAPUser && foreign instanceof ShibUser) {
843 // if (transstrat == 1)
844 // current.transfer(foreign);
845 //// foreign.setAccountLink(current.getUsername());
846 //// current.setAccountLink(foreign.getUsername());
847 // // entHandler.purgeDetails(foreign);
848 // // entHandler.purgeSettings(foreign);
849 // }else if (foreign instanceof KorAPUser
850 // && current instanceof ShibUser) {
851 // if (transstrat == 0)
852 // foreign.transfer(current);
853 //// current.setAccountLink(foreign.getUsername());
854 // // entHandler.purgeDetails(current);
855 // // entHandler.purgeSettings(current);
856 // // entHandler.purgeSettings(current);
857 // }
858 // entHandler.updateAccount(current);
859 // entHandler.updateAccount(foreign);
860 // }
861 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]862
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]863 // todo: test and rest usage?!
864 public boolean updateAccount(User user) throws KustvaktException {
865 boolean result;
866 if (user instanceof DemoUser)
867 throw new KustvaktException(user.getId(), StatusCodes.REQUEST_INVALID,
868 "account not updateable for demo user", user.getUsername());
869 else {
870 // crypto.validate(user);
871 try {
872 result = entHandler.updateAccount(user) > 0;
873 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]874 jlog.error("Error: "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]875 throw new WrappedException(e, StatusCodes.UPDATE_ACCOUNT_FAILED);
876 }
877 }
878 if (result) {
879 // this.removeCacheEntry(user.getUsername());
880 auditing.audit(
881 AuditRecord.serviceRecord(user.getId(), StatusCodes.UPDATE_ACCOUNT_SUCCESSFUL, user.toString()));
882 }
883 return result;
884 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]885
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]886 public boolean deleteAccount(User user) throws KustvaktException {
887 boolean result;
888 if (user instanceof DemoUser)
889 return true;
890 else {
891 try {
892 result = entHandler.deleteAccount(user.getId()) > 0;
893 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]894 jlog.error("Error: "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]895 throw new WrappedException(e, StatusCodes.DELETE_ACCOUNT_FAILED);
896 }
897 }
898 if (result) {
899 // this.removeCacheEntry(user.getUsername());
900 auditing.audit(AuditRecord.serviceRecord(user.getUsername(), StatusCodes.DELETE_ACCOUNT_SUCCESSFUL,
901 user.toString()));
902 }
903 return result;
904 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]905
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]906 public Object[] validateResetPasswordRequest(String username, String email) throws KustvaktException {
907 String uritoken;
908 validator.validateEntry(email, Attributes.EMAIL);
909 User ident;
910 try {
911 ident = entHandler.getAccount(username);
912 if (ident instanceof DemoUser)
913 // throw new
914 // NotAuthorizedException(StatusCodes.PERMISSION_DENIED,
915 // "password reset now allowed for DemoUser", "");
916 throw new WrappedException(username, StatusCodes.PASSWORD_RESET_FAILED, username);
917 } catch (EmptyResultException e) {
918 throw new WrappedException(
919 new KustvaktException(username, StatusCodes.ILLEGAL_ARGUMENT, "username not found", username),
920 StatusCodes.PASSWORD_RESET_FAILED, username);
921 }
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]922
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]923 Userdata data = this.getUserData(ident, UserDetails.class);
924 KorAPUser user = (KorAPUser) ident;
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]925
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]926 if (!email.equals(data.get(Attributes.EMAIL)))
927 // throw new NotAuthorizedException(StatusCodes.ILLEGAL_ARGUMENT,
928 // "invalid parameter: email", "email");
929 throw new WrappedException(
930 new KustvaktException(user.getId(), StatusCodes.ILLEGAL_ARGUMENT, "email invalid", email),
931 StatusCodes.PASSWORD_RESET_FAILED, email);
932 uritoken = crypto.encodeBase();
933 URIParam param = new URIParam(uritoken, TimeUtils.plusHours(24).getMillis());
934 user.addField(param);
Michael Hanl8abaf9e2016-05-23 16:46:35 +0200[diff] [blame]935
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]936 try {
937 entHandler.updateAccount(user);
938 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]939 jlog.error("Error "+ e.string());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]940 throw new WrappedException(e, StatusCodes.PASSWORD_RESET_FAILED);
941 }
942 return new Object[] { uritoken, TimeUtils.format(param.getUriExpiration()) };
943 }
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]944
margaretha38d530e2017-07-11 19:06:50 +0200[diff] [blame]945 // EM: not in the new DB
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]946 @Override
947 public <T extends Userdata> T getUserData(User user, Class<T> clazz) throws WrappedException {
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]948 try {
949 UserDataDbIface<T> dao = BeansFactory.getTypeFactory()
950 .getTypeInterfaceBean(BeansFactory.getKustvaktContext().getUserDataProviders(), clazz);
951 T data = null;
952 if (dao != null)
953 data = dao.get(user);
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]954
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]955 if (data == null)
margarethaf6d5a822017-10-19 19:51:20 +0200[diff] [blame]956 throw new KustvaktException(user.getId(), StatusCodes.NO_RESULT_FOUND, "No data found!",
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]957 clazz.getSimpleName());
958 return data;
959 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]960 jlog.error("Error during user data retrieval: "+ e.getEntity());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]961 throw new WrappedException(e, StatusCodes.GET_ACCOUNT_FAILED);
962 }
963 }
Michael Hanl5fac8ab2016-01-29 16:33:04 +0100[diff] [blame]964
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]965 // todo: cache userdata outside of the user object!
966 @Override
967 public void updateUserData(Userdata data) throws WrappedException {
968 try {
969 data.validate(this.validator);
970 UserDataDbIface dao = BeansFactory.getTypeFactory()
971 .getTypeInterfaceBean(BeansFactory.getKustvaktContext().getUserDataProviders(), data.getClass());
972 if (dao != null)
973 dao.update(data);
974 } catch (KustvaktException e) {
margaretha49cb6882018-07-04 04:19:54 +0200[diff] [blame]975 jlog.error("Error during update of user data! "+ e.getEntity());
margarethaebc54962017-05-29 13:23:07 +0200[diff] [blame]976 throw new WrappedException(e, StatusCodes.UPDATE_ACCOUNT_FAILED);
977 }
978 }
margaretha2afb97d2017-12-07 19:18:44 +0100[diff] [blame]979
Michael Hanl87106d12015-09-14 18:13:51 +0200[diff] [blame]980}