exports.setProtectedAttributes = function (security) { var modifiedMap = {}; Object.keys(security.authorization).forEach(function (k) { modifiedMap[k] = security.authorization[k]; }); // find all of the attributes in the managed object schema associated // with the current component which have been declared as isProtected: true modifiedMap.protectedAttributeList = _.chain( _.find(openidm.read("config/managed").objects, function (object) { return modifiedMap.component === "managed/" + object.name; }).schema.properties ) .pairs() .map(function (property) { var propertyName = property[0], propertySchema = property[1]; if (propertySchema.isProtected) { return propertyName; } else { return undefined; } }) .filter() .value(); security.authorization = modifiedMap; return security; };
_.filter(conditionalGrants, function(grant) { // retain the existing conditional grants which are still valid var roleCorrespondingToGrant = _.find(existingConditionalRoles, function (role) { return 'managed/role/' + role._id === grant._ref; }); if (roleCorrespondingToGrant === undefined) { logger.warn("In evaluateConditionalRoles, an existing user grant could not be matched to an " + "existing conditional role. The grant in question: {}", grant); return false; } else { return org.forgerock.openidm.condition.Conditions.newCondition(roleCorrespondingToGrant.condition).evaluate(user, null); } })
policyFunctions.minLength = function(fullObject, value, params, property) { var isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), hasMinLength = isNonEmptyString ? (value.length >= params.minLength) : false; if ((isRequired || isNonEmptyString) && !hasMinLength) { return [ { "policyRequirement" : "MIN_LENGTH", "params" : {"minLength":params.minLength} } ]; } return []; };
policyFunctions.validDate = function(fullObject, value, params, property) { var isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), isValidDate = isNonEmptyString ? !isNaN(new Date(value).getTime()) : false; if ((isRequired || isNonEmptyString) && !isValidDate) { return [ {"policyRequirement": "VALID_DATE"}]; } return []; };
updateLegend: function () { console.log("Filter set, updating legend", this.filters); var category; if (this.filters.question) { category = _.find(this.exploration, { name: this.filters.question }); } this.trigger('updated', { category: category, filters: this.filters }); return; },
policyFunctions.atLeastXNumbers = function(fullObject, value, params, property) { var isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), valuePassesRegexp = (function (v) { var test = isNonEmptyString ? v.match(/\d/g) : null; return test !== null && test.length >= params.numNums; }(value)); if ((isRequired || isNonEmptyString) && !valuePassesRegexp) { return [ { "policyRequirement" : "AT_LEAST_X_NUMBERS", "params" : {"numNums": params.numNums} } ]; } return []; };
(function () { var _ = require("lib/lodash"), authConfig = openidm.read("config/authentication"), authModule = _.find(authConfig.serverAuthContext.authModules, function (am) { return am.name === "OPENAM_SESSION" && am.properties.openamDeploymentUrl.length; }), proxyRequest = { "method" : context.http.method, "headers": { "Cookie": context.http.headers.Cookie } }; if (authModule === null) { throw { "code" : 500, "message" : "Unable to find configured OPENAM_SESSION auth module" }; } proxyRequest.url = authModule.properties.openamDeploymentUrl + "/" + request.resourceName; if (request.action === "logout") { proxyRequest.url += "?_action=logout"; } else { // turn the additionalParameters map into a url proxyRequest.url += "?" + _(request.additionalParameters) .pairs() .map(function (param) { return _.map(param, encodeURIComponent).join("="); }) .value() .join("&"); } if (request.content) { proxyRequest.body = request.content + ""; // implicit toString yields a stringified json value for request.content } else { proxyRequest.body = "{}"; } return openidm.action("external/rest", "call", proxyRequest); }());
policyFunctions.validEmailAddressFormat = function(fullObject, value, params, property) { var pattern = /^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/, isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), valuePassesRegexp = (function (v) { var testResult = isNonEmptyString ? pattern.test(v) : false; return testResult; }(value)); if ((isRequired || isNonEmptyString) && !valuePassesRegexp) { return [ {"policyRequirement": "VALID_EMAIL_ADDRESS_FORMAT"}]; } return []; };
policyFunctions.validNameFormat = function(fullObject, value, params, property) { var pattern = /^([A-Za'-\u0105\u0107\u0119\u0142\u00F3\u015B\u017C\u017A\u0104\u0106\u0118\u0141\u00D3\u015A\u017B\u0179\u00C0\u00C8\u00CC\u00D2\u00D9\u00E0\u00E8\u00EC\u00F2\u00F9\u00C1\u00C9\u00CD\u00D3\u00DA\u00DD\u00E1\u00E9\u00ED\u00F3\u00FA\u00FD\u00C2\u00CA\u00CE\u00D4\u00DB\u00E2\u00EA\u00EE\u00F4\u00FB\u00C3\u00D1\u00D5\u00E3\u00F1\u00F5\u00C4\u00CB\u00CF\u00D6\u00DC\u0178\u00E4\u00EB\u00EF\u00F6\u00FC\u0178\u00A1\u00BF\u00E7\u00C7\u0152\u0153\u00DF\u00D8\u00F8\u00C5\u00E5\u00C6\u00E6\u00DE\u00FE\u00D0\u00F0\-\s])+$/, isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), valuePassesRegexp = (function (v) { var testResult = isNonEmptyString ? pattern.test(v) : false; return testResult; }(value)); if ((isRequired || isNonEmptyString) && !valuePassesRegexp) { return [ {"policyRequirement": "VALID_NAME_FORMAT"}]; } return []; };
policyFunctions.validPhoneFormat = function(fullObject, value, params, property) { var pattern = /^\+?([0-9\- \(\)])*$/, isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), valuePassesRegexp = (function (v) { var testResult = isNonEmptyString ? pattern.test(v) : false; return testResult; }(value)); if ((isRequired || isNonEmptyString) && !valuePassesRegexp) { return [ {"policyRequirement": "VALID_PHONE_FORMAT"}]; } return []; };
policyFunctions.regexpMatches = function(fullObject, value, params, property) { if (typeof(value) === "number") { value = value + ""; // cast to string; } var pattern = new RegExp(params.regexp, (params.flags || "")), isRequired = _.find(this.failedPolicyRequirements, function (fpr) { return fpr.policyRequirement === "REQUIRED"; }), isNonEmptyString = (typeof(value) === "string" && value.length), valuePassesRegexp = (function (v) { var testResult = isNonEmptyString ? pattern.test(v) : false; return testResult; }(value)); if ((isRequired || isNonEmptyString) && !valuePassesRegexp) { return [ {"policyRequirement": "MATCH_REGEXP", "regexp": params.regexp, params: params, "flags": params.flags}]; } return []; };
function (grants) { return _.find(grants, function (grant) {return 'managed/role/' + role._id === grant._ref;}) !== undefined; };
.reject(function (currentGrant) { return _.find(roleLosers, function (roleLoser) {return 'managed/user/' + roleLoser._id === currentGrant._ref;}) !== undefined; })
getToken: function (name, code, redirect_uri) { var resolver = _.find(this.getResolvers(false), function (r) { return r.name === name; }), response, claims, user; if (!resolver) { throw { "code": 400, "message": "Unable to find provider with name '" + name + "'"}; } try { response = openidm.action("external/rest", "call", { "method": "POST", "url": resolver.token_endpoint, "contentType": "application/x-www-form-urlencoded", "body": this.serializeParams({ "grant_type": "authorization_code", "redirect_uri": redirect_uri, "code": code, "client_id": resolver.client_id, "client_secret": resolver.client_secret }) }); } catch (e) { throw { "code" : e.javaException.getCode(), "message" : e.javaException.getMessage(), "detail" : e.javaException.getDetail() }; } if (!response || !response.id_token) { throw { "code": 400, "message": "Incorrect response from server", "detail": response }; } if (response.id_token.split(".")[1] === null || base64.decode( response.id_token.split(".")[1]) === null) { throw { "code": 400, "message": "Unable to parse the response from server", "detail": response }; } if (new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) === null) { throw { "code": 400, "message": "Unable to build string from decoded response", "detail": response }; } claims = JSON.parse( new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) ); user = openidm.read("system/fiddles/users/" + claims.iss + ":" + claims.sub); // if the user isn't found in our local user cache, create a record for them if (user === null) { openidm.create("system/fiddles/users", null, { "issuer" : claims.iss, "subject" : claims.sub, "email" : claims.email }); } return { "token": response.id_token, "header": this.getRequestHeader() } }
(function () { var _ = require("lib/lodash"), base64 = Packages.org.forgerock.util.encode.Base64url, authConfig = openidm.read("config/authentication"), oidcModule = _.find(authConfig.serverAuthContext.authModules, function (a) { return a.name === "OPENID_CONNECT"; }), obj = { serializeParams: function (params) { return _(params) .pairs() .map(function (p) { return p[0] + "=" + encodeURIComponent(p[1]); }) .value() .join("&"); }, getRequestHeader: function () { return oidcModule.properties.openIdConnectHeader; }, getResolvers: function (isExternal) { var resolvers = oidcModule.properties.resolvers; return _.map(resolvers, function (r) { if (isExternal) { return _.omit(r, "client_secret", "well-known"); } else { return r; } }); }, getToken: function (name, code, redirect_uri) { var resolver = _.find(this.getResolvers(false), function (r) { return r.name === name; }), response, claims, user; if (!resolver) { throw { "code": 400, "message": "Unable to find provider with name '" + name + "'"}; } try { response = openidm.action("external/rest", "call", { "method": "POST", "url": resolver.token_endpoint, "contentType": "application/x-www-form-urlencoded", "body": this.serializeParams({ "grant_type": "authorization_code", "redirect_uri": redirect_uri, "code": code, "client_id": resolver.client_id, "client_secret": resolver.client_secret }) }); } catch (e) { throw { "code" : e.javaException.getCode(), "message" : e.javaException.getMessage(), "detail" : e.javaException.getDetail() }; } if (!response || !response.id_token) { throw { "code": 400, "message": "Incorrect response from server", "detail": response }; } if (response.id_token.split(".")[1] === null || base64.decode( response.id_token.split(".")[1]) === null) { throw { "code": 400, "message": "Unable to parse the response from server", "detail": response }; } if (new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) === null) { throw { "code": 400, "message": "Unable to build string from decoded response", "detail": response }; } claims = JSON.parse( new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) ); user = openidm.read("system/fiddles/users/" + claims.iss + ":" + claims.sub); // if the user isn't found in our local user cache, create a record for them if (user === null) { openidm.create("system/fiddles/users", null, { "issuer" : claims.iss, "subject" : claims.sub, "email" : claims.email }); } return { "token": response.id_token, "header": this.getRequestHeader() } } }; exports.process = function (request) { if (!oidcModule || !oidcModule.enabled) { throw { "code": 500, "message": "OpenID Connect not configured"}; } switch (request.method) { case "read": return obj.getResolvers(true); break; case "action": switch (request.action) { case "getToken": if (request.additionalParameters.code === undefined || request.additionalParameters.name === undefined || request.additionalParameters.redirect_uri === undefined ) { throw { "code": 400, "message": "getToken requires 'redirect_uri', 'code' and 'name' as URL parameters"}; } return obj.getToken(request.additionalParameters.name, request.additionalParameters.code, request.additionalParameters.redirect_uri); break; default: throw { "code": 400, "message": "Unsupported action: '" + request.action + "'"}; } break; default: throw { "code": 400, "message": "Unsupported method: '" + request.method + "'"}; } }; exports.impl = obj; }());