exports.setProtectedAttributes = function (security) {
var modifiedMap = {};
Object.keys(security.authorization).forEach(function (k) {
modifiedMap[k] = security.authorization[k];
});
// find all of the attributes in the managed object schema associated
// with the current component which have been declared as isProtected: true
modifiedMap.protectedAttributeList =
_.chain(
_.find(openidm.read("config/managed").objects, function (object) {
return modifiedMap.component === "managed/" + object.name;
}).schema.properties
)
.pairs()
.map(function (property) {
var propertyName = property[0],
propertySchema = property[1];
if (propertySchema.isProtected) {
return propertyName;
} else {
return undefined;
}
})
.filter()
.value();
security.authorization = modifiedMap;
return security;
};
_.filter(conditionalGrants, function(grant) {
// retain the existing conditional grants which are still valid
var roleCorrespondingToGrant = _.find(existingConditionalRoles, function (role) { return 'managed/role/' + role._id === grant._ref; });
if (roleCorrespondingToGrant === undefined) {
logger.warn("In evaluateConditionalRoles, an existing user grant could not be matched to an " +
"existing conditional role. The grant in question: {}", grant);
return false;
} else {
return org.forgerock.openidm.condition.Conditions.newCondition(roleCorrespondingToGrant.condition).evaluate(user, null);
}
})
policyFunctions.minLength = function(fullObject, value, params, property) {
var isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
hasMinLength = isNonEmptyString ? (value.length >= params.minLength) : false;
if ((isRequired || isNonEmptyString) && !hasMinLength) {
return [ { "policyRequirement" : "MIN_LENGTH", "params" : {"minLength":params.minLength} } ];
}
return [];
};
policyFunctions.validDate = function(fullObject, value, params, property) {
var isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
isValidDate = isNonEmptyString ? !isNaN(new Date(value).getTime()) : false;
if ((isRequired || isNonEmptyString) && !isValidDate) {
return [ {"policyRequirement": "VALID_DATE"}];
}
return [];
};
updateLegend: function () {
console.log("Filter set, updating legend", this.filters);
var category;
if (this.filters.question) {
category = _.find(this.exploration, { name: this.filters.question });
}
this.trigger('updated', {
category: category,
filters: this.filters
});
return;
},
policyFunctions.atLeastXNumbers = function(fullObject, value, params, property) {
var isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
valuePassesRegexp = (function (v) {
var test = isNonEmptyString ? v.match(/\d/g) : null;
return test !== null && test.length >= params.numNums;
}(value));
if ((isRequired || isNonEmptyString) && !valuePassesRegexp) {
return [ { "policyRequirement" : "AT_LEAST_X_NUMBERS", "params" : {"numNums": params.numNums} } ];
}
return [];
};
(function () {
var _ = require("lib/lodash"),
authConfig = openidm.read("config/authentication"),
authModule = _.find(authConfig.serverAuthContext.authModules, function (am) {
return am.name === "OPENAM_SESSION" && am.properties.openamDeploymentUrl.length;
}),
proxyRequest = {
"method" : context.http.method,
"headers": {
"Cookie": context.http.headers.Cookie
}
};
if (authModule === null) {
throw {
"code" : 500,
"message" : "Unable to find configured OPENAM_SESSION auth module"
};
}
proxyRequest.url = authModule.properties.openamDeploymentUrl + "/" + request.resourceName;
if (request.action === "logout") {
proxyRequest.url += "?_action=logout";
} else {
// turn the additionalParameters map into a url
proxyRequest.url += "?" + _(request.additionalParameters)
.pairs()
.map(function (param) {
return _.map(param, encodeURIComponent).join("=");
})
.value()
.join("&");
}
if (request.content) {
proxyRequest.body = request.content + ""; // implicit toString yields a stringified json value for request.content
} else {
proxyRequest.body = "{}";
}
return openidm.action("external/rest", "call", proxyRequest);
}());
policyFunctions.validEmailAddressFormat = function(fullObject, value, params, property) {
var pattern = /^([A-Za-z0-9_\-\.])+\@([A-Za-z0-9_\-\.])+\.([A-Za-z]{2,4})$/,
isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
valuePassesRegexp = (function (v) {
var testResult = isNonEmptyString ? pattern.test(v) : false;
return testResult;
}(value));
if ((isRequired || isNonEmptyString) && !valuePassesRegexp) {
return [ {"policyRequirement": "VALID_EMAIL_ADDRESS_FORMAT"}];
}
return [];
};
policyFunctions.validNameFormat = function(fullObject, value, params, property) {
var pattern = /^([A-Za'-\u0105\u0107\u0119\u0142\u00F3\u015B\u017C\u017A\u0104\u0106\u0118\u0141\u00D3\u015A\u017B\u0179\u00C0\u00C8\u00CC\u00D2\u00D9\u00E0\u00E8\u00EC\u00F2\u00F9\u00C1\u00C9\u00CD\u00D3\u00DA\u00DD\u00E1\u00E9\u00ED\u00F3\u00FA\u00FD\u00C2\u00CA\u00CE\u00D4\u00DB\u00E2\u00EA\u00EE\u00F4\u00FB\u00C3\u00D1\u00D5\u00E3\u00F1\u00F5\u00C4\u00CB\u00CF\u00D6\u00DC\u0178\u00E4\u00EB\u00EF\u00F6\u00FC\u0178\u00A1\u00BF\u00E7\u00C7\u0152\u0153\u00DF\u00D8\u00F8\u00C5\u00E5\u00C6\u00E6\u00DE\u00FE\u00D0\u00F0\-\s])+$/,
isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
valuePassesRegexp = (function (v) {
var testResult = isNonEmptyString ? pattern.test(v) : false;
return testResult;
}(value));
if ((isRequired || isNonEmptyString) && !valuePassesRegexp) {
return [ {"policyRequirement": "VALID_NAME_FORMAT"}];
}
return [];
};
policyFunctions.validPhoneFormat = function(fullObject, value, params, property) {
var pattern = /^\+?([0-9\- \(\)])*$/,
isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
valuePassesRegexp = (function (v) {
var testResult = isNonEmptyString ? pattern.test(v) : false;
return testResult;
}(value));
if ((isRequired || isNonEmptyString) && !valuePassesRegexp) {
return [ {"policyRequirement": "VALID_PHONE_FORMAT"}];
}
return [];
};
policyFunctions.regexpMatches = function(fullObject, value, params, property) {
if (typeof(value) === "number") {
value = value + ""; // cast to string;
}
var pattern = new RegExp(params.regexp, (params.flags || "")),
isRequired = _.find(this.failedPolicyRequirements, function (fpr) {
return fpr.policyRequirement === "REQUIRED";
}),
isNonEmptyString = (typeof(value) === "string" && value.length),
valuePassesRegexp = (function (v) {
var testResult = isNonEmptyString ? pattern.test(v) : false;
return testResult;
}(value));
if ((isRequired || isNonEmptyString) && !valuePassesRegexp) {
return [ {"policyRequirement": "MATCH_REGEXP", "regexp": params.regexp, params: params, "flags": params.flags}];
}
return [];
};
function (grants) {
return _.find(grants, function (grant) {return 'managed/role/' + role._id === grant._ref;}) !== undefined;
};
.reject(function (currentGrant) {
return _.find(roleLosers, function (roleLoser) {return 'managed/user/' + roleLoser._id === currentGrant._ref;}) !== undefined;
})
getToken: function (name, code, redirect_uri) {
var resolver = _.find(this.getResolvers(false), function (r) {
return r.name === name;
}),
response,
claims,
user;
if (!resolver) {
throw { "code": 400, "message": "Unable to find provider with name '" + name + "'"};
}
try {
response = openidm.action("external/rest", "call", {
"method": "POST",
"url": resolver.token_endpoint,
"contentType": "application/x-www-form-urlencoded",
"body": this.serializeParams({
"grant_type": "authorization_code",
"redirect_uri": redirect_uri,
"code": code,
"client_id": resolver.client_id,
"client_secret": resolver.client_secret
})
});
} catch (e) {
throw {
"code" : e.javaException.getCode(),
"message" : e.javaException.getMessage(),
"detail" : e.javaException.getDetail()
};
}
if (!response || !response.id_token) {
throw { "code": 400, "message": "Incorrect response from server", "detail": response };
}
if (response.id_token.split(".")[1] === null || base64.decode( response.id_token.split(".")[1]) === null) {
throw { "code": 400, "message": "Unable to parse the response from server", "detail": response };
}
if (new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) === null) {
throw { "code": 400, "message": "Unable to build string from decoded response", "detail": response };
}
claims = JSON.parse( new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) );
user = openidm.read("system/fiddles/users/" + claims.iss + ":" + claims.sub);
// if the user isn't found in our local user cache, create a record for them
if (user === null) {
openidm.create("system/fiddles/users", null, {
"issuer" : claims.iss,
"subject" : claims.sub,
"email" : claims.email
});
}
return {
"token": response.id_token,
"header": this.getRequestHeader()
}
}
(function () {
var _ = require("lib/lodash"),
base64 = Packages.org.forgerock.util.encode.Base64url,
authConfig = openidm.read("config/authentication"),
oidcModule = _.find(authConfig.serverAuthContext.authModules, function (a) {
return a.name === "OPENID_CONNECT";
}),
obj = {
serializeParams: function (params) {
return _(params)
.pairs()
.map(function (p) {
return p[0] + "=" + encodeURIComponent(p[1]);
})
.value()
.join("&");
},
getRequestHeader: function () {
return oidcModule.properties.openIdConnectHeader;
},
getResolvers: function (isExternal) {
var resolvers = oidcModule.properties.resolvers;
return _.map(resolvers, function (r) {
if (isExternal) {
return _.omit(r, "client_secret", "well-known");
} else {
return r;
}
});
},
getToken: function (name, code, redirect_uri) {
var resolver = _.find(this.getResolvers(false), function (r) {
return r.name === name;
}),
response,
claims,
user;
if (!resolver) {
throw { "code": 400, "message": "Unable to find provider with name '" + name + "'"};
}
try {
response = openidm.action("external/rest", "call", {
"method": "POST",
"url": resolver.token_endpoint,
"contentType": "application/x-www-form-urlencoded",
"body": this.serializeParams({
"grant_type": "authorization_code",
"redirect_uri": redirect_uri,
"code": code,
"client_id": resolver.client_id,
"client_secret": resolver.client_secret
})
});
} catch (e) {
throw {
"code" : e.javaException.getCode(),
"message" : e.javaException.getMessage(),
"detail" : e.javaException.getDetail()
};
}
if (!response || !response.id_token) {
throw { "code": 400, "message": "Incorrect response from server", "detail": response };
}
if (response.id_token.split(".")[1] === null || base64.decode( response.id_token.split(".")[1]) === null) {
throw { "code": 400, "message": "Unable to parse the response from server", "detail": response };
}
if (new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) === null) {
throw { "code": 400, "message": "Unable to build string from decoded response", "detail": response };
}
claims = JSON.parse( new java.lang.String(base64.decode( response.id_token.split(".")[1]) ) );
user = openidm.read("system/fiddles/users/" + claims.iss + ":" + claims.sub);
// if the user isn't found in our local user cache, create a record for them
if (user === null) {
openidm.create("system/fiddles/users", null, {
"issuer" : claims.iss,
"subject" : claims.sub,
"email" : claims.email
});
}
return {
"token": response.id_token,
"header": this.getRequestHeader()
}
}
};
exports.process = function (request) {
if (!oidcModule || !oidcModule.enabled) {
throw { "code": 500, "message": "OpenID Connect not configured"};
}
switch (request.method) {
case "read":
return obj.getResolvers(true);
break;
case "action":
switch (request.action) {
case "getToken":
if (request.additionalParameters.code === undefined ||
request.additionalParameters.name === undefined ||
request.additionalParameters.redirect_uri === undefined
) {
throw { "code": 400, "message": "getToken requires 'redirect_uri', 'code' and 'name' as URL parameters"};
}
return obj.getToken(request.additionalParameters.name, request.additionalParameters.code, request.additionalParameters.redirect_uri);
break;
default:
throw { "code": 400, "message": "Unsupported action: '" + request.action + "'"};
}
break;
default:
throw { "code": 400, "message": "Unsupported method: '" + request.method + "'"};
}
};
exports.impl = obj;
}());