-
Notifications
You must be signed in to change notification settings - Fork 188
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add auto-unlocking of locked-out users
When a focus object is locked, a trigger is created on it. Its handler (UnlockTriggerHandler) then unlocks the object, if possible. This should resolve MID-7762. (cherry picked from commit faf154d)
- Loading branch information
Showing
8 changed files
with
164 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
19 changes: 0 additions & 19 deletions
19
model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/ModelConstants.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
103 changes: 103 additions & 0 deletions
103
...del-impl/src/main/java/com/evolveum/midpoint/model/impl/trigger/UnlockTriggerHandler.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
/* | ||
* Copyright (c) 2013-2017 Evolveum and contributors | ||
* | ||
* This work is dual-licensed under the Apache License 2.0 | ||
* and European Union Public License. See LICENSE file for details. | ||
*/ | ||
package com.evolveum.midpoint.model.impl.trigger; | ||
|
||
import static javax.xml.datatype.DatatypeConstants.LESSER; | ||
|
||
import java.util.List; | ||
import javax.annotation.PostConstruct; | ||
import javax.xml.datatype.XMLGregorianCalendar; | ||
|
||
import org.jetbrains.annotations.NotNull; | ||
import org.springframework.beans.factory.annotation.Autowired; | ||
import org.springframework.stereotype.Component; | ||
|
||
import com.evolveum.midpoint.common.Clock; | ||
import com.evolveum.midpoint.model.api.ModelPublicConstants; | ||
import com.evolveum.midpoint.model.api.ModelService; | ||
import com.evolveum.midpoint.prism.PrismContext; | ||
import com.evolveum.midpoint.prism.PrismObject; | ||
import com.evolveum.midpoint.schema.result.OperationResult; | ||
import com.evolveum.midpoint.task.api.RunningTask; | ||
import com.evolveum.midpoint.util.exception.CommonException; | ||
import com.evolveum.midpoint.util.logging.LoggingUtils; | ||
import com.evolveum.midpoint.util.logging.Trace; | ||
import com.evolveum.midpoint.util.logging.TraceManager; | ||
import com.evolveum.midpoint.xml.ns._public.common.common_3.*; | ||
|
||
/** | ||
* Unlocks the focus object (if the time has come). | ||
*/ | ||
@Component | ||
public class UnlockTriggerHandler implements SingleTriggerHandler { | ||
|
||
public static final String HANDLER_URI = ModelPublicConstants.UNLOCK_TRIGGER_HANDLER_URI; | ||
|
||
private static final Trace LOGGER = TraceManager.getTrace(UnlockTriggerHandler.class); | ||
|
||
@Autowired private TriggerHandlerRegistry triggerHandlerRegistry; | ||
@Autowired private ModelService modelService; | ||
@Autowired private PrismContext prismContext; | ||
@Autowired private Clock clock; | ||
|
||
@PostConstruct | ||
private void initialize() { | ||
triggerHandlerRegistry.register(HANDLER_URI, this); | ||
} | ||
|
||
@Override | ||
public <O extends ObjectType> void handle(@NotNull PrismObject<O> object, @NotNull TriggerType trigger, | ||
@NotNull RunningTask task, @NotNull OperationResult result) { | ||
O objectable = object.asObjectable(); | ||
LOGGER.trace("Considering unlocking {}", objectable); | ||
if (!(objectable instanceof FocusType)) { | ||
LOGGER.debug("Not a focus object: {}", objectable); | ||
result.recordNotApplicable("Not a focus object"); | ||
return; | ||
} | ||
FocusType focus = (FocusType) objectable; | ||
try { | ||
ActivationType activation = focus.getActivation(); | ||
if (activation == null) { | ||
LOGGER.debug("No activation in {}", objectable); | ||
result.recordNotApplicable("No activation"); | ||
return; | ||
} | ||
|
||
XMLGregorianCalendar lockoutExpirationTimestamp = activation.getLockoutExpirationTimestamp(); | ||
if (lockoutExpirationTimestamp != null | ||
&& clock.currentTimeXMLGregorianCalendar().compare(lockoutExpirationTimestamp) == LESSER) { | ||
LOGGER.debug("The lockout for {} has not expired yet: {}", focus, lockoutExpirationTimestamp); | ||
result.recordNotApplicable("The lockout has not expired yet"); | ||
return; | ||
} | ||
|
||
LOGGER.debug("Unlocking {}", focus); | ||
// We do this intentionally via model API, as there's some non-trivial processing inside | ||
// (e.g., clearing the number of failed logins). | ||
// This also causes the change to be audited. | ||
modelService.executeChanges( | ||
List.of( | ||
prismContext.deltaFor(FocusType.class) | ||
.item(FocusType.F_ACTIVATION, ActivationType.F_LOCKOUT_STATUS) | ||
.replace(LockoutStatusType.NORMAL) | ||
.asObjectDelta(focus.getOid())), | ||
null, | ||
task, | ||
result); | ||
LOGGER.debug("Unlocked {}", focus); | ||
} catch (CommonException | RuntimeException | Error e) { | ||
LoggingUtils.logUnexpectedException(LOGGER, "Couldn't unlock object {}", e, object); | ||
// Intentionally not retrying. | ||
} | ||
} | ||
|
||
@Override | ||
public boolean isIdempotent() { | ||
return true; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
18 changes: 18 additions & 0 deletions
18
model/model-impl/src/test/resources/common/task-trigger-scanner-on-demand.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
<!-- | ||
~ Copyright (c) 2010-2017 Evolveum and contributors | ||
~ | ||
~ This work is dual-licensed under the Apache License 2.0 | ||
~ and European Union Public License. See LICENSE file for details. | ||
--> | ||
|
||
<task oid="2ee5c2a9-0f46-438a-8748-7ac71f46a343" | ||
xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"> | ||
|
||
<name>Trigger Scanner (on demand)</name> | ||
|
||
<ownerRef oid="00000000-0000-0000-0000-000000000002"/> | ||
<executionState>closed</executionState> <!-- run on demand only --> | ||
|
||
<handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/trigger/scanner/handler-3</handlerUri> | ||
</task> |