Package com.evolveum.midpoint.repo.common.security

Class CredentialsStorageManager

java.lang.Object

com.evolveum.midpoint.repo.common.security.CredentialsStorageManager

@Component
public class CredentialsStorageManager
extends Object

Prepares credentials (focus, shadow) for storage in the repository, taking into account the storage method specified in the relevant security policy. Does not actually store the password in the repository. Just prepares the data by transforming the values, items or deltas.

Constructor Summary

Constructors

Constructor	Description
CredentialsStorageManager()

Method Summary

Modifier and Type	Method	Description
@Nullable PropertyDelta<ProtectedStringType>	createShadowPasswordDelta(@Nullable CredentialsPolicyType credentialsPolicy, @Nullable ProtectedStringType oldValue, @NotNull ProtectedStringType newValue)	Prepares the shadow password property for storage (into an existing shadow): returns a delta that does so.
<O extends ObjectType> ObjectDelta<O>	transformFocusExecutionDelta(@Nullable CredentialsPolicyType credentialsPolicy, @NotNull ObjectDelta<O> delta)
PropertyDelta<ProtectedStringType>	transformShadowPasswordDelta(@Nullable CredentialsPolicyType credentialsPolicy, boolean legacyCaching, PropertyDelta<ProtectedStringType> delta)	We assume that only cleartext or encrypted values come in the delta.
void	transformShadowPasswordWithRealValue(@Nullable CredentialsPolicyType credentialsPolicy, boolean legacyCaching, @NotNull PrismProperty<ProtectedStringType> passwordProperty)	Prepares the shadow password property for storage (into a new shadow).
@Nullable PropertyDelta<ProtectedStringType>	updateShadowPasswordIfNeeded(@NotNull ProtectedStringType existingPasswordValue, CredentialsPolicyType credentialsPolicy, boolean legacyCaching)	Returns deltas to update shadow password under (possibly) changed policies: - encrypted -> hashed / none - hashed -> none We assume the value is either encrypted or hashed, i.e., it's not in the cleartext nor in the external form.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

CredentialsStorageManager

public CredentialsStorageManager()

Method Details

transformFocusExecutionDelta

public <O extends ObjectType> ObjectDelta<O> transformFocusExecutionDelta(@Nullable
 @Nullable CredentialsPolicyType credentialsPolicy,
 @NotNull
 @NotNull ObjectDelta<O> delta)
                                                                   throws SchemaException,
EncryptionException

Throws:

SchemaException

EncryptionException

transformShadowPasswordDelta

public PropertyDelta<ProtectedStringType> transformShadowPasswordDelta(@Nullable
 @Nullable CredentialsPolicyType credentialsPolicy,
 boolean legacyCaching,
 PropertyDelta<ProtectedStringType> delta)
                                                                throws SchemaException,
EncryptionException

We assume that only cleartext or encrypted values come in the delta.

Throws:

SchemaException

EncryptionException

transformShadowPasswordWithRealValue

public void transformShadowPasswordWithRealValue(@Nullable
 @Nullable CredentialsPolicyType credentialsPolicy,
 boolean legacyCaching,
 @NotNull
 @NotNull PrismProperty<ProtectedStringType> passwordProperty)
                                          throws SchemaException,
EncryptionException

Prepares the shadow password property for storage (into a new shadow). Expects that the property contains the real value. The legacy caching supports the hashing only.

Throws:

SchemaException

EncryptionException

createShadowPasswordDelta

@Nullable
public @Nullable PropertyDelta<ProtectedStringType> createShadowPasswordDelta(@Nullable
 @Nullable CredentialsPolicyType credentialsPolicy,
 @Nullable
 @Nullable ProtectedStringType oldValue,
 @NotNull
 @NotNull ProtectedStringType newValue)
                                                                       throws SchemaException,
EncryptionException

Prepares the shadow password property for storage (into an existing shadow): returns a delta that does so. Expects that the new value contains the real value that is either clear or encrypted.

Throws:

SchemaException

EncryptionException

updateShadowPasswordIfNeeded

@Nullable
public @Nullable PropertyDelta<ProtectedStringType> updateShadowPasswordIfNeeded(@NotNull
 @NotNull ProtectedStringType existingPasswordValue,
 CredentialsPolicyType credentialsPolicy,
 boolean legacyCaching)
                                                                          throws SchemaException,
EncryptionException

Returns deltas to update shadow password under (possibly) changed policies: - encrypted -> hashed / none - hashed -> none We assume the value is either encrypted or hashed, i.e., it's not in the cleartext nor in the external form.

Throws:

SchemaException

EncryptionException