
Example 1 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

the class AuthSchemeCondition method evaluate.

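/**
 * {@inheritDoc}
 *
 * <p>Satisfied when the subject has authenticated with every scheme listed in
 * {@code this.authScheme}. The schemes the subject actually used are taken from
 * {@code env.get(REQUEST_AUTH_SCHEMES)} when that entry is present; only when it
 * is absent are they read from the SSO token found in the subject's private
 * credentials. Because the env value takes precedence over the session, it must
 * only be populated by trusted callers (assumption about the evaluator — confirm).
 *
 * <p>A realm-qualified required scheme must match exactly; an unqualified one
 * may also be satisfied by the realm-stripped set of authenticated schemes.
 * Evaluation stops at the first unsatisfied scheme, which becomes the advice.
 *
 * <p>When application idle timeout is enabled and the schemes are satisfied, the
 * idle deadline is checked against {@code timeService.now()}; an expired session
 * is denied with a force-authentication advice, otherwise the deadline is
 * refreshed on the token and returned as the decision's time-to-live.
 *
 * @param realm        realm of the evaluation (not used by this condition)
 * @param subject      subject being evaluated; may be {@code null}
 * @param resourceName resource being accessed (not used by this condition)
 * @param env          caller-supplied environment; must not be {@code null}
 * @return the decision, its advices and the time-to-live of the decision
 * @throws EntitlementException propagated from the helpers this method calls
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    if (debug.messageEnabled()) {
        debug.message("At AuthSchemeCondition.getConditionDecision():entering:authScheme=" + authScheme + ", appName=" + applicationName + ", applicationIdleTimeout=" + applicationIdleTimeout);
    }
    Set<String> requestAuthSchemes = null;
    Set<String> requestAuthSchemesIgnoreRealm = null;
    SSOToken token = (subject == null) ? null : (SSOToken) getValue(subject.getPrivateCredentials());
    Set<String> envAuthSchemes = env.get(REQUEST_AUTH_SCHEMES);
    if (envAuthSchemes != null) {
        // Env-supplied schemes win over the session's own schemes.
        requestAuthSchemes = envAuthSchemes;
        if (debug.messageEnabled()) {
            debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemes from env= " + requestAuthSchemes);
        }
    } else if (token != null) {
        requestAuthSchemes = coreWrapper.getRealmQualifiedAuthenticatedSchemes(token);
        requestAuthSchemesIgnoreRealm = coreWrapper.getAuthenticatedSchemes(token);
        if (debug.messageEnabled()) {
            debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemes from ssoToken= " + requestAuthSchemes);
            debug.message("At AuthSchemeCondition.getConditionDecision(): requestAuthSchemesIgnoreRealm from " + "ssoToken= " + requestAuthSchemesIgnoreRealm);
        }
    }
    if (requestAuthSchemes == null) {
        requestAuthSchemes = Collections.emptySet();
    }
    if (requestAuthSchemesIgnoreRealm == null) {
        requestAuthSchemesIgnoreRealm = Collections.emptySet();
    }
    // Default to allowed and flip on the first required scheme that is missing.
    boolean allowed = true;
    Set<String> adviceMessages = new HashSet<String>(authScheme.size());
    // Loop variable deliberately does not shadow the authScheme field.
    for (String requiredScheme : this.authScheme) {
        if (requestAuthSchemes.contains(requiredScheme)) {
            continue;
        }
        String schemeRealm = AMAuthUtils.getRealmFromRealmQualifiedData(requiredScheme);
        boolean realmQualified = (schemeRealm != null) && (schemeRealm.length() != 0);
        // A realm-qualified scheme is unsatisfied at this point; an unqualified one
        // gets a second chance against the realm-stripped set.
        if (realmQualified || !requestAuthSchemesIgnoreRealm.contains(requiredScheme)) {
            allowed = false;
            adviceMessages.add(requiredScheme);
            if (debug.messageEnabled()) {
                debug.message("At AuthSchemeCondition.getConditionDecision():authScheme not satisfied = " + requiredScheme);
            }
            break;
        }
    }
    if (debug.messageEnabled()) {
        debug.message("At AuthSchemeCondition.getConditionDecision():authScheme = " + authScheme + "," + " requestAuthSchemes = " + requestAuthSchemes + ",  allowed before applicationIdleTimeout " + "check = " + allowed);
    }
    Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
    if (!allowed) {
        advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
    }
    long timeToLive = Long.MAX_VALUE;
    // The remainder supports application idle timeout.
    long currentTimeMillis = timeService.now();
    // Collects the schemes whose idle timeout has elapsed.
    Set<String> expiredAuthSchemes = new HashSet<String>();
    if (appIdleTimeoutEnabled) {
        // NOTE(review): token may be null here when the schemes came from env;
        // getApplicationIdleTimesoutAt/setTokenProperty are assumed to tolerate
        // that — confirm against their implementations.
        if (allowed) {
            // Schemes are satisfied; the idle-timeout check can still deny.
            long idleTimesOutAtMillis = getApplicationIdleTimesoutAt(token, expiredAuthSchemes, currentTimeMillis);
            if (idleTimesOutAtMillis <= currentTimeMillis) {
                allowed = false;
            }
            if (debug.messageEnabled()) {
                debug.message("At AuthSchemeCondition.getConditionDecision():currentTimeMillis = " + currentTimeMillis + ", idleTimesOutAtMillis = " + idleTimesOutAtMillis + ", expiredAuthSchemes = " + expiredAuthSchemes + ", allowed after applicationIdleTimeout " + "check = " + allowed);
            }
        }
        if (allowed) {
            // Condition satisfied: push the idle deadline forward and cap the
            // decision's validity at that deadline.
            long appIdleTimesoutAt = currentTimeMillis + getApplicationIdleTimeoutInMilliseconds();
            setTokenProperty(token, appIdleTimesoutAtSessionKey, Long.toString(appIdleTimesoutAt));
            timeToLive = appIdleTimesoutAt;
            if (debug.messageEnabled()) {
                debug.message("At AuthSchemeCondition.getConditionDecision():app access allowed, revised " + "appIdleTimesOutAt=" + appIdleTimesoutAt + ", currentTimeMillis=" + currentTimeMillis);
            }
        } else {
            // Condition not satisfied: report the expired schemes and require
            // re-authentication.
            adviceMessages.addAll(expiredAuthSchemes);
            advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
            Set<String> forceAuthAdvices = new HashSet<String>();
            forceAuthAdvices.add(Boolean.TRUE.toString());
            advices.put(FORCE_AUTH_ADVICE, forceAuthAdvices);
        }
    }
    if (debug.messageEnabled()) {
        debug.message("At AuthSchemeCondition.getConditionDecision():just before return:allowed = " + allowed + ", timeToLive = " + timeToLive + ", advices = " + advices);
    }
    return new ConditionDecision(allowed, advices, timeToLive);
}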

Example 2 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method evaluate.

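/**
 * {@inheritDoc}
 *
 * <p>Satisfied when {@code authenticateToRealm} is among the realms the subject
 * has authenticated to, compared case-insensitively. The realms are taken from
 * {@code env.get(REQUEST_AUTHENTICATED_TO_REALMS)} when that entry is present;
 * otherwise they are read from the SSO token in the subject's private
 * credentials. A subject without an {@code SSOToken} credential is treated as
 * authenticated to no realm and is therefore denied, instead of failing with a
 * {@code NoSuchElementException} or {@code ClassCastException}.
 *
 * @param realm        realm of the evaluation (not used by this condition)
 * @param subject      subject being evaluated; may be {@code null}
 * @param resourceName resource being accessed (not used by this condition)
 * @param env          caller-supplied environment; must not be {@code null}
 * @return the decision, with an advice naming the required realm when denied
 * @throws EntitlementException propagated from the helpers this method calls
 */
@SuppressWarnings("unchecked")
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    // Realm names are compared without regard to case, hence a CaseInsensitiveHashSet.
    Set<String> requestAuthnRealms = new CaseInsensitiveHashSet();
    Set<String> envRealms = env.get(REQUEST_AUTHENTICATED_TO_REALMS);
    if (envRealms != null) {
        // Env-supplied realms win over the session's own realms.
        requestAuthnRealms.addAll(envRealms);
        if (debug.messageEnabled()) {
            debug.message("At AuthenticateToRealmCondition.getConditionDecision(): requestAuthnRealms, from " + "request = " + requestAuthnRealms);
        }
    } else {
        SSOToken token = null;
        if (subject != null) {
            // Use the first SSOToken credential; skip other credential types and
            // tolerate an empty credential set rather than calling next() blindly.
            for (Object credential : subject.getPrivateCredentials()) {
                if (credential instanceof SSOToken) {
                    token = (SSOToken) credential;
                    break;
                }
            }
        }
        Set<String> authenticatedRealms = null;
        if (token != null) {
            authenticatedRealms = entitlementCoreWrapper.getAuthenticatedRealms(token);
        }
        if (authenticatedRealms != null) {
            requestAuthnRealms.addAll(authenticatedRealms);
        }
        if (debug.messageEnabled()) {
            debug.message("At AuthenticateToRealmCondition.getConditionDecision(): requestAuthnRealms, from " + "ssoToken = " + requestAuthnRealms);
        }
    }
    // Default to allowed and flip when the required realm is missing.
    boolean allowed = true;
    Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
    Set<String> adviceMessages = new HashSet<String>(1);
    if (!requestAuthnRealms.contains(authenticateToRealm)) {
        allowed = false;
        adviceMessages.add(authenticateToRealm);
        advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE, adviceMessages);
        if (debug.messageEnabled()) {
            debug.message("At AuthenticateToRealmCondition.getConditionDecision():authenticateToRealm not " + "satisfied = " + authenticateToRealm);
        }
    }
    if (debug.messageEnabled()) {
        debug.message("At AuthenticateToRealmCondition.getConditionDecision():authenticateToRealm = " + authenticateToRealm + "," + "requestAuthnRealms = " + requestAuthnRealms + ", " + " allowed = " + allowed);
    }
    return new ConditionDecision(allowed, advices);
}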

Example 3 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method evaluate.

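/**
 * {@inheritDoc}
 *
 * <p>Matches the request environment against the configured environment
 * conditions via {@code matchEnvironment}. When a condition matches, its advice
 * name selects which helper computes the outstanding advice messages (auth
 * scheme, service, level, role, user, redirect URL or realm); the condition is
 * satisfied only when that helper returns no messages. No match, an unknown
 * advice name, an empty advice, or an {@code SSOException} all leave the
 * decision denied (fail-closed), the last of these after logging an error.
 *
 * <p>A subject without an {@code SSOToken} credential is evaluated with a
 * {@code null} token instead of failing with a {@code NoSuchElementException}
 * or {@code ClassCastException}.
 *
 * @param realm        realm of the evaluation (not used by this condition)
 * @param subject      subject being evaluated; may be {@code null}
 * @param resourceName resource being accessed (not used by this condition)
 * @param env          caller-supplied environment; must not be {@code null}
 * @return the decision together with the advice for the matched condition
 * @throws EntitlementException propagated from the helpers this method calls
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    if (debug.messageEnabled()) {
        // NOTE(review): localDebugName is not declared locally, so it appears to be
        // an instance field written on every evaluation — confirm this condition
        // is not shared across threads, or make the prefix a local.
        localDebugName = debugName + ".evaluate(): ";
        debug.message(localDebugName + "client environment map: " + env);
    }
    // Deny unless a matching condition is fully satisfied.
    boolean allowed = false;
    Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
    SSOToken token = null;
    if (subject != null) {
        // Use the first SSOToken credential; skip other credential types and
        // tolerate an empty credential set rather than calling next() blindly.
        for (Object credential : subject.getPrivateCredentials()) {
            if (credential instanceof SSOToken) {
                token = (SSOToken) credential;
                break;
            }
        }
    }
    try {
        EnvironmentCondition condition = matchEnvironment(env, token);
        if (condition != null) {
            String adviceName = condition.adviceName;
            String adviceValue = condition.adviceValue;
            if (debug.messageEnabled()) {
                debug.message(localDebugName + "adviceName : " + adviceName + " and adviceValue : " + adviceValue);
            }
            if (!Utils.isEmpty(adviceName) && !Utils.isEmpty(adviceValue)) {
                // Each branch: no outstanding messages means satisfied; otherwise
                // the messages are returned under the branch-specific advice key.
                if (adviceName.equalsIgnoreCase(ISAuthConstants.MODULE_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforAuthScheme(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
                    }
                } else if (adviceName.equalsIgnoreCase(ISAuthConstants.SERVICE_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforAuthService(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE, adviceMessages);
                    }
                } else if (adviceName.equalsIgnoreCase(ISAuthConstants.AUTH_LEVEL_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforAuthLevel(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(AUTH_LEVEL_CONDITION_ADVICE, adviceMessages);
                    }
                } else if (adviceName.equalsIgnoreCase(ISAuthConstants.ROLE_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforRole(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(PolicyDecisionUtils.AUTH_ROLE_ADVICE, adviceMessages);
                    }
                } else if (adviceName.equalsIgnoreCase(ISAuthConstants.USER_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforUser(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(PolicyDecisionUtils.AUTH_USER_ADVICE, adviceMessages);
                    }
                } else if (adviceName.equalsIgnoreCase(ISAuthConstants.REDIRECT_URL_PARAM)) {
                    Set<String> adviceMessages = getAdviceMessagesforRedirectURL(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(PolicyDecisionUtils.AUTH_REDIRECTION_ADVICE, adviceMessages);
                    }
                } else if ((adviceName.equalsIgnoreCase(ISAuthConstants.REALM_PARAM)) || (adviceName.equalsIgnoreCase(ISAuthConstants.ORG_PARAM))) {
                    Set<String> adviceMessages = getAdviceMessagesforRealm(adviceValue, token, env);
                    if (adviceMessages.isEmpty()) {
                        allowed = true;
                    } else {
                        advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE, adviceMessages);
                    }
                } else if (debug.messageEnabled()) {
                    // Unknown advice name: stays denied with no advice.
                    debug.message(localDebugName + "adviceName is invalid");
                }
            }
        } else if (debug.messageEnabled()) {
            debug.message(localDebugName + "Advice is NULL since there is no matching condition found.");
        }
    } catch (SSOException e) {
        // Fail closed: the decision remains denied; the cause is logged at error level.
        debug.error(debugName + ".evaluate(): Condition evaluation failed", e);
    }
    return new ConditionDecision(allowed, advices);
}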

Example 4 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

the class AuthLevelCondition method evaluate.

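/**
 * {@inheritDoc}
 *
 * <p>Compares the highest authentication level the subject has reached against
 * the configured {@code authLevel}. The level is taken from {@code env} first;
 * when the env yields {@code Integer.MIN_VALUE} (no level present) it is read
 * from the SSO token in the subject's private credentials. The comparison and
 * any advice are delegated to {@code isAllowed}.
 *
 * <p>Denied outright for a {@code null} subject. A subject with no
 * {@code SSOToken} credential keeps {@code Integer.MIN_VALUE} as its level and
 * is judged by {@code isAllowed} like any other unauthenticated level, instead
 * of failing with a {@code NoSuchElementException}. An {@code SSOException}
 * leaves the decision denied (fail-closed) and is logged at debug level.
 *
 * @param realm        realm of the evaluation (not used by this condition)
 * @param subject      subject being evaluated; may be {@code null}
 * @param resourceName resource being accessed (not used by this condition)
 * @param env          caller-supplied environment; must not be {@code null}
 * @return the decision, with any advice populated by {@code isAllowed}
 * @throws EntitlementException if {@code authLevel} has not been configured
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    if (subject == null) {
        return new ConditionDecision(false, Collections.<String, Set<String>>emptyMap());
    }
    if (authLevel == null) {
        throw new EntitlementException(PROPERTY_VALUE_NOT_DEFINED, new String[] { AUTH_LEVEL }, null);
    }
    // Deny unless isAllowed positively grants.
    boolean allowed = false;
    Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
    if (debug.messageEnabled()) {
        debug.message(getConditionName() + ".getConditionDecision():entering");
    }
    try {
        int maxRequestAuthLevel = getMaxRequestAuthLevel(env);
        if (maxRequestAuthLevel == Integer.MIN_VALUE) {
            // Env had no level: fall back to the first SSOToken credential, tolerating
            // an empty credential set or other credential types.
            SSOToken token = null;
            for (Object credential : subject.getPrivateCredentials()) {
                if (credential instanceof SSOToken) {
                    token = (SSOToken) credential;
                    break;
                }
            }
            if (token != null) {
                maxRequestAuthLevel = getMaxRequestAuthLevel(token);
            }
            // NOTE(review): with no token the level stays Integer.MIN_VALUE and the
            // outcome is whatever isAllowed does for that sentinel — confirm it denies.
        }
        allowed = isAllowed(maxRequestAuthLevel, advices);
        if (debug.messageEnabled()) {
            debug.message("At " + getConditionName() + ".getConditionDecision():authLevel=" + authLevel + ",maxRequestAuthLevel=" + maxRequestAuthLevel + ",allowed = " + allowed);
        }
    } catch (SSOException e) {
        // Fail closed: allowed stays false. Only logged at debug level, so a
        // persistent token problem can be silent in production — consider warning.
        if (debug.messageEnabled()) {
            debug.message("Problem getting auth level from SSOToken: " + e.getMessage(), e);
        }
    }
    return new ConditionDecision(allowed, advices);
}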

Example 5 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

the class AuthLevelConditionTest method conditionShouldEvaluateToTrueWhenUsingAuthLevelsFromSSOTokenWithRealmAndIsGE.

@Test
public void conditionShouldEvaluateToTrueWhenUsingAuthLevelsFromSSOTokenWithRealmAndIsGE() throws EntitlementException, SSOException {
    // Given: an empty environment forces the levels to be read from the SSO token.
    // The token reports realm-qualified levels 3, 4 and 6 while the condition
    // requires level 5, so the highest level (6) satisfies it.
    String realmName = "REALM";
    String resource = "RESOURCE_NAME";
    Map<String, Set<String>> environment = new HashMap<String, Set<String>>();
    SSOToken token = mock(SSOToken.class);
    Subject authenticatedSubject = new Subject();
    authenticatedSubject.getPrivateCredentials().add(token);
    condition.setState("{\"authLevel\": 5}");
    Set<String> levelsFromToken = new HashSet<String>();
    for (String level : new String[] { "3", "4", "6" }) {
        // Each qualified level strips to itself.
        given(coreWrapper.getDataFromRealmQualifiedData(level)).willReturn(level);
        levelsFromToken.add(level);
    }
    given(coreWrapper.getAuthenticatedLevels(token)).willReturn(levelsFromToken);
    // When
    ConditionDecision decision = condition.evaluate(realmName, authenticatedSubject, resource, environment);
    // Then
    assertThat(decision.isSatisfied()).isTrue();
    assertThat(decision.getAdvice()).isEmpty();
}
