
Example 1 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

Class OpenSSOPolicyDataStore, method addPolicy.

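/**
 * Persists a privilege as a named policy in the configuration store and registers it with the index store.
 *
 * The MODIFY application privilege is checked against the super admin subject (delegation is not
 * configurable, see AME-4959) and the store is read and written with the dsame user token; the caller's
 * {@code subject} is only recorded in the audit log entries.
 *
 * @param subject   subject recorded in the ATTEMPT/SUCCEEDED/FAILED_ADD_PRIVILEGE audit entries
 * @param realm     realm the policy belongs to
 * @param privilege privilege to store
 * @throws EntitlementException 326 if MODIFY is not granted, POLICY_ALREADY_EXISTS if an entry with the
 *         same name already exists, or 202 if converting or persisting the policy fails
 */
public void addPolicy(Subject subject, String realm, Privilege privilege) throws EntitlementException {
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager applPrivilegeMgr = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!applPrivilegeMgr.hasPrivilege(privilege, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    // Empty until the policy object has been built, so a failure before that point is logged with an empty name.
    String name = "";
    try {
        Object policy = PrivilegeUtils.privilegeToPolicyObject(realm, privilege);
        name = PrivilegeUtils.getPolicyName(policy);
        boolean supported = policy instanceof Policy
                || policy instanceof com.sun.identity.entitlement.xacml3.core.Policy;
        if (!supported) {
            // NOTE(review): an unsupported policy class is only logged; the caller is not told that nothing was stored.
            PrivilegeManager.debug.error("OpenSSOPolicyDataStore.addPolicy: unknown class " + policy.getClass().getName());
            return;
        }
        String dn = getPolicyDistinguishedName(realm, name);
        if (SMSEntry.checkIfEntryExists(dn, dsameUserToken)) {
            throw new EntitlementException(EntitlementException.POLICY_ALREADY_EXISTS);
        }
        createParentNode(dsameUserToken, realm);
        SMSEntry entry = new SMSEntry(dsameUserToken, dn);
        Map<String, Set<String>> attributes = new HashMap<String, Set<String>>();
        Set<String> serviceId = new HashSet<String>(2);
        serviceId.add("NamedPolicy");
        attributes.put(SMSEntry.ATTR_SERVICE_ID, serviceId);
        Set<String> objectClasses = new HashSet<String>(4);
        objectClasses.add(SMSEntry.OC_TOP);
        objectClasses.add(SMSEntry.OC_SERVICE_COMP);
        attributes.put(SMSEntry.ATTR_OBJECTCLASS, objectClasses);
        Set<String> keyValues = new HashSet<String>(2);
        // The policy XML is stored as a single "<POLICY_XML>=<xml>" key-value attribute.
        keyValues.add(POLICY_XML + "=" + PrivilegeUtils.policyToXML(policy));
        attributes.put(SMSEntry.ATTR_KEYVAL, keyValues);
        entry.setAttributes(attributes);
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_ADD_PRIVILEGE", logParams, subject);
        entry.save();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_ADD_PRIVILEGE", logParams, subject);
        // Register the stored privilege with the index store.
        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        Set<IPrivilege> privileges = new HashSet<IPrivilege>();
        privileges.add(privilege);
        pis.add(privileges);
    } catch (PolicyException e) {
        throw failedAddPolicy(subject, realm, name, e);
    } catch (SSOException e) {
        throw failedAddPolicy(subject, realm, name, e);
    } catch (SMSException e) {
        throw failedAddPolicy(subject, realm, name, e);
    }
}

/**
 * Writes the FAILED_ADD_PRIVILEGE audit entry and builds the exception (code 202) that addPolicy throws.
 *
 * @param subject subject recorded in the audit entry
 * @param realm   realm of the policy (logged as a realm name)
 * @param name    policy name, possibly empty if the failure happened before it was known
 * @param cause   the underlying failure; its message is logged and it is kept as the cause
 * @return the exception for the caller to throw
 */
private EntitlementException failedAddPolicy(Subject subject, String realm, String name, Exception cause) {
    String[] logParams = { DNMapper.orgNameToRealmName(realm), name, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_ADD_PRIVILEGE", logParams, subject);
    Object[] params = { name };
    return new EntitlementException(202, params, cause);
}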

Example 2 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

Class OpenSSOPolicyDataStore, method getReferral.

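/**
 * Loads a referral privilege by name from the configuration store.
 *
 * @param adminSubject subject whose SSO token is used for the read; the super admin subject (compared by
 *                     reference) is mapped to the dsame user token
 * @param realm        realm the referral belongs to
 * @param name         referral name
 * @return the referral privilege parsed from the stored policy
 * @throws EntitlementException 262 if no token can be derived from {@code adminSubject}, 263 if no entry
 *         exists for the name, or 204 if reading, parsing or casting the stored entry fails
 */
public ReferralPrivilege getReferral(Subject adminSubject, String realm, String name) throws EntitlementException {
    // Reference comparison is deliberate: only the shared super-admin subject maps to the dsame user token.
    SSOToken adminToken = (adminSubject == PrivilegeManager.superAdminSubject) ? dsameUserToken : SubjectUtils.getSSOToken(adminSubject);
    if (adminToken == null) {
        Object[] params = { name };
        throw new EntitlementException(262, params);
    }
    // Both the existence check and the read below use the caller's token, not the dsame user token.
    String dn = getPolicyDistinguishedName(realm, name);
    if (!SMSEntry.checkIfEntryExists(dn, adminToken)) {
        Object[] params = { name };
        throw new EntitlementException(263, params);
    }
    try {
        SMSEntry entry = new SMSEntry(adminToken, dn);
        Map<String, Set<String>> attributes = entry.getAttributes();
        Set<String> keyValues = attributes.get(SMSEntry.ATTR_KEYVAL);
        // Stored as "<POLICY_XML>=<xml>"; strip the key and the separator before parsing.
        String xml = keyValues.iterator().next();
        if (xml.startsWith(POLICY_XML)) {
            xml = xml.substring(POLICY_XML.length() + 1);
        }
        Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(createPolicy(adminToken, realm, xml));
        // The first privilege of the parsed policy is taken to be the referral.
        return (ReferralPrivilege) privileges.iterator().next();
    } catch (Exception ex) {
        // SSOException, SMSException and every other failure (missing or empty key-value attribute, an entry
        // whose first privilege is not a ReferralPrivilege) are all reported as 204 with the cause attached.
        Object[] params = { name };
        throw new EntitlementException(204, params, ex);
    }
}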

Example 3 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

Class OpenSSOPolicyDataStore, method addReferral.

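/**
 * Persists a referral privilege as a named policy in the configuration store and registers it with the
 * index store.
 *
 * The caller must have an SSO token (260), but the MODIFY application privilege is checked against the super
 * admin subject (delegation is not configurable, see AME-4959) and the store is written with the dsame user
 * token; the caller's {@code subject} is otherwise only recorded in the audit log entries.
 *
 * @param subject  caller, used for the token check and the ATTEMPT/SUCCEEDED/FAILED_ADD_REFERRAL audit entries
 * @param realm    realm the referral belongs to
 * @param referral referral privilege to store
 * @throws EntitlementException 260 if the subject has no SSO token, 326 if MODIFY is not granted, or 261 if
 *         converting or persisting the referral fails
 */
public void addReferral(Subject subject, String realm, ReferralPrivilege referral) throws EntitlementException {
    String name = referral.getName();
    String dn = getPolicyDistinguishedName(realm, name);
    // The caller's token is only required to exist; all store access below uses the dsame user token.
    if (SubjectUtils.getSSOToken(subject) == null) {
        Object[] params = { name };
        throw new EntitlementException(260, params);
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager applPrivilegeMgr = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!applPrivilegeMgr.hasPrivilege(referral, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    try {
        createParentNode(dsameUserToken, realm);
        SMSEntry entry = new SMSEntry(dsameUserToken, dn);
        Map<String, Set<String>> attributes = new HashMap<String, Set<String>>();
        Set<String> serviceId = new HashSet<String>(2);
        serviceId.add("NamedPolicy");
        attributes.put(SMSEntry.ATTR_SERVICE_ID, serviceId);
        Set<String> objectClasses = new HashSet<String>(4);
        objectClasses.add(SMSEntry.OC_TOP);
        objectClasses.add(SMSEntry.OC_SERVICE_COMP);
        attributes.put(SMSEntry.ATTR_OBJECTCLASS, objectClasses);
        Set<String> keyValues = new HashSet<String>(2);
        // The referral is converted to a policy whose XML is stored as a single "<POLICY_XML>=<xml>" attribute.
        Policy policy = PrivilegeUtils.referralPrivilegeToPolicy(realm, referral);
        keyValues.add(POLICY_XML + "=" + policy.toXML());
        attributes.put(SMSEntry.ATTR_KEYVAL, keyValues);
        entry.setAttributes(attributes);
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_ADD_REFERRAL", logParams, subject);
        entry.save();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_ADD_REFERRAL", logParams, subject);
        // Register the stored referral with the index store.
        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        Set<IPrivilege> referrals = new HashSet<IPrivilege>();
        referrals.add(referral);
        pis.add(referrals);
    } catch (PolicyException e) {
        throw failedAddReferral(subject, realm, name, e);
    } catch (SSOException e) {
        throw failedAddReferral(subject, realm, name, e);
    } catch (SMSException e) {
        throw failedAddReferral(subject, realm, name, e);
    }
}

/**
 * Writes the FAILED_ADD_REFERRAL audit entry and builds the exception (code 261) that addReferral throws.
 *
 * @param subject subject recorded in the audit entry
 * @param realm   realm of the referral (logged as a realm name)
 * @param name    referral name
 * @param cause   the underlying failure; its message is logged and it is kept as the cause
 * @return the exception for the caller to throw
 */
private EntitlementException failedAddReferral(Subject subject, String realm, String name, Exception cause) {
    String[] logParams = { DNMapper.orgNameToRealmName(realm), name, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_ADD_REFERRAL", logParams, subject);
    Object[] params = { name };
    return new EntitlementException(261, params, cause);
}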

Example 4 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

Class OpenSSOApplicationPrivilegeManager, method removeAllPrivileges.

/**
 * Removes every privilege listed by {@code getPrivileges(realm)} from the hidden realm, together with its
 * ghost counterpart ({@code GHOST_PRIVILEGE_NAME_PREFIX} + name).
 *
 * The removal runs as the admin token obtained through {@link AdminTokenAction}, not as the caller.
 *
 * @param realm realm whose application privileges are removed
 * @throws EntitlementException if a removal fails
 */
static void removeAllPrivileges(String realm) throws EntitlementException {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Subject dsameUserSubject = SubjectUtils.createSubject(adminToken);
    Iterator<IPrivilege> remaining = getPrivileges(realm);
    while (remaining.hasNext()) {
        // Entries are cast to Privilege; anything else in the iterator would fail the cast.
        String privilegeName = ((Privilege) remaining.next()).getName();
        // NOTE(review): a manager instance is obtained per iteration; if getInstance is stateless it could be hoisted.
        PrivilegeManager manager = PrivilegeManager.getInstance(getHiddenRealmDN(), dsameUserSubject);
        manager.remove(privilegeName);
        manager.remove(GHOST_PRIVILEGE_NAME_PREFIX + privilegeName);
    }
}

Example 5 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

Class OpenSSOIndexStore, method getPrivilege.

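/**
 * Retrieve an individual privilege from the data store.
 *
 * The policy cache is consulted first (when it is enabled); the data store is only queried if the cache is
 * known to be behind for this realm. A data-store failure is logged at debug level and reported as
 * {@code null}, so callers cannot distinguish "not found" from "lookup failed".
 *
 * @param privilegeName Name of the privilege to return.
 * @return The privilege, or {@code null} if none was found or the data-store lookup failed.
 */
public IPrivilege getPrivilege(String privilegeName) {
    String realm = getRealm();
    //if we have anything in the cache try to retrieve this one from it before going to DS
    if (policyCacheSize > 0) {
        String dn = DataStore.getPrivilegeDistinguishedName(privilegeName, realm, null);
        IPrivilege cached = policyCache.getPolicy(dn);
        if (cached != null) {
            return cached;
        }
    }
    //only search if we don't know we have everything in the cache
    if (isPolicyCacheBehind(realm)) {
        try {
            IPrivilege result = dataStore.getPrivilege(realm, privilegeName);
            cache(result, null, realm);
            return result;
        } catch (EntitlementException e) {
            // Log under this method's name (the previous label referred to GetTask.runPolicy) and fall through to null.
            PolicyConstants.DEBUG.error("OpenSSOIndexStore.getPrivilege", e);
        }
    }
    return null;
}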
