the class OpenSSOPolicyDataStore method addPolicy.
/**
 * Persists a {@link Privilege} as a named policy entry in the configuration store and then
 * registers it with the privilege index store.
 *
 * <p>The directory write runs under the internal admin token ({@code dsameUserToken});
 * {@code subject} is only recorded in the audit log entries. The MODIFY check is evaluated
 * as the super admin (see AME-4959), so per-caller authorisation is presumably expected to
 * have happened before this method is invoked.
 *
 * @param subject   caller, recorded in the ATTEMPT/SUCCEEDED/FAILED audit log entries
 * @param realm     realm the policy belongs to
 * @param privilege privilege to store
 * @throws EntitlementException 326 if the application MODIFY check fails,
 *         {@code POLICY_ALREADY_EXISTS} if an entry with the same name is already present,
 *         or 202 if converting or storing the policy fails
 */
public void addPolicy(Subject subject, String realm, Privilege privilege) throws EntitlementException {
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager appPrivMgr =
            ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!appPrivMgr.hasPrivilege(privilege, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    String policyName = "";
    try {
        Object policyObject = PrivilegeUtils.privilegeToPolicyObject(realm, privilege);
        policyName = PrivilegeUtils.getPolicyName(policyObject);
        boolean supported = policyObject instanceof Policy
                || policyObject instanceof com.sun.identity.entitlement.xacml3.core.Policy;
        if (!supported) {
            // Unknown representation: nothing is written and no audit entry is produced,
            // only a debug-level error.
            PrivilegeManager.debug.error("OpenSSOPolicyDataStore.addPolicy: unknown class " + policyObject.getClass().getName());
            return;
        }
        String dn = getPolicyDistinguishedName(realm, policyName);
        // The existence check and the save are separate directory operations; a concurrent add
        // of the same name in between is not excluded here. NOTE(review): confirm whether
        // SMSEntry.save() itself rejects an already existing DN.
        if (SMSEntry.checkIfEntryExists(dn, dsameUserToken)) {
            throw new EntitlementException(EntitlementException.POLICY_ALREADY_EXISTS);
        }
        createParentNode(dsameUserToken, realm);
        SMSEntry entry = new SMSEntry(dsameUserToken, dn);
        Set<String> serviceIds = new HashSet<String>(2);
        serviceIds.add("NamedPolicy");
        Set<String> objectClasses = new HashSet<String>(4);
        objectClasses.add(SMSEntry.OC_TOP);
        objectClasses.add(SMSEntry.OC_SERVICE_COMP);
        // The policy body is stored as a single "<POLICY_XML>=<xml>" key/value string.
        Set<String> keyValues = new HashSet<String>(2);
        keyValues.add(POLICY_XML + "=" + PrivilegeUtils.policyToXML(policyObject));
        Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
        attrs.put(SMSEntry.ATTR_SERVICE_ID, serviceIds);
        attrs.put(SMSEntry.ATTR_OBJECTCLASS, objectClasses);
        attrs.put(SMSEntry.ATTR_KEYVAL, keyValues);
        entry.setAttributes(attrs);
        String[] auditParams = { DNMapper.orgNameToRealmName(realm), policyName };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_ADD_PRIVILEGE", auditParams, subject);
        entry.save();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_ADD_PRIVILEGE", auditParams, subject);
        // Index store registration happens after the directory write has succeeded.
        PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        Set<IPrivilege> toIndex = new HashSet<IPrivilege>();
        toIndex.add(privilege);
        indexStore.add(toIndex);
    } catch (PolicyException e) {
        throw addPolicyFailure(subject, realm, policyName, e);
    } catch (SSOException e) {
        throw addPolicyFailure(subject, realm, policyName, e);
    } catch (SMSException e) {
        throw addPolicyFailure(subject, realm, policyName, e);
    }
}

/**
 * Writes the FAILED_ADD_PRIVILEGE audit entry for a failed {@link #addPolicy} and wraps the
 * cause in error 202; the caller throws the returned exception.
 *
 * @param subject    caller recorded in the audit entry
 * @param realm      realm of the attempted add
 * @param policyName policy name, or {@code ""} if conversion failed before a name was known
 * @param cause      the underlying failure
 * @return the exception to throw
 */
private static EntitlementException addPolicyFailure(Subject subject, String realm, String policyName, Exception cause) {
    String[] auditParams = { DNMapper.orgNameToRealmName(realm), policyName, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_ADD_PRIVILEGE", auditParams, subject);
    return new EntitlementException(202, new Object[] { policyName }, cause);
}
the class OpenSSOPolicyDataStore method getReferral.
/**
 * Loads the referral stored under {@code name} in {@code realm}.
 *
 * <p>The store is read with the caller's own SSO token; only the super admin subject is
 * mapped to the internal admin token. Every failure while reading or parsing the entry —
 * SSOException, SMSException, and runtime failures such as a missing key/value attribute,
 * an empty parse result or an entry that is not a {@link ReferralPrivilege} — is reported
 * as error 204 with the cause attached.
 *
 * @param adminSubject subject whose token is used to read the store
 * @param realm        realm to look in
 * @param name         referral (policy) name
 * @return the stored referral privilege
 * @throws EntitlementException 262 if no token can be derived from {@code adminSubject},
 *         263 if no entry with that name exists, 204 on any read or parse failure
 */
public ReferralPrivilege getReferral(Subject adminSubject, String realm, String name) throws EntitlementException {
    SSOToken token;
    if (adminSubject == PrivilegeManager.superAdminSubject) {
        token = dsameUserToken;
    } else {
        token = SubjectUtils.getSSOToken(adminSubject);
    }
    if (token == null) {
        throw new EntitlementException(262, new Object[] { name });
    }
    String dn = getPolicyDistinguishedName(realm, name);
    if (!SMSEntry.checkIfEntryExists(dn, token)) {
        throw new EntitlementException(263, new Object[] { name });
    }
    try {
        Map<String, Set<String>> attrs = new SMSEntry(token, dn).getAttributes();
        String storedXml = attrs.get(SMSEntry.ATTR_KEYVAL).iterator().next();
        // Stored as "<POLICY_XML>=<xml>": strip the key and the '=' separator.
        if (storedXml.startsWith(POLICY_XML)) {
            storedXml = storedXml.substring(POLICY_XML.length() + 1);
        }
        Set<IPrivilege> parsed = PrivilegeUtils.policyToPrivileges(createPolicy(token, realm, storedXml));
        // Only the first parsed privilege is returned; the cast fails (-> 204) if it is not a referral.
        return (ReferralPrivilege) parsed.iterator().next();
    } catch (Exception ex) {
        // SSOException, SMSException and any runtime failure are all mapped to 204.
        throw new EntitlementException(204, new Object[] { name }, ex);
    }
}
the class OpenSSOPolicyDataStore method addReferral.
/**
 * Stores a {@link ReferralPrivilege} as a named policy entry and registers it with the
 * privilege index store.
 *
 * <p>{@code subject} must resolve to an SSO token, but that token is only checked for
 * presence: the directory write runs under the internal admin token ({@code dsameUserToken})
 * and the MODIFY check is evaluated as the super admin (see AME-4959). Unlike
 * {@link #addPolicy}, no check for an already existing entry of the same name is made here —
 * NOTE(review): confirm how {@code SMSEntry.save()} behaves when the DN already exists.
 *
 * @param subject  caller; must carry an SSO token, also recorded in the audit log entries
 * @param realm    realm the referral belongs to
 * @param referral referral to store (must not be {@code null})
 * @throws EntitlementException 260 if no token can be derived from {@code subject}, 326 if the
 *         MODIFY check fails, or 261 if converting or storing the referral fails
 */
public void addReferral(Subject subject, String realm, ReferralPrivilege referral) throws EntitlementException {
    String referralName = referral.getName();
    String dn = getPolicyDistinguishedName(realm, referralName);
    if (SubjectUtils.getSSOToken(subject) == null) {
        throw new EntitlementException(260, new Object[] { referralName });
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager appPrivMgr =
            ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!appPrivMgr.hasPrivilege(referral, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    try {
        createParentNode(dsameUserToken, realm);
        SMSEntry entry = new SMSEntry(dsameUserToken, dn);
        Set<String> serviceIds = new HashSet<String>(2);
        serviceIds.add("NamedPolicy");
        Set<String> objectClasses = new HashSet<String>(4);
        objectClasses.add(SMSEntry.OC_TOP);
        objectClasses.add(SMSEntry.OC_SERVICE_COMP);
        // The referral is serialised through its legacy Policy form as "<POLICY_XML>=<xml>".
        Policy asPolicy = PrivilegeUtils.referralPrivilegeToPolicy(realm, referral);
        Set<String> keyValues = new HashSet<String>(2);
        keyValues.add(POLICY_XML + "=" + asPolicy.toXML());
        Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
        attrs.put(SMSEntry.ATTR_SERVICE_ID, serviceIds);
        attrs.put(SMSEntry.ATTR_OBJECTCLASS, objectClasses);
        attrs.put(SMSEntry.ATTR_KEYVAL, keyValues);
        entry.setAttributes(attrs);
        String[] auditParams = { DNMapper.orgNameToRealmName(realm), referralName };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_ADD_REFERRAL", auditParams, subject);
        entry.save();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_ADD_REFERRAL", auditParams, subject);
        // Index store registration happens after the directory write has succeeded.
        PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        Set<IPrivilege> toIndex = new HashSet<IPrivilege>();
        toIndex.add(referral);
        indexStore.add(toIndex);
    } catch (PolicyException e) {
        throw addReferralFailure(subject, realm, referralName, e);
    } catch (SSOException e) {
        throw addReferralFailure(subject, realm, referralName, e);
    } catch (SMSException e) {
        throw addReferralFailure(subject, realm, referralName, e);
    }
}

/**
 * Writes the FAILED_ADD_REFERRAL audit entry for a failed {@link #addReferral} and wraps the
 * cause in error 261; the caller throws the returned exception.
 *
 * @param subject      caller recorded in the audit entry
 * @param realm        realm of the attempted add
 * @param referralName name of the referral being added
 * @param cause        the underlying failure
 * @return the exception to throw
 */
private static EntitlementException addReferralFailure(Subject subject, String realm, String referralName, Exception cause) {
    String[] auditParams = { DNMapper.orgNameToRealmName(realm), referralName, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_ADD_REFERRAL", auditParams, subject);
    return new EntitlementException(261, new Object[] { referralName }, cause);
}
the class OpenSSOApplicationPrivilegeManager method removeAllPrivileges.
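/**
 * Removes every application privilege of {@code realm} together with its companion
 * "ghost" privilege ({@code GHOST_PRIVILEGE_NAME_PREFIX + name}) from the hidden realm.
 *
 * <p>Runs with the server's own admin token obtained via {@link AdminTokenAction} inside
 * {@code AccessController.doPrivileged}; no caller authorisation is applied in this method,
 * so callers are presumably expected to have performed it already.
 *
 * @param realm realm whose application privileges are removed
 * @throws EntitlementException if listing or removing a privilege fails
 */
static void removeAllPrivileges(String realm) throws EntitlementException {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Subject adminSubject = SubjectUtils.createSubject(adminToken);
    // The manager depends only on the hidden realm and the admin subject, so it is obtained
    // once instead of once per privilege.
    PrivilegeManager pm = PrivilegeManager.getInstance(getHiddenRealmDN(), adminSubject);
    for (Iterator<IPrivilege> it = getPrivileges(realm); it.hasNext(); ) {
        // Assumes getPrivileges() yields only Privilege instances; any other IPrivilege
        // implementation would fail this cast — TODO confirm.
        Privilege p = (Privilege) it.next();
        String name = p.getName();
        pm.remove(name);
        pm.remove(GHOST_PRIVILEGE_NAME_PREFIX + name);
    }
}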
the class OpenSSOIndexStore method getPrivilege.
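/**
 * Retrieves a single privilege by name, consulting the in-memory policy cache first.
 *
 * <p>When the cache is enabled ({@code policyCacheSize > 0}) a cache hit is returned
 * directly. On a miss the data store is queried only if the cache is known to be incomplete
 * for this realm ({@link #isPolicyCacheBehind}); a result from the store is cached before it
 * is returned.
 *
 * @param privilegeName Name of the privilege to return.
 * @return The privilege, or {@code null} if none was found or the data store lookup failed
 *         (that failure is logged at error level and not propagated).
 */
public IPrivilege getPrivilege(String privilegeName) {
    String realm = getRealm();
    //if we have anything in the cache try to retrieve this one from it before going to DS
    if (policyCacheSize > 0) {
        String dn = DataStore.getPrivilegeDistinguishedName(privilegeName, realm, null);
        IPrivilege cached = policyCache.getPolicy(dn);
        if (cached != null) {
            return cached;
        }
    }
    //only search if we don't know we have everything in the cache
    if (isPolicyCacheBehind(realm)) {
        try {
            IPrivilege result = dataStore.getPrivilege(realm, privilegeName);
            cache(result, null, realm);
            return result;
        } catch (EntitlementException e) {
            // Log context names this method so the entry can be traced back to the lookup path.
            PolicyConstants.DEBUG.error("OpenSSOIndexStore.getPrivilege", e);
        }
    }
    return null;
}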