
Example 11 with DelegationEvaluator

use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

the class UMUserPasswordResetOptionsModelImpl method isRealmAdmin.

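/**
 * Returns <code>true</code> if the current user is a realm administrator.
 *
 * The decision is delegated to a {@link DelegationEvaluator}: the user's SSO
 * token must be allowed the <code>MODIFY</code> action on the
 * <code>sunAMRealmService</code> service (config type <code>organization</code>,
 * sub-configuration <code>default</code>) in the realm recorded on the token
 * itself. A missing token, an {@link SSOException} or a
 * {@link DelegationException} is logged and treated as "not an administrator",
 * so the check fails closed.
 *
 * @return <code>true</code> if the current user is a realm administrator.
 */
public boolean isRealmAdmin() {
    SSOToken token = getUserSSOToken();
    if (token == null) {
        // Deny rather than fail with a NullPointerException on
        // token.getProperty below (assumes getUserSSOToken may return null).
        debug.warning("UserPasswordResetOptionsModelImpl.isRealmAdmin: no SSO token");
        return false;
    }
    try {
        Set<String> actionNames = new HashSet<String>();
        actionNames.add("MODIFY");
        // The realm comes from the session itself, not from request input,
        // so the caller cannot be evaluated against a realm they are not in.
        String realm = token.getProperty(Constants.ORGANIZATION);
        DelegationPermission permission = new DelegationPermission(
                realm, "sunAMRealmService", "1.0", "organization", "default", actionNames, null);
        DelegationEvaluator de = new DelegationEvaluatorImpl();
        return de.isAllowed(token, permission, null);
    } catch (SSOException e) {
        debug.warning("UserPasswordResetOptionsModelImpl.isRealmAdmin", e);
    } catch (DelegationException e) {
        debug.warning("UserPasswordResetOptionsModelImpl.isRealmAdmin", e);
    }
    // Any evaluation failure denies.
    return false;
}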

Example 12 with DelegationEvaluator

use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

the class ISAuthorizer method isAuthorized.

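/**
 * Returns <code>true</code> if a given log record should be published.
 *
 * The credential must be an {@link SSOToken}; anything else is denied
 * immediately. A valid token is then checked by a {@link DelegationEvaluator}
 * against the <code>iPlanetAMLoggingService</code> service in the token's own
 * realm, using the <code>LogRead</code> sub-configuration for a
 * <code>READ</code> operation and <code>LogWrite</code> for every other
 * operation. Every failure path (null credential, null operation, invalid
 * token, {@link SSOException}, {@link DelegationException}) is logged and
 * results in a denial.
 *
 * @param logName Log name on which operation is to be performed.
 * @param operation The log operation to be performed.
 * @param credential The credential to be authorized; must be an {@link SSOToken}.
 * @return <code>true</code> if the credential is authorized.
 */
public boolean isAuthorized(String logName, String operation, Object credential) {
    SSOToken ssoToken = null;
    if (credential instanceof SSOToken) {
        ssoToken = (SSOToken) credential;
    }
    if (ssoToken == null) {
        Debug.error("ISAuthorizer.isAuthorized(): SSO Token is null ");
        return false;
    }
    // Without this guard a null operation escapes as a NullPointerException
    // from equalsIgnoreCase below instead of being logged as a denial.
    if (operation == null) {
        Debug.error("ISAuthorizer.isAuthorized(): operation is null ");
        return false;
    }
    try {
        String tmpID = ssoToken.getPrincipal().getName();
        if (Debug.messageEnabled()) {
            Debug.message("ISAuthorizer.isAuthorized():logName = " + logName + ", op = " + operation + ", uid = " + tmpID);
        }
        // Only READ maps to the LogRead sub-configuration; all other
        // operations are evaluated against LogWrite.
        String thisSubConfig = "LogWrite";
        if (operation.equalsIgnoreCase("READ")) {
            thisSubConfig = "LogRead";
        }
        SSOTokenManager ssoMgr = SSOTokenManager.getInstance();
        if (ssoMgr.isValidToken(ssoToken)) {
            Map tmap = new HashMap();
            Set actSet = Collections.singleton(operation);
            try {
                // The realm is read from the token, not from the request.
                String amRealm = ssoToken.getProperty(Constants.ORGANIZATION);
                DelegationPermission dp = new DelegationPermission(
                        amRealm,                    // realm
                        "iPlanetAMLoggingService",  // service name
                        "1.0",                      // version
                        "application",              // config type
                        thisSubConfig,              // subConfig name
                        actSet,                     // actions
                        tmap);                      // extensions
                DelegationEvaluator de = new DelegationEvaluatorImpl();
                if (de.isAllowed(ssoToken, dp, null)) {
                    return true;
                }
                Debug.error(logName + ":ISAuthorizer.isAuthorized():log rqt to " + operation + " by " + tmpID + " denied.");
            } catch (DelegationException dex) {
                // tmpID already holds the principal name; pass the exception
                // so the cause is not reduced to its message.
                Debug.error("ISAuthorizer.isAuthorized():delegation error: " + "user: " + tmpID + ", logName = " + logName + ", op = " + operation + ", msg = " + dex.getMessage(), dex);
            }
        } else {
            Debug.error("ISAuthorizer.isAuthorized(): access denied " + "for user : " + tmpID);
        }
    } catch (SSOException ssoe) {
        Debug.error("ISAuthorizer.isAuthorized(): SSOException: ", ssoe);
    }
    // Every path that did not return true above is a denial.
    return false;
}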

Example 13 with DelegationEvaluator

use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

the class DelegationPolicyImpl method hasDelegationPermissionsForRealm.

/**
 * Returns true if the user has delegation permissions for the
 * organization.
 *
 * Builds a {@link DelegationPermission} for the <code>DELEGATE</code> action
 * on <code>sunAMRealmService</code> (config type
 * <code>organizationconfig</code>) in the given realm and hands it to a
 * {@link DelegationEvaluator}, which is responsible for super and internal
 * users as well.
 *
 * @param token the session whose permissions are evaluated.
 * @param orgName the realm (organization) the permission applies to.
 * @return true if the evaluator allows the delegate action.
 * @throws SSOException if the token cannot be used.
 * @throws DelegationException if the evaluation fails.
 */
private boolean hasDelegationPermissionsForRealm(SSOToken token, String orgName) throws SSOException, DelegationException {
    Set actions = new HashSet();
    actions.add(DELEGATE);
    DelegationPermission permission = new DelegationPermission(
            orgName, "sunAMRealmService", "1.0", "organizationconfig", null, actions, Collections.EMPTY_MAP);
    // The evaluator, not this class, decides for super and internal users.
    DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
    boolean allowed = evaluator.isAllowed(token, permission, Collections.EMPTY_MAP);
    return allowed;
}

Example 14 with DelegationEvaluator

use of com.sun.identity.delegation.DelegationEvaluator in project OpenAM by OpenRock.

the class XacmlServiceTest method testPermissionsCheckFail.

/**
 * A denied delegation check must make {@code checkPermission} return false
 * and must be recorded through {@code RestLog.auditAccessDenied}.
 */
@Test
public void testPermissionsCheckFail() {
    // given
    DelegationEvaluator evaluator = mock(DelegationEvaluator.class);
    RestLog restLog = PowerMockito.mock(RestLog.class);
    SSOToken adminToken = mock(SSOToken.class);
    DelegationPermission delegationPermission = mock(DelegationPermission.class);
    String urlLastSegment = "blah";
    XacmlService xacmlService = new XacmlService(importExport, adminTokenAction, this.debug, restLog, evaluator, jacksonRepresentationFactory);
    try {
        // when
        when(evaluator.isAllowed(adminToken, delegationPermission, Collections.EMPTY_MAP)).thenReturn(false);
        boolean result = xacmlService.checkPermission(delegationPermission, adminToken, urlLastSegment);
        // then
        assertThat(result).isFalse();
        verify(restLog).auditAccessDenied(anyString(), anyString(), anyString(), any(SSOToken.class));
    } catch (DelegationException de) {
        fail("Did not expect DelegationException");
    } catch (SSOException ssoe) {
        fail("Did not expect SSOException");
    } catch (Exception e) {
        fail("Did not expect " + e.getClass().getName() + " with message " + e.getMessage());
    }
}
