Example 1 with DelegationException
use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getPrivileges.
/**
* Returns all the delegation privileges associated with a realm.
*
* @param token The <code>SSOToken</code> of the requesting user
* @param orgName The name of the realm from which the
* delegation privileges are fetched.
*
* @return <code>Set</code> of <code>DelegationPrivilege</code> objects
* associated with the realm.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws DelegationException for any abnormal condition
*/
public Set getPrivileges(SSOToken token, String orgName) throws SSOException, DelegationException {
try {
Set privileges = new HashSet();
// Need to check if user has "delegate" permissions for org
if (hasDelegationPermissionsForRealm(token, orgName)) {
// Replace token with AdminToken
token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
}
PolicyManager pm = new PolicyManager(token, POLICY_REPOSITORY_REALM);
Set pnames = pm.getPolicyNames();
if (pnames != null) {
/* the name of the policy is in the form of
* orgName^^privilegeName, the privilegeName is the
* name of the delegation privilege that the policy
* is corresponding to. In case the orgName is in a
* DN format, the special char ',' is replaced to avoid
* saving problem.
*/
String prefix = null;
if (orgName != null) {
prefix = orgName.toLowerCase() + NAME_DELIMITER;
prefix = prefix.replace(',', REPLACEMENT_FOR_COMMA);
} else {
prefix = NAME_DELIMITER;
}
int prefixLength = prefix.length();
Iterator it = pnames.iterator();
while (it.hasNext()) {
String pname = (String) it.next();
if (pname.toLowerCase().startsWith(prefix)) {
Policy p = pm.getPolicy(pname);
// converts the policy to its corresponding
// delegation privilege
DelegationPrivilege dp = policyToPrivilege(p);
if (dp != null) {
dp.setName(pname.substring(prefixLength));
privileges.add(dp);
}
}
}
}
return (privileges);
} catch (Exception e) {
DelegationManager.debug.error("unable to get privileges from realm " + orgName);
throw new DelegationException(e);
}
}
Also used :
Policy(com.sun.identity.policy.Policy)
PolicyManager(com.sun.identity.policy.PolicyManager)
DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege)
Set(java.util.Set)
HashSet(java.util.HashSet)
Iterator(java.util.Iterator)
DelegationException(com.sun.identity.delegation.DelegationException)
DelegationException(com.sun.identity.delegation.DelegationException)
PolicyException(com.sun.identity.policy.PolicyException)
SSOException(com.iplanet.sso.SSOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
HashSet(java.util.HashSet)
Example 2 with DelegationException
use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
the class DelegationPolicyImpl method isAllowed.
/**
* Returns a boolean value; if a user has the specified
* permission returns true, false otherwise.
*
* @param token Single sign on token of the user evaluating permission.
* @param permission Delegation permission to be evaluated
* @param envParams Run-time environment parameters.
* @return the result of the evaluation as a boolean value
*
* @throws SSOException single-sign-on token invalid or expired.
* @throws DelegationException for any other abnormal condition.
*/
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParams) throws SSOException, DelegationException {
SSOTokenID tokenId;
PolicyDecision pd;
String resource = null;
boolean result = false;
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.isAllowed() is called");
}
if ((token != null) && ((tokenId = token.getTokenID()) != null) && (permission != null)) {
String tokenIdStr = tokenId.toString();
Set actions = permission.getActions();
if ((actions != null) && (!actions.isEmpty())) {
//they have read access to global-config endpoints
if (GLOBALCONFIG.equals(permission.getConfigType()) && actions.equals(Collections.singleton(READ))) {
return hasDelegationPermissionsForRealm(token, token.getProperty(ISAuthConstants.ORGANIZATION));
}
try {
resource = getResourceName(permission);
pd = getResultFromCache(tokenIdStr, resource, envParams);
if (pd != null) {
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("got delegation evaluation result from cache.");
}
} else {
// decision not found in the cache. compute it.
pd = pe.getPolicyDecision(token, resource, null, envParams);
// add the result in the cache.
putResultIntoCache(tokenIdStr, resource, envParams, pd);
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("put delegation evaluation result into cache.");
}
}
Map ads = pd.getActionDecisions();
if ((ads != null) && (!ads.isEmpty())) {
result = true;
Iterator it = actions.iterator();
while (it.hasNext() && result) {
String actionName = (String) it.next();
ActionDecision ad = (ActionDecision) ads.get(actionName);
if (ad != null) {
Set values = ad.getValues();
if ((values == null) || values.isEmpty() || values.contains(ACTION_DENY)) {
result = false;
}
} else {
result = false;
}
}
}
} catch (PolicyException pe) {
throw new DelegationException(pe);
}
}
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.isAllowed(): " + "actions=" + actions + " resource=" + resource + " result is:" + result);
}
}
return result;
}
Also used :
SSOTokenID(com.iplanet.sso.SSOTokenID)
PolicyDecision(com.sun.identity.policy.PolicyDecision)
Set(java.util.Set)
HashSet(java.util.HashSet)
PolicyException(com.sun.identity.policy.PolicyException)
Iterator(java.util.Iterator)
ActionDecision(com.sun.identity.policy.ActionDecision)
DelegationException(com.sun.identity.delegation.DelegationException)
Map(java.util.Map)
HashMap(java.util.HashMap)
Example 3 with DelegationException
use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
the class DelegationPolicyImpl method initialize.
/**
* Initialize (or configure) the <code>DelegationInterface</code>
* object. Usually it will be initialized with the environmrnt
* parameters set by the system administrator via Service management service.
*
* @param token <code>SSOToken</code> of an administrator
* @param configParams configuration parameters as a <code>Map</code>.
* The values in the <code>Map</code> is <code>java.util.Set</code>,
* which contains one or more configuration parameters.
*
* @throws DelegationException if an error occurred during
* initialization of <code>DelegationInterface</code> instance
*/
public void initialize(SSOToken token, Map configParams) throws DelegationException {
this.appToken = token;
try {
maxCacheSize = SystemProperties.getAsInt(CONFIGURED_CACHE_SIZE, DEFAULT_CACHE_SIZE);
// specifying cache size as 0 would virtually disable the delegation cache.
if (maxCacheSize < 0) {
maxCacheSize = DEFAULT_CACHE_SIZE;
}
delegationCache = new Cache(maxCacheSize);
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.initialize(): cache size=" + maxCacheSize);
}
pe = new PolicyEvaluator(POLICY_REPOSITORY_REALM, DelegationManager.DELEGATION_SERVICE);
// listen on delegation policy changes. once there is
// delegation policy change, we need to update the cache.
pe.addPolicyListener(this);
// listen on root realm subject changes.
AMIdentityRepository idRepo = new AMIdentityRepository(appToken, "/");
idRepo.addEventListener(this);
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener added " + "for root realm.");
}
// listen on sub realm subject changes.
OrganizationConfigManager ocm = new OrganizationConfigManager(appToken, "/");
Set orgNames = ocm.getSubOrganizationNames("*", true);
if ((orgNames != null) && (!orgNames.isEmpty())) {
Iterator it = orgNames.iterator();
while (it.hasNext()) {
String org = (String) it.next();
AMIdentityRepository idr = new AMIdentityRepository(appToken, org);
idr.addEventListener(this);
idRepoListeners.put(org, idRepo);
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener " + "added for realm (" + org + ").");
}
}
}
scm = new ServiceConfigManager(PolicyConfig.POLICY_CONFIG_SERVICE, token);
//DelegationManager.DELEGATION_SERVICE, token);
/**
* listen on org config changes. once there is realm added,
* or removed, we need to add or remove listeners on the
* affected realm accordingly.
*/
scm.addListener(this);
} catch (Exception e) {
DelegationManager.debug.error("DelegationPolicyImpl: initialize() failed");
throw new DelegationException(e);
}
}
Also used :
Set(java.util.Set)
HashSet(java.util.HashSet)
PolicyEvaluator(com.sun.identity.policy.PolicyEvaluator)
OrganizationConfigManager(com.sun.identity.sm.OrganizationConfigManager)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
Iterator(java.util.Iterator)
DelegationException(com.sun.identity.delegation.DelegationException)
ServiceConfigManager(com.sun.identity.sm.ServiceConfigManager)
DelegationException(com.sun.identity.delegation.DelegationException)
PolicyException(com.sun.identity.policy.PolicyException)
SSOException(com.iplanet.sso.SSOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
Cache(com.iplanet.am.util.Cache)
SubjectEvaluationCache(com.sun.identity.policy.SubjectEvaluationCache)
Example 4 with DelegationException
use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
the class DelegationPolicyImpl method policyToPrivilege.
/**
* Converts a policy to a delegation privilege.
* @param policy policy to be converted
* @return priv <code>DelegationPrivilege</code> represting policy.
*/
private DelegationPrivilege policyToPrivilege(Policy policy) throws DelegationException {
String pname = null;
Set permissions = new HashSet();
Set svalues = new HashSet();
if (policy == null) {
return null;
}
try {
// get policy name, which is the privilege name as well
pname = policy.getName();
// get privilege subjects
Set snames = policy.getSubjectNames();
if ((snames != null) && (!snames.isEmpty())) {
if (snames.contains(DELEGATION_AUTHN_USERS)) {
svalues.add(AUTHN_USERS_ID);
}
if (snames.contains(DELEGATION_SUBJECT)) {
Subject subject = policy.getSubject(DELEGATION_SUBJECT);
Set values = subject.getValues();
if (values != null) {
svalues.addAll(values);
}
}
}
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("SubjectValues=" + svalues);
}
String realmName = null;
String serviceName = null;
String version = null;
String configType = null;
String subconfigName = null;
String resource = null;
Set actions = null;
Set ruleNames = policy.getRuleNames();
if ((ruleNames != null) && (!ruleNames.isEmpty())) {
Iterator rit = ruleNames.iterator();
while (rit.hasNext()) {
String ruleName = (String) rit.next();
// now try to get resource and action names
Rule rule = policy.getRule(ruleName);
String service = rule.getServiceTypeName();
if (service.equalsIgnoreCase(DelegationManager.DELEGATION_SERVICE)) {
resource = rule.getResourceName();
actions = rule.getActionNames();
// required to construct a delegation permission
if (resource.startsWith(PREFIX)) {
String suffix = resource.substring(PREFIX.length());
if (suffix != null) {
StringTokenizer st = new StringTokenizer(suffix, DELIMITER);
realmName = st.nextToken();
if (st.hasMoreTokens()) {
serviceName = st.nextToken();
if (st.hasMoreTokens()) {
version = st.nextToken();
if (st.hasMoreTokens()) {
configType = st.nextToken();
if (st.hasMoreTokens()) {
subconfigName = st.nextToken();
while (st.hasMoreTokens()) {
subconfigName += DELIMITER + st.nextToken();
}
}
}
}
}
}
}
if (DelegationManager.debug.messageEnabled()) {
DelegationManager.debug.message("DelegationPolicyImpl.policyToPrivilege(): " + "create DelegationPermission object with: " + "realm=" + realmName + "; service=" + serviceName + "; version=" + version + "; configType=" + configType + "; subconfig=" + subconfigName + "; actions=" + actions);
}
DelegationPermission dp = new DelegationPermission(realmName, serviceName, version, configType, subconfigName, actions, null);
permissions.add(dp);
}
}
}
return new DelegationPrivilege(pname, permissions, svalues);
} catch (Exception e) {
throw new DelegationException(e);
}
}
Also used :
DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege)
StringTokenizer(java.util.StringTokenizer)
Set(java.util.Set)
HashSet(java.util.HashSet)
Iterator(java.util.Iterator)
DelegationException(com.sun.identity.delegation.DelegationException)
Rule(com.sun.identity.policy.Rule)
Subject(com.sun.identity.policy.interfaces.Subject)
DelegationPermission(com.sun.identity.delegation.DelegationPermission)
DelegationException(com.sun.identity.delegation.DelegationException)
PolicyException(com.sun.identity.policy.PolicyException)
SSOException(com.iplanet.sso.SSOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
HashSet(java.util.HashSet)
Example 5 with DelegationException
use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
the class DelegationPolicyImpl method getPermissions.
/**
* Returns a set of permissions that a user has.
*
* @param token sso token of the user requesting permissions
* @param orgName The name of the realm from which the delegation
* permissions are fetched.
*
* @return a <code>Set</code> of permissions that a user has
*
* @throws SSOException if single-sign-on token invalid or expired
* @throws DelegationException for any other abnormal condition
*/
public Set getPermissions(SSOToken token, String orgName) throws SSOException, DelegationException {
DelegationPrivilege dp;
Set perms = new HashSet();
Set subjects;
AMIdentity userIdentity = null;
AMIdentity subjectIdentity = null;
IdSearchResults results = null;
if (token == null) {
if (DelegationManager.debug.warningEnabled()) {
DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "user sso token is null");
}
return perms;
}
try {
userIdentity = IdUtils.getIdentity(token);
if (userIdentity == null) {
if (DelegationManager.debug.warningEnabled()) {
DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "could not get user's identity from token");
}
return perms;
}
Set privileges = getPrivileges(appToken, orgName);
if ((privileges != null) && (!privileges.isEmpty())) {
AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
IdSearchControl ctrl = new IdSearchControl();
ctrl.setRecursive(true);
ctrl.setMaxResults(-1);
ctrl.setTimeOut(-1);
Iterator it = privileges.iterator();
while (it.hasNext()) {
dp = (DelegationPrivilege) it.next();
subjects = dp.getSubjects();
if ((subjects != null) && (!subjects.isEmpty())) {
Iterator sit = subjects.iterator();
while (sit.hasNext()) {
String subject = (String) sit.next();
String subjectId = LDAPUtils.rdnValueFromDn(subject);
if (subjectId != null) {
results = idRepo.searchIdentities(IdType.ROLE, subjectId, ctrl);
if (results != null) {
Set idSet = results.getSearchResults();
if ((idSet != null) && !idSet.isEmpty()) {
subjectIdentity = (AMIdentity) (idSet.iterator().next());
if (userIdentity.isMember(subjectIdentity)) {
perms.addAll(dp.getPermissions());
}
}
}
}
}
}
}
}
} catch (Exception e) {
throw new DelegationException(e);
}
return perms;
}
Also used :
DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege)
Set(java.util.Set)
HashSet(java.util.HashSet)
IdSearchResults(com.sun.identity.idm.IdSearchResults)
AMIdentity(com.sun.identity.idm.AMIdentity)
AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository)
IdSearchControl(com.sun.identity.idm.IdSearchControl)
Iterator(java.util.Iterator)
DelegationException(com.sun.identity.delegation.DelegationException)
DelegationException(com.sun.identity.delegation.DelegationException)
PolicyException(com.sun.identity.policy.PolicyException)
SSOException(com.iplanet.sso.SSOException)
IdRepoException(com.sun.identity.idm.IdRepoException)
HashSet(java.util.HashSet)
Aggregations
DelegationException (com.sun.identity.delegation.DelegationException)37
SSOException (com.iplanet.sso.SSOException)29
Set (java.util.Set)27
HashSet (java.util.HashSet)21
Iterator (java.util.Iterator)18
DelegationPermission (com.sun.identity.delegation.DelegationPermission)17
SSOToken (com.iplanet.sso.SSOToken)12
IdRepoException (com.sun.identity.idm.IdRepoException)12
DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator)11
DelegationManager (com.sun.identity.delegation.DelegationManager)10
DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl)9
DelegationPrivilege (com.sun.identity.delegation.DelegationPrivilege)9
PolicyException (com.sun.identity.policy.PolicyException)8
AMIdentity (com.sun.identity.idm.AMIdentity)6
HashMap (java.util.HashMap)5
Map (java.util.Map)5
Test (org.testng.annotations.Test)5
AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository)4
IdType (com.sun.identity.idm.IdType)4
CLIException (com.sun.identity.cli.CLIException)3
