Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
Class IdServicesImpl, method checkPermission.
/**
 * Checks whether {@code token} has been delegated the right to perform {@code op}
 * on identities of {@code type} (or on the single identity {@code name}) in {@code realm}.
 *
 * <p>In coexistence mode (configuration not yet migrated to 7.0) no delegation check is
 * made and {@code true} is returned. Otherwise a {@code DelegationPermission} on the
 * {@code IdConstants.REPO_SERVICE} resource {@code "<type>"} or {@code "<type>/<name>"}
 * is evaluated. READ operations are mapped to {@code READ_ACTION} (a temporary blanket
 * read grant until the delegation component supports "user self read"); every other
 * operation is mapped to {@code WRITE_ACTION}.
 *
 * <p>Fail-closed: a denied evaluation and a {@code DelegationException} raised during
 * evaluation both surface as an ACCESS_DENIED {@code IdRepoException}; this method never
 * returns {@code false}.
 *
 * @param token the caller's SSO token
 * @param realm the realm in which the operation takes place
 * @param name  identity name; {@code null} means the whole identity type is the resource
 * @param attrs attributes involved in the operation, handed to the evaluator in its
 *              environment map under {@code DELEGATION_ATTRS_NAME}; may be {@code null}
 * @param op    the identity operation being attempted
 * @param type  the identity type being operated on
 * @return {@code true} when the operation is allowed
 * @throws IdRepoException with ACCESS_DENIED when the operation is not permitted
 * @throws SSOException    if the token is invalid
 */
private boolean checkPermission(SSOToken token, String realm, String name, Set attrs,
        IdOperation op, IdType type) throws IdRepoException, SSOException {
    // Coexistence mode: the delegation service is not in use, so nothing to check.
    if (!ServiceManager.isConfigMigratedTo70()) {
        return true;
    }

    // TODO temporary: every READ maps to READ_ACTION until the delegation component
    // supports "user self read" operations.
    Set requiredAction = op.equals(IdOperation.READ) ? READ_ACTION : WRITE_ACTION;

    // The protected resource is the identity type, narrowed to one identity when named.
    String resource = (name == null) ? type.getName() : type.getName() + "/" + name;

    // Requested attributes travel to the evaluator through its environment map.
    Map environment;
    if (attrs == null) {
        environment = Collections.EMPTY_MAP;
    } else {
        environment = new HashMap();
        environment.put(DELEGATION_ATTRS_NAME, attrs);
    }

    boolean allowed;
    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission(realm,
                IdConstants.REPO_SERVICE, "1.0", "application", resource,
                requiredAction, Collections.EMPTY_MAP);
        allowed = evaluator.isAllowed(token, permission, environment);
    } catch (DelegationException dex) {
        // An evaluation failure is treated exactly like a denial.
        DEBUG.error("IdServicesImpl.checkPermission Got Delegation Exception: ", dex);
        allowed = false;
    }

    if (!allowed) {
        Object[] args = { op.getName(), token.getPrincipal().getName() };
        throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ACCESS_DENIED, args);
    }
    return true;
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
Class SMSEntry, method isAllowedByDelegation.
/**
 * Evaluates whether {@code token} holds the delegation privilege to perform
 * {@code actions} on the SMS entry {@code dnName}.
 *
 * <p>The DN is split by {@code parseOrgDN} into realm, sub-configuration name,
 * configuration type, version and service name; those five values become the
 * {@code DelegationPermission} handed to {@code DelegationEvaluatorHolder.dlgEval}.
 *
 * <p>Shortcut: a read-only request ({@code actions} is exactly {READ}) against a
 * wildcard configuration type or wildcard sub-configuration is allowed without
 * consulting the evaluator, unless the service is {@code REALM_SERVICE}. Any token
 * holder therefore gets those wildcard reads; keep that in mind when reviewing what
 * such entries expose.
 *
 * @param token   the caller's SSO token
 * @param dnName  DN of the SMS entry being accessed
 * @param actions the requested actions (for example {@code READ})
 * @return {@code true} if access is allowed, {@code false} if the evaluator denies it
 * @throws SMSException {@code sms-INVALID_SSO_TOKEN} when the token is invalid, or
 *         {@code sms-invalid_delegation_privilege} when the permission cannot be evaluated
 */
private static boolean isAllowedByDelegation(SSOToken token, String dnName, Set actions)
        throws SMSException {
    String[] dnParts = parseOrgDN(dnName);
    String realm = dnParts[0];
    String subConfig = dnParts[1];
    String configType = dnParts[2];
    String version = dnParts[3];
    String service = dnParts[4];

    // Read-only access to wildcard entries needs no delegation check, except for the
    // realm service. Evaluation order matches the original compound condition.
    if (!service.equals(REALM_SERVICE)) {
        boolean wildcardTarget = configType.equalsIgnoreCase("*") || subConfig.equalsIgnoreCase("*");
        if (wildcardTarget && (actions.size() == 1) && actions.contains(READ)) {
            return true;
        }
    }

    boolean allowed;
    try {
        DelegationPermission required = new DelegationPermission(realm, service, version,
                configType, subConfig, actions, Collections.EMPTY_MAP);
        allowed = DelegationEvaluatorHolder.dlgEval.isAllowed(token, required, Collections.EMPTY_MAP);
    } catch (SSOException se) {
        debug.error("SMSEntry.isAllowed : Invalid Token: ", se);
        throw new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"), "sms-INVALID_SSO_TOKEN");
    } catch (DelegationException de) {
        debug.error("SMSEntry.isAllowed : Invalid DelegationPermission: ", de);
        throw new SMSException(bundle.getString("sms-invalid_delegation_privilege"),
                "sms-invalid_delegation_privilege");
    }

    // Denials are logged at warning level; resolving the principal may itself fail on a
    // bad token, which is logged rather than propagated.
    if (!allowed && debug.warningEnabled()) {
        try {
            debug.warning("SMSEntry: Attempt by: " + token.getPrincipal().getName()
                    + " to read/modify entry: " + dnName + " has no permissions");
        } catch (SSOException ssoe) {
            debug.warning("SMSEntry: Attempted to: read/modify an entry that has invalid "
                    + "delegation privilege: " + dnName, ssoe);
        }
    }
    return allowed;
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
Class XacmlServiceTest, method testPermissionsCheckSuccess.
/**
 * Verifies that {@code XacmlService.checkPermission} returns {@code true} and records an
 * access-granted audit entry when the delegation evaluator allows the request.
 */
@Test
public void testPermissionsCheckSuccess() {
    // given
    RestLog auditLog = PowerMockito.mock(RestLog.class);
    DelegationEvaluator evaluator = mock(DelegationEvaluator.class);
    XacmlService service = new XacmlService(importExport, adminTokenAction, this.debug,
            auditLog, evaluator, jacksonRepresentationFactory);
    SSOToken token = mock(SSOToken.class);
    DelegationPermission permission = mock(DelegationPermission.class);
    String lastSegment = "blah";

    try {
        when(evaluator.isAllowed(token, permission, Collections.EMPTY_MAP)).thenReturn(true);

        // when
        boolean granted = service.checkPermission(permission, token, lastSegment);

        // then
        assertThat(granted).isTrue();
        verify(auditLog).auditAccessGranted(anyString(), anyString(), anyString(), any(SSOToken.class));
    } catch (DelegationException de) {
        fail("Did not expect DelegationException");
    } catch (SSOException ssoe) {
        fail("Did not expect SSOException");
    } catch (Exception e) {
        fail("Did not expect " + e.getClass().getName() + " with message " + e.getMessage());
    }
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
Class OrgConfigViaAMSDK, method checkRealmPermission.
/**
 * Checks whether {@code token} has the given {@code action} set on the realm service
 * ({@code SMSEntry.REALM_SERVICE}, version 1.0, wildcard configuration type and
 * sub-configuration) in {@code realm}.
 *
 * <p>Fail-closed: a {@code null} token, a {@code DelegationException} (logged at error
 * level) and an {@code SSOException} (logged at message level) all yield {@code false}.
 *
 * <p>NOTE(review): the environment map passed to {@code isAllowed} is {@code null} here,
 * whereas other call sites in the project pass {@code Collections.EMPTY_MAP}; confirm the
 * evaluator tolerates {@code null} before relying on this call.
 *
 * @param token  the caller's SSO token; {@code null} is treated as "not permitted"
 * @param realm  the realm whose realm-service permission is evaluated
 * @param action the actions required
 * @return {@code true} only when the evaluator explicitly allows the action
 */
private boolean checkRealmPermission(SSOToken token, String realm, Set action) {
    if (token == null) {
        return false;
    }
    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission realmPermission = new DelegationPermission(realm,
                com.sun.identity.sm.SMSEntry.REALM_SERVICE, "1.0", "*", "*", action,
                Collections.EMPTY_MAP);
        return evaluator.isAllowed(token, realmPermission, null);
    } catch (DelegationException dex) {
        debug.error("OrgConfigViaAMSDK.checkRealmPermission: Got Delegation Exception: ", dex);
    } catch (SSOException ssoe) {
        if (debug.messageEnabled()) {
            debug.message("OrgConfigViaAMSDK.checkRealmPermission: Invalid SSOToken: ", ssoe);
        }
    }
    return false;
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.
Class DelegationPolicyImpl, method getPrivileges.
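/**
 * Returns all the delegation privileges associated with a realm.
 *
 * <p>Callers that hold "delegate" permission on the realm read the policy repository
 * with the admin token; all other callers read with their own token, so the
 * {@code PolicyManager} decides what they may see. Policies whose name starts with
 * the realm prefix ({@code orgName^^}, commas replaced) are converted with
 * {@code policyToPrivilege}; the privilege name is the part after the prefix.
 *
 * <p>NOTE(review): every exception raised in the body, including {@code SSOException},
 * is caught by the {@code catch (Exception)} below and rethrown wrapped in a
 * {@code DelegationException}, so callers never observe the declared
 * {@code SSOException} from this method.
 *
 * @param token The <code>SSOToken</code> of the requesting user
 * @param orgName The name of the realm from which the
 * delegation privileges are fetched; {@code null} matches the bare delimiter prefix.
 *
 * @return <code>Set</code> of <code>DelegationPrivilege</code> objects
 * associated with the realm (empty when none exist).
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws DelegationException for any abnormal condition
 */
public Set getPrivileges(SSOToken token, String orgName) throws SSOException, DelegationException {
    try {
        Set privileges = new HashSet();
        // Delegated administrators read the repository as admin; others use their own token.
        if (hasDelegationPermissionsForRealm(token, orgName)) {
            token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
        }
        PolicyManager pm = new PolicyManager(token, POLICY_REPOSITORY_REALM);
        Set policyNames = pm.getPolicyNames();
        if (policyNames != null) {
            /* Policy names have the form orgName^^privilegeName, where privilegeName
             * is the delegation privilege the policy corresponds to. When orgName is a
             * DN, ',' was replaced on save, so the prefix is built the same way.
             */
            String prefix;
            if (orgName != null) {
                prefix = (orgName.toLowerCase() + NAME_DELIMITER).replace(',', REPLACEMENT_FOR_COMMA);
            } else {
                prefix = NAME_DELIMITER;
            }
            int prefixLength = prefix.length();
            for (Iterator it = policyNames.iterator(); it.hasNext();) {
                String pname = (String) it.next();
                if (!pname.toLowerCase().startsWith(prefix)) {
                    continue;
                }
                // Convert the policy to its corresponding delegation privilege.
                DelegationPrivilege dp = policyToPrivilege(pm.getPolicy(pname));
                if (dp != null) {
                    dp.setName(pname.substring(prefixLength));
                    privileges.add(dp);
                }
            }
        }
        return privileges;
    } catch (Exception e) {
        // Log the cause as well as the message so the failure can be diagnosed.
        DelegationManager.debug.error("unable to get privileges from realm " + orgName, e);
        throw new DelegationException(e);
    }
}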