Example 16 with DelegationException

use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.

the class DelegationPolicyImpl method isAllowed.

/**
     * Returns a boolean value;  if a user has the specified
     * permission returns true, false otherwise.
     * 
     * @param token Single sign on token of the user evaluating permission.
     * @param permission Delegation permission to be evaluated
     * @param envParams Run-time environment parameters.
     * @return the result of the evaluation as a boolean value
     * 
     * @throws SSOException single-sign-on token invalid or expired.
     * @throws DelegationException for any other abnormal condition.
     */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParams) throws SSOException, DelegationException {
    SSOTokenID tokenId;
    PolicyDecision pd;
    String resource = null;
    boolean result = false;
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.isAllowed() is called");
    }
    if ((token != null) && ((tokenId = token.getTokenID()) != null) && (permission != null)) {
        String tokenIdStr = tokenId.toString();
        Set actions = permission.getActions();
        if ((actions != null) && (!actions.isEmpty())) {
            // READ on global config is short-circuited: granted when the user holds
            // delegation permissions in their own realm (hasDelegationPermissionsForRealm),
            // bypassing the policy evaluation and the decision cache below
            if (GLOBALCONFIG.equals(permission.getConfigType()) && actions.equals(Collections.singleton(READ))) {
                return hasDelegationPermissionsForRealm(token, token.getProperty(ISAuthConstants.ORGANIZATION));
            }
            try {
                resource = getResourceName(permission);
                pd = getResultFromCache(tokenIdStr, resource, envParams);
                if (pd != null) {
                    if (DelegationManager.debug.messageEnabled()) {
                        DelegationManager.debug.message("got delegation evaluation result from cache.");
                    }
                } else {
                    // decision not found in the cache. compute it.
                    pd = pe.getPolicyDecision(token, resource, null, envParams);
                    // add the result in the cache.
                    putResultIntoCache(tokenIdStr, resource, envParams, pd);
                    if (DelegationManager.debug.messageEnabled()) {
                        DelegationManager.debug.message("put delegation evaluation result into cache.");
                    }
                }
                Map ads = pd.getActionDecisions();
                if ((ads != null) && (!ads.isEmpty())) {
                    result = true;
                    Iterator it = actions.iterator();
                    while (it.hasNext() && result) {
                        String actionName = (String) it.next();
                        ActionDecision ad = (ActionDecision) ads.get(actionName);
                        if (ad != null) {
                            Set values = ad.getValues();
                            if ((values == null) || values.isEmpty() || values.contains(ACTION_DENY)) {
                                result = false;
                            }
                        } else {
                            result = false;
                        }
                    }
                }
            } catch (PolicyException e) {
                // named "e", not "pe": that name is the PolicyEvaluator field used above
                throw new DelegationException(e);
            }
        }
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.isAllowed(): " + "actions=" + actions + "  resource=" + resource + "  result is:" + result);
        }
    }
    return result;
}
Also used : SSOTokenID(com.iplanet.sso.SSOTokenID) PolicyDecision(com.sun.identity.policy.PolicyDecision) Set(java.util.Set) HashSet(java.util.HashSet) PolicyException(com.sun.identity.policy.PolicyException) Iterator(java.util.Iterator) ActionDecision(com.sun.identity.policy.ActionDecision) DelegationException(com.sun.identity.delegation.DelegationException) Map(java.util.Map) HashMap(java.util.HashMap)
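The result loop in isAllowed() fails closed: the request is granted only if every requested action has an ActionDecision whose value set is non-empty and contains no deny, and actions the caller did not request are ignored. The following is an added example, not OpenAM code, that lifts that combination rule out of the method and runs it over a constructed PolicyDecision (modelled as Map<action, Set<value>>) so the edge cases are visible; the "allow" and "deny" literals stand in for the real ACTION_ALLOW / ACTION_DENY constants and are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not OpenAM code): the decision-combination rule used by
 * DelegationPolicyImpl.isAllowed(), extracted so its edge cases can be seen.
 * A PolicyDecision is modelled as Map<action, Set<value>>; the two string
 * constants are assumed stand-ins for ACTION_ALLOW and ACTION_DENY.
 */
public class DelegationDecisionCombiner {

    static final String ACTION_ALLOW = "allow"; // assumed value
    static final String ACTION_DENY = "deny";   // assumed value

    /**
     * True only if every requested action has a decision whose value set is
     * non-empty and carries no deny. Missing decision, empty values, or a deny
     * anywhere in the requested set all yield false; unrequested actions are
     * never consulted.
     */
    static boolean isAllowed(Set<String> requestedActions, Map<String, Set<String>> actionDecisions) {
        if (requestedActions == null || requestedActions.isEmpty()) {
            return false; // nothing requested: the original never enters the evaluation
        }
        if (actionDecisions == null || actionDecisions.isEmpty()) {
            return false; // no action decisions at all: result stays false
        }
        for (String action : requestedActions) {
            Set<String> values = actionDecisions.get(action);
            if (values == null || values.isEmpty() || values.contains(ACTION_DENY)) {
                return false; // same three conditions as the original loop
            }
        }
        return true;
    }

    static Set<String> of(String... items) {
        return new HashSet<>(Arrays.asList(items));
    }

    public static void main(String[] args) {
        // constructed decision: one clean allow, one conflicting allow+deny, one empty value set
        Map<String, Set<String>> pd = new HashMap<>();
        pd.put("READ", of(ACTION_ALLOW));
        pd.put("MODIFY", of(ACTION_ALLOW, ACTION_DENY));
        pd.put("DELEGATE", Collections.<String>emptySet());

        System.out.println("READ only: " + isAllowed(of("READ"), pd));
        System.out.println("READ+MODIFY (MODIFY carries a deny): " + isAllowed(of("READ", "MODIFY"), pd));
        System.out.println("READ+DELEGATE (empty value set): " + isAllowed(of("READ", "DELEGATE"), pd));
        System.out.println("READ+DELETE (no decision for DELETE): " + isAllowed(of("READ", "DELETE"), pd));
        System.out.println("READ against empty decision map: " + isAllowed(of("READ"), new HashMap<>()));
        System.out.println("empty request set: " + isAllowed(Collections.<String>emptySet(), pd));
    }
}
```

Note that the original reaches the same outcome by setting result = true before the loop and flipping it to false on the first failing action; the early-return form above is equivalent but makes the deny-wins rule explicit.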

Example 17 with DelegationException

use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.

the class DelegationPolicyImpl method initialize.

/**
     * Initialize (or configure) the <code>DelegationInterface</code>
     * object. Usually it will be initialized with the environment
     * parameters set by the system administrator via Service management service.
     *
     * @param token <code>SSOToken</code> of an administrator
     * @param configParams configuration parameters as a <code>Map</code>.
     * The values in the <code>Map</code> are <code>java.util.Set</code>s,
     * each containing one or more configuration parameters.
     *
     * @throws DelegationException if an error occurred during
     * initialization of <code>DelegationInterface</code> instance
     */
public void initialize(SSOToken token, Map configParams) throws DelegationException {
    this.appToken = token;
    try {
        maxCacheSize = SystemProperties.getAsInt(CONFIGURED_CACHE_SIZE, DEFAULT_CACHE_SIZE);
        // specifying cache size as 0 would virtually disable the delegation cache.
        if (maxCacheSize < 0) {
            maxCacheSize = DEFAULT_CACHE_SIZE;
        }
        delegationCache = new Cache(maxCacheSize);
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.initialize(): cache size=" + maxCacheSize);
        }
        pe = new PolicyEvaluator(POLICY_REPOSITORY_REALM, DelegationManager.DELEGATION_SERVICE);
        // listen on delegation policy changes. once there is 
        // delegation policy change, we need to update the cache.
        pe.addPolicyListener(this);
        // listen on root realm subject changes.
        AMIdentityRepository idRepo = new AMIdentityRepository(appToken, "/");
        idRepo.addEventListener(this);
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener added " + "for root realm.");
        }
        // listen on sub realm subject changes.     
        OrganizationConfigManager ocm = new OrganizationConfigManager(appToken, "/");
        Set orgNames = ocm.getSubOrganizationNames("*", true);
        if ((orgNames != null) && (!orgNames.isEmpty())) {
            Iterator it = orgNames.iterator();
            while (it.hasNext()) {
                String org = (String) it.next();
                AMIdentityRepository idr = new AMIdentityRepository(appToken, org);
                idr.addEventListener(this);
                // keep the repository this listener was registered on, not the root-realm one
                idRepoListeners.put(org, idr);
                if (DelegationManager.debug.messageEnabled()) {
                    DelegationManager.debug.message("DelegationPolicyImpl: IdRepo event listener " + "added for realm (" + org + ").");
                }
            }
        }
        scm = new ServiceConfigManager(PolicyConfig.POLICY_CONFIG_SERVICE, token);
        //DelegationManager.DELEGATION_SERVICE, token);
        // listen on realm config changes: once a realm is added or
        // removed, we need to add or remove listeners on the
        // affected realm accordingly.
        scm.addListener(this);
    } catch (Exception e) {
        DelegationManager.debug.error("DelegationPolicyImpl: initialize() failed");
        throw new DelegationException(e);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) PolicyEvaluator(com.sun.identity.policy.PolicyEvaluator) OrganizationConfigManager(com.sun.identity.sm.OrganizationConfigManager) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) Iterator(java.util.Iterator) DelegationException(com.sun.identity.delegation.DelegationException) ServiceConfigManager(com.sun.identity.sm.ServiceConfigManager) PolicyException(com.sun.identity.policy.PolicyException) SSOException(com.iplanet.sso.SSOException) IdRepoException(com.sun.identity.idm.IdRepoException) Cache(com.iplanet.am.util.Cache) SubjectEvaluationCache(com.sun.identity.policy.SubjectEvaluationCache)
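initialize() sizes the delegation cache (0 effectively disables it, a negative value falls back to the default) and then registers this object as a listener on delegation policy changes, on identity changes in the root realm and every sub-realm, and on realm configuration changes. Those listeners exist for one reason: a cached allow decision is only as fresh as the policy and group membership it was computed from, so every change must flush it. The following is an added example, not OpenAM code, that models a bounded decision cache with those size semantics and shows a revocation going unnoticed until the cache is flushed; DEFAULT_CACHE_SIZE, the session id, the resource name and the toy policy are all constructed assumptions.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Added example, not OpenAM code: a bounded decision cache with the size
 * semantics initialize() applies (0 disables it, a negative value falls back
 * to the default) plus the flush that the policy and IdRepo listeners exist
 * to trigger. DEFAULT_CACHE_SIZE and the toy policy are assumptions.
 */
public class DelegationDecisionCache {

    static final int DEFAULT_CACHE_SIZE = 2500; // assumed value

    /** Cache key: a decision is reusable only for the same session, resource and environment. */
    static final class Key {
        final String tokenId;
        final String resource;
        final Map<String, ?> env;

        Key(String tokenId, String resource, Map<String, ?> env) {
            this.tokenId = tokenId;
            this.resource = resource;
            this.env = env;
        }

        @Override public boolean equals(Object o) {
            if (!(o instanceof Key)) return false;
            Key k = (Key) o;
            return tokenId.equals(k.tokenId) && resource.equals(k.resource) && Objects.equals(env, k.env);
        }

        @Override public int hashCode() { return Objects.hash(tokenId, resource, env); }
    }

    private final int maxSize;
    private final LinkedHashMap<Key, Boolean> entries;

    DelegationDecisionCache(int configuredSize) {
        this.maxSize = configuredSize < 0 ? DEFAULT_CACHE_SIZE : configuredSize;
        // access-ordered map that evicts the least recently used entry once maxSize is exceeded
        this.entries = new LinkedHashMap<Key, Boolean>(16, 0.75f, true) {
            @Override protected boolean removeEldestEntry(Map.Entry<Key, Boolean> eldest) {
                return size() > maxSize;
            }
        };
    }

    Boolean get(Key key) { return maxSize == 0 ? null : entries.get(key); }

    void put(Key key, boolean decision) { if (maxSize > 0) entries.put(key, decision); }

    /** What the policy, IdRepo and realm-config listeners must do: every cached decision may now be stale. */
    void invalidateAll() { entries.clear(); }

    int size() { return entries.size(); }

    /** Toy stand-in for PolicyEvaluator.getPolicyDecision(): a mutable set of allowed resources. */
    static final class ToyPolicy {
        final Set<String> allowed = new HashSet<>();
        boolean evaluate(String resource) { return allowed.contains(resource); }
    }

    /** Same shape as isAllowed(): consult the cache first, otherwise evaluate and cache the result. */
    static boolean isAllowed(DelegationDecisionCache cache, ToyPolicy policy, String tokenId, String resource) {
        Key key = new Key(tokenId, resource, Collections.<String, Object>emptyMap());
        Boolean cached = cache.get(key);
        if (cached != null) return cached;
        boolean decision = policy.evaluate(resource);
        cache.put(key, decision);
        return decision;
    }

    public static void main(String[] args) {
        // constructed resource name and session id
        String res = "sms://dc=example,dc=com/sunAMDelegationService/1.0/organization";
        String session = "AQIC5w-example-session";
        ToyPolicy policy = new ToyPolicy();
        policy.allowed.add(res);

        DelegationDecisionCache cache = new DelegationDecisionCache(100);
        System.out.println("initial evaluation: " + isAllowed(cache, policy, session, res));

        policy.allowed.remove(res); // an administrator revokes the privilege
        System.out.println("after revocation, cache not flushed: " + isAllowed(cache, policy, session, res));
        cache.invalidateAll();      // the listener path
        System.out.println("after revocation, cache flushed: " + isAllowed(cache, policy, session, res));

        DelegationDecisionCache disabled = new DelegationDecisionCache(0);
        isAllowed(disabled, policy, session, res);
        System.out.println("entries held by a size-0 cache: " + disabled.size());
    }
}
```

The cache key includes the environment map as well as the session and resource, matching the three arguments getResultFromCache() and putResultIntoCache() take in the original; a key that dropped envParams would let a decision computed under one set of run-time conditions answer a request made under another.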

Example 18 with DelegationException

use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.

the class DelegationPolicyImpl method policyToPrivilege.

/**
     * Converts a policy to a delegation privilege.
     * @param policy policy to be converted
     * @return <code>DelegationPrivilege</code> representing the policy, or null if policy is null
     * @throws DelegationException if the policy or its rules cannot be read or converted
     */
private DelegationPrivilege policyToPrivilege(Policy policy) throws DelegationException {
    String pname = null;
    Set permissions = new HashSet();
    Set svalues = new HashSet();
    if (policy == null) {
        return null;
    }
    try {
        // get policy name, which is the privilege name as well
        pname = policy.getName();
        // get privilege subjects
        Set snames = policy.getSubjectNames();
        if ((snames != null) && (!snames.isEmpty())) {
            if (snames.contains(DELEGATION_AUTHN_USERS)) {
                svalues.add(AUTHN_USERS_ID);
            }
            if (snames.contains(DELEGATION_SUBJECT)) {
                Subject subject = policy.getSubject(DELEGATION_SUBJECT);
                Set values = subject.getValues();
                if (values != null) {
                    svalues.addAll(values);
                }
            }
        }
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("SubjectValues=" + svalues);
        }
        String realmName = null;
        String serviceName = null;
        String version = null;
        String configType = null;
        String subconfigName = null;
        String resource = null;
        Set actions = null;
        Set ruleNames = policy.getRuleNames();
        if ((ruleNames != null) && (!ruleNames.isEmpty())) {
            Iterator rit = ruleNames.iterator();
            while (rit.hasNext()) {
                String ruleName = (String) rit.next();
                // now try to get resource and action names
                Rule rule = policy.getRule(ruleName);
                String service = rule.getServiceTypeName();
                if (service.equalsIgnoreCase(DelegationManager.DELEGATION_SERVICE)) {
                    resource = rule.getResourceName();
                    actions = rule.getActionNames();
                    // required to construct a delegation permission
                    if (resource.startsWith(PREFIX)) {
                        String suffix = resource.substring(PREFIX.length());
                        if (suffix != null) {
                            StringTokenizer st = new StringTokenizer(suffix, DELIMITER);
                            realmName = st.nextToken();
                            if (st.hasMoreTokens()) {
                                serviceName = st.nextToken();
                                if (st.hasMoreTokens()) {
                                    version = st.nextToken();
                                    if (st.hasMoreTokens()) {
                                        configType = st.nextToken();
                                        if (st.hasMoreTokens()) {
                                            subconfigName = st.nextToken();
                                            while (st.hasMoreTokens()) {
                                                subconfigName += DELIMITER + st.nextToken();
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                    if (DelegationManager.debug.messageEnabled()) {
                        DelegationManager.debug.message("DelegationPolicyImpl.policyToPrivilege(): " + "create DelegationPermission object with: " + "realm=" + realmName + "; service=" + serviceName + "; version=" + version + "; configType=" + configType + "; subconfig=" + subconfigName + "; actions=" + actions);
                    }
                    DelegationPermission dp = new DelegationPermission(realmName, serviceName, version, configType, subconfigName, actions, null);
                    permissions.add(dp);
                }
            }
        }
        return new DelegationPrivilege(pname, permissions, svalues);
    } catch (Exception e) {
        throw new DelegationException(e);
    }
}
Also used : DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege) StringTokenizer(java.util.StringTokenizer) Set(java.util.Set) HashSet(java.util.HashSet) Iterator(java.util.Iterator) DelegationException(com.sun.identity.delegation.DelegationException) Rule(com.sun.identity.policy.Rule) Subject(com.sun.identity.policy.interfaces.Subject) DelegationPermission(com.sun.identity.delegation.DelegationPermission) PolicyException(com.sun.identity.policy.PolicyException) SSOException(com.iplanet.sso.SSOException) IdRepoException(com.sun.identity.idm.IdRepoException)
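policyToPrivilege() recovers the realm, service, version, config type and subconfig of a DelegationPermission by tokenizing the rule's resource name after PREFIX on DELIMITER, rejoining whatever remains after the fourth token as the subconfig name. The following is an added example, not OpenAM code, that implements the same walk together with its inverse so the round trip and the tokenizer's edge cases can be exercised; PREFIX and DELIMITER are assumed to be "sms://" and "/", and the resource names are constructed.

```java
import java.util.Arrays;
import java.util.StringTokenizer;

/**
 * Added example (not OpenAM code): the sms resource-name encoding that
 * policyToPrivilege() parses, with the inverse direction, so the round trip
 * and the StringTokenizer edge cases can be exercised. PREFIX and DELIMITER
 * are assumed values standing in for the original's constants.
 */
public class DelegationResourceName {

    static final String PREFIX = "sms://";  // assumed
    static final String DELIMITER = "/";    // assumed

    /** Parsed fields in resource order; a field is null when the resource has no token for it. */
    static final class Fields {
        String realm, service, version, configType, subconfig;

        @Override public String toString() {
            return Arrays.asList(realm, service, version, configType, subconfig).toString();
        }
    }

    /** Same tokenizing walk as policyToPrivilege(); the subconfig keeps any remaining delimiters. */
    static Fields parse(String resource) {
        Fields f = new Fields();
        if (resource == null || !resource.startsWith(PREFIX)) {
            return f; // not a delegation resource: nothing to extract
        }
        StringTokenizer st = new StringTokenizer(resource.substring(PREFIX.length()), DELIMITER);
        if (st.hasMoreTokens()) f.realm = st.nextToken();
        if (st.hasMoreTokens()) f.service = st.nextToken();
        if (st.hasMoreTokens()) f.version = st.nextToken();
        if (st.hasMoreTokens()) f.configType = st.nextToken();
        if (st.hasMoreTokens()) {
            // everything after configType is one subconfig name, delimiters restored
            StringBuilder sb = new StringBuilder(st.nextToken());
            while (st.hasMoreTokens()) {
                sb.append(DELIMITER).append(st.nextToken());
            }
            f.subconfig = sb.toString();
        }
        return f;
    }

    /** Inverse: join the leading non-null fields back into a resource name. */
    static String format(Fields f) {
        StringBuilder sb = new StringBuilder(PREFIX);
        for (String part : new String[] {f.realm, f.service, f.version, f.configType, f.subconfig}) {
            if (part == null) break;
            if (sb.length() > PREFIX.length()) sb.append(DELIMITER);
            sb.append(part);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // constructed: realm DNs contain no '/', so the realm tokenizes as a single field
        String full = "sms://dc=example,dc=com/sunAMDelegationService/1.0/organization/default/sub";
        Fields parsed = parse(full);
        System.out.println("all fields, subconfig spanning two tokens: " + parsed);
        System.out.println("round trip preserved: " + format(parsed).equals(full));

        // fewer components: trailing fields stay null, as in policyToPrivilege()
        System.out.println("realm and service only: " + parse("sms://dc=example,dc=com/iPlanetAMPolicyService"));

        // StringTokenizer skips empty tokens, so an empty field shifts the later ones left
        System.out.println("empty service token: " + parse("sms://dc=example,dc=com//1.0/organization"));

        // a resource without the prefix yields no fields at all
        System.out.println("non-sms resource: " + parse("http://dc=example,dc=com/x"));
    }
}
```

The original calls st.nextToken() for the realm without a hasMoreTokens() guard, so a resource consisting of the bare prefix raises NoSuchElementException, which the surrounding catch (Exception e) turns into a DelegationException; the guarded version above returns empty fields instead. The empty-token case is the one to keep in mind when constructing resource names: a field left blank does not produce a null, it moves every following field up one position.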

Example 19 with DelegationException

use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.

the class DelegationPolicyImpl method getPermissions.

/**
     * Returns a set of permissions that a user has.
     * 
     * @param token sso token of the user requesting permissions
     * @param orgName The name of the realm from which the delegation 
     *        permissions are fetched.
     * 
     * @return a <code>Set</code> of permissions that a user has
     * 
     * @throws SSOException if single-sign-on token invalid or expired
     * @throws DelegationException for any other abnormal condition
     */
public Set getPermissions(SSOToken token, String orgName) throws SSOException, DelegationException {
    DelegationPrivilege dp;
    Set perms = new HashSet();
    Set subjects;
    AMIdentity userIdentity = null;
    AMIdentity subjectIdentity = null;
    IdSearchResults results = null;
    if (token == null) {
        if (DelegationManager.debug.warningEnabled()) {
            DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "user sso token is null");
        }
        return perms;
    }
    try {
        userIdentity = IdUtils.getIdentity(token);
        if (userIdentity == null) {
            if (DelegationManager.debug.warningEnabled()) {
                DelegationManager.debug.warning("DelegationPolicyImpl.getPermissions():" + "could not get user's identity from token");
            }
            return perms;
        }
        Set privileges = getPrivileges(appToken, orgName);
        if ((privileges != null) && (!privileges.isEmpty())) {
            AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
            IdSearchControl ctrl = new IdSearchControl();
            ctrl.setRecursive(true);
            ctrl.setMaxResults(-1);
            ctrl.setTimeOut(-1);
            Iterator it = privileges.iterator();
            while (it.hasNext()) {
                dp = (DelegationPrivilege) it.next();
                subjects = dp.getSubjects();
                if ((subjects != null) && (!subjects.isEmpty())) {
                    Iterator sit = subjects.iterator();
                    while (sit.hasNext()) {
                        String subject = (String) sit.next();
                        String subjectId = LDAPUtils.rdnValueFromDn(subject);
                        if (subjectId != null) {
                            results = idRepo.searchIdentities(IdType.ROLE, subjectId, ctrl);
                            if (results != null) {
                                Set idSet = results.getSearchResults();
                                if ((idSet != null) && !idSet.isEmpty()) {
                                    subjectIdentity = (AMIdentity) (idSet.iterator().next());
                                    if (userIdentity.isMember(subjectIdentity)) {
                                        perms.addAll(dp.getPermissions());
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    } catch (Exception e) {
        throw new DelegationException(e);
    }
    return perms;
}
Also used : DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege) Set(java.util.Set) HashSet(java.util.HashSet) IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) IdSearchControl(com.sun.identity.idm.IdSearchControl) Iterator(java.util.Iterator) DelegationException(com.sun.identity.delegation.DelegationException) PolicyException(com.sun.identity.policy.PolicyException) SSOException(com.iplanet.sso.SSOException) IdRepoException(com.sun.identity.idm.IdRepoException)

Example 20 with DelegationException

use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock.

the class DelegationPolicyImpl method getSubjects.

/**
     * Returns a set of selected subjects of specified types matching the
     * pattern in the given realm. The pattern accepts "*" as the wild card for
     * searching subjects. For example, "a*c" matches with any subject starting
     * with a and ending with c.
     * 
     * @param token The <code>SSOToken</code> of the requesting user
     * @param orgName The name of the realm from which the subjects are fetched.
     * @param types a set of subject types. e.g. ROLE, GROUP.
     * @param pattern a filter used to select the subjects.
     * 
     * @return <code>Set</code> of universal Ids of the subjects associated
     *         with the realm, plus the "all authenticated users" id when the
     *         pattern is "*".
     *
     * @throws SSOException invalid or expired single-sign-on token
     * @throws DelegationException for any abnormal condition
     */
public Set getSubjects(SSOToken token, String orgName, Set types, String pattern) throws SSOException, DelegationException {
    Set results = new HashSet();
    // All Authenticated Users would be returned only if pattern is *
    if ((pattern != null) && pattern.equals("*")) {
        results.add(AUTHN_USERS_ID);
    }
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): types=" + types);
    }
    try {
        AMIdentityRepository idRepo = new AMIdentityRepository(appToken, orgName);
        Set supportedTypes = idRepo.getSupportedIdTypes();
        if (DelegationManager.debug.messageEnabled()) {
            DelegationManager.debug.message("DelegationPolicyImpl.getSubjects(): " + "supported subject types=" + supportedTypes);
        }
        if ((supportedTypes != null) && (!supportedTypes.isEmpty()) && (types != null) && (!types.isEmpty())) {
            Iterator it = types.iterator();
            while (it.hasNext()) {
                IdType idType = IdUtils.getType((String) it.next());
                if (supportedTypes.contains(idType)) {
                    IdSearchControl ctrl = new IdSearchControl();
                    ctrl.setRecursive(true);
                    ctrl.setMaxResults(-1);
                    ctrl.setTimeOut(-1);
                    IdSearchResults idsr = idRepo.searchIdentities(idType, pattern, ctrl);
                    if (idsr != null) {
                        Set searchRes = idsr.getSearchResults();
                        if ((searchRes != null) && (!searchRes.isEmpty())) {
                            Iterator iter = searchRes.iterator();
                            while (iter.hasNext()) {
                                AMIdentity id = (AMIdentity) iter.next();
                                results.add(IdUtils.getUniversalId(id));
                            }
                        }
                    }
                }
            }
        }
        return results;
    } catch (IdRepoException ide) {
        throw new DelegationException(ide);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) IdSearchResults(com.sun.identity.idm.IdSearchResults) AMIdentity(com.sun.identity.idm.AMIdentity) AMIdentityRepository(com.sun.identity.idm.AMIdentityRepository) Iterator(java.util.Iterator) IdSearchControl(com.sun.identity.idm.IdSearchControl) IdRepoException(com.sun.identity.idm.IdRepoException) DelegationException(com.sun.identity.delegation.DelegationException) IdType(com.sun.identity.idm.IdType)

Aggregations

DelegationException (com.sun.identity.delegation.DelegationException) 37
SSOException (com.iplanet.sso.SSOException) 29
Set (java.util.Set) 27
HashSet (java.util.HashSet) 21
Iterator (java.util.Iterator) 18
DelegationPermission (com.sun.identity.delegation.DelegationPermission) 17
SSOToken (com.iplanet.sso.SSOToken) 12
IdRepoException (com.sun.identity.idm.IdRepoException) 12
DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator) 11
DelegationManager (com.sun.identity.delegation.DelegationManager) 10
DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl) 9
DelegationPrivilege (com.sun.identity.delegation.DelegationPrivilege) 9
PolicyException (com.sun.identity.policy.PolicyException) 8
AMIdentity (com.sun.identity.idm.AMIdentity) 6
HashMap (java.util.HashMap) 5
Map (java.util.Map) 5
Test (org.testng.annotations.Test) 5
AMIdentityRepository (com.sun.identity.idm.AMIdentityRepository) 4
IdType (com.sun.identity.idm.IdType) 4
CLIException (com.sun.identity.cli.CLIException) 3