Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock: the class RestUtils, method isAdmin.
/**
 * Determines whether the caller behind the supplied context holds administrative privileges.
 *
 * <p>Super users (as judged by {@link SessionUtils#isAdmin}) short-circuit to {@code true}. Any other
 * caller must hold a READ delegation permission on at least one of the service names returned by
 * {@code getServiceNames()} in the resolved realm. A failure while evaluating (delegation, SSO or
 * SMS error) is logged and answered with {@code false}, so the check fails closed.
 *
 * @param context the request context; supplies the resolved realm and the caller's session cookie
 * @return {@code true} if the caller is a super user or may READ one of the known services;
 *         {@code false} otherwise, including when the evaluation itself fails
 */
public static boolean isAdmin(Context context) {
    try {
        String realm = context.asContext(RealmContext.class).getResolvedRealm();
        SSOToken callerToken =
                SSOTokenManager.getInstance().createSSOToken(getCookieFromServerContext(context));
        // Super users need no delegation lookup at all.
        if (SessionUtils.isAdmin(AccessController.doPrivileged(AdminTokenAction.getInstance()), callerToken)) {
            return true;
        }
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission();
        permission.setVersion("*");
        permission.setSubConfigName("default");
        permission.setOrganizationName(realm);
        permission.setActions(CollectionUtils.asSet("READ"));
        // The first service the caller is allowed to READ is enough to grant admin status.
        for (Object serviceName : getServiceNames()) {
            permission.setServiceName((String) serviceName);
            if (evaluator.isAllowed(callerToken, permission, Collections.<String, Set<String>>emptyMap())) {
                return true;
            }
        }
        return false;
    } catch (DelegationException | SSOException | SMSException e) {
        // Any evaluation error is treated as "not an admin" rather than propagated.
        debug.error("RestUtils::Failed to determine if user is an admin", e);
        return false;
    }
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock: the class PrivilegeAuthzModule, method evaluate.
/**
 * Authorises the calling subject against the supplied privilege definition.
 *
 * <p>The caller must have a session, must hold a REST delegation permission for the matched URI and
 * the definition's verb and actions in the realm it logged into, and that login realm must be
 * accepted for the requested realm by {@code loggedIntoValidRealm}. A delegation evaluation failure
 * becomes an {@link InternalServerErrorException}; failing to resolve the caller's SSO token is
 * reported as access denied.
 *
 * @param context the server context
 * @param definition the privilege definition
 * @return a promise holding the authorisation result, or an {@link InternalServerErrorException}
 *         when the delegation evaluation itself fails
 */
protected Promise<AuthorizationResult, ResourceException> evaluate(final Context context, final PrivilegeDefinition definition) {
    // Without an explicit realm context the request is treated as targeting the root realm.
    final String targetRealm;
    if (context.containsContext(RealmContext.class)) {
        targetRealm = context.asContext(RealmContext.class).getResolvedRealm();
    } else {
        targetRealm = "/";
    }
    final SubjectContext subjectContext = context.asContext(SubjectContext.class);
    final UriRouterContext routerContext = context.asContext(UriRouterContext.class);
    // The definition's action constants are evaluated as plain action strings.
    final Set<String> actionNames = transformSet(definition.getActions(), ACTION_TO_STRING_MAPPER);
    try {
        final Session callerSession = subjectContext.getCallerSession();
        if (callerSession == null) {
            // No session means there is nobody to authorise.
            return Promises.newResultPromise(AuthorizationResult.accessDenied("No session for request."));
        }
        final String loginRealm = coreWrapper.convertOrgNameToRealmName(callerSession.getClientDomain());
        final DelegationPermission requested = permissionFactory.newInstance(loginRealm, REST, VERSION,
                routerContext.getMatchedUri(), definition.getCommonVerb(), actionNames,
                Collections.<String, String>emptyMap());
        // Permission is evaluated first; the realm check only runs for a caller that is otherwise allowed.
        final boolean permitted = evaluator.isAllowed(subjectContext.getCallerSSOToken(), requested,
                Collections.<String, Set<String>>emptyMap());
        if (permitted && loggedIntoValidRealm(targetRealm, loginRealm)) {
            return Promises.newResultPromise(AuthorizationResult.accessPermitted());
        }
    } catch (DelegationException dE) {
        return new InternalServerErrorException("Attempt to authorise the user has failed", dE).asPromise();
    } catch (SSOException e) {
        // The caller could not be resolved to a user.
        return Promises.newResultPromise(AuthorizationResult.accessDenied("No user supplied in request."));
    }
    return Promises.newResultPromise(AuthorizationResult.accessDenied("The user has insufficient privileges"));
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock: the class AccessControlModelImpl, method canView.
/**
 * Returns true if a page can be viewed.
 *
 * <p>Without an SSO token nothing is viewable. A page that lists no permissions is always viewable;
 * otherwise the caller needs a READ delegation permission on at least one of the page's services.
 * When {@code accessLevel} is non-blank the permission is checked against the root realm ("/") with
 * that config type, otherwise against {@code realmName}. Delegation administration pages first
 * require the DELEGATE permission before the READ check is attempted. Evaluation errors are logged
 * and answered with {@code false}.
 *
 * @param permissions Permissions associated to the page (service names).
 * @param accessLevel Level of access i.e. either global or realm level.
 * @param realmName Currently view realm Name.
 * @param delegateUI true if this is a delegation administration page.
 * @return true if a page can be viewed.
 */
public boolean canView(Set permissions, String accessLevel, String realmName, boolean delegateUI) {
    if (ssoToken == null) {
        return false;
    }
    if (permissions.isEmpty()) {
        return true;
    }
    boolean allowed = false;
    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission();
        permission.setVersion("*");
        permission.setSubConfigName("default");
        boolean globalLevel = (accessLevel != null) && (accessLevel.trim().length() > 0);
        if (globalLevel) {
            // Global-level pages are checked at the root realm with the given config type.
            permission.setConfigType(accessLevel);
            permission.setOrganizationName("/");
        } else {
            permission.setOrganizationName(realmName);
        }
        if (delegateUI) {
            Set delegateActions = new HashSet();
            delegateActions.add(AMAdminConstants.PERMISSION_DELEGATE);
            permission.setActions(delegateActions);
            allowed = evaluator.isAllowed(ssoToken, permission, Collections.EMPTY_MAP);
        }
        // For delegation pages the READ check only runs once DELEGATE has been granted.
        if (!delegateUI || allowed) {
            Iterator services = permissions.iterator();
            while (!allowed && services.hasNext()) {
                String serviceName = (String) services.next();
                allowed = hasPermission(evaluator, permission, serviceName, AMAdminConstants.PERMISSION_READ);
            }
        }
    } catch (DelegationException | SSOException e) {
        AMModelBase.debug.error("AccessControlModelImpl.canView", e);
    }
    return allowed;
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock: the class DelegationModelImpl, method setPrivileges.
/**
 * Set privileges of an identity.
 *
 * <p>Each privilege value is read as the string form of a boolean: {@code "true"} adds the identity
 * to the privilege's subjects, anything else removes it. An existing privilege is re-saved only when
 * its subject set actually changed; a privilege that does not exist yet is created only when it is
 * being granted. Every write is bracketed by ATTEMPT/SUCCEED audit events carrying the realm, the
 * identity and the privilege name, and failures are audited with the error string before being
 * rethrown.
 *
 * @param realmName Name of realm.
 * @param uid Universal ID of the identity.
 * @param privileges Map of privilege name to privilege value (a Set holding the string value).
 * @throws AMConsoleException if privilege cannot be set.
 */
public void setPrivileges(String realmName, String uid, Map privileges) throws AMConsoleException {
    // Remembers the privilege being processed so a failure can be audited against it.
    String currentPrivilege = null;
    String[] auditParams = { realmName, uid, null };
    try {
        DelegationManager manager = new DelegationManager(getUserSSOToken(), realmName);
        Set existingPrivileges = manager.getPrivileges();
        for (Object key : privileges.keySet()) {
            String name = (String) key;
            String value = (String) AMAdminUtils.getValue((Set) privileges.get(name));
            boolean grant = value.equals(Boolean.TRUE.toString());
            auditParams[2] = name;
            currentPrivilege = name;
            DelegationPrivilege existing = getDelegationPrivilege(name, existingPrivileges);
            if (existing == null) {
                // Revoking from a privilege that does not exist is a no-op; only a grant creates one.
                if (grant) {
                    Set subjects = new HashSet(2);
                    subjects.add(uid);
                    logEvent("ATTEMPT_MODIFY_DELEGATION_PRIVILEGE", auditParams);
                    manager.addPrivilege(new DelegationPrivilege(name, subjects, realmName));
                    logEvent("SUCCEED_MODIFY_DELEGATION_PRIVILEGE", auditParams);
                }
                continue;
            }
            Set subjects = existing.getSubjects();
            // Only write back when membership really changes.
            boolean changed = grant ? !subjects.contains(uid) : subjects.contains(uid);
            if (!changed) {
                continue;
            }
            if (grant) {
                subjects.add(uid);
            } else {
                subjects.remove(uid);
            }
            logEvent("ATTEMPT_MODIFY_DELEGATION_PRIVILEGE", auditParams);
            manager.addPrivilege(existing);
            logEvent("SUCCEED_MODIFY_DELEGATION_PRIVILEGE", auditParams);
        }
    } catch (SSOException e) {
        String error = getErrorString(e);
        String[] failureParams = { realmName, uid, currentPrivilege, error };
        logEvent("SSO_EXCEPTION_MODIFY_DELEGATION_PRIVILEGE", failureParams);
        throw new AMConsoleException(error);
    } catch (DelegationException e) {
        String error = getErrorString(e);
        String[] failureParams = { realmName, uid, currentPrivilege, error };
        logEvent("DELEGATION_EXCEPTION_MODIFY_DELEGATION_PRIVILEGE", failureParams);
        throw new AMConsoleException(error);
    }
}
Use of com.sun.identity.delegation.DelegationException in project OpenAM by OpenRock: the class DelegationModelImpl, method getSubjects.
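/**
 * Returns delegation subjects under a realm. Returning a set of
 * universal ID of subject.
 *
 * <p>Failures are audited with the realm, the pattern and the error string, logged, and rethrown as
 * {@link AMConsoleException}. A {@code null} result from the delegation manager is returned as an
 * empty (unmodifiable) set.
 *
 * @param realmName Name of realm.
 * @param pattern Wildcard for matching subject name.
 * @return delegation subjects under a realm.
 * @throws AMConsoleException if subject universal ID cannot be obtained.
 */
public Set getSubjects(String realmName, String pattern) throws AMConsoleException {
    String[] params = { realmName, pattern };
    logEvent("ATTEMPT_GET_DELEGATION_SUBJECTS", params);
    try {
        DelegationManager mgr = new DelegationManager(getUserSSOToken(), realmName);
        Set results = mgr.getSubjects(pattern);
        logEvent("SUCCEED_GET_DELEGATION_SUBJECTS", params);
        return (results != null) ? results : Collections.EMPTY_SET;
    } catch (SSOException e) {
        String strError = getErrorString(e);
        // The failure event carries the error string; previously the extended parameter array was
        // built but the plain params were logged, dropping the error from the audit record.
        String[] paramsEx = { realmName, pattern, strError };
        logEvent("SSO_EXCEPTION_GET_DELEGATION_SUBJECTS", paramsEx);
        debug.error("DelegationModelImpl.getSubjects", e);
        throw new AMConsoleException(strError);
    } catch (DelegationException e) {
        String strError = getErrorString(e);
        String[] paramsEx = { realmName, pattern, strError };
        logEvent("DELEGATION_EXCEPTION_GET_DELEGATION_SUBJECTS", paramsEx);
        debug.error("DelegationModelImpl.getSubjects", e);
        throw new AMConsoleException(strError);
    }
}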