use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class DelegationConfigNode method hasPermission.
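/**
 * Checks whether {@code ssoToken} is allowed to perform {@code action} in the given realm.
 *
 * <p>When {@code serviceName} is supplied the check is made against that service only.
 * Otherwise the token is tested against each action registered under
 * {@code AMAdminConstants.PERMISSION_MODIFY} in {@code permissions}, stopping at the first grant.
 * The result is fail-closed: any path that cannot establish a grant yields {@code false},
 * including the case where no modify actions are registered at all (previously a
 * {@code NullPointerException} from iterating a {@code null} set).
 *
 * @param realmName realm to evaluate in; when {@code null} it is derived from the token's
 *     {@code Constants.ORGANIZATION} property
 * @param serviceName service to check, or {@code null} to test the configured modify actions
 * @param action the delegation action being requested
 * @param ssoToken the subject whose privileges are evaluated
 * @return {@code true} only if an explicit grant was found
 * @throws DelegationException if the realm could not be derived from the token (wrapping the
 *     {@link SSOException}), or if the delegation helpers propagate one
 */
boolean hasPermission(String realmName, String serviceName, String action, SSOToken ssoToken)
        throws DelegationException {
    String effectiveRealm = realmName;
    if (effectiveRealm == null) {
        try {
            effectiveRealm = DNMapper.orgNameToRealmName(ssoToken.getProperty(Constants.ORGANIZATION));
        } catch (SSOException e) {
            // Keep the cause so the failed token lookup stays diagnosable upstream.
            throw new DelegationException(e);
        }
    }
    DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
    DelegationPermission permission = getDelegationPermission(effectiveRealm, action);

    if (serviceName != null) {
        return isAllowed(evaluator, permission, ssoToken, serviceName);
    }

    // No service given: walk the configured modify actions until one is granted.
    // A missing entry in the permissions map means nothing is granted; deny rather
    // than fail with a NullPointerException from the iterator.
    Set<?> modifyActions = (Set<?>) permissions.get(AMAdminConstants.PERMISSION_MODIFY);
    if (modifyActions == null) {
        return false;
    }
    for (Object candidate : modifyActions) {
        if (isAllowed(evaluator, permission, ssoToken, (String) candidate)) {
            return true;
        }
    }
    return false;
}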
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class SessionService method hasTopLevelAdminRole.
/**
 * Returns true if the user has top level admin role
 *
 * <p>The role is established by asking the delegation evaluator whether the token holds the
 * read, modify and delegate actions on a permission built for the root realm ({@code "/"})
 * with {@code "*"} in every other positional argument (presumably matching any service,
 * version, config type and sub-configuration — the {@code DelegationPermission} contract is
 * outside this view). A {@link DelegationException} raised during evaluation is logged and
 * treated as "not an admin", so the check fails closed.
 *
 * @param tokenUsedForSearch Single Sign on token used to do the search.
 * @param clientID Client ID of the login user.
 * @return {@code true} only if the evaluator granted the root-realm permission
 * @throws SessionException
 * @throws SSOException
 */
private boolean hasTopLevelAdminRole(SSOToken tokenUsedForSearch, String clientID)
        throws SessionException, SSOException {
    Set requiredActions = CollectionUtils.asSet(PERMISSION_READ, PERMISSION_MODIFY, PERMISSION_DELEGATE);
    try {
        DelegationPermission rootPermission =
                new DelegationPermission("/", "*", "*", "*", "*", requiredActions, Collections.EMPTY_MAP);
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        return evaluator.isAllowed(tokenUsedForSearch, rootPermission, Collections.EMPTY_MAP);
    } catch (DelegationException de) {
        // Evaluation failure is not a grant: log it and report "no admin role".
        sessionDebug.error("SessionService.hasTopLevelAdminRole: failed to check the delegation permission.", de);
        return false;
    }
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class XACMLUtils method hasPermission.
/**
 * Tests whether {@code adminToken} holds {@code action} on the {@code policies} resource of
 * the {@code rest} service (version {@code 1.0}) in {@code realm}.
 *
 * <p>Fails closed: a {@link DelegationException} or {@link SSOException} raised while building
 * or evaluating the permission is logged under {@code DEBUG} and reported as not permitted.
 *
 * @param realm realm whose delegation rules are consulted
 * @param adminToken subject being authorised
 * @param action the single action to test; it is also the action set of the permission
 * @return {@code true} only if the evaluator explicitly granted the action
 */
public static boolean hasPermission(String realm, SSOToken adminToken, String action) {
    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission(
                realm, "rest", "1.0", "policies", action, asSet(action), Collections.<String, String>emptyMap());
        return evaluator.isAllowed(adminToken, permission, Collections.EMPTY_MAP);
    } catch (DelegationException de) {
        DEBUG.error("XACMLUtils.hasPermission", de);
    } catch (SSOException ssoe) {
        DEBUG.error("XACMLUtils.hasPermission", ssoe);
    }
    // Reached only after a logged failure: deny.
    return false;
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class IdServicesImpl method checkPermission.
/**
 * Enforces the delegation check for an identity-repository operation.
 *
 * <p>Skipped entirely (returns {@code true}) while the configuration has not been migrated to
 * 7.0 (coexistence mode). Otherwise a {@link DelegationPermission} is built for
 * {@code IdConstants.REPO_SERVICE} / {@code "1.0"} / {@code "application"} on the resource
 * {@code type.getName()} (plus {@code "/" + name} when a name is given), with
 * {@code READ_ACTION} for {@link IdOperation#READ} and {@code WRITE_ACTION} for everything else.
 * Any requested attributes are passed to the evaluator under {@code DELEGATION_ATTRS_NAME}.
 *
 * <p>Fails closed: both an explicit denial and a {@link DelegationException} from the evaluator
 * surface as an {@code ACCESS_DENIED} {@link IdRepoException}; the exception case is logged first.
 *
 * @param token subject performing the operation
 * @param realm realm the operation targets
 * @param name identity name, or {@code null} to address the type as a whole
 * @param attrs attributes involved in the operation, or {@code null}
 * @param op the operation being attempted
 * @param type the identity type being operated on
 * @return {@code true} when the operation is permitted (never {@code false}; denial throws)
 * @throws IdRepoException with {@code ACCESS_DENIED} when the operation is not permitted
 * @throws SSOException if the token's principal cannot be read while building the denial
 */
private boolean checkPermission(SSOToken token, String realm, String name, Set attrs, IdOperation op, IdType type)
        throws IdRepoException, SSOException {
    if (!ServiceManager.isConfigMigratedTo70()) {
        // in coexistence mode. Do not perform any delegation check
        return true;
    }
    // TODO This is a temporary fix where-in all users are being allowed read
    // permisions, till delegation component is fixed to support "user self read" operations
    Set requestedAction = op.equals(IdOperation.READ) ? READ_ACTION : WRITE_ACTION;

    try {
        DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
        String typeName = type.getName();
        String resource = (name == null) ? typeName : typeName + "/" + name;
        DelegationPermission permission = new DelegationPermission(realm, IdConstants.REPO_SERVICE, "1.0",
                "application", resource, requestedAction, Collections.EMPTY_MAP);
        Map environment = Collections.EMPTY_MAP;
        if (attrs != null) {
            environment = new HashMap();
            environment.put(DELEGATION_ATTRS_NAME, attrs);
        }
        if (evaluator.isAllowed(token, permission, environment)) {
            return true;
        }
    } catch (DelegationException dex) {
        DEBUG.error("IdServicesImpl.checkPermission Got Delegation Exception: ", dex);
    }
    // Explicit denial and evaluator failure both end here: refuse access.
    Object[] args = { op.getName(), token.getPrincipal().getName() };
    throw new IdRepoException(IdRepoBundle.BUNDLE_NAME, IdRepoErrorCode.ACCESS_DENIED, args);
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class SMSEntry method isAllowedByDelegation.
/**
 * Evaluates whether {@code token} may perform {@code actions} on the SMS entry {@code dnName}.
 *
 * <p>The DN is parsed by {@code parseOrgDN} into realm, sub-configuration name, configuration
 * type, version and service name, which become the {@link DelegationPermission} presented to
 * the shared {@code DelegationEvaluatorHolder.dlgEval}.
 *
 * <p>One request shape bypasses evaluation: a read-only request ({@code actions} is exactly
 * {@code {READ}}) against a wildcard ({@code "*"}) config type or sub-configuration of any
 * service other than {@code REALM_SERVICE} is granted without consulting the evaluator. Any
 * tightening of read access to wildcard entries has to happen in that branch.
 *
 * @param token subject being authorised
 * @param dnName DN of the entry being read or modified
 * @param actions requested actions
 * @return {@code true} if the request is granted (by the bypass or by the evaluator)
 * @throws SMSException {@code sms-INVALID_SSO_TOKEN} if the token is invalid, or
 *     {@code sms-invalid_delegation_privilege} if the permission could not be evaluated
 */
private static boolean isAllowedByDelegation(SSOToken token, String dnName, Set actions) throws SMSException {
    String[] dnParts = parseOrgDN(dnName);
    String orgName = dnParts[0];
    String subConfigName = dnParts[1];
    String configType = dnParts[2];
    String version = dnParts[3];
    String serviceName = dnParts[4];

    // Unchecked path: wildcard read of anything but the realm service is granted outright.
    if (!serviceName.equals(REALM_SERVICE)) {
        boolean wildcardTarget = configType.equalsIgnoreCase("*") || subConfigName.equalsIgnoreCase("*");
        if (wildcardTarget && actions.size() == 1 && actions.contains(READ)) {
            return true;
        }
    }

    boolean granted;
    try {
        DelegationPermission permission = new DelegationPermission(
                orgName, serviceName, version, configType, subConfigName, actions, Collections.EMPTY_MAP);
        granted = DelegationEvaluatorHolder.dlgEval.isAllowed(token, permission, Collections.EMPTY_MAP);
    } catch (SSOException se) {
        debug.error("SMSEntry.isAllowed : Invalid Token: ", se);
        throw new SMSException(bundle.getString("sms-INVALID_SSO_TOKEN"), "sms-INVALID_SSO_TOKEN");
    } catch (DelegationException de) {
        debug.error("SMSEntry.isAllowed : Invalid DelegationPermission: ", de);
        throw new SMSException(bundle.getString("sms-invalid_delegation_privilege"), "sms-invalid_delegation_privilege");
    }

    if (!granted && debug.warningEnabled()) {
        // Record who was refused; a principal lookup failure here is only a logging problem.
        try {
            debug.warning("SMSEntry: Attempt by: " + token.getPrincipal().getName()
                    + " to read/modify entry: " + dnName + " has no permissions");
        } catch (SSOException ssoe) {
            debug.warning("SMSEntry: Attempted to: read/modify an entry that has invalid delegation privilege: "
                    + dnName, ssoe);
        }
    }
    return granted;
}