use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class SSOTokenAuthZ method doFilter.
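/**
 * Authorizes the request against the entitlement delegation service and then
 * validates the caller's SSO token before handing the request to the rest of the chain.
 * <p>
 * The caller's {@link Principal} must be an {@code ISubjectable}. Its subject is
 * mapped to an {@code SSOToken}, the HTTP method is mapped to a delegation action
 * through {@code mapMethodToAction}, and a {@code DelegationPermission} for the
 * request URI is evaluated. Any failure on that path yields an error response;
 * only when both the permission check and {@code validateTokenId} succeed does
 * the request continue down the chain.
 *
 * @param request  the incoming request; must be an {@link HttpServletRequest}
 * @param response the outgoing response; must be an {@link HttpServletResponse}
 * @param chain    the remaining filter chain
 * @throws IOException      if writing the error response or the chain fails
 * @throws ServletException if the chain fails
 */
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    final HttpServletRequest httpRequest = (HttpServletRequest) request;
    final HttpServletResponse httpResponse = (HttpServletResponse) response;

    int statusCode = HttpServletResponse.SC_OK;
    String statusMessage = null;

    // NOTE(review): every refusal below is reported as 401 rather than 403; kept
    // as-is because existing clients may depend on the status code.
    Principal clientPrincipal = httpRequest.getUserPrincipal();
    if (clientPrincipal instanceof ISubjectable) {
        try {
            Subject clientSubject = ((ISubjectable) clientPrincipal).createSubject();
            DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
            SSOToken token = SubjectUtils.getSSOToken(clientSubject);
            String action = mapMethodToAction.get(httpRequest.getMethod());
            if (action == null) {
                // An HTTP verb with no mapped action is refused rather than defaulting to any action.
                statusCode = HttpServletResponse.SC_UNAUTHORIZED;
                statusMessage = "Unable to get HTTP method for request.";
            } else {
                Set<String> actions = new HashSet<String>();
                actions.add(action);
                DelegationPermission permission = new DelegationPermission("/", "sunEntitlementService",
                        "1.0", "application", getURI(request), actions, null);
                // Typed empty map instead of the raw Collections.EMPTY_MAP constant.
                if (!evaluator.isAllowed(token, permission, Collections.<String, Set<String>>emptyMap())) {
                    statusCode = HttpServletResponse.SC_UNAUTHORIZED;
                    statusMessage = "Unauthorized.";
                }
            }
        } catch (Exception e) {
            // Fail closed. The exception text is deliberately not echoed to the client:
            // it can carry internal details (class names, realm/service configuration)
            // that help an attacker and do not help a legitimate caller.
            // NOTE(review): the cause is dropped here; no logger is visible in this block,
            // so recording it at debug level is left for the maintainer to decide.
            statusCode = HttpServletResponse.SC_UNAUTHORIZED;
            statusMessage = "Unauthorized.";
        }
    } else {
        statusCode = HttpServletResponse.SC_UNAUTHORIZED;
        statusMessage = "Unable to obtain subject.";
    }

    if (statusCode == HttpServletResponse.SC_OK) {
        // Permission granted; the token itself must still be valid before proceeding.
        statusCode = validateTokenId(httpRequest);
        if (statusCode == HttpServletResponse.SC_OK) {
            chain.doFilter(request, response);
        } else {
            statusMessage = "SSO token is invalid or has expired.";
        }
    }

    if (statusCode != HttpServletResponse.SC_OK) {
        httpResponse.sendError(statusCode, statusMessage);
    }
}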
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class XacmlServiceTest method testPermissionsCheckSuccess.
/**
 * Verifies that {@code checkPermission} returns {@code true} when the delegation
 * evaluator allows the request, and that the grant is recorded in the audit log.
 */
@Test
public void testPermissionsCheckSuccess() {
    // given: mocked collaborators and an evaluator that allows everything for this token/permission
    SSOToken token = mock(SSOToken.class);
    DelegationPermission permission = mock(DelegationPermission.class);
    DelegationEvaluator delegationEvaluator = mock(DelegationEvaluator.class);
    RestLog auditLog = PowerMockito.mock(RestLog.class);
    XacmlService service = new XacmlService(importExport, adminTokenAction, this.debug, auditLog,
            delegationEvaluator, jacksonRepresentationFactory);
    String lastSegment = "blah";

    try {
        when(delegationEvaluator.isAllowed(token, permission, Collections.EMPTY_MAP)).thenReturn(true);

        // when
        boolean allowed = service.checkPermission(permission, token, lastSegment);

        // then: permission granted and the grant audited
        assertThat(allowed).isTrue();
        verify(auditLog).auditAccessGranted(anyString(), anyString(), anyString(), any(SSOToken.class));
    } catch (DelegationException de) {
        fail("Did not expect DelegationException");
    } catch (SSOException ssoe) {
        fail("Did not expect SSOException");
    } catch (Exception e) {
        fail("Did not expect " + e.getClass().getName() + " with message " + e.getMessage());
    }
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class DelegationIsAllowedSubResourceTest method test.
/**
 * Checks that an authenticated test user holds the READ action on the
 * {@code default/application/*} sub-resource of the entitlement service.
 *
 * @throws Exception if authentication fails or the permission is not granted
 */
@Test
public void test() throws Exception {
    SSOToken token = AuthUtils.authenticate("/", USER1, USER1);
    Set<String> actions = new HashSet<String>(Collections.singletonList("READ"));
    DelegationPermission permission = new DelegationPermission("/", "sunEntitlementService", "1.0",
            "application", "default/application/*", actions, null);
    boolean allowed = new DelegationEvaluatorImpl().isAllowed(token, permission, Collections.EMPTY_MAP, true);
    if (!allowed) {
        throw new Exception("DelegationIsAllowedSubResourceTest.test: failed");
    }
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class OrgConfigViaAMSDK method checkRealmPermission.
/**
 * Checks whether the token holder has the given actions on the realm service of
 * {@code realm}.
 *
 * @param token  the caller's SSO token; {@code null} is treated as "no permission"
 * @param realm  the realm the permission is evaluated in
 * @param action the set of action names to check
 * @return {@code true} only if the delegation evaluator allows the actions; any
 *         delegation or SSO failure is logged and reported as {@code false}
 */
private boolean checkRealmPermission(SSOToken token, String realm, Set action) {
    if (token == null) {
        return false;
    }
    try {
        DelegationPermission permission = new DelegationPermission(realm,
                com.sun.identity.sm.SMSEntry.REALM_SERVICE, "1.0", "*", "*", action, Collections.EMPTY_MAP);
        return new DelegationEvaluatorImpl().isAllowed(token, permission, null);
    } catch (DelegationException dex) {
        debug.error("OrgConfigViaAMSDK.checkRealmPermission: Got Delegation Exception: ", dex);
        return false;
    } catch (SSOException ssoe) {
        // An invalid token is an expected condition, so it is only reported at message level.
        if (debug.messageEnabled()) {
            debug.message("OrgConfigViaAMSDK.checkRealmPermission: Invalid SSOToken: ", ssoe);
        }
        return false;
    }
}
use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.
the class PrivilegeAuthzModuleTest method crestQueryIsAllowed.
/**
 * Routes a CREST query through the authorization filter and checks that, when the
 * delegation evaluator grants READ on the policies resource, the query reaches the
 * provider and its response is passed back unchanged.
 */
@Test
public void crestQueryIsAllowed() throws SSOException, DelegationException, ResourceException {
    // Given: a READ permission the factory hands out and the evaluator accepts
    Set<String> readAction = new HashSet<>(Arrays.asList("READ"));
    DelegationPermission readPermission = new DelegationPermission("/abc", "rest", "1.0", "policies",
            "read", readAction, EXTENSIONS, DUMB_FUNC);
    given(subjectContext.getCallerSSOToken()).willReturn(token);
    given(factory.newInstance("/abc", "rest", "1.0", "policies", "read", readAction, EXTENSIONS))
            .willReturn(readPermission);
    given(evaluator.isAllowed(eq(token), eq(readPermission), eq(ENVIRONMENT))).willReturn(true);
    given(provider.queryCollection(isA(Context.class), isA(QueryRequest.class), isA(QueryResourceHandler.class)))
            .willReturn(Promises.newResultPromise(Responses.newQueryResponse("abc-def")));
    QueryResourceHandler queryHandler = mock(QueryResourceHandler.class);

    // When: the query is routed through the authorization filter
    Router router = new Router();
    router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"),
            AuthorizationFilters.createAuthorizationFilter(provider, module));
    RealmContext realmContext = new RealmContext(subjectContext);
    realmContext.setSubRealm("abc", "abc");
    Promise<QueryResponse, ResourceException> outcome =
            router.handleQuery(realmContext, Requests.newQueryRequest("/policies"), queryHandler);

    // Then: the provider's response comes back untouched
    QueryResponse queryResponse = outcome.getOrThrowUninterruptibly();
    assertThat(queryResponse.getPagedResultsCookie()).isEqualTo("abc-def");
}