Example 16 with DelegationPermission

Use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

From class AccessControlModelImpl, method canView.

/**
 * Returns true if a page can be viewed.
 *
 * @param permissions Permissions associated to the page.
 * @param accessLevel Level of access, i.e. either global or realm level.
 * @param realmName Name of the realm currently being viewed.
 * @param delegateUI true if this is a delegation administration page.
 * @return true if a page can be viewed.
 */
public boolean canView(Set permissions, String accessLevel, String realmName, boolean delegateUI) {
    boolean canView = false;
    if (ssoToken != null) {
        if (permissions.isEmpty()) {
            canView = true;
        } else {
            try {
                DelegationEvaluator delegationEvaluator = new DelegationEvaluatorImpl();
                DelegationPermission delegationPermission = new DelegationPermission();
                delegationPermission.setVersion("*");
                delegationPermission.setSubConfigName("default");
                if ((accessLevel != null) && (accessLevel.trim().length() > 0)) {
                    delegationPermission.setConfigType(accessLevel);
                    delegationPermission.setOrganizationName("/");
                } else {
                    delegationPermission.setOrganizationName(realmName);
                }
                if (delegateUI) {
                    Set actions = new HashSet();
                    actions.add(AMAdminConstants.PERMISSION_DELEGATE);
                    delegationPermission.setActions(actions);
                    canView = delegationEvaluator.isAllowed(ssoToken, delegationPermission, Collections.EMPTY_MAP);
                }
                if (!delegateUI || canView) {
                    for (Iterator i = permissions.iterator(); i.hasNext() && !canView; ) {
                        String serviceName = (String) i.next();
                        canView = hasPermission(delegationEvaluator, delegationPermission, serviceName, AMAdminConstants.PERMISSION_READ);
                    }
                }
            } catch (DelegationException e) {
                AMModelBase.debug.error("AccessControlModelImpl.canView", e);
            } catch (SSOException e) {
                AMModelBase.debug.error("AccessControlModelImpl.canView", e);
            }
        }
    }
    return canView;
}
Also used: DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl), Set (java.util.Set), HashSet (java.util.HashSet), Iterator (java.util.Iterator), DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator), DelegationException (com.sun.identity.delegation.DelegationException), SSOException (com.iplanet.sso.SSOException), DelegationPermission (com.sun.identity.delegation.DelegationPermission)

Example 17 with DelegationPermission

Use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

From class DelegationConfigNode, method getDelegationPermission.

private DelegationPermission getDelegationPermission(String realmName, String privilege) throws DelegationException {
    DelegationPermission delegationPermission = new DelegationPermission();
    delegationPermission.setOrganizationName(realmName);
    delegationPermission.setVersion("*");
    Set actions = new HashSet(2);
    actions.add(privilege);
    delegationPermission.setActions(actions);
    return delegationPermission;
}
Also used: Set (java.util.Set), HashSet (java.util.HashSet), DelegationPermission (com.sun.identity.delegation.DelegationPermission)

Example 18 with DelegationPermission

Use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

From class UMUserPasswordResetOptionsModelImpl, method isRealmAdmin.

/**
 * Returns <code>true</code> if the current user is a realm administrator.
 *
 * @return <code>true</code> if the current user is a realm administrator.
 */
public boolean isRealmAdmin() {
    SSOToken token = getUserSSOToken();
    try {
        Set actionNames = new HashSet();
        actionNames.add("MODIFY");
        DelegationEvaluator de = new DelegationEvaluatorImpl();
        DelegationPermission permission = new DelegationPermission(token.getProperty(Constants.ORGANIZATION), "sunAMRealmService", "1.0", "organization", "default", actionNames, null);
        return de.isAllowed(token, permission, null);
    } catch (SSOException e) {
        debug.warning("UserPasswordResetOptionsModelImpl.isRealmAdmin", e);
    } catch (DelegationException e) {
        debug.warning("UserPasswordResetOptionsModelImpl.isRealmAdmin", e);
    }
    return false;
}
Also used: DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl), SSOToken (com.iplanet.sso.SSOToken), HashSet (java.util.HashSet), Set (java.util.Set), DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator), SSOException (com.iplanet.sso.SSOException), DelegationException (com.sun.identity.delegation.DelegationException), DelegationPermission (com.sun.identity.delegation.DelegationPermission)

Example 19 with DelegationPermission

Use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

From class ISAuthorizer, method isAuthorized.

/**
 * Returns <code>true</code> if a given log record should be published.
 *
 * @param logName Log name on which operation is to be performed.
 * @param operation The log operation to be performed.
 * @param credential The credential to be authorized.
 * @return <code>true</code> if the credential is authorized.
 */
public boolean isAuthorized(String logName, String operation, Object credential) {
    SSOToken ssoToken = null;
    if (credential instanceof SSOToken) {
        ssoToken = (SSOToken) credential;
    }
    if (ssoToken == null) {
        Debug.error("ISAuthorizer.isAuthorized(): SSO Token is null ");
        return false;
    }
    try {
        String tmpID = ssoToken.getPrincipal().getName();
        if (Debug.messageEnabled()) {
            Debug.message("ISAuthorizer.isAuthorized():logName = " + logName + ", op = " + operation + ", uid = " + tmpID);
        }
        String thisSubConfig = "LogWrite";
        if (operation.equalsIgnoreCase("READ")) {
            thisSubConfig = "LogRead";
        }
        SSOTokenManager ssoMgr = SSOTokenManager.getInstance();
        if (ssoMgr.isValidToken(ssoToken)) {
            Map tmap = new HashMap();
            Set actSet;
            actSet = Collections.singleton(operation);
            try {
                String amRealm = ssoToken.getProperty(Constants.ORGANIZATION);
                DelegationPermission dp = new DelegationPermission(
                        amRealm,                    // realm
                        "iPlanetAMLoggingService",  // service name
                        "1.0",                      // version
                        "application",              // config type
                        thisSubConfig,              // subConfig name
                        actSet,                     // actions
                        tmap);                      // extensions
                DelegationEvaluator de = new DelegationEvaluatorImpl();
                if (de.isAllowed(ssoToken, dp, null)) {
                    return true;
                } else {
                    Debug.error(logName + ":ISAuthorizer.isAuthorized():log rqt to " + operation + " by " + tmpID + " denied.");
                }
            } catch (DelegationException dex) {
                String loggedByID = ssoToken.getPrincipal().getName();
                Debug.error("ISAuthorizer.isAuthorized():delegation error: " + "user: " + loggedByID + ", logName = " + logName + ", op = " + operation + ", msg = " + dex.getMessage());
            }
        } else {
            String loggedByID = ssoToken.getPrincipal().getName();
            Debug.error("ISAuthorizer.isAuthorized(): access denied " + "for user : " + loggedByID);
        }
    } catch (SSOException ssoe) {
        Debug.error("ISAuthorizer.isAuthorized(): SSOException: ", ssoe);
    }
    return false;
}
Also used: SSOTokenManager (com.iplanet.sso.SSOTokenManager), DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl), SSOToken (com.iplanet.sso.SSOToken), Set (java.util.Set), HashMap (java.util.HashMap), DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator), DelegationException (com.sun.identity.delegation.DelegationException), SSOException (com.iplanet.sso.SSOException), Map (java.util.Map), DelegationPermission (com.sun.identity.delegation.DelegationPermission)

Example 20 with DelegationPermission

Use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

From class DelegationPolicyImpl, method privilegeToPolicy.

/**
 * Converts a delegation privilege to a policy.
 *
 * @param pm PolicyManager object to be used to create the
 *        <code>Policy</code> object.
 * @param priv <code>DelegationPrivilege</code> which needs to be
 *        converted.
 * @param orgName Name of the organization (realm) the privilege belongs to;
 *        used as the prefix of the policy name.
 * @return policy object.
 */
private Policy privilegeToPolicy(PolicyManager pm, DelegationPrivilege priv, String orgName) throws DelegationException {
    try {
        /* The name of the policy is in the form of
         * orgName^^privilegeName, where privilegeName is the
         * name of the delegation privilege that the policy
         * corresponds to. In case the orgName is in DN
         * format, the special char ',' is replaced to
         * avoid saving problems.
         */
        String prefix = null;
        if (orgName != null) {
            prefix = orgName.toLowerCase() + NAME_DELIMITER;
            prefix = prefix.replace(',', REPLACEMENT_FOR_COMMA);
        } else {
            prefix = NAME_DELIMITER;
        }
        String name = prefix + priv.getName();
        Policy policy = new Policy(name);
        Set permissions = priv.getPermissions();
        if ((permissions != null) && (!permissions.isEmpty())) {
            Iterator pmit = permissions.iterator();
            int seqNum = 0;
            while (pmit.hasNext()) {
                DelegationPermission perm = (DelegationPermission) pmit.next();
                String resourceName = getResourceName(perm);
                Map actions = new HashMap();
                Set permActions = perm.getActions();
                if (permActions != null) {
                    Set values = new HashSet();
                    values.add(ACTION_ALLOW);
                    Iterator it = permActions.iterator();
                    while (it.hasNext()) {
                        String actionName = (String) it.next();
                        actions.put(actionName, values);
                    }
                }
                String ruleName = DELEGATION_RULE;
                if (seqNum != 0) {
                    ruleName += seqNum;
                }
                Rule rule = new Rule(ruleName, DelegationManager.DELEGATION_SERVICE, resourceName, actions);
                policy.addRule(rule);
                seqNum++;
            }
        }
        Set sv = new HashSet(priv.getSubjects());
        if ((sv != null) && (sv.contains(AUTHN_USERS_ID))) {
            Subject allauthNUsers = pm.getSubjectTypeManager().getSubject(AUTHENTICATED_USERS_SUBJECT);
            policy.addSubject(DELEGATION_AUTHN_USERS, allauthNUsers);
            sv.remove(AUTHN_USERS_ID);
        }
        if ((sv != null) && (!sv.isEmpty())) {
            Subject subject = pm.getSubjectTypeManager().getSubject(POLICY_SUBJECT);
            subject.setValues(sv);
            policy.addSubject(DELEGATION_SUBJECT, subject);
        }
        return policy;
    } catch (Exception e) {
        DelegationManager.debug.error("unable to convert a privilege to a policy", e);
        throw new DelegationException(e);
    }
}
Also used: Policy (com.sun.identity.policy.Policy), Set (java.util.Set), HashSet (java.util.HashSet), HashMap (java.util.HashMap), DelegationException (com.sun.identity.delegation.DelegationException), DelegationPermission (com.sun.identity.delegation.DelegationPermission), Subject (com.sun.identity.policy.interfaces.Subject), PolicyException (com.sun.identity.policy.PolicyException), SSOException (com.iplanet.sso.SSOException), IdRepoException (com.sun.identity.idm.IdRepoException), Iterator (java.util.Iterator), Rule (com.sun.identity.policy.Rule), Map (java.util.Map)

Aggregations

DelegationPermission (com.sun.identity.delegation.DelegationPermission): 30
HashSet (java.util.HashSet): 22
DelegationException (com.sun.identity.delegation.DelegationException): 17
SSOException (com.iplanet.sso.SSOException): 16
DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator): 14
Set (java.util.Set): 13
DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl): 12
Test (org.testng.annotations.Test): 12
FilterChain (org.forgerock.json.resource.FilterChain): 9
ResourceException (org.forgerock.json.resource.ResourceException): 9
Router (org.forgerock.json.resource.Router): 9
RealmContext (org.forgerock.openam.rest.RealmContext): 9
SubjectContext (org.forgerock.openam.rest.resource.SubjectContext): 9
Matchers.anyString (org.mockito.Matchers.anyString): 9
Context (org.forgerock.services.context.Context): 8
SSOToken (com.iplanet.sso.SSOToken): 7
Iterator (java.util.Iterator): 6
JsonValue (org.forgerock.json.JsonValue): 6
ResourceResponse (org.forgerock.json.resource.ResourceResponse): 6
IdRepoException (com.sun.identity.idm.IdRepoException): 4