
Example 21 with DelegationPermission

use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

the class DelegationPolicyImpl method hasDelegationPermissionsForRealm.

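/**
 * Returns {@code true} if the user bound to {@code token} holds the
 * {@code DELEGATE} action on the organisation configuration of realm
 * {@code orgName}, i.e. may administer delegation for that realm.
 *
 * <p>Evaluation goes through {@link DelegationEvaluatorImpl}, which also takes
 * care of super-users and internal users.
 *
 * @param token   the session of the user being checked
 * @param orgName the realm / organisation whose delegation rights are queried
 * @return {@code true} if the DELEGATE action is allowed for the realm
 * @throws SSOException        if the token is invalid
 * @throws DelegationException if the permission cannot be evaluated
 */
private boolean hasDelegationPermissionsForRealm(SSOToken token, String orgName)
        throws SSOException, DelegationException {
    // Only the DELEGATE action is asked for.
    Set<String> actions = new HashSet<String>();
    actions.add(DELEGATE);
    // Resource is the realm's own organisation configuration: no sub-configuration
    // name and no extension attributes.
    DelegationPermission permission = new DelegationPermission(orgName, "sunAMRealmService", "1.0",
            "organizationconfig", null, actions, Collections.<String, String>emptyMap());
    DelegationEvaluator evaluator = new DelegationEvaluatorImpl();
    // Raw EMPTY_MAP kept for the environment argument: its declared map type is
    // not visible here, so a typed empty map could fail to compile on older JDKs.
    return evaluator.isAllowed(token, permission, Collections.EMPTY_MAP);
}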
Also used : DelegationEvaluatorImpl(com.sun.identity.delegation.DelegationEvaluatorImpl) Set(java.util.Set) HashSet(java.util.HashSet) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) DelegationPermission(com.sun.identity.delegation.DelegationPermission) HashSet(java.util.HashSet)

Example 22 with DelegationPermission

use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

the class SMSMigration70 method migrateDelegationPolicies.

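/**
 * Migrates the delegation policies of {@code orgName} so that resource
 * (organisation) names, subject DNs and the realm they are stored under refer
 * to the service DN ({@link DNMapper#serviceDN}) instead of the directory root
 * suffix.
 *
 * <p>Every existing privilege is removed, rewritten in memory and then added
 * back under the normalised realm name. The two steps are not transactional:
 * a failure while re-adding leaves the already-removed privileges gone, so run
 * this against a backed-up configuration.
 *
 * <p>Delegation failures are reported on standard output rather than
 * propagated, as the other steps of this migration tool do.
 *
 * @param token   an administrative session used for the delegation manager
 * @param orgName the organisation (DN form) whose privileges are migrated
 * @throws SSOException if the token is invalid
 */
protected static void migrateDelegationPolicies(SSOToken token, String orgName) throws SSOException {
    System.out.println("Migrating delegation policies for org: " + orgName);
    try {
        DelegationManager dm = new DelegationManager(token, orgName);
        Set privileges = dm.getPrivileges();
        Set newPrivileges = new HashSet();
        for (Iterator items = privileges.iterator(); items.hasNext(); ) {
            DelegationPrivilege dp = (DelegationPrivilege) items.next();
            // Remove first; the rewritten privilege is re-added below under the new realm name.
            dm.removePrivilege(dp.getName());
            rebasePermissions(dp.getPermissions());
            dp.setSubjects(rebaseSubjects(dp.getSubjects()));
            newPrivileges.add(dp);
        }
        // Normalise the org name to the realm name the privileges are re-added under.
        orgName = rebaseToServiceDn(orgName);
        dm = new DelegationManager(token, orgName);
        for (Iterator items = newPrivileges.iterator(); items.hasNext(); ) {
            dm.addPrivilege((DelegationPrivilege) items.next());
        }
        System.out.println("Delegation Policies for org: " + orgName + "\n" + privileges);
    } catch (DelegationException de) {
        // Best effort, as elsewhere in this tool: report and carry on.
        System.out.println("   " + de.getMessage());
    }
}

/**
 * Rewrites the organisation name of every permission in {@code permissions}
 * to the service DN, in place. A permission is only written back when its
 * name actually changed.
 *
 * @param permissions a set of {@link DelegationPermission} instances
 */
private static void rebasePermissions(Set permissions) {
    for (Iterator perms = permissions.iterator(); perms.hasNext(); ) {
        DelegationPermission perm = (DelegationPermission) perms.next();
        String resource = perm.getOrganizationName();
        String rebased = rebaseToServiceDn(resource);
        if (!rebased.equals(resource)) {
            // NOTE(review): the permission is mutated while it is a member of a
            // hash-based set; this is only safe if DelegationPermission's
            // hashCode does not depend on the organisation name - confirm.
            perm.setOrganizationName(rebased);
        }
    }
}

/**
 * Returns a new set holding each subject DN of {@code subjects} rebased to the
 * service DN; subjects without the root suffix are copied unchanged.
 *
 * @param subjects a set of subject DN strings
 * @return a fresh {@link HashSet} of rebased subject DNs
 */
private static Set rebaseSubjects(Set subjects) {
    Set newSubjects = new HashSet();
    for (Iterator ss = subjects.iterator(); ss.hasNext(); ) {
        newSubjects.add(rebaseToServiceDn((String) ss.next()));
    }
    return newSubjects;
}

/**
 * Replaces the first occurrence of {@code ,<root suffix>} in {@code dn} with
 * {@code ,<service DN>}. The root suffix is matched case-insensitively (the
 * DN was already lower-cased for the search; lower-casing the suffix as well
 * means a suffix configured with upper-case characters is matched too). The
 * part of the DN before the suffix keeps its original case.
 *
 * @param dn a DN that may contain the directory root suffix
 * @return the rebased DN, or {@code dn} unchanged if the root suffix does not occur
 */
private static String rebaseToServiceDn(String dn) {
    String rootSuffix = SMSEntry.getRootSuffix();
    int index = dn.toLowerCase().indexOf(("," + rootSuffix).toLowerCase());
    if (index == -1) {
        return dn;
    }
    // Skip the comma and the suffix itself; anything after it is kept verbatim.
    return dn.substring(0, index) + "," + DNMapper.serviceDN
            + dn.substring(index + 1 + rootSuffix.length());
}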
Also used : DelegationPrivilege(com.sun.identity.delegation.DelegationPrivilege) HashSet(java.util.HashSet) Set(java.util.Set) DelegationManager(com.sun.identity.delegation.DelegationManager) Iterator(java.util.Iterator) DelegationException(com.sun.identity.delegation.DelegationException) DelegationPermission(com.sun.identity.delegation.DelegationPermission) HashSet(java.util.HashSet)

Example 23 with DelegationPermission

use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

the class XacmlService method checkPermission.

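/**
 * Lower-level {@code checkPermission} that builds the {@link DelegationPermission}
 * for a REST request and hands it to the permission-based overload; it is kept
 * separate mainly so tests can drive the evaluation directly.
 *
 * @param action         the delegation action being requested ({@code "READ"} or
 *                       {@code "MODIFY"}); it is the single entry of the permission's
 *                       action set and, by argument position, also fills the
 *                       sub-configuration slot of the permission
 * @param urlLastSegment the last path segment of the request; by argument position
 *                       this appears to be the permission's configuration-type
 *                       (resource) component, and it is forwarded to the
 *                       permission-based overload
 * @param realm          the realm the request is made against
 * @param token          the caller's session
 * @return {@code true} if the user holds {@code action} on the resource, {@code false} otherwise
 * @throws EntitlementException with {@code INTERNAL_ERROR} if the SSO token or the
 *                              delegation evaluation fails; the original cause is kept
 */
private boolean checkPermission(String action, String urlLastSegment, String realm, SSOToken token)
        throws EntitlementException {
    try {
        final Set<String> actions = new HashSet<String>(Arrays.asList(action));
        final DelegationPermissionFactory permissionFactory = new DelegationPermissionFactory();
        final DelegationPermission permissionRequest = permissionFactory.newInstance(realm, REST, VERSION,
                urlLastSegment, action, actions, Collections.<String, String>emptyMap());
        return checkPermission(permissionRequest, token, urlLastSegment);
    } catch (SSOException | DelegationException e) {
        // Both are infrastructure failures rather than a denial: log and surface as INTERNAL_ERROR.
        debug.warning("XacmlService permission evaluation failed", e);
        throw new EntitlementException(INTERNAL_ERROR, e);
    }
}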
Also used : DelegationPermissionFactory(com.sun.identity.delegation.DelegationPermissionFactory) EntitlementException(com.sun.identity.entitlement.EntitlementException) SSOException(com.iplanet.sso.SSOException) DelegationException(com.sun.identity.delegation.DelegationException) DelegationPermission(com.sun.identity.delegation.DelegationPermission) HashSet(java.util.HashSet)

Example 24 with DelegationPermission

use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

the class XacmlServiceTest method testPermissionsCheckFail.

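/**
 * A delegation evaluation that denies access must make {@code checkPermission}
 * return {@code false} and be audited as an access denial; no exception may escape.
 */
@Test
public void testPermissionsCheckFail() {
    // given
    RestLog restLog = PowerMockito.mock(RestLog.class);
    DelegationEvaluator evaluator = mock(DelegationEvaluator.class);
    XacmlService xacmlService = new XacmlService(importExport, adminTokenAction, this.debug, restLog, evaluator, jacksonRepresentationFactory);
    SSOToken adminToken = mock(SSOToken.class);
    DelegationPermission delegationPermission = mock(DelegationPermission.class);
    String urlLastSegment = "blah";
    try {
        // when
        when(evaluator.isAllowed(adminToken, delegationPermission, Collections.EMPTY_MAP)).thenReturn(false);
        boolean result = xacmlService.checkPermission(delegationPermission, adminToken, urlLastSegment);
        // then
        assertThat(result).isFalse();
        verify(restLog).auditAccessDenied(anyString(), anyString(), anyString(), any(SSOToken.class));
    } catch (Exception e) {
        // Any exception is a failure; pass the cause on so the stack trace is reported, not just the message.
        fail("Did not expect " + e.getClass().getName() + " with message " + e.getMessage(), e);
    }
}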
Also used : RestLog(org.forgerock.openam.forgerockrest.utils.RestLog) SSOToken(com.iplanet.sso.SSOToken) DelegationEvaluator(com.sun.identity.delegation.DelegationEvaluator) DelegationException(com.sun.identity.delegation.DelegationException) SSOException(com.iplanet.sso.SSOException) DelegationPermission(com.sun.identity.delegation.DelegationPermission) DelegationException(com.sun.identity.delegation.DelegationException) ResourceException(org.restlet.resource.ResourceException) SSOException(com.iplanet.sso.SSOException) EntitlementException(com.sun.identity.entitlement.EntitlementException) IOException(java.io.IOException) Test(org.testng.annotations.Test) PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)

Example 25 with DelegationPermission

use of com.sun.identity.delegation.DelegationPermission in project OpenAM by OpenRock.

the class PrivilegeAuthzModuleTest method crestActionEvaluateIsAllowed.

/**
 * A CREST action request routed through the authorization filter reaches the
 * provider, and its response is returned, when the delegation evaluator allows
 * the permission built for the request.
 */
@Test
public void crestActionEvaluateIsAllowed() throws SSOException, DelegationException {
    // Given...
    final Set<String> readOnly = new HashSet<>(Arrays.asList("READ"));
    final DelegationPermission evaluatePermission =
            new DelegationPermission("/abc", "rest", "1.0", "policies", "evaluate", readOnly, EXTENSIONS, DUMB_FUNC);
    given(subjectContext.getCallerSSOToken()).willReturn(token);
    given(factory.newInstance("/abc", "rest", "1.0", "policies", "evaluate", readOnly, EXTENSIONS))
            .willReturn(evaluatePermission);
    given(evaluator.isAllowed(eq(token), eq(evaluatePermission), eq(ENVIRONMENT))).willReturn(true);
    final JsonValue content = json(object(field("someKey", "someValue")));
    final Promise<ActionResponse, ResourceException> providerResponse =
            Promises.newResultPromise(Responses.newActionResponse(content));
    given(provider.actionCollection(isA(Context.class), isA(ActionRequest.class))).willReturn(providerResponse);
    // When...
    final RealmContext context = new RealmContext(subjectContext);
    context.setSubRealm("abc", "abc");
    final Router router = new Router();
    router.addRoute(RoutingMode.STARTS_WITH, Router.uriTemplate("/policies"),
            AuthorizationFilters.createAuthorizationFilter(provider, module));
    final ActionRequest request = Requests.newActionRequest("/policies", "evaluate");
    final Promise<ActionResponse, ResourceException> outcome = router.handleAction(context, request);
    // Then...
    assertThat(outcome).succeeded().withContent().stringAt("someKey").isEqualTo("someValue");
}
Also used : RealmContext(org.forgerock.openam.rest.RealmContext) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) Context(org.forgerock.services.context.Context) RealmContext(org.forgerock.openam.rest.RealmContext) FilterChain(org.forgerock.json.resource.FilterChain) JsonValue(org.forgerock.json.JsonValue) Router(org.forgerock.json.resource.Router) Matchers.anyString(org.mockito.Matchers.anyString) DelegationPermission(com.sun.identity.delegation.DelegationPermission) ActionResponse(org.forgerock.json.resource.ActionResponse) ActionRequest(org.forgerock.json.resource.ActionRequest) ResourceException(org.forgerock.json.resource.ResourceException) HashSet(java.util.HashSet) Test(org.testng.annotations.Test)

Aggregations

DelegationPermission (com.sun.identity.delegation.DelegationPermission)30 HashSet (java.util.HashSet)22 DelegationException (com.sun.identity.delegation.DelegationException)17 SSOException (com.iplanet.sso.SSOException)16 DelegationEvaluator (com.sun.identity.delegation.DelegationEvaluator)14 Set (java.util.Set)13 DelegationEvaluatorImpl (com.sun.identity.delegation.DelegationEvaluatorImpl)12 Test (org.testng.annotations.Test)12 FilterChain (org.forgerock.json.resource.FilterChain)9 ResourceException (org.forgerock.json.resource.ResourceException)9 Router (org.forgerock.json.resource.Router)9 RealmContext (org.forgerock.openam.rest.RealmContext)9 SubjectContext (org.forgerock.openam.rest.resource.SubjectContext)9 Matchers.anyString (org.mockito.Matchers.anyString)9 Context (org.forgerock.services.context.Context)8 SSOToken (com.iplanet.sso.SSOToken)7 Iterator (java.util.Iterator)6 JsonValue (org.forgerock.json.JsonValue)6 ResourceResponse (org.forgerock.json.resource.ResourceResponse)6 IdRepoException (com.sun.identity.idm.IdRepoException)4