
Example 31 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

Class SessionCondition, method evaluate.

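/**
 * {@inheritDoc}
 *
 * <p>Decides whether the caller's session is still inside the configured maximum session time.
 * The session creation time is taken from the {@code REQUEST_SESSION_CREATION_TIME} environment
 * entry when present, otherwise from the token's auth-instant property; an allow decision expires
 * at creation time plus {@code maxSessionTime}. When the session has outlived that window and
 * {@code terminateSession} is set, evaluation also destroys the token as a side effect.
 *
 * @param realm        not used by this condition.
 * @param subject      subject whose private credentials may carry the {@link SSOToken}; a missing
 *                     token yields an unconditional allow.
 * @param resourceName not used by this condition.
 * @param env          request environment, consulted for {@code REQUEST_SESSION_CREATION_TIME};
 *                     may be {@code null}.
 * @return an allow decision with a time-to-live, or a deny decision carrying
 *         {@code SESSION_CONDITION_ADVICE}.
 * @throws EntitlementException if the auth instant cannot be read or parsed from the token, or if
 *                              the supplied session creation time is not a valid long.
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    SSOToken token = (subject == null) ? null : (SSOToken) getValue(subject.getPrivateCredentials());
    if (token == null) {
        // No session to bound, so this condition has nothing to say: allow with no expiry.
        return new ConditionDecision(true, Collections.<String, Set<String>>emptyMap(), Long.MAX_VALUE);
    }
    long tokenCreationTime = resolveSessionCreationTime(token, env);
    long currentTime = timeService.now();
    // NOTE(review): a maxSessionTime close to Long.MAX_VALUE would overflow here and deny; confirm
    // the configured range if "unlimited" is ever expressed that way.
    long expiredTime = tokenCreationTime + maxSessionTime;
    if (debug.messageEnabled()) {
        debug.message("SessionCondition.getConditionDecision():\n  currentTime: " + currentTime + "\n  expiredTime: " + expiredTime);
    }
    if (currentTime < expiredTime) {
        return new ConditionDecision(true, Collections.<String, Set<String>>emptyMap(), expiredTime);
    }
    Map<String, Set<String>> advices = new HashMap<String, Set<String>>(1);
    Set<String> adviceMessages = new HashSet<String>(2);
    adviceMessages.add(ADVICE_DENY);
    if (terminateSession) {
        adviceMessages.add(ADVICE_TERMINATE_SESSION);
        // Evaluation has a side effect on this path: the over-age session is destroyed, not just denied.
        try {
            coreWrapper.destroyToken(token);
            debug.message("SessionCondition.getConditionDecision(): successfully terminated user session!");
        } catch (SSOException ssoEx) {
            // Best effort: the deny decision stands even if the session could not be torn down.
            if (debug.warningEnabled()) {
                debug.warning("SessionCondition.getConditionDecision(): failed to terminate user session!", ssoEx);
            }
        }
    }
    advices.put(SESSION_CONDITION_ADVICE, adviceMessages);
    return new ConditionDecision(false, advices, Long.MAX_VALUE);
}

/**
 * Determines the session creation time in epoch milliseconds, preferring the value supplied in the
 * request environment over the token's own auth-instant property.
 *
 * @param token the caller's session token, never {@code null}.
 * @param env   request environment, may be {@code null}.
 * @return the creation time in epoch milliseconds.
 * @throws EntitlementException if the environment value is not a valid long, or the token's auth
 *                              instant cannot be read or parsed.
 */
private long resolveSessionCreationTime(SSOToken token, Map<String, Set<String>> env) throws EntitlementException {
    String requestSessionCreationTime = (env == null) ? null : getValue(env.get(REQUEST_SESSION_CREATION_TIME));
    if (requestSessionCreationTime != null) {
        try {
            return Long.parseLong(requestSessionCreationTime);
        } catch (NumberFormatException e) {
            // The value is caller-supplied; a malformed one must fail the evaluation rather than
            // escape as an unchecked exception.
            throw new EntitlementException(CONDITION_EVALUATION_FAILED, e);
        }
    }
    try {
        return DateUtils.stringToDate(token.getProperty(SSOTOKEN_PROPERTY_AUTHINSTANT)).getTime();
    } catch (ParseException e) {
        throw new EntitlementException(UNABLE_TO_PARSE_SSOTOKEN_AUTHINSTANT, e);
    } catch (SSOException e) {
        throw new EntitlementException(CONDITION_EVALUATION_FAILED, e);
    }
}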

Example 32 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

Class SessionPropertyCondition, method evaluate.

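/**
 * {@inheritDoc}
 *
 * <p>Grants access only when, for every configured property name, the session token's value for
 * that property (split on {@code DELIMITER} when multi-valued) matches at least one configured
 * value, case-sensitively unless {@code ignoreValueCase} is set. The {@code VALUE_CASE_INSENSITIVE}
 * entry and entries without values are skipped. With no configured properties the result is allow.
 *
 * @param realm        not used by this condition.
 * @param subject      subject whose private credentials carry the {@link SSOToken}; {@code null}
 *                     denies, as does a subject with properties configured but no token.
 * @param resourceName not used by this condition.
 * @param env          not used by this condition.
 * @return the decision, never carrying advice.
 * @throws EntitlementException if a session property cannot be read from the token.
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    boolean allowed = true;
    if (debug.messageEnabled()) {
        debug.message("SessionPropertyCondition.evaluate():entering, ignoreValueCase= " + ignoreValueCase);
    }
    if (subject == null) {
        return new ConditionDecision(false, Collections.<String, Set<String>>emptyMap());
    }
    SSOToken token = (SSOToken) getValue(subject.getPrivateCredentials());
    if ((properties != null) && !properties.isEmpty()) {
        if (token == null) {
            // Properties are configured but there is no session to read them from: fail closed
            // instead of dereferencing a null token.
            if (debug.messageEnabled()) {
                debug.message("SessionPropertyCondition.evaluate():no session token, denying");
            }
            allowed = false;
        } else {
            for (String name : properties.keySet()) {
                Set<String> values = properties.get(name);
                if (debug.messageEnabled()) {
                    debug.message("SessionPropertyCondition.evaluate():propertyName = " + name + ",conditionValues = " + values);
                }
                if (name.equals(VALUE_CASE_INSENSITIVE) || values == null || values.isEmpty()) {
                    continue;
                }
                if (!sessionPropertyMatches(token, name, values)) {
                    // Keep iterating so every property is still read and logged; the decision is already deny.
                    allowed = false;
                }
            }
        }
    } else {
        debug.message("SessionPropertyCondition.evaluate():no parameter defined,defaulting allow=true");
        allowed = true;
    }
    if (debug.messageEnabled()) {
        debug.message("SessionPropertyCondition.evaluate():allowed= " + allowed);
    }
    return new ConditionDecision(allowed, Collections.<String, Set<String>>emptyMap());
}

/**
 * Reads {@code name} from the token and reports whether any of its values (split on
 * {@code DELIMITER} when present) matches one of {@code values}, honouring
 * {@code ignoreValueCase}. A property absent from the session never matches.
 *
 * @param token  the session token to read from, never {@code null}.
 * @param name   the session property name.
 * @param values the configured acceptable values, non-empty.
 * @return {@code true} if at least one session value matches.
 * @throws EntitlementException if the token property cannot be read.
 */
private boolean sessionPropertyMatches(SSOToken token, String name, Set<String> values) throws EntitlementException {
    try {
        String sessionValue = token.getProperty(name);
        Set<String> sessionValues = null;
        if (sessionValue != null && sessionValue.contains(DELIMITER)) {
            sessionValues = coreWrapper.delimStringToSet(sessionValue, DELIMITER);
        }
        if (debug.messageEnabled()) {
            debug.message("SessionPropertyCondition.evaluate():,sessionValue = " + sessionValue + ",sessionValues = " + sessionValues);
        }
        if (sessionValue == null) {
            return false;
        }
        Set<String> candidates = (sessionValues != null) ? sessionValues : Collections.singleton(sessionValue);
        for (String candidate : candidates) {
            if (ignoreValueCase ? containsIgnoreCase(values, candidate) : values.contains(candidate)) {
                return true;
            }
        }
        return false;
    } catch (SSOException e) {
        debug.error("Condition evaluation failed", e);
        throw new EntitlementException(CONDITION_EVALUATION_FAILED, e);
    }
}

/**
 * Case-insensitive membership test, used when {@code ignoreValueCase} is set.
 *
 * @param values    the configured values.
 * @param candidate the session value to look for.
 * @return {@code true} if some element of {@code values} equals {@code candidate} ignoring case.
 */
private static boolean containsIgnoreCase(Set<String> values, String candidate) {
    for (String value : values) {
        if (candidate.equalsIgnoreCase(value)) {
            return true;
        }
    }
    return false;
}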

Example 33 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

Class SimpleTimeCondition, method evaluate.

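/**
 * {@inheritDoc}
 *
 * <p>Evaluates the request time against this condition's effective time window. The time comes
 * from the {@code REQUEST_TIME} environment entry when present, else from {@code timeService};
 * the zone is {@code enforcementTZ}, else {@code REQUEST_TIME_ZONE}, else the JVM default. An
 * allow decision expires at the end of the window; a deny issued before the window opens expires
 * when it opens.
 *
 * @param realm        not used by this condition.
 * @param subject      not used by this condition.
 * @param resourceName not used by this condition.
 * @param env          request environment, consulted for {@code REQUEST_TIME} and
 *                     {@code REQUEST_TIME_ZONE}; may be {@code null}.
 * @return the decision together with its time-to-live.
 * @throws EntitlementException if {@code REQUEST_TIME} is present but is not a valid long.
 */
@Override
public ConditionDecision evaluate(String realm, Subject subject, String resourceName, Map<String, Set<String>> env) throws EntitlementException {
    long currentGmt = timeService.now();
    String currentGmtString = (env == null) ? null : getValue(env.get(REQUEST_TIME));
    if (currentGmtString != null) {
        try {
            currentGmt = Long.parseLong(currentGmtString);
        } catch (NumberFormatException e) {
            // Caller-supplied value: fail the evaluation rather than letting the unchecked exception escape.
            throw new EntitlementException(EntitlementException.CONDITION_EVALUATION_FAILED, e);
        }
    }
    TimeZone timeZone = enforcementTZ;
    if (timeZone == null) {
        String timeZoneString = (env == null) ? null : getValue(env.get(REQUEST_TIME_ZONE));
        // NOTE(review): TimeZone.getTimeZone() silently falls back to GMT for an unknown ID, so a
        // mistyped REQUEST_TIME_ZONE shifts the enforced window instead of failing — confirm
        // whether the value is validated upstream.
        timeZone = (timeZoneString != null) ? TimeZone.getTimeZone(timeZoneString) : TimeZone.getDefault();
    }
    Pair<Long, Long> effectiveRange = getEffectiveRange(currentGmt, timeZone);
    long rangeStart = effectiveRange.getFirst();
    long rangeEnd = effectiveRange.getSecond();
    if (debug.messageEnabled()) {
        debug.message("At SimpleTimeCondition.getConditionDecision(): effectiveRange = " + new Date(rangeStart) + "," + new Date(rangeEnd));
    }
    boolean allowed = false;
    long timeToLive = Long.MAX_VALUE;
    if (currentGmt >= rangeStart && currentGmt <= rangeEnd) {
        // Inside the window: the decision is valid until the window closes.
        allowed = true;
        timeToLive = rangeEnd;
    } else if (currentGmt < rangeStart) {
        // Before the window: the deny can be reconsidered once it opens.
        timeToLive = rangeStart;
    }
    return new ConditionDecision(allowed, Collections.<String, Set<String>>emptyMap(), timeToLive);
}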

Example 34 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

Class OAuth2ScopeConditionTest, method conditionShouldEvaluateToTrueWhenSingleRequiredScopeSetAndMatchingScopeSetInEnvironment.

@Test
public void conditionShouldEvaluateToTrueWhenSingleRequiredScopeSetAndMatchingScopeSetInEnvironment() throws EntitlementException {
    // Given: the single required scope is exactly the scope presented in the environment.
    Set<String> presentedScopes = Collections.singleton("cn");
    Map<String, Set<String>> env = new HashMap<String, Set<String>>();
    env.put("scope", presentedScopes);
    condition.setRequiredScopes(Collections.singleton("cn"));
    // When
    ConditionDecision decision = condition.evaluate("REALM", new Subject(), "RESOURCE_NAME", env);
    // Then: satisfied, with no advice attached.
    assertThat(decision.isSatisfied()).isTrue();
    assertThat(decision.getAdvice()).isEmpty();
}

Example 35 with ConditionDecision

use of com.sun.identity.entitlement.ConditionDecision in project OpenAM by OpenRock.

Class OAuth2ScopeConditionTest, method conditionShouldEvaluateToTrueWhenNoRequiredScopeSetAndSingleScopeSetInEnvironment.

@Test
public void conditionShouldEvaluateToTrueWhenNoRequiredScopeSetAndSingleScopeSetInEnvironment() throws EntitlementException {
    // Given: one scope is presented but the condition requires none.
    Set<String> presentedScopes = Collections.singleton("cn");
    Map<String, Set<String>> env = new HashMap<String, Set<String>>();
    env.put("scope", presentedScopes);
    // When
    ConditionDecision decision = condition.evaluate("REALM", new Subject(), "RESOURCE_NAME", env);
    // Then: satisfied, with no advice attached.
    assertThat(decision.isSatisfied()).isTrue();
    assertThat(decision.getAdvice()).isEmpty();
}
