Examples with Entitlement com.sun.identity.entitlement.Entitlement used on opensource projects

Search in sources :

Example 11 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class PrivilegeUtils method rulesToEntitlement.

private static Set<Entitlement> rulesToEntitlement(Policy policy) throws PolicyException, SSOException, EntitlementException {
    Set<Rule> rules = getRules(policy);
    Set<Entitlement> entitlements = new HashSet<Entitlement>();
    for (Rule rule : rules) {
        String serviceName = rule.getServiceTypeName();
        Map<String, Boolean> actionMap = pavToPrav(rule.getActionValues(), serviceName);
        String entitlementName = rule.getName();
        Set<String> resourceNames = new HashSet<String>();
        Set<String> ruleResources = rule.getResourceNames();
        if (ruleResources != null) {
            resourceNames.addAll(ruleResources);
        }
        Entitlement entitlement = new Entitlement(rule.getApplicationName(), resourceNames, actionMap);
        entitlement.setName(entitlementName);
        entitlements.add(entitlement);
    }
    return entitlements;
}
Also used : Rule(com.sun.identity.policy.Rule) Entitlement(com.sun.identity.entitlement.Entitlement) HashSet(java.util.HashSet)

Example 12 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class XACMLPrivilegeUtils method privilegeToPolicyInternal.

private static Policy privilegeToPolicyInternal(Privilege privilege) throws JAXBException, EntitlementException {
    if (privilege == null) {
        return null;
    }
    Policy policy = new Policy();
    String privilegeName = privilege.getName();
    String applicationName = null;
    String entitlementName = null;
    Entitlement entitlement = privilege.getEntitlement();
    if (entitlement != null) {
        applicationName = entitlement.getApplicationName();
        entitlementName = entitlement.getName();
    }
    String policyId = privilegeNameToPolicyId(privilegeName, applicationName);
    policy.setPolicyId(policyId);
    String description = privilege.getDescription();
    policy.setDescription(description);
    List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();
    JAXBContext jaxbContext = JAXBContext.newInstance(XACMLConstants.XACML3_CORE_PKG);
    if (applicationName != null) {
        VariableDefinition appName = new VariableDefinition();
        vrList.add(appName);
        appName.setVariableId(XACMLConstants.APPLICATION_NAME);
        AttributeValue cbv = new AttributeValue();
        cbv.setDataType(XACMLConstants.XS_STRING);
        cbv.getContent().add(applicationName);
        JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
        appName.setExpression(cbve);
    }
    if (entitlementName != null) {
        VariableDefinition entName = new VariableDefinition();
        vrList.add(entName);
        entName.setVariableId(XACMLConstants.ENTITLEMENT_NAME);
        AttributeValue cbv = new AttributeValue();
        cbv.setDataType(XACMLConstants.XS_STRING);
        cbv.getContent().add(entitlementName);
        JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
        entName.setExpression(cbve);
    }
    VariableDefinition createdBy = new VariableDefinition();
    vrList.add(createdBy);
    createdBy.setVariableId(XACMLConstants.PRIVILEGE_CREATED_BY);
    AttributeValue cbv = new AttributeValue();
    cbv.setDataType(XACMLConstants.XS_STRING);
    cbv.getContent().add(privilege.getCreatedBy());
    JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
    createdBy.setExpression(cbve);
    VariableDefinition lastModifiedBy = new VariableDefinition();
    vrList.add(lastModifiedBy);
    lastModifiedBy.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY);
    AttributeValue lmbv = new AttributeValue();
    lmbv.setDataType(XACMLConstants.XS_STRING);
    lmbv.getContent().add(privilege.getLastModifiedBy());
    JAXBElement<AttributeValue> lmbve = objectFactory.createAttributeValue(lmbv);
    lastModifiedBy.setExpression(lmbve);
    SimpleDateFormat sdf1 = new SimpleDateFormat("yyyy-MM-dd");
    SimpleDateFormat sdf2 = new SimpleDateFormat("HH:mm:ss.SSS");
    SimpleDateFormat sdf3 = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    sdf1.setTimeZone(TimeZone.getTimeZone("GMT"));
    sdf2.setTimeZone(TimeZone.getTimeZone("GMT"));
    sdf3.setTimeZone(TimeZone.getTimeZone("GMT"));
    VariableDefinition creationDate = new VariableDefinition();
    vrList.add(creationDate);
    creationDate.setVariableId(XACMLConstants.PRIVILEGE_CREATION_DATE);
    AttributeValue cdv = new AttributeValue();
    cdv.setDataType(XACMLConstants.XS_DATE_TIME);
    cdv.getContent().add(sdf1.format(privilege.getCreationDate()) + "T" + sdf2.format(privilege.getCreationDate()));
    JAXBElement<AttributeValue> cdve = objectFactory.createAttributeValue(cdv);
    creationDate.setExpression(cdve);
    VariableDefinition lastModifiedDate = new VariableDefinition();
    vrList.add(lastModifiedDate);
    lastModifiedDate.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE);
    AttributeValue lmdv = new AttributeValue();
    lmdv.setDataType(XACMLConstants.XS_DATE_TIME);
    lmdv.getContent().add(sdf1.format(privilege.getLastModifiedDate()) + "T" + sdf2.format(privilege.getLastModifiedDate()));
    JAXBElement<AttributeValue> lmdve = objectFactory.createAttributeValue(lmdv);
    lastModifiedDate.setExpression(lmdve);
    // PolicyIssuer policyIssuer = null;  // optional, TODO
    Version version = new Version();
    // TODO: use privilege version in future
    version.setValue(sdf3.format(privilege.getLastModifiedDate()));
    policy.setVersion(version);
    // Defaults policyDefaults = null; // optional, TODO
    String rca = getRuleCombiningAlgId(applicationName);
    policy.setRuleCombiningAlgId(rca);
    // String ruleCombiningAlgId = "rca"; // required
    // XACML Target contains a  list of AnyOf(s)
    // XACML AnyOf contains a list of AllOf(s)
    // XACML AllOf contains a list of Match(s)
    Target target = new Target();
    policy.setTarget(target);
    List<AnyOf> targetAnyOfList = target.getAnyOf();
    EntitlementSubject es = privilege.getSubject();
    /* TODO: detect simple subjects and set attribute value and designator
        List<AnyOf> anyOfSubjectList = entitlementSubjectToAnyOfList(es);
        if (anyOfSubjectList != null) {
            targetAnyOfList.addAll(anyOfSubjectList);
        }
        */
    AnyOf anyOfSubject = entitlementSubjectToAnyOf(es);
    if (anyOfSubject != null) {
        targetAnyOfList.add(anyOfSubject);
    }
    Set<String> resources = entitlement.getResourceNames();
    List<AnyOf> anyOfResourceList = resourceNamesToAnyOfList(resources, applicationName);
    if (anyOfResourceList != null) {
        targetAnyOfList.addAll(anyOfResourceList);
    }
    AnyOf anyOfApplication = applicationNameToAnyOf(applicationName);
    if (anyOfApplication != null) {
        targetAnyOfList.add(anyOfApplication);
    }
    Map<String, Boolean> actionValues = entitlement.getActionValues();
    List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actionValues.keySet(), applicationName);
    if (anyOfActionList != null) {
        targetAnyOfList.addAll(anyOfActionList);
    }
    // PermitRule, DenyRule
    Set<String> permitActions = new HashSet<String>();
    Set<String> denyActions = new HashSet<String>();
    if (actionValues != null) {
        Set<String> actionNames = actionValues.keySet();
        for (String actionName : actionNames) {
            if (Boolean.TRUE.equals(actionValues.get(actionName))) {
                permitActions.add(actionName);
            } else {
                denyActions.add(actionName);
            }
        }
    }
    Condition condition = eSubjectConditionToXCondition(privilege.getSubject(), privilege.getCondition());
    // Include resource attributes (ResourceProvider) as AdviceExpressions
    Set<ResourceAttribute> ra = privilege.getResourceAttributes();
    if (ra != null && !ra.isEmpty()) {
        AdviceExpressions adviceExpressions = schemaFactory.resourceAttributesToAdviceExpressions(ra);
        policy.setAdviceExpressions(adviceExpressions);
    }
    if (!permitActions.isEmpty()) {
        Rule permitRule = new Rule();
        vrList.add(permitRule);
        permitRule.setRuleId(entitlement.getName() + ":" + XACMLConstants.PREMIT_RULE_SUFFIX);
        permitRule.setDescription(XACMLConstants.PERMIT_RULE_DESCRIPTION);
        permitRule.setEffect(EffectType.PERMIT);
        Target permitTarget = new Target();
        permitRule.setTarget(permitTarget);
        List<AnyOf> permitTargetAnyOfList = permitTarget.getAnyOf();
        List<AnyOf> anyOfPermitActionList = actionNamesToAnyOfList(permitActions, applicationName);
        if (anyOfPermitActionList != null) {
            permitTargetAnyOfList.addAll(anyOfPermitActionList);
        }
        if (condition != null) {
            permitRule.setCondition(condition);
        }
    }
    if (!denyActions.isEmpty()) {
        Rule denyRule = new Rule();
        vrList.add(denyRule);
        denyRule.setRuleId(entitlement.getName() + ":" + XACMLConstants.DENY_RULE_SUFFIX);
        denyRule.setDescription(XACMLConstants.DENY_RULE_DESCRIPTION);
        denyRule.setEffect(EffectType.DENY);
        Target denyTarget = new Target();
        denyRule.setTarget(denyTarget);
        List<AnyOf> denyTargetAnyOfList = denyTarget.getAnyOf();
        List<AnyOf> anyOfDenyActionList = actionNamesToAnyOfList(denyActions, applicationName);
        if (anyOfDenyActionList != null) {
            denyTargetAnyOfList.addAll(anyOfDenyActionList);
        }
        if (condition != null) {
            denyRule.setCondition(condition);
        }
    }
    return policy;
}
Also used : Policy(com.sun.identity.entitlement.xacml3.core.Policy) EntitlementCondition(com.sun.identity.entitlement.EntitlementCondition) Condition(com.sun.identity.entitlement.xacml3.core.Condition) AttributeValue(com.sun.identity.entitlement.xacml3.core.AttributeValue) VariableDefinition(com.sun.identity.entitlement.xacml3.core.VariableDefinition) AnyOf(com.sun.identity.entitlement.xacml3.core.AnyOf) JAXBContext(javax.xml.bind.JAXBContext) EntitlementSubject(com.sun.identity.entitlement.EntitlementSubject) Target(com.sun.identity.entitlement.xacml3.core.Target) Version(com.sun.identity.entitlement.xacml3.core.Version) JSONObject(org.json.JSONObject) AdviceExpressions(com.sun.identity.entitlement.xacml3.core.AdviceExpressions) Rule(com.sun.identity.entitlement.xacml3.core.Rule) Entitlement(com.sun.identity.entitlement.Entitlement) ResourceAttribute(com.sun.identity.entitlement.ResourceAttribute) SimpleDateFormat(java.text.SimpleDateFormat) HashSet(java.util.HashSet)

Example 13 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method toPrivilege.

/**
     * Creates two privileges here
     */
private Privilege[] toPrivilege(ApplicationPrivilege appPrivilege) throws EntitlementException {
    Privilege[] results = new Privilege[2];
    try {
        Privilege actualP = Privilege.getNewInstance();
        actualP.setName(appPrivilege.getName());
        actualP.setDescription(appPrivilege.getDescription());
        Set<String> res = createDelegationResources(appPrivilege);
        Entitlement entitlement = new Entitlement(APPL_NAME, res, getActionValues(appPrivilege.getActionValues()));
        actualP.setEntitlement(entitlement);
        Privilege ghostP = Privilege.getNewInstance();
        ghostP.setName(GHOST_PRIVILEGE_NAME_PREFIX + appPrivilege.getName());
        Set<String> ghostRes = new HashSet<String>();
        String currentOrgDN = DNMapper.orgNameToDN(realm);
        Object[] param = { currentOrgDN };
        ghostRes.add(MessageFormat.format(SUN_AM_REALM_RESOURCE, param));
        ghostRes.add(MessageFormat.format(SUN_IDREPO_RESOURCE, param));
        entitlement = new Entitlement(APPL_NAME, ghostRes, getActionValues(ApplicationPrivilege.PossibleAction.READ));
        ghostP.setEntitlement(entitlement);
        Set<SubjectImplementation> subjects = appPrivilege.getSubjects();
        Set<EntitlementSubject> eSubjects = new HashSet<EntitlementSubject>();
        for (SubjectImplementation i : subjects) {
            eSubjects.add((EntitlementSubject) i);
        }
        OrSubject orSubject = new OrSubject(eSubjects);
        actualP.setSubject(orSubject);
        actualP.setCondition(appPrivilege.getCondition());
        ghostP.setSubject(orSubject);
        ghostP.setCondition(appPrivilege.getCondition());
        Set<String> applIndexes = new HashSet<String>();
        applIndexes.addAll(appPrivilege.getApplicationNames());
        actualP.setApplicationIndexes(applIndexes);
        results[0] = actualP;
        results[1] = ghostP;
    } catch (UnsupportedEncodingException ex) {
        String[] params = {};
        throw new EntitlementException(324, params);
    }
    return results;
}
Also used : UnsupportedEncodingException(java.io.UnsupportedEncodingException) OrSubject(com.sun.identity.entitlement.OrSubject) EntitlementSubject(com.sun.identity.entitlement.EntitlementSubject) EntitlementException(com.sun.identity.entitlement.EntitlementException) SubjectImplementation(com.sun.identity.entitlement.SubjectImplementation) ApplicationPrivilege(com.sun.identity.entitlement.ApplicationPrivilege) IPrivilege(com.sun.identity.entitlement.IPrivilege) Privilege(com.sun.identity.entitlement.Privilege) ReferralPrivilege(com.sun.identity.entitlement.ReferralPrivilege) Entitlement(com.sun.identity.entitlement.Entitlement) HashSet(java.util.HashSet)

Example 14 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class UmaPolicyServiceImplDelegationTest method createPolicyFor.

private void createPolicyFor(String requestingParty, String resourceSetId, String... scopes) throws EntitlementException {
    Map<String, Boolean> actionValues = new HashMap<>();
    for (String scope : scopes) {
        actionValues.put(scope, true);
    }
    given(policyEvaluator.evaluate(loggedInRealm, createSubject(requestingParty), UmaConstants.UMA_POLICY_SCHEME + resourceSetId, null, false)).willReturn(Collections.singletonList(new Entitlement(resourceSetId, actionValues)));
}
Also used : HashMap(java.util.HashMap) Matchers.anyString(org.mockito.Matchers.anyString) Entitlement(com.sun.identity.entitlement.Entitlement)

Example 15 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class UmaPolicyServiceImpl method canUserShareResourceSet.

private boolean canUserShareResourceSet(String resourceOwnerId, String username, String clientId, String realm, String resourceSetId, Set<String> requestedScopes) {
    Subject resourceOwner = UmaUtils.createSubject(coreServicesWrapper.getIdentity(resourceOwnerId, realm));
    Subject user = UmaUtils.createSubject(coreServicesWrapper.getIdentity(username, realm));
    if (resourceOwner.equals(user)) {
        return true;
    }
    if (!isDelegationOn(realm)) {
        return false;
    }
    try {
        Evaluator evaluator = policyEvaluatorFactory.getEvaluator(user, clientId.toLowerCase());
        List<Entitlement> entitlements = evaluator.evaluate(realm, user, UmaConstants.UMA_POLICY_SCHEME + resourceSetId, null, false);
        Set<String> requiredScopes = new HashSet<>(requestedScopes);
        for (Entitlement entitlement : entitlements) {
            for (String requestedScope : requestedScopes) {
                final Boolean actionValue = entitlement.getActionValue(requestedScope);
                if (actionValue != null && actionValue) {
                    requiredScopes.remove(requestedScope);
                }
            }
        }
        return requiredScopes.isEmpty();
    } catch (EntitlementException e) {
        debug.error("Failed to evaluate UAM policies", e);
        return false;
    }
}
Also used : EntitlementException(com.sun.identity.entitlement.EntitlementException) Evaluator(com.sun.identity.entitlement.Evaluator) Entitlement(com.sun.identity.entitlement.Entitlement) Subject(javax.security.auth.Subject) HashSet(java.util.HashSet)

Aggregations

Entitlement (com.sun.identity.entitlement.Entitlement)43 Privilege (com.sun.identity.entitlement.Privilege)19 HashMap (java.util.HashMap)19 HashSet (java.util.HashSet)19 EntitlementSubject (com.sun.identity.entitlement.EntitlementSubject)14 Test (org.testng.annotations.Test)14 Subject (javax.security.auth.Subject)13 EntitlementException (com.sun.identity.entitlement.EntitlementException)12 Evaluator (com.sun.identity.entitlement.Evaluator)9 Set (java.util.Set)9 JsonValue (org.forgerock.json.JsonValue)9 EntitlementCondition (com.sun.identity.entitlement.EntitlementCondition)8 SSOToken (com.iplanet.sso.SSOToken)7 OrSubject (com.sun.identity.entitlement.OrSubject)6 PrivilegeManager (com.sun.identity.entitlement.PrivilegeManager)6 ResourceAttribute (com.sun.identity.entitlement.ResourceAttribute)6 SSOException (com.iplanet.sso.SSOException)5 OpenSSOPrivilege (com.sun.identity.entitlement.opensso.OpenSSOPrivilege)5 OpenSSOUserSubject (com.sun.identity.entitlement.opensso.OpenSSOUserSubject)5 AuthenticatedUsers (org.forgerock.openam.entitlement.conditions.subject.AuthenticatedUsers)5
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial