
Example 16 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class AuthorizationRequestEndpointTest method shouldReturnTrueWhenRequestedScopesSubsetOfEntitlements.

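/**
 * A permission ticket asking for a strict subset of the actions the policy
 * evaluator grants must be authorized, and the filter's success hook must run.
 */
@Test
public void shouldReturnTrueWhenRequestedScopesSubsetOfEntitlements() throws Exception {
    // Given: the evaluator grants "Read" and "Create", the ticket only asks for "Read".
    ArrayList<Entitlement> entitlements = new ArrayList<>();
    entitlements.add(createEntitlement("Read"));
    entitlements.add(createEntitlement("Create"));
    given(policyEvaluator.evaluate(anyString(), Matchers.<Subject>anyObject(), eq(RESOURCE_NAME),
            Matchers.<Map<String, Set<String>>>anyObject(), anyBoolean())).willReturn(entitlements);
    Set<String> requestedScopes = new HashSet<>();
    requestedScopes.add("Read");
    given(permissionTicket.getScopes()).willReturn(requestedScopes);

    // When
    assertThat(endpoint.requestAuthorization(entity)).isNotNull();

    // Then: before-hook, one non-sub-tree evaluation of the stubbed resource, success-hook, in that order.
    // The resource name is pinned with eq(RESOURCE_NAME) so the verification is as strict as the stub;
    // each mock is listed once for inOrder (listing it twice adds nothing).
    InOrder inOrder = inOrder(requestAuthorizationFilter, policyEvaluator);
    inOrder.verify(requestAuthorizationFilter).beforeAuthorization(eq(permissionTicket), any(Subject.class), any(Subject.class));
    inOrder.verify(policyEvaluator).evaluate(anyString(), any(Subject.class), eq(RESOURCE_NAME), anyMap(), eq(false));
    inOrder.verify(requestAuthorizationFilter).afterSuccessfulAuthorization(eq(permissionTicket), any(Subject.class), any(Subject.class));
}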

Example 17 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class AuthorizationRequestEndpointTest method shouldReturnTrueWhenRequestedScopesExactlyMatchesEntitlements.

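/**
 * A permission ticket whose requested actions exactly equal the granted
 * actions must be authorized, and the filter's success hook must run.
 */
@Test
public void shouldReturnTrueWhenRequestedScopesExactlyMatchesEntitlements() throws Exception {
    // Given: the evaluator grants exactly "Read", which is exactly what the ticket asks for.
    ArrayList<Entitlement> entitlements = new ArrayList<>();
    entitlements.add(createEntitlement("Read"));
    given(policyEvaluator.evaluate(anyString(), Matchers.<Subject>anyObject(), eq(RESOURCE_NAME),
            Matchers.<Map<String, Set<String>>>anyObject(), anyBoolean())).willReturn(entitlements);
    Set<String> requestedScopes = new HashSet<>();
    requestedScopes.add("Read");
    given(permissionTicket.getScopes()).willReturn(requestedScopes);

    // When
    assertThat(endpoint.requestAuthorization(entity)).isNotNull();

    // Then: before-hook, one non-sub-tree evaluation of the stubbed resource, success-hook, in that order.
    // The resource name is pinned with eq(RESOURCE_NAME) so the verification is as strict as the stub;
    // each mock is listed once for inOrder (listing it twice adds nothing).
    InOrder inOrder = inOrder(requestAuthorizationFilter, policyEvaluator);
    inOrder.verify(requestAuthorizationFilter).beforeAuthorization(eq(permissionTicket), any(Subject.class), any(Subject.class));
    inOrder.verify(policyEvaluator).evaluate(anyString(), any(Subject.class), eq(RESOURCE_NAME), anyMap(), eq(false));
    inOrder.verify(requestAuthorizationFilter).afterSuccessfulAuthorization(eq(permissionTicket), any(Subject.class), any(Subject.class));
}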

Example 18 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class DelegationEvaluatorImpl method isAllowed.

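/**
 * Decides whether the user behind {@code token} holds {@code permission}.
 *
 * <p>Order of checks: nothing is granted until the entitlement service migration has
 * happened; built-in administrators are granted unconditionally; otherwise the request is
 * either delegated to the non-sub-tree overload or answered by evaluating the delegation
 * policies against an {@code sms://} resource built from the permission's components.
 * Every action of the permission must be granted by the returned entitlements.
 *
 * @param token         the caller's SSO token
 * @param permission    the delegation permission being checked
 * @param envParameters environment parameters passed through to the policy evaluator (may be null)
 * @param subTreeMode   when false the three-argument {@code isAllowed} overload answers instead
 * @return true if the permission is granted
 * @throws SSOException        if the token cannot be read
 * @throws DelegationException if the identity or the policies cannot be evaluated
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParameters, boolean subTreeMode) throws SSOException, DelegationException {
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(PolicyConstants.SUPER_ADMIN_SUBJECT, "/");
    if (!ec.migratedToEntitlementService()) {
        // Before migration the entitlement service holds no delegation data: deny, never grant.
        return false;
    }
    try {
        AMIdentity user = new AMIdentity(token);
        if (isBuiltInAdministrator(user, token)) {
            return true;
        }
    } catch (IdRepoException ide) {
        // Keep the original exception as the cause rather than flattening it to its message.
        throw new DelegationException(ide);
    }
    if (!subTreeMode) {
        return isAllowed(token, permission, envParameters);
    }
    String resource = toDelegationResource(permission);
    try {
        Subject userSubject = SubjectUtils.createSubject(token);
        // Policies are read with the super-admin subject; the user subject is only the one being evaluated.
        Evaluator eval = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, DelegationManager.DELEGATION_SERVICE);
        List<Entitlement> results = eval.evaluate(DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM), userSubject, resource, envParameters, true);
        List<String> remainingActions = new ArrayList<String>(permission.getActions());
        return grantsAllActions(results, remainingActions);
    } catch (EntitlementException ex) {
        debug.error("DelegationEvaluator.isAllowed", ex);
        throw new DelegationException(ex);
    }
}

/**
 * Returns true if {@code user} is one of the unconditionally privileged identities: the
 * configured privileged user, the admin user id, or (during installation only) a member of
 * the admin user set matched by normalized principal DN.
 *
 * @throws SSOException if the token's principal cannot be read
 */
private boolean isBuiltInAdministrator(AMIdentity user, SSOToken token) throws SSOException {
    if (privilegedUser != null && user.equals(privilegedUser)) {
        return true;
    }
    if (installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName()))) {
        return true;
    }
    return user.equals(adminUserId);
}

/**
 * Builds the {@code sms://org/service/version/configType/subConfig} resource name a
 * delegation permission is evaluated against. Null components are skipped entirely
 * (no empty path segment is emitted for them).
 */
private static String toDelegationResource(DelegationPermission permission) {
    StringBuilder buff = new StringBuilder("sms://");
    if (permission.getOrganizationName() != null) {
        buff.append(permission.getOrganizationName()).append("/");
    }
    if (permission.getServiceName() != null) {
        buff.append(permission.getServiceName()).append("/");
    }
    if (permission.getVersion() != null) {
        buff.append(permission.getVersion()).append("/");
    }
    if (permission.getConfigType() != null) {
        buff.append(permission.getConfigType()).append("/");
    }
    if (permission.getSubConfigName() != null) {
        buff.append(permission.getSubConfigName());
    }
    return buff.toString();
}

/**
 * Removes from {@code remaining} every action that some entitlement grants ({@code true}
 * action value) and reports whether the list is exhausted. The check is made after each
 * entitlement, so an empty {@code remaining} list is satisfied by the first entitlement,
 * and an empty {@code results} list never satisfies anything.
 *
 * @param remaining the actions still to be granted; mutated by this call
 */
private static boolean grantsAllActions(List<Entitlement> results, List<String> remaining) {
    for (Entitlement e : results) {
        // Walk backwards so removal does not disturb the indexes still to be visited.
        for (int i = remaining.size() - 1; i >= 0; --i) {
            Boolean granted = e.getActionValue(remaining.get(i));
            if (granted != null && granted) {
                remaining.remove(i);
            }
        }
        if (remaining.isEmpty()) {
            return true;
        }
    }
    return false;
}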

Example 19 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class PolicyEvaluator method isAllowedE.

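/**
 * Answers a single boolean policy decision through the entitlement service.
 *
 * <p>The requested action must have boolean syntax in the service type's schema; the
 * decision is then obtained by asking the {@link Evaluator} whether the caller holds an
 * {@link Entitlement} for {@code resourceName} with that one action.
 *
 * @param token         the caller's SSO token
 * @param resourceName  the resource being accessed
 * @param actionName    the action being attempted; must be a boolean action of the service type
 * @param envParameters environment parameters; a null or empty map is replaced by a fresh one
 * @return true if the action is allowed on the resource
 * @throws SSOException    if the token cannot be read
 * @throws PolicyException if the action is not boolean or the evaluation fails
 */
private boolean isAllowedE(SSOToken token, String resourceName, String actionName, Map envParameters) throws SSOException, PolicyException {
    if ((envParameters == null) || envParameters.isEmpty()) {
        // padEnvParameters writes into the map: give it a fresh one rather than a null or a
        // caller-owned (possibly immutable) empty map.
        envParameters = new HashMap();
    }
    padEnvParameters(token, resourceName, actionName, envParameters);
    // NOTE(review): getActionSchema's behaviour for an unknown action is not visible here;
    // if it can return null the next line will throw NullPointerException - confirm.
    ActionSchema schema = serviceType.getActionSchema(actionName);
    if (!AttributeSchema.Syntax.BOOLEAN.equals(schema.getSyntax())) {
        String[] objs = { actionName };
        throw new PolicyException(ResBundleUtils.rbName, "action_does_not_have_boolean_syntax", objs, null);
    }
    HashSet<String> actions = new HashSet<>(2);
    actions.add(actionName);
    try {
        // NOTE(review): the subject used to canonicalize resources and to construct the Evaluator is
        // built from the caller's own token, not from an administrative token (the admin token that
        // used to be fetched here was never used). Confirm that the caller's subject is intended.
        Subject callerSubject = SubjectUtils.createSubject(token);
        Entitlement entitlement = new Entitlement(serviceTypeName, resourceName, actions);
        entitlement.canonicalizeResources(callerSubject, realm);
        Evaluator eval = new Evaluator(callerSubject, applicationName);
        return eval.hasEntitlement(realm, callerSubject, entitlement, envParameters);
    } catch (EntitlementException e) {
        throw new PolicyException(e);
    }
}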

Example 20 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class AuthorizationRequestEndpoint method isEntitled.

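/**
 * Decides whether the requesting party may obtain the scopes named in a permission ticket.
 *
 * <p>The ticket's resource set is looked up in the resource set store; exactly one match is
 * required. The resource owner is always entitled. Any other requesting party is entitled
 * only if the UMA policies grant every requested scope. The authorization filter hooks are
 * invoked before the decision and after it with the outcome; note that an exception thrown
 * by the policy evaluation leaves {@code afterAuthorization} uncalled.
 *
 * @param umaProviderSettings    source of the policy evaluator
 * @param oauth2ProviderSettings source of the resource set store
 * @param permissionTicket       the ticket naming realm, resource set and requested scopes
 * @param requestingPartyId      identity of the party requesting access
 * @return true if every requested scope is granted (or the requester owns the resource)
 * @throws ServerException      if the resource set cannot be found or is ambiguous
 * @throws EntitlementException if policy evaluation fails
 * @throws UmaException         from the identity and filter hooks
 */
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings, PermissionTicket permissionTicket, String requestingPartyId) throws EntitlementException, ServerException, UmaException {
    String realm = permissionTicket.getRealm();
    String resourceSetId = permissionTicket.getResourceSetId();
    String resourceName = UmaConstants.UMA_POLICY_SCHEME;
    Subject resourceOwnerSubject;
    try {
        ResourceSetStore store = oauth2ProviderSettings.getResourceSetStore();
        Set<ResourceSetDescription> results = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
        if (results.size() != 1) {
            // Zero matches is an unknown resource set; several matches is an ambiguous id.
            // Neither is resolved by picking an arbitrary entry.
            throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
        }
        ResourceSetDescription resourceSet = results.iterator().next();
        resourceName += resourceSet.getId();
        resourceOwnerSubject = UmaUtils.createSubject(createIdentity(resourceSet.getResourceOwnerId(), realm));
    } catch (NotFoundException e) {
        debug.message("Couldn't find resource that permission ticket is registered for", e);
        throw new ServerException("Couldn't find resource that permission ticket is registered for");
    }
    Subject requestingPartySubject = UmaUtils.createSubject(createIdentity(requestingPartyId, realm));
    beforeAuthorization(permissionTicket, requestingPartySubject, resourceOwnerSubject);
    // Implicitly grant access to the resource owner
    if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
        afterAuthorization(true, permissionTicket, requestingPartySubject, resourceOwnerSubject);
        return true;
    }
    List<Entitlement> entitlements = umaProviderSettings.getPolicyEvaluator(requestingPartySubject, permissionTicket.getResourceServerClientId().toLowerCase()).evaluate(realm, requestingPartySubject, resourceName, null, false);
    boolean isAuthorized = allScopesGranted(entitlements, permissionTicket.getScopes());
    afterAuthorization(isAuthorized, permissionTicket, requestingPartySubject, resourceOwnerSubject);
    return isAuthorized;
}

/**
 * Returns true if, across all entitlements, every requested scope has a {@code true}
 * action value. A scope with a null or false value in one entitlement may still be
 * granted by another. Stops early once nothing remains outstanding.
 *
 * <p>An empty {@code requestedScopes} set is trivially satisfied (the result is true even
 * with no entitlements); presumably such tickets are rejected before reaching here - confirm.
 */
private static boolean allScopesGranted(List<Entitlement> entitlements, Set<String> requestedScopes) {
    Set<String> outstanding = new HashSet<>(requestedScopes);
    for (Entitlement entitlement : entitlements) {
        for (String scope : requestedScopes) {
            Boolean granted = entitlement.getActionValue(scope);
            if (granted != null && granted) {
                outstanding.remove(scope);
            }
        }
        if (outstanding.isEmpty()) {
            return true;
        }
    }
    return outstanding.isEmpty();
}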
