use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
The class PolicyEvaluator, method getPolicyDecisionE.
/**
 * Decides whether the user identified by {@code token} may perform the
 * given actions on {@code resourceName}, taking the supplied run-time
 * environment parameters into account.
 *
 * <p>The entitlement evaluator is constructed under the admin token; the
 * caller's token only identifies the subject whose access is decided. A
 * {@code null} token is evaluated as an anonymous (null) subject.
 *
 * @param token single sign on token of the user evaluating policies, may be {@code null}
 * @param resourceName name of the resource the user is trying to access
 * @param actionNames <code>Set</code> of action names (<code>String</code>); when
 * {@code null} or empty, every action of the service type is evaluated
 * @param envParameters run-time environment parameters
 * @return the policy decision derived from the first matching entitlement, or an
 * empty {@link PolicyDecision} when nothing matched
 *
 * @throws SSOException single-sign-on token invalid or expired
 * @throws PolicyException if the entitlement evaluation fails
 */
private PolicyDecision getPolicyDecisionE(SSOToken token, String resourceName, Set actionNames, Map envParameters) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("Evaluating policies at org " + orgName);
    }
    // An absent or empty action set means "every action of the service type".
    Set requestedActions = actionNames;
    if (requestedActions == null || requestedActions.isEmpty()) {
        requestedActions = serviceType.getActionNames();
    }
    // Admin credentials are used for the evaluator itself, never for the subject under test.
    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    try {
        Evaluator eval = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        Subject userSubject = null;
        if (token != null) {
            userSubject = SubjectUtils.createSubject(token);
        }
        // Subtree search is disabled: only the named resource is evaluated.
        List<Entitlement> entitlements = eval.evaluate(orgName, userSubject, resourceName, envParameters, false);
        boolean nothingMatched = (entitlements == null) || entitlements.isEmpty();
        if (!nothingMatched) {
            // Only the first entitlement is consulted for the decision.
            Entitlement first = entitlements.get(0);
            return entitlementToPolicyDecision(first, requestedActions);
        }
    } catch (EntitlementException ee) {
        throw new PolicyException(ee);
    }
    return new PolicyDecision();
}
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
The class PolicyEvaluator, method getResourceResultsE.
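/**
 * Builds the resource results for {@code resourceName} at the requested
 * scope by delegating to the entitlement {@link Evaluator}.
 *
 * <p>The evaluator is constructed under the admin token; {@code token}
 * only identifies the subject whose access is evaluated.
 *
 * @param token single sign on token of the user whose access is evaluated
 * @param resourceName name of the resource; it is canonicalized through the
 * service type before evaluation
 * @param scope one of the {@link ResourceResult} scope constants
 * ({@code SUBTREE_SCOPE}, {@code STRICT_SUBTREE_SCOPE} or {@code SELF_SCOPE})
 * @param envParameters run-time environment parameters; an empty map is used
 * when {@code null}
 * @return set of {@link ResourceResult} objects; empty when no entitlement matched
 * @throws PolicyException if the scope is invalid or the evaluation fails
 * @throws SSOException if the token is invalid or expired
 */
private Set getResourceResultsE(SSOToken token, String resourceName, String scope, Map envParameters) throws SSOException, PolicyException {
    if ((envParameters == null) || envParameters.isEmpty()) {
        envParameters = new HashMap();
    }
    padEnvParameters(token, resourceName, null, envParameters);
    // Only the scope decides whether the evaluator walks the subtree;
    // STRICT_SUBTREE and SELF are both served by a single-resource evaluation.
    boolean subTreeSearch;
    if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
        subTreeSearch = true;
    } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope) || ResourceResult.SELF_SCOPE.equals(scope)) {
        subTreeSearch = false;
    } else {
        DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
        String[] objs = { scope };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_request_scope", objs, null);
    }
    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Set resultsSet = new HashSet();
    try {
        // Parse the resource name before proceeding.
        resourceName = serviceType.canonicalize(resourceName);
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        List<Entitlement> entitlements = eval.evaluate(realm, userSubject, resourceName, envParameters, subTreeSearch);
        // Guard against a null result as getPolicyDecisionE does.
        if ((entitlements != null) && !entitlements.isEmpty()) {
            if (!subTreeSearch) {
                resultsSet.add(entitlementToResourceResult(entitlements.iterator().next()));
            } else {
                // Hang every matched resource under a virtual root so the tree
                // structure is rebuilt, then flatten it back into the result set.
                ResourceResult virtualResourceResult = new ResourceResult(ResourceResult.VIRTUAL_ROOT, new PolicyDecision());
                for (Entitlement ent : entitlements) {
                    virtualResourceResult.addResourceResult(entitlementToResourceResult(ent), serviceType);
                }
                resultsSet.addAll(virtualResourceResult.getResourceResults());
            }
        }
    } catch (Exception e) {
        DEBUG.error("Error in getResourceResults", e);
        if (e instanceof PolicyException) {
            // Already the caller's exception type: rethrow as-is so the error code survives.
            throw (PolicyException) e;
        }
        // Keep the original exception as the cause instead of flattening it to its message.
        throw new PolicyException(e);
    }
    return resultsSet;
}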
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
The class ConfigureOAuth2, method execute.
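/**
 * Provisions the OAuth2 provider service for the realm named in
 * {@code params}, optionally the UMA service, and the policy protecting the
 * authorize endpoint when that policy does not already exist.
 *
 * <p>All provisioning runs under the admin token obtained through
 * {@link AdminTokenAction}, not under the caller's session. The policy that is
 * created grants {@code GET} and {@code POST} on the authorize endpoint to
 * {@link AuthenticatedUsers}.
 *
 * @param locale locale used to look up the result message
 * @param params workflow parameters; {@code TYPE} is mandatory and must name a
 * known profile, {@code REALM} selects the realm
 * @return localized status message describing what was created
 * @throws WorkflowException when the type is missing or unknown, or when the
 * policy could not be created
 */
public String execute(Locale locale, Map params) throws WorkflowException {
    final String type = getString(params, TYPE);
    final String realm = getString(params, REALM);
    final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
    if (StringUtils.isEmpty(type)) {
        throw new WorkflowException("type parameter is required");
    }
    // An unknown profile would otherwise surface as a NullPointerException from putAll below.
    if (PROFILE_SETTINGS.get(type) == null) {
        throw new WorkflowException("unknown type parameter: " + type);
    }
    //replace service attributes
    final Map<String, Set<String>> attrValues = getDefaultOAuth2ProviderAttributes(token);
    attrValues.putAll(PROFILE_SETTINGS.get(type));
    attrValues.put(SUPPORTED_SCOPES, translate(realm, SUPPORTED_SCOPE_KEYS.get(type)));
    attrValues.put(SUPPORTED_CLAIMS, translate(realm, SUPPORTED_CLAIM_KEYS.get(type)));
    attrValues.put(REFRESH_TOKEN_LIFETIME_NAME, singleton(getString(params, RTL)));
    attrValues.put(AUTHZ_CODE_LIFETIME_NAME, singleton(getString(params, ACL)));
    attrValues.put(ACCESS_TOKEN_LIFETIME_NAME, singleton(getString(params, ATL)));
    attrValues.put(ISSUE_REFRESH_TOKEN, singleton(getString(params, IRT)));
    attrValues.put(ISSUE_REFRESH_TOKEN_ON_REFRESHING_TOKEN, singleton(getString(params, IRTR)));
    attrValues.put(SCOPE_PLUGIN_CLASS, singleton(getString(params, SIC)));
    createProvider(OAUTH2_SERVICE_NAME, token, realm, attrValues);
    final boolean createUmaService = "uma".equals(type);
    if (createUmaService) {
        createProvider(UMA_SERVICE_NAME, token, realm, Collections.<String, Set<String>>emptyMap());
    }
    // The top-level realm maps to an empty path segment in the endpoint URL.
    String policyURL = getRequestURL(params) + format(OAUTH2_AUTHORIZE_ENDPOINT, "/".equals(realm) ? "" : realm);
    //check if policy exists
    boolean createPolicy = false;
    try {
        Subject adminSubject = SubjectUtils.createSuperAdminSubject();
        PolicyStore policyStore = storeProvider.getPolicyStore(adminSubject, realm);
        try {
            if (policyStore.read(POLICY_NAME) == null) {
                createPolicy = true;
            }
        } catch (Exception e) {
            // Best effort: a failed read is treated as "policy absent". If the policy does
            // exist after all, create() below is expected to fail and is reported as such.
            if (DEBUG.messageEnabled()) {
                DEBUG.message("ConfigureOAuth2.execute() : could not read policy " + POLICY_NAME
                        + ", assuming it does not exist", e);
            }
            createPolicy = true;
        }
        if (createPolicy) {
            Privilege toStore = Privilege.getNewInstance();
            Map<String, Boolean> actions = new HashMap<>();
            actions.put("POST", true);
            actions.put("GET", true);
            Entitlement entitlement = new Entitlement();
            entitlement.setActionValues(actions);
            entitlement.setResourceName(policyURL);
            entitlement.setApplicationName(POLICY_APPLICATION_NAME);
            toStore.setResourceTypeUuid(getUrlResourceTypeId(adminSubject, realm));
            // Any authenticated user may reach the authorize endpoint; authorization
            // of the actual OAuth2 request happens in the provider, not in this policy.
            toStore.setSubject(new AuthenticatedUsers());
            toStore.setName(POLICY_NAME);
            toStore.setEntitlement(entitlement);
            policyStore.create(toStore);
        }
    } catch (EntitlementException e) {
        DEBUG.error("ConfigureOAuth2.execute() : Unable to create policy", e);
        throw new WorkflowException("oauth2.provider.policy.failed");
    }
    String messageTemplate = getMessage(MESSAGE, locale);
    return format(messageTemplate, createUmaService ? getMessage(UMA_SERVICE_CREATED, locale) : "", realm, format(getMessage(createPolicy ? POLICY_CREATED : POLICY_EXISTS, locale), POLICY_NAME));
}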
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
The class PrivilegeUtils, method policyToPrivileges.
/**
 * Converts a legacy {@link Policy} into entitlement privileges and adds them
 * to {@code privileges}.
 *
 * <p>A referral policy becomes a single {@link ReferralPrivilege} carrying the
 * policy's metadata. Any other policy yields one {@link Privilege} per rule:
 * a single rule keeps the policy name, several rules are named
 * {@code <policyName>_<ruleName>}. A policy with no rules adds nothing.
 *
 * @param policy the legacy policy to convert
 * @param privileges collection that receives the resulting privileges
 * @throws SSOException if the admin session used for conversion is invalid
 * @throws PolicyException if the policy cannot be read
 * @throws EntitlementException if a privilege cannot be built
 */
public static void policyToPrivileges(Policy policy, Set<IPrivilege> privileges) throws SSOException, PolicyException, EntitlementException {
    final String policyName = policy.getName();
    if (policy.isReferralPolicy()) {
        ReferralPrivilege referral = new ReferralPrivilege(policyName, getResources(policy), getReferrals(policy));
        // Carry the audit metadata of the legacy policy across unchanged.
        referral.setDescription(policy.getDescription());
        referral.setCreationDate(policy.getCreationDate());
        referral.setCreatedBy(policy.getCreatedBy());
        referral.setLastModifiedBy(policy.getLastModifiedBy());
        referral.setLastModifiedDate(policy.getLastModifiedDate());
        referral.setActive(policy.isActive());
        privileges.add(referral);
        return;
    }
    Set<Entitlement> rules = rulesToEntitlement(policy);
    EntitlementSubject subject = toEntitlementSubject(policy);
    EntitlementCondition condition = toEntitlementCondition(policy);
    Set<ResourceAttribute> attributes = toResourceAttributes(policy);
    boolean singleRule = rules.size() == 1;
    for (Entitlement rule : rules) {
        // A lone rule keeps the policy name; several rules get a per-rule suffix.
        String privilegeName = singleRule ? policyName : policyName + "_" + rule.getName();
        privileges.add(createPrivilege(privilegeName, policyName, rule, subject, condition, attributes, policy));
    }
}
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
The class OpenSSOApplicationPrivilegeManager, method isPolicyAdmin.
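/**
 * Tells whether the caller may administer policies in this realm.
 *
 * <p>The dsame user is always an admin. Everyone else must hold the
 * {@code ACTION_MODIFY} entitlement on the realm's policy service node
 * ({@code sms://<realm DN>/iPlanetAMPolicyService/*}), evaluated in the
 * hidden realm under the super-admin subject.
 *
 * @return {@code true} when the caller is a policy admin; {@code false}
 * otherwise, including when the evaluation itself fails (fail closed)
 */
private boolean isPolicyAdmin() {
    if (isDsameUser()) {
        return true;
    }
    Subject adminSubject = SubjectUtils.createSuperAdminSubject();
    try {
        Evaluator eval = new Evaluator(adminSubject, APPL_NAME);
        Set<String> actions = new HashSet<>();
        actions.add(ACTION_MODIFY);
        String res = "sms://" + DNMapper.orgNameToDN(realm) + "/iPlanetAMPolicyService/*";
        Entitlement e = new Entitlement(res, actions);
        // Typed empty environment instead of the raw Collections.EMPTY_MAP.
        return eval.hasEntitlement(getHiddenRealmDN(), caller, e, Collections.<String, Set<String>>emptyMap());
    } catch (EntitlementException ex) {
        // Fail closed: an evaluation error never grants admin rights.
        PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.isPolicyAdmin", ex);
        return false;
    }
}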