
Example 31 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class RestPermissionTest method createPrivilege.

/**
 * Creates the privilege this test exercises: {@code GET} on every resource
 * under {@code RESOURCE_NAME}, granted to any authenticated user, stored in
 * the root realm ("/") through a {@link PrivilegeManager} that acts as
 * {@code adminSubject}.
 *
 * @throws EntitlementException if the privilege cannot be built or stored
 */
private void createPrivilege() throws EntitlementException {
    PrivilegeManager manager = PrivilegeManager.getInstance("/", adminSubject);

    Privilege newPrivilege = Privilege.getNewInstance();
    newPrivilege.setName(PRIVILEGE_NAME);
    newPrivilege.setDescription("desciption");

    // A single allowed action; the trailing wildcard widens the grant to the
    // whole sub-tree below RESOURCE_NAME.
    Map<String, Boolean> allowedActions = new HashMap<String, Boolean>();
    allowedActions.put("GET", Boolean.TRUE);
    newPrivilege.setEntitlement(new Entitlement(RESOURCE_NAME + "/*", allowedActions));

    // Any authenticated user matches; there is no narrower subject restriction.
    EntitlementSubject anyAuthenticatedUser = new AuthenticatedUsers();
    newPrivilege.setSubject(anyAuthenticatedUser);

    manager.add(newPrivilege);
}

Example 32 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class PolicyEvaluator method getPolicyDecisionE.

/**
 * Evaluates the caller's privileges for the given actions on the given
 * resource and maps the outcome onto a {@link PolicyDecision}.
 * <p>
 * The entitlement {@link Evaluator} is driven by an administrative subject
 * obtained through {@link AdminTokenAction}; {@code token} only identifies
 * the subject being evaluated. When {@code token} is {@code null} the
 * evaluator is invoked with a {@code null} subject, so callers must not read
 * the returned decision as one made for an authenticated user. Only the
 * first entitlement returned by the evaluator is consulted; any further ones
 * are ignored.
 *
 * @param token single sign on token of the user evaluating policies, may be
 *        {@code null}
 * @param resourceName name of the resource the user is trying to access
 * @param actionNames <code>Set</code> of names (<code>String</code>) of the
 *        actions the user is trying to perform on the resource; {@code null}
 *        or empty means every action the service type defines
 * @param envParameters run-time environment parameters
 * @return the policy decision; an empty decision when no entitlement applied
 *
 * @exception SSOException single-sign-on token invalid or expired
 * @exception PolicyException if any policy evaluation error.
 */
private PolicyDecision getPolicyDecisionE(SSOToken token, String resourceName, Set actionNames, Map envParameters) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("Evaluating policies at org " + orgName);
    }
    // No explicit actions requested: decide for every action of the service type.
    Set effectiveActions = actionNames;
    if (effectiveActions == null || effectiveActions.isEmpty()) {
        effectiveActions = serviceType.getActionNames();
    }
    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    try {
        Evaluator evaluator = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        Subject userSubject = null;
        if (token != null) {
            userSubject = SubjectUtils.createSubject(token);
        }
        List<Entitlement> matched = evaluator.evaluate(orgName, userSubject, resourceName, envParameters, false);
        if (matched == null || matched.isEmpty()) {
            return new PolicyDecision();
        }
        // Only the first entitlement is turned into a decision.
        return entitlementToPolicyDecision(matched.get(0), effectiveActions);
    } catch (EntitlementException ex) {
        throw new PolicyException(ex);
    }
}

Example 33 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class PolicyEvaluator method getResourceResultsE.

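/**
 * Evaluates the user's entitlements for {@code resourceName} and returns the
 * matching {@link ResourceResult}s for the requested scope.
 * <p>
 * The scope is validated before any evaluation takes place:
 * {@link ResourceResult#SUBTREE_SCOPE} performs a sub-tree search, while
 * {@link ResourceResult#STRICT_SUBTREE_SCOPE} and
 * {@link ResourceResult#SELF_SCOPE} evaluate the single resource only; any
 * other value is rejected with a {@code PolicyException}. The entitlement
 * {@link Evaluator} is driven by an administrative subject obtained through
 * {@link AdminTokenAction}; {@code token} only identifies the subject being
 * evaluated.
 *
 * @param token single sign on token of the user evaluating policies
 * @param resourceName name of the resource; canonicalized by the service
 *        type before evaluation
 * @param scope one of the {@code ResourceResult} scope constants
 * @param envParameters run-time environment parameters; {@code null} or
 *        empty is replaced by a fresh map before padding
 * @return the resource results; empty when no entitlement applied
 * @throws SSOException if the token is invalid or expired
 * @throws PolicyException if the scope is invalid or evaluation fails; the
 *         underlying exception is retained as the cause
 */
private Set getResourceResultsE(SSOToken token, String resourceName, String scope, Map envParameters) throws SSOException, PolicyException {
    if ((envParameters == null) || envParameters.isEmpty()) {
        envParameters = new HashMap();
    }
    padEnvParameters(token, resourceName, null, envParameters);

    // Reject unknown scopes up front, before any evaluation happens.
    boolean subTreeSearch;
    if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
        subTreeSearch = true;
    } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope) || ResourceResult.SELF_SCOPE.equals(scope)) {
        // Both scopes are served by the single-resource evaluation below.
        subTreeSearch = false;
    } else {
        DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
        String[] objs = { scope };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_request_scope", objs, null);
    }

    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Set resultsSet = new HashSet();
    try {
        // Parse the resource name before proceeding.
        resourceName = serviceType.canonicalize(resourceName);
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        List<Entitlement> entitlements = eval.evaluate(realm, userSubject, resourceName, envParameters, subTreeSearch);
        // A null list is treated like an empty one, as getPolicyDecisionE does.
        if (entitlements != null && !entitlements.isEmpty()) {
            if (!subTreeSearch) {
                // Single-resource scopes only report the first entitlement.
                resultsSet.add(entitlementToResourceResult(entitlements.get(0)));
            } else {
                // Collect every result under a virtual root and return its children.
                ResourceResult virtualResourceResult = new ResourceResult(ResourceResult.VIRTUAL_ROOT, new PolicyDecision());
                for (Entitlement ent : entitlements) {
                    virtualResourceResult.addResourceResult(entitlementToResourceResult(ent), serviceType);
                }
                resultsSet.addAll(virtualResourceResult.getResourceResults());
            }
        }
    } catch (Exception e) {
        DEBUG.error("Error in getResourceResults", e);
        // Keep the original exception as the cause instead of flattening it
        // to its message, so the failure stays diagnosable up the stack.
        throw new PolicyException(e);
    }
    return resultsSet;
}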

Example 34 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method isPolicyAdmin.

/**
 * Decides whether the caller may administer policies in {@code realm}.
 * <p>
 * The built-in dsame user is always a policy administrator. Every other
 * caller must hold an {@code ACTION_MODIFY} entitlement on the
 * {@code iPlanetAMPolicyService} resource of the realm, evaluated in the
 * hidden realm with a super-admin subject driving the {@link Evaluator}.
 * An evaluation error is logged and answered with {@code false}: the check
 * fails closed.
 *
 * @return {@code true} if the caller is a policy administrator
 */
private boolean isPolicyAdmin() {
    if (isDsameUser()) {
        return true;
    }
    Subject superAdmin = SubjectUtils.createSuperAdminSubject();
    try {
        Evaluator evaluator = new Evaluator(superAdmin, APPL_NAME);
        Set<String> requiredActions = new HashSet<String>();
        requiredActions.add(ACTION_MODIFY);
        String policyServiceResource = "sms://" + DNMapper.orgNameToDN(realm) + "/iPlanetAMPolicyService/*";
        Entitlement required = new Entitlement(policyServiceResource, requiredActions);
        return evaluator.hasEntitlement(getHiddenRealmDN(), caller, required, Collections.EMPTY_MAP);
    } catch (EntitlementException ex) {
        // Fail closed: an evaluation error must never grant administrative rights.
        PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.isPolicyAdmin", ex);
        return false;
    }
}

Example 35 with Entitlement

use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method toApplicationPrivilege.

/**
 * Converts a stored {@link Privilege} into its {@link ApplicationPrivilege}
 * view: name, description, audit fields, the entitlement's resource names
 * (mapped through {@code getApplicationPrivilegeResourceNames}) and its
 * action values.
 * <p>
 * The conversion is lossy. Only subjects that are
 * {@link SubjectImplementation}s are carried over, either directly or as
 * members of a top-level {@link OrSubject}; any other subject type is
 * dropped. Likewise only a {@link SimpleTimeCondition} is copied; any other
 * condition on the privilege is silently omitted, so the resulting view can
 * look less restricted than the stored privilege actually is. Callers must
 * not treat it as an authoritative statement of what is enforced.
 *
 * @param p the privilege to convert
 * @return the application privilege view of {@code p}
 * @throws EntitlementException if the conversion fails
 */
private ApplicationPrivilege toApplicationPrivilege(Privilege p) throws EntitlementException {
    ApplicationPrivilege ap = new ApplicationPrivilege(p.getName());
    ap.setDescription(p.getDescription());
    ap.setCreatedBy(p.getCreatedBy());
    ap.setCreationDate(p.getCreationDate());
    ap.setLastModifiedBy(p.getLastModifiedBy());
    ap.setLastModifiedDate(p.getLastModifiedDate());

    Entitlement ent = p.getEntitlement();
    ap.setApplicationResources(getApplicationPrivilegeResourceNames(ent.getResourceNames()));
    ap.setActionValues(getActionValues(ent.getActionValues()));

    // Keep only SubjectImplementation subjects; everything else is dropped.
    EntitlementSubject source = p.getSubject();
    Set<SubjectImplementation> subjects = new HashSet<SubjectImplementation>();
    if (source instanceof OrSubject) {
        for (EntitlementSubject member : ((OrSubject) source).getESubjects()) {
            if (member instanceof SubjectImplementation) {
                subjects.add((SubjectImplementation) member);
            }
        }
    } else if (source instanceof SubjectImplementation) {
        subjects.add((SubjectImplementation) source);
    }
    ap.setSubject(subjects);

    // Only a time condition survives the conversion.
    EntitlementCondition cond = p.getCondition();
    if (cond instanceof SimpleTimeCondition) {
        ap.setCondition(cond);
    }
    return ap;
}
