use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
the class RestPermissionTest method createPrivilege.
/**
 * Creates the privilege the REST permission tests rely on: a single
 * {@code GET=true} entitlement on {@code RESOURCE_NAME + "/*"}, granted to
 * every authenticated user and stored in the root realm as {@code adminSubject}.
 *
 * @throws EntitlementException if the privilege manager cannot store the privilege
 */
private void createPrivilege() throws EntitlementException {
    PrivilegeManager manager = PrivilegeManager.getInstance("/", adminSubject);

    // Action map: only GET is decided, and it is allowed.
    Map<String, Boolean> allowedActions = new HashMap<String, Boolean>();
    allowedActions.put("GET", true);
    Entitlement ent = new Entitlement(RESOURCE_NAME + "/*", allowedActions);

    Privilege newPrivilege = Privilege.getNewInstance();
    newPrivilege.setName(PRIVILEGE_NAME);
    newPrivilege.setDescription("desciption");
    newPrivilege.setEntitlement(ent);
    // No per-user restriction: any authenticated user matches this subject.
    newPrivilege.setSubject(new AuthenticatedUsers());

    manager.add(newPrivilege);
}
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
the class PolicyEvaluator method getPolicyDecisionE.
/**
 * Evaluates the user's privileges for the given actions on the given resource,
 * taking the run-time environment parameters into account.
 * <p>
 * The entitlement evaluator is created under the admin token obtained via
 * {@code AdminTokenAction}; the user's own token is only used to build the
 * subject being evaluated. A {@code null} token yields a {@code null} subject,
 * which is passed to the evaluator as-is.
 *
 * @param token single sign-on token of the user whose policies are evaluated, may be {@code null}
 * @param resourceName name of the resource the user is trying to access
 * @param actionNames {@code Set} of action names ({@code String}); {@code null} or empty means
 *        "all actions of the service type"
 * @param envParameters run-time environment parameters
 * @return the policy decision derived from the first matching entitlement, or a fresh
 *         {@code PolicyDecision} when nothing matched
 *
 * @exception SSOException single-sign-on token invalid or expired
 * @exception PolicyException if the entitlement evaluation fails
 */
private PolicyDecision getPolicyDecisionE(SSOToken token, String resourceName, Set actionNames, Map envParameters) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("Evaluating policies at org " + orgName);
    }
    // An absent or empty action set means: decide for every action the service type knows.
    Set effectiveActions = actionNames;
    if (effectiveActions == null || effectiveActions.isEmpty()) {
        effectiveActions = serviceType.getActionNames();
    }
    // Evaluation runs with admin rights; only the subject reflects the caller.
    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    try {
        Evaluator evaluator = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        Subject userSubject = null;
        if (token != null) {
            userSubject = SubjectUtils.createSubject(token);
        }
        List<Entitlement> matched = evaluator.evaluate(orgName, userSubject, resourceName, envParameters, false);
        if (matched != null && !matched.isEmpty()) {
            // Only the first entitlement is turned into a decision.
            return entitlementToPolicyDecision(matched.get(0), effectiveActions);
        }
    } catch (EntitlementException e) {
        throw new PolicyException(e);
    }
    return new PolicyDecision();
}
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
the class PolicyEvaluator method getResourceResultsE.
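/**
 * Evaluates the policies for {@code resourceName} on behalf of the user identified by
 * {@code token} and returns the resulting {@code ResourceResult}s.
 * <p>
 * With {@code ResourceResult.SUBTREE_SCOPE} the entitlement engine is asked for the whole
 * sub-tree and the individual results are collected under a virtual root before being
 * flattened into the returned set; with {@code STRICT_SUBTREE_SCOPE} or {@code SELF_SCOPE}
 * only the resource itself is evaluated. Any other scope is rejected.
 * <p>
 * The evaluator runs under the admin token obtained via {@code AdminTokenAction}; the
 * user's token is only used to build the subject being evaluated.
 *
 * @param token single sign-on token of the user whose access is evaluated
 * @param resourceName resource to evaluate; canonicalized via the service type before use
 * @param scope one of the {@code ResourceResult} scope constants
 * @param envParameters run-time environment parameters; a {@code null} or empty map is
 *        replaced by a fresh mutable map so that {@code padEnvParameters} can populate it
 * @return the set of {@code ResourceResult}s, empty when no entitlement matched
 * @throws SSOException if the token is invalid or expired
 * @throws PolicyException if the scope is invalid or the evaluation fails; the underlying
 *         exception is kept as the cause
 */
private Set getResourceResultsE(SSOToken token, String resourceName, String scope, Map envParameters) throws SSOException, PolicyException {
    if ((envParameters == null) || envParameters.isEmpty()) {
        envParameters = new HashMap();
    }
    padEnvParameters(token, resourceName, null, envParameters);

    boolean subTreeSearch;
    if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
        subTreeSearch = true;
    } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope) || ResourceResult.SELF_SCOPE.equals(scope)) {
        // Both scopes are served by the single-resource evaluation below.
        subTreeSearch = false;
    } else {
        DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
        String[] objs = { scope };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_request_scope", objs, null);
    }

    SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Set resultsSet = new HashSet();
    try {
        // Canonicalize the resource name before evaluating.
        resourceName = serviceType.canonicalize(resourceName);
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(SubjectUtils.createSubject(adminSSOToken), applicationName);
        List<Entitlement> entitlements = eval.evaluate(realm, userSubject, resourceName, envParameters, subTreeSearch);
        // Treat a null result like an empty one (same convention as getPolicyDecisionE).
        if (entitlements != null && !entitlements.isEmpty()) {
            if (subTreeSearch) {
                // Hang every matched resource under a virtual root, then flatten back to a set.
                ResourceResult virtualResourceResult = new ResourceResult(ResourceResult.VIRTUAL_ROOT, new PolicyDecision());
                for (Entitlement ent : entitlements) {
                    ResourceResult r = entitlementToResourceResult(ent);
                    virtualResourceResult.addResourceResult(r, serviceType);
                }
                resultsSet.addAll(virtualResourceResult.getResourceResults());
            } else {
                resultsSet.add(entitlementToResourceResult(entitlements.get(0)));
            }
        }
    } catch (Exception e) {
        DEBUG.error("Error in getResourceResults", e);
        // Keep the original exception as the cause instead of flattening it to its message.
        throw new PolicyException(e);
    }
    return resultsSet;
}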
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
the class OpenSSOApplicationPrivilegeManager method isPolicyAdmin.
/**
 * Tells whether the caller may administer policies in this realm.
 * <p>
 * The dsame user is always an administrator. Every other caller is checked, with an
 * evaluator created from the super-admin subject, for the {@code ACTION_MODIFY} action on
 * the realm's {@code iPlanetAMPolicyService} resource, evaluated in the hidden realm.
 * An evaluation error is logged and reported as "not an admin" (fail closed).
 *
 * @return {@code true} if the caller is the dsame user or holds the modify entitlement
 */
private boolean isPolicyAdmin() {
    if (isDsameUser()) {
        return true;
    }
    Subject superAdmin = SubjectUtils.createSuperAdminSubject();
    try {
        Evaluator evaluator = new Evaluator(superAdmin, APPL_NAME);
        Set<String> requiredActions = new HashSet<String>();
        requiredActions.add(ACTION_MODIFY);
        String policyServiceResource = "sms://" + DNMapper.orgNameToDN(realm) + "/iPlanetAMPolicyService/*";
        Entitlement required = new Entitlement(policyServiceResource, requiredActions);
        // No environment conditions are supplied for this check.
        return evaluator.hasEntitlement(getHiddenRealmDN(), caller, required, Collections.emptyMap());
    } catch (EntitlementException ex) {
        PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.isPolicyAdmin", ex);
        return false;
    }
}
use of com.sun.identity.entitlement.Entitlement in project OpenAM by OpenRock.
the class OpenSSOApplicationPrivilegeManager method toApplicationPrivilege.
/**
 * Converts a stored {@code Privilege} into its {@code ApplicationPrivilege} view.
 * <p>
 * Metadata (name, description, audit fields) is copied as-is. The entitlement's resource
 * names are regrouped per application and its action values are translated via
 * {@code getActionValues}. Only {@code SubjectImplementation} subjects are carried over,
 * either directly or from the members of an {@code OrSubject}; other subject types are
 * dropped. Only a {@code SimpleTimeCondition} is carried over as the condition.
 *
 * @param p the privilege to convert
 * @return the equivalent application privilege
 * @throws EntitlementException if the resource-name or action-value translation fails
 */
private ApplicationPrivilege toApplicationPrivilege(Privilege p) throws EntitlementException {
    ApplicationPrivilege result = new ApplicationPrivilege(p.getName());
    result.setDescription(p.getDescription());
    result.setCreatedBy(p.getCreatedBy());
    result.setCreationDate(p.getCreationDate());
    result.setLastModifiedBy(p.getLastModifiedBy());
    result.setLastModifiedDate(p.getLastModifiedDate());

    Entitlement entitlement = p.getEntitlement();
    result.setApplicationResources(getApplicationPrivilegeResourceNames(entitlement.getResourceNames()));
    result.setActionValues(getActionValues(entitlement.getActionValues()));

    // Collect SubjectImplementation instances; anything else is silently ignored.
    Set<SubjectImplementation> carried = new HashSet<SubjectImplementation>();
    EntitlementSubject subject = p.getSubject();
    if (subject instanceof OrSubject) {
        for (EntitlementSubject member : ((OrSubject) subject).getESubjects()) {
            if (member instanceof SubjectImplementation) {
                carried.add((SubjectImplementation) member);
            }
        }
    } else if (subject instanceof SubjectImplementation) {
        carried.add((SubjectImplementation) subject);
    }
    result.setSubject(carried);

    EntitlementCondition condition = p.getCondition();
    if (condition instanceof SimpleTimeCondition) {
        result.setCondition(condition);
    }
    return result;
}