
Example 16 with EntitlementCondition

Use of com.sun.identity.entitlement.EntitlementCondition in project OpenAM by OpenRock.

From the class XACMLPrivilegeUtils, method getEntitlementConditionFromPolicy: extracts the privilege's EntitlementCondition from the JSON-typed AttributeValue embedded in a XACML Rule's Condition.

static EntitlementCondition getEntitlementConditionFromPolicy(Policy policy) throws EntitlementException {
    if (policy == null) {
        return null;
    }
    List<Rule> rules = getRules(policy);
    if (rules == null) {
        return null;
    }
    EntitlementCondition ec = null;
    for (Rule rule : rules) {
        // A XACML Rule may legitimately carry no Condition (or an empty one);
        // skip such rules instead of dereferencing null.
        Condition condition = rule.getCondition();
        if (condition == null || condition.getExpression() == null) {
            continue;
        }
        JAXBElement jaxbElement = condition.getExpression();
        if (jaxbElement.getDeclaredType().equals(Apply.class)) {
            Apply apply = (Apply) jaxbElement.getValue();
            String functionId = apply.getFunctionId();
            if (XACMLConstants.JSON_SUBJECT_AND_CONDITION_SATISFIED.equals(functionId)) {
                List<JAXBElement<?>> expressionList = apply.getExpression();
                for (JAXBElement jaxe : expressionList) {
                    if (jaxe.getDeclaredType().equals(AttributeValue.class)) {
                        AttributeValue av = (AttributeValue) jaxe.getValue();
                        String dataType = av.getDataType();
                        if (dataType.startsWith(XACMLConstants.JSON_CONDITION_DATATYPE)) {
                            List<Object> valueList = av.getContent();
                            String value = null;
                            if (valueList != null) {
                                for (Object ob : valueList) {
                                    if (ob instanceof String) {
                                        value = (String) ob;
                                        break;
                                    }
                                }
                            }
                            if (value != null) {
                                ec = createEntitlementCondition(dataType, value);
                            }
                        }
                    }
                }
            }
            if (ec != null) {
                break;
            }
        }
    }
    return ec;
}

Example 17 with EntitlementCondition

Use of com.sun.identity.entitlement.EntitlementCondition in project OpenAM by OpenRock.

From the class XACMLPrivilegeUtils, method eSubjectConditionToXCondition: serialises an EntitlementSubject and an EntitlementCondition into a single XACML Condition whose Apply element carries their JSON state as typed AttributeValues.

public static Condition eSubjectConditionToXCondition(EntitlementSubject es, EntitlementCondition ec) throws JAXBException {
    Condition condition = null;
    if (es != null || ec != null) {
        condition = new Condition();
        JAXBContext jaxbContext = JAXBContext.newInstance(XACMLConstants.XACML3_CORE_PKG);
        Apply apply = new Apply();
        apply.setFunctionId(XACMLConstants.JSON_SUBJECT_AND_CONDITION_SATISFIED);
        List<JAXBElement<?>> applyExpressions = apply.getExpression();
        if (es != null) {
            String esString = es.getState();
            // TODO: add custom xml attribute to identify as privilege subject
            AttributeValue esv = new AttributeValue();
            Map<QName, String> otherAttrs = esv.getOtherAttributes();
            QName qn = new QName("privilegeComponent");
            otherAttrs.put(qn, "entitlementSubject");
            String dataType = XACMLConstants.JSON_SUBJECT_DATATYPE + ":" + es.getClass().getName();
            esv.setDataType(dataType);
            esv.getContent().add(esString);
            JAXBElement esve = objectFactory.createAttributeValue(esv);
            applyExpressions.add(esve);
        }
        if (ec != null) {
            String ecString = ec.getState();
            // TODO: add custom xml attribute to identify as privilege condition
            AttributeValue ecv = new AttributeValue();
            Map<QName, String> otherAttrs = ecv.getOtherAttributes();
            QName qn = new QName("privilegeComponent");
            otherAttrs.put(qn, "entitlementCondition");
            String dataType = XACMLConstants.JSON_CONDITION_DATATYPE + ":" + ec.getClass().getName();
            ecv.setDataType(dataType);
            ecv.getContent().add(ecString);
            JAXBElement ecve = objectFactory.createAttributeValue(ecv);
            applyExpressions.add(ecve);
        }
        JAXBElement applyElement = objectFactory.createApply(apply);
        condition.setExpression(applyElement);
    }
    return condition;
}

Example 18 with EntitlementCondition

Use of com.sun.identity.entitlement.EntitlementCondition in project OpenAM by OpenRock.

From the class PrivilegeUtilsTest, method testPrivilegeToXACMLPolicy: builds a Privilege with a user subject, an IPv4Condition and resource attributes, then converts it to a XACML policy string.

@Test
public void testPrivilegeToXACMLPolicy() throws Exception {
    try {
        UnittestLog.logMessage("PrivilegeUtils.testPrivilegeToXACMLPolicy():" + " entered");
        Map<String, Boolean> actionValues = new HashMap<String, Boolean>();
        actionValues.put("GET", Boolean.TRUE);
        actionValues.put("POST", Boolean.FALSE);
        // The port is required for the equals test to pass:
        // the OpenSSO policy layer adds the default port when none is specified.
        String resourceName = "http://www.sun.com:80";
        Entitlement entitlement = new Entitlement(SERVICE_NAME, resourceName, actionValues);
        entitlement.setName("ent1");
        String user11 = "id=user11,ou=user," + ServiceManager.getBaseDN();
        String user12 = "id=user12,ou=user," + ServiceManager.getBaseDN();
        UserSubject ua1 = new OpenSSOUserSubject();
        ua1.setID(user11);
        UserSubject ua2 = new OpenSSOUserSubject();
        ua2.setID(user12);
        Set<EntitlementSubject> subjects = new HashSet<EntitlementSubject>();
        subjects.add(ua1);
        subjects.add(ua2);
        OrSubject os = new OrSubject(subjects);
        Set<EntitlementCondition> conditions = new HashSet<EntitlementCondition>();
        String startIp = "100.100.100.100";
        String endIp = "200.200.200.200";
        IPv4Condition ipc = new IPv4Condition();
        ipc.setStartIpAndEndIp(startIp, endIp);
        conditions.add(ipc);
        OrCondition oc = new OrCondition(conditions);
        AndCondition ac = new AndCondition(conditions);
        StaticAttributes sa1 = new StaticAttributes();
        Set<String> aValues = new HashSet<String>();
        aValues.add("a10");
        aValues.add("a20");
        sa1.setPropertyName("a");
        sa1.setPropertyValues(aValues);
        sa1.setPResponseProviderName("sa");
        StaticAttributes sa2 = new StaticAttributes();
        Set<String> bValues = new HashSet<String>();
        bValues.add("b10");
        bValues.add("b20");
        sa2.setPropertyName("b");
        sa2.setPropertyValues(bValues);
        sa2.setPResponseProviderName("sa");
        UserAttributes uat1 = new UserAttributes();
        uat1.setPropertyName("email");
        uat1.setPResponseProviderName("ua");
        UserAttributes uat2 = new UserAttributes();
        uat2.setPropertyName("uid");
        uat2.setPResponseProviderName("ua");
        Set<ResourceAttribute> ra = new HashSet<ResourceAttribute>();
        ra.add(sa1);
        ra.add(sa2);
        ra.add(uat1);
        ra.add(uat2);
        Privilege privilege = Privilege.getNewInstance();
        privilege.setName(PRIVILEGE_NAME);
        privilege.setEntitlement(entitlement);
        privilege.setSubject(ua1);
        privilege.setCondition(ipc);
        privilege.setResourceAttributes(ra);
        privilege.setCreatedBy("amadmin");
        privilege.setLastModifiedBy("amadmin");
        privilege.setCreationDate(System.currentTimeMillis());
        privilege.setLastModifiedDate(System.currentTimeMillis());
        UnittestLog.logMessage("PrivilegeUtils.testPrivilegeToXACMLPolicy():" + "Privilege=" + privilege.toString());
        UnittestLog.logMessage("PrivilegeUtils.testPrivilegeToXACMLPolicy():" + "converting to xacml policy");
        // TODO(jtb): not compiling
        String xacmlString = XACMLPrivilegeUtils.toXACML(privilege);
        UnittestLog.logMessage("xacml policy=" + xacmlString);
    } catch (Throwable t) {
        UnittestLog.logError("Throwable:", t);
        UnittestLog.logMessage("Throwable:" + t.getMessage());
        t.printStackTrace();
    }
}

Example 19 with EntitlementCondition

Use of com.sun.identity.entitlement.EntitlementCondition in project OpenAM by OpenRock.

From the class PrivilegePolicyMapping, method policyToPrivilege: checks that a legacy Policy maps to a Privilege whose condition is an OrCondition of PolicyConditions and whose subject is a PolicySubject containing the test user.

@Test
public void policyToPrivilege() throws Exception {
    Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
    if (privileges.isEmpty()) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: cannot get privilege");
    }
    privilege = (Privilege) privileges.iterator().next();
    EntitlementCondition cond = privilege.getCondition();
    if (!(cond instanceof OrCondition)) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition is not OR condition");
    }
    OrCondition pOrCond = (OrCondition) cond;
    for (EntitlementCondition ec : pOrCond.getEConditions()) {
        if (!(ec instanceof PolicyCondition)) {
            throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition is not policy condition");
        }
        PolicyCondition pCond = (PolicyCondition) ec;
        Map<String, Set<String>> pCondProp = pCond.getProperties();
        if (!pCondProp.equals(ipConditionEnvMap) && !pCondProp.equals(ipConditionEnvMap1)) {
            throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition values are not correct");
        }
    }
    EntitlementSubject sbj = privilege.getSubject();
    if (!(sbj instanceof PolicySubject)) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject is not privilege subject");
    }
    PolicySubject pSbj = (PolicySubject) sbj;
    Set pSbjValue = pSbj.getValues();
    if ((pSbjValue == null) || pSbjValue.isEmpty()) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject value is empty");
    }
    if (!pSbjValue.contains(testUser.getUniversalId())) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject value is incorrect");
    }
}

Example 20 with EntitlementCondition

Use of com.sun.identity.entitlement.EntitlementCondition in project OpenAM by OpenRock.

From the class XACMLPrivilegeUtils, method policyToPrivilege: reconstructs a Privilege (metadata, entitlement, subject, condition and resource attributes) from a XACML Policy.

public static Privilege policyToPrivilege(Policy policy) throws EntitlementException {
    String policyId = policy.getPolicyId();
    String privilegeName = policyIdToPrivilegeName(policyId);
    String description = policy.getDescription();
    String createdBy = getVariableById(policy, XACMLConstants.PRIVILEGE_CREATED_BY);
    long createdAt = dateStringToLong(getVariableById(policy, XACMLConstants.PRIVILEGE_CREATION_DATE));
    String lastModifiedBy = getVariableById(policy, XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY);
    long lastModifiedAt = dateStringToLong(getVariableById(policy, XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE));
    String entitlementName = getVariableById(policy, XACMLConstants.ENTITLEMENT_NAME);
    String applicationName = getVariableById(policy, XACMLConstants.APPLICATION_NAME);
    List<Match> policyMatches = getAllMatchesFromTarget(policy.getTarget());
    Set<String> resourceNames = getResourceNamesFromMatches(policyMatches);
    Map<String, Boolean> actionValues = getActionValuesFromPolicy(policy);
    EntitlementSubject es = getEntitlementSubjectFromPolicy(policy);
    EntitlementCondition ec = getEntitlementConditionFromPolicy(policy);
    /*
     * Construct entitlement from Rule target.
     * Get resource names, excluded resource names and action names from the Rule Match element:
     * one Match per Action, one Rule per value.
     */
    Entitlement entitlement = new Entitlement(applicationName, resourceNames, actionValues);
    if (entitlementName != null) {
        entitlement.setName(entitlementName);
    }
    // Process AdviceExpressions from Export into ResourceAttributes
    Set<ResourceAttribute> ras = schemaFactory.adviceExpressionsToResourceAttributes(policy.getAdviceExpressions());
    Privilege privilege = new XACMLOpenSSOPrivilege();
    privilege.setName(privilegeName);
    privilege.setDescription(description);
    privilege.setCreatedBy(createdBy);
    privilege.setCreationDate(createdAt);
    privilege.setLastModifiedBy(lastModifiedBy);
    privilege.setLastModifiedDate(lastModifiedAt);
    privilege.setEntitlement(entitlement);
    privilege.setSubject(es);
    privilege.setCondition(ec);
    privilege.setResourceAttributes(ras);
    return privilege;
}