
Example 1 with EntitlementConfiguration

use of com.sun.identity.entitlement.EntitlementConfiguration in project OpenAM by OpenRock.

the class ListXACML method handleRequest.

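/**
 * Services a Commandline Request.
 *
 * <p>The realm and the administrator's subject are resolved from the request
 * before either gate that depends on them: the legacy-policy-mode check is
 * made for {@code adminSubject}, and the READ permission check is made for
 * {@code realm}. Assigning them first guarantees that the realm which is
 * authorised is the same realm whose policies are then listed, instead of
 * whatever the fields held before this request was serviced.
 *
 * @param rc Request Context.
 * @throws CLIException if the request cannot be serviced: the deployment is
 *         still in legacy policy mode, or the administrator lacks READ
 *         permission on the realm.
 */
public void handleRequest(RequestContext rc) throws CLIException {
    super.handleRequest(rc);
    ldapLogin();
    // Resolve the request inputs before any check that reads them.
    adminSSOToken = getAdminSSOToken();
    adminSubject = SubjectUtils.createSubject(adminSSOToken);
    realm = getStringOptionValue(IArgument.REALM_NAME);
    // FIXME: change to use entitlementService.xacmlPrivilegeEnabled()
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(adminSubject, "/");
    if (!ec.migratedToEntitlementService()) {
        String[] args = { realm, "ANY", "list-xacml not supported in  legacy policy mode" };
        debugError("ListXACML.handleRequest(): " + "list-xacml not supported in  legacy policy mode");
        writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_POLICY_IN_REALM", args);
        throw new CLIException(getResourceString("list-xacml-not-supported-in-legacy-policy-mode"), ExitCodes.REQUEST_CANNOT_BE_PROCESSED, "list-xacml");
    }
    // Authorise against the realm that will actually be listed below.
    if (!XACMLUtils.hasPermission(realm, adminSSOToken, "READ")) {
        String errorMessage = MessageFormat.format(getResourceString("permission-denied"), "list-xacml", getAdminID());
        String[] args = { realm, "ANY", errorMessage };
        writeLog(LogWriter.LOG_ERROR, Level.INFO, "FAILED_GET_POLICY_IN_REALM", args);
        throw new CLIException(errorMessage, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
    }
    getPolicyNamesOnly = isOptionSet("namesonly");
    // The option value is stored untyped by the CLI framework; the raw cast is
    // what the field expects.
    filters = (List) rc.getOption(ARGUMENT_POLICY_NAMES);
    outfile = getStringOptionValue(IArgument.OUTPUT_FILE);
    outputWriter = getOutputWriter();
    if (getPolicyNamesOnly) {
        getPolicyNames();
    } else {
        getPolicies();
    }
}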

Example 2 with EntitlementConfiguration

use of com.sun.identity.entitlement.EntitlementConfiguration in project OpenAM by OpenRock.

the class EntitlementServiceTest method migratedToEntitlementService.

@Test
public void migratedToEntitlementService() {
    // Resolve the admin token under the privileged action, then ask the root
    // ("/") entitlement configuration whether migration has taken place.
    SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    EntitlementConfiguration rootConfig =
            EntitlementConfiguration.getInstance(SubjectUtils.createSubject(token), "/");
    // Observational test: the outcome is logged rather than asserted.
    UnittestLog.logMessage("EntitlementServiceTest.migratedToEntitlementService: returns "
            + rootConfig.migratedToEntitlementService());
}

Example 3 with EntitlementConfiguration

use of com.sun.identity.entitlement.EntitlementConfiguration in project OpenAM by OpenRock.

the class DelegationEvaluatorImpl method isAllowed.

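/**
 * Decides whether the user behind {@code token} holds {@code permission}.
 *
 * <p>Returns {@code false} outright while the deployment has not migrated to
 * the entitlement service. The privileged user, the configured admin identity
 * and, during installation only, members of {@code adminUserSet} (matched on
 * the normalised principal DN) are allowed without evaluation. Otherwise the
 * permission is mapped to an {@code sms://} resource and evaluated through the
 * delegation service; every requested action must be explicitly granted by
 * some returned entitlement for the result to be {@code true}. When
 * {@code subTreeMode} is false the three-argument overload is used instead.
 *
 * @param token         the caller's SSO token.
 * @param permission    the delegation permission being checked.
 * @param envParameters environment parameters passed through to the evaluator.
 * @param subTreeMode   whether to evaluate with sub-tree semantics.
 * @return {@code true} if every action of {@code permission} is allowed.
 * @throws SSOException        if the token cannot be used.
 * @throws DelegationException if the identity lookup or the entitlement
 *                             evaluation fails; the underlying exception is
 *                             kept as the cause.
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParameters, boolean subTreeMode) throws SSOException, DelegationException {
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(PolicyConstants.SUPER_ADMIN_SUBJECT, "/");
    // Nothing is delegated before migration: deny by default.
    if (!ec.migratedToEntitlementService()) {
        return false;
    }
    try {
        AMIdentity user = new AMIdentity(token);
        // Short-circuit for the privileged user, the admin identity and, at
        // install time only, the bootstrap admin DNs.
        if (((privilegedUser != null) && user.equals(privilegedUser))
                || (installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName())))
                || user.equals(adminUserId)) {
            return true;
        }
    } catch (IdRepoException ide) {
        // Keep the original exception as the cause instead of flattening it to
        // its message, so the failure can be diagnosed from the stack trace.
        throw new DelegationException(ide);
    }
    if (!subTreeMode) {
        return isAllowed(token, permission, envParameters);
    }
    String resource = toSmsResource(permission);
    try {
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, DelegationManager.DELEGATION_SERVICE);
        List<Entitlement> results = eval.evaluate(DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM), userSubject, resource, envParameters, true);
        // Actions are removed from the outstanding list as an entitlement
        // grants them; the permission is allowed once none are left.
        List<String> outstanding = new ArrayList<String>(permission.getActions());
        for (Entitlement e : results) {
            for (int i = outstanding.size() - 1; i >= 0; --i) {
                Boolean granted = e.getActionValue(outstanding.get(i));
                if ((granted != null) && granted) {
                    outstanding.remove(i);
                }
            }
            if (outstanding.isEmpty()) {
                return true;
            }
        }
        return false;
    } catch (EntitlementException ex) {
        debug.error("DelegationEvaluator.isAllowed", ex);
        throw new DelegationException(ex);
    }
}

/**
 * Builds the {@code sms://} resource name for {@code permission}: the
 * organization, service, version, config type and sub-config name, each
 * appended (with a trailing slash, except the last) only when non-null.
 *
 * @param permission the permission to map.
 * @return the resource string used for evaluation.
 */
private static String toSmsResource(DelegationPermission permission) {
    StringBuilder buff = new StringBuilder();
    buff.append("sms://");
    if (permission.getOrganizationName() != null) {
        buff.append(permission.getOrganizationName()).append("/");
    }
    if (permission.getServiceName() != null) {
        buff.append(permission.getServiceName()).append("/");
    }
    if (permission.getVersion() != null) {
        buff.append(permission.getVersion()).append("/");
    }
    if (permission.getConfigType() != null) {
        buff.append(permission.getConfigType()).append("/");
    }
    if (permission.getSubConfigName() != null) {
        buff.append(permission.getSubConfigName());
    }
    return buff.toString();
}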

Example 4 with EntitlementConfiguration

use of com.sun.identity.entitlement.EntitlementConfiguration in project OpenAM by OpenRock.

the class AMSetupServlet method processRequest.

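// The site and user-store maps are stored untyped under the setup constants;
// the casts below mirror what ServicesDefaultValues stores and cannot be
// checked at compile time.
@SuppressWarnings("unchecked")
/**
 * Runs the initial configuration of this instance from the setup request.
 *
 * <p>Returns {@code true} immediately when the instance is already configured.
 * Otherwise it seeds the default values from the request, requires the
 * click-through license to have been accepted, configures the server, records
 * the bootstrap location and (when applicable) the embedded directory admin
 * port and the site membership, re-indexes the entitlement applications and
 * finally configures monitoring. All configuration parameters are dumped to
 * the install log whether or not configuration succeeded.
 *
 * @param request  the setup request carrying the configuration parameters.
 * @param response the setup response; not read by this method.
 * @return {@code true} if the instance is (now) configured, {@code false} if
 *         the license was not accepted.
 * @throws ConfiguratorException wrapping any exception raised while configuring.
 */
public static boolean processRequest(IHttpServletRequest request, IHttpServletResponse response) {
    // Only continue if we are not already configured
    if (isConfigured()) {
        return true;
    }
    setLocale(request);
    final InstallLog installLog = InstallLog.getInstance();
    installLog.open((String) request.getParameterMap().get(SetupConstants.CONFIG_VAR_BASE_DIR));
    /*
     * This logic needs refactoring later. setServiceConfigValues()
     * attempts to check if directory is up and makes a call
     * back to this class. The implementation'd
     * be cleaner if classes&methods are named better and separated than
     * intertwined together.
     */
    ServicesDefaultValues.setServiceConfigValues(request);
    // set debug directory
    Map<String, Object> map = ServicesDefaultValues.getDefaultValues();
    String basedir = (String) map.get(SetupConstants.CONFIG_VAR_BASE_DIR);
    String uri = (String) map.get(SetupConstants.CONFIG_VAR_SERVER_URI);
    SystemProperties.initializeProperties(Constants.SERVICES_DEBUG_DIRECTORY, basedir + uri + "/debug");
    // Site and user-store settings are removed from the main map and applied
    // separately below.
    Map<String, Object> siteMap = (Map<String, Object>) map.remove(SetupConstants.CONFIG_VAR_SITE_CONFIGURATION);
    Map<String, Object> userRepo = (Map<String, Object>) map.remove(SetupConstants.USER_STORE);
    try {
        // Check for click-through license acceptance before processing the request.
        SetupProgress.reportStart("configurator.progress.license.check", new Object[0]);
        if (!isLicenseAccepted(request)) {
            SetupProgress.reportEnd("configurator.progress.license.rejected", new Object[] { SetupConstants.ACCEPT_LICENSE_PARAM });
            return false;
        }
        SetupProgress.reportEnd("configurator.progress.license.accepted", new Object[0]);
        // Getting this far means the license was accepted; record which
        // licenses (file name and content hash) that acceptance covered.
        LicenseSet licenses = getLicenseLocator().getRequiredLicenses();
        for (License license : licenses) {
            installLog.write(String.format("License, %s, has been accepted.%n", license.getFilename()));
            String licenseHash = Hash.hash(license.toString());
            installLog.write(String.format("License Hash: %s.%n", licenseHash));
        }
        isConfiguredFlag = configure(request, map, userRepo);
        if (isConfiguredFlag) {
            FQDNUtils.getInstance().init();
            //postInitialize was called at the end of configure????
            postInitialize(getAdminSSOToken());
        }
        LoginLogoutMapping.setProductInitialized(isConfiguredFlag);
        registerListeners();
        if (isConfiguredFlag) {
            String fileBootstrap = getBootstrapLocator();
            if (fileBootstrap != null) {
                writeToFileEx(fileBootstrap, basedir);
            }
            // this will write bootstrap file after configuration is
            // done; and also register the observer.
            ServerConfigXMLObserver.getInstance().update(true);
            // register our other observers
            SMSPropertiesObserver.getInstance().notifyChanges();
            DebugPropertiesObserver.getInstance().notifyChanges();
            // Store the bootstrap location: the locator when one exists,
            // otherwise the preset configuration directory. Only the chosen
            // value is added, so a missing locator no longer leaves a null
            // entry in the persisted set.
            Map<String, Set<String>> mapBootstrap = new HashMap<String, Set<String>>(2);
            Set<String> set = new HashSet<String>(2);
            if (fileBootstrap == null) {
                set.add(getPresetConfigDir());
            } else {
                set.add(fileBootstrap);
            }
            mapBootstrap.put(BOOTSTRAP_FILE_LOC, set);
            String serverInstanceName = SystemProperties.getServerInstanceName();
            SSOToken adminToken = AccessController.doPrivileged(AdminTokenAction.getInstance());
            ServerConfiguration.setServerInstance(adminToken, serverInstanceName, mapBootstrap);
            // store the ds admin port if we are running in embedded mode;
            // constant-first comparison so an absent data-store value cannot NPE
            String dataStore = (String) map.get(SetupConstants.CONFIG_VAR_DATA_STORE);
            if (SetupConstants.SMS_EMBED_DATASTORE.equals(dataStore)) {
                String dsAdminPort = (String) map.get(SetupConstants.CONFIG_VAR_DIRECTORY_ADMIN_SERVER_PORT);
                Map<String, Set<String>> mapAdminPort = new HashMap<String, Set<String>>(2);
                Set<String> set2 = new HashSet<String>(2);
                set2.add(dsAdminPort);
                mapAdminPort.put(Constants.DS_ADMIN_PORT, set2);
                ServerConfiguration.setServerInstance(adminToken, serverInstanceName, mapAdminPort);
            }
            // setup site configuration information
            if (siteMap != null && !siteMap.isEmpty()) {
                String site = (String) siteMap.get(SetupConstants.LB_SITE_NAME);
                String primaryURL = (String) siteMap.get(SetupConstants.LB_PRIMARY_URL);
                Boolean isSessionHASFOEnabled = Boolean.valueOf((String) siteMap.get(SetupConstants.LB_SESSION_HA_SFO));
                /*
                 * If primary url is null that means we are adding
                 * to an existing site. we don't need to create it
                 * first.
                 */
                if (primaryURL != null && primaryURL.length() > 0) {
                    Set<String> sites = SiteConfiguration.getSites(adminToken);
                    if (!sites.contains(site)) {
                        SiteConfiguration.createSite(adminToken, site, primaryURL, Collections.<String>emptySet());
                    }
                }
                if (!ServerConfiguration.belongToSite(adminToken, serverInstanceName, site)) {
                    ServerConfiguration.addToSite(adminToken, serverInstanceName, site);
                }
                //configure SFO (enabled/disabled) by creating a subconfiguration for the site
                Map<String, Set<String>> values = new HashMap<String, Set<String>>(1);
                values.put(CoreTokenConstants.IS_SFO_ENABLED, asSet(isSessionHASFOEnabled.toString()));
                createSFOSubConfig(adminToken, site, values);
            }
            if (EmbeddedOpenDS.isMultiServer(map)) {
                // Setup Replication port in SMS for each server
                updateReplPortInfo(map);
            }
            EntitlementConfiguration ec = EntitlementConfiguration.getInstance(SubjectUtils.createSuperAdminSubject(), "/");
            ec.reindexApplications();
        }
    } catch (Exception e) {
        // Boundary catch: every failure is logged and surfaced as a localised
        // ConfiguratorException carrying the base directory for context.
        installLog.write("AMSetupServlet.processRequest: error", e);
        Debug.getInstance(SetupConstants.DEBUG_NAME).error("AMSetupServlet.processRequest: error", e);
        Object[] params = { e.getMessage(), basedir };
        throw new ConfiguratorException("configuration.failed", params, configLocale);
    } finally {
        // The raw request parameters and all configuration maps are written to
        // the install log on both success and failure.
        // NOTE(review): confirm dumpConfigurationProperties masks credential
        // parameters (admin/directory passwords) before they reach this log.
        installLog.write("\n\nDumping all configuration parameters...\n");
        installLog.write("\nRequest Parameters:\n");
        dumpConfigurationProperties(installLog, request.getParameterMap());
        if (siteMap != null && !siteMap.isEmpty()) {
            installLog.write("\nSite configuration items:\n");
            dumpConfigurationProperties(installLog, siteMap);
        }
        if (userRepo != null && !userRepo.isEmpty()) {
            installLog.write("\nExternal user repo configuration items:\n");
            dumpConfigurationProperties(installLog, userRepo);
        }
        if (map != null && !map.isEmpty()) {
            installLog.write("\nMain configuration items:\n");
            dumpConfigurationProperties(installLog, map);
        }
        installLog.write("\nFinished dumping all configuration parameters\n");
        installLog.close();
        SetupProgress.closeOutputStream();
    }
    if (WebtopNaming.configMonitoring() >= 0) {
        ConfigMonitoring cm = new ConfigMonitoring();
        cm.configureMonitoring();
    } else {
        Debug.getInstance(SetupConstants.DEBUG_NAME).error("WebtopNaming.configMonitoring returned error.");
    }
    return isConfiguredFlag;
}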

Example 5 with EntitlementConfiguration

use of com.sun.identity.entitlement.EntitlementConfiguration in project OpenAM by OpenRock.

the class CreateXACML method ensureEntitlementServiceActive.

/**
 * Refuses the command unless the deployment has migrated to the entitlement
 * service; in legacy policy mode the failure is debug-logged, audited against
 * {@code realm} and reported to the caller as a {@link CLIException}.
 *
 * @param adminSubject the administrator's subject used to read the configuration.
 * @param realm        the realm recorded in the audit log entry.
 * @throws CLIException if the deployment is still in legacy policy mode.
 */
private void ensureEntitlementServiceActive(Subject adminSubject, String realm) throws CLIException {
    // FIXME: change to use entitlementService.xacmlPrivilegeEnabled()
    EntitlementConfiguration config = EntitlementConfiguration.getInstance(adminSubject, "/");
    if (config.migratedToEntitlementService()) {
        return;
    }
    String reason = "create-xacml not supported in  legacy policy mode";
    debugError("CreateXACML.handleRequest(): " + reason);
    writeLog(LOG_ERROR, INFO, "FAILED_CREATE_POLICY_IN_REALM", new String[] { realm, "ANY", reason });
    throw new CLIException(getResourceString("create-xacml-not-supported-in-legacy-policy-mode"), ExitCodes.REQUEST_CANNOT_BE_PROCESSED, "create-xacml");
}

