use of com.sun.identity.entitlement.EntitlementException in project OpenAM by OpenRock.
the class DataStore method searchReferral.
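/**
 * Returns the set of referral privileges that satisfy the given resource
 * indexes.
 *
 * <p>Every match is handed to {@code iterator} as soon as it is read, so a
 * caller can start consuming results while the search is still running; the
 * same privileges are also collected into the returned set. The directory
 * search runs under the privileged token obtained from
 * {@link AdminTokenAction}; {@code adminToken} is accepted for interface
 * compatibility but is not consulted here. The search is skipped altogether
 * when {@code getFilter} yields {@code null} or the realm's referral
 * container does not exist, in which case the empty set is returned.
 *
 * @param adminToken Subject who has the rights to read the datastore.
 * @param realm Realm name.
 * @param iterator Buffered iterator that receives each privilege as it is
 *     found; {@code isDone()} is signalled only when the search completes
 *     without error.
 * @param indexes Resource search indexes used to build the search filter.
 * @param bSubTree {@code true} to do a sub tree search.
 * @param excludeDNs Set of DNs to be excluded from the search results.
 * @return the referral privileges matching the indexes; empty when nothing
 *     matched or no search was performed.
 * @throws EntitlementException (error 52) if the directory search fails or
 *     a stored privilege cannot be deserialized from its JSON form.
 */
public Set<ReferralPrivilege> searchReferral(SSOToken adminToken, String realm, BufferedIterator iterator, ResourceSearchIndexes indexes, boolean bSubTree, Set<String> excludeDNs) throws EntitlementException {
    Set<ReferralPrivilege> results = new HashSet<ReferralPrivilege>();
    String filter = getFilter(indexes, null, bSubTree);
    String baseDN = getSearchBaseDN(realm, REFERRAL_STORE);
    if (PolicyConstants.DEBUG.messageEnabled()) {
        PolicyConstants.DEBUG.message("[PolicyEval] DataStore.searchReferral");
        PolicyConstants.DEBUG.message("[PolicyEval] search filter: " + filter);
        PolicyConstants.DEBUG.message("[PolicyEval] search DN: " + baseDN);
    }
    if (filter == null) {
        // No usable filter: nothing to search, nothing fed to the iterator.
        return results;
    }
    SSOToken token = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    long start = DB_MONITOR_REFERRAL.start();
    try {
        if (SMSEntry.checkIfEntryExists(baseDN, token)) {
            Iterator i = SMSEntry.search(token, baseDN, filter, NO_LIMIT, NO_LIMIT, NOT_SORTED, NOT_SORTED, excludeDNs);
            while (i.hasNext()) {
                SMSDataEntry e = (SMSDataEntry) i.next();
                ReferralPrivilege referral = ReferralPrivilege.getInstance(new JSONObject(e.getAttributeValue(SERIALIZABLE_INDEX_KEY)));
                iterator.add(referral);
                results.add(referral);
            }
            iterator.isDone();
        }
    } catch (JSONException e) {
        Object[] arg = { baseDN };
        throw new EntitlementException(52, arg, e);
    } catch (SMSException e) {
        Object[] arg = { baseDN };
        throw new EntitlementException(52, arg, e);
    } finally {
        // Close the monitor sample on every path; previously a failing search
        // left the started sample open because end() was only reached on success.
        DB_MONITOR_REFERRAL.end(start);
    }
    return results;
}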
use of com.sun.identity.entitlement.EntitlementException in project OpenAM by OpenRock.
the class DelegationEvaluatorImpl method isAllowed.
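/**
 * Decides whether the caller identified by {@code token} holds the given
 * delegation permission.
 *
 * <p>The check short-circuits to {@code true}, without consulting any policy,
 * when the caller is the configured privileged user, the configured admin
 * user id, or (at install time only) a member of the admin user set. When the
 * installation has not been migrated to the entitlement service the answer is
 * always {@code false}. Outside sub-tree mode the decision is delegated to
 * {@link #isAllowed(SSOToken, DelegationPermission, Map)}; in sub-tree mode
 * the permission is mapped to an {@code sms://} resource and evaluated against
 * the delegation service, and the caller is allowed only if the returned
 * entitlements together grant every requested action.
 *
 * @param token the caller's session token
 * @param permission the permission being requested
 * @param envParameters environment map passed through to policy evaluation
 * @param subTreeMode {@code true} to evaluate the permission over the sub tree
 * @return {@code true} if the caller is allowed, {@code false} otherwise
 * @throws SSOException if the token is invalid
 * @throws DelegationException if the caller identity cannot be resolved or
 *     policy evaluation fails
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParameters, boolean subTreeMode) throws SSOException, DelegationException {
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(PolicyConstants.SUPER_ADMIN_SUBJECT, "/");
    if (!ec.migratedToEntitlementService()) {
        return false;
    }
    try {
        AMIdentity user = new AMIdentity(token);
        boolean isPrivilegedUser = (privilegedUser != null) && user.equals(privilegedUser);
        boolean isInstallTimeAdmin = installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName()));
        if (isPrivilegedUser || isInstallTimeAdmin || user.equals(adminUserId)) {
            // Administrative bypass: these identities are allowed without a policy lookup.
            return true;
        }
    } catch (IdRepoException ide) {
        // Keep the cause chain; the message-only constructor discarded it.
        throw new DelegationException(ide);
    }
    if (!subTreeMode) {
        return isAllowed(token, permission, envParameters);
    }
    String resource = toSmsResource(permission);
    try {
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, DelegationManager.DELEGATION_SERVICE);
        List<Entitlement> results = eval.evaluate(DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM), userSubject, resource, envParameters, true);
        List<String> pendingActions = new ArrayList<String>(permission.getActions());
        for (Entitlement e : results) {
            // Walk backwards so removal does not disturb the indexes still to visit.
            for (int i = pendingActions.size() - 1; i >= 0; --i) {
                Boolean granted = e.getActionValue(pendingActions.get(i));
                if ((granted != null) && granted) {
                    pendingActions.remove(i);
                }
            }
            if (pendingActions.isEmpty()) {
                // Every requested action has been granted by some entitlement.
                return true;
            }
        }
        return false;
    } catch (EntitlementException ex) {
        debug.error("DelegationEvaluator.isAllowed", ex);
        throw new DelegationException(ex);
    }
}

/**
 * Builds the {@code sms://} resource name that represents a delegation
 * permission: organisation, service, version, config type and sub-config
 * name, each appended only when present, separated by {@code /}.
 *
 * @param permission the permission to map
 * @return the resource name used for policy evaluation
 */
private static String toSmsResource(DelegationPermission permission) {
    StringBuilder buff = new StringBuilder("sms://");
    if (permission.getOrganizationName() != null) {
        buff.append(permission.getOrganizationName()).append("/");
    }
    if (permission.getServiceName() != null) {
        buff.append(permission.getServiceName()).append("/");
    }
    if (permission.getVersion() != null) {
        buff.append(permission.getVersion()).append("/");
    }
    if (permission.getConfigType() != null) {
        buff.append(permission.getConfigType()).append("/");
    }
    if (permission.getSubConfigName() != null) {
        buff.append(permission.getSubConfigName());
    }
    return buff.toString();
}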
use of com.sun.identity.entitlement.EntitlementException in project OpenAM by OpenRock.
the class PolicyResponseProvider method getResponseProvider.
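/**
 * Constructs a legacy response provider based on the information in this adapter.
 *
 * <p>The provider class is loaded by name from {@code className} (presumably the
 * stored policy configuration; confirm against the adapter's setters), checked to
 * be a {@link ResponseProvider}, instantiated through its no-argument constructor
 * and initialised with the single {@code propertyName -> propertyValues} entry.
 *
 * @return the legacy response provider, initialised with this adapter's properties
 * @throws EntitlementException (error 510) if the class cannot be loaded, is not a
 *     {@code ResponseProvider}, cannot be instantiated, or rejects the properties.
 */
@JsonIgnore
public ResponseProvider getResponseProvider() throws EntitlementException {
    try {
        // getDeclaredConstructor().newInstance() is preferred over Class.newInstance(),
        // which rethrows checked exceptions from the constructor without declaring them.
        ResponseProvider rp = Class.forName(className).asSubclass(ResponseProvider.class).getDeclaredConstructor().newInstance();
        Map<String, Set<String>> properties = new HashMap<String, Set<String>>();
        properties.put(propertyName, propertyValues);
        rp.setProperties(properties);
        return rp;
    } catch (Exception ex) {
        // Deliberately broad: reflection failures, the unchecked ClassCastException from
        // asSubclass and whatever setProperties throws are all reported as error 510.
        throw new EntitlementException(510, ex);
    }
}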
use of com.sun.identity.entitlement.EntitlementException in project OpenAM by OpenRock.
the class PolicyResponseProvider method evaluate.
/**
 * Called by the entitlements framework to fetch resource attributes; the call
 * is forwarded to the configured legacy response provider implementation.
 *
 * <p>Only {@code subject} and {@code environment} influence the outcome: the
 * subject is converted to an SSO token (or {@code null} when absent) and passed
 * together with the environment to the provider's
 * {@code getResponseDecision}. The remaining parameters are part of the
 * framework contract and are not used by this adapter.
 *
 * @param adminSubject The admin user executing the policy eval
 * @param realm The realm of the policy eval
 * @param subject The user who is subject to the policy eval, may be {@code null}
 * @param resourceName The resource name of the policy eval
 * @param environment environment map from the policy eval client
 * @return the attributes returned by the legacy response provider
 * @throws EntitlementException if the provider cannot be constructed, or
 *     (error 510) if converting the subject or computing the response fails
 */
public Map<String, Set<String>> evaluate(Subject adminSubject, String realm, Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
    // Propagates EntitlementException unchanged, exactly as inside the try below.
    ResponseProvider provider = getResponseProvider();
    try {
        SSOToken callerToken = null;
        if (subject != null) {
            callerToken = getSSOToken(subject);
        }
        return provider.getResponseDecision(callerToken, environment);
    } catch (SSOException ex) {
        throw new EntitlementException(510, ex);
    } catch (PolicyException ex) {
        throw new EntitlementException(510, ex);
    }
}
use of com.sun.identity.entitlement.EntitlementException in project OpenAM by OpenRock.
the class OpenSSOIndexStore method getReferredResources.
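/**
 * Returns a set of resources that are referred to this realm.
 *
 * <p>For the root realm the answer is always empty. Otherwise the referral
 * privileges of the peer and parent realms are searched for those naming both
 * this realm and the given application type, the resources of every referred
 * application of that type are collected, and the organisation-alias mapping
 * resources are added.
 *
 * @param applicationTypeName Application type name.
 * @return a set of resources that are referred to this realm; empty for the
 *     root realm.
 * @throws EntitlementException (error 275) if resources cannot be returned.
 */
@Override
public Set<String> getReferredResources(String applicationTypeName) throws EntitlementException {
    String realm = getRealm();
    if (realm.equals("/")) {
        return Collections.<String>emptySet();
    }
    if (LDAPUtils.isDN(realm)) {
        realm = DNMapper.orgNameToRealmName(realm);
    }
    SSOToken adminToken = SubjectUtils.getSSOToken(superAdminSubject);
    try {
        Set<String> results = new HashSet<String>();
        Set<String> realms = getPeerRealms(realm);
        realms.addAll(getParentRealms(realm));
        // Both assertion values are escaped per RFC 4515 so that a name containing
        // '(', ')', '*' or '\' cannot change the structure of the search filter.
        String filter = "(&(ou=" + DataStore.REFERRAL_APPLS + "=" + escapeFilterValue(applicationTypeName) + ")(ou=" + DataStore.REFERRAL_REALMS + "=" + escapeFilterValue(realm) + "))";
        Map<String, Set<ReferralPrivilege>> referrals = new HashMap<String, Set<ReferralPrivilege>>();
        for (String rlm : realms) {
            referrals.put(rlm, dataStore.searchReferrals(adminToken, rlm, filter));
        }
        for (Map.Entry<String, Set<ReferralPrivilege>> entry : referrals.entrySet()) {
            String rlm = entry.getKey();
            String realmName = LDAPUtils.isDN(rlm) ? DNMapper.orgNameToRealmName(rlm) : rlm;
            for (ReferralPrivilege r : entry.getValue()) {
                Map<String, Set<String>> map = r.getOriginalMapApplNameToResources();
                for (Map.Entry<String, Set<String>> applEntry : map.entrySet()) {
                    Application appl = ApplicationManager.getApplication(PolicyConstants.SUPER_ADMIN_SUBJECT, realmName, applEntry.getKey());
                    // A referral to an application that no longer resolves is skipped
                    // rather than failing the whole lookup with a NullPointerException.
                    if ((appl != null) && appl.getApplicationType().getName().equals(applicationTypeName)) {
                        results.addAll(applEntry.getValue());
                    }
                }
            }
        }
        results.addAll(getOrgAliasMappingResources(realm, applicationTypeName));
        return results;
    } catch (SMSException ex) {
        PolicyConstants.DEBUG.error("OpenSSOIndexStore.getReferredResources", ex);
        Object[] param = { realm };
        // Pass the cause along so the underlying SMS failure stays on the chain.
        throw new EntitlementException(275, param, ex);
    }
}

/**
 * Escapes a value for use inside an LDAP search filter assertion (RFC 4515):
 * backslash, asterisk, parentheses and NUL are replaced by their
 * {@code \XX} hex escapes. A {@code null} value is returned unchanged.
 *
 * @param value the raw assertion value
 * @return the escaped value, safe to concatenate into a filter
 */
private static String escapeFilterValue(String value) {
    if (value == null) {
        return null;
    }
    StringBuilder escaped = new StringBuilder(value.length());
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        switch (c) {
            case '\\':
                escaped.append("\\5c");
                break;
            case '*':
                escaped.append("\\2a");
                break;
            case '(':
                escaped.append("\\28");
                break;
            case ')':
                escaped.append("\\29");
                break;
            case '\0':
                escaped.append("\\00");
                break;
            default:
                escaped.append(c);
        }
    }
    return escaped.toString();
}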