
Example 1 with Evaluator

Use of com.sun.identity.entitlement.Evaluator in the OpenAM project by OpenRock.

From class UmaPolicyServiceImpl, method canUserShareResourceSet.

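/**
 * Determines whether {@code username} may share the resource set owned by
 * {@code resourceOwnerId} with the requested scopes.
 * <p>
 * The owner can always share their own resource set. Anyone else can only share
 * when delegation is enabled for the realm and a UMA policy explicitly grants
 * them every one of the requested scopes.
 *
 * @param resourceOwnerId the id of the resource set owner
 * @param username        the id of the user attempting to share
 * @param clientId        the client the resource set is registered against
 * @param realm           the realm the resource set lives in
 * @param resourceSetId   the id of the resource set being shared
 * @param requestedScopes the scopes the user wants to share
 * @return {@code true} if the user is the owner, or if policies grant all requested scopes;
 *         {@code false} otherwise, including when policy evaluation fails
 */
private boolean canUserShareResourceSet(String resourceOwnerId, String username, String clientId, String realm, String resourceSetId, Set<String> requestedScopes) {
    Subject resourceOwner = UmaUtils.createSubject(coreServicesWrapper.getIdentity(resourceOwnerId, realm));
    Subject user = UmaUtils.createSubject(coreServicesWrapper.getIdentity(username, realm));
    // The owner never needs a delegation policy to share their own resource set.
    if (resourceOwner.equals(user)) {
        return true;
    }
    if (!isDelegationOn(realm)) {
        return false;
    }
    try {
        // NOTE(review): toLowerCase() uses the default locale, so the application name
        // lookup is locale-sensitive (e.g. Turkish dotless i) — confirm this matches how
        // application names are registered.
        Evaluator evaluator = policyEvaluatorFactory.getEvaluator(user, clientId.toLowerCase());
        List<Entitlement> entitlements = evaluator.evaluate(realm, user, UmaConstants.UMA_POLICY_SCHEME + resourceSetId, null, false);
        // Every requested scope must be explicitly granted (action value true) by some
        // entitlement; a null or false action value leaves the scope outstanding.
        Set<String> outstandingScopes = new HashSet<>(requestedScopes);
        for (Entitlement entitlement : entitlements) {
            for (String requestedScope : requestedScopes) {
                Boolean actionValue = entitlement.getActionValue(requestedScope);
                if (actionValue != null && actionValue) {
                    outstandingScopes.remove(requestedScope);
                }
            }
            // Nothing left to grant: no need to look at the remaining entitlements.
            if (outstandingScopes.isEmpty()) {
                return true;
            }
        }
        return outstandingScopes.isEmpty();
    } catch (EntitlementException e) {
        // Fail closed: an evaluation error must never grant the ability to share.
        debug.error("Failed to evaluate UMA policies", e);
        return false;
    }
}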

Example 2 with Evaluator

Use of com.sun.identity.entitlement.Evaluator in the OpenAM project by OpenRock.

From class ResourceSetServiceTest, method shouldGetResourceSetsWhenResourceSetsExistQueryingByOrWithPolicies.

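/**
 * Querying resource sets with a resource-set filter OR'd with a policy query, and asking for
 * policy augmentation, should return the union of the directly matched resource sets and the
 * resource sets referenced by the matched policies, each augmented with its policy JSON.
 * <p>
 * RS_ONE and RS_TWO match the resource-set query; the policy query yields policies for RS_ONE
 * and RS_THREE. The evaluator grants an action on RS_ONE and RS_TWO and nothing on RS_THREE.
 * The expected result is RS_ONE and RS_THREE, carrying their respective policy JSON.
 */
@Test
public void shouldGetResourceSetsWhenResourceSetsExistQueryingByOrWithPolicies() throws Exception {
    //Given
    Context context = createContext();
    String realm = "REALM";
    ResourceSetWithPolicyQuery query = new ResourceSetWithPolicyQuery();
    String resourceOwnerId = "RESOURCE_OWNER_ID";
    boolean augmentWithPolicies = true;
    QueryFilter<String> resourceSetQuery = QueryFilter.contains("name", "RS_THREE");
    QueryFilter policyQuery = QueryFilter.alwaysFalse();
    Set<ResourceSetDescription> queriedResourceSets = new HashSet<>();
    ResourceSetDescription resourceSetOne = new ResourceSetDescription("RS_ID_ONE", "CLIENT_ID_ONE", "RESOURCE_OWNER_ID", singletonMap("name", (Object) "RS_ONE"));
    ResourceSetDescription resourceSetTwo = new ResourceSetDescription("RS_ID_TWO", "CLIENT_ID_TWO", "RESOURCE_OWNER_ID", singletonMap("name", (Object) "RS_TWO"));
    ResourceSetDescription resourceSetThree = new ResourceSetDescription("RS_ID_THREE", "CLIENT_ID_TWO", "RESOURCE_OWNER_ID", singletonMap("name", (Object) "RS_THREE"));
    Collection<UmaPolicy> queriedPolicies = new HashSet<>();
    UmaPolicy policyOne = mock(UmaPolicy.class);
    UmaPolicy policyTwo = mock(UmaPolicy.class);
    UmaPolicy policyThree = mock(UmaPolicy.class);
    JsonValue policyOneJson = mock(JsonValue.class);
    JsonValue policyTwoJson = mock(JsonValue.class);
    JsonValue policyThreeJson = mock(JsonValue.class);
    Pair<QueryResponse, Collection<UmaPolicy>> queriedPoliciesPair = Pair.of(newQueryResponse(), queriedPolicies);
    Promise<Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException> queriedPoliciesPromise = Promises.newResultPromise(queriedPoliciesPair);
    Promise<UmaPolicy, ResourceException> policyOnePromise = Promises.newResultPromise(policyOne);
    Promise<UmaPolicy, ResourceException> policyTwoPromise = Promises.newResultPromise(policyTwo);
    mockResourceOwnerIdentity(resourceOwnerId, realm);
    query.setResourceSetQuery(resourceSetQuery);
    query.setPolicyQuery(policyQuery);
    // The store matches RS_ONE and RS_TWO; the policy query matches policies for RS_ONE and RS_THREE.
    queriedResourceSets.add(resourceSetOne);
    queriedResourceSets.add(resourceSetTwo);
    queriedPolicies.add(policyOne);
    queriedPolicies.add(policyThree);
    given(policyOne.getId()).willReturn("RS_ID_ONE");
    given(policyOne.getResourceSet()).willReturn(resourceSetOne);
    given(policyTwo.getId()).willReturn("RS_ID_TWO");
    given(policyTwo.getResourceSet()).willReturn(resourceSetTwo);
    given(policyThree.getId()).willReturn("RS_ID_THREE");
    given(policyThree.getResourceSet()).willReturn(resourceSetThree);
    given(policyOne.asJson()).willReturn(policyOneJson);
    given(policyTwo.asJson()).willReturn(policyTwoJson);
    given(policyThree.asJson()).willReturn(policyThreeJson);
    given(resourceSetStore.query(QueryFilter.and(resourceSetQuery, equalTo(ResourceSetTokenField.RESOURCE_OWNER_ID, "RESOURCE_OWNER_ID")))).willReturn(queriedResourceSets);
    given(policyService.queryPolicies(eq(context), Matchers.<QueryRequest>anyObject())).willReturn(queriedPoliciesPromise);
    given(resourceSetStore.read("RS_ID_ONE", resourceOwnerId)).willReturn(resourceSetOne);
    given(resourceSetStore.read("RS_ID_THREE", resourceOwnerId)).willReturn(resourceSetThree);
    given(policyService.readPolicy(context, "RS_ID_ONE")).willReturn(policyOnePromise);
    given(policyService.readPolicy(context, "RS_ID_TWO")).willReturn(policyTwoPromise);
    // A single granted action: enough for the service to treat RS_ONE / RS_TWO as shared.
    Entitlement entitlement = new Entitlement();
    Map<String, Boolean> actionValues = new HashMap<>();
    actionValues.put("actionValueKey", true);
    entitlement.setActionValues(actionValues);
    Evaluator evaluator = mock(Evaluator.class);
    given(umaProviderSettings.getPolicyEvaluator(any(Subject.class), anyString())).willReturn(evaluator);
    given(evaluator.evaluate(eq(realm), any(Subject.class), eq("RS_ONE"), isNull(Map.class), eq(false))).willReturn(singletonList(entitlement));
    given(evaluator.evaluate(eq(realm), any(Subject.class), eq("RS_TWO"), isNull(Map.class), eq(false))).willReturn(singletonList(entitlement));
    given(evaluator.evaluate(eq(realm), any(Subject.class), eq("RS_THREE"), isNull(Map.class), eq(false))).willReturn(Collections.<Entitlement>emptyList());
    //When
    Collection<ResourceSetDescription> resourceSets = service.getResourceSets(context, realm, query, resourceOwnerId, augmentWithPolicies).getOrThrowUninterruptibly();
    //Then
    assertThat(resourceSets).hasSize(2).contains(resourceSetOne, resourceSetThree);
    assertThat(resourceSetOne.getPolicy()).isEqualTo(policyOneJson);
    assertThat(resourceSetThree.getPolicy()).isEqualTo(policyThreeJson);
}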

Example 3 with Evaluator

Use of com.sun.identity.entitlement.Evaluator in the OpenAM project by OpenRock.

From class DelegationEvaluatorImpl, method isAllowed.

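/**
 * Checks whether the user identified by {@code token} holds the given delegation permission.
 * <p>
 * Returns {@code false} outright when the deployment has not migrated to the entitlement
 * service. Privileged and administrative users are allowed unconditionally. In non sub-tree
 * mode the check is delegated to {@link #isAllowed(SSOToken, DelegationPermission, Map)};
 * otherwise an {@code sms://} resource is built from the permission and evaluated against the
 * delegation service, and every action of the permission must be granted by the results.
 *
 * @param token         the SSO token of the user being checked
 * @param permission    the delegation permission being requested
 * @param envParameters environment parameters passed through to the evaluator
 * @param subTreeMode   whether to evaluate in sub-tree mode
 * @return {@code true} if the user is allowed every action of the permission
 * @throws SSOException        if the token cannot be used
 * @throws DelegationException if identity lookup or policy evaluation fails
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParameters, boolean subTreeMode) throws SSOException, DelegationException {
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(PolicyConstants.SUPER_ADMIN_SUBJECT, "/");
    // Fail closed: without the entitlement service there is nothing to evaluate against.
    if (!ec.migratedToEntitlementService()) {
        return false;
    }
    try {
        AMIdentity user = new AMIdentity(token);
        // Administrative short-circuit: the privileged user, the configured admin user and
        // (only at install time) the install-time admin set bypass policy evaluation.
        if (((privilegedUser != null) && user.equals(privilegedUser)) || (installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName()))) || user.equals(adminUserId)) {
            return true;
        }
    } catch (IdRepoException ide) {
        // Keep the original exception as the cause instead of flattening it to its message.
        throw new DelegationException(ide);
    }
    if (!subTreeMode) {
        return isAllowed(token, permission, envParameters);
    }
    String resource = buildSmsResource(permission);
    try {
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator eval = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, DelegationManager.DELEGATION_SERVICE);
        List<Entitlement> results = eval.evaluate(DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM), userSubject, resource, envParameters, true);
        // Actions still to be granted; each explicitly granted action (value true) is removed.
        List<String> outstandingActions = new ArrayList<String>();
        outstandingActions.addAll(permission.getActions());
        for (Entitlement e : results) {
            // Iterate backwards so removal by index does not skip elements.
            for (int i = outstandingActions.size() - 1; i >= 0; --i) {
                String action = outstandingActions.get(i);
                Boolean result = e.getActionValue(action);
                if ((result != null) && result) {
                    outstandingActions.remove(i);
                }
            }
            if (outstandingActions.isEmpty()) {
                return true;
            }
        }
        return false;
    } catch (EntitlementException ex) {
        debug.error("DelegationEvaluator.isAllowed", ex);
        throw new DelegationException(ex);
    }
}

/**
 * Builds the {@code sms://} resource name for a delegation permission, appending each
 * non-null component of the permission in order.
 *
 * @param permission the permission to describe
 * @return the resource name, e.g. {@code sms://org/service/version/configType/subConfig}
 */
private static String buildSmsResource(DelegationPermission permission) {
    StringBuilder buff = new StringBuilder();
    buff.append("sms://");
    if (permission.getOrganizationName() != null) {
        buff.append(permission.getOrganizationName()).append("/");
    }
    if (permission.getServiceName() != null) {
        buff.append(permission.getServiceName()).append("/");
    }
    if (permission.getVersion() != null) {
        buff.append(permission.getVersion()).append("/");
    }
    if (permission.getConfigType() != null) {
        buff.append(permission.getConfigType()).append("/");
    }
    if (permission.getSubConfigName() != null) {
        buff.append(permission.getSubConfigName());
    }
    return buff.toString();
}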

Example 4 with Evaluator

Use of com.sun.identity.entitlement.Evaluator in the OpenAM project by OpenRock.

From class PolicyEvaluator, method isAllowedE.

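/**
 * Evaluates, through the entitlement service, whether the user holding {@code token} is
 * allowed {@code actionName} on {@code resourceName}.
 *
 * @param token         the SSO token of the user being evaluated
 * @param resourceName  the resource the action is requested on
 * @param actionName    the action to check; its schema must have boolean syntax
 * @param envParameters environment parameters; a null or empty map is replaced by a fresh
 *                      one before padding, so the caller's map is only mutated when non-empty
 * @return {@code true} if the user has the entitlement
 * @throws SSOException    if the token cannot be used
 * @throws PolicyException if the action is not boolean or entitlement evaluation fails
 */
private boolean isAllowedE(SSOToken token, String resourceName, String actionName, Map envParameters) throws SSOException, PolicyException {
    // Work on a local rather than reassigning the parameter; padEnvParameters fills it in place.
    Map env = envParameters;
    if ((env == null) || env.isEmpty()) {
        env = new HashMap();
    }
    padEnvParameters(token, resourceName, actionName, env);
    ActionSchema schema = serviceType.getActionSchema(actionName);
    // Only boolean actions can be answered as allowed/denied.
    if (!AttributeSchema.Syntax.BOOLEAN.equals(schema.getSyntax())) {
        String[] objs = { actionName };
        throw new PolicyException(ResBundleUtils.rbName, "action_does_not_have_boolean_syntax", objs, null);
    }
    HashSet<String> actions = new HashSet<String>(2);
    actions.add(actionName);
    try {
        Subject callerSubject = SubjectUtils.createSubject(token);
        Entitlement entitlement = new Entitlement(serviceTypeName, resourceName, actions);
        entitlement.canonicalizeResources(callerSubject, realm);
        // NOTE(review): the Evaluator is constructed with the caller's own subject, not an
        // administrative one — confirm that is intended for privilege lookups.
        Evaluator eval = new Evaluator(callerSubject, applicationName);
        return eval.hasEntitlement(realm, SubjectUtils.createSubject(token), entitlement, env);
    } catch (EntitlementException e) {
        throw new PolicyException(e);
    }
}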

Example 5 with Evaluator

Use of com.sun.identity.entitlement.Evaluator in the OpenAM project by OpenRock.

From class ResourceSetService, method isSharedWith.

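/**
 * Checks whether a ResourceSet is accessible by a user.
 * <p>
 * The user is considered to have access when at least one UMA policy entitlement for the
 * resource set grants them an action (scope). Entitlements that carry only denied
 * ({@code false}) action values do not count.
 *
 * @param resourceSet The resource set to check.
 * @param resourceUserId The id of the user to check.
 * @param realm The realm to check in.
 * @return {@code true} if the user can access that ResourceSet.
 * @throws InternalServerErrorException if the policy evaluator cannot be obtained or evaluation fails.
 */
public boolean isSharedWith(ResourceSetDescription resourceSet, String resourceUserId, String realm) throws InternalServerErrorException {
    Subject subject = createSubject(resourceUserId, realm);
    try {
        Evaluator evaluator = umaProviderSettingsFactory.get(realm).getPolicyEvaluator(subject, resourceSet.getClientId().toLowerCase());
        String sharedResourceName = "uma://" + resourceSet.getId();
        List<Entitlement> entitlements = evaluator.evaluate(realm, subject, sharedResourceName, null, false);
        // Look at every returned entitlement and require an explicitly granted action:
        // a non-empty action map whose values are all false must not count as shared.
        for (Entitlement entitlement : entitlements) {
            for (Object granted : entitlement.getActionValues().values()) {
                if (Boolean.TRUE.equals(granted)) {
                    return true;
                }
            }
        }
    } catch (EntitlementException | NotFoundException e) {
        throw new InternalServerErrorException(e);
    }
    return false;
}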
