
Example 6 with Evaluator

use of com.sun.identity.entitlement.Evaluator in project OpenAM by OpenRock.

the class PolicyEvaluator method getResourceResultsE.

/**
 * Evaluates {@code resourceName} for the user behind {@code token} through the
 * entitlement {@link Evaluator} and converts the outcome into policy
 * {@link ResourceResult} objects.
 *
 * <p>The environment map is padded in place by {@code padEnvParameters} before
 * evaluation, so a caller-supplied map is mutated; a null or empty map is replaced by
 * a fresh one first. The evaluator is constructed with the administrative token while
 * the end user's subject is the one actually evaluated.
 *
 * @param token session of the user whose access is being evaluated
 * @param resourceName resource to evaluate; canonicalized through {@code serviceType}
 * @param scope one of {@link ResourceResult#SUBTREE_SCOPE},
 *     {@link ResourceResult#STRICT_SUBTREE_SCOPE} or {@link ResourceResult#SELF_SCOPE}
 * @param envParameters environment parameters for condition evaluation; may be null
 * @return the resource results: empty when the evaluator returned no entitlement, the
 *     single result for the non-subtree scopes, or the children of a virtual root for
 *     subtree scope
 * @throws PolicyException if {@code scope} is not one of the accepted values, or
 *     wrapping any failure raised during evaluation (only the message is carried;
 *     the original exception is logged but not chained as the cause)
 * @throws SSOException declared for callers; not raised directly by this method
 */
private Set getResourceResultsE(SSOToken token, String resourceName, String scope, Map envParameters) throws SSOException, PolicyException {
    Map env = envParameters;
    if (env == null || env.isEmpty()) {
        env = new HashMap();
    }
    padEnvParameters(token, resourceName, null, env);

    boolean subTreeSearch;
    if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
        subTreeSearch = true;
    } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope) || ResourceResult.SELF_SCOPE.equals(scope)) {
        subTreeSearch = false;
    } else {
        // Unknown scope is rejected up front, before any evaluation takes place.
        DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
        throw new PolicyException(ResBundleUtils.rbName, "invalid_request_scope", new String[] { scope }, null);
    }

    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Set results = new HashSet();
    try {
        // Canonicalize before handing the name to the evaluator.
        String canonicalName = serviceType.canonicalize(resourceName);
        Subject userSubject = SubjectUtils.createSubject(token);
        Evaluator evaluator = new Evaluator(SubjectUtils.createSubject(adminToken), applicationName);
        List<Entitlement> entitlements = evaluator.evaluate(realm, userSubject, canonicalName, env, subTreeSearch);
        if (entitlements.isEmpty()) {
            return results;
        }
        if (subTreeSearch) {
            // Collect every matched resource under a virtual root and return its children.
            ResourceResult virtualRoot = new ResourceResult(ResourceResult.VIRTUAL_ROOT, new PolicyDecision());
            for (Entitlement entitlement : entitlements) {
                virtualRoot.addResourceResult(entitlementToResourceResult(entitlement), serviceType);
            }
            results.addAll(virtualRoot.getResourceResults());
        } else {
            // Self/strict-subtree scopes use only the first entitlement.
            results.add(entitlementToResourceResult(entitlements.get(0)));
        }
    } catch (Exception e) {
        DEBUG.error("Error in getResourceResults", e);
        // Only the message survives; the cause is logged above but not chained (original TOFIX).
        throw new PolicyException(e.getMessage());
    }
    return results;
}

Example 7 with Evaluator

use of com.sun.identity.entitlement.Evaluator in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method isPolicyAdmin.

/**
 * Determines whether the calling subject may administer policies in this realm.
 *
 * <p>The dsame user is accepted outright. Any other caller is checked by asking the
 * entitlement {@link Evaluator}, running as the super admin subject, whether
 * {@code caller} holds {@code ACTION_MODIFY} on the realm's policy service resource,
 * evaluated in the hidden realm with an empty environment. An evaluation failure is
 * logged and answered with {@code false} rather than propagated.
 *
 * @return {@code true} if the caller is dsame or is entitled to modify the policy
 *     service; {@code false} otherwise, including when evaluation fails
 */
private boolean isPolicyAdmin() {
    if (isDsameUser()) {
        return true;
    }
    Set<String> requiredActions = new HashSet<String>();
    requiredActions.add(ACTION_MODIFY);
    Subject superAdmin = SubjectUtils.createSuperAdminSubject();
    try {
        Evaluator evaluator = new Evaluator(superAdmin, APPL_NAME);
        String policyServiceResource = "sms://" + DNMapper.orgNameToDN(realm) + "/iPlanetAMPolicyService/*";
        Entitlement required = new Entitlement(policyServiceResource, requiredActions);
        return evaluator.hasEntitlement(getHiddenRealmDN(), caller, required, Collections.EMPTY_MAP);
    } catch (EntitlementException ex) {
        // Fail closed: an error during evaluation never grants admin rights.
        PrivilegeManager.debug.error("OpenSSOApplicationPrivilegeManager.isPolicyAdmin", ex);
        return false;
    }
}

Example 8 with Evaluator

use of com.sun.identity.entitlement.Evaluator in project OpenAM by OpenRock.

the class OpenProvisioning method testEval.

/**
 * Exercises the {@link Evaluator} against the OpenProvisioning test application.
 *
 * <p>Pass one: evaluating {@code RESOURCE} for jSmith with an empty environment must
 * yield an entitlement with no action values and an {@link AttributeLookupCondition}
 * advice of {@code $USER.postaladdress=$RES.postaladdress}. Pass two: once the subject
 * carries a {@code postaladdress=CA} public credential and the environment supplies the
 * matching resource attribute, evaluating {@code RESOURCE1} must yield an entitlement
 * with non-empty action values.
 *
 * @throws Exception when either expectation fails, or on any evaluation error
 */
@Test
public void testEval() throws Exception {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    Subject adminSubject = SubjectUtils.createSubject(adminToken);

    Set<Principal> principals = new HashSet<Principal>(2);
    principals.add(new AuthSPrincipal(jSmith.getUniversalId()));
    Subject userSubject = new Subject(false, principals, new HashSet(), new HashSet());
    Map<String, Set<String>> env = new HashMap<String, Set<String>>();

    // Pass one: nothing in the environment, so expect an advice rather than a grant.
    Evaluator evaluator = new Evaluator(adminSubject, APPLICATION);
    List firstPass = evaluator.evaluate("/", userSubject, RESOURCE, env, false);
    Entitlement first = (Entitlement) firstPass.iterator().next();
    if (!first.getActionValues().isEmpty()) {
        throw new Exception("OpenProvisioning.test fails because action values is not empty");
    }
    Set<String> lookupAdvices = first.getAdvices().get(AttributeLookupCondition.class.getName());
    if (!lookupAdvices.contains("$USER.postaladdress=$RES.postaladdress")) {
        throw new Exception("OpenProvisioning.test fails because missing advices");
    }

    // Pass two: satisfy the attribute lookup on both the user and the resource side.
    userSubject.getPublicCredentials().add("postaladdress=CA");
    Set<String> location = new HashSet<String>();
    location.add("CA");
    env.put("/OP/cropLdap/person/johndoe.postaladdress", location);
    evaluator = new Evaluator(adminSubject, APPLICATION);
    List secondPass = evaluator.evaluate("/", userSubject, RESOURCE1, env, false);
    Entitlement second = (Entitlement) secondPass.iterator().next();
    if (second.getActionValues().isEmpty()) {
        throw new Exception("OpenProvisioning.test fails.");
    }
}

Example 9 with Evaluator

use of com.sun.identity.entitlement.Evaluator in project OpenAM by OpenRock.

the class ResourceSetService method isSharedWith.

/**
 * Checks whether a resource set has been shared with a user.
 *
 * <p>The decision is delegated to the UMA policy {@link Evaluator} obtained for the
 * realm and the resource set's client id: the user is considered to have access when
 * evaluating {@code uma://<resourceSetId>} returns at least one entitlement whose
 * action values are non-empty. No environment parameters are passed, so the
 * evaluation runs without request context.
 *
 * @param resourceSet the resource set to check
 * @param resourceUserId the id of the user to check
 * @param realm the realm to check in
 * @return {@code true} if the user can access that resource set, {@code false} otherwise
 * @throws InternalServerErrorException if the evaluator cannot be obtained or the
 *     evaluation fails; the underlying {@code EntitlementException} or
 *     {@code NotFoundException} is chained as the cause
 */
public boolean isSharedWith(ResourceSetDescription resourceSet, String resourceUserId, String realm) throws InternalServerErrorException {
    Subject userSubject = createSubject(resourceUserId, realm);
    List<Entitlement> entitlements;
    try {
        // The client id is lower-cased with the default locale; lookups elsewhere must mirror that.
        Evaluator evaluator = umaProviderSettingsFactory.get(realm)
                .getPolicyEvaluator(userSubject, resourceSet.getClientId().toLowerCase());
        String sharedResourceName = "uma://" + resourceSet.getId();
        entitlements = evaluator.evaluate(realm, userSubject, sharedResourceName, null, false);
    } catch (EntitlementException | NotFoundException e) {
        throw new InternalServerErrorException(e);
    }
    if (entitlements.isEmpty()) {
        return false;
    }
    // Any granted action on the first entitlement counts as "shared".
    return !entitlements.get(0).getActionValues().isEmpty();
}

Example 10 with Evaluator

use of com.sun.identity.entitlement.Evaluator in project OpenAM by OpenRock.

the class ResourceSetServiceTest method mockPolicyEvaluator.

/**
 * Stubs {@code umaProviderSettings} so that every policy-evaluator lookup, and
 * specifically the one keyed by the lower-cased {@code clientId}, returns a mock
 * {@link Evaluator} whose {@code evaluate} always yields an empty entitlement list.
 *
 * @param clientId the client id the service under test is expected to lower-case
 *     before requesting its evaluator
 * @throws EntitlementException declared because the stubbed {@code evaluate}
 *     signature declares it; the stubbing itself never throws it
 */
private void mockPolicyEvaluator(String clientId) throws EntitlementException {
    Evaluator evaluatorMock = mock(Evaluator.class);
    given(umaProviderSettings.getPolicyEvaluator(any(Subject.class), anyString()))
            .willReturn(evaluatorMock);
    given(evaluatorMock.evaluate(
            any(String.class), any(Subject.class), any(String.class), anyMap(), any(Boolean.class)))
            .willReturn(Collections.<Entitlement>emptyList());
    // More specific stub registered last so it takes precedence for the expected id.
    String expectedClientId = clientId.toLowerCase();
    given(umaProviderSettings.getPolicyEvaluator(any(Subject.class), eq(expectedClientId)))
            .willReturn(evaluatorMock);
}
