Example 11 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

the class PolicyManager method addPolicy.

/**
 * Adds a policy to the data store.
 *
 * @param policy policy object to be added to the organization
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 * privileges to add policy
 * @throws InvalidFormatException the data in the policy object
 * has been corrupted or does not have a valid format
 * @throws NameAlreadyExistsException a policy with the same
 * name already exists
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void addPolicy(Policy policy) throws SSOException, NameAlreadyExistsException, NoPermissionException, InvalidFormatException, PolicyException {
    String realmName = getOrganizationDN();
    //TODO: handle non DNs/
    realmName = LDAPUtils.formatToRFC(realmName);
    String subjectRealm = policy.getSubjectRealm();
    String[] realmNames = { realmName, subjectRealm };
    if ((subjectRealm != null) && !subjectRealm.equals(realmName)) {
        if (debug.messageEnabled()) {
            debug.message("Can not add policy in realm :" + realmName + ", policy has realm subjects " + " from realm : " + subjectRealm);
        }
        throw (new InvalidFormatException(ResBundleUtils.rbName, "policy_realm_does_not_match", realmNames, null, realmName, PolicyException.POLICY));
    }
    validateForResourcePrefix(policy);
    validateReferrals(policy);
    String testCreatedBy = policy.getCreatedBy();
    //testCreatedBy is set if we are doing policy replaced.
    if ((testCreatedBy == null) || (testCreatedBy.length() == 0)) {
        Date creationDate = new Date();
        policy.setCreatedBy(token.getPrincipal().getName());
        policy.setCreationDate(creationDate.getTime());
        policy.setLastModifiedBy(token.getPrincipal().getName());
        policy.setLastModifiedDate(creationDate.getTime());
    }
    // Construct the named policy
    String policyXml = policy.toXML();
    Map attrs = new HashMap();
    Set set = new HashSet();
    set.add(policyXml);
    attrs.put(POLICY_XML, set);
    // Get(create if necessary) ou=policies entry
    ServiceConfig namedPolicy = createOrGetPolicyConfig(NAMED_POLICY, NAMED_POLICY, scm, org);
    try {
        //create the policy entry
        namedPolicy.addSubConfig(policy.getName(), NAMED_POLICY_ID, 0, attrs);
        if (isMigratedToEntitlementService()) {
            PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(adminSubject, realmName);
            Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
            pis.add(privileges);
            policyCache.sendPolicyChangeNotification(null, policy, ServiceListener.ADDED);
        } else {
            // do the addition in resources tree
            //rm.addPolicyToResourceTree(policy);
            rim.addPolicyToResourceTree(svtm, token, policy);
        }
    } catch (EntitlementException e) {
        String[] objs = { policy.getName(), org };
        throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, e));
    } catch (ServiceAlreadyExistsException e) {
        String[] objs = { policy.getName(), org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("POLICY_ALREADY_EXISTS_IN_REALM", objs, token);
        }
        throw (new NameAlreadyExistsException(ResBundleUtils.rbName, "policy_already_exists_in_org", objs, policy.getName(), PolicyException.POLICY));
    } catch (SMSException se) {
        String[] objs = { policy.getName(), org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_ADD_POLICY", objs, token);
        }
        debug.error("SMS error in add policy: " + policy.getName() + " for org: " + org, se);
        // Check for permission exception
        if (se.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, se));
        }
    }
    if (PolicyUtils.logStatus) {
        String[] objs = { policy.getName(), org };
        PolicyUtils.logAccessMessage("POLICY_CREATE_SUCCESS", objs, token);
    }
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) PrivilegeIndexStore(com.sun.identity.entitlement.PrivilegeIndexStore) HashMap(java.util.HashMap) SMSException(com.sun.identity.sm.SMSException) Date(java.util.Date) ServiceAlreadyExistsException(com.sun.identity.sm.ServiceAlreadyExistsException) EntitlementException(com.sun.identity.entitlement.EntitlementException) ServiceConfig(com.sun.identity.sm.ServiceConfig) IPrivilege(com.sun.identity.entitlement.IPrivilege) Map(java.util.Map)
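Two things in addPolicy above are worth noticing from a consistency standpoint. First, the subject-realm check runs before anything is written, so a policy whose subjects belong to another realm is rejected up front. Second, the write is two-phase: the policy XML goes into the SMS sub-configuration first, and only afterwards, on a deployment migrated to the entitlement service, are the derived privileges pushed into PrivilegeIndexStore. If pis.add throws EntitlementException the caller gets unable_to_add_policy, but the catch block does not remove the sub-configuration that was already created, so the authoritative store and the index that evaluation reads can disagree. The following is an added example, not OpenAM code: it keeps the same checks and ordering but compensates when the second phase fails. The ConsistentPolicyStore class, its IndexException and NoPermissionException stand-ins, and the in-memory maps are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example (not OpenAM code): a two-phase policy add that rolls back on index failure. */
public class ConsistentPolicyStore {

    /** Stands in for EntitlementException thrown by PrivilegeIndexStore.add. */
    public static class IndexException extends Exception {
        public IndexException(String msg) { super(msg); }
    }

    /** Stands in for NoPermissionException (insufficient_access_rights). */
    public static class NoPermissionException extends Exception {
        public NoPermissionException(String msg) { super(msg); }
    }

    /** Authoritative store: policy name -> policy XML (the ou=policies sub-config in OpenAM). */
    private final Map<String, String> namedPolicies = new HashMap<>();
    /** Evaluation index: policy name -> derived privilege ids (the PrivilegeIndexStore in OpenAM). */
    private final Map<String, Set<String>> privilegeIndex = new HashMap<>();
    /** Constructed fault injection: names whose indexing is made to fail. */
    private final Set<String> failIndexFor = new HashSet<>();

    private final String realm;
    private final boolean migratedToEntitlementService;

    public ConsistentPolicyStore(String realm, boolean migrated) {
        this.realm = realm;
        this.migratedToEntitlementService = migrated;
    }

    public void failIndexingOf(String policyName) { failIndexFor.add(policyName); }

    /**
     * Same guards as PolicyManager.addPolicy (permission, subject realm, unique name),
     * then record first and index second. Unlike the original, an indexing failure
     * removes the record that was just written so store and index never disagree.
     */
    public void addPolicy(String name, String subjectRealm, String policyXml,
                          Set<String> privilegeIds, boolean callerMayWrite)
            throws NoPermissionException, IndexException {
        if (!callerMayWrite) {
            throw new NoPermissionException("insufficient_access_rights");
        }
        if (subjectRealm != null && !subjectRealm.equals(realm)) {
            throw new IllegalArgumentException("policy_realm_does_not_match: " + realm + " vs " + subjectRealm);
        }
        if (namedPolicies.containsKey(name)) {
            throw new IllegalStateException("policy_already_exists_in_org: " + name);
        }
        namedPolicies.put(name, policyXml);            // phase 1: durable record
        if (!migratedToEntitlementService) {
            return;                                    // legacy resource-tree path; nothing to index here
        }
        try {
            indexPrivileges(name, privilegeIds);       // phase 2: evaluation index
        } catch (IndexException e) {
            namedPolicies.remove(name);                // compensate: no unindexed policy left behind
            throw e;
        }
    }

    private void indexPrivileges(String name, Set<String> ids) throws IndexException {
        if (failIndexFor.contains(name)) {
            throw new IndexException("unable_to_add_policy: " + name);
        }
        privilegeIndex.put(name, new HashSet<>(ids));
    }

    /** True when the set of stored policies equals the set of indexed ones. */
    public boolean isConsistent() {
        return !migratedToEntitlementService || namedPolicies.keySet().equals(privilegeIndex.keySet());
    }

    public boolean hasPolicy(String name) { return namedPolicies.containsKey(name); }

    public static void main(String[] args) throws Exception {
        ConsistentPolicyStore store = new ConsistentPolicyStore("/", true);
        Set<String> ids = new HashSet<>();
        ids.add("allow-ops/1");
        store.addPolicy("allow-ops", "/", "<Policy name=\"allow-ops\"/>", ids, true);
        store.failIndexingOf("broken");
        try {
            store.addPolicy("broken", "/", "<Policy name=\"broken\"/>", ids, true);
        } catch (IndexException expected) {
            // phase 2 failed; phase 1 was rolled back
        }
        System.out.println("stored broken? " + store.hasPolicy("broken") + ", consistent? " + store.isConsistent());
    }
}
```

Run it as `javac ConsistentPolicyStore.java && java ConsistentPolicyStore`; it reports that the policy whose indexing failed is not present and that the store is consistent. In OpenAM itself the equivalent compensation would be a removeSubConfig of the entry created by addSubConfig inside the EntitlementException handler.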

Example 12 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method getSubResourceRelatedPrivileges.

private void getSubResourceRelatedPrivileges() throws EntitlementException {
    if (!bPolicyAdmin) {
        Set<String> applNames = new HashSet<String>();
        applNames.addAll(readables.getApplications());
        applNames.addAll(modifiables.getApplications());
        applNames.addAll(delegatables.getApplications());
        if (!applNames.isEmpty()) {
            Set<String> hostIndex = new HashSet<String>();
            hostIndex.add("://" + DNMapper.orgNameToDN(realm));
            Set<String> pathParentIndexes = new HashSet<String>();
            for (String applName : applNames) {
                pathParentIndexes.add(RESOURCE_PREFIX + "/" + applName);
            }
            ResourceSearchIndexes rIndex = new ResourceSearchIndexes(hostIndex, null, pathParentIndexes);
            OpenSSOIndexStore db = new OpenSSOIndexStore(dsameUserSubject, getHiddenRealmDN());
            Iterator<IPrivilege> results = db.search("/", rIndex, Collections.EMPTY_SET, true, false);
            while (results.hasNext()) {
                Privilege p = (Privilege) results.next();
                delegatables.evaluate(p, true);
                modifiables.evaluate(p, true);
                readables.evaluate(p, true);
            }
        }
    }
}
Also used : IPrivilege(com.sun.identity.entitlement.IPrivilege) ResourceSearchIndexes(com.sun.identity.entitlement.ResourceSearchIndexes) ApplicationPrivilege(com.sun.identity.entitlement.ApplicationPrivilege) Privilege(com.sun.identity.entitlement.Privilege) ReferralPrivilege(com.sun.identity.entitlement.ReferralPrivilege) HashSet(java.util.HashSet)

Example 13 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

the class PolicyPrivilegeManager method findByName.

@Override
public Privilege findByName(String privilegeName, Subject adminSubject) throws EntitlementException {
    if (privilegeName == null) {
        throw new EntitlementException(12);
    }
    Privilege privilege = null;
    try {
        if (!migratedToEntitlementSvc) {
            Policy policy = pm.getPolicy(privilegeName);
            Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
            Iterator<IPrivilege> it = privileges.iterator();
            if (it.hasNext()) {
                IPrivilege searchResult = it.next();
                privilege = (Privilege) searchResult;
            }
        } else {
            PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(adminSubject, getRealm());
            privilege = (Privilege) pis.getPrivilege(privilegeName);
            if (privilege == null) {
                throw new EntitlementException(EntitlementException.NO_SUCH_POLICY, new Object[] { privilegeName });
            }
        }
        if (adminSubject != PrivilegeManager.superAdminSubject) {
            if (privilege != null) {
                // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
                ApplicationPrivilegeManager applPrivilegeMgr = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
                if (applPrivilegeMgr == null) {
                    return null;
                }
                if (!applPrivilegeMgr.hasPrivilege(privilege, ApplicationPrivilege.Action.READ)) {
                    throw new EntitlementException(326);
                }
            }
        }
    } catch (PolicyException pe) {
        throw new EntitlementException(102, pe);
    } catch (SSOException ssoe) {
        throw new EntitlementException(102, ssoe);
    }
    return privilege;
}
Also used : Policy(com.sun.identity.policy.Policy) EntitlementException(com.sun.identity.entitlement.EntitlementException) PrivilegeIndexStore(com.sun.identity.entitlement.PrivilegeIndexStore) PolicyException(com.sun.identity.policy.PolicyException) IPrivilege(com.sun.identity.entitlement.IPrivilege) SSOException(com.iplanet.sso.SSOException) ApplicationPrivilegeManager(com.sun.identity.entitlement.ApplicationPrivilegeManager) ApplicationPrivilege(com.sun.identity.entitlement.ApplicationPrivilege) Privilege(com.sun.identity.entitlement.Privilege)
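findByName above resolves the privilege first and only then asks ApplicationPrivilegeManager whether the calling subject holds READ on it; the super-admin subject (compared by identity) skips that check entirely. Two branches are quieter than the rest: when the manager cannot be obtained the method returns null, which a caller cannot distinguish from "not found", and on a deployment not yet migrated to the entitlement service a missing policy also yields null instead of NO_SUCH_POLICY. The following is an added example, not OpenAM code: it keeps the fetch-then-authorize shape and the error code 326 from the listing, but fails closed in both quiet cases. The GuardedPrivilegeLookup class, the Subject, Privilege and ReadChecker stand-ins, the value of NO_SUCH_POLICY, and the sample application names are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example (not OpenAM code): name lookup gated by a post-fetch READ check that fails closed. */
public class GuardedPrivilegeLookup {

    public static final int NULL_NAME = 12;            // same code findByName uses for a null name
    public static final int NO_SUCH_POLICY = 204;      // hypothetical value, stands in for EntitlementException.NO_SUCH_POLICY
    public static final int NO_READ_PERMISSION = 326;  // same code findByName uses when READ is denied

    public static class EntitlementException extends Exception {
        public final int code;
        public EntitlementException(int code, String detail) {
            super(code + ": " + detail);
            this.code = code;
        }
    }

    /** Minimal stand-in for javax.security.auth.Subject: just an identity name. */
    public static final class Subject {
        public final String name;
        public Subject(String name) { this.name = name; }
    }

    /** Minimal stand-in for Privilege: its name and the application it belongs to. */
    public static final class Privilege {
        public final String name;
        public final String application;
        public Privilege(String name, String application) { this.name = name; this.application = application; }
    }

    /** Stand-in for ApplicationPrivilegeManager.hasPrivilege(p, ApplicationPrivilege.Action.READ). */
    public interface ReadChecker { boolean canRead(Subject who, Privilege p); }

    public static final Subject SUPER_ADMIN = new Subject("superadmin");

    private final Map<String, Privilege> byName = new HashMap<>();
    private final ReadChecker checker; // may be null, like applPrivilegeMgr in the original

    public GuardedPrivilegeLookup(ReadChecker checker) { this.checker = checker; }

    public void store(Privilege p) { byName.put(p.name, p); }

    public Privilege findByName(String privilegeName, Subject adminSubject) throws EntitlementException {
        if (privilegeName == null) {
            throw new EntitlementException(NULL_NAME, "privilege name is null");
        }
        Privilege privilege = byName.get(privilegeName);
        if (privilege == null) {
            // fail closed in every branch, not only the migrated one
            throw new EntitlementException(NO_SUCH_POLICY, privilegeName);
        }
        if (adminSubject == SUPER_ADMIN) {
            return privilege; // identity comparison, exactly as the original does
        }
        if (checker == null) {
            // original returns null here; an absent authorizer should deny, not look like "not found"
            throw new EntitlementException(NO_READ_PERMISSION, "no application privilege manager for " + privilegeName);
        }
        if (!checker.canRead(adminSubject, privilege)) {
            throw new EntitlementException(NO_READ_PERMISSION, privilegeName);
        }
        return privilege;
    }

    public static void main(String[] args) throws Exception {
        // constructed sample: subject "ops" may read privileges of application "webAgents" only
        ReadChecker checker = (who, p) -> "ops".equals(who.name) && "webAgents".equals(p.application);
        GuardedPrivilegeLookup lookup = new GuardedPrivilegeLookup(checker);
        lookup.store(new Privilege("web-policy", "webAgents"));
        lookup.store(new Privilege("api-policy", "restApi"));

        System.out.println(lookup.findByName("web-policy", new Subject("ops")).name);  // web-policy
        System.out.println(lookup.findByName("api-policy", SUPER_ADMIN).name);         // api-policy
        try {
            lookup.findByName("api-policy", new Subject("ops"));
        } catch (EntitlementException e) {
            System.out.println("denied with code " + e.code);                        // 326
        }
        try {
            new GuardedPrivilegeLookup(null).findByName("web-policy", new Subject("ops"));
        } catch (EntitlementException e) {
            System.out.println("no authorizer, denied with code " + e.code);         // 326
        }
    }
}
```

The point of the example is where the check sits: reading the privilege by name and then denying it is fine as long as every non-success path ends in an exception, because a null return from a lookup tends to be treated by callers as "absent" rather than "forbidden".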

Example 14 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

the class OpenSSOApplicationPrivilegeManager method getPrivileges.

private void getPrivileges() throws EntitlementException {
    Set<String> hostIndex = new HashSet<String>();
    hostIndex.add("://" + DNMapper.orgNameToDN(realm));
    Set<String> pathParentIndex = new HashSet<String>();
    pathParentIndex.add(RESOURCE_PREFIX);
    ResourceSearchIndexes rIndex = new ResourceSearchIndexes(hostIndex, null, pathParentIndex);
    SubjectAttributesManager sam = SubjectAttributesManager.getInstance(dsameUserSubject);
    Set<String> subjectIndex = (bPolicyAdmin) ? Collections.EMPTY_SET : sam.getSubjectSearchFilter(caller, APPL_NAME);
    OpenSSOIndexStore db = new OpenSSOIndexStore(dsameUserSubject, getHiddenRealmDN());
    Iterator<IPrivilege> results = db.search("/", rIndex, subjectIndex, true, false);
    while (results.hasNext()) {
        Privilege p = (Privilege) results.next();
        if (bPolicyAdmin || doesSubjectMatch(p, resourcePrefix)) {
            delegatables.evaluate(p);
            modifiables.evaluate(p);
            readables.evaluate(p);
        }
    }
}
Also used : SubjectAttributesManager(com.sun.identity.entitlement.SubjectAttributesManager) IPrivilege(com.sun.identity.entitlement.IPrivilege) ResourceSearchIndexes(com.sun.identity.entitlement.ResourceSearchIndexes) ApplicationPrivilege(com.sun.identity.entitlement.ApplicationPrivilege) Privilege(com.sun.identity.entitlement.Privilege) ReferralPrivilege(com.sun.identity.entitlement.ReferralPrivilege) HashSet(java.util.HashSet)

Example 15 with IPrivilege

use of com.sun.identity.entitlement.IPrivilege in project OpenAM by OpenRock.

the class PrivilegePolicyMapping method policyToPrivilege.

@Test
public void policyToPrivilege() throws Exception {
    Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
    if (privileges.isEmpty()) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: cannot get privilege");
    }
    privilege = (Privilege) privileges.iterator().next();
    EntitlementCondition cond = privilege.getCondition();
    if (!(cond instanceof OrCondition)) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition is not OR condition");
    }
    OrCondition pOrCond = (OrCondition) cond;
    for (EntitlementCondition ec : pOrCond.getEConditions()) {
        if (!(ec instanceof PolicyCondition)) {
            throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition is not policy condition");
        }
        PolicyCondition pCond = (PolicyCondition) ec;
        Map<String, Set<String>> pCondProp = pCond.getProperties();
        if (!pCondProp.equals(ipConditionEnvMap) && !pCondProp.equals(ipConditionEnvMap1)) {
            throw new Exception("PrivilegePolicyMapping.policyToPrivilege: condition values are not correct");
        }
    }
    EntitlementSubject sbj = privilege.getSubject();
    if (!(sbj instanceof PolicySubject)) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject is not privilege subject");
    }
    PolicySubject pSbj = (PolicySubject) sbj;
    Set pSbjValue = pSbj.getValues();
    if ((pSbjValue == null) || pSbjValue.isEmpty()) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject value is empty");
    }
    if (!pSbjValue.contains(testUser.getUniversalId())) {
        throw new Exception("PrivilegePolicyMapping.policyToPrivilege: subject value is incorrect");
    }
}
Also used : EntitlementSubject(com.sun.identity.entitlement.EntitlementSubject) EntitlementCondition(com.sun.identity.entitlement.EntitlementCondition) HashSet(java.util.HashSet) Set(java.util.Set) IPrivilege(com.sun.identity.entitlement.IPrivilege) OrCondition(com.sun.identity.entitlement.OrCondition) PolicyException(com.sun.identity.policy.PolicyException) Test(org.testng.annotations.Test)

Aggregations

IPrivilege (com.sun.identity.entitlement.IPrivilege)16 HashSet (java.util.HashSet)10 EntitlementException (com.sun.identity.entitlement.EntitlementException)9 Privilege (com.sun.identity.entitlement.Privilege)9 SSOToken (com.iplanet.sso.SSOToken)7 ReferralPrivilege (com.sun.identity.entitlement.ReferralPrivilege)7 SSOException (com.iplanet.sso.SSOException)6 SMSException (com.sun.identity.sm.SMSException)6 PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore)5 PolicyException (com.sun.identity.policy.PolicyException)5 Set (java.util.Set)5 ApplicationPrivilege (com.sun.identity.entitlement.ApplicationPrivilege)4 ApplicationPrivilegeManager (com.sun.identity.entitlement.ApplicationPrivilegeManager)4 HashMap (java.util.HashMap)4 EntitlementSubject (com.sun.identity.entitlement.EntitlementSubject)3 ResourceSearchIndexes (com.sun.identity.entitlement.ResourceSearchIndexes)3 Policy (com.sun.identity.policy.Policy)3 SMSEntry (com.sun.identity.sm.SMSEntry)3 Test (org.testng.annotations.Test)3 EntitlementCondition (com.sun.identity.entitlement.EntitlementCondition)2