Example 6 with PrivilegeIndexStore

Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.

From class PolicyManager, method addPolicy.

/**
 * Adds a policy to the data store.
 *
 * @param policy policy object to be added to the organization
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to add policy
 * @throws InvalidFormatException the data in the policy object
 *         has been corrupted or does not have a valid format
 * @throws NameAlreadyExistsException a policy with the same
 *         name already exists
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void addPolicy(Policy policy) throws SSOException, NameAlreadyExistsException, NoPermissionException, InvalidFormatException, PolicyException {
    String realmName = getOrganizationDN();
    // TODO: handle non-DN realm names
    realmName = LDAPUtils.formatToRFC(realmName);
    String subjectRealm = policy.getSubjectRealm();
    String[] realmNames = { realmName, subjectRealm };
    if ((subjectRealm != null) && !subjectRealm.equals(realmName)) {
        if (debug.messageEnabled()) {
            debug.message("Can not add policy in realm :" + realmName + ", policy has realm subjects " + " from realm : " + subjectRealm);
        }
        throw (new InvalidFormatException(ResBundleUtils.rbName, "policy_realm_does_not_match", realmNames, null, realmName, PolicyException.POLICY));
    }
    validateForResourcePrefix(policy);
    validateReferrals(policy);
    String testCreatedBy = policy.getCreatedBy();
    // testCreatedBy is already set when this is called as part of a policy replace
    if ((testCreatedBy == null) || (testCreatedBy.length() == 0)) {
        Date creationDate = new Date();
        policy.setCreatedBy(token.getPrincipal().getName());
        policy.setCreationDate(creationDate.getTime());
        policy.setLastModifiedBy(token.getPrincipal().getName());
        policy.setLastModifiedDate(creationDate.getTime());
    }
    // Construct the named policy
    String policyXml = policy.toXML();
    Map attrs = new HashMap();
    Set set = new HashSet();
    set.add(policyXml);
    attrs.put(POLICY_XML, set);
    // Get(create if necessary) ou=policies entry
    ServiceConfig namedPolicy = createOrGetPolicyConfig(NAMED_POLICY, NAMED_POLICY, scm, org);
    try {
        // create the policy entry
        namedPolicy.addSubConfig(policy.getName(), NAMED_POLICY_ID, 0, attrs);
        if (isMigratedToEntitlementService()) {
            PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(adminSubject, realmName);
            Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
            pis.add(privileges);
            policyCache.sendPolicyChangeNotification(null, policy, ServiceListener.ADDED);
        } else {
            // do the addition in resources tree
            //rm.addPolicyToResourceTree(policy);
            rim.addPolicyToResourceTree(svtm, token, policy);
        }
    } catch (EntitlementException e) {
        String[] objs = { policy.getName(), org };
        throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, e));
    } catch (ServiceAlreadyExistsException e) {
        String[] objs = { policy.getName(), org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("POLICY_ALREADY_EXISTS_IN_REALM", objs, token);
        }
        throw (new NameAlreadyExistsException(ResBundleUtils.rbName, "policy_already_exists_in_org", objs, policy.getName(), PolicyException.POLICY));
    } catch (SMSException se) {
        String[] objs = { policy.getName(), org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_ADD_POLICY", objs, token);
        }
        debug.error("SMS error in add policy: " + policy.getName() + " for org: " + org, se);
        // Check for permission exception
        if (se.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, se));
        }
    }
    if (PolicyUtils.logStatus) {
        String[] objs = { policy.getName(), org };
        PolicyUtils.logAccessMessage("POLICY_CREATE_SUCCESS", objs, token);
    }
}
Also used: Set (java.util.Set), HashSet (java.util.HashSet), PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore), HashMap (java.util.HashMap), SMSException (com.sun.identity.sm.SMSException), Date (java.util.Date), ServiceAlreadyExistsException (com.sun.identity.sm.ServiceAlreadyExistsException), EntitlementException (com.sun.identity.entitlement.EntitlementException), ServiceConfig (com.sun.identity.sm.ServiceConfig), IPrivilege (com.sun.identity.entitlement.IPrivilege), Map (java.util.Map)

Example 7 with PrivilegeIndexStore

Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.

From class PolicyManager, method replacePolicy.

/**
 * Replaces a policy object in the data store with the same policy name.
 *
 * @param policy policy object to be added to the organization
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to replace policy
 * @throws NameNotFoundException policy with the same name does
 *         not exist
 * @throws InvalidFormatException the provided policy from the
 *         data store has been corrupted or does not have a valid format
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void replacePolicy(Policy policy) throws SSOException, NameNotFoundException, NoPermissionException, InvalidFormatException, PolicyException {
    String realm = getOrganizationDN();
    String subjectRealm = policy.getSubjectRealm();
    String[] realmNames = { realm, subjectRealm };
    if ((subjectRealm != null) && !subjectRealm.equals(realm)) {
        if (debug.messageEnabled()) {
            debug.message("Can not replace policy in realm :" + realm + ", policy has realm subjects " + " from realm : " + subjectRealm);
        }
        throw (new InvalidFormatException(ResBundleUtils.rbName, "policy_realm_does_not_match", realmNames, null, realm, PolicyException.POLICY));
    }
    policy.setLastModifiedBy(token.getPrincipal().getName());
    Date lastModifiedDate = new Date();
    policy.setLastModifiedDate(lastModifiedDate.getTime());
    // Construct the named policy
    String policyXml = policy.toXML();
    Map attrs = new HashMap();
    Set set = new HashSet();
    set.add(policyXml);
    attrs.put(POLICY_XML, set);
    String name = null;
    // Get(create if necessary) ou=policies entry
    ServiceConfig namedPolicy = createOrGetPolicyConfig(NAMED_POLICY, NAMED_POLICY, scm, org);
    try {
        String policyName = policy.getName();
        String oldPolicyName = policy.getOriginalName();
        ServiceConfig policyEntry = namedPolicy.getSubConfig(policyName);
        ServiceConfig oldPolicyEntry = null;
        if (oldPolicyName != null) {
            oldPolicyEntry = namedPolicy.getSubConfig(oldPolicyName);
            name = oldPolicyName;
        } else {
            name = policy.getName();
        }
        if (policyEntry == null) {
            if (oldPolicyEntry != null) {
                removePolicy(oldPolicyName);
                addPolicy(policy);
                // reset the policy name
                // TODO: need to think this through
                policy.resetOriginalName();
            } else {
                // neither the new policy nor the old policy is present
                String[] objs = { policy.getName(), org };
                throw (new NameNotFoundException(ResBundleUtils.rbName, "policy_not_found_in_organization", objs, policy.getName(), PolicyException.POLICY));
            }
        } else {
            // an entry with the new policy name already exists
            String[] objs = { policy.getName(), org };
            if ((oldPolicyName != null) && !policy.getName().equalsIgnoreCase(oldPolicyName)) {
                if (PolicyUtils.logStatus) {
                    PolicyUtils.logErrorMessage("DID_NOT_REPLACE_POLICY", objs, token);
                }
                throw (new NameAlreadyExistsException(ResBundleUtils.rbName, "policy_already_exists_in_org", objs, policy.getName(), PolicyException.POLICY));
            }
            Policy oldPolicy = getPolicy(policy.getName());
            validateForResourcePrefix(policy);
            validateReferrals(policy);
            policyEntry.setAttributes(attrs);
            if (oldPolicy != null) {
                // Acquire lock to ensure atomicity when updating policy.
                Lock lock = lockFactory.acquireLock(policyName);
                try {
                    lock.lock();
                    if (isMigratedToEntitlementService()) {
                        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(SubjectUtils.createSubject(token), realm);
                        pis.delete(PrivilegeUtils.policyToPrivileges(oldPolicy));
                        pis.add(PrivilegeUtils.policyToPrivileges(policy));
                    } else {
                        rim.replacePolicyInResourceTree(svtm, token, oldPolicy, policy);
                    }
                } finally {
                    lock.unlock();
                }
                policyCache.sendPolicyChangeNotification(oldPolicy, policy, ServiceListener.MODIFIED);
            }
        }
    } catch (EntitlementException e) {
        String[] objs = { name, org };
        throw (new PolicyException(ResBundleUtils.rbName, "unable_to_replace_policy", objs, e));
    } catch (SMSException se) {
        String[] objs = { name, org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_REPLACE_POLICY", objs, token);
        }
        debug.error("SMS error in replacing policy: " + policy.getOriginalName() + " for org: " + org, se);
        // Check for permission exception
        if (se.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_replace_policy", objs, se));
        }
    }
    if (PolicyUtils.logStatus) {
        String[] objs = { name, org };
        PolicyUtils.logAccessMessage("POLICY_MODIFY_SUCCESS", objs, token);
    }
}
Also used: Set (java.util.Set), HashSet (java.util.HashSet), PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore), HashMap (java.util.HashMap), SMSException (com.sun.identity.sm.SMSException), Date (java.util.Date), Lock (java.util.concurrent.locks.Lock), EntitlementException (com.sun.identity.entitlement.EntitlementException), ServiceConfig (com.sun.identity.sm.ServiceConfig), Map (java.util.Map)

Example 8 with PrivilegeIndexStore

Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.

From class PolicyManager, method removePolicy.

/**
 * Deletes a policy in the organization with the given name.
 *
 * @param policyName name of the policy to be deleted
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to remove policies
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void removePolicy(String policyName) throws SSOException, NoPermissionException, PolicyException {
    // Check if name is valid
    if (policyName == null) {
        if (debug.warningEnabled()) {
            debug.warning("In PolicyManager::removePolicy(), name is null");
        }
        throw (new InvalidNameException(ResBundleUtils.rbName, "null_name", null, "null", PolicyException.POLICY));
    }
    try {
        // Get service config for named policy node
        ServiceConfig oConfig = scm.getOrganizationConfig(org, null);
        ServiceConfig namedPolicy = (oConfig == null) ? null : oConfig.getSubConfig(NAMED_POLICY);
        if (namedPolicy != null) {
            /*
             * Look up the policy before removing the named policy entry,
             * so the resources tree or the privilege index store can be
             * updated afterwards.
             */
            Policy policy = getPolicy(policyName);
            // remove the policy entry
            namedPolicy.removeSubConfig(policyName);
            if (policy != null) {
                if (isMigratedToEntitlementService()) {
                    // the super admin subject is required to remove the index store entry
                    PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(SubjectUtils.createSuperAdminSubject(), getOrganizationDN());
                    if (policy.isReferralPolicy()) {
                        pis.deleteReferral((policyName));
                    } else {
                        pis.delete(PrivilegeUtils.policyToPrivileges(policy));
                    }
                    policyCache.sendPolicyChangeNotification(null, policy, ServiceListener.REMOVED);
                } else {
                    // do the removal in resources tree
                    rim.removePolicyFromResourceTree(svtm, token, policy);
                }
            }
        }
    } catch (EntitlementException e) {
        debug.error("Error while removing policy : " + e.getMessage());
    } catch (ServiceNotFoundException snfe) {
        debug.error("Error while removing policy : " + snfe.getMessage());
    } catch (SMSException smse) {
        String[] objs = { policyName, org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_REMOVE_POLICY", objs, token);
        }
        debug.error("SMS error in deleting policy: " + policyName + " for org: " + org, smse);
        // Check for permission exception
        if (smse.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_remove_policy", objs, smse));
        }
    }
    String[] objs = { policyName, org };
    if (PolicyUtils.logStatus) {
        PolicyUtils.logAccessMessage("POLICY_REMOVE_SUCCESS", objs, token);
    }
}
Also used: EntitlementException (com.sun.identity.entitlement.EntitlementException), PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore), ServiceConfig (com.sun.identity.sm.ServiceConfig), SMSException (com.sun.identity.sm.SMSException), ServiceNotFoundException (com.sun.identity.sm.ServiceNotFoundException)

Example 9 with PrivilegeIndexStore

Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.

From class OpenSSOPolicyDataStore, method removePrivilege.

public void removePrivilege(Subject subject, String realm, Privilege privilege) throws EntitlementException {
    SSOToken adminToken = SubjectUtils.getSSOToken(subject);
    String name = privilege.getName();
    if (adminToken == null) {
        Object[] params = { name };
        throw new EntitlementException(211, params);
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager applPrivilegeMgr = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!applPrivilegeMgr.hasPrivilege(privilege, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    try {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_REMOVE_PRIVILEGE", logParams, subject);
        // Remove from privilege index store first
        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        pis.delete(name);
        // Only remove from legacy policy store if the policy still exists. This can happen if an old policy
        // had multiple rules (= multiple privileges in new store) and one of the new privileges for that policy
        // has been deleted, which deletes the entire legacy policy.
        String dn = findLegacyPolicyDn(dsameUserToken, realm, name);
        if (dn != null) {
            SMSEntry s = new SMSEntry(dsameUserToken, dn);
            s.delete();
        } else {
            debug("Unable to find legacy policy for privilege %s in realm %s", name, realm);
        }
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_REMOVE_PRIVILEGE", logParams, subject);
    } catch (SSOException ex) {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name, ex.getMessage() };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_PRIVILEGE", logParams, subject);
        Object[] params = { name };
        throw new EntitlementException(205, params, ex);
    } catch (SMSException ex) {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name, ex.getMessage() };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_PRIVILEGE", logParams, subject);
        Object[] params = { name };
        throw new EntitlementException(205, params, ex);
    }
}
Also used: EntitlementException (com.sun.identity.entitlement.EntitlementException), SSOToken (com.iplanet.sso.SSOToken), PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore), SMSException (com.sun.identity.sm.SMSException), SMSEntry (com.sun.identity.sm.SMSEntry), SSOException (com.iplanet.sso.SSOException), ApplicationPrivilegeManager (com.sun.identity.entitlement.ApplicationPrivilegeManager)

Example 10 with PrivilegeIndexStore

Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.

From class OpenSSOPolicyDataStore, method removeReferral.

public void removeReferral(Subject subject, String realm, ReferralPrivilege referral) throws EntitlementException {
    SSOToken adminToken = SubjectUtils.getSSOToken(subject);
    String name = referral.getName();
    if (adminToken == null) {
        Object[] params = { name };
        throw new EntitlementException(266, params);
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager applPrivilegeMgr = ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!applPrivilegeMgr.hasPrivilege(referral, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    String dn = getPolicyDistinguishedName(realm, name);
    if (!SMSEntry.checkIfEntryExists(dn, dsameUserToken)) {
        Object[] params = { name };
        throw new EntitlementException(263, params);
    }
    try {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "ATTEMPT_REMOVE_REFERRAL", logParams, subject);
        SMSEntry s = new SMSEntry(dsameUserToken, dn);
        s.delete();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO, "SUCCEEDED_REMOVE_REFERRAL", logParams, subject);
        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        pis.deleteReferral(name);
    } catch (SSOException ex) {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name, ex.getMessage() };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_REFERRAL", logParams, subject);
        Object[] params = { name };
        throw new EntitlementException(205, params, ex);
    } catch (SMSException ex) {
        String[] logParams = { DNMapper.orgNameToRealmName(realm), name, ex.getMessage() };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_REFERRAL", logParams, subject);
        Object[] params = { name };
        throw new EntitlementException(205, params, ex);
    }
}
Also used: EntitlementException (com.sun.identity.entitlement.EntitlementException), SSOToken (com.iplanet.sso.SSOToken), PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore), SMSException (com.sun.identity.sm.SMSException), SMSEntry (com.sun.identity.sm.SMSEntry), SSOException (com.iplanet.sso.SSOException), ApplicationPrivilegeManager (com.sun.identity.entitlement.ApplicationPrivilegeManager)

Aggregations (class, with the number of examples on this page that use it)

EntitlementException (com.sun.identity.entitlement.EntitlementException): 11
PrivilegeIndexStore (com.sun.identity.entitlement.PrivilegeIndexStore): 11
SMSException (com.sun.identity.sm.SMSException): 7
SSOException (com.iplanet.sso.SSOException): 6
ApplicationPrivilegeManager (com.sun.identity.entitlement.ApplicationPrivilegeManager): 5
IPrivilege (com.sun.identity.entitlement.IPrivilege): 5
HashSet (java.util.HashSet): 5
SSOToken (com.iplanet.sso.SSOToken): 4
SMSEntry (com.sun.identity.sm.SMSEntry): 4
HashMap (java.util.HashMap): 4
Set (java.util.Set): 4
Policy (com.sun.identity.policy.Policy): 3
PolicyException (com.sun.identity.policy.PolicyException): 3
ServiceConfig (com.sun.identity.sm.ServiceConfig): 3
Privilege (com.sun.identity.entitlement.Privilege): 2
Date (java.util.Date): 2
Map (java.util.Map): 2
ApplicationPrivilege (com.sun.identity.entitlement.ApplicationPrivilege): 1
ResourceSearchIndexes (com.sun.identity.entitlement.ResourceSearchIndexes): 1
ServiceAlreadyExistsException (com.sun.identity.sm.ServiceAlreadyExistsException): 1