Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.
Class PolicyManager, method addPolicy.
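/**
 * Adds a policy to the data store.
 *
 * <p>The policy is first checked against this manager's organization: a policy
 * whose subject realm is set and differs from the organization's realm is
 * rejected before anything is written. Resource prefixes and referrals are then
 * validated. If the policy carries no {@code createdBy} value (it already does
 * when this call is made as part of a replace), creation and last-modified
 * metadata are stamped from the caller's token. Finally the policy XML is stored
 * as a sub-configuration under the {@code NAMED_POLICY} node and, depending on
 * whether the deployment has been migrated to the entitlement service, either
 * indexed in the {@link PrivilegeIndexStore} and announced through the policy
 * cache, or registered in the legacy resource tree.
 *
 * @param policy policy object to be added to the organization
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to add policy
 * @throws InvalidFormatException the data in the policy object
 *         has been corrupted or does not have a valid format, including a
 *         subject realm that does not match this organization
 * @throws NameAlreadyExistsException a policy with the same
 *         name already exists
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void addPolicy(Policy policy) throws SSOException, NameAlreadyExistsException,
        NoPermissionException, InvalidFormatException, PolicyException {
    String realmName = getOrganizationDN();
    //TODO: handle non DNs/
    realmName = LDAPUtils.formatToRFC(realmName);

    // Subjects from another realm must not be stored under this organization.
    String subjectRealm = policy.getSubjectRealm();
    if ((subjectRealm != null) && !subjectRealm.equals(realmName)) {
        if (debug.messageEnabled()) {
            debug.message("Can not add policy in realm :" + realmName
                    + ", policy has realm subjects " + " from realm : " + subjectRealm);
        }
        String[] realmNames = { realmName, subjectRealm };
        throw (new InvalidFormatException(ResBundleUtils.rbName, "policy_realm_does_not_match",
                realmNames, null, realmName, PolicyException.POLICY));
    }

    validateForResourcePrefix(policy);
    validateReferrals(policy);

    // createdBy is already populated when a policy is being replaced; only a
    // genuinely new policy gets fresh creation/modification metadata.
    String testCreatedBy = policy.getCreatedBy();
    if ((testCreatedBy == null) || testCreatedBy.isEmpty()) {
        long now = System.currentTimeMillis();
        String principal = token.getPrincipal().getName();
        policy.setCreatedBy(principal);
        policy.setCreationDate(now);
        policy.setLastModifiedBy(principal);
        policy.setLastModifiedDate(now);
    }

    // Construct the named policy: the serialised XML becomes the single value
    // of the POLICY_XML attribute on the new sub-configuration.
    Map<String, Set<String>> attrs = new HashMap<String, Set<String>>();
    Set<String> policyXmlValues = new HashSet<String>();
    policyXmlValues.add(policy.toXML());
    attrs.put(POLICY_XML, policyXmlValues);

    // Get(create if necessary) ou=policies entry
    ServiceConfig namedPolicy = createOrGetPolicyConfig(NAMED_POLICY, NAMED_POLICY, scm, org);
    // Parameters for every audit and error message below.
    String[] objs = { policy.getName(), org };
    try {
        //create the policy entry
        namedPolicy.addSubConfig(policy.getName(), NAMED_POLICY_ID, 0, attrs);
        if (isMigratedToEntitlementService()) {
            // Index the policy as entitlement privileges and notify listeners.
            // NOTE(review): if indexing fails, the sub-config written above is
            // not rolled back here, so the stored policy and the index can diverge.
            PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(adminSubject, realmName);
            Set<IPrivilege> privileges = PrivilegeUtils.policyToPrivileges(policy);
            pis.add(privileges);
            policyCache.sendPolicyChangeNotification(null, policy, ServiceListener.ADDED);
        } else {
            // do the addition in resources tree
            rim.addPolicyToResourceTree(svtm, token, policy);
        }
    } catch (EntitlementException e) {
        throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, e));
    } catch (ServiceAlreadyExistsException e) {
        // Kept ahead of the SMSException handler (presumably its subclass) so a
        // duplicate name is reported as a name clash, not a generic store failure.
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("POLICY_ALREADY_EXISTS_IN_REALM", objs, token);
        }
        throw (new NameAlreadyExistsException(ResBundleUtils.rbName, "policy_already_exists_in_org",
                objs, policy.getName(), PolicyException.POLICY));
    } catch (SMSException se) {
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_ADD_POLICY", objs, token);
        }
        debug.error("SMS error in add policy: " + policy.getName() + " for org: " + org, se);
        // Check for permission exception
        if (se.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_add_policy", objs, se));
        }
    }
    if (PolicyUtils.logStatus) {
        PolicyUtils.logAccessMessage("POLICY_CREATE_SUCCESS", objs, token);
    }
}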
Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.
Class PolicyManager, method replacePolicy.
/**
 * Replaces a policy object in the data store with the same policy name
 *
 * <p>Two cases are handled. If the policy carries an original name (it is being
 * renamed) and no entry exists under the new name, the entry under the old name
 * is removed and the policy is added afresh under the new name. Otherwise the
 * existing entry's XML is overwritten and, if the previous policy could be read
 * back, its privileges are swapped in the entitlement index store (or the legacy
 * resource tree) under a per-policy lock before listeners are notified.
 *
 * @param policy policy object to be added to the organization
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to replace policy
 * @throws NameNotFoundException policy with the same name does
 *         not exist.
 * @throws NameAlreadyExistsException the policy is being renamed to a name
 *         that already exists in the organization
 * @throws InvalidFormatException the provide policy from the
 *         data store has been corrupted or does not have a valid format
 * @throws PolicyException for any other abnormal condition.
 *
 * @supported.api
 */
public void replacePolicy(Policy policy) throws SSOException, NameNotFoundException, NoPermissionException, InvalidFormatException, PolicyException {
    String realm = getOrganizationDN();
    // Subjects from another realm must not be stored under this organization.
    String subjectRealm = policy.getSubjectRealm();
    String[] realmNames = { realm, subjectRealm };
    if ((subjectRealm != null) && !subjectRealm.equals(realm)) {
        if (debug.messageEnabled()) {
            debug.message("Can not replace policy in realm :" + realm + ", policy has realm subjects " + " from realm : " + subjectRealm);
        }
        throw (new InvalidFormatException(ResBundleUtils.rbName, "policy_realm_does_not_match", realmNames, null, realm, PolicyException.POLICY));
    }
    // Stamp modification metadata before the policy is serialised below.
    policy.setLastModifiedBy(token.getPrincipal().getName());
    Date lastModifiedDate = new Date();
    policy.setLastModifiedDate(lastModifiedDate.getTime());
    // Construct the named policy
    String policyXml = policy.toXML();
    Map attrs = new HashMap();
    Set set = new HashSet();
    set.add(policyXml);
    attrs.put(POLICY_XML, set);
    // Name reported in error and audit records: the original name on a rename,
    // otherwise the current one.
    String name = null;
    // Get(create if necessary) ou=policies entry
    ServiceConfig namedPolicy = createOrGetPolicyConfig(NAMED_POLICY, NAMED_POLICY, scm, org);
    try {
        String policyName = policy.getName();
        String oldPolicyName = policy.getOriginalName();
        ServiceConfig policyEntry = namedPolicy.getSubConfig(policyName);
        ServiceConfig oldPolicyEntry = null;
        if (oldPolicyName != null) {
            oldPolicyEntry = namedPolicy.getSubConfig(oldPolicyName);
            name = oldPolicyName;
        } else {
            name = policy.getName();
        }
        if (policyEntry == null) {
            if (oldPolicyEntry != null) {
                // Rename: drop the entry under the old name, then re-add under the new one.
                // NOTE(review): this pair runs outside the per-policy lock used below and
                // is not transactional; if addPolicy fails the old policy is already gone.
                removePolicy(oldPolicyName);
                addPolicy(policy);
                // reset the policy name
                // TODO: need to think this through
                policy.resetOriginalName();
            } else {
                // neither the new policy nor the old policy is present
                String[] objs = { policy.getName(), org };
                throw (new NameNotFoundException(ResBundleUtils.rbName, "policy_not_found_in_organization", objs, policy.getName(), PolicyException.POLICY));
            }
        } else {
            //newPolicy exists
            String[] objs = { policy.getName(), org };
            // A rename onto a name that already exists (compared case-insensitively) is refused.
            if ((oldPolicyName != null) && !policy.getName().equalsIgnoreCase(oldPolicyName)) {
                if (PolicyUtils.logStatus) {
                    PolicyUtils.logErrorMessage("DID_NOT_REPLACE_POLICY", objs, token);
                }
                throw (new NameAlreadyExistsException(ResBundleUtils.rbName, "policy_already_exists_in_org", objs, policy.getName(), PolicyException.POLICY));
            }
            Policy oldPolicy = getPolicy(policy.getName());
            validateForResourcePrefix(policy);
            validateReferrals(policy);
            // The stored XML is overwritten here, outside the lock below and even
            // when the previous policy could not be read back (oldPolicy == null).
            policyEntry.setAttributes(attrs);
            if (oldPolicy != null) {
                // Acquire lock to ensure atomicity when updating policy.
                Lock lock = lockFactory.acquireLock(policyName);
                try {
                    lock.lock();
                    if (isMigratedToEntitlementService()) {
                        // Swap the old privileges for the new ones in the index store,
                        // accessed as the caller's subject rather than as super admin.
                        PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(SubjectUtils.createSubject(token), realm);
                        pis.delete(PrivilegeUtils.policyToPrivileges(oldPolicy));
                        pis.add(PrivilegeUtils.policyToPrivileges(policy));
                    } else {
                        rim.replacePolicyInResourceTree(svtm, token, oldPolicy, policy);
                    }
                } finally {
                    lock.unlock();
                }
                // Listeners are told only after the lock has been released.
                policyCache.sendPolicyChangeNotification(oldPolicy, policy, ServiceListener.MODIFIED);
            }
        }
    } catch (EntitlementException e) {
        String[] objs = { name, org };
        throw (new PolicyException(ResBundleUtils.rbName, "unable_to_replace_policy", objs, e));
    } catch (SMSException se) {
        String[] objs = { name, org };
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_REPLACE_POLICY", objs, token);
        }
        debug.error("SMS error in replacing policy: " + policy.getOriginalName() + " for org: " + org, se);
        // Check for permission exception
        if (se.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_replace_policy", objs, se));
        }
    }
    if (PolicyUtils.logStatus) {
        String[] objs = { name, org };
        PolicyUtils.logAccessMessage("POLICY_MODIFY_SUCCESS", objs, token);
    }
}
Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.
Class PolicyManager, method removePolicy.
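/**
 * Deletes a policy in the organization with the given name.
 *
 * <p>The policy is read back first so that, once the named-policy
 * sub-configuration has been removed, its privileges (or referral) can also be
 * removed from the entitlement index store, or from the legacy resource tree on
 * a non-migrated deployment. A missing named-policy node or a policy that no
 * longer exists is not an error. Failures in the index store or resource tree
 * are logged but not propagated; only SMS failures become exceptions.
 *
 * @param policyName name of the policy to be deleted
 *
 * @throws SSOException invalid or expired single-sign-on token
 * @throws NoPermissionException user does not have sufficient
 *         privileges to remove policies
 * @throws InvalidNameException {@code policyName} is {@code null}
 * @throws PolicyException for any other abnormal condition
 *
 * @supported.api
 */
public void removePolicy(String policyName) throws SSOException, NoPermissionException, PolicyException {
    // Check if name is valid
    if (policyName == null) {
        if (debug.warningEnabled()) {
            debug.warning("In PolicyManager::removePolicy(), name is null");
        }
        throw (new InvalidNameException(ResBundleUtils.rbName, "null_name", null, "null", PolicyException.POLICY));
    }
    // Parameters for every audit and error message below.
    String[] objs = { policyName, org };
    try {
        // Get service config for named policy node
        ServiceConfig oConfig = scm.getOrganizationConfig(org, null);
        ServiceConfig namedPolicy = (oConfig == null) ? null : oConfig.getSubConfig(NAMED_POLICY);
        if (namedPolicy != null) {
            /* Read the policy before removing the named-policy entry so that
             * its privileges/referral can still be removed from the index
             * store or resource tree afterwards.
             */
            Policy policy = getPolicy(policyName);
            // do the removal of policy
            namedPolicy.removeSubConfig(policyName);
            if (policy != null) {
                if (isMigratedToEntitlementService()) {
                    // should use super admin token to remove the index store
                    // entry
                    PrivilegeIndexStore pis = PrivilegeIndexStore.getInstance(
                            SubjectUtils.createSuperAdminSubject(), getOrganizationDN());
                    if (policy.isReferralPolicy()) {
                        pis.deleteReferral(policyName);
                    } else {
                        pis.delete(PrivilegeUtils.policyToPrivileges(policy));
                    }
                    policyCache.sendPolicyChangeNotification(null, policy, ServiceListener.REMOVED);
                } else {
                    // do the removal in resources tree
                    rim.removePolicyFromResourceTree(svtm, token, policy);
                }
            }
        }
    } catch (EntitlementException e) {
        // Left non-fatal (pre-existing behaviour), but the cause is now logged
        // with its stack trace instead of only its message.
        // NOTE(review): the sub-config is already removed at this point while the
        // index-store entry may remain, and POLICY_REMOVE_SUCCESS is still logged.
        debug.error("Error while removing policy : " + e.getMessage(), e);
    } catch (ServiceNotFoundException snfe) {
        // Handled ahead of SMSException (presumably its subclass): a missing
        // service is not treated as a failure of the removal.
        debug.error("Error while removing policy : " + snfe.getMessage(), snfe);
    } catch (SMSException smse) {
        if (PolicyUtils.logStatus) {
            PolicyUtils.logErrorMessage("UNABLE_TO_REMOVE_POLICY", objs, token);
        }
        debug.error("SMS error in deleting policy: " + policyName + " for org: " + org, smse);
        // Check for permission exception
        if (smse.getExceptionCode() == SMSException.STATUS_NO_PERMISSION) {
            throw (new NoPermissionException(ResBundleUtils.rbName, "insufficient_access_rights", null));
        } else {
            // Throw generic policy exception
            throw (new PolicyException(ResBundleUtils.rbName, "unable_to_remove_policy", objs, smse));
        }
    }
    if (PolicyUtils.logStatus) {
        PolicyUtils.logAccessMessage("POLICY_REMOVE_SUCCESS", objs, token);
    }
}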
Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.
Class OpenSSOPolicyDataStore, method removePrivilege.
/**
 * Removes a privilege from the entitlement index store and, when a matching
 * legacy policy entry still exists, from the legacy policy store as well.
 *
 * <p>Access control: the caller's {@code subject} must resolve to an SSO token
 * (error 211) and must hold {@code MODIFY} on the privilege as judged by an
 * {@link ApplicationPrivilegeManager} obtained for the super-admin subject
 * (error 326). The deletes themselves run as {@code dsameUserSubject} /
 * {@code dsameUserToken}; the caller's subject is used only for audit logging.
 *
 * @param subject caller's subject
 * @param realm realm the privilege belongs to
 * @param privilege privilege to remove
 * @throws EntitlementException if the caller has no token (211), lacks MODIFY
 *         access (326), or the SSO/SMS layer fails (205, cause attached)
 */
public void removePrivilege(Subject subject, String realm, Privilege privilege) throws EntitlementException {
    SSOToken callerToken = SubjectUtils.getSSOToken(subject);
    String privilegeName = privilege.getName();
    if (callerToken == null) {
        throw new EntitlementException(211, new Object[] { privilegeName });
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager appPrivMgr =
            ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!appPrivMgr.hasPrivilege(privilege, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    try {
        String[] auditParams = { DNMapper.orgNameToRealmName(realm), privilegeName };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO,
                "ATTEMPT_REMOVE_PRIVILEGE", auditParams, subject);
        // Remove from privilege index store first
        PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        indexStore.delete(privilegeName);
        // Only remove from legacy policy store if the policy still exists. This can happen if an old policy
        // had multiple rules (= multiple privileges in new store) and one of the new privileges for that policy
        // has been deleted, which deletes the entire legacy policy.
        String legacyDn = findLegacyPolicyDn(dsameUserToken, realm, privilegeName);
        if (legacyDn == null) {
            debug("Unable to find legacy policy for privilege %s in realm %s", privilegeName, realm);
        } else {
            SMSEntry legacyEntry = new SMSEntry(dsameUserToken, legacyDn);
            legacyEntry.delete();
        }
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO,
                "SUCCEEDED_REMOVE_PRIVILEGE", auditParams, subject);
    } catch (SSOException ex) {
        throw privilegeRemovalFailed(realm, privilegeName, ex, subject);
    } catch (SMSException ex) {
        throw privilegeRemovalFailed(realm, privilegeName, ex, subject);
    }
}

/**
 * Audits a failed privilege removal on behalf of {@code subject} and wraps the
 * cause as entitlement error 205 for the caller to throw.
 */
private EntitlementException privilegeRemovalFailed(String realm, String name, Exception cause, Subject subject) {
    String[] logParams = { DNMapper.orgNameToRealmName(realm), name, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_PRIVILEGE", logParams, subject);
    return new EntitlementException(205, new Object[] { name }, cause);
}
Use of com.sun.identity.entitlement.PrivilegeIndexStore in project OpenAM by OpenRock.
Class OpenSSOPolicyDataStore, method removeReferral.
/**
 * Removes a referral privilege: its SMS entry is deleted first, then its entry
 * in the entitlement index store.
 *
 * <p>Access control: the caller's {@code subject} must resolve to an SSO token
 * (error 266) and must hold {@code MODIFY} on the referral as judged by an
 * {@link ApplicationPrivilegeManager} obtained for the super-admin subject
 * (error 326). The referral's DN must already exist when checked with
 * {@code dsameUserToken} (error 263). The deletes run as {@code dsameUserToken}
 * / {@code dsameUserSubject}; the caller's subject is used only for audit logging.
 *
 * @param subject caller's subject
 * @param realm realm the referral belongs to
 * @param referral referral privilege to remove
 * @throws EntitlementException if the caller has no token (266), lacks MODIFY
 *         access (326), the entry does not exist (263), or the SSO/SMS layer
 *         fails (205, cause attached)
 */
public void removeReferral(Subject subject, String realm, ReferralPrivilege referral) throws EntitlementException {
    SSOToken callerToken = SubjectUtils.getSSOToken(subject);
    String referralName = referral.getName();
    if (callerToken == null) {
        throw new EntitlementException(266, new Object[] { referralName });
    }
    // Delegation to applications is currently not configurable, passing super admin (see AME-4959)
    ApplicationPrivilegeManager appPrivMgr =
            ApplicationPrivilegeManager.getInstance(realm, PrivilegeManager.superAdminSubject);
    if (!appPrivMgr.hasPrivilege(referral, ApplicationPrivilege.Action.MODIFY)) {
        throw new EntitlementException(326);
    }
    // The referral must be present before anything is touched.
    String referralDn = getPolicyDistinguishedName(realm, referralName);
    if (!SMSEntry.checkIfEntryExists(referralDn, dsameUserToken)) {
        throw new EntitlementException(263, new Object[] { referralName });
    }
    try {
        String[] auditParams = { DNMapper.orgNameToRealmName(realm), referralName };
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO,
                "ATTEMPT_REMOVE_REFERRAL", auditParams, subject);
        SMSEntry referralEntry = new SMSEntry(dsameUserToken, referralDn);
        referralEntry.delete();
        OpenSSOLogger.log(OpenSSOLogger.LogLevel.MESSAGE, Level.INFO,
                "SUCCEEDED_REMOVE_REFERRAL", auditParams, subject);
        // Success is audited before the index-store entry is removed.
        PrivilegeIndexStore indexStore = PrivilegeIndexStore.getInstance(dsameUserSubject, realm);
        indexStore.deleteReferral(referralName);
    } catch (SSOException ex) {
        throw referralRemovalFailed(realm, referralName, ex, subject);
    } catch (SMSException ex) {
        throw referralRemovalFailed(realm, referralName, ex, subject);
    }
}

/**
 * Audits a failed referral removal on behalf of {@code subject} and wraps the
 * cause as entitlement error 205 for the caller to throw.
 */
private EntitlementException referralRemovalFailed(String realm, String name, Exception cause, Subject subject) {
    String[] logParams = { DNMapper.orgNameToRealmName(realm), name, cause.getMessage() };
    OpenSSOLogger.log(OpenSSOLogger.LogLevel.ERROR, Level.INFO, "FAILED_REMOVE_REFERRAL", logParams, subject);
    return new EntitlementException(205, new Object[] { name }, cause);
}