
Example 1 with SubjectDecision

Use of com.sun.identity.entitlement.SubjectDecision in project OpenAM by OpenRock.

From the class OpenSSOPrivilege, method internalEvaluate:

private List<Entitlement> internalEvaluate(Subject adminSubject, String realm, Subject subject, String applicationName, String resourceName, Set<String> actionNames, Map<String, Set<String>> environment, boolean recursive) throws EntitlementException {
    Entitlement originalEntitlement = getEntitlement();
    if (!isActive()) {
        Entitlement entitlement = new Entitlement(originalEntitlement.getApplicationName(), originalEntitlement.getResourceName(), Collections.<String>emptySet());
        return Arrays.asList(entitlement);
    }
    // First evaluate subject conditions.
    SubjectDecision subjectDecision = doesSubjectMatch(adminSubject, realm, subject, resourceName, environment);
    if (!subjectDecision.isSatisfied()) {
        Entitlement entitlement = new Entitlement(originalEntitlement.getApplicationName(), originalEntitlement.getResourceName(), Collections.<String>emptySet());
        entitlement.setAdvices(subjectDecision.getAdvices());
        return Arrays.asList(entitlement);
    }
    // Second evaluate environment conditions.
    ConditionDecision conditionDecision = doesConditionMatch(realm, subject, resourceName, environment);
    if (!conditionDecision.isSatisfied()) {
        Entitlement entitlement = new Entitlement(originalEntitlement.getApplicationName(), originalEntitlement.getResourceName(), Collections.<String>emptySet());
        entitlement.setAdvices(conditionDecision.getAdvice());
        entitlement.setTTL(conditionDecision.getTimeToLive());
        return Arrays.asList(entitlement);
    }
    // Finally verify the resource.
    Set<String> matchedResources = originalEntitlement.evaluate(adminSubject, realm, subject, applicationName, resourceName, actionNames, environment, recursive);
    if (PolicyConstants.DEBUG.messageEnabled()) {
        PolicyConstants.DEBUG.message("[PolicyEval] OpenSSOPrivilege.evaluate: resources=" + matchedResources);
    }
    // Retrieve the collection of response attributes base on the resource.
    Map<String, Set<String>> attributes = getAttributes(adminSubject, realm, subject, resourceName, environment);
    squashMaps(attributes, conditionDecision.getResponseAttributes());
    List<Entitlement> results = new ArrayList<>();
    for (String matchedResource : matchedResources) {
        Entitlement entitlement = new Entitlement(originalEntitlement.getApplicationName(), matchedResource, originalEntitlement.getActionValues());
        entitlement.setAdvices(conditionDecision.getAdvice());
        entitlement.setAttributes(attributes);
        entitlement.setTTL(conditionDecision.getTimeToLive());
        results.add(entitlement);
    }
    return results;
}
Also used : Set(java.util.Set) SubjectDecision(com.sun.identity.entitlement.SubjectDecision) ArrayList(java.util.ArrayList) Entitlement(com.sun.identity.entitlement.Entitlement) ConditionDecision(com.sun.identity.entitlement.ConditionDecision)

Example 2 with SubjectDecision

Use of com.sun.identity.entitlement.SubjectDecision in project OpenAM by OpenRock.

From the class PolicySubject, method evaluate:

/**
 * Returns subject decision.
 *
 * @param realm Realm name.
 * @param mgr Subject attribute manager.
 * @param subject Subject to be evaluated.
 * @param resourceName Resource name to be evaluated.
 * @param environment Environment map.
 * @return subject decision.
 * @throws com.sun.identity.entitlement.EntitlementException if an error
 *         occurs.
 */
public SubjectDecision evaluate(String realm, SubjectAttributesManager mgr, javax.security.auth.Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
    SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
    try {
        PolicyManager pm = new PolicyManager(adminToken, realm);
        Subject sbj = getPolicySubject();
        sbj.initialize(pm.getPolicyConfig());
        SSOToken token = getSSOToken(subject);
        // With no SSOToken derivable from the subject, the legacy subject is treated as matched;
        // otherwise the membership result is inverted (XOR) when the subject is marked exclusive.
        boolean result = (token == null) ? true : sbj.isMember(token) ^ exclusive;
        return new SubjectDecision(result, Collections.EMPTY_MAP);
    } catch (SSOException ex) {
        throw new EntitlementException(508, ex);
    } catch (PolicyException ex) {
        throw new EntitlementException(508, ex);
    }
}
Also used : PolicyManager(com.sun.identity.policy.PolicyManager) EntitlementException(com.sun.identity.entitlement.EntitlementException) SSOToken(com.iplanet.sso.SSOToken) SubjectDecision(com.sun.identity.entitlement.SubjectDecision) PolicyException(com.sun.identity.policy.PolicyException) SSOException(com.iplanet.sso.SSOException) EntitlementSubject(com.sun.identity.entitlement.EntitlementSubject) Subject(com.sun.identity.policy.interfaces.Subject)

Example 3 with SubjectDecision

Use of com.sun.identity.entitlement.SubjectDecision in project OpenAM by OpenRock.

From the class OpenSSOGroupSubject, method evaluate:

/**
 * Returns <code>SubjectDecision</code> of
 * <code>EntitlementSubject</code> evaluation.
 *
 * @param realm Realm name.
 * @param mgr Subject attributes manager.
 * @param subject EntitlementSubject who is under evaluation.
 * @param resourceName Resource name.
 * @param environment Environment parameters.
 * @return <code>SubjectDecision</code> of
 *         <code>EntitlementSubject</code> evaluation.
 * @throws com.sun.identity.entitlement.EntitlementException in case
 *         of any error.
 */
@Override
public SubjectDecision evaluate(String realm, SubjectAttributesManager mgr, Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
    boolean satisfied = false;
    if (mgr.isGroupMembershipSearchIndexEnabled()) {
        // Fast path: group memberships were pre-collected into the subject's public credentials.
        Set publicCreds = subject.getPublicCredentials();
        if ((publicCreds != null) && !publicCreds.isEmpty()) {
            Map<String, Set<String>> attributes = (Map<String, Set<String>>) publicCreds.iterator().next();
            Set<String> values = attributes.get(SubjectAttributesCollector.NAMESPACE_MEMBERSHIP + IdType.GROUP.getName());
            String grpID = getID();
            if (values != null) {
                if (values.contains(grpID)) {
                    satisfied = true;
                } else {
                    // No literal match: resolve each membership value to an identity and compare.
                    try {
                        SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
                        AMIdentity idGroup = IdUtils.getIdentity(adminToken, grpID);
                        for (String value : values) {
                            AMIdentity amgrp = IdUtils.getIdentity(adminToken, value);
                            if (idGroup.equals(amgrp)) {
                                satisfied = true;
                                break;
                            }
                        }
                    } catch (IdRepoException e) {
                        PrivilegeManager.debug.error("GroupSubject.evaluate", e);
                    }
                }
            }
        }
    } else {
        // Slow path: ask the identity repository for every member type the group can hold.
        try {
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            AMIdentity idGroup = IdUtils.getIdentity(adminToken, getID());
            Set<IdType> supportedType = IdType.GROUP.canHaveMembers();
            for (IdType type : supportedType) {
                if (isMember(subject, type, idGroup)) {
                    satisfied = true;
                    break;
                }
            }
        } catch (IdRepoException e) {
            // Repository errors are logged and the decision stays unsatisfied.
            PrivilegeManager.debug.error("GroupSubject.evaluate", e);
        } catch (SSOException e) {
            PrivilegeManager.debug.error("GroupSubject.evaluate", e);
        }
    }
    return new SubjectDecision(satisfied, Collections.EMPTY_MAP);
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) SSOToken(com.iplanet.sso.SSOToken) SubjectDecision(com.sun.identity.entitlement.SubjectDecision) IdRepoException(com.sun.identity.idm.IdRepoException) SSOException(com.iplanet.sso.SSOException) IdType(com.sun.identity.idm.IdType) AMIdentity(com.sun.identity.idm.AMIdentity) HashMap(java.util.HashMap) Map(java.util.Map)

Example 4 with SubjectDecision

Use of com.sun.identity.entitlement.SubjectDecision in project OpenAM by OpenRock.

From the class OpenSSOApplicationPrivilegeManager, method doesSubjectMatch:

private boolean doesSubjectMatch(Privilege privilege, String resourceName) throws EntitlementException {
    SubjectAttributesManager mgr = SubjectAttributesManager.getInstance(dsameUserSubject, realm);
    SubjectDecision sDecision = privilege.getSubject().evaluate(realm, mgr, caller, resourceName, Collections.EMPTY_MAP);
    return sDecision.isSatisfied();
}
Also used : SubjectAttributesManager(com.sun.identity.entitlement.SubjectAttributesManager) SubjectDecision(com.sun.identity.entitlement.SubjectDecision)

Example 5 with SubjectDecision

Use of com.sun.identity.entitlement.SubjectDecision in project OpenAM by OpenRock.

From the class IdentitySubject, method evaluate:

/**
 * {@inheritDoc}
 */
@Override
public SubjectDecision evaluate(String realm, SubjectAttributesManager mgr, Subject subject, String resourceName, Map<String, Set<String>> environment) throws EntitlementException {
    String tokenID = null;
    String userDN = null;
    SSOToken token = SubjectUtils.getSSOToken(subject);
    if (token != null) {
        Object tokenIDObject = token.getTokenID();
        if (tokenIDObject != null) {
            tokenID = tokenIDObject.toString();
        }
    }
    if (tokenID == null) {
        if (debug.warningEnabled()) {
            debug.warning("IdentitySubject.isMember():" + "tokenID is null");
            debug.warning("IdentitySubject.isMember():" + "returning false");
        }
        return new SubjectDecision(false, Collections.EMPTY_MAP);
    } else {
        Principal principal = null;
        try {
            principal = token.getPrincipal();
        } catch (SSOException e) {
            throw new EntitlementException(508, e);
        }
        if (principal != null) {
            userDN = principal.getName();
        }
        if (userDN == null) {
            if (debug.warningEnabled()) {
                debug.warning("IdentitySubject.isMember():" + "userDN is null");
                debug.warning("IdentitySubject.isMember():" + "returning false");
            }
            return new SubjectDecision(false, Collections.EMPTY_MAP);
        }
    }
    boolean listenerAdded = false;
    boolean subjectMatch = false;
    if (debug.messageEnabled()) {
        debug.message("AMIndentitySubject.isMember(): " + "entering with userDN = " + userDN);
    }
    if (subjectValues.size() > 0) {
        Iterator valueIter = subjectValues.iterator();
        while (valueIter.hasNext()) {
            Boolean matchFound = null;
            // This value is actually the universal id of an AMIdentity object.
            String subjectValue = (String) valueIter.next();
            if (debug.messageEnabled()) {
                debug.message("AMIndentitySubject.isMember(): " + "checking membership with userDN = " + userDN + ", subjectValue = " + subjectValue);
            }
            if ((matchFound = SubjectEvaluationCache.isMember(tokenID, "IdentitySubject", subjectValue)) != null) {
                if (debug.messageEnabled()) {
                    debug.message("IdentitySubject.isMember():" + "got membership from SubjectEvaluationCache " + " for userDN = " + userDN + ", subjectValue = " + subjectValue + ", result = " + matchFound.booleanValue());
                }
                boolean result = matchFound.booleanValue();
                if (result) {
                    if (debug.messageEnabled()) {
                        debug.message("AMIndentitySubject.isMember(): " + " returning membership status = " + result);
                    }
                    return new SubjectDecision(result, Collections.EMPTY_MAP);
                } else {
                    continue;
                }
            }
            // Got here, so the entry is not in the subject evaluation cache.
            if (debug.messageEnabled()) {
                debug.message("IdentitySubject:isMember():entry for " + subjectValue + " not in subject evaluation " + "cache, so compute using IDRepo api");
            }
            try {
                AMIdentity subjectIdentity = null;
                subjectIdentity = IdUtils.getIdentity(EntitlementUtils.getAdminToken(), subjectValue);
                if (subjectIdentity == null) {
                    if (debug.messageEnabled()) {
                        debug.message("IdentitySubject.isMember():" + "subjectIdentity is null for " + "subjectValue = " + subjectValue);
                        debug.message("IdentitySubject.isMember():" + "returning false");
                    }
                    return new SubjectDecision(false, Collections.EMPTY_MAP);
                }
                AMIdentity tmpIdentity = IdUtils.getIdentity(token);
                String univId = IdUtils.getUniversalId(tmpIdentity);
                AMIdentity userIdentity = IdUtils.getIdentity(EntitlementUtils.getAdminToken(), univId);
                if (userIdentity == null) {
                    if (debug.messageEnabled()) {
                        debug.message("IdentitySubject.isMember():" + "userIdentity is null");
                        debug.message("IdentitySubject.isMember():" + "returning false");
                    }
                    return new SubjectDecision(false, Collections.EMPTY_MAP);
                }
                if (debug.messageEnabled()) {
                    debug.message("IdentitySubject.isMember():" + "user uuid = " + IdUtils.getUniversalId(userIdentity) + ", subject uuid = " + IdUtils.getUniversalId(subjectIdentity));
                }
                IdType userIdType = userIdentity.getType();
                IdType subjectIdType = subjectIdentity.getType();
                Set allowedMemberTypes = null;
                if (userIdentity.equals(subjectIdentity)) {
                    if (debug.messageEnabled()) {
                        debug.message("IdentitySubject.isMember():" + "userIdentity equals subjectIdentity:" + "membership=true");
                    }
                    subjectMatch = true;
                } else if (((allowedMemberTypes = subjectIdType.canHaveMembers()) != null) && allowedMemberTypes.contains(userIdType)) {
                    subjectMatch = userIdentity.isMember(subjectIdentity);
                    if (debug.messageEnabled()) {
                        debug.message("IdentitySubject.isMember():" + "userIdentity type " + userIdType + " can be a member of " + "subjectIdentityType " + subjectIdType + ":membership=" + subjectMatch);
                    }
                } else {
                    subjectMatch = false;
                    if (debug.messageEnabled()) {
                        debug.message("IdentitySubject.isMember():" + "userIdentity type " + userIdType + " can not be a member of " + "subjectIdentityType " + subjectIdType + ":membership=" + subjectMatch);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("IdentitySubject.isMember: adding " + "entry in SubjectEvaluationCache for " + ", for userDN = " + userDN + ", subjectValue = " + subjectValue + ", subjectMatch = " + subjectMatch);
                }
                SubjectEvaluationCache.addEntry(tokenID, "IdentitySubject", subjectValue, subjectMatch);
                if (!listenerAdded) {
                    if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
                        token.addSSOTokenListener(PolicyEvaluator.ssoListener);
                        PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
                        if (debug.messageEnabled()) {
                            debug.message("IdentitySubject.isMember():" + " sso listener added ");
                        }
                        listenerAdded = true;
                    }
                }
                if (subjectMatch) {
                    break;
                }
            } catch (IdRepoException ire) {
                debug.warning("IdentitySubject.isMember():" + "can not check membership for user " + userDN + ", subject " + subjectValue, ire);
                String[] args = { userDN, subjectValue };
                throw new EntitlementException(508, ire);
            } catch (SSOException e) {
                throw new EntitlementException(508, e);
            }
        }
    }
    if (debug.messageEnabled()) {
        if (!subjectMatch) {
            debug.message("IdentitySubject.isMember(): user " + userDN + " is not a member of this subject");
        } else {
            debug.message("IdentitySubject.isMember(): User " + userDN + " is a member of this subject");
        }
    }
    return new SubjectDecision(subjectMatch, Collections.<String, Set<String>>emptyMap());
}
Also used : SSOToken(com.iplanet.sso.SSOToken) HashSet(java.util.HashSet) Set(java.util.Set) SubjectDecision(com.sun.identity.entitlement.SubjectDecision) IdRepoException(com.sun.identity.idm.IdRepoException) SSOException(com.iplanet.sso.SSOException) IdType(com.sun.identity.idm.IdType) EntitlementException(com.sun.identity.entitlement.EntitlementException) AMIdentity(com.sun.identity.idm.AMIdentity) Iterator(java.util.Iterator) Principal(java.security.Principal)

Aggregations

SubjectDecision (com.sun.identity.entitlement.SubjectDecision)5 SSOException (com.iplanet.sso.SSOException)3 SSOToken (com.iplanet.sso.SSOToken)3 Set (java.util.Set)3 EntitlementException (com.sun.identity.entitlement.EntitlementException)2 AMIdentity (com.sun.identity.idm.AMIdentity)2 IdRepoException (com.sun.identity.idm.IdRepoException)2 IdType (com.sun.identity.idm.IdType)2 HashSet (java.util.HashSet)2 ConditionDecision (com.sun.identity.entitlement.ConditionDecision)1 Entitlement (com.sun.identity.entitlement.Entitlement)1 EntitlementSubject (com.sun.identity.entitlement.EntitlementSubject)1 SubjectAttributesManager (com.sun.identity.entitlement.SubjectAttributesManager)1 PolicyException (com.sun.identity.policy.PolicyException)1 PolicyManager (com.sun.identity.policy.PolicyManager)1 Subject (com.sun.identity.policy.interfaces.Subject)1 Principal (java.security.Principal)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 Iterator (java.util.Iterator)1