use of com.sun.identity.entitlement.xacml3.core.Condition in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method privilegeToPolicyInternal.
private static Policy privilegeToPolicyInternal(Privilege privilege) throws JAXBException, EntitlementException {
if (privilege == null) {
return null;
}
Policy policy = new Policy();
String privilegeName = privilege.getName();
String applicationName = null;
String entitlementName = null;
Entitlement entitlement = privilege.getEntitlement();
if (entitlement != null) {
applicationName = entitlement.getApplicationName();
entitlementName = entitlement.getName();
}
String policyId = privilegeNameToPolicyId(privilegeName, applicationName);
policy.setPolicyId(policyId);
String description = privilege.getDescription();
policy.setDescription(description);
List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();
JAXBContext jaxbContext = JAXBContext.newInstance(XACMLConstants.XACML3_CORE_PKG);
if (applicationName != null) {
VariableDefinition appName = new VariableDefinition();
vrList.add(appName);
appName.setVariableId(XACMLConstants.APPLICATION_NAME);
AttributeValue cbv = new AttributeValue();
cbv.setDataType(XACMLConstants.XS_STRING);
cbv.getContent().add(applicationName);
JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
appName.setExpression(cbve);
}
if (entitlementName != null) {
VariableDefinition entName = new VariableDefinition();
vrList.add(entName);
entName.setVariableId(XACMLConstants.ENTITLEMENT_NAME);
AttributeValue cbv = new AttributeValue();
cbv.setDataType(XACMLConstants.XS_STRING);
cbv.getContent().add(entitlementName);
JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
entName.setExpression(cbve);
}
VariableDefinition createdBy = new VariableDefinition();
vrList.add(createdBy);
createdBy.setVariableId(XACMLConstants.PRIVILEGE_CREATED_BY);
AttributeValue cbv = new AttributeValue();
cbv.setDataType(XACMLConstants.XS_STRING);
cbv.getContent().add(privilege.getCreatedBy());
JAXBElement<AttributeValue> cbve = objectFactory.createAttributeValue(cbv);
createdBy.setExpression(cbve);
VariableDefinition lastModifiedBy = new VariableDefinition();
vrList.add(lastModifiedBy);
lastModifiedBy.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY);
AttributeValue lmbv = new AttributeValue();
lmbv.setDataType(XACMLConstants.XS_STRING);
lmbv.getContent().add(privilege.getLastModifiedBy());
JAXBElement<AttributeValue> lmbve = objectFactory.createAttributeValue(lmbv);
lastModifiedBy.setExpression(lmbve);
SimpleDateFormat sdf1 = new SimpleDateFormat("yyyy-MM-dd");
SimpleDateFormat sdf2 = new SimpleDateFormat("HH:mm:ss.SSS");
SimpleDateFormat sdf3 = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
sdf1.setTimeZone(TimeZone.getTimeZone("GMT"));
sdf2.setTimeZone(TimeZone.getTimeZone("GMT"));
sdf3.setTimeZone(TimeZone.getTimeZone("GMT"));
VariableDefinition creationDate = new VariableDefinition();
vrList.add(creationDate);
creationDate.setVariableId(XACMLConstants.PRIVILEGE_CREATION_DATE);
AttributeValue cdv = new AttributeValue();
cdv.setDataType(XACMLConstants.XS_DATE_TIME);
cdv.getContent().add(sdf1.format(privilege.getCreationDate()) + "T" + sdf2.format(privilege.getCreationDate()));
JAXBElement<AttributeValue> cdve = objectFactory.createAttributeValue(cdv);
creationDate.setExpression(cdve);
VariableDefinition lastModifiedDate = new VariableDefinition();
vrList.add(lastModifiedDate);
lastModifiedDate.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE);
AttributeValue lmdv = new AttributeValue();
lmdv.setDataType(XACMLConstants.XS_DATE_TIME);
lmdv.getContent().add(sdf1.format(privilege.getLastModifiedDate()) + "T" + sdf2.format(privilege.getLastModifiedDate()));
JAXBElement<AttributeValue> lmdve = objectFactory.createAttributeValue(lmdv);
lastModifiedDate.setExpression(lmdve);
// PolicyIssuer policyIssuer = null; // optional, TODO
Version version = new Version();
// TODO: use privilege version in future
version.setValue(sdf3.format(privilege.getLastModifiedDate()));
policy.setVersion(version);
// Defaults policyDefaults = null; // optional, TODO
String rca = getRuleCombiningAlgId(applicationName);
policy.setRuleCombiningAlgId(rca);
// String ruleCombiningAlgId = "rca"; // required
// XACML Target contains a list of AnyOf(s)
// XACML AnyOf contains a list of AllOf(s)
// XACML AllOf contains a list of Match(s)
Target target = new Target();
policy.setTarget(target);
List<AnyOf> targetAnyOfList = target.getAnyOf();
EntitlementSubject es = privilege.getSubject();
/* TODO: detect simple subjects and set attribute value and designator
List<AnyOf> anyOfSubjectList = entitlementSubjectToAnyOfList(es);
if (anyOfSubjectList != null) {
targetAnyOfList.addAll(anyOfSubjectList);
}
*/
AnyOf anyOfSubject = entitlementSubjectToAnyOf(es);
if (anyOfSubject != null) {
targetAnyOfList.add(anyOfSubject);
}
Set<String> resources = entitlement.getResourceNames();
List<AnyOf> anyOfResourceList = resourceNamesToAnyOfList(resources, applicationName);
if (anyOfResourceList != null) {
targetAnyOfList.addAll(anyOfResourceList);
}
AnyOf anyOfApplication = applicationNameToAnyOf(applicationName);
if (anyOfApplication != null) {
targetAnyOfList.add(anyOfApplication);
}
Map<String, Boolean> actionValues = entitlement.getActionValues();
List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actionValues.keySet(), applicationName);
if (anyOfActionList != null) {
targetAnyOfList.addAll(anyOfActionList);
}
// PermitRule, DenyRule
Set<String> permitActions = new HashSet<String>();
Set<String> denyActions = new HashSet<String>();
if (actionValues != null) {
Set<String> actionNames = actionValues.keySet();
for (String actionName : actionNames) {
if (Boolean.TRUE.equals(actionValues.get(actionName))) {
permitActions.add(actionName);
} else {
denyActions.add(actionName);
}
}
}
Condition condition = eSubjectConditionToXCondition(privilege.getSubject(), privilege.getCondition());
// Include resource attributes (ResourceProvider) as AdviceExpressions
Set<ResourceAttribute> ra = privilege.getResourceAttributes();
if (ra != null && !ra.isEmpty()) {
AdviceExpressions adviceExpressions = schemaFactory.resourceAttributesToAdviceExpressions(ra);
policy.setAdviceExpressions(adviceExpressions);
}
if (!permitActions.isEmpty()) {
Rule permitRule = new Rule();
vrList.add(permitRule);
permitRule.setRuleId(entitlement.getName() + ":" + XACMLConstants.PREMIT_RULE_SUFFIX);
permitRule.setDescription(XACMLConstants.PERMIT_RULE_DESCRIPTION);
permitRule.setEffect(EffectType.PERMIT);
Target permitTarget = new Target();
permitRule.setTarget(permitTarget);
List<AnyOf> permitTargetAnyOfList = permitTarget.getAnyOf();
List<AnyOf> anyOfPermitActionList = actionNamesToAnyOfList(permitActions, applicationName);
if (anyOfPermitActionList != null) {
permitTargetAnyOfList.addAll(anyOfPermitActionList);
}
if (condition != null) {
permitRule.setCondition(condition);
}
}
if (!denyActions.isEmpty()) {
Rule denyRule = new Rule();
vrList.add(denyRule);
denyRule.setRuleId(entitlement.getName() + ":" + XACMLConstants.DENY_RULE_SUFFIX);
denyRule.setDescription(XACMLConstants.DENY_RULE_DESCRIPTION);
denyRule.setEffect(EffectType.DENY);
Target denyTarget = new Target();
denyRule.setTarget(denyTarget);
List<AnyOf> denyTargetAnyOfList = denyTarget.getAnyOf();
List<AnyOf> anyOfDenyActionList = actionNamesToAnyOfList(denyActions, applicationName);
if (anyOfDenyActionList != null) {
denyTargetAnyOfList.addAll(anyOfDenyActionList);
}
if (condition != null) {
denyRule.setCondition(condition);
}
}
return policy;
}
use of com.sun.identity.entitlement.xacml3.core.Condition in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method getEntitlementSubjectFromPolicy.
static EntitlementSubject getEntitlementSubjectFromPolicy(Policy policy) {
if (policy == null) {
return null;
}
List<Rule> rules = getRules(policy);
if (rules == null) {
return null;
}
EntitlementSubject es = null;
for (Rule rule : rules) {
Condition condition = rule.getCondition();
JAXBElement jaxbElement = condition.getExpression();
if (jaxbElement.getDeclaredType().equals(Apply.class)) {
Apply apply = (Apply) jaxbElement.getValue();
String functionId = apply.getFunctionId();
if (XACMLConstants.JSON_SUBJECT_AND_CONDITION_SATISFIED.equals(functionId)) {
List<JAXBElement<?>> expressionList = apply.getExpression();
for (JAXBElement jaxe : expressionList) {
if (jaxe.getDeclaredType().equals(AttributeValue.class)) {
AttributeValue av = (AttributeValue) jaxe.getValue();
String dataType = av.getDataType();
if (dataType.startsWith(XACMLConstants.JSON_SUBJECT_DATATYPE)) {
List<Object> valueList = av.getContent();
String value = null;
if (valueList != null) {
for (Object ob : valueList) {
if (ob instanceof String) {
value = (String) ob;
break;
}
}
}
if (value != null) {
es = createEntitlementSubject(dataType, value);
}
}
}
}
}
}
if (es != null) {
break;
}
}
return es;
}
use of com.sun.identity.entitlement.xacml3.core.Condition in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method getEntitlementConditionFromPolicy.
static EntitlementCondition getEntitlementConditionFromPolicy(Policy policy) throws EntitlementException {
if (policy == null) {
return null;
}
List<Rule> rules = getRules(policy);
if (rules == null) {
return null;
}
EntitlementCondition ec = null;
for (Rule rule : rules) {
Condition condition = rule.getCondition();
JAXBElement jaxbElement = condition.getExpression();
if (jaxbElement.getDeclaredType().equals(Apply.class)) {
Apply apply = (Apply) jaxbElement.getValue();
String functionId = apply.getFunctionId();
if (XACMLConstants.JSON_SUBJECT_AND_CONDITION_SATISFIED.equals(functionId)) {
List<JAXBElement<?>> expressionList = apply.getExpression();
for (JAXBElement jaxe : expressionList) {
if (jaxe.getDeclaredType().equals(AttributeValue.class)) {
AttributeValue av = (AttributeValue) jaxe.getValue();
String dataType = av.getDataType();
if (dataType.startsWith(XACMLConstants.JSON_CONDITION_DATATYPE)) {
List<Object> valueList = av.getContent();
String value = null;
if (valueList != null) {
for (Object ob : valueList) {
if (ob instanceof String) {
value = (String) ob;
break;
}
}
}
if (value != null) {
ec = createEntitlementCondition(dataType, value);
}
}
}
}
}
if (ec != null) {
break;
}
}
}
return ec;
}
use of com.sun.identity.entitlement.xacml3.core.Condition in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method eSubjectConditionToXCondition.
public static Condition eSubjectConditionToXCondition(EntitlementSubject es, EntitlementCondition ec) throws JAXBException {
Condition condition = null;
if (es != null || ec != null) {
condition = new Condition();
JAXBContext jaxbContext = JAXBContext.newInstance(XACMLConstants.XACML3_CORE_PKG);
Apply apply = new Apply();
apply.setFunctionId(XACMLConstants.JSON_SUBJECT_AND_CONDITION_SATISFIED);
List applyExpressions = apply.getExpression();
if (es != null) {
String esString = es.getState();
// TODO: add custom xml attribute to idenity as privilge subject
AttributeValue esv = new AttributeValue();
Map<QName, String> otherAttrs = esv.getOtherAttributes();
QName qn = new QName("privilegeComponent");
otherAttrs.put(qn, "entitlementSubject");
String dataType = XACMLConstants.JSON_SUBJECT_DATATYPE + ":" + es.getClass().getName();
esv.setDataType(dataType);
esv.getContent().add(esString);
JAXBElement esve = objectFactory.createAttributeValue(esv);
applyExpressions.add(esve);
}
if (ec != null) {
String ecString = ec.getState();
// TODO: add custom xml attribute to idenity as privilge condition
AttributeValue ecv = new AttributeValue();
Map<QName, String> otherAttrs = ecv.getOtherAttributes();
QName qn = new QName("privilegeComponent");
otherAttrs.put(qn, "entitlementCondition");
String dataType = XACMLConstants.JSON_CONDITION_DATATYPE + ":" + ec.getClass().getName();
ecv.setDataType(dataType);
ecv.getContent().add(ecString);
JAXBElement ecve = objectFactory.createAttributeValue(ecv);
applyExpressions.add(ecve);
}
JAXBElement applyElement = objectFactory.createApply(apply);
condition.setExpression(applyElement);
}
return condition;
}
Aggregations