
Example 1 with Version

use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.

The class XACMLPrivilegeUtils, method privilegeToPolicyInternal.

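/**
 * Converts a {@link Privilege} into a XACML 3 {@link Policy}.
 *
 * <p>The privilege's application name, entitlement name, creator, last modifier and
 * creation/last-modified timestamps are recorded as {@code VariableDefinition}s on the policy.
 * The subject, resource names, application name and action names become the policy target.
 * The entitlement's action values are then partitioned into a permit rule (actions mapped to
 * {@code Boolean.TRUE}) and a deny rule (every other action); the privilege's condition, when
 * present, is attached to both rules. Resource attributes, when present, become advice
 * expressions.
 *
 * @param privilege the privilege to convert; {@code null} yields {@code null}
 * @return the equivalent XACML policy, or {@code null} when {@code privilege} is {@code null}
 * @throws NullPointerException if the privilege carries no {@link Entitlement}; the entitlement
 *     supplies the resources, actions and rule ids, so the conversion cannot proceed without it
 * @throws JAXBException declared for callers; may be propagated by the XACML helpers this
 *     method calls
 * @throws EntitlementException declared for callers; may be propagated by the XACML helpers
 *     this method calls
 */
private static Policy privilegeToPolicyInternal(Privilege privilege) throws JAXBException, EntitlementException {
    if (privilege == null) {
        return null;
    }
    String privilegeName = privilege.getName();
    Entitlement entitlement = privilege.getEntitlement();
    if (entitlement == null) {
        // The entitlement is dereferenced for resources, actions and rule ids below; fail here
        // with a clear message instead of part-way through building the policy.
        throw new NullPointerException("Privilege '" + privilegeName + "' has no entitlement");
    }
    String applicationName = entitlement.getApplicationName();
    String entitlementName = entitlement.getName();

    Policy policy = new Policy();
    policy.setPolicyId(privilegeNameToPolicyId(privilegeName, applicationName));
    policy.setDescription(privilege.getDescription());

    // Variable definitions and rules are siblings in this single ordered list; the order they
    // are added below is the order they appear in the exported XML.
    List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();
    if (applicationName != null) {
        vrList.add(buildStringVariableDefinition(XACMLConstants.APPLICATION_NAME, applicationName));
    }
    if (entitlementName != null) {
        vrList.add(buildStringVariableDefinition(XACMLConstants.ENTITLEMENT_NAME, entitlementName));
    }
    vrList.add(buildStringVariableDefinition(XACMLConstants.PRIVILEGE_CREATED_BY, privilege.getCreatedBy()));
    vrList.add(buildStringVariableDefinition(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY,
            privilege.getLastModifiedBy()));

    // All timestamps are rendered in GMT so the export does not depend on the server's zone.
    TimeZone gmt = TimeZone.getTimeZone("GMT");
    SimpleDateFormat dayFormat = new SimpleDateFormat("yyyy-MM-dd");
    SimpleDateFormat timeFormat = new SimpleDateFormat("HH:mm:ss.SSS");
    SimpleDateFormat versionFormat = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    dayFormat.setTimeZone(gmt);
    timeFormat.setTimeZone(gmt);
    versionFormat.setTimeZone(gmt);
    String creationDateTime = dayFormat.format(privilege.getCreationDate()) + "T"
            + timeFormat.format(privilege.getCreationDate());
    String lastModifiedDateTime = dayFormat.format(privilege.getLastModifiedDate()) + "T"
            + timeFormat.format(privilege.getLastModifiedDate());
    vrList.add(buildVariableDefinition(XACMLConstants.PRIVILEGE_CREATION_DATE, XACMLConstants.XS_DATE_TIME,
            creationDateTime));
    vrList.add(buildVariableDefinition(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE,
            XACMLConstants.XS_DATE_TIME, lastModifiedDateTime));

    // PolicyIssuer and Defaults are optional XACML elements and are not emitted.
    // TODO: use the privilege's own version once it has one; until then the last-modified
    // timestamp stands in for it.
    Version version = new Version();
    version.setValue(versionFormat.format(privilege.getLastModifiedDate()));
    policy.setVersion(version);
    policy.setRuleCombiningAlgId(getRuleCombiningAlgId(applicationName));

    // XACML Target -> list of AnyOf -> list of AllOf -> list of Match.
    Target target = new Target();
    policy.setTarget(target);
    List<AnyOf> targetAnyOfList = target.getAnyOf();
    // TODO: detect simple subjects and set attribute value and designator
    // (entitlementSubjectToAnyOfList) instead of the single AnyOf used here.
    EntitlementSubject subject = privilege.getSubject();
    AnyOf anyOfSubject = entitlementSubjectToAnyOf(subject);
    if (anyOfSubject != null) {
        targetAnyOfList.add(anyOfSubject);
    }
    List<AnyOf> anyOfResourceList = resourceNamesToAnyOfList(entitlement.getResourceNames(), applicationName);
    if (anyOfResourceList != null) {
        targetAnyOfList.addAll(anyOfResourceList);
    }
    AnyOf anyOfApplication = applicationNameToAnyOf(applicationName);
    if (anyOfApplication != null) {
        targetAnyOfList.add(anyOfApplication);
    }
    // A missing action map is treated as "no actions": nothing is added to the target and no
    // rules are produced.
    Map<String, Boolean> actionValues = entitlement.getActionValues();
    Set<String> actionNames = actionValues != null ? actionValues.keySet() : new HashSet<String>();
    List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actionNames, applicationName);
    if (anyOfActionList != null) {
        targetAnyOfList.addAll(anyOfActionList);
    }

    // Partition actions: Boolean.TRUE -> permit rule; false or null -> deny rule.
    Set<String> permitActions = new HashSet<String>();
    Set<String> denyActions = new HashSet<String>();
    for (String actionName : actionNames) {
        if (Boolean.TRUE.equals(actionValues.get(actionName))) {
            permitActions.add(actionName);
        } else {
            denyActions.add(actionName);
        }
    }
    Condition condition = eSubjectConditionToXCondition(subject, privilege.getCondition());

    // Resource attributes (ResourceProvider) are carried as AdviceExpressions.
    Set<ResourceAttribute> resourceAttributes = privilege.getResourceAttributes();
    if (resourceAttributes != null && !resourceAttributes.isEmpty()) {
        policy.setAdviceExpressions(schemaFactory.resourceAttributesToAdviceExpressions(resourceAttributes));
    }
    if (!permitActions.isEmpty()) {
        vrList.add(buildActionRule(entitlementName + ":" + XACMLConstants.PREMIT_RULE_SUFFIX,
                XACMLConstants.PERMIT_RULE_DESCRIPTION, EffectType.PERMIT, permitActions, applicationName,
                condition));
    }
    if (!denyActions.isEmpty()) {
        vrList.add(buildActionRule(entitlementName + ":" + XACMLConstants.DENY_RULE_SUFFIX,
                XACMLConstants.DENY_RULE_DESCRIPTION, EffectType.DENY, denyActions, applicationName,
                condition));
    }
    return policy;
}

/**
 * Builds a {@code VariableDefinition} holding one {@code xs:string} attribute value.
 *
 * @param variableId the XACML variable id
 * @param value the string value placed in the attribute's content
 * @return the populated definition
 */
private static VariableDefinition buildStringVariableDefinition(String variableId, String value) {
    return buildVariableDefinition(variableId, XACMLConstants.XS_STRING, value);
}

/**
 * Builds a {@code VariableDefinition} whose expression is a single {@code AttributeValue}.
 *
 * @param variableId the XACML variable id
 * @param dataType the XACML data type of the attribute value
 * @param value the textual value placed in the attribute's content
 * @return the populated definition
 */
private static VariableDefinition buildVariableDefinition(String variableId, String dataType, String value) {
    VariableDefinition definition = new VariableDefinition();
    definition.setVariableId(variableId);
    AttributeValue attributeValue = new AttributeValue();
    attributeValue.setDataType(dataType);
    attributeValue.getContent().add(value);
    definition.setExpression(objectFactory.createAttributeValue(attributeValue));
    return definition;
}

/**
 * Builds a rule whose target matches the given action names and which carries the
 * privilege's condition when one exists. The same {@link Condition} instance is shared by the
 * permit and deny rules of one policy.
 *
 * @param ruleId the rule id
 * @param description the human-readable rule description
 * @param effect PERMIT or DENY
 * @param actions the action names the rule's target must match
 * @param applicationName the application the actions belong to (may be {@code null})
 * @param condition the condition to attach, or {@code null} for none
 * @return the populated rule
 * @throws JAXBException declared for callers; may be propagated by actionNamesToAnyOfList
 * @throws EntitlementException declared for callers; may be propagated by actionNamesToAnyOfList
 */
private static Rule buildActionRule(String ruleId, String description, EffectType effect, Set<String> actions,
        String applicationName, Condition condition) throws JAXBException, EntitlementException {
    Rule rule = new Rule();
    rule.setRuleId(ruleId);
    rule.setDescription(description);
    rule.setEffect(effect);
    Target ruleTarget = new Target();
    rule.setTarget(ruleTarget);
    List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actions, applicationName);
    if (anyOfActionList != null) {
        ruleTarget.getAnyOf().addAll(anyOfActionList);
    }
    if (condition != null) {
        rule.setCondition(condition);
    }
    return rule;
}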

Example 2 with Version

use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.

The class XACMLPrivilegeUtils, method referralToPolicyInternal.

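/**
 * Converts a {@link ReferralPrivilege} into a XACML 3 {@link Policy}.
 *
 * <p>The creator, last modifier and creation/last-modified timestamps are recorded as
 * {@code VariableDefinition}s, together with an {@code IS_REFERRAL_POLICY} boolean variable set
 * to true that flags the policy as a referral. The policy target is built from the privilege's
 * realms and its application-to-resources map, and one permit rule is added whose own target
 * carries no further restriction.
 *
 * @param privilege the referral privilege to convert; {@code null} yields {@code null}
 * @return the equivalent XACML policy, or {@code null} when {@code privilege} is {@code null}
 * @throws JAXBException declared for callers; may be propagated by the helpers this method calls
 * @throws JSONException declared for callers; may be propagated by the helpers this method calls
 */
public static Policy referralToPolicyInternal(ReferralPrivilege privilege) throws JAXBException, JSONException {
    if (privilege == null) {
        return null;
    }
    String privilegeName = privilege.getName();
    Policy policy = new Policy();
    // Referral privileges carry no application name, so the id is derived from the name alone.
    policy.setPolicyId(privilegeNameToPolicyId(privilegeName, null));
    policy.setDescription(privilege.getDescription());

    // Variable definitions and rules are siblings in this single ordered list; the order they
    // are added below is the order they appear in the exported XML.
    List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();

    VariableDefinition createdBy = new VariableDefinition();
    vrList.add(createdBy);
    createdBy.setVariableId(XACMLConstants.PRIVILEGE_CREATED_BY);
    AttributeValue createdByValue = new AttributeValue();
    createdByValue.setDataType(XACMLConstants.XS_STRING);
    createdByValue.getContent().add(privilege.getCreatedBy());
    createdBy.setExpression(objectFactory.createAttributeValue(createdByValue));

    VariableDefinition lastModifiedBy = new VariableDefinition();
    vrList.add(lastModifiedBy);
    lastModifiedBy.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY);
    AttributeValue lastModifiedByValue = new AttributeValue();
    lastModifiedByValue.setDataType(XACMLConstants.XS_STRING);
    lastModifiedByValue.getContent().add(privilege.getLastModifiedBy());
    lastModifiedBy.setExpression(objectFactory.createAttributeValue(lastModifiedByValue));

    // All timestamps are rendered in GMT so the export does not depend on the server's zone.
    TimeZone gmt = TimeZone.getTimeZone("GMT");
    SimpleDateFormat dayFormat = new SimpleDateFormat("yyyy-MM-dd");
    SimpleDateFormat timeFormat = new SimpleDateFormat("HH:mm:ss.SSS");
    SimpleDateFormat versionFormat = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    dayFormat.setTimeZone(gmt);
    timeFormat.setTimeZone(gmt);
    versionFormat.setTimeZone(gmt);

    VariableDefinition creationDate = new VariableDefinition();
    vrList.add(creationDate);
    creationDate.setVariableId(XACMLConstants.PRIVILEGE_CREATION_DATE);
    AttributeValue creationDateValue = new AttributeValue();
    creationDateValue.setDataType(XACMLConstants.XS_DATE_TIME);
    creationDateValue.getContent().add(dayFormat.format(privilege.getCreationDate()) + "T"
            + timeFormat.format(privilege.getCreationDate()));
    creationDate.setExpression(objectFactory.createAttributeValue(creationDateValue));

    VariableDefinition lastModifiedDate = new VariableDefinition();
    vrList.add(lastModifiedDate);
    lastModifiedDate.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE);
    AttributeValue lastModifiedDateValue = new AttributeValue();
    lastModifiedDateValue.setDataType(XACMLConstants.XS_DATE_TIME);
    lastModifiedDateValue.getContent().add(dayFormat.format(privilege.getLastModifiedDate()) + "T"
            + timeFormat.format(privilege.getLastModifiedDate()));
    lastModifiedDate.setExpression(objectFactory.createAttributeValue(lastModifiedDateValue));

    // Marks this policy as a referral so it is not mistaken for an ordinary policy.
    VariableDefinition isReferralPolicy = new VariableDefinition();
    vrList.add(isReferralPolicy);
    isReferralPolicy.setVariableId(XACMLConstants.IS_REFERRAL_POLICY);
    AttributeValue isReferralValue = new AttributeValue();
    isReferralValue.setDataType(XACMLConstants.XS_BOOLEAN_TYPE);
    isReferralValue.getContent().add(XACMLConstants.XS_BOOLEAN_TRUE);
    isReferralPolicy.setExpression(objectFactory.createAttributeValue(isReferralValue));

    // PolicyIssuer and Defaults are optional XACML elements and are not emitted.
    // TODO: use the privilege's own version once it has one; until then the last-modified
    // timestamp stands in for it.
    Version version = new Version();
    version.setValue(versionFormat.format(privilege.getLastModifiedDate()));
    policy.setVersion(version);
    policy.setRuleCombiningAlgId(XACMLConstants.XACML_RULE_DENY_OVERRIDES);

    // XACML Target -> list of AnyOf -> list of AllOf -> list of Match.
    Target target = new Target();
    policy.setTarget(target);
    Set<String> realms = privilege.getRealms();
    Map<String, Set<String>> appsResources = privilege.getOriginalMapApplNameToResources();
    AnyOf anyOfRealmsAppsResources = realmsAppsResourcesToAnyOf(realms, appsResources);
    if (anyOfRealmsAppsResources != null) {
        target.getAnyOf().add(anyOfRealmsAppsResources);
    }

    // Single permit rule; its target is left without AnyOf elements, so the policy target
    // alone decides applicability.
    Rule permitRule = new Rule();
    vrList.add(permitRule);
    permitRule.setRuleId(privilegeName + ":" + XACMLConstants.PREMIT_RULE_SUFFIX);
    permitRule.setDescription(XACMLConstants.PERMIT_RULE_DESCRIPTION);
    permitRule.setEffect(EffectType.PERMIT);
    permitRule.setTarget(new Target());
    return policy;
}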

Example 3 with Version

use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.

The class XacmlService, method exportXACML.

/**
 * Exports the realm's policies as a XACML 3 PolicySet document.
 *
 * <p>This overload takes the realm explicitly so tests can call it without mocking the static
 * getRealmFromRequest lookup. The export runs only after the caller's READ permission has been
 * confirmed, and the result is served as an attachment (OPENAM-4974) whose file name is derived
 * from the realm.
 *
 * @param realm The realm
 * @return Representation object wrapping the converted XACML
 * @throws ResourceException with status FORBIDDEN when the caller lacks READ permission, or with
 *     status INTERNAL_ERROR when the export itself fails
 */
@VisibleForTesting
Representation exportXACML(String realm) {
    List<String> filters = new ArrayList<String>(
            Arrays.asList(getQuery().getValuesArray(QUERY_PARAM_STRING)));
    final PolicySet exportedPolicySet;
    try {
        // Authorisation first: the export is not attempted until the READ check passes.
        if (!checkPermission("READ")) {
            throw new ResourceException(new Status(FORBIDDEN));
        }
        exportedPolicySet = importExport.exportXACML(realm, getAdminToken(), filters);
        getResponse().setStatus(Status.SUCCESS_OK);
    } catch (EntitlementException e) {
        debug.warning("Reading Policies failed", e);
        throw new ResourceException(
                new Status(INTERNAL_ERROR, e.getLocalizedMessage(getRequestLocale()), null, null));
    }
    Representation result = new OutputRepresentation(XACMLServiceEndpointApplication.APPLICATION_XML_XACML3) {

        @Override
        public void write(OutputStream outputStream) throws IOException {
            try {
                XACMLPrivilegeUtils.writeXMLToStream(exportedPolicySet, outputStream);
            } catch (EntitlementException e) {
                // write() may only throw IOException; keep the original exception as the cause.
                throw new IOException(e);
            }
        }
    };
    // OPENAM-4974: serve the document as a download rather than inline.
    Disposition attachment = new Disposition();
    attachment.setType(Disposition.TYPE_ATTACHMENT);
    attachment.setFilename(getPolicyAttachmentFileName(realm));
    result.setDisposition(attachment);
    return result;
}

Example 4 with Version

use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.

The class XACMLPrivilegeUtilsTest, method assertPolicySetContentsMatchPrivilegesContent.

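/**
 * Asserts that {@code policySet} holds exactly the policies produced from {@code privileges}:
 * the same number of policies, the same set of ids (policy id equals privilege name), every
 * privilege description present, and every policy versioned with the test's fixed timestamp
 * ({@code now}).
 *
 * <p>A {@code null} {@code privileges} set is treated as empty, so the policy set is then
 * expected to contain no policies.
 *
 * @param policySet the exported policy set under test (may be {@code null} only when no
 *     privileges were given)
 * @param privileges the privileges the policy set was built from; {@code null} means none
 */
private void assertPolicySetContentsMatchPrivilegesContent(PolicySet policySet, Set<Privilege> privileges) {
    boolean hasPrivileges = privileges != null && !privileges.isEmpty();
    if (hasPrivileges) {
        assertTrue(policySet != null, "Expected PolicySet to not be null.");
    }
    List<Policy> policies = getPoliciesFromPolicySet(policySet);
    int expectedCount = privileges == null ? 0 : privileges.size();
    assertEquals(policies.size(), expectedCount, "Mismatch between number of Policy elements in PolicySet, "
            + "and number of original Privileges.");

    // Collect ids and descriptions in one pass over the policies.
    List<String> policyIdList = new ArrayList<String>();
    List<String> descriptionList = new ArrayList<String>();
    for (Policy policy : policies) {
        policyIdList.add(policy.getPolicyId());
        descriptionList.add(policy.getDescription());
    }
    List<String> privilegeIdList = new ArrayList<String>();
    if (privileges != null) {
        for (Privilege privilege : privileges) {
            privilegeIdList.add(privilege.getName());
        }
    }
    // Both directions are checked so that neither missing nor extra policies slip through.
    assertTrue(policyIdList.containsAll(privilegeIdList), "Not all Privilege names were included in the "
            + "PolicySet.");
    assertTrue(privilegeIdList.containsAll(policyIdList), "Extra names were added to the PolicySet which were "
            + "not in the list of Privilege names.");
    if (privileges != null) {
        for (Privilege privilege : privileges) {
            String description = privilege.getDescription();
            assertTrue(descriptionList.contains(description), "Privilege with description '" + description
                    + "' not " + "found in PolicySet.");
        }
    }
    // Every policy's version is expected to be the fixture timestamp `now`.
    String privilegesVersion = formatMillisecondsAsTimestamp(now);
    for (Policy policy : policies) {
        assertEquals(policy.getVersion().getValue(), privilegesVersion, "Policy found with version not matching "
                + "Privilege creation date.");
    }
}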

Example 5 with Version

use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.

The class XACMLPrivilegeUtils, method policiesToPolicySetInternal.

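/**
 * Wraps the given policies in a XACML 3 {@link PolicySet} for the realm.
 *
 * <p>The policy set id is {@code realm + ":" + timestamp} and its version is that same GMT
 * timestamp, taken once so the two cannot disagree. The combining algorithm is deny-overrides
 * and the target is empty.
 *
 * @param realm the realm the policies belong to; becomes the prefix of the policy set id
 * @param policies the policies to include; {@code null} yields an empty policy set
 * @return the populated policy set
 * @throws JAXBException declared for callers; nothing in this method currently throws it
 */
private static PolicySet policiesToPolicySetInternal(String realm, Set<Policy> policies) throws JAXBException {
    PolicySet policySet = new PolicySet();
    // One timestamp, rendered in GMT, serves as both the id suffix and the version.
    SimpleDateFormat timestampFormat = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    timestampFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
    String currentTime = timestampFormat.format(System.currentTimeMillis());
    policySet.setPolicySetId(realm + ":" + currentTime);
    Version version = new Version();
    version.setValue(currentTime);
    policySet.setVersion(version);
    // FIXME: is there a better choice? The set may contain policies for different applications,
    // so deny-overrides is used as the conservative default.
    policySet.setPolicyCombiningAlgId(XACMLConstants.XACML_RULE_DENY_OVERRIDES);
    policySet.setTarget(new Target());
    if (policies != null) {
        List<JAXBElement<?>> pList = policySet.getPolicySetOrPolicyOrPolicySetIdReference();
        for (Policy policy : policies) {
            pList.add(objectFactory.createPolicy(policy));
        }
    }
    return policySet;
}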
