use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method privilegeToPolicyInternal.
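/**
 * Converts a {@link Privilege} into an XACML 3 {@link Policy}.
 *
 * <p>The privilege's bookkeeping fields (application name, entitlement name, created-by,
 * last-modified-by, creation date and last-modified date) are exported as
 * {@code VariableDefinition}s. The policy {@code Target} is built from the subject, the
 * entitlement's resource names, the application name and the entitlement's action names.
 * Actions mapped to {@code true} in the entitlement go into a PERMIT rule and all other
 * actions into a DENY rule; both rules carry the condition derived from the privilege's
 * subject and condition. Resource attributes, when present, become AdviceExpressions.
 *
 * <p>A privilege without an entitlement (or with a {@code null} action map) yields a policy
 * with no resource, action or rule content instead of failing with a
 * {@code NullPointerException}.
 *
 * @param privilege the privilege to convert; may be {@code null}
 * @return the converted policy, or {@code null} when {@code privilege} is {@code null}
 * @throws JAXBException kept in the signature for existing callers; this method no longer
 *         creates a {@code JAXBContext} of its own
 * @throws EntitlementException if subject, resource, action or condition conversion fails
 */
private static Policy privilegeToPolicyInternal(Privilege privilege)
        throws JAXBException, EntitlementException {
    if (privilege == null) {
        return null;
    }
    Policy policy = new Policy();
    String privilegeName = privilege.getName();
    Entitlement entitlement = privilege.getEntitlement();
    String applicationName = null;
    String entitlementName = null;
    if (entitlement != null) {
        applicationName = entitlement.getApplicationName();
        entitlementName = entitlement.getName();
    }
    policy.setPolicyId(privilegeNameToPolicyId(privilegeName, applicationName));
    policy.setDescription(privilege.getDescription());

    // One JAXB list holds both the variable definitions and the rules; definitions go first.
    List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();
    if (applicationName != null) {
        vrList.add(newVariableDefinition(XACMLConstants.APPLICATION_NAME, XACMLConstants.XS_STRING,
                applicationName));
    }
    if (entitlementName != null) {
        vrList.add(newVariableDefinition(XACMLConstants.ENTITLEMENT_NAME, XACMLConstants.XS_STRING,
                entitlementName));
    }
    vrList.add(newVariableDefinition(XACMLConstants.PRIVILEGE_CREATED_BY, XACMLConstants.XS_STRING,
            privilege.getCreatedBy()));
    vrList.add(newVariableDefinition(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY, XACMLConstants.XS_STRING,
            privilege.getLastModifiedBy()));

    // Timestamps are rendered in GMT so the export does not depend on the server's default zone.
    SimpleDateFormat dateTimeFormat = newGmtDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS");
    vrList.add(newVariableDefinition(XACMLConstants.PRIVILEGE_CREATION_DATE, XACMLConstants.XS_DATE_TIME,
            dateTimeFormat.format(privilege.getCreationDate())));
    vrList.add(newVariableDefinition(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE, XACMLConstants.XS_DATE_TIME,
            dateTimeFormat.format(privilege.getLastModifiedDate())));

    // PolicyIssuer and Defaults are optional and are not exported (TODO).
    // TODO: use privilege version in future; the last-modified timestamp stands in for it.
    Version version = new Version();
    version.setValue(newGmtDateFormat("yyyy.MM.dd.HH.mm.ss.SSS").format(privilege.getLastModifiedDate()));
    policy.setVersion(version);

    policy.setRuleCombiningAlgId(getRuleCombiningAlgId(applicationName));

    // XACML Target contains a list of AnyOf(s); AnyOf contains AllOf(s); AllOf contains Match(es).
    Target target = new Target();
    policy.setTarget(target);
    List<AnyOf> targetAnyOfList = target.getAnyOf();
    // TODO: detect simple subjects and set attribute value and designator (entitlementSubjectToAnyOfList).
    EntitlementSubject es = privilege.getSubject();
    AnyOf anyOfSubject = entitlementSubjectToAnyOf(es);
    if (anyOfSubject != null) {
        targetAnyOfList.add(anyOfSubject);
    }

    // A privilege may have no entitlement, and an entitlement may have no action map;
    // both cases are treated as "no resources / no actions" rather than dereferenced.
    Set<String> resources = entitlement != null ? entitlement.getResourceNames() : new HashSet<String>();
    Map<String, Boolean> actionValues = entitlement != null ? entitlement.getActionValues() : null;
    Set<String> actionNames = actionValues != null ? actionValues.keySet() : new HashSet<String>();

    List<AnyOf> anyOfResourceList = resourceNamesToAnyOfList(resources, applicationName);
    if (anyOfResourceList != null) {
        targetAnyOfList.addAll(anyOfResourceList);
    }
    AnyOf anyOfApplication = applicationNameToAnyOf(applicationName);
    if (anyOfApplication != null) {
        targetAnyOfList.add(anyOfApplication);
    }
    List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actionNames, applicationName);
    if (anyOfActionList != null) {
        targetAnyOfList.addAll(anyOfActionList);
    }

    // Split the action map: TRUE -> PERMIT rule; anything else (FALSE or null) -> DENY rule.
    Set<String> permitActions = new HashSet<String>();
    Set<String> denyActions = new HashSet<String>();
    for (String actionName : actionNames) {
        if (Boolean.TRUE.equals(actionValues.get(actionName))) {
            permitActions.add(actionName);
        } else {
            denyActions.add(actionName);
        }
    }

    Condition condition = eSubjectConditionToXCondition(es, privilege.getCondition());

    // Resource attributes (ResourceProvider) are exported as AdviceExpressions.
    Set<ResourceAttribute> resourceAttributes = privilege.getResourceAttributes();
    if (resourceAttributes != null && !resourceAttributes.isEmpty()) {
        policy.setAdviceExpressions(schemaFactory.resourceAttributesToAdviceExpressions(resourceAttributes));
    }

    if (!permitActions.isEmpty()) {
        vrList.add(newActionRule(entitlementName + ":" + XACMLConstants.PREMIT_RULE_SUFFIX,
                XACMLConstants.PERMIT_RULE_DESCRIPTION, EffectType.PERMIT, permitActions,
                applicationName, condition));
    }
    if (!denyActions.isEmpty()) {
        vrList.add(newActionRule(entitlementName + ":" + XACMLConstants.DENY_RULE_SUFFIX,
                XACMLConstants.DENY_RULE_DESCRIPTION, EffectType.DENY, denyActions,
                applicationName, condition));
    }
    return policy;
}

/**
 * Builds a {@code VariableDefinition} whose expression is a single {@code AttributeValue}.
 *
 * @param variableId the XACML VariableId
 * @param dataType   the XACML DataType URI of the attribute value
 * @param value      the attribute content; passed through as-is, so a {@code null} value
 *                   is added to the content list just as before
 * @return the populated definition
 */
private static VariableDefinition newVariableDefinition(String variableId, String dataType, String value) {
    AttributeValue attributeValue = new AttributeValue();
    attributeValue.setDataType(dataType);
    attributeValue.getContent().add(value);
    VariableDefinition definition = new VariableDefinition();
    definition.setVariableId(variableId);
    definition.setExpression(objectFactory.createAttributeValue(attributeValue));
    return definition;
}

/**
 * Creates a {@link SimpleDateFormat} for {@code pattern} fixed to the GMT zone.
 * A new instance is returned on every call because {@code SimpleDateFormat} is not thread-safe.
 *
 * @param pattern the {@code SimpleDateFormat} pattern
 * @return a GMT-zoned formatter
 */
private static SimpleDateFormat newGmtDateFormat(String pattern) {
    SimpleDateFormat format = new SimpleDateFormat(pattern);
    format.setTimeZone(TimeZone.getTimeZone("GMT"));
    return format;
}

/**
 * Builds a {@link Rule} with the given effect whose Target matches {@code actions}.
 *
 * @param ruleId          the XACML RuleId
 * @param description     the rule description
 * @param effect          PERMIT or DENY
 * @param actions         action names the rule applies to
 * @param applicationName the application the actions belong to
 * @param condition       attached to the rule when non-{@code null}
 * @return the populated rule
 * @throws JAXBException        if action conversion fails
 * @throws EntitlementException if action conversion fails
 */
private static Rule newActionRule(String ruleId, String description, EffectType effect, Set<String> actions,
        String applicationName, Condition condition) throws JAXBException, EntitlementException {
    Rule rule = new Rule();
    rule.setRuleId(ruleId);
    rule.setDescription(description);
    rule.setEffect(effect);
    Target ruleTarget = new Target();
    rule.setTarget(ruleTarget);
    List<AnyOf> anyOfActionList = actionNamesToAnyOfList(actions, applicationName);
    if (anyOfActionList != null) {
        ruleTarget.getAnyOf().addAll(anyOfActionList);
    }
    if (condition != null) {
        rule.setCondition(condition);
    }
    return rule;
}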
use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method referralToPolicyInternal.
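/**
 * Converts a {@link ReferralPrivilege} into an XACML 3 {@link Policy}.
 *
 * <p>Created-by, last-modified-by, creation date and last-modified date are exported as
 * {@code VariableDefinition}s, plus an {@code IS_REFERRAL_POLICY} boolean marker set to true.
 * The policy Target is derived from the referral's realms and its application-to-resources
 * map, the combining algorithm is fixed to deny-overrides, and a single PERMIT rule with an
 * empty Target and no condition is appended.
 *
 * @param privilege the referral privilege to convert; may be {@code null}
 * @return the converted policy, or {@code null} when {@code privilege} is {@code null}
 * @throws JAXBException kept in the signature for existing callers; this method no longer
 *         creates a {@code JAXBContext} of its own
 * @throws JSONException if target conversion fails
 */
public static Policy referralToPolicyInternal(ReferralPrivilege privilege) throws JAXBException, JSONException {
    if (privilege == null) {
        return null;
    }
    Policy policy = new Policy();
    String privilegeName = privilege.getName();
    policy.setPolicyId(privilegeNameToPolicyId(privilegeName, null));
    policy.setDescription(privilege.getDescription());

    // One JAXB list holds both the variable definitions and the rule; definitions go first.
    List<Object> vrList = policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition();

    VariableDefinition createdBy = new VariableDefinition();
    createdBy.setVariableId(XACMLConstants.PRIVILEGE_CREATED_BY);
    AttributeValue createdByValue = new AttributeValue();
    createdByValue.setDataType(XACMLConstants.XS_STRING);
    createdByValue.getContent().add(privilege.getCreatedBy());
    createdBy.setExpression(objectFactory.createAttributeValue(createdByValue));
    vrList.add(createdBy);

    VariableDefinition lastModifiedBy = new VariableDefinition();
    lastModifiedBy.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_BY);
    AttributeValue lastModifiedByValue = new AttributeValue();
    lastModifiedByValue.setDataType(XACMLConstants.XS_STRING);
    lastModifiedByValue.getContent().add(privilege.getLastModifiedBy());
    lastModifiedBy.setExpression(objectFactory.createAttributeValue(lastModifiedByValue));
    vrList.add(lastModifiedBy);

    // Timestamps are rendered in GMT so the export does not depend on the server's default zone.
    // A single pattern with a literal 'T' produces the same text as date + "T" + time did before.
    SimpleDateFormat dateTimeFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS");
    SimpleDateFormat versionFormat = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    dateTimeFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
    versionFormat.setTimeZone(TimeZone.getTimeZone("GMT"));

    VariableDefinition creationDate = new VariableDefinition();
    creationDate.setVariableId(XACMLConstants.PRIVILEGE_CREATION_DATE);
    AttributeValue creationDateValue = new AttributeValue();
    creationDateValue.setDataType(XACMLConstants.XS_DATE_TIME);
    creationDateValue.getContent().add(dateTimeFormat.format(privilege.getCreationDate()));
    creationDate.setExpression(objectFactory.createAttributeValue(creationDateValue));
    vrList.add(creationDate);

    VariableDefinition lastModifiedDate = new VariableDefinition();
    lastModifiedDate.setVariableId(XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE);
    AttributeValue lastModifiedDateValue = new AttributeValue();
    lastModifiedDateValue.setDataType(XACMLConstants.XS_DATE_TIME);
    lastModifiedDateValue.getContent().add(dateTimeFormat.format(privilege.getLastModifiedDate()));
    lastModifiedDate.setExpression(objectFactory.createAttributeValue(lastModifiedDateValue));
    vrList.add(lastModifiedDate);

    // Marker that lets the importer tell a referral policy from an ordinary one.
    VariableDefinition isReferralPolicy = new VariableDefinition();
    isReferralPolicy.setVariableId(XACMLConstants.IS_REFERRAL_POLICY);
    AttributeValue isReferralValue = new AttributeValue();
    isReferralValue.setDataType(XACMLConstants.XS_BOOLEAN_TYPE);
    isReferralValue.getContent().add(XACMLConstants.XS_BOOLEAN_TRUE);
    isReferralPolicy.setExpression(objectFactory.createAttributeValue(isReferralValue));
    vrList.add(isReferralPolicy);

    // PolicyIssuer and Defaults are optional and are not exported (TODO).
    // TODO: use privilege version in future; the last-modified timestamp stands in for it.
    Version version = new Version();
    version.setValue(versionFormat.format(privilege.getLastModifiedDate()));
    policy.setVersion(version);

    policy.setRuleCombiningAlgId(XACMLConstants.XACML_RULE_DENY_OVERRIDES);

    // XACML Target contains a list of AnyOf(s); AnyOf contains AllOf(s); AllOf contains Match(es).
    Target target = new Target();
    policy.setTarget(target);
    Set<String> realms = privilege.getRealms();
    Map<String, Set<String>> appsResources = privilege.getOriginalMapApplNameToResources();
    AnyOf anyOfRealmsAppsResources = realmsAppsResourcesToAnyOf(realms, appsResources);
    if (anyOfRealmsAppsResources != null) {
        target.getAnyOf().add(anyOfRealmsAppsResources);
    }

    // The single PERMIT rule carries an empty Target and no Condition.
    Rule permitRule = new Rule();
    permitRule.setRuleId(privilegeName + ":" + XACMLConstants.PREMIT_RULE_SUFFIX);
    permitRule.setDescription(XACMLConstants.PERMIT_RULE_DESCRIPTION);
    permitRule.setEffect(EffectType.PERMIT);
    permitRule.setTarget(new Target());
    vrList.add(permitRule);

    return policy;
}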
use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.
the class XacmlService method exportXACML.
/**
 * Exports the policies of {@code realm} as an XACML 3 PolicySet representation.
 *
 * <p>Package-private overload used by tests: the realm is passed explicitly instead of being
 * read from the request, so the static realm lookup does not have to be mocked. Filters come
 * from the request query string. The caller's READ permission is checked before any policy is
 * read, and the result is served as an attachment (OPENAM-4974).
 *
 * @param realm the realm whose policies are exported
 * @return an XML representation of the converted PolicySet, marked as an attachment
 * @throws ResourceException with FORBIDDEN when the caller lacks READ permission, or
 *         INTERNAL_ERROR when reading the policies fails
 */
@VisibleForTesting
Representation exportXACML(String realm) {
    String[] filterValues = getQuery().getValuesArray(QUERY_PARAM_STRING);
    List<String> filters = new ArrayList<String>(Arrays.asList(filterValues));

    // Definitely assigned after the try: the catch never completes normally.
    final PolicySet exported;
    try {
        if (!checkPermission("READ")) {
            throw new ResourceException(new Status(FORBIDDEN));
        }
        exported = importExport.exportXACML(realm, getAdminToken(), filters);
        getResponse().setStatus(Status.SUCCESS_OK);
    } catch (EntitlementException e) {
        debug.warning("Reading Policies failed", e);
        throw new ResourceException(new Status(INTERNAL_ERROR, e.getLocalizedMessage(getRequestLocale()), null, null));
    }

    // Marshalling happens lazily when the framework writes the response body.
    Representation representation = new OutputRepresentation(XACMLServiceEndpointApplication.APPLICATION_XML_XACML3) {
        @Override
        public void write(OutputStream outputStream) throws IOException {
            try {
                XACMLPrivilegeUtils.writeXMLToStream(exported, outputStream);
            } catch (EntitlementException e) {
                throw new IOException(e);
            }
        }
    };

    // OPENAM-4974: serve as a download. NOTE(review): the filename is derived from the realm;
    // assumes getPolicyAttachmentFileName yields a header-safe value — confirm against its implementation.
    Disposition attachment = new Disposition();
    attachment.setType(Disposition.TYPE_ATTACHMENT);
    attachment.setFilename(getPolicyAttachmentFileName(realm));
    representation.setDisposition(attachment);
    return representation;
}
use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.
the class XACMLPrivilegeUtilsTest method assertPolicySetContentsMatchPrivilegesContent.
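/**
 * Asserts that {@code policySet} is the export of exactly {@code privileges}: same count,
 * the same set of names (policy id vs. privilege name), every privilege description present,
 * and every policy version equal to the timestamp derived from {@code now}.
 *
 * <p>A {@code null} privilege set now fails with an explicit assertion instead of a
 * {@code NullPointerException} from {@code privileges.size()}.
 *
 * @param policySet  the exported PolicySet; must be non-null when privileges is non-empty
 * @param privileges the privileges the PolicySet was built from
 */
private void assertPolicySetContentsMatchPrivilegesContent(PolicySet policySet, Set<Privilege> privileges) {
    assertTrue(privileges != null, "Expected set of Privileges to not be null.");
    if (!privileges.isEmpty()) {
        assertTrue(policySet != null, "Expected PolicySet to not be null.");
    }
    List<Policy> policies = getPoliciesFromPolicySet(policySet);
    assertEquals(policies.size(), privileges.size(), "Mismatch between number of Policy elements in PolicySet, and number of original Privileges.");

    List<String> policyIdList = new ArrayList<String>();
    for (Policy policy : policies) {
        policyIdList.add(policy.getPolicyId());
    }
    List<String> privilegeIdList = new ArrayList<String>();
    for (Privilege privilege : privileges) {
        privilegeIdList.add(privilege.getName());
    }
    // containsAll in both directions ignores duplicates; the size check above covers that.
    assertTrue(policyIdList.containsAll(privilegeIdList), "Not all Privilege names were included in the PolicySet.");
    assertTrue(privilegeIdList.containsAll(policyIdList), "Extra names were added to the PolicySet which were not in the list of Privilege names.");

    List<String> descriptionList = new ArrayList<String>();
    for (Policy policy : policies) {
        descriptionList.add(policy.getDescription());
    }
    for (Privilege privilege : privileges) {
        String description = privilege.getDescription();
        assertTrue(descriptionList.contains(description), "Privilege with description '" + description + "' not found in PolicySet.");
    }

    // Every exported policy stamps its version from the fixture's 'now' timestamp.
    String privilegesVersion = formatMillisecondsAsTimestamp(now);
    for (Policy policy : policies) {
        assertEquals(policy.getVersion().getValue(), privilegesVersion, "Policy found with version not matching Privilege creation date.");
    }
}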
use of com.sun.identity.entitlement.xacml3.core.Version in project OpenAM by OpenRock.
the class XACMLPrivilegeUtils method policiesToPolicySetInternal.
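/**
 * Wraps a set of policies into a single XACML 3 {@link PolicySet} for {@code realm}.
 *
 * <p>The PolicySetId is {@code realm + ":" + timestamp} and the Version is that same
 * timestamp; both are taken from one clock reading so they cannot drift apart by a
 * millisecond as two separate {@code System.currentTimeMillis()} calls could. The
 * combining algorithm is deny-overrides and the Target is empty.
 *
 * @param realm    the realm the policies belong to; used verbatim in the PolicySetId
 * @param policies the policies to include; {@code null} yields an empty PolicySet
 * @return the populated PolicySet
 * @throws JAXBException kept in the signature for existing callers; this method no longer
 *         creates a {@code JAXBContext} of its own
 */
private static PolicySet policiesToPolicySetInternal(String realm, Set<Policy> policies) throws JAXBException {
    PolicySet policySet = new PolicySet();

    // GMT so the id/version text does not depend on the server's default zone.
    SimpleDateFormat versionFormat = new SimpleDateFormat("yyyy.MM.dd.HH.mm.ss.SSS");
    versionFormat.setTimeZone(TimeZone.getTimeZone("GMT"));
    String currentTime = versionFormat.format(System.currentTimeMillis());

    policySet.setPolicySetId(realm + ":" + currentTime);
    Version version = new Version();
    version.setValue(currentTime);
    policySet.setVersion(version);

    // FIXME: is there a better choice? The PolicySet could contain policies for different applications.
    policySet.setPolicyCombiningAlgId(XACMLConstants.XACML_RULE_DENY_OVERRIDES);
    policySet.setTarget(new Target());

    List<JAXBElement<?>> policyElements = policySet.getPolicySetOrPolicyOrPolicySetIdReference();
    if (policies != null) {
        for (Policy policy : policies) {
            policyElements.add(objectFactory.createPolicy(policy));
        }
    }
    return policySet;
}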