use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class DelegationEvaluatorImpl method isAllowed.
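/**
 * Decides whether the user bound to {@code token} holds the requested delegation permission.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>If the entitlement service has not been migrated to, access is denied outright.</li>
 *   <li>The privileged user, the configured admin user and, while {@code installTime} is set,
 *       any member of {@code adminUserSet} are granted unconditionally.</li>
 *   <li>Outside sub-tree mode the decision is delegated to the three-argument
 *       {@code isAllowed}.</li>
 *   <li>In sub-tree mode an {@code sms://} resource string is built from the permission's
 *       organisation, service, version, config type and sub-config name, the delegation policies
 *       are evaluated against it with super-admin privileges, and access is granted only when
 *       every requested action is allowed by the returned entitlements.</li>
 * </ol>
 *
 * @param token SSO token of the user being checked.
 * @param permission the delegation permission being requested.
 * @param envParameters environment parameters handed through to the policy evaluator.
 * @param subTreeMode whether to evaluate the permission in sub-tree mode.
 * @return {@code true} if the user is allowed the permission, {@code false} otherwise.
 * @throws SSOException if the token is invalid.
 * @throws DelegationException if the user's identity cannot be resolved or policy evaluation
 *     fails; the underlying exception is attached as the cause.
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParameters, boolean subTreeMode) throws SSOException, DelegationException {
    EntitlementConfiguration ec = EntitlementConfiguration.getInstance(PolicyConstants.SUPER_ADMIN_SUBJECT, "/");
    if (!ec.migratedToEntitlementService()) {
        return false;
    }
    try {
        AMIdentity user = new AMIdentity(token);
        // Short-circuit for the privileged/admin identities; these bypass policy evaluation entirely.
        boolean isPrivilegedUser = (privilegedUser != null) && user.equals(privilegedUser);
        boolean isInstallAdmin = installTime && adminUserSet.contains(DNUtils.normalizeDN(token.getPrincipal().getName()));
        if (isPrivilegedUser || isInstallAdmin || user.equals(adminUserId)) {
            return true;
        }
    } catch (IdRepoException ide) {
        // Keep the IdRepoException as the cause (the sibling catch blocks already do this);
        // wrapping only getMessage() used to drop the stack trace needed to diagnose repo failures.
        throw new DelegationException(ide);
    }
    if (!subTreeMode) {
        return isAllowed(token, permission, envParameters);
    }
    String resource = buildSubTreeResource(permission);
    try {
        Subject userSubject = SubjectUtils.createSubject(token);
        // Evaluation runs as super admin against the delegation service; the user only appears
        // as the subject being evaluated, not as the evaluating principal.
        Evaluator eval = new Evaluator(PolicyConstants.SUPER_ADMIN_SUBJECT, DelegationManager.DELEGATION_SERVICE);
        List<Entitlement> results = eval.evaluate(DNMapper.orgNameToDN(PolicyManager.DELEGATION_REALM), userSubject, resource, envParameters, true);
        return allActionsGranted(results, permission.getActions());
    } catch (EntitlementException ex) {
        debug.error("DelegationEvaluator.isAllowed", ex);
        throw new DelegationException(ex);
    }
}

/**
 * Builds the {@code sms://} resource string used for sub-tree evaluation.
 *
 * <p>Each non-null component of the permission is appended in the order organisation, service,
 * version, config type, sub-config name, with a {@code /} after every component except the last.
 * Components are appended verbatim; a component that itself contains {@code /} would alter the
 * path shape, so this relies on the components having been validated upstream (TODO confirm).
 *
 * @param permission the permission whose components form the resource.
 * @return the resource string, at minimum {@code "sms://"}.
 */
private static String buildSubTreeResource(DelegationPermission permission) {
    StringBuilder buff = new StringBuilder();
    buff.append("sms://");
    if (permission.getOrganizationName() != null) {
        buff.append(permission.getOrganizationName()).append("/");
    }
    if (permission.getServiceName() != null) {
        buff.append(permission.getServiceName()).append("/");
    }
    if (permission.getVersion() != null) {
        buff.append(permission.getVersion()).append("/");
    }
    if (permission.getConfigType() != null) {
        buff.append(permission.getConfigType()).append("/");
    }
    if (permission.getSubConfigName() != null) {
        buff.append(permission.getSubConfigName());
    }
    return buff.toString();
}

/**
 * Checks whether the entitlements collectively allow every requested action.
 *
 * <p>Actions are removed from a working copy as soon as any entitlement reports them as allowed
 * ({@code Boolean.TRUE}); the check succeeds the moment the working copy becomes empty. With no
 * entitlements the result is always {@code false}, even for an empty action set.
 *
 * @param results entitlements returned by the evaluator, in evaluation order.
 * @param actions the actions the caller requested.
 * @return {@code true} if all actions are granted, {@code false} otherwise.
 */
private static boolean allActionsGranted(List<Entitlement> results, Collection<String> actions) {
    List<String> remaining = new ArrayList<String>(actions);
    for (Entitlement e : results) {
        // Walk backwards so removal does not disturb the indices still to be visited.
        for (int i = remaining.size() - 1; i >= 0; --i) {
            Boolean allowed = e.getActionValue(remaining.get(i));
            if ((allowed != null) && allowed) {
                remaining.remove(i);
            }
        }
        if (remaining.isEmpty()) {
            return true;
        }
    }
    return false;
}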
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class DelegationManager method validateSupportedSubjectTypes.
/**
 * Verifies that every subject in {@code subjects} has a supported identity type.
 *
 * <p>Each entry is treated as a universal id, resolved through the admin token and compared
 * against {@code subjectIdTypes}. A {@code null} or empty set passes trivially.
 *
 * @param subjects universal ids of the subjects to check; entries are expected to be
 *     {@code String}s.
 * @throws DelegationException if an entry has an unsupported type, if the admin token cannot be
 *     used, or if an identity cannot be resolved.
 */
private static void validateSupportedSubjectTypes(Set subjects) throws DelegationException {
    if (subjects == null || subjects.isEmpty()) {
        return;
    }
    try {
        SSOToken adminToken = getAdminToken();
        for (Object entry : subjects) {
            String universalId = (String) entry;
            AMIdentity identity = IdUtils.getIdentity(adminToken, universalId);
            String typeName = identity.getType().getName();
            if (!subjectIdTypes.contains(typeName)) {
                throw new DelegationException(ResBundleUtils.rbName, "un_supported_subject_type", null, null);
            }
        }
    } catch (SSOException e) {
        throw new DelegationException(e);
    } catch (IdRepoException e) {
        throw new DelegationException(e);
    }
}
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class IdRepoDataStoreProvider method getAttributes.
/**
* Returns attribute values for a user.
* @param userID Universal identifier of the user.
* @param attrNames Set of attributes whose values are to be retrieved.
* @return Map containing attribute key/value pair, key is the
* attribute name, value is a Set of values.
* @throws DataStoreProviderException if unable to retrieve the values.
*/
/**
 * Returns attribute values for a user.
 *
 * <p>The lookup is performed with the admin token obtained from {@code AdminTokenAction}, so no
 * authorization of the caller happens here; callers are expected to have done that already.
 *
 * @param userID Universal identifier of the user.
 * @param attrNames Set of attributes whose values are to be retrieved.
 * @return Map containing attribute key/value pair, key is the attribute name, value is a Set of
 *     values.
 * @throws DataStoreProviderException if either argument is null or if the values cannot be
 *     retrieved; in the latter case the underlying exception is attached as the cause.
 */
public Map<String, Set<String>> getAttributes(String userID, Set<String> attrNames) throws DataStoreProviderException {
    if (userID == null) {
        throw new DataStoreProviderException(bundle.getString("nullUserId"));
    }
    if (attrNames == null) {
        throw new DataStoreProviderException(bundle.getString("nullAttrSet"));
    }
    try {
        SSOToken admin = AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentity identity = IdUtils.getIdentity(admin, userID);
        return identity.getAttributes(attrNames);
    } catch (IdRepoException ide) {
        debug.error("IdRepoDataStoreProvider.getAttribute(2): IdRepo exception", ide);
        throw new DataStoreProviderException(ide);
    } catch (SSOException ssoe) {
        debug.error("IdRepoDataStoreProvider.getAttribute(2): invalid admin SSOtoken", ssoe);
        throw new DataStoreProviderException(ssoe);
    }
}
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class IdRepoDataStoreProvider method getUserID.
/**
* Returns user matching the search criteria.
* @param orgDN The realm to search the user. If null,
* searches the root realm.
* @param avPairs Attribute key/value pairs that will be used for
* searching the user. Key is the attribute name, value
* is a Set containing attribute value(s).
* @return Universal identifier of the matching user, null if
* the matching user could not be found.
* @throws DataStoreProviderException if error occurs during search or
* multiple matching users found.
*/
/**
 * Returns user matching the search criteria.
 *
 * <p>The search is an AND over {@code avPairs} against users (pattern {@code "*"}) in the given
 * realm. The pairs are handed to the repository as search conditions; nothing in this method
 * escapes or validates them, so that is left to the {@code IdSearchControl} layer
 * (TODO confirm).
 *
 * @param orgDN The realm to search the user. If null, searches the root realm.
 * @param avPairs Attribute key/value pairs that will be used for searching the user. Key is the
 *     attribute name, value is a Set containing attribute value(s).
 * @return Universal identifier of the matching user, null if the matching user could not be
 *     found.
 * @throws DataStoreProviderException if {@code avPairs} is null or empty, if error occurs during
 *     search, or if multiple matching users are found.
 */
public String getUserID(String orgDN, Map<String, Set<String>> avPairs) throws DataStoreProviderException {
    String realm = (orgDN != null) ? orgDN : SMSEntry.getRootSuffix();
    if (avPairs == null || avPairs.isEmpty()) {
        throw new DataStoreProviderException(bundle.getString("nullAvPair"));
    }
    Set matches = null;
    try {
        IdSearchControl control = getIdSearchControl(avPairs, IdSearchOpModifier.AND);
        AMIdentityRepository repository = getAMIdentityRepository(realm);
        IdSearchResults results = repository.searchIdentities(IdType.USER, "*", control);
        matches = results.getSearchResults();
    } catch (IdRepoException ame) {
        debug.error("IdRepoDataStoreProvider.getUserID(): IdRepoException", ame);
        throw new DataStoreProviderException(ame);
    } catch (SSOException ssoe) {
        debug.error("IdRepoDataStoreProvider.getUserID() : SSOException", ssoe);
        throw new DataStoreProviderException(ssoe);
    }
    int matchCount = (matches == null) ? 0 : matches.size();
    if (matchCount == 0) {
        debug.message("IdRepoDataStoreProvider.getUserID : user not found");
        return null;
    }
    if (matchCount > 1) {
        // More than one hit is ambiguous; refuse rather than pick one.
        debug.message("IdRepoDataStoreProvider.getUserID : multiple match");
        throw new DataStoreProviderException(bundle.getString("multipleMatches"));
    }
    final AMIdentity match = (AMIdentity) matches.iterator().next();
    final String universalId = IdUtils.getUniversalId(match);
    if (debug.messageEnabled()) {
        debug.message("IdRepoDataStoreProvider.getUserID() Name=: " + match.getName() + " DN=: " + match.getDN() + " univId=: " + universalId);
    }
    return universalId;
}
use of com.sun.identity.idm.AMIdentity in project OpenAM by OpenRock.
the class IdRepoDataStoreProvider method getAttribute.
/**
* Returns values for a given attribute.
* @param userID Universal identifier of the user.
* @param attrName Name of the attribute whose value to be retrieved.
* @return Set of the values for the attribute.
* @throws DataStoreProviderException if unable to retrieve the attribute.
*/
/**
 * Returns values for a given attribute.
 *
 * <p>The lookup is performed with the admin token obtained from {@code AdminTokenAction}, so no
 * authorization of the caller happens here; callers are expected to have done that already.
 *
 * @param userID Universal identifier of the user.
 * @param attrName Name of the attribute whose value to be retrieved.
 * @return Set of the values for the attribute.
 * @throws DataStoreProviderException if either argument is null or if the attribute cannot be
 *     retrieved; in the latter case the underlying exception is attached as the cause.
 */
public Set<String> getAttribute(String userID, String attrName) throws DataStoreProviderException {
    if (userID == null) {
        throw new DataStoreProviderException(bundle.getString("nullUserId"));
    }
    if (attrName == null) {
        throw new DataStoreProviderException(bundle.getString("nullAttrName"));
    }
    try {
        SSOToken admin = AccessController.doPrivileged(AdminTokenAction.getInstance());
        AMIdentity identity = IdUtils.getIdentity(admin, userID);
        return identity.getAttribute(attrName);
    } catch (IdRepoException ide) {
        debug.error("IdRepoDataStoreProvider.getAttribute(1): IdRepo exception", ide);
        throw new DataStoreProviderException(ide);
    } catch (SSOException ssoe) {
        debug.error("IdRepoDataStoreProvider.getAttribute(1): invalid admin SSOtoken", ssoe);
        throw new DataStoreProviderException(ssoe);
    }
}