use of com.sun.identity.policy.ActionDecision in project OpenAM by OpenRock.
the class ResourceResultCache method getPolicyDecision.
/**
 * Returns the policy decision for {@code resourceName} and {@code actionNames},
 * refusing to hand back a decision whose time-to-live has already passed.
 *
 * <p>The first lookup may be served from the local cache. If that decision is
 * expired, the server is asked again with the cache bypassed, up to
 * {@code retryCount} times. A decision that is still expired after the last
 * attempt is never returned: a {@link PolicyEvaluationException} is thrown
 * instead, so callers can not act on a stale allow/deny.
 *
 * @param appToken application sso token to identify the client to policy
 *        service
 * @param serviceName name of service for which to get policy decision
 * @param token session token of user for whom to get policy decision
 * @param resourceName resource name for which to get policy decision
 * @param actionNames action names for which to get policy decision; when
 *        {@code null} a clone of the complete decision is returned
 * @param env environment map to use to get policy decision
 * @param retryCount try this many times before giving up if received policy
 *        decision is found to have expired
 * @return policy decision narrowed to {@code actionNames}, or a clone of the
 *         whole decision when {@code actionNames} is {@code null}
 * @throws PolicyException if can not get policy decision, including the case
 *         where every received decision had already expired
 * @throws SSOException if user session token is not valid
 * @throws InvalidAppSSOTokenException if application session token
 *         is not valid
 */
PolicyDecision getPolicyDecision(SSOToken appToken, String serviceName, SSOToken token,
        String resourceName, Set actionNames, Map env, int retryCount)
        throws InvalidAppSSOTokenException, PolicyException, SSOException {
    // First attempt is allowed to be answered from the cache.
    PolicyDecision decision = getPolicyDecision(appToken, serviceName, token, resourceName,
            actionNames, env, true);
    boolean fresh = decision.getTimeToLive() > System.currentTimeMillis();

    // Every retry bypasses the cache so the same stale entry is not returned again.
    for (int attempt = 1; !fresh && attempt <= retryCount; attempt++) {
        if (debug.messageEnabled()) {
            debug.message("ResourceResultCache.getPolicyDecision():"
                    + "Received expired decision, "
                    + "Getting decision again, repeat attempt=" + attempt);
        }
        decision = getPolicyDecision(appToken, serviceName, token, resourceName,
                actionNames, env, false);
        fresh = decision.getTimeToLive() > System.currentTimeMillis();
    }

    if (!fresh) {
        if (debug.warningEnabled()) {
            debug.warning("ResourceResultCache.getPolicyDecision():"
                    + "Received expired decision from server");
        }
        // Fail closed: an expired decision is not a usable answer.
        Object[] args = { resourceName };
        throw new PolicyEvaluationException(ResBundleUtils.rbName,
                "received_expired_decision", args, null);
    }

    if (actionNames == null) {
        // No narrowing requested; presumably cloned so the caller never holds
        // the cached instance itself.
        return (PolicyDecision) decision.clone();
    }

    // Narrow the decision to the requested actions only; actions the server
    // did not decide on are simply absent from the result.
    PolicyDecision narrowed = new PolicyDecision();
    for (Object name : actionNames) {
        String actionName = (String) name;
        Map actionDecisions = decision.getActionDecisions();
        ActionDecision ad = (ActionDecision) actionDecisions.get(actionName);
        if (ad != null) {
            narrowed.addActionDecision(ad);
        }
    }
    Map mergedResponseAttrs = new HashMap();
    PolicyUtils.appendMapToMap(decision.getResponseAttributes(), mergedResponseAttrs);
    narrowed.setResponseAttributes(mergedResponseAttrs);
    return narrowed;
}
use of com.sun.identity.policy.ActionDecision in project OpenAM by OpenRock.
the class PolicyEvaluator method isAllowed.
/**
 * Evaluates a boolean-typed privilege: whether the user may perform
 * {@code actionName} on {@code resourceName} in the given environment.
 *
 * <p>The answer is deny by default. Access is granted only when the service
 * defines both a true and a false value for the action, the decision carries
 * values for that action, the false value is absent and the true value is
 * present; a false value always wins over a true value. Depending on the
 * configured {@code logActions}, the outcome is also written to the access log.
 *
 * @param token single sign on token of the user evaluating policies.
 * @param resourceName name of the resource the user is trying to access
 * @param actionName name of the action the user is trying to perform on
 *        the resource
 * @param envParameters run time environment parameters
 *
 * @return the result of the evaluation as a boolean value
 *
 * @throws PolicyException if result could not be computed for
 *         reason other than single sign on token problem.
 * @throws SSOException if single sign on token is not valid
 *
 * @supported.api
 */
public boolean isAllowed(SSOToken token, String resourceName, String actionName, Map envParameters)
        throws PolicyException, SSOException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:isAllowed():" + "token=" + token.getPrincipal().getName()
                + ":resourceName=" + resourceName + ":actionName=" + actionName
                + ":envParameters) : entering");
    }

    Set requested = new HashSet(1);
    requested.add(actionName);
    PolicyDecision decision = getPolicyDecision(token, resourceName, requested, envParameters);
    ActionDecision actionDecision =
            (ActionDecision) decision.getActionDecisions().get(actionName);
    String trueValue = policyProperties.getTrueValue(serviceName, actionName);
    String falseValue = policyProperties.getFalseValue(serviceName, actionName);

    // Deny unless there is an explicit true value and no false value.
    boolean allowed = false;
    if (actionDecision != null && trueValue != null && falseValue != null) {
        Set values = (Set) actionDecision.getValues();
        if (values != null && !values.contains(falseValue) && values.contains(trueValue)) {
            allowed = true;
        }
    }

    // Access logging: pick the message key that the logActions setting asks for.
    String outcome = allowed ? "ALLOW" : "DENY";
    String[] logArgs = { resourceName, actionName, outcome };
    String messageKey = null;
    if (PolicyProperties.ALLOW.equals(logActions) && allowed) {
        messageKey = "policy_eval_allow";
    } else if (PolicyProperties.DENY.equals(logActions) && !allowed) {
        messageKey = "policy_eval_deny";
    } else if (PolicyProperties.BOTH.equals(logActions)
            || PolicyProperties.DECISION.equals(logActions)) {
        messageKey = "policy_eval_result";
    }
    if (messageKey != null) {
        logAccessMessage(Level.INFO, ResBundleUtils.getString(messageKey, logArgs), token);
    }

    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.isAllowed():" + "token=" + token.getPrincipal().getName()
                + ":resourceName=" + resourceName + ":actionName=" + actionName
                + ":returning: " + allowed);
    }
    return allowed;
}
use of com.sun.identity.policy.ActionDecision in project OpenAM by OpenRock.
the class ResourceResultCache method jsonEntitlementToResourceResult.
/**
 * Converts one JSON entitlement into a {@link ResourceResult}.
 *
 * <p>Each action in the entitlement's action map becomes an
 * {@link ActionDecision} whose values are first passed through
 * {@code mapActionBooleanToString}; every action decision is given the same
 * advices map, and the entitlement's attributes become the response
 * decisions of the policy decision.
 *
 * @param jsonEntitlement entitlement as returned by the server
 * @param serviceName service whose action definitions drive the boolean
 *        to string mapping
 * @return resource result for the entitlement's resource name
 * @throws JSONException if the entitlement can not be read
 */
ResourceResult jsonEntitlementToResourceResult(JSONObject jsonEntitlement, String serviceName)
        throws JSONException {
    String resultResourceName = jsonEntitlement.optString(JSON_RESOURCE_NAME);
    Map<String, Set<String>> actionsValues =
            JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ACTIONS_VALUES);
    Map<String, Set<String>> advices =
            JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ADVICES);
    Map<String, Set<String>> attributes =
            JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ATTRIBUTES);

    PolicyDecision decision = new PolicyDecision();
    if (actionsValues != null) {
        for (Map.Entry<String, Set<String>> action : actionsValues.entrySet()) {
            String actName = action.getKey();
            Set<String> actValues =
                    mapActionBooleanToString(serviceName, actName, action.getValue());
            ActionDecision ad = new ActionDecision(actName, actValues);
            // All action decisions share the one advices map from the entitlement.
            ad.setAdvices(advices);
            decision.addActionDecision(ad);
        }
    }
    decision.setResponseDecisions(attributes);
    return new ResourceResult(resultResourceName, decision);
}
use of com.sun.identity.policy.ActionDecision in project OpenAM by OpenRock.
the class DelegationPolicyImpl method isAllowed.
/**
 * Returns whether the user holding {@code token} has the given delegation
 * permission.
 *
 * <p>Evaluation is deny by default. A null token, token id or permission, or
 * an empty action set, yields {@code false}. Read access to global config is
 * answered by {@code hasDelegationPermissionsForRealm} for the token's
 * organization. Otherwise the policy decision for the permission's resource is
 * taken from the cache or computed (and cached), and the permission is granted
 * only when every requested action has a decision with non-empty values that
 * do not contain {@code ACTION_DENY}.
 *
 * @param token Single sign on token of the user evaluating permission.
 * @param permission Delegation permission to be evaluated
 * @param envParams Run-time environment parameters.
 * @return the result of the evaluation as a boolean value
 *
 * @throws SSOException single-sign-on token invalid or expired.
 * @throws DelegationException for any other abnormal condition.
 */
public boolean isAllowed(SSOToken token, DelegationPermission permission, Map envParams)
        throws SSOException, DelegationException {
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.isAllowed() is called");
    }
    // Nothing to evaluate without a token, its id and a permission: deny.
    if (token == null) {
        return false;
    }
    SSOTokenID tokenId = token.getTokenID();
    if (tokenId == null || permission == null) {
        return false;
    }

    String tokenIdStr = tokenId.toString();
    Set actions = permission.getActions();
    String resource = null;
    boolean result = false;

    if (actions != null && !actions.isEmpty()) {
        // Read on global config is decided per realm rather than by policy.
        if (GLOBALCONFIG.equals(permission.getConfigType())
                && actions.equals(Collections.singleton(READ))) {
            return hasDelegationPermissionsForRealm(token,
                    token.getProperty(ISAuthConstants.ORGANIZATION));
        }
        try {
            resource = getResourceName(permission);
            PolicyDecision decision = getResultFromCache(tokenIdStr, resource, envParams);
            if (decision == null) {
                // Cache miss: evaluate and remember the outcome.
                decision = pe.getPolicyDecision(token, resource, null, envParams);
                putResultIntoCache(tokenIdStr, resource, envParams, decision);
                if (DelegationManager.debug.messageEnabled()) {
                    DelegationManager.debug.message("put delegation evaluation result into cache.");
                }
            } else if (DelegationManager.debug.messageEnabled()) {
                DelegationManager.debug.message("got delegation evaluation result from cache.");
            }

            Map ads = decision.getActionDecisions();
            if (ads != null && !ads.isEmpty()) {
                // Start from allow and revoke on the first action that is
                // undecided, has no values, or carries an explicit deny.
                result = true;
                for (Iterator it = actions.iterator(); it.hasNext() && result; ) {
                    String actionName = (String) it.next();
                    ActionDecision ad = (ActionDecision) ads.get(actionName);
                    Set values = (ad == null) ? null : ad.getValues();
                    if (values == null || values.isEmpty() || values.contains(ACTION_DENY)) {
                        result = false;
                    }
                }
            }
        } catch (PolicyException ex) {
            throw new DelegationException(ex);
        }
    }

    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl.isAllowed(): " + "actions=" + actions
                + " resource=" + resource + " result is:" + result);
    }
    return result;
}
use of com.sun.identity.policy.ActionDecision in project OpenAM by OpenRock.
the class Gateway method doPost.
/**
 * Performs the HTTP POST operation.
 *
 * <p>Builds the login URL the request is sent on to. The {@code goto},
 * {@code authScheme} and {@code authLevel} request parameters are recognised
 * (case-insensitively); the rest of the query string is passed on unchanged.
 * When only a goto URL is present, the policy advices for that URL decide
 * which authentication module/realm is required. When a certificate module
 * port is configured for the chosen module, the client is redirected to it;
 * otherwise the request is forwarded to the login servlet.
 *
 * @param request current request
 * @param response current response
 * @throws ServletException if the content length check fails (the localized
 *         reason is the exception message) or forwarding fails
 * @throws IOException if the redirect or forward fails
 */
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Obtain goto URL and check if there are auth parameters
    String authScheme = null;
    String authLevel = null;
    String gotoUrl = null;
    ActionDecision ad = null;
    Map advices = null;
    String orgName = null;
    // Check content length before anything else is read from the request;
    // a failed check is surfaced to the container as a ServletException.
    try {
        RequestUtils.checkContentLength(request);
    } catch (L10NMessageImpl e) {
        ISLocaleContext localeContext = new ISLocaleContext();
        localeContext.setLocale(request);
        java.util.Locale locale = localeContext.getLocale();
        if (debug.messageEnabled()) {
            debug.message("GatewayServlet: " + e.getL10NMessage(locale));
        }
        throw new ServletException(e.getL10NMessage(locale));
    }
    // Construct the default forwarding URL
    StringBuilder forwardUrl = new StringBuilder(200);
    forwardUrl.append(LOGIN_URL);
    String queryString = request.getQueryString();
    Enumeration paramNames = request.getParameterNames();
    // Parameters are only inspected when a query string is present; names are
    // matched case-insensitively. Only these three are picked out here — the
    // whole queryString is appended verbatim to the forward URL further down.
    while ((queryString != null) && paramNames.hasMoreElements()) {
        String key = (String) paramNames.nextElement();
        if (key.equalsIgnoreCase(GOTO_URL)) {
            gotoUrl = request.getParameter(key);
        } else if (key.equalsIgnoreCase(AUTH_SCHEME)) {
            authScheme = request.getParameter(key);
        } else if (key.equalsIgnoreCase(AUTH_LEVEL)) {
            authLevel = request.getParameter(key);
        }
    }
    if (debug.messageEnabled()) {
        debug.message("GatewayServlet: queryString : " + queryString);
        debug.message("GatewayServlet: gotoUrl : " + gotoUrl);
    }
    // The policy decision for the goto resource supplies the advices; the
    // realm (orgName) is derived from them. NOTE(review): gotoUrl is not
    // validated in this method — confirm the login servlet / goto handling
    // applies the configured redirect restrictions to it.
    if (gotoUrl != null) {
        ad = getActionDecision(gotoUrl);
        if (ad != null) {
            advices = ad.getAdvices();
            orgName = getOrgNameFromAdvice(advices);
        }
    }
    AuthServiceConfigInfo info = null;
    // Construct the forward URL
    if ((gotoUrl != null) && ((authScheme == null) && (authLevel == null))) {
        if (debug.messageEnabled()) {
            debug.message("GatewayServlet: gotoUrl : " + gotoUrl);
        }
        // we have only goto URL, hence find from policy if there are
        // any advices on authentication modules
        forwardUrl.append('?').append(queryString);
        String advice = getPolicyAdvice(ad);
        info = getGWServletUtilsFromMap(advices);
        // Rewrites "name=org:value" into "name=value", keeping the org part as
        // the realm. This overrides the orgName derived from the advices above.
        // NOTE(review): the ':' is searched from the start of the string, so an
        // advice with a ':' before its '=' would make substring(index1 + 1,
        // index2) throw — confirm the advice format, or search from index1 + 1.
        if (advice != null) {
            StringBuffer adv = new StringBuffer();
            int index1 = advice.indexOf("=");
            if (index1 != -1) {
                adv = adv.append(advice.substring(0, index1 + 1));
                int index2 = advice.indexOf(":");
                if (index2 != -1) {
                    orgName = advice.substring(index1 + 1, index2);
                    adv = adv.append(advice.substring(index2 + 1));
                    advice = adv.toString();
                }
            }
        }
        if (debug.messageEnabled()) {
            debug.message("GatewayServlet: advice from getPolicyAdvice(): " + advice);
        }
        if (advice != null && advice.length() > 0) {
            forwardUrl.append('&').append(advice);
        }
    } else if ((authScheme != null) || (authLevel != null)) {
        // Either query string contains goto url & auth parameters
        // which could be auth level or module, or no goto url
        forwardUrl.append('?').append(queryString);
        // authScheme takes precedence over authLevel when both are present.
        if (authScheme != null) {
            info = getGWServletUtilsByScheme(orgName, authScheme);
        } else if (authLevel != null) {
            info = getGWServletUtilsByLevel(orgName, authLevel);
        }
    }
    // If module is Cert, redirect to Cert module URL
    String fUrl = forwardUrl.toString();
    // Logged on every path, including the forward path where the URL is not rewritten.
    if (debug.messageEnabled()) {
        debug.message("GatewayServlet >>> Need to change URL !");
        debug.message("OLD URL : " + fUrl);
    }
    if ((info != null) && (info.getPortNumber() != null)) {
        // Absolute redirect to the certificate module port. The host part comes
        // from request.getServerName() — NOTE(review): confirm the container
        // canonicalises the server name so a client-supplied Host value can not
        // steer this redirect.
        fUrl = CERT_PROTOCOL + request.getServerName() + ":" + info.getPortNumber()
                + SystemProperties.get(AuthXMLTags.SERVER_DEPLOY_URI) + fUrl;
        // Substring check, not a parameter-name check: any "org=" occurrence
        // (e.g. inside another value) suppresses the realm parameter.
        if ((orgName != null) && (fUrl.indexOf("org=") == -1)) {
            fUrl = fUrl + "&" + ORG_NAME + "=" + DNtoName(orgName);
        }
        response.sendRedirect(fUrl);
    } else {
        // Forward the request to Login servlet
        // Same substring check as on the redirect path above.
        if ((orgName != null) && (fUrl.indexOf("org=") == -1)) {
            fUrl = fUrl + "&" + ORG_NAME + "=" + DNtoName(orgName);
        }
        // Forward the request to Login servlet
        RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl);
        dispatcher.forward(request, response);
    }
    if (debug.messageEnabled()) {
        debug.message("New URL : " + fUrl);
    }
}