
Example 11 with ConditionDecision

use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.

the class AuthenticateToRealmConditionTest method testValidLowerCaseRealm.

@Test
public void testValidLowerCaseRealm() throws Exception {
    // Condition side: the policy is configured with a lower-case realm name.
    Set<String> configuredRealms = new HashSet<String>(1);
    configuredRealms.add("/validrealm");
    Map<String, Set<String>> conditionProperties = new HashMap<String, Set<String>>(1);
    conditionProperties.put(AuthenticateToRealmCondition.AUTHENTICATE_TO_REALM, configuredRealms);

    // Request side: the caller reports authentication to the same realm,
    // but with different letter case.
    Set<String> authenticatedRealms = new HashSet<String>(1);
    authenticatedRealms.add("/ValidRealm");
    Map<String, Set<String>> environment = new HashMap<String, Set<String>>(1);
    environment.put(AuthenticateToRealmCondition.REQUEST_AUTHENTICATED_TO_REALMS, authenticatedRealms);

    AuthenticateToRealmCondition condition = new AuthenticateToRealmCondition();
    condition.setProperties(conditionProperties);

    // The token is not needed for this condition, so null is passed.
    // Realm names are expected to be compared case-insensitively, so the
    // mixed-case request realm must still satisfy the lower-case config.
    ConditionDecision decision = condition.getConditionDecision(null, environment);
    assertTrue(decision.isAllowed());
}

Example 12 with ConditionDecision

use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.

the class SampleCondition method getConditionDecision.

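/**
 * Gets the decision computed by this condition object.
 *
 * The user name is taken from the value of the first RDN of the token's
 * principal DN (the text between the first {@code '='} and the first
 * {@code ','}), and the condition applies when that name is at least
 * {@code nameLength} characters long.
 *
 * This is sample code: the DN is parsed naively and does not handle
 * escaped commas or multi-valued RDNs (for example
 * {@code "cn=Smith\, John,ou=people,..."}).
 *
 * @param token single sign on token of the user; must not be null
 *
 * @param env request specific environment map of key/value pairs.
 *        SampleCondition doesn't use this parameter.
 *
 * @return the condition decision. The condition decision
 *         encapsulates whether a policy applies for the request.
 *
 * Policy framework continues evaluating a policy only if it
 * applies to the request as indicated by the ConditionDecision.
 * Otherwise, further evaluation of the policy is skipped.
 *
 * @throws PolicyException if the token is null, or if the principal DN
 *         does not have a {@code '='} before its first {@code ','}
 * @throws SSOException if the token is invalid
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // Fail closed: without a token there is no principal to evaluate,
    // and dereferencing it would only produce a NullPointerException.
    if (token == null) {
        throw (new PolicyException("invalid user DN"));
    }
    String userDN = token.getPrincipal().getName();
    // user DN is in the format like "uid=username,ou=people,dc=example,dc=com"
    int beginIndex = userDN.indexOf('=');
    int endIndex = userDN.indexOf(',');
    // '=' must be present and precede the first ','. Checking only
    // beginIndex >= endIndex let a DN with no '=' but a ',' through,
    // with everything before the comma treated as the user name.
    if (beginIndex < 0 || beginIndex >= endIndex) {
        throw (new PolicyException("invalid user DN"));
    }
    String userName = userDN.substring(beginIndex + 1, endIndex);
    boolean allowed = userName.length() >= nameLength;
    return new ConditionDecision(allowed);
}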

Example 13 with ConditionDecision

use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.

the class ResourceEnvIPCondition method getConditionDecision.

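/**
 * Returns the decision computed by <code>ResourceEnvIPCondition</code>
 * object.
 *
 * The advice string selected for the request environment has the shape
 * {@code name=value}. The name is matched case-insensitively against the
 * known <code>ISAuthConstants</code> parameters and the matching check is
 * run; the condition is satisfied only when that check produces no advice
 * messages. An advice name that is not recognised, or an empty name or
 * value, leaves the decision at "not allowed" (fail closed).
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value
 *        pairs <code>ResourceEnvIPCondition</code> looks for values of key
 *        <code>REQUEST_IP</code> in the
 *        <code>env</code> map. If <code>REQUEST_IP</code> could not be
 *        determined from <code>env</code>, it is obtained from
 *        single sign on token of the user.
 *
 * @return the condition decision. The condition decision encapsulates
 *         whether a policy applies for the request and advice messages
 *         generated by the condition.
 *
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 *
 * @throws PolicyException if the condition has not been initialized
 *        with a successful call to <code>setProperties(Map)</code>, the
 *        value of key <code>REQUEST_IP</code> is not a String, or the
 *        selected advice string does not contain a <code>'='</code>.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #REQUEST_IP
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        // env carries request-identifying data (client IP / DNS names);
        // it is only ever logged at debug level.
        DEBUG.message("ResourceEnvIPCondition:getConditionDecision - " + "client environment map : " + env);
    }
    boolean allowed = false;
    Map advices = new HashMap();
    String adviceStr = getAdviceStrForEnv(env, token);
    if (adviceStr != null && adviceStr.contains("=")) {
        int index = adviceStr.indexOf("=");
        String adviceName = adviceStr.substring(0, index);
        String adviceValue = adviceStr.substring(index + 1);
        if (DEBUG.messageEnabled()) {
            DEBUG.message("ResourceEnvIPCondition:getConditionDecision - " + "adviceName : " + adviceName + " and adviceValue : " + adviceValue);
        }
        // Both halves must be non-empty; otherwise nothing is evaluated and
        // the decision stays "not allowed".
        if ((adviceName.length() != 0) && (adviceValue.length() != 0)) {
            if (adviceName.equalsIgnoreCase(ISAuthConstants.MODULE_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforAuthScheme(adviceValue, token, env), AUTH_SCHEME_CONDITION_ADVICE, advices);
            } else if (adviceName.equalsIgnoreCase(ISAuthConstants.SERVICE_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforAuthService(adviceValue, token, env), AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE, advices);
            } else if (adviceName.equalsIgnoreCase(ISAuthConstants.AUTH_LEVEL_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforAuthLevel(adviceValue, token, env), AUTH_LEVEL_CONDITION_ADVICE, advices);
            } else if (adviceName.equalsIgnoreCase(ISAuthConstants.ROLE_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforRole(adviceValue, token, env), PolicyDecisionUtils.AUTH_ROLE_ADVICE, advices);
            } else if (adviceName.equalsIgnoreCase(ISAuthConstants.USER_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforUser(adviceValue, token, env), PolicyDecisionUtils.AUTH_USER_ADVICE, advices);
            } else if (adviceName.equalsIgnoreCase(ISAuthConstants.REDIRECT_URL_PARAM)) {
                allowed = recordAdviceMessages(getAdviceMessagesforRedirectURL(adviceValue, token, env), PolicyDecisionUtils.AUTH_REDIRECTION_ADVICE, advices);
            } else if ((adviceName.equalsIgnoreCase(ISAuthConstants.REALM_PARAM)) || (adviceName.equalsIgnoreCase(ISAuthConstants.ORG_PARAM))) {
                // REALM and ORG are two spellings of the same advice.
                allowed = recordAdviceMessages(getAdviceMessagesforRealm(adviceValue, token, env), AUTHENTICATE_TO_REALM_CONDITION_ADVICE, advices);
            } else {
                // Unknown advice name: deny, but do not throw.
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("At ResourceEnvIPCondition." + "getConditionDecision(): " + "adviceName is invalid");
                }
            }
        }
    } else if (adviceStr != null) {
        // An advice string without '=' is a configuration error, not a deny.
        String[] args = { adviceStr };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_property_value", args, null);
    } else {
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At ResourceEnvIPCondition." + "getConditionDecision(): " + "Advice is NULL since there is no matching " + "condition found.");
        }
    }
    return new ConditionDecision(allowed, advices);
}

/**
 * Folds the result of one advice-specific check into the advices map.
 *
 * @param adviceMessages messages produced by the check; an empty set means
 *        the check passed
 * @param adviceKey key under which non-empty messages are stored
 * @param advices map of advices being assembled for the decision
 * @return <code>true</code> if the check passed (no messages, nothing
 *         recorded), <code>false</code> if messages were recorded
 */
private static boolean recordAdviceMessages(Set adviceMessages, String adviceKey, Map advices) {
    if (adviceMessages.isEmpty()) {
        return true;
    }
    advices.put(adviceKey, adviceMessages);
    return false;
}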

Example 14 with ConditionDecision

use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.

the class IPv4Condition method getConditionDecision.

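/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters.
 *
 * The request IP is taken from <code>env</code>, falling back to the
 * address recorded in the token. An IPv6 address never satisfies this
 * (IPv4) condition, whichever source it came from. If the IP does not
 * match, a match on any of the <code>REQUEST_DNS_NAME</code> values is
 * sufficient for the condition to apply.
 *
 * @param token single sign on token of the user
 * @param env request specific environment map of key/value
 *        pairs <code>IPCondition</code> looks for values of keys
 *        <code>REQUEST_IP</code> and <code>REQUEST_DNS_NAME</code> in the
 *        <code>env</code> map. If <code>REQUEST_IP</code> and/or
 *        <code>REQUEST_DNS_NAME</code> could not be determined from
 *        <code>env</code>, they are obtained from single sign on token
 *        of the user.
 *
 * @return the condition decision. The condition decision encapsulates
 *         whether a policy applies for the request and advice messages
 *         generated by the condition.
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 *
 * @throws PolicyException if the condition has not been initialized
 *        with a successful call to <code>setProperties(Map)</code> and/or
 *        the value of key <code>REQUEST_IP</code> is not a String or the
 *        value of key <code>REQUEST_DNS_NAME</code> is not a Set of
 *        strings.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #START_IP
 * @see #END_IP
 * @see #IP_RANGE
 * @see #DNS_NAME
 * @see #REQUEST_IP
 * @see #REQUEST_DNS_NAME
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    boolean allowed = false;
    // Prefer the address supplied in env; fall back to the address bound to
    // the session token when env does not carry one.
    String ip = IPCondition.getRequestIp(env);
    if (ip == null && token != null) {
        ip = token.getIPAddress().getHostAddress();
    }
    // This is the IPv4 condition: an IPv6 client address is never a match.
    // The check runs after the token fallback so that an IPv6 address taken
    // from the token is rejected here too, instead of reaching
    // isAllowedByIp() unchecked.
    if (ValidateIPaddress.isIPv6(ip)) {
        return new ConditionDecision(allowed);
    }
    // Honour the documented contract: a malformed REQUEST_DNS_NAME is a
    // PolicyException, not a ClassCastException escaping from the cast.
    Object dnsValue = env.get(REQUEST_DNS_NAME);
    if (dnsValue != null && !(dnsValue instanceof Set)) {
        throw (new PolicyException("value of " + REQUEST_DNS_NAME + " is not a Set"));
    }
    Set reqDnsNames = (Set) dnsValue;
    if ((ip != null) && isAllowedByIp(ip)) {
        allowed = true;
    } else if ((reqDnsNames != null) && (!reqDnsNames.isEmpty())) {
        // NOTE(review): a DNS-name match is only as trustworthy as the
        // source of REQUEST_DNS_NAME; if callers populate it from a reverse
        // lookup of the client address, the owner of that reverse zone
        // controls the value — confirm how it is populated.
        Iterator names = reqDnsNames.iterator();
        while (names.hasNext() && !allowed) {
            String dnsName = (String) names.next();
            allowed = isAllowedByDns(dnsName);
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At IPv4Condition.getConditionDecision():requestIp, " + " requestDnsName, allowed = " + ip + ", " + reqDnsNames + "," + allowed);
    }
    return new ConditionDecision(allowed);
}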
