use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.
the class AuthenticateToRealmConditionTest method testValidLowerCaseRealm.
@Test
public void testValidLowerCaseRealm() throws Exception {
    // The condition is configured with a lower-case realm while the request
    // reports the same realm in mixed case; the decision must still allow,
    // i.e. realm names are expected to be compared case-insensitively.
    AuthenticateToRealmCondition condition = new AuthenticateToRealmCondition();

    Set<String> configuredRealms = new HashSet<String>(1);
    configuredRealms.add("/validrealm");
    Map<String, Set<String>> conditionProperties = new HashMap<String, Set<String>>(1);
    conditionProperties.put(AuthenticateToRealmCondition.AUTHENTICATE_TO_REALM, configuredRealms);
    condition.setProperties(conditionProperties);

    Set<String> authenticatedRealms = new HashSet<String>(1);
    authenticatedRealms.add("/ValidRealm");
    Map<String, Set<String>> requestEnv = new HashMap<String, Set<String>>(1);
    requestEnv.put(AuthenticateToRealmCondition.REQUEST_AUTHENTICATED_TO_REALMS, authenticatedRealms);

    // No SSO token is passed; the decision is expected from the env map alone.
    ConditionDecision decision = condition.getConditionDecision(null, requestEnv);
    assertTrue(decision.isAllowed());
}
use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.
the class SampleCondition method getConditionDecision.
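/**
 * Gets the decision computed by this condition object.
 *
 * <p>The sample takes the value of the first RDN of the user's DN
 * (e.g. {@code uid=username,ou=people,dc=example,dc=com} yields
 * {@code username}) and allows the policy when that value is at least
 * {@code nameLength} characters long.
 *
 * @param token single sign on token of the user; must not be {@code null}
 *
 * @param env request specific environment map of key/value pairs.
 * SampleCondition doesn't use this parameter.
 *
 * @return the condition decision. The condition decision
 * encapsulates whether a policy applies for the request.
 *
 * Policy framework continues evaluating a policy only if it
 * applies to the request as indicated by the ConditionDecision.
 * Otherwise, further evaluation of the policy is skipped.
 *
 * @throws PolicyException if no token was supplied, or the principal
 * name is not of the form {@code attr=value,...}
 * @throws SSOException if the token is invalid
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // The policy framework may evaluate a condition without a session (other
    // conditions in this code base accept a null token). This sample needs the
    // principal, so fail closed with the declared exception type rather than
    // letting a NullPointerException escape.
    if (token == null) {
        throw new PolicyException("missing SSO token");
    }
    String userDN = token.getPrincipal().getName();
    // user DN is in the format like "uid=username,ou=people,dc=example,dc=com"
    int beginIndex = (userDN == null) ? -1 : userDN.indexOf('=');
    int endIndex = (userDN == null) ? -1 : userDN.indexOf(',');
    // Reject a DN with no '=' at all (previously everything up to the first ','
    // was silently treated as the user name), or one where the first ',' does
    // not come after the first '=' (this also covers a missing ',').
    if (beginIndex < 0 || beginIndex >= endIndex) {
        throw (new PolicyException("invalid user DN"));
    }
    // NOTE(review): this is a naive split. An RDN value containing an escaped
    // comma ("\,") is truncated at that comma; RFC 4514 parsing (e.g.
    // javax.naming.ldap.LdapName) would be needed to handle such DNs.
    String userName = userDN.substring(beginIndex + 1, endIndex);
    boolean allowed = userName.length() >= nameLength;
    return new ConditionDecision(allowed);
}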
use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.
the class ResourceEnvIPCondition method getConditionDecision.
/**
 * Returns the decision computed by <code>ResourceEnvIPCondition</code>
 * object.
 *
 * <p>The advice string selected for this request (see
 * {@code getAdviceStrForEnv}) has the form {@code name=value}. The
 * {@code name} picks which authentication requirement is checked
 * (module, service, auth level, role, user, redirect URL, realm/org);
 * if the corresponding check produces no advice messages the policy
 * applies, otherwise the messages are returned as advice under the
 * matching advice key and the policy does not apply. An unrecognised
 * {@code name}, or an empty name or value, leaves the policy not
 * applying and produces no advice.
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value
 * pairs <code>ResourceEnvIPCondition</code> looks for values of key
 * <code>REQUEST_IP</code> in the
 * <code>env</code> map. If <code>REQUEST_IP</code> could not be
 * determined from <code>env</code>, it is obtained from
 * single sign on token of the user.
 *
 * @return the condition decision. The condition decision encapsulates
 * whether a policy applies for the request and advice messages
 * generated by the condition.
 *
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 *
 * @throws PolicyException if the condition has not been initialized
 * with a successful call to <code>setProperties(Map)</code>, the
 * value of key <code>REQUEST_IP</code> is not a String, or the
 * selected advice string contains no {@code =}.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #REQUEST_IP
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        // NOTE(review): this dumps the whole request environment at debug
        // level; confirm nothing sensitive can travel in env before enabling
        // message-level debugging in production.
        DEBUG.message("ResourceEnvIPCondition:getConditionDecision - client environment map : " + env);
    }
    Map advices = new HashMap();
    boolean allowed = false;

    String adviceStr = getAdviceStrForEnv(env, token);
    if (adviceStr == null) {
        // No configured condition matched this request: not allowed, no advice.
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At ResourceEnvIPCondition.getConditionDecision(): Advice is NULL since there is no matching condition found.");
        }
        return new ConditionDecision(allowed, advices);
    }

    int separator = adviceStr.indexOf("=");
    if (separator < 0) {
        // A configured advice value that is not "name=value" is a
        // configuration error, not a request we can decide on.
        String[] args = { adviceStr };
        throw new PolicyException(ResBundleUtils.rbName, "invalid_property_value", args, null);
    }
    String adviceName = adviceStr.substring(0, separator);
    String adviceValue = adviceStr.substring(separator + 1);
    if (DEBUG.messageEnabled()) {
        DEBUG.message("ResourceEnvIPCondition:getConditionDecision - adviceName : " + adviceName + " and adviceValue : " + adviceValue);
    }
    if (adviceName.length() == 0 || adviceValue.length() == 0) {
        // Empty name or value: fail closed without advice, as before.
        return new ConditionDecision(allowed, advices);
    }

    // Resolve which requirement is being checked and which advice key its
    // messages are reported under.
    String adviceKey;
    Set adviceMessages;
    if (adviceName.equalsIgnoreCase(ISAuthConstants.MODULE_PARAM)) {
        adviceKey = AUTH_SCHEME_CONDITION_ADVICE;
        adviceMessages = getAdviceMessagesforAuthScheme(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.SERVICE_PARAM)) {
        adviceKey = AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE;
        adviceMessages = getAdviceMessagesforAuthService(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.AUTH_LEVEL_PARAM)) {
        adviceKey = AUTH_LEVEL_CONDITION_ADVICE;
        adviceMessages = getAdviceMessagesforAuthLevel(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.ROLE_PARAM)) {
        adviceKey = PolicyDecisionUtils.AUTH_ROLE_ADVICE;
        adviceMessages = getAdviceMessagesforRole(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.USER_PARAM)) {
        adviceKey = PolicyDecisionUtils.AUTH_USER_ADVICE;
        adviceMessages = getAdviceMessagesforUser(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.REDIRECT_URL_PARAM)) {
        adviceKey = PolicyDecisionUtils.AUTH_REDIRECTION_ADVICE;
        adviceMessages = getAdviceMessagesforRedirectURL(adviceValue, token, env);
    } else if (adviceName.equalsIgnoreCase(ISAuthConstants.REALM_PARAM)
            || adviceName.equalsIgnoreCase(ISAuthConstants.ORG_PARAM)) {
        adviceKey = AUTHENTICATE_TO_REALM_CONDITION_ADVICE;
        adviceMessages = getAdviceMessagesforRealm(adviceValue, token, env);
    } else {
        // Unknown requirement name: fail closed, no advice.
        if (DEBUG.messageEnabled()) {
            DEBUG.message("At ResourceEnvIPCondition.getConditionDecision(): adviceName is invalid");
        }
        return new ConditionDecision(allowed, advices);
    }

    // An empty message set means the requirement is already satisfied by this
    // session; otherwise the messages tell the caller what is still needed.
    if (adviceMessages.isEmpty()) {
        allowed = true;
    } else {
        advices.put(adviceKey, adviceMessages);
    }
    return new ConditionDecision(allowed, advices);
}
use of com.sun.identity.policy.ConditionDecision in project OpenAM by OpenRock.
the class IPv4Condition method getConditionDecision.
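/**
 * Gets the decision computed by this condition object, based on the
 * map of environment parameters.
 *
 * <p>The request is allowed when its IPv4 address is accepted by
 * {@code isAllowedByIp}, or, failing that, when any of the supplied
 * DNS names is accepted by {@code isAllowedByDns}. IPv6 request
 * addresses are not evaluated here: the condition simply does not
 * apply to them.
 *
 * @param token single sign on token of the user; consulted for the
 * client address only when <code>REQUEST_IP</code> is absent from
 * <code>env</code>. May be <code>null</code>.
 * @param env request specific environment map of key/value
 * pairs <code>IPCondition</code> looks for values of keys
 * <code>REQUEST_IP</code> and <code>REQUEST_DNS_NAME</code> in the
 * <code>env</code> map. If <code>REQUEST_IP</code> could not be
 * determined from <code>env</code>, it is obtained from the single
 * sign on token of the user; <code>REQUEST_DNS_NAME</code> is read
 * from <code>env</code> only.
 *
 * @return the condition decision. The condition decision encapsulates
 * whether a policy applies for the request and advice messages
 * generated by the condition.
 * Policy framework continues evaluating a policy only if it applies
 * to the request as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy decision.
 *
 * @throws PolicyException if the condition has not been initialized
 * with a successful call to <code>setProperties(Map)</code> and/or
 * the value of key <code>REQUEST_IP</code> is not a String or the
 * value of key <code>REQUEST_DNS_NAME</code> is not a Set of
 * strings.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #START_IP
 * @see #END_IP
 * @see #IP_RANGE
 * @see #DNS_NAME
 * @see #REQUEST_IP
 * @see #REQUEST_DNS_NAME
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    boolean allowed = false;
    String ip = IPCondition.getRequestIp(env);
    // IPv6 clients are out of scope for this condition; the null guard keeps a
    // missing REQUEST_IP from being handed to the address classifier.
    if (ip != null && ValidateIPaddress.isIPv6(ip)) {
        return new ConditionDecision(allowed);
    }
    // Fall back to the address recorded on the session when the request did
    // not carry one. NOTE(review): that is the address captured when the
    // session was created, which need not be the current request's origin.
    if (ip == null && token != null) {
        ip = token.getIPAddress().getHostAddress();
    }
    // Enforce the documented contract for REQUEST_DNS_NAME instead of letting
    // an unchecked cast surface as a ClassCastException.
    Object dnsValue = (env == null) ? null : env.get(REQUEST_DNS_NAME);
    if (dnsValue != null && !(dnsValue instanceof Set)) {
        throw new PolicyException("value of REQUEST_DNS_NAME is not a Set");
    }
    Set reqDnsNames = (Set) dnsValue;
    if (ip != null && isAllowedByIp(ip)) {
        allowed = true;
    } else if (reqDnsNames != null && !reqDnsNames.isEmpty()) {
        // NOTE(review): the DNS names come from the caller-supplied env, so
        // this branch is only as trustworthy as whoever populates that map.
        for (Iterator names = reqDnsNames.iterator(); names.hasNext();) {
            String dnsName = (String) names.next();
            if (isAllowedByDns(dnsName)) {
                allowed = true;
                break;
            }
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At IPv4Condition.getConditionDecision():requestIp, " + " requestDnsName, allowed = " + ip + ", " + reqDnsNames + "," + allowed);
    }
    return new ConditionDecision(allowed);
}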