use of com.sun.identity.policy.Policy in project OpenAM by OpenRock.
Class UpgradeEntitlementsStep, method initialize().
/**
 * Detects whether the entitlements framework still needs the index-implementation
 * upgrade and, if so, records every policy and referral in every realm.
 * <p>
 * Reads {@code SEARCH_INDEX_IMPL} / {@code SAVE_INDEX_IMPL} from the default
 * application type. When both already equal the {@code NEW_*} values nothing
 * is recorded. Otherwise {@code upgradeIndexImpls} is set, {@code policyRuleCount}
 * is increased by the rule count of each non-referral policy, and
 * {@code upgradableConfigs} receives, per realm that has at least one policy,
 * the policy names grouped by {@link PolicyType}.
 *
 * @throws UpgradeException wrapping any failure while inspecting the
 *         configuration or the realms' policies.
 */
@Override
public void initialize() throws UpgradeException {
    try {
        DEBUG.message("Initializing UpgradeEntitlementsStep");
        ServiceConfig appType = getDefaultApplicationType();
        Map<String, Set<String>> attrs = appType.getAttributes();
        String searchImpl = CollectionHelper.getMapAttr(attrs, SEARCH_INDEX_IMPL);
        String saveImpl = CollectionHelper.getMapAttr(attrs, SAVE_INDEX_IMPL);
        boolean alreadyUpgraded = NEW_SEARCH_IMPL.equals(searchImpl) && NEW_SAVE_IMPL.equals(saveImpl);
        if (alreadyUpgraded) {
            DEBUG.message("The entitlements framework is already using the new TreeSearchIndex/TreeSaveIndex implementations");
            return;
        }
        // Even with no policies to upgrade, the index implementation values
        // must still be rewritten when they are not the new ones.
        upgradeIndexImpls = true;
        for (String realm : getRealmNames()) {
            PolicyManager pm = new PolicyManager(getAdminToken(), realm);
            Map<PolicyType, Set<String>> byType = new EnumMap<PolicyType, Set<String>>(PolicyType.class);
            for (String policyName : pm.getPolicyNames()) {
                Policy policy = pm.getPolicy(policyName);
                PolicyType type = PolicyType.POLICY;
                if (policy.isReferralPolicy()) {
                    type = PolicyType.REFERRAL;
                } else {
                    // A rule with several resource names is counted once here;
                    // that layout is not a supported case anyway.
                    policyRuleCount += policy.getRuleNames().size();
                }
                Set<String> names = byType.get(type);
                if (names == null) {
                    names = new HashSet<String>();
                    byType.put(type, names);
                }
                names.add(policyName);
                // Registered per policy so a realm only appears once it has a policy.
                upgradableConfigs.put(realm, byType);
            }
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("Discovered following policies/referrals:\n" + upgradableConfigs);
        }
    } catch (Exception ex) {
        DEBUG.error("Error while trying to detect changes in entitlements", ex);
        throw new UpgradeException(ex);
    }
}
use of com.sun.identity.policy.Policy in project OpenAM by OpenRock.
Class ResavePoliciesStep, method perform().
/**
 * Re-saves every policy listed in {@code policyMap}, realm by realm.
 * <p>
 * Each policy is read through a {@link PolicyManager} for its realm and written
 * straight back with {@code replacePolicy}; progress is reported per policy via
 * {@link UpgradeProgress}. The first failure aborts the whole step: it is
 * reported as {@code "upgrade.failed"}, logged, and rethrown.
 *
 * @throws UpgradeException wrapping any exception raised while re-saving.
 */
public void perform() throws UpgradeException {
    try {
        for (Map.Entry<String, Set<String>> realmPolicies : policyMap.entrySet()) {
            PolicyManager pm = new PolicyManager(getAdminToken(), realmPolicies.getKey());
            for (String policyName : realmPolicies.getValue()) {
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("Resaving the following policy: " + policyName);
                }
                UpgradeProgress.reportStart("upgrade.policy.start", policyName);
                // Read-then-write of the same object; the save path is what matters.
                pm.replacePolicy(pm.getPolicy(policyName));
                UpgradeProgress.reportEnd("upgrade.success");
            }
        }
    } catch (Exception ex) {
        UpgradeProgress.reportEnd("upgrade.failed");
        DEBUG.error("An error occurred while trying to resave policies", ex);
        throw new UpgradeException(ex);
    }
}
use of com.sun.identity.policy.Policy in project OpenAM by OpenRock.
Class UpgradeUtils, method createRealmReadOnlyPolicy().
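/**
 * Creates the realm read-only policy for an organization and registers it
 * with the given policy manager.
 * <p>
 * The policy is named {@code orgID + "^^" + REALM_READ_ONLY}, is active and
 * not a referral, carries one rule for {@code DELEGATION_SERVICE} on the
 * resource {@code "sms://*" + orgDN + "/" + REALM_SERVICE} (when
 * {@code getRule} returns one) and is granted to the organization's policy
 * admin role (when {@code getSubject} returns one). If either lookup yields
 * {@code null} the policy is still added without that part.
 * <p>
 * Failures are logged through {@code debug.error} and otherwise swallowed, so
 * the caller cannot observe that the policy was not created.
 *
 * @param policyManager the policy manager object.
 * @param orgDN the organization dn.
 * @param orgID the organization identifier.
 */
private static void createRealmReadOnlyPolicy(PolicyManager policyManager, String orgDN, String orgID) {
    String classMethod = "UpgradeUtils:createRealmReadOnlyPolicy";
    try {
        String policyName = orgID + "^^" + REALM_READ_ONLY;
        // (name, description, isReferral, isActive)
        Policy realmPolicy = new Policy(policyName, null, false, true);
        // create Rule
        String serviceName = DELEGATION_SERVICE;
        String resourceName = "sms://*" + orgDN + "/" + REALM_SERVICE;
        Rule rule = getRule(serviceName, resourceName);
        if (rule != null) {
            realmPolicy.addRule(rule);
        }
        // add subjects
        String policyAdminRoleUniversalID = getUniversalID(orgDN, ORG_POLICY_ADMIN_ROLE);
        Subject subject = getSubject(policyManager, policyAdminRoleUniversalID);
        if (subject != null) {
            realmPolicy.addSubject(DELEGATION_SUBJECT, subject, false);
        }
        policyManager.addPolicy(realmPolicy);
    } catch (Exception e) {
        // Separator added: the method tag and the message used to run together
        // ("...createRealmReadOnlyPolicyError creating ...") in the log.
        debug.error(classMethod + ": Error creating realm read only policy", e);
    }
}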
use of com.sun.identity.policy.Policy in project OpenAM by OpenRock.
Class SubjectReferentialIntegrityPlugin, method postProcessDelete().
/**
 * Post-delete callback that visits all the subjects in policies
 * across all orgs/sub-orgs and removes the subject values
 * corresponding to the deleted entry DN. After removing an entry from a
 * subject, checks if that entry is the only one in the subject to
 * remove the subject as well.
 * <p>
 * Only entries whose {@code objectType} is one of USER, ROLE, ORGANIZATION,
 * GROUP, ASSIGNABLE_DYNAMIC_GROUP, DYNAMIC_GROUP or FILTERED_ROLE are
 * processed. Unless the entry is a ROLE, nothing is done when the policy
 * configuration's LDAP server is not the local data store.
 * <p>
 * Every exception is caught and logged only: the directory delete is not
 * undone and no {@link AMPostCallBackException} is raised, so a failure
 * here leaves stale DN references in policy subjects. The error log lines
 * written here are the only signal of that.
 *
 * @param token SSO token used to open the policy managers and the store connection.
 * @param entryDN DN of the entry that was deleted.
 * @param attributes not used by this implementation.
 * @param softDeleteEnabled not used by this implementation.
 * @param objectType {@code AMObject} type constant of the deleted entry.
 * @throws AMPostCallBackException declared by the interface; never thrown here.
 */
public void postProcessDelete(SSOToken token, String entryDN, Map attributes, boolean softDeleteEnabled, int objectType) throws AMPostCallBackException {
    try {
        if (debug.messageEnabled()) {
            debug.message("ReferentialIntegrityPlugin.postProcessDelete()");
        }
        // check the subject types: only these object types can appear as policy subject values
        Set objectTypes = new HashSet();
        objectTypes.add(new Integer(AMObject.USER));
        objectTypes.add(new Integer(AMObject.ROLE));
        objectTypes.add(new Integer(AMObject.ORGANIZATION));
        objectTypes.add(new Integer(AMObject.GROUP));
        objectTypes.add(new Integer(AMObject.ASSIGNABLE_DYNAMIC_GROUP));
        objectTypes.add(new Integer(AMObject.DYNAMIC_GROUP));
        objectTypes.add(new Integer(AMObject.FILTERED_ROLE));
        if (objectTypes.contains(new Integer(objectType))) {
            String subOrg, policyName, subjectName;
            Policy policy;
            Subject subject;
            Iterator policyIter, subjectIter;
            // create a DN for the entry to be deleted; comparisons below are on parsed DNs, not raw strings
            DN entryDName = DN.valueOf(entryDN);
            //a connection to the Identity Server data store.
            AMStoreConnection dpStore = new AMStoreConnection(token);
            DN rootDN = DN.valueOf(SMSEntry.getRootSuffix());
            if (debug.messageEnabled()) {
                debug.message("Searching for all policies from root DN: " + rootDN.toString());
            }
            PolicyManager pm = new PolicyManager(token, rootDN.toString());
            String org = pm.getOrganizationName();
            // find out from org policy config whether the directory
            // specified is the local directory
            Map configParams = PolicyConfig.getPolicyConfig(org);
            // NOTE(review): a missing LDAP_SERVER value would NPE here and end up in the generic catch below
            String ldapServer = ((String) configParams.get(PolicyConfig.LDAP_SERVER)).toLowerCase();
            boolean localDS = PolicyUtils.isLocalDS(ldapServer);
            // process IdentityServer Role irrespective of local or
            // non-local DS
            if (objectType == AMObject.ROLE) {
                localDS = true;
            }
            // For a non-local DS (and non-ROLE entry) no policy is touched at all.
            if (localDS) {
                AMOrganization rootOrg = (AMOrganization) dpStore.getOrganization(org);
                Set subOrgs = null;
                //all orgs/sub-orgs
                subOrgs = rootOrg.searchSubOrganizations("*", AMConstants.SCOPE_SUB);
                Iterator orgIter = subOrgs.iterator();
                while (orgIter.hasNext()) {
                    subOrg = (String) orgIter.next();
                    if (debug.messageEnabled()) {
                        debug.message("Visiting suborg: " + subOrg);
                    }
                    PolicyManager pmSubOrg = new PolicyManager(token, subOrg);
                    // all policies
                    Set policies = pmSubOrg.getPolicyNames();
                    policyIter = policies.iterator();
                    while (policyIter.hasNext()) {
                        policyName = (String) policyIter.next();
                        if (debug.messageEnabled()) {
                            debug.message("policyName: " + policyName);
                        }
                        policy = pmSubOrg.getPolicy(policyName);
                        // referral policies don't have subjects defined
                        if (!policy.isReferralPolicy()) {
                            // all subjects
                            boolean replacePolicy = false;
                            Set subjectsInPolicy = policy.getSubjectNames();
                            // Copy of the names: removeSubject() below mutates the policy while we iterate.
                            Set subjects = new HashSet();
                            subjects.addAll(subjectsInPolicy);
                            subjectIter = subjects.iterator();
                            while (subjectIter.hasNext()) {
                                subjectName = (String) subjectIter.next();
                                if (debug.messageEnabled()) {
                                    debug.message("subjectName: " + subjectName);
                                }
                                subject = policy.getSubject(subjectName);
                                Set set = subject.getValues();
                                Iterator ite = set.iterator();
                                String str = null;
                                DN strDN = null;
                                while (ite.hasNext()) {
                                    str = (String) ite.next();
                                    strDN = DN.valueOf(str);
                                    if (entryDName.equals(strDN)) {
                                        replacePolicy = true;
                                        if (debug.messageEnabled()) {
                                            debug.message("DNs match, str:" + str + "entryDN:" + entryDN);
                                        }
                                        // Removing from the set being iterated is only safe because of the
                                        // unconditional break below; hasNext() is never called afterwards.
                                        set.remove(str);
                                        if (set.isEmpty()) {
                                            policy.removeSubject(subjectName);
                                            if (debug.messageEnabled()) {
                                                debug.message("subjectDeleted:" + subjectName);
                                            }
                                        } else {
                                            subject.setValues(set);
                                        }
                                        // NOTE(review): only the first value equal to the deleted DN is removed.
                                        // If a subject held the same DN in more than one string form, the other
                                        // forms would remain and still reference the deleted entry.
                                        break;
                                    }
                                    // match DNs
                                }
                                // all subject values in the subject
                            }
                            // all subjects in the policy
                            // Persist only when a value was actually removed.
                            if (replacePolicy) {
                                pmSubOrg.replacePolicy(policy);
                            }
                        }
                        // for referral policies
                    }
                    // all policies
                }
                // all orgs
            }
            // localDS check
        }
        // objectType check
    } catch (PolicyException pe) {
        debug.error("ReferentialIntegrityPlugin.postProcessDelete():", pe);
    } catch (SSOException sse) {
        debug.error("ReferentialIntegrityPlugin.postProcessDelete():", sse);
    } catch (Exception e) {
        // Logged and swallowed; any policies not yet visited keep their stale references.
        debug.error("ReferentialIntegrityPlugin.postProcessDelete():", e);
    }
}
use of com.sun.identity.policy.Policy in project OpenAM by OpenRock.
Class PolicyModelImpl, method cachePolicy().
/**
 * Creates a new {@link Policy} from the given attributes and puts it into the
 * {@link PolicyCache} under the current user's SSO token.
 *
 * @param policyName Name of policy.
 * @param description Description of policy.
 * @param isReferral <code>true</code> if policy is referral typed.
 * @param isActive <code>true</code> if policy is active.
 * @return cache ID of the policy object.
 * @throws AMConsoleException if the policy name is invalid or the policy cannot be cached.
 */
public String cachePolicy(String policyName, String description, boolean isReferral, boolean isActive) throws AMConsoleException {
    try {
        Policy policy = new Policy(policyName, description, isReferral, isActive);
        // The cache key is the user's SSO token; the returned string is the cache ID.
        return PolicyCache.getInstance().cachePolicy(getUserSSOToken(), new CachedPolicy(policy));
    } catch (InvalidNameException e) {
        // Translate to the console-level exception with a localized message.
        throw new AMConsoleException(getErrorString(e));
    }
}