
Example 6 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

From class ResourceResultCache, method getPolicyDecision:

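/**
 * Returns a policy decision for {@code resourceName}, re-fetching it from the
 * policy service when the decision at hand has already expired.
 *
 * The first lookup may be served from the local cache. If that decision's
 * time-to-live lies in the past, the decision is fetched again with the cache
 * bypassed, up to {@code retryCount} times. A decision that is still expired
 * after the retries is reported as a failure instead of being returned, so an
 * expired (possibly stale) permission is never acted upon.
 *
 * When {@code actionNames} is non-null the result is projected onto those
 * actions only; otherwise a clone of the full decision is returned so the
 * caller cannot mutate the cached instance.
 *
 * @param appToken application sso token to identify the client to policy
 * service
 * @param serviceName name of service for which to get policy decision
 * @param token session token of user for whom to get policy decision
 * @param resourceName resource name for which to get policy decision
 * @param actionNames action names for which to get policy decision; when
 * non-null, only decisions for these actions are returned
 * @param env environment map to use to get policy decision
 * @param retryCount try this many times before giving up if received policy
 * decision is found to have expired (zero or negative means no retry)
 * @return policy decision, never one whose time-to-live has already passed
 * @throws PolicyException if can not get policy decision, including the case
 * where every received decision was already expired
 * @throws SSOException if user session token is not valid
 * @throws InvalidAppSSOTokenException if application session token
 * is not valid
 */
PolicyDecision getPolicyDecision(SSOToken appToken, String serviceName, SSOToken token, String resourceName, Set actionNames, Map env, int retryCount) throws InvalidAppSSOTokenException, PolicyException, SSOException {
    // First attempt: the cache may be used.
    PolicyDecision pd = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, true);
    // Expiry is judged against the local clock. If the TTL originates from the
    // policy server, clock skew between the two hosts shifts this decision.
    boolean validTtl = pd.getTimeToLive() > System.currentTimeMillis();
    for (int attempt = 1; !validTtl && attempt <= retryCount; attempt++) {
        if (debug.messageEnabled()) {
            debug.message("ResourceResultCache.getPolicyDecision():" + "Received expired decision, " + "Getting decision again, repeat attempt=" + attempt);
        }
        // Retries bypass the cache so a stale cached entry cannot be re-served.
        pd = getPolicyDecision(appToken, serviceName, token, resourceName, actionNames, env, false);
        validTtl = pd.getTimeToLive() > System.currentTimeMillis();
    }
    if (!validTtl) {
        if (debug.warningEnabled()) {
            debug.warning("ResourceResultCache.getPolicyDecision():" + "Received expired decision from server");
        }
        // Fail closed: an expired decision is never handed to the caller.
        Object[] args = { resourceName };
        throw new PolicyEvaluationException(ResBundleUtils.rbName, "received_expired_decision", args, null);
    }
    if (actionNames == null) {
        // No projection requested: return a copy so the cached instance stays untouched.
        return (PolicyDecision) pd.clone();
    }
    // Project the decision onto the requested actions; decisions for any other
    // action are dropped. The action-decision map is loop-invariant, so it is
    // looked up once rather than on every iteration.
    PolicyDecision filtered = new PolicyDecision();
    Map actionDecisions = pd.getActionDecisions();
    for (Object name : actionNames) {
        String actionName = (String) name;
        ActionDecision ad = (ActionDecision) actionDecisions.get(actionName);
        if (ad != null) {
            filtered.addActionDecision(ad);
        }
    }
    Map mergedResponseAttrs = new HashMap();
    PolicyUtils.appendMapToMap(pd.getResponseAttributes(), mergedResponseAttrs);
    filtered.setResponseAttributes(mergedResponseAttrs);
    // NOTE(review): 'filtered' is a freshly constructed PolicyDecision; whether
    // it carries over pd's time-to-live is not visible here. Confirm before
    // relying on getTimeToLive() of the returned object.
    return filtered;
}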

Example 7 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

From class PolicyEvaluator, method isAllowed:

/**
 * Evaluates a boolean-typed action on a resource for the given user.
 *
 * The policy decision for the single requested action is fetched and reduced
 * to a yes/no answer using the service's configured true/false value strings.
 * The evaluation is default-deny: the action is allowed only when a decision
 * exists, both value strings are configured, and the decision's value set
 * contains the true value without also containing the false value (a false
 * value anywhere in the set wins).
 *
 * @param token single sign on token of the user evaluating policies.
 * @param resourceName name of the resource the user is trying to access
 * @param actionName name of the action the user is trying to perform on
 * the resource
 * @param envParameters run time environment parameters
 *
 * @return the result of the evaluation as a boolean value
 *
 * @throws PolicyException if result could not be computed for
 *         reason other than single sign on token problem.
 * @throws SSOException if single sign on token is not valid
 *
 * @supported.api
 */
public boolean isAllowed(SSOToken token, String resourceName, String actionName, Map envParameters) throws PolicyException, SSOException {
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator:isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":envParameters) : entering");
    }
    Set requestedActions = new HashSet(1);
    requestedActions.add(actionName);
    PolicyDecision decision = getPolicyDecision(token, resourceName, requestedActions, envParameters);
    ActionDecision actionDecision = (ActionDecision) decision.getActionDecisions().get(actionName);
    String trueValue = policyProperties.getTrueValue(serviceName, actionName);
    String falseValue = policyProperties.getFalseValue(serviceName, actionName);
    // Default deny: only an explicit true value, unaccompanied by the false value, grants access.
    boolean actionAllowed = false;
    if (actionDecision != null && trueValue != null && falseValue != null) {
        Set values = (Set) actionDecision.getValues();
        if (values != null && !values.contains(falseValue) && values.contains(trueValue)) {
            actionAllowed = true;
        }
    }
    // Access logging according to the configured log mode.
    String result = actionAllowed ? "ALLOW" : "DENY";
    String[] objs = { resourceName, actionName, result };
    String logKey = null;
    if (PolicyProperties.ALLOW.equals(logActions) && actionAllowed) {
        logKey = "policy_eval_allow";
    } else if (PolicyProperties.DENY.equals(logActions) && !actionAllowed) {
        logKey = "policy_eval_deny";
    } else if (PolicyProperties.BOTH.equals(logActions) || PolicyProperties.DECISION.equals(logActions)) {
        logKey = "policy_eval_result";
    }
    if (logKey != null) {
        logAccessMessage(Level.INFO, ResBundleUtils.getString(logKey, objs), token);
    }
    if (debug.messageEnabled()) {
        debug.message("PolicyEvaluator.isAllowed():" + "token=" + token.getPrincipal().getName() + ":resourceName=" + resourceName + ":actionName=" + actionName + ":returning: " + actionAllowed);
    }
    return actionAllowed;
}

Example 8 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

From class ResourceResultCache, method jsonEntitlementToResourceResult:

/**
 * Converts one JSON entitlement object into a {@link ResourceResult}.
 *
 * Each entry of the entitlement's action/values map becomes an
 * {@link ActionDecision} whose values are first mapped through
 * {@code mapActionBooleanToString} for the given service. The entitlement's
 * advices map is attached, as the same instance, to every action decision,
 * and its attributes map becomes the decision's response decisions.
 *
 * @param jsonEntitlement the entitlement as returned by the policy service
 * @param serviceName service used to map boolean action values to strings
 * @return resource result wrapping the resource name and the built decision
 * @throws JSONException if the entitlement cannot be read
 */
ResourceResult jsonEntitlementToResourceResult(JSONObject jsonEntitlement, String serviceName) throws JSONException {
    // optString() yields "" rather than failing when the key is absent (org.json),
    // so an entitlement without a resource name is not rejected here.
    String resultResourceName = jsonEntitlement.optString(JSON_RESOURCE_NAME);
    Map<String, Set<String>> actionsValues = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ACTIONS_VALUES);
    Map<String, Set<String>> advices = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ADVICES);
    Map<String, Set<String>> attributes = JSONUtils.getMapStringSetString(jsonEntitlement, JSON_ATTRIBUTES);
    PolicyDecision decision = new PolicyDecision();
    if (actionsValues != null) {
        for (Map.Entry<String, Set<String>> entry : actionsValues.entrySet()) {
            String actName = entry.getKey();
            Set<String> actValues = mapActionBooleanToString(serviceName, actName, entry.getValue());
            ActionDecision ad = new ActionDecision(actName, actValues);
            // Shared reference: every action decision sees the same advices map.
            ad.setAdvices(advices);
            decision.addActionDecision(ad);
        }
    }
    decision.setResponseDecisions(attributes);
    return new ResourceResult(resultResourceName, decision);
}

Example 9 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

From class EvaluatePolicyServlet, method processRequest:

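/**
 * Reads the resource which the user needs to access from the servlet
 * request parameter <code>resource</code>.
 * If the user's session is invalid, the user gets redirected to the
 * amserver login page to log in first. This happens both when no valid
 * session token can be created from the request (which surfaces as an
 * exception) and when a token is created but reported as invalid.
 * Once the session is valid, the access permissions for the requested
 * resource are computed and sent back in the servlet response.
 *
 * The <code>resource</code> parameter is untrusted request input and is
 * reflected into the HTML response; it is escaped before being written,
 * in the same way the policy decision XML is escaped.
 *
 * @param request servlet request
 * @param response servlet response
 * @throws ServletException
 * @throws java.io.IOException
 */
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, java.io.IOException {
    try {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        SSOToken ssoToken = mgr.createSSOToken(request);
        if (!mgr.isValidToken(ssoToken)) {
            // Previously this path produced an empty response; the contract
            // above promises a redirect to the login page instead.
            redirectToLogin(request, response);
            return;
        }
        if (debug.messageEnabled()) {
            String universalId = ssoToken.getProperty(Constants.UNIVERSAL_IDENTIFIER);
            if (universalId != null) {
                debug.message("UNIV ID in ssoToken:" + universalId);
            } else {
                debug.message("univ id is null");
                debug.message("principal:" + ssoToken.getPrincipal().getName());
            }
        }
        String resource = request.getParameter("resource");
        if (resource == null) {
            // A missing parameter is a client error, not a session problem; do not
            // bounce an authenticated user to the login page for it.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'resource' parameter");
            return;
        }
        PolicyEvaluator pe = new PolicyEvaluator(WEB_AGENT_SERVICE);
        Set actions = new HashSet();
        actions.add("GET");
        PolicyDecision pd = pe.getPolicyDecision(ssoToken, resource, actions, null);
        boolean allowed = pe.isAllowed(ssoToken, resource, "GET", null);
        // 'resource' comes straight from the request: escape it before reflecting it into HTML.
        String safeResource = XMLUtils.escapeSpecialCharacters(resource);
        StringBuilder message = new StringBuilder("<pre>");
        message.append("isAllowed() for ").append(safeResource).append(" action:GET is:   ");
        message.append(allowed);
        message.append(NEWLINE).append(NEWLINE);
        message.append("getPolicyDecision() for ").append(safeResource).append(" action:GET is:");
        message.append(NEWLINE);
        message.append(XMLUtils.escapeSpecialCharacters(pd.toXML()));
        message.append("</pre>");
        sendResponse(response, message.toString());
    } catch (Exception ire) {
        // Any failure here (no session cookie, invalid token, policy evaluation
        // error) is treated as "not logged in" and answered with a login redirect.
        debug.error("processRequest::exception:", ire);
        redirectToLogin(request, response);
    }
}

/**
 * Redirects the client to the login page ({@code serverUrl}), passing the
 * current request URL as the post-login <code>goto</code> target.
 *
 * @param request servlet request whose URL becomes the goto target
 * @param response servlet response used to send the redirect
 * @throws java.io.IOException if the redirect cannot be sent
 */
private void redirectToLogin(HttpServletRequest request, HttpServletResponse response) throws java.io.IOException {
    String requestUrl = request.getRequestURL().toString();
    // NOTE(review): the goto value is appended without URL-encoding, as before.
    // getRequestURL() carries no query string, so this is usually harmless,
    // but encoding the value would be more robust; confirm what the login
    // endpoint expects before changing it.
    response.sendRedirect(serverUrl + "?goto=" + requestUrl);
}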

Example 10 with PolicyDecision

use of com.sun.identity.policy.PolicyDecision in project OpenAM by OpenRock.

From class DelegationPolicyImpl, method getResultFromCache:

/**
 * Looks up a cached delegation decision for a user's token and a resource.
 *
 * A cached entry is only reused when the environment it was computed under
 * equals the environment requested now (a null or empty environment on either
 * side is treated as the empty map) and the decision's time-to-live has not
 * yet passed. Expired entries are reported in the debug log and ignored; they
 * are not removed here. On a hit the cached instance itself is returned, not
 * a copy.
 *
 * @param  tokenIdStr <code>String</code> representation of user's token
 * @param  resource resource for which results are sought.
 * @param  envParams  <code>Map</code> of environment params to be
 *         used to fetch the decisions.
 * @return the cached policy decision, or {@code null} when there is no
 *         usable entry
 */
private PolicyDecision getResultFromCache(String tokenIdStr, String resource, Map envParams) throws SSOException, DelegationException {
    if (resource == null) {
        return null;
    }
    Map<String, List<Object>> items = delegationCache.get(tokenIdStr);
    if (items == null || items.isEmpty()) {
        return null;
    }
    List<Object> entry = items.get(resource);
    if (entry == null) {
        return null;
    }
    // Cache entry layout used here: slot 0 is the environment map the decision
    // was computed under, slot 1 the PolicyDecision itself.
    Map cachedEnv = (Map) entry.get(0);
    Map requestedEnv = (envParams == null || envParams.isEmpty()) ? Collections.EMPTY_MAP : envParams;
    if (cachedEnv == null || cachedEnv.isEmpty()) {
        cachedEnv = Collections.EMPTY_MAP;
    }
    if (!requestedEnv.equals(cachedEnv)) {
        return null;
    }
    PolicyDecision cached = (PolicyDecision) entry.get(1);
    if (cached == null) {
        return null;
    }
    // Expiry is checked against the local clock.
    long pdTTL = cached.getTimeToLive();
    long currentTime = System.currentTimeMillis();
    if (pdTTL > currentTime) {
        return cached;
    }
    if (DelegationManager.debug.messageEnabled()) {
        DelegationManager.debug.message("DelegationPolicyImpl: delegation decision " + "expired. TTL=" + pdTTL + "; current time=" + currentTime);
    }
    return null;
}
