Use of com.sun.identity.policy.PolicyEvaluator in project OpenAM by OpenRock.
Class PolicyRequestHandler, method processPolicyRequest.
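/**
 * Processes a policy request and returns its policy response.
 *
 * <p>The application SSO token carried by the request is resolved first and the
 * application's identity attributes are loaded; any failure on that path is reported
 * as {@link PolicyResponse#APP_SSO_TOKEN_INVALID} before the access attempt is
 * audited. The request is then dispatched on its method id: add policy listener,
 * remove policy listener, advices handleable by AM, or resource results. Any other
 * method id is rejected with an {@code invalid_policy_request_format} error.
 *
 * @param req     the policy request to process
 * @param auditor receives the access attempt and the success/failure outcome of this request
 * @return the policy response, tagged with the request id of {@code req}
 * @throws PolicyEvaluationException if the application token is invalid, the user token
 *         is invalid, the advices or environment parameters cannot be read, the
 *         evaluation itself fails, or the method id is not recognised
 */
private PolicyResponse processPolicyRequest(PolicyRequest req, PLLAuditor auditor) throws PolicyEvaluationException {
    if (debug.messageEnabled()) {
        debug.message("PolicyRequestHandler.processPolicyRequest(): " + " req received:\n" + req.toXMLString());
    }
    PolicyResponse policyRes = new PolicyResponse();
    String requestId = req.getRequestId();
    policyRes.setRequestId(requestId);

    // Resolve the calling application's token and identity attributes before anything else.
    String appSSOTokenIDStr = req.getAppSSOToken();
    SSOToken appToken = null;
    Map<String, Set<String>> appAttributes;
    try {
        appToken = getSSOToken(appSSOTokenIDStr, null);
        appAttributes = IdUtils.getIdentity(appToken).getAttributes();
    } catch (IdRepoException | SSOException | PolicyException pe) {
        // NOTE(review): this warning writes the raw application token id to the log.
        if (debug.warningEnabled()) {
            debug.warning("PolicyRequestHandler: Invalid app sso token, " + appSSOTokenIDStr);
        }
        throw new PolicyEvaluationException(PolicyResponse.APP_SSO_TOKEN_INVALID, requestId);
    }
    // Make the app token available to downstream code on this thread.
    // NOTE(review): nothing in this method clears the ThreadLocal again; confirm the caller
    // does, otherwise the token stays attached to the worker thread after this request.
    AppTokenHandler.set(appToken);

    auditor.setMethod(req.getMethodName());
    auditor.setSsoToken(appToken);
    auditor.setRealm(getFirstItem(appAttributes.get(EVALUATION_REALM), NO_REALM));
    auditor.auditAccessAttempt();

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_ADD_POLICY_LISTENER) {
        PolicyListenerRequest plReq = req.getPolicyListenerRequest();
        boolean addListener = addPolicyListener(appToken, plReq, appAttributes);
        if (addListener) {
            policyRes.setMethodID(PolicyResponse.POLICY_ADD_LISTENER_RESPONSE);
            auditor.auditAccessSuccess();
        } else {
            // A failed registration is reported in-band as a POLICY_EXCEPTION response, not thrown.
            // plReq may be null (a null request is itself a failure), so do not dereference it blindly.
            String[] objs = { plReq == null ? null : plReq.getNotificationURL() };
            String message = ResBundleUtils.getString("failed.add.policy.listener", objs);
            policyRes.setExceptionMsg(message);
            policyRes.setMethodID(PolicyResponse.POLICY_EXCEPTION);
            auditor.auditAccessFailure(message);
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_REMOVE_POLICY_LISTENER) {
        RemoveListenerRequest rmReq = req.getRemoveListenerRequest();
        boolean removeListener = removePolicyListener(appToken, rmReq, appAttributes);
        if (removeListener) {
            policyRes.setMethodID(PolicyResponse.POLICY_REMOVE_LISTENER_RESPONSE);
            auditor.auditAccessSuccess();
        } else {
            // removePolicyListener returns false for a null request, so guard the dereference.
            String[] objs = { rmReq == null ? null : rmReq.getNotificationURL() };
            String message = ResBundleUtils.getString("failed.remove.policy.listener", objs);
            policyRes.setExceptionMsg(message);
            policyRes.setMethodID(PolicyResponse.POLICY_EXCEPTION);
            auditor.auditAccessFailure(message);
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_ADVICES_HANDLEABLE_BY_AM_REQUEST) {
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler: request to get " + " advicesHandleableByAM");
        }
        try {
            Set advices = PolicyConfig.getAdvicesHandleableByAM();
            policyRes.setAdvicesHandleableByAMResponse(new AdvicesHandleableByAMResponse(advices));
            policyRes.setMethodID(PolicyResponse.POLICY_ADVICES_HANDLEABLE_BY_AM_RESPONSE);
            auditor.auditAccessSuccess();
        } catch (PolicyException pe) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyRequestHandler: could not get " + " advicesHandleableByAM", pe);
            }
            throw new PolicyEvaluationException(ResBundleUtils.rbName, "could_not_get_advices_handleable_by_am", null, pe, requestId);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler: returning " + " advicesHandleableByAM policy response");
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_GET_RESOURCE_RESULTS) {
        ResourceResultRequest resourceResultReq = req.getResourceResultRequest();
        // The user token is optional: absent, empty, or the literal "null" string leaves
        // userToken null and the evaluation proceeds without a user session.
        String userSSOTokenIDStr = resourceResultReq.getUserSSOToken();
        SSOToken userToken = null;
        if ((userSSOTokenIDStr != null) && !userSSOTokenIDStr.equals(PolicyUtils.EMPTY_STRING) && !userSSOTokenIDStr.equals(PolicyUtils.NULL_STRING)) {
            try {
                userToken = getSSOToken(userSSOTokenIDStr, appToken);
            } catch (PolicyException pe) {
                // NOTE(review): this warning writes the raw user token id to the log.
                if (debug.warningEnabled()) {
                    debug.warning("PolicyRequestHandler: Invalid user sso token, " + userSSOTokenIDStr, pe);
                }
                // Keep the original failure as the cause instead of dropping it.
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "user_sso_token_invalid", null, pe, requestId);
            }
        }

        Set resourceResults = new HashSet();
        ResourceResults resourceRst = null;
        // Response attributes are resolved only when a user token is present.
        Set respAttrs = resourceResultReq.getResponseAttributes();
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler.processPolicyRequest(): " + "respAttrs=\n" + respAttrs);
        }
        Map respDecisions = null;
        if ((respAttrs != null) && (userToken != null)) {
            respDecisions = getResponseDecisions(userToken, respAttrs);
        }

        String serviceName = resourceResultReq.getServiceName();
        String resourceName = resourceResultReq.getResourceName();
        String resourceScope = resourceResultReq.getResourceScope();
        if ((resourceScope != null) && resourceScope.equals(ResourceResultRequest.RESPONSE_ATTRIBUTES_ONLY)) {
            // Attributes-only scope: no policy evaluation, return an empty decision for the resource.
            ResourceResult resResult = new ResourceResult(resourceName, new PolicyDecision());
            Set results = new HashSet();
            results.add(resResult);
            resourceRst = new ResourceResults(results);
        } else {
            Map envParameters = resourceResultReq.getEnvParms();
            try {
                convertEnvParams(envParameters);
            } catch (PolicyException pe) {
                debug.error("PolicyRequestHandler: Invalid env parameters", pe);
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "invalid_env_parameters", null, pe, requestId);
            }
            PolicyEvaluator policyEvaluator = null;
            try {
                policyEvaluator = getPolicyEvaluator(appToken, serviceName, appAttributes);
                resourceRst = new ResourceResults(policyEvaluator.getResourceResults(userToken, resourceName, resourceScope, envParameters));
                if (debug.messageEnabled()) {
                    debug.message("PolicyRequestHandler.processPolicyRequest():" + " resource result:\n" + resourceRst.toXML());
                }
            } catch (Exception se) {
                // Service boundary: any evaluation failure is wrapped, with the cause preserved.
                debug.error("PolicyRequestHandler: Evaluation error", se);
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "evaluation_error", null, se, requestId);
            }
        }
        resourceRst.setResponseDecisions(respDecisions);
        resourceResults.addAll(resourceRst.getResourceResults());
        policyRes.setResourceResults(resourceResults);
        policyRes.setMethodID(PolicyResponse.POLICY_RESPONSE_RESOURCE_RESULT);
        auditor.auditAccessSuccess();
        return policyRes;
    }

    debug.error("PolicyRequestHandler: Invalid policy request format");
    // Carry the request id like every other failure above so the caller can correlate it.
    throw new PolicyEvaluationException(ResBundleUtils.rbName, "invalid_policy_request_format", null, null, requestId);
}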
Use of com.sun.identity.policy.PolicyEvaluator in project OpenAM by OpenRock.
Class PolicyRequestHandler, method removePolicyListener.
/**
 * Removes a previously registered policy change listener from the policy framework.
 *
 * <p>A notification URL that is not present in {@code listenerRegistry} is treated as
 * already removed and reports success; a registry entry mapped to {@code null} is simply
 * dropped. Only a {@link PolicyException} while obtaining the evaluator or unregistering
 * the listener yields {@code false}, in which case the registry entry is left in place.
 *
 * @param appToken          the requesting application's SSO token
 * @param removeListenerReq the remove-listener request; {@code null} is rejected
 * @param appAttributes     identity attributes of the requesting application
 * @return {@code true} if the listener is no longer registered, {@code false} on failure
 */
private boolean removePolicyListener(SSOToken appToken, RemoveListenerRequest removeListenerReq, Map<String, Set<String>> appAttributes) {
    if (removeListenerReq == null) {
        debug.error("PolicyRequestHandler.removePolicyListener: " + "invalid remove policy listener request received");
        return false;
    }
    final String serviceName = removeListenerReq.getServiceName();
    final String notificationUrl = removeListenerReq.getNotificationURL();

    if (!listenerRegistry.containsKey(notificationUrl)) {
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler.removePolicyListener: " + "policy listener to be removed for service " + serviceName + " has not been registered yet; the notification URL is " + notificationUrl);
        }
        return true;
    }

    final PolicyListener registered = (PolicyListener) listenerRegistry.get(notificationUrl);
    if (registered == null) {
        // Entry with no listener behind it: drop it and report success.
        listenerRegistry.remove(notificationUrl);
        return true;
    }

    try {
        PolicyEvaluator evaluator = getPolicyEvaluator(appToken, serviceName, appAttributes);
        if (evaluator == null) {
            // No evaluator: nothing to unregister from; the registry entry is kept.
            return true;
        }
        evaluator.removePolicyListener(registered);
        listenerRegistry.remove(notificationUrl);
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler.removePolicyListener: " + "policy listener for service " + serviceName + " removed");
        }
        return true;
    } catch (PolicyException e) {
        debug.error("PolicyRequestHandler.removePolicyListener: " + "failed to remove policy change listener", e);
        return false;
    }
}
Use of com.sun.identity.policy.PolicyEvaluator in project OpenAM by OpenRock.
Class DefaultActionMapper, method getAuthorizationDecisions.
/**
 * Evaluates an authorization decision query against the OpenAM policy framework.
 *
 * <p>The attribute statements in the query's evidence are first converted into policy
 * environment parameters; the attributes are expected to be OpenAM attributes. Each
 * action is then evaluated on its own. Only actions in the
 * {@code urn:oasis:names:tc:SAML:1.0:ghpp} namespace are evaluated, against the
 * {@code iPlanetAMWebAgentService} service type; actions in any other namespace, and
 * actions whose evaluation throws, end up in neither the permit nor the deny list.
 *
 * <p>The returned map holds exactly one entry: {@link ActionMapper#PERMIT} with the
 * permitted actions when at least one action was permitted; otherwise
 * {@link ActionMapper#DENY} with the denied actions when at least one was denied;
 * otherwise {@link ActionMapper#INDETERMINATE} mapped to the query's complete action
 * list. Denied actions are therefore not reported whenever any action was permitted.
 *
 * @param query    the authorization decision query
 * @param token    the requester's session, cast to {@link SSOToken} for evaluation
 * @param sourceID the source id of the requester, passed on to the evidence conversion
 * @return a single-entry map from decision kind to the list of actions it covers
 * @throws SAMLException if {@code query} or {@code token} is {@code null}
 */
public Map getAuthorizationDecisions(AuthorizationDecisionQuery query, Object token, String sourceID) throws SAMLException {
    if (query == null || token == null) {
        SAMLUtils.debug.message("DefaultActionMapper: null input.");
        throw new SAMLException(SAMLUtils.bundle.getString("nullInput"));
    }

    Evidence evidence = query.getEvidence();
    Subject querySubject = query.getSubject();
    Map envParameters = convertEvidence(evidence, querySubject, sourceID);

    List permitted = new ArrayList();
    List denied = new ArrayList();
    List actions = query.getAction();
    String resource = query.getResource();

    // Created lazily: only needed if at least one action is in the handled namespace.
    PolicyEvaluator evaluator = null;
    for (Object element : actions) {
        Action action = (Action) element;
        String namespace = action.getNameSpace();
        if (namespace == null || !namespace.equals(SAMLConstants.ACTION_NAMESPACE_GHPP)) {
            continue;
        }
        try {
            if (evaluator == null) {
                evaluator = new PolicyEvaluator("iPlanetAMWebAgentService");
            }
            boolean allowed = evaluator.isAllowed((SSOToken) token, resource, action.getAction(), envParameters);
            List bucket = allowed ? permitted : denied;
            bucket.add(action);
        } catch (Exception e) {
            // Deliberately best-effort: a failing evaluation leaves this action indeterminate.
            if (SAMLUtils.debug.messageEnabled()) {
                SAMLUtils.debug.message("DefaultActionMapper: " + "Exception from policy:" + e);
            }
        }
    }

    Map decisions = new HashMap();
    if (!permitted.isEmpty()) {
        decisions.put(ActionMapper.PERMIT, permitted);
    } else if (!denied.isEmpty()) {
        decisions.put(ActionMapper.DENY, denied);
    } else {
        decisions.put(ActionMapper.INDETERMINATE, actions);
    }
    return decisions;
}
Use of com.sun.identity.policy.PolicyEvaluator in project OpenAM by OpenRock.
Class IDPPTest, method evaluate.
/**
 * Authenticates the test user and checks whether the MODIFY action on {@code URL1} is denied.
 *
 * <p>NOTE(review): the {@code res} parameter is not used anywhere in the body; the
 * evaluated resource is always {@code URL1}. Confirm whether callers expect {@code res}
 * to be the evaluated resource.
 *
 * @param res unused
 * @return {@code true} only if login succeeds and the single decision value for MODIFY
 *         is {@code "deny"}; {@code false} for every other outcome
 * @throws Exception if the authentication flow presents a callback other than name or
 *         password, or if login or policy evaluation throws
 */
private boolean evaluate(String res) throws Exception {
    AuthContext authContext = new AuthContext(orgName);
    authContext.login();
    while (authContext.hasMoreRequirements()) {
        Callback[] callbacks = authContext.getRequirements();
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(USER1_NAME);
            } else if (callback instanceof PasswordCallback) {
                // Test fixture: the user name is supplied as the password.
                ((PasswordCallback) callback).setPassword(USER1_NAME.toCharArray());
            } else {
                throw new Exception("No callback");
            }
        }
        authContext.submitRequirements(callbacks);
    }
    if (authContext.getStatus() != AuthContext.Status.SUCCESS) {
        return false;
    }

    SSOToken ssoToken = authContext.getSSOToken();
    PolicyEvaluator evaluator = new PolicyEvaluator(serviceType);
    String action = "MODIFY";
    Set actions = new HashSet();
    actions.add(action);
    PolicyDecision decision = evaluator.getPolicyDecision(ssoToken, URL1, actions, null);
    if (decision == null) {
        return false;
    }

    ActionDecision actionDecision = (ActionDecision) decision.getActionDecisions().get(action);
    if (actionDecision == null) {
        return false;
    }
    Set values = (Set) actionDecision.getValues();
    if (values == null || values.size() != 1) {
        return false;
    }
    String actionValue = (String) values.iterator().next();
    return actionValue.equals("deny");
}
Use of com.sun.identity.policy.PolicyEvaluator in project OpenAM by OpenRock.
Class DecisionMergeTest, method testOldAPI.
/**
 * Exercises the legacy {@link PolicyEvaluator} API for the URL application type.
 *
 * <p>Requests subtree-scoped resource results for a fixed URL as the admin user and
 * renders every returned decision. The test makes no assertions; it passes as long as
 * evaluation and {@code toString()} complete without throwing.
 *
 * @throws SSOException    propagated from the evaluator
 * @throws PolicyException propagated from the evaluator
 */
@Test
public void testOldAPI() throws SSOException, PolicyException {
    PolicyEvaluator evaluator = new PolicyEvaluator("/", ApplicationTypeManager.URL_APPLICATION_TYPE_NAME);
    Set<ResourceResult> results = evaluator.getResourceResults(adminToken, "http://www.DecisionMergeTest.com", ResourceResult.SUBTREE_SCOPE, Collections.emptyMap());
    for (ResourceResult result : results) {
        // The rendered value is discarded; only a clean toString() matters here.
        result.getPolicyDecision().toString();
    }
}