
Example 61 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticatedSharedAgentsCondition method getConditionDecision.

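/**
 * Gets the decision computed by this condition object.
 *
 * <p>The calling agent is resolved from {@code token}; the resource under
 * evaluation is read from {@code env} under
 * {@code PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE}. The set of
 * agents the caller may act on is taken from {@code sharedAgentsCache},
 * keyed by the caller's universal id, or, on a cache miss, read from the
 * caller's agent attributes with an admin token and then cached.
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value pairs.
 *
 * @return the condition decision. The condition decision
 *         encapsulates whether a policy applies for the request.
 *         When {@code env} carries no requested resource, or the
 *         caller's agent list is missing or empty, the decision is
 *         {@code false}.
 *
 * Policy framework continues evaluating a policy only if it
 * applies to the request as indicated by the CondtionDecision.
 * Otherwise, further evaluation of the policy is skipped.
 *
 * @throws SSOException if the token is invalid
 * @throws PolicyException if the caller's identity or the agent
 *         attributes cannot be read from the identity repository
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    boolean allowed = false;
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: " + "called with Token: " + token.getPrincipal().getName() + ", requestedResourcename: " + env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE));
    }
    String realmName = null;
    String sharedAgentName = null;
    String sharedAgentUnivId = null;
    try {
        AMIdentity id = IdUtils.getIdentity(token);
        realmName = id.getRealm();
        sharedAgentName = id.getName();
        sharedAgentUnivId = id.getUniversalId();
    } catch (SSOException ssoe) {
        // Debug it and rethrow: an unusable token must never fall through to a decision.
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: invalid sso token: " + ssoe.getMessage());
        }
        throw ssoe;
    } catch (IdRepoException ide) {
        // Debug it and throw converted policy exception (cause preserved).
        if (debug.messageEnabled()) {
            debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision IdRepo exception: ", ide);
        }
        throw new PolicyException(ide);
    }
    // Get the resource name from the env
    Object o = env.get(PolicyEvaluator.SUN_AM_ORIGINAL_REQUESTED_RESOURCE);
    if (debug.messageEnabled()) {
        debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision:" + " name: " + sharedAgentName + " resource: " + o);
    }
    if (o != null) {
        String resourceName = null;
        if (o instanceof String) {
            resourceName = (String) o;
        } else if (o instanceof Set) {
            // Only the first element of a Set is considered; an empty Set
            // leaves the name null, as before.
            if (!((Set) o).isEmpty()) {
                resourceName = (String) ((Set) o).iterator().next();
            }
        } else {
            // Unexpected value type. The fallback to "" must not depend on the
            // logging level: previously it was applied only when warning
            // logging was on, so with warnings off a null name reached split().
            resourceName = "";
            if (debug.warningEnabled()) {
                debug.warning("AuthenticatedSharedAgentsCondition." + "getConditionDecision: Unable to get resource name");
            }
        }
        try {
            Set agentsFromEnv = new HashSet();
            String agentTypeName = IdType.AGENT.getName();
            String agentOnlyTypeName = IdType.AGENTONLY.getName();
            // The agent configuration is read with a privileged admin token, not
            // the caller's token; the decision below is still bounded by the
            // caller's own attribute set, so this does not widen what it may do.
            SSOToken adminToken = (SSOToken) AccessController.doPrivileged(AdminTokenAction.getInstance());
            ServiceConfig orgConfig = getOrgConfig(adminToken, realmName);
            String[] retVal = split(resourceName);
            // A resource of the form <type>/<type> for AGENT or AGENTONLY names the
            // type itself as the target.
            if ((retVal[0].equalsIgnoreCase(agentTypeName) && retVal[1].equalsIgnoreCase(agentTypeName)) || (retVal[0].equalsIgnoreCase(agentOnlyTypeName) && retVal[1].equalsIgnoreCase(agentOnlyTypeName))) {
                agentsFromEnv.add(retVal[0]);
            }
            if ((!retVal[0].equalsIgnoreCase(agentTypeName)) && (!retVal[0].equalsIgnoreCase(agentOnlyTypeName))) {
                retVal[0] = getAgentNameFromEnv(resourceName);
                if (retVal[0] == null) {
                    // No agent could be derived from the resource: fail closed.
                    return new ConditionDecision(false);
                }
                if (retVal[0].equalsIgnoreCase(sharedAgentName)) {
                    // The caller targets itself: compare against its own agent list.
                    // NOTE(review): getAttributes() may yield no value for
                    // attributeToRead, leaving agentsFromEnv null for getPermission() — confirm.
                    Map envMap = getAttributes(orgConfig, retVal[0]);
                    agentsFromEnv = (Set) envMap.get(attributeToRead);
                } else {
                    agentsFromEnv.add(retVal[0]);
                }
                if (debug.messageEnabled()) {
                    debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsFromEnv: " + agentsFromEnv + "retVal[0] " + retVal[0]);
                }
            }
            // Check in cache. A present-but-empty entry is an explicit deny and
            // is not re-read from the repository.
            // NOTE(review): invalidation of sharedAgentsCache happens outside this
            // method; a change to the agent's allowed list is only seen once the
            // entry is refreshed elsewhere — verify.
            if ((sharedAgentsCache != null) && (sharedAgentsCache.containsKey(sharedAgentUnivId))) {
                Set agentsfromCache = (Set) sharedAgentsCache.get(sharedAgentUnivId);
                if (agentsfromCache != null && !agentsfromCache.isEmpty()) {
                    allowed = getPermission(agentsFromEnv, agentsfromCache);
                }
                return new ConditionDecision(allowed);
            }
            // If not in cache.
            // Return the attributes for the given agent under
            // default group.
            Map agentsAttrMap = getAttributes(orgConfig, sharedAgentName);
            Set agentsToRead = (Set) agentsAttrMap.get(attributeToRead);
            if (debug.messageEnabled()) {
                debug.message("AuthenticatedSharedAgentsCondition." + "getConditionDecision: agentsToRead: " + agentsToRead);
            }
            if (agentsToRead != null && !agentsToRead.isEmpty()) {
                allowed = getPermission(agentsFromEnv, agentsToRead);
            }
            // Update the cache (a null/empty list is cached as-is).
            updateCache(sharedAgentUnivId, agentsToRead);
        } catch (IdRepoException idpe) {
            debug.error("AuthenticatedSharedAgentsCondition." + "getConditionDecision(): Unable to read agent" + " attributes for " + sharedAgentName, idpe);
            throw new PolicyException(idpe);
        }
    }
    return new ConditionDecision(allowed);
}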

Example 62 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class DSAMERole method getValidValues.

/**
 * Returns a list of possible values for the <code>Subject
 * </code> that matches the pattern.
 *
 * <p>Roles are searched under {@code organizationDN} with the caller's
 * own token, bounded by {@code maxResults}, {@code timeLimit} and
 * {@code roleSearchScope}. Hitting a size or time limit is reported
 * through the {@code ValidValues} status, not as an exception.
 *
 * @param token the <code>SSOToken</code> that will be used
 * to determine the possible values
 * @param pattern search pattern handed to the role search
 *
 * @return <code>ValidValues</code> object
 *
 * @exception SSOException if SSO token is not valid
 * @exception PolicyException if unable to get the list of valid
 * names.
 */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw (new PolicyException(ResBundleUtils.rbName, "role_subject_not_yet_initialized", null, null));
    }
    try {
        AMStoreConnection connection = new AMStoreConnection(token);
        AMOrganization organization = connection.getOrganization(organizationDN);
        AMSearchControl control = new AMSearchControl();
        control.setMaxResults(maxResults);
        control.setTimeOut(timeLimit);
        control.setSearchScope(roleSearchScope);
        AMSearchResults found = organization.searchAllRoles(pattern, control);
        // Map the search outcome onto a ValidValues status; anything that is not
        // a size/time limit counts as success.
        int errorCode = found.getErrorCode();
        int status = ValidValues.SUCCESS;
        if (errorCode == AMSearchResults.SIZE_LIMIT_EXCEEDED) {
            status = ValidValues.SIZE_LIMIT_EXCEEDED;
        } else if (errorCode == AMSearchResults.TIME_LIMIT_EXCEEDED) {
            status = ValidValues.TIME_LIMIT_EXCEEDED;
        }
        return new ValidValues(status, found.getSearchResults());
    } catch (AMException e) {
        LdapException ldapError = e.getLDAPException();
        if (ldapError == null) {
            // Not an LDAP failure: wrap with the cause kept.
            throw new PolicyException(e);
        }
        ResultCode code = ldapError.getResult().getResultCode();
        if (ResultCode.INVALID_CREDENTIALS.equals(code)) {
            throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
        }
        if (ResultCode.NO_SUCH_OBJECT.equals(code)) {
            String[] objs = { organizationDN };
            throw new PolicyException(ResBundleUtils.rbName, "no_such_am_roles_base_dn", objs, null);
        }
        // Any other LDAP result is reported with the server's diagnostic text.
        // NOTE(review): this text comes straight from the directory server and is
        // surfaced to the caller of this API — verify it is not shown to end users.
        String diagnostic = ldapError.getResult().getDiagnosticMessage();
        String codeName = code.getName().toString(Locale.ROOT);
        if (codeName == null) {
            throw new PolicyException(diagnostic);
        }
        throw new PolicyException(diagnostic + ": " + codeName);
    }
}

Example 63 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method validateProperties.

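/**
 * Checks the properties set using setProperties() method for
 * validity like, not null, presence of AUTHENTICATE_TO_REALM property,
 * and no other invalid property.
 *
 * @return {@code true} when the properties are acceptable
 * @throws PolicyException if the properties map is null, does not
 *         contain AUTHENTICATE_TO_REALM, contains any other key, or
 *         holds a non-Set value for AUTHENTICATE_TO_REALM
 */
private boolean validateProperties() throws PolicyException {
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set keySet = properties.keySet();
    //Check if the required key(s) are defined
    if (!keySet.contains(AUTHENTICATE_TO_REALM)) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }
    //Check if all the keys are valid: AUTHENTICATE_TO_REALM is the only one allowed
    Iterator keys = keySet.iterator();
    while (keys.hasNext()) {
        String key = (String) keys.next();
        if (!AUTHENTICATE_TO_REALM.equals(key)) {
            String[] args = { key };
            // NOTE(review): the bundle key below carries a trailing space; it must
            // match the resource bundle exactly — confirm before normalizing.
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }
    //validate AUTHENTICATE_TO_REALM
    Set authnToRealmSet = null;
    try {
        authnToRealmSet = (Set) properties.get(AUTHENTICATE_TO_REALM);
    } catch (ClassCastException e) {
        // Name the property that actually failed the cast. The previous code
        // reported REQUEST_AUTHENTICATED_TO_REALMS, which is the evaluation-time
        // env key, not the property being validated here.
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
    }
    if (authnToRealmSet != null) {
        validateAuthnToRealms(authnToRealmSet);
    }
    return true;
}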

Example 64 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method getConditionDecision.

/**
 * Returns the decision computed by this condition object, based on the
 * map of environment parameters
 *
 * @param token single sign on token of the user
 *
 * @param env request specific environment map of key/value pairs
 *        <code>AuthenticateToRealmCondition</code> looks for value of key
 *        <code>REQUEST_AUTHENTICATED_TO_REALMS</code> in the map.
 *        The value should be a <code>Set</code> with <code>String</code>
 *        elements.
 *        If the <code>env</code> parameter is <code>null</code> or does not
 *        define the value for
 *       <code>REQUEST_AUTHENTICATED_TO_REALMS</code>,  value for
 *        <code>REQUEST_AUTHENTICATED_TO_REALMS</code> is computed
 *        from sso token. When the key is present in <code>env</code> it
 *        takes precedence over the token and the token is not consulted.
 *
 * @return the condition decision. The condition decision encapsulates
 *         whether a policy applies for the request and advice messages
 *         generated by the condition. With a <code>null</code> token and
 *         no realms in <code>env</code> the decision is <code>false</code>.
 *
 * Policy framework continues evaluating a  policy only if it applies
 * to the request  as indicated by the <code>ConditionDecision</code>.
 * Otherwise, further evaluation of the policy is skipped.
 * However, the advice messages encapsulated in the
 * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
 * in the policy  decision.
 *
 * @throws PolicyException if the condition has not been initialized with a
 *        successful call to <code>setProperties(Map)</code> and/or the
 *        value of <code>REQUEST_AUTHENTICATED_TO_REALMS</code> could not be
 *        determined.
 * @throws SSOException if the token is invalid
 *
 * @see #setProperties(Map)
 * @see #AUTHENTICATE_TO_REALM
 * @see #REQUEST_AUTHENTICATED_TO_REALMS
 * @see com.sun.identity.policy.ConditionDecision
 */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // We don't care about case of the realm when doing the comparison so use a CaseInsensitiveHashSet
    Set requestAuthnRealms = new CaseInsensitiveHashSet();
    Object realmsFromEnv = (env == null) ? null : env.get(REQUEST_AUTHENTICATED_TO_REALMS);
    if (realmsFromEnv != null) {
        // NOTE(review): a caller that controls env can assert realms here without
        // the token having authenticated to them; verify env is populated only
        // by trusted evaluators.
        try {
            requestAuthnRealms.addAll((Set) realmsFromEnv);
            if (debugMessageEnabled) {
                DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision(): " + "requestAuthnRealms, from request = " + requestAuthnRealms);
            }
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTHENTICATED_TO_REALMS };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
    } else if (token != null) {
        // No realms supplied by the request: derive them from the session.
        Set fromToken = AMAuthUtils.getAuthenticatedRealms(token);
        if (fromToken != null) {
            requestAuthnRealms.addAll(fromToken);
        }
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision(): " + "requestAuthnRealms, from ssoToken = " + requestAuthnRealms);
        }
    }
    // Satisfied only when the configured realm is among the authenticated ones;
    // otherwise the realm is returned as advice so the caller can re-authenticate.
    boolean allowed = requestAuthnRealms.contains(authenticateToRealm);
    Set adviceMessages = new HashSet(1);
    if (!allowed) {
        adviceMessages.add(authenticateToRealm);
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision():" + "authenticateToRealm not satisfied = " + authenticateToRealm);
        }
    }
    if (debugMessageEnabled) {
        DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision():authenticateToRealm = " + authenticateToRealm + "," + "requestAuthnRealms = " + requestAuthnRealms + ", " + " allowed = " + allowed);
    }
    Map advices = new HashMap();
    if (!allowed) {
        advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE, adviceMessages);
    }
    return new ConditionDecision(allowed, advices);
}

Example 65 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToServiceCondition method validateProperties.

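/**
 * Checks the properties set using setProperties() method for
 * validity like, not null, presence of AUTHENTICATE_TO_SERVICE property,
 * and no other invalid property.
 *
 * @return {@code true} when the properties are acceptable
 * @throws PolicyException if the properties map is null, does not
 *         contain AUTHENTICATE_TO_SERVICE, contains any other key, or
 *         holds a non-Set value for AUTHENTICATE_TO_SERVICE
 */
private boolean validateProperties() throws PolicyException {
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set keySet = properties.keySet();
    //Check if the required key(s) are defined
    if (!keySet.contains(AUTHENTICATE_TO_SERVICE)) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }
    //Check if all the keys are valid: AUTHENTICATE_TO_SERVICE is the only one allowed
    Iterator keys = keySet.iterator();
    while (keys.hasNext()) {
        String key = (String) keys.next();
        if (!AUTHENTICATE_TO_SERVICE.equals(key)) {
            String[] args = { key };
            // NOTE(review): the bundle key below carries a trailing space; it must
            // match the resource bundle exactly — confirm before normalizing.
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }
    //validate AUTHENTICATE_TO_SERVICE
    Set authnToServiceSet = null;
    try {
        authnToServiceSet = (Set) properties.get(AUTHENTICATE_TO_SERVICE);
    } catch (ClassCastException e) {
        // Name the property that actually failed the cast. The previous code
        // reported REQUEST_AUTHENTICATED_TO_SERVICES, which is the evaluation-time
        // env key, not the property being validated here.
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
    }
    if (authnToServiceSet != null) {
        validateAuthnToServices(authnToServiceSet);
    }
    return true;
}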
