Search in sources :

Example 11 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class DSAMERole method getValidValues.

/**
     * Returns a list of possible values for the <code>Subject
     * </code> that matches the pattern. 
     *
     * @param token the <code>SSOToken</code> that will be used
     * to determine the possible values
     *
     * @return <code>ValidValues</code> object
     *
     * @exception SSOException if SSO token is not valid
     * @exception PolicyException if unable to get the list of valid
     * names.
     */
public ValidValues getValidValues(SSOToken token, String pattern) throws SSOException, PolicyException {
    if (!initialized) {
        throw (new PolicyException(ResBundleUtils.rbName, "role_subject_not_yet_initialized", null, null));
    }
    try {
        AMStoreConnection amConnection = new AMStoreConnection(token);
        AMOrganization orgObject = amConnection.getOrganization(organizationDN);
        AMSearchControl sc = new AMSearchControl();
        sc.setMaxResults(maxResults);
        sc.setTimeOut(timeLimit);
        sc.setSearchScope(roleSearchScope);
        AMSearchResults results = orgObject.searchAllRoles(pattern, sc);
        int status;
        switch(results.getErrorCode()) {
            case AMSearchResults.SUCCESS:
                status = ValidValues.SUCCESS;
                break;
            case AMSearchResults.SIZE_LIMIT_EXCEEDED:
                status = ValidValues.SIZE_LIMIT_EXCEEDED;
                break;
            case AMSearchResults.TIME_LIMIT_EXCEEDED:
                status = ValidValues.TIME_LIMIT_EXCEEDED;
                break;
            default:
                status = ValidValues.SUCCESS;
        }
        return new ValidValues(status, results.getSearchResults());
    } catch (AMException e) {
        LdapException lde = e.getLDAPException();
        if (lde != null) {
            ResultCode ldapErrorCode = lde.getResult().getResultCode();
            if (ResultCode.INVALID_CREDENTIALS.equals(ldapErrorCode)) {
                throw new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
            } else if (ResultCode.NO_SUCH_OBJECT.equals(ldapErrorCode)) {
                String[] objs = { organizationDN };
                throw new PolicyException(ResBundleUtils.rbName, "no_such_am_roles_base_dn", objs, null);
            }
            String errorMsg = lde.getResult().getDiagnosticMessage();
            String additionalMsg = lde.getResult().getResultCode().getName().toString(Locale.ROOT);
            if (additionalMsg != null) {
                throw new PolicyException(errorMsg + ": " + additionalMsg);
            } else {
                throw new PolicyException(errorMsg);
            }
        }
        throw new PolicyException(e);
    }
}
Also used : AMStoreConnection(com.iplanet.am.sdk.AMStoreConnection) AMSearchControl(com.iplanet.am.sdk.AMSearchControl) PolicyException(com.sun.identity.policy.PolicyException) ValidValues(com.sun.identity.policy.ValidValues) AMOrganization(com.iplanet.am.sdk.AMOrganization) AMException(com.iplanet.am.sdk.AMException) AMSearchResults(com.iplanet.am.sdk.AMSearchResults) LdapException(org.forgerock.opendj.ldap.LdapException) ResultCode(org.forgerock.opendj.ldap.ResultCode)

Example 12 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method validateProperties.

/**
     * Checks the properties set using setProperties() method for
     * validity like, not null, presence of AUTHENTICATE_TO_REALM property,
     * and no other invalid property.
     */
private boolean validateProperties() throws PolicyException {
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set keySet = properties.keySet();
    //Check if the required key(s) are defined
    if (!keySet.contains(AUTHENTICATE_TO_REALM)) {
        String[] args = { AUTHENTICATE_TO_REALM };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }
    //Check if all the keys are valid 
    Iterator keys = keySet.iterator();
    while (keys.hasNext()) {
        String key = (String) keys.next();
        if (!AUTHENTICATE_TO_REALM.equals(key)) {
            String[] args = { key };
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }
    //validate AUTHENTICATE_TO_REALM
    Set authnToRealmSet = null;
    try {
        authnToRealmSet = (Set) properties.get(AUTHENTICATE_TO_REALM);
    } catch (ClassCastException e) {
        String[] args = { REQUEST_AUTHENTICATED_TO_REALMS };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
    }
    if (authnToRealmSet != null) {
        validateAuthnToRealms(authnToRealmSet);
    }
    return true;
}
Also used : CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) Set(java.util.Set) HashSet(java.util.HashSet) PolicyException(com.sun.identity.policy.PolicyException) Iterator(java.util.Iterator)

Example 13 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToRealmCondition method getConditionDecision.

/**
     * Returns the decision computed by this condition object, based on the 
     * map of environment parameters 
     *
     * @param token single sign on token of the user
     *
     * @param env request specific environment map of key/value pairs
     *        <code>AuthenticateToRealmCondition</code> looks for value of key
     *        <code>REQUEST_AUTHENTICATED_TO_REALMS</code> in the map.  
     *        The value should be a <code>Set</code> with <code>String</code> 
     *        elements. 
     *        If the <code>env</code> parameter is <code>null</code> or does not
     *        define the value for 
     *       <code>REQUEST_AUTHENTICATED_TO_REALMS</code>,  value for
     *        <code>REQUEST_AUTHENTICATED_TO_REALMS</code> is computed 
     *        from sso token.
     *
     * @return the condition decision. The condition decision encapsulates
     *         whether a policy applies for the request and advice messages
     *         generated by the condition.  
     *
     * Policy framework continues evaluating a  policy only if it applies 
     * to the request  as indicated by the <code>ConditionDecision</code>. 
     * Otherwise, further evaluation of the policy is skipped. 
     * However, the advice messages encapsulated in the 
     * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
     * in the policy  decision.
     *
     * @throws PolicyException if the condition has not been initialized with a
     *        successful call to <code>setProperties(Map)</code> and/or the
     *        value of <code>REQUEST_AUTHENTICATED_TO_REALMS</code> could not be
     *        determined.
     * @throws SSOException if the token is invalid
     *
     * @see #setProperties(Map)
     * @see #AUTHENTICATE_TO_REALM
     * @see #REQUEST_AUTHENTICATED_TO_REALMS
     * @see com.sun.identity.policy.ConditionDecision
     */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    // We don't care about case of the realm when doing the comparison so use a CaseInsensitiveHashSet
    Set requestAuthnRealms = new CaseInsensitiveHashSet();
    if ((env != null) && (env.get(REQUEST_AUTHENTICATED_TO_REALMS) != null)) {
        try {
            requestAuthnRealms.addAll((Set) env.get(REQUEST_AUTHENTICATED_TO_REALMS));
            if (debugMessageEnabled) {
                DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision(): " + "requestAuthnRealms, from request = " + requestAuthnRealms);
            }
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTHENTICATED_TO_REALMS };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
    } else {
        if (token != null) {
            Set authenticatedRealms = AMAuthUtils.getAuthenticatedRealms(token);
            if (authenticatedRealms != null) {
                requestAuthnRealms.addAll(authenticatedRealms);
            }
            if (debugMessageEnabled) {
                DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision(): " + "requestAuthnRealms, from ssoToken = " + requestAuthnRealms);
            }
        }
    }
    boolean allowed = true;
    Set adviceMessages = new HashSet(1);
    if (!requestAuthnRealms.contains(authenticateToRealm)) {
        allowed = false;
        adviceMessages.add(authenticateToRealm);
        if (debugMessageEnabled) {
            DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision():" + "authenticateToRealm not satisfied = " + authenticateToRealm);
        }
    }
    if (debugMessageEnabled) {
        DEBUG.message("At AuthenticateToRealmCondition." + "getConditionDecision():authenticateToRealm = " + authenticateToRealm + "," + "requestAuthnRealms = " + requestAuthnRealms + ", " + " allowed = " + allowed);
    }
    Map advices = new HashMap();
    if (!allowed) {
        advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE, adviceMessages);
    }
    return new ConditionDecision(allowed, advices);
}
Also used : CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) Set(java.util.Set) HashSet(java.util.HashSet) PolicyException(com.sun.identity.policy.PolicyException) HashMap(java.util.HashMap) HashMap(java.util.HashMap) Map(java.util.Map) ConditionDecision(com.sun.identity.policy.ConditionDecision) CaseInsensitiveHashSet(com.sun.identity.common.CaseInsensitiveHashSet) HashSet(java.util.HashSet)

Example 14 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthenticateToServiceCondition method validateProperties.

/**
     * Checks the properties set using setProperties() method for
     * validity like, not null, presence of AUTHENTICATE_TO_SERVICE property,
     * and no other invalid property.
     */
private boolean validateProperties() throws PolicyException {
    if ((properties == null) || (properties.keySet() == null)) {
        throw new PolicyException(ResBundleUtils.rbName, "properties_can_not_be_null_or_empty", null, null);
    }
    Set keySet = properties.keySet();
    //Check if the required key(s) are defined
    if (!keySet.contains(AUTHENTICATE_TO_SERVICE)) {
        String[] args = { AUTHENTICATE_TO_SERVICE };
        throw new PolicyException(ResBundleUtils.rbName, "property_value_not_defined", args, null);
    }
    //Check if all the keys are valid 
    Iterator keys = keySet.iterator();
    while (keys.hasNext()) {
        String key = (String) keys.next();
        if (!AUTHENTICATE_TO_SERVICE.equals(key)) {
            String[] args = { key };
            throw new PolicyException(ResBundleUtils.rbName, "attempt_to_set_invalid_property ", args, null);
        }
    }
    //validate AUTHENTICATE_TO_SERVICE
    Set authnToServiceSet = null;
    try {
        authnToServiceSet = (Set) properties.get(AUTHENTICATE_TO_SERVICE);
    } catch (ClassCastException e) {
        String[] args = { REQUEST_AUTHENTICATED_TO_SERVICES };
        throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
    }
    if (authnToServiceSet != null) {
        validateAuthnToServices(authnToServiceSet);
    }
    return true;
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) PolicyException(com.sun.identity.policy.PolicyException) Iterator(java.util.Iterator)

Example 15 with PolicyException

use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.

the class AuthSchemeCondition method getConditionDecision.

/**
     * Gets the decision computed by this condition object, based on the 
     * map of environment parameters 
     *
     * @param token single sign on token of the user
     *
     * @param env request specific environment map of key/value pairs
     *        <code>AuthSchemeCondition</code> looks for value of key
     *        <code>REQUEST_AUTH_SCHEHMES</code> in the map.  The value should
     *        be a String. If the <code>env</code> parameter is null or does not
     *       define the value for <code.REQUEST_AUTH_SCHEMES</code>, value for
     *        <code>REQUEST_AUTH_SCHEMES</code> is computed using
     *        <code>AuthMethod</code> obtained from single sign on token of
     *        the user.
     *
     * @return the condition decision. The condition decision encapsulates
     *         whether a policy applies for the request and advice messages
     *         generated by the condition.  
     * Policy framework continues evaluating a  policy only if it applies 
     * to the request  as indicated by the <code>ConditionDecision</code>. 
     * Otherwise, further evaluation of the policy is skipped. 
     * However, the advice messages encapsulated in the 
     * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
     * in the policy  decision.
     *
     * @throws PolicyException if the condition has not been initialized with a
     *         successful call to <code>setProperties(Map)</code> and/or the
     *         value of <code>REQUEST_AUTH_SCHEMES</code> could not be
     *         determined.
     * @throws SSOException if the token is invalid
     *
     * @see #setProperties(Map)
     * @see #AUTH_SCHEME
     * @see #REQUEST_AUTH_SCHEMES
     * @see com.sun.identity.policy.ConditionDecision
     */
public ConditionDecision getConditionDecision(SSOToken token, Map env) throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():entering:" + "authSchemes=" + authSchemes + ", appName=" + appName + ", appIdleTimeout=" + appIdleTimeout);
    }
    boolean allowed = false;
    Set requestAuthSchemes = null;
    Set requestAuthSchemesIgnoreRealm = null;
    if ((env != null) && (env.get(REQUEST_AUTH_SCHEMES) != null)) {
        try {
            requestAuthSchemes = (Set) env.get(REQUEST_AUTH_SCHEMES);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from env= " + requestAuthSchemes);
            }
        } catch (ClassCastException e) {
            String[] args = { REQUEST_AUTH_SCHEMES };
            throw new PolicyException(ResBundleUtils.rbName, "property_is_not_a_Set", args, e);
        }
    } else {
        if (token != null) {
            requestAuthSchemes = AMAuthUtils.getRealmQualifiedAuthenticatedSchemes(token);
            requestAuthSchemesIgnoreRealm = AMAuthUtils.getAuthenticatedSchemes(token);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemes from ssoToken= " + requestAuthSchemes);
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision(): " + "requestAuthSchemesIgnoreRealm from ssoToken= " + requestAuthSchemesIgnoreRealm);
            }
        }
    }
    if (requestAuthSchemes == null) {
        requestAuthSchemes = Collections.EMPTY_SET;
    }
    if (requestAuthSchemesIgnoreRealm == null) {
        requestAuthSchemesIgnoreRealm = Collections.EMPTY_SET;
    }
    Iterator authSchemesIter = authSchemes.iterator();
    String authScheme = null;
    allowed = true;
    Set adviceMessages = new HashSet(authSchemes.size());
    while (authSchemesIter.hasNext()) {
        authScheme = (String) authSchemesIter.next();
        if (!requestAuthSchemes.contains(authScheme)) {
            String realm = AMAuthUtils.getRealmFromRealmQualifiedData(authScheme);
            if ((realm != null) && (realm.length() != 0)) {
                allowed = false;
                adviceMessages.add(authScheme);
                if (DEBUG.messageEnabled()) {
                    DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "authScheme not satisfied = " + authScheme);
                }
                break;
            } else if ((realm == null) || (realm.length() == 0)) {
                if (!requestAuthSchemesIgnoreRealm.contains(authScheme)) {
                    allowed = false;
                    adviceMessages.add(authScheme);
                    if (DEBUG.messageEnabled()) {
                        DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "authScheme not satisfied = " + authScheme);
                    }
                    break;
                }
            }
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "authSchemes = " + authSchemes + "," + " requestAuthSchemes = " + requestAuthSchemes + ", " + " allowed before appIdleTimeout check = " + allowed);
    }
    Map advices = new HashMap();
    if (!allowed) {
        advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
    }
    long timeToLive = Long.MAX_VALUE;
    //following additions are to support application idle timeout
    long currentTimeMillis = System.currentTimeMillis();
    //a collector
    Set expiredAuthSchemes = new HashSet();
    if (appIdleTimeoutEnabled) {
        if (allowed) {
            //condition satisfied pending idletimeout check
            //do idletimeout check
            long idleTimesOutAtMillis = getApplicationIdleTimesoutAt(token, expiredAuthSchemes, currentTimeMillis);
            if (idleTimesOutAtMillis <= currentTimeMillis) {
                allowed = false;
            }
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "currentTimeMillis = " + currentTimeMillis + ", idleTimesOutAtMillis = " + idleTimesOutAtMillis + ", expiredAuthSchemes = " + expiredAuthSchemes + ", allowed after appIdleTimeout check = " + allowed);
            }
        }
        if (allowed) {
            //condition satisfied
            long appIdleTimesoutAt = currentTimeMillis + appIdleTimeout;
            token.setProperty(appIdleTimesoutAtSessionKey, Long.toString(appIdleTimesoutAt));
            timeToLive = appIdleTimesoutAt;
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthSchemeCondition." + "getConditionDecision():" + "app access allowed, revised appIdleTimesOutAt=" + appIdleTimesoutAt + ", currentTimeMillis=" + currentTimeMillis);
            }
        } else {
            //condiiton not satisifed
            adviceMessages.addAll(expiredAuthSchemes);
            advices.put(AUTH_SCHEME_CONDITION_ADVICE, adviceMessages);
            Set forceAuthAdvices = new HashSet();
            forceAuthAdvices.add(TRUE);
            advices.put(FORCE_AUTH_ADVICE, forceAuthAdvices);
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthSchemeCondition.getConditionDecision():" + "just before return:" + "allowed = " + allowed + ", timeToLive = " + timeToLive + ", advices = " + advices);
    }
    return new ConditionDecision(allowed, timeToLive, advices);
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) PolicyException(com.sun.identity.policy.PolicyException) HashMap(java.util.HashMap) Iterator(java.util.Iterator) HashMap(java.util.HashMap) Map(java.util.Map) ConditionDecision(com.sun.identity.policy.ConditionDecision) HashSet(java.util.HashSet)

Aggregations

PolicyException (com.sun.identity.policy.PolicyException)151 SSOException (com.iplanet.sso.SSOException)64 HashSet (java.util.HashSet)63 Set (java.util.Set)57 Iterator (java.util.Iterator)50 PolicyManager (com.sun.identity.policy.PolicyManager)35 NameNotFoundException (com.sun.identity.policy.NameNotFoundException)32 HashMap (java.util.HashMap)28 Map (java.util.Map)27 AMConsoleException (com.sun.identity.console.base.model.AMConsoleException)26 ByteString (org.forgerock.opendj.ldap.ByteString)16 EntitlementException (com.sun.identity.entitlement.EntitlementException)14 LdapException (org.forgerock.opendj.ldap.LdapException)13 ResultCode (org.forgerock.opendj.ldap.ResultCode)13 Connection (org.forgerock.opendj.ldap.Connection)12 SearchResultEntry (org.forgerock.opendj.ldap.responses.SearchResultEntry)12 InvalidNameException (com.sun.identity.policy.InvalidNameException)11 ValidValues (com.sun.identity.policy.ValidValues)11 IOException (java.io.IOException)11 ConnectionEntryReader (org.forgerock.opendj.ldif.ConnectionEntryReader)11