use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.
the class IDRepoResponseProvider method validateStaticAttribute.
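/**
 * Validates the {@code STATIC_ATTRIBUTE} data and caches the parsed static
 * attributes in {@code staticResponse}.
 *
 * Every element of {@code staticSet} must be of the form
 * {@code attr=val[VAL_DELIMITER val...]}: the part before the first
 * {@code ATTR_DELIMITER} is the (trimmed) attribute name, the rest is split
 * on {@code VAL_DELIMITER} into the value set. An element with no delimiter,
 * or with an empty attribute name in front of it (e.g. {@code "=value"}),
 * is rejected: the provider's properties are cleared and a
 * {@link PolicyException} is thrown.
 *
 * Only a non-empty {@code staticSet} replaces the cached map; an empty set
 * leaves {@code staticResponse} as it was.
 *
 * @param staticSet set of {@code attr=value} strings to validate and cache
 * @throws PolicyException if an element is not in {@code attr=value} format
 */
private void validateStaticAttribute(Set staticSet) throws PolicyException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("IDRepoResponseProvider.validateStaticAttribute():entering with staticSet=" + staticSet);
    }
    if (!staticSet.isEmpty()) {
        staticResponse = new HashMap<>();
        for (Object element : staticSet) {
            String attrValueString = (String) element;
            // Locate the delimiter once; it splits name from value(s).
            int index = attrValueString.indexOf(ATTR_DELIMITER);
            String attrName = (index == -1) ? "" : attrValueString.substring(0, index).trim();
            // A missing delimiter and an empty attribute name are both
            // violations of the documented attr=value format.
            if (index == -1 || attrName.isEmpty()) {
                clearProperties();
                DEBUG.error("IDRepoResponseProvider.validateStaticAttribute(): Invalid format in defining StaticAttribute, needs to be attr=value format");
                String[] args = { attrValueString };
                throw new PolicyException(ResBundleUtils.rbName, "invalid_format_static_property", args, null);
            }
            // Values are intentionally not trimmed; only the name is.
            String attrValue = attrValueString.substring(index + 1);
            Set values = PolicyUtils.delimStringToSet(attrValue, VAL_DELIMITER);
            PolicyUtils.appendElementToMap(attrName, values, staticResponse);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("IDRepoResponseProvider.validateStaticAttribute():attrName=" + attrName + ",values=" + values);
                DEBUG.message("IDRepoResponseProvider.validateStaticAttribute():caching staticResponse:" + staticResponse);
            }
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("IDRepoResponseProvider.validateStaticAttribute():returning");
    }
}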
use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.
the class AuthLevelCondition method getMaxRequestAuthLevel.
/**
 * Returns the highest authentication level carried by the
 * {@code REQUEST_AUTH_LEVEL} entry of the environment map.
 *
 * The entry may be an {@code Integer} (an unqualified level, only honoured
 * when this condition has no {@code authRealm}) or a {@code Set} of
 * realm-qualified level strings. Set elements are parsed with
 * {@code getAuthLevel}; when {@code authRealm} is set, only elements whose
 * realm (as read by {@code AMAuthUtils.getRealmFromRealmQualifiedData})
 * equals it take part in the maximum. A missing entry yields
 * {@code Integer.MIN_VALUE}.
 *
 * @param env environment map evaluated against this condition
 * @return the maximum applicable request auth level, or
 *         {@code Integer.MIN_VALUE} if none applies
 * @throws PolicyException if the entry is neither {@code Integer} nor
 *         {@code Set}, if a set element is not a {@code String}, or if
 *         {@code getAuthLevel} rejects an element
 * @see #REQUEST_AUTH_LEVEL
 */
private int getMaxRequestAuthLevel(Map env) throws PolicyException {
    int maxAuthLevel = Integer.MIN_VALUE;
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel(envMap,realm): entering: envMap= " + env + ", authRealm= " + authRealm + ", conditionAuthLevel= " + authLevel);
    }
    Object requested = env.get(REQUEST_AUTH_LEVEL);
    boolean realmUnset = (authRealm == null) || authRealm.isEmpty();
    if (requested instanceof Integer) {
        // An unqualified level only counts when the condition is not realm-bound.
        if (realmUnset) {
            maxAuthLevel = ((Integer) requested).intValue();
            if (DEBUG.messageEnabled()) {
                DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel():Integer level in env= " + maxAuthLevel);
            }
        }
    } else if (requested instanceof Set) {
        for (Object element : (Set) requested) {
            if (!(element instanceof String)) {
                if (DEBUG.warningEnabled()) {
                    DEBUG.warning("AuthLevelCondition.getMaxRequestAuthLevel():requestAuthLevel Set element not String");
                }
                throw new PolicyException(ResBundleUtils.rbName, "request_authlevel_in_env_set_element_not_string", null, null);
            }
            String qualifiedLevel = (String) element;
            // Parse first: getAuthLevel may reject the element regardless of realm.
            int currentAuthLevel = getAuthLevel(qualifiedLevel);
            boolean applies = realmUnset
                    || authRealm.equals(AMAuthUtils.getRealmFromRealmQualifiedData(qualifiedLevel));
            if (applies && currentAuthLevel > maxAuthLevel) {
                maxAuthLevel = currentAuthLevel;
            }
        }
    } else if (requested != null) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("AuthLevelCondition.getMaxRequestAuthLevel():requestAuthLevel in env neither Integer nor Set");
        }
        throw new PolicyException(ResBundleUtils.rbName, "request_authlevel_in_env_not_Integer_or_set", null, null);
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel(): returning: maxAuthLevel=" + maxAuthLevel);
    }
    return maxAuthLevel;
}
use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.
the class LDAPUsers method handleResultException.
/**
 * Translates an {@link LdapException} raised while talking to the directory
 * into the {@link PolicyException} to surface to the caller.
 *
 * {@code INVALID_CREDENTIALS} and {@code NO_SUCH_OBJECT} map to localised
 * messages (the latter carrying {@code baseDN} as its argument); any other
 * result code is reported with the server's diagnostic message, followed by
 * the exception's own message when it has one.
 *
 * @param e the directory error to translate
 * @return the corresponding policy exception; it is returned, not thrown
 */
private PolicyException handleResultException(LdapException e) {
    ResultCode code = e.getResult().getResultCode();
    if (code.equals(ResultCode.INVALID_CREDENTIALS)) {
        return new PolicyException(ResBundleUtils.rbName, "ldap_invalid_password", null, null);
    }
    if (code.equals(ResultCode.NO_SUCH_OBJECT)) {
        String[] objs = { baseDN };
        return new PolicyException(ResBundleUtils.rbName, "no_such_ldap_users_base_dn", objs, null);
    }
    // NOTE(review): the diagnostic message is server-supplied text that ends
    // up verbatim in the exception message; bear that in mind if this message
    // is ever rendered to end users.
    String message = e.getResult().getDiagnosticMessage();
    String detail = e.getMessage();
    if (detail != null) {
        message = message + ": " + detail;
    }
    return new PolicyException(message);
}
use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.
the class LDAPUsers method getUserDN.
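/**
 * Gets the DN of the user identified by {@code token}.
 *
 * When the directory server is local ({@code localDS}) and the token's
 * principal name is not a UUID, the principal name itself is taken to be
 * the user DN and no search is performed. Otherwise the user name is read
 * from the first RDN value of the principal name, a filter is built from
 * {@code userSearchFilter} (when set) and
 * {@code PolicyUtils.constructUserFilter}, the directory is searched, and
 * the DN of the first matching entry is returned.
 *
 * @param token single sign-on token of the user
 * @return the user's DN, or {@code null} if the search matched no entry
 * @throws SSOException if the token is invalid
 * @throws PolicyException if the principal name has no usable RDN, if the
 *         search exceeds the size or time limit, or on any other directory
 *         error
 */
private DN getUserDN(SSOToken token) throws SSOException, PolicyException {
    String userLocalDN = token.getPrincipal().getName();
    if (localDS && !PolicyUtils.principalNameEqualsUuid(token)) {
        return DN.valueOf(userLocalDN);
    }
    // Extract the first RDN value, e.g. "uid=alice,ou=people,..." -> "alice".
    int beginIndex = userLocalDN.indexOf("=");
    int endIndex = userLocalDN.indexOf(",");
    if ((beginIndex <= 0) || (endIndex <= 0) || (beginIndex >= endIndex)) {
        throw new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_invalid_local_user_dn", null, null);
    }
    String userName = userLocalDN.substring(beginIndex + 1, endIndex);
    // NOTE(review): userName comes from the token's principal name and is
    // spliced into an LDAP filter; this relies on constructUserFilter escaping
    // filter metacharacters — confirm.
    String userFilter = PolicyUtils.constructUserFilter(token, userRDNAttrName, userName, aliasEnabled);
    String searchFilter;
    if ((userSearchFilter != null) && !userSearchFilter.isEmpty()) {
        searchFilter = "(&" + userSearchFilter + userFilter + ")";
    } else {
        searchFilter = userFilter;
    }
    if (debug.messageEnabled()) {
        debug.message("LDAPUsers.getUserDN(): search filter is: " + searchFilter);
    }
    String[] attrs = { userRDNAttrName };
    Set<String> qualifiedUserDNs = new HashSet<>();
    // Search the remote directory for the user DN.
    try (Connection ld = connPool.getConnection()) {
        ConnectionEntryReader res = search(searchFilter, ld, attrs);
        while (res.hasNext()) {
            try {
                SearchResultEntry entry = res.readEntry();
                qualifiedUserDNs.add(entry.getName().toString());
            } catch (SearchResultReferenceIOException e) {
                // Referrals are not followed; skip them.
            } catch (LdapException e) {
                String[] objs = { orgName };
                ResultCode resultCode = e.getResult().getResultCode();
                if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getUserDN(): exceeded the size limit");
                    throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_size_limit", objs, null);
                } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getUserDN(): exceeded the time limit");
                    throw new PolicyException(ResBundleUtils.rbName, "ldap_search_exceed_time_limit", objs, null);
                } else {
                    throw new PolicyException(e);
                }
            }
        }
    } catch (PolicyException e) {
        // Already translated above; without this clause the catch (Exception)
        // below would wrap it a second time and lose the localised message key.
        throw e;
    } catch (LdapException e) {
        throw handleResultException(e);
    } catch (Exception e) {
        throw new PolicyException(e);
    }
    if (qualifiedUserDNs.isEmpty()) {
        return null;
    }
    debug.message("LDAPUsers.getUserDN(): qualified users={}", qualifiedUserDNs);
    // NOTE(review): when more than one entry matched, which DN is returned
    // depends on HashSet iteration order — the match is ambiguous. Consider
    // treating multiple matches as an error rather than picking one.
    return DN.valueOf(qualifiedUserDNs.iterator().next());
}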
use of com.sun.identity.policy.PolicyException in project OpenAM by OpenRock.
the class LDAPUsers method getValidEntries.
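/**
 * Returns a set of possible values that satisfy the <code>pattern</code>.
 * The returned <code>ValidValues</code> object contains a set holding one
 * map of user DN to a map of the user's attribute name to a string array of
 * attribute values.
 *
 * If the directory reports a size or time limit, the entries read so far are
 * returned with the status set to {@code ValidValues.SIZE_LIMIT_EXCEEDED} or
 * {@code ValidValues.TIME_LIMIT_EXCEEDED} respectively; any other directory
 * error is raised as a {@link PolicyException}.
 *
 * @param token Single Sign On token for fetching the possible values.
 * @param pattern Search pattern of which possible values are matched to.
 * @param attributeNames Array of attribute names to be returned.
 * @return a set of possible values that satisfy the <code>pattern</code>.
 * @throws SSOException if <code>SSOToken</code> is invalid.
 * @throws PolicyException if the subject is not yet initialized or there
 *         are problems getting these values.
 */
public ValidValues getValidEntries(SSOToken token, String pattern, String[] attributeNames) throws SSOException, PolicyException {
    if (!initialized) {
        throw new PolicyException(ResBundleUtils.rbName, "ldapusers_subject_not_yet_initialized", null, null);
    }
    // NOTE(review): pattern is caller-supplied and becomes part of an LDAP
    // filter via getSearchFilter; this relies on that helper escaping filter
    // metacharacters — confirm.
    String searchFilter = getSearchFilter(pattern);
    Map<String, Map<String, String[]>> userAttributes = new HashMap<>();
    int status = ValidValues.SUCCESS;
    try (Connection ld = connPool.getConnection()) {
        ConnectionEntryReader res = search(searchFilter, ld, attributeNames);
        while (res.hasNext()) {
            try {
                SearchResultEntry entry = res.readEntry();
                if (entry != null) {
                    userAttributes.put(entry.getName().toString(), getUserAttributeValues(entry, attributeNames));
                }
            } catch (SearchResultReferenceIOException lre) {
                // Referrals are not followed; skip them.
            } catch (LdapException e) {
                ResultCode resultCode = e.getResult().getResultCode();
                if (resultCode.equals(ResultCode.SIZE_LIMIT_EXCEEDED)) {
                    // Partial result: keep what was read and report the limit.
                    debug.warning("LDAPUsers.getValidEntries(): exceeded the size limit");
                    status = ValidValues.SIZE_LIMIT_EXCEEDED;
                } else if (resultCode.equals(ResultCode.TIME_LIMIT_EXCEEDED)) {
                    debug.warning("LDAPUsers.getValidEntries(): exceeded the time limit");
                    status = ValidValues.TIME_LIMIT_EXCEEDED;
                } else {
                    throw new PolicyException(e);
                }
            }
        }
    } catch (PolicyException e) {
        // Already a PolicyException; without this clause the catch (Exception)
        // below would wrap it a second time.
        throw e;
    } catch (LdapException e) {
        throw handleResultException(e);
    } catch (Exception e) {
        throw new PolicyException(e);
    }
    Set<Map<String, Map<String, String[]>>> results = new HashSet<>();
    results.add(userAttributes);
    return new ValidValues(status, results);
}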