
Example 1 with ResourceResults

Use of com.sun.identity.policy.ResourceResults in the OpenAM project by OpenRock.

From the class PolicyRequestHandler, method processPolicyRequest.

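/**
 * Processes a single policy request and builds the matching policy response.
 *
 * <p>The application SSO token carried by the request is validated first and the
 * application identity's attributes are resolved from it. The request is then
 * dispatched on {@code req.getMethodID()}: add policy listener, remove policy
 * listener, advices handleable by AM, or resource-result evaluation. Every branch
 * records its outcome on {@code auditor} (success, or failure with the message
 * returned to the client).
 *
 * @param req     the policy request to process
 * @param auditor audit sink for this request; the method name, application SSO
 *                token and realm are recorded on it before the access attempt
 *                is audited
 * @return the policy response for {@code req}, carrying the request id
 * @throws PolicyEvaluationException if the application or user SSO token is
 *         invalid, the environment parameters cannot be converted, policy
 *         evaluation fails, or the request method id is not recognised
 */
private PolicyResponse processPolicyRequest(PolicyRequest req, PLLAuditor auditor) throws PolicyEvaluationException {
    if (debug.messageEnabled()) {
        debug.message("PolicyRequestHandler.processPolicyRequest(): " + " req received:\n" + req.toXMLString());
    }
    PolicyResponse policyRes = new PolicyResponse();
    String requestId = req.getRequestId();
    policyRes.setRequestId(requestId);

    // Validate the application SSO token and resolve the application identity's attributes.
    String appSSOTokenIDStr = req.getAppSSOToken();
    SSOToken appToken;
    Map<String, Set<String>> appAttributes;
    try {
        appToken = getSSOToken(appSSOTokenIDStr, null);
        appAttributes = IdUtils.getIdentity(appToken).getAttributes();
    } catch (IdRepoException | SSOException | PolicyException pe) {
        // The token id is a bearer session credential; log the failure and its
        // cause, never the token value itself.
        if (debug.warningEnabled()) {
            debug.warning("PolicyRequestHandler: Invalid app sso token", pe);
        }
        throw new PolicyEvaluationException(PolicyResponse.APP_SSO_TOKEN_INVALID, requestId);
    }

    // Publish the app token to the ThreadLocal consulted by downstream evaluation.
    // NOTE(review): nothing in this method clears it; confirm the caller resets it
    // per request so a pooled thread cannot carry it into the next request.
    AppTokenHandler.set(appToken);
    auditor.setMethod(req.getMethodName());
    auditor.setSsoToken(appToken);
    auditor.setRealm(getFirstItem(appAttributes.get(EVALUATION_REALM), NO_REALM));
    auditor.auditAccessAttempt();

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_ADD_POLICY_LISTENER) {
        PolicyListenerRequest plReq = req.getPolicyListenerRequest();
        boolean addListener = addPolicyListener(appToken, plReq, appAttributes);
        if (addListener) {
            policyRes.setMethodID(PolicyResponse.POLICY_ADD_LISTENER_RESPONSE);
            auditor.auditAccessSuccess();
        } else {
            // The localized failure message is both returned to the client and audited.
            String[] objs = { plReq.getNotificationURL() };
            String message = ResBundleUtils.getString("failed.add.policy.listener", objs);
            policyRes.setExceptionMsg(message);
            policyRes.setMethodID(PolicyResponse.POLICY_EXCEPTION);
            auditor.auditAccessFailure(message);
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_REMOVE_POLICY_LISTENER) {
        RemoveListenerRequest rmReq = req.getRemoveListenerRequest();
        boolean removeListener = removePolicyListener(appToken, rmReq, appAttributes);
        if (removeListener) {
            policyRes.setMethodID(PolicyResponse.POLICY_REMOVE_LISTENER_RESPONSE);
            auditor.auditAccessSuccess();
        } else {
            String[] objs = { rmReq.getNotificationURL() };
            String message = ResBundleUtils.getString("failed.remove.policy.listener", objs);
            policyRes.setExceptionMsg(message);
            policyRes.setMethodID(PolicyResponse.POLICY_EXCEPTION);
            auditor.auditAccessFailure(message);
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_ADVICES_HANDLEABLE_BY_AM_REQUEST) {
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler: request to get  " + " advicesHandleableByAM");
        }
        try {
            Set advices = PolicyConfig.getAdvicesHandleableByAM();
            policyRes.setAdvicesHandleableByAMResponse(new AdvicesHandleableByAMResponse(advices));
            policyRes.setMethodID(PolicyResponse.POLICY_ADVICES_HANDLEABLE_BY_AM_RESPONSE);
            auditor.auditAccessSuccess();
        } catch (PolicyException pe) {
            if (debug.warningEnabled()) {
                debug.warning("PolicyRequestHandler: could not get " + " advicesHandleableByAM", pe);
            }
            throw new PolicyEvaluationException(ResBundleUtils.rbName, "could_not_get_advices_handleable_by_am", null, pe, requestId);
        }
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler: returning  " + " advicesHandleableByAM policy response");
        }
        return policyRes;
    }

    if (req.getMethodID() == PolicyRequest.POLICY_REQUEST_GET_RESOURCE_RESULTS) {
        ResourceResultRequest resourceResultReq = req.getResourceResultRequest();

        // The user's SSO token is optional: absent, empty or the literal null string
        // means an unauthenticated evaluation. Otherwise it is validated against the
        // application token.
        String userSSOTokenIDStr = resourceResultReq.getUserSSOToken();
        SSOToken userToken = null;
        if ((userSSOTokenIDStr != null) && !userSSOTokenIDStr.equals(PolicyUtils.EMPTY_STRING) && !userSSOTokenIDStr.equals(PolicyUtils.NULL_STRING)) {
            try {
                userToken = getSSOToken(userSSOTokenIDStr, appToken);
            } catch (PolicyException pe) {
                // Same reasoning as for the app token: do not log the session id.
                if (debug.warningEnabled()) {
                    debug.warning("PolicyRequestHandler: Invalid user sso token", pe);
                }
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "user_sso_token_invalid", null, pe, requestId);
            }
        }

        // Response attributes are only resolved when a user token is present.
        Set respAttrs = resourceResultReq.getResponseAttributes();
        if (debug.messageEnabled()) {
            debug.message("PolicyRequestHandler.processPolicyRequest(): " + "respAttrs=\n" + respAttrs);
        }
        Map respDecisions = null;
        if ((respAttrs != null) && (userToken != null)) {
            respDecisions = getResponseDecisions(userToken, respAttrs);
        }

        String serviceName = resourceResultReq.getServiceName();
        String resourceName = resourceResultReq.getResourceName();
        String resourceScope = resourceResultReq.getResourceScope();

        ResourceResults resourceRst;
        if ((resourceScope != null) && resourceScope.equals(ResourceResultRequest.RESPONSE_ATTRIBUTES_ONLY)) {
            // Attributes-only scope: no policy evaluation, return an empty decision for
            // the resource so the response decisions can be attached below.
            ResourceResult resResult = new ResourceResult(resourceName, new PolicyDecision());
            Set results = new HashSet();
            results.add(resResult);
            resourceRst = new ResourceResults(results);
        } else {
            // Environment parameters come from the client and are normalised in place
            // before evaluation; rejected values fail the whole request.
            Map envParameters = resourceResultReq.getEnvParms();
            try {
                convertEnvParams(envParameters);
            } catch (PolicyException pe) {
                debug.error("PolicyRequestHandler: Invalid env parameters", pe);
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "invalid_env_parameters", null, pe, requestId);
            }
            try {
                PolicyEvaluator policyEvaluator = getPolicyEvaluator(appToken, serviceName, appAttributes);
                resourceRst = new ResourceResults(policyEvaluator.getResourceResults(userToken, resourceName, resourceScope, envParameters));
                if (debug.messageEnabled()) {
                    debug.message("PolicyRequestHandler.processPolicyRequest():" + " resource result:\n" + resourceRst.toXML());
                }
            } catch (Exception se) {
                // Boundary catch: any evaluator failure is reported as a single
                // evaluation error with the original cause preserved.
                debug.error("PolicyRequestHandler: Evaluation error", se);
                throw new PolicyEvaluationException(ResBundleUtils.rbName, "evaluation_error", null, se, requestId);
            }
        }

        resourceRst.setResponseDecisions(respDecisions);
        Set resourceResults = new HashSet();
        resourceResults.addAll(resourceRst.getResourceResults());
        policyRes.setResourceResults(resourceResults);
        policyRes.setMethodID(PolicyResponse.POLICY_RESPONSE_RESOURCE_RESULT);
        auditor.auditAccessSuccess();
        return policyRes;
    }

    // Unknown method id: report it with the request id so the client can correlate
    // the failure, as the other error paths do.
    debug.error("PolicyRequestHandler: Invalid policy request format");
    throw new PolicyEvaluationException(ResBundleUtils.rbName, "invalid_policy_request_format", null, null, requestId);
}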
