
Example 1 with Attribute

use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.

Class FMResourceMapper, method mapToNativeResource.

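/**
 * Maps an XACML context {@code Resource} to the native OpenAM resource name
 * and policy service name.
 * <p>
 * Only attributes whose {@code AttributeId} is
 * {@code XACMLConstants.RESOURCE_ID} or {@code XACMLConstants.TARGET_SERVICE}
 * and whose {@code DataType} is {@code XACMLConstants.XS_STRING} are
 * considered; the first {@code AttributeValue} of each is used, and if several
 * matching attributes are present the last one wins. The resource normally
 * comes from a remote PEP, so an attribute with a missing id, data type or
 * value is skipped instead of being allowed to surface as an unchecked
 * {@code NullPointerException}/{@code IndexOutOfBoundsException}.
 *
 * @param xacmlContextResource XACML context Resource; may be {@code null}
 * @return native resource and service name as a two-element array:
 *         element 0 is the resource name, element 1 the service name;
 *         either is {@code null} when the corresponding attribute was
 *         not found
 * @exception XACMLException if can not map to native resource
 *                            and service name
 */
public String[] mapToNativeResource(Resource xacmlContextResource) throws XACMLException {
    String resourceName = null;
    String serviceName = null;
    List attributes = (xacmlContextResource == null) ? null : xacmlContextResource.getAttributes();
    if (attributes != null) {
        for (int count = 0; count < attributes.size(); count++) {
            Attribute attr = (Attribute) attributes.get(count);
            if (attr == null || attr.getAttributeId() == null) {
                continue;
            }
            String attributeId = attr.getAttributeId().toString();
            boolean isResourceId = attributeId.equals(XACMLConstants.RESOURCE_ID);
            boolean isTargetService = attributeId.equals(XACMLConstants.TARGET_SERVICE);
            if (!isResourceId && !isTargetService) {
                continue;
            }
            URI dataType = attr.getDataType();
            if (dataType == null || !dataType.toString().equals(XACMLConstants.XS_STRING)) {
                // Only xs:string values are mapped; other data types are ignored.
                continue;
            }
            List values = attr.getAttributeValues();
            if (values == null || values.isEmpty()) {
                // No AttributeValue present: treat the attribute as absent.
                continue;
            }
            String value = XMLUtils.getElementValue((Element) values.get(0));
            if (isResourceId) {
                resourceName = value;
            } else {
                serviceName = value;
            }
        }
    }
    return new String[] { resourceName, serviceName };
}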

Example 2 with Attribute

use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.

Class FMSubjectMapper, method mapToNativeSubject.

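/**
 * Returns the native subject, an OpenAM {@code SSOToken}, for the XACML
 * context Subject(s) of an xacml-context:Request.
 * <p>
 * Only subjects whose {@code SubjectCategory} is
 * {@code XACMLConstants.ACCESS_SUBJECT} (or is unset, which is treated as
 * the access subject) are inspected, and within them only attributes whose
 * id is {@code XACMLConstants.SUBJECT_ID}. Three data types are understood:
 * <ul>
 * <li>{@code XACMLConstants.OPENSSO_SESSION_ID}: an existing OpenAM
 *     session id, resolved through {@code SSOTokenManager.createSSOToken};</li>
 * <li>{@code XACMLConstants.X500NAME}: a user name, for which a session is
 *     created with {@code createFMSession};</li>
 * <li>{@code XACMLConstants.SAML2_NAMEID}: a transient SAML2 NameID, looked
 *     up in {@code IDPCache.userIDByTransientNameIDValue} to obtain the user
 *     name (non-transient formats are not yet supported).</li>
 * </ul>
 * When several matching attributes are present the last one wins. A
 * malformed attribute (missing id, data type or value) is skipped instead of
 * raising an unchecked exception, since the request comes from a remote PEP.
 * <p>
 * Security note: the user-name path yields a session for whatever identity
 * the PEP asserts, and it is also taken when a supplied session id is
 * rejected by the session service. This mapper performs no authentication of
 * the requester itself; the caller must have verified the PEP (e.g. the
 * SAML/SOAP message signature) before invoking it.
 *
 * @param xacmlContextSubjects XACML context Subject(s) from the
 *        xacml-context:Request
 * @return native subject, OpenAM SSOToken, returns null if
 *         Subject did not match or no session could be obtained
 * @exception XACMLException if can not map to native subject
 */
public Object mapToNativeSubject(List xacmlContextSubjects) throws XACMLException {
    if (xacmlContextSubjects == null) {
        return null;
    }
    String sid = null;
    String userName = null;
    for (Iterator iter = xacmlContextSubjects.iterator(); iter.hasNext(); ) {
        Subject subject = (Subject) iter.next();
        if (subject == null) {
            continue;
        }
        URI subjectCategory = subject.getSubjectCategory();
        // An absent category is treated as the access subject; any other
        // category is not the entity being authorised and is ignored.
        if ((subjectCategory != null)
                && !subjectCategory.toString().equals(XACMLConstants.ACCESS_SUBJECT)) {
            continue;
        }
        List attributes = subject.getAttributes();
        if (attributes == null) {
            continue;
        }
        for (int count = 0; count < attributes.size(); count++) {
            Attribute attr = (Attribute) attributes.get(count);
            if (attr == null || attr.getAttributeId() == null
                    || !attr.getAttributeId().toString().equals(XACMLConstants.SUBJECT_ID)) {
                continue;
            }
            URI dataType = attr.getDataType();
            List values = attr.getAttributeValues();
            if (dataType == null || values == null || values.isEmpty()) {
                // Malformed subject-id attribute: skip rather than NPE/IOOBE.
                continue;
            }
            String dataTypeValue = dataType.toString();
            boolean isSessionId = dataTypeValue.equals(XACMLConstants.OPENSSO_SESSION_ID);
            boolean isX500Name = dataTypeValue.equals(XACMLConstants.X500NAME);
            boolean isSaml2NameId = dataTypeValue.equals(XACMLConstants.SAML2_NAMEID);
            if (!isSessionId && !isX500Name && !isSaml2NameId) {
                continue;
            }
            String value = XMLUtils.getElementValue((Element) values.get(0));
            if (isSessionId) {
                sid = value;
            } else if (isX500Name) {
                userName = value;
            } else {
                // A transient NameID maps to a user id only while the IDP cache
                // remembers it; an unknown NameID resets userName to null.
                if (value != null) {
                    userName = (String) IDPCache.userIDByTransientNameIDValue.get(value);
                }
                // TODO: need to support non-transient NameID formats
            }
        }
    }
    SSOToken ssoToken = null;
    if (sid != null) {
        // Resolve the asserted session id against the session service.
        // The id itself is deliberately not written to the debug log.
        try {
            SSOTokenManager tokenManager = SSOTokenManager.getInstance();
            ssoToken = tokenManager.createSSOToken(sid);
        } catch (SSOException ssoExp) {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SSOException:", ssoExp);
            }
        }
    }
    // No usable session: fall back to creating one for the asserted user name.
    // NOTE(review): this fallback also runs when the supplied session id was
    // rejected above, so the PEP's identity must already be trusted here.
    if ((ssoToken == null) && (userName != null)) {
        try {
            ssoToken = createFMSession(userName);
        } catch (SessionException se) {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("FMSubjectMapper.mapToNativeSubject()" + ":caught SessionException:", se);
            }
        }
    }
    return ssoToken;
}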

Example 3 with Attribute

use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.

Class XACMLAuthzDecisionQueryHandler, method handleQuery.

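/**
 * Processes an XACMLAuthzDecisionQuery and returns a SAML2 Response carrying
 * an XACMLAuthzDecisionStatement.
 * <p>
 * Flow: the request's access subject is mapped to an {@code SSOToken}, the
 * first Resource to a native resource and service name, and the Action to a
 * native action name, using the FM mapper implementations. The native
 * {@code PolicyEvaluator} is then asked {@code isAllowed}; {@code true}
 * becomes PERMIT and {@code false} DENY, both with status code OK. A missing
 * subject, resource or action, a mapper {@code XACMLException} or an
 * evaluator exception yields INDETERMINATE with status code MISSING_ATTRIBUTE
 * or PROCESSING_ERROR, so the PDP fails closed rather than open.
 * <p>
 * Known limitations, preserved here: only the first Resource of the request
 * is evaluated and a single Result is returned, so a PEP must not assume the
 * decision covers further resources; the Environment is not mapped and the
 * evaluator always receives {@code null}; status messages are not i18n'd.
 * <p>
 * Security note: when message-level debugging is enabled the complete SAML
 * request, SOAP message and SAML response are written to the debug log. The
 * request's subject attributes may carry an OpenAM session id (see
 * {@code FMSubjectMapper}), so that level should only be enabled where the
 * debug log is protected like the session store. This method does not
 * authenticate the requester; the SOAP/SAML layer invoking it is expected to
 * have verified the PEP already.
 *
 * @param pdpEntityId EntityID of PDP
 * @param pepEntityId EntityID of PEP
 * @param samlpRequest SAML2 Request, an XACMLAuthzDecisionQuery
 * @param soapMessage SOAPMessage that carried the SAML2 Request
 * @return SAML2 Response with an XACMLAuthzDecisionStatement
 * @exception SAML2Exception if the query can not be handled: the request is
 *            not an XACMLAuthzDecisionQuery, carries no xacml-context:Request,
 *            or names no target service
 */
public com.sun.identity.saml2.protocol.Response handleQuery(String pdpEntityId, String pepEntityId, RequestAbstract samlpRequest, SOAPMessage soapMessage) throws SAML2Exception {
    //TODO: logging, i18n
    //TODO: long term, allow different mapper impls for different
    //combination of pdp, pep
    if (!(samlpRequest instanceof XACMLAuthzDecisionQuery)) {
        // Report the documented exception type instead of a ClassCastException.
        throw new SAML2Exception("samlpRequest is not an XACMLAuthzDecisionQuery");
    }
    XACMLAuthzDecisionQuery authzQuery = (XACMLAuthzDecisionQuery) samlpRequest;
    SubjectMapper subjectMapper = new FMSubjectMapper();
    subjectMapper.initialize(pdpEntityId, pepEntityId, null);
    ResourceMapper resourceMapper = new FMResourceMapper();
    resourceMapper.initialize(pdpEntityId, pepEntityId, null);
    ActionMapper actionMapper = new FMActionMapper();
    actionMapper.initialize(pdpEntityId, pepEntityId, null);
    EnvironmentMapper environmentMapper = new FMEnvironmentMapper();
    environmentMapper.initialize(pdpEntityId, pepEntityId, null);
    ResultMapper resultMapper = new FMResultMapper();
    resultMapper.initialize(pdpEntityId, pepEntityId, null);
    boolean evaluationFailed = false;
    String statusCodeValue = null;
    if (XACMLSDKUtils.debug.messageEnabled()) {
        // Full request dump; may include a PEP-supplied session id (see class-level note).
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), entering" + ":pdpEntityId=" + pdpEntityId + ":pepEntityId=" + pepEntityId + ":samlpRequest=\n" + samlpRequest.toXMLString(true, true) + ":soapMessage=\n" + soapMessage);
    }
    Request xacmlRequest = authzQuery.getRequest();
    if (xacmlRequest == null) {
        throw new SAML2Exception("XACMLAuthzDecisionQuery carries no xacml-context:Request");
    }
    boolean returnContext = authzQuery.getReturnContext();
    SSOToken ssoToken = null;
    String resourceName = null;
    String serviceName = null;
    String actionName = null;
    // Environment mapping is not implemented; the evaluator gets null.
    Map environment = null;
    boolean booleanDecision = false;
    try {
        //get native sso token
        ssoToken = (SSOToken) subjectMapper.mapToNativeSubject(xacmlRequest.getSubjects());
        if (ssoToken == null) {
            //TODO: log message and fill missing attribute details
            statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
            evaluationFailed = true;
        } else {
            if (XACMLSDKUtils.debug.messageEnabled()) {
                XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery()," + "created ssoToken");
            }
            //get native service name, resource name
            Resource resource = firstResource(xacmlRequest);
            if (resource != null) {
                String[] resourceService = resourceMapper.mapToNativeResource(resource);
                if (resourceService != null) {
                    if (resourceService.length > 0) {
                        resourceName = resourceService[0];
                    }
                    if (resourceService.length > 1) {
                        serviceName = resourceService[1];
                    }
                }
            }
            if (resourceName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
            if (serviceName == null) {
                // Without a service name there is no policy set to consult at all.
                //TODO: log message and fill missing attribute details
                throw new SAML2Exception(XACMLSDKUtils.xacmlResourceBundle.getString("missing_attribute"));
            }
            //get native action name
            actionName = actionMapper.mapToNativeAction(xacmlRequest.getAction(), serviceName);
            if (actionName == null) {
                //TODO: log message and fill missing attribute details
                statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
                evaluationFailed = true;
            }
        }
        //get environment map
        /*
            environment = environmentMapper.mapToNativeEnvironment(
                    xacmlRequest.getEnvironment(),
                    xacmlRequest.getSubjects());
        */
    } catch (XACMLException xe) {
        statusCodeValue = XACMLConstants.STATUS_CODE_MISSING_ATTRIBUTE;
        evaluationFailed = true;
        if (XACMLSDKUtils.debug.warningEnabled()) {
            XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", xe);
        }
    }
    //get native policy decision using native policy evaluator
    if (!evaluationFailed) {
        try {
            PolicyEvaluator pe = new PolicyEvaluator(serviceName);
            booleanDecision = pe.isAllowed(ssoToken, resourceName, actionName, environment);
        } catch (SSOException ssoe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", ssoe);
            }
            evaluationFailed = true;
        } catch (PolicyException pe) {
            if (XACMLSDKUtils.debug.warningEnabled()) {
                XACMLSDKUtils.debug.warning("XACMLAuthzDecisionQueryHandler.handleQuery()," + "caught exception", pe);
            }
            evaluationFailed = true;
        }
    }
    //decision: Indeterminate, Deny, Permit, NotApplicable
    //status code: missing_attribute, syntax_error, processing_error, ok
    Decision decision = ContextFactory.getInstance().createDecision();
    Status status = ContextFactory.getInstance().createStatus();
    StatusCode code = ContextFactory.getInstance().createStatusCode();
    StatusMessage message = ContextFactory.getInstance().createStatusMessage();
    StatusDetail detail = ContextFactory.getInstance().createStatusDetail();
    // Preserved as-is: inserts a copy of the detail element into itself. Its
    // purpose is not documented in this file.
    detail.getElement().insertBefore(detail.getElement().cloneNode(true), null);
    if (evaluationFailed) {
        // Fail closed: any failure is reported as INDETERMINATE, never PERMIT.
        decision.setValue(XACMLConstants.INDETERMINATE);
        if (statusCodeValue == null) {
            statusCodeValue = XACMLConstants.STATUS_CODE_PROCESSING_ERROR;
        }
        code.setValue(statusCodeValue);
        //TODO: i18n
        message.setValue("processing_error");
    } else if (booleanDecision) {
        decision.setValue(XACMLConstants.PERMIT);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    } else {
        decision.setValue(XACMLConstants.DENY);
        code.setValue(XACMLConstants.STATUS_CODE_OK);
        //TODO: i18n
        message.setValue("ok");
    }
    Result result = ContextFactory.getInstance().createResult();
    // The Result echoes the request's resource-id verbatim, whatever its data
    // type; the mapped native resource name is the fallback when absent.
    String resourceId = resourceName;
    Resource resource = firstResource(xacmlRequest);
    if (resource != null) {
        List attributes = resource.getAttributes();
        if (attributes != null) {
            for (int count = 0; count < attributes.size(); count++) {
                Attribute attr = (Attribute) attributes.get(count);
                if (attr == null || attr.getAttributeId() == null
                        || !attr.getAttributeId().toString().equals(XACMLConstants.RESOURCE_ID)) {
                    continue;
                }
                List values = attr.getAttributeValues();
                if (values != null && !values.isEmpty()) {
                    resourceId = XMLUtils.getElementValue((Element) values.get(0));
                }
                break;
            }
        }
    }
    result.setResourceId(resourceId);
    result.setDecision(decision);
    status.setStatusCode(code);
    status.setStatusMessage(message);
    status.setStatusDetail(detail);
    result.setStatus(status);
    Response response = ContextFactory.getInstance().createResponse();
    response.addResult(result);
    XACMLAuthzDecisionStatement statement = ContextFactory.getInstance().createXACMLAuthzDecisionStatement();
    statement.setResponse(response);
    if (returnContext) {
        // Echo the original request (including its subject attributes) back
        // to the PEP that sent it, as it asked for the context.
        statement.setRequest(xacmlRequest);
    }
    com.sun.identity.saml2.protocol.Response samlpResponse = createSamlpResponse(statement, status.getStatusCode().getValue());
    if (XACMLSDKUtils.debug.messageEnabled()) {
        XACMLSDKUtils.debug.message("XACMLAuthzDecisionQueryHandler.handleQuery(), returning" + ":samlResponse=\n" + samlpResponse.toXMLString(true, true));
    }
    return samlpResponse;
}

/**
 * Returns the first Resource of the request, or {@code null} when the
 * request carries none. Only one resource is evaluated per query for now.
 *
 * @param xacmlRequest the xacml-context:Request, not {@code null}
 * @return the first Resource, or {@code null}
 */
private static Resource firstResource(Request xacmlRequest) {
    List resources = xacmlRequest.getResources();
    if (resources == null || resources.isEmpty()) {
        return null;
    }
    return (Resource) resources.get(0);
}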

Example 4 with Attribute

use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.

Class SubjectImpl, method toXMLString.

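/**
 * Returns a <code>String</code> representation of this object.
 * <p>
 * NOTE: both parameters are currently forced to {@code false} inside the
 * method (see the TODO), so the Subject element is always written without a
 * namespace prefix or namespace declaration, whatever the caller passes.
 * Nested attributes are serialised with {@code declareNS == false}.
 * <p>
 * The markup is assembled by string concatenation without escaping. The only
 * non-literal text this method places directly into markup is the subject
 * category. This is assumed to be a {@code java.net.URI} (the type returned
 * by {@code Subject.getSubjectCategory()} -- confirm against the field
 * declaration), which cannot contain an unescaped {@code "}, {@code <} or
 * {@code >}, so the attribute value cannot break out of its quotes. Escaping
 * of attribute values is the responsibility of {@code Attribute.toXMLString}.
 * A {@code null} entry in the attribute list is skipped, as the mappers that
 * consume these objects also tolerate it.
 *
 * @param includeNSPrefix Determines whether or not the namespace qualifier
 *        is prepended to the Element when converted (currently ignored)
 * @param declareNS Determines whether or not the namespace is declared
 *        within the Element (currently ignored)
 * @return a string representation of this object
 * @exception XACMLException if conversion fails for any reason
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws XACMLException {
    StringBuilder sb = new StringBuilder(2000);
    StringBuilder NS = new StringBuilder(100);
    //TODO: remove the 2 following line
    includeNSPrefix = false;
    declareNS = false;
    String appendNS = "";
    if (declareNS) {
        NS.append(XACMLConstants.CONTEXT_NS_DECLARATION).append(XACMLConstants.SPACE);
        NS.append(XACMLConstants.XSI_NS_URI).append(XACMLConstants.SPACE).append(XACMLConstants.CONTEXT_SCHEMA_LOCATION);
    }
    if (includeNSPrefix) {
        appendNS = XACMLConstants.CONTEXT_NS_PREFIX + ":";
    }
    sb.append("<").append(appendNS).append(XACMLConstants.SUBJECT).append(NS);
    if (subjectCategory != null) {
        sb.append(" ").append(XACMLConstants.SUBJECT_CATEGORY).append("=");
        sb.append("\"").append(subjectCategory.toString()).append("\"");
    }
    sb.append(">");
    if (attributes != null) {
        sb.append("\n");
        int length = attributes.size();
        for (int i = 0; i < length; i++) {
            Attribute attr = (Attribute) attributes.get(i);
            if (attr != null) {
                sb.append(attr.toXMLString(includeNSPrefix, false));
            }
        }
    }
    // The subject-category attribute, when present, is already part of
    // the attribute list above and is not emitted separately.
    sb.append("</").append(appendNS).append(XACMLConstants.SUBJECT);
    sb.append(">\n");
    return sb.toString();
}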

Example 5 with Attribute

use of com.sun.identity.xacml.context.Attribute in project OpenAM by OpenRock.

Class ActionImpl, method toXMLString.

/**
 * Serialises this Action as an xacml-context:Action element.
 * <p>
 * The element is opened with an optional namespace prefix and, when requested,
 * the context namespace declaration and schema location; each attribute is then
 * appended via {@code Attribute.toXMLString(includeNSPrefix, false)} (the
 * namespace is declared at most once, on this element), and the element is
 * closed followed by a newline. No escaping is performed here; attribute
 * content is rendered by the attributes themselves.
 *
 * @param includeNSPrefix whether to prepend the namespace qualifier to the
 *        element and its children
 * @param declareNS whether to declare the namespace on this element
 * @return the XML string for this Action
 * @exception XACMLException if an attribute cannot be converted
 */
public String toXMLString(boolean includeNSPrefix, boolean declareNS) throws XACMLException {
    String prefix = includeNSPrefix ? (XACMLConstants.CONTEXT_NS_PREFIX + ":") : "";
    StringBuilder nsAttrs = new StringBuilder(100);
    if (declareNS) {
        nsAttrs.append(XACMLConstants.CONTEXT_NS_DECLARATION)
               .append(XACMLConstants.SPACE)
               .append(XACMLConstants.XSI_NS_URI)
               .append(XACMLConstants.SPACE)
               .append(XACMLConstants.CONTEXT_SCHEMA_LOCATION);
    }
    StringBuilder xml = new StringBuilder(2000);
    xml.append("<").append(prefix).append(XACMLConstants.ACTION).append(nsAttrs).append(">");
    if (attributes != null) {
        xml.append("\n");
        for (Object item : attributes) {
            Attribute attribute = (Attribute) item;
            xml.append(attribute.toXMLString(includeNSPrefix, false));
        }
    }
    xml.append("</").append(prefix).append(XACMLConstants.ACTION).append(">\n");
    return xml.toString();
}
