
Example 21 with ResourceSetDescription

use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.

the class UmaResourceSetRegistrationHook method resourceSetDeleted.

/**
 * Tears down everything that backs a UMA resource set once the resource set is removed: the
 * resource type is detached from the resource server's policy application, the policies that
 * target the resource set are deleted, and finally the resource type itself is removed.
 *
 * @param realm the realm the resource set belongs to
 * @param resourceSet the resource set being deleted; its id doubles as the resource type UUID
 * @throws ServerException if the entitlement layer fails to update the application or to delete
 *         the resource type
 */
@Override
public void resourceSetDeleted(String realm, ResourceSetDescription resourceSet) throws ServerException {
    final Subject admin = SubjectUtils.createSuperAdminSubject();
    final String resourceTypeId = resourceSet.getId();
    final String clientId = resourceSet.getClientId();

    // Step 1: detach the resource type from the resource server's application.
    // NOTE(review): the application is looked up by the default-locale lower-cased client id; other
    // call sites normalise the id the same way, so it is kept as-is here.
    try {
        Application app = applicationManager.getApplication(admin, realm, clientId.toLowerCase());
        app.removeResourceTypeUuid(resourceTypeId);
        applicationManager.saveApplication(admin, realm, app);
    } catch (EntitlementException e) {
        logger.error("Failed to remove Resource Type, " + resourceTypeId + " from application, " + clientId, e);
        throw new ServerException(e);
    }

    // Step 2: remove the UMA policies attached to this resource set, acting in the resource owner's context.
    // NOTE(review): the result of deletePolicy is not inspected — if it reports failure asynchronously,
    // this method does not surface it; confirm against UmaPolicyService.
    policyService.deletePolicy(createAdminContext(realm, resourceSet.getResourceOwnerId()), resourceTypeId);

    // Step 3: delete the resource type itself.
    try {
        resourceTypeService.deleteResourceType(admin, realm, resourceTypeId);
    } catch (EntitlementException e) {
        logger.error("Failed to delete Resource Type " + resourceTypeId, e);
        throw new ServerException(e);
    }
}
Also used : EntitlementException(com.sun.identity.entitlement.EntitlementException) ServerException(org.forgerock.oauth2.core.exceptions.ServerException) Application(com.sun.identity.entitlement.Application) Subject(javax.security.auth.Subject)

Example 22 with ResourceSetDescription

use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.

the class UmaPolicyServiceImpl method queryPolicies.

/**
 * Queries UMA policies visible to the caller and returns them together with a paging response.
 *
 * <p>Only query filters (or the {@code "searchAll"} query id) are supported; a query expression is
 * rejected with a {@code BadRequestException}. The caller's filter is split by
 * {@code AggregateUmaPolicyQueryFilter} into a first part that is pushed down to the underlying policy
 * store and a second part that is applied in memory to the assembled {@code UmaPolicy} objects.
 *
 * <p>NOTE(review): when {@code queryId} is {@code "searchAll"} the {@code createdBy} restriction is not
 * applied, so the underlying query is not scoped to the calling resource owner. Confirm that callers able
 * to pass this query id are limited to administrators by the surrounding routing/authorization layer.
 *
 * @param context request context, used to resolve the resource owner and the resource set descriptions
 * @param umaQueryRequest the incoming UMA policy query
 * @return a promise of the paging response paired with the matching UMA policies
 */
@Override
public Promise<Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException> queryPolicies(final Context context, final QueryRequest umaQueryRequest) {
    // Query expressions are not supported for UMA policies; only filters and the query id are.
    if (umaQueryRequest.getQueryExpression() != null) {
        return new BadRequestException("Query expressions not supported").asPromise();
    }
    QueryRequest request = Requests.newQueryRequest("");
    // Splits the caller's filter: getFirstQuery() is pushed to the underlying policy store, getSecondQuery()
    // is evaluated in memory against UmaPolicy objects, combined according to getOperator().
    final AggregateQuery<QueryFilter<JsonPointer>, QueryFilter<JsonPointer>> filter = umaQueryRequest.getQueryFilter().accept(new AggregateUmaPolicyQueryFilter(), new AggregateQuery<QueryFilter<JsonPointer>, QueryFilter<JsonPointer>>());
    String queryId = umaQueryRequest.getQueryId();
    if (queryId != null && queryId.equals("searchAll")) {
        // No owner scoping: every policy in the store matches the underlying query.
        request.setQueryFilter(QueryFilter.<JsonPointer>alwaysTrue());
    } else {
        // Default scoping: only policies created by the calling resource owner, AND-ed with the
        // store-side portion of the caller's filter when there is one.
        String resourceOwnerUid = getResourceOwnerUid(context);
        if (filter.getFirstQuery() == null) {
            request.setQueryFilter(QueryFilter.equalTo(new JsonPointer("createdBy"), resourceOwnerUid));
        } else {
            request.setQueryFilter(QueryFilter.and(QueryFilter.equalTo(new JsonPointer("createdBy"), resourceOwnerUid), filter.getFirstQuery()));
        }
    }
    return policyResourceDelegate.queryPolicies(context, request).thenAsync(new AsyncFunction<Pair<QueryResponse, List<ResourceResponse>>, Collection<UmaPolicy>, ResourceException>() {

        /**
         * Groups the raw policies returned by the store by resource set id and converts each group
         * into a single {@code UmaPolicy}.
         */
        @Override
        public Promise<Collection<UmaPolicy>, ResourceException> apply(Pair<QueryResponse, List<ResourceResponse>> value) {
            Map<String, Set<ResourceResponse>> policyMapping = new HashMap<>();
            for (ResourceResponse policy : value.getSecond()) {
                // NOTE(review): get(0) assumes every policy carries at least one "resources" entry; an
                // empty list would throw inside the promise chain — confirm the store guarantees this.
                String resource = policy.getContent().get("resources").asList(String.class).get(0);
                // Only policies whose first resource uses the UMA scheme are UMA policies.
                if (!resource.startsWith(UMA_POLICY_SCHEME)) {
                    continue;
                }
                // Strip the scheme, then anything from the first ':' onward, leaving the resource set id.
                resource = resource.replaceFirst(UMA_POLICY_SCHEME, "");
                if (resource.indexOf(":") > 0) {
                    resource = resource.substring(0, resource.indexOf(":"));
                }
                Set<ResourceResponse> mapping = policyMapping.get(resource);
                if (mapping == null) {
                    mapping = new HashSet<>();
                    policyMapping.put(resource, mapping);
                }
                mapping.add(policy);
            }
            try {
                Collection<UmaPolicy> umaPolicies = new HashSet<>();
                for (Map.Entry<String, Set<ResourceResponse>> entry : policyMapping.entrySet()) {
                    ResourceSetDescription resourceSet = getResourceSetDescription(entry.getKey(), context);
                    UmaPolicy umaPolicy = UmaPolicy.fromUnderlyingPolicies(resourceSet, entry.getValue());
                    // Presumably rewrites subject UIDs to usernames in place on the policy's JSON — confirm.
                    resolveUIDToUsername(umaPolicy.asJson());
                    umaPolicies.add(umaPolicy);
                }
                return newResultPromise(umaPolicies);
            } catch (ResourceException e) {
                // A failed resource set lookup fails the whole query rather than dropping one policy.
                return e.asPromise();
            }
        }
    }).thenAsync(new AsyncFunction<Collection<UmaPolicy>, Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException>() {

        /**
         * Applies the in-memory part of the caller's filter, then pages the remaining policies.
         */
        @Override
        public Promise<Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException> apply(Collection<UmaPolicy> policies) {
            Collection<UmaPolicy> results = policies;
            if (filter.getSecondQuery() != null) {
                PolicySearch search = filter.getSecondQuery().accept(new UmaPolicyQueryFilterVisitor(), new PolicySearch(policies));
                // Only AND narrows the result; for any other operator the in-memory part leaves results unchanged.
                if (AggregateQuery.Operator.AND.equals(filter.getOperator())) {
                    // Mutates the incoming collection in place.
                    results.retainAll(search.getPolicies());
                }
            }
            int pageSize = umaQueryRequest.getPageSize();
            String pagedResultsCookie = umaQueryRequest.getPagedResultsCookie();
            int pagedResultsOffset = umaQueryRequest.getPagedResultsOffset();
            // NOTE(review): pagedResultsOffset is treated as a page index (multiplied by pageSize), and
            // pageSize is never used to cap how many results are added — every policy from the offset
            // onward is returned. HashSet iteration order is unspecified, so pages are not stable across
            // calls either. Confirm whether this is the intended paging contract.
            Collection<UmaPolicy> pagedPolicies = new HashSet<UmaPolicy>();
            int count = 0;
            for (UmaPolicy policy : results) {
                if (count >= pagedResultsOffset * pageSize) {
                    pagedPolicies.add(policy);
                }
                count++;
            }
            // Number of skipped policies, expressed in whole pages when a page size is set.
            int remainingPagedResults = results.size() - pagedPolicies.size();
            if (pageSize > 0) {
                remainingPagedResults /= pageSize;
            }
            return newResultPromise(Pair.of(newQueryResponse(pagedResultsCookie, CountPolicy.EXACT, remainingPagedResults), pagedPolicies));
        }
    });
}
Also used : Set(java.util.Set) HashSet(java.util.HashSet) HashMap(java.util.HashMap) JsonPointer(org.forgerock.json.JsonPointer) AsyncFunction(org.forgerock.util.AsyncFunction) ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription) List(java.util.List) ArrayList(java.util.ArrayList) ResourceException(org.forgerock.json.resource.ResourceException) PolicySearch(org.forgerock.openam.uma.PolicySearch) UmaPolicy(org.forgerock.openam.uma.UmaPolicy) Pair(org.forgerock.util.Pair) HashSet(java.util.HashSet) UmaPolicyQueryFilterVisitor(org.forgerock.openam.uma.UmaPolicyQueryFilterVisitor) QueryRequest(org.forgerock.json.resource.QueryRequest) Promise(org.forgerock.util.promise.Promise) QueryFilter(org.forgerock.util.query.QueryFilter) ResourceResponse(org.forgerock.json.resource.ResourceResponse) Responses.newQueryResponse(org.forgerock.json.resource.Responses.newQueryResponse) QueryResponse(org.forgerock.json.resource.QueryResponse) BadRequestException(org.forgerock.json.resource.BadRequestException) Collection(java.util.Collection) Map(java.util.Map) HashMap(java.util.HashMap)

Example 23 with ResourceSetDescription

use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.

the class UmaPolicyApplicationListener method deleteResourceSets.

/**
 * Deletes every resource set registered by the given resource server within a realm.
 *
 * @param realm the realm, passed through {@code DNMapper.orgNameToRealmName} before the store is created
 * @param resourceServerId the client id of the resource server whose resource sets are removed
 * @throws NotFoundException as declared; presumably raised by the resource set store — confirm
 * @throws ServerException as declared; presumably raised by the resource set store — confirm
 */
private void deleteResourceSets(String realm, String resourceServerId) throws NotFoundException, ServerException {
    final String realmName = DNMapper.orgNameToRealmName(realm);
    final ResourceSetStore store = resourceSetStoreFactory.create(realmName);
    // Select only the resource sets registered by this resource server (client).
    final QueryFilter<String> byClient = QueryFilter.equalTo(ResourceSetTokenField.CLIENT_ID, resourceServerId);
    for (ResourceSetDescription description : store.query(byClient)) {
        store.delete(description.getId(), description.getResourceOwnerId());
    }
}
Also used : ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore) ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription)

Example 24 with ResourceSetDescription

use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.

the class AuthorizationRequestEndpoint method getResourceSet.

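/**
 * Looks up the single resource set registered under {@code resourceSetId} in the provider's resource set store.
 *
 * @param resourceSetId the resource set id carried in the authorization request
 * @param providerSettings supplies the realm-specific resource set store
 * @return the matching resource set description
 * @throws UmaException with error code {@code invalid_resource_set_id} (status 400) when there is not exactly
 *         one match, or when the store query fails
 */
private ResourceSetDescription getResourceSet(String resourceSetId, OAuth2ProviderSettings providerSettings) throws UmaException {
    try {
        ResourceSetStore store = providerSettings.getResourceSetStore();
        Set<ResourceSetDescription> results = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
        // Exactly one match is required: zero means an unknown id, more than one means an ambiguous id.
        if (results.size() != 1) {
            // Fixed typo in the client-facing message ("fing" -> "find").
            throw new UmaException(400, "invalid_resource_set_id", "Could not find Resource Set, " + resourceSetId);
        }
        return results.iterator().next();
    } catch (ServerException e) {
        // NOTE(review): a store failure is reported to the client as a 400 carrying the raw server-side message,
        // and the cause is dropped; consider a 5xx status with a generic description here and log the detail.
        throw new UmaException(400, "invalid_resource_set_id", e.getMessage());
    }
}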
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore) ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription)

Example 25 with ResourceSetDescription

use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.

the class AuthorizationRequestEndpoint method isEntitled.

/**
 * Decides whether the requesting party is entitled to every scope on a permission ticket.
 *
 * <p>The resource owner is implicitly entitled to their own resource; any other party must hold
 * UMA policy entitlements granting each requested scope. An absent or {@code false} action value
 * for a scope counts as not granted. The decision is reported through the
 * {@code beforeAuthorization}/{@code afterAuthorization} hooks.
 *
 * @param umaProviderSettings supplies the policy evaluator for the resource server
 * @param oauth2ProviderSettings supplies the resource set store
 * @param permissionTicket ticket naming the realm, resource set, resource server and requested scopes
 * @param requestingPartyId identity of the party requesting access
 * @return {@code true} if every requested scope is granted
 * @throws ServerException if the ticket's resource set cannot be found
 * @throws EntitlementException as declared; presumably from the identity/evaluator calls — confirm
 * @throws UmaException as declared; presumably from the authorization hooks — confirm
 */
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings, PermissionTicket permissionTicket, String requestingPartyId) throws EntitlementException, ServerException, UmaException {
    final String realm = permissionTicket.getRealm();
    final String resourceSetId = permissionTicket.getResourceSetId();
    final String policyResourceName;
    final Subject ownerSubject;
    try {
        ResourceSetStore store = oauth2ProviderSettings.getResourceSetStore();
        Set<ResourceSetDescription> matches = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
        if (matches.size() != 1) {
            throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
        }
        ResourceSetDescription resourceSet = matches.iterator().next();
        // Policies are keyed by the UMA scheme followed by the resource set id.
        policyResourceName = UmaConstants.UMA_POLICY_SCHEME + resourceSet.getId();
        ownerSubject = UmaUtils.createSubject(createIdentity(resourceSet.getResourceOwnerId(), realm));
    } catch (NotFoundException e) {
        // The NotFoundException raised above is converted here so callers only see ServerException.
        debug.message("Couldn't find resource that permission ticket is registered for", e);
        throw new ServerException("Couldn't find resource that permission ticket is registered for");
    }

    Subject requestingParty = UmaUtils.createSubject(createIdentity(requestingPartyId, realm));
    beforeAuthorization(permissionTicket, requestingParty, ownerSubject);

    // The resource owner is implicitly entitled to their own resource; no policy evaluation is needed.
    if (isRequestingPartyResourceOwner(requestingParty, ownerSubject)) {
        afterAuthorization(true, permissionTicket, requestingParty, ownerSubject);
        return true;
    }

    // Evaluate the resource server's UMA policies for the requesting party against the policy resource.
    // NOTE(review): the client id is lower-cased with the default locale; confirm this matches how the
    // evaluator/application was keyed at registration time.
    String resourceServerClientId = permissionTicket.getResourceServerClientId().toLowerCase();
    List<Entitlement> entitlements = umaProviderSettings
            .getPolicyEvaluator(requestingParty, resourceServerClientId)
            .evaluate(realm, requestingParty, policyResourceName, null, false);

    // Every requested scope must be granted (action value TRUE) by at least one entitlement; deny otherwise.
    Set<String> requestedScopes = permissionTicket.getScopes();
    Set<String> ungrantedScopes = new HashSet<>(requestedScopes);
    for (Entitlement entitlement : entitlements) {
        for (String scope : requestedScopes) {
            if (Boolean.TRUE.equals(entitlement.getActionValue(scope))) {
                ungrantedScopes.remove(scope);
            }
        }
    }

    boolean authorized = ungrantedScopes.isEmpty();
    afterAuthorization(authorized, permissionTicket, requestingParty, ownerSubject);
    return authorized;
}
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription) Subject(javax.security.auth.Subject) ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore) Entitlement(com.sun.identity.entitlement.Entitlement) HashSet(java.util.HashSet)
