use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.
the class UmaResourceSetRegistrationHook method resourceSetDeleted.
/**
* Removes the ResourceType from the Resource Server's policy application, deletes all related policies,
* then deletes the ResourceSet.
*
* @param realm {@inheritDoc}
* @param resourceSet {@inheritDoc}
*/
@Override
public void resourceSetDeleted(String realm, ResourceSetDescription resourceSet) throws ServerException {
Subject adminSubject = SubjectUtils.createSuperAdminSubject();
String resourceTypeUUID = resourceSet.getId();
try {
Application application = applicationManager.getApplication(adminSubject, realm, resourceSet.getClientId().toLowerCase());
application.removeResourceTypeUuid(resourceTypeUUID);
applicationManager.saveApplication(adminSubject, realm, application);
} catch (EntitlementException e) {
logger.error("Failed to remove Resource Type, " + resourceTypeUUID + " from application, " + resourceSet.getClientId(), e);
throw new ServerException(e);
}
policyService.deletePolicy(createAdminContext(realm, resourceSet.getResourceOwnerId()), resourceSet.getId());
try {
resourceTypeService.deleteResourceType(adminSubject, realm, resourceTypeUUID);
} catch (EntitlementException e) {
logger.error("Failed to delete Resource Type " + resourceTypeUUID, e);
throw new ServerException(e);
}
}
use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.
the class UmaPolicyServiceImpl method queryPolicies.
/**
* {@inheritDoc}
*/
@Override
public Promise<Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException> queryPolicies(final Context context, final QueryRequest umaQueryRequest) {
if (umaQueryRequest.getQueryExpression() != null) {
return new BadRequestException("Query expressions not supported").asPromise();
}
QueryRequest request = Requests.newQueryRequest("");
final AggregateQuery<QueryFilter<JsonPointer>, QueryFilter<JsonPointer>> filter = umaQueryRequest.getQueryFilter().accept(new AggregateUmaPolicyQueryFilter(), new AggregateQuery<QueryFilter<JsonPointer>, QueryFilter<JsonPointer>>());
String queryId = umaQueryRequest.getQueryId();
if (queryId != null && queryId.equals("searchAll")) {
request.setQueryFilter(QueryFilter.<JsonPointer>alwaysTrue());
} else {
String resourceOwnerUid = getResourceOwnerUid(context);
if (filter.getFirstQuery() == null) {
request.setQueryFilter(QueryFilter.equalTo(new JsonPointer("createdBy"), resourceOwnerUid));
} else {
request.setQueryFilter(QueryFilter.and(QueryFilter.equalTo(new JsonPointer("createdBy"), resourceOwnerUid), filter.getFirstQuery()));
}
}
return policyResourceDelegate.queryPolicies(context, request).thenAsync(new AsyncFunction<Pair<QueryResponse, List<ResourceResponse>>, Collection<UmaPolicy>, ResourceException>() {
@Override
public Promise<Collection<UmaPolicy>, ResourceException> apply(Pair<QueryResponse, List<ResourceResponse>> value) {
Map<String, Set<ResourceResponse>> policyMapping = new HashMap<>();
for (ResourceResponse policy : value.getSecond()) {
String resource = policy.getContent().get("resources").asList(String.class).get(0);
if (!resource.startsWith(UMA_POLICY_SCHEME)) {
continue;
}
resource = resource.replaceFirst(UMA_POLICY_SCHEME, "");
if (resource.indexOf(":") > 0) {
resource = resource.substring(0, resource.indexOf(":"));
}
Set<ResourceResponse> mapping = policyMapping.get(resource);
if (mapping == null) {
mapping = new HashSet<>();
policyMapping.put(resource, mapping);
}
mapping.add(policy);
}
try {
Collection<UmaPolicy> umaPolicies = new HashSet<>();
for (Map.Entry<String, Set<ResourceResponse>> entry : policyMapping.entrySet()) {
ResourceSetDescription resourceSet = getResourceSetDescription(entry.getKey(), context);
UmaPolicy umaPolicy = UmaPolicy.fromUnderlyingPolicies(resourceSet, entry.getValue());
resolveUIDToUsername(umaPolicy.asJson());
umaPolicies.add(umaPolicy);
}
return newResultPromise(umaPolicies);
} catch (ResourceException e) {
return e.asPromise();
}
}
}).thenAsync(new AsyncFunction<Collection<UmaPolicy>, Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException>() {
@Override
public Promise<Pair<QueryResponse, Collection<UmaPolicy>>, ResourceException> apply(Collection<UmaPolicy> policies) {
Collection<UmaPolicy> results = policies;
if (filter.getSecondQuery() != null) {
PolicySearch search = filter.getSecondQuery().accept(new UmaPolicyQueryFilterVisitor(), new PolicySearch(policies));
if (AggregateQuery.Operator.AND.equals(filter.getOperator())) {
results.retainAll(search.getPolicies());
}
}
int pageSize = umaQueryRequest.getPageSize();
String pagedResultsCookie = umaQueryRequest.getPagedResultsCookie();
int pagedResultsOffset = umaQueryRequest.getPagedResultsOffset();
Collection<UmaPolicy> pagedPolicies = new HashSet<UmaPolicy>();
int count = 0;
for (UmaPolicy policy : results) {
if (count >= pagedResultsOffset * pageSize) {
pagedPolicies.add(policy);
}
count++;
}
int remainingPagedResults = results.size() - pagedPolicies.size();
if (pageSize > 0) {
remainingPagedResults /= pageSize;
}
return newResultPromise(Pair.of(newQueryResponse(pagedResultsCookie, CountPolicy.EXACT, remainingPagedResults), pagedPolicies));
}
});
}
use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.
the class UmaPolicyApplicationListener method deleteResourceSets.
private void deleteResourceSets(String realm, String resourceServerId) throws NotFoundException, ServerException {
ResourceSetStore resourceSetStore = resourceSetStoreFactory.create(DNMapper.orgNameToRealmName(realm));
QueryFilter<String> queryFilter = QueryFilter.equalTo(ResourceSetTokenField.CLIENT_ID, resourceServerId);
Set<ResourceSetDescription> results = resourceSetStore.query(queryFilter);
for (ResourceSetDescription resourceSet : results) {
resourceSetStore.delete(resourceSet.getId(), resourceSet.getResourceOwnerId());
}
}
use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.
the class AuthorizationRequestEndpoint method getResourceSet.
private ResourceSetDescription getResourceSet(String resourceSetId, OAuth2ProviderSettings providerSettings) throws UmaException {
try {
ResourceSetStore store = providerSettings.getResourceSetStore();
Set<ResourceSetDescription> results = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
if (results.size() != 1) {
throw new UmaException(400, "invalid_resource_set_id", "Could not fing Resource Set, " + resourceSetId);
}
return results.iterator().next();
} catch (ServerException e) {
throw new UmaException(400, "invalid_resource_set_id", e.getMessage());
}
}
use of org.forgerock.oauth2.resources.ResourceSetDescription in project OpenAM by OpenRock.
the class AuthorizationRequestEndpoint method isEntitled.
private boolean isEntitled(UmaProviderSettings umaProviderSettings, OAuth2ProviderSettings oauth2ProviderSettings, PermissionTicket permissionTicket, String requestingPartyId) throws EntitlementException, ServerException, UmaException {
String realm = permissionTicket.getRealm();
String resourceSetId = permissionTicket.getResourceSetId();
String resourceName = UmaConstants.UMA_POLICY_SCHEME;
Subject resourceOwnerSubject;
try {
ResourceSetStore store = oauth2ProviderSettings.getResourceSetStore();
Set<ResourceSetDescription> results = store.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, resourceSetId));
if (results.size() != 1) {
throw new NotFoundException("Could not find Resource Set, " + resourceSetId);
}
resourceName += results.iterator().next().getId();
resourceOwnerSubject = UmaUtils.createSubject(createIdentity(results.iterator().next().getResourceOwnerId(), realm));
} catch (NotFoundException e) {
debug.message("Couldn't find resource that permission ticket is registered for", e);
throw new ServerException("Couldn't find resource that permission ticket is registered for");
}
Subject requestingPartySubject = UmaUtils.createSubject(createIdentity(requestingPartyId, realm));
beforeAuthorization(permissionTicket, requestingPartySubject, resourceOwnerSubject);
// Implicitly grant access to the resource owner
if (isRequestingPartyResourceOwner(requestingPartySubject, resourceOwnerSubject)) {
afterAuthorization(true, permissionTicket, requestingPartySubject, resourceOwnerSubject);
return true;
}
List<Entitlement> entitlements = umaProviderSettings.getPolicyEvaluator(requestingPartySubject, permissionTicket.getResourceServerClientId().toLowerCase()).evaluate(realm, requestingPartySubject, resourceName, null, false);
Set<String> requestedScopes = permissionTicket.getScopes();
Set<String> requiredScopes = new HashSet<>(requestedScopes);
for (Entitlement entitlement : entitlements) {
for (String requestedScope : requestedScopes) {
final Boolean actionValue = entitlement.getActionValue(requestedScope);
if (actionValue != null && actionValue) {
requiredScopes.remove(requestedScope);
}
}
}
boolean isAuthorized = requiredScopes.isEmpty();
afterAuthorization(isAuthorized, permissionTicket, requestingPartySubject, resourceOwnerSubject);
return isAuthorized;
}
Aggregations