Example 11 with SubjectContext

Use of org.forgerock.openam.rest.resource.SubjectContext in the OpenAM project by OpenRock.

The class UmaResourceSetRegistrationHook, method createAdminContext.

/**
 * Used to create a context for deleting policies. If this is being called, we know that the user has the right
 * to delete the policies.
 * @param realm The realm to delete the policies in.
 * @param resourceOwnerId The owner of the ResourceSet that the policies are for.
 * @return The generated context.
 */
private Context createAdminContext(String realm, String resourceOwnerId) {
    RealmContext realmContext = new RealmContext(new RootContext());
    realmContext.setSubRealm(realm, realm);
    // An AdminSubjectContext carries administrative privileges, so the caller's right to
    // delete these policies must already have been checked before this context is built.
    SubjectContext subjectContext = new AdminSubjectContext(logger, sessionCache, realmContext);
    // Expose the resource owner as the "user" template variable used by the policy routes.
    Map<String, String> templateVariables = new HashMap<>();
    templateVariables.put("user", resourceOwnerId);
    UriRouterContext routerContext = new UriRouterContext(subjectContext, "", "", templateVariables);
    return routerContext;
}
Also used : RootContext(org.forgerock.services.context.RootContext) RealmContext(org.forgerock.openam.rest.RealmContext) AdminSubjectContext(org.forgerock.openam.rest.resource.AdminSubjectContext) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) HashMap(java.util.HashMap) AdminSubjectContext(org.forgerock.openam.rest.resource.AdminSubjectContext) UriRouterContext(org.forgerock.http.routing.UriRouterContext)

Example 12 with SubjectContext

Use of org.forgerock.openam.rest.resource.SubjectContext in the OpenAM project by OpenRock.

The class UmaPolicyServiceImpl, method getLoggedInUserId.

private String getLoggedInUserId(Context context) throws InternalServerErrorException {
    try {
        // Locate the SubjectContext in the context chain and read the caller's SSO token.
        SubjectContext subjectContext = context.asContext(SubjectContext.class);
        SSOToken token = subjectContext.getCallerSSOToken();
        // The principal name of the token identifies the logged-in user.
        return token.getPrincipal().getName();
    } catch (SSOException e) {
        // A token that cannot be read is surfaced as a server error rather than a user id.
        throw new InternalServerErrorException(e);
    }
}
Also used : SSOToken(com.iplanet.sso.SSOToken) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) SSOException(com.iplanet.sso.SSOException)

Example 13 with SubjectContext

Use of org.forgerock.openam.rest.resource.SubjectContext in the OpenAM project by OpenRock.

The class PrivilegeAuthzModule, method evaluate.

/**
 * Given the calling context and the privilege definition, attempts to authorise the calling subject.
 *
 * @param context
 *         the server context
 * @param definition
 *         the privilege definition
 *
 * @return the authorisation result
 */
protected Promise<AuthorizationResult, ResourceException> evaluate(final Context context, final PrivilegeDefinition definition) {
    // If no realm is specified, default to the root realm.
    final String realm = (context.containsContext(RealmContext.class)) ? context.asContext(RealmContext.class).getResolvedRealm() : "/";
    final SubjectContext subjectContext = context.asContext(SubjectContext.class);
    final UriRouterContext routerContext = context.asContext(UriRouterContext.class);
    // Map the set of actions to a set of action strings.
    final Set<String> actions = transformSet(definition.getActions(), ACTION_TO_STRING_MAPPER);
    try {
        Session callerSession = subjectContext.getCallerSession();
        if (callerSession == null) {
            // No session on the request, so return access denied.
            return Promises.newResultPromise(AuthorizationResult.accessDenied("No session for request."));
        }
        // The realm the caller actually logged into, derived from the session's client domain.
        final String loggedInRealm = coreWrapper.convertOrgNameToRealmName(callerSession.getClientDomain());
        // Build the delegation permission for the matched URI, verb and actions.
        final DelegationPermission permissionRequest = permissionFactory.newInstance(loggedInRealm, REST, VERSION, routerContext.getMatchedUri(), definition.getCommonVerb(), actions, Collections.<String, String>emptyMap());
        // Access is granted only if the delegation check passes and the caller's realm is valid for the target realm.
        if (evaluator.isAllowed(subjectContext.getCallerSSOToken(), permissionRequest, Collections.<String, Set<String>>emptyMap()) && loggedIntoValidRealm(realm, loggedInRealm)) {
            // Authorisation has been approved.
            return Promises.newResultPromise(AuthorizationResult.accessPermitted());
        }
    } catch (DelegationException dE) {
        return new InternalServerErrorException("Attempt to authorise the user has failed", dE).asPromise();
    } catch (SSOException e) {
        // No usable user token on the request, so return access denied.
        return Promises.newResultPromise(AuthorizationResult.accessDenied("No user supplied in request."));
    }
    return Promises.newResultPromise(AuthorizationResult.accessDenied("The user has insufficient privileges"));
}
Also used : Set(java.util.Set) CollectionUtils.transformSet(org.forgerock.openam.utils.CollectionUtils.transformSet) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) UriRouterContext(org.forgerock.http.routing.UriRouterContext) InternalServerErrorException(org.forgerock.json.resource.InternalServerErrorException) DelegationException(com.sun.identity.delegation.DelegationException) SSOException(com.iplanet.sso.SSOException) DelegationPermission(com.sun.identity.delegation.DelegationPermission) Session(com.iplanet.dpro.session.Session)

Example 14 with SubjectContext

Use of org.forgerock.openam.rest.resource.SubjectContext in the OpenAM project by OpenRock.

The class PolicyRequestFactoryTest, method shouldRetrieveTreeRequest.

@Test
public void shouldRetrieveTreeRequest() throws EntitlementException {
    // Given...
    given(subjectContext.getCallerSubject()).willReturn(restSubject);
    Map<String, Object> properties = new HashMap<String, Object>();
    properties.put("resource", "/resource/a");
    given(actionRequest.getContent()).willReturn(JsonValue.json(properties));
    Context context = buildContextStructure("/abc");
    // When...
    PolicyRequest request = factory.buildRequest(PolicyAction.TREE_EVALUATE, context, actionRequest);
    // Then...
    assertThat(request).isNotNull();
    assertThat(request.getRealm()).isEqualTo("/abc");
    assertThat(request).isInstanceOfAny(TreePolicyRequest.class);
    TreePolicyRequest treeRequest = (TreePolicyRequest) request;
    assertThat(treeRequest.getResource()).isEqualTo("/resource/a");
    verify(subjectContext).getCallerSubject();
    verify(actionRequest, times(2)).getContent();
    verifyNoMoreInteractions(subjectContext, actionRequest);
}
Also used : Context(org.forgerock.services.context.Context) ClientContext(org.forgerock.services.context.ClientContext) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) RealmContext(org.forgerock.openam.rest.RealmContext) HashMap(java.util.HashMap) TreePolicyRequest(org.forgerock.openam.entitlement.rest.model.json.TreePolicyRequest) TreePolicyRequest(org.forgerock.openam.entitlement.rest.model.json.TreePolicyRequest) PolicyRequest(org.forgerock.openam.entitlement.rest.model.json.PolicyRequest) BatchPolicyRequest(org.forgerock.openam.entitlement.rest.model.json.BatchPolicyRequest) Test(org.testng.annotations.Test)

Example 15 with SubjectContext

Use of org.forgerock.openam.rest.resource.SubjectContext in the OpenAM project by OpenRock.

The class PolicyResourceEvaluationTest, method shouldMakeTreeEvaluation.

@Test
public void shouldMakeTreeEvaluation() throws EntitlementException {
    // Given...
    given(request.getAction()).willReturn("evaluateTree");
    Context context = buildContextStructure("/abc");
    given(requestFactory.buildRequest(PolicyAction.TREE_EVALUATE, context, request)).willReturn(policyRequest);
    given(policyRequest.getRestSubject()).willReturn(restSubject);
    given(policyRequest.getApplication()).willReturn("some-application");
    given(factory.getEvaluator(restSubject, "some-application")).willReturn(evaluator);
    given(policyRequest.getApplication()).willReturn("some-application");
    given(policyRequest.getRealm()).willReturn("/abc");
    List<Entitlement> decisions = Arrays.asList(new Entitlement());
    given(evaluator.routePolicyRequest(policyRequest)).willReturn(decisions);
    JsonValue jsonDecision = JsonValue.json(array());
    given(parser.printEntitlements(decisions)).willReturn(jsonDecision);
    // When...
    Promise<ActionResponse, ResourceException> promise = policyResource.actionCollection(context, request);
    // Then...
    verify(request).getAction();
    verify(requestFactory).buildRequest(PolicyAction.TREE_EVALUATE, context, request);
    verify(policyRequest).getRestSubject();
    verify(policyRequest, times(2)).getApplication();
    verify(policyRequest).getRealm();
    verify(factory).getEvaluator(restSubject, "some-application");
    verify(evaluator).routePolicyRequest(policyRequest);
    verify(parser).printEntitlements(decisions);
    assertThat(promise).succeeded().withContent().isEqualTo(jsonDecision);
    verifyNoMoreInteractions(request, subjectContext, requestFactory, policyRequest, factory, evaluator, parser);
}
Also used : ClientContext(org.forgerock.services.context.ClientContext) RealmContext(org.forgerock.openam.rest.RealmContext) Context(org.forgerock.services.context.Context) SubjectContext(org.forgerock.openam.rest.resource.SubjectContext) JsonValue(org.forgerock.json.JsonValue) ResourceException(org.forgerock.json.resource.ResourceException) Entitlement(com.sun.identity.entitlement.Entitlement) ActionResponse(org.forgerock.json.resource.ActionResponse) Test(org.testng.annotations.Test)

Aggregations

SubjectContext (org.forgerock.openam.rest.resource.SubjectContext)33 RealmContext (org.forgerock.openam.rest.RealmContext)31 Test (org.testng.annotations.Test)28 Context (org.forgerock.services.context.Context)27 ClientContext (org.forgerock.services.context.ClientContext)18 ResourceException (org.forgerock.json.resource.ResourceException)15 ResourceResponse (org.forgerock.json.resource.ResourceResponse)12 HashMap (java.util.HashMap)10 DelegationPermission (com.sun.identity.delegation.DelegationPermission)9 FilterChain (org.forgerock.json.resource.FilterChain)9 Router (org.forgerock.json.resource.Router)9 HashSet (java.util.HashSet)8 Subject (javax.security.auth.Subject)8 JsonValue (org.forgerock.json.JsonValue)8 Matchers.anyString (org.mockito.Matchers.anyString)8 JsonSchema (com.fasterxml.jackson.databind.jsonschema.JsonSchema)7 ReadRequest (org.forgerock.json.resource.ReadRequest)6 SSOToken (com.iplanet.sso.SSOToken)4 ActionResponse (org.forgerock.json.resource.ActionResponse)4 Map (java.util.Map)3