
Example 6 with EntitlementException

use of org.wso2.carbon.identity.entitlement.EntitlementException in project carbon-identity-framework by wso2.

The class PAPPolicyStoreReader, method readPolicyDTO:

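/**
 * Reads a {@link PolicyDTO} from the given registry resource.
 *
 * The XACML policy text is taken from the resource content (decoded as UTF-8) and parsed to
 * obtain the policy id; every other field of the DTO is populated from the registry properties
 * of the resource.
 *
 * @param resource registry resource holding the policy content and its properties
 * @return the populated PolicyDTO
 * @throws EntitlementException if the resource cannot be read from the registry, has no content,
 *                              does not parse as a policy, or carries a malformed numeric property
 */
public PolicyDTO readPolicyDTO(Resource resource) throws EntitlementException {
    String policyId = null;
    try {
        byte[] content = (byte[]) resource.getContent();
        if (content == null) {
            throw new EntitlementException("Error while loading entitlement policy from PAP policy store : resource has no content");
        }
        // StandardCharsets avoids a charset lookup by name; referenced by its full name so no
        // additional import is required.
        String policy = new String(content, java.nio.charset.StandardCharsets.UTF_8);
        AbstractPolicy absPolicy = PAPPolicyReader.getInstance(null).getPolicy(policy);
        if (absPolicy == null) {
            // Guard against the reader returning null for an unparsable policy instead of
            // dereferencing it below — TODO confirm PAPPolicyReader.getPolicy's contract.
            throw new EntitlementException("Error while loading entitlement policy from PAP policy store : policy could not be parsed");
        }
        policyId = absPolicy.getId().toASCIIString();
        PolicyDTO dto = new PolicyDTO();
        dto.setPolicyId(policyId);
        dto.setPolicy(policy);
        dto.setActive(Boolean.parseBoolean(resource.getProperty(PDPConstants.ACTIVE_POLICY)));
        // A missing order property defaults to 0
        String policyOrder = resource.getProperty(PDPConstants.POLICY_ORDER);
        dto.setPolicyOrder(policyOrder != null ? Integer.parseInt(policyOrder) : 0);
        String version = resource.getProperty(PDPConstants.POLICY_VERSION);
        if (version != null) {
            dto.setVersion(version);
        }
        String lastModifiedTime = resource.getProperty(PDPConstants.LAST_MODIFIED_TIME);
        if (lastModifiedTime != null) {
            dto.setLastModifiedTime(lastModifiedTime);
        }
        String lastModifiedUser = resource.getProperty(PDPConstants.LAST_MODIFIED_USER);
        if (lastModifiedUser != null) {
            dto.setLastModifiedUser(lastModifiedUser);
        }
        dto.setPolicyType(resource.getProperty(PDPConstants.POLICY_TYPE));
        // References are stored as one separator-joined property; blank means none
        String policyReferences = resource.getProperty(PDPConstants.POLICY_REFERENCE);
        if (policyReferences != null && policyReferences.trim().length() > 0) {
            dto.setPolicyIdReferences(policyReferences.split(PDPConstants.ATTRIBUTE_SEPARATOR));
        }
        String policySetReferences = resource.getProperty(PDPConstants.POLICY_SET_REFERENCE);
        if (policySetReferences != null && policySetReferences.trim().length() > 0) {
            dto.setPolicySetIdReferences(policySetReferences.split(PDPConstants.ATTRIBUTE_SEPARATOR));
        }
        // Basic policy editor meta data is stored as a count plus one indexed property per entry
        dto.setPolicyEditor(resource.getProperty(PDPConstants.POLICY_EDITOR_TYPE));
        String metaDataAmount = resource.getProperty(PDPConstants.BASIC_POLICY_EDITOR_META_DATA_AMOUNT);
        if (metaDataAmount != null) {
            int amount = Integer.parseInt(metaDataAmount);
            if (amount < 0) {
                // A negative count would make the array allocation below fail
                throw new EntitlementException("Error while loading entitlement policy " + policyId + " from PAP policy store : invalid policy editor meta data amount " + amount);
            }
            String[] editorMetaData = new String[amount];
            for (int i = 0; i < amount; i++) {
                editorMetaData[i] = resource.getProperty(PDPConstants.BASIC_POLICY_EDITOR_META_DATA + i);
            }
            dto.setPolicyEditorData(editorMetaData);
        }
        PolicyAttributeBuilder policyAttributeBuilder = new PolicyAttributeBuilder();
        dto.setAttributeDTOs(policyAttributeBuilder.getPolicyMetaDataFromRegistryProperties(resource.getProperties()));
        return dto;
    } catch (RegistryException e) {
        log.error("Error while loading entitlement policy " + policyId + " from PAP policy store", e);
        throw new EntitlementException("Error while loading entitlement policy " + policyId + " from PAP policy store");
    } catch (NumberFormatException e) {
        // Raised by Integer.parseInt on POLICY_ORDER or the editor meta data amount; surface it
        // as a store error rather than an unchecked exception
        String message = "Error while loading entitlement policy " + policyId + " from PAP policy store : malformed numeric property";
        log.error(message, e);
        throw new EntitlementException(message);
    }
}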

Example 7 with EntitlementException

use of org.wso2.carbon.identity.entitlement.EntitlementException in project carbon-identity-framework by wso2.

The class PAPPolicyStoreReader, method readMetaDataPolicyDTO:

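/**
 * Reads a light-weight {@link PolicyDTO} (attribute meta data only) for the given policy id.
 *
 * Only the registry properties of the stored policy are consulted; the XACML policy text itself
 * is not loaded into the DTO.
 *
 * @param policyId policy id
 * @return PolicyDTO without the XACML policy text, or null when the PAP store holds no policy
 *         with the given id
 * @throws EntitlementException if the policy cannot be read from the store or a numeric
 *                              property is malformed
 */
public PolicyDTO readMetaDataPolicyDTO(String policyId) throws EntitlementException {
    Resource resource = store.getPolicy(policyId, PDPConstants.ENTITLEMENT_POLICY_PAP);
    if (resource == null) {
        return null;
    }
    try {
        PolicyDTO dto = new PolicyDTO();
        dto.setPolicyId(policyId);
        dto.setActive(Boolean.parseBoolean(resource.getProperty(PDPConstants.ACTIVE_POLICY)));
        // A missing order property defaults to 0
        String policyOrder = resource.getProperty(PDPConstants.POLICY_ORDER);
        dto.setPolicyOrder(policyOrder != null ? Integer.parseInt(policyOrder) : 0);
        String version = resource.getProperty(PDPConstants.POLICY_VERSION);
        if (version != null) {
            dto.setVersion(version);
        }
        String lastModifiedTime = resource.getProperty(PDPConstants.LAST_MODIFIED_TIME);
        if (lastModifiedTime != null) {
            dto.setLastModifiedTime(lastModifiedTime);
        }
        String lastModifiedUser = resource.getProperty(PDPConstants.LAST_MODIFIED_USER);
        if (lastModifiedUser != null) {
            dto.setLastModifiedUser(lastModifiedUser);
        }
        dto.setPolicyType(resource.getProperty(PDPConstants.POLICY_TYPE));
        // References are stored as one separator-joined property; blank means none
        String policyReferences = resource.getProperty(PDPConstants.POLICY_REFERENCE);
        if (policyReferences != null && policyReferences.trim().length() > 0) {
            dto.setPolicyIdReferences(policyReferences.split(PDPConstants.ATTRIBUTE_SEPARATOR));
        }
        String policySetReferences = resource.getProperty(PDPConstants.POLICY_SET_REFERENCE);
        if (policySetReferences != null && policySetReferences.trim().length() > 0) {
            dto.setPolicySetIdReferences(policySetReferences.split(PDPConstants.ATTRIBUTE_SEPARATOR));
        }
        // Basic policy editor meta data is stored as a count plus one indexed property per entry
        dto.setPolicyEditor(resource.getProperty(PDPConstants.POLICY_EDITOR_TYPE));
        String metaDataAmount = resource.getProperty(PDPConstants.BASIC_POLICY_EDITOR_META_DATA_AMOUNT);
        if (metaDataAmount != null) {
            int amount = Integer.parseInt(metaDataAmount);
            if (amount < 0) {
                // A negative count would make the array allocation below fail
                throw new EntitlementException("Error while loading entitlement policy " + policyId + " from PAP policy store : invalid policy editor meta data amount " + amount);
            }
            String[] editorMetaData = new String[amount];
            for (int i = 0; i < amount; i++) {
                editorMetaData[i] = resource.getProperty(PDPConstants.BASIC_POLICY_EDITOR_META_DATA + i);
            }
            dto.setPolicyEditorData(editorMetaData);
        }
        PolicyAttributeBuilder policyAttributeBuilder = new PolicyAttributeBuilder();
        dto.setAttributeDTOs(policyAttributeBuilder.getPolicyMetaDataFromRegistryProperties(resource.getProperties()));
        return dto;
    } catch (NumberFormatException e) {
        // Raised by Integer.parseInt on POLICY_ORDER or the editor meta data amount; surface it
        // as a store error rather than an unchecked exception
        String message = "Error while loading entitlement policy " + policyId + " from PAP policy store : malformed numeric property";
        log.error(message, e);
        throw new EntitlementException(message);
    }
}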

Example 8 with EntitlementException

use of org.wso2.carbon.identity.entitlement.EntitlementException in project carbon-identity-framework by wso2.

The class EntitlementEngine, method evaluate:

/**
 * Evaluates the given XACML request and returns the response that the EntitlementEngine hands
 * back to the PEP. The PEP is expected to construct the XACML request before calling this method.
 *
 * A response already present in the decision cache is returned as is. Otherwise the request is
 * evaluated by the PDP — through a request context that every registered PIP extension may
 * update first, when extensions are configured — and the response is stored in the cache.
 * Request and response are only written to the debug log when the corresponding token type is
 * marked loggable.
 *
 * @param xacmlRequest XACML request as a String
 * @return XACML response as a String
 * @throws org.wso2.balana.ParsingException propagated from building the request context
 * @throws org.wso2.carbon.identity.entitlement.EntitlementException propagated from evaluation
 */
public String evaluate(String xacmlRequest) throws EntitlementException, ParsingException {
    if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.XACML_REQUEST)) {
        log.debug("XACML Request : " + xacmlRequest);
    }
    String response = (String) getFromCache(xacmlRequest, false);
    if (response == null) {
        Map<PIPExtension, Properties> extensions = EntitlementServiceComponent.getEntitlementConfig().getExtensions();
        boolean hasExtensions = extensions != null && !extensions.isEmpty();
        if (hasExtensions) {
            // Let each PIP extension enrich the request context before the PDP sees it
            Element requestElement = new PolicyRequestBuilder().getXacmlRequest(xacmlRequest);
            AbstractRequestCtx requestCtx = RequestCtxFactory.getFactory().getRequestCtx(requestElement);
            for (PIPExtension extension : extensions.keySet()) {
                extension.update(requestCtx);
            }
            response = pdp.evaluate(requestCtx).encode();
        } else {
            response = pdp.evaluate(xacmlRequest);
        }
        addToCache(xacmlRequest, response, false);
    }
    if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.XACML_RESPONSE)) {
        log.debug("XACML Response : " + response);
    }
    return response;
}

Example 9 with EntitlementException

use of org.wso2.carbon.identity.entitlement.EntitlementException in project carbon-identity-framework by wso2.

The class DefaultPolicyCollection, method getEffectivePolicy:

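/**
 * Attempts to retrieve a policy based on the given context. If multiple policies match then
 * this will either throw an exception or wrap the policies under a new PolicySet (depending on
 * how this instance was constructed). If no policies match, then this will return null. See the
 * comment in the class header about how this behaves when multiple versions of the same policy
 * exist.
 *
 * @param context evaluation context the candidate policies are matched against
 * @return the single matching policy, a PolicySet wrapping all matching policies, or null when
 *         no policy matches
 * @throws EntitlementException if matching any policy yields an INDETERMINATE result
 */
public AbstractPolicy getEffectivePolicy(EvaluationCtx context) throws EntitlementException {
    ArrayList<AbstractPolicy> matching = new ArrayList<AbstractPolicy>();
    for (TreeSet<AbstractPolicy> versions : policies.values()) {
        // Only the first (most recent) version of each policy id takes part in matching; an
        // empty version set has nothing to evaluate and first() would throw on it.
        if (versions.isEmpty()) {
            continue;
        }
        AbstractPolicy policy = versions.first();
        MatchResult match = policy.match(context);
        int result = match.getResult();
        if (result == MatchResult.INDETERMINATE) {
            // An error while matching aborts the whole lookup
            String message = match.getStatus().getMessage();
            log.error(message);
            throw new EntitlementException(message);
        }
        if (result != MatchResult.MATCH) {
            continue;
        }
        if (log.isDebugEnabled()) {
            log.debug("Matching XACML policy found " + policy.getId().toString());
        }
        // TODO: when no combining algorithm is configured, a second applicable top-level policy
        // should be reported as Status.STATUS_PROCESSING_ERROR ("too many applicable top-level
        // policies") instead of being collected silently.
        matching.add(policy);
    }
    if (matching.isEmpty()) {
        if (log.isDebugEnabled()) {
            log.debug("No matching XACML policy found");
        }
        return null;
    }
    if (matching.size() == 1) {
        return matching.get(0);
    }
    // Several applicable policies are combined under a synthetic PolicySet
    return new PolicySet(parentId, combiningAlg, null, matching);
}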

Example 10 with EntitlementException

use of org.wso2.carbon.identity.entitlement.EntitlementException in project carbon-identity-framework by wso2.

The class CarbonPolicyFinder, method findPolicy:

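/**
 * Finds the policy applicable to the given evaluation context.
 *
 * Before the lookup the locally held policies are brought up to date: if the policy cache has
 * been invalidated as a whole, the finder is re-initialised; otherwise only the policies flagged
 * by pending PolicyStatus entries (delete/update/create/order) are applied to the local
 * collection. The decision cache is cleared in both cases. Errors raised while matching are
 * reported through a PolicyFinderResult carrying a processing-error Status rather than
 * propagated.
 *
 * @param context evaluation context to find the effective policy for
 * @return the matching policy wrapped in a PolicyFinderResult, an empty result when nothing
 *         matches, or a result carrying an error Status when matching fails
 */
@Override
public PolicyFinderResult findPolicy(EvaluationCtx context) {
    if (EntitlementEngine.getInstance().getPolicyCache().isInvalidate()) {
        reinitializeAfterCacheInvalidation();
    } else {
        Collection<PolicyStatus> policies = EntitlementEngine.getInstance().getPolicyCache().getInvalidatedPolicies();
        if (policies != null && policies.size() > 0) {
            applyPolicyStatusUpdates(policies);
        }
    }
    return lookupEffectivePolicy(context);
}

/** Re-initialises this finder after a whole-cache invalidation and clears the dependent caches. */
private void reinitializeAfterCacheInvalidation() {
    init(this.finder);
    policyReferenceCache.clear();
    EntitlementEngine.getInstance().clearDecisionCache();
    EntitlementEngine.getInstance().resetCacheInvalidateState();
    if (log.isDebugEnabled()) {
        int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
        log.debug("Invalidation cache message is received. " + "Re-initialized policy finder module of current node and invalidate decision " + "caching for tenantId : " + tenantId);
    }
}

/**
 * Applies the pending per-policy invalidations to the local policy collection and clears the
 * consumed entries. The collection is locked while it is processed; presumably it is shared
 * with the cache that fills it — confirm against PolicyCache.
 *
 * @param policies non-empty collection of pending policy status entries
 */
private void applyPolicyStatusUpdates(Collection<PolicyStatus> policies) {
    synchronized (policies) {
        boolean reorder = false;
        policyReferenceCache.clear();
        EntitlementEngine.getInstance().clearDecisionCache();
        for (PolicyStatus policyStatus : policies) {
            String policyId = policyStatus.getPolicyId();
            String action = policyStatus.getPolicyAction();
            if (EntitlementConstants.PolicyPublish.ACTION_DELETE.equals(action)) {
                policyCollection.deletePolicy(policyId);
                policyCollectionOrder.remove(new PolicyDTO(policyId));
            } else if (EntitlementConstants.PolicyPublish.ACTION_UPDATE.equals(action)) {
                policyCollection.addPolicy(loadPolicy(policyId));
            } else if (EntitlementConstants.PolicyPublish.ACTION_CREATE.equals(action)) {
                policyCollection.addPolicy(loadPolicy(policyId));
                // A new policy has to be slotted into the ordered list
                reorder = true;
            } else if (EntitlementConstants.PolicyPublish.ACTION_ORDER.equals(action)) {
                if (applyPolicyOrder(policyId)) {
                    reorder = true;
                }
            }
        }
        if (reorder) {
            orderPolicyCache();
        }
        policies.clear();
    }
}

/**
 * Copies the stored order of the given policy into the local ordered list.
 *
 * @param policyId id of the policy whose order changed
 * @return true when the local list contained the policy and its order was updated
 */
private boolean applyPolicyOrder(String policyId) {
    int order = getPolicyOrder(policyId);
    if (order == -1) {
        // Nothing to apply when no order was reported (-1)
        return false;
    }
    // Look the entry up once; the original code ran indexOf twice for the same DTO
    int index = policyCollectionOrder.indexOf(new PolicyDTO(policyId));
    if (index == -1) {
        return false;
    }
    policyCollectionOrder.get(index).setPolicyOrder(order);
    return true;
}

/**
 * Resolves the effective policy for the context, translating a matching failure into a
 * processing-error Status on the result.
 *
 * @param context evaluation context
 * @return finder result holding the policy, nothing, or an error Status
 */
private PolicyFinderResult lookupEffectivePolicy(EvaluationCtx context) {
    try {
        AbstractPolicy policy = policyCollection.getEffectivePolicy(context);
        return policy == null ? new PolicyFinderResult() : new PolicyFinderResult(policy);
    } catch (EntitlementException e) {
        // Report the failure to the PDP as a processing error instead of propagating it
        ArrayList<String> code = new ArrayList<String>();
        code.add(Status.STATUS_PROCESSING_ERROR);
        return new PolicyFinderResult(new Status(code, e.getMessage()));
    }
}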
