/* * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. * * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved * * The contents of this file are subject to the terms * of the Common Development and Distribution License * (the License). You may not use this file except in * compliance with the License. * * You can obtain a copy of the License at * https://opensso.dev.java.net/public/CDDLv1.0.html or * opensso/legal/CDDLv1.0.txt * See the License for the specific language governing * permission and limitations under the License. * * When distributing Covered Code, include this CDDL * Header Notice in each file and include the License file * at opensso/legal/CDDLv1.0.txt. * If applicable, add the following below the CDDL Header, * with the fields enclosed by brackets [] replaced by * your own identifying information: * "Portions Copyrighted [year] [name of copyright owner]" * * $Id: AMCompliance.java,v 1.8 2009/01/28 05:34:47 ww203982 Exp $ * * Portions Copyright 2011-2015 ForgeRock AS. */ package com.iplanet.am.sdk; import com.iplanet.am.sdk.common.IComplianceServices; import com.iplanet.sso.SSOException; import com.iplanet.sso.SSOToken; import com.sun.identity.security.AdminTokenAction; import com.sun.identity.shared.debug.Debug; import com.sun.identity.sm.SMSException; import com.sun.identity.sm.ServiceSchema; import com.sun.identity.sm.ServiceSchemaManager; import org.forgerock.opendj.ldap.DN; import java.security.AccessController; import java.util.HashMap; import java.util.Map; import java.util.Set; /** * This class AMCompliance contains the functionality to support * iPlanet Compliant DIT. The methods of this class will be used by other * classes in com.iplanet.am.sdk package.

 *
 * Whether iPlanet Compliance mode is required is determined by the
 * com.iplanet.am.compliance parameter: a value of true for this parameter
 * means iPlanet Compliance mode is enabled.

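 *
 * NOTE: An explicit check must be performed using the
 * AMCompliance.isIplanetCompliant() method before calling any other
 * methods in this class.
 *
 * Thread-safety: the static state (the root suffix, the shared global-schema
 * handle and the deletedOrg cache) is read without locking; only removal from
 * the deletedOrg cache is synchronized.
 *
 * @deprecated As of Sun Java System Access Manager 7.1.
 */
@Deprecated
class AMCompliance implements AMConstants {

    /** Delegate that performs the directory-side compliance operations. */
    private static IComplianceServices complianceServices =
        AMDirectoryAccessFactory.getComplianceServices();

    /**
     * Cache of organization DNs treated as deleted. This class only ever
     * removes entries from it and nothing else can reach the field (it is
     * private), so in practice it stays empty; kept for compatibility.
     */
    static private Map deletedOrg = new HashMap();

    /** Global-schema attribute: create admin groups for new organizations. */
    protected static final String ADMIN_GROUPS_ENABLED_ATTR =
        "iplanet-am-admin-console-compliance-admin-groups";

    /** Global-schema attribute: compliance-style (marking) user deletion. */
    protected static final String COMPLIANCE_USER_DELETION_ATTR =
        "iplanet-am-admin-console-compliance-user-deletion";

    /** AM SDK base DN; stays null when init() could not determine it. */
    static private String rootSuffix;

    /**
     * Declared for API compatibility only: the schema lookups below go
     * through the shared {@code AMDCTree.gsc} handle, never this field.
     */
    static protected ServiceSchema gsc = null;

    static Debug debug = AMCommonUtils.debug;

    static {
        init();
    }

    /**
     * Initialises the static state by reading the AM SDK base DN.
     *
     * A missing base DN is logged as an error and leaves {@code rootSuffix}
     * null (an empty string is kept as-is). The DN-based methods below treat a
     * null root suffix as "nothing is under the root suffix" instead of
     * dereferencing it.
     */
    protected static void init() {
        rootSuffix = AMStoreConnection.getAMSdkBaseDN();
        if (rootSuffix == null || rootSuffix.equals("")) {
            debug.error("com.iplanet.am.rootsuffix property value "
                    + "should not be null");
        }
    }

    /**
     * Checks every parent organization of {@code dn} up to the base DN and
     * reports whether any of them is deleted. Delegates to the configured
     * compliance services.
     *
     * @param token SSO token of the user
     * @param dn string representing the DN of the object
     * @param profileType the profile type of the object whose ancestors are
     *        being checked
     * @return true if any ancestor organization is deleted
     * @throws AMException propagated from the compliance services
     */
    protected static boolean isAncestorOrgDeleted(SSOToken token, String dn,
            int profileType) throws AMException {
        return complianceServices.isAncestorOrgDeleted(token, dn, profileType);
    }

    /**
     * Removes {@code orgDN} and each of its ancestors below the root suffix
     * from the deletedOrg cache; called when a directory event notification
     * reports that the organization was modified.
     *
     * The walk stops at the configured root suffix (compared
     * case-insensitively) or, for a DN that does not lie under the root
     * suffix, at the DIT root. The previous implementation assumed every DN
     * eventually reaches the root suffix and dereferenced the null parent of
     * the DIT root otherwise.
     *
     * @param orgDN DN of the organization that has been modified; null is
     *        ignored. A malformed DN propagates the unchecked exception
     *        thrown by {@link DN#valueOf(String)}, as before.
     */
    protected static void cleanDeletedOrgCache(String orgDN) {
        if (orgDN == null || rootSuffix == null) {
            return;
        }
        String current = orgDN;
        while (!current.equalsIgnoreCase(rootSuffix)) {
            // remove() is a no-op for an absent key, so there is no need for
            // the unsynchronized containsKey() check-then-act the old code did
            synchronized (deletedOrg) {
                deletedOrg.remove(current);
            }
            DN parent = DN.valueOf(current).parent();
            if (parent == null) {
                // Reached the DIT root without meeting the root suffix:
                // orgDN lies outside the configured suffix.
                break;
            }
            current = parent.toString().toLowerCase();
        }
    }

    /**
     * Checks whether admin groups must be created for an organization.
     *
     * @param orgDN organization DN; only organizations at or directly under
     *        the root suffix can have admin groups enabled
     * @return true if admin groups need to be created
     * @throws AMException with error code "357" if the global schema cannot
     *         be read
     */
    protected static boolean isAdminGroupsEnabled(String orgDN)
            throws AMException {
        if (!isUnderRootSuffix(orgDN)) {
            return false;
        }
        boolean enabled = isGlobalFlagEnabled(ADMIN_GROUPS_ENABLED_ATTR, "357");
        if (debug.messageEnabled()) {
            debug.message("Compliance.isAdminGroupsEnabled = " + enabled);
        }
        return enabled;
    }

    /**
     * Checks whether the object is the root suffix itself or directly under
     * it.
     *
     * @param objDN object DN. A null or empty DN yields true: this is relied
     *        upon during search filter construction
     *        (AMSearchFilterManager.getSearchFilter()), so callers must not
     *        use this method on its own as an authorization decision.
     * @return true if {@code objDN} equals the root suffix or its parent is
     *         the root suffix; false when no root suffix was configured
     */
    protected static boolean isUnderRootSuffix(String objDN) {
        if ((objDN == null) || (objDN.length() == 0)) {
            return true;
        }
        if (rootSuffix == null) {
            // init() already logged the misconfiguration; nothing can be
            // under a suffix that is not known
            return false;
        }
        DN rootDN = DN.valueOf(rootSuffix);
        DN objectDN = DN.valueOf(objDN);
        // parent() is null for the DIT root; equals(null) is simply false
        return rootDN.equals(objectDN) || rootDN.equals(objectDN.parent());
    }

    /**
     * Checks whether Compliance User Deletion is enabled.
     *
     * @return true if Compliance User Deletion is enabled
     * @throws AMException with error code "359" if the global schema cannot
     *         be read
     */
    protected static boolean isComplianceUserDeletionEnabled()
            throws AMException {
        boolean enabled =
            isGlobalFlagEnabled(COMPLIANCE_USER_DELETION_ATTR, "359");
        if (debug.messageEnabled()) {
            debug.message("Compliance.isComplianceUserDeletionEnabled = "
                    + enabled);
        }
        return enabled;
    }

    /**
     * Returns the global schema of the administration service, loading it on
     * first use. The handle is shared through {@code AMDCTree.gsc} and is
     * assigned without locking, so concurrent first calls may each load it;
     * the later assignment simply wins.
     *
     * @throws SMSException if the service schema cannot be read
     * @throws SSOException if the admin token is not valid
     */
    private static ServiceSchema getGlobalSchema()
            throws SMSException, SSOException {
        if (AMDCTree.gsc == null) {
            // Privileged read: the admin token is used regardless of the
            // caller's own identity, so keep this limited to read-only
            // configuration lookups.
            SSOToken adminToken = (SSOToken) AccessController
                    .doPrivileged(AdminTokenAction.getInstance());
            ServiceSchemaManager scm =
                new ServiceSchemaManager(ADMINISTRATION_SERVICE, adminToken);
            AMDCTree.gsc = scm.getGlobalSchema();
        }
        return AMDCTree.gsc;
    }

    /**
     * Reads a boolean flag from the administration service's global-schema
     * defaults. Shared by isAdminGroupsEnabled() and
     * isComplianceUserDeletionEnabled(), which previously duplicated it.
     *
     * @param attrName global-schema attribute name
     * @param errorKey AMSDKBundle key used both as the logged message and as
     *        the AMException error code
     * @return true only when the first default value is the string "true"
     *         (case-insensitive); false when the attribute is absent, empty,
     *         or holds any other value
     * @throws AMException if the schema cannot be read; the underlying
     *         exception is logged but not attached, matching the
     *         AMException constructor available here
     */
    private static boolean isGlobalFlagEnabled(String attrName,
            String errorKey) throws AMException {
        try {
            Map attrMap = getGlobalSchema().getReadOnlyAttributeDefaults();
            Set values = (Set) attrMap.get(attrName);
            if (values == null || values.isEmpty()) {
                return false;
            }
            // constant-first comparison also tolerates a null element, where
            // val.equalsIgnoreCase("true") would have thrown
            String val = (String) values.iterator().next();
            return "true".equalsIgnoreCase(val);
        } catch (SMSException ex) {
            debug.error(AMSDKBundle.getString(errorKey), ex);
            throw new AMException(AMSDKBundle.getString(errorKey), errorKey);
        } catch (SSOException ex) {
            debug.error(AMSDKBundle.getString(errorKey), ex);
            throw new AMException(AMSDKBundle.getString(errorKey), errorKey);
        }
    }

    /**
     * Verifies and deletes the object identified by {@code profileDN} via the
     * compliance services.
     *
     * @param token SSO token of the user performing the deletion
     * @param profileDN DN of the object to delete
     * @throws AMException propagated from the compliance services
     */
    protected static void verifyAndDeleteObject(SSOToken token,
            String profileDN) throws AMException {
        complianceServices.verifyAndDeleteObject(token, profileDN);
    }

    /**
     * Returns the search filter used to find deleted objects of the given
     * type, as built by the compliance services.
     *
     * @param objectType object type the filter is for
     * @return the deleted-object search filter
     * @throws AMException propagated from the compliance services
     * @throws SSOException propagated from the compliance services
     */
    protected static String getDeletedObjectFilter(int objectType)
            throws AMException, SSOException {
        return complianceServices.getDeletedObjectFilter(objectType);
    }
}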