8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: PolicyEvaluator.java,v 1.19 2010/01/14 23:18:35 dillidorai Exp $
402cd5da45d9182b81c16a13c3568faf78701827Andrew Forrest * Portions Copyrighted 2011-2015 ForgeRock AS.
402cd5da45d9182b81c16a13c3568faf78701827Andrew Forrestimport static org.forgerock.openam.utils.CollectionUtils.asSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.Application;
ba3008548cd047b233fcd32bb3c5d69926eed22fAndrew Forrestimport com.sun.identity.entitlement.ApplicationManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.Entitlement;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.EntitlementException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.opensso.SubjectUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.monitoring.MonitoringUtil;
402cd5da45d9182b81c16a13c3568faf78701827Andrew Forrestimport com.sun.identity.monitoring.SsoServerPolicySvcImpl;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Condition;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.PolicyListener;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AdminTokenAction;
402cd5da45d9182b81c16a13c3568faf78701827Andrew Forrestimport org.forgerock.openam.entitlement.PolicyConstants;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>PolicyEvaluator</code> evaluates policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and provides policy decisions.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
0c9594d96d580b0cba488fa7d01802fbb49d8a3eCraig McDonnell * @deprecated since 12.0.0
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant used to identity all the resources of a service type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The resources include the sub resources of all resource prefixes of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "---ALL_RESOURCES---";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String ADVICING_ORGANIZATION
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "AdvicingOrganization";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant used to identity empty resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String EMPTY_RESOURCE_NAME = "";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant used for key to pass the requested resource name canonicalized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the env map, so that Condition(s)/ResponseProvider(s) could use
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the requested resource name, if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String SUN_AM_REQUESTED_RESOURCE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "sun.am.requestedResource";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant used for key to pass the requested resource name uncanonicalized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the env map, so that Condition(s)/ResponseProvider(s) could use
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the requested resource name, if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String SUN_AM_ORIGINAL_REQUESTED_RESOURCE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "sun.am.requestedOriginalResource";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant used for key to pass the requested actions names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the env map, so that Condition(s)/ResponseProvider(s) could use
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the requested actions names, if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String SUN_AM_REQUESTED_ACTIONS
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "sun.am.requestedActions";
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell * Constant used for key to pass the realm DN in the env map, so that Condition(s)
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell * can look up the relevant <code>PolicyConfig</code> config map, if necessary.
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell * <code>LDAPFilterCondition</code> needs to use PolicyConfig config map.
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell public static final String REALM_DN = "am.policy.realmDN";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String RESULTS_CACHE_SESSION_CAP
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "com.sun.identity.policy.resultsCacheSessionCap";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static int DEFAULT_RESULTS_CACHE_SESSION_CAP = 1000;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static int resultsCacheSessionCap = DEFAULT_RESULTS_CACHE_SESSION_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String RESULTS_CACHE_RESOURCE_CAP
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = "com.sun.identity.policy.resultsCacheResourceCap";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static int DEFAULT_RESULTS_CACHE_RESOURCE_CAP = 100;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static int resultsCacheResourceCap = DEFAULT_RESULTS_CACHE_RESOURCE_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final Debug DEBUG = PolicyManager.debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final boolean USE_POLICY_CACHE = true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final boolean INCLUDE_SUPER_RESOURCE_POLCIES = true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final long DEFAULT_USER_NSROLE_CACHE_TTL = 600000;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private ResourceIndexManager resourceIndexManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private HashMap booleanActionNameTrueValues; //cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private HashMap booleanActionNameFalseValues; //cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set actionNames; //all action names valid for the serviceType
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set orgNames = new HashSet(); // to pass org name in envParameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // used to pass service type name in envParameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // listener for policy decision cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecisionCacheListener listener = null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Cache to keep the policy evaluation results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Cache structure layout:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * cache ----> Servicename1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> servicename2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> servicenameN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * servicenameI ----> Resourcename1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> Resourcename2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> ResourcenameN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resourcenameI ----> userssotokenidstring1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> userssotokenidstring2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> userssotokenidstringN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * userssotokenidstringI ----> requestscope1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ----> requestscope2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * requestscope1 ----> resourceresult1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * requestscope2 ----> resourceresult2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The sso token listener registry for policy decision cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To avoid adding multiple sso token listeners for the same
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * token, we use this registry to make sure the listener is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * registered only once for each token. It will be unregistered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if token is expired.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Key is tokenId and value is policySSOTokenListener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ssoTokenIDString : PolicySSOTokenListener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Used to clean up cache on ssoToken notifications
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The policy change listener registry for policy decision cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To avoid adding multiple listeners for the same service, we
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * use this registry to make sure the listener is registered only
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * once for each service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Key is serviceTypeName and value is <code>PolicyDecisionCacheListener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * serviceTypeName : PolicyDecisionCacheListener for service type
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Used to clean up the decision cache on policy change notification
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest private static Map<String, PolicyDecisionCacheListener> policyListenerRegistry =
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest Collections.synchronizedMap(new HashMap<String, PolicyDecisionCacheListener>());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The user <code>nsRole</code> attribute cache.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * AMSDK cache stops caching a user's nsRole attribute in 6.2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * due to notification issue. Adding this cache in policy to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * avoid performance impact caused by the AMSDK change. This
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * cache uses a user's token as the key to map to the user's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>nsRole</code> attribute values.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Key is tokenId and value is set of role DN(s)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ssoTokenIDString : set of role DN(s)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // TTL value for entries in the user's nsRole attribute values.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * listener object to be used in cleaning up the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * userNSRoleCache, subjectEvaluationCache , user role
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * cache in LDAPRoles and policyResultsCache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * upon user token expiration.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Cache for sub resources keyed by resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The structure is a Map of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * serviceType(String) : resourceNamesCache(Cache)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Key for resourceNamesCache is a root resource name and value is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a <code>Set</code> of sub resource names for the root resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * serviceType: resourceName : resourceNames
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Map resourceNamesMap = new HashMap();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant key for passing organization name in the environment map during
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy evaluation. The value for the key would be a <code>Set</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with one element of type String. The string is the name of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * organization the policy evaluator has been instantiated for.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final String ORGANIZATION_NAME = "organizationName";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constant key for passing service type name in the environment map during
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy evaluation. The value for the key would be a <code>Set</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with one element of type String. The string is the name of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ServiceType</code> the policy evaluator has been instantiated for.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static final String SERVICE_TYPE_NAME = "serviceTypeName";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructor to create a <code>PolicyEvaluator</code> given the <code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ServiceType</code> name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceTypeName the name of the <code>ServiceType</code> for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which this evaluator can be used.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if <code>SSOToken</code> used by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyEvaluator</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws NameNotFoundException if the service with name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>serviceTypeName</code> is not found
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, NameNotFoundException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructor to create a <code>PolicyEvaluator</code> given organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name and the <code>ServiceType</code> name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param orgName the name of the organization under which the evaluation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is being done
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceTypeName the name of the <code>ServiceType</code> for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which this evaluator can be used.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public PolicyEvaluator(String orgName, String serviceTypeName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws SSOException, PolicyException, NameNotFoundException {
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest if ( (orgName == null) || (orgName.equals("/"))
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster orgName = com.sun.identity.sm.DNMapper.orgNameToDN(orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this.realm = com.sun.identity.sm.DNMapper.orgNameToRealmName(orgName);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest // Default application to be the service type, this maintains legacy behaviour.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceTypeManager stm = ServiceTypeManager.getServiceTypeManager();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster serviceType = stm.getServiceType(serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyManager = policyCache.getPolicyManager(orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this.orgNames.add(policyManager.getOrganizationDN());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceIndexManager = policyManager.getResourceIndexManager();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = SystemProperties.get(RESULTS_CACHE_SESSION_CAP);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = Integer.parseInt(resultsCacheSessionCapString);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "number format exception: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "defaulting resultsCacheSessionCap to "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsCacheSessionCap = DEFAULT_RESULTS_CACHE_SESSION_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "resultsCacheSessionCap not specified, "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "defaulting resultsCacheSessionCap to "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsCacheSessionCap = DEFAULT_RESULTS_CACHE_SESSION_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "resultsCacheSessionCap=" + resultsCacheSessionCap);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = SystemProperties.get(RESULTS_CACHE_RESOURCE_CAP);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = Integer.parseInt(resultsCacheResourceCapString);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "number format exception: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "defaulting resultsCacheResourceCap to "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsCacheResourceCap = DEFAULT_RESULTS_CACHE_RESOURCE_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "resultsCacheResourceCap not specified, "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "defaulting resultsCacheResourceCap to "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsCacheResourceCap = DEFAULT_RESULTS_CACHE_RESOURCE_CAP;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "resultsCacheResourceCap=" + resultsCacheResourceCap);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * Creates a new policy evaluator instance.
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * @param orgName
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * the name of the organization under which the evaluation is being done
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * @param serviceTypeName
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * the name of the <code>ServiceType</code> for which this evaluator can be used
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * @param applicationName
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * the application name containing the policies in question
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * @throws PolicyException
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * should some error occur constructor the evaluator
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * @throws SSOException
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * should some error occur with regards to any SSO token
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest public PolicyEvaluator(String orgName, String serviceTypeName, String applicationName)
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest * Register a policy listener for updating policy decision cache if there is none already registered.
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest synchronized (lock) {
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest if (!policyListenerRegistry.containsKey(serviceTypeName)) {
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest listener = new PolicyDecisionCacheListener(serviceTypeName);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest PolicyCache.getInstance().addPolicyListener(listener);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest DEBUG.error("PolicyEvaluator: registering policy decision cache listener failed");
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest policyListenerRegistry.put(serviceTypeName, listener);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest DEBUG.message("PolicyEvaluator:policy listener for service " + serviceTypeName + " added");
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest listener = policyListenerRegistry.get(serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates a simple privilege of boolean type. The privilege indicate
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the user can perform specified action on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Invoking this method would result in <code>PolicyException</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the syntax for the <code>actionName</code> is not declared to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * boolean, in the service schema.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionName name of the action the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the result of the evaluation as a boolean value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isAllowed(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String actionName) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (isAllowed(token, resourceName, actionName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates simple privileges of boolean type. The privilege indicate
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the user can perform specified action on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The evaluation depends on user's application environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Invoking this method would result in <code>PolicyException</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * if the syntax for the <code>actionName</code> is not declared to be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * boolean, in the service schema.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionName name of the action the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the result of the evaluation as a boolean value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isAllowed(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String actionName, Map envParameters) throws SSOException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyManager.isMigratedToEntitlementService()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return isAllowedE(token, resourceName, actionName, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return isAllowedO(token, resourceName, actionName, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public boolean isAllowedO(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String actionName, Map envParameters) throws SSOException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionSchema schema = serviceType.getActionSchema(actionName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache the false values for the action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues = new HashMap(10);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues.get(actionName)) == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add it to the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues.put(actionName, falseValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache the true values for the action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameTrueValues.get(actionName)) == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add it to the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameTrueValues.put(actionName, trueValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!AttributeSchema.Syntax.BOOLEAN.equals(schema.getSyntax())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "action_does_not_have_boolean_syntax", objs, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean actionAllowed = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision policyDecision = getPolicyDecision(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (ActionDecision) policyDecision.getActionDecisions()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private void padEnvParameters(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String actionName, Map envParameters) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((resourceName == null) || (resourceName.trim().length() == 0)) {
ba3008548cd047b233fcd32bb3c5d69926eed22fAndrew Forrest Application appl = ApplicationManager.getApplication(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceName = appl.getResourceComparator().canonicalize(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Add request resourceName and request actionNames to the envParameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //so that Condition(s)/ResponseProvider(s) can use them if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionNames = serviceType.getActionNames();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_REQUESTED_RESOURCE, resourceNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_ORIGINAL_REQUESTED_RESOURCE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_REQUESTED_ACTIONS, actions);
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell envParameters.put(REALM_DN, asSet(policyManager.getOrganizationDN()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Fix for OPENAM-811
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((userid != null) && (userid.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Required by the AMIdentityMembershipCondition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(Condition.INVOCATOR_PRINCIPAL_UUID, set);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.padEnvParameters() unable to get userid from token.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private boolean isAllowedE(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String actionName, Map envParameters) throws SSOException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((envParameters == null) || envParameters.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster padEnvParameters(token, resourceName, actionName, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionSchema schema = serviceType.getActionSchema(actionName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!AttributeSchema.Syntax.BOOLEAN.equals(schema.getSyntax())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "action_does_not_have_boolean_syntax", objs, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(
bf41c4342792552d38ff8e8857d4869470694fe3Andrew Forrest Subject adminSubject = SubjectUtils.createSubject(token);
bf41c4342792552d38ff8e8857d4869470694fe3Andrew Forrest Entitlement entitlement = new Entitlement(serviceTypeName, resourceName, actions);
bf41c4342792552d38ff8e8857d4869470694fe3Andrew Forrest entitlement.canonicalizeResources(adminSubject, realm);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest Evaluator eval = new Evaluator(adminSubject, applicationName);
bf41c4342792552d38ff8e8857d4869470694fe3Andrew Forrest return eval.hasEntitlement(realm, SubjectUtils.createSubject(token), entitlement, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private String getActionFalseBooleanValue(String actionName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionSchema schema = serviceType.getActionSchema(actionName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache the false values for the action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues = new HashMap(10);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues.get(actionName)) == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Add it to the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameFalseValues.put(actionName, falseValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private String getActionTrueBooleanValue(String actionName)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionSchema schema = serviceType.getActionSchema(actionName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Cache the true values for the action names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameTrueValues.get(actionName)) == null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster booleanActionNameTrueValues.put(actionName, trueValue);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates privileges of the user to perform the specified actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * on the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames a <code>Set</code> of <code>Sting</code> objects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * representing names of the actions the user is trying to perform on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public PolicyDecision getPolicyDecision(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionNames) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getPolicyDecision(token, resourceName, actionNames, null);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates privileges of the user to perform the specified actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * on the specified resource. The evaluation depends on user's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * application environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames <code>Set</code> of names(<code>String</code>) of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the action the user is trying to perform on the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters <code>Map</code> of run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, String resourceName, Set actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map envParameters) throws SSOException, PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (resourceName == null) || (resourceName.length() == 0) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceName = serviceType.canonicalize(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Add request resourceName and request actionNames to the envParameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //so that Condition(s)/ResponseProvider(s) can use them if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* compute for all action names if passed in actionNames is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster null or empty */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (actionNames == null) || (actionNames.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * We create new HashMap in place of empty map since
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Collections.EMPTY_MAP can not be modified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((envParameters == null) || envParameters.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_REQUESTED_RESOURCE, resourceNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_ORIGINAL_REQUESTED_RESOURCE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters.put(SUN_AM_REQUESTED_ACTIONS, actions);
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell envParameters.put(REALM_DN, asSet(policyManager.getOrganizationDN()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getPolicyDecision(token, resourceName, actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates privileges of the user to perform the specified actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * on the specified resource. The evaluation depends on user's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * application environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames <code>Set</code> of names(<code>String</code>) of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action the user is trying to perform on the resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param visitedOrgs names of organizations that have been already visited
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * during policy evaluation for this request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if any policy evaluation error.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, String resourceName, Set actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (PolicyManager.isMigratedToEntitlementService()) ?
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getPolicyDecisionE(token, resourceName, actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster envParameters) : getPolicyDecisionO(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluates privileges of the user to perform the specified actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * on the specified resource. The evaluation depends on user's
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * application environment parameters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actionNames <code>Set</code> of names(<code>String</code>) of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * action the user is trying to perform on the resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if any policy evaluation error.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, String resourceName, Set actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Evaluating policies at org " + orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* compute for all action names if passed in actionNames is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster null or empty */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (actionNames == null) || (actionNames.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken adminSSOToken = (SSOToken) AccessController.doPrivileged(
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest SubjectUtils.createSubject(adminSSOToken), applicationName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Subject sbj = (token != null) ? SubjectUtils.createSubject(token) :
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster List<Entitlement> entitlements = eval.evaluate(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster orgName, sbj, resourceName, envParameters, false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((entitlements != null) && !entitlements.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Entitlement e = entitlements.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (entitlementToPolicyDecision(e, actionNames));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (new PolicyDecision());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, String resourceName, Set actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("Evaluating policies at org " + orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* compute for all action names if passed in actionNames is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster null or empty */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (actionNames == null) || (actionNames.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet = resourceIndexManager.getPolicyNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster serviceType, resourceName, INCLUDE_SUPER_RESOURCE_POLCIES);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (token != null) ? token.getPrincipal().getName()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message(new StringBuffer("at PolicyEvaluator")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator policyIter = policyNameSet.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String policyName = (String) policyIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy policy = policyManager.getPolicy(policyName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //policy might have been removed or inactivated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision policyDecision = policy.getPolicyDecision(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster serviceTypeName, resourceName, actions, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!policy.isReferralPolicy() && policyDecision.hasAdvices()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster addAdvice(policyDecision, ADVICING_ORGANIZATION, orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Let us log all policy evaluation results
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyUtils.logStatus && (token != null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (decision != null && decision.length() != 0) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String[] objs = { policyName, orgName, serviceTypeName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyUtils.logAccessMessage("POLICY_EVALUATION",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster mergePolicyDecisions(serviceType, policyDecision,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!PolicyConfig.continueEvaluationOnDenyDecision()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actions.removeAll(getFinalizedActions(serviceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // add policy names to toRemovePolicyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getPolicyDecision():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // remove inactive/missing policies from policyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet.removeAll(toRemovePolicyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set orgsToVisit = getOrgsToVisit(policyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyConfig.orgAliasMappedResourcesEnabled()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && PolicyManager.WEB_AGENT_SERVICE.equalsIgnoreCase(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgAlias = policyManager.getOrgAliasWithResource(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgWithAlias = policyManager.getOrgNameWithAlias(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getPolicyDecision():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "adding orgWithAlias to orgsToVisit="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message(new StringBuffer("at PolicyEvaluator")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" orgsToVist=").append(orgsToVisit.toString())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message(new StringBuffer("at PolicyEvaluator")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" orgsToVist(after removing already visited orgs=")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster while ( !orgsToVisit.isEmpty() && !actions.isEmpty() ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgToVisit = (String) orgsToVisit.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // need to use admin sso token here. Need all privileges to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check for the organzation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyEvaluator pe = new PolicyEvaluator(orgToVisit,
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell * save current realm DN before passing control down to sub-realm
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell Set<String> savedRealmDn = (Set<String>) envParameters.get(REALM_DN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Update env to point to the realm policy config data.
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell envParameters.put(REALM_DN, asSet(DNMapper.orgNameToDN(orgToVisit)));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = pe.getPolicyDecision(token, resourceName, actionNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // restore back the policy config data for the parent realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster mergePolicyDecisions(serviceType, policyDecision,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!PolicyConfig.continueEvaluationOnDenyDecision()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster actions.removeAll(getFinalizedActions(serviceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets protected resources for a user identified by single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Conditions defined in the policies are ignored while
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * computing protected resources.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Only resources that are sub resources of the given
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>rootResource</code> or equal to the given <code>rootResource</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * would be returned.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If all policies applicable to a resource are
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * only referral policies, no <code>ProtectedResource</code> would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * returned for such a resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param rootResource only resources that are sub resources of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given <code>rootResource</code> or equal to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given <code>rootResource</code> would be returned
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>rootResource</code> would be returned.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If <code>PolicyEvaluator.ALL_RESOURCES</code> is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * passed as <code>rootResource</code>, resources under
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * all root resources of the service
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * type are considered while computing protected
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resources.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of protected resources. The set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains <code>ProtectedResource</code> objects.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if single sign on token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ProtectedResource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Set getProtectedResourcesIgnoreConditions(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (rootResource == null) || (rootResource.equals("")) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = resourceIndexManager.getTopLevelResourceNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = getResourceNames(token, topLevelResource, true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator resourceIter = resourceNames.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName = (String)resourceIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator iter1 = protectingPolicies.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets policies applicable to user that are protecting
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return set of policies applicable to user that are protecting the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * specified resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException policy exception coming from policy framework
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getProtectingPolicies(token, resourceName, new HashSet());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets policies applicable to user that are protecting
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the specified resource.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource the user is trying to access
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param visitedOrgs names of organizations that have been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * already visited during evaluation for this request
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return set of policies applicable to user that are protecting the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * specified resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException policy exception coming from policy framework
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, String resourceName, Set visitedOrgs)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // false - do not include super resource policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // includes EXACT_MATCH and WILD_CARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set policyNameSet = resourceIndexManager.getPolicyNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (token != null) ? token.getPrincipal().getName()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "at PolicyEvaluator.getProtectingPolicies()")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" principal, resource name, policy names,")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator policyIter = policyNameSet.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String policyName = (String) policyIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy policy = policyManager.getPolicy(policyName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //policy might have been removed or inactivated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // add policy names to toRemovePolicyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getProtectingPolicies():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // remove inactive/missing policies from policyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet.removeAll(toRemovePolicyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //include super resource policies provided they are referral policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet = resourceIndexManager.getSuperResourcePolicyNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String policyName = (String) policyIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy policy = policyManager.getPolicy(policyName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //policy might have been removed or inactivated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // add policy names to toRemovePolicyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getProtectingPolicies():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // remove inactive/missing policies from policyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet.removeAll(toRemovePolicyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set orgsToVisit = getOrgsToVisit(policyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "at PolicyEvaluator.getProtectingPolicies()")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" orgsToVist=").append(orgsToVisit.toString())
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyConfig.orgAliasMappedResourcesEnabled()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && PolicyManager.WEB_AGENT_SERVICE.equalsIgnoreCase(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgAlias = policyManager.getOrgAliasWithResource(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgWithAlias = policyManager.getOrgNameWithAlias(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getProtectingPolicies():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "adding orgWithAlias to orgsToVisit="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "at PolicyEvaluator.getProtectingPolicies()")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster .append(" orgsToVist(after removing already visited orgs=")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgToVisit = (String) orgsToVisit.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // need to use admin sso token here. Need all privileges to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check for the organzation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = new PolicyEvaluator(orgToVisit, serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set pp = pe.getProtectingPolicies(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyManager.debug.messageEnabled() || PolicyUtils.logStatus) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator pIter = protectingPolicies.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster sb.append(policy.getOrganizationName()).append(":")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyManager.debug.message("Computed policies "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " protecting resource "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "for principal:" + principalName + " " + pp);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyUtils.logStatus && (token != null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyUtils.logAccessMessage("PROTECTED_RESOURCES", objs, token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets resource result objects given a resource name. The set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains <code>ResourceResult</code> objects for all resources
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * that would affect policy decisions for any resource associated with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * argument resource name. To determine whether to include the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult</code> of a resource, we compare argument resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * name and policy resource name, treating wild characters in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name as wild. If the comparison resulted in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SUB_RESOURCE_MACTH</code>, the resource result would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param scope indicates whether to compute the resource result based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the policy decision for only the <code>resourceName</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or all the resources associated with the resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The valid scope values are:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.SUBTREE_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.STRICT_SUBTREE_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.SELF_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the scope is <code>ResourceResult.SUBTREE_SCOPE</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the method will return a set of <code>ResourceResult</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * objects, one of them for the <code>resourceName</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * its sub resources; the others are for resources that match
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the <code>resourceName</code> by wildcard. If the scope is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult.STRICT_SUBTREE_SCOPE</code>, the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method will return a set object that contains one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult</code> object. The
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult</code> contains the policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * regarding the <code>resourceName</code> and its sub
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resources. If the scope is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult.SELF_SCOPE</code>, the method will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * return a set object that contains one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>ResourceResult</code> contains the policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * regarding the <code>resourceName</code> only.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return set of <code>ResourceResult</code> objects
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#SUBTREE_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#STRICT_SUBTREE_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#SELF_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, String scope, Map envParameters)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (PolicyManager.isMigratedToEntitlementService()) ?
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getResourceResultsE(token, resourceName, scope, envParameters) :
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getResourceResultsO(token, resourceName, scope, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getResourceResultsO(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, String scope, Map envParameters)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsSet = getResourceResultTree(token, resourceName, scope,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResourceResult result = getResourceResultTree(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getResourceResultsE(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, String scope, Map envParameters)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((envParameters == null) || envParameters.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster padEnvParameters(token, resourceName, null, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean subTreeSearch = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //resultsSet = getResourceResultTree(token, resourceName, scope,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // envParameters).getResourceResults();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResourceResult result = getResourceResultTree(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster scope, envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsSet = new HashSet();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resultsSet.add(result);*/
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken adminSSOToken = (SSOToken)AccessController.doPrivileged(
5a26403f372c15120fe93224c2fb44c6efbd76ccAndrew Forrest // Parse the resource name before proceeding.
5a26403f372c15120fe93224c2fb44c6efbd76ccAndrew Forrest resourceName = serviceType.canonicalize(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Subject userSubject = SubjectUtils.createSubject(token);
2eddbb614c733c5bcfea3755b1fc891bc6379d14Andrew Forrest SubjectUtils.createSubject(adminSSOToken), applicationName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster List<Entitlement> entitlements = eval.evaluate(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new ResourceResult(ResourceResult.VIRTUAL_ROOT,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResourceResult r = entitlementToResourceResult(ent);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster virtualResourceResult.addResourceResult(r, serviceType);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(e.getMessage()); //TOFIX
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private ResourceResult entitlementToResourceResult(
65aacd9d067a36d3e7fcba054cf7460627a0d13cJaco Jooste return new ResourceResult(entitlement.getRequestedResourceName(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster entitlementToPolicyDecision(entitlement, Collections.EMPTY_SET));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private PolicyDecision entitlementToPolicyDecision(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionValues = entitlement.getActionValues();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((actionValues != null) && !actionValues.isEmpty()) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator i = actionValues.keySet().iterator(); i.hasNext();) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean isBooleanAction = true;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster as.getSyntax().equals(AttributeSchema.Syntax.BOOLEAN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Boolean values = (Boolean) actionValues.get(actionName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster set.add(getActionTrueBooleanValue(actionName));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster set.add(getActionFalseBooleanValue(actionName));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Parse the action name to get the value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionDecision ad = new ActionDecision(actionName, set);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((advices != null) && (!advices.isEmpty()) &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ((actionNames == null) || actionNames.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Determinte if the serviceType have boolean action values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster as.getSyntax().equals(AttributeSchema.Syntax.BOOLEAN)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster set.add(getActionFalseBooleanValue(actionName));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionDecision ad = new ActionDecision(actionName, set);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster pd.setResponseAttributes(entitlement.getAttributes());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets resource result given a resource name. <code>ResourceResult</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is a tree representation of policy decisions for all resources rooted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * at the resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To determine whether a resource defined in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is a sub resource of argument resource name, argument resource name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and policy resource name are compared, treating wild characters as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * literals. If comparison resulted in <code>EXACT_MACTH</code> or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SUB_RESOURCE_MACTH</code>, the resource would be included
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param scope indicates whether to compute the resource result based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the policy decision for only the <code>resourceName</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or all the resources associated with the resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The valid scope values are:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.SUBTREE_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.STRICT_SUBTREE_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <li><code>ResourceResult.SELF_SCOPE</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the scope is <code>ResourceResult.SUBTREE_SCOPE</code> or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult.STRICT_SUBTREE_SCOPE</code>, the method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will return a <code>ResourceResult</code> object that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains the policy decisions regarding the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>resourceName</code> and its sub resources.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the scope is <code>ResourceResult.SELF_SCOPE</code>, the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method will return a <code>ResourceResult</code> object that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * contains the policy decision regarding the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>resourceName</code> only. Note, scope values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult.SUBTREE_SCOPE</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ResourceResult.STRICT_SUBTREE_SCOPE</code> are being
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * treated as the same for backword compatibility reasons. This
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method is being deprecated. The method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>getResourceResults()</code> should be used instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ResourceResult</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#SUBTREE_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#STRICT_SUBTREE_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceResult#SELF_SCOPE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @deprecated Use <code>getResourceResults()</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ResourceResult getResourceResult(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, String scope, Map envParameters)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getResourceResultTree(token, resourceName, scope,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator: invalid request scope: " + scope);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets resource result given a resource name. <code>ResourceResult</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is a tree representation of policy decisions for all resources
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * that are sub resources of argument resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName name of the resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param scope indicates whether to compute the resource result based on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the policy decision for only the <code>resourceName</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or all the resources associated with the resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param envParameters run-time environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ResourceResult</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private ResourceResult getResourceResultTree(SSOToken token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName, String scope, Map envParameters)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("user sso token is null, forcing ResourceResult"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " evaluation to self_scope");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (resourceName == null) || (resourceName.equals("")) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceName = serviceType.canonicalize(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map clientEnv = PolicyUtils.cloneMap(envParameters);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check if we already have the result in the cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // policyResultsCache:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // serviceType -> resource -> sessionId -> scope -> result
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // rscCACHE: resource -> sessionId -> scope -> result
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map rscCache = (Map)policyResultsCache.get(serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // resultCACHE: sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map resultsCache = (Map)rscCache.get(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map results = (Map)resultsCache.get(userSSOTokenIDStr);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceResult = (ResourceResult)results.get(scope);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster long ttlMinimal = resourceResult.getTimeToLive();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //check envMap equality of request and cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " getResourceResult(): we get the "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "result from the cache.\n"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "PolicyEvaluator.getResourceesultTree()"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ":cached envMap does not equal "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "request envMap, request envMap = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* compute all action names if passed in actionNames is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster null or empty */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (actionNames == null) || (actionNames.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator:computing policy decisions "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision policyDecision = getPolicyDecision(token, resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceResult = new ResourceResult(resourceName, policyDecision);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (ResourceResult.SUBTREE_SCOPE.equals(scope)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = new ResourceResult(ResourceResult.VIRTUAL_ROOT,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster virtualResourceResult.addResourceResult(resourceResult,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster || ResourceResult.STRICT_SUBTREE_SCOPE.equals(scope)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNamesCache = new Cache(resultsCacheResourceCap);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNamesMap.put(serviceTypeName, resourceNamesCache);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set resourceNames = (Set)resourceNamesCache.get(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // true indicates to follow referral
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNames = getResourceNames(token, resourceName, true);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNames = removeDuplicateResourceNames(resourceNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNames = removeResourceName(resourceNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNamesCache.put(resourceName, resourceNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator:computing policy decisions "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator resourceNameIter = resourceNames.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subResourceName = (String) resourceNameIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (ResourceResult.SUBTREE_SCOPE.equals(scope) ||
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision pDecision = getPolicyDecision(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new ResourceResult(subResourceName, pDecision),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // Do not cache policy decision with advices
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // add the evaluation result to the result cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //cacheElem: sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // serviceType -> resourceName -> sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // rscElemCACHE: resourceName -> sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (rscElem != null) { // serviceType has been seen earlier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //CACHEElem: sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (cacheElem != null) { // resource seen earlier
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (scopeElem == null) { // seeing sessionId first time
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // seeing the resource first time
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "PolicyEvaluator.getResourceResultTree()"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Create Cache for:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // seeing service for first time
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // rscElemCACHE: resourceName -> sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //CACHEElem: sessionId -> scope -> resourceResult
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "PolicyEvaluator.getResourceResultTree()"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Create Cache for:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "PolicyEvaluator.getResourceResultTree()"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Create Cache for:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyResultsCache.put(serviceTypeName, rscElem);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "failed to add sso token listener");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ssoListenerRegistry.put(userSSOTokenIDStr, ssoListener);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getResourceResultTree():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " sso listener added .\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator: we added the evaluation "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " result to the cache");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets resource names that are exact matches, sub resources or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * wild card matches of argument resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To determine whether to include a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name of a resource, we compare argument resource name and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy resource name, treating wild characters in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name as wild. If the comparison resulted in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SUB_RESOURCE_MACTH</code>, the resource result would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resoure name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param followReferral indicates whether to follow the referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defined in policies to compute resource names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return names of sub resources for the given <code>resourceName</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The return value would also include the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>resourceName</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Set getResourceNames(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean followReferral) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster visitedOrgs.add(policyManager.getOrganizationDN());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getResourceNames(token, resourceName, followReferral,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**Gets resource names that are exact matches, sub resources or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * wild card matches of argument resource name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * To determine whether to include a
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name of a resource, we compare argument resource name and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy resource name, treating wild characters in the policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource name as wild. If the comparsion resulted in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>SUB_RESOURCE_MACTH</code>, the resource result would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param resourceName resoure name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param followReferral indicates whether to follow the referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * defined in policies to compute resource names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param visitedOrgs organizations that were already visited to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compute resource names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return names of sub resources for the given <code>resourceName</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The return value would also include the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>resourceName</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#EXACT_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#SUB_RESOURCE_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see ResourceMatch#WILDCARD_MATCH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Set getResourceNames(SSOToken token, String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getResourceNames():entering");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet = resourceIndexManager.getSubResourcePolicyNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceIndexManager.getPolicyNames(serviceType,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceName, true)); //include policies of super resources
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceIndexManager.getWildSubResourcePolicyNames(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (policyNameSet != null) && (!policyNameSet.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator policyIter = policyNameSet.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String policyName = (String) policyIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy policy = policyManager.getPolicy(policyName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // policy could have been deleted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // true inidicates to follow referrals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set pResourceNames = policy.getResourceNames(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else { // add policy names to toRemovePolicyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getResourceNames():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // remove inactive/missing policies from policyNameSet
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyNameSet.removeAll(toRemovePolicyNameSet);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster orgsToVisit.addAll(getOrgsToVisit(policyNameSet));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getResourceNames():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "realmAliasEnabled="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + PolicyConfig.orgAliasMappedResourcesEnabled()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (PolicyConfig.orgAliasMappedResourcesEnabled()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && PolicyManager.WEB_AGENT_SERVICE.equalsIgnoreCase(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgAlias = policyManager.getOrgAliasWithResource(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgWithAlias = policyManager.getOrgNameWithAlias(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getgetResourceNames():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "adding orgWithAlias to orgsToVisit="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getgetResourceNames():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String orgToVisit = (String) orgsToVisit.iterator().next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //resourceNames.add(resourceName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // need to use admin sso token here. Need all privileges to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check for the organzation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getgetResourceNames():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Organization does not exist - "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyEvaluator pe = new PolicyEvaluator(orgToVisit,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNames.addAll(pe.getResourceNames(token,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Adds a policy listener that would be notified whenever a policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is added, removed or changed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyListener the listener to be added
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void addPolicyListener(PolicyListener policyListener) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Removes a policy listener that was previously registered
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to receive notifications whenever a policy is added, removed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * or changed. It is not an error to attempt to remove a listener
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * that was not registered. It would return silently.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param policyListener the listener to be removed
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @supported.api
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void removePolicyListener(PolicyListener policyListener) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyCache.removePolicyListener(policyListener);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Merges two policy decisions.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Merging policy decisions merges each action decision of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy with the corresponding action decision of the other
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy. This method also merges ResponseProviderDecision of one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy ( response attributes per policy)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with that of the other policy.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * These are the rules followed to merge each action decision:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the action schema has boolean syntax, boolean false value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * overrides boolean true value. The time to live of boolean false
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value overrides the time to live of boolean true value.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise, action values are simply aggregated. Time to live
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is set to the minimum of time to live(s) of all values of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For response attributes, all response attributes are aggregated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * In case of mutiple values for the same attribute
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * they appear as multi valued data for the attribute.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceType service type that would be consulted to merge the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policy decisions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd1 policy decision 1
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd2 policy decision 2
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the merged policy decision.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Policy decisions pd1 and pd2 are merged into pd2 and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * pd2 is returned.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static PolicyDecision mergePolicyDecisions(ServiceType
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster serviceType, PolicyDecision pd1, PolicyDecision pd2) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map actionDecisions1 = pd1.getActionDecisions();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionDecision ad1 = (ActionDecision) actionDecisions1.get(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyUtils.appendMapToMap(pd1.getResponseAttributes(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyUtils.appendMapToMap(pd2.getResponseAttributes(),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster pd2.setResponseAttributes(mergedReponseAttrsMap);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets a set of action names for which final values have been
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * determined. We assume the final values have been determined
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * for an action if the action schema syntax is boolean and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value is boolean false value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceType service type that would be consulted to decide
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the final values for actions
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd policy decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator actions = actionDecisions.keySet().iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = (ActionDecision) actionDecisions.get(action);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("can not find action schmea for action = " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets names of organizations to visit for policy evaluation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * based on the give policy names. This is used to follow
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * OrgReferral(s) defined in the policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return names of organization to visit
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>token</code> is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException for any other abnormal condition
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator policyNames = policyNameSet.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String policyName = (String) policyNames.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Policy policy = policyManager.getPolicy(policyName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster orgsToVisit.addAll(policy.getReferredToOrganizations());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This would be a costly operation.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Can be avoided if ResourceName has api for getting canonical name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When the policies are stored, resource names would be converted to and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * stored as canonical name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Set removeDuplicateResourceNames(Set resourceNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (resourceNames != null) && (serviceType != null) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean duplicate = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String answerResourceName = (String) answerIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Removes the <code>resourceName</code> from the <code>Set</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of resource names matching on <code>serviceType</code> and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * performing a <code>ResourceMatch.EXACT_MATCH</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Set removeResourceName(Set resourceNames,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceType serviceType, String resourceName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (resourceNames != null) && (serviceType != null)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster rName, false).equals(ResourceMatch.EXACT_MATCH) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Handles policyChanged notifications - clears the cached resource
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * names for the service type name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param serviceTypeName service type name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pe policy event
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster static void policyChanged(String serviceTypeName, PolicyEvent pe) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaulator.policyChanged():serviceTypeName="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = (Cache)resourceNamesMap.get(serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((resourceNamesCache == null) || (resourceNamesCache.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator.policyChanged: enterred try block");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceTypeManager stm = ServiceTypeManager.getServiceTypeManager();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ServiceType serviceType = stm.getServiceType(serviceTypeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Enumeration resourceNames = resourceNamesCache.keys();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceName = (String)resourceNames.nextElement();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (resourceNamesToRemove.contains(resourceName)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set affectedResourceNames = pe.getResourceNames();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator iter = affectedResourceNames.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String affectedResourceName = (String)iter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator iter1 = resourceNamesToRemove.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceNameToRemove = (String) iter1.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster resourceNamesCache.remove(resourceNameToRemove);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator.policyChanged:", e);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.error("PolicyEvaluator.policyChanged:", pex);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaulator.policyChanged():serviceTypeName="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", new cached resoruceNames="
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Add an advice to the policy decision.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param pd <code>PolicyDecision</code> in which to add the advice.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param adviceKey key to the condition generating the advice
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * like SessionCondition.SESSION_CONDITION_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * AuthSchemeCondition.AUTH_SCHEME_CONDITION_ADVICE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param adviceValue advice message to be added to the advice
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static void addAdvice(PolicyDecision pd, String adviceKey,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator actionDecisionIter = actionDecisions.keySet().iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String key = (String) actionDecisionIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ActionDecision ad = (ActionDecision) actionDecisions.get(key);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get the policy decision for a resource ignoring the subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyDecision getPolicyDecisionIgnoreSubjects(String resourceName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set actionNames, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Add request resourceName and request actionNames to the envParameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * so that Condition(s)/ResponseProvider(s) can use them if necessary
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* compute for all action names if passed in actionNames is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster null or empty */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (actionNames == null) || (actionNames.isEmpty()) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //We create new HashMap in place of empty map since
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Collections.EMPTY_MAP can not be modified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster env.put(SUN_AM_REQUESTED_RESOURCE, resourceNames);
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell env.put(REALM_DN, asSet(policyManager.getOrganizationDN()));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return getPolicyDecision(null, resourceName, actionNames, env,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Get the set of role DNs of a user. The role DNs are cached to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * improve the performance of IdentityServerRole subject membership
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * validation.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user evaluating policies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The set of user <code>nsRole</code> attribute values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException single-sign-on token invalid or expired
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if an error occured while getting the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * user's nsRole attribute value set
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set getUserNSRoleValues(SSOToken token)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized(userNSRoleCache) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map pConfigValues = PolicyConfig.getPolicyConfig(orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PolicyConfig.getSubjectsResultTtl(pConfigValues);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster userNSRoleCacheTTL = DEFAULT_USER_NSROLE_CACHE_TTL;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.warning("Invalid TTL got from configuration."
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Set TTL to default:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String tokenIDStr = token.getTokenID().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Object[] element = (Object[])userNSRoleCache.get(tokenIDStr);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getUserNSRoleValues():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " get the nsRole values from cache.\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // add or update the cache entry.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // we come here either the token is first registered with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // cache or the cache element is out of date.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMStoreConnection am = new AMStoreConnection(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMUser user = am.getUser(token.getPrincipal().getName());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // get all the roles assigned to the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getUserNSRoleValues():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!ssoListenerRegistry.containsKey(tokenIDStr)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ssoListenerRegistry.put(tokenIDStr, ssoListener);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("PolicyEvaluator.getUserNSRoleValues():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " sso listener added .\n");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(e));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * record stats for policyResultsCache, ssoListenerRegistry,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * policyListenerRegistry, userNSRoleCache, resouceNamesMap
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster synchronized (policyResultsCache) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyStats.record("PolicyEvaluator: Number of services in "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyStats.record("PolicyEvaluator: Number of token IDs in "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " sessionListernerRgistry:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyStats.record("PolicyEvaluator: Number of serviceNames "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " in policyListenerRegistry: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyStats.record("PolicyEvaluator: Number of token IDs "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " in role cahce: " + userNSRoleCache.size());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster policyStats.record("PolicyEvaluator:Number of serviceNames in "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " resourceNames cache: "