PolicyManager.java revision 6636284dd99df27fda992fb77fb6236657269ec9
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PolicyManager.java,v 1.19 2010/01/25 23:48:15 veiming Exp $
*
* Portions Copyrighted 2011-2014 ForgeRock AS.
*/
/**
* The <code>PolicyManager</code> class manages policies
* for a specific organization, sub organization or a container.
* This class is the
* starting point for policy management, and provides methods to
* <p>It is a final class
* and hence cannot be further extended. The methods in this class
* works directly with the backend datastore (usually a
* directory server) to store and manage policies. Hence, user
* of this class must have valid <code>SSOToken</code>
* and privileges to the backend datastore.
*
* @supported.api
* @deprecated since 12.0.0
*/
public final class PolicyManager {
/**
* The service name for Policy component.
* @supported.api
*/
/**
* The key for the plugins to get the organization name.
* @supported.api
*/
public static final String DELEGATION_REALM =
"/sunamhiddenrealmdelegationservicepermissions";
static final String POLICY_RULE_EXCLUDED_RESOURCE_NODE =
"ExcludedResourceName";
static final String
POLICY_INDEX_ROOT_NODE_TYPE_ATTR_RESOURCES_VALUE = "Resources";
private ServiceConfigManager scm;
private OrganizationConfigManager ocm;
private ResourceManager rm;
private ServiceTypeManager svtm;
private SubjectTypeManager stm;
private ConditionTypeManager ctm;
private ResponseProviderTypeManager rpm;
private ReferralTypeManager rtm;
private PolicyCache policyCache;
private ResourceIndexManager rim;
private static ServiceSchemaManager ssm;
// Can be shared by classes
private static boolean migratedToEntitlementService = false;
/**
* Constructor for <code>PolicyManager</code> for the
* top (or root) organization. It requires a <code>SSOToken
* </code> which will be used to perform all data store
* operations. If the user does not have sufficient
* privileges <code>NoPermissionException</code> will be thrown.
*
* @param token <code>SSOToken</code> of the user managing policy
*
* @throws SSOException invalid or expired single-sign-on token
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
this(token, "");
if (debug.messageEnabled()) {
}
}
/**
* Constructor for <code>PolicyManager</code> for the
* specified organization, sub organization or a container object.
* The names of the organization, sub organization or the
* container object could be either "/" separated (as per SMS)
* or could be the complete DN of the object.
* etc., or <code>"ou=tacobell, o=pepsi, o=isp"<code>,
* <code>"o=coke, o=isp"</code>, etc.
* The constructor also requires a single sign on token.
* which will be used to perform all data store
* operations. If the user does not have sufficient
* privileges <code>NoPermissionException</code> will be thrown.
*
* @param token single-sign-on token of the user managing policies
* @param name name of the organization, sub organization
* or container for which to manage policies.
* The name could be either slash (/) separated
* or the complete DN.
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NameNotFoundException if the given organization,
* sub-organization or container name is not present
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
try {
// Check name i.e., org name
givenOrgName = name;
} catch (SMSException se) {
"Unable to get service config manager", se);
throw (new PolicyException(se));
}
if (debug.messageEnabled()) {
" for organization: " + org);
}
if (SystemProperties.isServerMode()) {
} else {
}
// Retrieves a singleton instance of LockFactory shared across policy.
}
/**
* Gets the organization name for which the policy manager
* was initialized with. The organization name could either be
* slash ("/") separated or could be the distinguished name
* depending on the manner in which it was initialized.
*
* @return organization name for which the policy manager was
* instantiated
*
* @supported.api
*/
public String getOrganizationName() {
return (givenOrgName);
}
/**
* Gets the policy config attribute values defined for this policy manager
* @return policy config attributes defined for this policy manager. Also,
* includes the organization distinguished name.
*/
public Map getPolicyConfig() {
try {
} catch (PolicyException pe) {
}
if (policyConfig != null) {
} else {
+ org + ". Most likely it has been unregistered."
+ " It is not recommended to unregister the policy"
+ " configuration serivce. If you do so, the result"
+ " is undefined.");
}
return policyConfig;
}
/**
* Gets the organization DN
* @return DN of the organization for which this policy manager
* was created
*/
return (org);
}
/**
* Gets a set of names of polices defined in the
* organization for which the policy manager was instantiated.
* If there are no policies defined, this method returns
* an empty set (not null).
*
* @return <code>Set</code> of names of policies defined in the organization
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to get policy names
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
return (getPolicyNames("*"));
}
/**
* Gets a set of selected policy names matching the
* pattern in the given organization. The pattern
* accepts "*" as the wild card for searching policy names.
* For example if the pattern is "co*", it returns policies
* starting with "co". Similarly, if the pattern is "*net", it returns
* policies ending with "net". The wildcard can be anywhere in the
* the string. If there are no policies that match the provided filter,
* this method returns an empty set (not null).
*
* @param pattern search pattern that will be used to select policy names
*
* @return <code>Set</code> of policy names that satisfy the pattern
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to get policy names
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
try {
if (namedPolicy == null) {
return (Collections.EMPTY_SET);
} else {
return (namedPolicy.getSubConfigNames());
} else {
}
}
} catch (SMSException se) {
+ org);
// Check for permission exception
"insufficient_access_rights", null));
} else {
// Throw generic policy exception
"unable_to_get_policies_for_organization", objs,
se));
}
}
}
/**
* Gets the LDAP DN (distinguished name) for the named policy
* @param policyName name of the policy
* @return DN of the policy
* @throws SSOException if single sign on token associated with the policy
* manager is not valid.
* @throws NoPermissionException if not enough permissions
* @throws NameNotFoundException if the policy is not found
* @throws PolicyException for any other abnormal condition
*
*/
// Get the policy. If the policy does not exists it will
// throw NameNotFoundException
// Policy is present, construct the DN and return
}
/**
* Gets the policy object given the name of the policy.
*
* @param policyName name of the policy
* @return policy with the given policy name
* @throws SSOException if single sign on token associated with the policy
* manager is not valid.
* @throws NoPermissionException if not enough permissions.
* @throws InvalidFormatException if <code>policyName</code> has
* invalid format.
* @throws NameNotFoundException if the policy is not found.
* @throws InvalidNameException if <code>policyName</code> is invalid.
* @throws PolicyException for any other abnormal condition.
*
*
* @supported.api
*/
if (policyName == null) {
}
if (debug.messageEnabled()) {
" in organization: " + org);
}
// Check the cache %%% Need to have notification for policy changes
try {
if ((namedPolicy == null) ||
// Named policy node or policy node does not exist
if (debug.warningEnabled()) {
" in organization: " + org);
}
}
// Now create a policy object out of the XML blob
try {
" in organization: " + org);
// throw generic policy exception
throw (new PolicyException(xmle));
}
}
if (debug.messageEnabled()) {
" for organization: " + org);
}
// Return the policy object
if (policyConfig != null) {
}
return (answer);
} catch (SMSException se) {
" in organization: " + org);
// Check for permission exception
"insufficient_access_rights", null));
} else {
// Throw generic policy exception
}
}
}
/**
* Adds a policy to the data store.
*
* @param policy policy object to be added to the organization
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to add policy
* @throws InvalidFormatException the data in the policy object
* has been corrupted or does not have a valid format
* @throws NameAlreadyExistsException a policy with the same
* name already exists
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
//TODO: handle non DNs/
if (debug.messageEnabled()) {
+ realmName + ", policy has realm subjects "
+ " from realm : " + subjectRealm);
}
//TODO : add logging?
}
//testCreatedBy is set if we are doing policy replaced.
}
// Construct the named policy
// Get(create if necessary) ou=policies entry
try {
//create the policy entry
if (isMigratedToEntitlementService()) {
policy);
} else {
// do the addition in resources tree
//rm.addPolicyToResourceTree(policy);
}
} catch (EntitlementException e) {
"unable_to_add_policy", objs, e));
} catch (ServiceAlreadyExistsException e) {
if (PolicyUtils.logStatus) {
}
} catch (SMSException se) {
if (PolicyUtils.logStatus) {
token);
}
// Check for permission exception
"insufficient_access_rights", null));
} else {
// Throw generic policy exception
"unable_to_add_policy",
}
}
if (PolicyUtils.logStatus) {
}
}
/**
* Replaces a policy object in the data store with the same policy name
*
* @param policy policy object to be added to the organization
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to replace policy
* @throws NameNotFoundException policy with the same name does
* not exist.
* @throws InvalidFormatException the provide policy from the
* data store has been corrupted or does not have a valid format
* @throws PolicyException for any other abnormal condition.
*
* @supported.api
*/
if (debug.messageEnabled()) {
+ realm + ", policy has realm subjects "
+ " from realm : " + subjectRealm);
}
}
// Construct the named policy
// Get(create if necessary) ou=policies entry
try {
if ( oldPolicyName != null ) {
} else {
}
if ( policyEntry == null ) {
if ( oldPolicyEntry != null ) {
// reset the policy name
// TODO: need to think this through
} else {
// neither the new policy nor the old policy is present
"policy_not_found_in_organization", objs,
}
} else { //newPolicy exisits
if((oldPolicyName != null) &&
if (PolicyUtils.logStatus) {
"DID_NOT_REPLACE_POLICY",
}
}
// Acquire lock to ensure atomicity when updating policy.
try {
if (isMigratedToEntitlementService()) {
} else {
}
} finally {
}
}
}
} catch (EntitlementException e) {
"unable_to_replace_policy", objs, e));
} catch (SMSException se) {
if (PolicyUtils.logStatus) {
token);
}
// Check for permission exception
"insufficient_access_rights", null));
} else {
// Throw generic policy exception
}
}
if (PolicyUtils.logStatus) {
}
}
/**
* Deletes a policy in the organization with the given name.
*
* @param policyName name of the policy to be deleted
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to remove policies
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
// Check if name is valid
if (policyName == null) {
if (debug.warningEnabled()) {
}
}
try {
// Get service config for named policy node
if (namedPolicy != null) {
/* Remove the named policy
* before removing the named policy
* prepare for changes in resources tree
*/
// do the removal of policy
if (isMigratedToEntitlementService()) {
// should use super admin token to remove the index store
// entry
if (policy.isReferralPolicy()) {
} else {
}
} else {
// do the removal in resources tree
}
}
}
} catch (EntitlementException e) {
} catch (ServiceNotFoundException snfe) {
snfe.getMessage() );
} catch (SMSException smse) {
if (PolicyUtils.logStatus) {
token);
}
// Check for permission exception
"insufficient_access_rights", null));
} else {
// Throw generic policy exception
}
}
if (PolicyUtils.logStatus) {
}
}
/**
* Gets the <code>ResourceManager</code> object instance associated
* with this <code>PolicyManager</code> object instance
*
* @return <code>ResourceManager</code> object
*
* @supported.api
*/
public ResourceManager getResourceManager() {
return rm;
}
/**
* Gets the <code>SubjectTypeManager</code> object instance associated
* with this <code>PolicyManager</code> object instance
*
* @return <code>SubjectTypeManager</code> object
*
* @supported.api
*/
public SubjectTypeManager getSubjectTypeManager() {
stm = new SubjectTypeManager(this);
}
return (stm);
}
/**
* Gets the <code>ConditionTypeManager</code> object instance associated
* with this <code>PolicyManager</code> object instance
*
* @return <code>ConditionTypeManager</code> object
*
* @supported.api
*/
public ConditionTypeManager getConditionTypeManager() {
ctm = new ConditionTypeManager(this);
}
return (ctm);
}
/**
* Gets the <code>ResponseProviderTypeManager</code> object instance
* associated with this <code>PolicyManager</code> object instance
*
* @return <code>ResponseProviderTypeManager</code> object
*
*/
rpm = new ResponseProviderTypeManager(this);
}
return (rpm);
}
/** Creates or gets a node (namedPolicy, resources, or userCollection)
* under ou=policies
*/
// Get service config that represents named policy node
try {
if (debug.messageEnabled()) {
" tree for org: " + org);
}
// create the named policy node
// Check if policy tree is created
}
configName)) == null)) {
// Throw generic policy exception
}
}
} catch (SMSException smse) {
// Debug messages
// Check for permission exception
"insufficient_access_rights", objs));
} else {
// Throw generic policy exception
}
}
return (sConfig);
}
/**
* Creates the policy tree, ou=policy, ou=services, ...
*/
try {
// Get the iPlanetPolicyService node
// Since not present, create organization services node
// i.e, ou=services, <org dn> and ou=iPlanetPolicyService,
// ou=services, ...
// Since it is created above, get it
}
// Create requested policy sub node
// i.e., ou=<configName>, ou=iPlanetPolicyService, ou=services, ...
} catch (ServiceAlreadyExistsException se) {
// do nothing
if (debug.messageEnabled()) {
" Policy service already exists under org->" + org);
}
} catch (SMSException e) {
// Check for permission exception
"insufficient_access_rights", null));
} else {
"unable_to_create_policy_for_org", objs, e));
}
}
}
/**
* Verifies if the name, which specifies a organization,
* a suborganization or a container object, is in DN format; If not,
* the name will be converted to a DN. Furthermore, whether the entry
* corresponding to the DN exists is also checked.
*
* @param name name of the organization, suborganization
* or container for which to manage policies.
* The name could be either slash (/) separated
* or the complete DN.
*
* @return the name in DN format (possibly converted from slash format)
*
* @throws SSOException invalid or expired single-sign-on token
* @throws InvalidNameException the name is null
* @throws NameNotFoundException if the given organization,
* sub-organization or container name is not present
*/
// Check for null name
}
/* this mapping call is required if name is not a DN
* or if the name is not DN of a realm
* This call is harmless if the DN is already DN of a realm
*/
// Check to see if the organization exists
// if not present throw NameNotFoundException
if (debug.warningEnabled()) {
orgName + " failed since entry does not exist");
}
}
return (orgName);
}
/**
* Gets a list of subordinate organizations or containers. If
* there are no subordinate organizations or containers, returns
* an empty set (not null).
*
* @return set of valid subordinate organizations or containers
*
* @throws SSOException invalid or expired single-sign-on token
* @throws NoPermissionException user does not have sufficient
* privileges to replace policy
*/
throw (new UnsupportedOperationException());
}
/**
* Gets sub-organizations, given a filter. The filter
* accepts "*" as the wild card for searching sub-organization names.
* For example if the filter is "co*", it returns sub-organizations
* starting with "co". Similarly, if the filter is "*net", it returns
* sub-organizations ending with "net".
*
* @param filter the search filter that be used to
* identify sub-organizations
*
* @return a set of sub-organizations
*/
throws SSOException, PolicyException {
throw (new UnsupportedOperationException());
}
/**
* Gets sub-organization's policy manager.
*
* @param subOrgName name of the sub-organization organization. This
* should be relative to the current organization.
*
* @return returns the policy manager for the organization;
* else returns <code>null</code>.
*/
throws SSOException, PolicyException {
// the assumption is that orgnames are / separated
}
/**
* Gets <code>ServiceTypeManager</code> associated with this
* policy manager
*/
return svtm;
}
/**
* Returns <code>ReferralTypeManager</code> associated with this
* policy manager.
*
* @return <code>ReferralTypeManager</code> associated with this
* policy manager.
* @supported.api
*/
public ReferralTypeManager getReferralTypeManager() {
rtm = new ReferralTypeManager(this);
}
return rtm;
}
/**
* Gets plugins schemas for a given interface name
*/
try {
ssm = new ServiceSchemaManager(
"Cannot create service schema " +
"manager for policy", se);
return (Collections.EMPTY_SET);
}
}
try {
/* Get the plugin schema names for the root
* In the future might want to customize it for org
*/
} catch (Exception e) {
"Cannot get plugin schemas: " +
interfaceName + " for policy", e);
return (Collections.EMPTY_SET);
}
}
/**
* Gets PluginSchema object for the given plugin interface name
* and plugin name. Returns <code>null</code> if not present.
*/
String pluginName) {
try {
} catch (Exception e) {
"Cannot get plugin schemas: " +
interfaceName + " for policy", e);
}
}
return (null);
}
/**
* Gets the view bean URL given the plugin type
* and the plugin java class name
*
* @param pluginType type of plugin such as Subject, Referral, Condition
* @param pluginClassName name of java class name implementing the plugin
* type
*
* @return view bean URL defined for pluginType with name pluginName
*/
if (pluginType != null) {
pluginType).iterator();
break;
}
}
}
return viewBeanURL;
}
/** Gets a policy using policy cache.
* @param policyName policy name
* @param useCache flag to indicate whether to use cache or not
* @return the policy with the given policy name
* @throws SSOException
* @throws NoPermissionException
* @throws InvalidFormatException
* @throws PolicyException
*/
if ( useCache ) {
} else {
}
return policy;
}
return rim;
}
resourceType.getName());
}
private boolean validateResourceForPrefixE(
boolean interpretWildCard = true;
return true;
}
}
return false;
}
private boolean validateResourceForPrefix(
boolean interpretWildCard = true;
return true;
}
}
return false;
}
throws SSOException, PolicyException {
if (isMigratedToEntitlementService()) {
} else {
}
}
throws SSOException, PolicyException {
try {
// Make sure adminSubject has been set before using
if (adminSubject == null) {
initialise();
}
isEmpty()) {
}
"resource_name_not_permitted_by_prefix_names", objs,
null);
}
} catch (EntitlementException ex) {
}
}
}
}
throws SSOException, PolicyException {
throw new PolicyException(
}
boolean validResource = true;
}
if (!validResource) {
throw new PolicyException(
"resource_name_not_permitted_by_prefix_names",
}
}
}
throws SSOException, PolicyException {
throw new PolicyException(
"invalid_referral_pointing_to_self",
}
/*
* check org orgName exisits - would result in
* PolicyException if the orgName does not exist
*/
}
}
throws PolicyException, SSOException {
try {
} catch (SMSException se) {
+ " in organization: " + org);
// Check for permission exception
} else {
// Throw generic policy exception
}
}
if (debug.messageEnabled()) {
}
}
try {
+ " in organization: " + org);
// throw generic policy exception
throw (new PolicyException(xmle));
}
if (subjectsNode == null) {
+ " in organization: " + org);
"invalid_xml_realmsubjects_root_node", null,
}
} else {
}
if (debug.messageEnabled()) {
}
return subjects;
}
/**
* Gets the set of policies that use the realm subject
* @param subjectName name of the realm subject to check for
* @return a <code>Set</code> of <code>Policy</code> objects
* that use the realm subject
*/
throws PolicyException, SSOException {
policyIter.hasNext();) {
if (subject instanceof SharedSubject) {
}
}
}
return policies;
}
throws PolicyException, SSOException {
policyIter.hasNext();) {
if (subject instanceof SharedSubject) {
policy = p;
break;
}
}
}
return policy;
}
private Set getOrgAliasMappedResourceNames()
throws PolicyException {
if (debug.messageEnabled()) {
+ " entering:orgName = " + org);
}
try {
} catch (SMSException sme) {
"unable_to_get_org_config_manager_for_org",
}
}
try {
if (debug.messageEnabled()) {
+ " orgName = " + org
+ ":orgAliases=" + orgAliases);
}
} catch (SMSException sme) {
}
if (orgAliases != null) {
}
}
if (debug.messageEnabled()) {
+ " returning: orgName = " + org
+ ":orgAliases=" + orgAliases
+ ":managedResourceNames=" + managedResourceNames);
}
return managedResourceNames;
}
throws PolicyException {
return (isMigratedToEntitlementService()) ?
}
try {
} catch (EntitlementException ex) {
return Collections.EMPTY_SET;
}
}
throws PolicyException {
if (delegatedResourceNames != null) {
}
}
if (debug.messageEnabled()) {
+ " returning: orgName = " + org
+ ":serviceName=" + serviceName
+ ":managedResourceNames=" + managedResourceNames);
}
return managedResourceNames;
}
public Set getManagedResourceNames()
throws PolicyException {
if ((managedResourceNames == null)
managedResourceNames = new HashSet();
}
if (debug.messageEnabled()) {
+ " returning: orgName = " + org
+ ":managedResourceNames=" + managedResourceNames);
}
return managedResourceNames;
}
throws PolicyException, SSOException {
if (debug.messageEnabled()) {
+ " orgName = " + org
+ ", resourceName = " + resourceName);
}
if (resourceName == null) {
return null;
}
try {
} catch (MalformedURLException mfe) {
if (debug.messageEnabled()) {
+ " orgName = " + org
+ ", resourceName = " + resourceName
+ " is invalid URL, no org alias mapping can be found");
}
}
return orgAlias;
}
throws PolicyException, SSOException {
try {
} catch (IdRepoException re) {
//idRepo throws exception if there is no mapping
if (debug.messageEnabled()) {
+ " can not get orgName for orgAlias = " + orgAlias);
}
}
if (debug.messageEnabled()) {
+ " orgAlias = " + orgAlias
+ ", mapped org = " + aliasMappedOrg);
}
return aliasMappedOrg;
}
throws EntitlementException {
return true;
}
if (isMigratedToEntitlementService()) {
adminSubject, realm, s);
return true;
}
}
return false;
} else {
return canCreateNewResource(services) ||
}
}
boolean can = false;
try {
} catch (PolicyException e) {
}
}
}
}
return can;
}
private boolean hasReferredResources() {
boolean hasPrefixes = false;
try {
} catch (PolicyException e) {
}
return hasPrefixes;
}
static boolean isMigratedToEntitlementService() {
// This must be non-null for the migratedToEntitlementService to have been
// calculated correctly
if (adminSubject == null) {
initialise();
}
return migratedToEntitlementService;
}
private static void initialise() {
}
boolean can = false;
if (isMigratedToEntitlementService()) {
try {
} catch (PolicyException e) {
}
}
} else {
}
return can;
}
}