8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: ResourceEnvIPCondition.java,v 1.4 2009/07/21 18:33:17 mrudul_uchil Exp $
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * Portions Copyrighted 2011-2014 ForgeRock AS
7e070d2425d617c9c91e175e122043b35546db6fKohei Tamura * Portions Copyrighted 2012 Open Source Solution Technology Corporation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.config.AMAuthenticationInstance;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.authentication.config.AMAuthenticationManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.config.AMConfigurationException;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.authentication.util.AMAuthUtils;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.authentication.util.ISAuthConstants;
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnellimport com.sun.identity.policy.PolicyEvaluator;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.policy.interfaces.Condition;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.policy.util.PolicyDecisionUtils;
f94b4fb00205e67d786426685187cdf603cd8d89David Lunaimport com.sun.identity.security.AdminTokenAction;
7e070d2425d617c9c91e175e122043b35546db6fKohei Tamuraimport com.sun.identity.shared.locale.AMResourceBundleCache;
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Briciimport org.forgerock.openam.utils.ValidateIPaddress;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>ResourceEnvIPCondition</code> is a plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * implementation of <code>Condition</code> interface.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This condition object provides the policy framework with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * condition decision and advices based on the client's environment or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * resource such as IP address, DNS host name, location, etc.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For the first drop, we are only supporting IP address.
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * @deprecated Use {@link org.forgerock.openam.entitlement.conditions.environment.ResourceEnvIPCondition} instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class ResourceEnvIPCondition implements Condition {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = Debug.getInstance(PolicyManager.POLICY_DEBUG_NAME);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static final String ENV_CONDITION_VALUE =
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "resourceEnvIPConditionValue";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private ArrayList adviceList = new ArrayList();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * No-argument constructor.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of property names for <code>ResourceEnvIPCondition</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return List of property names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the syntax for a property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.Syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property String property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Syntax</code> for the property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Syntax getPropertySyntax(String property)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the display name for the property name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be used by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * plugin to customize the display name for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be <code>null</code>, in which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * case the plugin must use the default locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property String property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param locale Locale for which the property name must be customized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return display name for the property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getDisplayName(String property, Locale locale)
7e070d2425d617c9c91e175e122043b35546db6fKohei Tamura ResourceBundle rb = AMResourceBundleCache.getInstance().getResBundle(ResBundleUtils.rbName, locale);
7e070d2425d617c9c91e175e122043b35546db6fKohei Tamura return com.sun.identity.shared.locale.Locale.getString(rb, property);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a set of valid values given the property name. This method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is called if the property Syntax is either SINGLE_CHOICE or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * MULTIPLE_CHOICE.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property String property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return Set of valid values for the property.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the Syntax.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Set getValidValues(String property) throws PolicyException
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the properties of <code>ResourceEnvIPCondition</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluation of ConditionDecision is influenced by these properties.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param properties the properties of the condition that governs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * whether a policy applies. The properties should
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * define value for the key ENV_CONDITION_VALUE. The value should
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be a Set with multiple elements. Each element should be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * a String. Please note that properties is not cloned by the method.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if properties is null or does not contain
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value for the key ENV_CONDITION_VALUE or the value of the key is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * not a Set with one String element that is parsable as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * an integer.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setProperties(Map properties) throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ( (properties == null) || ( properties.keySet() == null) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // check if the value is valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set envCondVal = (Set) properties.get(ENV_CONDITION_VALUE);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (( envCondVal == null ) || envCondVal.isEmpty()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition:setProperties envCondVal : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Iterator envCondValIter = envCondVal.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String envKey = (String) envCondValIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String envVal = envKey.substring(ifIndex+2, adviceIndex-1);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String adviceVal = envKey.substring(adviceIndex+5);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition:setProperties envList : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition:setProperties adviceList : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns properties of <code>ResourceEnvIPCondition</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the decision computed by <code>ResourceEnvIPCondition</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param env request specific environment map of key/value
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * pairs. <code>ResourceEnvIPCondition</code> looks for values of key
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>REQUEST_IP</code> in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>env</code> map. If <code>REQUEST_IP</code> could not be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * determined from <code>env</code>, it is obtained from
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * single sign on token of the user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the condition decision. The condition decision encapsulates
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * whether a policy applies for the request and advice messages
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * generated by the condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Policy framework continues evaluating a policy only if it applies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to the request as indicated by the <code>ConditionDecision</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise, further evaluation of the policy is skipped.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * However, the advice messages encapsulated in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the policy decision.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if the condition has not been initialized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with a successful call to <code>setProperties(Map)</code> and/or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value of key <code>REQUEST_IP</code> is not a String.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if the token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #setProperties(Map)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #REQUEST_IP
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.ConditionDecision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ConditionDecision getConditionDecision(SSOToken token, Map env)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition:getConditionDecision - " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allowed = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String adviceStr = getAdviceStrForEnv(env,token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (adviceStr != null && adviceStr.contains("=")) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition:getConditionDecision - " +
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "adviceName : " + adviceName + " and adviceValue : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((adviceName != null) && (adviceName.length() != 0) &&
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (adviceValue != null) && (adviceValue.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (adviceName.equalsIgnoreCase(ISAuthConstants.MODULE_PARAM)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforAuthScheme(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforAuthService(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advices.put(AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforAuthLevel(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforRole(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advices.put(PolicyDecisionUtils.AUTH_ROLE_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforUser(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advices.put(PolicyDecisionUtils.AUTH_USER_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforRedirectURL(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advices.put(PolicyDecisionUtils.AUTH_REDIRECTION_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getAdviceMessagesforRealm(adviceValue,token,env);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster advices.put(AUTHENTICATE_TO_REALM_CONDITION_ADVICE,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getConditionDecision(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "adviceName is invalid");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getConditionDecision(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "Advice is NULL since there is no matching "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "condition found.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return new ConditionDecision(allowed, advices);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Scheme condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforAuthScheme(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthSchemes = (Set) env.get(REQUEST_AUTH_SCHEMES);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthScheme(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemes from env= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "property_is_not_a_Set",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getRealmQualifiedAuthenticatedSchemes(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthScheme(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemes from ssoToken= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthScheme(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemesIgnoreRealm from ssoToken= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthSchemesIgnoreRealm = Collections.EMPTY_SET;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!requestAuthSchemes.contains(authScheme)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String realm = AMAuthUtils.getRealmFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((realm != null) && (realm.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthScheme():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "authScheme not satisfied = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if ((realm == null) || (realm.length() == 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!requestAuthSchemesIgnoreRealm.contains(authScheme)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthScheme():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "authScheme not satisfied = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforAuthScheme():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " requestAuthSchemes = " + requestAuthSchemes + ", "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Service condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforAuthService(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allow = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && (env.get(REQUEST_AUTHENTICATED_TO_SERVICES) != null) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthService(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthnServices from request = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String args[] = { REQUEST_AUTHENTICATED_TO_SERVICES };
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "property_is_not_a_Set",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getRealmQualifiedAuthenticatedServices(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthnServices.addAll(authenticatedServices);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthService(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthnServices from ssoToken = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!requestAuthnServices.contains(adviceValue)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String realm = AMAuthUtils.getRealmFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((realm != null) && (realm.length() != 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforAuthService():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "authService not satisfied = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if ((realm == null) || (realm.length() == 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator iter = requestAuthnServices.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String requestAuthnService = (String)iter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String service = AMAuthUtils.getDataFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"getAdviceMessagesforAuthService():authenticateToService = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + adviceValue + "," + " requestAuthnServices = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + requestAuthnServices + ", " + " adviceMessages = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Level condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforAuthLevel(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authRealm = AMAuthUtils.getRealmFromRealmQualifiedData(authLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getDataFromRealmQualifiedData(authLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authLevelInt = Integer.parseInt(authLevelIntString);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "property_is_not_an_Integer",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster maxRequestAuthLevel = getMaxRequestAuthLevel(env,authRealm,authLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((maxRequestAuthLevel == Integer.MIN_VALUE) && (token != null)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster getMaxRequestAuthLevel(token,authRealm,authLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforAuthLevel():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ",maxRequestAuthLevel=" + maxRequestAuthLevel
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Role condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforRole(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allow = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String userAuthRoleNames = token.getProperty("Role");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforRole(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"userAuthRoleNames from token =" + userAuthRoleNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("At ResourceEnvIPCondition.getAdviceMessagesforRole():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication User condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforUser(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allow = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String authUserNames = token.getProperty("UserToken");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforUser(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"userAuthRoleNames from token =" + authUserNames);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(authUserNames, "|");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("At ResourceEnvIPCondition.getAdviceMessagesforUser():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Realm condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforRealm(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster && (env.get(REQUEST_AUTHENTICATED_TO_REALMS) != null) ) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRealm(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthnRealms, from request / env = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String args[] = { REQUEST_AUTHENTICATED_TO_REALMS };
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "property_is_not_a_Set",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthnRealms.addAll(authenticatedRealms);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRealm(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthnRealms, from ssoToken = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRealm():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "authenticateToRealm not satisfied = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforRealm():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " requestAuthnRealms = " + requestAuthnRealms + ", "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns advice messages for Authentication Redirect condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set getAdviceMessagesforRedirectURL(String adviceValue,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token, Map env) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean nullRealm = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean allow = false;
1118e15a4a97d6e0e87303c9e406d616923a0479Craig McDonnell Set<String> orgSet = (Set<String>) env.get(PolicyEvaluator.REALM_DN);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthSchemes = (Set) env.get(REQUEST_AUTH_SCHEMES);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRedirectURL(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemes from env= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " AND orgName from env= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "property_is_not_a_Set",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster orgName = token.getProperty(ISAuthConstants.ORGANIZATION);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getRealmQualifiedAuthenticatedSchemes(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRedirectURL(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "orgName from ssoToken= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRedirectURL(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemes from ssoToken= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getAdviceMessagesforRedirectURL(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthSchemesIgnoreRealm from ssoToken= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster requestAuthSchemesIgnoreRealm = Collections.EMPTY_SET;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken adminToken = (SSOToken)AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator iter = requestAuthSchemes.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String requestAuthnScheme = (String)iter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster schemeInstance = AMAuthUtils.getDataFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String realm = AMAuthUtils.getRealmFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((realm == null) || (realm.length() == 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new AMAuthenticationManager(adminToken,orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authManager.getAuthenticationInstance(schemeInstance);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster for (Iterator iter = requestAuthSchemesIgnoreRealm.iterator();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster new AMAuthenticationManager(adminToken,orgName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster authManager.getAuthenticationInstance(schemeInstance);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforRedirectURL():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "got AMConfigurationException:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "auth_scheme_not_found",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "getAdviceMessagesforRedirectURL():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * property in the environment Map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int getMaxRequestAuthLevel(Map env, String authRealm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "envMap,authRealm,authLevel): entering: envMap= " + env
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Object envAuthLevelObject = env.get(REQUEST_AUTH_LEVEL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((authRealm == null) || (authRealm.length() == 0)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster maxAuthLevel = ((Integer)envAuthLevelObject).intValue();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"getMaxRequestAuthLevel():Integer level in env= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (envAuthLevelObject instanceof Set) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (!(envAuthLevelElement instanceof String)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "getMaxRequestAuthLevel():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthLevel Set element"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " not String");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "request_authlevel_in_env_set_element_not_string",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String qualifiedLevel = (String)envAuthLevelElement;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster currentAuthLevel = getAuthLevel(qualifiedLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.warning("ResourceEnvIPCondition.getMaxRequestAuthLevel():"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "requestAuthLevel in env neither"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " Integer nor Set");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "request_authlevel_in_env_not_Integer_or_set",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "): returning: maxAuthLevel=" + maxAuthLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * property in the SSO token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int getMaxRequestAuthLevel(SSOToken token, String authRealm,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String authLevel) throws PolicyException, SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "token,authRealm,authLevel): entering:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((authRealm == null) || authRealm.length() == 0) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "): levels from token= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster maxAuthLevel = (level > maxAuthLevel)? level : maxAuthLevel;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getRealmQualifiedAuthenticatedLevels(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "): qualifiedLeves from token= "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((qualifiedLevels != null) && (!qualifiedLevels.isEmpty())) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String realm = AMAuthUtils.getRealmFromRealmQualifiedData(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.message("ResourceEnvIPCondition.getMaxRequestAuthLevel("
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "): returning:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Extracts the integer auth level from a realm-qualified
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * ( realm:level) String.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private int getAuthLevel(String qualifiedLevel)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster = AMAuthUtils.getDataFromRealmQualifiedData(qualifiedLevel);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DEBUG.warning("AuthLevelCondition.getAuthLevel(qualifiedLevel):"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "got NumberFormatException:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "auth_level_not_integer",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the advice string that satisfies or matches for the client
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * environment parameter, including client's IP Address.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private String getAdviceStrForEnv(Map env, SSOToken token)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster //Check if all the keys are valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(key, "=");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici DEBUG.message("ResourceEnvIPCondition:getAdviceStrForEnv invalid strIP : "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici ValidateIPaddress.isIPv4(startIp) && ValidateIPaddress.isIPv4(endIp)){
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici ValidateIPaddress.isIPv6(startIp) && ValidateIPaddress.isIPv6(endIp)){
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici IPv6AddressRange ipv6Range = IPv6AddressRange.fromFirstAndLast(
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici IPv6Address.fromString(startIp),IPv6Address.fromString(endIp));
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici if(requestIpV6 != null && ipv6Range.contains(requestIpV6)) {
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici } else if (requestIpV4 != 0 && ValidateIPaddress.isIPv4(ipVal)) {
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici } else if (requestIpV6 != null && ValidateIPaddress.isIPv6(ipVal)) {
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici // treat as single ip address
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici IPv6Address iPv6AddressIpVal = IPv6Address.fromString(ipVal);
44a62998f373c4089cb2e6b478cdb5e7ac71ccaeAlin Brici if(iPv6AddressIpVal.compareTo(requestIpV6) == 0){
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "resource_env_not_known",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "resource_env_not_known",
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Converts String representation of IP address to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private long stringToIp(String ip) throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster StringTokenizer st = new StringTokenizer(ip, ".");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a copy of this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster theClone = (ResourceEnvIPCondition) super.clone();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // this should never happen