ResourceEnvIPCondition.java revision 8af80418ba1ec431c8027fa9668e5678658d3611
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: ResourceEnvIPCondition.java,v 1.4 2009/07/21 18:33:17 mrudul_uchil Exp $
*
*/
/*
* Portions Copyrighted [2011] [ForgeRock AS]
*/
/**
* The class <code>ResourceEnvIPCondition</code> is a plugin
* implementation of <code>Condition</code> interface.
* This condition object provides the policy framework with the
* condition decision and advices based on the client's environment or
* resource such as IP address, DNS host name, location, etc.
* For the first drop, only the IP address environment parameter is supported.
*/
public class ResourceEnvIPCondition implements Condition {
public static final String ENV_CONDITION_VALUE =
"resourceEnvIPConditionValue";
private List propertyNames;
private Map properties;
/**
* No argument constructor
*/
public ResourceEnvIPCondition() {
// Start with an empty property-name list; the properties map stays null
// until setProperties(Map) is invoked.
this.propertyNames = new ArrayList();
}
/**
* Returns a list of property names for <code>ResourceEnvIPCondition</code>.
*
* @return List of property names
*/
public List getPropertyNames()
{
// The internal list itself is handed back, not a defensive copy.
List names = this.propertyNames;
return names;
}
/**
* Returns the syntax for a property name
* @see com.sun.identity.policy.Syntax
*
* @param property String property name
*
* @return <code>Syntax</code> for the property name
*/
{
}
/**
* Returns the display name for the property name.
* The <code>locale</code> variable could be used by the
* plugin to customize the display name for the given locale.
* The <code>locale</code> variable could be <code>null</code>, in which
* case the plugin must use the default locale.
*
* @param property String property name
* @param locale Locale for which the property name must be customized
* @return display name for the property name
*/
throws PolicyException
{
}
/**
* Returns a set of valid values given the property name. This method
* is called if the property Syntax is either the SINGLE_CHOICE or
* MULTIPLE_CHOICE.
*
* @param property String property name
* @return Set of valid values for the property.
* @exception PolicyException if unable to get the Syntax.
*/
{
return (Collections.EMPTY_SET);
}
/**
* Sets the properties of <code>ResourceEnvIPCondition</code>.
* Evaluation of ConditionDecision is influenced by these properties.
* @param properties the properties of the condition that governs
* whether a policy applies. The properties should
* define value for the key ENV_CONDITION_VALUE. The value should
* be a Set with multiple elements. Each element should be
* a String. Please note that properties is not cloned by the method.
*
* @throws PolicyException if properties is null, does not contain a
* value for the key ENV_CONDITION_VALUE, or the value of the key is
* not a non-empty Set whose elements are Strings in the expected
* condition format.
*/
this.properties = properties;
adviceList.clear();
}
// check if the value is valid
|| ( envCondVal.isEmpty() )) {
}
if ( DEBUG.messageEnabled()) {
+ envCondVal);
}
int i = 0;
while ( envCondValIter.hasNext()) {
if (ifIndex == -1) {
}
if (adviceIndex == -1) {
}
i++;
}
}
if ( DEBUG.messageEnabled()) {
+ envList);
+ adviceList);
}
}
/**
* Returns properties of <code>ResourceEnvIPCondition</code>. The returned
* Map is the same instance that was passed to setProperties(Map); it is
* not copied, so callers must not mutate it.
*/
public Map getProperties() {
// This is the very Map instance given to setProperties(Map); it is never
// cloned, so mutating it alters this condition's configuration.
Map configured = this.properties;
return configured;
}
/**
* Returns the decision computed by <code>ResourceEnvIPCondition</code>
* object.
*
* @param token single sign on token of the user
*
* pairs <code>ResourceEnvIPCondition</code> looks for values of key
* <code>REQUEST_IP</code> in the
* <code>env</code> map, which is supplied by the caller. Only if
* <code>REQUEST_IP</code> cannot be determined from <code>env</code> is it
* obtained from the single sign on token of the user.
*
* @return the condition decision. The condition decision encapsulates
* whether a policy applies for the request and advice messages
* generated by the condition.
*
* Policy framework continues evaluating a policy only if it applies
* to the request as indicated by the <code>ConditionDecision</code>.
* Otherwise, further evaluation of the policy is skipped.
* However, the advice messages encapsulated in the
* <code>ConditionDecision</code> are aggregated and passed up, encapsulated
* in the policy decision.
*
* @throws PolicyException if the condition has not been initialized, or
* the value of key <code>REQUEST_IP</code> is not a String.
* @throws SSOException if the token is invalid
*
* @see #setProperties(Map)
* @see #REQUEST_IP
* @see com.sun.identity.policy.ConditionDecision
*/
throws PolicyException, SSOException {
if ( DEBUG.messageEnabled()) {
"client environment map : " + env);
}
boolean allowed = false;
if ( DEBUG.messageEnabled()) {
+ adviceValue);
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (adviceName.equalsIgnoreCase(
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (adviceName.equalsIgnoreCase(
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (adviceName.equalsIgnoreCase(
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (adviceName.equalsIgnoreCase(
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (adviceName.equalsIgnoreCase(
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if ((adviceName.equalsIgnoreCase(
ISAuthConstants.ORG_PARAM))) {
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else {
if ( DEBUG.messageEnabled()) {
+ "getConditionDecision(): "
+ "adviceName is invalid");
}
}
}
} else {
if ( DEBUG.messageEnabled()) {
+ "getConditionDecision(): "
+ "Advice is NULL since there is no matching "
+ "condition found.");
}
}
}
/**
* Returns advice messages for Authentication Scheme condition.
*/
try {
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthScheme(): "
+ "requestAuthSchemes from env= "
}
} catch (ClassCastException e) {
throw new PolicyException(
args, e);
}
} else {
token);
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthScheme(): "
+ "requestAuthSchemes from ssoToken= "
+ "getAdviceMessagesforAuthScheme(): "
+ "requestAuthSchemesIgnoreRealm from ssoToken= "
}
}
}
if (requestAuthSchemes == null) {
}
if (requestAuthSchemesIgnoreRealm == null) {
}
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthScheme():"
+ "authScheme not satisfied = "
+ authScheme);
}
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthScheme():"
+ "authScheme not satisfied = "
+ authScheme);
}
}
}
}
if ( DEBUG.messageEnabled()) {
"getAdviceMessagesforAuthScheme():"
+ " adviceMessages = " + adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Service condition.
*/
boolean allow = false;
try {
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthService(): "
+ "requestAuthnServices from request = "
}
} catch (ClassCastException e) {
throw new PolicyException(
args, e);
}
} else {
token);
if (authenticatedServices != null) {
}
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthService(): "
+ "requestAuthnServices from ssoToken = "
}
}
}
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforAuthService():"
+ "authService not satisfied = "
+ adviceValue);
}
allow = true;
break;
}
}
}
}
if (!allow) {
}
if ( DEBUG.messageEnabled()) {
+"getAdviceMessagesforAuthService():authenticateToService = "
+ adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Level condition.
*/
try {
} catch (NumberFormatException e) {
throw new PolicyException(
}
}
if (maxRequestAuthLevel < authLevelInt) {
}
if (DEBUG.messageEnabled()) {
"getAdviceMessagesforAuthLevel():"
+ "authLevel=" + authLevel
+ "authRealm=" + authRealm
+ ",maxRequestAuthLevel=" + maxRequestAuthLevel
+ ",adviceMessages=" + adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Role condition.
*/
boolean allow = false;
if ( DEBUG.messageEnabled()) {
"getAdviceMessagesforRole(): "
+"userAuthRoleNames from token =" + userAuthRoleNames);
}
if (userAuthRoleNames != null) {
while (st.hasMoreElements()) {
if ((userAuthRoleName != null) &&
allow = true;
}
}
}
}
if (!allow) {
}
if (DEBUG.messageEnabled()) {
+ "auth role =" + adviceValue
+ ",adviceMessages=" + adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication User condition.
*/
boolean allow = false;
if ( DEBUG.messageEnabled()) {
"getAdviceMessagesforUser(): "
+"userAuthRoleNames from token =" + authUserNames);
}
if (authUserNames != null) {
while (st.hasMoreElements()) {
if ((authUserName != null) &&
allow = true;
}
}
}
}
if (!allow) {
}
if (DEBUG.messageEnabled()) {
+ "auth user =" + adviceValue
+ ",adviceMessages=" + adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Realm condition.
*/
try {
if (DEBUG.messageEnabled()) {
+ "getAdviceMessagesforRealm(): "
+ "requestAuthnRealms, from request / env = "
}
} catch (ClassCastException e) {
throw new PolicyException(
args, e);
}
} else {
if (authenticatedRealms != null) {
}
if (DEBUG.messageEnabled()) {
+ "getAdviceMessagesforRealm(): "
+ "requestAuthnRealms, from ssoToken = "
}
}
}
if (DEBUG.messageEnabled()) {
+ "getAdviceMessagesforRealm():"
+ "authenticateToRealm not satisfied = "
+ authRealm);
}
}
if ( DEBUG.messageEnabled()) {
"getAdviceMessagesforRealm():"
+ " adviceMessages = " + adviceMessages);
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Redirect condition.
*/
boolean nullRealm = false;
boolean allow = false;
try {
if (policyConfigMap != null) {
}
}
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforRedirectURL(): "
+ "requestAuthSchemes from env= "
+ " AND orgName from env= "
+ orgName);
}
} catch (ClassCastException e) {
throw new PolicyException(
args, e);
}
} else {
token);
if ( DEBUG.messageEnabled()) {
+ "getAdviceMessagesforRedirectURL(): "
+ "orgName from ssoToken= "
+ orgName);
+ "getAdviceMessagesforRedirectURL(): "
+ "requestAuthSchemes from ssoToken= "
+ "getAdviceMessagesforRedirectURL(): "
+ "requestAuthSchemesIgnoreRealm from ssoToken= "
}
}
}
if (requestAuthSchemes == null) {
}
if (requestAuthSchemesIgnoreRealm == null) {
}
try {
nullRealm = true;
break;
} else {
allow = true;
break;
}
}
}
if (nullRealm) {
allow = true;
break;
}
}
}
} catch (AMConfigurationException ace) {
if (DEBUG.warningEnabled()) {
"getAdviceMessagesforRedirectURL():"
+ "got AMConfigurationException:"
+ "schemeInstance=" + schemeInstance
+ ", authSchemeType = " + authSchemeType);
}
throw new PolicyException(
}
if (!allow) {
}
if (DEBUG.messageEnabled()) {
"getAdviceMessagesforRedirectURL():"
+ "redirectURL=" + adviceValue
+ "schemeInstance=" + schemeInstance
+ ",authSchemeType=" + authSchemeType
+ ",adviceMessages=" + adviceMessages);
}
return adviceMessages;
}
/**
* Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the environment Map.
* @see #REQUEST_AUTH_LEVEL
*/
if (DEBUG.messageEnabled()) {
+ "envMap,authRealm,authLevel): entering: envMap= " + env
+ ", authRealm= " + authRealm
+ ", conditionAuthLevel= " + authLevel);
}
if (envAuthLevelObject != null) {
if(envAuthLevelObject instanceof Integer) {
if (DEBUG.messageEnabled()) {
+"getMaxRequestAuthLevel():Integer level in env= "
+ maxAuthLevel);
}
}
} else if (envAuthLevelObject instanceof Set) {
if (!envAuthLevelSet.isEmpty()) {
if (!(envAuthLevelElement instanceof String)) {
if (DEBUG.warningEnabled()) {
+ "getMaxRequestAuthLevel():"
+ "requestAuthLevel Set element"
+ " not String");
}
throw new PolicyException(
"request_authlevel_in_env_set_element_not_string",
} else {
if(currentAuthLevel > maxAuthLevel) {
}
} else {
&& (currentAuthLevel > maxAuthLevel)) {
}
}
}
}
}
} else {
if (DEBUG.warningEnabled()) {
+ "requestAuthLevel in env neither"
+ " Integer nor Set");
}
throw new PolicyException(
"request_authlevel_in_env_not_Integer_or_set",
}
}
if (DEBUG.messageEnabled()) {
+ "): returning: maxAuthLevel=" + maxAuthLevel);
}
return maxAuthLevel;
}
/**
* Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the SSO token.
* @see #REQUEST_AUTH_LEVEL
*/
if (DEBUG.messageEnabled()) {
+ "token,authRealm,authLevel): entering:"
+ " authRealm = " + authRealm
+ ", conditionAuthLevel= " + authLevel);
}
if (DEBUG.messageEnabled()) {
+ "): levels from token= "
+ levels);
}
}
}
} else {
if (DEBUG.messageEnabled()) {
+ "): qualifiedLeves from token= "
+ qualifiedLevels);
}
: maxAuthLevel;
}
}
}
}
if (DEBUG.messageEnabled()) {
+ "): returning:"
+ " maxAuthLevel= " + maxAuthLevel);
}
return maxAuthLevel;
}
/**
* Extracts the integer auth level from String realm qualified
* ( realm:level) String.
*/
throws PolicyException {
int levelInt = 0;
try {
} catch (NumberFormatException nfe) {
if (DEBUG.warningEnabled()) {
+ "got NumberFormatException:"
+ "qualifiedLevel=" + qualifiedLevel
+ ", levelString = " + levelString);
}
throw new PolicyException(
}
return levelInt;
}
/**
* Returns the advice string that satisfies or matches for the client
* environment parameter, including client's IP Address.
*/
throws PolicyException, SSOException {
//Check if all the keys are valid
if ( tokenCount != 2 ) {
}
if ( tokenCount == 2 ) {
}
break;
}
}
} else {
} else {
throw new PolicyException(
}
} else {
}
} else {
throw new PolicyException(
}
}
}
if ( tokenCnt > 2 ) {
}
if ( tokenCnt == 2 ) {
}
break;
}
break;
}
break;
} else {
throw new PolicyException(
"resource_env_not_known",
}
}
} else {
throw new PolicyException(
"resource_env_not_known",
}
}
}
return adviceStr;
}
/**
* Converts the String representation of an IPv4 address to
* a long.
*/
if ( tokenCount != 4 ) {
}
long ipValue = 0L;
while ( st.hasMoreElements()) {
short ipElement = 0;
try {
} catch(Exception e) {
}
}
}
return ipValue;
}
/**
* Returns a copy of this object.
*
* @return a copy of this object
*/
try {
} catch (CloneNotSupportedException e) {
// this should never happen
throw new InternalError();
}
if (properties != null) {
}
}
return theClone;
}
}