ResourceEnvIPCondition.java revision 6c6db3f20220562eac1447146b4e5e3fbd2dfb2f
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions copyright [year] [name of copyright owner]".
*
* Copyright 2009 Sun Microsystems Inc
*/
/*
* Portions Copyrighted 2012 Open Source Solution Technology Corporation
* Portions Copyright 2011-2015 ForgeRock AS.
*/
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.AUTHENTICATE_TO_REALM_CONDITION_ADVICE;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.AUTH_LEVEL;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.AUTH_LEVEL_CONDITION_ADVICE;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.AUTH_SCHEME_CONDITION_ADVICE;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.REQUEST_AUTHENTICATED_TO_REALMS;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.REQUEST_AUTHENTICATED_TO_SERVICES;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.REQUEST_AUTH_LEVEL;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.REQUEST_AUTH_SCHEMES;
import static org.forgerock.openam.entitlement.conditions.environment.ConditionConstants.REQUEST_IP;
/**
* This condition provides the policy framework with the condition decision and advices based on the client's
* environment or resource such as IP address, DNS host name, location, etc.
*/
public class ResourceEnvIPCondition extends EntitlementConditionAdaptor {
/**
 * No-argument constructor. Delegates to the constructor that takes a debug instance,
 * passing the shared {@code PrivilegeManager.debug} logger so that this condition
 * writes its diagnostics to the same place as the rest of the privilege framework.
 */
public ResourceEnvIPCondition() {
this(PrivilegeManager.debug);
}
}
/**
* {@inheritDoc}
*/
if (debug.messageEnabled()) {
}
boolean allowed = false;
try {
if (debug.messageEnabled()) {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
if (adviceMessages.isEmpty()) {
allowed = true;
} else {
}
} else if (debug.messageEnabled()) {
}
}
} else if (debug.messageEnabled()) {
}
} catch (SSOException e) {
}
}
/**
* Returns advice messages for Authentication Scheme condition.
*/
if (debug.messageEnabled()) {
}
try {
if (debug.messageEnabled()) {
}
} catch (ClassCastException e) {
}
} else {
if (debug.messageEnabled()) {
}
}
}
if (requestAuthSchemes == null) {
}
if (requestAuthSchemesIgnoreRealm == null) {
}
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
}
}
}
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Service condition.
*/
if (debug.messageEnabled()) {
}
boolean allow = false;
try {
if (debug.messageEnabled()) {
}
} catch (ClassCastException e) {
throw new EntitlementException(PROPERTY_VALUE_NOT_DEFINED,
new String[]{REQUEST_AUTHENTICATED_TO_SERVICES}, e);
}
} else {
if (authenticatedServices != null) {
}
if (debug.messageEnabled()) {
}
}
}
if (debug.messageEnabled()) {
}
allow = true;
break;
}
}
}
}
if (!allow) {
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Level condition.
*/
private Set<String> getAdviceMessagesforAuthLevel(String authLevel, SSOToken token, Map<String, Set<String>> env)
throws EntitlementException, SSOException {
if (debug.messageEnabled()) {
}
int maxRequestAuthLevel;
int authLevelInt;
try {
} catch (NumberFormatException e) {
}
}
if (maxRequestAuthLevel < authLevelInt) {
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Role condition.
*/
private Set<String> getAdviceMessagesforRole(String adviceValue, SSOToken token, Map<String, Set<String>> env) throws SSOException {
if (debug.messageEnabled()) {
}
boolean allow = false;
if (debug.messageEnabled()) {
}
if (userAuthRoleNames != null) {
while (st.hasMoreElements()) {
allow = true;
}
}
}
}
if (!allow) {
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication User condition.
*/
private Set<String> getAdviceMessagesforUser(String adviceValue, SSOToken token, Map<String, Set<String>> env) throws SSOException {
if (debug.messageEnabled()) {
}
boolean allow = false;
if (debug.messageEnabled()) {
}
if (authUserNames != null) {
while (st.hasMoreElements()) {
allow = true;
}
}
}
}
if (!allow) {
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Realm condition.
*/
if (debug.messageEnabled()) {
}
try {
if (debug.messageEnabled()) {
}
} catch (ClassCastException e) {
throw new EntitlementException(PROPERTY_IS_NOT_A_SET, new String[]{REQUEST_AUTHENTICATED_TO_REALMS}, e);
}
} else {
if (authenticatedRealms != null) {
}
if (debug.messageEnabled()) {
}
}
}
if (debug.messageEnabled()) {
}
}
if (debug.messageEnabled()) {
}
return adviceMessages;
}
/**
* Returns advice messages for Authentication Redirect condition.
*/
if (debug.messageEnabled()) {
}
boolean nullRealm = false;
boolean allow = false;
try {
if (debug.messageEnabled()) {
"orgName from env= " + orgName);
}
} catch (ClassCastException e) {
}
} else {
if (debug.messageEnabled()) {
}
}
}
if (requestAuthSchemes == null) {
}
if (requestAuthSchemesIgnoreRealm == null) {
}
try {
nullRealm = true;
break;
} else {
allow = true;
break;
}
}
}
if (nullRealm) {
allow = true;
break;
}
}
}
} catch (AMConfigurationException ace) {
if (debug.warningEnabled()) {
debug.warning(localDebugName + "got AMConfigurationException: schemeInstance=" + schemeInstance + ", " +
"authSchemeType = " + authSchemeType);
}
}
if (!allow) {
}
if (debug.messageEnabled()) {
debug.message(localDebugName + "redirectURL=" + adviceValue + "schemeInstance=" + schemeInstance + "," +
}
return adviceMessages;
}
/**
* Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the environment Map. The property value must be either an Integer or a
* Set of String levels; any other value raises an EntitlementException (AUTH_LEVEL_NOT_INT_OR_SET).
*/
private int getMaxRequestAuthLevel(Map<String, Set<String>> env, String authRealm, String authLevel) throws EntitlementException {
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
"conditionAuthLevel= " + authLevel);
}
if (envAuthLevelObject != null) {
if (envAuthLevelObject instanceof Integer) {
if (debug.messageEnabled()) {
}
}
} else if (envAuthLevelObject instanceof Set) {
if (!envAuthLevelSet.isEmpty()) {
if (!(envAuthLevelElement instanceof String)) {
if (debug.warningEnabled()) {
}
throw new EntitlementException(AUTH_LEVEL_NOT_INT_OR_SET);
} else {
if (currentAuthLevel > maxAuthLevel) {
}
} else {
}
}
}
}
}
} else {
if (debug.warningEnabled()) {
}
throw new EntitlementException(AUTH_LEVEL_NOT_INT_OR_SET);
}
}
if (debug.messageEnabled()) {
}
return maxAuthLevel;
}
/**
* Returns the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the SSO token.
*/
if (debug.messageEnabled()) {
}
if (debug.messageEnabled()) {
"conditionAuthLevel= " + authLevel);
}
if (debug.messageEnabled()) {
}
}
}
} else {
if (debug.messageEnabled()) {
}
}
}
}
}
if (debug.messageEnabled()) {
}
return maxAuthLevel;
}
/**
* Extracts the integer auth level from a realm-qualified
* ({@code realm:level}) String. If the level part is not a valid integer, a warning is
* logged and 0 is returned.
*/
if (debug.messageEnabled()) {
}
int levelInt = 0;
try {
} catch (NumberFormatException nfe) {
if (debug.warningEnabled()) {
debug.warning(localDebugName + "got NumberFormatException: qualifiedLevel=" + qualifiedLevel + ", " +
"levelString = " + levelString);
}
}
return levelInt;
}
/**
* Returns the environment condition that satisfies or matches for the client
* environment parameter, including client's IP Address.
*/
@SuppressWarnings("unchecked")
throws EntitlementException,
if (debug.messageEnabled()) {
}
//Check if all the keys are valid
break;
}
}
} else {
} else {
throw new EntitlementException(CLIENT_IP_EMPTY);
}
} else {
}
} else {
throw new EntitlementException(CLIENT_IP_EMPTY);
}
}
}
long requestIpV4 = 0;
} else {
if (debug.messageEnabled()) {
}
continue;
}
if (tokenCnt > 2) {
}
if (tokenCnt == 2) {
}
break;
}
break;
}
} else {
if (debug.errorEnabled()) {
}
}
if (requestIpV4 == longIp) {
break;
}
// treat as single ip address
break;
}
break;
} else {
}
}
}
return matchingCondition;
}
/**
* Converts the String representation of an IP address to a long.
* No error checking is needed here because the IP address has already been validated.
*/
long ipValue = 0L;
while (st.hasMoreElements()) {
}
return ipValue;
}
try {
}
} catch (JSONException joe) {
}
}
return toString();
}
return jo;
}
/**
* {@inheritDoc}
*/
try {
} catch (JSONException e) {
}
return s;
}
return resourceEnvIPConditionValue;
}
}
/**
* Parse condition strings of the form {@code IF paramName=paramValue THEN adviceName=adviceValue} into condition
* objects. The syntax of the paramValue and adviceValue parts may be further constrained during evaluation.
*
* @param conditionStrings the set of condition strings passed from the front end.
* @return the parsed condition objects.
* @throws EntitlementException if any of the conditions is in an invalid format.
*/
throws EntitlementException {
}
}
return conditions;
}
public void validate() throws EntitlementException {
throw new EntitlementException(EntitlementException.PROPERTY_VALUE_NOT_DEFINED, ENV_CONDITION_VALUE);
}
}
return false;
}
return false;
}
return CollectionUtils.genericCompare(this.resourceEnvIPConditionValue, other.resourceEnvIPConditionValue);
}
public int hashCode() {
if (resourceEnvIPConditionValue != null) {
}
return hc;
}
/**
* Represents a parsed resource environment condition consisting of a parameter name and value to test from the
* environment, and an advice name and value to return if the condition matches.
*/
static final class EnvironmentCondition {
final String paramValue;
final String adviceName;
final String adviceValue;
this.paramValue = paramValue;
this.adviceName = adviceName;
this.adviceValue = adviceValue;
}
return (this == that) ||
}
// Names are case-sensitive, values are not
}
public int hashCode() {
return result;
}
}
}
}