EntitlementUtils.java revision 74dca04245920444925c2544c591c3da5dad607e
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms of the Common Development and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Distribution License (the License). You may not use this file except in compliance with the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * specific language governing permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Software, include this CDDL Header Notice in each file and include
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header, with the fields enclosed by brackets [] replaced by your own identifying
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * information: "Portions copyright [year] [name of copyright owner]".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright 2014-2015 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.Application;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.ApplicationManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.ApplicationType;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.ApplicationTypeManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.DenyOverride;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.EntitlementException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.PrivilegeManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.APPLICATION_CLASSNAME;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.ATTR_NAME_META;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.ATTR_NAME_SUBJECT_ATTR_NAMES;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_ACTIONS;
ca66273b61a8889f097081b01b6ff9a5f5801064Peter Majorimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_APPLICATION_DESC;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_CONDITIONS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_ENTITLEMENT_COMBINER;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_RESOURCES;
80849398a45dca1fb917716907d6ec99be6222c2Peter Majorimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_RESOURCE_COMP_IMPL;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_RESOURCE_TYPE_UUIDS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_SAVE_INDEX_IMPL;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_SEARCH_INDEX_IMPL;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport static com.sun.identity.entitlement.opensso.EntitlementService.CONFIG_SUBJECTS;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.entitlement.opensso.SubjectUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Utility methods for managing entitlements.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic final class EntitlementUtils {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an {@link ApplicationType} object based on the provided information.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name The name of the application type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The configuration settings for the application type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return An {@link ApplicationType} object corresponding to the provided details.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws InstantiationException If the class settings cannot be instantiated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws IllegalAccessException If the class settings cannot be accessed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static ApplicationType createApplicationType(String name, Map<String, Set<String>> data)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throws InstantiationException, IllegalAccessException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map<String, Boolean> actions = getActions(data);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String saveIndexImpl = getAttribute(data, CONFIG_SAVE_INDEX_IMPL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class saveIndex = ApplicationTypeManager.getSaveIndex(saveIndexImpl);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String searchIndexImpl = getAttribute(data, CONFIG_SEARCH_INDEX_IMPL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class searchIndex = ApplicationTypeManager.getSearchIndex(searchIndexImpl);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceComp = getAttribute(data, CONFIG_RESOURCE_COMP_IMPL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class resComp = ApplicationTypeManager.getResourceComparator(resourceComp);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String applicationClassName = getAttribute(data, APPLICATION_CLASSNAME);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ApplicationType appType = new ApplicationType(name, actions, searchIndex, saveIndex, resComp);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster appType.setApplicationClassName(applicationClassName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Constructs an {@link Application} object based on the provided information.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param applicationType The application's type.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param realm The realm where the application is defined.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name The name of the application.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The configuration settings for the application.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return An {@link Application} object corresponding to the provided details.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws InstantiationException If the class settings cannot be instantiated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws IllegalAccessException If the class settings cannot be accessed.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws EntitlementException If the application class cannot be instantiated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Application createApplication(ApplicationType applicationType, String realm, String name,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map<String, Set<String>> data) throws InstantiationException, IllegalAccessException,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Application app = ApplicationManager.newApplication(realm, name, applicationType);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final Set<String> resourceTypeUuids = data.get(CONFIG_RESOURCE_TYPE_UUIDS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster app.addAllResourceTypeUuids(resourceTypeUuids);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String description = getAttribute(data, CONFIG_APPLICATION_DESC);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String entitlementCombiner = getAttribute(data, CONFIG_ENTITLEMENT_COMBINER);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class combiner = getEntitlementCombiner(entitlementCombiner, app);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> conditionClassNames = data.get(CONFIG_CONDITIONS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> subjectClassNames = data.get(CONFIG_SUBJECTS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String saveIndexImpl = getAttribute(data, CONFIG_SAVE_INDEX_IMPL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class saveIndex = ApplicationTypeManager.getSaveIndex(saveIndexImpl);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String searchIndexImpl = getAttribute(data, CONFIG_SEARCH_INDEX_IMPL);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Class searchIndex = ApplicationTypeManager.getSearchIndex(searchIndexImpl);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String resourceComp = getAttribute(data, CONFIG_RESOURCE_COMP_IMPL);
f92849012ac6d84ddaad627d1c96f021d06998ecjeff.schenk Class resComp = ApplicationTypeManager.getResourceComparator(resourceComp);
9fa57a4f31580310b62bb2f08906e6b73d510817jeff.schenk Set<String> attributeNames = data.get(ATTR_NAME_SUBJECT_ATTR_NAMES);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final Set<String> meta = data.get(ATTR_NAME_META);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Converts the map of actions into a set format where the map's key->value combinations are separated by an equals
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * character.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param actions The map of actions that needs to be converted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The set of actions in key=value format.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set<String> getActionSet(Map<String, Boolean> actions) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster set.add(k + "=" + Boolean.toString(actions.get(k)));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the combiner from the provided set of data within the entitlement format.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The entire set of information about an application. May not be null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return A string of the combiner's name, or null if the data set is empty.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static String getCombiner(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> subData = data.get(CONFIG_ENTITLEMENT_COMBINER);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the list of subjects from the provided set of data within
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the entitlement format.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The entire set of information about an application
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return A set of Strings representing each of the subjects this application supports
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set<String> getSubjects(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the list of conditions from the provided set of data within
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the entitlement format.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The entire set of information about an application
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return A set of Strings representing each of the conditions this application supports
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set<String> getConditions(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the description from the provided set of data within
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the entitlement format.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The entire set of information about an application
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return A set of Strings holding the description of this application
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set<String> getDescription(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Set<String> getResources(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Converts the set of actions in key=value format to an actual map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The set of actions that needs to be converted.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The map of actions after the conversion.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static Map<String, Boolean> getActions(Map<String, Set<String>> data) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Map<String, Boolean> results = new HashMap<String, Boolean>();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set<String> actions = data.get(CONFIG_ACTIONS);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster defaultVal = Boolean.parseBoolean(a.substring(index + 1));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the first attribute value for the corresponding attributeName in the data map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The map where the attribute should be retrieved from.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param attributeName The name of the attribute that should be retrieved from the map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The attribute from the map corresponding to the provided attribute name, or <code>null</code> if no such
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute is present in the map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static String getAttribute(Map<String, Set<String>> data, String attributeName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (set != null && !set.isEmpty()) ? set.iterator().next() : null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the first attribute value for the corresponding attributeName in the data map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The map where the attribute should be retrieved from.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param attributeName The name of the attribute that should be retrieved from the map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param defaultValue The value to return if the requested value is null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The attribute from the map corresponding to the provided attribute name, or defaultValue if no such
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * attribute is present in the map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static String getAttribute(Map<String, Set<String>> data, String attributeName, String defaultValue) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final Set<String> set = data.get(attributeName);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster final String attr = (set != null && !set.isEmpty()) ? set.iterator().next() : null;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the first attribute value for the corresponding attributeName in the data map and parses it to a long.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param data The map where the attribute should be retrieved from.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param attributeName The name of the attribute that should be retrieved from the map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return The attribute from the map corresponding to the provided attribute name, parsed to a long.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If the attribute does not exist the current date time will be returned.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static long getDateAttributeAsLong(Map<String, Set<String>> data, String attributeName) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return Long.parseLong(getAttribute(data, attributeName));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster PrivilegeManager.debug.error("EntitlementService.getDateAttributeAsLong", e);
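8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns an admin SSO token for administrative actions. The token is obtained through a privileged action ({@link AdminTokenAction}), independently of who is calling, so callers must authorize the operation themselves before acting with it.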
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return An administrative SSO token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return AccessController.doPrivileged(AdminTokenAction.getInstance());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the SSO token for the given subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param subject The subject for which the token is required.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return An SSO token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public static SSOToken getSSOToken(Subject subject) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (subject == PrivilegeManager.superAdminSubject) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Attempts to retrieve the Java Class associated with the name of an entitlement combiner.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * First, we try the newer mechanism: the application itself looks the name up in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the {@link org.forgerock.openam.entitlement.EntitlementRegistry}, which succeeds only if
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the name is registered in there. This may fail. This step will be skipped if app is null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Second, we try to find a class whose name is the given string.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This lets older systems, which referred to the class to instantiate by its canonical name,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * still find their class. This may also fail.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If this fails, we simply return the default: {@link DenyOverride}. NOTE(review): in createApplication the name is read from the application's configuration data, so the second step resolves a class chosen by whoever can edit that configuration; confirm the resolved class is restricted to entitlement combiner implementations.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param name the name used to reference the combiner. Must not be null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param app the application whose entitlement registry will be used to perform the lookup. Can be null.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the class represented by the name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Class getEntitlementCombiner(String name, Application app) {
751ffbacd21180fbc0849885f30c91425fcee44ajeff.schenk PrivilegeManager.debug.error("EntitlementService.getEntitlementCombiner", ex);