PrivilegeEvaluator.java revision 98889d65f3da34634133fce0bccd5138397bccf6
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PrivilegeEvaluator.java,v 1.2 2009/10/07 06:36:40 veiming Exp $
*
* Portions copyright 2010-2013 ForgeRock, Inc.
*/
/**
* This class evaluates entitlements of a subject for a given resource
* and environment parameters.
*/
class PrivilegeEvaluator {
private Subject adminSubject;
private String applicationName;
private String resourceName;
private ResourceSearchIndexes indexes;
private Application application;
private EntitlementCombiner entitlementCombiner;
private boolean recursive;
private EntitlementException eException;
private final static String PRIVILEGE_EVALUATION_CONTEXT =
"org.forgerock.openam.entitlement.context";
// Static variables
// TODO determine number of tasks per thread
private static int tasksPerThread = 5;
private static IThreadPool threadPool;
private static boolean isMultiThreaded;
// Stats monitor
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_INIT =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_RES_INDEX =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_SUB_INDEX =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_SEARCH =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_SEARCH_NEXT =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_SUBMIT =
private static final NetworkMonitor PRIVILEGE_EVAL_MONITOR_WAIT =
static {
try {
} catch (NumberFormatException e) {
"PrivilegeEvaluator.<init>: get evaluation thread pool size",
e);
}
}
threadPool = (isMultiThreaded) ?
new SequentialThreadPool();
}
/**
* Initializes the evaluator.
*
* @param adminSubject Administrator subject which is used for evaluation.
* @param subject Subject to be evaluated.
* @param realm Realm Name
* @param applicationName Application Name.
* @param resourceName Resource name.
* @param actions Action names.
* @param envParameters Environment parameters.
* @param recursive <code>true</code> for sub tree evaluation
* @throws com.sun.identity.entitlement.EntitlementException if
* initialization fails.
*/
private void init(
boolean recursive
) throws EntitlementException {
this.adminSubject = adminSubject;
this.applicationName = applicationName;
this.resourceName = resourceName;
this.envParameters = envParameters;
} else {
}
}
}
}
return "";
}
}
/**
* Returns <code>true</code> if the subject has privilege to have the
* given entitlement.
*
* @param adminSubject Administrator subject which is used for evaluation.
* @param subject Subject to be evaluated.
* @param applicationName Application Name.
* @param entitlement Entitlement to be evaluated.
* @param envParameters Environment parameters.
* @return <code>true</code> if the subject has privilege to have the
* given entitlement.
* @throws com.sun.identity.entitlement.EntitlementException if
* evaluation fails.
*/
public boolean hasEntitlement(
) throws EntitlementException {
// TODO, use policy decision combining algorithm
// Default is deny overrides
if ((b == null) || !b.booleanValue()) {
return false;
}
}
return true;
}
/**
* Returns the list of entitlements to which a subject is entitled.
*
* @param adminSubject Administrator subject which is used for evaluation.
* @param subject Subject to be evaluated.
* @param applicationName Application Name.
* @param resourceName Resource name.
* @param envParameters Environment parameters.
* @param recursive <code>true</code> for sub tree evaluation.
* @return <code>true</code> if the subject has privilege to have the
* given entitlement.
* @throws com.sun.identity.entitlement.EntitlementException if
* evaluation fails.
*/
boolean recursive
) throws EntitlementException {
}
throws EntitlementException {
// Subject index
// Search for policies
// Submit the privileges for evaluation
// First collect tasks to be evaluated locally
2*tasksPerThread);
int totalCount = 0;
while (totalCount != tasksPerThread) {
if (i.hasNext()) {
IPrivilege p = i.next();
if (debug.messageEnabled()) {
}
localPrivileges.add(p);
totalCount++;
} else {
break;
}
}
// Submit additional privileges to be executed by worker threads
boolean tasksSubmitted = false;
while (true) {
if (!i.hasNext()) {
break;
}
if (privileges == null) {
tasksSubmitted = true;
}
IPrivilege p = i.next();
if (debug.messageEnabled()) {
}
privileges.add(p);
totalCount++;
privileges.clear();
}
}
}
// IPrivilege privileges locally
// Wait for submitted threads to complete evaluation
if (tasksSubmitted) {
if (isMultiThreaded) {
} else {
boolean isDone = false;
}
}
} else if (eException == null) {
boolean isDone = false;
}
}
if (eException != null) {
throw eException;
}
return ents;
}
private void receiveEvalResults(int totalCount) {
int counter = 0;
try {
hasResults.await();
}
counter++;
}
}
} catch (InterruptedException ex) {
} finally {
}
}
private Application getApplication()
throws EntitlementException {
if (application == null) {
// If application is still null, throw an exception
if (application == null) {
}
}
return application;
}
class PrivilegeTask implements Runnable {
final PrivilegeEvaluator parent;
private boolean isThreaded;
private PrivilegeEvaluatorContext ctx;
this.isThreaded = isThreaded;
}
public void run() {
try {
if (entitlements != null) {
if (isThreaded) {
try {
} finally {
}
} else {
}
}
}
} catch (EntitlementException ex) {
if (isThreaded) {
try {
} finally {
}
} else {
}
}
}
}
}