/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2015 ForgeRock AS.
 */
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.compackage org.forgerock.openam.uma;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport com.sun.identity.entitlement.EntitlementException;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport com.sun.identity.entitlement.Privilege;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport com.sun.identity.entitlement.opensso.SubjectUtils;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport com.sun.identity.security.AdminTokenAction;
ed76331d9cc7a5c7df1c84efaa60923621e6af05Craig McDonnellimport org.forgerock.openam.audit.AuditConstants.ConfigOperation;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.auditors.SMSAuditFilter;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport java.security.AccessController;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport java.util.Collections;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport java.util.Iterator;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport javax.security.auth.Subject;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.i18n.LocalizedIllegalArgumentException;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.entitlement.rest.PolicyStore;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.entitlement.rest.PrivilegePolicyStoreProvider;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.entitlement.rest.query.QueryAttribute;
0fe99aaa2652cb97bbd71876ea28074e6241c3c0Andrew Forrestimport org.forgerock.openam.entitlement.service.DefaultPrivilegeManagerFactory;
0fe99aaa2652cb97bbd71876ea28074e6241c3c0Andrew Forrestimport org.forgerock.openam.entitlement.service.PrivilegeManagerFactory;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.openam.ldap.LDAPUtils;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.opendj.ldap.DN;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.comimport org.forgerock.opendj.ldap.RDN;
1d220b52ff470e682af30735b255f1d9ab04df21tom.rumsey@forgerock.com
/**
 * A filter to stop UMA config changes from being audited.
 * @since 13.0.0
 */
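public class UmaAuditFilter implements SMSAuditFilter {

    /** RDN that marks a DN as living under the policies container. */
    private static final String POLICIES_RDN = "ou=Policies";

    /** Resource-name prefix that identifies a policy as UMA-managed. */
    private static final String UMA_RESOURCE_PREFIX = "uma://";

    /**
     * Decides whether an SMS change should be audited.
     *
     * <p>Only changes to policies whose entitlement resource name starts with
     * {@code uma://} are suppressed. Every other case, including any failure to
     * parse the object DN or to look the policy up, is reported as audited so that
     * a lookup problem can never silently drop an audit record.
     *
     * @param objectId the DN of the changed SMS object; {@code null} is treated as audited.
     * @param realm the realm the change belongs to.
     * @param operation the configuration operation being performed (not used by this filter).
     * @param subject the subject performing the change (not used by this filter).
     * @return {@code true} if the change must be audited, {@code false} if it is a UMA policy change.
     */
    @Override
    public boolean isAudited(String objectId, String realm, ConfigOperation operation, Subject subject) {
        // DN.valueOf(null) would throw NPE; a missing id is not a UMA policy, so audit it.
        if (objectId == null) {
            return true;
        }
        try {
            DN dn = DN.valueOf(objectId);
            if (!isPolicy(dn)) {
                return true;
            }
            return !isUmaPolicy(realm, getPolicyName(dn));
        } catch (LocalizedIllegalArgumentException | EntitlementException e) {
            // Unparseable DN or policy lookup failure: fail safe towards auditing.
            return true;
        }
    }

    /**
     * Extracts the policy name from the policy DN.
     *
     * @param dn the DN of the policy entry.
     * @return the name of the policy as derived by {@link LDAPUtils#getName(DN)}.
     */
    private String getPolicyName(DN dn) {
        return LDAPUtils.getName(dn);
    }

    /**
     * Checks whether the named policy in the realm is a UMA policy.
     *
     * <p>A policy is treated as UMA-managed only when it can be read and its
     * entitlement has a resource name starting with {@code uma://}. A missing
     * privilege, entitlement or resource name yields {@code false}, which the
     * caller maps to "audited".
     *
     * @param realm the realm the policy lives in.
     * @param policyName the name of the policy to look up.
     * @return {@code true} only if the policy resource name is a UMA resource.
     * @throws EntitlementException if the policy store cannot read the policy.
     */
    private boolean isUmaPolicy(String realm, String policyName) throws EntitlementException {
        Privilege privilege = getPrivilege(realm, policyName);
        if (privilege == null || privilege.getEntitlement() == null) {
            return false;
        }
        String resourceName = privilege.getEntitlement().getResourceName();
        return resourceName != null && resourceName.startsWith(UMA_RESOURCE_PREFIX);
    }

    /**
     * Reads the named privilege from the realm's policy store.
     *
     * @param realm the realm the policy lives in.
     * @param policyName the name of the policy to read.
     * @return the privilege returned by the policy store.
     * @throws EntitlementException if the read fails.
     */
    private Privilege getPrivilege(String realm, String policyName) throws EntitlementException {
        return getPolicyStore(realm).read(policyName);
    }

    /**
     * Obtains a policy store for the realm, acting as the admin subject.
     *
     * @param realm the realm to open the policy store for.
     * @return a policy store bound to the admin subject and the realm.
     */
    private PolicyStore getPolicyStore(String realm) {
        return getPrivilegePolicyStoreProvider().getPolicyStore(getAdminSubject(), realm);
    }

    /**
     * Builds the admin subject used for the privileged policy lookup.
     *
     * @return a subject created from the admin token.
     */
    private Subject getAdminSubject() {
        return SubjectUtils.createSubject(AccessController.doPrivileged(AdminTokenAction.getInstance()));
    }

    /**
     * Creates a policy store provider backed by the default privilege manager factory
     * and no query attributes.
     *
     * @return a new provider instance.
     */
    private PrivilegePolicyStoreProvider getPrivilegePolicyStoreProvider() {
        PrivilegeManagerFactory factory = new DefaultPrivilegeManagerFactory();
        return new PrivilegePolicyStoreProvider(factory,
                Collections.<String, QueryAttribute>emptyMap());
    }

    /**
     * Checks whether the DN sits under the policies container, i.e. any of its
     * RDNs is {@code ou=Policies} (compared case-insensitively).
     *
     * @param dn the DN to inspect.
     * @return {@code true} if one of the RDNs is the policies container.
     */
    private boolean isPolicy(DN dn) {
        for (RDN rdn : dn) {
            if (POLICIES_RDN.equalsIgnoreCase(rdn.toString())) {
                return true;
            }
        }
        return false;
    }
}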