/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: ImportXACML.java,v 1.3 2010/01/11 01:21:01 dillidorai Exp $
 *
 * Portions Copyrighted 2011-2016 ForgeRock AS.
 */

package com.sun.identity.cli.entitlement;

import static com.sun.identity.cli.LogWriter.*;
import static java.util.logging.Level.INFO;
import static org.forgerock.openam.entitlement.utils.EntitlementUtils.getEntitlementConfiguration;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.PrintWriter;
import java.text.MessageFormat;
import java.util.List;

import javax.security.auth.Subject;

import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.cli.entitlement.XACMLUtils;
import org.forgerock.openam.entitlement.service.ApplicationServiceFactory;
import org.forgerock.openam.entitlement.service.ResourceTypeService;
import org.forgerock.openam.utils.IOUtils;

import com.iplanet.sso.SSOToken;
import com.sun.identity.cli.AuthenticatedCommand;
import com.sun.identity.cli.CLIException;
import com.sun.identity.cli.CommandManager;
import com.sun.identity.cli.ExitCodes;
import com.sun.identity.cli.IArgument;
import com.sun.identity.cli.RequestContext;
import com.sun.identity.entitlement.EntitlementConfiguration;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.entitlement.opensso.SubjectUtils;
import com.sun.identity.entitlement.xacml3.SearchFilterFactory;
import com.sun.identity.entitlement.xacml3.XACMLExportImport;
import com.sun.identity.entitlement.xacml3.XACMLExportImport.ImportStep;
import com.sun.identity.entitlement.xacml3.XACMLReaderWriter;
import com.sun.identity.entitlement.xacml3.validation.PrivilegeValidator;
import com.sun.identity.entitlement.xacml3.validation.RealmValidator;
import com.sun.identity.sm.OrganizationConfigManager;
import com.sun.identity.sm.SMSException;
/**
* Converts access policies read from XACML XML into Entitlement Framework Privileges
* and then imports these into the specified realm.
*/
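public class CreateXACML extends AuthenticatedCommand {

    /**
     * Services the command line request to import XACML.
     *
     * Required Arguments:
     * realm - Defines the realm the Policies will be imported into.
     * xmlfile - References the XACML file from which the Policies should be read
     *           (in web-enabled mode the option carries the XACML document itself).
     *
     * Optional Arguments:
     * dryrun - Optional flag indicates that, rather than carrying out the import,
     *          a report of anticipated effects should be generated.
     * outfile - Optional reference to a file for the dryrun report to be written; if not provided
     *           the dryrun report is written directly to stdout.
     *
     * The XACML input stream is released on every exit path (permission denied, import failure,
     * success), which the previous implementation did not guarantee.
     *
     * @param rc Request Context.
     * @throws CLIException if the request cannot be serviced: the caller lacks MODIFY permission
     *         on the realm, the XACML file cannot be opened, or the import itself fails.
     */
    public void handleRequest(RequestContext rc) throws CLIException {
        super.handleRequest(rc);
        ldapLogin();

        SSOToken adminSSOToken = getAdminSSOToken();
        Subject adminSubject = SubjectUtils.createSubject(adminSSOToken);
        String realm = getStringOptionValue(IArgument.REALM_NAME);

        // Opened before the permission check, as before, so a missing file is reported first;
        // the finally block guarantees the stream is closed regardless of which check fails.
        InputStream xacmlInputStream = getXacmlInputStream(realm);
        try {
            logStart(realm);
            checkModifyPermission(realm, adminSSOToken);
            List<ImportStep> importSteps = runImport(realm, xacmlInputStream, adminSSOToken, adminSubject);
            reportResult(realm, importSteps);
        } finally {
            IOUtils.closeIfNotNull(xacmlInputStream);
        }
    }

    /**
     * Rejects the request unless the administrator holds MODIFY permission for policies in the realm.
     *
     * @param realm the target realm.
     * @param adminSSOToken the administrator's token used for the permission check.
     * @throws CLIException with REQUEST_CANNOT_BE_PROCESSED when permission is denied; the denial
     *         is also written to the CLI log before the exception is thrown.
     */
    private void checkModifyPermission(String realm, SSOToken adminSSOToken) throws CLIException {
        if (XACMLUtils.hasPermission(realm, adminSSOToken, "MODIFY")) {
            return;
        }
        String errorMessage = MessageFormat.format(getResourceString("permission-denied"), "create-xacml",
                getAdminID());
        CLIException clie = new CLIException(errorMessage, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
        logException(realm, clie);
        throw clie;
    }

    /**
     * Assembles the XACML importer and runs the import (or the dry run) against the realm.
     *
     * @param realm the target realm.
     * @param xacmlInputStream the XACML document to import; ownership stays with the caller.
     * @param adminSSOToken token used to build the realm validator.
     * @param adminSubject subject the import is performed as.
     * @return the import steps reported by the importer (empty when nothing was imported).
     * @throws CLIException wrapping any EntitlementException or SMSException raised by the import.
     */
    private List<ImportStep> runImport(String realm, InputStream xacmlInputStream, SSOToken adminSSOToken,
            Subject adminSubject) throws CLIException {
        try {
            PrivilegeValidator privilegeValidator = new PrivilegeValidator(
                    new RealmValidator(new OrganizationConfigManager(adminSSOToken, realm)));
            ApplicationServiceFactory factory = InjectorHolder.getInstance(ApplicationServiceFactory.class);
            ResourceTypeService service = InjectorHolder.getInstance(ResourceTypeService.class);
            XACMLExportImport xacmlExportImport = new XACMLExportImport(
                    new XACMLExportImport.PrivilegeManagerFactory(),
                    new XACMLReaderWriter(),
                    privilegeValidator,
                    new SearchFilterFactory(),
                    PrivilegeManager.debug,
                    factory,
                    service);
            return xacmlExportImport.importXacml(realm, xacmlInputStream, adminSubject, isDryRun());
        } catch (EntitlementException e) {
            debugError("CreateXACML.handleRequest", e);
            logException(realm, e);
            throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
        } catch (SMSException e) {
            debugError("CreateXACML.handleRequest", e);
            logException(realm, e);
            throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
        }
    }

    /**
     * Logs the outcome and prints either the "nothing to import" message, the dry-run report,
     * or the success message.
     *
     * @param realm the target realm (used in log and output messages).
     * @param importSteps the steps returned by the importer.
     * @throws CLIException if logging or writing the dry-run output file fails.
     */
    private void reportResult(String realm, List<ImportStep> importSteps) throws CLIException {
        if (importSteps.isEmpty()) {
            String message = getResourceString("no-policies-provided");
            logNothingToImport(realm, message);
            getOutputWriter().printlnMessage(message);
            return;
        }
        logSuccess(realm);
        if (isDryRun()) {
            outputDryRunResults(importSteps);
        } else {
            getOutputWriter().printlnMessage(MessageFormat.format(
                    getResourceString("create-policy-in-realm-succeed"), realm));
        }
    }

    /**
     * Writes the "attempt" access-log entry; the log id differs between a dry run and a real import.
     *
     * @param realm the target realm.
     * @throws CLIException if the log cannot be written.
     */
    private void logStart(String realm) throws CLIException {
        String logId = isDryRun() ? "ATTEMPT_TO_GET_POLICY_NAMES_IN_REALM" : "ATTEMPT_CREATE_POLICY_IN_REALM";
        writeLog(LOG_ACCESS, INFO, logId, new String[]{realm});
    }

    /**
     * Writes the failure entry to the error log.
     *
     * @param realm the target realm.
     * @param e the failure; its message is recorded only for a real import. The dry-run log id is
     *          passed just the realm here, presumably because its message template takes a single
     *          argument — confirm against the log message definitions before changing this.
     * @throws CLIException if the log cannot be written.
     */
    private void logException(String realm, Exception e) throws CLIException {
        if (isDryRun()) {
            writeLog(LOG_ERROR, INFO, "FAILED_GET_POLICY_NAMES_IN_REALM", new String[]{realm});
        } else {
            writeLog(LOG_ERROR, INFO, "FAILED_CREATE_POLICY_IN_REALM", new String[]{realm, e.getMessage()});
        }
    }

    /**
     * Logs that the XACML document contained no policies to import.
     *
     * @param realm the target realm.
     * @param message the localised "no policies provided" message recorded with the entry.
     * @throws CLIException if the log cannot be written.
     */
    private void logNothingToImport(String realm, String message) throws CLIException {
        writeLog(LOG_ERROR, INFO, "FAILED_CREATE_POLICY_IN_REALM", new String[]{realm, message});
    }

    /**
     * Writes the success access-log entry; the log id differs between a dry run and a real import.
     *
     * @param realm the target realm.
     * @throws CLIException if the log cannot be written.
     */
    private void logSuccess(String realm) throws CLIException {
        String logId = isDryRun() ? "GOT_POLICY_NAMES_IN_REALM" : "SUCCEED_CREATE_POLICY_IN_REALM";
        writeLog(LOG_ACCESS, INFO, logId, new String[]{realm});
    }

    /**
     * Opens the XACML input.
     *
     * In web-enabled mode (the command manager reports a non-empty URL) the xmlfile option holds
     * the XACML document itself; otherwise it names a file on the local filesystem. The caller is
     * responsible for closing the returned stream.
     *
     * @param realm the target realm, used only for the failure log entry.
     * @return a stream over the XACML document.
     * @throws CLIException with REQUEST_CANNOT_BE_PROCESSED if the named file cannot be opened.
     */
    private InputStream getXacmlInputStream(String realm) throws CLIException {
        String datafile = getStringOptionValue(IArgument.XML_FILE);
        CommandManager mgr = getCommandManager();
        String url = mgr.getWebEnabledURL();

        if ((url != null) && (url.length() > 0)) {
            // Encode with an explicit charset rather than the JVM default so the bytes handed to the
            // XML reader do not depend on the platform the CLI happens to run on. UTF-8 is the XML
            // default when no encoding declaration is present.
            return new ByteArrayInputStream(datafile.getBytes(java.nio.charset.StandardCharsets.UTF_8));
        }
        try {
            return new FileInputStream(datafile);
        } catch (FileNotFoundException e) {
            debugError("CreateXACML.getXacmlInputStream", e);
            logException(realm, e);
            throw new CLIException(e, ExitCodes.REQUEST_CANNOT_BE_PROCESSED);
        }
    }

    /**
     * Renders the dry-run report, one "&lt;diff status code&gt; &lt;privilege name&gt;" line per step,
     * and sends it to the outfile if one was given, otherwise to the output writer.
     *
     * @param importSteps the steps to report.
     * @throws CLIException if the output file cannot be written.
     */
    private void outputDryRunResults(List<ImportStep> importSteps) throws CLIException {
        StringBuilder report = new StringBuilder();
        for (ImportStep step : importSteps) {
            report.append(MessageFormat.format(
                    "{0} {1}\n", step.getDiffStatus().getCode(), step.getPrivilege().getName()));
        }
        if (isOutfileSet()) {
            writeToOutputFile(report.toString());
        } else {
            getOutputWriter().printlnMessage(report.toString());
        }
    }

    /**
     * Appends the given text to the outfile.
     *
     * The file is opened in append mode to be consistent with ListXACML. Because PrintWriter never
     * throws on write failure, {@code checkError()} is consulted so a failed write is reported rather
     * than silently dropped. The writer (and the underlying stream) is always closed.
     *
     * @param string the text to append.
     * @throws CLIException with IO_EXCEPTION if the file cannot be opened, access is refused by the
     *         security manager, or the write fails.
     */
    private void writeToOutputFile(String string) throws CLIException {
        String outfile = getOutfileName();
        PrintWriter pwout = null;
        try {
            pwout = new PrintWriter(new FileOutputStream(outfile, true), true);
            pwout.write(string);
            // checkError() flushes and reports any IOException the PrintWriter swallowed.
            if (pwout.checkError()) {
                throw new CLIException(MessageFormat.format("Failed to write to output file {0}", outfile),
                        ExitCodes.IO_EXCEPTION);
            }
        } catch (FileNotFoundException e) {
            debugError("CreateXACML.writeToOutputFile", e);
            throw new CLIException(e, ExitCodes.IO_EXCEPTION);
        } catch (SecurityException e) {
            debugError("CreateXACML.writeToOutputFile", e);
            throw new CLIException(e, ExitCodes.IO_EXCEPTION);
        } finally {
            // Closing the PrintWriter also closes the FileOutputStream it wraps.
            IOUtils.closeIfNotNull(pwout);
        }
    }

    /** @return whether the dryrun option was given on the command line. */
    private boolean isDryRun() {
        return isOptionSet(IArgument.DRY_RUN);
    }

    /** @return whether the outfile option was given on the command line. */
    private boolean isOutfileSet() {
        return isOptionSet(IArgument.OUTPUT_FILE);
    }

    /** @return the value of the outfile option (null or empty if it was not given). */
    private String getOutfileName() {
        return getStringOptionValue(IArgument.OUTPUT_FILE);
    }
}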