/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: OpenSSOPrivilege.java,v 1.5 2009/10/07 01:36:55 veiming Exp $
*/
/*
* Portions Copyrighted 2010-2014 ForgeRock Inc
* Portions Copyrighted 2013 Nomura Research Institute, Ltd
*/
package com.sun.identity.entitlement.opensso;
import com.sun.identity.entitlement.ConditionDecision;
import com.sun.identity.entitlement.Entitlement;
import com.sun.identity.entitlement.EntitlementException;
import com.sun.identity.entitlement.Privilege;
import com.sun.identity.entitlement.PrivilegeManager;
import com.sun.identity.entitlement.PrivilegeType;
import com.sun.identity.monitoring.MonitoringUtil;
import com.sun.identity.session.util.RestrictedTokenAction;
import com.sun.identity.session.util.RestrictedTokenContext;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.entitlement.monitoring.PolicyMonitor;
import org.json.JSONException;
import org.json.JSONObject;
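/**
 * {@link Privilege} implementation for the OpenSSO policy model
 * ({@link PrivilegeType#OPENSSO}).
 *
 * <p>Evaluation runs inside the caller's restricted-token context and delegates
 * to the inherited subject/condition matching and to the wrapped
 * {@link Entitlement}. Any exception raised during evaluation is logged and
 * mapped to an empty result, so a failing evaluation never hands back an
 * entitlement carrying action values. When monitoring is running, each
 * completed evaluation is reported to the {@link PolicyMonitor} together with
 * its duration.
 *
 * <p>On top of the base privilege state this class carries the name of the
 * policy it was created from, which is serialised by {@link #toJSONObject()}
 * and restored by {@link #init(JSONObject)}.
 */
public class OpenSSOPrivilege extends Privilege {

    /** JSON key under which the policy name is stored. */
    private static final String POLICY_NAME_KEY = "policyName";

    /** Name of the policy this privilege was created from; may be {@code null}. */
    private String policyName;

    /** Sink for evaluation timings; resolved once from the Guice injector. */
    private final PolicyMonitor policyMonitor;

    /**
     * Creates an empty privilege and resolves the {@link PolicyMonitor} from
     * the Guice injector.
     */
    public OpenSSOPrivilege() {
        super();
        policyMonitor = InjectorHolder.getInstance(PolicyMonitor.class);
    }

    @Override
    public PrivilegeType getType() {
        return PrivilegeType.OPENSSO;
    }

    /**
     * Evaluates this privilege for the given subject and resource.
     *
     * <p>The work is performed by {@link #internalEvaluate} while the supplied
     * {@code context} is installed via
     * {@link RestrictedTokenContext#doUsing}. Failures are handled fail-closed:
     * the exception is logged and an empty list is returned instead of being
     * propagated to the caller.
     *
     * @param adminSubject    administrator subject used to perform the evaluation.
     * @param realm           realm the evaluation takes place in.
     * @param subject         subject whose entitlements are being evaluated.
     * @param applicationName name of the application the resource belongs to.
     * @param resourceName    resource to evaluate.
     * @param actionNames     actions of interest.
     * @param environment     environment parameters available to conditions.
     * @param recursive       whether sub-resources are evaluated as well.
     * @param context         restricted-token context to evaluate under.
     * @return the resulting entitlements; empty (never an entitlement with
     *         action values) if the evaluation threw.
     * @throws EntitlementException declared for interface compatibility; every
     *         exception is currently caught and mapped to an empty result.
     */
    @Override
    public List<Entitlement> evaluate(
            final Subject adminSubject,
            final String realm,
            final Subject subject,
            final String applicationName,
            final String resourceName,
            final Set<String> actionNames,
            final Map<String, Set<String>> environment,
            final boolean recursive,
            final Object context
    ) throws EntitlementException {
        try {
            // doUsing is untyped (returns Object); the only action run here is
            // internalEvaluate, whose result is always a List<Entitlement>.
            @SuppressWarnings("unchecked")
            List<Entitlement> results = (List<Entitlement>) RestrictedTokenContext.doUsing(context,
                    new RestrictedTokenAction() {
                        @Override
                        public Object run() throws Exception {
                            return internalEvaluate(
                                    adminSubject,
                                    realm,
                                    subject,
                                    applicationName,
                                    resourceName,
                                    actionNames,
                                    environment,
                                    recursive
                            );
                        }
                    });
            return results;
        } catch (Exception ex) {
            // Fail closed: log the cause and grant nothing rather than propagate.
            PrivilegeManager.debug.error("OpenSSOPrivilege.evaluate", ex);
            return new ArrayList<Entitlement>(0);
        }
    }

    /**
     * Performs the actual evaluation (see {@link #evaluate} for the parameters).
     *
     * <p>An inactive privilege yields a single entitlement for the privilege's
     * own resource with no actions, advices or TTL. Otherwise the inherited
     * subject and condition checks decide whether the wrapped entitlement is
     * evaluated (one result per matched resource, with attributes, advices and
     * the lowest condition TTL) or a single empty entitlement carrying only the
     * collected advices and TTL is returned.
     *
     * @return the entitlements for this privilege; never {@code null}.
     * @throws EntitlementException if the inherited matching or the wrapped
     *         entitlement's evaluation fails.
     */
    private List<Entitlement> internalEvaluate(
            Subject adminSubject,
            String realm,
            Subject subject,
            String applicationName,
            String resourceName,
            Set<String> actionNames,
            Map<String, Set<String>> environment,
            boolean recursive
    ) throws EntitlementException {
        // Monotonic clock so wall-clock adjustments cannot skew the reported duration.
        final long startNanos = System.nanoTime();
        List<Entitlement> results = new ArrayList<Entitlement>();
        Set<ConditionDecision> decisions = new HashSet<ConditionDecision>();

        if (!isActive()) {
            // Inactive policy: no permitted actions, and nothing is reported to monitoring.
            Entitlement origE = getEntitlement();
            results.add(new Entitlement(origE.getApplicationName(),
                    origE.getResourceName(), Collections.<String>emptySet()));
            return results;
        }

        // Subject and condition matching populate advices (and decisions) as a side effect.
        Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
        boolean matched = doesSubjectMatch(adminSubject, realm, advices, subject,
                resourceName, environment)
                && doesConditionMatch(realm, advices, subject, resourceName,
                environment, decisions);

        Entitlement origE = getEntitlement();
        if (matched) {
            Set<String> resources = origE.evaluate(adminSubject, realm,
                    subject, applicationName, resourceName, actionNames,
                    environment, recursive);
            if (PrivilegeManager.debug.messageEnabled()) {
                PrivilegeManager.debug.message(
                        "[PolicyEval] OpenSSOPrivilege.evaluate: resources=" +
                        resources.toString(), null);
            }
            final long ttl = getLowestDecisionTTL(decisions);
            for (String r : resources) {
                Entitlement e = new Entitlement(origE.getApplicationName(),
                        r, origE.getActionValues());
                // Attributes are resolved per resource to keep each entitlement independent.
                e.setAttributes(getAttributes(adminSubject, realm, subject,
                        resourceName, environment));
                e.setAdvices(advices);
                e.setTTL(ttl);
                results.add(e);
            }
        } else {
            // No match: empty action set, but still surface the advices and TTL.
            Entitlement e = new Entitlement(origE.getApplicationName(),
                    origE.getResourceName(), Collections.<String>emptySet());
            e.setAdvices(advices);
            e.setTTL(getLowestDecisionTTL(decisions));
            results.add(e);
        }

        if (MonitoringUtil.isRunning()) {
            final long durationMillis = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - startNanos);
            policyMonitor.addEvaluation(policyName, durationMillis, realm, applicationName, resourceName, subject);
        }
        return results;
    }

    /**
     * Returns the JSON representation of this privilege.
     *
     * <p>Extends the base representation with the policy name, which is only
     * written when it is non-{@code null}.
     *
     * @return JSONObject mapping of the object
     * @throws JSONException if the object cannot be mapped to a JSONObject
     */
    @Override
    public JSONObject toJSONObject() throws JSONException {
        JSONObject jo = super.toJSONObject();
        if (policyName != null) {
            jo.put(POLICY_NAME_KEY, policyName);
        }
        return jo;
    }

    /**
     * Restores the policy name from a JSON representation.
     *
     * <p>NOTE(review): {@code optString} yields {@code ""} (not {@code null})
     * when the key is absent, so a round trip through
     * {@link #toJSONObject()} turns a missing name into an empty one; callers
     * comparing against {@code null} should be aware of this.
     *
     * @param jo JSON representation produced by {@link #toJSONObject()}.
     */
    protected void init(JSONObject jo) {
        policyName = jo.optString(POLICY_NAME_KEY);
    }

    /**
     * Sets policy name.
     *
     * @param policyName Policy name.
     */
    public void setPolicyName(String policyName) {
        this.policyName = policyName;
    }

    /**
     * Returns policy name.
     *
     * @return policyName Policy name.
     */
    public String getPolicyName() {
        return this.policyName;
    }

    /**
     * Returns the smallest time-to-live among the given condition decisions.
     *
     * @param decisions condition decisions collected during evaluation.
     * @return the lowest TTL, or {@link Long#MAX_VALUE} when there are no decisions.
     */
    protected long getLowestDecisionTTL(Set<ConditionDecision> decisions) {
        long minTTL = Long.MAX_VALUE;
        for (ConditionDecision decision : decisions) {
            minTTL = Math.min(minTTL, decision.getTimeToLive());
        }
        return minTTL;
    }
}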