PolicyEvaluator.java revision bee2440354b4bc8796e1de0b6cbd60e1f68deba0
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PolicyEvaluator.java,v 1.19 2010/01/14 23:18:35 dillidorai Exp $
*
* Portions Copyrighted 2011-2015 ForgeRock AS.
*/
/**
* The class <code>PolicyEvaluator</code> evaluates policies
* and provides policy decisions.
* @supported.api
* @deprecated since 12.0.0
*/
public class PolicyEvaluator {
/**
* Constant used to identity all the resources of a service type.
* The resources include the sub resources of all resource prefixes of
* resource type
*
* @supported.api
*/
public static final String ALL_RESOURCES
= "---ALL_RESOURCES---";
public static final String ADVICING_ORGANIZATION
= "AdvicingOrganization";
/**
* Constant used to identity empty resource
*
* @supported.api
*/
/**
* Constant used for key to pass the requested resource name canonicalized
* in the env map, so that Condition(s)/ResponseProvider(s) could use
* the requested resource name, if necessary
*/
public static final String SUN_AM_REQUESTED_RESOURCE
= "sun.am.requestedResource";
/**
* Constant used for key to pass the requested resource name uncanonicalized
* in the env map, so that Condition(s)/ResponseProvider(s) could use
* the requested resource name, if necessary
*/
public static final String SUN_AM_ORIGINAL_REQUESTED_RESOURCE
= "sun.am.requestedOriginalResource";
/**
* Constant used for key to pass the requested actions names
* in the env map, so that Condition(s)/ResponseProvider(s) could use
* the requested actions names, if necessary
*/
public static final String SUN_AM_REQUESTED_ACTIONS
= "sun.am.requestedActions";
/**
* Constant used for key to pass the realm DN in the env map, so that Condition(s)
* can look up the relevant <code>PolicyConfig</code> config map, if necessary.
* <code>LDAPFilterCondition</code> needs to use PolicyConfig config map.
*/
public static final String RESULTS_CACHE_SESSION_CAP
= "com.sun.identity.policy.resultsCacheSessionCap";
public static int DEFAULT_RESULTS_CACHE_SESSION_CAP = 1000;
public static int resultsCacheSessionCap = DEFAULT_RESULTS_CACHE_SESSION_CAP;
public static final String RESULTS_CACHE_RESOURCE_CAP
= "com.sun.identity.policy.resultsCacheResourceCap";
public static int DEFAULT_RESULTS_CACHE_RESOURCE_CAP = 100;
public static int resultsCacheResourceCap = DEFAULT_RESULTS_CACHE_RESOURCE_CAP;
private static final boolean USE_POLICY_CACHE = true;
private static final boolean INCLUDE_SUPER_RESOURCE_POLCIES = true;
private static final long DEFAULT_USER_NSROLE_CACHE_TTL = 600000;
private String serviceTypeName;
private String applicationName;
private ServiceType serviceType;
private PolicyCache policyCache;
private PolicyManager policyManager;
private ResourceIndexManager resourceIndexManager;
// used to pass service type name in envParameters
// listener for policy decision cache
/*
* Cache to keep the policy evaluation results
* Cache structure layout:
*
* cache ----> Servicename1
* ----> servicename2
* ...
* ----> servicenameN
*
* servicenameI ----> Resourcename1
* ----> Resourcename2
* ...
* ----> ResourcenameN
*
* resourcenameI ----> userssotokenidstring1
* ----> userssotokenidstring2
* ...
* ----> userssotokenidstringN
*
* userssotokenidstringI ----> requestscope1
* ----> requestscope2
*
* requestscope1 ----> resourceresult1
* requestscope2 ----> resourceresult2
*/
/*
* The sso token listener registry for policy decision cache.
* To avoid adding multiple sso token listeners for the same
* token, we use this registry to make sure the listener is
* registered only once for each token. It will be unregistered
* if token is expired.
*
* Key is tokenId and value is policySSOTokenListener
* ssoTokenIDString : PolicySSOTokenListener
*
* Used to clean up cache on ssoToken notifications
*/
public static Map ssoListenerRegistry =
/*
* The policy change listener registry for policy decision cache.
* To avoid adding multiple listeners for the same service, we
* use this registry to make sure the listener is registered only
* once for each service.
*
* Key is serviceTypeName and value is <code>PolicyDecisionCacheListener
* </code>
* serviceTypeName : PolicyDecisionCacheListener for service type
*
* Used to clean up the decision cache on policy change notification
*/
/**
* The user <code>nsRole</code> attribute cache.
* AMSDK cache stops caching a user's nsRole attribute in 6.2
* due to notification issue. Adding this cache in policy to
* avoid performance impact caused by the AMSDK change. This
* cache uses a user's token as the key to map to the user's
* <code>nsRole</code> attribute values.
*
* Key is tokenId and value is set of role DN(s)
* ssoTokenIDString : set of role DN(s)
*/
static Map userNSRoleCache =
// TTL value for entries in the user's nsRole attribute values.
private static long userNSRoleCacheTTL = 0;
/**
* listener object to be used in cleaning up the
* userNSRoleCache, subjectEvaluationCache , user role
* cache in LDAPRoles and policyResultsCache
* upon user token expiration.
*/
public static SSOTokenListener ssoListener =
new PolicySSOTokenListener();
/*
* Cache for sub resources keyed by resource name
* The structure is a Map of
* serviceType(String) : resourceNamesCache(Cache)
* Key for resourceNamesCache is a root resource name and value is
* a <code>Set</code> of sub resource names for the root resource name
*
* serviceType: resourceName : resourceNames
*/
/**
* Constant key for passing organization name in the environment map during
* policy evaluation. The value for the key would be a <code>Set</code>
* with one element of type String. The string is the name of the
* organization the policy evaluator has been instantiated for.
*/
/**
* Constant key for passing service type name in the environment map during
* policy evaluation. The value for the key would be a <code>Set</code>
* with one element of type String. The string is the name of the
* <code>ServiceType</code> the policy evaluator has been instantiated for.
*/
/**
* Constructor to create a <code>PolicyEvaluator</code> given the <code>
* ServiceType</code> name.
*
* @param serviceTypeName the name of the <code>ServiceType</code> for
* which this evaluator can be used.
* @throws SSOException if <code>SSOToken</code> used by
* <code>PolicyEvaluator</code> is invalid
* @throws NameNotFoundException if the service with name
* <code>serviceTypeName</code> is not found
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
this("", serviceTypeName);
}
/**
* Constructor to create a <code>PolicyEvaluator</code> given organization
* name and the <code>ServiceType</code> name.
*
* @param orgName the name of the organization under which the evaluation
* is being done
* @param serviceTypeName the name of the <code>ServiceType</code> for
* which this evaluator can be used.
*/
} else {
}
this.serviceTypeName = serviceTypeName;
// Default application to be the service type, this maintains legacy behaviour.
this.applicationName = serviceTypeName;
if (resultsCacheSessionCapString != null) {
try {
} catch (NumberFormatException nfe) {
+ "number format exception: "
+ "defaulting resultsCacheSessionCap to "
}
}
} else {
+ "resultsCacheSessionCap not specified, "
+ "defaulting resultsCacheSessionCap to "
}
}
+ "resultsCacheSessionCap=" + resultsCacheSessionCap);
}
if (resultsCacheResourceCapString != null) {
try {
} catch (NumberFormatException nfe) {
+ "number format exception: "
+ "defaulting resultsCacheResourceCap to "
}
}
} else {
+ "resultsCacheResourceCap not specified, "
+ "defaulting resultsCacheResourceCap to "
}
}
+ "resultsCacheResourceCap=" + resultsCacheResourceCap);
}
}
/**
* Creates a new policy evaluator instance.
*
* @param orgName
* the name of the organization under which the evaluation is being done
* @param serviceTypeName
* the name of the <code>ServiceType</code> for which this evaluator can be used
* @param applicationName
* the application name containing the policies in question
*
* @throws PolicyException
* should some error occur constructor the evaluator
* @throws SSOException
* should some error occur with regards to any SSO token
*/
throws PolicyException, SSOException {
this(orgName, serviceTypeName);
this.applicationName = applicationName;
}
/**
* Register a policy listener for updating policy decision cache if there is none already registered.
*/
private void registerListener() {
synchronized (lock) {
try {
} catch (PolicyException pe) {
}
if (DEBUG.messageEnabled()) {
}
} else {
}
}
}
/**
* Evaluates a simple privilege of boolean type. The privilege indicate
* if the user can perform specified action on the specified resource.
* Invoking this method would result in <code>PolicyException</code>,
* if the syntax for the <code>actionName</code> is not declared to be
* boolean, in the service schema.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionName name of the action the user is trying to perform on
* the resource
*
* @return the result of the evaluation as a boolean value
*
* @exception SSOException single-sign-on token invalid or expired
*
*/
new HashMap()));
}
/**
* Evaluates simple privileges of boolean type. The privilege indicate
* if the user can perform specified action on the specified resource.
* The evaluation depends on user's application environment parameters.
* Invoking this method would result in <code>PolicyException</code>,
* if the syntax for the <code>actionName</code> is not declared to be
* boolean, in the service schema.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionName name of the action the user is trying to perform on
* the resource
* @param envParameters run-time environment parameters
*
* @return the result of the evaluation as a boolean value
*
* @throws SSOException single-sign-on token invalid or expired
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
}
}
// Cache the false values for the action names
if (booleanActionNameFalseValues == null) {
}
if ((falseValue = (String)
// Add it to the cache
}
// Cache the true values for the action names
if (booleanActionNameTrueValues == null) {
}
// Add it to the cache
}
throw new PolicyException(
}
boolean actionAllowed = false;
.get(actionName);
if ( actionDecision != null ) {
actionAllowed = false;
actionAllowed = true;
}
}
}
return actionAllowed;
}
}
try {
} catch (EntitlementException e) {
throw new PolicyException(e);
}
//Add request resourceName and request actionNames to the envParameters
//so that Condition(s)/ResponseProvider(s) can use them if necessary
if (actionName != null) {
} else {
if (actionNames != null) {
}
}
// Fix for OPENAM-811
}
// Required by the AMIdentityMembershipCondition
} else {
if (DEBUG.messageEnabled()) {
}
}
}
envParameters = new HashMap();
}
throw new PolicyException(
}
try {
} catch (EntitlementException e) {
throw new PolicyException(e);
}
}
throws InvalidNameException {
if (serviceType == null) {
}
// Cache the false values for the action names
if (booleanActionNameFalseValues == null) {
}
if ((falseValue = (String)
// Add it to the cache
}
return falseValue;
}
throws InvalidNameException {
if (serviceType == null) {
}
// Cache the true values for the action names
if (booleanActionNameTrueValues == null) {
}
}
return trueValue;
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionNames a <code>Set</code> of <code>Sting</code> objects
* representing names of the actions the user is trying to perform on
* the resource
*
* @return policy decision
*
* @exception SSOException single-sign-on token invalid or expired
* @exception PolicyException for any other abnormal condition.
*/
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource. The evaluation depends on user's
* application environment parameters.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionNames <code>Set</code> of names(<code>String</code>) of
* the action the user is trying to perform on the resource
* @param envParameters <code>Map</code> of run-time environment parameters
*
* @return policy decision
*
* @throws SSOException single-sign-on token invalid or expired
* @throws PolicyException for any other abnormal condition
*
* @supported.api
*/
public PolicyDecision getPolicyDecision(
}
//Add request resourceName and request actionNames to the envParameters
//so that Condition(s)/ResponseProvider(s) can use them if necessary
/* compute for all action names if passed in actionNames is
null or empty */
}
if (actionNames != null) {
}
/*
* We create new HashMap in place of empty map since
* Collections.EMPTY_MAP can not be modified
*/
envParameters = new HashMap();
}
envParameters, new HashSet());
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource. The evaluation depends on user's
* application environment parameters.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionNames <code>Set</code> of names(<code>String</code>) of the
* action the user is trying to perform on the resource.
* @param envParameters run-time environment parameters
* @param visitedOrgs names of organizations that have been already visited
* during policy evaluation for this request
*
* @return policy decision
*
* @exception SSOException single-sign-on token invalid or expired
* @exception PolicyException if any policy evaluation error.
*/
private PolicyDecision getPolicyDecision(
throws PolicyException, SSOException {
if (MonitoringUtil.isRunning()) {
}
try {
return (PolicyManager.isMigratedToEntitlementService()) ?
} finally {
if (MonitoringUtil.isRunning()) {
}
}
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource. The evaluation depends on user's
* application environment parameters.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionNames <code>Set</code> of names(<code>String</code>) of the
* action the user is trying to perform on the resource.
* @param envParameters run-time environment parameters
* @return policy decision
*
* @exception SSOException single-sign-on token invalid or expired
* @exception PolicyException if any policy evaluation error.
*/
private PolicyDecision getPolicyDecisionE(
throws PolicyException, SSOException {
if ( DEBUG.messageEnabled() ) {
}
/* compute for all action names if passed in actionNames is
null or empty */
}
try {
null;
return (entitlementToPolicyDecision(e, actionNames));
}
} catch (EntitlementException e) {
throw new PolicyException(e);
}
return (new PolicyDecision());
}
private PolicyDecision getPolicyDecisionO(
throws PolicyException, SSOException {
if ( DEBUG.messageEnabled() ) {
}
/* compute for all action names if passed in actionNames is
null or empty */
}
if ( DEBUG.messageEnabled() ) {
.append(".getPolicyDecision()")
.append(" principal, resource name, ")
.append("action names, policy names,")
.append(" orgName =")
}
while ( policyIter.hasNext() ) {
//policy might have been removed or inactivated
}
// Let us log all policy evaluation results
decision };
}
}
if ( mergedPolicyDecision == null ) {
} else {
}
if (!PolicyConfig.continueEvaluationOnDenyDecision()) {
}
break;
}
} else { // add policy names to toRemovePolicyNameSet
if (toRemovePolicyNameSet == null) {
toRemovePolicyNameSet = new HashSet();
}
if ( DEBUG.messageEnabled() ) {
+policyName+ " is inactive or non-existent");
}
}
}
if (toRemovePolicyNameSet != null) {
}
serviceTypeName)) {
orgAlias);
if (orgWithAlias != null) {
if ( DEBUG.messageEnabled() ) {
+ "adding orgWithAlias to orgsToVisit="
+ orgWithAlias);
}
}
}
}
if ( DEBUG.messageEnabled() ) {
.append(".getPolicyDecision()")
.toString());
}
if ( DEBUG.messageEnabled() ) {
.append(".getPolicyDecision()")
.append(" orgsToVist(after removing already visited orgs=")
.toString() );
}
try {
// need to use admin sso token here. Need all privileges to
// check for the organzation
} catch (NameNotFoundException nnfe) {
if( DEBUG.warningEnabled()) {
+ "skipping referral to " + orgToVisit);
}
continue;
}
/**
* save current realm DN before passing control down to sub-realm
*/
// Update env to point to the realm policy config data.
// restore back the policy config data for the parent realm
if ( mergedPolicyDecision == null ) {
} else {
}
if (!PolicyConfig.continueEvaluationOnDenyDecision()) {
}
}
if ( mergedPolicyDecision == null ) {
mergedPolicyDecision = new PolicyDecision();
}
return mergedPolicyDecision;
}
/**
* Gets protected resources for a user identified by single sign on token
* Conditions defined in the policies are ignored while
* computing protected resources.
* Only resources that are sub resources of the given
* <code>rootResource</code> or equal to the given <code>rootResource</code>
* would be returned.
* If all policies applicable to a resource are
* only referral policies, no <code>ProtectedResource</code> would be
* returned for such a resource.
*
* @param token single sign on token of the user
* @param rootResource only resources that are sub resources of the
* given <code>rootResource</code> or equal to the
* given <code>rootResource</code> would be returned
* <code>rootResource</code> would be returned.
* If <code>PolicyEvaluator.ALL_RESOURCES</code> is
* passed as <code>rootResource</code>, resources under
* all root resources of the service
* type are considered while computing protected
* resources.
* @return <code>Set</code> of protected resources. The set
* contains <code>ProtectedResource</code> objects.
*
* @throws SSOException if single sign on token is invalid
* @throws PolicyException for any other abnormal condition
* @see ProtectedResource
*
* @supported.api
*
*/
throws SSOException, PolicyException
{
}
} else {
topLevelResources = new HashSet();
}
while (resourceIter.hasNext()) {
if ((protectingPolicies != null)
&& (!protectingPolicies.isEmpty())) {
boolean allReferralPolicies = true;
if (!policy.isReferralPolicy()) {
allReferralPolicies = false;
break;
}
}
if (!allReferralPolicies) {
}
}
}
}
return protectedResources;
}
/**
* Gets policies applicable to user that are protecting
* the specified resource.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
*
* @return set of policies applicable to user that are protecting the
* specified resource
*
* @throws PolicyException policy exception coming from policy framework
* @throws SSOException single-sign-on token invalid or expired
*
*/
throws PolicyException, SSOException
{
}
/**
* Gets policies applicable to user that are protecting
* the specified resource.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
*
* @param visitedOrgs names of organizations that have been
* already visited during evaluation for this request
* @return set of policies applicable to user that are protecting the
* specified resource
*
* @throws PolicyException policy exception coming from policy framework
* @throws SSOException single-sign-on token invalid or expired
*
*/
private Set getProtectingPolicies(
throws PolicyException, SSOException
{
// false - do not include super resource policies
// includes EXACT_MATCH and WILD_CARD_MATCH
serviceType, resourceName, false);
if ( DEBUG.messageEnabled() ) {
"at PolicyEvaluator.getProtectingPolicies()")
.append(" principal, resource name, policy names,")
.append(" orgName =")
}
while ( policyIter.hasNext() ) {
//policy might have been removed or inactivated
if (!policy.isReferralPolicy()) {
}
} else {
}
} else { // add policy names to toRemovePolicyNameSet
if (toRemovePolicyNameSet == null) {
toRemovePolicyNameSet = new HashSet();
}
if ( DEBUG.messageEnabled() ) {
+policyName+ " is inactive or non-existent");
}
}
}
if (toRemovePolicyNameSet != null) {
}
//include super resource policies provided they are referral policies
if (toRemovePolicyNameSet != null) {
}
while ( policyIter.hasNext() ) {
//policy might have been removed or inactivated
if (policy.isReferralPolicy()) {
}
} else { // add policy names to toRemovePolicyNameSet
if (toRemovePolicyNameSet == null) {
toRemovePolicyNameSet = new HashSet();
}
if ( DEBUG.messageEnabled() ) {
+policyName+ " is inactive or non-existent");
}
}
}
if (toRemovePolicyNameSet != null) {
}
if ( DEBUG.messageEnabled() ) {
"at PolicyEvaluator.getProtectingPolicies()")
.toString());
}
serviceTypeName)) {
orgAlias);
if (orgWithAlias != null) {
if ( DEBUG.messageEnabled() ) {
+ "adding orgWithAlias to orgsToVisit="
+ orgWithAlias);
}
}
}
}
if ( DEBUG.messageEnabled() ) {
"at PolicyEvaluator.getProtectingPolicies()")
.append(" orgsToVist(after removing already visited orgs=")
.toString() );
}
while (!orgsToVisit.isEmpty() ) {
try {
// need to use admin sso token here. Need all privileges to
// check for the organzation
} catch (NameNotFoundException nnfe) {
if( DEBUG.warningEnabled()) {
+ "skipping referral to " + orgToVisit);
}
continue;
}
}
sb = new StringBuffer();
}
}
+ " protecting resource "
}
resourceName, pp };
}
return protectingPolicies;
}
/**
* Gets resource result objects given a resource name. The set
* contains <code>ResourceResult</code> objects for all resources
* that would affect policy decisions for any resource associated with the
* argument resource name. To determine whether to include the
* <code>ResourceResult</code> of a resource, we compare argument resource
* name and policy resource name, treating wild characters in the policy
* resource name as wild. If the comparison resulted in
* <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
* <code>SUB_RESOURCE_MACTH</code>, the resource result would be
* included.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource
* @param scope indicates whether to compute the resource result based on
* the policy decision for only the <code>resourceName</code>
* or all the resources associated with the resource name.
* The valid scope values are:
* <ul>
* <li><code>ResourceResult.SUBTREE_SCOPE</code>
* <li><code>ResourceResult.STRICT_SUBTREE_SCOPE</code>
* <li><code>ResourceResult.SELF_SCOPE</code>
* <ul>
* If the scope is <code>ResourceResult.SUBTREE_SCOPE</code>,
* the method will return a set of <code>ResourceResult</code>
* objects, one of them for the <code>resourceName</code> and
* its sub resources; the others are for resources that match
* the <code>resourceName</code> by wildcard. If the scope is
* <code>ResourceResult.STRICT_SUBTREE_SCOPE</code>, the
* method will return a set object that contains one
* <code>ResourceResult</code> object. The
* <code>ResourceResult</code> contains the policy decisions
* regarding the <code>resourceName</code> and its sub
* resources. If the scope is
* <code>ResourceResult.SELF_SCOPE</code>, the method will
* return a set object that contains one
* <code>ResourceResult</code> object.
* The <code>ResourceResult</code> contains the policy decision
* regarding the <code>resourceName</code> only.
*
* @param envParameters run-time environment parameters
*
* @return set of <code>ResourceResult</code> objects
*
* @throws SSOException if <code>token</code> is invalid
* @throws PolicyException for any other abnormal condition
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
* @see ResourceResult#SUBTREE_SCOPE
* @see ResourceResult#STRICT_SUBTREE_SCOPE
* @see ResourceResult#SELF_SCOPE
*
*
* @supported.api
*/
throws SSOException, PolicyException {
return (PolicyManager.isMigratedToEntitlementService()) ?
}
throws SSOException, PolicyException {
resultsSet = new HashSet();
} else {
}
return resultsSet;
}
throws SSOException, PolicyException {
envParameters = new HashMap();
}
boolean subTreeSearch = false;
subTreeSearch = true;
//resultsSet = getResourceResultTree(token, resourceName, scope,
// envParameters).getResourceResults();
/*
ResourceResult result = getResourceResultTree(token, resourceName,
scope, envParameters);
resultsSet = new HashSet();
resultsSet.add(result);*/
} else {
}
try {
// Parse the resource name before proceeding.
resultsSet = new HashSet();
if (!entitlements.isEmpty()) {
if (!subTreeSearch) {
} else {
new PolicyDecision());
}
}
}
} catch (Exception e) {
}
return resultsSet;
}
) throws PolicyException {
}
) throws PolicyException {
boolean isBooleanAction = true;
if (serviceType != null) {
try {
} catch (InvalidNameException inex) {
if (DEBUG.warningEnabled()) {
"entitlementToPolicyDecision:", inex);
}
}
}
if (isBooleanAction) {
if (values.booleanValue()) {
} else {
}
} else {
// Parse the action name to get the value
if (index != -1) {
} else {
}
}
}
} else {
}
// Determinte if the serviceType have boolean action values
if (serviceType != null) {
try {
} catch (InvalidNameException inex) {
if (DEBUG.warningEnabled()) {
"entitlementToPolicyDecision:", inex);
}
}
}
} else {
}
}
}
return pd;
}
/**
* Gets resource result given a resource name. <code>ResourceResult</code>
* is a tree representation of policy decisions for all resources rooted
* at the resource name.
* To determine whether a resource defined in the policy
* is a sub resource of argument resource name, argument resource name
* and policy resource name are compared, treating wild characters as
* literals. If comparison resulted in <code>EXACT_MACTH</code> or
* <code>SUB_RESOURCE_MACTH</code>, the resource would be included
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource
* @param scope indicates whether to compute the resource result based on
* the policy decision for only the <code>resourceName</code>
* or all the resources associated with the resource name.
* The valid scope values are:
* <ul>
* <li><code>ResourceResult.SUBTREE_SCOPE</code>
* <li><code>ResourceResult.STRICT_SUBTREE_SCOPE</code>
* <li><code>ResourceResult.SELF_SCOPE</code>
* </ul>
* If the scope is <code>ResourceResult.SUBTREE_SCOPE</code> or
* <code>ResourceResult.STRICT_SUBTREE_SCOPE</code>, the method
* will return a <code>ResourceResult</code> object that
* contains the policy decisions regarding the
* <code>resourceName</code> and its sub resources.
* If the scope is <code>ResourceResult.SELF_SCOPE</code>, the
* method will return a <code>ResourceResult</code> object that
* contains the policy decision regarding the
* <code>resourceName</code> only. Note, scope values
* <code>ResourceResult.SUBTREE_SCOPE</code> and
* <code>ResourceResult.STRICT_SUBTREE_SCOPE</code> are being
* treated as the same for backword compatibility reasons. This
* method is being deprecated. The method
* <code>getResourceResults()</code> should be used instead.
*
* @param envParameters run-time environment parameters
*
* @return <code>ResourceResult</code>.
*
* @throws SSOException if <code>token</code> is invalid
* @throws PolicyException for any other abnormal condition
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
* @see ResourceResult#SUBTREE_SCOPE
* @see ResourceResult#STRICT_SUBTREE_SCOPE
* @see ResourceResult#SELF_SCOPE
*
* @deprecated Use <code>getResourceResults()</code>
*
* @supported.api
*
*/
throws SSOException, PolicyException {
}
} else {
}
}
/**
* Gets resource result given a resource name. <code>ResourceResult</code>
* is a tree representation of policy decisions for all resources
* that are sub resources of argument resource name.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource
* @param scope indicates whether to compute the resource result based on
* the policy decision for only the <code>resourceName</code>
* or all the resources associated with the resource name.
* @param envParameters run-time environment parameters
*
* @return <code>ResourceResult</code>.
*
* @exception SSOException if <code>token</code> is invalid
* @exception PolicyException for any other abnormal condition
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
*
*/
throws PolicyException, SSOException {
if (DEBUG.messageEnabled()) {
+ " evaluation to self_scope");
}
}
}
// check if we already have the result in the cache
// policyResultsCache:
// serviceType -> resource -> sessionId -> scope -> result
synchronized(policyResultsCache) {
// rscCACHE: resource -> sessionId -> scope -> result
// resultCACHE: sessionId -> scope -> resourceResult
if (resultsCache != null) {
if (resourceResult != null) {
if (ttlMinimal > currentTime) {
//check envMap equality of request and cache
if (DEBUG.messageEnabled()) {
+ " getResourceResult(): we get the "
+ "result from the cache.\n"
+ resourceResult.toXML());
}
return resourceResult;
} else {
"PolicyEvaluator.getResourceesultTree()"
+ ":cached envMap does not equal "
+ "request envMap, request envMap = "
+ ", cachedEnv=" + cachedEnv
);
}
}
}
}
}
}
}
}
/* compute all action names if passed in actionNames is
null or empty */
}
if (DEBUG.messageEnabled()) {
+ " for resource : " + resourceName);
}
new PolicyDecision());
}
if (resourceNamesCache == null) {
}
if (resourceNames == null) {
if (DEBUG.messageEnabled()) {
+ resourceName);
}
// true indicates to follow referral
}
if (DEBUG.messageEnabled()) {
+ " for subresources : " + resourceNames);
}
while (resourceNameIter.hasNext()) {
subResourceName, false).equals(
}
}
}
// Do not cache policy decision with advices
if ( (resourceResult != null)
&& !resourceResult.hasAdvices()) {
// add the evaluation result to the result cache
//cacheElem: sessionId -> scope -> resourceResult
// serviceType -> resourceName -> sessionId -> scope -> resourceResult
synchronized(policyResultsCache) {
// rscElemCACHE: resourceName -> sessionId -> scope -> resourceResult
//CACHEElem: sessionId -> scope -> resourceResult
}
} else { // seeing the resource first time
"PolicyEvaluator.getResourceResultTree()"
+ " Create Cache for:"
+ ", resourceName=" + resourceName
+ ", sessionId=" + userSSOTokenIDStr
+ ", scope=" + scope);
}
}
} else { // seeing service for first time
// rscElemCACHE: resourceName -> sessionId -> scope -> resourceResult
//CACHEElem: sessionId -> scope -> resourceResult
"PolicyEvaluator.getResourceResultTree()"
+ " Create Cache for:"
+ ", resourceName=" + resourceName
+ ", sessionId=" + userSSOTokenIDStr
+ ", scope=" + scope
+ ", serviceType=" + serviceTypeName);
}
}
"PolicyEvaluator.getResourceResultTree()"
+ " Create Cache for:"
+ ", resourceName=" + resourceName
+ ", sessionId=" + userSSOTokenIDStr
+ ", scope=" + scope
}
}
userSSOTokenIDStr))) {
try {
} catch (SSOException se) {
+ "failed to add sso token listener");
}
if (DEBUG.messageEnabled()) {
+ " sso listener added .\n");
}
}
if (DEBUG.messageEnabled()) {
+ " result to the cache");
}
}
return resourceResult;
}
/**
* Gets resource names that are exact matches, sub resources or
* wild card matches of argument resource name.
* To determine whether to include a
* resource name of a resource, we compare argument resource name and
* policy resource name, treating wild characters in the policy
* resource name as wild. If the comparison resulted in
* <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
* <code>SUB_RESOURCE_MACTH</code>, the resource result would be
* included.
*
* @param token single sign on token
*
* @param resourceName resoure name
* @param followReferral indicates whether to follow the referrals
* defined in policies to compute resource names
* @return names of sub resources for the given <code>resourceName</code>.
* The return value would also include the
* <code>resourceName</code>.
*
* @exception SSOException if <code>token</code> is invalid
* @exception PolicyException for any other abnormal condition
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
*
*/
}
/**Gets resource names that are exact matches, sub resources or
* wild card matches of argument resource name.
* To determine whether to include a
* resource name of a resource, we compare argument resource name and
* policy resource name, treating wild characters in the policy
* resource name as wild. If the comparsion resulted in
* <code>EXACT_MATCH</code>, <code>WILD_CARD_MACTH</code> or
* <code>SUB_RESOURCE_MACTH</code>, the resource result would be
* included.
*
* @param token single sign on token
*
* @param resourceName resoure name
* @param followReferral indicates whether to follow the referrals
* defined in policies to compute resource names
* @param visitedOrgs organizations that were already visited to
* compute resource names
* @return names of sub resources for the given <code>resourceName</code>.
* The return value would also include the
* <code>resourceName</code>.
*
* @exception SSOException if <code>token</code> is invalid
* @exception PolicyException for any other abnormal condition
*
* @see ResourceMatch#EXACT_MATCH
* @see ResourceMatch#SUB_RESOURCE_MATCH
* @see ResourceMatch#WILDCARD_MATCH
*
*/
throws PolicyException, SSOException {
resourceName, true)); //include policies of super resources
while (policyIter.hasNext()) {
// policy could have been deleted
// true inidicates to follow referrals
serviceTypeName, resourceName, true);
if (pResourceNames != null) {
}
} else { // add policy names to toRemovePolicyNameSet
if (toRemovePolicyNameSet == null) {
toRemovePolicyNameSet = new HashSet();
}
if ( DEBUG.messageEnabled() ) {
+policyName+ " is inactive or non-existent");
}
}
}
if (toRemovePolicyNameSet != null) {
}
if ( DEBUG.messageEnabled() ) {
+ "realmAliasEnabled="
+ ", serviceTypeName=" + serviceTypeName);
}
}
serviceTypeName)) {
orgAlias);
if (orgWithAlias != null) {
if ( DEBUG.messageEnabled() ) {
+ "getgetResourceNames():"
+ "adding orgWithAlias to orgsToVisit="
+ orgWithAlias);
}
} else {
if ( DEBUG.messageEnabled() ) {
+ "getgetResourceNames():"
+ "no realm matched orgAlias:" + orgAlias);
}
}
}
}
while (!orgsToVisit.isEmpty() ) {
//resourceNames.add(resourceName);
try {
// need to use admin sso token here. Need all privileges to
// check for the organzation
} catch (NameNotFoundException nnfe) {
if( DEBUG.warningEnabled()) {
+ "getgetResourceNames():"
+ "Organization does not exist - "
+ "skipping referral to " + orgToVisit);
}
continue;
}
resourceName, true,
visitedOrgs));
}
return resourceNames;
}
/** Adds a policy listener that would be notified whenever a policy
* is added, removed or changed
*
* @param policyListener the listener to be added
*
* @supported.api
*/
}
/** Removes a policy listener that was previously registered
* to receive notifications whenever a policy is added, removed
* or changed. It is not an error to attempt to remove a listener
* that was not registered. It would return silently.
*
* @param policyListener the listener to be removed
*
* @supported.api
*/
}
/** Merges two policy decisions.
* Merging policy decisions merges each action decision of the
* policy with the corresponding action decision of the other
* policy. This method also merges ResponseProviderDecision of one
* policy ( response attributes per policy)
* with that of the other policy.
* These are the rules followed to merge each action decision:
* If the action schema has boolean syntax, boolean false value
* overrides boolean true value. The time to live of boolean false
* value overrides the time to live of boolean true value.
* Otherwise, action values are simply aggregated. Time to live
* is set to the minimum of time to live(s) of all values of the
* action.
* For response attributes, all response attributes are aggregated.
* In case of mutiple values for the same attribute
* they appear as multi valued data for the attribute.
* @param serviceType service type that would be consulted to merge the
* policy decisions
* @param pd1 policy decision 1
* @param pd2 policy decision 2
* @return the merged policy decision.
* Policy decisions pd1 and pd2 are merged into pd2 and
* pd2 is returned.
*/
action);
}
return pd2;
}
/** Gets a set of action names for which final values have been
* determined. We assume the final values have been determined
* for an action if the action schema syntax is boolean and
* the value is boolean false value
*
* @param serviceType service type that would be consulted to decide
* the final values for actions
* @param pd policy decision
*/
try {
}
} catch(InvalidNameException e) {
action, e );
}
}
}
return finalizedActions;
}
/**
* Gets names of organizations to visit for policy evaluation
* based on the give policy names. This is used to follow
* OrgReferral(s) defined in the policies
*
* @return names of organization to visit
* @exception SSOException if <code>token</code> is invalid
* @exception PolicyException for any other abnormal condition
*/
throws PolicyException, SSOException {
while ( policyNames.hasNext() ) {
}
}
return orgsToVisit;
}
/**
* This would be a costly operation.
* Can be avoided if ResourceName has api for getting canonical name.
* When the policies are stored, resource names would be converted to and
* stored as canonical name.
*/
boolean duplicate = false;
while (answerIter.hasNext()) {
answerResourceName, false)
duplicate = true;
break;
}
}
if (!duplicate) {
}
}
}
return answer;
}
/**
* Removes the <code>resourceName</code> from the <code>Set</code>
* of resource names matching on <code>serviceType</code> and
* performing a <code>ResourceMatch.EXACT_MATCH</code>
*/
&& (resourceName != null) ) {
}
}
}
return answer;
}
/**
* Handles policyChanged notifications - clears the cached resource
* names for the service type name
*
* @param serviceTypeName service type name
* @param pe policy event
*/
if (DEBUG.messageEnabled()) {
+ serviceTypeName);
}
return;
}
try {
synchronized(resourceNamesCache) {
while (resourceNames.hasMoreElements()) {
continue;
}
!= ResourceMatch.NO_MATCH) {
}
}
}
}
}
} catch (SSOException e) {
} catch (PolicyException pex) {
}
if (DEBUG.messageEnabled()) {
+ ", new cached resoruceNames="
}
}
/**
* Add an advice to the policy decision.
* @param pd <code>PolicyDecision</code> in which to add the advice.
* @param adviceKey key to the condition generating the advice
* like SessionCondition.SESSION_CONDITION_ADVICE,
* AuthSchemeCondition.AUTH_SCHEME_CONDITION_ADVICE
* @param adviceValue advice message to be added to the advice
*/
&& (pd.hasAdvices())) {
while (actionDecisionIter.hasNext()) {
}
}
}
}
}
/**
* Get the policy decision for a resource ignoring the subject
*/
/*
* Add request resourceName and request actionNames to the envParameters
* so that Condition(s)/ResponseProvider(s) can use them if necessary
*/
/* compute for all action names if passed in actionNames is
null or empty */
}
if (actionNames != null) {
}
//We create new HashMap in place of empty map since
//Collections.EMPTY_MAP can not be modified
}
new HashSet());
}
/**
* Get the set of role DNs of a user. The role DNs are cached to
* improve the performance of IdentityServerRole subject membership
* validation.
*
* @param token single sign on token of the user evaluating policies
*
* @return The set of user <code>nsRole</code> attribute values
*
* @exception SSOException single-sign-on token invalid or expired
* @exception PolicyException if an error occured while getting the
* user's nsRole attribute value set
*/
throws SSOException, PolicyException {
if (userNSRoleCacheTTL == 0) {
synchronized(userNSRoleCache) {
if (userNSRoleCacheTTL <= 0) {
if (DEBUG.warningEnabled()) {
+ " Set TTL to default:"
}
}
if (DEBUG.messageEnabled()) {
}
}
}
return null;
}
long timeToLive = 0;
}
if (timeToLive > currentTime) {
if (DEBUG.messageEnabled()) {
+ " get the nsRole values from cache.\n");
}
}
}
// add or update the cache entry.
// we come here either the token is first registered with the
// cache or the cache element is out of date.
try {
return null;
}
// get all the roles assigned to the user
if (staticRoles != null) {
}
if (filteredRoles != null) {
}
}
}
}
if (DEBUG.messageEnabled()) {
+ " added user nsRoles: " + roleSet);
}
if (DEBUG.messageEnabled()) {
+ " sso listener added .\n");
}
}
return roleSet;
} catch (AMException e) {
throw (new PolicyException(e));
}
}
/**
* record stats for policyResultsCache, ssoListenerRegistry,
* policyListenerRegistry, userNSRoleCache, resouceNamesMap
*/
int resultsCacheSize = 0;
synchronized (policyResultsCache) {
}
+ " resultsCache: " + resultsCacheSize);
+ " sessionListernerRgistry:"
+ ssoListenerRegistry.size());
+ " in policyListenerRegistry: "
+ policyListenerRegistry.size());
+ " resourceNames cache: "
+ resourceNamesMap.size());
}
}