PolicyEvaluator.java revision 6033fe2cfc1c391360277704d2c66456a33e9446
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: PolicyEvaluator.java,v 1.7 2009/10/21 23:50:46 dillidorai Exp $
*
* Portions Copyrighted 2013-2015 ForgeRock AS.
*/
/**
* This class provides methods to get policy decisions
* for clients of policy service.
* communicate with the Policy Service.
* Policy client API implementation caches policy decision locally.
* polling.
*
* @supported.api
*/
public class PolicyEvaluator {
/**
 * Client-side policy properties. In the visible code it is consulted for
 * {@code useRESTProtocol()} (protocol selection) and
 * {@code notificationEnabled()} (whether a remote policy listener is
 * registered); it is created in the init method below.
 */
private PolicyProperties policyProperties;
/**
 * Name of the service this evaluator was created for; assigned in init.
 */
private String serviceName;
/**
 * Not referenced in the code visible in this excerpt; presumably used to
 * validate user SSO tokens in the elided method bodies — confirm against
 * the full source.
 */
private SSOTokenManager ssoTokenManager;
/**
* Reference to singleton ResourceResultCache instance
*/
private ResourceResultCache resourceResultCache;
/**
* Logger object for access messages
* <p>
* NOTE(review): package-private, static and non-final. It is assigned lazily
* in logAccess behind a null check nested inside another null check; whether
* a synchronized block guards that assignment is not visible in this excerpt
* — confirm, since a racy double-checked init can leave two loggers in play.
*/
static Logger accessLogger;
/**
* Logger object for error messages
*/
static Logger errorLogger;
private static final String GET_RESPONSE_ATTRIBUTES
= "Get_Response_Attributes";
/**
 * Cached application single sign on token. The methods that read or refresh
 * it are elided in this excerpt; see getNewAppSSOToken for how a fresh one
 * is obtained.
 */
private SSOToken appSSOToken;
/*
* Number of attempts to make to server if policy decision received
* from server has expired ttl
*/
private final static int RETRY_COUNT = 3;
/**
 * Not referenced in the visible code; presumably the configured set of
 * actions for which access messages are written — confirm against the
 * full source.
 */
private String logActions;
/**
* Creates an instance of client policy evaluator
*
* @param serviceName name of the service for which to create
* policy evaluator.
* @param appSSOTokenProvider an object where application single sign on
* token can be obtained.
* @throws PolicyException if required properties cannot be retrieved.
* @throws SSOException if application single sign on token is invalid.
* <p>
* NOTE(review): the signature and most of the body are not present in this
* excerpt. What is visible: a null {@code serviceName} is logged at warning
* level and the constructor returns without throwing, so the caller gets an
* evaluator whose fields were never initialised instead of an error. Failing
* fast (for example with {@code PolicyException}) would stop a misconfigured
* PEP from proceeding with an unusable evaluator.
*/
throws PolicyException, SSOException {
if (debug.messageEnabled()) {
// appSSOTokenProvider is concatenated into the debug message; its toString()
// must not render the application token itself — verify in the provider.
+ "serviceName="+ serviceName
+ ":appSSOTokenProvider=" + appSSOTokenProvider);
}
if (serviceName == null) {
if (debug.warningEnabled()) {
+ "serviceName is null");
}
// Silent early return: nothing below runs and no exception reaches the caller.
return;
} //else do the following
}
/**
* Returns an instance of client policy evaluator
*
* @param serviceName name of the service for which to create
* policy evaluator.
* @param appSSOTokenProvider an object where application single sign on
* token can be obtained.
* @throws PolicyException if required properties cannot be retrieved.
* @throws SSOException if application single sign on token is invalid.
* <p>
* The signature and body are elided in this excerpt; presumably a static
* factory delegating to the constructor above — confirm.
*/
throws PolicyException, SSOException {
}
/**
* Initializes an instance of client policy evaluator object
*
* @param serviceName name of the service for which to create
* policy evaluator
* @param appSSOTokenProvider an object where application single sign on
* token can be obtained.
*
* @throws PolicyException if required properties cannot be retrieved.
* @throws SSOException if application single sign on token is invalid.
*
* <p>
* Visible steps: record the service name, load {@code PolicyProperties},
* set up the resource result cache, pick the REST or non-REST code path, and,
* when notifications are enabled, register a remote policy listener together
* with a shutdown hook that removes it again. The calls themselves are
* elided in this excerpt.
*/
throws PolicyException, SSOException {
this.serviceName = serviceName;
this.policyProperties = new PolicyProperties();
this.resourceResultCache
// Protocol selection: REST versus the other remote path; branch bodies elided.
if (policyProperties.useRESTProtocol()) {
} else {
}
}
if (policyProperties.notificationEnabled()) {
// register remote policy listener policy service
if (debug.messageEnabled()) {
+ "adding remote policy listener with policy "
+ "service " + serviceName);
}
if (policyProperties.useRESTProtocol()) {
} else {
}
// Add a hook to remove our listener on shutdown.
// Anonymous shutdown listener; the removal calls inside each branch are elided.
public void shutdown() {
if (policyProperties.useRESTProtocol()) {
if (debug.messageEnabled()) {
}
} else {
if (debug.messageEnabled()) {
}
}
}
});
}
if (debug.messageEnabled()) {
+ "initialized PolicyEvaluator");
}
}
/**
* Evaluates a simple privilege of boolean type. The privilege indicates
* if the user can perform specified action on the specified resource.
*
* @param token single sign on token of the user evaluating policies
* @param resourceName name of the resource the user is trying to access
* @param actionName name of the action the user is trying to perform on
* the resource
*
* @return the result of the evaluation as a boolean value
* @throws PolicyException if result could not be computed for any
* reason other than single sign on token problem.
* @throws SSOException if single sign on token is not valid
*
* <p>
* Signature and body are elided in this excerpt; presumably delegates to
* the overload that takes environment parameters — confirm.
*/
}
/**
* Evaluates simple privileges of boolean type. The privilege indicates
* if the user can perform specified action on the specified resource.
* The evaluation also depends on user's application environment parameters.
*
* @param token single sign on token of the user evaluating policies.
* @param resourceName name of the resource the user is trying to access
* @param actionName name of the action the user is trying to perform on
* the resource
* @param envParameters run time environment parameters
*
* @return the result of the evaluation as a boolean value
*
* @throws PolicyException if result could not be computed for
* reason other than single sign on token problem.
* @throws SSOException if single sign on token is not valid
*
* @supported.api
*/
if (debug.messageEnabled()) {
+ ":resourceName="+ resourceName
+ ":actionName=" + actionName
+ ":envParameters) : entering");
}
// Deny by default: the result only becomes true when the (partly elided)
// checks on the action value below explicitly allow it.
boolean actionAllowed = false;
.get(actionName);
&& (falseValue != null) ) {
actionAllowed = false;
actionAllowed = true;
}
}
}
} //else nothing to log
if (debug.messageEnabled()) {
+ ":resourceName=" + resourceName
+ ":actionName=" + actionName
+ ":returning: " + actionAllowed);
}
return actionAllowed;
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource.
*
* @param token single sign on token of the user evaluating policies.
* @param resourceName name of the resource the user is trying to access.
* @param actionNames Set of action names the user is trying to perform on
* the resource.
*
* @return policy decision
* @throws PolicyException if result could not be computed for any
* reason other than single sign on token problem.
* @throws SSOException if single sign on token is not valid
* <p>
* Signature and body are elided in this excerpt; presumably delegates to
* the overload that takes environment parameters — confirm.
*/
throws PolicyException, SSOException {
}
/**
* Evaluates privileges of the user to perform the specified actions
* on the specified resource. The evaluation also depends on user's
* run time environment parameters.
*
* @param token single sign on token of the user evaluating policies.
* @param resourceName name of the resource the user is trying to access
* @param actionNames Set of action names the user is trying to perform on
* the resource.
* @param envParameters run-time environment parameters
* @return policy decision
* @throws PolicyException if result could not be computed for any
* reason other than single sign on token problem.
* @throws SSOException if single sign on token is invalid or expired.
*
* @supported.api
*/
throws PolicyException, SSOException {
//validate the token
if (debug.messageEnabled()) {
+ ":resourceName=" + resourceName
}
//We need to normalize the resourcename before sending off the policy request to ensure the policy is evaluated
//for the correct resource.
// The evaluation call is elided. On InvalidAppSSOTokenException the log text
// indicates a new application token is obtained and, when notifications are
// enabled, the remote listener is re-registered; whether the evaluation is
// then retried is not visible here — confirm, since the method returns pd
// unconditionally below.
try {
} catch (InvalidAppSSOTokenException e) {
if (debug.warningEnabled()) {
+ "InvalidAppSSOTokenException occured:"
+ "getting new appssotoken");
}
if (policyProperties.notificationEnabled()) {
if (debug.warningEnabled()) {
+ "InvalidAppSSOTokenException occured:"
+ "reRegistering remote policy listener");
}
}
}
if (debug.messageEnabled()) {
+ ":resourceName=" + resourceName
+ ":actionNames=" + actionNames
}
} //else nothing to log
return pd;
}
/**
* Returns the application single sign on token, this token will be
* passed while initializing the <code>PolicyEvaluator</code> or
* if the application session token currently being used by
* this <code>PolicyEvaluator</code> has expired
*
* @return a valid application single sign on token.
* <p>
* NOTE(review): the two branches (provider present / absent) contain the
* same retry-on-expired-token shape and the same handling of
* {@code SSOException}, which is only logged at warning level; what
* {@code token} holds after a swallowed exception is not visible in this
* excerpt. The "cannot obtain application SSO token" message near the end
* presumably belongs to an exception raised when no token was obtained —
* confirm that a null token can never be returned.
*/
if (debug.messageEnabled()) {
+ "entering");
}
if (appSSOTokenProvider != null) {
try {
if (debug.messageEnabled()) {
+ "AdminTokenAction returned "
+ " expired token, trying again");
}
}
} catch (SSOException e) {
if (debug.warningEnabled()) {
+ "could not refresh session:", e);
}
}
} else {
try {
if (debug.messageEnabled()) {
+ "AdminTokenAction returned "
+ " expired token, trying again");
}
}
} catch (SSOException e) {
if (debug.warningEnabled()) {
+ "could not refresh session:", e);
}
}
}
+ "cannot obtain application SSO token");
}
if (debug.messageEnabled()) {
+ "returning token");
}
return token;
}
/**
* Logs an access message from policy client api
* @param level logging level
* @param message message string
* @param token single sign on token of user
* <p>
* NOTE(review): both failure paths visible here (logger could not be created,
* and the elided catch that logs "writing access logs") only emit a warning
* on the debug channel and then continue, so a broken access logger silently
* drops audit records. Consider routing that condition to errorLogger as
* well so the gap is visible to operators.
*/
try {
if (accessLogger == null) {
if (accessLogger == null) {
if (debug.warningEnabled()) {
+ "Failed to create Logger");
}
return;
}
}
if (debug.warningEnabled()) {
+ " writing access logs");
}
}
}
/**
* Returns application single sign on token provider
*
* @return <code>AppSSOTokenProvider</code> Object.
*/
return appSSOTokenProvider;
}
/**
* Gets names of policy advices that could be handled by OpenAM
* if PEP redirects user agent to OpenAM. If the server reports
* an error indicating the app sso token provided was invalid,
* new app sso token is obtained from app
* sso token provider and another attempt is made to get policy advices
*
* @param refetchFromServer indicates whether to get the values fresh
* from OpenAM or return the values from local cache
* @return names of policy advices that could be handled by OpenAM
* Enterprise if PEP redirects user agent to OpenAM.
* @throws InvalidAppSSOTokenException if the server reported that the
* app sso token provided was invalid
* @throws PolicyEvaluationException if the server reported any other error
* @throws PolicyException if there are problems in policy module
* while getting the result
* @throws SSOException if there are problems with sso token
* while getting the result
* <p>
* Retry shape visible here: one retry on {@code InvalidAppSSOTokenException},
* and one retry when a {@code PolicyException} wraps a
* {@code SessionException}; any other {@code PolicyException} is rethrown
* unchanged. The retry calls themselves are elided, so a failure of the
* retry presumably propagates as documented in the throws clauses.
*/
if (debug.messageEnabled()) {
+ "refetchFromServer=" + refetchFromServer);
}
try {
} catch (InvalidAppSSOTokenException e) {
//retry with new app sso token
if (debug.warningEnabled()) {
+ "got InvalidAppSSOTokenException, "
+ " retrying with new app token");
}
} catch (PolicyException pe) {
// nestedException is extracted from pe in an elided line.
if ((nestedException != null)
&& (nestedException instanceof SessionException)) {
//retry with new app sso token
if (debug.warningEnabled()) {
+ "got SessionException, "
+ " retrying with new app token");
}
} else {
throw pe;
}
}
if (debug.messageEnabled()) {
+ " Returning advicesHandleableByAM="
}
return advicesHandleableByAM;
}
/**
* Returns XML string representation of advice map contained in the
* actionDecision. This is a convenience method for use by PEP.
*
* @param actionDecision actionDecision that contains the
* advices
* @return XML string representation of advice map contained in the
* actionDecision subject to the following rule. If the
* actionDecision is null, the return value would be null.
* Otherwise, if the actionDecision does not contain any advice,
* the return value would be null. Otherwise, actionDecision contains
* advices. In this case, if the advices contains at least one advice
* name that could be handled by AM, the complete advices element is
* serialized to XML and the XML string is returned. Otherwise, null
* is returned.
* @throws PolicyException for any abnormal condition encountered in
* policy module
* @throws SSOException for any abnormal condition encountered in
* session module
*/
throws PolicyException, SSOException {
if(debug.messageEnabled()) {
}
// matchFound becomes true at the first advice key that is also in the
// handleable set; the loop then breaks, so the whole advices element is
// serialized (in the elided block below) as soon as one key matches.
boolean matchFound = false;
if (actionDecision != null) {
}
//false : use cached value
if(debug.messageEnabled()) {
+ " handleableAdvices = " + handleableAdvices);
}
&& (handleableAdvices !=null)
&& (!handleableAdvices.isEmpty()) ) {
if(debug.messageEnabled()) {
+ " adviceKeys = " + adviceKeys);
}
matchFound = true;
if(debug.messageEnabled()) {
+ " matchFound = " + matchFound);
+ " common key = " + adviceKey);
}
break;
}
}
}
if (matchFound) {
}
if(debug.messageEnabled()) {
+ " returning, compositeAdvcie = " + compositeAdvice);
}
return compositeAdvice;
}
/**
* Registers this client again with policy service to get policy
* change notifications
*
* @param appToken application sso token to use while registering with
* policy service to get notifications
*
* <p>
* Per the in-body comment, the local policy decision cache is cleared after
* re-registration, so decisions cached while notifications may have been
* missed are not served again. The registration and cache-clearing calls
* are elided in this excerpt.
*/
throws PolicyException {
if (debug.messageEnabled()) {
+ "entering");
}
true); //reRegister
//clear policy decision cache
if (debug.messageEnabled()) {
+ "returning");
}
}
}