8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: AMIdentitySubject.java,v 1.3 2008/06/25 05:43:50 qcheng Exp $
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell * Portions Copyrighted 2011-2016 ForgeRock AS.
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnellimport com.iplanet.sso.SSOTokenListenersUnsupportedException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.NameNotFoundException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.InvalidNameException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.SubjectEvaluationCache;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Subject;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.security.AdminTokenAction;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * AMIdentitySubject is a <code>Subject</code> implementation that checks for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * membership in a set of <code>AMIdentity</code> objects using the underlying
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Identity repository service.
8ac02ff33c6b51ef72b5605b99434ccda7d74a0aPhill Cunnington * @deprecated Use {@link org.forgerock.openam.entitlement.conditions.subject.IdentitySubject} instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class AMIdentitySubject implements Subject {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static Debug debug = Debug.getInstance(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Constructs an <code>AMIdentitySubject</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Initialize the AMIdentitySubject object by using the configuration
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * information passed by the Policy Framework.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This implementation does not need anything from <code>configParams
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code>, so it performs no operation.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param configParams configuration parameters as a <code>Map</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if an error occurred during
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * initialization of <code>Subject</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void initialize(Map configParams) throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the syntax of the values the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AMIdentitySubject</code> implementation can have.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.Syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Syntax</code> of the values in this plugin.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It returns <code>Syntax.MULTIPLE_CHOICE</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>SSOToken</code> is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * valid names.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Syntax</code> of the values for the <code>Subject</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Syntax getValueSyntax(SSOToken token) throws SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if <code>SSOToken</code> is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: The AMIdentitySubject plugin does not support this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * functionality and in turn throws unsupported
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyException</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ValidValues getValidValues(SSOToken token) throws
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> that matches the pattern.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * NOTE: The AMIdentitySubject plugin does not support this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * functionality and in turn throws unsupported
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>PolicyException</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ValidValues getValidValues(SSOToken token, String pattern)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "am_id_subject_does_not_support_getvalidvalues", null, null));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the display name for the value for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For all the valid values obtained through the methods
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>getValidValues</code> this method must be called
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by GUI and CLI to get the corresponding display name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be used by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * plugin to customize the display name for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be <code>null</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in which case the plugin must use the default locale (most probably
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Alternatively, if the plugin does not have to localize
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value, it can just return the <code>value</code> as is.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param value one of the valid value for the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param locale locale for which the display name must be customized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the given <code>value</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not one of the valid values for the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getDisplayNameForValue(String value, Locale locale)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the values that were set using the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method <code>setValues</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of values that have been set for the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * collection
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the values identifying <code>AMIdentity</code> objects on which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * membership would be checked
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param names <code>universalId(s)</code> of <code>AMIdentity</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * objects on which memberships would be checked
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the given names are not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setValues(Set names) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidNameException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "amidentity_subject_invalid_subject_values", null, null,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubejct set subjectValues to: "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Determines if the user is a member of this instance of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Subject</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single sign on token of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the user is member of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * this subject; <code>false</code> otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if an error occurred while
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * checking if the user is a member of this subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"tokenID is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"userDN is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean subjectMatch = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /* Actually this is universal id of AMIdentity object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String subjectValue = (String)valueIter.next();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "checking membership with userDN = " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((matchFound = SubjectEvaluationCache.isMember(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster tokenID, "AMIdentitySubject" ,subjectValue)) != null) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "got membership from SubjectEvaluationCache "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIndentitySubject.isMember(): "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " returning membership status = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // got here so entry not in subject evalauation cache
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject:isMember():entry for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"cache, so compute using IDRepo api");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity subjectIdentity = IdUtils.getIdentity(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "subjectIdentity is null for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentity tmpIdentity = IdUtils.getIdentity(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String univId = IdUtils.getUniversalId(tmpIdentity);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity is null");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "returning false");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "user uuid = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + ", subject uuid = "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster IdType subjectIdType = subjectIdentity.getType();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "userIdentity equals subjectIdentity:"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "membership=true");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster subjectMatch = userIdentity.isMember(subjectIdentity);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " can be a member of "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster " can not be a member of "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember: adding "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"entry in SubjectEvaluationCache for "
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell token.addSSOTokenListener(PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell SubjectEvaluationCache.addEntry(tokenID, "AMIdentitySubject", subjectValue, subjectMatch);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("AMIdentitySubject.isMember(): sso listener added");
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell } catch (SSOTokenListenersUnsupportedException ex) {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell // Catching exception to avoid adding tokenID to SubjectEvaluationCache and ssoListenerRegistry
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("AMIdentitySubject.isMember(): could not add sso listener: {}", ex.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "can not check membership for user "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "am_id_subject_membership_evaluation_error", args,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember(): user " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is not a member of this subject");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("AMIdentitySubject.isMember(): User " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is a member of this subject");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Return a hash code for this <code>AMIdentitySubject</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a hash code for this <code>AMIdentitySubject</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Indicates whether some other object is "equal to" this one.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param o another object that will be compared with this one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if equal; <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (o instanceof AMIdentitySubject) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMIdentitySubject subject = (AMIdentitySubject) o;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return(subjectValues.equals(subject.subjectValues));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Creates and returns a copy of this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // this should never happen
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method returns an admin <code>SSOToken</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which can be used to perform privileged operations.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private SSOToken getAdminToken() throws SSOException{
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster SSOToken token = (SSOToken) AccessController.doPrivileged(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ResBundleUtils.rbName, "invalid_admin", null, null)));