8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * opensso/legal/CDDLv1.0.txt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * at opensso/legal/CDDLv1.0.txt.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: AuthLevelCondition.java,v 1.9 2009/05/26 08:06:23 kiran_gonipati Exp $
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington/*
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * Portions Copyright 2014 ForgeRock AS
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpackage com.sun.identity.policy.plugins;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.util.AMAuthUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Condition;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ConditionDecision;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ResBundleUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.Syntax;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOToken;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.shared.debug.Debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Set;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Map;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashMap;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Iterator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Locale;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.List;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.ArrayList;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Collections;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This class <code>AuthLevelCondition</code> is a plugin implementation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of <code>Condition</code> interface. This condition would imply policy
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * applies if the <code>requestAuthLevel</code> is greater than or equal to the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthLevel</code> set in the Condition. <code>requestAuthLevel</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is looked up from <code>env </code> map passed in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>getConditionDecision()</code> call. If it is not found in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>env</code> map, <code>AuthLevel</code> is looked up from single sign on
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * token.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * @deprecated Use {@link org.forgerock.openam.entitlement.conditions.environment.AuthLevelCondition} instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington@Deprecated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpublic class AuthLevelCondition implements Condition {
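// Debug logger obtained under PolicyManager.POLICY_DEBUG_NAME.
private static final Debug DEBUG
        = Debug.getInstance(PolicyManager.POLICY_DEBUG_NAME);

// Property map as handed to setProperties(Map); stored by reference, not copied.
private Map properties;
// Configured AUTH_LEVEL value as supplied, possibly qualified with a realm name.
private String authLevel; //realmQualifiedLevel
// Realm part of authLevel, as returned by
// AMAuthUtils.getRealmFromRealmQualifiedData.
private String authRealm;
// Integer part of authLevel. getConditionDecision() compares the request's
// level against this threshold, and it stays 0 until a level has been parsed.
private int authLevelInt;

// Property names understood by this condition. The reference is final so the
// list cannot be swapped for another one; getPropertyNames() returns copies.
private static final List propertyNames = new ArrayList(1);

static {
    propertyNames.add(AUTH_LEVEL);
}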
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** No argument constructor
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public AuthLevelCondition() {
    // Nothing to initialise here: the level to enforce is supplied later
    // through setProperties(Map).
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of property names for the condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return list of property names
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public List getPropertyNames() {
    // Return a fresh copy so callers cannot modify the shared static list.
    final List names = new ArrayList(propertyNames.size());
    names.addAll(propertyNames);
    return names;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the syntax for a property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.Syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property property name
 * @return <code>Syntax</code> for the property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public Syntax getPropertySyntax(String property) {
    // The argument is not inspected: every property name maps to Syntax.NONE.
    final Syntax syntax = Syntax.NONE;
    return syntax;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the display name for the property name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be used by the plugin to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * customize the display name for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be <code>null</code>, in which
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * case the plugin must use the default locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property property name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param locale locale for which the property name must be customized.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return display name for the property name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if unable to get display name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public String getDisplayName(String property, Locale locale)
        throws PolicyException {
    // Neither argument is consulted: the display name is the empty string
    // for every property and locale.
    final String displayName = "";
    return displayName;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a set of valid values given the property name. This method
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is called if the property Syntax is either the SINGLE_CHOICE or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * MULTIPLE_CHOICE.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param property property name
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>Set</code> of valid values for the property.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the Syntax.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public Set getValidValues(String property) throws PolicyException {
    // Always the shared immutable empty set, whatever the property name.
    final Set noValues = Collections.EMPTY_SET;
    return noValues;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Sets the properties of the condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Evaluation of <code>ConditionDecision</code> is influenced by these
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * properties.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param properties the properties of the condition that governs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * whether a policy applies. The properties should
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * define value for the key <code>AUTH_LEVEL</code>. The value
 * should be a Set with only one element. The element should be
 * a String, parseable as an integer or an integer qualified with
 * realm name. Please note that properties is not cloned by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the method.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if properties is null or does not contain
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * value for the key <code>AUTH_LEVEL</code> or the value of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * key is not a Set with one String element that is parse-able as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * an integer
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #getConditionDecision(SSOToken, Map)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
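public void setProperties(Map properties) throws PolicyException {
    // Snapshot the current configuration. If the new map is rejected, the
    // condition must keep enforcing the previous level, and getProperties()
    // must keep agreeing with what is enforced.
    final Map previousProperties = this.properties;
    final String previousAuthLevel = this.authLevel;
    final String previousAuthRealm = this.authRealm;
    final int previousAuthLevelInt = this.authLevelInt;

    // Any Map implementation is accepted. The earlier (HashMap) cast threw
    // ClassCastException for other implementations although the signature
    // takes a Map. The map is stored by reference, as documented.
    this.properties = properties;

    boolean accepted = false;
    try {
        // validateProperties() reads this.properties and, on success, updates
        // authLevel, authRealm and authLevelInt.
        validateProperties();
        accepted = true;
    } finally {
        if (!accepted) {
            // Roll back on PolicyException and on runtime failures alike
            // (for example a value of an unexpected type).
            this.properties = previousProperties;
            this.authLevel = previousAuthLevel;
            this.authRealm = previousAuthRealm;
            this.authLevelInt = previousAuthLevelInt;
        }
    }
}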
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /** Gets the properties of the condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return unmodifiable map view of properties that govern the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * evaluation of the condition decision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #setProperties(Map)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
public Map getProperties() {
    if (properties == null) {
        return null;
    }
    // Read-only view of the map itself; the value Sets it holds are not
    // wrapped and stay as mutable as the caller supplied them.
    return Collections.unmodifiableMap(properties);
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Gets the decision computed by this condition object, based on the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * map of environment parameters
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single-sign-on token of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param env request specific environment map of key/value pairs
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AuthLevelCondition</code> looks for value of key
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>REQUEST_AUTH_LEVEL</code> in the map. The value should be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * an Integer or a set of <code>String</code>s.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If it is a <code>Set</code> of <code>String</code>s, each element
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the set has to be parseable as integer or should be a realm
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * qualified integer. If the <code>env</code> parameter is null or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * does not define value for <code>REQUEST_AUTH_LEVEL</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value for <code>REQUEST_AUTH_LEVEL</code> is obtained from
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the single sign on token of the user.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return the condition decision. The condition decision encapsulates
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * whether a policy applies for the request and advice messages
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * generated by the condition.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
 * The decision would imply policy is
 * applicable if <code>REQUEST_AUTH_LEVEL</code> is greater than or equal to
 * <code>AUTH_LEVEL</code>. If <code>AUTH_LEVEL</code> is
 * qualified with a realm name, <code>REQUEST_AUTH_LEVEL</code>
 * values only with the matching realm name are compared. If the
 * policy is not applicable as determined by the
 * <code>Condition</code>, an <code>Advice</code> would be
 * included in the <code>ConditionDecision</code> with key
 * <code>AUTH_LEVEL_CONDITION_ADVICE</code> and value corresponding to
 * <code>AUTH_LEVEL</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Policy framework continues evaluating a policy only if it applies
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to the request as indicated by the <code>ConditionDecision</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Otherwise, further evaluation of the policy is skipped.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * However, the <code>Advice</code>s encapsulated in the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>ConditionDecision</code> are aggregated and passed up, encapsulated
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the <code>PolicyDecision</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws PolicyException if the condition has not been initialized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with a successful call to <code>setProperties(Map)</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * and/or the value of <code>REQUEST_AUTH_LEVEL</code> could not
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * be determined.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @throws SSOException if the token is invalid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #setProperties(Map)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #REQUEST_AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.ConditionDecision
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.authentication.util.AMAuthUtils
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * #getAuthenticatedLevels(SSOToken)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.authentication.util.AMAuthUtils
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * #getRealmQualifiedAuthenticatedLevels(SSOToken)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
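public ConditionDecision getConditionDecision(SSOToken token, Map env)
        throws PolicyException, SSOException {
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getConditionDecision():"
                + "entering");
    }

    // Fail closed when no level was ever configured. Otherwise authLevelInt
    // keeps its default of 0 and any request level >= 0 would satisfy the
    // condition. The method contract documents a PolicyException for an
    // uninitialised condition.
    if ((properties == null) || (authLevel == null)) {
        throw new PolicyException(
                ResBundleUtils.rbName,
                "properties_can_not_be_null_or_empty", null, null);
    }

    // Integer.MIN_VALUE means "no request level found yet".
    int maxRequestAuthLevel = Integer.MIN_VALUE;
    if (env != null) {
        // A null env is documented as allowed, so only consult it when present.
        maxRequestAuthLevel = getMaxRequestAuthLevel(env);
    }
    if ((maxRequestAuthLevel == Integer.MIN_VALUE) && (token != null)) {
        // Nothing usable in env: fall back to the levels recorded on the token.
        maxRequestAuthLevel = getMaxRequestAuthLevel(token);
    }

    // The policy applies only when the request's level reaches the
    // configured threshold.
    final boolean allowed = maxRequestAuthLevel >= authLevelInt;

    Map advices = new HashMap();
    if (!allowed) {
        // Tell the caller which (possibly realm qualified) level is required.
        Set adviceMessages = new HashSet(1);
        adviceMessages.add(authLevel);
        advices.put(AUTH_LEVEL_CONDITION_ADVICE, adviceMessages);
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("At AuthLevelCondition.getConditionDecision():"
                + "authLevel=" + authLevel
                + ",maxRequestAuthLevel=" + maxRequestAuthLevel
                + ",allowed = " + allowed
                + ",advices=" + advices);
    }
    return new ConditionDecision(allowed, advices);
}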
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a copy of this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
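public Object clone() {
    final AuthLevelCondition theClone;
    try {
        // Field-by-field copy: authLevel, authRealm and authLevelInt carry over.
        theClone = (AuthLevelCondition) super.clone();
    } catch (CloneNotSupportedException e) {
        // this should never happen
        throw new InternalError();
    }
    if (properties != null) {
        // Give the clone its own map and its own value Sets, so that later
        // changes to one instance's properties do not reach the other.
        final Map copiedProperties = new HashMap();
        for (Iterator it = properties.entrySet().iterator(); it.hasNext();) {
            final Map.Entry entry = (Map.Entry) it.next();
            final Set values = (Set) entry.getValue();
            // A key may be mapped to null; copy it as null instead of
            // failing with a NullPointerException.
            copiedProperties.put(entry.getKey(),
                    (values == null) ? null : new HashSet(values));
        }
        theClone.properties = copiedProperties;
    }
    return theClone;
}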
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method validates the properties set using the <code>setProperties
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> method. It checks for the presence of the required key
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>AUTH_LEVEL</code>, validates it and also makes sure no other
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * invalid key is being set.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
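private boolean validateProperties() throws PolicyException {
    if ( (properties == null) || ( properties.keySet() == null) ) {
        throw new PolicyException(
                ResBundleUtils.rbName,
                "properties_can_not_be_null_or_empty", null, null);
    }

    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.setProperties(),"
                + "properties=" + properties);
    }

    Set keySet = properties.keySet();
    //Check if the required key(s) are defined
    if ( !keySet.contains(AUTH_LEVEL) ) {
        String args[] = { AUTH_LEVEL };
        throw new PolicyException(
                ResBundleUtils.rbName,"property_value_not_defined", args,
                null);
    }

    //Check if all the keys are valid
    Iterator keys = keySet.iterator();
    while ( keys.hasNext()) {
        // Compare as Object so that a non-String key is reported as an
        // invalid property instead of surfacing as a ClassCastException.
        Object key = keys.next();
        if ( !AUTH_LEVEL.equals(key) ) {
            String args[] = { String.valueOf(key) };
            // NOTE(review): the message key below ends with a space; confirm
            // it matches the entry in the resource bundle.
            throw new PolicyException(
                    ResBundleUtils.rbName,
                    "attempt_to_set_invalid_property ",
                    args, null);
        }
    }

    //validate AUTH_LEVEL
    Set authLevelSet = (Set) properties.get(AUTH_LEVEL);
    if ( authLevelSet == null ) {
        // The key is present but maps to null. Accepting that would report
        // success while leaving authLevelInt at its previous or default
        // value, so the condition would enforce a level that was never
        // configured.
        String args[] = { AUTH_LEVEL };
        throw new PolicyException(
                ResBundleUtils.rbName,"property_value_not_defined", args,
                null);
    }
    validateAuthLevels(authLevelSet);

    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.setProperties(),"
                + "authLevel=" + authLevel
                + ",authRealm=" + authRealm
                + ",authLevelInt=" + authLevelInt);
    }
    return true;
}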
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster /**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method validates the auth levels set using the <code>setProperties
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> method. It is called from validateProperties() method.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * It validates <code>AUTH_LEVEL</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see #AUTH_LEVEL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
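private boolean validateAuthLevels(Set authLevelSet)
        throws PolicyException {
    // Exactly one value is allowed for AUTH_LEVEL.
    if ( authLevelSet.isEmpty() || ( authLevelSet.size() > 1 ) ) {
        String args[] = { AUTH_LEVEL };
        throw new PolicyException(
                ResBundleUtils.rbName,
                "property_does_not_allow_empty_or_multiple_values",
                args, null);
    }

    // Parse into locals first. The fields are written only after the whole
    // value has been accepted, so a malformed level cannot leave authLevel
    // (reported in advices) out of step with authLevelInt (the threshold
    // actually enforced).
    final String candidateLevel = (String) authLevelSet.iterator().next();
    String candidateRealm;
    int candidateLevelInt;
    try {
        candidateRealm
                = AMAuthUtils.getRealmFromRealmQualifiedData(candidateLevel);
        String authLevelIntString
                = AMAuthUtils.getDataFromRealmQualifiedData(candidateLevel);
        candidateLevelInt = Integer.parseInt(authLevelIntString);
    } catch (NumberFormatException e) {
        String args[] = { AUTH_LEVEL };
        throw new PolicyException(
                ResBundleUtils.rbName, "property_is_not_an_Integer",
                args, null);
    }

    authLevel = candidateLevel;
    authRealm = candidateRealm;
    authLevelInt = candidateLevelInt;
    return true;
}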
/**
 * Gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
 * property in the environment Map.
 * @see #REQUEST_AUTH_LEVEL
 */
private int getMaxRequestAuthLevel(Map env)
        throws PolicyException {
    /*
     * Returns the highest auth level found under REQUEST_AUTH_LEVEL in env,
     * or Integer.MIN_VALUE when env holds no entry that counts.
     *
     * Accepted value shapes:
     *   - Integer: an unqualified level. It is used only when this condition
     *     has no authRealm; with an authRealm set it is ignored.
     *   - Set: every element must be a String and is parsed by getAuthLevel.
     *     With an authRealm set, only entries whose realm part equals
     *     authRealm can raise the result.
     * Any other non-null value, or a non-String Set element, raises
     * PolicyException.
     *
     * NOTE(review): the level is taken from env at face value. Presumably env
     * is built by a trusted enforcement point rather than copied from request
     * data - confirm against the callers.
     */
    final boolean anyRealm = (authRealm == null) || (authRealm.length() == 0);
    int highest = Integer.MIN_VALUE;

    if (DEBUG.messageEnabled()) {
        // NOTE(review): this prints the whole env map; check what else the
        // map can carry before enabling message-level debug in production.
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                + "envMap,realm): entering: envMap= " + env
                + ", authRealm= " + authRealm
                + ", conditionAuthLevel= " + authLevel);
    }

    Object requested = env.get(REQUEST_AUTH_LEVEL);
    if (requested instanceof Integer) {
        // An Integer carries no realm, so it cannot be matched to authRealm.
        if (anyRealm) {
            highest = ((Integer) requested).intValue();
            if (DEBUG.messageEnabled()) {
                DEBUG.message("AuthLevelCondition."
                        +"getMaxRequestAuthLevel():Integer level in env= "
                        + highest);
            }
        }
    } else if (requested instanceof Set) {
        for (Iterator it = ((Set) requested).iterator(); it.hasNext();) {
            Object element = it.next();
            if (!(element instanceof String)) {
                if (DEBUG.warningEnabled()) {
                    DEBUG.warning("AuthLevelCondition."
                            + "getMaxRequestAuthLevel():"
                            + "requestAuthLevel Set element"
                            + " not String");
                }
                throw new PolicyException(
                        ResBundleUtils.rbName,
                        "request_authlevel_in_env_set_element_not_string",
                        null, null);
            }
            String qualifiedLevel = (String) element;
            // Parsed before the realm filter: a malformed entry fails the
            // whole evaluation even when it belongs to another realm.
            int candidate = getAuthLevel(qualifiedLevel);
            if (anyRealm || authRealm.equals(
                    AMAuthUtils.getRealmFromRealmQualifiedData(
                            qualifiedLevel))) {
                highest = Math.max(highest, candidate);
            }
        }
    } else if (requested != null) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("AuthLevelCondition.getMaxRequestAuthLevel():"
                    + "requestAuthLevel in env neither"
                    + " Integer nor Set");
        }
        throw new PolicyException(
                ResBundleUtils.rbName,
                "request_authlevel_in_env_not_Integer_or_set",
                null, null);
    }

    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                + "): returning: maxAuthLevel=" + highest);
    }
    return highest;
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
 * property in the SSO token.
 * @see #REQUEST_AUTH_LEVEL
 */
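private int getMaxRequestAuthLevel(SSOToken token)
        throws PolicyException, SSOException {
    /*
     * Returns the highest auth level obtained for the token through
     * AMAuthUtils, or Integer.MIN_VALUE when there is none.
     *
     * Without an authRealm, all levels from getAuthenticatedLevels count.
     * With an authRealm, only realm-qualified levels whose realm part equals
     * authRealm count; entries for other realms are skipped without being
     * parsed.
     *
     * A null token yields Integer.MIN_VALUE on both paths. The original
     * guarded only the realm-qualified path and passed a null token straight
     * to AMAuthUtils.getAuthenticatedLevels on the other.
     *
     * Throws PolicyException (from getAuthLevel) when a level is not an
     * integer. SSOException is declared, presumably for the AMAuthUtils
     * token lookups - confirm.
     */
    int maxAuthLevel = Integer.MIN_VALUE;
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                + "token,authRealm): entering:"
                + " authRealm = " + authRealm
                + ", conditionAuthLevel= " + authLevel);
    }
    if ((authRealm == null) || authRealm.length() == 0) {
        Set levels = null;
        if (token != null) {
            levels = AMAuthUtils.getAuthenticatedLevels(token);
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                    + "): levels from token= "
                    + levels);
        }
        if (levels != null) {
            for (Iterator iter = levels.iterator(); iter.hasNext();) {
                int level = getAuthLevel((String) iter.next());
                maxAuthLevel = Math.max(maxAuthLevel, level);
            }
        }
    } else {
        Set qualifiedLevels = null;
        if (token != null) {
            qualifiedLevels =
                    AMAuthUtils.getRealmQualifiedAuthenticatedLevels(token);
        }
        if (DEBUG.messageEnabled()) {
            DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                    + "): qualifiedLeves from token= "
                    + qualifiedLevels);
        }
        if (qualifiedLevels != null) {
            for (Iterator iter = qualifiedLevels.iterator();
                    iter.hasNext();) {
                String qualifiedLevel = (String) iter.next();
                String realm = AMAuthUtils.getRealmFromRealmQualifiedData(
                        qualifiedLevel);
                // Only levels earned in the condition's realm may satisfy it.
                if (authRealm.equals(realm)) {
                    maxAuthLevel = Math.max(maxAuthLevel,
                            getAuthLevel(qualifiedLevel));
                }
            }
        }
    }
    if (DEBUG.messageEnabled()) {
        DEBUG.message("AuthLevelCondition.getMaxRequestAuthLevel("
                + "): returning:"
                + " maxAuthLevel= " + maxAuthLevel);
    }
    return maxAuthLevel;
}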
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
/**
 * Extracts the integer auth level from a realm-qualified
 * (realm:level) String.
 */
private int getAuthLevel(String qualifiedLevel)
        throws PolicyException {
    /*
     * Parses the data part of a realm-qualified level string, as returned by
     * AMAuthUtils.getDataFromRealmQualifiedData, into an int.
     *
     * Throws PolicyException ("auth_level_not_integer"), with the
     * NumberFormatException as cause, when that part is not a valid integer.
     * Integer.parseInt also rejects null, so a null data part takes the same
     * path. No range check is applied: any value parseInt accepts, negative
     * numbers included, is returned as-is.
     */
    String levelString
            = AMAuthUtils.getDataFromRealmQualifiedData(qualifiedLevel);
    try {
        return Integer.parseInt(levelString);
    } catch (NumberFormatException nfe) {
        if (DEBUG.warningEnabled()) {
            DEBUG.warning("AuthLevelCondition.getAuthLevel(qualifiedLevel):"
                    + "got NumberFormatException:"
                    + "qualifiedLevel=" + qualifiedLevel
                    + ", levelString = " + levelString);
        }
        Object[] args = {levelString};
        throw new PolicyException(
                ResBundleUtils.rbName, "auth_level_not_integer",
                args, nfe);
    }
}
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster}