8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * opensso/legal/CDDLv1.0.txt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * at opensso/legal/CDDLv1.0.txt.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: AuthenticateToServiceCondition.java,v 1.7 2009/05/05 18:29:01 mrudul_uchil Exp $
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington/*
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * Portions Copyright 2014 ForgeRock AS
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterpackage com.sun.identity.policy.plugins;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.authentication.util.AMAuthUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Condition;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ConditionDecision;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyManager;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.PolicyException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.ResBundleUtils;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.Syntax;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOToken;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.iplanet.sso.SSOException;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.shared.debug.Debug;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Map;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashMap;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Set;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.HashSet;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Iterator;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.List;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.ArrayList;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Locale;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport java.util.Collections;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/**
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The class <code>AuthenticateToServiceCondition</code> is a plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * implementation of <code>Condition</code> that lets you specify
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the service to which user should authenticate for the policy to apply
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster *
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * @deprecated See {@link org.forgerock.openam.entitlement.conditions.environment.AuthenticateToServiceCondition}
e60a1cf74ca44a3bb3e3fe63b106e6ef6dca910fPhill Cunnington * instead.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
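@Deprecated
public class AuthenticateToServiceCondition implements Condition {

    private static final Debug DEBUG
            = Debug.getInstance(PolicyManager.POLICY_DEBUG_NAME);

    /** The only property this condition accepts; never handed out directly. */
    private static final List PROPERTY_NAMES
            = Collections.singletonList(AUTHENTICATE_TO_SERVICE);

    // Map last accepted by setProperties(Map); null until then.
    private Map properties;
    // Required service taken from the AUTHENTICATE_TO_SERVICE property;
    // null means the condition has not been configured successfully.
    private String authenticateToService = null;
    // True when AMAuthUtils reports no realm part for authenticateToService,
    // in which case matching compares against the data part of each
    // authenticated service instead of the whole value.
    private boolean realmEmpty = false;

    /** No argument constructor
     */
    public AuthenticateToServiceCondition() {
    }

    /**
     * Returns a list of property names for the condition.
     *
     * @return a new, caller-owned list of property names
     */
    public List getPropertyNames() {
        return new ArrayList(PROPERTY_NAMES);
    }

    /**
     * Returns the syntax for a property name
     * @see com.sun.identity.policy.Syntax
     *
     * @param property property name (not inspected)
     *
     * @return always <code>Syntax.NONE</code>
     */
    public Syntax getPropertySyntax(String property) {
        return Syntax.NONE;
    }

    /**
     * Returns the display name for the property name.
     * This implementation does no localisation and returns the property
     * name unchanged.
     *
     * @param property property name
     * @param locale locale for which the property name must be customized
     *        (ignored here)
     * @return display name for the property name
     * @throws PolicyException declared by the interface; not thrown here
     */
    public String getDisplayName(String property, Locale locale)
            throws PolicyException {
        return property;
    }

    /**
     * Returns a set of valid values given the property name.
     *
     * @param property property name (not inspected)
     * @return always an empty set
     * @throws PolicyException declared by the interface; not thrown here
     */
    public Set getValidValues(String property) throws PolicyException {
        return Collections.EMPTY_SET;
    }

    /** Sets the properties of the condition.
     * Evaluation of <code>ConditionDecision</code> is influenced by these
     * properties. The map is validated before anything is stored, so a
     * rejected map leaves the previously accepted configuration in place.
     *
     * @param properties the properties of the condition that governs
     *        whether a policy applies. The map must define exactly one
     *        key, <code>AUTHENTICATE_TO_SERVICE</code>, whose value is a
     *        non-empty <code>Set</code>; the first element returned by its
     *        iterator must be a non-null <code>String</code> naming the
     *        service (optionally realm qualified) the user must have
     *        authenticated to. Please note that properties is not cloned
     *        by the method.
     *
     * @throws PolicyException if properties is <code>null</code>,
     *         defines any other key, does not contain a value for
     *         <code>AUTHENTICATE_TO_SERVICE</code>, or that value is not a
     *         Set whose first element is a <code>String</code>
     *
     * @see #REQUEST_AUTHENTICATED_TO_SERVICES
     */
    public void setProperties(Map properties) throws PolicyException {
        String service = validateProperties(properties);
        String realm = AMAuthUtils.getRealmFromRealmQualifiedData(service);

        // Commit only after every check passed. realmEmpty is recomputed on
        // each call so a value left over from an earlier configuration can
        // never widen the match for a realm-qualified service.
        this.properties = properties;
        this.authenticateToService = service;
        this.realmEmpty = (realm == null) || (realm.length() == 0);
    }

    /** Returns the properties of the condition.
     * @return unmodifiable map view of properties that govern the
     *         evaluation of the condition, or <code>null</code> if none
     *         were set. Please note that properties is not cloned before
     *         returning, so the contained sets are still shared.
     * @see #setProperties(Map)
     */
    public Map getProperties() {
        return (properties == null)
                ? null : Collections.unmodifiableMap(properties);
    }

    /**
     * Returns the decision computed by this condition object, based on the
     * map of environment parameters
     *
     * @param token single sign on token of the user
     *
     * @param env request specific environment map of key/value pairs
     *        <code>AuthenticateToServiceCondition</code> looks for value of
     *        key <code>REQUEST_AUTHENTICATED_TO_SERVICES</code> in the map.
     *        The value should be a <code>Set</code> with <code>String</code>
     *        elements. If the <code>env</code> parameter is
     *        <code>null</code> or does not define the value, the set is
     *        computed from the sso token instead.
     *
     * @return the condition decision: allowed when the required service is
     *         among the authenticated services, otherwise denied with an
     *         <code>AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE</code> advice
     *         naming the required service.
     *
     * @throws PolicyException if the condition has not been initialized with
     *         a successful call to <code>setProperties(Map)</code> or the
     *         value of <code>REQUEST_AUTHENTICATED_TO_SERVICES</code> is
     *         not a <code>Set</code>
     * @throws SSOException if the token is invalid
     *
     * @see #setProperties(Map)
     * @see #AUTHENTICATE_TO_SERVICE
     * @see #REQUEST_AUTHENTICATED_TO_SERVICES
     * @see com.sun.identity.policy.ConditionDecision
     */
    public ConditionDecision getConditionDecision(SSOToken token, Map env)
            throws PolicyException, SSOException {
        if (authenticateToService == null) {
            // Without this guard an unconfigured condition would be compared
            // against null, and an env-supplied set that happens to contain
            // null would be treated as a match.
            throw new PolicyException(
                    ResBundleUtils.rbName,
                    "properties_can_not_be_null_or_empty", null, null);
        }

        Set requestAuthnServices = new HashSet();
        Object suppliedServices = (env == null)
                ? null : env.get(REQUEST_AUTHENTICATED_TO_SERVICES);
        if (suppliedServices != null) {
            // NOTE(review): a value present in env is used instead of what
            // the SSO token says, so the decision is only as trustworthy as
            // whoever filled env. Presumably that is the enforcement point;
            // confirm no caller forwards client-controlled data under this key.
            try {
                requestAuthnServices = (Set) suppliedServices;
            } catch (ClassCastException e) {
                String args[] = { REQUEST_AUTHENTICATED_TO_SERVICES };
                throw new PolicyException(
                        ResBundleUtils.rbName, "property_is_not_a_Set",
                        args, e);
            }
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthenticateToServiceCondition."
                        + "getConditionDecision(): "
                        + "requestAuthnServices from request = "
                        + requestAuthnServices);
            }
        } else if (token != null) {
            Set authenticatedServices
                    = AMAuthUtils.getRealmQualifiedAuthenticatedServices(
                    token);
            if (authenticatedServices != null) {
                requestAuthnServices.addAll(authenticatedServices);
            }
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthenticateToServiceCondition."
                        + "getConditionDecision(): "
                        + "requestAuthnServices from ssoToken = "
                        + requestAuthnServices);
            }
        }

        boolean allowed = requestAuthnServices.contains(authenticateToService);
        if (!allowed && realmEmpty) {
            // The configured service carries no realm, so compare it with
            // the data part of every authenticated service.
            for (Object candidate : requestAuthnServices) {
                if (!(candidate instanceof String)) {
                    // A null or non-String entry can never name the service;
                    // skipping it keeps the decision fail-closed instead of
                    // failing with an unchecked ClassCastException.
                    continue;
                }
                String service = AMAuthUtils.getDataFromRealmQualifiedData(
                        (String) candidate);
                if (authenticateToService.equals(service)) {
                    allowed = true;
                    break;
                }
            }
        }

        Map advices = new HashMap();
        if (!allowed) {
            Set adviceMessages = new HashSet(1);
            adviceMessages.add(authenticateToService);
            if (DEBUG.messageEnabled()) {
                DEBUG.message("At AuthenticateToServiceCondition."
                        + "getConditionDecision():"
                        + "authenticateToService not satisfied = "
                        + authenticateToService);
            }
            advices.put(AUTHENTICATE_TO_SERVICE_CONDITION_ADVICE,
                    adviceMessages);
        }

        if (DEBUG.messageEnabled()) {
            DEBUG.message("At AuthenticateToServiceCondition."
                    + "getConditionDecision():authenticateToService = "
                    + authenticateToService + "," + " requestAuthnServices = "
                    + requestAuthnServices + ", " + " allowed = " + allowed);
        }
        return new ConditionDecision(allowed, advices);
    }

    /**
     * Returns a copy of this object. The properties map and each of its
     * value sets are copied, so the clone can be reconfigured without
     * affecting this instance.
     *
     * @return a copy of this object
     */
    public Object clone() {
        AuthenticateToServiceCondition theClone;
        try {
            // Object.clone() already copies authenticateToService and
            // realmEmpty; only the mutable map needs extra work below.
            theClone = (AuthenticateToServiceCondition) super.clone();
        } catch (CloneNotSupportedException e) {
            // this should never happen; keep the cause in case it does
            InternalError error = new InternalError("clone not supported");
            error.initCause(e);
            throw error;
        }
        if (properties != null) {
            Map copiedProperties = new HashMap();
            for (Object entryObject : properties.entrySet()) {
                Map.Entry entry = (Map.Entry) entryObject;
                copiedProperties.put(entry.getKey(),
                        new HashSet((Set) entry.getValue()));
            }
            theClone.properties = copiedProperties;
        }
        return theClone;
    }

    /**
     * Checks a candidate properties map for validity: not null, presence of
     * the AUTHENTICATE_TO_SERVICE property with a usable value, and no
     * other property. Nothing is stored on this object.
     *
     * @param candidate the map passed to setProperties()
     * @return the required service name extracted from the map
     * @throws PolicyException if any of the checks fails
     */
    private String validateProperties(Map candidate) throws PolicyException {
        if ((candidate == null) || (candidate.keySet() == null)) {
            throw new PolicyException(
                    ResBundleUtils.rbName,
                    "properties_can_not_be_null_or_empty", null, null);
        }

        Set keySet = candidate.keySet();
        //Check if the required key(s) are defined
        if (!keySet.contains(AUTHENTICATE_TO_SERVICE)) {
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName, "property_value_not_defined",
                    args, null);
        }

        //Check if all the keys are valid
        for (Object key : keySet) {
            if (!AUTHENTICATE_TO_SERVICE.equals(key)) {
                // String.valueOf() so a non-String key is reported rather
                // than failing with a ClassCastException.
                String args[] = { String.valueOf(key) };
                // NOTE(review): the message key below ends with a space;
                // left as found, verify it matches the resource bundle.
                throw new PolicyException(
                        ResBundleUtils.rbName,
                        "attempt_to_set_invalid_property ",
                        args, null);
            }
        }

        //validate AUTHENTICATE_TO_SERVICE
        Object value = candidate.get(AUTHENTICATE_TO_SERVICE);
        if (value == null) {
            // Key present but no value: reject instead of silently leaving
            // the condition without a required service.
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName, "property_value_not_defined",
                    args, null);
        }
        Set authnToServiceSet;
        try {
            authnToServiceSet = (Set) value;
        } catch (ClassCastException e) {
            // Report the property that was actually being read.
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName, "property_is_not_a_Set",
                    args, e);
        }
        return validateAuthnToServices(authnToServiceSet);
    }

    /**
     * Validates the value provided to the setProperties() call for the
     * AUTHENTICATE_TO_SERVICE key and extracts the service name from it.
     * Only the first element returned by the set's iterator is used.
     *
     * @param authnToServiceSet non-null value of the property
     * @return the service name, never <code>null</code>
     * @throws PolicyException if the set is empty or its first element is
     *         null or not a String
     */
    private String validateAuthnToServices(Set authnToServiceSet)
            throws PolicyException {
        if (authnToServiceSet.isEmpty()) {
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName,
                    "property_does_not_allow_empty_values",
                    args, null);
        }
        Object first = authnToServiceSet.iterator().next();
        if (first == null) {
            // A null element carries no service name; treat it like an
            // empty value rather than accepting it.
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName,
                    "property_does_not_allow_empty_values",
                    args, null);
        }
        try {
            return (String) first;
        } catch (ClassCastException e) {
            String args[] = { AUTHENTICATE_TO_SERVICE };
            throw new PolicyException(
                    ResBundleUtils.rbName, "property_is_not_a_String",
                    args, e);
        }
    }

}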