8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * $Id: DSAMERole.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell * Portions Copyrighted 2011-2016 ForgeRock AS.
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnellimport com.iplanet.sso.SSOTokenListenersUnsupportedException;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport com.sun.identity.policy.InvalidNameException;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport com.sun.identity.policy.NameNotFoundException;
ce4d3fddc8fe2eddd68a20af9570b3cc63ece5abNeil Maddenimport com.sun.identity.policy.SubjectEvaluationCache;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosterimport com.sun.identity.policy.interfaces.Subject;
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunningtonimport org.forgerock.opendj.ldap.ResultCode;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DSAME Role plugin lets policy admins specify the DSAME roles as a subject.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The plugin validates a user belonging to a DSAME role specified with this
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private Set subjectRoles = Collections.EMPTY_SET;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String LDAP_SCOPE_BASE = "SCOPE_BASE";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private static final String LDAP_SCOPE_ONE = "SCOPE_ONE";
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // do nothing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This method initializes the DSAME Role plugin with the organization
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * DN, search configuration, ldap server name, in which this plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is specified for a <code>Policy</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param configParams configuration parameters as a map.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The values in the map is <code>java.util.Set</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * which contains one or more configuration paramaters.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if an error occured during
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * initialization of <code>Subject</code> instance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void initialize(Map configParams) throws PolicyException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster (String)configParams.get(PolicyConfig.LDAP_SERVER);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("DSAMERole.initialize(): failed to get LDAP "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "server name. If you enter more than one server name "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "in the policy config service's Primary LDAP Server "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "field, please make sure the ldap server name is preceded "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + "with the local server name.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ldapServer = configuredLdapServer.toLowerCase();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster } else if (scope.equalsIgnoreCase(LDAP_SCOPE_ONE)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster timeLimit = Integer.parseInt((String) configParams.get(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster maxResults = Integer.parseInt((String) configParams.get(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.error("Can not parse search parameters in DSAMERole", nfe);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the syntax of the values this <code>Subject</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * implementation can have.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @see com.sun.identity.policy.Syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the syntax
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return set of of valid names for the user collection.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return syntax of the values for the <code>Subject</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public Syntax getValueSyntax(SSOToken token) throws SSOException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ValidValues getValidValues(SSOToken token) throws
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns a list of possible values for the <code>Subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * </code> that matches the pattern.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token the <code>SSOToken</code> that will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * to determine the possible values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>ValidValues</code> object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if unable to get the list of valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public ValidValues getValidValues(SSOToken token, String pattern)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new PolicyException(ResBundleUtils.rbName,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster "role_subject_not_yet_initialized", null, null));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMStoreConnection amConnection = new AMStoreConnection(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMOrganization orgObject = amConnection.getOrganization(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster AMSearchResults results = orgObject.searchAllRoles(pattern, sc);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington return new ValidValues(status, results.getSearchResults());
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington ResultCode ldapErrorCode = lde.getResult().getResultCode();
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington if (ResultCode.INVALID_CREDENTIALS.equals(ldapErrorCode)) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington throw new PolicyException(ResBundleUtils.rbName,"ldap_invalid_password", null, null);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington } else if (ResultCode.NO_SUCH_OBJECT.equals(ldapErrorCode)) {
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington throw new PolicyException(ResBundleUtils.rbName, "no_such_am_roles_base_dn", objs, null);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String errorMsg = lde.getResult().getDiagnosticMessage();
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington String additionalMsg = lde.getResult().getResultCode().getName().toString(Locale.ROOT);
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington throw new PolicyException(errorMsg + ": " + additionalMsg);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the display name for the value for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * For all the valid values obtained through the methods
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>getValidValues</code> this method must be called
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * by GUI and CLI to get the corresponding display name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be used by the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * plugin to customize the display name for the given locale.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The <code>locale</code> variable could be <code>null</code>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in which case the plugin must use the default locale (most probabily
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Alternatively, if the plugin does not have to localize
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the value, it can just return the <code>value</code> as is.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param value one of the valid value for the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param locale locale for which the display name must be customized
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception NameNotFoundException if the given <code>value</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * is not one of the valid values for the plugin
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public String getDisplayNameForValue(String value, Locale locale)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Returns the values that was set using the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * method <code>setValues</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return values that have been set for the user collection
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Sets the names for the instance of the <code>Subject</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * object. The names are obtained from the policy object,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * usually configured when a policy is created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param names names selected for the instance of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * the user collection object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception InvalidNameException if the given names are not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster public void setValues(Set names) throws InvalidNameException {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster throw (new InvalidNameException(ResBundleUtils.rbName,
bee2440354b4bc8796e1de0b6cbd60e1f68deba0Phill Cunnington subjectRoles.add(DN.valueOf(role).toString().toLowerCase());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("Set subjectRoles to: " + subjectRoles);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Determines if the user belongs to this instance of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * <code>Subject</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param token single-sign-on token of the user
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if the user is memeber of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * given subject; <code>false</code> otherwise.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception SSOException if SSO token is not valid
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @exception PolicyException if an error occured while
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * checking if the user is a member of this subject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String tokenID = token.getTokenID().toString();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster String userDN = token.getPrincipal().getName();
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster boolean roleMatch = false;
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if ((matchFound = SubjectEvaluationCache.isMember(
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("DSAMERole.isMember():Got membership "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"from cache of " +token.getPrincipal().getName()
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // got here so entry not in subject evalauation cache
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell if (!PolicyEvaluator.ssoListenerRegistry.containsKey(tokenID)) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster token.addSSOTokenListener(PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell PolicyEvaluator.ssoListenerRegistry.put(tokenID, PolicyEvaluator.ssoListener);
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("DSAMERole.isMember(): sso listener added .\n");
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell } catch (SSOTokenListenersUnsupportedException ex) {
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell // Catching exception to avoid adding tokenID to ssoListenerRegistry
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell debug.message("DSAMERole.isMember(): could not add sso listener: {}", ex.getMessage());
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("DSAMERole:isMember():entry for "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +valueDN+" not in subject evaluation cache, fetching "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +"from NS User Cache.");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster roleSet = PolicyEvaluator.getUserNSRoleValues(token);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("DSAMERole.isMember:adding entry "
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +tokenID+" "+ldapServer+" "+valueDN+" "+roleMatch
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster +" in subject evaluation cache.");
f48118365a7f4f1240516dbe66e47b24a896ff16Craig McDonnell SubjectEvaluationCache.addEntry(tokenID, ldapServer, valueDN, roleMatch);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("DSAMERole.isMember(): User " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is not a member of this DSAMERole object");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster debug.message("DSAMERole.isMember(): User " + userDN
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster + " is a member of this DSAMERole object");
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Return a hash code for this <code>DSAMERole</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a hash code for this <code>DSAMERole</code> object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Indicates whether some other object is "equal to" this one.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @param o another object that will be compared with this one
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return <code>true</code> if eqaul; <code>false</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if (o instanceof DSAMERole) {
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return(subjectRoles.equals(role.subjectRoles));
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster return (false);
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Creates and returns a copy of this object.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * @return a copy of this object
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster // this should never happen