LDAPFilterCondition.java revision e6c3a72a023407f5d1fface64356e1cc81f1af31
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: LDAPFilterCondition.java,v 1.8 2009/11/20 23:52:55 ww203982 Exp $
*
* Portions Copyrighted 2010-2016 ForgeRock AS.
*/
/**
* The class <code>LDAPFilterCondition</code> is a plugin
* implementation of <code>Condition</code> interface.
* This condition checks whether the ldap entry of the
* user identified by sso token, in the directory specified
* in policy configuration service, satisfiies the ldap filter
* specified in the condition
*
* @deprecated Use {@link org.forgerock.openam.entitlement.conditions.environment.LDAPFilterCondition} instead.
*/
public class LDAPFilterCondition implements Condition {
static {
}
private String ldapConditionFilter;
private long policyConfigExpiresAt;
private String userSearchFilter;
private String userRDNAttrName;
private int timeLimit;
private int maxResults;
private boolean sslEnabled = false;
private int minPoolSize;
private int maxPoolSize;
private ConnectionFactory connPool;
private String ldapServer;
private boolean aliasEnabled;
/**
* No argument constructor
*/
public LDAPFilterCondition() {
}
/**
* Returns the <code>List</code> of property names for the condition.
*
* @return <code>List</code> of property names
*/
public List getPropertyNames() {
}
/**
* Returns the syntax for a property name
* @see com.sun.identity.policy.Syntax
*
* @param property name of property for which to get <code>Syntax</code>
*
* @return <code>Syntax<code> for the property name
*/
}
/**
* Returns the display name for the property name.
* The <code>locale</code> variable could be used by the
* plugin to customize the display name for the given locale.
* The <code>locale</code> variable could be <code>null</code>, in which
* case the plugin must use the default locale.
*
* @param property name of property for which to get the display name
* @param locale locale for which to get the display name
* @return display name for the property name
*/
throws PolicyException {
return property;
}
/**
* Returns the set of valid values given the property name. This method
* is called if the property Syntax is either the SINGLE_CHOICE or
* MULTIPLE_CHOICE.
*
* @param property name of property for which to find valid values
* @return <code>Set</code> of valid values for the property.
* @throws PolicyException if unable to get the Syntax.
*/
return (Collections.EMPTY_SET);
}
/**
* Sets the properties of the condition.
* Evaluation of <code>ConditionDecision</code> is influenced by these
* properties.
* @param properties the properties of the condition that governs
* whether a policy applies. The keys in properties should
* be String objects. Value corresponding to each key should
* be a <code>Set</code> of String(s). Please note that properties
* is not cloned by the method.
* This condition requires value for key <code>LDAP_FILTER</code>
* to be defined. The value corresponding to the key should be a
* Set with only one element. The element should be a String.
*
* @see #LDAP_FILTER
*
* @throws PolicyException if properties is null or empty or does not
* contain value for key LDAP_FILTER or contains values
* for other keys
*/
if (debug.messageEnabled()) {
+ "setProperties():"
+ "properties=" + properties);
}
this.properties = properties;
if (debug.messageEnabled()) {
+ "setProperties():"
+ "ldapConditionFilter=" + ldapConditionFilter);
}
}
/**
* Returns properties of this condition.
* @return properties of the condition as an unmodifiable <code>Map</code>.
*/
public Map getProperties() {
}
/**
* Returns the decision computed by this condition object.
*
* @param token single sign on token of the user
*
*
* @return the condition decision. The <code>ConditionDecision</code>
* encapsulates whether a policy applies for the request.
* The condition decision would imply <code>true</code>, if
* the ldap entry of the user, in the directory specified by
* policy configuration service, satifies the ldap filter,
* specified by <code>LDAP_FILTER</code> property of this condition.
* Otherwise, it would imply <code>false</code>
*
* Policy framework continues evaluating a policy only if it
* applies to the request as indicated by the CondtionDecision.
* Otherwise, further evaluation of the policy is skipped.
*
* @throws SSOException if the token is invalid
*/
throws PolicyException, SSOException {
if (debug.messageEnabled()) {
+ "getConditionDecision():entering:"
+ ":ldapConditionFilter=" + ldapConditionFilter);
}
boolean allowed = true;
if (debug.messageEnabled()) {
+ "allowed= " + allowed);
}
return new ConditionDecision(allowed);
}
/**
* Determines if the user statisfies the <code>ldapConditionFilter</code>
* defined for this condition.
*
* @param token Single Sign On token of the user
*
* @return <code>true</code> if the user satisfies the <code>
* ldapConditionFilter</code>
*
* @throws SSOException if Single Sign On token is not valid
* @throws PolicyException if an error occurred
*/
throws SSOException, PolicyException {
boolean member = false;
boolean listenerAdded = false;
if (debug.messageEnabled()) {
"LDAPFilterCondition.isMember(): userLocalDN from ssoToken is: "
+ userLocalDN);
}
if (debug.messageEnabled()) {
+ "Got membership "
+"from cache userLocalDN: " + userLocalDN
+ ", ldapConditionFilter: " + ldapConditionFilter
}
if (result) {
return result;
}
}
// got here so entry not in subject evaluation cache
if (debug.messageEnabled()) {
+ " ldapConditionFilter:" + ldapConditionFilter
+ " not in subject evaluation cache, "
+ " fetching from directory server.");
}
// construct searchFilter for user
(beginIndex >= endIndex)) {
"ldapusers_subject_invalid_local_user_dn", null,
null));
}
endIndex);
boolean multipleFilters = false;
multipleFilters = true;
}
if (debug.messageEnabled()) {
+ " user search filter is: " + userSearchFilter);
+ " user mapping filter is: " + userMappingFilter);
+ " condition ldapConditionFilter is: "
}
//combine condition ldapConditionFilter and user search filter
if ((ldapConditionFilter != null)
multipleFilters = true;
}
if (multipleFilters) {
}
if (debug.messageEnabled()) {
+ " combined filter : " + searchFilter);
}
if (debug.messageEnabled()) {
+ " caching result, searchFilter:" + searchFilter
+ ", member:" + member);
}
if (!listenerAdded) {
tokenID))
{
if (debug.messageEnabled()) {
+ " sso listener added .\n");
}
listenerAdded = true;
}
}
if (debug.messageEnabled()) {
+ "member=" + member);
}
return member;
}
/**
* returns a boolean result indicating if the specified
* <code>searchFilter</code> is satisfied by
* making a directory search using the filter.
*/
throws SSOException, PolicyException {
if (debug.messageEnabled()) {
+ "entering, searchFitler=" + searchFilter);
}
boolean filterSatisfied = false;
// search the remote ldap
SearchRequest searchRequest = LDAPRequests.newSearchRequest(baseDN, userSearchScope, searchFilter, attrs);
if (reader.isReference()) {
//Ignore
} else {
filterSatisfied = true;
}
}
}
}
} catch (LdapException le) {
}
if (additionalMsg != null) {
} else {
throw new PolicyException(errorMsg);
}
} catch (SearchResultReferenceIOException e) {
+ ": Partial results have been received, status code 9."
+ " The message provided by the LDAP server is: \n"
+ e.getMessage());
}
debug.message("LDAPFilterCondition.searchFilterSatified():returning, filterSatisfied={}", filterSatisfied);
return filterSatisfied;
}
/**
* This condition resets its policy configuration information, periodically.
* The time period is based on the SUBJECTS_RESULT_TTL defined in the policy config service.
* @see com.sun.identity.policy.PolicyConfig#SUBJECTS_RESULT_TTL
*/
}
}
}
/**
* Sets the policy configuration parameters used by this condition.
*/
private synchronized void setPolicyConfig(Map configParams, String realmDn) throws PolicyException {
return;
}
if (debug.messageEnabled()) {
}
if (configParams == null) {
}
if (configuredLdapServer == null) {
+ "server name. If you enter more than one server name "
+ "in the policy config service's Primary LDAP Server "
+ "field, please make sure the ldap server name is preceded "
+ "with the local server name.");
}
}
try {
minPoolSize = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_CONNECTION_POOL_MIN_SIZE));
maxPoolSize = Integer.parseInt((String) configParams.get(PolicyConfig.LDAP_CONNECTION_POOL_MAX_SIZE));
} catch (NumberFormatException nfe) {
throw new PolicyException(nfe);
}
sslEnabled = true;
} else {
sslEnabled = false;
}
// get the organization name
}
if (debug.messageEnabled()) {
+ "getting params"
+ "\nldapServer: " + ldapServer
+ "\nauthid: " + authid
+ "\nbaseDN: " + baseDN
+ "\nuserSearchFilter: " + userSearchFilter
+ "\nuserRDNAttrName: " + userRDNAttrName
+ "\ntimeLimit: " + timeLimit
+ "\nmaxResults: " + maxResults
+ "\nminPoolSize: " + minPoolSize
+ "\nmaxPoolSize: " + maxPoolSize
+ "\nSSLEnabled: " + sslEnabled
+ "\nOrgName: " + orgName);
}
// initialize the connection pool for the ldap server
LDAPConnectionPools.initConnectionPool(ldapServer, authid, authpw, sslEnabled, minPoolSize, maxPoolSize,
options);
new ShutdownListener() {
public void shutdown() {
}
}
});
policyConfigExpiresAt = System.currentTimeMillis() + PolicyConfig.getSubjectsResultTtl(configParams);
}
/**
* Validates the <code>properties</code> set using the
* setProperties public method. Checks for null,
* presence of expected LDAP_FILTER property and no
* other invalid property.
* @see #LDAP_FILTER
*/
throws PolicyException {
throw new PolicyException(
}
//Check if the required key(s) are defined
throw new PolicyException(
}
//Check if all the keys are valid
throw new PolicyException(
"attempt_to_set_invalid_property",
}
}
//validate LDAP_FILTER
if ( ldapFilterCollection != null ) {
}
return true;
}
/**
* Validates the <code>Set</code> to contain
* LDAP_FILTER property, checks for null,
* mutiple values ( not allowed).
* @see #LDAP_FILTER
*/
throws PolicyException {
if ( ldapFilterSet.isEmpty() ) {
throw new PolicyException(
"property_does_not_allow_empty_values",
}
throw new PolicyException(
"property_does_not_allow_multiple_values",
}
try {
} catch (ClassCastException e) {
throw new PolicyException(
}
return true;
}
/**
* Utility method to trim and put parenthessis in the
* expected ldap filter format for a String representing
* the ldap filter.
*/
}
} else {
}
return parenthesisedString;
}
/**
* Returns a copy of this object.
*
* @return a copy of this object
*/
try {
} catch (CloneNotSupportedException e) {
//this should never happen
throw new InternalError();
}
if (properties != null) {
}
}
return theClone;
}
public void validate() throws PolicyException {
}
}