/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt.
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: LEAuthLevelCondition.java,v 1.5 2008/06/25 05:43:51 qcheng Exp $
*
*/
/*
* Portions Copyright 2014 ForgeRock AS
*/
/**
* This class <code>LEAuthLevelCondition</code> is a plugin implementation
* of <code>Condition</code> interface. This condition would imply policy
* applies if the <code>REQUEST_AUTH_LEVEL</code> is less than or equal to the
* <code>AuthLevel</code> set in the Condition. <code>requestAuthLevel</code>
* is looked up from <code>env </code> map passed in the
* <code>getConditionDecision()</code> call. If it is not found in the
* <code>env</code> map, <code>AuthLevel</code> is looked up from single sign on
* token.
*
* @deprecated Use {@link org.forgerock.openam.entitlement.conditions.environment.LEAuthLevelCondition} instead.
*/
private int authLevelInt;
static {
}
/** No argument constructor
*/
public LEAuthLevelCondition() {
}
/**
* Returns a list of property names for the condition.
*
* @return list of property names
*/
return (new ArrayList(propertyNames));
}
/**
* Returns the syntax for a property name
* @see com.sun.identity.policy.Syntax
*
* @param property property name
*
* @return <code>Syntax<code> for the property name
*/
}
/**
* Gets the display name for the property name.
* The <code>locale</code> variable could be used by the plugin to
* customize the display name for the given locale.
* The <code>locale</code> variable could be <code>null</code>, in which
* case the plugin must use the default locale.
*
* @param property property name
* @param locale locale for which the property name must be customized
* @return display name for the property name
* @throws PolicyException
*/
throws PolicyException {
return "";
}
/**
* Returns a set of valid values given the property name. This method
* is called if the property Syntax is either the SINGLE_CHOICE or
* MULTIPLE_CHOICE.
*
* @param property property name
* @return Set of valid values for the property.
* @exception PolicyException if unable to get the Syntax.
*/
return Collections.EMPTY_SET;
}
/** Sets the properties of the condition.
* Evaluation of <code>ConditionDecision</code> is influenced by these
* properties.
*
* @param properties the properties of the condition that governs
* whether a policy applies. The properties should
* define value for the key <code>AUTH_LEVEL</code>. The value
* should be a Set with only one element. The element should be
* a String, parseable as an integer or an integer qaulified with
* realm name. Please note that properties is not cloned by
* the method.
*
* @throws PolicyException if properties is null or does not contain
* value for the key <code>AUTH_LEVEL</code> or the value of the
* key is not a Set with one String element that is parse-able as
* an integer
*
* @see #REQUEST_AUTH_LEVEL
* @see #getConditionDecision(SSOToken, Map)
*/
}
/** Gets the properties of the condition.
* @return unmodifiable <code>Map</code> view of properties that govern
* the evaluation of the condition decision
* @see #setProperties(Map)
*/
return (properties == null)
}
/**
* Gets the decision computed by this condition object, based on the
* <code>Map</code> of environment parameters
*
* @param token single-sign-on token of the user
*
* <code>AuthLevelCondition</code> looks for value of key
* <code>REQUEST_AUTH_LEVEL</code> in the map. The value should be
* an Integer or a set of <code>String</code>s.
* If it is a <code>Set</code> of <code>String</code>s, each element
* of the set has to be parseable as integer or should be a realm
* qualified integer. If the <code>env</code> parameter is null or
* does not define value for <code>REQUEST_AUTH_LEVEL</code>,
* the value for <code>REQUEST_AUTH_LEVEL</code> is obtained from
* the single sign on token of the user.
*
* @return the condition decision. The condition decision encapsulates
* whether a policy applies for the request and advice
* messages generated by the condition.
*
* The decision would imply policy is
* applicable if <code>AUTH_LEVEL</code> is less than or equal to
* <code>REQUES_AUTH_LEVEL</code>. If <code>AUTH_LEVEL</code> is
* qualified with a realm name, <code>REQUEST_AUTH_LEVEL</code>
* values only with the matching realm name are compared.
*
* Policy framework continues evaluating a policy only if it applies
* to the request as indicated by the <code>ConditionDecision</code>.
* Otherwise, further evaluation of the policy is skipped.
* However, the advice messages encapsulated in the
* <code>ConditionDecision</code> are aggregated and passed up, encapsulated
* in the <code>PolicyDecision</code>.
*
* @throws PolicyException if the condition has not been initialized
* with a successful call to <code>setProperties(Map)</code>
* be determined.
* @throws SSOException if the token is invalid
*
* @see #setProperties(Map)
* @see #AUTH_LEVEL
* @see #REQUEST_AUTH_LEVEL
* @see com.sun.identity.policy.ConditionDecision
* @see com.sun.identity.authentication.util.AMAuthUtils
* #getAuthenticatedLevels(SSOToken)
* @see com.sun.identity.authentication.util.AMAuthUtils
* #getRealmQualifiedAuthenticatedLevels(SSOToken)
*/
throws PolicyException, SSOException {
boolean allowed = false;
if (DEBUG.messageEnabled()) {
+ "entering");
}
}
if (maxRequestAuthLevel <= authLevelInt) {
allowed = true;
}
if (DEBUG.messageEnabled()) {
+ "authLevel=" + authLevel
+ ",maxRequestAuthLevel=" + maxRequestAuthLevel
+ ",allowed = " + allowed);
}
return new ConditionDecision(allowed);
}
/**
* Returns a copy of this object.
*
* @return a copy of this object
*/
try {
} catch (CloneNotSupportedException e) {
// this should never happen
throw new InternalError();
}
if (properties != null) {
}
}
return theClone;
}
/**
* This method validates the properties set using the <code>setProperties
* </code> method. It checks for the presence of the required key
* <code>AUTH_LEVEL</code>, validates it and also makes sure no other
* invalid key is being set.
* @see #AUTH_LEVEL
*/
throw new PolicyException(
}
if (DEBUG.messageEnabled()) {
+ "properties=" + properties);
}
//Check if the required key(s) are defined
throw new PolicyException(
null);
}
//Check if all the keys are valid
throw new PolicyException(
"attempt_to_set_invalid_property ",
}
}
//validate AUTH_LEVEL
if ( authLevelSet != null ) {
}
if (DEBUG.messageEnabled()) {
+ "authLevel=" + authLevel
+ ",authRealm=" + authRealm
+ ",authLevelInt=" + authLevelInt);
}
return true;
}
/**
* This method validates the auth levels set using the <code>setProperties
* </code> method. It is called from validateProperties() method.
* It validates <code>AUTH_LEVEL</code>.
* @see #AUTH_LEVEL
*/
throws PolicyException {
throw new PolicyException(
"property_does_not_allow_empty_or_multiple_values",
}
try {
} catch (NumberFormatException e) {
throw new PolicyException(
}
return true;
}
/**
* gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the environment Map.
* @see #REQUEST_AUTH_LEVEL
*/
throws PolicyException {
if (DEBUG.messageEnabled()) {
+ "envMap,realm): entering: envMap= " + env
+ ", authRealm= " + authRealm
+ ", conditionAuthLevel= " + authLevel);
}
if (envAuthLevelObject != null) {
if(envAuthLevelObject instanceof Integer) {
if (DEBUG.messageEnabled()) {
+"getMaxRequestAuthLevel():Integer level in env= "
+ maxAuthLevel);
}
}
} else if (envAuthLevelObject instanceof Set) {
if (!envAuthLevelSet.isEmpty()) {
if (!(envAuthLevelElement instanceof String)) {
if (DEBUG.warningEnabled()) {
+ "getMaxRequestAuthLevel():"
+ "requestAuthLevel Set element"
+ " not String");
}
throw new PolicyException(
"request_authlevel_in_env_set_element_not_string",
} else {
if(currentAuthLevel > maxAuthLevel) {
}
} else {
= AMAuthUtils.
&& (currentAuthLevel > maxAuthLevel)) {
}
}
}
}
}
} else {
if (DEBUG.warningEnabled()) {
+"getMaxRequestAuthLevel():requestAuthLevel in env "
+"neither Integer nor Set");
}
throw new PolicyException(
"request_authlevel_in_env_not_Integer_or_set",
}
}
if (DEBUG.messageEnabled()) {
+ "): returning: maxAuthLevel=" + maxAuthLevel);
}
return maxAuthLevel;
}
/**
* gets the maximum auth level specified for the REQUEST_AUTH_LEVEL
* property in the SSO token.
* @see #REQUEST_AUTH_LEVEL
*/
throws PolicyException, SSOException {
if (DEBUG.messageEnabled()) {
+ "token,realm): entering:"
+ " authRealm = " + authRealm
+ ", conditionAuthLevel= " + authLevel);
}
if (DEBUG.messageEnabled()) {
+ "): levels from token= "
+ levels);
}
}
}
} else {
if (DEBUG.messageEnabled()) {
+ "): qualifiedLeves from token= "
+ qualifiedLevels);
}
: maxAuthLevel;
}
}
}
}
if (DEBUG.messageEnabled()) {
+ "): returning:"
+ " maxAuthLevel= " + maxAuthLevel);
}
return maxAuthLevel;
}
/**
* Extract the integer auth level from String realm qualified
* ( realm:level) String.
*/
throws PolicyException {
int levelInt = 0;
try {
} catch (NumberFormatException nfe) {
if (DEBUG.warningEnabled()) {
+"qualifiedLevel):got NumberFormatException:"
+ "qualifiedLevel=" + qualifiedLevel
+ ", levelString = " + levelString);
}
throw new PolicyException(
}
return levelInt;
}
}