/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2009 Sun Microsystems Inc. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* at opensso/legal/CDDLv1.0.txt
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*
* $Id: XACMLPrivilegeUtils.java,v 1.4 2010/01/10 06:39:42 dillidorai Exp $
*
* Portions Copyrighted 2011-2016 ForgeRock AS.
* Portions Copyrighted 2014 Nomura Research Institute, Ltd
*/
/**
* Class with utility methods to map from
* <code>com.sun.identity.entity.Privilege</code>
* to
* <code>com.sun.identity.entitlement.xacml3.core.Policy</code>
*/
public class XACMLPrivilegeUtils {
// Used in ResourceAttribute serialisation.
/**
* Private constructor: this class exposes only static utility methods and is
* not meant to be instantiated.
*/
private XACMLPrivilegeUtils() {
}
return "";
}
}
return "";
}
try {
} catch (JAXBException je) {
//TODO: handle, propagate exception
"JAXBException while mapping privilege to policy:", je);
}
return stringWriter.toString();
}
return "";
}
try {
} catch (JAXBException je) {
}
return stringWriter.toString();
}
public static void writeXMLToStream(PolicySet policySet, OutputStream outputStream) throws EntitlementException {
try {
} catch (JAXBException je) {
}
}
try {
} catch (JAXBException je) {
} catch (EntitlementException ee) {
PrivilegeManager.debug.error("Caught EntitlementException while converting Privilege to Policy", ee);
}
return policy;
}
private static Policy privilegeToPolicyInternal(Privilege privilege) throws JAXBException, EntitlementException {
/*
* See entitlement meeting minutes - 22apr09
*
* privilege name would map to policy id
*
* application name would map to application category attribute
*
* entitlement resource names would map to xacml policy target
*
* entitlement excluded resource names would map to xacml rule target
*
* simple one level entitlement subjects (without or, and etc)
* would map to policy target
*
* all entitlement subjects would also map to xacml rule condition
*
* entitlement conditions would map to xacml rule condition
*
* entitlement resource attributes would map to rule advice expression
*
* at present xacml obligation support is out of scope
*/
return null;
}
if (entitlement != null) {
}
if (applicationName != null) {
}
if (entitlementName != null) {
}
+ "T"
+ "T"
// PolicyIssuer policyIssuer = null; // optional, TODO
// TODO: use privilege version in future
// Defaults policyDefaults = null; // optional, TODO
// String ruleCombiningAlgId = "rca"; // required
// XACML Target contains a list of AnyOf(s)
// XACML AnyOf contains a list of AllOf(s)
// XACML AllOf contains a list of Match(s)
/* TODO: detect simple subjects and set attribute value and designator
List<AnyOf> anyOfSubjectList = entitlementSubjectToAnyOfList(es);
if (anyOfSubjectList != null) {
targetAnyOfList.addAll(anyOfSubjectList);
}
*/
if (anyOfSubject != null) {
}
if (anyOfResourceList != null) {
}
if (anyOfApplication != null) {
}
if (anyOfActionList != null) {
}
// PermitRule, DenyRule
if (actionValues != null) {
} else {
}
}
}
Condition condition = eSubjectConditionToXCondition(privilege.getSubject(), privilege.getCondition());
// Include resource attributes (ResourceProvider) as AdviceExpressions
}
if (!permitActions.isEmpty()) {
if (anyOfPermitActionList != null) {
}
}
}
if (!denyActions.isEmpty()) {
if (anyOfDenyActionList != null) {
}
}
}
return policy;
}
//TODO: implement privilegeNameToPolicyId() correctly
return privilegeName;
}
// TODO: not used now, use, test, fix and verify
return null;
}
if (es instanceof UserSubject) {
// attributeDesignator.setIssuer(issuer); TODO: verify and fix
boolean mustBePresent = true;
}
return anyOfList;
}
return null;
}
//attributeDesignator.setIssuer(issuer); //TODO: verify and fix
boolean mustBePresent = true;
return anyOf;
}
return null;
}
}
return anyOfList;
}
return anyOf;
}
return null;
}
}
return anyOfList;
}
return null;
}
// attributeDesignator.setIssuer(issuer); TODO: verify and fix
boolean mustBePresent = true;
return match;
}
return null;
}
// attributeDesignator.setIssuer(issuer); TODO: verify and fix
boolean mustBePresent = true;
return match;
}
return null;
}
// attributeDesignator.setIssuer(issuer); // TODO: verify and fix
boolean mustBePresent = true;
return match;
}
return null;
}
// attributeDesignator.setIssuer(issuer); // TODO: verify and fix
boolean mustBePresent = false;
return match;
}
throws JAXBException {
// TODO: add custom xml attribute to identify as privilege subject
}
// TODO: add custom xml attribute to identify as privilege condition
}
}
return condition;
}
// TODO: return the correct algorithm id based on application
}
throws EntitlementException {
return null;
}
privileges.add(p);
}
}
return privileges;
}
long lastModifiedAt = dateStringToLong(getVariableById(policy, XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE));
/*
* Construct entitlement from Rule target
* Get resource names, excluded resource names, action names from Rule Match element
* One Match for Action
* One Rule per value
*/
if (entitlementName != null) {
}
// Process AdviceExpressions from Export into ResourceAttributes
Set<ResourceAttribute> ras = schemaFactory.adviceExpressionsToResourceAttributes(policy.getAdviceExpressions());
return privilege;
}
/**
* Gets the name of the application to which this policy belongs.
*
* @param policy read from XACML import stream.
*
* @return application name.
*/
}
/**
* Gets the resource names from the policy.
*
* @param policy read from XACML import stream.
*
* @return resource names.
*/
return getResourceNamesFromMatches(policyMatches);
}
// FIXME: do some transform, not required at this time
return policyId;
}
if (obj instanceof VariableDefinition) {
}
}
}
return val;
}
return 0;
}
"yyyy-MM-dd:HH:mm:ss.SSSS");
long time = 0;
try {
//TODO: log debug warning
}
return time;
}
try {
} catch (JAXBException je) {
//TODO: log error, jaxbexception
}
return policySet;
}
if (privileges == null) {
return null;
}
}
return policySet;
}
throws JAXBException {
// FIXME: is there a better choice?
// policySet could contain policies for different applications
return policySet;
}
throws JAXBException {
// FIXME: is there a better choice?
// policySet could contain policies for different applications
}
}
return policySet;
}
throws JAXBException {
return policySet;
}
return policySet;
}
}
}
}
return matches;
}
return null;
}
if (attributeValue != null) {
// FIXME: log a warning if more than one element
}
}
}
}
return resourceNames;
}
return null;
}
if (attributeValue != null) {
// FIXME: log a warning if more than one element
}
}
}
}
return actionNames;
}
throws JSONException {
return null;
}
if (attributeValue != null) {
break;
}
}
}
}
if (jsonString != null) {
}
return jo;
}
return null;
}
}
}
return ruleList;
}
/**
* Gets the action values from the policy.
*
* @param policy instance read from the XACML input stream.
*
* @return action values.
*/
return null;
}
return null;
}
}
}
return actionValues;
}
/**
* Constructs EntitlementSubject from policy.
*
* @param policy
* from which the EntitlementSubject is created.
*
* @return EntitlementSubject created from the policy instance.
*/
return null;
}
return null;
}
functionId)) {
if (dataType.startsWith(
break;
}
}
}
}
}
}
}
}
}
break;
}
}
return es;
}
/**
* Constructs EntitlementCondition from the policy.
*
* @param policy
* from which EntitlementCondition is constructed.
*
* @return EntitlementCondition instance created from the policy instance.
*
* @throws EntitlementException
* when any error occurs during construction.
*/
public static EntitlementCondition getEntitlementConditionFromPolicy(Policy policy) throws EntitlementException {
return null;
}
return null;
}
functionId)) {
if (dataType.startsWith(
break;
}
}
}
}
}
}
}
}
break;
}
}
}
return ec;
}
//FIXME: remove
"XACMLProvilegeUtils.streamToPolicySet(), core_pkg:"
return null;
}
return ps;
}
return null;
}
}
}
return policies;
}
return null;
}
if (i != 0) {
return null;
}
} else {
+ "createEntitlementSubject()"
+ "not an EntitlementSubject");
}
}
}
return es;
}
static EntitlementCondition createEntitlementCondition(String dataType, String value) throws EntitlementException {
return null;
}
if (i != 0) {
return null;
}
} else {
+ "createEntitlementCondition()"
+ "not an EntitlementCondition");
}
}
}
return ec;
}
return null;
}
try {
} catch (ClassNotFoundException e) {
+ "hit exception", e);
} catch (IllegalAccessException e) {
+ "hit exception", e);
} catch (InstantiationException e) {
+ "hit exception", e);
}
return ob;
}
try {
} catch (JAXBException je) {
"JAXBException while mapping referral to policy:", je);
}
return policy;
}
public static Policy referralToPolicyInternal(ReferralPrivilege privilege) throws JAXBException, JSONException {
return null;
}
+ "T"
+ "T"
// PolicyIssuer policyIssuer = null; // optional, TODO
// TODO: use privilege version in future
// Defaults policyDefaults = null; // optional, TODO
// XACML Target contains a list of AnyOf(s)
// XACML AnyOf contains a list of AllOf(s)
// XACML AllOf contains a list of Match(s)
if (anyOfRealmsAppsResources != null) {
}
return policy;
}
}
public static ReferralPrivilege policyToReferral(Policy policy) throws EntitlementException, JSONException {
long lastModifiedAt = dateStringToLong(getVariableById(policy, XACMLConstants.PRIVILEGE_LAST_MODIFIED_DATE));
return referral;
}
boolean mustBePresent = false;
return anyOf;
}
/**
* Validates the privilege instance.
*
* @param privilege
* instance to be validated.
* @param privilegeValidator
* the validator for privilege.
*
* @throws EntitlementException
* if the privilege is invalid.
*/
public static void validate(Privilege privilege, PrivilegeValidator privilegeValidator) throws EntitlementException {
// OPENAM-5031
// For the moment, fail the whole import if any single referral is found to have a name which doesn't
// suit LDAP.
throw new EntitlementException(INVALID_VALUE,
}
}
/**
* OPENAM-5031: We would have used DN.escapeAttributeValue to encode the incoming string and compare with the
* original string - if there are differences then the incoming string contains characters which LDAP requires
* quoted. However ssoadm doesn't include the jar that the DN class ends up in. In order to avoid the
* overhead of adding a whole jar just for one function in one class, this is provided here. Thus, this
* function returns true if the incoming string contains any character which LDAP requires to be quoted.
*
* @param s The specified string.
* @return true if the string contains characters which require quotation for LDAP to work, false otherwise
*/
// This is done with strings rather than characters because the initialisation of the set is much easier.
// Otherwise we end up with a Set<Character> being initialised from a List<char>
for(int i = 0; i < s.length(); i++) {
return true;
}
}
return false;
}
}