001/** 002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 003 * 004 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved 005 * 006 * The contents of this file are subject to the terms 007 * of the Common Development and Distribution License 008 * (the License). You may not use this file except in 009 * compliance with the License. 010 * 011 * You can obtain a copy of the License at 012 * https://opensso.dev.java.net/public/CDDLv1.0.html or 013 * opensso/legal/CDDLv1.0.txt 014 * See the License for the specific language governing 015 * permission and limitations under the License. 016 * 017 * When distributing Covered Code, include this CDDL 018 * Header Notice in each file and include the License file 019 * at opensso/legal/CDDLv1.0.txt. 020 * If applicable, add the following below the CDDL Header, 021 * with the fields enclosed by brackets [] replaced by 022 * your own identifying information: 023 * "Portions Copyrighted [year] [name of copyright owner]" 024 * 025 * $Id: ProxyPolicyEvaluator.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $ 026 * 027 * Portions Copyrighted 2011-2014 ForgeRock AS. 028 */ 029package com.sun.identity.policy; 030import com.iplanet.sso.SSOException; 031import com.iplanet.sso.SSOToken; 032import com.iplanet.sso.SSOTokenManager; 033 034import com.sun.identity.authentication.server.AuthContextLocal; 035import com.sun.identity.authentication.service.AuthException; 036import com.sun.identity.authentication.service.AuthUtils; 037 038import com.sun.identity.delegation.DelegationEvaluator; 039import com.sun.identity.delegation.DelegationEvaluatorImpl; 040import com.sun.identity.sm.DNMapper; 041 042import com.sun.identity.delegation.DelegationException; 043import com.sun.identity.delegation.DelegationPermission; 044 045import java.util.Map; 046import java.util.Set; 047import java.util.HashSet; 048import javax.security.auth.login.LoginException; 049 050import com.sun.identity.shared.ldap.util.DN; 051 052/** 053 * Class that lets a priviliged user to compute policy results for 054 * another user. 055 * Only privileged users can get <code>ProxyPolicyEvaluator</code> 056 * - only top level administrator, realm level policy administrator, 057 * realm administrator or realm policy administrator can get 058 * <code>ProxyPolicyEvaluator</code>. Top level administrator can compute policy 059 * results for any user. Realm administrator or policy administrator can 060 * compute policy results only for users who are members of the realm 061 * (including sub realm) that they manage. If they try to compute policys 062 * result for any other user, they would get a <code>PolicyException</code>. 063 * This class can be used only within the web container running policy server. 064 * 065 * @supported.all.api 066 * @deprecated since 12.0.0 067 */ 068@Deprecated 069public class ProxyPolicyEvaluator { 070 071 private SSOToken adminToken; 072 private String serviceType; 073 private PolicyEvaluator policyEvaluator; 074 private static String baseDNString; 075 private static DN baseDN; 076 077 static { 078 baseDNString = com.sun.identity.sm.ServiceManager.getBaseDN(); 079 baseDN= new DN(baseDNString); 080 } 081 082 /** 083 * Constructs a <code>ProxyPolicyEvaluator</code> instance. 084 * Only privileged users can create <code>ProxyPolicyEvaluator</code>. 085 * 086 * @param token single sign on token used to construct the proxy policy 087 * evaluator. 088 * @param serviceType service type for which construct the proxy policy 089 * evaluator 090 * @throws NoPermissionException if the token does not have privileges 091 * to create proxy policy evaluator 092 * @throws NameNotFoundException if the serviceType is not found in 093 * registered service types 094 * @throws PolicyException any policy exception coming from policy 095 * framework 096 * @throws SSOException if the token is invalid 097 */ 098 ProxyPolicyEvaluator(SSOToken token, String serviceType) 099 throws NoPermissionException, NameNotFoundException, 100 PolicyException, SSOException 101 { 102 SSOTokenManager.getInstance().validateToken(token); 103 this.adminToken = token; 104 this.serviceType = serviceType; 105 this.policyEvaluator 106 = PolicyEvaluatorFactory.getInstance() 107 .getPolicyEvaluator(token, serviceType); 108 } 109 110 /** 111 * Evaluates a simple privilege of boolean type. The privilege indicates 112 * if the user identified by the <code>principalName</code> 113 * can perform specified action on the specified resource. 114 * 115 * @param principalName principal name for whom to compute the privilege. 116 * @param realm realm of the user principal "/" separated format 117 * @param resourceName name of the resource for which to compute 118 * policy result. 119 * @param actionName name of the action the user is trying to perform on 120 * the resource 121 * @param env run time environment parameters 122 * 123 * @return the result of the evaluation as a boolean value 124 * 125 * @throws PolicyException exception form policy framework 126 * @throws SSOException if single sign on token is invalid 127 * 128 */ 129 public boolean isAllowed(String principalName, String realm, 130 String resourceName, String actionName, Map env) 131 throws PolicyException, SSOException 132 { 133 SSOToken token = getProxyToken(realm, principalName); 134 boolean allowed = policyEvaluator.isAllowed(token, resourceName, 135 actionName, env); 136 return allowed; 137 } 138 139 /** 140 * Evaluates a simple privilege of boolean type. The privilege indicates 141 * if the user identified by the <code>principalName</code> 142 * can perform specified action on the specified resource. 143 * 144 * @param principalName principal name for whom to compute the privilege. 145 * @param resourceName name of the resource for which to compute 146 * policy result. 147 * @param actionName name of the action the user is trying to perform on 148 * the resource 149 * @param env run time environment parameters 150 * 151 * @return the result of the evaluation as a boolean value 152 * 153 * @throws PolicyException exception form policy framework 154 * @throws SSOException if single sign on token is invalid 155 * 156 */ 157 public boolean isAllowed(String principalName, String resourceName, 158 String actionName, Map env) throws PolicyException, SSOException 159 { 160 return isAllowed(principalName, null, resourceName, actionName, env); 161 } 162 163 /** 164 * Gets policy decision for the user identified by the 165 * <code>principalName</code> for the given resource 166 * 167 * @param principalName principal name for whom to compute the policy 168 * decision 169 * @param realm realm of the user principal "/" separated format 170 * @param resourceName name of the resource for which to compute policy 171 * decision 172 * @param env run time environment parameters 173 * 174 * @return the policy decision for the principal for the given resource 175 * 176 * @throws PolicyException exception form policy framework 177 * @throws SSOException if single sign on token is invalid 178 * 179 */ 180 public PolicyDecision getPolicyDecision(String principalName, String realm, 181 String resourceName, Map env) 182 throws PolicyException, SSOException 183 { 184 SSOToken token = getProxyToken(realm, principalName); 185 PolicyDecision pd = policyEvaluator.getPolicyDecision( 186 token, resourceName, null, env); //null actionNames 187 // Let us log all policy evaluation results 188 if (PolicyUtils.logStatus) { 189 String decision = pd.toString(); 190 if (decision != null && decision.length() != 0) { 191 String[] objs = { adminToken.getPrincipal().getName(), 192 principalName, resourceName, 193 decision }; 194 PolicyUtils.logAccessMessage("PROXIED_POLICY_EVALUATION", 195 objs, adminToken); 196 } 197 } 198 199 if (PolicyManager.debug.messageEnabled()) { 200 PolicyManager.debug.message( 201 " Admin: " + adminToken.getPrincipal().getName() 202 + " got policy decision " 203 + " for principal: " + token.getPrincipal().getName() 204 + " for resourceName:" + resourceName 205 + " for serviceType :" + serviceType 206 + " is " + pd); 207 } 208 209 return pd; 210 } 211 /** 212 * Gets policy decision for the user identified by the 213 * <code>principalName</code> for the given resource 214 * 215 * @param principalName principal name for whom to compute the policy 216 * decision 217 * @param resourceName name of the resource for which to compute policy 218 * decision 219 * @param env run time environment parameters 220 * 221 * @return the policy decision for the principal for the given resource 222 * 223 * @throws PolicyException exception form policy framework 224 * @throws SSOException if single sign on token is invalid 225 * 226 */ 227 public PolicyDecision getPolicyDecision(String principalName, 228 String resourceName, Map env) 229 throws PolicyException, SSOException 230 { 231 return getPolicyDecision(principalName, null, resourceName, env); 232 } 233 234 /** 235 * Gets policy decision for a resource, skipping subject evaluation. 236 * Conditions would be evaluated and would include applicable advices 237 * in policy decisions. Hence, you could get details such as 238 * <code>AuthLevel</code>, <code>AuthScheme</code> that would be required to 239 * access the resource. 240 * 241 * @param resourceName name of the resource for which to compute policy 242 * decision 243 * @param actionNames names of the actions the user is trying to perform on 244 * the resource 245 * 246 * @param env run time environment parameters 247 * 248 * @return the policy decision for the principal for the given resource 249 * 250 * @throws PolicyException exception form policy framework 251 * @throws SSOException if single sign on token is invalid 252 * 253 */ 254 public PolicyDecision getPolicyDecisionIgnoreSubjects(String resourceName, 255 Set actionNames, Map env) throws PolicyException, SSOException 256 { 257 PolicyDecision pd = policyEvaluator.getPolicyDecisionIgnoreSubjects( 258 resourceName, actionNames, env); 259 // Let us log all policy evaluation results 260 if (PolicyUtils.logStatus) { 261 String decision = pd.toString(); 262 if (decision != null && decision.length() != 0) { 263 String[] objs = 264 {adminToken.getPrincipal().getName(), resourceName, 265 decision}; 266 PolicyUtils.logAccessMessage( 267 "PROXIED_POLICY_EVALUATION_IGNORING_SUBJECTS", 268 objs, adminToken); 269 } 270 } 271 272 if (PolicyManager.debug.messageEnabled()) { 273 PolicyManager.debug.message( 274 " Admin: " + adminToken.getPrincipal().getName() 275 + " got policy decision " 276 + " ignoring subjects " 277 + " for resourceName:" + resourceName 278 + " for serviceType :" + serviceType 279 + " is " + pd); 280 } 281 282 return pd; 283 } 284 285 /** 286 * Gets protected resources for a user identified by the 287 * <code>principalName</code>. Conditions defined in the policies are 288 * ignored while computing protected resources. 289 * Only resources that are sub resources of the given 290 * <code>rootResource</code> or equal to the given <code>rootResource</code> 291 * would be returned. 292 * If all policies applicable to a resource are 293 * only referral policies, no <code>ProtectedResource</code> would be 294 * returned for such a resource. 295 * 296 * @param principalName principal name for whom to compute the privilege. 297 * @param rootResource only resources that are sub resources of the 298 * given <code>rootResource</code> or equal to the 299 * given <code>rootResource</code> would be returned. 300 * If <code>PolicyEvaluator.ALL_RESOURCES</code> is 301 * passed as <code>rootResource</code>, resources under 302 * all root resources of the service 303 * type are considered while computing protected 304 * resources. 305 * 306 * @return set of protected resources. The set contains 307 * <code>ProtectedResource</code> objects. 308 * 309 * @throws PolicyException exception form policy framework 310 * @throws SSOException if single sign on token is invalid 311 * @see ProtectedResource 312 * 313 */ 314 public Set getProtectedResourcesIgnoreConditions(String principalName, 315 String rootResource) throws PolicyException, SSOException 316 { 317 return getProtectedResourcesIgnoreConditions(principalName, null, 318 rootResource); 319 } 320 321 /** 322 * Gets protected resources for a user identified by the 323 * <code>principalName</code>. Conditions defined in the policies are 324 * ignored while computing protected resources. 325 * Only resources that are sub resources of the given 326 * <code>rootResource</code> or equal to the given <code>rootResource</code> 327 * would be returned. 328 * If all policies applicable to a resource are 329 * only referral policies, no <code>ProtectedResource</code> would be 330 * returned for such a resource. 331 * 332 * @param principalName principal name for whom to compute the privilege. 333 * @param realm realm of the user principal "/" separated format 334 * @param rootResource only resources that are sub resources of the 335 * given <code>rootResource</code> or equal to the 336 * given <code>rootResource</code> would be returned. 337 * If <code>PolicyEvaluator.ALL_RESOURCES</code> is 338 * passed as <code>rootResource</code>, resources under 339 * all root resources of the service 340 * type are considered while computing protected 341 * resources. 342 * 343 * @return set of protected resources. The set contains 344 * <code>ProtectedResource</code> objects. 345 * 346 * @throws PolicyException exception form policy framework 347 * @throws SSOException if single sign on token is invalid 348 * @see ProtectedResource 349 * 350 */ 351 public Set getProtectedResourcesIgnoreConditions(String principalName, 352 String realm, String rootResource) 353 throws PolicyException, SSOException 354 { 355 SSOToken token = getProxyToken(realm, principalName); 356 return policyEvaluator.getProtectedResourcesIgnoreConditions( 357 token, rootResource); 358 } 359 360 /** 361 * Gets proxy session token 362 * @param principalName user to proxy as 363 * @return proxy session token 364 * @throws PolicyException if proxy session token can not be obtained 365 * @throws SSOException if the session token of the administrative user 366 * is invalid 367 */ 368 private SSOToken getProxyToken(String realm, String principalName) 369 throws PolicyException, SSOException 370 { 371 if ((realm == null) || realm.trim().equals("")) { 372 realm = "/"; // set it to root org 373 } 374 SSOTokenManager.getInstance().validateToken(adminToken); 375 SSOToken token = null; 376 boolean proxyPermission = false; 377 378 try { 379 String orgDN = DNMapper.orgNameToDN(realm); 380 if (PolicyManager.debug.messageEnabled()) { 381 PolicyManager.debug.message("ProxyPolicyEvaluator."+ 382 "getProxyToken:principalName, orgDN="+principalName+ 383 ","+orgDN); 384 } 385 386 AuthContextLocal ac = AuthUtils.getAuthContext(orgDN); 387 ac.login( 388 com.sun.identity.authentication.AuthContext.IndexType.USER, 389 principalName, true); 390 token = ac.getSSOToken(); 391 } catch (AuthException ae) { 392 throw new PolicyException(ae); 393 } catch (LoginException le) { 394 throw new PolicyException(le); 395 } 396 if (token == null) { 397 throw new SSOException(new PolicyException(ResBundleUtils.rbName, 398 "can_not_get_proxy_sso_token", null, null)); 399 } 400 401 try { 402 Set actionNames = new HashSet(); 403 actionNames.add("MODIFY"); 404 DelegationEvaluator de = new DelegationEvaluatorImpl(); 405 DelegationPermission permission = 406 new DelegationPermission("/", "iPlanetAMPolicyService", 407 "1.0", "organization", "default", 408 actionNames, null); 409 proxyPermission = de.isAllowed(adminToken, permission, null); 410 if (PolicyManager.debug.messageEnabled()) { 411 PolicyManager.debug.message("proxyPermission after delegation " 412 +"check:" +proxyPermission); 413 } 414 if (!proxyPermission) { 415 SSOTokenManager.getInstance().destroyToken(token); 416 if (PolicyManager.debug.warningEnabled()) { 417 PolicyManager.debug.warning("Admin : " 418 + adminToken.getPrincipal().getName() 419 + " can not create proxy sso token for user " 420 + principalName); 421 422 } 423 throw new PolicyException(ResBundleUtils.rbName, 424 "no_permission_to_create_proxy_sso_token", null, null); 425 } 426 } catch(DelegationException de) { 427 throw new PolicyException(de); 428 } 429 return token; 430 } 431 432}
Copyright © 2010-2017, ForgeRock All Rights Reserved.