001/**
002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003 *
004 * Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
005 *
006 * The contents of this file are subject to the terms
007 * of the Common Development and Distribution License
008 * (the License). You may not use this file except in
009 * compliance with the License.
010 *
011 * You can obtain a copy of the License at
012 * https://opensso.dev.java.net/public/CDDLv1.0.html or
013 * opensso/legal/CDDLv1.0.txt
014 * See the License for the specific language governing
015 * permission and limitations under the License.
016 *
017 * When distributing Covered Code, include this CDDL
018 * Header Notice in each file and include the License file
019 * at opensso/legal/CDDLv1.0.txt.
020 * If applicable, add the following below the CDDL Header,
021 * with the fields enclosed by brackets [] replaced by
022 * your own identifying information:
023 * "Portions Copyrighted [year] [name of copyright owner]"
024 *
025 * $Id: Evaluator.java,v 1.2 2009/09/10 16:35:38 veiming Exp $
026 *
027 * Portions copyright 2013-2014 ForgeRock AS.
028 */
029package com.sun.identity.entitlement;
030
031import com.sun.identity.shared.Constants;
032import com.sun.identity.shared.configuration.SystemPropertiesManager;
033import java.util.ArrayList;
034import java.util.List;
035import java.util.Map;
036import java.util.Set;
037import javax.security.auth.Subject;
038import org.forgerock.guice.core.InjectorHolder;
039import org.forgerock.openam.entitlement.monitoring.EntitlementConfigurationWrapper;
040import org.forgerock.openam.entitlement.monitoring.PolicyMonitor;
041import org.forgerock.openam.entitlement.monitoring.PolicyMonitoringType;
042
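/**
 * Evaluates entitlement requests against the policies of one application and
 * provides the resulting decisions.
 * <p>
 * Each instance is bound to an admin {@link Subject} (whose credentials are used
 * to perform the evaluation) and to one application name; when no application
 * name is given, the URL application type is used.
 * @supported.api
 */
public class Evaluator {

    private final Subject adminSubject;
    private final String applicationName;

    public static final int DEFAULT_POLICY_EVAL_THREAD = 10;

    // Null when the server-mode system property is not set (see getPolicyMonitor()).
    private final PolicyMonitor policyMonitor;
    private final EntitlementConfigurationWrapper configWrapper;

    /**
     * Creates an evaluator of the default application type with no admin subject.
     *
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    private Evaluator()
        throws EntitlementException {
        this(null, ApplicationTypeManager.URL_APPLICATION_TYPE_NAME);
    }

    /**
     * Creates an evaluator for the given application.
     *
     * @param subject Subject whose credentials are used for performing the
     *        evaluation.
     * @param applicationName the name of the application for which this
     *        evaluator can be used.
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    public Evaluator(Subject subject, String applicationName)
        throws EntitlementException {
        this.adminSubject = subject;
        this.applicationName = applicationName;
        this.policyMonitor = getPolicyMonitor();
        this.configWrapper = new EntitlementConfigurationWrapper();
    }

    /**
     * Creates an evaluator of the default application type.
     *
     * @param subject Subject whose credentials are used for performing the
     *        evaluation.
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    public Evaluator(Subject subject)
        throws EntitlementException {
        this(subject, ApplicationTypeManager.URL_APPLICATION_TYPE_NAME);
    }

    /**
     * Resolves the policy monitor used to record evaluation timings.
     *
     * @return the injected {@link PolicyMonitor} when the server-mode system
     *         property is {@code true}, otherwise {@code null}.
     */
    private static PolicyMonitor getPolicyMonitor() {
        // SystemPropertiesManager is used because there is no direct access to SystemProperties here.
        boolean serverMode = Boolean.parseBoolean(SystemPropertiesManager.get(Constants.SERVER_MODE));
        return serverMode ? InjectorHolder.getInstance(PolicyMonitor.class) : null;
    }

    /**
     * Returns <code>true</code> if the subject is granted the given entitlement.
     *
     * @param realm Realm name.
     * @param subject Subject who is under evaluation.
     * @param e Entitlement object which describes the resource name and
     *          actions.
     * @param envParameters Map of environment parameters.
     * @return <code>true</code> if the subject is granted the entitlement.
     * @throws EntitlementException if the result cannot be determined.
     */
    public boolean hasEntitlement(
        String realm,
        Subject subject,
        Entitlement e,
        Map<String, Set<String>> envParameters
    ) throws EntitlementException {
        // The admin subject of this evaluator, not the evaluated subject, is used to read policies.
        PrivilegeEvaluator evaluator = new PrivilegeEvaluator();
        return evaluator.hasEntitlement(realm, adminSubject, subject, applicationName, e, envParameters);
    }

    /**
     * Returns a list of entitlements for a given subject, resource names
     * and environment. Each resource name is evaluated non-recursively and
     * the results are concatenated in iteration order of {@code resourceNames}.
     *
     * @param realm Realm Name.
     * @param subject Subject who is under evaluation.
     * @param resourceNames Resource names; must be non-null and non-empty.
     * @param environment Environment parameters.
     * @return a list of entitlements for the given subject, resource names
     *         and environment; empty if no resource yields entitlements.
     * @throws EntitlementException if {@code resourceNames} is null or empty,
     *         or if the result cannot be determined.
     */
    public List<Entitlement> evaluate(
        String realm,
        Subject subject,
        Set<String> resourceNames,
        Map<String, Set<String>> environment
    ) throws EntitlementException {
        if ((resourceNames == null) || resourceNames.isEmpty()) {
            // Error code 424 is the code used here for a missing resource name; it has no named constant.
            throw new EntitlementException(424);
        }

        List<Entitlement> results = new ArrayList<Entitlement>();

        for (String res : resourceNames) {
            // Only the named resource itself is evaluated (recursive = false).
            List<Entitlement> r = evaluate(realm, subject, res, environment, false);
            if ((r != null) && !r.isEmpty()) {
                results.addAll(r);
            }
        }
        return results;
    }

    /**
     * Returns a list of entitlements for a given subject, resource name
     * and environment.
     *
     * @param realm
     *         Realm Name.
     * @param subject
     *         Subject who is under evaluation.
     * @param resourceName
     *         Resource name.
     * @param environment
     *         Environment parameters.
     * @param recursive
     *         <code>true</code> to perform evaluation on sub resources
     *         from the given resource name.
     * @return a list of entitlements for the given subject, resource name
     *         and environment.
     * @throws EntitlementException
     *         with {@link EntitlementException#APP_RETRIEVAL_ERROR} if the
     *         application cannot be retrieved for the realm, or if the result
     *         cannot be determined.
     */
    public List<Entitlement> evaluate(
            String realm,
            Subject subject,
            String resourceName,
            Map<String, Set<String>> environment,
            boolean recursive
    ) throws EntitlementException {

        long startTime = System.currentTimeMillis();

        // Delegation to applications is currently not configurable, passing super admin (see AME-4959).
        // Only the application lookup runs as super admin; the evaluation below still uses this
        // evaluator's adminSubject.
        Application application = ApplicationManager
                .getApplication(PrivilegeManager.superAdminSubject, realm, applicationName);

        if (application == null) {
            throw new EntitlementException(EntitlementException.APP_RETRIEVAL_ERROR, new String[] {realm});
        }

        // Normalise the incoming resource URL with the application's comparator; both the
        // canonical and the original name are handed to the privilege evaluator.
        String normalisedResourceName = application.getResourceComparator().canonicalize(resourceName);

        PrivilegeEvaluator evaluator = new PrivilegeEvaluator();
        List<Entitlement> results = evaluator.evaluate(realm, adminSubject, subject,
                applicationName, normalisedResourceName, resourceName, environment, recursive);

        // policyMonitor is null outside server mode; guard it so a monitoring flag that is
        // on in that mode cannot turn a successful evaluation into a NullPointerException.
        if (policyMonitor != null && configWrapper.isMonitoringRunning()) {
            policyMonitor.addEvaluation(System.currentTimeMillis() - startTime, realm, applicationName, resourceName,
                    subject, recursive ? PolicyMonitoringType.SUBTREE : PolicyMonitoringType.SELF);
        }

        return results;
    }

    /**
     * Returns the application name this evaluator is bound to.
     *
     * @return application name.
     */
    public String getApplicationName() {
        return applicationName;
    }
}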
236



























































