001/**
002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003 *
004 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
005 *
006 * The contents of this file are subject to the terms
007 * of the Common Development and Distribution License
008 * (the License). You may not use this file except in
009 * compliance with the License.
010 *
011 * You can obtain a copy of the License at
012 * https://opensso.dev.java.net/public/CDDLv1.0.html or
013 * opensso/legal/CDDLv1.0.txt
014 * See the License for the specific language governing
015 * permission and limitations under the License.
016 *
017 * When distributing Covered Code, include this CDDL
018 * Header Notice in each file and include the License file
019 * at opensso/legal/CDDLv1.0.txt.
020 * If applicable, add the following below the CDDL Header,
021 * with the fields enclosed by brackets [] replaced by
022 * your own identifying information:
023 * "Portions Copyrighted [year] [name of copyright owner]"
024 *
025 * $Id: ProxyPolicyEvaluator.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $
026 *
027 * Portions Copyrighted 2011-2014 ForgeRock AS.
028 */
029package com.sun.identity.policy;
030import com.iplanet.sso.SSOException;
031import com.iplanet.sso.SSOToken;
032import com.iplanet.sso.SSOTokenManager;
033
034import com.sun.identity.authentication.server.AuthContextLocal;
035import com.sun.identity.authentication.service.AuthException;
036import com.sun.identity.authentication.service.AuthUtils;
037
038import com.sun.identity.delegation.DelegationEvaluator;
039import com.sun.identity.delegation.DelegationEvaluatorImpl;
040import com.sun.identity.sm.DNMapper;
041
042import com.sun.identity.delegation.DelegationException;
043import com.sun.identity.delegation.DelegationPermission;
044
045import java.util.Map;
046import java.util.Set;
047import java.util.HashSet;
048import javax.security.auth.login.LoginException;
049
050import com.sun.identity.shared.ldap.util.DN;
051
052/**
053 * Class that lets a priviliged user to compute policy results for 
054 * another user.
055 * Only privileged users can get <code>ProxyPolicyEvaluator</code>
056 *  - only top level administrator, realm level policy administrator, 
057 * realm administrator or realm policy administrator can get
058 * <code>ProxyPolicyEvaluator</code>. Top level administrator can compute policy
059 * results for any user. Realm administrator or policy administrator can
060 * compute policy results only for users who are members of the realm
061 * (including sub realm) that they manage. If they try to compute policys
062 * result for any other user, they would get a <code>PolicyException</code>.
063 * This class can be used only within the web container running policy server.
064 *
065 * @supported.all.api
066 * @deprecated since 12.0.0
067 */
068@Deprecated
069public class ProxyPolicyEvaluator {
070
071    private SSOToken adminToken;
072    private String serviceType;
073    private PolicyEvaluator policyEvaluator;
074    private static String baseDNString;
075    private static DN baseDN;
076
077    static {
078        baseDNString = com.sun.identity.sm.ServiceManager.getBaseDN();
079        baseDN= new DN(baseDNString);
080    }
081
082    /**
083     * Constructs a <code>ProxyPolicyEvaluator</code> instance.
084     * Only privileged users can create <code>ProxyPolicyEvaluator</code>.
085     *
086     * @param token single sign on token used to construct the proxy policy
087     *        evaluator.
088     * @param serviceType service type for which construct the proxy policy 
089     *                    evaluator 
090     * @throws NoPermissionException if the token does not have privileges 
091     *         to create proxy policy evaluator
092     * @throws NameNotFoundException if the serviceType is not found in
093     *         registered service types
094     * @throws PolicyException any policy exception coming from policy 
095     *                         framework
096     * @throws SSOException if the token is invalid
097     */
098    ProxyPolicyEvaluator(SSOToken token, String serviceType) 
099        throws NoPermissionException, NameNotFoundException, 
100        PolicyException, SSOException 
101    {
102        SSOTokenManager.getInstance().validateToken(token);
103        this.adminToken = token;
104        this.serviceType = serviceType;
105        this.policyEvaluator 
106                = PolicyEvaluatorFactory.getInstance()
107                .getPolicyEvaluator(token, serviceType);
108    }
109
110    /**
111     * Evaluates a simple privilege of boolean type. The privilege indicates
112     * if the user identified by the <code>principalName</code> 
113     * can perform specified action on the specified resource.
114     *
115     * @param principalName principal name for whom to compute the privilege.
116     * @param realm realm of the user principal "/" separated format 
117     * @param resourceName name of the resource for which to compute 
118     *                     policy result.
119     * @param actionName name of the action the user is trying to perform on
120     * the resource
121     * @param env run time environment parameters
122     *
123     * @return the result of the evaluation as a boolean value
124     *
125     * @throws PolicyException exception form policy framework 
126     * @throws SSOException if single sign on token is invalid
127     * 
128     */
129    public boolean isAllowed(String principalName, String realm,  
130        String resourceName, String actionName, Map env) 
131        throws PolicyException, SSOException 
132    {
133        SSOToken token = getProxyToken(realm, principalName);
134        boolean allowed = policyEvaluator.isAllowed(token, resourceName,
135                actionName, env);
136        return allowed;
137    }
138
139     /**
140     * Evaluates a simple privilege of boolean type. The privilege indicates
141     * if the user identified by the <code>principalName</code> 
142     * can perform specified action on the specified resource.
143     *
144     * @param principalName principal name for whom to compute the privilege.
145     * @param resourceName name of the resource for which to compute 
146     *                     policy result.
147     * @param actionName name of the action the user is trying to perform on
148     * the resource
149     * @param env run time environment parameters
150     *
151     * @return the result of the evaluation as a boolean value
152     *
153     * @throws PolicyException exception form policy framework 
154     * @throws SSOException if single sign on token is invalid
155     * 
156     */
157    public boolean isAllowed(String principalName, String resourceName, 
158        String actionName, Map env) throws PolicyException, SSOException 
159    {
160        return isAllowed(principalName, null, resourceName, actionName, env);
161    }
162
163    /**
164     * Gets policy decision for the user identified by the
165     * <code>principalName</code> for the given resource
166     *
167     * @param principalName principal name for whom to compute the policy 
168     *                      decision
169     * @param realm realm of the user principal "/" separated format 
170     * @param resourceName name of the resource for which to compute policy 
171     *                      decision
172     * @param env run time environment parameters
173     *
174     * @return the policy decision for the principal for the given resource
175     *
176     * @throws PolicyException exception form policy framework
177     * @throws SSOException if single sign on token is invalid
178     * 
179     */
180    public PolicyDecision getPolicyDecision(String principalName, String realm,
181        String resourceName, Map env) 
182        throws PolicyException, SSOException 
183    {
184        SSOToken token = getProxyToken(realm, principalName);
185        PolicyDecision pd = policyEvaluator.getPolicyDecision(
186                token, resourceName, null, env); //null actionNames
187        // Let us log all policy evaluation results
188        if (PolicyUtils.logStatus) {
189            String decision = pd.toString();
190            if (decision != null && decision.length() != 0) {
191                String[] objs = { adminToken.getPrincipal().getName(), 
192                                principalName, resourceName,
193                                decision };
194                PolicyUtils.logAccessMessage("PROXIED_POLICY_EVALUATION",
195                            objs, adminToken);
196            }
197        }
198
199        if (PolicyManager.debug.messageEnabled()) {
200            PolicyManager.debug.message(
201                    " Admin: " + adminToken.getPrincipal().getName()
202                    + " got policy decision "
203                    + " for principal: " + token.getPrincipal().getName() 
204                    + " for resourceName:" + resourceName
205                    + " for serviceType :" + serviceType
206                    + " is " + pd);
207        }
208
209        return pd;
210    }
211    /**
212     * Gets policy decision for the user identified by the
213     * <code>principalName</code> for the given resource
214     *
215     * @param principalName principal name for whom to compute the policy 
216     *                      decision
217     * @param resourceName name of the resource for which to compute policy 
218     *                      decision
219     * @param env run time environment parameters
220     *
221     * @return the policy decision for the principal for the given resource
222     *
223     * @throws PolicyException exception form policy framework
224     * @throws SSOException if single sign on token is invalid
225     * 
226     */
227    public PolicyDecision getPolicyDecision(String principalName, 
228        String resourceName, Map env) 
229        throws PolicyException, SSOException 
230    {
231        return getPolicyDecision(principalName, null, resourceName, env);
232    }
233
234    /**
235     * Gets policy decision for a resource, skipping subject evaluation. 
236     * Conditions would be evaluated and would include applicable advices 
237     * in policy decisions. Hence, you could get details such as
238     * <code>AuthLevel</code>, <code>AuthScheme</code> that would be required to
239     * access the resource.  
240     *
241     * @param resourceName name of the resource for which to compute policy 
242     *                      decision
243     * @param actionNames names of the actions the user is trying to perform on
244     *                   the resource
245     *
246     * @param env run time environment parameters
247     *
248     * @return the policy decision for the principal for the given resource
249     *
250     * @throws PolicyException exception form policy framework
251     * @throws SSOException if single sign on token is invalid
252     * 
253     */
254    public PolicyDecision getPolicyDecisionIgnoreSubjects(String resourceName, 
255            Set actionNames, Map env) throws PolicyException, SSOException 
256    {
257        PolicyDecision pd = policyEvaluator.getPolicyDecisionIgnoreSubjects(
258                resourceName, actionNames, env); 
259        // Let us log all policy evaluation results
260        if (PolicyUtils.logStatus) {
261            String decision = pd.toString();
262            if (decision != null && decision.length() != 0) {
263                String[] objs =
264                    {adminToken.getPrincipal().getName(), resourceName,
265                        decision};
266                PolicyUtils.logAccessMessage(
267                     "PROXIED_POLICY_EVALUATION_IGNORING_SUBJECTS", 
268                      objs, adminToken);
269            }
270        }
271
272        if (PolicyManager.debug.messageEnabled()) {
273            PolicyManager.debug.message(
274                    " Admin: " + adminToken.getPrincipal().getName()
275                    + " got policy decision "
276                    + " ignoring subjects "
277                    + " for resourceName:" + resourceName
278                    + " for serviceType :" + serviceType
279                    + " is " + pd);
280        }
281
282        return pd;
283    }
284
285    /**
286     * Gets protected resources for a user identified by the
287     * <code>principalName</code>.  Conditions defined  in the policies are
288     * ignored while computing protected resources. 
289     * Only resources that are  sub resources of the  given 
290     * <code>rootResource</code> or equal to the given <code>rootResource</code>
291     * would be returned.
292     * If all policies applicable to a resource are 
293     * only referral policies, no <code>ProtectedResource</code> would be
294     * returned for such a resource.
295     *
296     * @param principalName principal name for whom to compute the privilege.
297     * @param rootResource  only resources that are sub resources of the  
298     *                      given <code>rootResource</code> or equal to the
299     *                      given <code>rootResource</code> would be returned.
300     *                      If <code>PolicyEvaluator.ALL_RESOURCES</code> is 
301     *                      passed as <code>rootResource</code>, resources under
302     *                      all root  resources of the service 
303     *                      type are considered while computing protected 
304     *                      resources.
305     *
306     * @return set of protected resources. The set contains
307     *         <code>ProtectedResource</code> objects. 
308     *
309     * @throws PolicyException exception form policy framework
310     * @throws SSOException if single sign on token is invalid
311     * @see ProtectedResource
312     * 
313     */
314    public Set getProtectedResourcesIgnoreConditions(String principalName, 
315        String rootResource)  throws PolicyException, SSOException 
316    {
317            return getProtectedResourcesIgnoreConditions(principalName, null, 
318            rootResource);
319    }
320
321    /**
322     * Gets protected resources for a user identified by the
323     * <code>principalName</code>.  Conditions defined  in the policies are
324     * ignored while computing protected resources. 
325     * Only resources that are  sub resources of the  given 
326     * <code>rootResource</code> or equal to the given <code>rootResource</code>
327     * would be returned.
328     * If all policies applicable to a resource are 
329     * only referral policies, no <code>ProtectedResource</code> would be
330     * returned for such a resource.
331     *
332     * @param principalName principal name for whom to compute the privilege.
333     * @param realm realm of the user principal "/" separated format 
334     * @param rootResource  only resources that are sub resources of the  
335     *                      given <code>rootResource</code> or equal to the
336     *                      given <code>rootResource</code> would be returned.
337     *                      If <code>PolicyEvaluator.ALL_RESOURCES</code> is 
338     *                      passed as <code>rootResource</code>, resources under
339     *                      all root  resources of the service 
340     *                      type are considered while computing protected 
341     *                      resources.
342     *
343     * @return set of protected resources. The set contains
344     *         <code>ProtectedResource</code> objects. 
345     *
346     * @throws PolicyException exception form policy framework
347     * @throws SSOException if single sign on token is invalid
348     * @see ProtectedResource
349     * 
350     */
351    public Set getProtectedResourcesIgnoreConditions(String principalName, 
352        String realm, String rootResource)  
353        throws PolicyException, SSOException 
354    {
355        SSOToken token = getProxyToken(realm, principalName);
356        return policyEvaluator.getProtectedResourcesIgnoreConditions(
357                token, rootResource);
358    }
359
360    /**
361     * Gets proxy session token
362     * @param principalName user to proxy as
363     * @return proxy session token
364     * @throws PolicyException if proxy session token can not be obtained
365     * @throws SSOException if the session token of the administrative user
366     * is invalid
367     */
368    private SSOToken getProxyToken(String realm, String principalName) 
369        throws PolicyException, SSOException 
370    {
371        if ((realm == null) || realm.trim().equals("")) {
372            realm = "/"; // set it to root org
373        }
374        SSOTokenManager.getInstance().validateToken(adminToken);
375        SSOToken token = null;
376        boolean proxyPermission = false;
377
378        try {
379            String orgDN = DNMapper.orgNameToDN(realm);
380            if (PolicyManager.debug.messageEnabled()) {
381                PolicyManager.debug.message("ProxyPolicyEvaluator."+
382                    "getProxyToken:principalName, orgDN="+principalName+
383                    ","+orgDN);
384            }
385            
386            AuthContextLocal ac = AuthUtils.getAuthContext(orgDN);
387            ac.login(
388                com.sun.identity.authentication.AuthContext.IndexType.USER, 
389                    principalName, true);
390            token = ac.getSSOToken();
391        } catch (AuthException ae) {
392            throw new PolicyException(ae);
393        } catch (LoginException le) {
394            throw new PolicyException(le);
395        } 
396        if (token ==  null) {
397            throw new SSOException(new PolicyException(ResBundleUtils.rbName,
398                    "can_not_get_proxy_sso_token", null, null));
399        }
400
401        try {
402            Set actionNames = new HashSet();
403            actionNames.add("MODIFY");
404            DelegationEvaluator de = new DelegationEvaluatorImpl();
405            DelegationPermission permission =
406                new DelegationPermission("/", "iPlanetAMPolicyService",
407                    "1.0", "organization", "default",
408                    actionNames, null);
409            proxyPermission = de.isAllowed(adminToken, permission, null);
410            if (PolicyManager.debug.messageEnabled()) {
411                PolicyManager.debug.message("proxyPermission after delegation "
412                    +"check:" +proxyPermission);
413            }  
414            if (!proxyPermission) {
415                SSOTokenManager.getInstance().destroyToken(token);
416                if (PolicyManager.debug.warningEnabled()) {
417                    PolicyManager.debug.warning("Admin : " 
418                            + adminToken.getPrincipal().getName()
419                            + " can not create proxy sso token for user "
420                            + principalName);
421
422                }
423                throw new PolicyException(ResBundleUtils.rbName,
424                        "no_permission_to_create_proxy_sso_token", null, null);
425            }
426        } catch(DelegationException de) {
427            throw new PolicyException(de);        
428        }
429        return token;
430    }
431
432}




























































Copyright © 2010-2017, ForgeRock All Rights Reserved.