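/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2008 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: Evaluator.java,v 1.2 2009/09/10 16:35:38 veiming Exp $
 *
 * Portions copyright 2013-2014 ForgeRock AS.
 */
package com.sun.identity.entitlement;

import com.sun.identity.shared.Constants;
import com.sun.identity.shared.configuration.SystemPropertiesManager;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.openam.entitlement.monitoring.EntitlementConfigurationWrapper;
import org.forgerock.openam.entitlement.monitoring.PolicyMonitor;
import org.forgerock.openam.entitlement.monitoring.PolicyMonitoringType;

/**
 * Evaluates entitlement requests and provides decisions.
 * <p>
 * Every decision is delegated to a {@link PrivilegeEvaluator} under the
 * administrative subject this evaluator was created with. The single-resource
 * {@link #evaluate(String, Subject, String, Map, boolean)} additionally resolves
 * the {@link Application}, canonicalises the resource name and, when policy
 * monitoring is running in server mode, records the evaluation time.
 *
 * @supported.api
 */
public class Evaluator {

    /**
     * Public constant kept for callers; it is not referenced by this class
     * itself.
     */
    public static final int DEFAULT_POLICY_EVAL_THREAD = 10;

    /**
     * Subject whose credentials are used to perform the evaluation.
     * {@code null} when created through the private no-arg constructor.
     */
    private final Subject adminSubject;

    /** Name of the application this evaluator is bound to. */
    private final String applicationName;

    /**
     * Sink for evaluation timings. {@code null} when the JVM is not running in
     * server mode (see {@link #getPolicyMonitor()}), so every use is guarded.
     */
    private final PolicyMonitor policyMonitor;

    /** Supplies the "is monitoring running" switch that gates timing records. */
    private final EntitlementConfigurationWrapper configWrapper;

    /**
     * Creates an evaluator for the default application type with no
     * administrative subject.
     *
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    private Evaluator() throws EntitlementException {
        this(null, ApplicationTypeManager.URL_APPLICATION_TYPE_NAME);
    }

    /**
     * Creates an evaluator for the default application type.
     *
     * @param subject Subject whose credentials are used for performing the
     *        evaluation.
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    public Evaluator(Subject subject) throws EntitlementException {
        this(subject, ApplicationTypeManager.URL_APPLICATION_TYPE_NAME);
    }

    /**
     * Creates an evaluator for the given application.
     *
     * @param subject Subject whose credentials are used for performing the
     *        evaluation.
     * @param applicationName the name of the application for which this
     *        evaluator can be used.
     * @throws EntitlementException if any other abnormal condition occurs.
     */
    public Evaluator(Subject subject, String applicationName) throws EntitlementException {
        this.adminSubject = subject;
        this.applicationName = applicationName;
        this.policyMonitor = getPolicyMonitor();
        this.configWrapper = new EntitlementConfigurationWrapper();
    }

    /**
     * Looks up the policy monitor, or returns {@code null} outside server mode.
     * <p>
     * Goes through {@link SystemPropertiesManager} because this class has no
     * direct access to {@code SystemProperties}.
     *
     * @return the injected {@link PolicyMonitor} in server mode, otherwise
     *         {@code null}.
     */
    private static PolicyMonitor getPolicyMonitor() {
        boolean serverMode = Boolean.parseBoolean(SystemPropertiesManager.get(Constants.SERVER_MODE));
        return serverMode ? InjectorHolder.getInstance(PolicyMonitor.class) : null;
    }

    /**
     * Returns <code>true</code> if the subject is granted an entitlement.
     *
     * @param realm Realm name.
     * @param subject Subject who is under evaluation.
     * @param e Entitlement object which describes the resource name and
     *        actions.
     * @param envParameters Map of environment parameters.
     * @return <code>true</code> if the subject is granted the entitlement.
     * @throws EntitlementException if the result cannot be determined.
     */
    public boolean hasEntitlement(String realm, Subject subject, Entitlement e,
            Map<String, Set<String>> envParameters) throws EntitlementException {
        return new PrivilegeEvaluator().hasEntitlement(realm, adminSubject, subject,
                applicationName, e, envParameters);
    }

    /**
     * Returns a list of entitlements for a given subject, resource names and
     * environment. Each resource name is evaluated non-recursively.
     *
     * @param realm Realm name.
     * @param subject Subject who is under evaluation.
     * @param resourceNames Resource names; must contain at least one entry.
     * @param environment Environment parameters.
     * @return the combined entitlements for all resource names.
     * @throws EntitlementException if {@code resourceNames} is null or empty,
     *         or if a result cannot be determined.
     */
    public List<Entitlement> evaluate(String realm, Subject subject, Set<String> resourceNames,
            Map<String, Set<String>> environment) throws EntitlementException {
        if ((resourceNames == null) || resourceNames.isEmpty()) {
            throw new EntitlementException(424);
        }

        List<Entitlement> results = new ArrayList<Entitlement>();
        for (String resourceName : resourceNames) {
            // A null or empty answer for one resource contributes nothing to the result.
            List<Entitlement> entitlements = evaluate(realm, subject, resourceName, environment, false);
            if ((entitlements != null) && !entitlements.isEmpty()) {
                results.addAll(entitlements);
            }
        }
        return results;
    }

    /**
     * Returns a list of entitlements for a given subject, resource name and
     * environment.
     *
     * @param realm Realm name.
     * @param subject Subject who is under evaluation.
     * @param resourceName Resource name.
     * @param environment Environment parameters.
     * @param recursive <code>true</code> to perform evaluation on sub resources
     *        from the given resource name.
     * @return a list of entitlements for the given subject, resource name and
     *         environment.
     * @throws EntitlementException if the application cannot be retrieved or
     *         the result cannot be determined.
     */
    public List<Entitlement> evaluate(String realm, Subject subject, String resourceName,
            Map<String, Set<String>> environment, boolean recursive) throws EntitlementException {
        // Monotonic clock for the elapsed-time measurement; wall-clock time can jump.
        long startNanos = System.nanoTime();

        // Delegation to applications is currently not configurable, passing super admin (see AME-4959).
        // The super-admin subject is used only to resolve the application definition; the privilege
        // evaluation below still runs under adminSubject and the subject under evaluation.
        Application application = ApplicationManager
                .getApplication(PrivilegeManager.superAdminSubject, realm, applicationName);

        if (application == null) {
            // App retrieval error.
            throw new EntitlementException(EntitlementException.APP_RETRIEVAL_ERROR, new String[] {realm});
        }

        // Normalise the incoming resource URL; both the normalised and the raw name are passed down.
        String normalisedResourceName = application.getResourceComparator().canonicalize(resourceName);

        List<Entitlement> results = new PrivilegeEvaluator().evaluate(realm, adminSubject, subject,
                applicationName, normalisedResourceName, resourceName, environment, recursive);

        // policyMonitor is null outside server mode (see getPolicyMonitor); never dereference it blindly.
        if (policyMonitor != null && configWrapper.isMonitoringRunning()) {
            long elapsedMillis = (System.nanoTime() - startNanos) / 1000000L;
            policyMonitor.addEvaluation(elapsedMillis, realm, applicationName, resourceName, subject,
                    recursive ? PolicyMonitoringType.SUBTREE : PolicyMonitoringType.SELF);
        }

        return results;
    }

    /**
     * Returns the application name this evaluator is bound to.
     *
     * @return application name.
     */
    public String getApplicationName() {
        return applicationName;
    }
}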