001/*
002 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
003 *
004 * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
005 *
006 * The contents of this file are subject to the terms
007 * of the Common Development and Distribution License
008 * (the License). You may not use this file except in
009 * compliance with the License.
010 *
011 * You can obtain a copy of the License at
012 * https://opensso.dev.java.net/public/CDDLv1.0.html or
013 * opensso/legal/CDDLv1.0.txt
014 * See the License for the specific language governing
015 * permission and limitations under the License.
016 *
017 * When distributing Covered Code, include this CDDL
018 * Header Notice in each file and include the License file
019 * at opensso/legal/CDDLv1.0.txt.
020 * If applicable, add the following below the CDDL Header,
021 * with the fields enclosed by brackets [] replaced by
022 * your own identifying information:
023 * "Portions Copyrighted [year] [name of copyright owner]"
024 *
025 * $Id: ProxyPolicyEvaluator.java,v 1.4 2009/01/28 05:35:01 ww203982 Exp $
026 *
027 * Portions Copyrighted 2011-2015 ForgeRock AS.
028 */
029
030package com.sun.identity.policy;
031
032import java.util.Map;
033import java.util.Set;
034
035import com.iplanet.sso.SSOException;
036import com.iplanet.sso.SSOToken;
037import com.iplanet.sso.SSOTokenManager;
038import org.forgerock.opendj.ldap.DN;
039
040/**
 * Class that lets a privileged user compute policy results for
042 * another user.
043 * Only privileged users can get <code>ProxyPolicyEvaluator</code>
044 *  - only top level administrator, realm level policy administrator,
045 * realm administrator or realm policy administrator can get
046 * <code>ProxyPolicyEvaluator</code>. Top level administrator can compute policy
047 * results for any user. Realm administrator or policy administrator can
048 * compute policy results only for users who are members of the realm
 * (including sub realm) that they manage. If they try to compute policy
 * results for any other user, they would get a <code>PolicyException</code>.
051 * This class can be used only within the web container running policy server.
052 *
053 * @supported.all.api
054 * @deprecated since 12.0.0
055 */
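@Deprecated
public class ProxyPolicyEvaluator {

    // Token of the privileged user on whose behalf decisions are computed.
    // Its principal name is what the access log attributes proxied
    // evaluations to. Assigned once in the constructor, hence final.
    private final SSOToken adminToken;
    // Service type the delegate evaluator was obtained for; only used here
    // to enrich debug output.
    private final String serviceType;
    // Delegate that performs the actual evaluation; this class adds only
    // logging around it.
    private final PolicyEvaluator policyEvaluator;
    // Resolved once at class-load time. Neither field is read anywhere in this
    // class; they are kept because the static initializer calls
    // ServiceManager.getBaseDN() at load time, a side effect other code may
    // rely on — TODO confirm before removing.
    private static final String baseDNString;
    private static final DN baseDN;

    static {
        baseDNString = com.sun.identity.sm.ServiceManager.getBaseDN();
        baseDN = DN.valueOf(baseDNString);
    }

    /**
     * Constructs a <code>ProxyPolicyEvaluator</code> instance.
     * Only privileged users can create <code>ProxyPolicyEvaluator</code>.
     * <p>
     * NOTE(review): this constructor only checks that {@code token} is a valid
     * session; it performs no privilege (administrator role) check itself. The
     * {@code NoPermissionException} documented below is presumably raised by
     * the package-level code that hands out instances (the constructor is
     * package-private) — confirm that every creation path enforces it.
     *
     * @param token single sign on token used to construct the proxy policy
     *        evaluator.
     * @param serviceType service type for which to construct the proxy policy
     *                    evaluator
     * @throws NoPermissionException if the token does not have privileges
     *         to create proxy policy evaluator
     * @throws NameNotFoundException if the serviceType is not found in
     *         registered service types
     * @throws PolicyException any policy exception coming from policy
     *                         framework
     * @throws SSOException if the token is invalid
     */
    ProxyPolicyEvaluator(SSOToken token, String serviceType)
        throws NoPermissionException, NameNotFoundException,
        PolicyException, SSOException
    {
        // Fail fast on an invalid token before building anything on top of it.
        SSOTokenManager.getInstance().validateToken(token);
        this.adminToken = token;
        this.serviceType = serviceType;
        this.policyEvaluator = PolicyEvaluatorFactory.getInstance()
                .getPolicyEvaluator(token, serviceType);
    }

    /**
     * Gets policy decision for a resource, skipping subject evaluation.
     * Conditions would be evaluated and would include applicable advices
     * in policy decisions. Hence, you could get details such as
     * <code>AuthLevel</code>, <code>AuthScheme</code> that would be required to
     * access the resource.
     * <p>
     * Every non-empty decision is written to the access log (when logging is
     * enabled) together with the admin principal and the resource name, so
     * proxied evaluations remain attributable to the administrator who ran
     * them.
     *
     * @param resourceName name of the resource for which to compute policy
     *                      decision
     * @param actionNames names of the actions the user is trying to perform on
     *                   the resource
     *
     * @param env run time environment parameters
     *
     * @return the policy decision for the principal for the given resource
     *
     * @throws PolicyException exception from policy framework
     * @throws SSOException if single sign on token is invalid
     *
     */
    public PolicyDecision getPolicyDecisionIgnoreSubjects(String resourceName,
            Set actionNames, Map env) throws PolicyException, SSOException
    {
        PolicyDecision pd = policyEvaluator.getPolicyDecisionIgnoreSubjects(
                resourceName, actionNames, env);

        // Audit trail: attribute the proxied evaluation to the admin principal.
        // The principal lookup is done only on this path so that a token that
        // has since become invalid does not fail evaluations with logging off.
        if (PolicyUtils.logStatus) {
            String decision = pd.toString();
            if (decision != null && !decision.isEmpty()) {
                String[] objs = {adminToken.getPrincipal().getName(),
                        resourceName, decision};
                PolicyUtils.logAccessMessage(
                        "PROXIED_POLICY_EVALUATION_IGNORING_SUBJECTS",
                        objs, adminToken);
            }
        }

        // Debug output is guarded so the string concatenation only happens
        // when message-level debugging is actually enabled.
        if (PolicyManager.debug.messageEnabled()) {
            PolicyManager.debug.message(
                    " Admin: " + adminToken.getPrincipal().getName()
                    + " got policy decision "
                    + " ignoring subjects "
                    + " for resourceName:" + resourceName
                    + " for serviceType :" + serviceType
                    + " is " + pd);
        }

        return pd;
    }
}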