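public class OpenSSOPrivilege extends Privilege {

    private static final NetworkMonitor EVAL_SINGLE_LEVEL_MONITOR =
        NetworkMonitor.getInstance("privilegeSingleLevelEvaluation");
    private static final NetworkMonitor EVAL_SUB_TREE_MONITOR =
        NetworkMonitor.getInstance("privilegeSubTreeEvaluation");

    // Optional policy name; null until set via setPolicyName or read by init(JSONObject).
    private String policyName;

    public OpenSSOPrivilege() {
        super();
    }

    @Override
    public PrivilegeType getType() {
        return PrivilegeType.OPENSSO;
    }

    /**
     * Evaluates this privilege for the given subject and resource, running the
     * evaluation inside the supplied restricted-token context.
     *
     * <p>An {@link EntitlementException} raised during evaluation is propagated
     * to the caller. Any other failure is logged and answered with a deny
     * entitlement (empty action set) so that an evaluation error never results
     * in a {@code null} result or an implicit grant.
     *
     * @param adminSubject Administrator subject used to perform the evaluation.
     * @param realm Realm name.
     * @param subject Subject being evaluated.
     * @param applicationName Application name.
     * @param resourceName Resource name.
     * @param actionNames Action names to evaluate.
     * @param environment Environment map.
     * @param recursive {@code true} to evaluate the sub tree of the resource.
     * @param context Restricted-token context handed to
     *        {@code RestrictedTokenContext.doUsing}.
     * @return Entitlements for the resource; never {@code null}.
     * @throws EntitlementException if the evaluation itself fails.
     */
    @Override
    public List<Entitlement> evaluate(
        final Subject adminSubject,
        final String realm,
        final Subject subject,
        final String applicationName,
        final String resourceName,
        final Set<String> actionNames,
        final Map<String, Set<String>> environment,
        final boolean recursive,
        final Object context
    ) throws EntitlementException {
        try {
            Object raw = RestrictedTokenContext.doUsing(context,
                new RestrictedTokenAction() {
                    public Object run() throws Exception {
                        return internalEvaluate(adminSubject, realm, subject,
                            applicationName, resourceName, actionNames,
                            environment, recursive);
                    }
                });
            // internalEvaluate is the only producer of this value, so the cast is safe.
            @SuppressWarnings("unchecked")
            List<Entitlement> results = (List<Entitlement>) raw;
            return results;
        } catch (EntitlementException ex) {
            // Declared by this method; do not hide it from the caller.
            throw ex;
        } catch (Exception ex) {
            // doUsing/run are declared to throw Exception. Do not fail open and do
            // not return null: log the failure and answer with a deny decision.
            PrivilegeManager.debug.error(
                "OpenSSOPrivilege.evaluate: evaluation failed, returning deny", ex);
            List<Entitlement> denied = new ArrayList<Entitlement>(1);
            denied.add(newDenyEntitlement());
            return denied;
        }
    }

    /**
     * Performs the actual evaluation and records its duration in the
     * single-level or sub-tree monitor, ending the timer even when the
     * privilege is inactive or an exception is thrown.
     */
    private List<Entitlement> internalEvaluate(
        Subject adminSubject,
        String realm,
        Subject subject,
        String applicationName,
        String resourceName,
        Set<String> actionNames,
        Map<String, Set<String>> environment,
        boolean recursive
    ) throws EntitlementException {
        NetworkMonitor monitor = recursive
            ? EVAL_SUB_TREE_MONITOR : EVAL_SINGLE_LEVEL_MONITOR;
        long start = monitor.start();
        try {
            return evaluateDecision(adminSubject, realm, subject,
                applicationName, resourceName, actionNames, environment,
                recursive);
        } finally {
            // The original code skipped end() on the inactive early return.
            monitor.end(start);
        }
    }

    /**
     * Computes the entitlements without any monitoring bookkeeping.
     *
     * <p>An inactive privilege yields a single deny entitlement. Otherwise the
     * subject and condition checks decide between one entitlement per matched
     * resource (carrying attributes, advices and the lowest condition TTL) and a
     * single deny entitlement carrying the collected advices and TTL.
     */
    private List<Entitlement> evaluateDecision(
        Subject adminSubject,
        String realm,
        Subject subject,
        String applicationName,
        String resourceName,
        Set<String> actionNames,
        Map<String, Set<String>> environment,
        boolean recursive
    ) throws EntitlementException {
        List<Entitlement> results = new ArrayList<Entitlement>();

        if (!isActive()) {
            results.add(newDenyEntitlement());
            return results;
        }

        Set<ConditionDecision> decisions = new HashSet<ConditionDecision>();
        Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
        boolean matched =
            doesSubjectMatch(adminSubject, realm, advices, subject,
                resourceName, environment)
            && doesConditionMatch(realm, advices, subject, resourceName,
                environment, decisions);

        if (!matched) {
            Entitlement denied = newDenyEntitlement();
            denied.setAdvices(advices);
            denied.setTTL(getLowestDecisionTTL(decisions));
            results.add(denied);
            return results;
        }

        Entitlement origE = getEntitlement();
        Set<String> resources = origE.evaluate(adminSubject, realm, subject,
            applicationName, resourceName, actionNames, environment, recursive);
        if (PrivilegeManager.debug.messageEnabled()) {
            PrivilegeManager.debug.message(
                "[PolicyEval] OpenSSOPrivilege.evaluate: resources="
                + resources.toString(), null);
        }
        long ttl = getLowestDecisionTTL(decisions);
        for (String matchedResource : resources) {
            Entitlement granted = new Entitlement(origE.getApplicationName(),
                matchedResource, origE.getActionValues());
            granted.setAttributes(getAttributes(adminSubject, realm, subject,
                resourceName, environment));
            granted.setAdvices(advices);
            granted.setTTL(ttl);
            results.add(granted);
        }
        return results;
    }

    /**
     * Builds a deny entitlement for this privilege's own application and
     * resource: same names as the privilege's entitlement, empty action set.
     */
    private Entitlement newDenyEntitlement() {
        Entitlement origE = getEntitlement();
        return new Entitlement(origE.getApplicationName(),
            origE.getResourceName(), Collections.<String>emptySet());
    }

    /**
     * Returns JSONObject mapping of the object.
     * The {@code policyName} key is written only when a policy name is set.
     *
     * @return JSONObject mapping of the object
     * @throws JSONException if can not map to JSONObject
     */
    @Override
    public JSONObject toJSONObject() throws JSONException {
        JSONObject jo = super.toJSONObject();
        if (policyName != null) {
            jo.put("policyName", policyName);
        }
        return jo;
    }

    /**
     * Reads the policy name from the JSON form produced by {@link #toJSONObject()}.
     * A missing key leaves the name {@code null} (rather than the empty string
     * {@code optString} would otherwise return), so a round trip is symmetric.
     *
     * @param jo JSON form of this privilege.
     */
    protected void init(JSONObject jo) {
        policyName = jo.optString("policyName", null);
    }

    /**
     * Sets policy name.
     *
     * @param policyName Policy name.
     */
    public void setPolicyName(String policyName) {
        this.policyName = policyName;
    }

    /**
     * Returns policy name.
     *
     * @return policyName Policy name.
     */
    public String getPolicyName() {
        return this.policyName;
    }

    /**
     * Returns the smallest time-to-live among the given condition decisions.
     *
     * @param decisions Condition decisions collected during evaluation.
     * @return Lowest TTL, or {@code Long.MAX_VALUE} when there are no decisions.
     */
    protected long getLowestDecisionTTL(Set<ConditionDecision> decisions) {
        long minTTL = Long.MAX_VALUE;
        for (ConditionDecision decision : decisions) {
            minTTL = Math.min(minTTL, decision.getTimeToLive());
        }
        return minTTL;
    }
}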
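/**
 * Evaluates this privilege for the given subject and resource while timing the
 * call in the single-level or sub-tree monitor.
 *
 * <p>An inactive privilege yields one deny entitlement (empty action set).
 * Otherwise, when both the subject and the condition checks match, one
 * entitlement is returned per matched resource, carrying attributes, advices
 * and the lowest condition TTL; when they do not match, a single deny
 * entitlement carrying the collected advices and TTL is returned.
 *
 * <p>The monitor timer is ended in a {@code finally} block so that the inactive
 * early return and any thrown exception still close the measurement.
 *
 * @param adminSubject Administrator subject used to perform the evaluation.
 * @param realm Realm name.
 * @param subject Subject being evaluated.
 * @param applicationName Application name.
 * @param resourceName Resource name.
 * @param actionNames Action names to evaluate.
 * @param environment Environment map.
 * @param recursive {@code true} to evaluate the sub tree of the resource.
 * @return Entitlements for the resource; never {@code null}.
 * @throws EntitlementException if the subject, condition or resource
 *         evaluation fails.
 */
private List<Entitlement> internalEvaluate(
    Subject adminSubject,
    String realm,
    Subject subject,
    String applicationName,
    String resourceName,
    Set<String> actionNames,
    Map<String, Set<String>> environment,
    boolean recursive
) throws EntitlementException {
    NetworkMonitor monitor = recursive
        ? EVAL_SUB_TREE_MONITOR : EVAL_SINGLE_LEVEL_MONITOR;
    long start = monitor.start();
    try {
        List<Entitlement> results = new ArrayList<Entitlement>();
        Entitlement origE = getEntitlement();

        if (!isActive()) {
            results.add(new Entitlement(origE.getApplicationName(),
                origE.getResourceName(), Collections.<String>emptySet()));
            return results;
        }

        Set<ConditionDecision> decisions = new HashSet<ConditionDecision>();
        Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
        boolean matched =
            doesSubjectMatch(adminSubject, realm, advices, subject,
                resourceName, environment)
            && doesConditionMatch(realm, advices, subject, resourceName,
                environment, decisions);

        if (!matched) {
            Entitlement denied = new Entitlement(origE.getApplicationName(),
                origE.getResourceName(), Collections.<String>emptySet());
            denied.setAdvices(advices);
            denied.setTTL(getLowestDecisionTTL(decisions));
            results.add(denied);
            return results;
        }

        Set<String> resources = origE.evaluate(adminSubject, realm, subject,
            applicationName, resourceName, actionNames, environment, recursive);
        if (PrivilegeManager.debug.messageEnabled()) {
            PrivilegeManager.debug.message(
                "[PolicyEval] OpenSSOPrivilege.evaluate: resources="
                + resources.toString(), null);
        }
        long ttl = getLowestDecisionTTL(decisions);
        for (String matchedResource : resources) {
            Entitlement granted = new Entitlement(origE.getApplicationName(),
                matchedResource, origE.getActionValues());
            granted.setAttributes(getAttributes(adminSubject, realm, subject,
                resourceName, environment));
            granted.setAdvices(advices);
            granted.setTTL(ttl);
            results.add(granted);
        }
        return results;
    } finally {
        // Always close the timer; the original skipped end() on the early return.
        monitor.end(start);
    }
}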