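/**
 * {@link Privilege} of type {@link PrivilegeType#OPENSSO} that carries an optional policy name and
 * evaluates its entitlement under a restricted-token context.
 *
 * <p>Evaluation timing is recorded through two {@link NetworkMonitor}s, one for single-level and
 * one for sub-tree (recursive) evaluation; every {@code start()} is paired with an {@code end()}
 * on all paths. The policy name is serialised as the {@code "policyName"} JSON member.
 */
public class OpenSSOPrivilege extends Privilege {
  // Monitor used when a single resource level is evaluated (recursive == false).
  private static final NetworkMonitor EVAL_SINGLE_LEVEL_MONITOR =
      NetworkMonitor.getInstance("privilegeSingleLevelEvaluation");
  // Monitor used when the resource sub-tree is evaluated (recursive == true).
  private static final NetworkMonitor EVAL_SUB_TREE_MONITOR =
      NetworkMonitor.getInstance("privilegeSubTreeEvaluation");
  // Name of the policy this privilege was derived from; may be null when never set.
  private String policyName;

  /** Creates an empty privilege; state is populated later via {@link #init(JSONObject)} or setters. */
  public OpenSSOPrivilege() {
    super();
  }

  /**
   * Returns the privilege type.
   *
   * @return always {@link PrivilegeType#OPENSSO}
   */
  @Override
  public PrivilegeType getType() {
    return PrivilegeType.OPENSSO;
  }

  /**
   * Evaluates this privilege under the restricted-token {@code context} and returns the resulting
   * entitlements.
   *
   * <p>The work is delegated to {@link #internalEvaluate} from inside
   * {@code RestrictedTokenContext.doUsing(context, ...)}. An {@link EntitlementException} raised
   * during evaluation is propagated to the caller. Any other failure is logged with its stack trace
   * through {@code PrivilegeManager.debug} and reported as an empty list, so a failed evaluation is
   * neither swallowed silently nor returned as {@code null}, and never grants an action.
   *
   * @param adminSubject subject used to perform the evaluation
   * @param realm realm the evaluation runs in
   * @param subject subject whose access is being evaluated
   * @param applicationName application the resource belongs to
   * @param resourceName resource being evaluated
   * @param actionNames actions requested on the resource
   * @param environment environment attributes available to conditions
   * @param recursive whether the sub-tree below {@code resourceName} is evaluated
   * @param context restricted-token context the evaluation runs under
   * @return the entitlements produced by evaluation, or an empty list if evaluation failed with an
   *     exception other than {@link EntitlementException}; never {@code null}
   * @throws EntitlementException if the evaluation itself reports an entitlement error
   */
  @Override
  public List<Entitlement> evaluate(
      final Subject adminSubject,
      final String realm,
      final Subject subject,
      final String applicationName,
      final String resourceName,
      final Set<String> actionNames,
      final Map<String, Set<String>> environment,
      final boolean recursive,
      final Object context)
      throws EntitlementException {
    try {
      // doUsing returns Object; run() below only ever returns the List from internalEvaluate.
      @SuppressWarnings("unchecked")
      List<Entitlement> results =
          (List<Entitlement>)
              RestrictedTokenContext.doUsing(
                  context,
                  new RestrictedTokenAction() {
                    public Object run() throws Exception {
                      return internalEvaluate(
                          adminSubject,
                          realm,
                          subject,
                          applicationName,
                          resourceName,
                          actionNames,
                          environment,
                          recursive);
                    }
                  });
      return results;
    } catch (EntitlementException ex) {
      // Already the declared failure type: let the caller see it.
      throw ex;
    } catch (Exception ex) {
      // Unexpected failure (run() is declared to throw Exception). Record the cause and fail
      // closed with no entitlements instead of a null result.
      PrivilegeManager.debug.error(
          "[PolicyEval] OpenSSOPrivilege.evaluate: evaluation failed for resource " + resourceName,
          ex);
      return Collections.<Entitlement>emptyList();
    }
  }

  /**
   * Evaluates this privilege for {@code subject} against {@code resourceName} and collects one
   * {@link Entitlement} per matched resource.
   *
   * <p>An inactive privilege, or one whose subject/condition does not match, yields a single
   * entitlement with an empty action set for the privilege's own resource. The sub-tree or
   * single-level monitor is started before evaluation and ended in a {@code finally} block so the
   * measurement is closed on every path, including the inactive early return and exceptions.
   *
   * @param adminSubject subject used to perform the evaluation
   * @param realm realm the evaluation runs in
   * @param subject subject whose access is being evaluated
   * @param applicationName application the resource belongs to
   * @param resourceName resource being evaluated
   * @param actionNames actions requested on the resource
   * @param environment environment attributes available to conditions
   * @param recursive whether the sub-tree below {@code resourceName} is evaluated
   * @return list holding at least one entitlement; never {@code null}
   * @throws EntitlementException if subject, condition or resource evaluation fails
   */
  private List<Entitlement> internalEvaluate(
      Subject adminSubject,
      String realm,
      Subject subject,
      String applicationName,
      String resourceName,
      Set<String> actionNames,
      Map<String, Set<String>> environment,
      boolean recursive)
      throws EntitlementException {
    NetworkMonitor monitor = recursive ? EVAL_SUB_TREE_MONITOR : EVAL_SINGLE_LEVEL_MONITOR;
    long start = monitor.start();
    try {
      List<Entitlement> results = new ArrayList<Entitlement>();
      Entitlement origE = getEntitlement();

      if (!isActive()) {
        // Inactive privilege: report its own resource with no permitted actions and stop.
        results.add(
            new Entitlement(
                origE.getApplicationName(),
                origE.getResourceName(),
                Collections.<String>emptySet()));
        return results;
      }

      Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
      Set<ConditionDecision> decisions = new HashSet<ConditionDecision>();
      // Short-circuit is intentional: conditions are only consulted once the subject matched, so
      // `decisions` stays empty (TTL == Long.MAX_VALUE) when the subject does not match.
      boolean matched =
          doesSubjectMatch(adminSubject, realm, advices, subject, resourceName, environment)
              && doesConditionMatch(realm, advices, subject, resourceName, environment, decisions);
      // `decisions` is final here; computing the TTL once keeps every result consistent.
      long ttl = getLowestDecisionTTL(decisions);

      if (matched) {
        Set<String> resources =
            origE.evaluate(
                adminSubject,
                realm,
                subject,
                applicationName,
                resourceName,
                actionNames,
                environment,
                recursive);

        if (PrivilegeManager.debug.messageEnabled()) {
          PrivilegeManager.debug.message(
              "[PolicyEval] OpenSSOPrivilege.evaluate: resources=" + resources.toString(), null);
        }
        for (String r : resources) {
          Entitlement e = new Entitlement(origE.getApplicationName(), r, origE.getActionValues());
          e.setAttributes(getAttributes(adminSubject, realm, subject, resourceName, environment));
          e.setAdvices(advices);
          e.setTTL(ttl);
          results.add(e);
        }
      } else {
        // No match: empty action set, but keep advices and TTL so the caller can report why.
        Entitlement e =
            new Entitlement(
                origE.getApplicationName(),
                origE.getResourceName(),
                Collections.<String>emptySet());
        e.setAdvices(advices);
        e.setTTL(ttl);
        results.add(e);
      }

      return results;
    } finally {
      // Pair every start() with end(), including the inactive early return and exception paths.
      monitor.end(start);
    }
  }

  /**
   * Returns JSONObject mapping of the object, adding {@code "policyName"} when one is set.
   *
   * @return JSONObject mapping of the object
   * @throws JSONException if can not map to JSONObject
   */
  @Override
  public JSONObject toJSONObject() throws JSONException {
    JSONObject jo = super.toJSONObject();
    if (policyName != null) {
      jo.put("policyName", policyName);
    }
    return jo;
  }

  /**
   * Populates this privilege from its JSON form.
   *
   * @param jo JSON object produced by {@link #toJSONObject()}
   */
  protected void init(JSONObject jo) {
    // optString returns "" (not null) when the member is absent.
    policyName = jo.optString("policyName");
  }

  /**
   * Sets policy name.
   *
   * @param policyName Policy name.
   */
  public void setPolicyName(String policyName) {
    this.policyName = policyName;
  }

  /**
   * Returns policy name.
   *
   * @return policyName Policy name.
   */
  public String getPolicyName() {
    return this.policyName;
  }

  /**
   * Returns the smallest time-to-live among the given condition decisions.
   *
   * @param decisions condition decisions collected during evaluation; may be empty
   * @return the lowest {@code getTimeToLive()} value, or {@code Long.MAX_VALUE} when
   *     {@code decisions} is empty
   */
  protected long getLowestDecisionTTL(Set<ConditionDecision> decisions) {
    long minTTL = Long.MAX_VALUE;
    for (ConditionDecision decision : decisions) {
      minTTL = Math.min(minTTL, decision.getTimeToLive());
    }
    return minTTL;
  }
}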
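  /**
   * Evaluates this privilege for {@code subject} against {@code resourceName} and collects one
   * {@link Entitlement} per matched resource.
   *
   * <p>An inactive privilege, or one whose subject/condition does not match, yields a single
   * entitlement with an empty action set for the privilege's own resource. The sub-tree or
   * single-level monitor is started before evaluation and ended in a {@code finally} block so the
   * measurement is closed on every path, including the inactive early return and exceptions.
   *
   * @param adminSubject subject used to perform the evaluation
   * @param realm realm the evaluation runs in
   * @param subject subject whose access is being evaluated
   * @param applicationName application the resource belongs to
   * @param resourceName resource being evaluated
   * @param actionNames actions requested on the resource
   * @param environment environment attributes available to conditions
   * @param recursive whether the sub-tree below {@code resourceName} is evaluated
   * @return list holding at least one entitlement; never {@code null}
   * @throws EntitlementException if subject, condition or resource evaluation fails
   */
  private List<Entitlement> internalEvaluate(
      Subject adminSubject,
      String realm,
      Subject subject,
      String applicationName,
      String resourceName,
      Set<String> actionNames,
      Map<String, Set<String>> environment,
      boolean recursive)
      throws EntitlementException {
    NetworkMonitor monitor = recursive ? EVAL_SUB_TREE_MONITOR : EVAL_SINGLE_LEVEL_MONITOR;
    long start = monitor.start();
    try {
      List<Entitlement> results = new ArrayList<Entitlement>();
      Entitlement origE = getEntitlement();

      if (!isActive()) {
        // Inactive privilege: report its own resource with no permitted actions and stop.
        results.add(
            new Entitlement(
                origE.getApplicationName(),
                origE.getResourceName(),
                Collections.<String>emptySet()));
        return results;
      }

      Map<String, Set<String>> advices = new HashMap<String, Set<String>>();
      Set<ConditionDecision> decisions = new HashSet<ConditionDecision>();
      // Short-circuit is intentional: conditions are only consulted once the subject matched, so
      // `decisions` stays empty (TTL == Long.MAX_VALUE) when the subject does not match.
      boolean matched =
          doesSubjectMatch(adminSubject, realm, advices, subject, resourceName, environment)
              && doesConditionMatch(realm, advices, subject, resourceName, environment, decisions);
      // `decisions` is final here; computing the TTL once keeps every result consistent.
      long ttl = getLowestDecisionTTL(decisions);

      if (matched) {
        Set<String> resources =
            origE.evaluate(
                adminSubject,
                realm,
                subject,
                applicationName,
                resourceName,
                actionNames,
                environment,
                recursive);

        if (PrivilegeManager.debug.messageEnabled()) {
          PrivilegeManager.debug.message(
              "[PolicyEval] OpenSSOPrivilege.evaluate: resources=" + resources.toString(), null);
        }
        for (String r : resources) {
          Entitlement e = new Entitlement(origE.getApplicationName(), r, origE.getActionValues());
          e.setAttributes(getAttributes(adminSubject, realm, subject, resourceName, environment));
          e.setAdvices(advices);
          e.setTTL(ttl);
          results.add(e);
        }
      } else {
        // No match: empty action set, but keep advices and TTL so the caller can report why.
        Entitlement e =
            new Entitlement(
                origE.getApplicationName(),
                origE.getResourceName(),
                Collections.<String>emptySet());
        e.setAdvices(advices);
        e.setTTL(ttl);
        results.add(e);
      }

      return results;
    } finally {
      // Pair every start() with end(), including the inactive early return and exception paths.
      monitor.end(start);
    }
  }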