-
Notifications
You must be signed in to change notification settings - Fork 526
/
EntitlementService.java
163 lines (149 loc) · 7.03 KB
/
EntitlementService.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
/*
* Copyright (c) 2005-2010, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.identity.entitlement;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.entitlement.dto.AttributeDTO;
import org.wso2.carbon.identity.entitlement.dto.EntitledResultSetDTO;
import org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine;
import org.wso2.carbon.identity.entitlement.policy.search.PolicySearch;
import org.wso2.carbon.identity.entitlement.wsxacml.XACMLHandler;
/**
* Entitlement Service class which exposes the PDP
*/
public class EntitlementService implements XACMLHandler {
private static Log log = LogFactory.getLog(EntitlementService.class);
/**
* Evaluates the given XACML request and returns the Response that the EntitlementEngine will
* hand back to the PEP. PEP needs construct the XACML request before sending it to the
* EntitlementEngine
*
* @param request XACML request as a String Object
* @return XACML response as a String Object
* @throws EntitlementException throws
*/
public String getDecision(String request) throws EntitlementException {
String response;
try {
EntitlementEngine entitlementEngine = EntitlementEngine.getInstance();
response = entitlementEngine.evaluate(request);
return response;
} catch (Exception e) {
log.error("Error occurred while evaluating XACML request", e);
throw new EntitlementException("Error occurred while evaluating XACML request");
}
}
/**
* Evaluates the given XACML request and returns the Response that the EntitlementEngine will
* hand back to the PEP. Here PEP does not need construct the XACML request before sending it to the
* EntitlementEngine. Just can send the single attribute value. But here default attribute ids and data types
* are used
*
* @param subject subject
* @param resource resource
* @param action action
* @param environment environment
* @return XACML response as a String Object
* @throws EntitlementException throws
*/
public String getDecisionByAttributes(String subject, String resource, String action,
String[] environment) throws EntitlementException {
try {
EntitlementEngine entitlementEngine = EntitlementEngine.getInstance();
return entitlementEngine.evaluate(subject, resource, action, environment);
} catch (Exception e) {
log.error("Error occurred while evaluating XACML request", e);
throw new EntitlementException("Error occurred while evaluating XACML request");
}
}
/**
* Evaluates the given XACML request and returns the Response as boolean value.
* Here PEP does not need construct the XACML request before sending it to the
* EntitlementEngine. Just can send the single attribute value. But here default
* attribute ids and data types are used.
* if result permit, return true else false such as Deny based PEP
*
* @param subject subject
* @param resource resource
* @param action action
* @return XACML response as boolean true or false
* @throws Exception throws
*/
public boolean getBooleanDecision(String subject, String resource, String action) throws Exception {
try {
EntitlementEngine entitlementEngine = EntitlementEngine.getInstance();
String response = entitlementEngine.evaluate(subject, resource, action, null);
if (response.contains("Permit")) {
return true;
}
return false;
} catch (Exception e) {
log.error("Error occurred while evaluating XACML request", e);
throw new Exception("Error occurred while evaluating XACML request");
}
}
/**
* Gets entitled resources for given user or role
* This method can be only used, if all policies in PDP are defined with default categories i.e
* subject, resource and action and default attribute Ids and #string data type.
*
* @param subjectName subject Name, User or Role name
* @param subjectId attribute id of the subject, user or role
* @param resourceName resource Name
* @param action action name
* @param enableChildSearch whether search is done for the child resources under the given resource name
* @return entitled resources as String array
* @throws org.wso2.carbon.identity.entitlement.EntitlementException throws if invalid data is provided
*/
public EntitledResultSetDTO getEntitledAttributes(String subjectName, String resourceName,
String subjectId, String action, boolean enableChildSearch)
throws EntitlementException {
if (subjectName == null) {
throw new EntitlementException(
"Invalid input data - either the user name or role name should be non-null");
}
PolicySearch policySearch = EntitlementEngine.getInstance().getPolicySearch();
return policySearch.getEntitledAttributes(subjectName, resourceName, subjectId, action,
enableChildSearch);
}
/**
* Gets all entitled attributes for given set of attributes
* this an universal method to do policy search and find entitlement attributes
*
* @param identifier identifier to separate out the attributes that is used for search
* this is not required and can be null
* @param givenAttributes user provided attributes
* @return all the attributes that is entitled
* @throws EntitlementException if fails
*/
public EntitledResultSetDTO getAllEntitlements(String identifier, AttributeDTO[] givenAttributes)
throws EntitlementException {
PolicySearch policySearch = EntitlementEngine.getInstance().getPolicySearch();
return policySearch.getEntitledAttributes(identifier, givenAttributes);
}
/**
* Evaluates the given XACML request for given SAML based authorization query
*
* @param request XACML request as a String Object
* @return XACML response as a String Object
* @throws Exception throws if fails
*/
public String XACMLAuthzDecisionQuery(String request) throws Exception {
return getDecision(request);
}
}