org.xdi.oxauth.uma.service.UmaExpressionService クラス

公開メンバ関数

boolean isExpressionValid (String expression)
 
void evaluate (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< UmaPermission > permissions)
 

非公開メンバ関数

boolean evaluateByScopes (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap)
 
void evaluateScopeExpression (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, UmaPermission permission, UmaResource resource)
 
void removeFalseScopesFromPermission (UmaPermission permission, List< String > dataScopes, Map< String, String > scopeIdToDnMap, List< Boolean > evaluatedResults)
 

静的非公開メンバ関数

static Map< String, String > scopeIdToDnMap (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scriptDNs)
 
static Map< UmaScriptByScope, UmaAuthorizationContext > filterByScopeDns (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scopeDNs)
 
static Map< UmaScriptByScope, UmaAuthorizationContext > filterByScopeId (Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, String scopeId)
 

非公開変数類

Logger log
 
ExternalUmaRptPolicyService policyService
 
ErrorResponseFactory errorResponseFactory
 
UmaResourceService resourceService
 
UmaPermissionService permissionService
 

詳解

著者
yuriyz

関数詳解

◆ evaluate()

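/**
 * Authorizes every permission in the request against the configured policy scripts.
 *
 * <p>For each permission the owning resource is loaded. If the resource carries a
 * JsonLogic scope expression, that expression drives the decision
 * ({@link #evaluateScopeExpression}); otherwise every script attached to the
 * permission's scopes must return {@code true} ({@link #evaluateByScopes}).
 * The method returns normally only when all permissions are authorized.
 *
 * <p>Note: when none of the permission's scope DNs has a script in {@code scriptMap},
 * {@code filterByScopeDns} yields an empty map and {@code evaluateByScopes} returns
 * {@code true}, i.e. a scope without any attached policy is granted.
 *
 * @param scriptMap   policy scripts keyed by scope, together with the context each
 *                    script is evaluated against
 * @param permissions permissions to authorize
 * @throws UmaWebException with {@code FORBIDDEN_BY_POLICY} when any permission is
 *                         denied, or when its resource cannot be resolved (the
 *                         lookup result is treated as a denial rather than letting
 *                         a {@code NullPointerException} escape)
 */
public void evaluate(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<UmaPermission> permissions) {
    for (UmaPermission permission : permissions) {
        UmaResource resource = resourceService.getResourceById(permission.getResourceId());
        if (resource == null) {
            // Fail closed: a permission whose resource cannot be found is not authorized.
            log.error("Resource not found for permission, resourceId: " + permission.getResourceId() + ", access FORBIDDEN.");
            throw new UmaWebException(Response.Status.FORBIDDEN, errorResponseFactory, UmaErrorResponseType.FORBIDDEN_BY_POLICY);
        }
        if (StringHelper.isNotEmpty(resource.getScopeExpression())) {
            evaluateScopeExpression(scriptMap, permission, resource);
        } else if (!evaluateByScopes(filterByScopeDns(scriptMap, permission.getScopeDns()))) {
            log.trace("Regular evaluation returns false, access FORBIDDEN.");
            throw new UmaWebException(Response.Status.FORBIDDEN, errorResponseFactory, UmaErrorResponseType.FORBIDDEN_BY_POLICY);
        }
    }
}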
void evaluateScopeExpression(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, UmaPermission permission, UmaResource resource)
Definition: UmaExpressionService.java:78
boolean evaluateByScopes(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap)
Definition: UmaExpressionService.java:66
static Map< UmaScriptByScope, UmaAuthorizationContext > filterByScopeDns(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scopeDNs)
Definition: UmaExpressionService.java:154
UmaResourceService resourceService
Definition: UmaExpressionService.java:43
Logger log
Definition: UmaExpressionService.java:37
UmaResource getResourceById(String id)
Definition: UmaResourceService.java:180
ErrorResponseFactory errorResponseFactory
Definition: UmaExpressionService.java:41

◆ evaluateByScopes()

/**
 * Runs every policy script in {@code scriptMap} and reports whether all of them
 * authorized the request.
 *
 * <p>Evaluation stops at the first script that returns {@code false}. An empty map
 * yields {@code true} (no script denied access); callers are responsible for
 * deciding whether an empty map should reach this method.
 *
 * @param scriptMap policy scripts keyed by scope, each with its evaluation context
 * @return {@code true} if every script authorized the request
 */
private boolean evaluateByScopes(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap) {
    for (Map.Entry<UmaScriptByScope, UmaAuthorizationContext> scriptEntry : scriptMap.entrySet()) {
        final UmaScriptByScope scriptByScope = scriptEntry.getKey();
        final boolean authorized = policyService.authorize(scriptByScope.getScript(), scriptEntry.getValue());
        log.trace("Policy script inum: '{}' result: '{}'", scriptByScope.getScript().getInum(), authorized);
        if (authorized) {
            continue;
        }
        // first denial wins; remaining scripts are not executed
        log.trace("Stop authorization scriptMap execution, current script returns false, script inum: " + scriptByScope.getScript().getInum() + ", scope: " + scriptByScope.getScope());
        return false;
    }
    return true;
}
ExternalUmaRptPolicyService policyService
Definition: UmaExpressionService.java:39
Logger log
Definition: UmaExpressionService.java:37
boolean authorize(CustomScriptConfiguration script, UmaAuthorizationContext context)
Definition: ExternalUmaRptPolicyService.java:94

◆ evaluateScopeExpression()

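/**
 * Authorizes {@code permission} against the JsonLogic scope expression of {@code resource}.
 *
 * <p>Each scope id named in the expression's {@code data} section is evaluated through
 * the scripts attached to that scope, the boolean outcomes are fed into the JsonLogic
 * rule, and the request is authorized only when the rule evaluates to {@code true}.
 * On success, scopes whose own evaluation returned {@code false} are stripped from the
 * persisted permission. Every failure path (unparsable expression, scope set mismatch,
 * evaluation error, rule returning {@code false}) ends in a FORBIDDEN response, so the
 * method never grants access by falling through.
 *
 * @param scriptMap  policy scripts keyed by scope, each with its evaluation context
 * @param permission permission being authorized; may be updated and persisted
 * @param resource   resource whose {@code scopeExpression} is evaluated
 * @throws UmaWebException with {@code FORBIDDEN_BY_POLICY} unless the expression
 *                         authorized the request
 */
private void evaluateScopeExpression(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, UmaPermission permission, UmaResource resource) {
    String scopeExpression = resource.getScopeExpression();
    JsonLogicNode node = JsonLogicNodeParser.parseNode(scopeExpression);
    if (node != null) {
        log.trace("Evaluating scope expression ...");

        // validate scopes, all must be present: every scope id named in the expression
        // has to map to one of the permission's scope DNs. A size comparison alone
        // would let an id that is not in the map through; its DN lookup would be null,
        // the filtered script map empty, and evaluateByScopes would report "true".
        List<String> dataScopes = node.getDataCopy();
        Map<String, String> idToDn = scopeIdToDnMap(scriptMap, permission.getScopeDns());
        if (dataScopes.size() != idToDn.size()) {
            log.error("Scope size in JsonLogic object 'data' and in permission differs which is forbidden. Node data: " + node +
                    ", permissionDns: " + permission.getScopeDns() + ", result scopeIds: " + idToDn);
        } else if (!idToDn.keySet().containsAll(dataScopes)) {
            log.error("Scope in JsonLogic object 'data' is not present in permission which is forbidden. Node data: " + node +
                    ", permissionDns: " + permission.getScopeDns() + ", result scopeIds: " + idToDn);
        } else {
            try {
                List<Boolean> evaluatedResults = evaluateDataScopes(scriptMap, dataScopes, idToDn);

                String rule = node.getRule().toString();
                final boolean result;
                if (evaluatedResults.isEmpty()) {
                    result = JsonLogic.apply(rule);
                } else {
                    result = JsonLogic.apply(rule, Util.asJsonSilently(evaluatedResults));
                }

                log.trace("JsonLogic evaluation result: " + result + ", rule: " + rule + ", data:" + Util.asJsonSilently(evaluatedResults));
                if (result) {
                    // access granted at this point but we have to remove scopes from permissions for which we got 'false' result
                    removeFalseScopesFromPermission(permission, dataScopes, idToDn, evaluatedResults);
                    return; // expression returned true;
                }
            } catch (Exception e) {
                // keep the cause; without it the stack trace of the failing script or rule is lost
                log.error("Failed to evaluate jsonlogic expression. Expression: " + scopeExpression + ", resourceDn: " + resource.getDn(), e);
            }
        }
    } else {
        log.error("Failed to parse JsonLogic object, invalid expression: " + scopeExpression);
    }
    throw new UmaWebException(Response.Status.FORBIDDEN, errorResponseFactory, UmaErrorResponseType.FORBIDDEN_BY_POLICY);
}

/**
 * Evaluates, in order, the scripts attached to each scope id of the expression's
 * {@code data} section.
 *
 * @param scriptMap  policy scripts keyed by scope, each with its evaluation context
 * @param dataScopes scope ids named in the expression, in evaluation order
 * @param idToDn     scope id to scope DN; must contain every id in {@code dataScopes}
 * @return one boolean per entry of {@code dataScopes}, same order
 */
private List<Boolean> evaluateDataScopes(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<String> dataScopes, Map<String, String> idToDn) {
    List<Boolean> evaluatedResults = new ArrayList<Boolean>();
    for (String scopeId : dataScopes) {
        log.trace("Evaluating scope result for scope: " + scopeId + " ...");
        boolean b = evaluateByScopes(filterByScopeDns(scriptMap, Lists.newArrayList(idToDn.get(scopeId))));
        log.trace("Evaluated scope result: " + b + ", scope: " + scopeId);
        evaluatedResults.add(b);
    }
    return evaluatedResults;
}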
boolean evaluateByScopes(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap)
Definition: UmaExpressionService.java:66
static Map< String, String > scopeIdToDnMap(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scriptDNs)
Definition: UmaExpressionService.java:144
static Map< UmaScriptByScope, UmaAuthorizationContext > filterByScopeDns(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scopeDNs)
Definition: UmaExpressionService.java:154
Logger log
Definition: UmaExpressionService.java:37
void removeFalseScopesFromPermission(UmaPermission permission, List< String > dataScopes, Map< String, String > scopeIdToDnMap, List< Boolean > evaluatedResults)
Definition: UmaExpressionService.java:124
ErrorResponseFactory errorResponseFactory
Definition: UmaExpressionService.java:41

◆ filterByScopeDns()

/**
 * Keeps only the entries of {@code scriptMap} whose scope DN is listed in {@code scopeDNs}.
 *
 * @param scriptMap policy scripts keyed by scope
 * @param scopeDNs  DNs of the scopes to keep
 * @return a new map with the matching entries; empty when nothing matches
 */
private static Map<UmaScriptByScope, UmaAuthorizationContext> filterByScopeDns(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<String> scopeDNs) {
    Map<UmaScriptByScope, UmaAuthorizationContext> matching = new HashMap<UmaScriptByScope, UmaAuthorizationContext>();
    for (UmaScriptByScope scriptByScope : scriptMap.keySet()) {
        String scopeDn = scriptByScope.getScope().getDn();
        if (!scopeDNs.contains(scopeDn)) {
            continue;
        }
        matching.put(scriptByScope, scriptMap.get(scriptByScope));
    }
    return matching;
}

◆ filterByScopeId()

/**
 * Keeps only the entries of {@code scriptMap} whose scope id equals {@code scopeId}.
 *
 * @param scriptMap policy scripts keyed by scope
 * @param scopeId   id of the scope to keep
 * @return a new map with the matching entries; empty when nothing matches
 */
private static Map<UmaScriptByScope, UmaAuthorizationContext> filterByScopeId(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, String scopeId) {
    Map<UmaScriptByScope, UmaAuthorizationContext> matching = new HashMap<UmaScriptByScope, UmaAuthorizationContext>();
    for (UmaScriptByScope scriptByScope : scriptMap.keySet()) {
        boolean sameScope = scriptByScope.getScope().getId().equals(scopeId);
        if (sameScope) {
            matching.put(scriptByScope, scriptMap.get(scriptByScope));
        }
    }
    return matching;
}

◆ isExpressionValid()

/**
 * Tells whether {@code expression} is accepted by the JsonLogic node parser.
 *
 * @param expression JsonLogic scope expression text to check
 * @return {@code true} if the parser considers the expression valid
 */
public boolean isExpressionValid(String expression) {
    final boolean valid = JsonLogicNodeParser.isNodeValid(expression);
    return valid;
}

◆ removeFalseScopesFromPermission()

/**
 * Drops from {@code permission} every scope whose evaluation returned {@code false}
 * and persists the permission when at least one scope was removed.
 *
 * <p>{@code dataScopes} and {@code evaluatedResults} are parallel lists: index {@code i}
 * of both refers to the same scope. {@code scopeIdToDnMap} translates a scope id into
 * the DN stored on the permission. Nothing happens when there are no results or the
 * permission has no scope DNs.
 *
 * @param permission       permission to trim; updated in place and merged if changed
 * @param dataScopes       scope ids in evaluation order
 * @param scopeIdToDnMap   scope id to scope DN
 * @param evaluatedResults per-scope outcome, same order as {@code dataScopes}
 */
private void removeFalseScopesFromPermission(UmaPermission permission, List<String> dataScopes, Map<String, String> scopeIdToDnMap, List<Boolean> evaluatedResults) {
    final List<String> currentScopeDns = permission.getScopeDns();
    if (evaluatedResults.isEmpty() || currentScopeDns == null) {
        return;
    }

    List<String> remainingScopeDns = new ArrayList<String>(currentScopeDns);
    int index = 0;
    for (Boolean granted : evaluatedResults) {
        if (!granted) {
            String deniedDn = scopeIdToDnMap.get(dataScopes.get(index));
            remainingScopeDns.remove(deniedDn);
        }
        index++;
    }

    // persist only when something was actually dropped
    if (remainingScopeDns.size() < currentScopeDns.size()) {
        permission.setScopeDns(remainingScopeDns);
        permissionService.mergeSilently(permission);
    }
}
static Map< String, String > scopeIdToDnMap(Map< UmaScriptByScope, UmaAuthorizationContext > scriptMap, List< String > scriptDNs)
Definition: UmaExpressionService.java:144
void mergeSilently(UmaPermission permission)
Definition: UmaPermissionService.java:128
UmaPermissionService permissionService
Definition: UmaExpressionService.java:46

◆ scopeIdToDnMap()

/**
 * Builds a scope id to scope DN lookup for the scopes in {@code scriptMap} whose DN
 * appears in {@code scriptDNs}.
 *
 * <p>Despite its name, {@code scriptDNs} is compared against scope DNs. Several scripts
 * attached to the same scope write the same id/DN pair, so the result holds one entry
 * per distinct scope id.
 *
 * @param scriptMap policy scripts keyed by scope
 * @param scriptDNs scope DNs to include
 * @return scope id to scope DN for the selected scopes; empty when none match
 */
private static Map<String, String> scopeIdToDnMap(Map<UmaScriptByScope, UmaAuthorizationContext> scriptMap, List<String> scriptDNs) {
    Map<String, String> idToDn = new HashMap<String, String>();
    for (UmaScriptByScope scriptByScope : scriptMap.keySet()) {
        String scopeDn = scriptByScope.getScope().getDn();
        if (scriptDNs.contains(scopeDn)) {
            idToDn.put(scriptByScope.getScope().getId(), scopeDn);
        }
    }
    return idToDn;
}

メンバ詳解

◆ errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.uma.service.UmaExpressionService.errorResponseFactory
private

◆ log

Logger org.xdi.oxauth.uma.service.UmaExpressionService.log
private

◆ permissionService

UmaPermissionService org.xdi.oxauth.uma.service.UmaExpressionService.permissionService
private

◆ policyService

ExternalUmaRptPolicyService org.xdi.oxauth.uma.service.UmaExpressionService.policyService
private

◆ resourceService

UmaResourceService org.xdi.oxauth.uma.service.UmaExpressionService.resourceService
private

このクラス詳解は次のファイルから抽出されました: