Roles from JSON Sample
The following section provides administrators with information on how to configure the JSON CP such that it reads roles from an attribute found on the identity representation.
This sample is actually part of the otis unit tests; the configuration and test code are available from our svn repository.
Configuration
The sample configuration shows how a JSON identity provider can be configured as the role source.
Assumable Roles
Using common routines defined in the #JSSharedScope section of the configuration we set up basic rules that are evaluated when computing which roles will be returned from calls to GetAssumableRoles. For more details on configuring assumable roles please refer to the section Settings for GetAssumableRoles.
The JSON provider we are working with exposes an attribute Link which has complex values. Each value must be examined to see if it is a link to a role generation endpoint. One of the child attributes of the complex value is a URL which must be queried for a list of new entities which are themselves roles.
In the sample below there is a single rule which is configured to be invoked on all values of the identity's Link attribute. Because the attribute Link is a complex value and holds things other than links to role definitions, we must first ensure that only the attribute value which is for roles is evaluated further. In the code contained within the RoleInstantiation element below, the calls to compareComplexAttrValToString are there only to verify we have the correct complex value. All non-matching values are ignored by returning no RESULTS. Once a value of Link which is a link to role information is found, we take the value of @PathURI and use it as a filter back into the authSession. The call to authSession.getEntities() will result in a list of entities which are the roles for this object.
<Setting Name="Assumable Roles" Type="htf:map">
  <Setting Name="Role Rule 1" Type="htf:map">
    <Setting Name="Enabled" Type="xsd:boolean">true</Setting>
    <Setting Name="EntityAttrs" Type="htf:list">
      <Setting Type="xsd:anyURI">Link</Setting>
    </Setting>
    <Setting Name="JSSharedScope" Type="htf:ref">/Roles/JSSharedScope</Setting>
    <Setting Name="RoleInstantiation" Type="htf:jscriptexec"> <![CDATA[
      // Only a Link value whose "$" and "@TYPE" children are both "Roles" points at role definitions.
      if ( compareComplexAttrValToString(attributeValue, "$", "Roles") && compareComplexAttrValToString(attributeValue, "@TYPE", "Roles" )) {
        // Use the @PathURI child as a context-specific filter and fetch the role entities behind it.
        var exts = new Array( new Packages.org.eclipse.higgins.idas.common.ContextSpecificFilterExtension(
            getAttrValDataFromComplex(attributeValue, "@PathURI")));
        RESULTS = authSession.getEntities(null, null, exts);
      }
    ]]>
    </Setting>
  </Setting>
</Setting> <!-- End Assumable Roles -->
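The following is an added example, not part of the otis configuration or the Higgins IdAS library: it models the Role Rule 1 selection logic in plain JavaScript. The IdAS interfaces (isSimple, getValues, getAttribute, getCanonical) are stubbed with constructed objects, and the Link values and URLs are constructed sample data, so the rule can be exercised offline, including the multi-valued case that getSingleSimple() rejects.

```javascript
// Constructed stand-ins for ISimpleAttrValue and IComplexAttrValue (not the real IdAS API).
function simple(value) {
  return { isSimple: () => true, getCanonical: () => value };
}
function complex(children) {
  // children maps a child attribute name to its list of attribute values.
  return {
    isSimple: () => false,
    getAttribute: (name) => {
      const vals = children[name];
      if (!vals) return null;
      let i = 0;
      return { getValues: () => ({ hasNext: () => i < vals.length, next: () => vals[i++] }) };
    },
  };
}
// Same contract as the JSSharedScope helpers: a single-valued simple attribute yields its value,
// a multi-valued one is an error, anything else yields undefined.
function getSingleSimple(attr) {
  if (attr == null) return undefined;
  const it = attr.getValues();
  while (it.hasNext()) {
    const v = it.next();
    if (it.hasNext()) throw new Error("single simple value found a multivalued attribute");
    if (v.isSimple()) return v.getCanonical();
  }
  return undefined;
}
function getAttrValDataFromComplex(attrVal, attrName) {
  if (attrVal.isSimple()) return undefined;
  return getSingleSimple(attrVal.getAttribute(attrName));
}
function compareComplexAttrValToString(attrVal, attrName, comparison) {
  return comparison === getAttrValDataFromComplex(attrVal, attrName);
}
// The RoleInstantiation rule applied to one Link value: returns the @PathURI to use as the
// filter for a roles link, or null when the value is ignored (no RESULTS).
function roleFilterFor(attributeValue) {
  if (compareComplexAttrValToString(attributeValue, "$", "Roles") &&
      compareComplexAttrValToString(attributeValue, "@TYPE", "Roles")) {
    return getAttrValDataFromComplex(attributeValue, "@PathURI");
  }
  return null;
}
// Constructed Link values: a roles link, a profile link, and a plain simple value.
const LINKS = [
  complex({ "$": [simple("Roles")], "@TYPE": [simple("Roles")], "@PathURI": [simple("http://example.test/alice/roles")] }),
  complex({ "$": [simple("Profile")], "@TYPE": [simple("Profile")], "@PathURI": [simple("http://example.test/alice")] }),
  simple("not-a-link"),
];
```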
JSSharedScope
In this section we set up some common routines to be used repeatedly.
- getSingleSimple() - pulls apart an attribute which is a simple data type and single valued, returning the value to the caller.
- getAttrValDataFromComplex() - looks up the named child attribute inside a complex attribute value and returns its single simple value via getSingleSimple().
- compareComplexAttrValToString() - compares the value returned by getAttrValDataFromComplex() with the given string.
<Setting Name="Roles" Type="htf:map"> <!-- Root most role configuration element, should be located under the OtisConfiguration element -->
  <Setting Name="JSSharedScope" Type="htf:jscriptscope"> <![CDATA[
    importPackage(Packages.org.bandit.otis.impl);
    importPackage(Packages.org.bandit.otis.api);
    importPackage(Packages.org.bandit.otis.test.junit);
    importPackage(Packages.org.eclipse.higgins.idas.api);

    // Return the canonical value of a single-valued simple attribute; undefined if the
    // attribute is null, empty or not simple. A second value is treated as an error.
    function getSingleSimple( entityIdAttr) {
      if ( entityIdAttr != null ) {
        var attrValues = entityIdAttr.getValues();
        while ( attrValues != null && attrValues.hasNext()) {
          var attrValue = Packages.org.eclipse.higgins.idas.api.IAttributeValue(attrValues.next());
          if ( attrValues.hasNext())
            throw new Packages.org.eclipse.higgins.idas.api.IdASException("single simple value found a multivalued attribute");
          if ( attrValue.isSimple()) {
            var simpleAttrValue = Packages.org.eclipse.higgins.idas.api.ISimpleAttrValue(attrValue);
            return simpleAttrValue.getCanonical();
          }
        }
      }
    }

    // Look up the child attribute attrName of a complex attribute value and return its single simple value.
    function getAttrValDataFromComplex( attrVal, attrName) {
      if ( !attrVal.isSimple()) {
        var attrSValue = Packages.org.eclipse.higgins.idas.api.IComplexAttrValue(attrVal).getAttribute( Packages.java.net.URI.create(attrName));
        return getSingleSimple( attrSValue);
      }
    }

    // True when the named child of the complex value equals the comparison string.
    function compareComplexAttrValToString( attrVal, attrName, comparison) {
      var data = getAttrValDataFromComplex(attrVal, attrName);
      return comparison.equals(data);
    }
  ]]>
  </Setting>
  .......
</Setting> <!-- End Roles -->