Initial commit.
This commit is contained in:
parent
80c8acb805
commit
0d814049f3
|
@ -0,0 +1,42 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.finder.IRecordEvaluationContext;
|
||||
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
import com.sun.xacml.finder.AttributeFinderModule;
|
||||
|
||||
aspect AttributeFinderModuleObserver {
|
||||
|
||||
pointcut findAttributeCall(URI category, URI attributeType, URI attributeId, URI issuer, EvaluationCtx context):
|
||||
call (EvaluationResult AttributeFinderModule.findAttribute(URI, URI, URI, URI, EvaluationCtx))
|
||||
&& args (category, attributeType, attributeId, issuer, context);
|
||||
|
||||
after(URI category, URI attributeType, URI attributeId, URI issuer, EvaluationCtx context)
|
||||
returning (EvaluationResult result):
|
||||
findAttributeCall(category, attributeType, attributeId, issuer, context) {
|
||||
|
||||
if ( context instanceof IRecordEvaluationContext ) {
|
||||
((IRecordEvaluationContext) context).retreiveDesignatorAttributeSearch(
|
||||
category, attributeType, attributeId, issuer, result);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,214 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.List;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.pdp.runtimeEvaluation.EvaluationEventHub;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.MatchResult;
|
||||
import com.sun.xacml.PolicyTreeElement;
|
||||
import com.sun.xacml.MatchElement;
|
||||
import com.sun.xacml.Rule; // TODO remove
|
||||
import com.sun.xacml.combine.CombiningAlgorithm;
|
||||
import com.sun.xacml.combine.CombinerElement;
|
||||
import com.sun.xacml.combine.CombinerParameter;
|
||||
import com.sun.xacml.cond.Evaluatable;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
import com.sun.xacml.cond.Expression;
|
||||
import com.sun.xacml.cond.Function;
|
||||
import com.sun.xacml.ctx.Result;
|
||||
import com.sun.xacml.finder.AttributeFinderModule;
|
||||
import com.sun.xacml.debug.Locatable;
|
||||
import com.sun.xacml.debug.RuntimeInfo;
|
||||
|
||||
|
||||
/**
|
||||
* This aspect has two tasks
|
||||
* <ul>
|
||||
* <li>Report all events to the EvaluationEventHub</li>
|
||||
* <li>Report the information required for creating the call stack to the
|
||||
* RuntimeInfor Object</li>
|
||||
* </ul>
|
||||
*
|
||||
*/
|
||||
aspect EvaluationEventObserver {
|
||||
|
||||
//Policy, PolicySet, PolicyReference, Rule
|
||||
pointcut evaluateCalled(EvaluationCtx context):
|
||||
call ( public Result PolicyTreeElement.evaluate(EvaluationCtx) )
|
||||
&& (target(Locatable))
|
||||
&& args (context);
|
||||
|
||||
before(EvaluationCtx context) : evaluateCalled(context) {
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
if ( thisJoinPoint.getThis() instanceof Locatable ) {
|
||||
src.setCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().beforePolicyTreeElement( (PolicyTreeElement) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().beforePolicyTreeElement( (PolicyTreeElement) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
|
||||
after(EvaluationCtx context) returning (Result result) : evaluateCalled(context) {
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().afterPolicyTreeElement( (PolicyTreeElement) thisJoinPoint.getTarget(), context, result);
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().afterPolicyTreeElement( (PolicyTreeElement) thisJoinPoint.getTarget(), context, result);
|
||||
}
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
if ( thisJoinPoint.getThis() instanceof Locatable ) {
|
||||
src.unsetCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// AttributeDesignator, AttributeSelector, AttributeValue, VariableReference, Condition, Apply
|
||||
pointcut evaluateCall2(EvaluationCtx context):
|
||||
call ( public EvaluationResult Evaluatable.evaluate(EvaluationCtx) )
|
||||
&& (target(Locatable))
|
||||
&& args (context);
|
||||
|
||||
before(EvaluationCtx context) : evaluateCall2(context) {
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.setCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().beforeEvaluatable((Evaluatable) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().beforeEvaluatable((Evaluatable) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
|
||||
after(EvaluationCtx context) returning (EvaluationResult result) : evaluateCall2(context) {
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().afterEvaluatable( (Evaluatable) thisJoinPoint.getTarget(), context, result);
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().afterEvaluatable( (Evaluatable) thisJoinPoint.getTarget(), context, result);
|
||||
}
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.unsetCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//Target, TargetMatch, TargetMatchGroup, TargetSection
|
||||
pointcut matchCall(EvaluationCtx context):
|
||||
call ( public MatchResult MatchElement.match(EvaluationCtx ) )
|
||||
&& (target(Locatable))
|
||||
&& args (context);
|
||||
|
||||
before(EvaluationCtx context) : matchCall(context) {
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.setCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().beforeMatch((MatchElement) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().beforeMatch((MatchElement) thisJoinPoint.getTarget(), context);
|
||||
}
|
||||
|
||||
after(EvaluationCtx context) returning (MatchResult result) : matchCall(context) {
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().afterMatch( (MatchElement) thisJoinPoint.getTarget(), context, result);
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().afterMatch( (MatchElement) thisJoinPoint.getTarget(), context, result);
|
||||
}
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.unsetCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
|
||||
//Function
|
||||
pointcut evaluateFunction(List<Expression> inputs, EvaluationCtx context):
|
||||
call ( public EvaluationResult Function.evaluate(List<Expression>, EvaluationCtx) )
|
||||
&& (target(Locatable))
|
||||
&& args (inputs, context);
|
||||
|
||||
before(List<Expression> inputs, EvaluationCtx context) : evaluateFunction(inputs, context) {
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.setCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().beforeFunction((Function) thisJoinPoint.getTarget( ), inputs, context);
|
||||
}
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().beforeFunction((Function) thisJoinPoint.getTarget( ), inputs, context);
|
||||
}
|
||||
|
||||
after(List<Expression> inputs, EvaluationCtx context) returning (EvaluationResult result) : evaluateFunction(inputs, context) {
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().afterFunction( (Function) thisJoinPoint.getTarget(), inputs, context, result);
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().afterFunction( (Function) thisJoinPoint.getTarget(), inputs, context, result);
|
||||
}
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.unsetCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
|
||||
//CombiningAlgorithm
|
||||
pointcut evaluateCombiningAlg(EvaluationCtx context, List<CombinerParameter> parameters, List<CombinerElement> inputs):
|
||||
call ( public Result CombiningAlgorithm.combine(EvaluationCtx, List<CombinerParameter>, List<CombinerElement>) )
|
||||
&& (target(Locatable))
|
||||
&& args (context, parameters, inputs);
|
||||
|
||||
before(EvaluationCtx context, List<CombinerParameter> parameters, List<CombinerElement> inputs) : evaluateCombiningAlg(context, parameters, inputs) {
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.setCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().beforeCombiningAlg((CombiningAlgorithm) thisJoinPoint.getTarget( ), context, parameters, inputs);
|
||||
}
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().beforeCombiningAlg((CombiningAlgorithm) thisJoinPoint.getTarget( ), context, parameters, inputs);
|
||||
}
|
||||
|
||||
after(EvaluationCtx context, List<CombinerParameter> parameters, List<CombinerElement> inputs) returning (Result result) : evaluateCombiningAlg(context, parameters, inputs) {
|
||||
//AnalysisCtx ctx = (AnalysisCtx) context;
|
||||
//ctx.getEvalHub().afterCombiningAlg( (CombiningAlgorithm) thisJoinPoint.getTarget(), context, parameters, inputs, result);
|
||||
if ( context instanceof AnalysisCtx ) {
|
||||
((AnalysisCtx) context).getEvalHub().afterCombiningAlg( (CombiningAlgorithm) thisJoinPoint.getTarget(), context, parameters, inputs, result);
|
||||
}
|
||||
RuntimeInfo src = ((Locatable) thisJoinPoint.getTarget()).getRuntimeInfo();
|
||||
if ( src != null ) {
|
||||
src.unsetCalledFrom( ((Locatable) thisJoinPoint.getThis()).getRuntimeInfo() );
|
||||
}
|
||||
}
|
||||
|
||||
//TODO: Obligation?
|
||||
}
|
||||
|
||||
|
||||
|
|
@ -0,0 +1,676 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.pdp;
|
||||
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.Method;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Properties;
|
||||
|
||||
import javax.jws.WebService;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.apache.log4j.PropertyConfigurator;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.ErrorType;
|
||||
import eu.aniketos.securebpmn.xacml.api.ReasonType;
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.Decision;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.IPDP;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.IPDPStateManagement;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
|
||||
import eu.aniketos.securebpmn.xacml.api.log.ILogStore;
|
||||
import eu.aniketos.securebpmn.xacml.pdp.idHandler.IDHandler;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisConfig;
|
||||
import eu.aniketos.securebpmn.xacml.AnalysisCtx;
|
||||
import eu.aniketos.securebpmn.xacml.support.RecordAttributeFinder;
|
||||
import eu.aniketos.securebpmn.xacml.support.RecordEvaluationContext;
|
||||
import eu.aniketos.securebpmn.xacml.SVNPDPConfig;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACML2APIMapper;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLDecoder;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisDenyOverridesPolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisDenyOverridesRuleAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisFirstApplicablePolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisFirstApplicableRuleAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisOnlyOneApplicablePolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisOrderedDenyOverridesPolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisOrderedDenyOverridesRuleAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisOrderedPermitOverridesPolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisOrderedPermitOverridesRuleAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisPermitOverridesPolicyAlg;
|
||||
import eu.aniketos.securebpmn.xacml.combine.AnalysisPermitOverridesRuleAlg;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.PDP;
|
||||
import com.sun.xacml.PDPConfig;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.combine.BaseCombiningAlgFactory;
|
||||
import com.sun.xacml.combine.CombiningAlgFactory;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
import com.sun.xacml.finder.AttributeFinder;
|
||||
import com.sun.xacml.finder.RevocationFinder;
|
||||
|
||||
@WebService(endpointInterface = "eu.aniketos.securebpmn.xacml.autho.IPDP", serviceName = "PolicyDecisionPoint", targetNamespace = "http://pdp.aniketos.eu/")
|
||||
public class PDPServer implements IPDP {
|
||||
|
||||
private static Logger logger = Logger.getLogger(PDPServer.class);
|
||||
|
||||
private static PDPServer pdpServer;
|
||||
|
||||
private PDP xacmlPDP;
|
||||
private AttributeFinder attrFinder;
|
||||
private RevocationFinder revocFinder;
|
||||
|
||||
private IDHandler idHandler;
|
||||
private ILogStore logServer;
|
||||
private IPDPStateManagement pdpState;
|
||||
|
||||
private boolean log = false;
|
||||
private boolean pdpStateMgt = false;
|
||||
private static boolean tomcatEnv = false;
|
||||
private static String baseDir = null;
|
||||
|
||||
private long start = -1;
|
||||
|
||||
/**
|
||||
* for analysis, some of the static parameters (e.g., CombiningAlgFactory,
|
||||
* etc.) have to be reset, i.e., within one JVM only productive OR analysis
|
||||
* pdp can exist
|
||||
*/
|
||||
private static PDP_MODE mode = PDP_MODE.UNSET;
|
||||
|
||||
private static boolean replacedFAnalysis = false;
|
||||
|
||||
private static enum PDP_MODE {
|
||||
ANALYSIS, PRODUCTIVE, UNSET
|
||||
}
|
||||
|
||||
private static final String LOG4J_FILENAME = "log4j.properties",
|
||||
SVN_CONFIG = "svn-config.xml", XACML_CONFIG = "policy-config.xml",
|
||||
CATALINA_BASE = "CATALINA_BASE", WBAPPS_FOLDER = "webapps",
|
||||
WEBAPP_NAME = "pdp", WEB_INF = "WEB-INF", SLASH = System
|
||||
.getProperty("file.separator");
|
||||
|
||||
public static final String LOG_SERVER = "logServer",
|
||||
PDPSTATE_MGT = "pdpStateManagement";
|
||||
|
||||
static {
|
||||
// check if running in tomcat or not
|
||||
String catHome = System.getenv(CATALINA_BASE);
|
||||
File catHomeF;
|
||||
|
||||
if (catHome != null && catHome.length() > 0
|
||||
&& (catHomeF = new File(catHome)).exists()) {
|
||||
tomcatEnv = true;
|
||||
baseDir = catHomeF.getAbsolutePath() + SLASH + WBAPPS_FOLDER
|
||||
+ SLASH + WEBAPP_NAME + SLASH + WEB_INF + SLASH;
|
||||
String log4jPath = baseDir + LOG4J_FILENAME;
|
||||
|
||||
Properties log4jProps = new Properties();
|
||||
try {
|
||||
// log4jProps.load(new
|
||||
// BufferedInputStream(PDPServer.class.getResourceAsStream(LOG4J_FILEURL)));
|
||||
log4jProps.load(new BufferedInputStream(new FileInputStream(
|
||||
new File(log4jPath))));
|
||||
PropertyConfigurator.configure(log4jProps);
|
||||
logger.info("Loaded log4j configuration from " + log4jPath);
|
||||
} catch (IOException e) {
|
||||
// logger.warn("Could not load log4j configuration from " +
|
||||
// LOG4J_FILEURL + " IOException: " + e.getMessage());
|
||||
System.err.println("Could not load log4j configuration from "
|
||||
+ log4jPath + " IOException: " + e.getMessage());
|
||||
} catch (Exception e) {
|
||||
// logger.warn("Could not load log4j configuration from " +
|
||||
// LOG4J_FILEURL + " " + e.getClass() + ": " + e.getMessage());
|
||||
System.err.println("Could not load log4j configuration from "
|
||||
+ log4jPath + " " + e.getClass() + ": "
|
||||
+ e.getMessage());
|
||||
}
|
||||
} else {
|
||||
tomcatEnv = false;
|
||||
baseDir = new File("foo").getAbsolutePath(); // "foo" must not exist
|
||||
baseDir = baseDir.substring(0, baseDir.length() - 3);
|
||||
|
||||
// when used as analysis PDP, host app has to set log4j properties
|
||||
|
||||
logger.info("base direcotry for configuration: " + baseDir);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* The empty contructor is used when deploying the PDPServer as productice
|
||||
* system into a Tomcat environment; thus, it may not be called outside of a
|
||||
* Tomcat
|
||||
*/
|
||||
public PDPServer() {
|
||||
if (mode == PDP_MODE.UNSET || mode == PDP_MODE.PRODUCTIVE) {
|
||||
mode = PDP_MODE.PRODUCTIVE;
|
||||
} else {
|
||||
throw new RuntimeException(
|
||||
"Cannot create a productive PDPServer in a JVM where an AnalysisPDP already exists");
|
||||
}
|
||||
|
||||
if (pdpServer == null) {
|
||||
if (!tomcatEnv) {
|
||||
throw new RuntimeException(
|
||||
"The empty constructor may not be called when not running within PDP");
|
||||
}
|
||||
|
||||
logger.debug("Start loading XACML configuration from configuration files");
|
||||
// load pdp configuration from file
|
||||
ConfigurationStore config = null;
|
||||
|
||||
try {
|
||||
// check if there is a SVN_CONFIG available
|
||||
File svn_conf = new File(baseDir + SVN_CONFIG);
|
||||
if (svn_conf.exists()) {
|
||||
logger.debug("Found " + SVN_CONFIG + " file in " + baseDir
|
||||
+ "; trying to load configuration from svn");
|
||||
try {
|
||||
PDPConfig pdpconfig = SVNPDPConfig
|
||||
.getSVNPDPConfig(svn_conf);
|
||||
logger.info("Loaded Configuration from svn");
|
||||
init(pdpconfig);
|
||||
return;
|
||||
} catch (SecurityError e) {
|
||||
logger.error("Could not load svn configuration (SecurityError): "
|
||||
+ e.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
File confFile = new File(baseDir + XACML_CONFIG);
|
||||
if (!confFile.exists()) {
|
||||
logger.fatal("Could not find configuration file "
|
||||
+ confFile.getAbsolutePath());
|
||||
return;
|
||||
}
|
||||
logger.info("Loading config from " + confFile.getAbsolutePath());
|
||||
config = new ConfigurationStore(confFile, baseDir);
|
||||
// }
|
||||
} catch (ParsingException e) {
|
||||
logger.fatal("Could not load Configuration: ParsingException: "
|
||||
+ e.getMessage());
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
synchronized (logger) {
|
||||
if (pdpServer == null) {
|
||||
init(config.getDefaultPDPConfig());
|
||||
pdpServer = this;
|
||||
} else {
|
||||
logger.warn("Two threads creating a PDPServer; aborting this thread");
|
||||
}
|
||||
}
|
||||
} catch (UnknownIdentifierException e) {
|
||||
logger.fatal("Could not load Configuration: UnknownIdentifierException: "
|
||||
+ e.getMessage());
|
||||
}
|
||||
} else {
|
||||
copyFromStatic();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public PDPServer(File confFile) throws FileNotFoundException,
|
||||
ParsingException, UnknownIdentifierException {
|
||||
|
||||
logger.info("Loading XACML configuration from "
|
||||
+ confFile.getAbsolutePath());
|
||||
ConfigurationStore config = new ConfigurationStore(confFile);
|
||||
|
||||
init(config.getDefaultPDPConfig());
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
*/
|
||||
public PDPServer(File confFile, String baseDir)
|
||||
throws FileNotFoundException, ParsingException,
|
||||
UnknownIdentifierException {
|
||||
|
||||
logger.info("Loading XACML configuration from "
|
||||
+ confFile.getAbsolutePath() + ", baseDir: " + baseDir);
|
||||
ConfigurationStore config = new ConfigurationStore(new FileInputStream(
|
||||
confFile), baseDir);
|
||||
|
||||
init(config.getDefaultPDPConfig());
|
||||
}
|
||||
|
||||
/**
|
||||
* Loads a new PDPSever instance
|
||||
*/
|
||||
public PDPServer(PDPConfig configuration) {
|
||||
|
||||
logger.info("Creating new PDPServer from configuration");
|
||||
init(configuration);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param configuration
|
||||
*/
|
||||
private void init(PDPConfig configuration) {
|
||||
// load IDHandler with corresponding settings; IDResolver and IDManager
|
||||
|
||||
// load XACML Engine
|
||||
logger.info("Loading XACML engine");
|
||||
start = new Date().getTime();
|
||||
this.attrFinder = configuration.getAttributeFinder();
|
||||
this.revocFinder = configuration.getRevocationFinder();
|
||||
xacmlPDP = new PDP(configuration);
|
||||
logger.info("Loaded XACML engine"
|
||||
+ (start == -1 ? "" : " in " + (new Date().getTime() - start)
|
||||
+ "ms"));
|
||||
|
||||
// load logServer
|
||||
String logServerName = null;
|
||||
if ((logServerName = (String) configuration.getCustomAttr(LOG_SERVER)) != null) {
|
||||
Class<?> logServerClass;
|
||||
try {
|
||||
logger.info("Loading LogServer from class " + logServerName);
|
||||
logServerClass = Class.forName(logServerName);
|
||||
Method getInstance = logServerClass.getMethod("getInstance",
|
||||
(Class<?>[]) null);
|
||||
start = new Date().getTime();
|
||||
logServer = (ILogStore) getInstance.invoke(null,
|
||||
(Object[]) null);
|
||||
// TODO changed to false
|
||||
log = false;
|
||||
this.attrFinder = new RecordAttributeFinder(attrFinder);
|
||||
logger.info("Loaded LogServer with class "
|
||||
+ logServer.getClass() + " in "
|
||||
+ (new Date().getTime() - start) + "ms");
|
||||
} catch (Exception e) {
|
||||
// check if rootcause is "known"...
|
||||
if (e.getCause() != null
|
||||
&& e.getCause()
|
||||
.getClass()
|
||||
.getName()
|
||||
.equals("org.hibernate.exception.JDBCConnectionException")) {
|
||||
logger.error("Could not load LogServer: JDBCConnectionException: "
|
||||
+ e.getMessage());
|
||||
e.printStackTrace();
|
||||
} else {
|
||||
logger.error(
|
||||
"Could not load LogServer from class "
|
||||
+ logServerName + ": " + e.getClass()
|
||||
+ " - " + e.getMessage(), e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
} else {
|
||||
logger.debug("No entry for LogServer in configuration found");
|
||||
}
|
||||
|
||||
String pdpStateManager = null;
|
||||
if ((pdpStateManager = (String) configuration
|
||||
.getCustomAttr(PDPSTATE_MGT)) != null) {
|
||||
Class<?> pdpStateMgtClass;
|
||||
try {
|
||||
logger.info("Loading PDPStateManagement from class "
|
||||
+ pdpStateManager);
|
||||
pdpStateMgtClass = Class.forName(pdpStateManager);
|
||||
Method getInstance = pdpStateMgtClass.getMethod("getInstance",
|
||||
(Class<?>[]) null);
|
||||
start = new Date().getTime();
|
||||
pdpState = (IPDPStateManagement) getInstance.invoke(null,
|
||||
(Object[]) null);
|
||||
pdpStateMgt = true;
|
||||
logger.info("Loaded PDPStateManagement with class "
|
||||
+ logServer.getClass() + " in "
|
||||
+ (new Date().getTime() - start) + "ms");
|
||||
} catch (Exception e) {
|
||||
// check if rootcause is "known"...
|
||||
if (e.getCause() != null
|
||||
&& e.getCause()
|
||||
.getClass()
|
||||
.getName()
|
||||
.equals("org.hibernate.exception.JDBCConnectionException")) {
|
||||
logger.error("Could not load PDPStateManagement: JDBCConnectionException: "
|
||||
+ e.getMessage());
|
||||
e.printStackTrace();
|
||||
} else {
|
||||
logger.error(
|
||||
"Could not load PDPStateManagement from class "
|
||||
+ logServerName + ": " + e.getClass()
|
||||
+ " - " + e.getMessage(), e);
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
} else {
|
||||
logger.debug("No entry for LogServer in configuration found");
|
||||
}
|
||||
logger.info("Loaded PDPServer (LogServer: " + log
|
||||
+ ", PDPStateManagement: " + pdpStateMgt + ")");
|
||||
}
|
||||
|
||||
/**
|
||||
* "copy constructor"... PDPServer has to be a singleton, but for the web
|
||||
* service framework a public constructor is required; thus, this creates a
|
||||
* pseudo-further instance (pseudo in the sense, as it holds the same
|
||||
* private elements as the "singleton" instance
|
||||
*/
|
||||
private void copyFromStatic() {
|
||||
logger.warn("A second instance of PDPServer is created!");
|
||||
|
||||
this.xacmlPDP = pdpServer.xacmlPDP;
|
||||
this.idHandler = pdpServer.idHandler;
|
||||
this.log = pdpServer.log;
|
||||
// TODO keep up to date
|
||||
}
|
||||
|
||||
public String evaluateXACML(String xacmlRequest) throws SecurityError {
|
||||
|
||||
AccessControlRequest logEntry = null;
|
||||
Long evaluationId = null;
|
||||
if (log) {
|
||||
evaluationId = logServer.getNewEvaluationId();
|
||||
logEntry = new AccessControlRequest(evaluationId, xacmlRequest);
|
||||
}
|
||||
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(xacmlRequest);
|
||||
PDPResult res = evaluate(request, evaluationId);
|
||||
ResponseCtx response = res.getResponseCtx();
|
||||
String responseStr = XACMLEncoder.encodeResponseCtx(response);
|
||||
|
||||
if (log) {
|
||||
RecordEvaluationContext ctx = (RecordEvaluationContext) res
|
||||
.getEvaluationCtx();
|
||||
logEntry.finished(request, response, responseStr,
|
||||
ctx.getExecTime(), ctx.getVersion(),
|
||||
ctx.getDesignatorAttributes());
|
||||
logServer.storeAccessControlRequest(logEntry);
|
||||
}
|
||||
|
||||
return responseStr;
|
||||
}
|
||||
|
||||
public AuthoResult evaluate(IdInfo idInfo, String resource, String action,
|
||||
List<AuthoAttribute> attributes) throws SecurityError {
|
||||
|
||||
if (idInfo == null || resource == null) {
|
||||
logger.error("Received request with idInfo or resource being null");
|
||||
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED,
|
||||
ReasonType.INVALID_PARAMETERS,
|
||||
"Parameters \"idInfo\" or \"resource\" may not be null!");
|
||||
}
|
||||
URI resourceUri = null;
|
||||
try {
|
||||
resourceUri = new URI(resource);
|
||||
} catch (URISyntaxException e) {
|
||||
logger.error("Received request with resource not being an URI");
|
||||
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED,
|
||||
ReasonType.INVALID_PARAMETERS,
|
||||
"Parameters \"resource\" has to be an URI!");
|
||||
}
|
||||
|
||||
AccessControlRequest logEntry = null;
|
||||
Long evaluationId = null;
|
||||
if (log) {
|
||||
evaluationId = logServer.getNewEvaluationId();
|
||||
logEntry = new AccessControlRequest(evaluationId, idInfo,
|
||||
resourceUri, action, attributes);
|
||||
}
|
||||
// create XACML request
|
||||
RequestCtx request = XACMLDecoder.decodeRequestCtx(idInfo, resourceUri,
|
||||
action, attributes);
|
||||
|
||||
// TODO sysout comment
|
||||
// System.out.println("start with eval of " + evaluationId.longValue() +
|
||||
// ", " + XACMLEncoder.encodeRequestCtx(request));
|
||||
// evaluate
|
||||
PDPResult res = evaluate(request, evaluationId);
|
||||
ResponseCtx response = res.getResponseCtx();
|
||||
// translate result
|
||||
AuthoResult result = XACML2APIMapper.getAuthoResult(res
|
||||
.getResponseCtx());
|
||||
|
||||
if (log) {
|
||||
RecordEvaluationContext ctx = (RecordEvaluationContext) res
|
||||
.getEvaluationCtx();
|
||||
logEntry.finished(request, response, result, ctx.getExecTime(),
|
||||
ctx.getVersion(), ctx.getDesignatorAttributes());
|
||||
logServer.storeAccessControlRequest(logEntry);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
protected PDPResult evaluate(RequestCtx request, Long evaluationId)
|
||||
throws SecurityError {
|
||||
|
||||
ResponseCtx response = null;
|
||||
;
|
||||
// RecordEvaluationContext context = null;
|
||||
EvaluationCtx context = null;
|
||||
|
||||
if (log) {
|
||||
if (evaluationId == null) {
|
||||
evaluationId = new Long(-1);
|
||||
}
|
||||
// if logging is activated, create a context which is
|
||||
// able to keep track of all resovled attributes
|
||||
try {
|
||||
context = new RecordEvaluationContext(request, attrFinder,
|
||||
revocFinder, evaluationId);
|
||||
} catch (ParsingException e) {
|
||||
logger.error("ParsingException during creation of RecordEvaluationContext: "
|
||||
+ e.getMessage());
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR,
|
||||
ReasonType.PDE_ENGINE_ERROR);
|
||||
}
|
||||
response = xacmlPDP.evaluate(context);
|
||||
} else {
|
||||
response = xacmlPDP.evaluate(request);
|
||||
}
|
||||
|
||||
return new PDPResult(response, context);
|
||||
}
|
||||
|
||||
/**
|
||||
* This method creates, based on an existing configuration, a configuration
|
||||
* as needed for running the PDP in analysis mode. For this,
|
||||
* <ul>
|
||||
* <li>make the static settings</li>
|
||||
* <li>modify (i.e. create a new) PDPConfig</li>
|
||||
* </ul>
|
||||
*
|
||||
* @param config
|
||||
* @return
|
||||
*/
|
||||
public AnalysisConfig makeAnalysisConfig(PDPConfig config) {
|
||||
|
||||
// replace all elements which are static and are required to change for
|
||||
// analysis
|
||||
replaceStaticAnalysisStuff();
|
||||
|
||||
return new AnalysisConfig(config);
|
||||
}
|
||||
|
||||
public ResponseCtx analyze(AnalysisCtx ctx) {
|
||||
return xacmlPDP.evaluate(ctx);
|
||||
}
|
||||
|
||||
// TODO check with analysis config?
|
||||
private synchronized void replaceStaticAnalysisStuff() {
|
||||
if (!replacedFAnalysis) {
|
||||
if (mode == PDP_MODE.UNSET || mode == PDP_MODE.ANALYSIS) {
|
||||
mode = PDP_MODE.ANALYSIS;
|
||||
} else {
|
||||
throw new RuntimeException(
|
||||
"Cannot create an Analysis PDPServer in a JVM where an productive PDP already exists");
|
||||
}
|
||||
|
||||
replacedFAnalysis = true;
|
||||
}
|
||||
|
||||
CombiningAlgFactory factory = new BaseCombiningAlgFactory();
|
||||
|
||||
factory.addAlgorithm(new AnalysisDenyOverridesPolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisDenyOverridesRuleAlg());
|
||||
factory.addAlgorithm(new AnalysisFirstApplicablePolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisFirstApplicableRuleAlg());
|
||||
factory.addAlgorithm(new AnalysisOnlyOneApplicablePolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisOrderedDenyOverridesPolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisOrderedDenyOverridesRuleAlg());
|
||||
factory.addAlgorithm(new AnalysisOrderedPermitOverridesPolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisOrderedPermitOverridesRuleAlg());
|
||||
factory.addAlgorithm(new AnalysisPermitOverridesPolicyAlg());
|
||||
factory.addAlgorithm(new AnalysisPermitOverridesRuleAlg());
|
||||
|
||||
CombiningAlgFactory.setAllFactories(factory);
|
||||
}
|
||||
|
||||
public String getXACMLPEPConfig() {
|
||||
// TODO Auto-generated method stub
|
||||
return null;
|
||||
}
|
||||
|
||||
public boolean logBreakGlassAccess(long arg0, String arg1) {
|
||||
// TODO Auto-generated method stub
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* This function is called by PEPs which have to fulfill the TODO
|
||||
* obligation, i.e., notify the PDP about an actually executed action which
|
||||
* influences the state of the PDP. For this, the AccessControlRequest is
|
||||
* loaded from the logServer and passed to the PDPState manager which
|
||||
* updates the PDP State according to the request.
|
||||
*/
|
||||
public void notifyStateChange(long evaluationId) throws SecurityError {
|
||||
// get log entry
|
||||
if (log) {
|
||||
AccessControlRequest request = logServer
|
||||
.getAccessControlRequest(new Long(evaluationId));
|
||||
if (request == null) {
|
||||
logger.error("PDP received a notifyChange for evaluationId "
|
||||
+ evaluationId
|
||||
+ " where no AccessControlRequest was stored for or the entry");
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR,
|
||||
ReasonType.PDE_ENGINE_ERROR, "Invalid evaluationId");
|
||||
} else if (!(request.getResult().getDecision() == Decision.DECISION_PERMIT)) {
|
||||
logger.error("PDP received a notifyChange for evaluationId "
|
||||
+ evaluationId
|
||||
+ " which was not permitted in the first place");
|
||||
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED,
|
||||
ReasonType.DENY, "Referenced request was not permitted");
|
||||
} else {
|
||||
pdpState.updatePDPState(request);
|
||||
}
|
||||
} else {
|
||||
logger.error("Received a notifyStateChange (evaluationId "
|
||||
+ evaluationId + "), but no logService is active!");
|
||||
}
|
||||
}
|
||||
|
||||
public void unload() {
|
||||
if (this.logServer != null) {
|
||||
this.logServer.shutdown();
|
||||
}
|
||||
}
|
||||
|
||||
private class PDPResult {
|
||||
private ResponseCtx resCtx;
|
||||
private EvaluationCtx recCtx;
|
||||
|
||||
public PDPResult(ResponseCtx resCtx, EvaluationCtx recCtx) {
|
||||
this.resCtx = resCtx;
|
||||
this.recCtx = recCtx;
|
||||
}
|
||||
|
||||
public ResponseCtx getResponseCtx() {
|
||||
return resCtx;
|
||||
}
|
||||
|
||||
public EvaluationCtx getEvaluationCtx() {
|
||||
return recCtx;
|
||||
}
|
||||
|
||||
// public AuthoResult getAuthoResult() throws SecurityError {
|
||||
// if ( authoResult == null ) {
|
||||
// authoResult = new AuthoResult();
|
||||
//
|
||||
// if (resCtx.getResults().size() != 1 ) {
|
||||
// logger.error("Received unexpected number of results: " +
|
||||
// resCtx.getResults().size());
|
||||
// throw new SecurityError(ErrorType.CONFIGURATION_ERROR,
|
||||
// ReasonType.PDE_ENGINE_ERROR,
|
||||
// "Received unexpected number of results");
|
||||
// }
|
||||
//
|
||||
// Result xacmlResult = resCtx.getResults().iterator().next();
|
||||
//
|
||||
// authoResult.setDecision(Decision.getFromInt(xacmlResult.getDecision()));
|
||||
// authoResult.setObligations(transform(xacmlResult.getObligations()));
|
||||
// authoResult.setStatusCode(xacmlResult.getStatus().getCode());
|
||||
// authoResult.setStatusMessage(xacmlResult.getStatus().getMessage());
|
||||
//
|
||||
// // TODO get missing attributes
|
||||
//
|
||||
// }
|
||||
// return authoResult;
|
||||
// }
|
||||
//
|
||||
// private List<AuthoObligation> transform(Set<Obligation> xacmlOblgs) {
|
||||
// if ( xacmlOblgs == null && xacmlOblgs.size() > 0 ) {
|
||||
// List<AuthoObligation> oblgs = new Vector<AuthoObligation>();
|
||||
//
|
||||
// for ( Obligation xacmlOblg : xacmlOblgs ) {
|
||||
// AuthoObligation oblg = new AuthoObligation(xacmlOblg.getId());
|
||||
// if ( xacmlOblg.getAssignments() != null &&
|
||||
// xacmlOblg.getAssignments().size() > 0 ) {
|
||||
// Collection<AuthoAttribute> attrs = new
|
||||
// Vector<AuthoAttribute>(xacmlOblg.getAssignments().size());
|
||||
// for ( Attribute xacmlAttr : xacmlOblg.getAssignments()) {
|
||||
// attrs.add(new AuthoAttribute(AuthoAttribute.OBLIGATION_CATEGORY,
|
||||
// xacmlAttr.getId(), xacmlAttr.getValue().getType(),
|
||||
// xacmlAttr.getValue().toString()));
|
||||
// }
|
||||
// oblg.setParameters(attrs);
|
||||
// }
|
||||
// oblgs.add(oblg);
|
||||
// }
|
||||
// return oblgs;
|
||||
// } else {
|
||||
// return null;
|
||||
// }
|
||||
// }
|
||||
|
||||
// protected static AuthoResult createAuthoResult(ResponseCtx response)
|
||||
// throws SecurityError {
|
||||
// AuthoResult result = new AuthoResult();
|
||||
//
|
||||
|
||||
// }
|
||||
|
||||
}
|
||||
}
|
Reference in New Issue