Initial commit: eu.aniketos.securebpmn.xacml.support
This commit is contained in:
parent
ed443202e8
commit
4da3d4e4dd
|
@ -13,6 +13,7 @@
|
|||
<module>../com.sun.xacml</module>
|
||||
<module>../com.sun.xacml.support</module>
|
||||
<module>../eu.aniketos.securebpmn.xacml.api</module>
|
||||
<module>../eu.aniketos.securebpmn.xacml.support</module>
|
||||
</modules>
|
||||
<build>
|
||||
<plugins>
|
||||
|
|
|
@ -0,0 +1,50 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v 4_0_0.xsd">
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<parent>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.parent</artifactId>
|
||||
<version>1.0</version>
|
||||
<relativePath>../eu.aniketos.securebpmn.xacml.parent/pom.xml</relativePath>
|
||||
</parent>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.support</artifactId>
|
||||
<packaging>jar</packaging>
|
||||
<name>SecureBPMN XACML - Support</name>
|
||||
<url>http://maven.apache.org</url>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-compiler-plugin</artifactId>
|
||||
<version>2.0.2</version>
|
||||
<configuration>
|
||||
<source>1.6</source>
|
||||
<target>1.6</target>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>junit</groupId>
|
||||
<artifactId>junit</artifactId>
|
||||
<version>3.8.1</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>com.sun.xacml</artifactId>
|
||||
<version>0.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>com.sun.xacml.support</artifactId>
|
||||
<version>0.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>eu.aniketos.securebpmn.xacml</groupId>
|
||||
<artifactId>eu.aniketos.securebpmn.xacml.api</artifactId>
|
||||
<version>0.1</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
|
@ -0,0 +1,80 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.finder.IPDPStateEvaluationContext;
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
import com.sun.xacml.attr.BagAttribute;
|
||||
import com.sun.xacml.attr.IntegerAttribute;
|
||||
import com.sun.xacml.attr.StringAttribute;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
|
||||
public class AttributeResolver {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(AttributeResolver.class);
|
||||
|
||||
public static long getPDPStatePolicyVersion(EvaluationCtx ctx) {
|
||||
EvaluationResult evalResult = ctx.getAttribute(IPDPStateEvaluationContext.PDPSTATE_CATEGORY,
|
||||
IPDPStateEvaluationContext.PDPSTATE_ATTRIBUTETYPE,
|
||||
IPDPStateEvaluationContext.PDPSTATE_URI,
|
||||
IPDPStateEvaluationContext.PDPSTATE_ISSUER);
|
||||
|
||||
if ( ((BagAttribute) evalResult.getAttributeValue()).size() > 1 ) {
|
||||
logger.error("Did not retreive a bag with one (" +((BagAttribute) evalResult.getAttributeValue()).size() +
|
||||
") entry after attribute search for current svn policy version number; " +
|
||||
"PDP Dtate requires exactly one attribute to be defined");
|
||||
return -1;
|
||||
} else if ( ((BagAttribute) evalResult.getAttributeValue()).size() == 1 ) {
|
||||
IntegerAttribute attrVal = (IntegerAttribute) ((BagAttribute) evalResult.getAttributeValue()).iterator().next();
|
||||
if ( logger.isDebugEnabled() && ctx instanceof EvaluationIdContext)
|
||||
logger.debug("Request " + ((EvaluationIdContext) ctx).getCurrentEvaluationId() + " is executed under policy " + attrVal.getValue());
|
||||
return attrVal.getValue();
|
||||
} else {
|
||||
logger.debug("Could not resolve current policy version");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
public static final URI ACTIVEPOLICY_CATEGORY = Constants.ENVIRONMENT_CAT;
|
||||
public static final URI ACTIVEPOLICY_ATTRIBUTETYPE = TypeIdentifierConstants.STRING_URI;
|
||||
public static final String ACTIVEPOLICY = "urn:activePolicies";
|
||||
public static final URI ACTIVEPOLICY_URI = URI.create(ACTIVEPOLICY);
|
||||
public static final URI ACTIVEPOLICY_ISSUER = null;
|
||||
|
||||
public static Set<String> getActivePolicies(EvaluationCtx ctx) {
|
||||
EvaluationResult evalResult = ctx.getAttribute(ACTIVEPOLICY_CATEGORY,
|
||||
ACTIVEPOLICY_ATTRIBUTETYPE,
|
||||
ACTIVEPOLICY_URI,
|
||||
ACTIVEPOLICY_ISSUER);
|
||||
|
||||
Set<String> policies = new HashSet<String>();
|
||||
|
||||
for (AttributeValue value : ((BagAttribute) evalResult.getAttributeValue()).iterable()) {
|
||||
policies.add( ((StringAttribute)value).getValue());
|
||||
}
|
||||
return policies;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,104 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.helper.*;
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.AnyURIAttribute;
|
||||
import com.sun.xacml.attr.StringAttribute;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.RequestElement;
|
||||
|
||||
/**
|
||||
*
|
||||
* Describes the categories known by xacml as enum
|
||||
*
|
||||
*/
|
||||
public enum Category implements IElementCreator {
|
||||
SUBJECT (Constants.SUBJECT_CAT, Constants.SUBJECT_ID, StringAttribute.identifier, new DefaultElementCreator()),
|
||||
RESOURCE (Constants.RESOURCE_CAT, Constants.RESOURCE_ID, AnyURIAttribute.identifier, new ResourceCreator()),
|
||||
ACTION (Constants.ACTION_CAT, Constants.ACTION_ID, StringAttribute.identifier, new DefaultElementCreator()),
|
||||
ENVIRONMENT (Constants.ENVIRONMENT_CAT, null, StringAttribute.identifier, new DefaultElementCreator());
|
||||
|
||||
private URI uri, defaultId, defaultType;
|
||||
private ElementCreator creator;
|
||||
|
||||
private static Map<URI, Category> known_categories;
|
||||
|
||||
static {
|
||||
known_categories = new HashMap<URI, Category>();
|
||||
|
||||
for ( Category cat : Category.values()) {
|
||||
known_categories.put(cat.getURI(), cat);
|
||||
}
|
||||
}
|
||||
|
||||
Category(URI uri, URI defaultId, String defaultType, ElementCreator creator) {
|
||||
this.uri = uri;
|
||||
this.defaultId = defaultId;
|
||||
this.defaultType = URI.create(defaultType);
|
||||
this.creator = creator;
|
||||
creator.setCategory(this);
|
||||
}
|
||||
|
||||
public URI getURI() {
|
||||
return uri;
|
||||
}
|
||||
|
||||
public URI getDefaultId() {
|
||||
return defaultId;
|
||||
}
|
||||
|
||||
public URI getDefaultType() {
|
||||
return defaultType;
|
||||
}
|
||||
|
||||
public static Category getCategory(URI category) {
|
||||
return known_categories.get(category);
|
||||
}
|
||||
|
||||
public ElementCreator getElementCreator() {
|
||||
return creator;
|
||||
}
|
||||
|
||||
|
||||
public Attribute getAttributeDefaultType(String value)
|
||||
throws ParsingException {
|
||||
return creator.getAttributeDefaultType(value);
|
||||
}
|
||||
|
||||
public RequestElement getRequestElement(String value)
|
||||
throws ParsingException {
|
||||
return creator.getRequestElement(value);
|
||||
}
|
||||
|
||||
public Attribute getAttribute(URI attributeId, URI dataType, String value)
|
||||
throws ParsingException, UnknownIdentifierException {
|
||||
return creator.getAttribute(attributeId, dataType, value);
|
||||
}
|
||||
|
||||
public RequestElement getRequestElement(Set<Attribute> attrs) {
|
||||
return creator.getRequestElement(attrs);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,24 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
|
||||
public interface CtxInfoExtension {
|
||||
List<AuthoAttribute> getCtxInformation();
|
||||
}
|
|
@ -0,0 +1,42 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.finder.IEvaluationIdContext;
|
||||
|
||||
import com.sun.xacml.BasicEvaluationCtx;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.finder.AttributeFinder;
|
||||
import com.sun.xacml.finder.RevocationFinder;
|
||||
|
||||
public class EvaluationIdContext extends BasicEvaluationCtx implements IEvaluationIdContext {
|
||||
|
||||
//private static Logger logger = Logger.getLogger(EvaluationIdContext.class);
|
||||
|
||||
private Long evaluationId;
|
||||
|
||||
public EvaluationIdContext(RequestCtx request, AttributeFinder aFinder,
|
||||
RevocationFinder rFinder, boolean cacheEnvValues, Long evaluationId) throws ParsingException {
|
||||
super(request, aFinder, rFinder, cacheEnvValues);
|
||||
this.evaluationId = evaluationId;
|
||||
}
|
||||
|
||||
|
||||
public Long getCurrentEvaluationId() {
|
||||
return evaluationId;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,45 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
import com.sun.xacml.finder.AttributeFinder;
|
||||
|
||||
public class RecordAttributeFinder extends AttributeFinder {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(RecordEvaluationContext.class);
|
||||
|
||||
public RecordAttributeFinder(AttributeFinder attrFinder) {
|
||||
super(attrFinder);
|
||||
}
|
||||
|
||||
public EvaluationResult findAttribute(URI category, URI attributeType,
|
||||
URI attributeId, URI issuer,
|
||||
EvaluationCtx context) {
|
||||
EvaluationResult evalResult = super.findAttribute(category, attributeType, attributeId, issuer, context);
|
||||
|
||||
if ( context instanceof RecordEvaluationContext ) {
|
||||
((RecordEvaluationContext) context).retreiveDesignatorAttributeSearch(category, attributeType, attributeId, issuer, evalResult);
|
||||
} else {
|
||||
logger.warn("RecordAttributeFinder used without RecordEvaluationContext");
|
||||
}
|
||||
return evalResult;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,141 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
import com.sun.xacml.attr.BagAttribute;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.finder.AttributeFinder;
|
||||
import com.sun.xacml.finder.RevocationFinder;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.DesignatorAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.support.finder.IRecordEvaluationContext;
|
||||
|
||||
/**
|
||||
*
|
||||
* RecordEvaluationContext is able to retreive events of collected attributes at runtime and store them
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class RecordEvaluationContext extends EvaluationIdContext implements IRecordEvaluationContext {
|
||||
|
||||
private static Logger logger = Logger.getLogger(RecordEvaluationContext.class);
|
||||
|
||||
/**
|
||||
* contains all attributes which have been resolved at runtime
|
||||
*/
|
||||
private List<DesignatorAttribute> attrs;
|
||||
|
||||
/**
|
||||
* defines the time when the policies have been resolved
|
||||
*/
|
||||
private Date execTime;
|
||||
|
||||
/**
|
||||
* defines (if applicable) which policy version has been used
|
||||
*/
|
||||
private long version;
|
||||
|
||||
|
||||
public RecordEvaluationContext(RequestCtx request, AttributeFinder aFinder,
|
||||
RevocationFinder rFinder, Long evaluationId) throws ParsingException {
|
||||
super(request, aFinder, rFinder, true, evaluationId);
|
||||
this.execTime = new Date();
|
||||
version = AttributeResolver.getPDPStatePolicyVersion(this);
|
||||
}
|
||||
|
||||
|
||||
// protected long getPDPStatePolicyVersion() {
|
||||
// EvaluationResult evalResult = this.getAttribute(IPDPStateEvaluationContext.PDPSTATE_CATEGORY,
|
||||
// IPDPStateEvaluationContext.PDPSTATE_ATTRIBUTETYPE,
|
||||
// IPDPStateEvaluationContext.PDPSTATE_URI,
|
||||
// IPDPStateEvaluationContext.PDPSTATE_ISSUER);
|
||||
//
|
||||
// if ( ((BagAttribute) evalResult.getAttributeValue()).size() > 1 ) {
|
||||
// logger.error("Did not retreive a bag with one (" +((BagAttribute) evalResult.getAttributeValue()).size() +
|
||||
// ") entry after attribute search for current svn policy version number; " +
|
||||
// "PDP Dtate requires exactly one attribute to be defined");
|
||||
// return -1;
|
||||
// } else if ( ((BagAttribute) evalResult.getAttributeValue()).size() == 1 ) {
|
||||
// IntegerAttribute attrVal = (IntegerAttribute) ((BagAttribute) evalResult.getAttributeValue()).iterator().next();
|
||||
// logger.debug("Request " + super.getCurrentEvaluationId() + " will be executed under policy " + attrVal.getValue());
|
||||
// return attrVal.getValue();
|
||||
// } else {
|
||||
// logger.debug("Could not resolve current policy version");
|
||||
// return -1;
|
||||
// }
|
||||
// }
|
||||
|
||||
public void retreiveDesignatorAttributeSearch(URI category, URI attributeType,
|
||||
URI attributeId, URI issuer, EvaluationResult evalResult) {
|
||||
|
||||
//TODO why not only store the stuff at runtime and do the transformation aftwards?
|
||||
|
||||
if ( ! (evalResult.getAttributeValue() instanceof BagAttribute) ) {
|
||||
logger.warn("RecordEvaluationContext received a non-bag attribute");
|
||||
} else {
|
||||
BagAttribute bAttr = (BagAttribute) evalResult.getAttributeValue();
|
||||
|
||||
if ( attrs == null ) {
|
||||
attrs = new Vector<DesignatorAttribute>();
|
||||
}
|
||||
if (bAttr.isEmpty()) {
|
||||
attrs.add(new DesignatorAttribute(attributeId, attributeType, category));
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("Result for attributeId " + attributeId + " of type " + attributeType +
|
||||
", category " + category + " is empty");
|
||||
}
|
||||
} else {
|
||||
DesignatorAttribute attr = new DesignatorAttribute(attributeId, attributeType, category);
|
||||
|
||||
for ( AttributeValue value : bAttr.iterable()) {
|
||||
attr.addBagValue(value.encode());
|
||||
}
|
||||
attrs.add(attr);
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("Added designatorAttr (" + attributeId + " of type " + attributeType +
|
||||
", category " + category +") with " + attr.getBagValues().size() + " values added to EvaluationContext");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @return the list of collected designators or null, if non have been collected
|
||||
*/
|
||||
public List<DesignatorAttribute> getDesignatorAttributes() {
|
||||
return attrs;
|
||||
}
|
||||
|
||||
public Date getExecTime() {
|
||||
return execTime;
|
||||
}
|
||||
|
||||
public long getVersion() {
|
||||
return version;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,86 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.ErrorType;
|
||||
import eu.aniketos.securebpmn.xacml.api.ReasonType;
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoObligation;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoResult;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.Decision;
|
||||
|
||||
import com.sun.xacml.Obligation;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
import com.sun.xacml.ctx.Result;
|
||||
|
||||
public class XACML2APIMapper {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(XACML2APIMapper.class);
|
||||
|
||||
public static AuthoResult getAuthoResult(ResponseCtx resCtx) throws SecurityError {
|
||||
|
||||
AuthoResult authoResult = new AuthoResult();
|
||||
|
||||
if (resCtx.getResults().size() != 1 ) {
|
||||
logger.error("Received unexpected number of results: " + resCtx.getResults().size());
|
||||
throw new SecurityError(ErrorType.CONFIGURATION_ERROR, ReasonType.PDE_ENGINE_ERROR, "Received unexpected number of results");
|
||||
}
|
||||
|
||||
Result xacmlResult = resCtx.getResults().iterator().next();
|
||||
|
||||
authoResult.setDecision(Decision.getFromInt(xacmlResult.getDecision()));
|
||||
authoResult.setObligations(transformObligations(xacmlResult.getObligations()));
|
||||
authoResult.setStatusCode(xacmlResult.getStatus().getCode());
|
||||
authoResult.setStatusMessage(xacmlResult.getStatus().getMessage());
|
||||
|
||||
// TODO get missing attributes
|
||||
|
||||
|
||||
return authoResult;
|
||||
}
|
||||
|
||||
public static List<AuthoObligation> transformObligations(Set<Obligation> xacmlOblgs) {
|
||||
if ( xacmlOblgs != null && xacmlOblgs.size() > 0 ) {
|
||||
List<AuthoObligation> oblgs = new Vector<AuthoObligation>();
|
||||
|
||||
for ( Obligation xacmlOblg : xacmlOblgs ) {
|
||||
AuthoObligation oblg = new AuthoObligation(xacmlOblg.getId());
|
||||
if ( xacmlOblg.getAssignments() != null && xacmlOblg.getAssignments().size() > 0 ) {
|
||||
Collection<AuthoAttribute> attrs = new Vector<AuthoAttribute>(xacmlOblg.getAssignments().size());
|
||||
for ( Attribute xacmlAttr : xacmlOblg.getAssignments()) {
|
||||
attrs.add(new AuthoAttribute(AuthoAttribute.OBLIGATION_CATEGORY,
|
||||
xacmlAttr.getId(), xacmlAttr.getValue().getType(), xacmlAttr.getValue().encode()));
|
||||
}
|
||||
oblg.setParameters(attrs);
|
||||
}
|
||||
oblgs.add(oblg);
|
||||
}
|
||||
return oblgs;
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,168 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.net.URI;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.SecurityError;
|
||||
import eu.aniketos.securebpmn.xacml.api.ErrorType;
|
||||
import eu.aniketos.securebpmn.xacml.api.ReasonType;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AttributeIdentifier;
|
||||
import eu.aniketos.securebpmn.xacml.api.autho.AuthoAttribute;
|
||||
import eu.aniketos.securebpmn.xacml.api.idm.IdInfo;
|
||||
import eu.aniketos.securebpmn.xacml.support.helper.ResourceCreator;
|
||||
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.RequestElement;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Helper class, decoding XML strings to XACML Objects
|
||||
*
|
||||
*/
|
||||
public class XACMLDecoder {
|
||||
|
||||
private static Logger logger = Logger.getLogger(XACMLDecoder.class);
|
||||
|
||||
public static RequestCtx decodeRequestCtx(String request) throws SecurityError {
|
||||
RequestCtx requ;
|
||||
try {
|
||||
requ = RequestCtx.getInstance(new ByteArrayInputStream(request.getBytes()));
|
||||
} catch (ParsingException e) {
|
||||
logger.error("ParsingException during parsing xacmlRequest", e);
|
||||
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED, ReasonType.INVALID_XACML, "ParsingError: " + e.getMessage());
|
||||
}
|
||||
return requ;
|
||||
}
|
||||
|
||||
public static ResponseCtx decodeResponseCtx(String reponse) throws SecurityError {
|
||||
ResponseCtx resp;
|
||||
try {
|
||||
resp = ResponseCtx.getInstance(new ByteArrayInputStream(reponse.getBytes()));
|
||||
} catch (ParsingException e) {
|
||||
logger.error("ParsingException during parsing xacmlRequest", e);
|
||||
throw new SecurityError(ErrorType.AUTHORIZATION_FAILED, ReasonType.INVALID_XACML, "ParsingError: " + e.getMessage());
|
||||
}
|
||||
return resp;
|
||||
}
|
||||
|
||||
public static RequestCtx decodeRequestCtx(IdInfo authinfo, URI resource,
|
||||
String action) throws SecurityError {
|
||||
|
||||
Set<RequestElement> requElems = new HashSet<RequestElement>();
|
||||
|
||||
try {
|
||||
requElems.add(Category.SUBJECT.getRequestElement(authinfo.getUserId()));
|
||||
} catch (ParsingException e) {
|
||||
logger.error("Could not create subject element from subject " + authinfo.getUserId() + ": ParsingException: " + e.getMessage(), e);
|
||||
}
|
||||
|
||||
requElems.add(( (ResourceCreator) Category.RESOURCE.getElementCreator()).getRequestElement(resource));
|
||||
|
||||
if ( action != null ) {
|
||||
try {
|
||||
requElems.add(Category.ACTION.getRequestElement(action));
|
||||
} catch (ParsingException e) {
|
||||
logger.error("Could not create action element from action " + action + ": ParsingException: " + e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
|
||||
return new RequestCtx(requElems, null, null);
|
||||
}
|
||||
|
||||
|
||||
public static RequestCtx decodeRequestCtx(IdInfo idInfo, URI resource,
|
||||
String action, List<AuthoAttribute> attributes) throws SecurityError {
|
||||
|
||||
//"cheap" creation if no attributes are present
|
||||
if ( attributes == null || attributes.size() == 0 ) {
|
||||
return decodeRequestCtx(idInfo, resource, action);
|
||||
} else {
|
||||
|
||||
Map<Category, Set<Attribute>> attrsPerCat = new HashMap<Category, Set<Attribute>>();
|
||||
|
||||
Set<Attribute> subjects = new HashSet<Attribute>();
|
||||
try {
|
||||
Attribute subjectId = Category.SUBJECT.getAttributeDefaultType(idInfo.getUserId());
|
||||
subjects.add(subjectId);
|
||||
} catch (ParsingException e) {
|
||||
logger.error("Could not create subject element from subject " + idInfo.getUserId() + ": ParsingException: " + e.getMessage(), e);
|
||||
}
|
||||
attrsPerCat.put(Category.SUBJECT, subjects);
|
||||
|
||||
//RESOURCE as URI
|
||||
Set<Attribute> resources = new HashSet<Attribute>();
|
||||
resources.add( ( (ResourceCreator) Category.RESOURCE.getElementCreator()).getAttributeDefaultType(resource));
|
||||
attrsPerCat.put(Category.RESOURCE, resources);
|
||||
|
||||
//ACTION if != NULL
|
||||
if (action != null ) {
|
||||
Set<Attribute> actions = new HashSet<Attribute>();
|
||||
try {
|
||||
actions.add(Category.ACTION.getAttributeDefaultType(action));
|
||||
} catch (ParsingException e) {
|
||||
// TODO log
|
||||
e.printStackTrace();
|
||||
}
|
||||
attrsPerCat.put(Category.ACTION, actions);
|
||||
}
|
||||
|
||||
for (AuthoAttribute attr : attributes) {
|
||||
AttributeIdentifier attrId = attr.getAttributeIdentifier();
|
||||
Category cat = Category.getCategory(attrId.getCategory());
|
||||
Set<Attribute> attrs;
|
||||
if ( attrsPerCat.containsKey(cat) ) {
|
||||
attrs = attrsPerCat.get(cat);
|
||||
} else {
|
||||
attrs = new HashSet<Attribute>();
|
||||
attrsPerCat.put(cat, attrs);
|
||||
}
|
||||
try {
|
||||
attrs.add(cat.getAttribute(attrId.getAttributeId(), attrId.getAttributeType(), attr.getValue()));
|
||||
} catch (ParsingException e) {
|
||||
// TODO log
|
||||
e.printStackTrace();
|
||||
} catch (UnknownIdentifierException e) {
|
||||
// TODO log
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
Set<RequestElement> requElems = new HashSet<RequestElement>();
|
||||
|
||||
for (Category cat : attrsPerCat.keySet()) {
|
||||
requElems.add(cat.getRequestElement(attrsPerCat.get(cat)));
|
||||
}
|
||||
|
||||
return new RequestCtx(requElems, null, null);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,86 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import java.io.BufferedOutputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.UnsupportedEncodingException;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
/**
|
||||
* Helper class, encoding XACML Objects to its XML representation
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class XACMLEncoder {
|
||||
|
||||
|
||||
public static final String ERROR_EVALUATING_REQUEST = "todo";
|
||||
|
||||
private static Logger logger = Logger.getLogger(XACMLEncoder.class);
|
||||
|
||||
|
||||
/**
|
||||
* Helper function, encodes a com.sun.xacml.ctx.ResponseCtx to a String, containing a XML representation
|
||||
* @param response
|
||||
* @return XML representation of response
|
||||
*/
|
||||
public static String encodeResponseCtx(ResponseCtx response) {
|
||||
ByteArrayOutputStream bAOut = new ByteArrayOutputStream();
|
||||
BufferedOutputStream bOut = new BufferedOutputStream(bAOut);
|
||||
|
||||
try {
|
||||
response.encode(bAOut, null);
|
||||
bOut.flush();
|
||||
} catch (UnsupportedEncodingException e) {
|
||||
logger.error("Unexpected UnsupportedEncodingException during encoding ResponseCtx to String:" + e.getMessage(), e );
|
||||
return ERROR_EVALUATING_REQUEST;
|
||||
} catch (IOException e) {
|
||||
logger.error("Unexpected IOException during encoding ResponseCtx to String:" + e.getMessage(), e );
|
||||
return ERROR_EVALUATING_REQUEST;
|
||||
}
|
||||
|
||||
return bAOut.toString();
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper function, encodes a com.sun.xacml.ctx.RequestCtx to a String, containing a XML representation
|
||||
* @param request
|
||||
* @return XML representation of request
|
||||
*/
|
||||
public static String encodeRequestCtx(RequestCtx request) {
|
||||
ByteArrayOutputStream bAOut = new ByteArrayOutputStream();
|
||||
BufferedOutputStream bOut = new BufferedOutputStream(bAOut);
|
||||
|
||||
try {
|
||||
request.encode(bAOut, null);
|
||||
bOut.flush();
|
||||
} catch (UnsupportedEncodingException e) {
|
||||
logger.error("Unexpected UnsupportedEncodingException during encoding ResponseCtx to String:" + e.getMessage(), e );
|
||||
return ERROR_EVALUATING_REQUEST;
|
||||
} catch (IOException e) {
|
||||
logger.error("Unexpected IOException during encoding ResponseCtx to String:" + e.getMessage(), e );
|
||||
return ERROR_EVALUATING_REQUEST;
|
||||
}
|
||||
|
||||
return bAOut.toString();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,113 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.attr;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
import org.w3c.dom.Node;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.finder.IEvaluationIdContext;
|
||||
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
|
||||
/**
|
||||
*
|
||||
* This attribute represents an urn:type:evaluationId which has to be evaluated at runtime by the xacml engine.
|
||||
* Within the evaluation, the evaluation ID is read from the evaluation context and stored within the attribute.
|
||||
*
|
||||
*/
|
||||
public class EvaluationIdAttribute extends AttributeValue {
|
||||
|
||||
|
||||
public static final String identifier = "urn:type:evaluationId";
|
||||
public static final URI identifierURI = URI.create(identifier);
|
||||
|
||||
public static final Long INVALID = new Long(-1);
|
||||
|
||||
private static Logger logger = Logger.getLogger(EvaluationIdAttribute.class);
|
||||
|
||||
public static final String RUNTIME = "RUNTIME";
|
||||
|
||||
private Long value;
|
||||
|
||||
|
||||
|
||||
public EvaluationIdAttribute(Long value) {
|
||||
super(identifierURI);
|
||||
this.value = value;
|
||||
}
|
||||
|
||||
protected EvaluationIdAttribute(URI type) {
|
||||
super(type);
|
||||
}
|
||||
|
||||
@Override
|
||||
public EvaluationResult evaluate(EvaluationCtx context) {
|
||||
|
||||
if ( value == null || value.longValue() == -1 ) {
|
||||
if ( context instanceof IEvaluationIdContext ) {
|
||||
//retreive evaluationID from current context
|
||||
value = ((IEvaluationIdContext) context).getCurrentEvaluationId();
|
||||
} else {
|
||||
logger.warn("Received non-IEvaluationIdContext: Could not determine evaluation ID");
|
||||
value = new Long(-1);
|
||||
}
|
||||
}
|
||||
return new EvaluationResult(this);
|
||||
}
|
||||
|
||||
public static EvaluationIdAttribute getInstance(String value) {
|
||||
if ( value == null || RUNTIME.equals(value) ) {
|
||||
return new EvaluationIdAttribute(new Long(-1));
|
||||
} else {
|
||||
try {
|
||||
long newValue = Long.parseLong(value);
|
||||
return new EvaluationIdAttribute(newValue);
|
||||
} catch (NumberFormatException e) {
|
||||
logger.warn("Could not transfer evaluationID \"" + value + "\" to long value: " + e.getMessage());
|
||||
return new EvaluationIdAttribute(new Long(-1));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static EvaluationIdAttribute getInstance(Node root) throws ParsingException {
|
||||
if (root.getFirstChild() != null) {
|
||||
return getInstance(root.getFirstChild().getNodeValue());
|
||||
} else {
|
||||
return new EvaluationIdAttribute(new Long(-1));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public String encode() {
|
||||
return value.toString();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isDynamic() {
|
||||
return true;
|
||||
}
|
||||
|
||||
public Long getEvaluationId() {
|
||||
return value;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.attr.proxy;
|
||||
|
||||
import org.w3c.dom.Node;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.attr.EvaluationIdAttribute;
|
||||
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.attr.AttributeProxy;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
|
||||
public class EvaluationIdAttributeProxy implements AttributeProxy {
|
||||
//private static Logger logger = Logger.getLogger(EvaluationIdAttributeProxy.class);
|
||||
|
||||
public AttributeValue getInstance(Node root) throws Exception {
|
||||
return EvaluationIdAttribute.getInstance(root);
|
||||
}
|
||||
|
||||
public AttributeValue getInstance(String value) throws Exception {
|
||||
return EvaluationIdAttribute.getInstance(value);
|
||||
}
|
||||
|
||||
public EvaluationIdAttributeProxy() {
|
||||
|
||||
}
|
||||
|
||||
public void setConfigurationStore(ConfigurationStore confStore) {
|
||||
|
||||
}
|
||||
}
|
|
@ -0,0 +1,297 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.comb;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.AttributeResolver;
|
||||
|
||||
import com.sun.xacml.AbstractPolicy;
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.MatchResult;
|
||||
import com.sun.xacml.Obligation;
|
||||
import com.sun.xacml.PolicyTreeElement;
|
||||
import com.sun.xacml.attr.StringAttribute;
|
||||
import com.sun.xacml.combine.CombinerElement;
|
||||
import com.sun.xacml.combine.CombinerParameter;
|
||||
import com.sun.xacml.combine.PolicyCombiningAlgorithm;
|
||||
import com.sun.xacml.ctx.Result;
|
||||
|
||||
public class LatticeCombiningAlgorithm extends PolicyCombiningAlgorithm {
|
||||
|
||||
|
||||
public static final String algId =
|
||||
"urn:policy-combining-algorithm:policy-lattice";
|
||||
|
||||
private static URI identifierURI = URI.create(algId);
|
||||
|
||||
private static final String LATTICE_IDENTIFIER = "urn:policyLattice:latticeIdentifier";
|
||||
|
||||
private static Logger logger = Logger.getLogger(LatticeCombiningAlgorithm.class);
|
||||
|
||||
private Map<String, Map<Long, PolicyLattice>> latticeCache = new HashMap<String, Map<Long, PolicyLattice>>();
|
||||
|
||||
public LatticeCombiningAlgorithm() {
|
||||
super(identifierURI);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Result combine(EvaluationCtx evalCtx, List<CombinerParameter> combParam,
|
||||
List<CombinerElement> combElem) {
|
||||
|
||||
// store the first deny we get, we will return it in case we do not find a permit
|
||||
Result firstDeny = null;
|
||||
// store the first indeterminate
|
||||
Result firstIndeterminate = null;
|
||||
|
||||
// create a cache where all permits are stored;
|
||||
// we may need the result itself to get the obligations
|
||||
Map<String, Result> permitCache = new HashMap<String, Result>();
|
||||
// create a cache where the results of all deny policies are stored
|
||||
// deny policies could be executed several time, i.e.,
|
||||
// remember both the result and if we executed it
|
||||
Map<String, Result> denyCache = new HashMap<String, Result>();
|
||||
|
||||
// get the active policies from the context once
|
||||
Set<String> activePolicies = getActivePolicies(evalCtx);
|
||||
|
||||
// create (or get from cache) the policy lattice we want to evaluate
|
||||
PolicyLattice lattice = getLattice(evalCtx, combParam, combElem);
|
||||
|
||||
// iterate over the lattice (i.e., level per level)
|
||||
for ( LatticeElem elem : lattice ) {
|
||||
// check if current element is an active policy
|
||||
if ( isActive(elem, lattice, activePolicies) ) {
|
||||
boolean permitted = false, denied = false;
|
||||
|
||||
// store a permit if we find it in this policy
|
||||
Result permit = null;
|
||||
// first, check for an inherited permit, then for a permit
|
||||
LatticeElem inhPermit = getInheritedPermit(elem, permitCache);
|
||||
if ( inhPermit != null ) {
|
||||
permitted = true;
|
||||
} else if (elem.getPermitPolicy() != null ) {
|
||||
// no inherited permit, we have to evaluate the current permit policy
|
||||
Result res = evaluate(elem.getPermitPolicy(), evalCtx);
|
||||
if ( res.getDecision() == Result.DECISION_INDETERMINATE ) {
|
||||
if ( firstIndeterminate == null ) {
|
||||
firstIndeterminate = res;
|
||||
}
|
||||
continue; // this policy will not provide a result, go to next
|
||||
} else if ( res.getDecision() == Result.DECISION_PERMIT ) {
|
||||
// we found a permit, store it to cache (in the current policy it may be overwritten by a deny)
|
||||
permitCache.put(elem.getIdentifier(), res);
|
||||
permit = res;
|
||||
permitted = true;
|
||||
} else if ( res.getDecision() == Result.DECISION_DENY && firstDeny == null) {
|
||||
firstDeny = res;
|
||||
continue; // we do not need to evaluate the deny policies if we do not have a permit
|
||||
}
|
||||
}
|
||||
|
||||
if ( permitted ) {
|
||||
// check if there is an inherited deny: iterate over all extending policies, i.e, downwards
|
||||
for ( LatticeElem extending : elem.downwards() ) {
|
||||
// check if extending policy has a deny policy defined
|
||||
if ( extending.getDenyPolicy() != null ) {
|
||||
Result res;
|
||||
// check if we already evaluated this policy
|
||||
if ( denyCache.containsKey(extending.getIdentifier()) ) {
|
||||
res = denyCache.get(extending.getIdentifier());
|
||||
} else {
|
||||
// else, evaluate it and store it into the cache
|
||||
res = evaluate(extending.getDenyPolicy(), evalCtx);
|
||||
denyCache.put(extending.getIdentifier(), res);
|
||||
}
|
||||
// check if the current deny policy denies this request
|
||||
if ( res.getDecision() == Result.DECISION_INDETERMINATE ) {
|
||||
if ( firstIndeterminate == null ) {
|
||||
firstIndeterminate = res;
|
||||
}
|
||||
} else if ( res.getDecision() == Result.DECISION_DENY ) {
|
||||
denied = true;
|
||||
if ( firstDeny == null ) {
|
||||
firstDeny = res;
|
||||
}
|
||||
break; // we have found a deny, do not need to look further
|
||||
}
|
||||
}
|
||||
}
|
||||
// we end up here only if we found a permit, check if we also found a deny
|
||||
if ( ! denied) {
|
||||
// if we did not find a permit for this policy
|
||||
if ( permit == null ) {
|
||||
// we got an inherited permit: we have to remove the lattice obligations
|
||||
// from this permit and attach the lattice obligations of the current policy
|
||||
permit = permitCache.get(inhPermit.getIdentifier());
|
||||
AbstractPolicy curPolicy = (AbstractPolicy) elem.getPermitPolicy();
|
||||
AbstractPolicy inhPolicy = (AbstractPolicy) inhPermit.getPermitPolicy();
|
||||
|
||||
Set<Obligation> obligations = permit.getObligations();
|
||||
|
||||
// remove obligations defined by inhPolicy
|
||||
for ( Obligation oblgRm : inhPolicy.getObligations() ) {
|
||||
for ( Obligation oblg : obligations ) {
|
||||
if ( oblg.getId().equals(oblgRm) ) {
|
||||
obligations.remove(oblg);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
// add obligations from current policy
|
||||
for ( Obligation oblg : curPolicy.getObligations() ) {
|
||||
obligations.add(oblg.evaluate(evalCtx));
|
||||
}
|
||||
permit = new Result(permit.getDecision(), evalCtx, obligations);
|
||||
}
|
||||
return permit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if ( firstIndeterminate != null ) {
|
||||
return firstIndeterminate;
|
||||
} else if ( firstDeny != null ) {
|
||||
return firstDeny;
|
||||
} else {
|
||||
return new Result(Result.DECISION_DENY, evalCtx);
|
||||
}
|
||||
}
|
||||
|
||||
private Result evaluate(PolicyTreeElement policy, EvaluationCtx evalCtx) {
|
||||
|
||||
evalCtx.newEvent(policy);
|
||||
|
||||
MatchResult match = policy.match(evalCtx);
|
||||
Result res = null;
|
||||
|
||||
if (match.getResult() == MatchResult.INDETERMINATE) {
|
||||
res = new Result(Result.DECISION_INDETERMINATE, evalCtx);
|
||||
} else if (match.getResult() == MatchResult.NO_MATCH) {
|
||||
res = new Result(Result.DECISION_NOT_APPLICABLE, evalCtx);
|
||||
} else if (match.getResult() == MatchResult.MATCH) {
|
||||
res = policy.evaluate(evalCtx);
|
||||
}
|
||||
evalCtx.closeCurrentEvent(res);
|
||||
return res;
|
||||
}
|
||||
|
||||
private boolean isActive(LatticeElem elem, PolicyLattice lattice, Set<String> activePolicies) {
|
||||
if ( activePolicies.contains(elem.getIdentifier())) {
|
||||
return true;
|
||||
} else {
|
||||
for ( LatticeElem extending : elem.downwards() ) {
|
||||
if ( activePolicies.contains(extending.getIdentifier())) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private LatticeElem getInheritedPermit(LatticeElem elem, Map<String, Result> permitCache) {
|
||||
for ( LatticeElem extended : elem.upwards() ) {
|
||||
if ( permitCache.containsKey(extended)) {
|
||||
return extended;
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||
|
||||
private PolicyLattice getLattice(EvaluationCtx evalCtx, List<CombinerParameter> combParam,
|
||||
List<CombinerElement> combElem) {
|
||||
|
||||
|
||||
String latticeId = getLatticeIdentifier(combParam);
|
||||
|
||||
PolicyLattice lattice = null;
|
||||
if ( latticeId != null) {
|
||||
Map<Long, PolicyLattice> latticeVerCache = null;
|
||||
if ( latticeCache.containsKey(latticeId) ) {
|
||||
latticeVerCache = latticeCache.get(latticeId);
|
||||
} else {
|
||||
latticeVerCache = new HashMap<Long, PolicyLattice>();
|
||||
latticeCache.put(latticeId, latticeVerCache);
|
||||
}
|
||||
|
||||
Long policyVers = getPolicyVersion(evalCtx);
|
||||
if ( latticeVerCache.containsKey(policyVers)) {
|
||||
return latticeVerCache.get(policyVers);
|
||||
} else {
|
||||
lattice = new PolicyLattice(latticeId, combElem);
|
||||
latticeVerCache.put(policyVers, lattice);
|
||||
return lattice;
|
||||
}
|
||||
} else {
|
||||
return new PolicyLattice(null, combElem);
|
||||
}
|
||||
|
||||
// if ( latticeCache.containsKey(policyVers) &&
|
||||
// latticeCache.get(policyVers).containsKey(latticeId) ) {
|
||||
// lattice = latticeCache.get(policyVers).get(latticeId);
|
||||
// } else {
|
||||
// Map<String, PolicyLattice> latticeVerCache = null;
|
||||
// if ( latticeCache.containsKey(policyVers) ) {
|
||||
// latticeVerCache = latticeCache.get(policyVers);
|
||||
// } else {
|
||||
// latticeVerCache = new HashMap<String, PolicyLattice>();
|
||||
// latticeCache.put(policyVers, latticeVerCache);
|
||||
// }
|
||||
// lattice = new PolicyLattice(latticeId, combElem);
|
||||
// latticeVerCache.put(latticeId, lattice);
|
||||
// }
|
||||
// return lattice;
|
||||
}
|
||||
|
||||
|
||||
private String getLatticeIdentifier(List<CombinerParameter> combParam) {
|
||||
|
||||
if ( combParam != null && combParam.size() > 0 ) {
|
||||
for ( CombinerParameter param : combParam ) {
|
||||
if ( LATTICE_IDENTIFIER.equals(param.getName()) ) {
|
||||
if ( param.getValue() instanceof StringAttribute ) {
|
||||
return ((StringAttribute)param.getValue()).getValue();
|
||||
} else {
|
||||
logger.warn("Found " + LATTICE_IDENTIFIER + " which is not of type string (" + param.getValue().encode() + ")");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
logger.warn("Did not find a " + LATTICE_IDENTIFIER + " for evaluating the LatticeCombiningAlgorithm " +
|
||||
(getRuntimeInfo() == null ? "" : getRuntimeInfo().getLocationMsgRuntime()));
|
||||
return null;
|
||||
}
|
||||
|
||||
private Long getPolicyVersion(EvaluationCtx evalCtx) {
|
||||
return new Long(AttributeResolver.getPDPStatePolicyVersion(evalCtx));
|
||||
}
|
||||
|
||||
|
||||
private Set<String> getActivePolicies(EvaluationCtx evalCtx) {
|
||||
return AttributeResolver.getActivePolicies(evalCtx);
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,223 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.comb;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.comb.PolicyLatticeIterator.MODE;
|
||||
|
||||
import com.sun.xacml.PolicyTreeElement;
|
||||
import com.sun.xacml.attr.AttributeValue;
|
||||
import com.sun.xacml.attr.StringAttribute;
|
||||
import com.sun.xacml.combine.CombinerElement;
|
||||
import com.sun.xacml.combine.CombinerParameter;
|
||||
|
||||
public class LatticeElem {
|
||||
|
||||
private int level = 0;
|
||||
private String identifier;
|
||||
/**
|
||||
* policy IDs this policy extends, defined as combiner parameter
|
||||
*/
|
||||
private List<String> extendedPolicyIds;
|
||||
/**
|
||||
* policies which are extended by this policy (i.e., upwards)
|
||||
*/
|
||||
private List<LatticeElem> extendedPolicies;
|
||||
/**
|
||||
* policies extending this policy (i.e, downwards)
|
||||
*/
|
||||
private List<LatticeElem> extendingPolicies;
|
||||
private PolicyTreeElement permitPolicy, denyPolicy;
|
||||
|
||||
private static final String
|
||||
POLICY_IDENDIFIER = "urn:policyLattice:identifier",
|
||||
POLICY_TYPE = "urn:policyLattice:type",
|
||||
EXTENDS_POLICY = "urn:policyLattice:extends";
|
||||
|
||||
private static final Logger logger = Logger.getLogger(LatticeElem.class);
|
||||
|
||||
public static LatticeElem addLatticeElem(CombinerElement combElem,
|
||||
Map<String, LatticeElem> elems) {
|
||||
|
||||
// if ( ! (combElem.getElement() instanceof AbstractPolicy) ) {
|
||||
// logger.warn("LatticeElement has to be an instance of AbstractPolicy (got " + combElem.getElement().getClass().toString() + ")");
|
||||
// return null;
|
||||
// }
|
||||
//
|
||||
// AbstractPolicy policy = (AbstractPolicy) combElem.getElement();
|
||||
|
||||
// read parameters for policy
|
||||
List<CombinerParameter> params = combElem.getParameters();
|
||||
//List<CombinerParameter> params = policy.getCombiningParameters();
|
||||
String identifier = null, type = null;
|
||||
List<String> extendedPolicies = null;
|
||||
if ( params != null && params.size() > 0 ) {
|
||||
for ( CombinerParameter param : params ) {
|
||||
String name = param.getName();
|
||||
if ( POLICY_IDENDIFIER.equals(name) ) {
|
||||
identifier = getString(name, param.getValue());
|
||||
} else if ( POLICY_TYPE.equals(name) ) {
|
||||
type = getString(name, param.getValue());
|
||||
} else if ( EXTENDS_POLICY.equals(name)) {
|
||||
if ( extendedPolicies == null ) {
|
||||
extendedPolicies = new ArrayList<String>();
|
||||
}
|
||||
extendedPolicies.add(getString(name, param.getValue()));
|
||||
} else {
|
||||
logger.warn("Unknown parameter " + name);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
logger.warn("No CombinerParamters defined for " + combElem.getElement().getId());
|
||||
}
|
||||
|
||||
if ( identifier == null ) {
|
||||
logger.warn("Cannot read policy " + combElem.getElement().getId() + " without defining " + POLICY_IDENDIFIER + " as combiner parameter");
|
||||
return null;
|
||||
} else {
|
||||
LatticeElem elem;
|
||||
if ( elems.containsKey(identifier)) {
|
||||
elem = elems.get(identifier);
|
||||
} else {
|
||||
elem = new LatticeElem(identifier);
|
||||
elems.put(identifier, elem);
|
||||
}
|
||||
|
||||
if ( extendedPolicies != null ) {
|
||||
if ( elem.extendedPolicyIds != null ) {
|
||||
logger.warn("For policy with ID " + identifier + " there are already extending policies defined");
|
||||
} else {
|
||||
elem.extendedPolicyIds = extendedPolicies;
|
||||
}
|
||||
}
|
||||
|
||||
if ( type != null ) {
|
||||
if ( "permit".equals(type.toLowerCase()) ) {
|
||||
if ( elem.permitPolicy != null ) {
|
||||
logger.warn("Overwriting permit policy for ID " + identifier);
|
||||
}
|
||||
elem.permitPolicy = combElem.getElement();
|
||||
} else if ( "deny".equals(type.toLowerCase()) ) {
|
||||
if ( elem.denyPolicy != null ) {
|
||||
logger.warn("Overwriting deny policy for ID " + identifier);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// assume default value
|
||||
if ( elem.permitPolicy != null ) {
|
||||
logger.warn("Overwriting permit policy for ID " + identifier);
|
||||
}
|
||||
elem.permitPolicy = combElem.getElement();
|
||||
}
|
||||
return elem;
|
||||
}
|
||||
}
|
||||
|
||||
private LatticeElem(String identifer) {
|
||||
this.identifier = identifer;
|
||||
}
|
||||
|
||||
|
||||
private static String getString(String name, AttributeValue value ) {
|
||||
if ( value instanceof StringAttribute ) {
|
||||
return ((StringAttribute) value).getValue();
|
||||
} else {
|
||||
logger.warn("Attribute " + name + " was not an String Attribute");
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
public int getLevel() {
|
||||
return level;
|
||||
}
|
||||
|
||||
public void setLevel(int level) {
|
||||
this.level = Math.max(this.level, level);
|
||||
}
|
||||
|
||||
public void resetLeve(int level) {
|
||||
this.level = level;
|
||||
}
|
||||
|
||||
public PolicyTreeElement getPermitPolicy() {
|
||||
return permitPolicy;
|
||||
}
|
||||
|
||||
public void setPermitPolicy(PolicyTreeElement permitPolicy) {
|
||||
this.permitPolicy = permitPolicy;
|
||||
}
|
||||
|
||||
public PolicyTreeElement getDenyPolicy() {
|
||||
return denyPolicy;
|
||||
}
|
||||
|
||||
public void setDenyPolicy(PolicyTreeElement denyPolicy) {
|
||||
this.denyPolicy = denyPolicy;
|
||||
}
|
||||
|
||||
public String getIdentifier() {
|
||||
return identifier;
|
||||
}
|
||||
|
||||
public List<String> getExtendedPolicyIds() {
|
||||
return extendedPolicyIds;
|
||||
}
|
||||
|
||||
public void addExtendingPolicy(LatticeElem elem) {
|
||||
if ( this.extendingPolicies == null) {
|
||||
this.extendingPolicies = new ArrayList<LatticeElem>();
|
||||
}
|
||||
this.extendingPolicies.add(elem);
|
||||
}
|
||||
|
||||
public List<LatticeElem> getExtendingPolicies() {
|
||||
return this.extendingPolicies;
|
||||
}
|
||||
|
||||
public void resolveExtendedPolicies(Map<String, LatticeElem> policies) {
|
||||
if ( this.extendedPolicyIds != null &&
|
||||
this.extendedPolicies.size() > 0 ) {
|
||||
this.extendingPolicies = new ArrayList<LatticeElem>();
|
||||
|
||||
for ( String elemId : extendedPolicyIds) {
|
||||
if ( policies.containsKey(elemId)) {
|
||||
extendedPolicies.add(policies.get(elemId));
|
||||
} else {
|
||||
logger.warn("Could not find a policy with ID " + elemId + " to resolve extended policies of policy " + identifier);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public List<LatticeElem> getExtendedPolicies() {
|
||||
return this.extendedPolicies;
|
||||
}
|
||||
|
||||
public Iterable<LatticeElem> downwards() {
|
||||
return new PolicyLatticeIterator(this, MODE.DOWNWARDS);
|
||||
}
|
||||
|
||||
public Iterable<LatticeElem> upwards() {
|
||||
return new PolicyLatticeIterator(this, MODE.UPWARDS);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,105 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.comb;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.comb.PolicyLatticeIterator.MODE;
|
||||
|
||||
import com.sun.xacml.combine.CombinerElement;
|
||||
|
||||
public class PolicyLattice implements Iterable<LatticeElem> {
|
||||
|
||||
private List<LatticeElem> level1;
|
||||
|
||||
private Map<String, LatticeElem> policies;
|
||||
|
||||
private static Logger logger = Logger.getLogger(PolicyLattice.class);
|
||||
|
||||
public PolicyLattice(String latticeIdentifier, List<CombinerElement> combElem) {
|
||||
if ( logger.isDebugEnabled() ) {
|
||||
logger.debug("Creating PolicyLattice "
|
||||
+ (latticeIdentifier == null ? "without identifier" : latticeIdentifier) + " with "
|
||||
+ combElem.size() + " elements");
|
||||
}
|
||||
policies = new HashMap<String, LatticeElem>();
|
||||
level1 = new ArrayList<LatticeElem>();
|
||||
|
||||
|
||||
// read all policies
|
||||
for (int i = 0; i < combElem.size(); ++i ) {
|
||||
LatticeElem elem = LatticeElem.addLatticeElem(combElem.get(i), policies);
|
||||
if (logger.isDebugEnabled() && elem != null ) {
|
||||
logger.debug("Read policy element with ID \"" + elem.getIdentifier()
|
||||
+ "\" with " + (elem.getExtendedPolicyIds() == null ? 0 : elem.getExtendedPolicyIds().size()) + " extended policy definitions");
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
for ( LatticeElem elem : policies.values() ) {
|
||||
elem.resolveExtendedPolicies(policies);
|
||||
if ( elem.getExtendedPolicyIds() == null ||
|
||||
elem.getExtendedPolicyIds().size() == 0 ) {
|
||||
level1.add(elem);
|
||||
logger.debug("Added " + elem.getIdentifier() + " as " + level1.size() + "th element as level 1 element");
|
||||
} else {
|
||||
for ( String extPol : elem.getExtendedPolicyIds()) {
|
||||
if ( policies.containsKey(extPol) ) {
|
||||
policies.get(extPol).addExtendingPolicy(elem);
|
||||
} else {
|
||||
logger.warn("Policy " + elem.getIdentifier() + " defined extension to " + extPol + ", but did not find policy");
|
||||
}
|
||||
}
|
||||
}
|
||||
// if ( policies.containsKey(elem.getExtendedPolicy() )) {
|
||||
// policies.get(elem.getExtendedPolicy()).addChild(elem);
|
||||
// logger.debug("Added policy " + elem.getIdentifier()
|
||||
// + " as child to policy" + elem.getExtendedPolicy() );
|
||||
// } else {
|
||||
// logger.warn("Policy with id " + elem.getIdentifier() +
|
||||
// " defines extending an unkown policy with id " + elem.getExtendedPolicy());
|
||||
// }
|
||||
}
|
||||
for ( LatticeElem elem : level1 ) {
|
||||
setPolicyLevel(elem, 1);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private void setPolicyLevel(LatticeElem elem, int level) {
|
||||
elem.setLevel(level);
|
||||
if ( elem.getExtendingPolicies() != null ) {
|
||||
for ( LatticeElem refElem : elem.getExtendingPolicies() ) {
|
||||
setPolicyLevel(refElem, level + 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public Iterator<LatticeElem> iterator() {
|
||||
return new PolicyLatticeIterator(level1, MODE.DOWNWARDS);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,95 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.comb;
|
||||
|
||||
import java.util.Iterator;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Queue;
|
||||
|
||||
public class PolicyLatticeIterator implements Iterator<LatticeElem>, Iterable<LatticeElem> {
|
||||
|
||||
enum MODE {
|
||||
UPWARDS, // iterates over all refining policies, i.e., policies with lower levels
|
||||
DOWNWARDS // iterates over all extending policies, i.e., policies with higher levels
|
||||
}
|
||||
|
||||
Queue<LatticeElem> todos;
|
||||
|
||||
MODE mode;
|
||||
|
||||
/**
|
||||
*
|
||||
* @param elements should be all on the same level
|
||||
*/
|
||||
PolicyLatticeIterator(List<LatticeElem> elements, MODE mode) {
|
||||
this.mode = mode;
|
||||
todos = new LinkedList<LatticeElem>();
|
||||
for ( LatticeElem elem : elements) {
|
||||
todos.add(elem);
|
||||
}
|
||||
}
|
||||
|
||||
PolicyLatticeIterator(LatticeElem element, MODE mode) {
|
||||
this.mode = mode;
|
||||
todos = new LinkedList<LatticeElem>();
|
||||
todos.add(element);
|
||||
}
|
||||
|
||||
public boolean hasNext() {
|
||||
if ( todos.size() > 0 ) {
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
public LatticeElem next() {
|
||||
LatticeElem next = todos.remove();
|
||||
if ( mode == MODE.DOWNWARDS ) {
|
||||
if ( next.getExtendingPolicies() != null ) {
|
||||
for ( LatticeElem elem : next.getExtendingPolicies() ) {
|
||||
// check if element to put on queue
|
||||
if ( elem.getLevel() + 1 == next.getLevel() && // put on queue only if on next level
|
||||
( elem.getExtendedPolicyIds().size() == 1 || // if referenced elem has only one refining (extends) relation
|
||||
! todos.contains(elem) ) ) { // or, if it has several, check that it is not already on the queue
|
||||
todos.add(elem);
|
||||
}
|
||||
}
|
||||
}
|
||||
} else if ( mode == MODE.UPWARDS ) {
|
||||
if ( next.getExtendedPolicyIds() != null ) {
|
||||
for ( LatticeElem elem : next.getExtendedPolicies() ) {
|
||||
if ( elem.getLevel() -1 == next.getLevel() && // put on queue only if on next (upper) level
|
||||
( elem.getExtendingPolicies().size() == 1 || // if referenced elem has only one extending (refines) relation
|
||||
! todos.contains(elem))) { // or, if it has severl, that that it is not alrey on the queue
|
||||
todos.add(elem);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return next;
|
||||
}
|
||||
|
||||
public void remove() {
|
||||
throw new RuntimeException("remove is not permitted by PolicyLatticeIterator");
|
||||
}
|
||||
|
||||
public Iterator<LatticeElem> iterator() {
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,283 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.finder;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.net.URI;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.Vector;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.sun.xacml.AbstractPolicy;
|
||||
import com.sun.xacml.ConfigurationStore;
|
||||
import com.sun.xacml.EvaluationCtx;
|
||||
import com.sun.xacml.MatchResult;
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.PolicyMetaData;
|
||||
import com.sun.xacml.VersionConstraints;
|
||||
import com.sun.xacml.ctx.Result;
|
||||
import com.sun.xacml.ctx.Status;
|
||||
import com.sun.xacml.finder.PolicyFinder;
|
||||
import com.sun.xacml.finder.PolicyFinderModule;
|
||||
import com.sun.xacml.finder.PolicyFinderResult;
|
||||
import com.sun.xacml.support.finder.PolicyReader;
|
||||
|
||||
/**
|
||||
*
|
||||
* PolicyFinderModule which allows to load policies by filename and folder
|
||||
* <br/>
|
||||
* When searching for policies, only main (entry) policies are searched,
|
||||
* i.e., only policies with an "main" at the end are loaded
|
||||
*
|
||||
*/
|
||||
public class FilePolicyModule extends PolicyFinderModule {
|
||||
|
||||
private File schemaFile;
|
||||
|
||||
// the filenames for the files we'll load
|
||||
private Set<String> fileNames;
|
||||
private Set<String> folders;
|
||||
|
||||
private Map<URI, AbstractPolicy> policies;
|
||||
|
||||
private Map<URI, AbstractPolicy> mainPolicies;
|
||||
|
||||
private static final Logger logger = Logger.getLogger(FilePolicyModule.class);
|
||||
|
||||
// configuration: keep track of lines when loadig policies (slow! use only for debugging!)
|
||||
protected boolean useLines = false, enf_useLines = false;
|
||||
|
||||
protected Map<String, String> confParams = new HashMap<String, String>();
|
||||
|
||||
|
||||
protected static final String CONF_PREFIX = "conf:",
|
||||
FOLDER_PREFIX = "folder:",
|
||||
FILE_PREFIX = "file:",
|
||||
CONF_USELINES = "useLines";
|
||||
|
||||
|
||||
public FilePolicyModule() {
|
||||
fileNames = new HashSet<String>();
|
||||
folders = new HashSet<String>();
|
||||
policies = new HashMap<URI, AbstractPolicy>();
|
||||
mainPolicies = new HashMap<URI, AbstractPolicy>();
|
||||
|
||||
String schemaName =
|
||||
System.getProperty(PolicyReader.POLICY_SCHEMA_PROPERTY);
|
||||
|
||||
if (schemaName != null) {
|
||||
this.schemaFile = new File(schemaName);
|
||||
}
|
||||
}
|
||||
|
||||
public FilePolicyModule(List<String> fileNames) {
|
||||
this();
|
||||
|
||||
if (fileNames != null) {
|
||||
for ( String fileName : fileNames ) {
|
||||
if ( fileName.startsWith(CONF_PREFIX) ) {
|
||||
String tmp = fileName.substring(5);
|
||||
try {
|
||||
String confId = tmp.substring(0, tmp.indexOf(":"));
|
||||
String value = tmp.substring(tmp.indexOf(":") + 1);
|
||||
confParams.put(confId, value);
|
||||
} catch(Exception e) {
|
||||
logger.warn("Could not add configuration: " + tmp);
|
||||
}
|
||||
} else if ( fileName.startsWith(FOLDER_PREFIX)) {
|
||||
this.folders.add(fileName.substring(7));
|
||||
} else if ( fileName.startsWith(FILE_PREFIX) ) {
|
||||
this.fileNames.add(fileName.substring(5));
|
||||
} else {
|
||||
this.fileNames.add(fileName);
|
||||
}
|
||||
}
|
||||
}
|
||||
if ( enf_useLines ) {
|
||||
useLines = true;
|
||||
} else if ( confParams.containsKey(CONF_USELINES)) {
|
||||
useLines = getBool(confParams.get(CONF_USELINES));
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isRequestSupported() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(PolicyFinder finder) {
|
||||
Object o = finder.getPDPConfiguration().getCustomAttr(ConfigurationStore.BASEDIR);
|
||||
String baseDir = "";
|
||||
if ( o != null) {
|
||||
baseDir = (String) o;
|
||||
}
|
||||
|
||||
PolicyReader reader = new PolicyReader(finder,
|
||||
java.util.logging.Logger.getLogger(FilePolicyModule.class.getName()),
|
||||
this.schemaFile, this.useLines);
|
||||
|
||||
for (String fname : this.fileNames ) {
|
||||
try {
|
||||
AbstractPolicy policy =
|
||||
reader.readPolicy(new FileInputStream(baseDir + fname), fname);
|
||||
addPolicy(policy);
|
||||
} catch (FileNotFoundException fnfe) {
|
||||
logger.warn("File couldn't be read: "+ fname, fnfe);
|
||||
} catch (ParsingException e) {
|
||||
logger.warn("Error reading policy from file " + fname + ": " + e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
|
||||
for ( String sFolder : this.folders ) {
|
||||
File folder = new File(baseDir + sFolder);
|
||||
File[] files = folder.listFiles();
|
||||
for ( File f : files ) {
|
||||
String name_lower = f.getName().toLowerCase();
|
||||
if ( name_lower.endsWith(".xacml")) {
|
||||
try {
|
||||
AbstractPolicy policy = reader.readPolicy(new FileInputStream(f), f.getName());
|
||||
addPolicy(policy);
|
||||
} catch (FileNotFoundException e) {
|
||||
logger.warn("File couldn't be read: "+ f.getName(), e);
|
||||
} catch (ParsingException e) {
|
||||
logger.warn("Error reading policy from file " + f.getName(), e);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
logger.info("Loaded " + policies.size() + " policies, " + mainPolicies.size() + " main policies");
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyFinderResult findPolicy(EvaluationCtx context) {
|
||||
logger.debug("FilePolicyModule.findPolicy");
|
||||
|
||||
context.newEvent(this);
|
||||
AbstractPolicy match = null;
|
||||
for ( AbstractPolicy policy : this.mainPolicies.values() ) {
|
||||
context.newEvent(policy);
|
||||
logger.debug("Check match for Policy "+ policy.getId());
|
||||
|
||||
MatchResult mResult = policy.match(context);
|
||||
int iResult = mResult.getResult();
|
||||
if ( iResult == MatchResult.NO_MATCH ) {
|
||||
context.closeCurrentEvent(new Result(Result.DECISION_NOT_APPLICABLE));
|
||||
} else if ( iResult == MatchResult.MATCH ) {
|
||||
context.closeCurrentEvent();
|
||||
if ( match == null ) {
|
||||
match = policy;
|
||||
} else {
|
||||
logger.error("Multiple main policies are matching: first: " + match.getId() + " - " + policy.getId());
|
||||
List<String> statusCodes = new Vector<String>();
|
||||
statusCodes.add(Status.STATUS_PROCESSING_ERROR);
|
||||
Status errorStatus = new Status(statusCodes, "Error in PDP Configuration: Multiple matching main policies");
|
||||
context.closeCurrentEvent(Result.INDETERMINATE);
|
||||
return new PolicyFinderResult(errorStatus);
|
||||
//throw new TopLevelPolicyException(mResult.getStatus(), "Multiple main policies are matching");
|
||||
}
|
||||
} else if ( iResult == MatchResult.INDETERMINATE ) {
|
||||
context.closeCurrentEvent();
|
||||
context.closeCurrentEvent(new Result(Result.DECISION_INDETERMINATE, context));
|
||||
return new PolicyFinderResult(mResult.getStatus());
|
||||
}
|
||||
}
|
||||
|
||||
if (match == null) {
|
||||
context.closeCurrentEvent();
|
||||
logger.debug("Found no matching main policy");
|
||||
return new PolicyFinderResult();
|
||||
}
|
||||
context.closeCurrentEvent(match.getId().toString());
|
||||
logger.debug("Found one matching main policy: " + match.getId());
|
||||
return new PolicyFinderResult(match);
|
||||
// } catch (TopLevelPolicyException e) {
|
||||
// logger.error("Could not find Policy (TopLevelPolicyException): " + e.getMessage());
|
||||
// e.printStackTrace();
|
||||
// context.closeCurrentEvent();
|
||||
// return new PolicyFinderResult(e.getStatus());
|
||||
// }
|
||||
}
|
||||
|
||||
public boolean addPolicy(String filename) {
|
||||
return this.fileNames.add(filename);
|
||||
}
|
||||
|
||||
|
||||
protected void addPolicy(AbstractPolicy policy) {
|
||||
URI policyId = policy.getId();
|
||||
this.policies.put(policyId,policy);
|
||||
if ( policyId.toString().endsWith("main") ) {
|
||||
this.mainPolicies.put(policyId, policy);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
protected static boolean getBool(String value) {
|
||||
try {
|
||||
Boolean val = new Boolean(value);
|
||||
return val.booleanValue();
|
||||
} catch (Exception e) {
|
||||
logger.warn( "Could not read boolean value " + value + "; Using false as default");
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isIdReferenceSupported() {
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
public PolicyFinderResult findPolicy(EvaluationCtx context,
|
||||
URI idReference, int type,
|
||||
VersionConstraints constraints,
|
||||
PolicyMetaData parentMetaData) {
|
||||
|
||||
if ( policies.containsKey(idReference)) {
|
||||
AbstractPolicy policy = policies.get(idReference);
|
||||
|
||||
if ( constraints.meetsConstraint(policy.getVersion())) {
|
||||
return new PolicyFinderResult(policy);
|
||||
} else {
|
||||
logger.warn("Found policy with right ID " + idReference + ", but version contraints do not match");
|
||||
}
|
||||
}
|
||||
return new PolicyFinderResult();
|
||||
}
|
||||
|
||||
/**
|
||||
* this method can be used to enforce the usage of lines parsing
|
||||
* programatically
|
||||
* @param useLines
|
||||
*/
|
||||
public void enforceUseLines() {
|
||||
this.enf_useLines = true;
|
||||
this.useLines = true;
|
||||
}
|
||||
|
||||
public void setConfigurationStore(ConfigurationStore confStore) {
|
||||
// save confStore if needed
|
||||
}
|
||||
}
|
|
@ -0,0 +1,29 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.finder;
|
||||
|
||||
import com.sun.xacml.finder.PolicyFinder;
|
||||
import com.sun.xacml.finder.PolicyFinderModule;
|
||||
|
||||
public class FolderPolicyModule extends PolicyFinderModule {
|
||||
|
||||
@Override
|
||||
public void init(PolicyFinder arg0) {
|
||||
// TODO Auto-generated method stub
|
||||
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,20 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.finder;
|
||||
|
||||
public interface IEvaluationIdContext {
|
||||
Long getCurrentEvaluationId();
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.finder;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.Date;
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.attr.TypeIdentifierConstants;
|
||||
|
||||
public interface IPDPStateEvaluationContext {
|
||||
|
||||
public static final URI PDPSTATE_CATEGORY = Constants.ENVIRONMENT_CAT;
|
||||
public static final URI PDPSTATE_ATTRIBUTETYPE = TypeIdentifierConstants.INTEGER_URI;
|
||||
public static final String PDPSTATE = "urn:custom:svnPolicyVersion";
|
||||
public static final URI PDPSTATE_URI = URI.create(PDPSTATE);
|
||||
public static final URI PDPSTATE_ISSUER = null;
|
||||
|
||||
public Date getExecTime();
|
||||
public long getVersion();
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.finder;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import com.sun.xacml.cond.EvaluationResult;
|
||||
|
||||
public interface IRecordEvaluationContext extends IEvaluationIdContext, IPDPStateEvaluationContext {
|
||||
void retreiveDesignatorAttributeSearch(URI category, URI attributeType,
|
||||
URI attributeId, URI issuer, EvaluationResult evalResult);
|
||||
|
||||
}
|
|
@ -0,0 +1,62 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.helper;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.Category;
|
||||
|
||||
public class DefaultElementCreator extends ElementCreator {
|
||||
|
||||
private Category category;
|
||||
private URI categoryURI, defaultId, defaultType;
|
||||
|
||||
public DefaultElementCreator(Category category) {
|
||||
setCategory(category);
|
||||
}
|
||||
|
||||
public DefaultElementCreator() {
|
||||
;
|
||||
}
|
||||
|
||||
public void setCategory(Category category) {
|
||||
this.category = category;
|
||||
this.categoryURI = category.getURI();
|
||||
this.defaultId = category.getDefaultId();
|
||||
this.defaultType = category.getDefaultType();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected URI getCategory() {
|
||||
return categoryURI;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected URI getDefaultType() {
|
||||
return defaultType;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected URI getDefaultId() {
|
||||
return defaultId;
|
||||
}
|
||||
|
||||
protected Category getCategoryObject() {
|
||||
return this.category;
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -0,0 +1,77 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.helper;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.Category;
|
||||
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.attr.AttributeFactory;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.RequestElement;
|
||||
|
||||
public abstract class ElementCreator implements IElementCreator {
|
||||
|
||||
private static Logger logger = Logger.getLogger(ElementCreator.class);
|
||||
|
||||
protected static AttributeFactory attrFactory = AttributeFactory.getInstance();
|
||||
|
||||
|
||||
protected abstract URI getCategory();
|
||||
protected abstract URI getDefaultId();
|
||||
protected abstract URI getDefaultType();
|
||||
public abstract void setCategory(Category category);
|
||||
|
||||
public RequestElement getRequestElement(String value) throws ParsingException {
|
||||
Attribute attrs;
|
||||
try {
|
||||
attrs = new Attribute(getDefaultId(), null, attrFactory.createValue(getDefaultType(), value));
|
||||
} catch (UnknownIdentifierException e) {
|
||||
logger.error("Could not create attribute for category " + getCategory() + ", default type " + getDefaultType() + " and value " + value);
|
||||
return null; //should not happen...
|
||||
}
|
||||
Set<Attribute> resourceSet = new HashSet<Attribute>();
|
||||
resourceSet.add(attrs);
|
||||
return new RequestElement(getCategory(), resourceSet);
|
||||
}
|
||||
|
||||
|
||||
|
||||
public RequestElement getRequestElement(Set<Attribute> attrs) {
|
||||
return new RequestElement(getCategory(), attrs);
|
||||
}
|
||||
|
||||
|
||||
public Attribute getAttribute(URI attributeId, URI dataType, String value) throws ParsingException, UnknownIdentifierException {
|
||||
return new Attribute(attributeId != null ? attributeId : getDefaultId(),
|
||||
null, attrFactory.createValue(dataType != null ? dataType : getDefaultType(), value));
|
||||
}
|
||||
|
||||
public Attribute getAttributeDefaultType(String value) throws ParsingException {
|
||||
try {
|
||||
return new Attribute(getDefaultId(), null, attrFactory.createValue(getDefaultType(), value));
|
||||
} catch (UnknownIdentifierException e) {
|
||||
logger.error("Could not create attribute for category " + getCategory() + ", default type " + getDefaultType() + " and value " + value);
|
||||
return null; //should not happen...
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.helper;
|
||||
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.Set;
|
||||
|
||||
import com.sun.xacml.ParsingException;
|
||||
import com.sun.xacml.UnknownIdentifierException;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.RequestElement;
|
||||
|
||||
public interface IElementCreator {
|
||||
RequestElement getRequestElement(String value) throws ParsingException;
|
||||
RequestElement getRequestElement(Set<Attribute> attrs);
|
||||
|
||||
Attribute getAttribute(URI attributeId, URI dataType, String value) throws ParsingException, UnknownIdentifierException;
|
||||
Attribute getAttributeDefaultType(String value) throws ParsingException;
|
||||
}
|
|
@ -0,0 +1,56 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.helper;
|
||||
|
||||
import org.apache.log4j.Logger;
|
||||
|
||||
import com.sun.xacml.ctx.RequestCtx;
|
||||
import com.sun.xacml.ctx.ResponseCtx;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.api.log.AccessControlRequest;
|
||||
import eu.aniketos.securebpmn.xacml.support.XACMLEncoder;
|
||||
|
||||
public class LogPreparer {
|
||||
|
||||
private static Logger logger = Logger.getLogger(LogPreparer.class);
|
||||
|
||||
public static void prepare(AccessControlRequest requ) {
|
||||
RequestCtx requCtx = (RequestCtx) requ.getRequest();
|
||||
ResponseCtx respCtx = (ResponseCtx) requ.getResponse();
|
||||
|
||||
if ( requ.getXacmlRequest() == null || requ.getXacmlResponse() == null) {
|
||||
requ.setXacmlRequest(XACMLEncoder.encodeRequestCtx(requCtx));
|
||||
requ.setXacmlResponse(XACMLEncoder.encodeResponseCtx(respCtx));
|
||||
|
||||
if ( ! (requ.getXacmlRequest() == null && requ.getXacmlResponse() == null)
|
||||
|| requ.getResource() == null || requ.getResult() == null ) {
|
||||
logInconsistant(requ);
|
||||
}
|
||||
}
|
||||
|
||||
if ( requ.getResource() == null || requ.getResult() == null ) {
|
||||
//TODO read from requCtx
|
||||
}
|
||||
}
|
||||
|
||||
private static void logInconsistant(AccessControlRequest requ) {
|
||||
logger.warn("Inconsistant AccessControlRequest: XacmlRequest" + requ.getXacmlRequest() +
|
||||
", XacmlResponse: " + requ.getXacmlResponse() +
|
||||
", Resource: " + requ.getResource() +
|
||||
", Result: " + requ.getResult());
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,75 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support.helper;
|
||||
|
||||
import java.net.URI;
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import eu.aniketos.securebpmn.xacml.support.Category;
|
||||
|
||||
import com.sun.xacml.Constants;
|
||||
import com.sun.xacml.attr.AnyURIAttribute;
|
||||
import com.sun.xacml.ctx.Attribute;
|
||||
import com.sun.xacml.ctx.RequestElement;
|
||||
|
||||
/**
|
||||
*
|
||||
* Creates a RequestElement, containing a resource for evaluation by the XACML PDP
|
||||
*
|
||||
*
|
||||
*/
|
||||
public class ResourceCreator extends ElementCreator {
|
||||
|
||||
private static final URI resourceID_URI = Constants.RESOURCE_CAT; //Category.RESOURCE.getURI();
|
||||
private static final URI defaultId = Constants.RESOURCE_ID; //Category.RESOURCE.getDefaultId();
|
||||
private static final URI default_Type = URI.create(AnyURIAttribute.identifier); //Category.RESOURCE.getDefaultType();
|
||||
|
||||
|
||||
@Override
|
||||
protected URI getCategory() {
|
||||
return resourceID_URI;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected URI getDefaultType() {
|
||||
return default_Type;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected URI getDefaultId() {
|
||||
return defaultId;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setCategory(Category category) {
|
||||
if ( ! category.getURI().equals(resourceID_URI) ) {
|
||||
throw new RuntimeException("It is not possbile to set the category of " + ResourceCreator.class + " afterwards");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public RequestElement getRequestElement(URI resource) {
|
||||
Attribute resourceAttribute = new Attribute(defaultId, null, new AnyURIAttribute(resource));
|
||||
Set<Attribute> resourceSet = new HashSet<Attribute>();
|
||||
resourceSet.add(resourceAttribute);
|
||||
return new RequestElement(resourceID_URI, resourceSet);
|
||||
}
|
||||
|
||||
public Attribute getAttributeDefaultType(URI value) {
|
||||
return new Attribute(getDefaultId(), null, new AnyURIAttribute(value));
|
||||
}
|
||||
}
|
|
@ -0,0 +1,53 @@
|
|||
/* Copyright 2012-2015 SAP SE
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package eu.aniketos.securebpmn.xacml.support;
|
||||
|
||||
import junit.framework.Test;
|
||||
import junit.framework.TestCase;
|
||||
import junit.framework.TestSuite;
|
||||
|
||||
/**
|
||||
* Unit test for simple App.
|
||||
*/
|
||||
public class AppTest
|
||||
extends TestCase
|
||||
{
|
||||
/**
|
||||
* Create the test case
|
||||
*
|
||||
* @param testName name of the test case
|
||||
*/
|
||||
public AppTest( String testName )
|
||||
{
|
||||
super( testName );
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the suite of tests being tested
|
||||
*/
|
||||
public static Test suite()
|
||||
{
|
||||
return new TestSuite( AppTest.class );
|
||||
}
|
||||
|
||||
/**
|
||||
* Rigourous Test :-)
|
||||
*/
|
||||
public void testApp()
|
||||
{
|
||||
assertTrue( true );
|
||||
}
|
||||
}
|
Reference in New Issue